Class CmsLoginManager

java.lang.Object
org.opencms.db.CmsLoginManager

public class CmsLoginManager extends Object
Provides functions used to check the validity of a user login.

Stores invalid login attempts and disables a user account temporarily in case the configured threshold of invalid logins is reached.

The invalid login attempt storage operates on a combination of user name, login remote IP address and user type. This means that a user can be disabled for one remote IP, but still be enabled for another remote IP. The same keying means that failed attempts spread over several source addresses each count against a separate entry, and that the address counted is whatever the caller passes as the remote address, so a caller behind a reverse proxy that passes the proxy's address would lock all of that proxy's clients at once.

Also allows logins to be temporarily disallowed (for example during maintenance work on the system).

Since:
6.0.0
  • Field Details

  • Constructor Details

    • CmsLoginManager

      public CmsLoginManager(int disableMinutes, int maxBadAttempts, boolean enableSecurity, String tokenLifetime, String maxInactive, String passwordChangeInterval, String userDataCheckInterval, boolean requireOrgUnit, String logoutUri)
      Creates a new storage for invalid logins.

      Parameters:
      disableMinutes - the minutes to disable an account if the threshold is reached
      maxBadAttempts - the number of bad login attempts allowed before an account is temporarily disabled
      enableSecurity - flag to determine if the security option should be enabled on the login dialog
      tokenLifetime - the lifetime of authorization tokens, i.e. the time for which they are valid
      maxInactive - maximum inactivity time
      passwordChangeInterval - the password change interval
      userDataCheckInterval - the user data check interval
      requireOrgUnit - if true, should require organizational unit selection on login
      logoutUri - the alternative logout handler URI
  • Method Details

    • canLockBecauseOfInactivity

      public boolean canLockBecauseOfInactivity(CmsObject cms, CmsUser user)
      Checks whether a user account can be locked because of inactivity.
      Parameters:
      cms - the CMS context
      user - the user to check
      Returns:
      true if the user may be locked after being inactive for too long
    • checkInactive

      public boolean checkInactive(CmsUser user)
      Checks whether the given user has been inactive for longer than the configured limit.

      If no max inactivity time is configured, always returns false.

      Parameters:
      user - the user to check
      Returns:
      true if the user has been inactive for longer than the configured limit
    • checkInvalidLogins

      public void checkInvalidLogins(String userName, String remoteAddress) throws CmsAuthentificationException
      Checks if the threshold for the invalid logins has been reached for the given user.

      In case the configured threshold is reached, an Exception is thrown.

      Parameters:
      userName - the name of the user
      remoteAddress - the remote address (IP) from which the login attempt was made
      Throws:
      CmsAuthentificationException - in case the threshold of invalid login attempts has been reached
    • checkLoginAllowed

      Checks if a login is currently allowed.

      In case no logins are allowed, an Exception is thrown.

      Throws:
      CmsAuthentificationException - in case no logins are allowed
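The maintenance case mentioned in the class description is driven by the login message: a message with login forbidden set makes checkLoginAllowed throw, and only a CmsRole.ROOT_ADMIN context may set or remove it. The following is an added example, not OpenCms code and not part of this Javadoc. It assumes the message type is org.opencms.db.CmsLoginMessage with a (start, end, text, loginForbidden) constructor, that OpenCms.getLoginManager() returns the configured manager, and that the caller already holds a root-admin CmsObject; none of that is stated on this page.

```java
import org.opencms.db.CmsLoginManager;
import org.opencms.db.CmsLoginMessage;
import org.opencms.file.CmsObject;
import org.opencms.main.OpenCms;
import org.opencms.security.CmsAuthentificationException;
import org.opencms.security.CmsRoleViolationException;

/** Added example: announce and enforce a maintenance window through the login manager. */
public class MaintenanceWindow {

    /**
     * Forbids logins between startMillis and endMillis (epoch milliseconds) and shows
     * 'text' on the login form. The context must hold CmsRole.ROOT_ADMIN, otherwise
     * setLoginMessage() throws CmsRoleViolationException.
     * CmsLoginMessage and its constructor signature are assumptions of this example.
     */
    public static void enable(CmsObject rootAdminCms, long startMillis, long endMillis, String text)
        throws CmsRoleViolationException {

        CmsLoginManager manager = OpenCms.getLoginManager();
        // loginForbidden = true is what turns the announcement into a block
        CmsLoginMessage message = new CmsLoginMessage(startMillis, endMillis, text, true);
        manager.setLoginMessage(rootAdminCms, message);
    }

    /** Lifts the block early; same role requirement as enable(). */
    public static void disable(CmsObject rootAdminCms) throws CmsRoleViolationException {
        OpenCms.getLoginManager().removeLoginMessage(rootAdminCms);
    }

    /**
     * First check in a custom login handler: it needs no credentials, so password
     * verification and failed-attempt bookkeeping never run while the window is active.
     * A false result is a maintenance notice for the user, not an authentication failure,
     * and should not be logged or counted as one.
     */
    public static boolean loginsCurrentlyAllowed() {
        try {
            OpenCms.getLoginManager().checkLoginAllowed();
            return true;
        } catch (CmsAuthentificationException e) {
            return false;
        }
    }

    /** Usage: block logins for the next two hours. */
    public static void blockForTwoHours(CmsObject rootAdminCms) throws CmsRoleViolationException {
        long now = System.currentTimeMillis();
        enable(rootAdminCms, now, now + 2L * 60 * 60 * 1000, "System maintenance, please try again later.");
    }
}
```

Because setLoginMessage and removeLoginMessage perform their own role check, the CmsObject handed to enable() and disable() is the only credential involved; do not wrap these calls in a context created for a less privileged user just to make them succeed.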
    • getBeforeLoginMessage

      Returns the current before login message that is displayed on the login form.

      If null is returned, no before login message is currently set.

      Returns:
      the current before login message that is displayed on the login form
    • getDisableMinutes

      public int getDisableMinutes()
      Returns the minutes an account gets disabled after too many failed login attempts.

      Returns:
      the minutes an account gets disabled after too many failed login attempts
    • getLoginMessage

      Returns the current login message that is displayed if a user logs in.

      If null is returned, no login message is currently set.

      Returns:
      the current login message that is displayed if a user logs in
    • getLogoutUri

      public String getLogoutUri()
      Gets the logout URI.

      If this is not null, users will be redirected to this JSP when logging out from the workplace or page editor. The JSP is responsible for invalidating the user's session.

      Returns:
      the logout URI
    • getMaxBadAttempts

      public int getMaxBadAttempts()
      Returns the number of bad login attempts allowed before an account is temporarily disabled.

      Returns:
      the number of bad login attempts allowed before an account is temporarily disabled
    • getMaxInactive

      Gets the max inactivity time.

      Returns:
      the max inactivity time
    • getPasswordChangeInterval

      Gets the password change interval.

      Returns:
      the password change interval
    • getPasswordChangeIntervalStr

      Gets the raw password change interval string.

      Returns:
      the configured string for the password change interval
    • getTokenLifetime

      public long getTokenLifetime()
      Gets the authorization token lifetime in milliseconds.

      Returns:
      the authorization token lifetime in milliseconds
    • getTokenLifetimeStr

      Gets the configured token lifetime as a string.

      Returns:
      the configured token lifetime as a string
    • getUserDataCheckInterval

      public long getUserDataCheckInterval()
      Gets the user data check interval.

      Returns:
      the user data check interval
    • getUserDataCheckIntervalStr

      Gets the raw user data check interval string.

      Returns:
      the configured string for the user data check interval
    • isEnableSecurity

      public boolean isEnableSecurity()
      Returns if the security option should be enabled on the login dialog.

      Returns:
      true if the security option should be enabled on the login dialog, otherwise false
    • isExcludedFromPasswordReset

      public boolean isExcludedFromPasswordReset(CmsObject cms, CmsUser user)
      Checks if the user should be excluded from password reset.
      Parameters:
      cms - the CmsObject to use
      user - the user to check
      Returns:
      true if the user should be excluded from password reset
    • isOrgUnitRequired

      public boolean isOrgUnitRequired()
      Returns true if organizational unit selection should be required on login.
      Returns:
      true if org unit selection should be required
    • isPasswordReset

      public boolean isPasswordReset(CmsObject cms, CmsUser user)
      Checks if password has to be reset.

      Parameters:
      cms - CmsObject
      user - CmsUser
      Returns:
      true if password should be reset
    • isUserLocked

      public boolean isUserLocked(CmsUser user)
      Checks if a user is locked due to too many failed logins.

      Parameters:
      user - the user to check
      Returns:
      true if the user is locked
    • isUserTempDisabled

      public boolean isUserTempDisabled(String username)
      Checks if the given user is temporarily locked because of too many failed login attempts.

      Parameters:
      username - the name of the user to check
      Returns:
      true if the user is temporarily locked
    • removeLoginMessage

      Removes the current login message.

      This operation requires that the current user has role permissions of CmsRole.ROOT_ADMIN.

      Parameters:
      cms - the current OpenCms user context
      Throws:
      CmsRoleViolationException - in case the current user does not have the required role permissions
    • requiresPasswordChange

      public boolean requiresPasswordChange(CmsObject cms, CmsUser user)
      Checks if a user is required to change his password now.

      Parameters:
      cms - the current CMS context
      user - the user to check
      Returns:
      true if the user should be asked to change his password
    • requiresUserDataCheck

      public boolean requiresUserDataCheck(CmsObject cms, CmsUser user)
      Checks if a user is required to check (confirm) his user data now.

      Parameters:
      cms - the current CMS context
      user - the user to check
      Returns:
      true if the user should be asked to check his user data
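The account-state methods above (isUserLocked, checkInactive, canLockBecauseOfInactivity, isPasswordReset, isExcludedFromPasswordReset, requiresPasswordChange, requiresUserDataCheck) are independent boolean queries; a login handler has to combine them and decide in which order they win. The following added example (not OpenCms code, not part of this Javadoc) evaluates them after a successful authentication: hard denials first, then mandatory interactions, then allow. The LoginPolicy enum, the choice to guard isPasswordReset with isExcludedFromPasswordReset, and the use of OpenCms.getLoginManager() to obtain the configured manager are this example's own assumptions.

```java
import org.opencms.db.CmsLoginManager;
import org.opencms.file.CmsObject;
import org.opencms.file.CmsUser;
import org.opencms.main.OpenCms;

/** Hypothetical outcome type for this example; OpenCms has no such enum. */
enum LoginPolicy {
    DENY_LOCKED,            // too many failed attempts, needs unlockUser() by an account manager
    DENY_INACTIVE,          // inactive past the configured limit and eligible for locking
    FORCE_PASSWORD_CHANGE,  // must change password before continuing
    FORCE_USER_DATA_CHECK,  // must confirm user data before continuing
    ALLOW
}

/** Added example: one defensible ordering of the login manager's account-state checks. */
public class PostLoginPolicy {

    /**
     * 'cms' must be a context able to read 'user' (for example the context just
     * created by the successful login). The order is deliberate: a locked or stale
     * account is refused before the user is asked to do anything.
     */
    public static LoginPolicy evaluate(CmsLoginManager manager, CmsObject cms, CmsUser user) {
        // Lock from exceeded failed-login count; only unlockUser() clears it.
        if (manager.isUserLocked(user)) {
            return LoginPolicy.DENY_LOCKED;
        }
        // checkInactive() is always false when no max inactivity time is configured,
        // so this branch is inert on installations without that setting.
        if (manager.checkInactive(user) && manager.canLockBecauseOfInactivity(cms, user)) {
            return LoginPolicy.DENY_INACTIVE;
        }
        // Forced reset (unless the user is excluded from resets) or an expired
        // password change interval both end in the same required interaction.
        boolean forcedReset = !manager.isExcludedFromPasswordReset(cms, user)
            && manager.isPasswordReset(cms, user);
        if (forcedReset || manager.requiresPasswordChange(cms, user)) {
            return LoginPolicy.FORCE_PASSWORD_CHANGE;
        }
        // Periodic confirmation of user data, driven by the user data check interval.
        if (manager.requiresUserDataCheck(cms, user)) {
            return LoginPolicy.FORCE_USER_DATA_CHECK;
        }
        return LoginPolicy.ALLOW;
    }

    /** Convenience overload using the manager configured for this OpenCms instance. */
    public static LoginPolicy evaluate(CmsObject cms, CmsUser user) {
        return evaluate(OpenCms.getLoginManager(), cms, user);
    }
}
```

The two DENY outcomes should terminate the session that the successful authentication just created; a handler that only redirects to an error page leaves a usable session behind for an account the policy has just refused.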
    • resetUserTempDisable

      public void resetUserTempDisable(String username)
      Resets the temporary lock for the given user.

      Parameters:
      username - the name of the user to reset the lock for
    • setBeforeLoginMessage

      Sets the before login message to display on the login form.

      This operation requires that the current user has role permissions of CmsRole.ROOT_ADMIN.

      Parameters:
      cms - the current OpenCms user context
      message - the message to set
      Throws:
      CmsRoleViolationException - in case the current user does not have the required role permissions
    • setLoginMessage

      Sets the login message to display if a user logs in.

      This operation requires that the current user has role permissions of CmsRole.ROOT_ADMIN.

      Parameters:
      cms - the current OpenCms user context
      message - the message to set
      Throws:
      CmsRoleViolationException - in case the current user does not have the required role permissions
    • unlockUser

      public void unlockUser(CmsObject cms, CmsUser user) throws CmsRoleViolationException
      Unlocks a user who has exceeded his number of failed login attempts so that he can try to log in again.

      This requires the "account manager" role.

      Parameters:
      cms - the current CMS context
      user - the user to unlock
      Throws:
      CmsRoleViolationException - if the permission check fails
    • addInvalidLogin

      protected void addInvalidLogin(String userName, String remoteAddress)
      Adds an invalid attempt to login for the given user / IP to the storage.

      In case the configured threshold is reached, the user is disabled for the configured time.

      Parameters:
      userName - the name of the user
      remoteAddress - the remote address (IP) from which the login attempt was made
    • removeInvalidLogins

      protected void removeInvalidLogins(String userName, String remoteAddress)
      Removes all invalid attempts to login for the given user / IP.

      Parameters:
      userName - the name of the user
      remoteAddress - the remote address (IP) from which the login attempt was made
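The following added example (not OpenCms code, not part of this Javadoc) exercises the per-user-and-IP lockout described for checkInvalidLogins and addInvalidLogin. Because addInvalidLogin is protected, it subclasses CmsLoginManager to record failed attempts, then shows that checkInvalidLogins refuses the attacking address while the same user from another address is still accepted, and that resetUserTempDisable clears the lock. The constructor values, the "2d"/"90d" duration string format and the two IP addresses are constructed for the demo and are not taken from this page.

```java
import org.opencms.db.CmsLoginManager;
import org.opencms.security.CmsAuthentificationException;

/**
 * Added example: feeds failed logins into a CmsLoginManager and observes the
 * resulting per-(user, remote address) lock. addInvalidLogin() is protected,
 * hence the subclass; in a running OpenCms the core login path records attempts itself.
 */
public class LockoutDemo extends CmsLoginManager {

    // Assumed settings: lock for 5 minutes after 3 bad attempts. The duration strings
    // follow the "<n>d" style of opencms-system.xml (an assumption, not from this page).
    public LockoutDemo() {
        super(
            5,       // disableMinutes
            3,       // maxBadAttempts
            true,    // enableSecurity
            "2d",    // tokenLifetime
            "90d",   // maxInactive
            "180d",  // passwordChangeInterval
            "365d",  // userDataCheckInterval
            false,   // requireOrgUnit
            null);   // logoutUri: none, default logout handling
    }

    /** Records one failed attempt for the user/address pair. */
    public void recordFailedLogin(String userName, String remoteAddress) {
        addInvalidLogin(userName, remoteAddress);
    }

    /** True if checkInvalidLogins() currently refuses this user/address pair. */
    public static boolean isLockedFor(CmsLoginManager manager, String userName, String remoteAddress) {
        try {
            manager.checkInvalidLogins(userName, remoteAddress);
            return false;
        } catch (CmsAuthentificationException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        LockoutDemo manager = new LockoutDemo();
        String user = "Admin";
        String attackerIp = "203.0.113.10"; // constructed, documentation range
        String officeIp = "198.51.100.7";   // constructed, documentation range

        // Cross the configured threshold from one address only.
        for (int i = 0; i <= manager.getMaxBadAttempts(); i++) {
            manager.recordFailedLogin(user, attackerIp);
        }

        // The storage is keyed on user + remote address: the attacker's address is
        // refused, the office address is not, and isUserTempDisabled() reports the user.
        System.out.println("locked from " + attackerIp + ": " + isLockedFor(manager, user, attackerIp));
        System.out.println("locked from " + officeIp + ": " + isLockedFor(manager, user, officeIp));
        System.out.println("temporarily disabled: " + manager.isUserTempDisabled(user));

        // An operator clearing the lock instead of waiting getDisableMinutes() minutes.
        manager.resetUserTempDisable(user);
        System.out.println("after reset, locked from " + attackerIp + ": "
            + isLockedFor(manager, user, attackerIp));
    }
}
```

The second println is the point of the example: with the lock scoped to the address, a legitimate user is not denied service by an attacker elsewhere, but an attacker who rotates addresses restarts the counter each time. Rate limiting at the network edge, or an account-level lock such as the one isUserLocked reports, has to cover that case.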