From 67271d611ee66d67477843ca7fc388e5fb50750c Mon Sep 17 00:00:00 2001 From: Robert von Burg Date: Sat, 27 Sep 2014 12:23:38 +0200 Subject: [PATCH] [New] Added Certificate.getLastAccess() and PrivilegeHandler.checkPassword() --- .../handler/DefaultPrivilegeHandler.java | 102 +++++++++++------- .../privilege/handler/PrivilegeHandler.java | 14 +++ .../eitchnet/privilege/model/Certificate.java | 17 +++ 3 files changed, 97 insertions(+), 36 deletions(-) diff --git a/src/main/java/ch/eitchnet/privilege/handler/DefaultPrivilegeHandler.java b/src/main/java/ch/eitchnet/privilege/handler/DefaultPrivilegeHandler.java index e3ec04f6f..1a74f217e 100644 --- a/src/main/java/ch/eitchnet/privilege/handler/DefaultPrivilegeHandler.java +++ b/src/main/java/ch/eitchnet/privilege/handler/DefaultPrivilegeHandler.java @@ -622,42 +622,8 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler { throw new PrivilegeException(msg); } - // and validate the password - validatePassword(password); - - // we only work with hashed passwords - String passwordHash = this.encryptionHandler.convertToHash(password); - - // get user object - User user = this.persistenceHandler.getUser(username); - // no user means no authentication - if (user == null) { - String msg = MessageFormat.format("There is no user defined with the username {0}", username); //$NON-NLS-1$ - throw new AccessDeniedException(msg); - } - - // make sure not a system user - they may not login in - if (user.getUserState() == UserState.SYSTEM) { - String msg = "User {0} is a system user and may not login!"; //$NON-NLS-1$ - msg = MessageFormat.format(msg, username); - throw new AccessDeniedException(msg); - } - - // validate password - String pwHash = user.getPassword(); - if (pwHash == null) - throw new AccessDeniedException(MessageFormat.format( - "User {0} has no password and may not login!", username)); //$NON-NLS-1$ - if (!pwHash.equals(passwordHash)) - throw new AccessDeniedException(MessageFormat.format("Password is incorrect for {0}", username)); //$NON-NLS-1$ - - // validate if user is allowed to login - // this also capture the trying to login of SYSTEM user - if (user.getUserState() != UserState.ENABLED) { - String msg = "User {0} does not have state {1} and can not login!"; //$NON-NLS-1$ - msg = MessageFormat.format(msg, username, UserState.ENABLED); - throw new AccessDeniedException(msg); - } + // check the password + User user = checkCredentialsAndUserState(username, password); // validate user has at least one role Set userRoles = user.getRoles(); @@ -696,6 +662,60 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler { return certificate; } + /** + * Checks the credentials and validates that the user may log in. + * + * @param username + * the username of the {@link User} to check against + * @param password + * the password of this user + * + * @return the {@link User} if the credentials are valid and the user may login + * + * @throws AccessDeniedException + * if anything is wrong with the credentials or the user state + */ + private User checkCredentialsAndUserState(String username, byte[] password) throws AccessDeniedException { + + // and validate the password + validatePassword(password); + + // we only work with hashed passwords + String passwordHash = this.encryptionHandler.convertToHash(password); + + // get user object + User user = this.persistenceHandler.getUser(username); + // no user means no authentication + if (user == null) { + String msg = MessageFormat.format("There is no user defined with the username {0}", username); //$NON-NLS-1$ + throw new AccessDeniedException(msg); + } + + // make sure not a system user - they may not login in + if (user.getUserState() == UserState.SYSTEM) { + String msg = "User {0} is a system user and may not login!"; //$NON-NLS-1$ + msg = MessageFormat.format(msg, username); + throw new AccessDeniedException(msg); + } + + // validate password + String pwHash = user.getPassword(); + if (pwHash == null) + throw new AccessDeniedException(MessageFormat.format( + "User {0} has no password and may not login!", username)); //$NON-NLS-1$ + if (!pwHash.equals(passwordHash)) + throw new AccessDeniedException(MessageFormat.format("Password is incorrect for {0}", username)); //$NON-NLS-1$ + + // validate if user is allowed to login + // this also capture the trying to login of SYSTEM user + if (user.getUserState() != UserState.ENABLED) { + String msg = "User {0} does not have state {1} and can not login!"; //$NON-NLS-1$ + msg = MessageFormat.format(msg, username, UserState.ENABLED); + throw new AccessDeniedException(msg); + } + return user; + } + /** * Builds a {@link PrivilegeContext} for the given {@link User} and its {@link Certificate} * @@ -801,6 +821,16 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler { // everything is ok } + @Override + public void checkPassword(Certificate certificate, byte[] password) throws PrivilegeException { + try { + isCertificateValid(certificate); + checkCredentialsAndUserState(certificate.getUsername(), password); + } finally { + clearPassword(password); + } + } + @Override public PrivilegeContext getPrivilegeContext(Certificate certificate) throws PrivilegeException { diff --git a/src/main/java/ch/eitchnet/privilege/handler/PrivilegeHandler.java b/src/main/java/ch/eitchnet/privilege/handler/PrivilegeHandler.java index d527fd171..cf472d41e 100644 --- a/src/main/java/ch/eitchnet/privilege/handler/PrivilegeHandler.java +++ b/src/main/java/ch/eitchnet/privilege/handler/PrivilegeHandler.java @@ -351,6 +351,20 @@ public interface PrivilegeHandler { */ public void isCertificateValid(Certificate certificate) throws PrivilegeException; + /** + * Checks that the given password belongs to the given {@link Certificate}. If it doesn't, then a + * {@link PrivilegeException} is thrown + * + * @param certificate + * the certificate for which to check the password + * @param password + * the password to check against the user from the certificate + * + * @throws PrivilegeException + * if the certificate is invalid or the password does not match + */ + public void checkPassword(Certificate certificate, byte[] password) throws PrivilegeException; + /** * Returns the {@link PrivilegeContext} for the given {@link Certificate}. The {@link PrivilegeContext} is an * encapsulated state of a user's privileges so that for the duration of a user's call, the user can perform their diff --git a/src/main/java/ch/eitchnet/privilege/model/Certificate.java b/src/main/java/ch/eitchnet/privilege/model/Certificate.java index 51f264583..6e48ae4ec 100644 --- a/src/main/java/ch/eitchnet/privilege/model/Certificate.java +++ b/src/main/java/ch/eitchnet/privilege/model/Certificate.java @@ -45,6 +45,7 @@ public final class Certificate implements Serializable { private final String authToken; private Locale locale; + private long lastAccess; private Map propertyMap; private Map sessionDataMap; @@ -197,6 +198,21 @@ public final class Certificate implements Serializable { return this.authToken; } + /** + * @return the lastAccess + */ + public long getLastAccess() { + return this.lastAccess; + } + + /** + * @param lastAccess + * the lastAccess to set + */ + public void setLastAccess(long lastAccess) { + this.lastAccess = lastAccess; + } + /** * Returns a string representation of this object displaying its concrete type and its values * @@ -223,6 +239,7 @@ public final class Certificate implements Serializable { builder.append(", locale="); builder.append(this.locale); + builder.append("]"); return builder.toString(); }