Class TokenAuthenticationManagerImpl
- All Implemented Interfaces: TokenAuthenticationManager
- Direct Known Subclasses: RecoveryModeAwareTokenAuthenticationManager

Field Summary
- RECENT_TOKENS_CACHE_SIZE_SYSTEM_PROPERTY_NAME
- RECENT_TOKENS_CACHE_TTL_SYSTEM_PROPERTY_NAME

Constructor Summary
- TokenAuthenticationManagerImpl(SessionTokenStorage tokenManager, ApplicationDAO applicationDao, TokenFactory tokenFactory, com.atlassian.cache.Cache<String, Boolean> cache, com.atlassian.event.api.EventPublisher eventPublisher, PropertyManager propertyManager, DirectoryManager directoryManager, ApplicationManager applicationManager, ApplicationService applicationService, Clock clock)

Method Summary
- protected List<ValidationFactor> activeValidationFactors(ValidationFactor[] factors)
- Token authenticateApplication(Application application, ApplicationAuthenticationContext authenticationContext, TokenLifetime tokenLifetime)
  Authenticates an application and generates an authentication token.
- Token authenticateApplicationWithoutValidatingPassword(Application application, ApplicationAuthenticationContext authenticationContext, TokenLifetime tokenLifetime)
  Authenticates an application and generates an authentication token, ignoring the credentials.
- Token authenticateUser(Application application, UserAuthenticationContext authenticationContext, boolean validatePassword, TokenLifetime tokenLifetime)
- Token authenticateUser(Application application, UserAuthenticationContext authenticateContext, TokenLifetime tokenLifetime)
  Authenticates a user and generates an authentication token.
- Token authenticateUserWithoutValidatingPassword(Application application, UserAuthenticationContext authenticateContext)
  Feigns the authentication process for a user and creates a token for the authentication without validating the password.
- List<Application> findAuthorisedApplications(User user, String applicationName)
  Returns a list of applications a user is authorised to authenticate with.
- User findUserByToken(Token token, Application application)
  Will find a user via the passed in token.
- Token findUserTokenByKey(String tokenKey, Application application)
  Returns the token matching a given key.
- protected Pair<Token,Boolean> generateUserToken(long directoryID, AuthenticationContext authenticationContext, TokenLifetime tokenLifetime)
  This method will return a Token based on the passed in parameters.
- protected Pair<Token,Boolean> genericValidateToken(String token, ValidationFactor[] validationFactors)
  Will validate a token key with the given ValidationFactor's against one (if it exists) in the datastore.
- getTokenExpiryTime(Token token)
  Returns the expiry time of a token.
- void invalidateAllTokens()
  Invalidates all user and application tokens.
- invalidateToken(String tokenKey)
  Attempts to invalidate a Token based on the passed in Token key (random hash).
- void invalidateTokensForUser(String username, String exclusionToken, String applicationName)
  Invalidates all sessions for a user, possibly excluding a specific one.
- protected boolean isAllowedToAuthenticate(String username, long directoryId, Application application)
  Determines if a user is permitted to attempt authentication with a given application.
- protected boolean isExpired
- protected Pair<Token,Boolean> maybeUpdateLastAccessedTime(Token token)
- void removeExpiredTokens()
  Removes all tokens that have exceeded their expiry time.
- Token validateApplicationToken(String tokenKey, ValidationFactor[] clientValidationFactors)
  Validates an application token key given validation factors.
- Token validateUserToken(Application application, String userTokenKey, ValidationFactor[] validationFactors)
  Validates a user token key given validation factors and checks that the user is allowed to authenticate with the specified application.

Field Details
- RECENT_TOKENS_CACHE_SIZE_SYSTEM_PROPERTY_NAME
- RECENT_TOKENS_CACHE_TTL_SYSTEM_PROPERTY_NAME

Constructor Details

TokenAuthenticationManagerImpl
public TokenAuthenticationManagerImpl(SessionTokenStorage tokenManager, ApplicationDAO applicationDao, TokenFactory tokenFactory, com.atlassian.cache.Cache<String, Boolean> cache, com.atlassian.event.api.EventPublisher eventPublisher, PropertyManager propertyManager, DirectoryManager directoryManager, ApplicationManager applicationManager, ApplicationService applicationService, Clock clock)

Method Details

invalidateToken
Description copied from interface: TokenAuthenticationManager
Attempts to invalidate a Token based on the passed in Token key (random hash). If the token does not exist (ie. already invalidated) this method returns Optional.empty(). If an existing token is successfully invalidated, a TokenInvalidatedEvent is fired, and the invalidated token is returned.
- Specified by: invalidateToken in interface TokenAuthenticationManager
- Parameters:
tokenKey - the token key (random hash) to invalidate.

invalidateAllTokens
public void invalidateAllTokens()
Description copied from interface: TokenAuthenticationManager
Invalidates all user and application tokens. This means it will also invalidate the token of the calling application.
- Specified by: invalidateAllTokens in interface TokenAuthenticationManager

removeExpiredTokens
public void removeExpiredTokens()
Description copied from interface: TokenAuthenticationManager
Removes all tokens that have exceeded their expiry time. NOTE: Do not call this method from the web layer, as this is wrapped in a Spring managed transaction.
- Specified by: removeExpiredTokens in interface TokenAuthenticationManager

findUserByToken
public User findUserByToken(Token token, Application application) throws InvalidTokenException, OperationFailedException
Description copied from interface: TokenAuthenticationManager
Will find a user via the passed in token.
- Specified by: findUserByToken in interface TokenAuthenticationManager
- Parameters:
token - the token
application - the application to do the lookup for
- Returns: the User associated to the given token
- Throws:
InvalidTokenException - if the User or Directory cannot be found that relates to the given token, or the token is associated to an Application and not a User
OperationFailedException - if there was an issue accessing the user from the underlying directory

findUserTokenByKey
public Token findUserTokenByKey(String tokenKey, Application application) throws InvalidTokenException, ApplicationAccessDeniedException, OperationFailedException
Description copied from interface: TokenAuthenticationManager
Returns the token matching a given key.
- Specified by: findUserTokenByKey in interface TokenAuthenticationManager
- Parameters:
tokenKey - the token key
application - the application to do the lookup for
- Returns: the Token with the given token key
- Throws:
InvalidTokenException - if the token cannot be found by the given key, or the token is associated to an Application and not a User
ApplicationAccessDeniedException - the user is not allowed to authenticate with the application.
OperationFailedException - if there was an issue accessing the user from the underlying directory

findAuthorisedApplications
public List<Application> findAuthorisedApplications(User user, String applicationName) throws OperationFailedException, DirectoryNotFoundException
Description copied from interface: TokenAuthenticationManager
Returns a list of applications a user is authorised to authenticate with. NOTE: this is a potentially expensive call, iterating all applications and all group mappings for each application and determining group membership, ie. expense = number of applications * number of group mappings per application.
- Specified by: findAuthorisedApplications in interface TokenAuthenticationManager
- Parameters:
user - user to search for.
applicationName - name of the current application
- Returns: list of applications.
- Throws:
OperationFailedException - if there was an error querying directory.
DirectoryNotFoundException - if the directory could not be found.

authenticateApplication
public Token authenticateApplication(Application application, ApplicationAuthenticationContext authenticationContext, TokenLifetime tokenLifetime) throws InvalidAuthenticationException
Description copied from interface: TokenAuthenticationManager
Authenticates an application and generates an authentication token.
- Specified by: authenticateApplication in interface TokenAuthenticationManager
- Parameters:
application - the application being authenticated
authenticationContext - application authentication credentials.
tokenLifetime - Requested lifetime of the token
- Returns: generated authentication token.
- Throws:
InvalidAuthenticationException - authentication was not successful because either the application does not exist, the password is incorrect, the application is inactive or there was a problem generating the authentication token.

authenticateApplicationWithoutValidatingPassword
public Token authenticateApplicationWithoutValidatingPassword(Application application, ApplicationAuthenticationContext authenticationContext, TokenLifetime tokenLifetime) throws InvalidAuthenticationException
Description copied from interface: TokenAuthenticationManager
Authenticates an application and generates an authentication token, ignoring the credentials. This method should only be used to generate a token for an application that has already authenticated via some other means (eg. TLS client certificates) as this method bypasses any password checks.
- Specified by: authenticateApplicationWithoutValidatingPassword in interface TokenAuthenticationManager
- Parameters:
application - the application being authenticated
authenticationContext - application authentication credentials.
tokenLifetime - Requested lifetime of the token
- Returns: generated authentication token.
- Throws:
InvalidAuthenticationException - authentication was not successful because either the application does not exist, the application is inactive or there was a problem generating the authentication token.

authenticateUser
public Token authenticateUser(Application application, UserAuthenticationContext authenticationContext, boolean validatePassword, TokenLifetime tokenLifetime) throws InvalidAuthenticationException, OperationFailedException, InactiveAccountException, ApplicationAccessDeniedException, ExpiredCredentialException

authenticateUser
public Token authenticateUser(Application application, UserAuthenticationContext authenticateContext, TokenLifetime tokenLifetime) throws InvalidAuthenticationException, OperationFailedException, InactiveAccountException, ApplicationAccessDeniedException, ExpiredCredentialException
Description copied from interface: TokenAuthenticationManager
Authenticates a user and generates an authentication token. The password of the user is validated before generating a token. The RemoteDirectory.authenticate(String, com.atlassian.crowd.embedded.api.PasswordCredential) method is iteratively called for each assigned directory. If the user does not exist in one directory, the directory is skipped and the next one is examined. If the user does not exist in any of the assigned directories then an InvalidAuthenticationException is thrown.
- Specified by: authenticateUser in interface TokenAuthenticationManager
- Parameters:
authenticateContext - The authentication details for the user.
tokenLifetime - Requested lifetime of the token
- Returns: The authenticated token for the user.
- Throws:
InvalidAuthenticationException - The authentication was not successful.
OperationFailedException - error thrown by directory implementation when attempting to find or authenticate the user.
InactiveAccountException - user account is inactive.
ApplicationAccessDeniedException - user does not have access to authenticate with application.
ExpiredCredentialException - the user's credentials have expired. The user must change their credentials in order to successfully authenticate.

authenticateUserWithoutValidatingPassword
public Token authenticateUserWithoutValidatingPassword(Application application, UserAuthenticationContext authenticateContext) throws InvalidAuthenticationException, OperationFailedException, InactiveAccountException, ApplicationAccessDeniedException
Description copied from interface: TokenAuthenticationManager
Feigns the authentication process for a user and creates a token for the authentication without validating the password. This method should only be used to generate a token for a user that has already authenticated credentials via some other means (eg. SharePoint NTLM connector) as this method bypasses any password checks. If you want actual password authentication, use the TokenAuthenticationManager.authenticateUser(Application, UserAuthenticationContext, TokenLifetime) method.
- Specified by: authenticateUserWithoutValidatingPassword in interface TokenAuthenticationManager
- Parameters:
authenticateContext - The authentication details for the user.
- Returns: The authenticated token for the user.
- Throws:
InvalidAuthenticationException - if the authentication was not successful.
OperationFailedException - if the error thrown by directory implementation when attempting to find or authenticate the user.
InactiveAccountException - if the user account is inactive.
ApplicationAccessDeniedException - if the user does not have access to authenticate with application.

validateApplicationToken
public Token validateApplicationToken(String tokenKey, ValidationFactor[] clientValidationFactors) throws InvalidTokenException
Description copied from interface: TokenAuthenticationManager
Validates an application token key given validation factors.
- Specified by: validateApplicationToken in interface TokenAuthenticationManager
- Parameters:
tokenKey - returns a valid token corresponding to the tokenKey.
clientValidationFactors - validation factors for generating the token hash.
- Returns: validated token.
- Throws:
InvalidTokenException - if the tokenKey or corresponding client validation factors do not represent a valid application token.

validateUserToken
public Token validateUserToken(Application application, String userTokenKey, ValidationFactor[] validationFactors) throws InvalidTokenException, ApplicationAccessDeniedException, OperationFailedException
Description copied from interface: TokenAuthenticationManager
Validates a user token key given validation factors and checks that the user is allowed to authenticate with the specified application.
- Specified by: validateUserToken in interface TokenAuthenticationManager
- Parameters:
application - the application performing the authentication
userTokenKey - returns a valid token corresponding to the tokenKey.
validationFactors - validation factors for generating the token hash.
- Returns: validated authentication token.
- Throws:
InvalidTokenException - if the userTokenKey or corresponding validationFactors do not represent a valid SSO token.
ApplicationAccessDeniedException - the user is not allowed to authenticate with the application.
OperationFailedException - there was an error communicating with an underlying directory when determining if a user is allowed to authenticate with the application (eg. if a user has the appropriate group memberships).

activeValidationFactors

generateUserToken
protected org.apache.commons.lang3.tuple.Pair<Token,Boolean> generateUserToken(long directoryID, AuthenticationContext authenticationContext, TokenLifetime tokenLifetime) throws InvalidTokenException, OperationFailedException
This method will return a Token based on the passed in parameters. If a token already exists in the datastore, this token will be returned with an updated lastAccessed time. If a token is not found based on the passed in parameters a new Token will be generated and stored in the datastore.
- Parameters:
directoryID - the directoryID you wish to generate a Token for
authenticationContext - holder for the required attributes to authenticate against the Crowd server
tokenLifetime - requested lifetime of the token
- Returns: a pair of Token and boolean indicating whether lastAccessedTime was updated
- Throws:
InvalidTokenException - if there was an issue generating the key for a token.
OperationFailedException - if adding the new token failed

genericValidateToken
protected org.apache.commons.lang3.tuple.Pair<Token,Boolean> genericValidateToken(String token, ValidationFactor[] validationFactors) throws InvalidTokenException
Will validate a token key with the given ValidationFactor's against one (if it exists) in the datastore.
- Parameters:
token - the key of a Token
validationFactors - the ValidationFactor's that are being used for authentication
- Returns: the existing token if there is a match and boolean indicating whether lastAccessed time was updated
- Throws:
InvalidTokenException - thrown if the token keys are not equal, or the token has expired, or the token does not exist

maybeUpdateLastAccessedTime
protected org.apache.commons.lang3.tuple.Pair<Token,Boolean> maybeUpdateLastAccessedTime(Token token) throws ObjectNotFoundException
- Throws:
ObjectNotFoundException

isExpired

isAllowedToAuthenticate
protected boolean isAllowedToAuthenticate(String username, long directoryId, Application application) throws OperationFailedException, DirectoryNotFoundException
Determines if a user is permitted to attempt authentication with a given application. For a user to have access to an application:
- the Application must be active.
And either:
- the User is stored in a directory which is associated to the Application and the "allow all to authenticate" flag is true.
- the User is a member of a Group that is allowed to authenticate with the Application and both the User and Group are from the same RemoteDirectory.
Note that this call is not cached and does not affect the cache.
- Parameters:
application - application the user wants to authenticate with.
username - the username of the user that wants to authenticate with the application.
directoryId - the directoryId of the user that wants to authenticate with the application.
- Returns: true iff the user is permitted to attempt authentication with the application.
- Throws:
OperationFailedException - if the directory implementation could not be loaded when performing a membership check.
DirectoryNotFoundException

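The validateUserToken path this page documents, as an added example (not Crowd's own code): genericValidateToken first rejects a token that does not exist, has expired, or whose key does not match the presented validation factors, and the isAllowedToAuthenticate rules then require an active application and either the directory's "allow all to authenticate" flag or membership of an allowed group from the user's own directory. The Python classes, the factor-hash construction, the last-accessed update interval and the sample data below are assumptions made for illustration; only the decision rules come from the page.

```python
"""Model of validateUserToken = genericValidateToken + isAllowedToAuthenticate.
Added example, not Crowd's code: classes, hashing scheme and data are assumptions."""
from dataclasses import dataclass
import hashlib
import hmac


class InvalidTokenException(Exception):
    pass


class ApplicationAccessDeniedException(Exception):
    pass


class DirectoryNotFoundException(Exception):
    pass


@dataclass(frozen=True)
class ValidationFactor:
    name: str
    value: str


@dataclass
class Token:
    key: str              # random hash the client presents
    username: str
    directory_id: int
    expires_at: float     # absolute expiry, epoch seconds
    factor_hash: str      # digest of the factors captured at issue time (assumption)
    last_accessed: float


@dataclass
class Application:
    name: str
    active: bool
    directory_mappings: dict   # directory_id -> "allow all to authenticate" flag
    allowed_groups: set        # {(directory_id, group_name)} permitted to authenticate


@dataclass
class Directory:
    id: int
    memberships: dict          # username -> set of group names


LAST_ACCESSED_UPDATE_INTERVAL = 60.0   # seconds; arbitrary value for the model


def factors_hash(factors) -> str:
    # Order-independent digest over name=value pairs (assumption, not Crowd's scheme).
    material = "\n".join(sorted(f"{f.name}={f.value}" for f in factors))
    return hashlib.sha256(material.encode()).hexdigest()


def generic_validate_token(store, key, factors, now):
    """Mirror of genericValidateToken: missing, expired or mismatching token fails."""
    token = store.get(key)
    if token is None:
        raise InvalidTokenException("token does not exist")
    if now >= token.expires_at:
        raise InvalidTokenException("token has expired")
    if not hmac.compare_digest(token.factor_hash, factors_hash(factors)):
        raise InvalidTokenException("token keys are not equal")
    # maybeUpdateLastAccessedTime: second element reports whether lastAccessed was bumped.
    updated = now - token.last_accessed >= LAST_ACCESSED_UPDATE_INTERVAL
    if updated:
        token.last_accessed = now
    return token, updated


def is_allowed_to_authenticate(username, directory_id, application, directories) -> bool:
    """Documented rules: active application, then directory flag or same-directory group."""
    if not application.active:
        return False
    if application.directory_mappings.get(directory_id) is True:
        return True
    directory = directories.get(directory_id)
    if directory is None:
        raise DirectoryNotFoundException(directory_id)
    groups = directory.memberships.get(username, set())
    # The user and the allowed group must come from the same directory.
    return any((directory_id, g) in application.allowed_groups for g in groups)


def validate_user_token(store, directories, application, key, factors, now):
    token, _ = generic_validate_token(store, key, factors, now)
    if not is_allowed_to_authenticate(token.username, token.directory_id, application, directories):
        raise ApplicationAccessDeniedException(token.username)
    return token


# Constructed sample data: carol's group shares its name with the allowed one but lives in
# a different directory, so the same-directory rule denies her.
FACTORS = (ValidationFactor("remote_address", "10.0.0.5"), ValidationFactor("X-Forwarded-For", "203.0.113.9"))
DIRECTORIES = {1: Directory(1, {"alice": {"jira-users"}, "bob": set()}),
               2: Directory(2, {"carol": {"jira-users"}})}
APP = Application("jira", True, {1: False, 2: False}, {(1, "jira-users")})
STORE = {"tok-alice": Token("tok-alice", "alice", 1, 2000.0, factors_hash(FACTORS), 0.0),
         "tok-bob": Token("tok-bob", "bob", 1, 2000.0, factors_hash(FACTORS), 0.0),
         "tok-carol": Token("tok-carol", "carol", 2, 2000.0, factors_hash(FACTORS), 0.0),
         "tok-old": Token("tok-old", "alice", 1, 500.0, factors_hash(FACTORS), 0.0)}


def outcome(key, factors=FACTORS, now=1000.0) -> str:
    """Run the validation path and name the result."""
    try:
        return "ok:" + validate_user_token(STORE, DIRECTORIES, APP, key, factors, now).username
    except InvalidTokenException as e:
        return "invalid:" + str(e)
    except ApplicationAccessDeniedException:
        return "denied"


if __name__ == "__main__":
    for k in ("tok-alice", "tok-bob", "tok-carol", "tok-old", "tok-none"):
        print(k, "->", outcome(k))
    print("tok-alice, other factors ->", outcome("tok-alice", (ValidationFactor("remote_address", "198.51.100.1"),)))
```

Running the block walks one token through each documented failure: a missing or expired key and a validation-factor mismatch are all InvalidTokenException, while a valid token for a user outside the allowed directory or group is ApplicationAccessDeniedException, which is why a caller cannot treat the two as the same condition.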
invalidateTokensForUser
public void invalidateTokensForUser(String username, @Nullable String exclusionToken, String applicationName) throws UserNotFoundException, ApplicationNotFoundException
Description copied from interface: TokenAuthenticationManager
Invalidates all sessions for a user, possibly excluding a specific one.
- Specified by: invalidateTokensForUser in interface TokenAuthenticationManager
- Parameters:
exclusionToken - the random hash of a token to leave valid
applicationName - name of the current application
- Throws:
UserNotFoundException
ApplicationNotFoundException

getTokenExpiryTime
Description copied from interface: TokenAuthenticationManager
Returns the expiry time of a token.
- Specified by: getTokenExpiryTime in interface TokenAuthenticationManager
- Parameters:
token - a token
- Returns: the expiry time for the given token