2010-06-20 22:11:53 +02:00
|
|
|
/*
|
2013-12-15 13:38:29 +01:00
|
|
|
* Copyright 2013 Robert von Burg <eitch@eitchnet.ch>
|
2018-03-19 10:43:08 +01:00
|
|
|
*
|
2013-12-15 13:38:29 +01:00
|
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
* you may not use this file except in compliance with the License.
|
|
|
|
* You may obtain a copy of the License at
|
2018-03-19 10:43:08 +01:00
|
|
|
*
|
2013-12-15 13:38:29 +01:00
|
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
2018-03-19 10:43:08 +01:00
|
|
|
*
|
2013-12-15 13:38:29 +01:00
|
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
* See the License for the specific language governing permissions and
|
|
|
|
* limitations under the License.
|
2010-06-20 22:11:53 +02:00
|
|
|
*/
|
2016-06-26 11:38:41 +02:00
|
|
|
package li.strolch.privilege.handler;
|
2010-06-20 22:11:53 +02:00
|
|
|
|
2012-07-29 18:23:31 +02:00
|
|
|
import java.util.List;
|
2010-06-20 22:11:53 +02:00
|
|
|
import java.util.Locale;
|
2015-03-08 13:38:15 +01:00
|
|
|
import java.util.Map;
|
2010-06-20 22:11:53 +02:00
|
|
|
|
2023-03-14 09:18:15 +01:00
|
|
|
import li.strolch.privilege.base.*;
|
2018-10-05 09:17:12 +02:00
|
|
|
import li.strolch.privilege.model.*;
|
2016-06-26 11:38:41 +02:00
|
|
|
import li.strolch.privilege.model.internal.Role;
|
|
|
|
import li.strolch.privilege.model.internal.User;
|
|
|
|
import li.strolch.privilege.policy.PrivilegePolicy;
|
2010-06-20 22:11:53 +02:00
|
|
|
|
|
|
|
/**
|
2010-11-27 22:00:34 +01:00
|
|
|
* The {@link PrivilegeHandler} is the centrally exposed API for accessing the privilege library. It exposes all needed
|
|
|
|
* methods to access Privilege data model objects, modify them and validate if users or roles have privileges to perform
|
|
|
|
* an action
|
2017-10-06 16:59:22 +02:00
|
|
|
*
|
2011-08-07 12:14:40 +02:00
|
|
|
* @author Robert von Burg <eitch@eitchnet.ch>
|
2010-06-20 22:11:53 +02:00
|
|
|
*/
|
2010-08-08 22:13:36 +02:00
|
|
|
public interface PrivilegeHandler {
|
|
|
|
|
[Major] removed the need for a role PrivilegeAdmin - now use privileges
- this solves the situation where a user might be allowed to add a user
with a specific role, but not change a role and other such use cases
Now there are privileges for every use case with two new
PrivilegePolicies:
- RoleAccessPrivilege
- UserAccessPrivilege
both of these policies expect a ch.eitchnet.utils.collections.Tuple as
privilege value. The Tuple is a simple wrapper for two values: first and
second. Each privilege has its own requirement on the actual values
Special privilege actions:
- PrivilegeAction -> privilege vlaue: String
- Persist (required Allow)
- Reload (required Allow)
- GetPolicies (required Allow)
Role specific privileges:
- PrivilegeGetRole -> privilege value: Tuple(null, newRole)
- PrivilegeAddRole -> privilege value: Tuple(null, newRole)
- PrivilegeRemoveRole -> privilege value: Tuple(null, newRole)
- PrivilegeModifyRole -> privilege value: Tuple(oldRole, newRole)
Use specific privileges:
- PrivilegeGetUser -> privilege value: Tuple(null, newUser)
- PrivilegeAddUser -> privilege value: Tuple(null, newUser)
- PrivilegeRemoveUser -> privilege value: Tuple(null, newUser)
- PrivilegeModifyUser -> privilege value: Tuple(oldUser, newUser)
- NOTE: without modifying roles, only fields and properties!
- PrivilegeAddRoleToUser -> privilege value: Tuple(oldUser, roleName)
- PrivilegeRemoveRoleFromUser -> privilege value: Tuple(oldUser,
roleName)
2015-03-12 17:32:06 +01:00
|
|
|
///
|
|
|
|
|
|
|
|
/**
|
2023-03-14 09:18:15 +01:00
|
|
|
* Privilege "PrivilegeAction" which is used for privileges which are not further categorized e.g. s
|
|
|
|
* {@link #PRIVILEGE_ACTION_PERSIST} and {@link #PRIVILEGE_ACTION_GET_POLICIES}
|
[Major] removed the need for a role PrivilegeAdmin - now use privileges
- this solves the situation where a user might be allowed to add a user
with a specific role, but not change a role and other such use cases
Now there are privileges for every use case with two new
PrivilegePolicies:
- RoleAccessPrivilege
- UserAccessPrivilege
both of these policies expect a ch.eitchnet.utils.collections.Tuple as
privilege value. The Tuple is a simple wrapper for two values: first and
second. Each privilege has its own requirement on the actual values
Special privilege actions:
- PrivilegeAction -> privilege vlaue: String
- Persist (required Allow)
- Reload (required Allow)
- GetPolicies (required Allow)
Role specific privileges:
- PrivilegeGetRole -> privilege value: Tuple(null, newRole)
- PrivilegeAddRole -> privilege value: Tuple(null, newRole)
- PrivilegeRemoveRole -> privilege value: Tuple(null, newRole)
- PrivilegeModifyRole -> privilege value: Tuple(oldRole, newRole)
Use specific privileges:
- PrivilegeGetUser -> privilege value: Tuple(null, newUser)
- PrivilegeAddUser -> privilege value: Tuple(null, newUser)
- PrivilegeRemoveUser -> privilege value: Tuple(null, newUser)
- PrivilegeModifyUser -> privilege value: Tuple(oldUser, newUser)
- NOTE: without modifying roles, only fields and properties!
- PrivilegeAddRoleToUser -> privilege value: Tuple(oldUser, roleName)
- PrivilegeRemoveRoleFromUser -> privilege value: Tuple(oldUser,
roleName)
2015-03-12 17:32:06 +01:00
|
|
|
*/
|
2017-10-06 16:59:22 +02:00
|
|
|
String PRIVILEGE_ACTION = "PrivilegeAction";
|
[Major] removed the need for a role PrivilegeAdmin - now use privileges
- this solves the situation where a user might be allowed to add a user
with a specific role, but not change a role and other such use cases
Now there are privileges for every use case with two new
PrivilegePolicies:
- RoleAccessPrivilege
- UserAccessPrivilege
both of these policies expect a ch.eitchnet.utils.collections.Tuple as
privilege value. The Tuple is a simple wrapper for two values: first and
second. Each privilege has its own requirement on the actual values
Special privilege actions:
- PrivilegeAction -> privilege vlaue: String
- Persist (required Allow)
- Reload (required Allow)
- GetPolicies (required Allow)
Role specific privileges:
- PrivilegeGetRole -> privilege value: Tuple(null, newRole)
- PrivilegeAddRole -> privilege value: Tuple(null, newRole)
- PrivilegeRemoveRole -> privilege value: Tuple(null, newRole)
- PrivilegeModifyRole -> privilege value: Tuple(oldRole, newRole)
Use specific privileges:
- PrivilegeGetUser -> privilege value: Tuple(null, newUser)
- PrivilegeAddUser -> privilege value: Tuple(null, newUser)
- PrivilegeRemoveUser -> privilege value: Tuple(null, newUser)
- PrivilegeModifyUser -> privilege value: Tuple(oldUser, newUser)
- NOTE: without modifying roles, only fields and properties!
- PrivilegeAddRoleToUser -> privilege value: Tuple(oldUser, roleName)
- PrivilegeRemoveRoleFromUser -> privilege value: Tuple(oldUser,
roleName)
2015-03-12 17:32:06 +01:00
|
|
|
|
|
|
|
/**
|
|
|
|
* For Privilege "PrivilegeAction" value required to be able to persist changes if not exempted by auto persist or
|
|
|
|
* <code>allAllowed</code>
|
|
|
|
*/
|
2017-10-06 16:59:22 +02:00
|
|
|
String PRIVILEGE_ACTION_PERSIST = "Persist";
|
2018-03-19 10:43:08 +01:00
|
|
|
|
2015-10-16 13:16:27 +02:00
|
|
|
/**
|
|
|
|
* For Privilege "PrivilegeAction" value required to be able to persist session if not exempted by
|
|
|
|
* <code>allAllowed</code>
|
|
|
|
*/
|
2017-10-06 16:59:22 +02:00
|
|
|
String PRIVILEGE_ACTION_PERSIST_SESSIONS = "PersistSessions";
|
2018-03-19 10:43:08 +01:00
|
|
|
|
[Major] removed the need for a role PrivilegeAdmin - now use privileges
- this solves the situation where a user might be allowed to add a user
with a specific role, but not change a role and other such use cases
Now there are privileges for every use case with two new
PrivilegePolicies:
- RoleAccessPrivilege
- UserAccessPrivilege
both of these policies expect a ch.eitchnet.utils.collections.Tuple as
privilege value. The Tuple is a simple wrapper for two values: first and
second. Each privilege has its own requirement on the actual values
Special privilege actions:
- PrivilegeAction -> privilege vlaue: String
- Persist (required Allow)
- Reload (required Allow)
- GetPolicies (required Allow)
Role specific privileges:
- PrivilegeGetRole -> privilege value: Tuple(null, newRole)
- PrivilegeAddRole -> privilege value: Tuple(null, newRole)
- PrivilegeRemoveRole -> privilege value: Tuple(null, newRole)
- PrivilegeModifyRole -> privilege value: Tuple(oldRole, newRole)
Use specific privileges:
- PrivilegeGetUser -> privilege value: Tuple(null, newUser)
- PrivilegeAddUser -> privilege value: Tuple(null, newUser)
- PrivilegeRemoveUser -> privilege value: Tuple(null, newUser)
- PrivilegeModifyUser -> privilege value: Tuple(oldUser, newUser)
- NOTE: without modifying roles, only fields and properties!
- PrivilegeAddRoleToUser -> privilege value: Tuple(oldUser, roleName)
- PrivilegeRemoveRoleFromUser -> privilege value: Tuple(oldUser,
roleName)
2015-03-12 17:32:06 +01:00
|
|
|
/**
|
|
|
|
* For Privilege "PrivilegeAction" value required to be able to reload changes if not exempted by
|
|
|
|
* <code>allAllowed</code>
|
|
|
|
*/
|
2017-10-06 16:59:22 +02:00
|
|
|
String PRIVILEGE_ACTION_RELOAD = "Reload";
|
2018-03-19 10:43:08 +01:00
|
|
|
|
[Major] removed the need for a role PrivilegeAdmin - now use privileges
- this solves the situation where a user might be allowed to add a user
with a specific role, but not change a role and other such use cases
Now there are privileges for every use case with two new
PrivilegePolicies:
- RoleAccessPrivilege
- UserAccessPrivilege
both of these policies expect a ch.eitchnet.utils.collections.Tuple as
privilege value. The Tuple is a simple wrapper for two values: first and
second. Each privilege has its own requirement on the actual values
Special privilege actions:
- PrivilegeAction -> privilege vlaue: String
- Persist (required Allow)
- Reload (required Allow)
- GetPolicies (required Allow)
Role specific privileges:
- PrivilegeGetRole -> privilege value: Tuple(null, newRole)
- PrivilegeAddRole -> privilege value: Tuple(null, newRole)
- PrivilegeRemoveRole -> privilege value: Tuple(null, newRole)
- PrivilegeModifyRole -> privilege value: Tuple(oldRole, newRole)
Use specific privileges:
- PrivilegeGetUser -> privilege value: Tuple(null, newUser)
- PrivilegeAddUser -> privilege value: Tuple(null, newUser)
- PrivilegeRemoveUser -> privilege value: Tuple(null, newUser)
- PrivilegeModifyUser -> privilege value: Tuple(oldUser, newUser)
- NOTE: without modifying roles, only fields and properties!
- PrivilegeAddRoleToUser -> privilege value: Tuple(oldUser, roleName)
- PrivilegeRemoveRoleFromUser -> privilege value: Tuple(oldUser,
roleName)
2015-03-12 17:32:06 +01:00
|
|
|
/**
|
|
|
|
* For Privilege "PrivilegeAction" value required to get currently configured policies if not
|
|
|
|
* <code>allAllowed</code>
|
|
|
|
*/
|
2017-10-06 16:59:22 +02:00
|
|
|
String PRIVILEGE_ACTION_GET_POLICIES = "GetPolicies";
|
2018-03-19 10:43:08 +01:00
|
|
|
|
2015-10-16 13:16:27 +02:00
|
|
|
/**
|
|
|
|
* For Privilege "PrivilegeAction" value required to get a certificate if not <code>allAllowed</code>
|
|
|
|
*/
|
2017-10-06 16:59:22 +02:00
|
|
|
String PRIVILEGE_ACTION_GET_CERTIFICATE = "GetCertificate";
|
2018-03-19 10:43:08 +01:00
|
|
|
|
2015-10-16 13:16:27 +02:00
|
|
|
/**
|
|
|
|
* For Privilege "PrivilegeAction" value required to get all certificates if not <code>allAllowed</code>
|
|
|
|
*/
|
2017-10-06 16:59:22 +02:00
|
|
|
String PRIVILEGE_ACTION_GET_CERTIFICATES = "GetCertificates";
|
[Major] removed the need for a role PrivilegeAdmin - now use privileges
- this solves the situation where a user might be allowed to add a user
with a specific role, but not change a role and other such use cases
Now there are privileges for every use case with two new
PrivilegePolicies:
- RoleAccessPrivilege
- UserAccessPrivilege
both of these policies expect a ch.eitchnet.utils.collections.Tuple as
privilege value. The Tuple is a simple wrapper for two values: first and
second. Each privilege has its own requirement on the actual values
Special privilege actions:
- PrivilegeAction -> privilege vlaue: String
- Persist (required Allow)
- Reload (required Allow)
- GetPolicies (required Allow)
Role specific privileges:
- PrivilegeGetRole -> privilege value: Tuple(null, newRole)
- PrivilegeAddRole -> privilege value: Tuple(null, newRole)
- PrivilegeRemoveRole -> privilege value: Tuple(null, newRole)
- PrivilegeModifyRole -> privilege value: Tuple(oldRole, newRole)
Use specific privileges:
- PrivilegeGetUser -> privilege value: Tuple(null, newUser)
- PrivilegeAddUser -> privilege value: Tuple(null, newUser)
- PrivilegeRemoveUser -> privilege value: Tuple(null, newUser)
- PrivilegeModifyUser -> privilege value: Tuple(oldUser, newUser)
- NOTE: without modifying roles, only fields and properties!
- PrivilegeAddRoleToUser -> privilege value: Tuple(oldUser, roleName)
- PrivilegeRemoveRoleFromUser -> privilege value: Tuple(oldUser,
roleName)
2015-03-12 17:32:06 +01:00
|
|
|
|
|
|
|
///
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Privilege "PrivilegeGetRole" which is used to validate that a user can get a specific role
|
|
|
|
*/
|
2017-10-06 16:59:22 +02:00
|
|
|
String PRIVILEGE_GET_ROLE = "PrivilegeGetRole";
|
2018-03-19 10:43:08 +01:00
|
|
|
|
[Major] removed the need for a role PrivilegeAdmin - now use privileges
- this solves the situation where a user might be allowed to add a user
with a specific role, but not change a role and other such use cases
Now there are privileges for every use case with two new
PrivilegePolicies:
- RoleAccessPrivilege
- UserAccessPrivilege
both of these policies expect a ch.eitchnet.utils.collections.Tuple as
privilege value. The Tuple is a simple wrapper for two values: first and
second. Each privilege has its own requirement on the actual values
Special privilege actions:
- PrivilegeAction -> privilege vlaue: String
- Persist (required Allow)
- Reload (required Allow)
- GetPolicies (required Allow)
Role specific privileges:
- PrivilegeGetRole -> privilege value: Tuple(null, newRole)
- PrivilegeAddRole -> privilege value: Tuple(null, newRole)
- PrivilegeRemoveRole -> privilege value: Tuple(null, newRole)
- PrivilegeModifyRole -> privilege value: Tuple(oldRole, newRole)
Use specific privileges:
- PrivilegeGetUser -> privilege value: Tuple(null, newUser)
- PrivilegeAddUser -> privilege value: Tuple(null, newUser)
- PrivilegeRemoveUser -> privilege value: Tuple(null, newUser)
- PrivilegeModifyUser -> privilege value: Tuple(oldUser, newUser)
- NOTE: without modifying roles, only fields and properties!
- PrivilegeAddRoleToUser -> privilege value: Tuple(oldUser, roleName)
- PrivilegeRemoveRoleFromUser -> privilege value: Tuple(oldUser,
roleName)
2015-03-12 17:32:06 +01:00
|
|
|
/**
|
|
|
|
* Privilege "PrivilegeAddRole" which is used to validate that a user can add a specific role
|
|
|
|
*/
|
2017-10-06 16:59:22 +02:00
|
|
|
String PRIVILEGE_ADD_ROLE = "PrivilegeAddRole";
|
2018-03-19 10:43:08 +01:00
|
|
|
|
2010-08-08 22:13:36 +02:00
|
|
|
/**
|
[Major] removed the need for a role PrivilegeAdmin - now use privileges
- this solves the situation where a user might be allowed to add a user
with a specific role, but not change a role and other such use cases
Now there are privileges for every use case with two new
PrivilegePolicies:
- RoleAccessPrivilege
- UserAccessPrivilege
both of these policies expect a ch.eitchnet.utils.collections.Tuple as
privilege value. The Tuple is a simple wrapper for two values: first and
second. Each privilege has its own requirement on the actual values
Special privilege actions:
- PrivilegeAction -> privilege vlaue: String
- Persist (required Allow)
- Reload (required Allow)
- GetPolicies (required Allow)
Role specific privileges:
- PrivilegeGetRole -> privilege value: Tuple(null, newRole)
- PrivilegeAddRole -> privilege value: Tuple(null, newRole)
- PrivilegeRemoveRole -> privilege value: Tuple(null, newRole)
- PrivilegeModifyRole -> privilege value: Tuple(oldRole, newRole)
Use specific privileges:
- PrivilegeGetUser -> privilege value: Tuple(null, newUser)
- PrivilegeAddUser -> privilege value: Tuple(null, newUser)
- PrivilegeRemoveUser -> privilege value: Tuple(null, newUser)
- PrivilegeModifyUser -> privilege value: Tuple(oldUser, newUser)
- NOTE: without modifying roles, only fields and properties!
- PrivilegeAddRoleToUser -> privilege value: Tuple(oldUser, roleName)
- PrivilegeRemoveRoleFromUser -> privilege value: Tuple(oldUser,
roleName)
2015-03-12 17:32:06 +01:00
|
|
|
* Privilege "PrivilegeRemoveRole" which is used to validate that a user can remove a specific role
|
2010-09-18 22:00:20 +02:00
|
|
|
*/
|
2017-10-06 16:59:22 +02:00
|
|
|
String PRIVILEGE_REMOVE_ROLE = "PrivilegeRemoveRole";
|
2018-03-19 10:43:08 +01:00
|
|
|
|
[Major] removed the need for a role PrivilegeAdmin - now use privileges
- this solves the situation where a user might be allowed to add a user
with a specific role, but not change a role and other such use cases
Now there are privileges for every use case with two new
PrivilegePolicies:
- RoleAccessPrivilege
- UserAccessPrivilege
both of these policies expect a ch.eitchnet.utils.collections.Tuple as
privilege value. The Tuple is a simple wrapper for two values: first and
second. Each privilege has its own requirement on the actual values
Special privilege actions:
- PrivilegeAction -> privilege vlaue: String
- Persist (required Allow)
- Reload (required Allow)
- GetPolicies (required Allow)
Role specific privileges:
- PrivilegeGetRole -> privilege value: Tuple(null, newRole)
- PrivilegeAddRole -> privilege value: Tuple(null, newRole)
- PrivilegeRemoveRole -> privilege value: Tuple(null, newRole)
- PrivilegeModifyRole -> privilege value: Tuple(oldRole, newRole)
Use specific privileges:
- PrivilegeGetUser -> privilege value: Tuple(null, newUser)
- PrivilegeAddUser -> privilege value: Tuple(null, newUser)
- PrivilegeRemoveUser -> privilege value: Tuple(null, newUser)
- PrivilegeModifyUser -> privilege value: Tuple(oldUser, newUser)
- NOTE: without modifying roles, only fields and properties!
- PrivilegeAddRoleToUser -> privilege value: Tuple(oldUser, roleName)
- PrivilegeRemoveRoleFromUser -> privilege value: Tuple(oldUser,
roleName)
2015-03-12 17:32:06 +01:00
|
|
|
/**
|
|
|
|
* Privilege "PrivilegeModifyRole" which is used to validate that a user can modify a specific role. <b>Note:</b>
|
|
|
|
* This includes modifying of the privileges on the role
|
|
|
|
*/
|
2017-10-06 16:59:22 +02:00
|
|
|
String PRIVILEGE_MODIFY_ROLE = "PrivilegeModifyRole";
|
[Major] removed the need for a role PrivilegeAdmin - now use privileges
- this solves the situation where a user might be allowed to add a user
with a specific role, but not change a role and other such use cases
Now there are privileges for every use case with two new
PrivilegePolicies:
- RoleAccessPrivilege
- UserAccessPrivilege
both of these policies expect a ch.eitchnet.utils.collections.Tuple as
privilege value. The Tuple is a simple wrapper for two values: first and
second. Each privilege has its own requirement on the actual values
Special privilege actions:
- PrivilegeAction -> privilege vlaue: String
- Persist (required Allow)
- Reload (required Allow)
- GetPolicies (required Allow)
Role specific privileges:
- PrivilegeGetRole -> privilege value: Tuple(null, newRole)
- PrivilegeAddRole -> privilege value: Tuple(null, newRole)
- PrivilegeRemoveRole -> privilege value: Tuple(null, newRole)
- PrivilegeModifyRole -> privilege value: Tuple(oldRole, newRole)
Use specific privileges:
- PrivilegeGetUser -> privilege value: Tuple(null, newUser)
- PrivilegeAddUser -> privilege value: Tuple(null, newUser)
- PrivilegeRemoveUser -> privilege value: Tuple(null, newUser)
- PrivilegeModifyUser -> privilege value: Tuple(oldUser, newUser)
- NOTE: without modifying roles, only fields and properties!
- PrivilegeAddRoleToUser -> privilege value: Tuple(oldUser, roleName)
- PrivilegeRemoveRoleFromUser -> privilege value: Tuple(oldUser,
roleName)
2015-03-12 17:32:06 +01:00
|
|
|
|
|
|
|
///
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Privilege "PrivilegeGetUser" which is used to validate that a user can get a specific user
|
|
|
|
*/
|
2017-10-06 16:59:22 +02:00
|
|
|
String PRIVILEGE_GET_USER = "PrivilegeGetUser";
|
2018-03-19 10:43:08 +01:00
|
|
|
|
[Major] removed the need for a role PrivilegeAdmin - now use privileges
- this solves the situation where a user might be allowed to add a user
with a specific role, but not change a role and other such use cases
Now there are privileges for every use case with two new
PrivilegePolicies:
- RoleAccessPrivilege
- UserAccessPrivilege
both of these policies expect a ch.eitchnet.utils.collections.Tuple as
privilege value. The Tuple is a simple wrapper for two values: first and
second. Each privilege has its own requirement on the actual values
Special privilege actions:
- PrivilegeAction -> privilege vlaue: String
- Persist (required Allow)
- Reload (required Allow)
- GetPolicies (required Allow)
Role specific privileges:
- PrivilegeGetRole -> privilege value: Tuple(null, newRole)
- PrivilegeAddRole -> privilege value: Tuple(null, newRole)
- PrivilegeRemoveRole -> privilege value: Tuple(null, newRole)
- PrivilegeModifyRole -> privilege value: Tuple(oldRole, newRole)
Use specific privileges:
- PrivilegeGetUser -> privilege value: Tuple(null, newUser)
- PrivilegeAddUser -> privilege value: Tuple(null, newUser)
- PrivilegeRemoveUser -> privilege value: Tuple(null, newUser)
- PrivilegeModifyUser -> privilege value: Tuple(oldUser, newUser)
- NOTE: without modifying roles, only fields and properties!
- PrivilegeAddRoleToUser -> privilege value: Tuple(oldUser, roleName)
- PrivilegeRemoveRoleFromUser -> privilege value: Tuple(oldUser,
roleName)
2015-03-12 17:32:06 +01:00
|
|
|
/**
|
|
|
|
* Privilege "PrivilegeAddUser" which is used to validate that a user can add a specific user
|
|
|
|
*/
|
2017-10-06 16:59:22 +02:00
|
|
|
String PRIVILEGE_ADD_USER = "PrivilegeAddUser";
|
2018-03-19 10:43:08 +01:00
|
|
|
|
[Major] removed the need for a role PrivilegeAdmin - now use privileges
- this solves the situation where a user might be allowed to add a user
with a specific role, but not change a role and other such use cases
Now there are privileges for every use case with two new
PrivilegePolicies:
- RoleAccessPrivilege
- UserAccessPrivilege
both of these policies expect a ch.eitchnet.utils.collections.Tuple as
privilege value. The Tuple is a simple wrapper for two values: first and
second. Each privilege has its own requirement on the actual values
Special privilege actions:
- PrivilegeAction -> privilege vlaue: String
- Persist (required Allow)
- Reload (required Allow)
- GetPolicies (required Allow)
Role specific privileges:
- PrivilegeGetRole -> privilege value: Tuple(null, newRole)
- PrivilegeAddRole -> privilege value: Tuple(null, newRole)
- PrivilegeRemoveRole -> privilege value: Tuple(null, newRole)
- PrivilegeModifyRole -> privilege value: Tuple(oldRole, newRole)
Use specific privileges:
- PrivilegeGetUser -> privilege value: Tuple(null, newUser)
- PrivilegeAddUser -> privilege value: Tuple(null, newUser)
- PrivilegeRemoveUser -> privilege value: Tuple(null, newUser)
- PrivilegeModifyUser -> privilege value: Tuple(oldUser, newUser)
- NOTE: without modifying roles, only fields and properties!
- PrivilegeAddRoleToUser -> privilege value: Tuple(oldUser, roleName)
- PrivilegeRemoveRoleFromUser -> privilege value: Tuple(oldUser,
roleName)
2015-03-12 17:32:06 +01:00
|
|
|
/**
|
|
|
|
* Privilege "PrivilegeRemoveUser" which is used to validate that a user can remove a specific user
|
|
|
|
*/
|
2017-10-06 16:59:22 +02:00
|
|
|
String PRIVILEGE_REMOVE_USER = "PrivilegeRemoveUser";
|
2018-03-19 10:43:08 +01:00
|
|
|
|
[Major] removed the need for a role PrivilegeAdmin - now use privileges
- this solves the situation where a user might be allowed to add a user
with a specific role, but not change a role and other such use cases
Now there are privileges for every use case with two new
PrivilegePolicies:
- RoleAccessPrivilege
- UserAccessPrivilege
both of these policies expect a ch.eitchnet.utils.collections.Tuple as
privilege value. The Tuple is a simple wrapper for two values: first and
second. Each privilege has its own requirement on the actual values
Special privilege actions:
- PrivilegeAction -> privilege vlaue: String
- Persist (required Allow)
- Reload (required Allow)
- GetPolicies (required Allow)
Role specific privileges:
- PrivilegeGetRole -> privilege value: Tuple(null, newRole)
- PrivilegeAddRole -> privilege value: Tuple(null, newRole)
- PrivilegeRemoveRole -> privilege value: Tuple(null, newRole)
- PrivilegeModifyRole -> privilege value: Tuple(oldRole, newRole)
Use specific privileges:
- PrivilegeGetUser -> privilege value: Tuple(null, newUser)
- PrivilegeAddUser -> privilege value: Tuple(null, newUser)
- PrivilegeRemoveUser -> privilege value: Tuple(null, newUser)
- PrivilegeModifyUser -> privilege value: Tuple(oldUser, newUser)
- NOTE: without modifying roles, only fields and properties!
- PrivilegeAddRoleToUser -> privilege value: Tuple(oldUser, roleName)
- PrivilegeRemoveRoleFromUser -> privilege value: Tuple(oldUser,
roleName)
2015-03-12 17:32:06 +01:00
|
|
|
/**
|
|
|
|
* Privilege "PrivilegeModifyUser" which is used to validate that a user can modify a specific user
|
|
|
|
*/
|
2017-10-06 16:59:22 +02:00
|
|
|
String PRIVILEGE_MODIFY_USER = "PrivilegeModifyUser";
|
2018-03-19 10:43:08 +01:00
|
|
|
|
|
|
|
/**
|
|
|
|
* Privilege "PRIVILEGE_MODIFY_USER_ROLES" which is used to validate that a user may modify the roles of a user
|
|
|
|
* user
|
|
|
|
*/
|
|
|
|
String PRIVILEGE_MODIFY_USER_ROLES = "PrivilegeModifyUserRoles";
|
|
|
|
|
[Major] removed the need for a role PrivilegeAdmin - now use privileges
- this solves the situation where a user might be allowed to add a user
with a specific role, but not change a role and other such use cases
Now there are privileges for every use case with two new
PrivilegePolicies:
- RoleAccessPrivilege
- UserAccessPrivilege
both of these policies expect a ch.eitchnet.utils.collections.Tuple as
privilege value. The Tuple is a simple wrapper for two values: first and
second. Each privilege has its own requirement on the actual values
Special privilege actions:
- PrivilegeAction -> privilege vlaue: String
- Persist (required Allow)
- Reload (required Allow)
- GetPolicies (required Allow)
Role specific privileges:
- PrivilegeGetRole -> privilege value: Tuple(null, newRole)
- PrivilegeAddRole -> privilege value: Tuple(null, newRole)
- PrivilegeRemoveRole -> privilege value: Tuple(null, newRole)
- PrivilegeModifyRole -> privilege value: Tuple(oldRole, newRole)
Use specific privileges:
- PrivilegeGetUser -> privilege value: Tuple(null, newUser)
- PrivilegeAddUser -> privilege value: Tuple(null, newUser)
- PrivilegeRemoveUser -> privilege value: Tuple(null, newUser)
- PrivilegeModifyUser -> privilege value: Tuple(oldUser, newUser)
- NOTE: without modifying roles, only fields and properties!
- PrivilegeAddRoleToUser -> privilege value: Tuple(oldUser, roleName)
- PrivilegeRemoveRoleFromUser -> privilege value: Tuple(oldUser,
roleName)
2015-03-12 17:32:06 +01:00
|
|
|
/**
|
|
|
|
* Privilege "PrivilegeAddRoleToUser" which is used to validate that a user can add a specific role to a specific
|
|
|
|
* user
|
|
|
|
*/
|
2017-10-06 16:59:22 +02:00
|
|
|
String PRIVILEGE_ADD_ROLE_TO_USER = "PrivilegeAddRoleToUser";
|
2018-03-19 10:43:08 +01:00
|
|
|
|
[Major] removed the need for a role PrivilegeAdmin - now use privileges
- this solves the situation where a user might be allowed to add a user
with a specific role, but not change a role and other such use cases
Now there are privileges for every use case with two new
PrivilegePolicies:
- RoleAccessPrivilege
- UserAccessPrivilege
both of these policies expect a ch.eitchnet.utils.collections.Tuple as
privilege value. The Tuple is a simple wrapper for two values: first and
second. Each privilege has its own requirement on the actual values
Special privilege actions:
- PrivilegeAction -> privilege vlaue: String
- Persist (required Allow)
- Reload (required Allow)
- GetPolicies (required Allow)
Role specific privileges:
- PrivilegeGetRole -> privilege value: Tuple(null, newRole)
- PrivilegeAddRole -> privilege value: Tuple(null, newRole)
- PrivilegeRemoveRole -> privilege value: Tuple(null, newRole)
- PrivilegeModifyRole -> privilege value: Tuple(oldRole, newRole)
Use specific privileges:
- PrivilegeGetUser -> privilege value: Tuple(null, newUser)
- PrivilegeAddUser -> privilege value: Tuple(null, newUser)
- PrivilegeRemoveUser -> privilege value: Tuple(null, newUser)
- PrivilegeModifyUser -> privilege value: Tuple(oldUser, newUser)
- NOTE: without modifying roles, only fields and properties!
- PrivilegeAddRoleToUser -> privilege value: Tuple(oldUser, roleName)
- PrivilegeRemoveRoleFromUser -> privilege value: Tuple(oldUser,
roleName)
2015-03-12 17:32:06 +01:00
|
|
|
/**
|
|
|
|
* Privilege "PrivilegeRemoveRoleFromUser" which is used to validate that a user can remove a specific role from a
|
|
|
|
* specific user
|
|
|
|
*/
|
2017-10-06 16:59:22 +02:00
|
|
|
String PRIVILEGE_REMOVE_ROLE_FROM_USER = "PrivilegeRemoveRoleFromUser";
|
2018-03-19 10:43:08 +01:00
|
|
|
|
2015-04-05 00:13:16 +02:00
|
|
|
/**
|
|
|
|
* Privilege "PRIVILEGE_SET_USER_LOCALE" which is used to validate that a user can set the locale of a user, or
|
|
|
|
* their own
|
|
|
|
*/
|
2017-10-06 16:59:22 +02:00
|
|
|
String PRIVILEGE_SET_USER_LOCALE = "PrivilegeSetUserLocale";
|
2018-03-19 10:43:08 +01:00
|
|
|
|
2015-04-05 00:13:16 +02:00
|
|
|
/**
|
|
|
|
* Privilege "PRIVILEGE_SET_USER_STATE" which is used to validate that a user can set the state of a user
|
|
|
|
*/
|
2017-10-06 16:59:22 +02:00
|
|
|
String PRIVILEGE_SET_USER_STATE = "PrivilegeSetUserState";
|
2018-03-19 10:43:08 +01:00
|
|
|
|
2015-04-05 00:13:16 +02:00
|
|
|
/**
|
|
|
|
* Privilege "PRIVILEGE_SET_USER_PASSWORD" which is used to validate that a user can set the password of a user, or
|
|
|
|
* their own
|
|
|
|
*/
|
2017-10-06 16:59:22 +02:00
|
|
|
String PRIVILEGE_SET_USER_PASSWORD = "PrivilegeSetUserPassword";
|
[Major] removed the need for a role PrivilegeAdmin - now use privileges
- this solves the situation where a user might be allowed to add a user
with a specific role, but not change a role and other such use cases
Now there are privileges for every use case with two new
PrivilegePolicies:
- RoleAccessPrivilege
- UserAccessPrivilege
both of these policies expect a ch.eitchnet.utils.collections.Tuple as
privilege value. The Tuple is a simple wrapper for two values: first and
second. Each privilege has its own requirement on the actual values
Special privilege actions:
- PrivilegeAction -> privilege vlaue: String
- Persist (required Allow)
- Reload (required Allow)
- GetPolicies (required Allow)
Role specific privileges:
- PrivilegeGetRole -> privilege value: Tuple(null, newRole)
- PrivilegeAddRole -> privilege value: Tuple(null, newRole)
- PrivilegeRemoveRole -> privilege value: Tuple(null, newRole)
- PrivilegeModifyRole -> privilege value: Tuple(oldRole, newRole)
Use specific privileges:
- PrivilegeGetUser -> privilege value: Tuple(null, newUser)
- PrivilegeAddUser -> privilege value: Tuple(null, newUser)
- PrivilegeRemoveUser -> privilege value: Tuple(null, newUser)
- PrivilegeModifyUser -> privilege value: Tuple(oldUser, newUser)
- NOTE: without modifying roles, only fields and properties!
- PrivilegeAddRoleToUser -> privilege value: Tuple(oldUser, roleName)
- PrivilegeRemoveRoleFromUser -> privilege value: Tuple(oldUser,
roleName)
2015-03-12 17:32:06 +01:00
|
|
|
|
2021-02-23 12:46:22 +01:00
|
|
|
/**
|
|
|
|
* Privilege "PRIVILEGE_SET_USER_PASSWORD" which is used to validate that a user can set the password of a user, or
|
|
|
|
* their own
|
|
|
|
*/
|
|
|
|
String PRIVILEGE_REQUIRE_PASSWORD_CHANGE = "RequirePasswordChange";
|
|
|
|
|
[Major] removed the need for a role PrivilegeAdmin - now use privileges
- this solves the situation where a user might be allowed to add a user
with a specific role, but not change a role and other such use cases
Now there are privileges for every use case with two new
PrivilegePolicies:
- RoleAccessPrivilege
- UserAccessPrivilege
both of these policies expect a ch.eitchnet.utils.collections.Tuple as
privilege value. The Tuple is a simple wrapper for two values: first and
second. Each privilege has its own requirement on the actual values
Special privilege actions:
- PrivilegeAction -> privilege vlaue: String
- Persist (required Allow)
- Reload (required Allow)
- GetPolicies (required Allow)
Role specific privileges:
- PrivilegeGetRole -> privilege value: Tuple(null, newRole)
- PrivilegeAddRole -> privilege value: Tuple(null, newRole)
- PrivilegeRemoveRole -> privilege value: Tuple(null, newRole)
- PrivilegeModifyRole -> privilege value: Tuple(oldRole, newRole)
Use specific privileges:
- PrivilegeGetUser -> privilege value: Tuple(null, newUser)
- PrivilegeAddUser -> privilege value: Tuple(null, newUser)
- PrivilegeRemoveUser -> privilege value: Tuple(null, newUser)
- PrivilegeModifyUser -> privilege value: Tuple(oldUser, newUser)
- NOTE: without modifying roles, only fields and properties!
- PrivilegeAddRoleToUser -> privilege value: Tuple(oldUser, roleName)
- PrivilegeRemoveRoleFromUser -> privilege value: Tuple(oldUser,
roleName)
2015-03-12 17:32:06 +01:00
|
|
|
///
|
|
|
|
|
2015-10-16 13:16:27 +02:00
|
|
|
/**
|
|
|
|
* configuration parameter to define a secret_key
|
|
|
|
*/
|
2017-10-06 16:59:22 +02:00
|
|
|
String PARAM_SECRET_KEY = "secretKey"; //$NON-NLS-1$
|
2015-10-16 13:16:27 +02:00
|
|
|
|
2020-05-11 17:48:38 +02:00
|
|
|
/**
|
|
|
|
* configuration parameter to define if session refreshing is allowed
|
|
|
|
*/
|
|
|
|
String PARAM_ALLOW_SESSION_REFRESH = "allowSessionRefresh"; //$NON-NLS-1$
|
|
|
|
|
2020-09-25 17:19:22 +02:00
|
|
|
/**
|
|
|
|
* configuration parameter to define if username is case insensitive
|
|
|
|
*/
|
|
|
|
String PARAM_CASE_INSENSITIVE_USERNAME = "caseInsensitiveUsername"; //$NON-NLS-1$
|
|
|
|
|
2015-10-16 13:16:27 +02:00
|
|
|
/**
|
|
|
|
* configuration parameter to define a secret salt
|
|
|
|
*/
|
2017-10-06 16:59:22 +02:00
|
|
|
String PARAM_SECRET_SALT = "secretSalt"; //$NON-NLS-1$
|
2015-10-16 13:16:27 +02:00
|
|
|
|
[Major] removed the need for a role PrivilegeAdmin - now use privileges
- this solves the situation where a user might be allowed to add a user
with a specific role, but not change a role and other such use cases
Now there are privileges for every use case with two new
PrivilegePolicies:
- RoleAccessPrivilege
- UserAccessPrivilege
both of these policies expect a ch.eitchnet.utils.collections.Tuple as
privilege value. The Tuple is a simple wrapper for two values: first and
second. Each privilege has its own requirement on the actual values
Special privilege actions:
- PrivilegeAction -> privilege vlaue: String
- Persist (required Allow)
- Reload (required Allow)
- GetPolicies (required Allow)
Role specific privileges:
- PrivilegeGetRole -> privilege value: Tuple(null, newRole)
- PrivilegeAddRole -> privilege value: Tuple(null, newRole)
- PrivilegeRemoveRole -> privilege value: Tuple(null, newRole)
- PrivilegeModifyRole -> privilege value: Tuple(oldRole, newRole)
Use specific privileges:
- PrivilegeGetUser -> privilege value: Tuple(null, newUser)
- PrivilegeAddUser -> privilege value: Tuple(null, newUser)
- PrivilegeRemoveUser -> privilege value: Tuple(null, newUser)
- PrivilegeModifyUser -> privilege value: Tuple(oldUser, newUser)
- NOTE: without modifying roles, only fields and properties!
- PrivilegeAddRoleToUser -> privilege value: Tuple(oldUser, roleName)
- PrivilegeRemoveRoleFromUser -> privilege value: Tuple(oldUser,
roleName)
2015-03-12 17:32:06 +01:00
|
|
|
/**
|
|
|
|
* configuration parameter to define automatic persisting on password change
|
|
|
|
*/
|
2017-10-06 16:59:22 +02:00
|
|
|
String PARAM_AUTO_PERSIST_ON_USER_CHANGES_DATA = "autoPersistOnUserChangesData"; //$NON-NLS-1$
|
2010-09-18 22:00:20 +02:00
|
|
|
|
2015-10-16 13:16:27 +02:00
|
|
|
/**
|
|
|
|
* configuration parameter to define if sessions should be persisted
|
|
|
|
*/
|
2017-10-06 16:59:22 +02:00
|
|
|
String PARAM_PERSIST_SESSIONS = "persistSessions"; //$NON-NLS-1$
|
2015-10-16 13:16:27 +02:00
|
|
|
|
|
|
|
/**
|
|
|
|
* configuration parameter to define where sessions are to be persisted
|
|
|
|
*/
|
2017-10-06 16:59:22 +02:00
|
|
|
String PARAM_PERSIST_SESSIONS_PATH = "persistSessionsPath"; //$NON-NLS-1$
|
2015-10-16 13:16:27 +02:00
|
|
|
|
2015-03-13 22:55:10 +01:00
|
|
|
/**
|
|
|
|
* configuration parameter to define {@link PrivilegeConflictResolution}
|
|
|
|
*/
|
2017-10-06 16:59:22 +02:00
|
|
|
String PARAM_PRIVILEGE_CONFLICT_RESOLUTION = "privilegeConflictResolution";
|
2015-03-13 22:55:10 +01:00
|
|
|
|
2010-09-18 22:00:20 +02:00
|
|
|
/**
|
2010-09-19 22:19:38 +02:00
|
|
|
* Returns a {@link UserRep} for the given username
|
2017-10-06 16:59:22 +02:00
|
|
|
*
|
2015-03-08 13:38:15 +01:00
|
|
|
* @param certificate
|
2017-10-06 16:59:22 +02:00
|
|
|
* the {@link Certificate} of the user which has the privilege to perform this action
|
2010-09-18 22:00:20 +02:00
|
|
|
* @param username
|
2017-10-06 16:59:22 +02:00
|
|
|
* the name of the {@link UserRep} to return
|
|
|
|
*
|
2010-09-19 22:19:38 +02:00
|
|
|
* @return the {@link UserRep} for the given username, or null if it was not found
|
2010-08-08 22:13:36 +02:00
|
|
|
*/
|
2017-10-06 16:59:22 +02:00
|
|
|
UserRep getUser(Certificate certificate, String username);
|
2010-08-08 22:13:36 +02:00
|
|
|
|
|
|
|
/**
|
2010-09-19 22:19:38 +02:00
|
|
|
* Returns a {@link RoleRep} for the given roleName
|
2017-10-06 16:59:22 +02:00
|
|
|
*
|
2015-03-08 13:38:15 +01:00
|
|
|
* @param certificate
|
2017-10-06 16:59:22 +02:00
|
|
|
* the {@link Certificate} of the user which has the privilege to perform this action
|
2010-09-18 22:00:20 +02:00
|
|
|
* @param roleName
|
2017-10-06 16:59:22 +02:00
|
|
|
* the name of the {@link RoleRep} to return
|
|
|
|
*
|
2010-09-19 22:19:38 +02:00
|
|
|
* @return the {@link RoleRep} for the given roleName, or null if it was not found
|
2010-08-08 22:13:36 +02:00
|
|
|
*/
|
2017-10-06 16:59:22 +02:00
|
|
|
RoleRep getRole(Certificate certificate, String roleName);
|
2015-03-08 13:38:15 +01:00
|
|
|
|
|
|
|
/**
|
|
|
|
* Returns the map of {@link PrivilegePolicy} definitions
|
2017-10-06 16:59:22 +02:00
|
|
|
*
|
2015-03-08 13:38:15 +01:00
|
|
|
* @param certificate
|
2017-10-06 16:59:22 +02:00
|
|
|
* the {@link Certificate} of the user which has the privilege to perform this action
|
|
|
|
*
|
2015-03-08 13:38:15 +01:00
|
|
|
* @return the map of {@link PrivilegePolicy} definitions
|
|
|
|
*/
|
2017-10-06 16:59:22 +02:00
|
|
|
Map<String, String> getPolicyDefs(Certificate certificate);
|
2015-03-08 13:38:15 +01:00
|
|
|
|
2015-10-16 13:16:27 +02:00
|
|
|
/**
|
|
|
|
* Returns the list of {@link Certificate Certificates}
|
2017-10-06 16:59:22 +02:00
|
|
|
*
|
2015-10-16 13:16:27 +02:00
|
|
|
* @param certificate
|
2017-10-06 16:59:22 +02:00
|
|
|
* the {@link Certificate} of the user which has the privilege to perform this action
|
|
|
|
*
|
2015-10-16 13:16:27 +02:00
|
|
|
* @return the list of {@link Certificate Certificates}
|
|
|
|
*/
|
2017-10-06 16:59:22 +02:00
|
|
|
List<Certificate> getCertificates(Certificate certificate);
|
2015-10-16 13:16:27 +02:00
|
|
|
|
2015-03-08 13:38:15 +01:00
|
|
|
/**
|
|
|
|
* Returns all {@link RoleRep RoleReps}
|
2017-10-06 16:59:22 +02:00
|
|
|
*
|
2015-03-08 13:38:15 +01:00
|
|
|
* @param certificate
|
2017-10-06 16:59:22 +02:00
|
|
|
* the {@link Certificate} of the user which has the privilege to perform this action
|
|
|
|
*
|
2015-03-08 13:38:15 +01:00
|
|
|
* @return the list of {@link RoleRep RoleReps}
|
|
|
|
*/
|
2017-10-06 16:59:22 +02:00
|
|
|
List<RoleRep> getRoles(Certificate certificate);
|
2015-03-08 13:38:15 +01:00
|
|
|
|
|
|
|
/**
|
|
|
|
* Returns all {@link UserRep UserReps}
|
2017-10-06 16:59:22 +02:00
|
|
|
*
|
2015-03-08 13:38:15 +01:00
|
|
|
* @param certificate
|
2017-10-06 16:59:22 +02:00
|
|
|
* the {@link Certificate} of the user which has the privilege to perform this action
|
|
|
|
*
|
2015-03-08 13:38:15 +01:00
|
|
|
* @return the list of {@link UserRep UserReps}
|
|
|
|
*/
|
2017-10-06 16:59:22 +02:00
|
|
|
List<UserRep> getUsers(Certificate certificate);
|
2010-08-08 22:13:36 +02:00
|
|
|
|
2012-07-29 18:23:31 +02:00
|
|
|
/**
|
|
|
|
* Method to query {@link UserRep} which meet the criteria set in the given {@link UserRep}. Null fields mean the
|
2015-03-08 13:38:15 +01:00
|
|
|
* fields are irrelevant.
|
2017-10-06 16:59:22 +02:00
|
|
|
*
|
2015-03-08 13:38:15 +01:00
|
|
|
* @param certificate
|
2017-10-06 16:59:22 +02:00
|
|
|
* the {@link Certificate} of the user which has the privilege to perform this action
|
2012-07-29 18:23:31 +02:00
|
|
|
* @param selectorRep
|
2017-10-06 16:59:22 +02:00
|
|
|
* the {@link UserRep} to use as criteria selection
|
|
|
|
*
|
2012-07-29 18:23:31 +02:00
|
|
|
* @return a list of {@link UserRep}s which fit the given criteria
|
|
|
|
*/
|
2017-10-06 16:59:22 +02:00
|
|
|
List<UserRep> queryUsers(Certificate certificate, UserRep selectorRep);
|
2012-07-29 18:23:31 +02:00
|
|
|
|
2010-08-08 22:13:36 +02:00
|
|
|
/**
|
2010-09-19 22:19:38 +02:00
|
|
|
* Removes the user with the given username
|
2017-10-06 16:59:22 +02:00
|
|
|
*
|
2010-09-18 22:00:20 +02:00
|
|
|
* @param certificate
|
2017-10-06 16:59:22 +02:00
|
|
|
* the {@link Certificate} of the user which has the privilege to perform this action
|
2010-08-08 22:13:36 +02:00
|
|
|
* @param username
|
2017-10-06 16:59:22 +02:00
|
|
|
* the username of the user to remove
|
|
|
|
*
|
2010-09-19 22:19:38 +02:00
|
|
|
* @return the {@link UserRep} of the user removed, or null if the user did not exist
|
2017-10-06 16:59:22 +02:00
|
|
|
*
|
2010-11-27 22:00:34 +01:00
|
|
|
* @throws AccessDeniedException
|
2017-10-06 16:59:22 +02:00
|
|
|
* if the user for this certificate may not perform the action
|
2010-11-27 22:00:34 +01:00
|
|
|
* @throws PrivilegeException
|
2017-10-06 16:59:22 +02:00
|
|
|
* if there is anything wrong with this certificate
|
2010-08-08 22:13:36 +02:00
|
|
|
*/
|
2017-10-06 16:59:22 +02:00
|
|
|
UserRep removeUser(Certificate certificate, String username) throws PrivilegeException;
|
2010-06-20 22:11:53 +02:00
|
|
|
|
2010-09-18 22:00:20 +02:00
|
|
|
/**
|
2010-09-19 22:19:38 +02:00
|
|
|
* Removes the role with the given roleName from the user with the given username
|
2017-10-06 16:59:22 +02:00
|
|
|
*
|
2010-09-18 22:00:20 +02:00
|
|
|
* @param certificate
|
2017-10-06 16:59:22 +02:00
|
|
|
* the {@link Certificate} of the user which has the privilege to perform this action
|
2010-09-18 22:00:20 +02:00
|
|
|
* @param username
|
2017-10-06 16:59:22 +02:00
|
|
|
* the username of the user from which the role is to be removed
|
2010-09-18 22:00:20 +02:00
|
|
|
* @param roleName
|
2017-10-06 16:59:22 +02:00
|
|
|
* the roleName of the role to remove from the user
|
|
|
|
*
|
2010-11-27 22:00:34 +01:00
|
|
|
* @throws AccessDeniedException
|
2017-10-06 16:59:22 +02:00
|
|
|
* if the user for this certificate may not perform the action
|
2010-11-27 22:00:34 +01:00
|
|
|
* @throws PrivilegeException
|
2017-10-06 16:59:22 +02:00
|
|
|
* if there is anything wrong with this certificate
|
2010-09-18 22:00:20 +02:00
|
|
|
*/
|
2017-10-06 16:59:22 +02:00
|
|
|
UserRep removeRoleFromUser(Certificate certificate, String username, String roleName) throws PrivilegeException;
|
2010-06-20 22:11:53 +02:00
|
|
|
|
2010-09-18 22:00:20 +02:00
|
|
|
/**
|
2010-09-19 22:19:38 +02:00
|
|
|
* Removes the role with the given roleName
|
2017-10-06 16:59:22 +02:00
|
|
|
*
|
2010-09-18 22:00:20 +02:00
|
|
|
* @param certificate
|
2017-10-06 16:59:22 +02:00
|
|
|
* the {@link Certificate} of the user which has the privilege to perform this action
|
2010-09-18 22:00:20 +02:00
|
|
|
* @param roleName
|
2017-10-06 16:59:22 +02:00
|
|
|
* the roleName of the role to remove
|
|
|
|
*
|
2010-09-19 22:19:38 +02:00
|
|
|
* @return the {@link RoleRep} of the role removed, or null if the role did not exist
|
2017-10-06 16:59:22 +02:00
|
|
|
*
|
2010-11-27 22:00:34 +01:00
|
|
|
* @throws AccessDeniedException
|
2017-10-06 16:59:22 +02:00
|
|
|
* if the user for this certificate may not perform the action
|
2010-11-27 22:00:34 +01:00
|
|
|
* @throws PrivilegeException
|
2017-10-06 16:59:22 +02:00
|
|
|
* if there is anything wrong with this certificate or the role is still in use by a user
|
2010-09-18 22:00:20 +02:00
|
|
|
*/
|
2017-10-06 16:59:22 +02:00
|
|
|
RoleRep removeRole(Certificate certificate, String roleName) throws PrivilegeException;
|
2010-06-20 22:11:53 +02:00
|
|
|
|
2010-09-18 22:00:20 +02:00
|
|
|
/**
|
2010-09-19 22:19:38 +02:00
|
|
|
* Removes the privilege with the given privilegeName from the role with the given roleName
|
2017-10-06 16:59:22 +02:00
|
|
|
*
|
2010-09-18 22:00:20 +02:00
|
|
|
* @param certificate
|
2017-10-06 16:59:22 +02:00
|
|
|
* the {@link Certificate} of the user which has the privilege to perform this action
|
2010-09-18 22:00:20 +02:00
|
|
|
* @param roleName
|
2017-10-06 16:59:22 +02:00
|
|
|
* the roleName of the role from which the privilege is to be removed
|
2010-09-18 22:00:20 +02:00
|
|
|
* @param privilegeName
|
2017-10-06 16:59:22 +02:00
|
|
|
* the privilegeName of the privilege to remove from the role
|
|
|
|
*
|
2010-11-27 22:00:34 +01:00
|
|
|
* @throws AccessDeniedException
|
2017-10-06 16:59:22 +02:00
|
|
|
* if the user for this certificate may not perform the action
|
2010-11-27 22:00:34 +01:00
|
|
|
* @throws PrivilegeException
|
2017-10-06 16:59:22 +02:00
|
|
|
* if there is anything wrong with this certificate
|
2010-09-18 22:00:20 +02:00
|
|
|
*/
|
2017-10-06 16:59:22 +02:00
|
|
|
RoleRep removePrivilegeFromRole(Certificate certificate, String roleName, String privilegeName)
|
|
|
|
throws PrivilegeException;
|
2010-06-20 22:11:53 +02:00
|
|
|
|
2010-09-18 22:00:20 +02:00
|
|
|
/**
|
2010-09-19 22:19:38 +02:00
|
|
|
* <p>
|
2015-03-08 13:38:15 +01:00
|
|
|
* Adds a new user with the information from this {@link UserRep}
|
2010-09-19 22:19:38 +02:00
|
|
|
* </p>
|
2017-10-06 16:59:22 +02:00
|
|
|
*
|
2010-09-19 22:19:38 +02:00
|
|
|
* <p>
|
|
|
|
* If the password given is null, then the user is created, but can not not login! Otherwise the password must meet
|
2023-03-14 09:18:15 +01:00
|
|
|
* the requirements of the implementation under {@link PrivilegeHandler#validatePassword(Locale, char[])}
|
2010-09-19 22:19:38 +02:00
|
|
|
* </p>
|
2017-10-06 16:59:22 +02:00
|
|
|
*
|
2010-09-18 22:00:20 +02:00
|
|
|
* @param certificate
|
2017-10-06 16:59:22 +02:00
|
|
|
* the {@link Certificate} of the user which has the privilege to perform this action
|
2010-09-18 22:00:20 +02:00
|
|
|
* @param userRep
|
2017-10-06 16:59:22 +02:00
|
|
|
* the {@link UserRep} containing the information to create the new {@link User}
|
2010-09-18 22:00:20 +02:00
|
|
|
* @param password
|
2018-10-05 09:17:12 +02:00
|
|
|
* the password of the new user. If the password is null, then this is accepted but the user can not login,
|
2023-03-14 09:18:15 +01:00
|
|
|
* otherwise the password must be validated against {@link PrivilegeHandler#validatePassword(Locale, char[])}
|
2017-10-06 16:59:22 +02:00
|
|
|
*
|
2010-11-27 22:00:34 +01:00
|
|
|
* @throws AccessDeniedException
|
2017-10-06 16:59:22 +02:00
|
|
|
* if the user for this certificate may not perform the action
|
2010-11-27 22:00:34 +01:00
|
|
|
* @throws PrivilegeException
|
2017-10-06 16:59:22 +02:00
|
|
|
* if there is anything wrong with this certificate or the user already exists
|
2010-09-18 22:00:20 +02:00
|
|
|
*/
|
2017-10-06 16:59:22 +02:00
|
|
|
UserRep addUser(Certificate certificate, UserRep userRep, char[] password) throws PrivilegeException;
|
2010-06-20 22:11:53 +02:00
|
|
|
|
2021-02-23 21:57:25 +01:00
|
|
|
/**
|
|
|
|
* Allows the bulk adding or updating of users. If the user exists, the user's history and password is kept,
|
|
|
|
* otherwise the user is created without a password
|
|
|
|
*
|
|
|
|
* @param certificate
|
|
|
|
* the {@link Certificate} of the user which has the privilege to perform this action
|
|
|
|
* @param userReps
|
|
|
|
* the list of users to add or update
|
|
|
|
*/
|
|
|
|
void addOrUpdateUsers(Certificate certificate, List<UserRep> userReps) throws PrivilegeException;
|
|
|
|
|
2010-09-18 22:00:20 +02:00
|
|
|
/**
|
2015-03-08 13:38:15 +01:00
|
|
|
* <p>
|
|
|
|
* Updates the fields for the user with the given user. All fields on the given {@link UserRep} which are non-null
|
|
|
|
* will be updated on the existing user. The username on the given {@link UserRep} must be set and correspond to an
|
|
|
|
* existing user.
|
|
|
|
* </p>
|
2023-03-14 09:18:15 +01:00
|
|
|
* <p>
|
2015-03-08 13:38:15 +01:00
|
|
|
* The following fields are considered updateable:
|
|
|
|
* <ul>
|
|
|
|
* <li>{@link UserRep#getFirstname()}</li>
|
|
|
|
* <li>{@link UserRep#getLastname()}</li>
|
|
|
|
* <li>{@link UserRep#getLocale()}</li>
|
|
|
|
* <li>{@link UserRep#getProperties()} - the existing properties will be replaced with the given properties</li>
|
|
|
|
* </ul>
|
2017-10-06 16:59:22 +02:00
|
|
|
*
|
2015-03-08 13:38:15 +01:00
|
|
|
* <p>
|
|
|
|
* Any other fields will be ignored
|
|
|
|
* </p>
|
2017-10-06 16:59:22 +02:00
|
|
|
*
|
2015-03-08 13:38:15 +01:00
|
|
|
* @param certificate
|
2017-10-06 16:59:22 +02:00
|
|
|
* the {@link Certificate} of the user which has the privilege to perform this action
|
2015-03-08 13:38:15 +01:00
|
|
|
* @param userRep
|
2017-10-06 16:59:22 +02:00
|
|
|
* the {@link UserRep} with the fields set to their new values
|
|
|
|
*
|
2015-03-08 13:38:15 +01:00
|
|
|
* @throws AccessDeniedException
|
2017-10-06 16:59:22 +02:00
|
|
|
* if the user for this certificate may not perform the action
|
2015-03-08 13:38:15 +01:00
|
|
|
* @throws PrivilegeException
|
2017-10-06 16:59:22 +02:00
|
|
|
* if there is anything wrong with this certificate or if the user does not exist
|
2015-03-08 13:38:15 +01:00
|
|
|
*/
|
2017-10-06 16:59:22 +02:00
|
|
|
UserRep updateUser(Certificate certificate, UserRep userRep) throws PrivilegeException;
|
2015-03-08 13:38:15 +01:00
|
|
|
|
|
|
|
/**
|
|
|
|
* <p>
|
|
|
|
* Replaces the existing user with the information from this {@link UserRep} if the user already exists
|
|
|
|
* </p>
|
2017-10-06 16:59:22 +02:00
|
|
|
*
|
2015-03-08 13:38:15 +01:00
|
|
|
* <p>
|
|
|
|
* If the password given is null, then the user is created, but can not not login! Otherwise the password must meet
|
2023-03-14 09:18:15 +01:00
|
|
|
* the requirements of the implementation under {@link PrivilegeHandler#validatePassword(Locale, char[])}
|
2015-03-08 13:38:15 +01:00
|
|
|
* </p>
|
2017-10-06 16:59:22 +02:00
|
|
|
*
|
2015-03-08 13:38:15 +01:00
|
|
|
* @param certificate
|
2017-10-06 16:59:22 +02:00
|
|
|
* the {@link Certificate} of the user which has the privilege to perform this action
|
2015-03-08 13:38:15 +01:00
|
|
|
* @param userRep
|
2017-10-06 16:59:22 +02:00
|
|
|
* the {@link UserRep} containing the information to replace the existing {@link User}
|
2015-03-08 13:38:15 +01:00
|
|
|
* @param password
|
2018-10-05 09:17:12 +02:00
|
|
|
* the password of the new user. If the password is null, then this is accepted but the user can not login,
|
2023-03-14 09:18:15 +01:00
|
|
|
* otherwise the password must be validated against {@link PrivilegeHandler#validatePassword(Locale, char[])}
|
2017-10-06 16:59:22 +02:00
|
|
|
*
|
2015-03-08 13:38:15 +01:00
|
|
|
* @throws AccessDeniedException
|
2017-10-06 16:59:22 +02:00
|
|
|
* if the user for this certificate may not perform the action
|
2015-03-08 13:38:15 +01:00
|
|
|
* @throws PrivilegeException
|
2017-10-06 16:59:22 +02:00
|
|
|
* if there is anything wrong with this certificate or if the user does not exist
|
2015-03-08 13:38:15 +01:00
|
|
|
*/
|
2017-10-06 16:59:22 +02:00
|
|
|
UserRep replaceUser(Certificate certificate, UserRep userRep, char[] password) throws PrivilegeException;
|
2015-03-08 13:38:15 +01:00
|
|
|
|
|
|
|
/**
|
|
|
|
* Adds a new role with the information from this {@link RoleRep}
|
2017-10-06 16:59:22 +02:00
|
|
|
*
|
2010-09-18 22:00:20 +02:00
|
|
|
* @param certificate
|
2017-10-06 16:59:22 +02:00
|
|
|
* the {@link Certificate} of the user which has the privilege to perform this action
|
2010-09-18 22:00:20 +02:00
|
|
|
* @param roleRep
|
2017-10-06 16:59:22 +02:00
|
|
|
* the {@link RoleRep} containing the information to create the new {@link Role}
|
|
|
|
*
|
2010-11-27 22:00:34 +01:00
|
|
|
* @throws AccessDeniedException
|
2017-10-06 16:59:22 +02:00
|
|
|
* if the user for this certificate may not perform the action
|
2010-11-27 22:00:34 +01:00
|
|
|
* @throws PrivilegeException
|
2017-10-06 16:59:22 +02:00
|
|
|
* if there is anything wrong with this certificate or if the role already exists
|
2010-09-18 22:00:20 +02:00
|
|
|
*/
|
2017-10-06 16:59:22 +02:00
|
|
|
RoleRep addRole(Certificate certificate, RoleRep roleRep) throws PrivilegeException;
|
2015-03-08 13:38:15 +01:00
|
|
|
|
|
|
|
/**
|
|
|
|
* Replaces the existing role with the information from this {@link RoleRep}
|
2017-10-06 16:59:22 +02:00
|
|
|
*
|
2015-03-08 13:38:15 +01:00
|
|
|
* @param certificate
|
2017-10-06 16:59:22 +02:00
|
|
|
* the {@link Certificate} of the user which has the privilege to perform this action
|
2015-03-08 13:38:15 +01:00
|
|
|
* @param roleRep
|
2017-10-06 16:59:22 +02:00
|
|
|
* the {@link RoleRep} containing the information to replace the existing {@link Role}
|
|
|
|
*
|
2015-03-08 13:38:15 +01:00
|
|
|
* @throws AccessDeniedException
|
2017-10-06 16:59:22 +02:00
|
|
|
* if the user for this certificate may not perform the action
|
2015-03-08 13:38:15 +01:00
|
|
|
* @throws PrivilegeException
|
2017-10-06 16:59:22 +02:00
|
|
|
* if there is anything wrong with this certificate or if the role does not exist
|
2015-03-08 13:38:15 +01:00
|
|
|
*/
|
2017-10-06 16:59:22 +02:00
|
|
|
RoleRep replaceRole(Certificate certificate, RoleRep roleRep) throws PrivilegeException;
|
2010-06-20 22:11:53 +02:00
|
|
|
|
2010-09-18 22:00:20 +02:00
|
|
|
/**
|
2010-09-19 22:19:38 +02:00
|
|
|
* Adds the role with the given roleName to the {@link User} with the given username
|
2017-10-06 16:59:22 +02:00
|
|
|
*
|
2010-09-18 22:00:20 +02:00
|
|
|
* @param certificate
|
2017-10-06 16:59:22 +02:00
|
|
|
* the {@link Certificate} of the user which has the privilege to perform this action
|
2010-09-18 22:00:20 +02:00
|
|
|
* @param username
|
2017-10-06 16:59:22 +02:00
|
|
|
* the username of the {@link User} to which the role should be added
|
2010-09-18 22:00:20 +02:00
|
|
|
* @param roleName
|
2017-10-06 16:59:22 +02:00
|
|
|
* the roleName of the {@link Role} which should be added to the {@link User}
|
|
|
|
*
|
2010-11-27 22:00:34 +01:00
|
|
|
* @throws AccessDeniedException
|
2017-10-06 16:59:22 +02:00
|
|
|
* if the user for this certificate may not perform the action
|
2010-11-27 22:00:34 +01:00
|
|
|
* @throws PrivilegeException
|
2017-10-06 16:59:22 +02:00
|
|
|
* if there is anything wrong with this certificate or if the role does not exist
|
2010-09-18 22:00:20 +02:00
|
|
|
*/
|
2017-10-06 16:59:22 +02:00
|
|
|
UserRep addRoleToUser(Certificate certificate, String username, String roleName) throws PrivilegeException;
|
2010-06-20 22:11:53 +02:00
|
|
|
|
2010-09-18 22:00:20 +02:00
|
|
|
/**
|
2015-03-08 13:38:15 +01:00
|
|
|
* Adds the {@link PrivilegeRep} to the {@link Role} with the given roleName or replaces it, if it already exists
|
2017-10-06 16:59:22 +02:00
|
|
|
*
|
2010-09-18 22:00:20 +02:00
|
|
|
* @param certificate
|
2017-10-06 16:59:22 +02:00
|
|
|
* the {@link Certificate} of the user which has the privilege to perform this action
|
2010-09-18 22:00:20 +02:00
|
|
|
* @param roleName
|
2017-10-06 16:59:22 +02:00
|
|
|
* the roleName of the {@link Role} to which the privilege should be added
|
2011-07-30 15:20:08 +02:00
|
|
|
* @param privilegeRep
|
2017-10-06 16:59:22 +02:00
|
|
|
* the representation of the {@link IPrivilege} which should be added or replaced on the {@link Role}
|
|
|
|
*
|
2010-11-27 22:00:34 +01:00
|
|
|
* @throws AccessDeniedException
|
2017-10-06 16:59:22 +02:00
|
|
|
* if the user for this certificate may not perform the action
|
2010-11-27 22:00:34 +01:00
|
|
|
* @throws PrivilegeException
|
2017-10-06 16:59:22 +02:00
|
|
|
* if there is anything wrong with this certificate or the role does not exist
|
2010-09-18 22:00:20 +02:00
|
|
|
*/
|
2017-10-06 16:59:22 +02:00
|
|
|
RoleRep addOrReplacePrivilegeOnRole(Certificate certificate, String roleName, PrivilegeRep privilegeRep)
|
|
|
|
throws PrivilegeException;
|
2010-06-20 22:11:53 +02:00
|
|
|
|
2010-09-18 22:00:20 +02:00
|
|
|
/**
|
2011-08-07 16:13:23 +02:00
|
|
|
* <p>
|
2010-09-19 22:19:38 +02:00
|
|
|
* Changes the password for the {@link User} with the given username. If the password is null, then the {@link User}
|
2023-03-14 09:18:15 +01:00
|
|
|
* can not login anymore. Otherwise the password must meet the requirements of the implementation under
|
|
|
|
* {@link PrivilegeHandler#validatePassword(Locale, char[])}
|
2011-08-07 16:13:23 +02:00
|
|
|
* </p>
|
2017-10-06 16:59:22 +02:00
|
|
|
*
|
2011-08-07 16:13:23 +02:00
|
|
|
* <p>
|
|
|
|
* It should be possible for a user to change their own password
|
|
|
|
* </p>
|
2017-10-06 16:59:22 +02:00
|
|
|
*
|
2010-09-18 22:00:20 +02:00
|
|
|
* @param certificate
|
2017-10-06 16:59:22 +02:00
|
|
|
* the {@link Certificate} of the user which has the privilege to perform this action
|
2010-09-18 22:00:20 +02:00
|
|
|
* @param username
|
2017-10-06 16:59:22 +02:00
|
|
|
* the username of the {@link User} for which the password is to be changed
|
2010-09-18 22:00:20 +02:00
|
|
|
* @param password
|
2018-10-05 09:17:12 +02:00
|
|
|
* the new password for this user. If the password is null, then the {@link User} can not login anymore. Otherwise
|
2023-03-14 09:18:15 +01:00
|
|
|
* the password must meet the requirements of the implementation under
|
|
|
|
* {@link PrivilegeHandler#validatePassword(Locale, char[])}
|
2017-10-06 16:59:22 +02:00
|
|
|
*
|
2010-11-27 22:00:34 +01:00
|
|
|
* @throws AccessDeniedException
|
2017-10-06 16:59:22 +02:00
|
|
|
* if the user for this certificate may not perform the action
|
2010-11-27 22:00:34 +01:00
|
|
|
* @throws PrivilegeException
|
2017-10-06 16:59:22 +02:00
|
|
|
* if there is anything wrong with this certificate
|
2010-09-18 22:00:20 +02:00
|
|
|
*/
|
2017-10-06 16:59:22 +02:00
|
|
|
void setUserPassword(Certificate certificate, String username, char[] password) throws PrivilegeException;
|
2010-06-20 22:11:53 +02:00
|
|
|
|
2021-02-23 12:46:22 +01:00
|
|
|
/**
|
|
|
|
* <p>
|
|
|
|
* Requires the given user to change their password after next login
|
|
|
|
* </p>
|
|
|
|
*
|
|
|
|
* @param certificate
|
|
|
|
* the {@link Certificate} of the user which has the privilege to perform this action
|
|
|
|
* @param username
|
|
|
|
* the username of the {@link User} for which the password change is requested
|
|
|
|
*
|
|
|
|
* @throws AccessDeniedException
|
|
|
|
* if the user for this certificate may not perform the action
|
|
|
|
* @throws PrivilegeException
|
|
|
|
* if there is anything wrong with this certificate
|
|
|
|
*/
|
|
|
|
void requirePasswordChange(Certificate certificate, String username) throws PrivilegeException;
|
|
|
|
|
2010-09-18 22:00:20 +02:00
|
|
|
/**
|
2010-11-27 22:00:34 +01:00
|
|
|
* Changes the {@link UserState} of the user
|
2017-10-06 16:59:22 +02:00
|
|
|
*
|
2010-09-18 22:00:20 +02:00
|
|
|
* @param certificate
|
2017-10-06 16:59:22 +02:00
|
|
|
* the {@link Certificate} of the user which has the privilege to perform this action
|
2010-09-18 22:00:20 +02:00
|
|
|
* @param username
|
2017-10-06 16:59:22 +02:00
|
|
|
* the username of the {@link User} for which the {@link UserState} is to be changed
|
2010-09-18 22:00:20 +02:00
|
|
|
* @param state
|
2017-10-06 16:59:22 +02:00
|
|
|
* the new state for the user
|
|
|
|
*
|
2010-11-27 22:00:34 +01:00
|
|
|
* @throws AccessDeniedException
|
2017-10-06 16:59:22 +02:00
|
|
|
* if the user for this certificate may not perform the action
|
2010-11-27 22:00:34 +01:00
|
|
|
* @throws PrivilegeException
|
2017-10-06 16:59:22 +02:00
|
|
|
* if there is anything wrong with this certificate
|
2010-09-18 22:00:20 +02:00
|
|
|
*/
|
2017-10-06 16:59:22 +02:00
|
|
|
UserRep setUserState(Certificate certificate, String username, UserState state) throws PrivilegeException;
|
2010-06-20 22:11:53 +02:00
|
|
|
|
2010-09-18 22:00:20 +02:00
|
|
|
/**
|
2010-11-27 22:00:34 +01:00
|
|
|
* Changes the {@link Locale} of the user
|
2017-10-06 16:59:22 +02:00
|
|
|
*
|
2010-09-18 22:00:20 +02:00
|
|
|
* @param certificate
|
2017-10-06 16:59:22 +02:00
|
|
|
* the {@link Certificate} of the user which has the privilege to perform this action
|
2010-09-18 22:00:20 +02:00
|
|
|
* @param username
|
2017-10-06 16:59:22 +02:00
|
|
|
* the username of the {@link User} for which the {@link Locale} is to be changed
|
2010-09-18 22:00:20 +02:00
|
|
|
* @param locale
|
2017-10-06 16:59:22 +02:00
|
|
|
* the new {@link Locale} for the user
|
|
|
|
*
|
2010-11-27 22:00:34 +01:00
|
|
|
* @throws AccessDeniedException
|
2017-10-06 16:59:22 +02:00
|
|
|
* if the user for this certificate may not perform the action
|
2010-11-27 22:00:34 +01:00
|
|
|
* @throws PrivilegeException
|
2017-10-06 16:59:22 +02:00
|
|
|
* if there is anything wrong with this certificate
|
2010-09-18 22:00:20 +02:00
|
|
|
*/
|
2017-10-06 16:59:22 +02:00
|
|
|
UserRep setUserLocale(Certificate certificate, String username, Locale locale) throws PrivilegeException;
|
2010-06-20 22:11:53 +02:00
|
|
|
|
2016-09-07 14:41:16 +02:00
|
|
|
/**
|
|
|
|
* Initiate a password reset challenge for the given username
|
2017-10-06 16:59:22 +02:00
|
|
|
*
|
2016-09-07 14:41:16 +02:00
|
|
|
* @param usage
|
2017-10-06 16:59:22 +02:00
|
|
|
* the usage for which the challenge is requested
|
2016-09-07 14:41:16 +02:00
|
|
|
* @param username
|
2017-10-06 16:59:22 +02:00
|
|
|
* the username of the user to initiate the challenge for
|
2016-09-07 14:41:16 +02:00
|
|
|
*/
|
2017-10-06 16:59:22 +02:00
|
|
|
void initiateChallengeFor(Usage usage, String username);
|
2016-09-07 14:41:16 +02:00
|
|
|
|
2019-03-09 19:38:30 +01:00
|
|
|
/**
|
|
|
|
* Initiate a password reset challenge for the given username
|
|
|
|
*
|
|
|
|
* @param usage
|
|
|
|
* the usage for which the challenge is requested
|
|
|
|
* @param username
|
|
|
|
* the username of the user to initiate the challenge for
|
|
|
|
* @param source
|
|
|
|
* the source of the challenge
|
|
|
|
*/
|
|
|
|
void initiateChallengeFor(Usage usage, String username, String source);
|
|
|
|
|
2016-09-07 14:41:16 +02:00
|
|
|
/**
|
|
|
|
* Validate the response of a challenge for the given username
|
2017-10-06 16:59:22 +02:00
|
|
|
*
|
2016-09-07 14:41:16 +02:00
|
|
|
* @param username
|
2017-10-06 16:59:22 +02:00
|
|
|
* the username of the user for which the challenge is to be validated
|
2016-09-07 14:41:16 +02:00
|
|
|
* @param challenge
|
2017-10-06 16:59:22 +02:00
|
|
|
* the challenge from the user
|
|
|
|
*
|
2016-09-07 14:41:16 +02:00
|
|
|
* @return certificate with which the user can access the system with the {@link Usage} set to the value from the
|
2017-10-06 16:59:22 +02:00
|
|
|
* initiated challenge
|
|
|
|
*
|
2016-09-07 14:41:16 +02:00
|
|
|
* @throws PrivilegeException
|
2017-10-06 16:59:22 +02:00
|
|
|
* if anything goes wrong
|
2016-09-07 14:41:16 +02:00
|
|
|
*/
|
2017-10-06 16:59:22 +02:00
|
|
|
Certificate validateChallenge(String username, String challenge) throws PrivilegeException;
|
2016-09-07 14:41:16 +02:00
|
|
|
|
2019-03-09 19:38:30 +01:00
|
|
|
/**
|
|
|
|
* Validate the response of a challenge for the given username
|
|
|
|
*
|
|
|
|
* @param username
|
|
|
|
* the username of the user for which the challenge is to be validated
|
|
|
|
* @param challenge
|
|
|
|
* the challenge from the user
|
|
|
|
* @param source
|
|
|
|
* the source of the challenge validation
|
|
|
|
*
|
|
|
|
* @return certificate with which the user can access the system with the {@link Usage} set to the value from the
|
|
|
|
* initiated challenge
|
|
|
|
*
|
|
|
|
* @throws PrivilegeException
|
|
|
|
* if anything goes wrong
|
|
|
|
*/
|
|
|
|
Certificate validateChallenge(String username, String challenge, String source) throws PrivilegeException;
|
|
|
|
|
2010-09-18 22:00:20 +02:00
|
|
|
/**
|
2010-11-27 22:00:34 +01:00
|
|
|
* Authenticates a user by validating that a {@link User} for the given username and password exist and then returns
|
|
|
|
* a {@link Certificate} with which this user may then perform actions
|
2017-10-06 16:59:22 +02:00
|
|
|
*
|
2010-09-18 22:00:20 +02:00
|
|
|
* @param username
|
2017-10-06 16:59:22 +02:00
|
|
|
* the username of the {@link User} which is registered in the {@link PersistenceHandler}
|
2010-09-18 22:00:20 +02:00
|
|
|
* @param password
|
2018-10-05 09:17:12 +02:00
|
|
|
* the password with which this user is to be authenticated. Null passwords are not accepted and they must meet
|
2023-03-14 09:18:15 +01:00
|
|
|
* the requirements of the {@link #validatePassword(Locale, char[])}-method
|
2020-05-11 17:48:38 +02:00
|
|
|
* @param keepAlive
|
|
|
|
* should this session be kept alive
|
2017-10-06 16:59:22 +02:00
|
|
|
*
|
2010-11-27 22:00:34 +01:00
|
|
|
* @return a {@link Certificate} with which this user may then perform actions
|
2017-10-06 16:59:22 +02:00
|
|
|
*
|
2010-09-18 22:00:20 +02:00
|
|
|
* @throws AccessDeniedException
|
2017-10-06 16:59:22 +02:00
|
|
|
* if the user credentials are not valid
|
2010-09-18 22:00:20 +02:00
|
|
|
*/
|
2020-05-11 17:48:38 +02:00
|
|
|
Certificate authenticate(String username, char[] password, boolean keepAlive) throws AccessDeniedException;
|
2017-10-06 16:59:22 +02:00
|
|
|
|
2019-03-09 19:38:30 +01:00
|
|
|
/**
|
|
|
|
* Authenticates a user by validating that a {@link User} for the given username and password exist and then returns
|
|
|
|
* a {@link Certificate} with which this user may then perform actions
|
|
|
|
*
|
|
|
|
* @param username
|
|
|
|
* the username of the {@link User} which is registered in the {@link PersistenceHandler}
|
|
|
|
* @param password
|
|
|
|
* the password with which this user is to be authenticated. Null passwords are not accepted and they must meet
|
2023-03-14 09:18:15 +01:00
|
|
|
* the requirements of the {@link #validatePassword(Locale, char[])}-method
|
2019-03-09 19:38:30 +01:00
|
|
|
* @param source
|
|
|
|
* the source of the authentication request, i.e. remote IP
|
2020-04-23 10:06:30 +02:00
|
|
|
* @param usage
|
|
|
|
* the usage type for this authentication
|
2020-05-11 17:48:38 +02:00
|
|
|
* @param keepAlive
|
|
|
|
* should this session be kept alive
|
2019-03-09 19:38:30 +01:00
|
|
|
*
|
|
|
|
* @return a {@link Certificate} with which this user may then perform actions
|
|
|
|
*
|
|
|
|
* @throws AccessDeniedException
|
|
|
|
* if the user credentials are not valid
|
|
|
|
*/
|
2020-05-11 17:48:38 +02:00
|
|
|
Certificate authenticate(String username, char[] password, String source, Usage usage, boolean keepAlive)
|
|
|
|
throws AccessDeniedException;
|
2019-03-09 19:38:30 +01:00
|
|
|
|
2017-10-06 16:59:22 +02:00
|
|
|
/**
|
|
|
|
* Authenticates a user on a remote Single Sign On service. This is implemented by the
|
|
|
|
*
|
|
|
|
* @param data
|
|
|
|
* the data to perform the SSO
|
2020-05-11 17:48:38 +02:00
|
|
|
* @param keepAlive
|
|
|
|
* should this session be kept alive
|
2017-10-06 16:59:22 +02:00
|
|
|
*
|
|
|
|
* @return the {@link Certificate} for the user
|
|
|
|
*
|
|
|
|
* @throws PrivilegeException
|
|
|
|
* if something goes wrong with the SSO
|
|
|
|
*/
|
2020-05-11 17:48:38 +02:00
|
|
|
Certificate authenticateSingleSignOn(Object data, boolean keepAlive) throws PrivilegeException;
|
2010-08-08 22:13:36 +02:00
|
|
|
|
2019-03-09 19:38:30 +01:00
|
|
|
/**
|
|
|
|
* Authenticates a user on a remote Single Sign On service. This is implemented by the
|
|
|
|
*
|
|
|
|
* @param data
|
|
|
|
* the data to perform the SSO
|
|
|
|
* @param source
|
|
|
|
* the source of the SSO authentication
|
2020-05-11 17:48:38 +02:00
|
|
|
* @param keepAlive
|
|
|
|
* may the certificate be kept alive
|
2019-03-09 19:38:30 +01:00
|
|
|
*
|
|
|
|
* @return the {@link Certificate} for the user
|
|
|
|
*
|
|
|
|
* @throws PrivilegeException
|
|
|
|
* if something goes wrong with the SSO
|
|
|
|
*/
|
2020-05-11 17:48:38 +02:00
|
|
|
Certificate authenticateSingleSignOn(Object data, String source, boolean keepAlive) throws PrivilegeException;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Refreshes the given certificate's session with a new session, i.e. a new certificate
|
|
|
|
*
|
|
|
|
* @param certificate
|
|
|
|
* the certificate for which to perform a refresh
|
|
|
|
* @param source
|
|
|
|
* the source of the refresh request
|
|
|
|
*
|
|
|
|
* @return a {@link Certificate} with which this user may then perform actions
|
|
|
|
*
|
|
|
|
* @throws AccessDeniedException
|
|
|
|
* if the certificate is now valid, or refreshing is not allowed
|
|
|
|
*/
|
|
|
|
Certificate refresh(Certificate certificate, String source) throws AccessDeniedException;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Return true if refreshing sessions is allowed
|
|
|
|
*
|
|
|
|
* @return true if refreshing sessions is allowed
|
|
|
|
*/
|
|
|
|
boolean isRefreshAllowed();
|
2019-03-09 19:38:30 +01:00
|
|
|
|
2021-05-17 21:40:46 +02:00
|
|
|
/**
|
|
|
|
* Returns true if persisting on user data changed enabled
|
|
|
|
*
|
|
|
|
* @return true persisting on user data changed enabled
|
|
|
|
*/
|
|
|
|
boolean isPersistOnUserDataChanged();
|
|
|
|
|
2011-07-27 22:15:47 +02:00
|
|
|
/**
|
2013-04-09 07:33:32 +02:00
|
|
|
* Invalidates the session for the given {@link Certificate}, effectively logging out the user who was authenticated
|
|
|
|
* with the credentials associated to the given {@link Certificate}
|
2017-10-06 16:59:22 +02:00
|
|
|
*
|
2011-07-27 22:15:47 +02:00
|
|
|
* @param certificate
|
2017-10-06 16:59:22 +02:00
|
|
|
* the {@link Certificate} for which the session is to be invalidated
|
|
|
|
*
|
2013-04-09 07:33:32 +02:00
|
|
|
* @return true if the session was still valid and is now invalidated, false otherwise
|
2011-07-27 22:15:47 +02:00
|
|
|
*/
|
2017-10-06 16:59:22 +02:00
|
|
|
boolean invalidate(Certificate certificate);
|
2011-07-27 22:15:47 +02:00
|
|
|
|
2010-09-18 22:00:20 +02:00
|
|
|
/**
|
2013-04-09 07:33:32 +02:00
|
|
|
* Checks if the given {@link Certificate} is valid. This means that the certificate is for a valid session and that
|
|
|
|
* the user exists for the certificate. This method checks if the {@link Certificate} has been tampered with
|
2023-03-14 09:18:15 +01:00
|
|
|
* <p>
|
2013-04-09 07:33:32 +02:00
|
|
|
* Returns the {@link PrivilegeContext} for the given {@link Certificate}. The {@link PrivilegeContext} is an
|
|
|
|
* encapsulated state of a user's privileges so that for the duration of a user's call, the user can perform their
|
|
|
|
* actions and do not need to access the {@link PrivilegeHandler} anymore
|
2017-10-06 16:59:22 +02:00
|
|
|
*
|
2010-09-18 22:00:20 +02:00
|
|
|
* @param certificate
|
2017-10-06 16:59:22 +02:00
|
|
|
* the {@link Certificate} to check
|
|
|
|
*
|
2013-04-09 07:33:32 +02:00
|
|
|
* @return the {@link PrivilegeContext} for the given {@link Certificate}
|
2017-10-06 16:59:22 +02:00
|
|
|
*
|
2010-09-18 22:00:20 +02:00
|
|
|
* @throws PrivilegeException
|
2017-10-06 16:59:22 +02:00
|
|
|
* if there is anything wrong with this certificate
|
2017-07-26 15:15:20 +02:00
|
|
|
* @throws NotAuthenticatedException
|
2017-10-06 16:59:22 +02:00
|
|
|
* if the certificate has expired
|
2010-09-18 22:00:20 +02:00
|
|
|
*/
|
2017-10-06 16:59:22 +02:00
|
|
|
PrivilegeContext validate(Certificate certificate) throws PrivilegeException;
|
2010-09-18 22:00:20 +02:00
|
|
|
|
2019-09-25 11:11:46 +02:00
|
|
|
/**
|
|
|
|
* Checks if the given {@link PrivilegeContext} is valid. This means that the privilege context is for a valid
|
|
|
|
* system user session and that the user exists for the certificate. This method checks if the {@link Certificate}
|
|
|
|
* has been tampered with
|
|
|
|
*
|
|
|
|
* @param ctx
|
|
|
|
* the {@link PrivilegeContext} to check
|
|
|
|
*
|
|
|
|
* @throws PrivilegeException
|
|
|
|
* if there is anything wrong with this privilege context
|
|
|
|
* @throws NotAuthenticatedException
|
|
|
|
* if the privilege context has expired
|
|
|
|
*/
|
|
|
|
void validateSystemSession(PrivilegeContext ctx) throws PrivilegeException;
|
|
|
|
|
2019-03-09 19:38:30 +01:00
|
|
|
/**
|
|
|
|
* Checks if the given {@link Certificate} is valid. This means that the certificate is for a valid session and that
|
|
|
|
* the user exists for the certificate. This method checks if the {@link Certificate} has been tampered with
|
2023-03-14 09:18:15 +01:00
|
|
|
* <p>
|
2019-03-09 19:38:30 +01:00
|
|
|
* Returns the {@link PrivilegeContext} for the given {@link Certificate}. The {@link PrivilegeContext} is an
|
|
|
|
* encapsulated state of a user's privileges so that for the duration of a user's call, the user can perform their
|
|
|
|
* actions and do not need to access the {@link PrivilegeHandler} anymore
|
|
|
|
*
|
|
|
|
* @param certificate
|
|
|
|
* the {@link Certificate} to check
|
|
|
|
* @param source
|
|
|
|
* the source, e.g. remote IP for this validation request
|
|
|
|
*
|
|
|
|
* @return the {@link PrivilegeContext} for the given {@link Certificate}
|
|
|
|
*
|
|
|
|
* @throws PrivilegeException
|
|
|
|
* if there is anything wrong with this certificate
|
|
|
|
* @throws NotAuthenticatedException
|
|
|
|
* if the certificate has expired
|
|
|
|
*/
|
|
|
|
PrivilegeContext validate(Certificate certificate, String source) throws PrivilegeException;
|
|
|
|
|
2010-09-18 22:00:20 +02:00
|
|
|
/**
|
2021-02-22 23:11:15 +01:00
|
|
|
* @see li.strolch.privilege.handler.PasswordStrengthHandler#validateStrength(char[])
|
2010-09-18 22:00:20 +02:00
|
|
|
*/
|
2023-03-14 09:18:15 +01:00
|
|
|
void validatePassword(Locale locale, char[] password) throws PasswordStrengthException;
|
2010-09-18 22:00:20 +02:00
|
|
|
|
[Major] removed the need for a role PrivilegeAdmin - now use privileges
- this solves the situation where a user might be allowed to add a user
with a specific role, but not change a role and other such use cases
Now there are privileges for every use case with two new
PrivilegePolicies:
- RoleAccessPrivilege
- UserAccessPrivilege
both of these policies expect a ch.eitchnet.utils.collections.Tuple as
privilege value. The Tuple is a simple wrapper for two values: first and
second. Each privilege has its own requirement on the actual values
Special privilege actions:
- PrivilegeAction -> privilege vlaue: String
- Persist (required Allow)
- Reload (required Allow)
- GetPolicies (required Allow)
Role specific privileges:
- PrivilegeGetRole -> privilege value: Tuple(null, newRole)
- PrivilegeAddRole -> privilege value: Tuple(null, newRole)
- PrivilegeRemoveRole -> privilege value: Tuple(null, newRole)
- PrivilegeModifyRole -> privilege value: Tuple(oldRole, newRole)
Use specific privileges:
- PrivilegeGetUser -> privilege value: Tuple(null, newUser)
- PrivilegeAddUser -> privilege value: Tuple(null, newUser)
- PrivilegeRemoveUser -> privilege value: Tuple(null, newUser)
- PrivilegeModifyUser -> privilege value: Tuple(oldUser, newUser)
- NOTE: without modifying roles, only fields and properties!
- PrivilegeAddRoleToUser -> privilege value: Tuple(oldUser, roleName)
- PrivilegeRemoveRoleFromUser -> privilege value: Tuple(oldUser,
roleName)
2015-03-12 17:32:06 +01:00
|
|
|
/**
|
|
|
|
* <p>
|
|
|
|
* Informs this {@link PersistenceHandler} to reload the data from the backend
|
|
|
|
* </p>
|
2017-10-06 16:59:22 +02:00
|
|
|
*
|
[Major] removed the need for a role PrivilegeAdmin - now use privileges
- this solves the situation where a user might be allowed to add a user
with a specific role, but not change a role and other such use cases
Now there are privileges for every use case with two new
PrivilegePolicies:
- RoleAccessPrivilege
- UserAccessPrivilege
both of these policies expect a ch.eitchnet.utils.collections.Tuple as
privilege value. The Tuple is a simple wrapper for two values: first and
second. Each privilege has its own requirement on the actual values
Special privilege actions:
- PrivilegeAction -> privilege vlaue: String
- Persist (required Allow)
- Reload (required Allow)
- GetPolicies (required Allow)
Role specific privileges:
- PrivilegeGetRole -> privilege value: Tuple(null, newRole)
- PrivilegeAddRole -> privilege value: Tuple(null, newRole)
- PrivilegeRemoveRole -> privilege value: Tuple(null, newRole)
- PrivilegeModifyRole -> privilege value: Tuple(oldRole, newRole)
Use specific privileges:
- PrivilegeGetUser -> privilege value: Tuple(null, newUser)
- PrivilegeAddUser -> privilege value: Tuple(null, newUser)
- PrivilegeRemoveUser -> privilege value: Tuple(null, newUser)
- PrivilegeModifyUser -> privilege value: Tuple(oldUser, newUser)
- NOTE: without modifying roles, only fields and properties!
- PrivilegeAddRoleToUser -> privilege value: Tuple(oldUser, roleName)
- PrivilegeRemoveRoleFromUser -> privilege value: Tuple(oldUser,
roleName)
2015-03-12 17:32:06 +01:00
|
|
|
* <b>Note:</b> It depends on the underlying {@link PersistenceHandler} implementation if data really is read
|
2017-10-06 16:59:22 +02:00
|
|
|
*
|
[Major] removed the need for a role PrivilegeAdmin - now use privileges
- this solves the situation where a user might be allowed to add a user
with a specific role, but not change a role and other such use cases
Now there are privileges for every use case with two new
PrivilegePolicies:
- RoleAccessPrivilege
- UserAccessPrivilege
both of these policies expect a ch.eitchnet.utils.collections.Tuple as
privilege value. The Tuple is a simple wrapper for two values: first and
second. Each privilege has its own requirement on the actual values
Special privilege actions:
- PrivilegeAction -> privilege vlaue: String
- Persist (required Allow)
- Reload (required Allow)
- GetPolicies (required Allow)
Role specific privileges:
- PrivilegeGetRole -> privilege value: Tuple(null, newRole)
- PrivilegeAddRole -> privilege value: Tuple(null, newRole)
- PrivilegeRemoveRole -> privilege value: Tuple(null, newRole)
- PrivilegeModifyRole -> privilege value: Tuple(oldRole, newRole)
Use specific privileges:
- PrivilegeGetUser -> privilege value: Tuple(null, newUser)
- PrivilegeAddUser -> privilege value: Tuple(null, newUser)
- PrivilegeRemoveUser -> privilege value: Tuple(null, newUser)
- PrivilegeModifyUser -> privilege value: Tuple(oldUser, newUser)
- NOTE: without modifying roles, only fields and properties!
- PrivilegeAddRoleToUser -> privilege value: Tuple(oldUser, roleName)
- PrivilegeRemoveRoleFromUser -> privilege value: Tuple(oldUser,
roleName)
2015-03-12 17:32:06 +01:00
|
|
|
* @param certificate
|
2017-10-06 16:59:22 +02:00
|
|
|
* the {@link Certificate} of the user which has the privilege to perform this action
|
2019-03-09 19:38:30 +01:00
|
|
|
* @param source
|
|
|
|
* the source of the request
|
2017-10-06 16:59:22 +02:00
|
|
|
*
|
[Major] removed the need for a role PrivilegeAdmin - now use privileges
- this solves the situation where a user might be allowed to add a user
with a specific role, but not change a role and other such use cases
Now there are privileges for every use case with two new
PrivilegePolicies:
- RoleAccessPrivilege
- UserAccessPrivilege
both of these policies expect a ch.eitchnet.utils.collections.Tuple as
privilege value. The Tuple is a simple wrapper for two values: first and
second. Each privilege has its own requirement on the actual values
Special privilege actions:
- PrivilegeAction -> privilege vlaue: String
- Persist (required Allow)
- Reload (required Allow)
- GetPolicies (required Allow)
Role specific privileges:
- PrivilegeGetRole -> privilege value: Tuple(null, newRole)
- PrivilegeAddRole -> privilege value: Tuple(null, newRole)
- PrivilegeRemoveRole -> privilege value: Tuple(null, newRole)
- PrivilegeModifyRole -> privilege value: Tuple(oldRole, newRole)
Use specific privileges:
- PrivilegeGetUser -> privilege value: Tuple(null, newUser)
- PrivilegeAddUser -> privilege value: Tuple(null, newUser)
- PrivilegeRemoveUser -> privilege value: Tuple(null, newUser)
- PrivilegeModifyUser -> privilege value: Tuple(oldUser, newUser)
- NOTE: without modifying roles, only fields and properties!
- PrivilegeAddRoleToUser -> privilege value: Tuple(oldUser, roleName)
- PrivilegeRemoveRoleFromUser -> privilege value: Tuple(oldUser,
roleName)
2015-03-12 17:32:06 +01:00
|
|
|
* @return true if the reload was successful, false if something went wrong
|
2017-10-06 16:59:22 +02:00
|
|
|
*
|
[Major] removed the need for a role PrivilegeAdmin - now use privileges
- this solves the situation where a user might be allowed to add a user
with a specific role, but not change a role and other such use cases
Now there are privileges for every use case with two new
PrivilegePolicies:
- RoleAccessPrivilege
- UserAccessPrivilege
both of these policies expect a ch.eitchnet.utils.collections.Tuple as
privilege value. The Tuple is a simple wrapper for two values: first and
second. Each privilege has its own requirement on the actual values
Special privilege actions:
- PrivilegeAction -> privilege vlaue: String
- Persist (required Allow)
- Reload (required Allow)
- GetPolicies (required Allow)
Role specific privileges:
- PrivilegeGetRole -> privilege value: Tuple(null, newRole)
- PrivilegeAddRole -> privilege value: Tuple(null, newRole)
- PrivilegeRemoveRole -> privilege value: Tuple(null, newRole)
- PrivilegeModifyRole -> privilege value: Tuple(oldRole, newRole)
Use specific privileges:
- PrivilegeGetUser -> privilege value: Tuple(null, newUser)
- PrivilegeAddUser -> privilege value: Tuple(null, newUser)
- PrivilegeRemoveUser -> privilege value: Tuple(null, newUser)
- PrivilegeModifyUser -> privilege value: Tuple(oldUser, newUser)
- NOTE: without modifying roles, only fields and properties!
- PrivilegeAddRoleToUser -> privilege value: Tuple(oldUser, roleName)
- PrivilegeRemoveRoleFromUser -> privilege value: Tuple(oldUser,
roleName)
2015-03-12 17:32:06 +01:00
|
|
|
* @throws AccessDeniedException
|
2017-10-06 16:59:22 +02:00
|
|
|
* if the users of the given certificate does not have the privilege to perform this action
|
[Major] removed the need for a role PrivilegeAdmin - now use privileges
- this solves the situation where a user might be allowed to add a user
with a specific role, but not change a role and other such use cases
Now there are privileges for every use case with two new
PrivilegePolicies:
- RoleAccessPrivilege
- UserAccessPrivilege
both of these policies expect a ch.eitchnet.utils.collections.Tuple as
privilege value. The Tuple is a simple wrapper for two values: first and
second. Each privilege has its own requirement on the actual values
Special privilege actions:
- PrivilegeAction -> privilege vlaue: String
- Persist (required Allow)
- Reload (required Allow)
- GetPolicies (required Allow)
Role specific privileges:
- PrivilegeGetRole -> privilege value: Tuple(null, newRole)
- PrivilegeAddRole -> privilege value: Tuple(null, newRole)
- PrivilegeRemoveRole -> privilege value: Tuple(null, newRole)
- PrivilegeModifyRole -> privilege value: Tuple(oldRole, newRole)
Use specific privileges:
- PrivilegeGetUser -> privilege value: Tuple(null, newUser)
- PrivilegeAddUser -> privilege value: Tuple(null, newUser)
- PrivilegeRemoveUser -> privilege value: Tuple(null, newUser)
- PrivilegeModifyUser -> privilege value: Tuple(oldUser, newUser)
- NOTE: without modifying roles, only fields and properties!
- PrivilegeAddRoleToUser -> privilege value: Tuple(oldUser, roleName)
- PrivilegeRemoveRoleFromUser -> privilege value: Tuple(oldUser,
roleName)
2015-03-12 17:32:06 +01:00
|
|
|
*/
|
2019-03-09 19:38:30 +01:00
|
|
|
boolean reload(Certificate certificate, String source);
|
[Major] removed the need for a role PrivilegeAdmin - now use privileges
- this solves the situation where a user might be allowed to add a user
with a specific role, but not change a role and other such use cases
Now there are privileges for every use case with two new
PrivilegePolicies:
- RoleAccessPrivilege
- UserAccessPrivilege
both of these policies expect a ch.eitchnet.utils.collections.Tuple as
privilege value. The Tuple is a simple wrapper for two values: first and
second. Each privilege has its own requirement on the actual values
Special privilege actions:
- PrivilegeAction -> privilege vlaue: String
- Persist (required Allow)
- Reload (required Allow)
- GetPolicies (required Allow)
Role specific privileges:
- PrivilegeGetRole -> privilege value: Tuple(null, newRole)
- PrivilegeAddRole -> privilege value: Tuple(null, newRole)
- PrivilegeRemoveRole -> privilege value: Tuple(null, newRole)
- PrivilegeModifyRole -> privilege value: Tuple(oldRole, newRole)
Use specific privileges:
- PrivilegeGetUser -> privilege value: Tuple(null, newUser)
- PrivilegeAddUser -> privilege value: Tuple(null, newUser)
- PrivilegeRemoveUser -> privilege value: Tuple(null, newUser)
- PrivilegeModifyUser -> privilege value: Tuple(oldUser, newUser)
- NOTE: without modifying roles, only fields and properties!
- PrivilegeAddRoleToUser -> privilege value: Tuple(oldUser, roleName)
- PrivilegeRemoveRoleFromUser -> privilege value: Tuple(oldUser,
roleName)
2015-03-12 17:32:06 +01:00
|
|
|
|
2010-09-18 22:00:20 +02:00
|
|
|
/**
|
2010-11-27 22:00:34 +01:00
|
|
|
* Persists any changes to the privilege data model. Changes are thus not persisted immediately, but must be
|
|
|
|
* actively performed
|
2017-10-06 16:59:22 +02:00
|
|
|
*
|
2010-09-18 22:00:20 +02:00
|
|
|
* @param certificate
|
2017-10-06 16:59:22 +02:00
|
|
|
* the {@link Certificate} of the user which has the privilege to perform this action
|
|
|
|
*
|
2010-11-27 22:00:34 +01:00
|
|
|
* @return true if changes were persisted, false if no changes were persisted
|
2017-10-06 16:59:22 +02:00
|
|
|
*
|
2010-11-27 22:00:34 +01:00
|
|
|
* @throws AccessDeniedException
|
2017-10-06 16:59:22 +02:00
|
|
|
* if the users of the given certificate does not have the privilege to perform this action
|
2010-09-18 22:00:20 +02:00
|
|
|
*/
|
2017-10-06 16:59:22 +02:00
|
|
|
boolean persist(Certificate certificate) throws AccessDeniedException;
|
2012-08-05 01:33:54 +02:00
|
|
|
|
2015-10-16 13:16:27 +02:00
|
|
|
/**
|
|
|
|
* Persists all currently active sessions
|
2017-10-06 16:59:22 +02:00
|
|
|
*
|
2015-10-16 13:16:27 +02:00
|
|
|
* @param certificate
|
2017-10-06 16:59:22 +02:00
|
|
|
* the {@link Certificate} of the user which has the privilege to perform this action
|
2019-03-09 19:38:30 +01:00
|
|
|
* @param source
|
|
|
|
* the source of the request
|
2017-10-06 16:59:22 +02:00
|
|
|
*
|
2015-10-16 13:16:27 +02:00
|
|
|
* @return true if changes were persisted, false if not (i.e. not enabled)
|
2017-10-06 16:59:22 +02:00
|
|
|
*
|
2015-10-16 13:16:27 +02:00
|
|
|
* @throws AccessDeniedException
|
2017-10-06 16:59:22 +02:00
|
|
|
* if the users of the given certificate does not have the privilege to perform this action
|
2015-10-16 13:16:27 +02:00
|
|
|
*/
|
2019-03-09 19:38:30 +01:00
|
|
|
boolean persistSessions(Certificate certificate, String source) throws AccessDeniedException;
|
2015-10-16 13:16:27 +02:00
|
|
|
|
2012-08-05 01:33:54 +02:00
|
|
|
/**
|
|
|
|
* Special method to perform work as a System user, meaning the given systemUsername corresponds to an account which
|
|
|
|
* has the state {@link UserState#SYSTEM} and this user must have privilege to perform the concrete implementation
|
2016-09-29 12:26:27 +02:00
|
|
|
* of the given {@link SystemAction} instance
|
2017-10-06 16:59:22 +02:00
|
|
|
*
|
2012-08-05 01:33:54 +02:00
|
|
|
* @param systemUsername
|
2017-10-06 16:59:22 +02:00
|
|
|
* the username of the system user to perform the action as
|
2012-08-05 01:33:54 +02:00
|
|
|
* @param action
|
2017-10-06 16:59:22 +02:00
|
|
|
* the action to be performed as the system user
|
|
|
|
*
|
2015-10-08 12:26:31 +02:00
|
|
|
* @throws PrivilegeException
|
2018-12-18 14:30:37 +01:00
|
|
|
* if the user does not exist, or the system action is not allowed
|
|
|
|
* @throws Exception
|
|
|
|
* if anything else goes wrong during execution
|
2015-10-08 12:26:31 +02:00
|
|
|
*/
|
2018-12-18 14:30:37 +01:00
|
|
|
void runAs(String systemUsername, SystemAction action) throws PrivilegeException, Exception;
|
2016-09-29 12:26:27 +02:00
|
|
|
|
|
|
|
/**
|
|
|
|
* Special method to perform work as a System user, meaning the given systemUsername corresponds to an account which
|
|
|
|
* has the state {@link UserState#SYSTEM} and this user must have privilege to perform the concrete implementation
|
|
|
|
* of the given {@link SystemAction} instance
|
2017-10-06 16:59:22 +02:00
|
|
|
*
|
2016-09-29 12:26:27 +02:00
|
|
|
* @param systemUsername
|
2017-10-06 16:59:22 +02:00
|
|
|
* the username of the system user to perform the action as
|
2016-09-29 12:26:27 +02:00
|
|
|
* @param action
|
2017-10-06 16:59:22 +02:00
|
|
|
* the action to be performed as the system user
|
|
|
|
*
|
2016-09-29 12:26:27 +02:00
|
|
|
* @return the action
|
2017-10-06 16:59:22 +02:00
|
|
|
*
|
2016-09-29 12:26:27 +02:00
|
|
|
* @throws PrivilegeException
|
2018-12-18 14:30:37 +01:00
|
|
|
* if the user does not exist, or the system action is not allowed
|
|
|
|
* @throws Exception
|
|
|
|
* if anything else goes wrong during execution
|
2016-09-29 12:26:27 +02:00
|
|
|
*/
|
2018-12-18 14:30:37 +01:00
|
|
|
<T> T runWithResult(String systemUsername, SystemActionWithResult<T> action) throws PrivilegeException, Exception;
|
2015-10-08 12:26:31 +02:00
|
|
|
|
2019-09-25 11:11:46 +02:00
|
|
|
/**
|
|
|
|
* Special method to open a {@link PrivilegeContext} as a System user, meaning the given systemUsername corresponds
|
2023-03-14 09:18:15 +01:00
|
|
|
* to an account which has the state {@link UserState#SYSTEM}. This is used in cases where a system user's
|
|
|
|
* {@link PrivilegeContext} should be open for a longer period of time, or where opening many
|
|
|
|
* {@link PrivilegeContext} is resource intensive e.g. on low power devices.
|
2019-09-25 11:11:46 +02:00
|
|
|
*
|
|
|
|
* @param systemUsername
|
|
|
|
* the username of the system user to perform the action as
|
|
|
|
*
|
|
|
|
* @return the action
|
|
|
|
*
|
|
|
|
* @throws PrivilegeException
|
|
|
|
* if the user does not exist, or the system action is not allowed
|
|
|
|
*/
|
|
|
|
PrivilegeContext openSystemUserContext(String systemUsername) throws PrivilegeException;
|
|
|
|
|
2020-07-09 10:25:03 +02:00
|
|
|
/**
|
|
|
|
* Returns the configuration for this {@link PrivilegeHandler}
|
|
|
|
*
|
|
|
|
* @return the configuration as a Map
|
|
|
|
*/
|
|
|
|
Map<String, String> getParameterMap();
|
|
|
|
|
2015-10-08 12:26:31 +02:00
|
|
|
/**
|
|
|
|
* Returns the {@link EncryptionHandler} instance
|
2017-10-06 16:59:22 +02:00
|
|
|
*
|
2015-10-08 12:26:31 +02:00
|
|
|
* @return the {@link EncryptionHandler} instance
|
2012-08-05 01:33:54 +02:00
|
|
|
*/
|
2017-10-06 16:59:22 +02:00
|
|
|
EncryptionHandler getEncryptionHandler() throws PrivilegeException;
|
2020-07-09 10:25:03 +02:00
|
|
|
|
|
|
|
/**
|
|
|
|
* Returns the {@link PersistenceHandler}
|
|
|
|
*
|
|
|
|
* @return the {@link PersistenceHandler}
|
|
|
|
*/
|
|
|
|
PersistenceHandler getPersistenceHandler();
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Returns the {@link SingleSignOnHandler}
|
|
|
|
*
|
|
|
|
* @return the {@link SingleSignOnHandler}
|
|
|
|
*/
|
|
|
|
SingleSignOnHandler getSsoHandler();
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Returns the {@link UserChallengeHandler}
|
|
|
|
*
|
|
|
|
* @return the {@link UserChallengeHandler}
|
|
|
|
*/
|
|
|
|
UserChallengeHandler getUserChallengeHandler();
|
2010-06-20 22:11:53 +02:00
|
|
|
}
|