Class CmsLoginManager


  • public class CmsLoginManager
    extends java.lang.Object
    Provides functions used to check the validity of a user login.

    Stores invalid login attempts and disables a user account temporarily in case the configured threshold of invalid logins is reached.

    The invalid login attempt storage operates on a combination of user name, login remote IP address and user type. This means that a user can be disabled for one remote IP, but still be enabled for another remote IP.

    Also allows logins to be temporarily disallowed (for example during maintenance work on the system).

    Since:
    6.0.0
    • Field Summary

      Fields 
      Modifier and Type Field Description
      static long DEFAULT_TOKEN_LIFETIME
      Default token lifetime.
      static int DISABLE_MINUTES_DEFAULT
      Default lock time if the threshold for bad login attempts is reached.
      static boolean ENABLE_SECURITY_DEFAULT
      Default setting for the security option.
      static java.lang.String KEY_SEPARATOR
      Separator used for storage keys.
      protected int m_disableMillis
      The milliseconds to disable an account if the threshold is reached.
      protected int m_disableMinutes
      The minutes to disable an account if the threshold is reached.
      protected boolean m_enableSecurity
      The flag to determine if the security option should be enabled on the login dialog.
      protected int m_maxBadAttempts
      The number of bad login attempts allowed before an account is temporarily disabled.
      protected java.util.Map<java.lang.String,​org.opencms.db.CmsLoginManager.CmsUserData> m_storage
      The storage for the bad login attempts.
      protected java.lang.String m_tokenLifetimeStr
      The token lifetime.
      static int MAX_BAD_ATTEMPTS_DEFAULT
      Default for bad login attempts.
      protected static java.util.Map<java.lang.String,​java.util.Set<org.opencms.db.CmsLoginManager.CmsUserData>> TEMP_DISABLED_USER
      Map holding user names and user data for users that are currently locked.
    • Constructor Summary

      Constructors 
      Constructor Description
      CmsLoginManager​(int disableMinutes, int maxBadAttempts, boolean enableSecurity, java.lang.String tokenLifetime, java.lang.String maxInactive, java.lang.String passwordChangeInterval, java.lang.String userDataCheckInterval, boolean requireOrgUnit, java.lang.String logoutUri)
      Creates a new storage for invalid logins.
    • Field Detail

      • TEMP_DISABLED_USER

        protected static java.util.Map<java.lang.String,​java.util.Set<org.opencms.db.CmsLoginManager.CmsUserData>> TEMP_DISABLED_USER
        Map holding user names and user data for users that are currently locked.
      • m_disableMillis

        protected int m_disableMillis
        The milliseconds to disable an account if the threshold is reached.
      • m_disableMinutes

        protected int m_disableMinutes
        The minutes to disable an account if the threshold is reached.
      • m_enableSecurity

        protected boolean m_enableSecurity
        The flag to determine if the security option should be enabled on the login dialog.
      • m_maxBadAttempts

        protected int m_maxBadAttempts
        The number of bad login attempts allowed before an account is temporarily disabled.
      • m_storage

        protected java.util.Map<java.lang.String,​org.opencms.db.CmsLoginManager.CmsUserData> m_storage
        The storage for the bad login attempts.
    • Constructor Detail

      • CmsLoginManager

        public CmsLoginManager​(int disableMinutes,
                               int maxBadAttempts,
                               boolean enableSecurity,
                               java.lang.String tokenLifetime,
                               java.lang.String maxInactive,
                               java.lang.String passwordChangeInterval,
                               java.lang.String userDataCheckInterval,
                               boolean requireOrgUnit,
                               java.lang.String logoutUri)
        Creates a new storage for invalid logins.

        Parameters:
        disableMinutes - the minutes to disable an account if the threshold is reached
        maxBadAttempts - the number of bad login attempts allowed before an account is temporarily disabled
        enableSecurity - flag to determine if the security option should be enabled on the login dialog
        tokenLifetime - the lifetime of authorization tokens, i.e. the time for which they are valid
        maxInactive - maximum inactivity time
        passwordChangeInterval - the password change interval
        userDataCheckInterval - the user data check interval
        requireOrgUnit - if true, organizational unit selection is required on login
        logoutUri - the alternative logout handler URI
    • Method Detail

      • canLockBecauseOfInactivity

        public boolean canLockBecauseOfInactivity​(CmsObject cms,
                                                  CmsUser user)
        Checks whether a user account can be locked because of inactivity.
        Parameters:
        cms - the CMS context
        user - the user to check
        Returns:
        true if the user may be locked after being inactive for too long
      • checkInactive

        public boolean checkInactive​(CmsUser user)
        Checks whether the given user has been inactive for longer than the configured limit.

        If no max inactivity time is configured, always returns false.

        Parameters:
        user - the user to check
        Returns:
        true if the user has been inactive for longer than the configured limit
      • checkInvalidLogins

        public void checkInvalidLogins​(java.lang.String userName,
                                       java.lang.String remoteAddress)
                                throws CmsAuthentificationException
        Checks if the threshold for the invalid logins has been reached for the given user.

        In case the configured threshold is reached, an Exception is thrown.

        Parameters:
        userName - the name of the user
        remoteAddress - the remote address (IP) from which the login attempt was made
        Throws:
        CmsAuthentificationException - in case the threshold of invalid login attempts has been reached
      • getBeforeLoginMessage

        public CmsLoginMessage getBeforeLoginMessage()
        Returns the current before login message that is displayed on the login form.

        If null is returned, no before login message is currently set.

        Returns:
        the current before login message that is displayed on the login form
      • getDisableMinutes

        public int getDisableMinutes()
        Returns the minutes an account gets disabled after too many failed login attempts.

        Returns:
        the minutes an account gets disabled after too many failed login attempts
      • getLoginMessage

        public CmsLoginMessage getLoginMessage()
        Returns the current login message that is displayed if a user logs in.

        If null is returned, no login message is currently set.

        Returns:
        the current login message that is displayed if a user logs in
      • getLogoutUri

        public java.lang.String getLogoutUri()
        Gets the logout URI.

        If this is not null, users will be redirected to this JSP when logging out from the workplace or page editor. The JSP is responsible for invalidating the user's session.

        Returns:
        the logout URI
      • getMaxBadAttempts

        public int getMaxBadAttempts()
        Returns the number of bad login attempts allowed before an account is temporarily disabled.

        Returns:
        the number of bad login attempts allowed before an account is temporarily disabled
      • getMaxInactive

        public java.lang.String getMaxInactive()
        Gets the max inactivity time.

        Returns:
        the max inactivity time
      • getPasswordChangeInterval

        public long getPasswordChangeInterval()
        Gets the password change interval.

        Returns:
        the password change interval
      • getPasswordChangeIntervalStr

        public java.lang.String getPasswordChangeIntervalStr()
        Gets the raw password change interval string.

        Returns:
        the configured string for the password change interval
      • getTokenLifetime

        public long getTokenLifetime()
        Gets the authorization token lifetime in milliseconds.

        Returns:
        the authorization token lifetime in milliseconds
      • getTokenLifetimeStr

        public java.lang.String getTokenLifetimeStr()
        Gets the configured token lifetime as a string.

        Returns:
        the configured token lifetime as a string
      • getUserDataCheckInterval

        public long getUserDataCheckInterval()
        Gets the user data check interval.

        Returns:
        the user data check interval
      • getUserDataCheckIntervalStr

        public java.lang.String getUserDataCheckIntervalStr()
        Gets the raw user data check interval string.

        Returns:
        the configured string for the user data check interval
      • isEnableSecurity

        public boolean isEnableSecurity()
        Returns if the security option should be enabled on the login dialog.

        Returns:
        true if the security option should be enabled on the login dialog, otherwise false
      • isExcludedFromPasswordReset

        public boolean isExcludedFromPasswordReset​(CmsObject cms,
                                                   CmsUser user)
        Checks if the user should be excluded from password reset.
        Parameters:
        cms - the CmsObject to use
        user - the user to check
        Returns:
        true if the user should be excluded from password reset
      • isOrgUnitRequired

        public boolean isOrgUnitRequired()
        Returns true if organizational unit selection should be required on login.
        Returns:
        true if org unit selection should be required
      • isPasswordReset

        public boolean isPasswordReset​(CmsObject cms,
                                       CmsUser user)
        Checks if password has to be reset.

        Parameters:
        cms - CmsObject
        user - CmsUser
        Returns:
        true if password should be reset
      • isUserLocked

        public boolean isUserLocked​(CmsUser user)
        Checks if a user is locked due to too many failed logins.

        Parameters:
        user - the user to check
        Returns:
        true if the user is locked
      • isUserTempDisabled

        public boolean isUserTempDisabled​(java.lang.String username)
        Checks if the given user is temporarily locked.

        Parameters:
        username - the name of the user to check
        Returns:
        true if the user is locked
      • requiresPasswordChange

        public boolean requiresPasswordChange​(CmsObject cms,
                                              CmsUser user)
        Checks if a user is required to change his password now.

        Parameters:
        cms - the current CMS context
        user - the user to check
        Returns:
        true if the user should be asked to change his password
      • requiresUserDataCheck

        public boolean requiresUserDataCheck​(CmsObject cms,
                                             CmsUser user)
        Checks if a user is required to check (confirm or update) his user data now, based on the configured user data check interval.

        Parameters:
        cms - the current CMS context
        user - the user to check
        Returns:
        true if the user should be asked to check his user data
      • resetUserTempDisable

        public void resetUserTempDisable​(java.lang.String username)
        Resets the temporary lock for the given user.

        Parameters:
        username - the name of the user to reset the lock for
      • unlockUser

        public void unlockUser​(CmsObject cms,
                               CmsUser user)
                        throws CmsRoleViolationException
        Unlocks a user who has exceeded his number of failed login attempts so that he can try to log in again.

        This requires the "account manager" role.

        Parameters:
        cms - the current CMS context
        user - the user to unlock
        Throws:
        CmsRoleViolationException - if the permission check fails
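The login-side pre-check with checkInvalidLogins() and the administrative unlockUser() above, wired together in one worked example. This is added illustration code, not OpenCms's own and not from this Javadoc; beyond what this page documents it assumes that OpenCms.getLoginManager() returns the configured manager, that CmsObject.loginUser(String, String, String) authenticates and throws CmsAuthentificationException on wrong credentials, and that CmsObject.readUser(String) resolves a user name to a CmsUser.

```java
// Added example, not part of OpenCms or this Javadoc.
// Assumed (not documented on this page): OpenCms.getLoginManager(),
// CmsObject.loginUser(String, String, String) and CmsObject.readUser(String).
import org.opencms.db.CmsLoginManager;
import org.opencms.file.CmsObject;
import org.opencms.file.CmsUser;
import org.opencms.main.CmsException;
import org.opencms.main.OpenCms;
import org.opencms.security.CmsAuthentificationException;

public final class LockoutAwareLogin {

    /** Coarse outcome for the caller; the UI should not reveal more than this. */
    public enum Result { OK, LOCKED, BAD_CREDENTIALS }

    private LockoutAwareLogin() {
        // static helpers only
    }

    /**
     * Attempts a login, honouring the temporary lock for this (user name, remote IP).
     *
     * @param cms           a guest-context CmsObject, obtained by the caller
     * @param remoteAddress the client address the manager keys its counters on; behind a
     *                      reverse proxy pass the real client address, not the proxy's,
     *                      or every client behind the proxy shares one counter per user name
     */
    public static Result login(CmsObject cms, String userName, String password, String remoteAddress) {
        CmsLoginManager lm = OpenCms.getLoginManager();

        // Fail fast if the threshold has already been reached for this user name from this IP.
        // Locks are kept per (user name, IP, user type): a lock taken from another IP is not seen here.
        try {
            lm.checkInvalidLogins(userName, remoteAddress);
        } catch (CmsAuthentificationException e) {
            return Result.LOCKED;
        }

        try {
            cms.loginUser(userName, password, remoteAddress); // assumed CmsObject API
            return Result.OK;
        } catch (CmsAuthentificationException e) {
            // addInvalidLogin(...) is protected, so counting this failure is up to code inside
            // org.opencms.db; here we only ask whether the account is locked now.
            return lm.isUserTempDisabled(userName) ? Result.LOCKED : Result.BAD_CREDENTIALS;
        } catch (CmsException e) {
            // Any other failure (e.g. unknown user) is reported like a bad password so the
            // response does not distinguish existing from non-existing accounts.
            return Result.BAD_CREDENTIALS;
        }
    }

    /** Message for the LOCKED outcome, using the configured lock duration. */
    public static String lockedMessage() {
        return "Too many failed logins; try again in "
            + OpenCms.getLoginManager().getDisableMinutes() + " minutes.";
    }

    /**
     * Clears a lock on behalf of an administrator. unlockUser() enforces the account manager
     * role itself and throws CmsRoleViolationException (a CmsException) when adminCms lacks it,
     * so the caller's context, not this code, decides whether the action is allowed.
     *
     * @return true if the user is no longer locked after the call
     */
    public static boolean unlock(CmsObject adminCms, String userName) throws CmsException {
        CmsLoginManager lm = OpenCms.getLoginManager();
        CmsUser user = adminCms.readUser(userName); // assumed CmsObject API
        if (!lm.isUserLocked(user)) {
            return true; // nothing to do
        }
        lm.unlockUser(adminCms, user);
        return !lm.isUserLocked(user);
    }
}
```

Two points worth keeping in mind when using this pattern: the remoteAddress argument is part of the storage key, so the value passed must be the genuine client address (a trusted proxy's forwarded address, never a header the client can set freely), otherwise the per-IP lock either collapses onto one shared counter or is keyed on attacker-chosen input; and for clearing locks prefer unlockUser(cms, user), which this page documents as requiring the account manager role, over resetUserTempDisable(username), for which the page documents no permission check.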
      • addInvalidLogin

        protected void addInvalidLogin​(java.lang.String userName,
                                       java.lang.String remoteAddress)
        Adds an invalid attempt to login for the given user / IP to the storage.

        In case the configured threshold is reached, the user is disabled for the configured time.

        Parameters:
        userName - the name of the user
        remoteAddress - the remote address (IP) from which the login attempt was made
      • removeInvalidLogins

        protected void removeInvalidLogins​(java.lang.String userName,
                                           java.lang.String remoteAddress)
        Removes all invalid attempts to login for the given user / IP.

        Parameters:
        userName - the name of the user
        remoteAddress - the remote address (IP) from which the login attempt was made