commit 0aaa60dc6a9c0597b42cbb4c821f37b9d48bb791
author Antonio Sanso <asanso@apache.org> Wed Oct 14 08:13:03 2015 +0000
committer Antonio Sanso <asanso@apache.org> Wed Oct 14 08:13:03 2015 +0000
tree 3efb54ff42438504334efd5f3b7e23b1efd0e3c4
parent d176cc7b173dc7ca99f5cc0ab279fd71c210b543

SLING-5141 - Expose Oak's Login Failures in Authenticator Reason (applied patch from Dominique Jaeggi thanks!)

git-svn-id: https://svn.apache.org/repos/asf/sling/trunk@1708557 13f79535-47bb-0310-9956-ffa450edef68

src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java

diff --git a/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java b/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java
index 6cd7e55..dfc3d5e 100644
--- a/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java
+++ b/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java
@@ -29,6 +29,8 @@
 import java.util.Map;
 
 import javax.jcr.SimpleCredentials;
+import javax.security.auth.login.AccountLockedException;
+import javax.security.auth.login.AccountNotFoundException;
 import javax.security.auth.login.CredentialExpiredException;
 import javax.servlet.ServletRequest;
 import javax.servlet.ServletRequestEvent;
@@ -958,30 +960,32 @@
                 // request authentication information and send 403 (Forbidden)
                 // if no handler can request authentication information.            
 
+                AuthenticationHandler.FAILURE_REASON_CODES code = AuthenticationHandler.FAILURE_REASON_CODES.INVALID_LOGIN;
+                String message = "User name and password do not match";
+
                 if (reason.getCause() instanceof CredentialExpiredException) {
                     // force failure attribute to be set so handlers can
                     // react to this special circumstance
-
-                    AuthenticationHandler.FAILURE_REASON_CODES code = AuthenticationHandler.FAILURE_REASON_CODES.PASSWORD_EXPIRED;
-                    String message = "Password expired";
-
                     Object creds = authInfo.get("user.jcr.credentials");
                     if (creds instanceof SimpleCredentials && ((SimpleCredentials) creds).getAttribute("PasswordHistoryException") != null) {
                         code = AuthenticationHandler.FAILURE_REASON_CODES.PASSWORD_EXPIRED_AND_NEW_PASSWORD_IN_HISTORY;
                         message = "Password expired and new password found in password history";
+                    } else {
+                        code = AuthenticationHandler.FAILURE_REASON_CODES.PASSWORD_EXPIRED;
+                        message = "Password expired";
                     }
-
-                    request.setAttribute(AuthenticationHandler.FAILURE_REASON_CODE, code);
-                    ensureAttribute(request, AuthenticationHandler.FAILURE_REASON, message);
-
-                } else {
-                    // preset a reason for the login failure (if not done already)
-                    request.setAttribute(AuthenticationHandler.FAILURE_REASON_CODE,
-                            AuthenticationHandler.FAILURE_REASON_CODES.INVALID_LOGIN);
-                    ensureAttribute(request, AuthenticationHandler.FAILURE_REASON,
-                            "User name and password do not match");
+                } else if (reason.getCause() instanceof AccountLockedException) {
+                    code = AuthenticationHandler.FAILURE_REASON_CODES.ACCOUNT_LOCKED;
+                    message = "Account is locked";
+                } else if (reason.getCause() instanceof AccountNotFoundException) {
+                    code = AuthenticationHandler.FAILURE_REASON_CODES.ACCOUNT_NOT_FOUND;
+                    message = "Account was not found";
                 }
 
+                // preset a reason for the login failure
+                request.setAttribute(AuthenticationHandler.FAILURE_REASON_CODE, code);
+                ensureAttribute(request, AuthenticationHandler.FAILURE_REASON, message);
+
                 doLogin(request, response);
             }
 

src/main/java/org/apache/sling/auth/core/spi/AuthenticationHandler.java

diff --git a/src/main/java/org/apache/sling/auth/core/spi/AuthenticationHandler.java b/src/main/java/org/apache/sling/auth/core/spi/AuthenticationHandler.java
index a35e02a..5d9b848 100644
--- a/src/main/java/org/apache/sling/auth/core/spi/AuthenticationHandler.java
+++ b/src/main/java/org/apache/sling/auth/core/spi/AuthenticationHandler.java
@@ -109,18 +109,21 @@
     /**
      * This enum indicates the supported detailed login failure reason codes:
      * <ul>
-     *     <li><code>invalid_login</code>:</li> indicates username/password mismatch.
-     *     <li><code>password_expired</code>:</li> indicates password has expired or was never set and
-     *     change initial password is enabled
-     *     <li><code>unknown</code>:</li> an unknown reason for the login failure was encountered.
+     *     <li><code>invalid_login</code>: indicates username/password mismatch.</li>
+     *     <li><code>password_expired</code>: indicates password has expired or was never set and
+     *     change initial password is enabled</li>
+     *     <li><code>account_locked</code>: the account was disabled or locked</li>
+     *     <li><code>account_not_found</code>: the account was not found (not the same as username password mismatch)</li>
      * </ul>
      * @since 1.1.0
      */
-    static enum FAILURE_REASON_CODES {
+    enum FAILURE_REASON_CODES {
         INVALID_LOGIN,
         PASSWORD_EXPIRED,
         PASSWORD_EXPIRED_AND_NEW_PASSWORD_IN_HISTORY,
-        UNKNOWN;
+        UNKNOWN,
+        ACCOUNT_LOCKED,
+        ACCOUNT_NOT_FOUND;
 
         @Override
         public String toString() {