NetIQ Access Manager Authentication Class using reCaptcha
package com.novell.nam.authentication;
/*
* Copyright (c) 2015 Jared Jennings <jared@jaredjennings.org>. All Rights Reserved.
* The reCAPTCHA private (secret) key must be supplied as the class property
* recaptcha_private_key; it is read with getProperty() at captcha-validation time,
* and validation cannot succeed without it.
*/
import java.util.*;
import javax.servlet.http.*;
import org.eclipse.higgins.sts.api.*;
import com.novell.nidp.*;
import com.novell.nidp.authentication.*;
import com.novell.nidp.authentication.local.*;
import com.novell.nidp.common.authority.*;
import net.tanesha.recaptcha.ReCaptchaImpl;
import net.tanesha.recaptcha.ReCaptchaResponse;
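public class reCaptchaCustomAuthentication extends LocalAuthenticationClass implements STSAuthenticationClass
{
    /** Class property holding the reCAPTCHA private (secret) key. */
    private static final String PROP_RECAPTCHA_PRIVATE_KEY = "recaptcha_private_key";
    /** Form field carrying the reCAPTCHA challenge token. */
    private static final String PARM_RECAPTCHA_CHALLENGE = "recaptcha_challenge_field";
    /** Form field carrying the user's reCAPTCHA answer. */
    private static final String PARM_RECAPTCHA_RESPONSE = "recaptcha_response_field";

    /**
     * Constructor for form based authentication.
     *
     * @param props   Properties associated with the implementing class
     * @param uStores List of ordered user stores to authenticate against
     */
    public reCaptchaCustomAuthentication(Properties props, ArrayList<UserAuthority> uStores)
    {
        super(props, uStores);
    }

    /**
     * Get the authentication type this class implements.
     *
     * @return the authentication type represented by this class (password)
     */
    public String getType()
    {
        return AuthnConstants.PASSWORD;
    }

    /**
     * Per-request initialization; delegates entirely to the superclass.
     */
    public void initializeRequest(HttpServletRequest request,
                                  HttpServletResponse response,
                                  NIDPSession session,
                                  NIDPSessionData data,
                                  boolean following,
                                  String url)
    {
        super.initializeRequest(request, response, session, data, following, url);
    }

    /**
     * Perform form based authentication. This method gets called on each response
     * during the authentication process.
     *
     * @return the status of the authentication process, one of AUTHENTICATED,
     *         NOT_AUTHENTICATED, CANCELLED, HANDLED_REQUEST, PWD_EXPIRING,
     *         PWD_EXPIRED, or SHOW_JSP when the login form is (re)displayed
     */
    protected int doAuthenticate()
    {
        // On the first call after a previous method we only display the form, so
        // that a preceding form cannot feed data into this one through parameter
        // names that happen to coincide.
        if (!isFirstCallAfterPrevMethod())
        {
            int status = handlePostedData();
            if (status != NOT_AUTHENTICATED)
                return status;
        }

        String jsp = getProperty(AuthnConstants.PROPERTY_JSP);
        if (jsp == null || jsp.length() == 0)
            jsp = NIDPConstants.JSP_LOGIN;

        m_PageToShow = new PageToShow(jsp);
        String returnUrl = getReturnURL();
        m_PageToShow.addAttribute(NIDPConstants.ATTR_URL,
                (returnUrl != null ? returnUrl : m_Request.getRequestURL().toString()));
        if (getAuthnRequest() != null && getAuthnRequest().getTarget() != null)
            m_PageToShow.addAttribute("target", getAuthnRequest().getTarget());
        return SHOW_JSP;
    }

    /**
     * Get and process the data that is posted from the form.
     *
     * The captcha is verified first and the request is rejected if it does not
     * verify, so no directory lookup or password bind happens for requests that
     * fail the captcha.
     *
     * @return the status of the authentication process, one of AUTHENTICATED,
     *         NOT_AUTHENTICATED, PWD_EXPIRING, PWD_EXPIRED
     */
    private int handlePostedData()
    {
        String id = m_Request.getParameter(NIDPConstants.PARM_USERID);
        String password = m_Request.getParameter(NIDPConstants.PARM_PASSWORD);

        // Fail closed: the previous version computed the captcha result but never
        // acted on it, so the captcha did not actually gate authentication.
        if (!validateCaptcha())
        {
            // The generic login error is reused deliberately; substitute a
            // captcha-specific message here if the JSP should distinguish them.
            m_Request.setAttribute(NIDPConstants.ATTR_LOGIN_ERROR, getUserErrorMsg());
            return NOT_AUTHENTICATED;
        }

        // An administrator may have configured a custom LDAP query instead of the
        // default name/password lookup.
        String ldapQuery = checkForQuery();
        try
        {
            if (ldapQuery != null)
            {
                if (authenticateWithQuery(ldapQuery, password))
                    return AUTHENTICATED;
            }
            else
            {
                if (id == null || id.length() == 0)
                    return NOT_AUTHENTICATED;
                if (authenticateWithPassword(id, password))
                    return AUTHENTICATED;
            }
        }
        catch (PasswordExpiringException pe)
        {
            return PWD_EXPIRING;
        }
        catch (PasswordExpiredException pe)
        {
            return PWD_EXPIRED;
        }

        m_Request.setAttribute(NIDPConstants.ATTR_LOGIN_ERROR, getUserErrorMsg());
        return NOT_AUTHENTICATED;
    }

    /**
     * Authenticate a WS-Trust (STS) request carrying a username token.
     *
     * Note that the STS path performs no captcha check: there is no interactive
     * form here, so the reCAPTCHA fields are never present on this request.
     *
     * @param securityInformation security tokens extracted from the STS request
     * @return the authenticated principal, or null when authentication fails or
     *         the password has expired
     */
    public NIDPPrincipal handleSTSAuthentication(ISecurityInformation securityInformation)
    {
        IUsernameToken usernameToken =
                (IUsernameToken) securityInformation.getFirst(IUsernameToken.class);
        if (usernameToken == null)
            return null;

        try
        {
            if (authenticateWithPassword(usernameToken.getUsername(), usernameToken.getPassword()))
                return getPrincipal();
        }
        catch (PasswordExpiringException pe)
        {
            // The password is still valid while expiring; the bind succeeded.
            return getPrincipal();
        }
        catch (PasswordExpiredException ignored)
        {
            // An expired password cannot authenticate over STS; fall through to null.
        }
        return null;
    }

    /**
     * Validates the user-provided reCAPTCHA answer against the reCAPTCHA service.
     *
     * Fails closed: a missing private key or missing challenge/response form
     * fields are treated as an invalid captcha rather than being passed to the
     * verifier.
     *
     * @return true only when the service confirms the answer is valid
     */
    private boolean validateCaptcha()
    {
        String privateKey = getProperty(PROP_RECAPTCHA_PRIVATE_KEY);
        String challenge = m_Request.getParameter(PARM_RECAPTCHA_CHALLENGE);
        String uresponse = m_Request.getParameter(PARM_RECAPTCHA_RESPONSE);
        if (isBlank(privateKey) || isBlank(challenge) || isBlank(uresponse))
            return false;

        // NOTE(review): getRemoteAddr() is the immediate TCP peer. Behind a reverse
        // proxy or load balancer this is the proxy's address, not the end user's;
        // confirm whether the deployment needs the forwarded client address here.
        String remoteAddr = m_Request.getRemoteAddr();

        // NOTE(review): the challenge/response field names belong to the legacy
        // reCAPTCHA API; confirm the verification endpoint is still served.
        ReCaptchaImpl reCaptcha = new ReCaptchaImpl();
        reCaptcha.setPrivateKey(privateKey);
        ReCaptchaResponse reCaptchaResponse = reCaptcha.checkAnswer(remoteAddr, challenge, uresponse);
        return reCaptchaResponse != null && reCaptchaResponse.isValid();
    }

    /** True when the string is null or contains only whitespace. */
    private static boolean isBlank(String s)
    {
        return s == null || s.trim().length() == 0;
    }
}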