diff --git a/application/src/main/java/org/thingsboard/server/service/security/auth/rest/RestAuthenticationProvider.java b/application/src/main/java/org/thingsboard/server/service/security/auth/rest/RestAuthenticationProvider.java
index 7d612fef25..92409fa4ac 100644
--- a/application/src/main/java/org/thingsboard/server/service/security/auth/rest/RestAuthenticationProvider.java
+++ b/application/src/main/java/org/thingsboard/server/service/security/auth/rest/RestAuthenticationProvider.java
@@ -36,11 +36,15 @@ import org.thingsboard.server.common.data.id.TenantId;
 import org.thingsboard.server.common.data.id.UserId;
 import org.thingsboard.server.common.data.security.Authority;
 import org.thingsboard.server.common.data.security.UserCredentials;
+import org.thingsboard.server.common.data.security.model.SecuritySettings;
+import org.thingsboard.server.common.data.security.model.UserPasswordPolicy;
 import org.thingsboard.server.dao.customer.CustomerService;
+import org.thingsboard.server.dao.exception.DataValidationException;
 import org.thingsboard.server.dao.user.UserService;
 import org.thingsboard.server.queue.util.TbCoreComponent;
 import org.thingsboard.server.service.security.auth.MfaAuthenticationToken;
 import org.thingsboard.server.service.security.auth.mfa.TwoFactorAuthService;
+import org.thingsboard.server.service.security.exception.UserPasswordNotValidException;
 import org.thingsboard.server.service.security.model.SecurityUser;
 import org.thingsboard.server.service.security.model.UserPrincipal;
 import org.thingsboard.server.service.security.system.SystemSecurityService;
@@ -83,6 +87,17 @@ public class RestAuthenticationProvider implements AuthenticationProvider {
 if (userPrincipal.getType() == UserPrincipal.Type.USER_NAME) {
 String username = userPrincipal.getValue();
 String password = (String) authentication.getCredentials();
+
+ SecuritySettings securitySettings = systemSecurityService.getSecuritySettings(null);
+ UserPasswordPolicy passwordPolicy = securitySettings.getPasswordPolicy();
+ if (Boolean.TRUE.equals(passwordPolicy.getForceUserToResetPasswordIfNotValid())) {
+ try {
+ systemSecurityService.validatePasswordByPolicy(password, passwordPolicy);
+ } catch (DataValidationException e) {
+ throw new UserPasswordNotValidException("The entered password violates our policies. If this is your real password, please reset it.");
+ }
+ }
+
 securityUser = authenticateByUsernameAndPassword(authentication, userPrincipal, username, password);
 if (twoFactorAuthService.isTwoFaEnabled(securityUser.getTenantId(), securityUser.getId())) {
 return new MfaAuthenticationToken(securityUser);
diff --git a/application/src/main/java/org/thingsboard/server/service/security/exception/UserPasswordNotValidException.java b/application/src/main/java/org/thingsboard/server/service/security/exception/UserPasswordNotValidException.java
index 7cd01be7d5..2c1488bcbf 100644
--- a/application/src/main/java/org/thingsboard/server/service/security/exception/UserPasswordNotValidException.java
+++ b/application/src/main/java/org/thingsboard/server/service/security/exception/UserPasswordNotValidException.java
@@ -15,9 +15,9 @@
 */
 package org.thingsboard.server.service.security.exception;
-import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.authentication.AccountStatusException;
-public class UserPasswordNotValidException extends AuthenticationException {
+public class UserPasswordNotValidException extends AccountStatusException {
 public UserPasswordNotValidException(String msg) {
 super(msg);
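Review bot: `systemSecurityService.getSecuritySettings(null)` enforces the system-level password policy for every username login, whereas the check this replaces in DefaultSystemSecurityService resolved the settings with the user's `tenantId` and skipped the check when `tenantId.isSysTenantId()`; if tenant-scoped policies exist, the tenant's policy is no longer the one enforced at login, and the system-administrator exemption is gone. The tenant is only known after `authenticateByUsernameAndPassword`, so if rejecting a non-compliant password before the stored hash is touched is the intent, say so, e.g. `// Tenant is unknown before authentication: the system-level policy (null tenant) is applied deliberately.`; otherwise re-run the check against the tenant policy once `securityUser` is resolved. Note also that the rejection happens before any credential comparison, so such attempts are neither verified nor counted toward `failedLoginAttempts`, which is the same as the removed code but worth a comment now that the check lives in the provider. The enclosing authenticate method starts and ends outside the hunk.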
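Review bot: Reparenting UserPasswordNotValidException onto AccountStatusException changes how Spring Security's ProviderManager treats it: in current versions an AccountStatusException is rethrown straight away without consulting further providers and is reported as an account-status failure rather than a bad-credentials one, so any failure handler or event listener that keyed on the former AuthenticationException parent may now behave differently — worth confirming against the login filter's failure handler, which is outside this diff. The class still carries no Javadoc; a one-liner such as `/** Raised during login when the entered password violates the active password policy and the user is expected to reset it. */` would document the contract the provider now depends on. The class body continues past the hunk.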
diff --git a/application/src/main/java/org/thingsboard/server/service/security/system/DefaultSystemSecurityService.java b/application/src/main/java/org/thingsboard/server/service/security/system/DefaultSystemSecurityService.java
index 5dacefc924..e60ff36a43 100644
--- a/application/src/main/java/org/thingsboard/server/service/security/system/DefaultSystemSecurityService.java
+++ b/application/src/main/java/org/thingsboard/server/service/security/system/DefaultSystemSecurityService.java
@@ -133,19 +133,9 @@ public class DefaultSystemSecurityService implements SystemSecurityService {
 @Override
 public void validateUserCredentials(TenantId tenantId, UserCredentials userCredentials, String username, String password) throws AuthenticationException {
- SecuritySettings securitySettings = self.getSecuritySettings(tenantId);
- UserPasswordPolicy passwordPolicy = securitySettings.getPasswordPolicy();
-
- if (!tenantId.isSysTenantId() && Boolean.TRUE.equals(passwordPolicy.getForceUserToResetPasswordIfNotValid())) {
- try {
- validatePasswordByPolicy(password, passwordPolicy);
- } catch (DataValidationException e) {
- throw new UserPasswordNotValidException("The entered password violates our policies. If this is your real password, please reset it.");
-
- }
- }
 if (!encoder.matches(password, userCredentials.getPassword())) {
 int failedLoginAttempts = userService.increaseFailedLoginAttempts(tenantId, userCredentials.getUserId());
+ SecuritySettings securitySettings = self.getSecuritySettings(tenantId);
 if (securitySettings.getMaxFailedLoginAttempts() != null && securitySettings.getMaxFailedLoginAttempts() > 0) {
 if (failedLoginAttempts > securitySettings.getMaxFailedLoginAttempts() && userCredentials.isEnabled()) {
 lockAccount(userCredentials.getUserId(), username, securitySettings.getUserLockoutNotificationEmail(), securitySettings.getMaxFailedLoginAttempts());
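Review bot: `securitySettings` is now fetched inside the failed-match branch here and fetched again after `resetFailedLoginAttempts` in the following hunk (@@ -161), each as a separate local of the same name, where the removed method-scope declaration served both paths; unless the split is deliberate, a single `SecuritySettings securitySettings = self.getSecuritySettings(tenantId);` at the top of validateUserCredentials keeps one lookup and one name. With the policy block gone, the file's `UserPasswordNotValidException` import is presumably unused now — the hunk does not show the import section, so verify and drop it. validateUserCredentials starts before and ends after the hunk.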
@@ -161,6 +151,7 @@ public class DefaultSystemSecurityService implements SystemSecurityService {
 userService.resetFailedLoginAttempts(tenantId, userCredentials.getUserId());
+ SecuritySettings securitySettings = self.getSecuritySettings(tenantId);
 if (isPositiveInteger(securitySettings.getPasswordPolicy().getPasswordExpirationPeriodDays())) {
 if ((userCredentials.getCreatedTime() + TimeUnit.DAYS.toMillis(securitySettings.getPasswordPolicy().getPasswordExpirationPeriodDays()))
@@ -227,7 +218,8 @@ public class DefaultSystemSecurityService implements SystemSecurityService {
 }
 }
- private void validatePasswordByPolicy(String password, UserPasswordPolicy passwordPolicy) {
+ @Override
+ public void validatePasswordByPolicy(String password, UserPasswordPolicy passwordPolicy) {
 List passwordRules = new ArrayList<>();
 Integer maximumLength = passwordPolicy.getMaximumLength();
diff --git a/application/src/main/java/org/thingsboard/server/service/security/system/SystemSecurityService.java b/application/src/main/java/org/thingsboard/server/service/security/system/SystemSecurityService.java
index 64550c438e..ad008c6ecf 100644
--- a/application/src/main/java/org/thingsboard/server/service/security/system/SystemSecurityService.java
+++ b/application/src/main/java/org/thingsboard/server/service/security/system/SystemSecurityService.java
@@ -22,6 +22,7 @@ import org.thingsboard.server.common.data.id.CustomerId;
 import org.thingsboard.server.common.data.id.TenantId;
 import org.thingsboard.server.common.data.security.UserCredentials;
 import org.thingsboard.server.common.data.security.model.SecuritySettings;
+import org.thingsboard.server.common.data.security.model.UserPasswordPolicy;
 import org.thingsboard.server.common.data.security.model.mfa.PlatformTwoFaSettings;
 import org.thingsboard.server.dao.exception.DataValidationException;
 import org.thingsboard.server.service.security.model.SecurityUser;
@@ -34,6 +35,8 @@ public interface SystemSecurityService {
 SecuritySettings saveSecuritySettings(TenantId tenantId, SecuritySettings securitySettings);
+ void validatePasswordByPolicy(String password, UserPasswordPolicy passwordPolicy);
+
 void validateUserCredentials(TenantId tenantId, UserCredentials userCredentials, String username, String password) throws AuthenticationException;
 void validateTwoFaVerification(SecurityUser securityUser, boolean verificationSuccess, PlatformTwoFaSettings twoFaSettings);
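Review bot: The new interface method `validatePasswordByPolicy` has no Javadoc, yet its contract is exactly what RestAuthenticationProvider relies on — it signals a violation by throwing DataValidationException (already imported in this file) rather than returning a result, and nothing in the signature says so. Document it on the interface, e.g. `/** Checks {@code password} against {@code passwordPolicy}. @throws DataValidationException if the password violates the policy */`, so implementers and callers know which exception to expect; the implementation promoted to public in DefaultSystemSecurityService (@@ -227) should carry the same description.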