org.opencms.db

Class CmsLoginManager

java.lang.Object

org.opencms.db.CmsLoginManager

public class CmsLoginManager
extends java.lang.Object

Provides functions used to check the validity of a user login.

Stores invalid login attempts and disables a user account temporarily in case the configured threshold of invalid logins is reached.

The invalid login attempt storage operates on a combination of user name, login remote IP address and user type. This means that a user can be disabled for one remote IP, but still be enabled for another remote IP.

Also allows to temporarily disallow logins (for example in case of maintenance work on the system).

Since:

6.0.0

Field Summary

Fields

Modifier and Type	Field and Description
static long	DEFAULT_TOKEN_LIFETIME Default token lifetime.
static int	DISABLE_MINUTES_DEFAULT Default lock time if treshold for bad login attempts is reached.
static boolean	ENABLE_SECURITY_DEFAULT Default setting for the security option.
static java.lang.String	KEY_SEPARATOR Separator used for storage keys.
protected int	m_disableMillis The milliseconds to disable an account if the threshold is reached.
protected int	m_disableMinutes The minutes to disable an account if the threshold is reached.
protected boolean	m_enableSecurity The flag to determine if the security option ahould be enabled on the login dialog.
protected int	m_maxBadAttempts The number of bad login attempts allowed before an account is temporarily disabled.
protected java.util.Map<java.lang.String,org.opencms.db.CmsLoginManager.CmsUserData>	m_storage The storage for the bad login attempts.
protected java.lang.String	m_tokenLifetimeStr The token lifetime.
static int	MAX_BAD_ATTEMPTS_DEFAULT Default for bad login attempts.
protected static java.util.Map<java.lang.String,java.util.Set<org.opencms.db.CmsLoginManager.CmsUserData>>	TEMP_DISABLED_USER Map holding usernames and userdata for user which are currently locked.

Constructor Summary

Constructors

Constructor and Description
CmsLoginManager(int disableMinutes, int maxBadAttempts, boolean enableSecurity, java.lang.String tokenLifetime, java.lang.String maxInactive, java.lang.String passwordChangeInterval, java.lang.String userDataCheckInterval) Creates a new storage for invalid logins.

Method Summary

Modifier and Type	Method and Description
protected void	addInvalidLogin(java.lang.String userName, java.lang.String remoteAddress) Adds an invalid attempt to login for the given user / IP to the storage.
boolean	canLockBecauseOfInactivity(CmsObject cms, CmsUser user) Checks whether a user account can be locked because of inactivity.
boolean	checkInactive(CmsUser user) Checks whether the given user has been inactive for longer than the configured limit.
void	checkInvalidLogins(java.lang.String userName, java.lang.String remoteAddress) Checks if the threshold for the invalid logins has been reached for the given user.
void	checkLoginAllowed() Checks if a login is currently allowed.
CmsLoginMessage	getBeforeLoginMessage() Returns the current before login message that is displayed on the login form.
int	getDisableMinutes() Returns the minutes an account gets disabled after too many failed login attempts.
CmsLoginMessage	getLoginMessage() Returns the current login message that is displayed if a user logs in.
int	getMaxBadAttempts() Returns the number of bad login attempts allowed before an account is temporarily disabled.
java.lang.String	getMaxInactive() Gets the max inactivity time.
long	getPasswordChangeInterval() Gets the password change interval.
java.lang.String	getPasswordChangeIntervalStr() Gets the raw password change interval string.
long	getTokenLifetime() Gets the authorization token lifetime in milliseconds.
java.lang.String	getTokenLifetimeStr() Gets the configured token lifetime as a string.
long	getUserDataCheckInterval() Gets the user data check interval.
java.lang.String	getUserDataCheckIntervalStr() Gets the raw user data check interval string.
boolean	isEnableSecurity() Returns if the security option ahould be enabled on the login dialog.
boolean	isPasswordReset(CmsObject cms, CmsUser user) Checks if password has to be reset.
boolean	isUserLocked(CmsUser user) Checks if a user is locked due to too many failed logins.
boolean	isUserTempDisabled(java.lang.String username) Checks if given user it temporarily locked.
protected void	removeInvalidLogins(java.lang.String userName, java.lang.String remoteAddress) Removes all invalid attempts to login for the given user / IP.
void	removeLoginMessage(CmsObject cms) Removes the current login message.
boolean	requiresPasswordChange(CmsObject cms, CmsUser user) Checks if a user is required to change his password now.
boolean	requiresUserDataCheck(CmsObject cms, CmsUser user) Checks if a user is required to change his password now.
void	resetUserTempDisable(java.lang.String username) Resets lock from user.
void	setBeforeLoginMessage(CmsObject cms, CmsLoginMessage message) Sets the before login message to display on the login form.
void	setLoginMessage(CmsObject cms, CmsLoginMessage message) Sets the login message to display if a user logs in.
void	unlockUser(CmsObject cms, CmsUser user) Unlocks a user who has exceeded his number of failed login attempts so that he can try to log in again.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

DEFAULT_TOKEN_LIFETIME

public static final long DEFAULT_TOKEN_LIFETIME

Default token lifetime.

See Also:

Constant Field Values

DISABLE_MINUTES_DEFAULT

public static final int DISABLE_MINUTES_DEFAULT

Default lock time if treshold for bad login attempts is reached.

See Also:

Constant Field Values

ENABLE_SECURITY_DEFAULT

public static final boolean ENABLE_SECURITY_DEFAULT

Default setting for the security option.

See Also:

Constant Field Values

KEY_SEPARATOR

public static final java.lang.String KEY_SEPARATOR

Separator used for storage keys.

See Also:

Constant Field Values

MAX_BAD_ATTEMPTS_DEFAULT

public static final int MAX_BAD_ATTEMPTS_DEFAULT

Default for bad login attempts.

See Also:

Constant Field Values

TEMP_DISABLED_USER

protected static java.util.Map<java.lang.String,java.util.Set<org.opencms.db.CmsLoginManager.CmsUserData>> TEMP_DISABLED_USER

Map holding usernames and userdata for user which are currently locked.

m_disableMillis

protected int m_disableMillis

The milliseconds to disable an account if the threshold is reached.

m_disableMinutes

protected int m_disableMinutes

The minutes to disable an account if the threshold is reached.

m_enableSecurity

protected boolean m_enableSecurity

The flag to determine if the security option ahould be enabled on the login dialog.

m_maxBadAttempts

protected int m_maxBadAttempts

The number of bad login attempts allowed before an account is temporarily disabled.

m_storage

protected java.util.Map<java.lang.String,org.opencms.db.CmsLoginManager.CmsUserData> m_storage

The storage for the bad login attempts.

m_tokenLifetimeStr

protected java.lang.String m_tokenLifetimeStr

The token lifetime.

Constructor Detail

CmsLoginManager

public CmsLoginManager(int disableMinutes,
                       int maxBadAttempts,
                       boolean enableSecurity,
                       java.lang.String tokenLifetime,
                       java.lang.String maxInactive,
                       java.lang.String passwordChangeInterval,
                       java.lang.String userDataCheckInterval)

Creates a new storage for invalid logins.

Parameters:

disableMinutes - the minutes to disable an account if the threshold is reached

maxBadAttempts - the number of bad login attempts allowed before an account is temporarily disabled

enableSecurity - flag to determine if the security option should be enabled on the login dialog

tokenLifetime - the lifetime of authorization tokens, i.e. the time for which they are valid

maxInactive - maximum inactivity time

passwordChangeInterval - the password change interval

userDataCheckInterval - the user data check interval

Method Detail

canLockBecauseOfInactivity

public boolean canLockBecauseOfInactivity(CmsObject cms,
                                          CmsUser user)

Checks whether a user account can be locked because of inactivity.

Parameters:

cms - the CMS context

user - the user to check

Returns:

true if the user may be locked after being inactive for too long

checkInactive

public boolean checkInactive(CmsUser user)

Checks whether the given user has been inactive for longer than the configured limit.

If no max inactivity time is configured, always returns false.

Parameters:

user - the user to check

Returns:

true if the user has been inactive for longer than the configured limit

checkInvalidLogins

public void checkInvalidLogins(java.lang.String userName,
                               java.lang.String remoteAddress)
                        throws CmsAuthentificationException

Checks if the threshold for the invalid logins has been reached for the given user.

In case the configured threshold is reached, an Exception is thrown.

Parameters:

userName - the name of the user

remoteAddress - the remote address (IP) from which the login attempt was made

Throws:

CmsAuthentificationException - in case the threshold of invalid login attempts has been reached

checkLoginAllowed

public void checkLoginAllowed()
                       throws CmsAuthentificationException

Checks if a login is currently allowed.

In case no logins are allowed, an Exception is thrown.

Throws:

CmsAuthentificationException - in case no logins are allowed

getBeforeLoginMessage

public CmsLoginMessage getBeforeLoginMessage()

Returns the current before login message that is displayed on the login form.

if null is returned, no login message has been currently set.

Returns:

the current login message that is displayed if a user logs in

getDisableMinutes

public int getDisableMinutes()

Returns the minutes an account gets disabled after too many failed login attempts.

Returns:

the minutes an account gets disabled after too many failed login attempts

getLoginMessage

public CmsLoginMessage getLoginMessage()

Returns the current login message that is displayed if a user logs in.

if null is returned, no login message has been currently set.

Returns:

the current login message that is displayed if a user logs in

getMaxBadAttempts

public int getMaxBadAttempts()

Returns the number of bad login attempts allowed before an account is temporarily disabled.

Returns:

the number of bad login attempts allowed before an account is temporarily disabled

getMaxInactive

public java.lang.String getMaxInactive()

Gets the max inactivity time.

Returns:

the max inactivity time

getPasswordChangeInterval

public long getPasswordChangeInterval()

Gets the password change interval.

Returns:

the password change interval

getPasswordChangeIntervalStr

public java.lang.String getPasswordChangeIntervalStr()

Gets the raw password change interval string.

Returns:

the configured string for the password change interval

getTokenLifetime

public long getTokenLifetime()

Gets the authorization token lifetime in milliseconds.

Returns:

the authorization token lifetime in milliseconds

getTokenLifetimeStr

public java.lang.String getTokenLifetimeStr()

Gets the configured token lifetime as a string.

Returns:

the configured token lifetime as a string

getUserDataCheckInterval

public long getUserDataCheckInterval()

Gets the user data check interval.

Returns:

the user data check interval

getUserDataCheckIntervalStr

public java.lang.String getUserDataCheckIntervalStr()

Gets the raw user data check interval string.

Returns:

the configured string for the user data check interval

isEnableSecurity

public boolean isEnableSecurity()

Returns if the security option ahould be enabled on the login dialog.

Returns:

true if the security option ahould be enabled on the login dialog, otherwise false

isPasswordReset

public boolean isPasswordReset(CmsObject cms,
                               CmsUser user)

Checks if password has to be reset.

Parameters:

cms - CmsObject

user - CmsUser

Returns:

true if password should be reset

isUserLocked

public boolean isUserLocked(CmsUser user)

Checks if a user is locked due to too many failed logins.

Parameters:

user - the user to check

Returns:

true if the user is locked

isUserTempDisabled

public boolean isUserTempDisabled(java.lang.String username)

Checks if given user it temporarily locked.

Parameters:

username - to check

Returns:

true if user is locked

removeLoginMessage

public void removeLoginMessage(CmsObject cms)
                        throws CmsRoleViolationException

Removes the current login message.

This operation requires that the current user has role permissions of CmsRole.ROOT_ADMIN.

Parameters:

cms - the current OpenCms user context

Throws:

CmsRoleViolationException - in case the current user does not have the required role permissions

requiresPasswordChange

public boolean requiresPasswordChange(CmsObject cms,
                                      CmsUser user)

Checks if a user is required to change his password now.

Parameters:

cms - the current CMS context

user - the user to check

Returns:

true if the user should be asked to change his password

requiresUserDataCheck

public boolean requiresUserDataCheck(CmsObject cms,
                                     CmsUser user)

Checks if a user is required to change his password now.

Parameters:

cms - the current CMS context

user - the user to check

Returns:

true if the user should be asked to change his password

resetUserTempDisable

public void resetUserTempDisable(java.lang.String username)

Resets lock from user.

Parameters:

username - to reset lock for

setBeforeLoginMessage

public void setBeforeLoginMessage(CmsObject cms,
                                  CmsLoginMessage message)
                           throws CmsRoleViolationException

Sets the before login message to display on the login form.

This operation requires that the current user has role permissions of CmsRole.ROOT_ADMIN.

Parameters:

cms - the current OpenCms user context

message - the message to set

Throws:

CmsRoleViolationException - in case the current user does not have the required role permissions

setLoginMessage

public void setLoginMessage(CmsObject cms,
                            CmsLoginMessage message)
                     throws CmsRoleViolationException

Sets the login message to display if a user logs in.

This operation requires that the current user has role permissions of CmsRole.ROOT_ADMIN.

Parameters:

cms - the current OpenCms user context

message - the message to set

Throws:

CmsRoleViolationException - in case the current user does not have the required role permissions

unlockUser

public void unlockUser(CmsObject cms,
                       CmsUser user)
                throws CmsRoleViolationException

Unlocks a user who has exceeded his number of failed login attempts so that he can try to log in again.

This requires the "account manager" role.

Parameters:

cms - the current CMS context

user - the user to unlock

Throws:

CmsRoleViolationException - if the permission check fails

addInvalidLogin

protected void addInvalidLogin(java.lang.String userName,
                               java.lang.String remoteAddress)

Adds an invalid attempt to login for the given user / IP to the storage.

In case the configured threshold is reached, the user is disabled for the configured time.

Parameters:

userName - the name of the user

remoteAddress - the remore address (IP) from which the login attempt was made

removeInvalidLogins

protected void removeInvalidLogins(java.lang.String userName,
                                   java.lang.String remoteAddress)

Removes all invalid attempts to login for the given user / IP.

Parameters:

userName - the name of the user

remoteAddress - the remore address (IP) from which the login attempt was made