- /*
- * Copyright (c) 2019 SAP SE or an SAP affiliate company. All rights reserved.
- */
- package com.legrand.b2c.security;
import de.hybris.platform.acceleratorstorefrontcommons.security.AbstractAcceleratorAuthenticationProvider;
import de.hybris.platform.core.Constants;
import de.hybris.platform.core.model.user.CustomerModel;
import de.hybris.platform.core.model.user.UserModel;
import de.hybris.platform.europe1.enums.UserPriceGroup;
import de.hybris.platform.servicelayer.config.ConfigurationService;
import de.hybris.platform.servicelayer.exceptions.UnknownIdentifierException;
import org.apache.commons.lang.StringUtils;
import org.apache.log4j.Logger;
import org.assertj.core.util.Objects;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.InternalAuthenticationServiceException;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
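/**
 * Derived authentication provider supporting additional authentication checks. See
 * {@link de.hybris.platform.spring.security.RejectUserPreAuthenticationChecks}.
 *
 * <ul>
 * <li>prevent login without password for users created via CSCockpit</li>
 * <li>prevent login as user in group admingroup</li>
 * <li>prevent login of customers in the default B2C price group whose email address is not validated</li>
 * </ul>
 *
 * any login as admin disables SearchRestrictions and therefore no page can be viewed correctly
 * <p>
 * The email-validation check is deliberately performed only after the inherited checks (including
 * credential verification) have passed. Raising a distinct {@link LockedException} before the
 * password is verified would let an unauthenticated caller learn whether a given account exists and
 * which state it is in.
 */
public class AcceleratorAuthenticationProvider extends AbstractAcceleratorAuthenticationProvider
{
    /** Authority name derived from the platform's admin user group. */
    private static final String ROLE_ADMIN_GROUP = "ROLE_" + Constants.USER.ADMIN_USERGROUP.toUpperCase();
    private static final Logger LOG = Logger.getLogger(AcceleratorAuthenticationProvider.class);
    /** Configuration key whose value is the code of the default B2C {@link UserPriceGroup}. */
    private static final String DEFAULT_USER_PRICE_GROUP_B2C = "lr.usergroup.default.B2C";

    /** Authority that must not be able to log in through the storefront; {@code null} disables the check. */
    private GrantedAuthority adminAuthority = new SimpleGrantedAuthority(ROLE_ADMIN_GROUP);
    private ConfigurationService configurationService;

    public ConfigurationService getConfigurationService()
    {
        return configurationService;
    }

    /**
     * Setter for Spring injection of the configuration service used to resolve the default B2C price group.
     *
     * @param configurationService the platform configuration service
     */
    public void setConfigurationService(final ConfigurationService configurationService)
    {
        this.configurationService = configurationService;
    }

    /**
     * Authenticates the given request.
     * <p>
     * Unknown users are rejected with the same {@link BadCredentialsException} the parent provider would raise.
     * Once the parent provider has accepted the request, a customer belonging to the configured default B2C
     * price group is additionally required to have a validated email address.
     *
     * @param authentication the authentication request; its principal may be {@code null}
     * @return the authenticated token produced by the parent provider
     * @throws BadCredentialsException if no user with the given UID exists
     * @throws LockedException if the user is a B2C customer whose email address is not validated
     * @throws InternalAuthenticationServiceException if the default B2C price group is not configured
     * @throws AuthenticationException for any failure raised by the parent provider
     */
    @Override
    public Authentication authenticate(final Authentication authentication) throws AuthenticationException
    {
        final String username = (authentication.getPrincipal() == null) ? "NONE_PROVIDED" : authentication.getName();
        final UserModel user;
        try
        {
            user = getUserService().getUserForUID(StringUtils.lowerCase(username));
        }
        catch (final UnknownIdentifierException e)
        {
            throw new BadCredentialsException(
                    messages.getMessage(CORE_AUTHENTICATION_PROVIDER_BAD_CREDENTIALS, BAD_CREDENTIALS), e);
        }

        // Verify credentials (and the inherited pre/post checks) BEFORE inspecting account state: an
        // account-state error raised first would be observable without knowing the password and could
        // be used to enumerate accounts and their validation status.
        final Authentication result = super.authenticate(authentication);

        if (isB2CCustomerWithoutValidatedEmail(user))
        {
            throw new LockedException("Login attempt is rejected. Email is not validated.");
        }
        return result;
    }

    /**
     * Tells whether {@code user} is a customer in the default B2C price group whose email address has not
     * been validated. Users that are not {@link CustomerModel}s never match, so an unconditional cast can
     * no longer fail for them.
     *
     * @param user the resolved user, never {@code null}
     * @return {@code true} if the login has to be rejected because of the missing email validation
     */
    private boolean isB2CCustomerWithoutValidatedEmail(final UserModel user)
    {
        if (!(user instanceof CustomerModel))
        {
            return false;
        }
        final CustomerModel customer = (CustomerModel) user;
        // Fully qualified on purpose: the file imports org.assertj.core.util.Objects, a test-library helper
        // that should not be relied on in production code.
        return java.util.Objects.equals(customer.getEurope1PriceFactory_UPG(), getDefaultB2CPriceGroup())
                && !customer.isEmailValidated();
    }

    /**
     * Resolves the default B2C price group from the platform configuration.
     *
     * @return the configured price group
     * @throws InternalAuthenticationServiceException if the property is missing or blank, so that a
     *         misconfiguration surfaces as a clear, logged error rather than as an unexplained failure
     *         on every login attempt
     */
    private UserPriceGroup getDefaultB2CPriceGroup()
    {
        final String code = getConfigurationService().getConfiguration().getString(DEFAULT_USER_PRICE_GROUP_B2C);
        if (StringUtils.isBlank(code))
        {
            LOG.error("Property '" + DEFAULT_USER_PRICE_GROUP_B2C + "' is not configured; rejecting login.");
            throw new InternalAuthenticationServiceException(
                    "Default B2C user price group is not configured (" + DEFAULT_USER_PRICE_GROUP_B2C + ")");
        }
        return UserPriceGroup.valueOf(code);
    }

    /**
     * Runs the inherited checks and then rejects any account that carries the admin authority.
     *
     * @param details the resolved user details
     * @param authentication the authentication request
     * @throws LockedException if {@code details} holds the configured admin authority
     * @throws AuthenticationException for any failure raised by the parent provider
     * @see de.hybris.platform.acceleratorstorefrontcommons.security.AbstractAcceleratorAuthenticationProvider#additionalAuthenticationChecks(org.springframework.security.core.userdetails.UserDetails,
     *      org.springframework.security.authentication.AbstractAuthenticationToken)
     */
    @Override
    protected void additionalAuthenticationChecks(final UserDetails details, final AbstractAuthenticationToken authentication)
            throws AuthenticationException
    {
        super.additionalAuthenticationChecks(details, authentication);

        // Check if the user is in role admingroup
        final GrantedAuthority admin = getAdminAuthority();
        if (admin != null && details.getAuthorities().contains(admin))
        {
            throw new LockedException("Login attempt as " + Constants.USER.ADMIN_USERGROUP + " is rejected");
        }
    }

    /**
     * Overrides the authority that is refused login.
     *
     * @param adminGroup authority name to refuse; a blank value disables the admin-group check entirely
     */
    public void setAdminGroup(final String adminGroup)
    {
        adminAuthority = StringUtils.isBlank(adminGroup) ? null : new SimpleGrantedAuthority(adminGroup);
    }

    /**
     * @return the authority refused by {@link #additionalAuthenticationChecks}, or {@code null} if the check is disabled
     */
    protected GrantedAuthority getAdminAuthority()
    {
        return adminAuthority;
    }
}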