[Minor] added some java docs
This commit is contained in:
parent
5d87120675
commit
7d231ebb3a
|
@ -24,7 +24,7 @@ import ch.eitchnet.privilege.i18n.PrivilegeException;
|
|||
|
||||
/**
|
||||
* <p>
|
||||
* This default {@link EncryptionHandler} creates nokens by using a {@link SecureRandom} object. Hashing is done by
|
||||
* This default {@link EncryptionHandler} creates tokens using a {@link SecureRandom} object. Hashing is done by
|
||||
* using {@link MessageDigest} and the configured algorithm which is passed in the parameters
|
||||
* </p>
|
||||
*
|
||||
|
|
|
@ -33,6 +33,21 @@ import ch.eitchnet.privilege.model.internal.User;
|
|||
import ch.eitchnet.privilege.policy.PrivilegePolicy;
|
||||
|
||||
/**
|
||||
* <p>
|
||||
* This is default implementation of the {@link PrivilegeHandler}
|
||||
* </p>
|
||||
*
|
||||
* The following list describes implementation details:
|
||||
* <ul>
|
||||
* <li>any methods which change the model are first validated by checking if the certificate is for an admin user by
|
||||
* calling {@link #validateIsPrivilegeAdmin(Certificate)}</li>
|
||||
* <li>all model requests are delegated to the configured {@link PrivilegeHandler}, except for the session id to
|
||||
* {@link Certificate} map, no model data is kept in this implementation. This also means that to return the
|
||||
* representation objects, for every new model query, a new representation object is created</li>
|
||||
* <li>when creating new users, or editing users then a null password is understood as no password set</li>
|
||||
* <li>Password requirements are simple: Non null and non empty/length 0</li>
|
||||
* </ul>
|
||||
*
|
||||
* @author rvonburg
|
||||
*
|
||||
*/
|
||||
|
@ -106,8 +121,8 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
|
|||
validateIsPrivilegeAdmin(certificate);
|
||||
|
||||
// create a new privilege
|
||||
Privilege privilege = new Privilege(privilegeRep.getName(), privilegeRep.getPolicy(), privilegeRep
|
||||
.isAllAllowed(), privilegeRep.getDenyList(), privilegeRep.getAllowList());
|
||||
Privilege privilege = new Privilege(privilegeRep.getName(), privilegeRep.getPolicy(),
|
||||
privilegeRep.isAllAllowed(), privilegeRep.getDenyList(), privilegeRep.getAllowList());
|
||||
|
||||
// delegate to persistence handler
|
||||
this.persistenceHandler.addOrReplacePrivilege(privilege);
|
||||
|
@ -151,8 +166,8 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
|
|||
}
|
||||
|
||||
// create new user
|
||||
User user = new User(userRep.getUserId(), userRep.getUsername(), passwordHash, userRep.getFirstname(), userRep
|
||||
.getSurname(), userRep.getUserState(), userRep.getRoles(), userRep.getLocale());
|
||||
User user = new User(userRep.getUserId(), userRep.getUsername(), passwordHash, userRep.getFirstname(),
|
||||
userRep.getSurname(), userRep.getUserState(), userRep.getRoles(), userRep.getLocale());
|
||||
|
||||
// delegate to persistence handler
|
||||
this.persistenceHandler.addOrReplaceUser(user);
|
||||
|
@ -229,8 +244,8 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
|
|||
Set<String> newRoles = new HashSet<String>(currentRoles);
|
||||
newRoles.add(roleName);
|
||||
|
||||
User newUser = new User(user.getUserId(), user.getUsername(), user.getPassword(), user.getFirstname(), user
|
||||
.getSurname(), user.getUserState(), newRoles, user.getLocale());
|
||||
User newUser = new User(user.getUserId(), user.getUsername(), user.getPassword(), user.getFirstname(),
|
||||
user.getSurname(), user.getUserState(), newRoles, user.getLocale());
|
||||
|
||||
// delegate user replacement to persistence handler
|
||||
this.persistenceHandler.addOrReplaceUser(newUser);
|
||||
|
@ -334,8 +349,8 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
|
|||
// create new user
|
||||
Set<String> newRoles = new HashSet<String>(currentRoles);
|
||||
newRoles.remove(roleName);
|
||||
User newUser = new User(user.getUserId(), user.getUsername(), user.getPassword(), user.getFirstname(), user
|
||||
.getSurname(), user.getUserState(), newRoles, user.getLocale());
|
||||
User newUser = new User(user.getUserId(), user.getUsername(), user.getPassword(), user.getFirstname(),
|
||||
user.getSurname(), user.getUserState(), newRoles, user.getLocale());
|
||||
|
||||
// delegate user replacement to persistence handler
|
||||
this.persistenceHandler.addOrReplaceUser(newUser);
|
||||
|
@ -387,8 +402,8 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
|
|||
}
|
||||
|
||||
// create new privilege
|
||||
Privilege newPrivilege = new Privilege(privilege.getName(), privilege.getPolicy(), allAllowed, privilege
|
||||
.getDenyList(), privilege.getAllowList());
|
||||
Privilege newPrivilege = new Privilege(privilege.getName(), privilege.getPolicy(), allAllowed,
|
||||
privilege.getDenyList(), privilege.getAllowList());
|
||||
|
||||
// delegate privilege replacement to persistence handler
|
||||
this.persistenceHandler.addOrReplacePrivilege(newPrivilege);
|
||||
|
@ -458,20 +473,26 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
|
|||
throw new PrivilegeException("Privilege " + privilegeName + " does not exist!");
|
||||
}
|
||||
|
||||
// validate that the policy exists
|
||||
PrivilegePolicy policy = this.persistenceHandler.getPolicy(policyName);
|
||||
if (policy == null) {
|
||||
throw new PrivilegeException("No privilege policy exists for the name " + policyName);
|
||||
}
|
||||
|
||||
// create new privilege
|
||||
Privilege newPrivilege = new Privilege(privilege.getName(), policyName, privilege.isAllAllowed(), privilege
|
||||
.getDenyList(), privilege.getAllowList());
|
||||
Privilege newPrivilege = new Privilege(privilege.getName(), policyName, privilege.isAllAllowed(),
|
||||
privilege.getDenyList(), privilege.getAllowList());
|
||||
|
||||
// delegate privilege replacement to persistence handler
|
||||
this.persistenceHandler.addOrReplacePrivilege(newPrivilege);
|
||||
}
|
||||
|
||||
/**
|
||||
* @see ch.eitchnet.privilege.handler.PrivilegeHandler#setUserLocaleState(ch.eitchnet.privilege.model.Certificate,
|
||||
* @see ch.eitchnet.privilege.handler.PrivilegeHandler#setUserLocale(ch.eitchnet.privilege.model.Certificate,
|
||||
* java.lang.String, java.util.Locale)
|
||||
*/
|
||||
@Override
|
||||
public void setUserLocaleState(Certificate certificate, String username, Locale locale) {
|
||||
public void setUserLocale(Certificate certificate, String username, Locale locale) {
|
||||
|
||||
// validate who is doing this
|
||||
validateIsPrivilegeAdmin(certificate);
|
||||
|
@ -483,8 +504,8 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
|
|||
}
|
||||
|
||||
// create new user
|
||||
User newUser = new User(user.getUserId(), user.getUsername(), user.getPassword(), user.getFirstname(), user
|
||||
.getSurname(), user.getUserState(), user.getRoles(), locale);
|
||||
User newUser = new User(user.getUserId(), user.getUsername(), user.getPassword(), user.getFirstname(),
|
||||
user.getSurname(), user.getUserState(), user.getRoles(), locale);
|
||||
|
||||
// delegate user replacement to persistence handler
|
||||
this.persistenceHandler.addOrReplaceUser(newUser);
|
||||
|
@ -507,8 +528,8 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
|
|||
}
|
||||
|
||||
// create new user
|
||||
User newUser = new User(user.getUserId(), user.getUsername(), user.getPassword(), firstname, surname, user
|
||||
.getUserState(), user.getRoles(), user.getLocale());
|
||||
User newUser = new User(user.getUserId(), user.getUsername(), user.getPassword(), firstname, surname,
|
||||
user.getUserState(), user.getRoles(), user.getLocale());
|
||||
|
||||
// delegate user replacement to persistence handler
|
||||
this.persistenceHandler.addOrReplaceUser(newUser);
|
||||
|
@ -541,8 +562,8 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
|
|||
}
|
||||
|
||||
// create new user
|
||||
User newUser = new User(user.getUserId(), user.getUsername(), passwordHash, user.getFirstname(), user
|
||||
.getSurname(), user.getUserState(), user.getRoles(), user.getLocale());
|
||||
User newUser = new User(user.getUserId(), user.getUsername(), passwordHash, user.getFirstname(),
|
||||
user.getSurname(), user.getUserState(), user.getRoles(), user.getLocale());
|
||||
|
||||
// delegate user replacement to persistence handler
|
||||
this.persistenceHandler.addOrReplaceUser(newUser);
|
||||
|
@ -565,8 +586,8 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
|
|||
}
|
||||
|
||||
// create new user
|
||||
User newUser = new User(user.getUserId(), user.getUsername(), user.getPassword(), user.getFirstname(), user
|
||||
.getSurname(), state, user.getRoles(), user.getLocale());
|
||||
User newUser = new User(user.getUserId(), user.getUsername(), user.getPassword(), user.getFirstname(),
|
||||
user.getSurname(), state, user.getRoles(), user.getLocale());
|
||||
|
||||
// delegate user replacement to persistence handler
|
||||
this.persistenceHandler.addOrReplaceUser(newUser);
|
||||
|
@ -623,8 +644,8 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
|
|||
Certificate certificate = new Certificate(sessionId, username, authToken, authPassword, user.getLocale());
|
||||
|
||||
// create and save a new session
|
||||
Session session = new Session(sessionId, authToken, authPassword, user.getUsername(), System
|
||||
.currentTimeMillis());
|
||||
Session session = new Session(sessionId, authToken, authPassword, user.getUsername(),
|
||||
System.currentTimeMillis());
|
||||
this.sessionMap.put(sessionId, new CertificateSessionPair(session, certificate));
|
||||
|
||||
// log
|
||||
|
@ -635,8 +656,8 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
|
|||
}
|
||||
|
||||
/**
|
||||
* TODO What is better, validate from {@link Restrictable} to {@link User} or the opposite direction?
|
||||
*
|
||||
* Checks if the action is allowed by iterating the roles of the certificates user and then delegating to
|
||||
* {@link #actionAllowed(Role, Restrictable)}
|
||||
*
|
||||
* @throws AccessDeniedException
|
||||
* if the {@link Certificate} is not for a currently logged in {@link User} or if the user may not
|
||||
|
@ -648,6 +669,8 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
|
|||
@Override
|
||||
public boolean actionAllowed(Certificate certificate, Restrictable restrictable) {
|
||||
|
||||
// TODO What is better, validate from {@link Restrictable} to {@link User} or the opposite direction?
|
||||
|
||||
// first validate certificate
|
||||
if (!isCertificateValid(certificate)) {
|
||||
logger.info("Certificate is not valid, so action is not allowed: " + certificate + " for restrictable: "
|
||||
|
@ -690,18 +713,43 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
|
|||
}
|
||||
|
||||
/**
|
||||
* @see ch.eitchnet.privilege.handler.PrivilegeHandler#actionAllowed(ch.eitchnet.privilege.model.internal.Role,
|
||||
* Checks if the {@link RoleRep} has access to the {@link Restrictable} by delegating to
|
||||
* {@link PrivilegePolicy#actionAllowed(Role, Privilege, Restrictable)}
|
||||
*
|
||||
* @see ch.eitchnet.privilege.handler.PrivilegeHandler#actionAllowed(ch.eitchnet.privilege.model.RoleRep,
|
||||
* ch.eitchnet.privilege.model.Restrictable)
|
||||
*/
|
||||
@Override
|
||||
public boolean actionAllowed(Role role, Restrictable restrictable) {
|
||||
public boolean actionAllowed(RoleRep roleRep, Restrictable restrictable) {
|
||||
|
||||
// user and restrictable must not be null
|
||||
if (role == null)
|
||||
if (roleRep == null)
|
||||
throw new PrivilegeException("Role may not be null!");
|
||||
else if (restrictable == null)
|
||||
throw new PrivilegeException("Restrictable may not be null!");
|
||||
|
||||
// get role for the roleRep
|
||||
Role role = this.persistenceHandler.getRole(roleRep.getName());
|
||||
|
||||
// validate that the role exists
|
||||
if (role == null) {
|
||||
throw new PrivilegeException("No Role exists with the name " + roleRep.getName());
|
||||
}
|
||||
|
||||
return actionAllowed(role, restrictable);
|
||||
}
|
||||
|
||||
/**
|
||||
* Checks if the {@link Role} has access to the {@link Restrictable} by delegating to
|
||||
* {@link PrivilegePolicy#actionAllowed(Role, Privilege, Restrictable)}
|
||||
*
|
||||
* @param role
|
||||
* @param restrictable
|
||||
*
|
||||
* @return true if the privilege is granted, false otherwise
|
||||
*/
|
||||
protected boolean actionAllowed(Role role, Restrictable restrictable) {
|
||||
|
||||
// validate PrivilegeName for this restrictable
|
||||
String privilegeName = restrictable.getPrivilegeName();
|
||||
if (privilegeName == null || privilegeName.length() < 3) {
|
||||
|
@ -800,6 +848,8 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
|
|||
}
|
||||
|
||||
/**
|
||||
* This simple implementation validates that the password is not null, and that the password string is not empty
|
||||
*
|
||||
* @see ch.eitchnet.privilege.handler.PrivilegeHandler#validatePassword(java.lang.String)
|
||||
*/
|
||||
@Override
|
||||
|
|
|
@ -12,6 +12,7 @@ package ch.eitchnet.privilege.handler;
|
|||
|
||||
import java.util.Map;
|
||||
|
||||
import ch.eitchnet.privilege.i18n.PrivilegeException;
|
||||
import ch.eitchnet.privilege.model.Restrictable;
|
||||
import ch.eitchnet.privilege.model.internal.Privilege;
|
||||
import ch.eitchnet.privilege.model.internal.Role;
|
||||
|
@ -67,17 +68,20 @@ public interface PersistenceHandler {
|
|||
|
||||
/**
|
||||
* <p>
|
||||
* Thus this method instantiates a {@link PrivilegePolicy} object from the given policyName. The
|
||||
* {@link PrivilegePolicy} is not stored in a database, but rather behind a privilege name a class name is stored
|
||||
* which then is used to instantiate a new object
|
||||
* This method instantiates a {@link PrivilegePolicy} object from the given policyName. The {@link PrivilegePolicy}
|
||||
* is not stored in a database. The privilege name is a class name and is then used to instantiate a new
|
||||
* {@link PrivilegePolicy} object
|
||||
* </p>
|
||||
*
|
||||
* @param policyName
|
||||
* the name/id of the {@link PrivilegePolicy} object to return
|
||||
* the class name of the {@link PrivilegePolicy} object to return
|
||||
*
|
||||
* @return the {@link PrivilegePolicy} object, or null if no class is defined for the given policy name
|
||||
* @return the {@link PrivilegePolicy} object
|
||||
*
|
||||
* @throws PrivilegeException
|
||||
* if the {@link PrivilegePolicy} object for the given policy name could not be instantiated
|
||||
*/
|
||||
public PrivilegePolicy getPolicy(String policyName);
|
||||
public PrivilegePolicy getPolicy(String policyName) throws PrivilegeException;
|
||||
|
||||
/**
|
||||
* Removes a {@link User} with the given name and returns the removed object if it existed
|
||||
|
|
|
@ -10,6 +10,7 @@
|
|||
|
||||
package ch.eitchnet.privilege.handler;
|
||||
|
||||
import java.util.List;
|
||||
import java.util.Locale;
|
||||
import java.util.Map;
|
||||
import java.util.Set;
|
||||
|
@ -28,6 +29,10 @@ import ch.eitchnet.privilege.model.internal.User;
|
|||
import ch.eitchnet.privilege.policy.PrivilegePolicy;
|
||||
|
||||
/**
|
||||
* The {@link PrivilegeHandler} is the centrally exposed API for accessing the privilege library. It exposes all needed
|
||||
* methods to access Privilege data model objects, modify them and validate if users or roles have privileges to perform
|
||||
* an action
|
||||
*
|
||||
* @author rvonburg
|
||||
*
|
||||
*/
|
||||
|
@ -87,8 +92,14 @@ public interface PrivilegeHandler {
|
|||
* the username of the user to remove
|
||||
*
|
||||
* @return the {@link UserRep} of the user removed, or null if the user did not exist
|
||||
*
|
||||
* @throws AccessDeniedException
|
||||
* if the user for this certificate may not perform the action
|
||||
* @throws PrivilegeException
|
||||
* if there is anything wrong with this certificate
|
||||
*/
|
||||
public UserRep removeUser(Certificate certificate, String username);
|
||||
public UserRep removeUser(Certificate certificate, String username) throws AccessDeniedException,
|
||||
PrivilegeException;
|
||||
|
||||
/**
|
||||
* Removes the role with the given roleName from the user with the given username
|
||||
|
@ -98,9 +109,15 @@ public interface PrivilegeHandler {
|
|||
* @param username
|
||||
* the username of the user from which the role is to be removed
|
||||
* @param roleName
|
||||
* the rolename of the role to remove from the user
|
||||
* the roleName of the role to remove from the user
|
||||
*
|
||||
* @throws AccessDeniedException
|
||||
* if the user for this certificate may not perform the action
|
||||
* @throws PrivilegeException
|
||||
* if there is anything wrong with this certificate
|
||||
*/
|
||||
public void removeRoleFromUser(Certificate certificate, String username, String roleName);
|
||||
public void removeRoleFromUser(Certificate certificate, String username, String roleName)
|
||||
throws AccessDeniedException, PrivilegeException;
|
||||
|
||||
/**
|
||||
* Removes the role with the given roleName
|
||||
|
@ -111,8 +128,14 @@ public interface PrivilegeHandler {
|
|||
* the roleName of the role to remove
|
||||
*
|
||||
* @return the {@link RoleRep} of the role removed, or null if the role did not exist
|
||||
*
|
||||
* @throws AccessDeniedException
|
||||
* if the user for this certificate may not perform the action
|
||||
* @throws PrivilegeException
|
||||
* if there is anything wrong with this certificate
|
||||
*/
|
||||
public RoleRep removeRole(Certificate certificate, String roleName);
|
||||
public RoleRep removeRole(Certificate certificate, String roleName) throws AccessDeniedException,
|
||||
PrivilegeException;
|
||||
|
||||
/**
|
||||
* Removes the privilege with the given privilegeName from the role with the given roleName
|
||||
|
@ -123,8 +146,14 @@ public interface PrivilegeHandler {
|
|||
* the roleName of the role from which the privilege is to be removed
|
||||
* @param privilegeName
|
||||
* the privilegeName of the privilege to remove from the role
|
||||
*
|
||||
* @throws AccessDeniedException
|
||||
* if the user for this certificate may not perform the action
|
||||
* @throws PrivilegeException
|
||||
* if there is anything wrong with this certificate
|
||||
*/
|
||||
public void removePrivilegeFromRole(Certificate certificate, String roleName, String privilegeName);
|
||||
public void removePrivilegeFromRole(Certificate certificate, String roleName, String privilegeName)
|
||||
throws AccessDeniedException, PrivilegeException;
|
||||
|
||||
/**
|
||||
* Removes the privilege with the given privilegeName
|
||||
|
@ -135,8 +164,14 @@ public interface PrivilegeHandler {
|
|||
* the privilegeName of the privilege to remove
|
||||
*
|
||||
* @return the {@link PrivilegeRep} of the privilege removed, or null if the privilege did not exist
|
||||
*
|
||||
* @throws AccessDeniedException
|
||||
* if the user for this certificate may not perform the action
|
||||
* @throws PrivilegeException
|
||||
* if there is anything wrong with this certificate
|
||||
*/
|
||||
public PrivilegeRep removePrivilege(Certificate certificate, String privilegeName);
|
||||
public PrivilegeRep removePrivilege(Certificate certificate, String privilegeName) throws AccessDeniedException,
|
||||
PrivilegeException;
|
||||
|
||||
/**
|
||||
* <p>
|
||||
|
@ -156,8 +191,14 @@ public interface PrivilegeHandler {
|
|||
* the password of the new user. If the password is null, then this is accepted but the user can not
|
||||
* login, otherwise the password must be validated against
|
||||
* {@link PrivilegeHandler#validatePassword(String)}
|
||||
*
|
||||
* @throws AccessDeniedException
|
||||
* if the user for this certificate may not perform the action
|
||||
* @throws PrivilegeException
|
||||
* if there is anything wrong with this certificate
|
||||
*/
|
||||
public void addOrReplaceUser(Certificate certificate, UserRep userRep, String password);
|
||||
public void addOrReplaceUser(Certificate certificate, UserRep userRep, String password)
|
||||
throws AccessDeniedException, PrivilegeException;
|
||||
|
||||
/**
|
||||
* Adds a new role, or replaces the role with the information from this {@link RoleRep} if the role already exists
|
||||
|
@ -166,8 +207,14 @@ public interface PrivilegeHandler {
|
|||
* the {@link Certificate} of the user which has the privilege to perform this action
|
||||
* @param roleRep
|
||||
* the {@link RoleRep} containing the information to create the new {@link Role}
|
||||
*
|
||||
* @throws AccessDeniedException
|
||||
* if the user for this certificate may not perform the action
|
||||
* @throws PrivilegeException
|
||||
* if there is anything wrong with this certificate
|
||||
*/
|
||||
public void addOrReplaceRole(Certificate certificate, RoleRep roleRep);
|
||||
public void addOrReplaceRole(Certificate certificate, RoleRep roleRep) throws AccessDeniedException,
|
||||
PrivilegeException;
|
||||
|
||||
/**
|
||||
* Adds a new privilege, or replaces the privilege with the information from this {@link PrivilegeRep} if the
|
||||
|
@ -177,8 +224,14 @@ public interface PrivilegeHandler {
|
|||
* the {@link Certificate} of the user which has the privilege to perform this action
|
||||
* @param privilegeRep
|
||||
* the {@link PrivilegeRep} containing the information to create the new {@link Privilege}
|
||||
*
|
||||
* @throws AccessDeniedException
|
||||
* if the user for this certificate may not perform the action
|
||||
* @throws PrivilegeException
|
||||
* if there is anything wrong with this certificate
|
||||
*/
|
||||
public void addOrReplacePrivilege(Certificate certificate, PrivilegeRep privilegeRep);
|
||||
public void addOrReplacePrivilege(Certificate certificate, PrivilegeRep privilegeRep) throws AccessDeniedException,
|
||||
PrivilegeException;
|
||||
|
||||
/**
|
||||
* Adds the role with the given roleName to the {@link User} with the given username
|
||||
|
@ -189,8 +242,14 @@ public interface PrivilegeHandler {
|
|||
* the username of the {@link User} to which the role should be added
|
||||
* @param roleName
|
||||
* the roleName of the {@link Role} which should be added to the {@link User}
|
||||
*
|
||||
* @throws AccessDeniedException
|
||||
* if the user for this certificate may not perform the action
|
||||
* @throws PrivilegeException
|
||||
* if there is anything wrong with this certificate
|
||||
*/
|
||||
public void addRoleToUser(Certificate certificate, String username, String roleName);
|
||||
public void addRoleToUser(Certificate certificate, String username, String roleName) throws AccessDeniedException,
|
||||
PrivilegeException;
|
||||
|
||||
/**
|
||||
* Adds the privilege with the given privilegeName to the {@link Role} with the given roleName
|
||||
|
@ -201,8 +260,14 @@ public interface PrivilegeHandler {
|
|||
* the roleName of the {@link Role} to which the privilege should be added
|
||||
* @param privilegeName
|
||||
* the privilegeName of the {@link Privilege} which should be added to the {@link Role}
|
||||
*
|
||||
* @throws AccessDeniedException
|
||||
* if the user for this certificate may not perform the action
|
||||
* @throws PrivilegeException
|
||||
* if there is anything wrong with this certificate
|
||||
*/
|
||||
public void addPrivilegeToRole(Certificate certificate, String roleName, String privilegeName);
|
||||
public void addPrivilegeToRole(Certificate certificate, String roleName, String privilegeName)
|
||||
throws AccessDeniedException, PrivilegeException;
|
||||
|
||||
/**
|
||||
* Changes the password for the {@link User} with the given username. If the password is null, then the {@link User}
|
||||
|
@ -217,115 +282,213 @@ public interface PrivilegeHandler {
|
|||
* the new password for this user. If the password is null, then the {@link User} can not login anymore.
|
||||
* Otherwise the password must meet the requirements of the implementation under
|
||||
* {@link PrivilegeHandler#validatePassword(String)}
|
||||
*/
|
||||
public void setUserPassword(Certificate certificate, String username, String password);
|
||||
|
||||
/**
|
||||
* @param certificate
|
||||
* the {@link Certificate} of the user which has the privilege to perform this action
|
||||
* @param username
|
||||
* @param firstname
|
||||
* @param surname
|
||||
*/
|
||||
public void setUserName(Certificate certificate, String username, String firstname, String surname);
|
||||
|
||||
/**
|
||||
* @param certificate
|
||||
* the {@link Certificate} of the user which has the privilege to perform this action
|
||||
* @param username
|
||||
* @param state
|
||||
*/
|
||||
public void setUserState(Certificate certificate, String username, UserState state);
|
||||
|
||||
/**
|
||||
* @param certificate
|
||||
* the {@link Certificate} of the user which has the privilege to perform this action
|
||||
* @param username
|
||||
* @param locale
|
||||
*/
|
||||
public void setUserLocaleState(Certificate certificate, String username, Locale locale);
|
||||
|
||||
/**
|
||||
* @param certificate
|
||||
* the {@link Certificate} of the user which has the privilege to perform this action
|
||||
* @param privilegeName
|
||||
* @param policyName
|
||||
*/
|
||||
public void setPrivilegePolicy(Certificate certificate, String privilegeName, String policyName);
|
||||
|
||||
/**
|
||||
* @param certificate
|
||||
* the {@link Certificate} of the user which has the privilege to perform this action
|
||||
* @param privilegeName
|
||||
* @param allAllowed
|
||||
*/
|
||||
public void setPrivilegeAllAllowed(Certificate certificate, String privilegeName, boolean allAllowed);
|
||||
|
||||
/**
|
||||
* @param certificate
|
||||
* the {@link Certificate} of the user which has the privilege to perform this action
|
||||
* @param privilegeName
|
||||
* @param denyList
|
||||
*/
|
||||
public void setPrivilegeDenyList(Certificate certificate, String privilegeName, Set<String> denyList);
|
||||
|
||||
/**
|
||||
* @param certificate
|
||||
* the {@link Certificate} of the user which has the privilege to perform this action
|
||||
* @param privilegeName
|
||||
* @param allowList
|
||||
*/
|
||||
public void setPrivilegeAllowList(Certificate certificate, String privilegeName, Set<String> allowList);
|
||||
|
||||
/**
|
||||
* @param username
|
||||
* @param password
|
||||
*
|
||||
* @return
|
||||
* @throws AccessDeniedException
|
||||
* if the user for this certificate may not perform the action
|
||||
* @throws PrivilegeException
|
||||
* if there is anything wrong with this certificate
|
||||
*/
|
||||
public void setUserPassword(Certificate certificate, String username, String password)
|
||||
throws AccessDeniedException, PrivilegeException;
|
||||
|
||||
/**
|
||||
* Changes the name of the user. This changes the first name and the surname. If either value is null, then that
|
||||
* value is not changed
|
||||
*
|
||||
* @param certificate
|
||||
* the {@link Certificate} of the user which has the privilege to perform this action
|
||||
* @param username
|
||||
* the username of the {@link User} for which the name is to be changed
|
||||
* @param firstname
|
||||
* the new first name
|
||||
* @param surname
|
||||
* the new surname
|
||||
*
|
||||
* @throws AccessDeniedException
|
||||
* if the user for this certificate may not perform the action
|
||||
* @throws PrivilegeException
|
||||
* if there is anything wrong with this certificate
|
||||
*/
|
||||
public void setUserName(Certificate certificate, String username, String firstname, String surname)
|
||||
throws AccessDeniedException, PrivilegeException;
|
||||
|
||||
/**
|
||||
* Changes the {@link UserState} of the user
|
||||
*
|
||||
* @param certificate
|
||||
* the {@link Certificate} of the user which has the privilege to perform this action
|
||||
* @param username
|
||||
* the username of the {@link User} for which the {@link UserState} is to be changed
|
||||
* @param state
|
||||
* the new state for the user
|
||||
*
|
||||
* @throws AccessDeniedException
|
||||
* if the user for this certificate may not perform the action
|
||||
* @throws PrivilegeException
|
||||
* if there is anything wrong with this certificate
|
||||
*/
|
||||
public void setUserState(Certificate certificate, String username, UserState state) throws AccessDeniedException,
|
||||
PrivilegeException;
|
||||
|
||||
/**
|
||||
* Changes the {@link Locale} of the user
|
||||
*
|
||||
* @param certificate
|
||||
* the {@link Certificate} of the user which has the privilege to perform this action
|
||||
* @param username
|
||||
* the username of the {@link User} for which the {@link Locale} is to be changed
|
||||
* @param locale
|
||||
* the new {@link Locale} for the user
|
||||
*
|
||||
* @throws AccessDeniedException
|
||||
* if the user for this certificate may not perform the action
|
||||
* @throws PrivilegeException
|
||||
* if there is anything wrong with this certificate
|
||||
*/
|
||||
public void setUserLocale(Certificate certificate, String username, Locale locale) throws AccessDeniedException,
|
||||
PrivilegeException;
|
||||
|
||||
/**
|
||||
* Sets the class name of the {@link PrivilegePolicy} object for the {@link Privilege} registered for the given
|
||||
* privilegeName
|
||||
*
|
||||
* @param certificate
|
||||
* the {@link Certificate} of the user which has the privilege to perform this action
|
||||
* @param privilegeName
|
||||
* the name of the {@link Privilege} for which the policy is to be changed
|
||||
* @param policyName
|
||||
* class name of the {@link PrivilegePolicy} to be registered for this {@link Privilege}
|
||||
*
|
||||
* @throws AccessDeniedException
|
||||
* if the user for this certificate may not perform the action
|
||||
* @throws PrivilegeException
|
||||
* if there is anything wrong with this certificate or if the class name of the policy is invalid
|
||||
*/
|
||||
public void setPrivilegePolicy(Certificate certificate, String privilegeName, String policyName)
|
||||
throws AccessDeniedException, PrivilegeException;
|
||||
|
||||
/**
|
||||
* Sets the special flag on the given {@link Privilege} defined by the privilegeName argument so that all is allowed
|
||||
* and thus the allow and deny list of the privilege are ignored
|
||||
*
|
||||
* @param certificate
|
||||
* the {@link Certificate} of the user which has the privilege to perform this action
|
||||
* @param privilegeName
|
||||
* the name of the {@link Privilege} for which the allAllowed value is to be changed
|
||||
* @param allAllowed
|
||||
* the boolean defining if all privileges are granted for the value true, or not for the value false
|
||||
*
|
||||
* @throws AccessDeniedException
|
||||
* if the user for this certificate may not perform the action
|
||||
* @throws PrivilegeException
|
||||
* if there is anything wrong with this certificate
|
||||
*/
|
||||
public void setPrivilegeAllAllowed(Certificate certificate, String privilegeName, boolean allAllowed)
|
||||
throws AccessDeniedException, PrivilegeException;
|
||||
|
||||
/**
|
||||
* Sets the {@link List} of strings which represent values which denies finer grained privilege rights for the
|
||||
* {@link Privilege} defined by the privilegeName argument
|
||||
*
|
||||
* @param certificate
|
||||
* the {@link Certificate} of the user which has the privilege to perform this action
|
||||
* @param privilegeName
|
||||
* the name of the {@link Privilege} for which the deny list is to be changed
|
||||
* @param denyList
|
||||
* the {@link List} of strings which represent values which denies finer grained privilege rights
|
||||
*
|
||||
* @throws AccessDeniedException
|
||||
* if the user for this certificate may not perform the action
|
||||
* @throws PrivilegeException
|
||||
* if there is anything wrong with this certificate
|
||||
*/
|
||||
public void setPrivilegeDenyList(Certificate certificate, String privilegeName, Set<String> denyList)
|
||||
throws AccessDeniedException, PrivilegeException;
|
||||
|
||||
/**
|
||||
* Sets the {@link List} of strings which represent values which grants finer grained privilege rights for the
|
||||
* {@link Privilege} defined by the privilegeName argument
|
||||
*
|
||||
* @param certificate
|
||||
* the {@link Certificate} of the user which has the privilege to perform this action
|
||||
* @param privilegeName
|
||||
* the name of the {@link Privilege} for which the allow list is to be changed
|
||||
* @param allowList
|
||||
* the {@link List} of strings which represent values which grants finer grained privilege rights
|
||||
*
|
||||
* @throws AccessDeniedException
|
||||
* if the user for this certificate may not perform the action
|
||||
* @throws PrivilegeException
|
||||
* if there is anything wrong with this certificate
|
||||
*/
|
||||
public void setPrivilegeAllowList(Certificate certificate, String privilegeName, Set<String> allowList)
|
||||
throws AccessDeniedException, PrivilegeException;
|
||||
|
||||
/**
|
||||
* Authenticates a user by validating that a {@link User} for the given username and password exist and then returns
|
||||
* a {@link Certificate} with which this user may then perform actions
|
||||
*
|
||||
* @param username
|
||||
* the username of the {@link User} which is registered in the {@link PersistenceHandler}
|
||||
* @param password
|
||||
* the password with which this user is to be authenticated. Null passwords are not accepted and they
|
||||
* must meet the requirements of the {@link #validatePassword(String)}-method
|
||||
*
|
||||
* @return a {@link Certificate} with which this user may then perform actions
|
||||
*
|
||||
* @throws AccessDeniedException
|
||||
* if the user credentials are not valid
|
||||
*/
|
||||
public Certificate authenticate(String username, String password);
|
||||
public Certificate authenticate(String username, String password) throws AccessDeniedException;
|
||||
|
||||
/**
|
||||
* Checks if the {@link User} registered to the given {@link Certificate} is allowed to access the
|
||||
* {@link Restrictable}
|
||||
*
|
||||
* @param certificate
|
||||
* the {@link Certificate} of the user which has the privilege to perform this action
|
||||
* @param restrictable
|
||||
* the {@link Restrictable} to which the user wants access
|
||||
*
|
||||
* @return
|
||||
* @return true if the access is allowed, false otherwise
|
||||
*
|
||||
* @throws AccessDeniedException
|
||||
* if the {@link Certificate} is not for a currently logged in {@link User} or if the user may not
|
||||
* perform the action defined by the {@link Restrictable} implementation
|
||||
* if the user for this certificate may not perform the action defined by the {@link Restrictable}
|
||||
* implementation
|
||||
* @throws PrivilegeException
|
||||
* if there is anything wrong with this certificate
|
||||
*/
|
||||
public boolean actionAllowed(Certificate certificate, Restrictable restrictable);
|
||||
public boolean actionAllowed(Certificate certificate, Restrictable restrictable) throws AccessDeniedException,
|
||||
PrivilegeException;
|
||||
|
||||
/**
|
||||
* @param role
|
||||
* Checks if the {@link RoleRep} is allowed to access the {@link Restrictable}
|
||||
*
|
||||
* @param roleRep
|
||||
* the {@link RoleRep} for which access to the {@link Restrictable} is to be checked
|
||||
* @param restrictable
|
||||
* @return
|
||||
* the {@link Restrictable} to which access is to be checked
|
||||
*
|
||||
* @return true if the {@link RoleRep} has access, false otherwise
|
||||
*
|
||||
* @throws AccessDeniedException
|
||||
* if the {@link Certificate} is not for a currently logged in {@link User} or if the user may not
|
||||
* perform the action defined by the {@link Restrictable} implementation
|
||||
* @throws PrivilegeException
|
||||
* if there is anything wrong with this certificate
|
||||
* if the role may not perform the action defined by the {@link Restrictable} implementation
|
||||
*/
|
||||
public boolean actionAllowed(Role role, Restrictable restrictable);
|
||||
public boolean actionAllowed(RoleRep roleRep, Restrictable restrictable) throws AccessDeniedException;
|
||||
|
||||
/**
|
||||
* @param certificate
|
||||
* @return
|
||||
* Checks if the given {@link Certificate} is valid. This means that the certificate is for a valid session and that
|
||||
* the user exists for the certificate. This method checks if the {@link Certificate} has been tampered with
|
||||
*
|
||||
* @param certificate
|
||||
* the {@link Certificate} to check
|
||||
*
|
||||
* @return true if the {@link Certificate} is valid, false otherwise
|
||||
*
|
||||
* @throws AccessDeniedException
|
||||
* if the {@link Certificate} is not for a currently logged in {@link User}
|
||||
* @throws PrivilegeException
|
||||
* if there is anything wrong with this certificate
|
||||
*/
|
||||
public boolean isCertificateValid(Certificate certificate);
|
||||
public boolean isCertificateValid(Certificate certificate) throws PrivilegeException;
|
||||
|
||||
/**
|
||||
* <p>
|
||||
|
@ -344,39 +507,52 @@ public interface PrivilegeHandler {
|
|||
* @param certificate
|
||||
* the {@link Certificate} for which the role should be validated against
|
||||
*
|
||||
* @throws ch.eitchnet.privilege.i18n.PrivilegeException
|
||||
* @throws AccessDeniedException
|
||||
* if the user does not not have admin privileges
|
||||
*/
|
||||
public void validateIsPrivilegeAdmin(Certificate certificate) throws PrivilegeException;
|
||||
public void validateIsPrivilegeAdmin(Certificate certificate) throws AccessDeniedException;
|
||||
|
||||
/**
|
||||
* Validate that the given password meets any requirements. What these requirements are is a decision made by the
|
||||
* concrete implementation
|
||||
* Validate that the given password meets certain requirements. What these requirements are is a decision made by
|
||||
* the concrete implementation
|
||||
*
|
||||
* @param password
|
||||
* the password to be validated to meet certain requirements
|
||||
*
|
||||
* @throws PrivilegeException
|
||||
* if the password does not implement the requirement of the concrete implementation
|
||||
*/
|
||||
public void validatePassword(String password) throws PrivilegeException;
|
||||
|
||||
/**
|
||||
* Persists any changes to the privilege data model. Changes are thus not persisted immediately, but must be
|
||||
* actively performed
|
||||
*
|
||||
* @param certificate
|
||||
* the {@link Certificate} of the user which has the privilege to perform this action
|
||||
*
|
||||
* @return
|
||||
* @return true if changes were persisted, false if no changes were persisted
|
||||
*
|
||||
* @throws AccessDeniedException
|
||||
* if the users of the given certificate does not have the privilege to perform this action
|
||||
*/
|
||||
public boolean persist(Certificate certificate);
|
||||
public boolean persist(Certificate certificate) throws AccessDeniedException;
|
||||
|
||||
/**
|
||||
* Initialize the concrete {@link EncryptionHandler}. The passed parameter map contains any configuration this map
|
||||
* might need
|
||||
* Initializes the concrete {@link EncryptionHandler}. The passed parameter map contains any configuration this
|
||||
* {@link PrivilegeHandler} might need. This method may only be called once and this must be enforced by the
|
||||
* concrete implementation
|
||||
*
|
||||
* @param parameterMap
|
||||
* a map containing configuration properties
|
||||
*
|
||||
* @param encryptionHandler
|
||||
* the {@link EncryptionHandler} instance for this {@link PrivilegeHandler}
|
||||
* @param persistenceHandler
|
||||
* the {@link PersistenceHandler} instance for this {@link PrivilegeHandler}
|
||||
*
|
||||
* @throws PrivilegeException
|
||||
* if the this method is called multiple times or an initialization exception occurs
|
||||
*/
|
||||
public void initialize(Map<String, String> parameterMap, EncryptionHandler encryptionHandler,
|
||||
PersistenceHandler persistenceHandler);
|
||||
PersistenceHandler persistenceHandler) throws PrivilegeException;
|
||||
}
|
||||
|
|
|
@ -152,7 +152,13 @@ public class XmlPersistenceHandler implements PersistenceHandler {
|
|||
}
|
||||
|
||||
// instantiate the policy
|
||||
PrivilegePolicy policy = ClassHelper.instantiateClass(policyClazz);
|
||||
PrivilegePolicy policy;
|
||||
try {
|
||||
policy = ClassHelper.instantiateClass(policyClazz);
|
||||
} catch (Exception e) {
|
||||
throw new PrivilegeException("The class for the policy with the name " + policyName + " does not exist!"
|
||||
+ policyName, e);
|
||||
}
|
||||
|
||||
return policy;
|
||||
}
|
||||
|
@ -431,8 +437,8 @@ public class XmlPersistenceHandler implements PersistenceHandler {
|
|||
}
|
||||
|
||||
// create user
|
||||
User user = new User(userId, username, password, firstname, surname, userState, Collections
|
||||
.unmodifiableSet(roles), locale);
|
||||
User user = new User(userId, username, password, firstname, surname, userState,
|
||||
Collections.unmodifiableSet(roles), locale);
|
||||
|
||||
// put user in map
|
||||
this.userMap.put(username, user);
|
||||
|
|
Loading…
Reference in New Issue