Class DefaultUserLockoutService

java.lang.Object
com.broadleafcommerce.auth.user.service.DefaultUserLockoutService
All Implemented Interfaces:
UserLockoutService

public class DefaultUserLockoutService extends Object implements UserLockoutService
  • Method Details

    • createLoginAttempt

      public void createLoginAttempt(User user, String loginAttemptResult)
      Description copied from interface: UserLockoutService
      Create a user login attempt.
      Specified by:
      createLoginAttempt in interface UserLockoutService
      Parameters:
      user - The user to create a login attempt for
      loginAttemptResult - The login attempt result.
    • createLoginAttempt

      public void createLoginAttempt(String username, String loginAttemptResult, String clientId)
      Description copied from interface: UserLockoutService
      Create a user login attempt
      Specified by:
      createLoginAttempt in interface UserLockoutService
      Parameters:
      username - The username to create an attempt for
      loginAttemptResult - The login attempt result
      clientId - The client ID
    • createResetPasswordAttempt

      public void createResetPasswordAttempt(String username, @Nullable String userId, String resetPasswordAttemptResult, String authServerId)
      Description copied from interface: UserLockoutService
      Specified by:
      createResetPasswordAttempt in interface UserLockoutService
      Parameters:
      username - The username to create an attempt for
      userId - The user ID of the user who attempted to reset their password. This is nullable because an attempt can be made to reset the password for a username for which no user exists.
      resetPasswordAttemptResult - The reset password attempt result
      authServerId - The authentication server ID that contains the property configurations to be applied to this attempt
    • validateMaximumResetPasswordAttempts

      public void validateMaximumResetPasswordAttempts(String username, @Nullable String userId, String authServerId)
      Description copied from interface: UserLockoutService
      Validates whether the current number of reset password attempts for a user has exceeded the maximum attempt limit. This method can be used in conjunction with UserLockoutService.createResetPasswordAttempt(String, String, String, String) to pre-validate the current state before performing outside actions that require the attempt to be valid, such as resetting the password on the user or consuming a one-time token.
      Specified by:
      validateMaximumResetPasswordAttempts in interface UserLockoutService
      Parameters:
      username - Username of the user to validate
      userId - User ID of the user to validate reset password attempts for
      authServerId - Authentication server ID containing property configurations to be referenced for this attempt
    • createChangePasswordAttempt

      public void createChangePasswordAttempt(String username, String userId, String changePasswordAttemptResult, String authServerId)
      Description copied from interface: UserLockoutService
      Specified by:
      createChangePasswordAttempt in interface UserLockoutService
      Parameters:
      username - The username to create an attempt for
      userId - The user ID of the user who attempted to change their password. This should be non-null since a user can only change a password when they are logged in.
      changePasswordAttemptResult - The change password attempt result
      authServerId - The authentication server ID that contains the property configurations to be applied to this attempt
    • validateMaximumChangePasswordAttempts

      public void validateMaximumChangePasswordAttempts(String username, String userId, String authServerId)
      Description copied from interface: UserLockoutService
      Validates whether the current number of change password attempts for a user has exceeded the maximum attempt limit. This method can be used in conjunction with UserLockoutService.createChangePasswordAttempt(String, String, String, String) to pre-validate the current state before performing outside actions that require the attempt to be valid, such as changing the password on the user.
      Specified by:
      validateMaximumChangePasswordAttempts in interface UserLockoutService
      Parameters:
      username - Username of the user to validate
      userId - User ID of the user to validate change password attempts on
      authServerId - Authentication server ID containing property configurations to be referenced for this attempt
    • unlockUser

      public User unlockUser(User user)
      Description copied from interface: UserLockoutService
      Manually unlock a user
      Specified by:
      unlockUser in interface UserLockoutService
      Parameters:
      user - The user to unlock
    • lockUser

      public User lockUser(User user)
      Description copied from interface: UserLockoutService
      Manually lock a user
      Specified by:
      lockUser in interface UserLockoutService
      Parameters:
      user - The user to lock
    • unlockUserIfEligible

      public Optional<User> unlockUserIfEligible(String username, String clientId)
      Description copied from interface: UserLockoutService
      If a user is eligible for unlocking, unlock them.
      Specified by:
      unlockUserIfEligible in interface UserLockoutService
      Parameters:
      username - The username
      clientId - The client ID
      Returns:
      The user, if they exist
    • canResetPassword

      public boolean canResetPassword(User user)
      Description copied from interface: UserLockoutService
      Specified by:
      canResetPassword in interface UserLockoutService
      Parameters:
      user - The user to check
      Returns:
      true if the user can reset their password, otherwise false.
    • unlockUserOnPasswordResetIfEligible

      @Nullable public Boolean unlockUserOnPasswordResetIfEligible(User user)
      Description copied from interface: UserLockoutService
      After a password reset, unlock the user if they're eligible.

      See AuthorizationServer.getResetPasswordUnlocksUser() and UserLockoutProperties.isResetPasswordUnlocksUser()

      Specified by:
      unlockUserOnPasswordResetIfEligible in interface UserLockoutService
      Parameters:
      user - The user to unlock, if eligible
      Returns:
      true if the user has been unlocked, false if the user is still locked, or null if no action was taken
    • createLoginAttempt

      protected void createLoginAttempt(String username, @Nullable String userId, String loginAttemptResult, String authServerId)
    • unlockOrValidateAttemptsLessThanMaximum

      protected void unlockOrValidateAttemptsLessThanMaximum(String username, @Nullable User user, AuthorizationServer server, int attemptCount, int maximumAttemptsAllowed)
    • userShouldBeUnlocked

      protected boolean userShouldBeUnlocked(@Nullable User user, AuthorizationServer server)
    • countLoginAttempts

      protected int countLoginAttempts(String username, AuthorizationServer server)
    • countResetPasswordAttempts

      protected int countResetPasswordAttempts(String username, AuthorizationServer server)
      Returns the total count of failed reset password attempts for the username and server.
      Parameters:
      username - The username to count the attempts from
      server - The server where the attempts occurred
      Returns:
      the total count of failed reset password attempts for a username in a server
      Since:
      2.1.3
    • countChangePasswordAttempts

      protected int countChangePasswordAttempts(String username, AuthorizationServer server)
      Returns the total count of failed change password attempts for the username and server.
      Parameters:
      username - The username to count the attempts from
      server - The server where the attempts occurred
      Returns:
      the total count of failed change password attempts for a username in a server
      Since:
      2.1.3
    • getLockoutDuration

      @Nullable protected Duration getLockoutDuration(AuthorizationServer server)
    • readAuthServer

      protected AuthorizationServer readAuthServer(String authServerId)
    • getLockoutDurationMinutes

      @Nullable protected Long getLockoutDurationMinutes(AuthorizationServer server)
    • getLoginFailDecayMinutes

      @Nullable protected Long getLoginFailDecayMinutes(AuthorizationServer server)
    • getChangePasswordFailDecayMinutes

      @Nullable protected Long getChangePasswordFailDecayMinutes(AuthorizationServer server)
      Returns the configured fail decay minutes for change password attempts. If the value is not set in AuthorizationServer, it is read from UserLockoutProperties instead. If it is set in neither, this method returns null. See AuthorizationServer.changePasswordFailDecayMinutes or UserLockoutProperties.changePasswordFailDecayMinutes for more information.
      Parameters:
      server - The server to initially fetch the configuration value from
      Returns:
      the configuration value of the fail decay minutes for change password attempts
      Since:
      2.1.3
    • getResetPasswordFailDecayMinutes

      @Nullable protected Long getResetPasswordFailDecayMinutes(AuthorizationServer server)
      Returns the configured fail decay minutes for reset password attempts. If the value is not set in AuthorizationServer, it is read from UserLockoutProperties instead. If it is set in neither, this method returns null. See AuthorizationServer.resetPasswordFailDecayMinutes or UserLockoutProperties.resetPasswordFailDecayMinutes for more information.
      Parameters:
      server - The server to initially fetch the configuration value from
      Returns:
      the configuration value of the fail decay minutes for reset password attempts
      Since:
      2.1.3
    • getLoginAttemptsAllowed

      protected int getLoginAttemptsAllowed(AuthorizationServer server)
    • getResetPasswordAttemptsAllowed

      protected int getResetPasswordAttemptsAllowed(AuthorizationServer server)
      Returns the configured maximum number of reset password attempts before a user is locked out. If the value is not set in AuthorizationServer, it is read from UserLockoutProperties instead. If it is set in neither, this method returns the maximum Integer value, so in practice the limit is never reached. See AuthorizationServer.failedResetPasswordAttemptsAllowed or UserLockoutProperties.failedResetPasswordAttemptsAllowed for more information.
      Parameters:
      server - The server to initially fetch the configuration value from
      Returns:
      the configuration value of maximum reset password attempts before a user is locked out
      Since:
      2.1.3
    • getChangePasswordAttemptsAllowed

      protected int getChangePasswordAttemptsAllowed(AuthorizationServer server)
      Returns the configured maximum number of change password attempts before a user is locked out. If the value is not set in AuthorizationServer, it is read from UserLockoutProperties instead. If it is set in neither, this method returns the maximum Integer value, so in practice the limit is never reached. See AuthorizationServer.failedChangePasswordAttemptsAllowed or UserLockoutProperties.failedChangePasswordAttemptsAllowed for more information.
      Parameters:
      server - The server to initially fetch the configuration value from
      Returns:
      the configuration value of maximum change password attempts before a user is locked out
      Since:
      2.1.3
    • throwIfLocked

      protected void throwIfLocked(int attempts, int attemptsAllowed, String username, AuthorizationServer server, @Nullable User user)
    • isResetPasswordUnlocksUser

      protected boolean isResetPasswordUnlocksUser(AuthorizationServer server)
    • isLockedUserCanResetPassword

      protected boolean isLockedUserCanResetPassword(AuthorizationServer server)
    • getUserService

      protected UserService<User> getUserService()
    • getUserLoginAttemptService

      protected UserLoginAttemptService<UserLoginAttempt> getUserLoginAttemptService()
    • getUserResetPasswordAttemptService

      protected UserResetPasswordAttemptService<UserResetPasswordAttempt> getUserResetPasswordAttemptService()
    • setUserResetPasswordAttemptService

      @Autowired public void setUserResetPasswordAttemptService(UserResetPasswordAttemptService<UserResetPasswordAttempt> userResetPasswordAttemptService)
    • getUserChangePasswordAttemptService

      protected UserChangePasswordAttemptService<UserChangePasswordAttempt> getUserChangePasswordAttemptService()
    • setUserChangePasswordAttemptService

      @Autowired public void setUserChangePasswordAttemptService(UserChangePasswordAttemptService<UserChangePasswordAttempt> userChangePasswordAttemptService)
    • getClientService

      protected AuthorizedClientService<AuthorizedClient> getClientService()
    • getServerService

      protected AuthorizationServerService<AuthorizationServer> getServerService()
    • getUserLockoutProperties

      protected UserLockoutProperties getUserLockoutProperties()
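
The pre-validate, act, then record ordering described under validateMaximumResetPasswordAttempts, as an added example that is not Broadleaf's own code. `ResetLockout` copies only the two method signatures documented above. Everything else is an assumption made for illustration: the in-memory counter, the lock-at-limit comparison, the `IllegalStateException`, the result strings (placeholders, since the real values are not shown on this page) and the token map.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;

public class ResetPasswordFlowExample {
    // Placeholder result values; the real ones are not shown on this page.
    static final String SUCCESS = "SUCCESS_PLACEHOLDER", FAILURE = "FAILURE_PLACEHOLDER";

    // Stand-in copying the two UserLockoutService signatures documented above.
    interface ResetLockout {
        void validateMaximumResetPasswordAttempts(String username, String userId, String authServerId);
        void createResetPasswordAttempt(String username, String userId, String result, String authServerId);
    }

    // Constructed in-memory implementation (assumption: locked once failures reach the limit).
    static class InMemoryLockout implements ResetLockout {
        final Map<String, Integer> failures = new HashMap<>();
        final int allowed;
        InMemoryLockout(int allowed) { this.allowed = allowed; }
        public void validateMaximumResetPasswordAttempts(String username, String userId, String authServerId) {
            if (failures.getOrDefault(authServerId + "|" + username, 0) >= allowed)
                throw new IllegalStateException("reset password attempts exceeded"); // placeholder exception type
        }
        public void createResetPasswordAttempt(String username, String userId, String result, String authServerId) {
            if (FAILURE.equals(result)) failures.merge(authServerId + "|" + username, 1, Integer::sum);
        }
    }

    // Pre-validate, then touch the one-time token, then record the outcome either way.
    static boolean redeem(ResetLockout lockout, Map<String, String> tokens, String username,
                          String userId, String presented, String authServerId) {
        lockout.validateMaximumResetPasswordAttempts(username, userId, authServerId); // throws before any side effect
        String expected = tokens.get(username);
        boolean ok = userId != null && expected != null && MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8), presented.getBytes(StandardCharsets.UTF_8));
        if (ok) tokens.remove(username); // consume the token only on a valid, non-locked attempt
        lockout.createResetPasswordAttempt(username, userId, ok ? SUCCESS : FAILURE, authServerId);
        return ok;
    }

    public static void main(String[] args) {
        ResetLockout lockout = new InMemoryLockout(3);
        Map<String, String> tokens = new HashMap<>(Map.of("alice", "constructed-token")); // constructed sample data
        for (int i = 0; i < 3; i++) System.out.println(redeem(lockout, tokens, "alice", "u1", "guess" + i, "server-1"));
        try { redeem(lockout, tokens, "alice", "u1", "constructed-token", "server-1"); }
        catch (IllegalStateException e) { System.out.println("refused: " + e.getMessage() + ", token kept: " + tokens.containsKey("alice")); }
        // Unknown username: userId is null, yet the failed attempt is still recorded against the username.
        System.out.println(redeem(lockout, tokens, "nobody", null, "x", "server-1"));
    }
}
```

After three wrong guesses the fourth call is refused before the token is compared or consumed, even though it presents the correct token.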