org.apache.jetspeed.security.spi.impl
Class MaxPasswordAuthenticationFailuresInterceptor

java.lang.Object
  org.apache.jetspeed.security.spi.impl.AbstractInternalPasswordCredentialInterceptorImpl
      org.apache.jetspeed.security.spi.impl.MaxPasswordAuthenticationFailuresInterceptor

All Implemented Interfaces:

InternalPasswordCredentialInterceptor

public class MaxPasswordAuthenticationFailuresInterceptor
extends AbstractInternalPasswordCredentialInterceptorImpl

Enforces a maximum number of times a user may provide an invalid password. Once the maximum number of invalid authentications is reached, the credential is disabled.

Note: the current count is not reset on valid authentication by this interceptor. This is done by the DefaultCredentialHandler which invokes the interceptor(s) after authentication and no interceptor afterAuthenicated method returns true.

But, this interceptor does (re)sets the count on creation and on change of the password.

Version:

$Id$

Author:

Ate Douma

Constructor Summary

MaxPasswordAuthenticationFailuresInterceptor(int maxNumberOfAuthenticationFailures)
Configure the maximum number of invalid authentications allowed in a row.

Method Summary

boolean	afterAuthenticated(InternalUserPrincipal internalUser, java.lang.String userName, InternalCredential credential, boolean authenticated) Checks the current count of authentication failures when the credential is not expired and authentication failed.
void	beforeCreate(InternalUserPrincipal internalUser, java.util.Collection credentials, java.lang.String userName, InternalCredential credential, java.lang.String password) Sets the count of invalid authentications to zero (0).
void	beforeSetPassword(InternalUserPrincipal internalUser, java.util.Collection credentials, java.lang.String userName, InternalCredential credential, java.lang.String password, boolean authenticated) Resets the count of invalid authentications to zero (0).

Methods inherited from class org.apache.jetspeed.security.spi.impl.AbstractInternalPasswordCredentialInterceptorImpl

afterLoad

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

MaxPasswordAuthenticationFailuresInterceptor

public MaxPasswordAuthenticationFailuresInterceptor(int maxNumberOfAuthenticationFailures)

Configure the maximum number of invalid authentications allowed in a row.

A value of zero (0) disables the check

Method Detail

afterAuthenticated

public boolean afterAuthenticated(InternalUserPrincipal internalUser,
                                  java.lang.String userName,
                                  InternalCredential credential,
                                  boolean authenticated)
                           throws SecurityException

Checks the current count of authentication failures when the credential is not expired and authentication failed.

Specified by:

afterAuthenticated in interface InternalPasswordCredentialInterceptor

Overrides:

afterAuthenticated in class AbstractInternalPasswordCredentialInterceptorImpl

Parameters:

internalUser - the user to which the credential belongs

userName - the name of the principal to which the credential belongs

credential - the credential of the user

authenticated - true if the provided password matches the value of the credential

Returns:

true if the maximum number of invalid authentications is reached and the credential is disabled.

Throws:

SecurityException

See Also:

InternalPasswordCredentialInterceptor.afterAuthenticated(org.apache.jetspeed.security.om.InternalUserPrincipal, java.lang.String, org.apache.jetspeed.security.om.InternalCredential, boolean)

beforeCreate

public void beforeCreate(InternalUserPrincipal internalUser,
                         java.util.Collection credentials,
                         java.lang.String userName,
                         InternalCredential credential,
                         java.lang.String password)
                  throws SecurityException

Sets the count of invalid authentications to zero (0).

Specified by:

beforeCreate in interface InternalPasswordCredentialInterceptor

Overrides:

beforeCreate in class AbstractInternalPasswordCredentialInterceptorImpl

Parameters:

internalUser - the user to which the credential belongs

credentials - the collection of credentials which will set on the user after (already contains the new credential)

userName - the name of the principal to which the credential belongs

credential - the credential of the user

password - the new password value (already set on the new credential)

Throws:

SecurityException

See Also:

InternalPasswordCredentialInterceptor.beforeCreate(org.apache.jetspeed.security.om.InternalUserPrincipal, java.util.Collection, java.lang.String, InternalCredential, java.lang.String)

beforeSetPassword

public void beforeSetPassword(InternalUserPrincipal internalUser,
                              java.util.Collection credentials,
                              java.lang.String userName,
                              InternalCredential credential,
                              java.lang.String password,
                              boolean authenticated)
                       throws SecurityException

Resets the count of invalid authentications to zero (0).

Specified by:

beforeSetPassword in interface InternalPasswordCredentialInterceptor

Overrides:

beforeSetPassword in class AbstractInternalPasswordCredentialInterceptorImpl

Parameters:

internalUser - the user to which the credential belongs

credentials - the collection of credentials which will set on the user after (already contains the new credential)

userName - the name of the principal to which the credential belongs

credential - the credential of the user

password - the new password value (already set on the new credential)

authenticated - true if the new password value is provided by the user directly

Throws:

SecurityException

See Also:

InternalPasswordCredentialInterceptor.beforeSetPassword(org.apache.jetspeed.security.om.InternalUserPrincipal, java.util.Collection, java.lang.String, org.apache.jetspeed.security.om.InternalCredential, java.lang.String, boolean)