[Major] Implemented SingleSignOn facility for Privilege
This commit is contained in:
parent
484d0a9e92
commit
adf53dd49f
|
@ -336,7 +336,7 @@ public abstract class AbstractTransaction implements StrolchTransaction {
|
|||
|
||||
private void assertQueryAllowed(StrolchQuery query) {
|
||||
try {
|
||||
PrivilegeContext privilegeContext = this.privilegeHandler.getPrivilegeContext(this.certificate);
|
||||
PrivilegeContext privilegeContext = this.privilegeHandler.validate(this.certificate);
|
||||
privilegeContext.validateAction(query);
|
||||
} catch (PrivilegeException e) {
|
||||
throw new StrolchAccessDeniedException(this.certificate, query, ExceptionHelper.getExceptionMessage(e), e);
|
||||
|
@ -705,7 +705,7 @@ public abstract class AbstractTransaction implements StrolchTransaction {
|
|||
public void assertHasPrivilege(Operation operation, StrolchRootElement element) throws AccessDeniedException {
|
||||
DBC.PRE.assertNotNull("operation must not be null", operation);
|
||||
DBC.PRE.assertNotNull("element must not be null", element);
|
||||
this.privilegeHandler.getPrivilegeContext(this.certificate)
|
||||
this.privilegeHandler.validate(this.certificate)
|
||||
.validateAction(new TransactedRestrictable(this, operation.getPrivilegeName(element), element));
|
||||
}
|
||||
|
||||
|
@ -960,13 +960,9 @@ public abstract class AbstractTransaction implements StrolchTransaction {
|
|||
@Override
|
||||
public void autoCloseableReadOnly() throws StrolchTransactionException {
|
||||
long start = System.nanoTime();
|
||||
boolean throwException = false;
|
||||
try {
|
||||
this.txResult.setState(TransactionState.CLOSING);
|
||||
|
||||
Thread.currentThread().getUncaughtExceptionHandler();
|
||||
StackTraceElement[] stackTrace = Thread.currentThread().getStackTrace();
|
||||
|
||||
if (!this.commands.isEmpty()) {
|
||||
autoCloseableRollback();
|
||||
String msg = "There are commands registered on a read-only transaction. Changing to rollback! Did you forget to commit?";
|
||||
|
@ -1218,8 +1214,6 @@ public abstract class AbstractTransaction implements StrolchTransaction {
|
|||
|
||||
List<Audit> audits = new ArrayList<>();
|
||||
|
||||
// TODO this is bad... doesn't account for a created and deleted in same TX...
|
||||
|
||||
if (this.orderMap != null) {
|
||||
if (this.realm.isAuditTrailEnabledForRead())
|
||||
auditsFor(audits, AccessType.READ, this.orderMap.getRead());
|
||||
|
|
|
@ -30,14 +30,8 @@ import li.strolch.agent.api.StrolchRealm;
|
|||
import li.strolch.model.audit.AccessType;
|
||||
import li.strolch.model.audit.Audit;
|
||||
import li.strolch.persistence.api.StrolchTransaction;
|
||||
import li.strolch.privilege.base.NotAuthenticatedException;
|
||||
import li.strolch.privilege.base.PrivilegeException;
|
||||
import li.strolch.privilege.handler.DefaultPrivilegeHandler;
|
||||
import li.strolch.privilege.handler.EncryptionHandler;
|
||||
import li.strolch.privilege.handler.PersistenceHandler;
|
||||
import li.strolch.privilege.handler.SystemAction;
|
||||
import li.strolch.privilege.handler.SystemActionWithResult;
|
||||
import li.strolch.privilege.handler.XmlPersistenceHandler;
|
||||
import li.strolch.privilege.handler.*;
|
||||
import li.strolch.privilege.helper.PrivilegeInitializationHelper;
|
||||
import li.strolch.privilege.helper.XmlConstants;
|
||||
import li.strolch.privilege.model.Certificate;
|
||||
|
@ -67,24 +61,22 @@ public class DefaultStrolchPrivilegeHandler extends StrolchComponent implements
|
|||
|
||||
// initialize privilege
|
||||
RuntimeConfiguration runtimeConfiguration = configuration.getRuntimeConfiguration();
|
||||
File privilegeConfigFile = configuration.getConfigFile(PROP_PRIVILEGE_CONFIG_FILE, PRIVILEGE_CONFIG_XML,
|
||||
runtimeConfiguration);
|
||||
li.strolch.privilege.handler.PrivilegeHandler privilegeHandler = initializeFromXml(configuration,
|
||||
privilegeConfigFile);
|
||||
this.privilegeHandler = privilegeHandler;
|
||||
File privilegeConfigFile = configuration
|
||||
.getConfigFile(PROP_PRIVILEGE_CONFIG_FILE, PRIVILEGE_CONFIG_XML, runtimeConfiguration);
|
||||
this.privilegeHandler = initializeFromXml(configuration, privilegeConfigFile);
|
||||
}
|
||||
|
||||
/**
|
||||
* Initializes the {@link DefaultPrivilegeHandler} from the configuration file
|
||||
*
|
||||
*
|
||||
* @param privilegeXmlFile
|
||||
* a {@link File} reference to the XML file containing the configuration for Privilege
|
||||
*
|
||||
* a {@link File} reference to the XML file containing the configuration for Privilege
|
||||
*
|
||||
* @return the initialized {@link PrivilegeHandler} where the {@link EncryptionHandler} and
|
||||
* {@link PersistenceHandler} are set and initialized as well
|
||||
* {@link PersistenceHandler} are set and initialized as well
|
||||
*/
|
||||
private li.strolch.privilege.handler.PrivilegeHandler initializeFromXml(ComponentConfiguration configuration,
|
||||
File privilegeXmlFile) {
|
||||
File privilegeXmlFile) {
|
||||
|
||||
// make sure file exists
|
||||
if (!privilegeXmlFile.exists()) {
|
||||
|
@ -142,14 +134,13 @@ public class DefaultStrolchPrivilegeHandler extends StrolchComponent implements
|
|||
}
|
||||
|
||||
@Override
|
||||
public void isCertificateValid(Certificate certificate) throws PrivilegeException, NotAuthenticatedException {
|
||||
assertStarted();
|
||||
this.privilegeHandler.isCertificateValid(certificate);
|
||||
public PrivilegeContext validate(Certificate certificate) throws PrivilegeException {
|
||||
return this.privilegeHandler.validate(certificate);
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean invalidateSession(Certificate certificate) {
|
||||
boolean invalidateSession = this.privilegeHandler.invalidateSession(certificate);
|
||||
public boolean invalidate(Certificate certificate) {
|
||||
boolean invalidateSession = this.privilegeHandler.invalidate(certificate);
|
||||
StrolchRealm realm = getContainer().getRealm(certificate);
|
||||
try (StrolchTransaction tx = realm.openTx(certificate, StrolchPrivilegeConstants.LOGOUT)) {
|
||||
tx.setSuppressDoNothingLogging(true);
|
||||
|
@ -164,7 +155,7 @@ public class DefaultStrolchPrivilegeHandler extends StrolchComponent implements
|
|||
@Override
|
||||
public boolean sessionTimeout(Certificate certificate) {
|
||||
assertStarted();
|
||||
boolean invalidateSession = this.privilegeHandler.invalidateSession(certificate);
|
||||
boolean invalidateSession = this.privilegeHandler.invalidate(certificate);
|
||||
StrolchRealm realm = getContainer().getRealm(certificate);
|
||||
try (StrolchTransaction tx = realm.openTx(certificate, StrolchPrivilegeConstants.SESSION_TIME_OUT)) {
|
||||
tx.setSuppressDoNothingLogging(true);
|
||||
|
@ -213,13 +204,8 @@ public class DefaultStrolchPrivilegeHandler extends StrolchComponent implements
|
|||
|
||||
@Override
|
||||
public <T> T runAsAgentWithResult(PrivilegedRunnableWithResult<T> runnable) throws PrivilegeException {
|
||||
return this.privilegeHandler.runWithResult(StrolchConstants.SYSTEM_USER_AGENT,
|
||||
new StrolchSystemActionWithResult<>(runnable));
|
||||
}
|
||||
|
||||
@Override
|
||||
public PrivilegeContext getPrivilegeContext(Certificate certificate) throws PrivilegeException {
|
||||
return this.privilegeHandler.getPrivilegeContext(certificate);
|
||||
return this.privilegeHandler
|
||||
.runWithResult(StrolchConstants.SYSTEM_USER_AGENT, new StrolchSystemActionWithResult<>(runnable));
|
||||
}
|
||||
|
||||
@Override
|
||||
|
|
|
@ -24,183 +24,170 @@ import li.strolch.runtime.StrolchConstants;
|
|||
|
||||
/**
|
||||
* The privilege handler for authenticating users and performing actions as a system user
|
||||
*
|
||||
*
|
||||
* @author Robert von Burg <eitch@eitchnet.ch>
|
||||
*/
|
||||
public interface PrivilegeHandler {
|
||||
|
||||
/**
|
||||
* Authenticate a user
|
||||
*
|
||||
*
|
||||
* @param username
|
||||
* the username
|
||||
* the username
|
||||
* @param password
|
||||
* the password
|
||||
*
|
||||
* the password
|
||||
*
|
||||
* @return the certificate
|
||||
*
|
||||
* @see li.strolch.privilege.handler.PrivilegeHandler#authenticate(String, byte[])
|
||||
*
|
||||
* @see li.strolch.privilege.handler.PrivilegeHandler#authenticate(String, char[])
|
||||
*/
|
||||
public Certificate authenticate(String username, char[] password);
|
||||
|
||||
/**
|
||||
* Validate that the certificate is still valid
|
||||
*
|
||||
* @param certificate
|
||||
* the certificate
|
||||
*
|
||||
* @throws PrivilegeException
|
||||
* if the certificate is not valid
|
||||
*
|
||||
* @see li.strolch.privilege.handler.PrivilegeHandler#isCertificateValid(Certificate)
|
||||
*/
|
||||
public void isCertificateValid(Certificate certificate) throws PrivilegeException;
|
||||
|
||||
/**
|
||||
* Invalidates the given certificate
|
||||
*
|
||||
* @param certificate
|
||||
* the certificate
|
||||
*
|
||||
* @return true if the certificate was invalidated, or false if it was already invalidated
|
||||
*
|
||||
* @see li.strolch.privilege.handler.PrivilegeHandler#invalidateSession(li.strolch.privilege.model.Certificate)
|
||||
*/
|
||||
public boolean invalidateSession(Certificate certificate);
|
||||
|
||||
/**
|
||||
* Notifies that the session has timed out, i.e. the certificate must be invalidated
|
||||
*
|
||||
* @param certificate
|
||||
* the certificate that has timed out
|
||||
* @return true if the certificate was invalidated, or false it was already invalidated
|
||||
*
|
||||
* @see li.strolch.privilege.handler.PrivilegeHandler#invalidateSession(li.strolch.privilege.model.Certificate)
|
||||
*/
|
||||
public boolean sessionTimeout(Certificate certificate);
|
||||
Certificate authenticate(String username, char[] password);
|
||||
|
||||
/**
|
||||
* Returns the {@link PrivilegeContext} for the given certificate
|
||||
*
|
||||
*
|
||||
* @param certificate
|
||||
* the certificate
|
||||
*
|
||||
* the certificate
|
||||
*
|
||||
* @return the {@link PrivilegeContext} for the given certificate
|
||||
*
|
||||
*
|
||||
* @throws PrivilegeException
|
||||
* if the certificate is not valid anymore
|
||||
*
|
||||
* @see li.strolch.privilege.handler.PrivilegeHandler#getPrivilegeContext(li.strolch.privilege.model.Certificate)
|
||||
* if the certificate is not valid anymore
|
||||
* @see li.strolch.privilege.handler.PrivilegeHandler#validate(li.strolch.privilege.model.Certificate)
|
||||
*/
|
||||
public PrivilegeContext getPrivilegeContext(Certificate certificate) throws PrivilegeException;
|
||||
PrivilegeContext validate(Certificate certificate) throws PrivilegeException;
|
||||
|
||||
/**
|
||||
* Invalidates the given certificate
|
||||
*
|
||||
* @param certificate
|
||||
* the certificate
|
||||
*
|
||||
* @return true if the certificate was invalidated, or false if it was already invalidated
|
||||
*
|
||||
* @see li.strolch.privilege.handler.PrivilegeHandler#invalidate(li.strolch.privilege.model.Certificate)
|
||||
*/
|
||||
boolean invalidate(Certificate certificate);
|
||||
|
||||
/**
|
||||
* Notifies that the session has timed out, i.e. the certificate must be invalidated
|
||||
*
|
||||
* @param certificate
|
||||
* the certificate that has timed out
|
||||
*
|
||||
* @return true if the certificate was invalidated, or false it was already invalidated
|
||||
*
|
||||
* @see li.strolch.privilege.handler.PrivilegeHandler#invalidate(li.strolch.privilege.model.Certificate)
|
||||
*/
|
||||
boolean sessionTimeout(Certificate certificate);
|
||||
|
||||
/**
|
||||
* Run the given {@link SystemAction} as the given system user
|
||||
*
|
||||
*
|
||||
* @param username
|
||||
* the system username
|
||||
* the system username
|
||||
* @param action
|
||||
* the action to perform
|
||||
*
|
||||
* the action to perform
|
||||
*
|
||||
* @throws PrivilegeException
|
||||
* if there is something wrong
|
||||
* if there is something wrong
|
||||
*/
|
||||
public void runAs(String username, SystemAction action) throws PrivilegeException;
|
||||
void runAs(String username, SystemAction action) throws PrivilegeException;
|
||||
|
||||
/**
|
||||
* Run the given {@link SystemActionWithResult} as the given system user
|
||||
*
|
||||
*
|
||||
* @param username
|
||||
* the system username
|
||||
* the system username
|
||||
* @param action
|
||||
* the action to perform
|
||||
*
|
||||
* the action to perform
|
||||
*
|
||||
* @return the result
|
||||
*
|
||||
*
|
||||
* @throws PrivilegeException
|
||||
* if there is something wrong
|
||||
* if there is something wrong
|
||||
*/
|
||||
public <T> T runWithResult(String username, SystemActionWithResult<T> action) throws PrivilegeException;
|
||||
<T> T runWithResult(String username, SystemActionWithResult<T> action) throws PrivilegeException;
|
||||
|
||||
/**
|
||||
* Run the given {@link PrivilegedRunnable} as the given system user
|
||||
*
|
||||
*
|
||||
* @param username
|
||||
* the system username
|
||||
* the system username
|
||||
* @param runnable
|
||||
* the runnable to perform
|
||||
*
|
||||
* the runnable to perform
|
||||
*
|
||||
* @throws PrivilegeException
|
||||
* if there is something wrong
|
||||
* if there is something wrong
|
||||
*/
|
||||
public void runAs(String username, PrivilegedRunnable runnable) throws PrivilegeException;
|
||||
void runAs(String username, PrivilegedRunnable runnable) throws PrivilegeException;
|
||||
|
||||
/**
|
||||
* Run the given {@link PrivilegedRunnable} as the given system user
|
||||
*
|
||||
*
|
||||
* @param username
|
||||
* the system username
|
||||
* the system username
|
||||
* @param runnable
|
||||
* the runnable to perform
|
||||
*
|
||||
* the runnable to perform
|
||||
*
|
||||
* @return the result
|
||||
*
|
||||
*
|
||||
* @throws PrivilegeException
|
||||
* if there is something wrong
|
||||
* if there is something wrong
|
||||
*/
|
||||
public <T> T runWithResult(String username, PrivilegedRunnableWithResult<T> runnable) throws PrivilegeException;
|
||||
<T> T runWithResult(String username, PrivilegedRunnableWithResult<T> runnable) throws PrivilegeException;
|
||||
|
||||
/**
|
||||
* Run the given {@link SystemAction} as the system user {@link StrolchConstants#SYSTEM_USER_AGENT}
|
||||
*
|
||||
* @param runnable
|
||||
* the runnable to perform
|
||||
*
|
||||
*
|
||||
* @param action
|
||||
* the action to perform
|
||||
*
|
||||
* @throws PrivilegeException
|
||||
* if there is something wrong
|
||||
* if there is something wrong
|
||||
*/
|
||||
public void runAsAgent(SystemAction action) throws PrivilegeException;
|
||||
void runAsAgent(SystemAction action) throws PrivilegeException;
|
||||
|
||||
/**
|
||||
* Run the given {@link SystemActionWithResult} as the system user {@link StrolchConstants#SYSTEM_USER_AGENT}
|
||||
*
|
||||
* @param runnable
|
||||
* the runnable to perform
|
||||
*
|
||||
*
|
||||
* @param action
|
||||
* the action to perform
|
||||
*
|
||||
* @throws PrivilegeException
|
||||
* if there is something wrong
|
||||
* if there is something wrong
|
||||
*/
|
||||
public <T> T runAsAgentWithResult(SystemActionWithResult<T> action) throws PrivilegeException;
|
||||
<T> T runAsAgentWithResult(SystemActionWithResult<T> action) throws PrivilegeException;
|
||||
|
||||
/**
|
||||
* Run the given {@link PrivilegedRunnable} as the system user {@link StrolchConstants#SYSTEM_USER_AGENT}
|
||||
*
|
||||
*
|
||||
* @param runnable
|
||||
* the runnable to perform
|
||||
*
|
||||
* the runnable to perform
|
||||
*
|
||||
* @throws PrivilegeException
|
||||
* if there is something wrong
|
||||
* if there is something wrong
|
||||
*/
|
||||
public void runAsAgent(PrivilegedRunnable runnable) throws PrivilegeException;
|
||||
void runAsAgent(PrivilegedRunnable runnable) throws PrivilegeException;
|
||||
|
||||
/**
|
||||
* Run the given {@link PrivilegedRunnableWithResult} as the system user {@link StrolchConstants#SYSTEM_USER_AGENT}
|
||||
*
|
||||
*
|
||||
* @param runnable
|
||||
* the runnable to perform
|
||||
*
|
||||
* the runnable to perform
|
||||
*
|
||||
* @return the result
|
||||
*
|
||||
*
|
||||
* @throws PrivilegeException
|
||||
* if there is something wrong
|
||||
* if there is something wrong
|
||||
*/
|
||||
public <T> T runAsAgentWithResult(PrivilegedRunnableWithResult<T> runnable) throws PrivilegeException;
|
||||
<T> T runAsAgentWithResult(PrivilegedRunnableWithResult<T> runnable) throws PrivilegeException;
|
||||
|
||||
/**
|
||||
* Returns the {@link li.strolch.privilege.handler.PrivilegeHandler}
|
||||
*
|
||||
*
|
||||
* @return the {@link li.strolch.privilege.handler.PrivilegeHandler}
|
||||
*/
|
||||
public abstract li.strolch.privilege.handler.PrivilegeHandler getPrivilegeHandler();
|
||||
li.strolch.privilege.handler.PrivilegeHandler getPrivilegeHandler();
|
||||
|
||||
}
|
|
@ -39,10 +39,6 @@ public class DefaultServiceHandler extends StrolchComponent implements ServiceHa
|
|||
private PrivilegeHandler privilegeHandler;
|
||||
private boolean throwOnPrivilegeFail;
|
||||
|
||||
/**
|
||||
* @param container
|
||||
* @param componentName
|
||||
*/
|
||||
public DefaultServiceHandler(ComponentContainer container, String componentName) {
|
||||
super(container, componentName);
|
||||
}
|
||||
|
@ -74,7 +70,7 @@ public class DefaultServiceHandler extends StrolchComponent implements ServiceHa
|
|||
PrivilegeContext privilegeContext;
|
||||
String username = certificate == null ? "null" : certificate.getUsername();
|
||||
try {
|
||||
privilegeContext = this.privilegeHandler.getPrivilegeContext(certificate);
|
||||
privilegeContext = this.privilegeHandler.validate(certificate);
|
||||
privilegeContext.validateAction(service);
|
||||
} catch (PrivilegeException e) {
|
||||
|
||||
|
|
|
@ -1,47 +0,0 @@
|
|||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<Privilege>
|
||||
|
||||
<Container>
|
||||
|
||||
<Parameters>
|
||||
<!-- parameters for the container itself -->
|
||||
<Parameter name="secretKey" value="5185F447-6317-4856-B40E-573919BA0A16" />
|
||||
<Parameter name="secretSalt" value="00F6E88C-A64F-410A-8FCF-9CD340E340F7" />
|
||||
<Parameter name="persistSessions" value="true" />
|
||||
<Parameter name="persistSessionsPath" value="./target/${target}/sessions.dat" />
|
||||
<Parameter name="autoPersistOnUserChangesData" value="true" />
|
||||
<Parameter name="privilegeConflictResolution" value="STRICT" />
|
||||
</Parameters>
|
||||
|
||||
<EncryptionHandler class="li.strolch.privilege.handler.DefaultEncryptionHandler">
|
||||
<Parameters>
|
||||
<!-- WARNING: If you change iterations or keyLength, then all passwords are invalid -->
|
||||
<!-- default algorithm is: PBKDF2WithHmacSHA512 -->
|
||||
<Parameter name="hashAlgorithm" value="PBKDF2WithHmacSHA512" />
|
||||
<!-- default iterations: 200000 -->
|
||||
<Parameter name="hashIterations" value="10000" />
|
||||
<!-- default key length: 256 -->
|
||||
<Parameter name="hashKeyLength" value="256" />
|
||||
</Parameters>
|
||||
</EncryptionHandler>
|
||||
|
||||
<PersistenceHandler class="li.strolch.privilege.handler.XmlPersistenceHandler">
|
||||
<Parameters>
|
||||
<Parameter name="basePath" value="./target/${target}" />
|
||||
<Parameter name="usersXmlFile" value="PrivilegeUsers.xml" />
|
||||
<Parameter name="rolesXmlFile" value="PrivilegeRoles.xml" />
|
||||
</Parameters>
|
||||
</PersistenceHandler>
|
||||
|
||||
<UserChallengeHandler class="li.strolch.privilege.test.model.TestUserChallengeHandler">
|
||||
</UserChallengeHandler>
|
||||
|
||||
</Container>
|
||||
|
||||
<Policies>
|
||||
<Policy name="DefaultPrivilege" class="li.strolch.privilege.policy.DefaultPrivilege" />
|
||||
<Policy name="RoleAccessPrivilege" class="li.strolch.privilege.policy.RoleAccessPrivilege" />
|
||||
<Policy name="UserAccessPrivilege" class="li.strolch.privilege.policy.UserAccessPrivilege" />
|
||||
</Policies>
|
||||
|
||||
</Privilege>
|
|
@ -85,6 +85,11 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
|
|||
*/
|
||||
private EncryptionHandler encryptionHandler;
|
||||
|
||||
/**
|
||||
* The Single Sign On Handler
|
||||
*/
|
||||
private SingleSignOnHandler ssoHandler;
|
||||
|
||||
/**
|
||||
* The {@link UserChallengeHandler} is used to challenge a user which tries to authenticate and/or change their
|
||||
* password
|
||||
|
@ -127,7 +132,7 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
|
|||
public RoleRep getRole(Certificate certificate, String roleName) {
|
||||
|
||||
// validate user actually has this type of privilege
|
||||
PrivilegeContext prvCtx = getPrivilegeContext(certificate);
|
||||
PrivilegeContext prvCtx = validate(certificate);
|
||||
prvCtx.assertHasPrivilege(PRIVILEGE_GET_ROLE);
|
||||
|
||||
Role role = this.persistenceHandler.getRole(roleName);
|
||||
|
@ -143,7 +148,7 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
|
|||
public UserRep getUser(Certificate certificate, String username) {
|
||||
|
||||
// validate user actually has this type of privilege
|
||||
PrivilegeContext prvCtx = getPrivilegeContext(certificate);
|
||||
PrivilegeContext prvCtx = validate(certificate);
|
||||
prvCtx.assertHasPrivilege(PRIVILEGE_GET_USER);
|
||||
|
||||
User user = this.persistenceHandler.getUser(username);
|
||||
|
@ -158,7 +163,7 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
|
|||
public Map<String, String> getPolicyDefs(Certificate certificate) {
|
||||
|
||||
// validate user actually has this type of privilege
|
||||
PrivilegeContext prvCtx = getPrivilegeContext(certificate);
|
||||
PrivilegeContext prvCtx = validate(certificate);
|
||||
prvCtx.validateAction(new SimpleRestrictable(PRIVILEGE_ACTION, PRIVILEGE_ACTION_GET_POLICIES));
|
||||
|
||||
Map<String, String> policyDef = new HashMap<>(this.policyMap.size());
|
||||
|
@ -172,7 +177,7 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
|
|||
public List<Certificate> getCertificates(Certificate certificate) {
|
||||
|
||||
// validate user actually has this type of privilege
|
||||
PrivilegeContext prvCtx = getPrivilegeContext(certificate);
|
||||
PrivilegeContext prvCtx = validate(certificate);
|
||||
prvCtx.validateAction(new SimpleRestrictable(PRIVILEGE_ACTION, PRIVILEGE_ACTION_GET_CERTIFICATES));
|
||||
|
||||
return this.privilegeContextMap.values().stream().map(PrivilegeContext::getCertificate)
|
||||
|
@ -183,7 +188,7 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
|
|||
public List<RoleRep> getRoles(Certificate certificate) {
|
||||
|
||||
// validate user actually has this type of privilege
|
||||
PrivilegeContext prvCtx = getPrivilegeContext(certificate);
|
||||
PrivilegeContext prvCtx = validate(certificate);
|
||||
prvCtx.assertHasPrivilege(PRIVILEGE_GET_ROLE);
|
||||
|
||||
Stream<Role> rolesStream = this.persistenceHandler.getAllRoles().stream();
|
||||
|
@ -207,7 +212,7 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
|
|||
public List<UserRep> getUsers(Certificate certificate) {
|
||||
|
||||
// validate user actually has this type of privilege
|
||||
PrivilegeContext prvCtx = getPrivilegeContext(certificate);
|
||||
PrivilegeContext prvCtx = validate(certificate);
|
||||
prvCtx.assertHasPrivilege(PRIVILEGE_GET_USER);
|
||||
|
||||
Stream<User> usersStream = this.persistenceHandler.getAllUsers().stream();
|
||||
|
@ -231,7 +236,7 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
|
|||
public List<UserRep> queryUsers(Certificate certificate, UserRep selectorRep) {
|
||||
|
||||
// validate user actually has this type of privilege
|
||||
PrivilegeContext prvCtx = getPrivilegeContext(certificate);
|
||||
PrivilegeContext prvCtx = validate(certificate);
|
||||
prvCtx.assertHasPrivilege(PRIVILEGE_GET_USER);
|
||||
|
||||
String selUserId = selectorRep.getUserId();
|
||||
|
@ -334,8 +339,11 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
|
|||
* null or empty, then true is returned. If a key/value pair from the selectionMap is not in the properties, then
|
||||
* false is returned
|
||||
*
|
||||
* @param selectionMap the map defining the expected properties
|
||||
* @param properties the properties which must be a sub set of selectionMap to have this method return true
|
||||
* @param selectionMap
|
||||
* the map defining the expected properties
|
||||
* @param properties
|
||||
* the properties which must be a sub set of selectionMap to have this method return true
|
||||
*
|
||||
* @return If the selectionMap is null or empty, then true is returned. If a key/value pair from the selectionMap is
|
||||
* not in the properties, then false is returned
|
||||
*/
|
||||
|
@ -361,8 +369,11 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
|
|||
* Checks if the given roles contains the given selectionRoles, if this is the case, or selectionRoles is null or
|
||||
* empty, then true is returned, otherwise false
|
||||
*
|
||||
* @param selectionRoles the required roles
|
||||
* @param roles the roles to check if they contain the selectionRoles
|
||||
* @param selectionRoles
|
||||
* the required roles
|
||||
* @param roles
|
||||
* the roles to check if they contain the selectionRoles
|
||||
*
|
||||
* @return Checks if the given roles contains the given selectionRoles, if this is the case, or selectionRoles is
|
||||
* null or empty, then true is returned, otherwise false
|
||||
*/
|
||||
|
@ -379,7 +390,7 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
|
|||
try {
|
||||
|
||||
// validate user actually has this type of privilege
|
||||
PrivilegeContext prvCtx = getPrivilegeContext(certificate);
|
||||
PrivilegeContext prvCtx = validate(certificate);
|
||||
prvCtx.assertHasPrivilege(PRIVILEGE_ADD_USER);
|
||||
|
||||
// make sure userId is not set
|
||||
|
@ -444,7 +455,7 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
|
|||
try {
|
||||
|
||||
// validate user actually has this type of privilege
|
||||
PrivilegeContext prvCtx = getPrivilegeContext(certificate);
|
||||
PrivilegeContext prvCtx = validate(certificate);
|
||||
prvCtx.assertHasPrivilege(PRIVILEGE_MODIFY_USER);
|
||||
|
||||
// first validate user
|
||||
|
@ -512,10 +523,15 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
|
|||
}
|
||||
|
||||
private User createUser(UserRep userRep, byte[] passwordHash, byte[] salt) {
|
||||
User user = new User(userRep.getUserId(), userRep.getUsername(), passwordHash, salt, userRep.getFirstname(),
|
||||
userRep.getLastname(), userRep.getUserState(), userRep.getRoles(), userRep.getLocale(),
|
||||
userRep.getProperties());
|
||||
return user;
|
||||
String userId = userRep.getUserId();
|
||||
String userName = userRep.getUsername();
|
||||
String firstName = userRep.getFirstname();
|
||||
String lastName = userRep.getLastname();
|
||||
UserState state = userRep.getUserState();
|
||||
Set<String> roles = userRep.getRoles();
|
||||
Locale locale = userRep.getLocale();
|
||||
Map<String, String> properties = userRep.getProperties();
|
||||
return new User(userId, userName, passwordHash, salt, firstName, lastName, state, roles, locale, properties);
|
||||
}
|
||||
|
||||
@Override
|
||||
|
@ -523,7 +539,7 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
|
|||
throws AccessDeniedException, PrivilegeException {
|
||||
|
||||
// validate user actually has this type of privilege
|
||||
PrivilegeContext prvCtx = getPrivilegeContext(certificate);
|
||||
PrivilegeContext prvCtx = validate(certificate);
|
||||
prvCtx.assertHasPrivilege(PRIVILEGE_MODIFY_USER);
|
||||
|
||||
// get existing user
|
||||
|
@ -585,7 +601,7 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
|
|||
public UserRep removeUser(Certificate certificate, String username) {
|
||||
|
||||
// validate user actually has this type of privilege
|
||||
PrivilegeContext prvCtx = getPrivilegeContext(certificate);
|
||||
PrivilegeContext prvCtx = validate(certificate);
|
||||
prvCtx.assertHasPrivilege(PRIVILEGE_REMOVE_USER);
|
||||
|
||||
// validate user exists
|
||||
|
@ -610,7 +626,7 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
|
|||
public UserRep addRoleToUser(Certificate certificate, String username, String roleName) {
|
||||
|
||||
// validate user actually has this type of privilege
|
||||
PrivilegeContext prvCtx = getPrivilegeContext(certificate);
|
||||
PrivilegeContext prvCtx = validate(certificate);
|
||||
prvCtx.assertHasPrivilege(PRIVILEGE_ADD_ROLE_TO_USER);
|
||||
|
||||
// get user
|
||||
|
@ -658,7 +674,7 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
|
|||
public UserRep removeRoleFromUser(Certificate certificate, String username, String roleName) {
|
||||
|
||||
// validate user actually has this type of privilege
|
||||
PrivilegeContext prvCtx = getPrivilegeContext(certificate);
|
||||
PrivilegeContext prvCtx = validate(certificate);
|
||||
prvCtx.assertHasPrivilege(PRIVILEGE_REMOVE_ROLE_FROM_USER);
|
||||
|
||||
// get User
|
||||
|
@ -698,7 +714,7 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
|
|||
public UserRep setUserLocale(Certificate certificate, String username, Locale locale) {
|
||||
|
||||
// validate user actually has this type of privilege
|
||||
PrivilegeContext prvCtx = getPrivilegeContext(certificate);
|
||||
PrivilegeContext prvCtx = validate(certificate);
|
||||
prvCtx.assertHasPrivilege(PRIVILEGE_SET_USER_LOCALE);
|
||||
|
||||
// get User
|
||||
|
@ -735,7 +751,7 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
|
|||
try {
|
||||
|
||||
// validate user actually has this type of privilege
|
||||
PrivilegeContext prvCtx = getPrivilegeContext(certificate);
|
||||
PrivilegeContext prvCtx = validate(certificate);
|
||||
prvCtx.assertHasPrivilege(PRIVILEGE_SET_USER_PASSWORD);
|
||||
|
||||
// get User
|
||||
|
@ -778,7 +794,7 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
|
|||
}
|
||||
|
||||
if (certificate.getUsage() == Usage.SET_PASSWORD) {
|
||||
invalidateSession(certificate);
|
||||
invalidate(certificate);
|
||||
}
|
||||
|
||||
logger.info("Updated password for " + newUser.getUsername());
|
||||
|
@ -792,7 +808,7 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
|
|||
public UserRep setUserState(Certificate certificate, String username, UserState state) {
|
||||
|
||||
// validate user actually has this type of privilege
|
||||
PrivilegeContext prvCtx = getPrivilegeContext(certificate);
|
||||
PrivilegeContext prvCtx = validate(certificate);
|
||||
prvCtx.assertHasPrivilege(PRIVILEGE_SET_USER_STATE);
|
||||
|
||||
// get User
|
||||
|
@ -821,7 +837,7 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
|
|||
public RoleRep addRole(Certificate certificate, RoleRep roleRep) {
|
||||
|
||||
// validate user actually has this type of privilege
|
||||
PrivilegeContext prvCtx = getPrivilegeContext(certificate);
|
||||
PrivilegeContext prvCtx = validate(certificate);
|
||||
prvCtx.assertHasPrivilege(PRIVILEGE_ADD_ROLE);
|
||||
|
||||
// first validate role
|
||||
|
@ -854,7 +870,7 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
|
|||
public RoleRep replaceRole(Certificate certificate, RoleRep roleRep) {
|
||||
|
||||
// validate user actually has this type of privilege
|
||||
PrivilegeContext prvCtx = getPrivilegeContext(certificate);
|
||||
PrivilegeContext prvCtx = validate(certificate);
|
||||
prvCtx.assertHasPrivilege(PRIVILEGE_MODIFY_ROLE);
|
||||
|
||||
// first validate role
|
||||
|
@ -891,7 +907,7 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
|
|||
public RoleRep removeRole(Certificate certificate, String roleName) {
|
||||
|
||||
// validate user actually has this type of privilege
|
||||
PrivilegeContext prvCtx = getPrivilegeContext(certificate);
|
||||
PrivilegeContext prvCtx = validate(certificate);
|
||||
prvCtx.assertHasPrivilege(PRIVILEGE_REMOVE_ROLE);
|
||||
|
||||
// validate no user is using this role
|
||||
|
@ -927,7 +943,7 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
|
|||
public RoleRep addOrReplacePrivilegeOnRole(Certificate certificate, String roleName, PrivilegeRep privilegeRep) {
|
||||
|
||||
// validate user actually has this type of privilege
|
||||
PrivilegeContext prvCtx = getPrivilegeContext(certificate);
|
||||
PrivilegeContext prvCtx = validate(certificate);
|
||||
prvCtx.assertHasPrivilege(PRIVILEGE_MODIFY_ROLE);
|
||||
|
||||
// validate PrivilegeRep
|
||||
|
@ -983,7 +999,7 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
|
|||
public RoleRep removePrivilegeFromRole(Certificate certificate, String roleName, String privilegeName) {
|
||||
|
||||
// validate user actually has this type of privilege
|
||||
PrivilegeContext prvCtx = getPrivilegeContext(certificate);
|
||||
PrivilegeContext prvCtx = validate(certificate);
|
||||
prvCtx.assertHasPrivilege(PRIVILEGE_MODIFY_ROLE);
|
||||
|
||||
// get role
|
||||
|
@ -1116,12 +1132,39 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
|
|||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
public Certificate authenticateSingleSignOn(Object data) throws PrivilegeException {
|
||||
if (this.ssoHandler == null)
|
||||
throw new IllegalStateException("The SSO Handler is not configured!");
|
||||
|
||||
User user = this.ssoHandler.authenticateSingleSignOn(data);
|
||||
|
||||
// get 2 auth tokens
|
||||
String authToken = this.encryptionHandler.nextToken();
|
||||
|
||||
// get next session id
|
||||
String sessionId = UUID.randomUUID().toString();
|
||||
|
||||
// create a new certificate, with details of the user
|
||||
Certificate certificate = buildCertificate(Usage.ANY, user, authToken, sessionId);
|
||||
certificate.setLastAccess(new Date());
|
||||
|
||||
PrivilegeContext privilegeContext = buildPrivilegeContext(certificate, user);
|
||||
this.privilegeContextMap.put(sessionId, privilegeContext);
|
||||
|
||||
persistSessions();
|
||||
|
||||
// log
|
||||
logger.info(MessageFormat.format("User {0} authenticated: {1}", user.getUsername(), certificate)); //$NON-NLS-1$
|
||||
|
||||
return certificate;
|
||||
}
|
||||
|
||||
private Certificate buildCertificate(Usage usage, User user, String authToken, String sessionId) {
|
||||
Set<String> userRoles = user.getRoles();
|
||||
Certificate certificate = new Certificate(usage, sessionId, user.getUsername(), user.getFirstname(),
|
||||
user.getLastname(), user.getUserState(), authToken, new Date(), user.getLocale(), userRoles,
|
||||
return new Certificate(usage, sessionId, user.getUsername(), user.getFirstname(), user.getLastname(),
|
||||
user.getUserState(), authToken, new Date(), user.getLocale(), userRoles,
|
||||
new HashMap<>(user.getProperties()));
|
||||
return certificate;
|
||||
}
|
||||
|
||||
private boolean persistSessions() {
|
||||
|
@ -1146,15 +1189,15 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
|
|||
return true;
|
||||
}
|
||||
|
||||
private boolean loadSessions() {
|
||||
private void loadSessions() {
|
||||
if (!this.persistSessions) {
|
||||
logger.info("Persisteding of sessions not enabled, so not loading!.");
|
||||
return false;
|
||||
return;
|
||||
}
|
||||
|
||||
if (!this.persistSessionsPath.exists()) {
|
||||
logger.info("No persisted sessions exist to be loaded.");
|
||||
return false;
|
||||
return;
|
||||
}
|
||||
|
||||
if (!this.persistSessionsPath.isFile())
|
||||
|
@ -1170,13 +1213,14 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
|
|||
|
||||
} catch (Exception e) {
|
||||
logger.error("Failed to load sessions!", e);
|
||||
this.persistSessionsPath.delete();
|
||||
return false;
|
||||
if (!this.persistSessionsPath.delete())
|
||||
logger.error("Failed to delete session file at " + this.persistSessionsPath.getAbsolutePath());
|
||||
return;
|
||||
}
|
||||
|
||||
if (certificateStubs.isEmpty()) {
|
||||
logger.info("No persisted sessions exist to be loaded.");
|
||||
return false;
|
||||
return;
|
||||
}
|
||||
|
||||
for (CertificateStub certificateStub : certificateStubs) {
|
||||
|
@ -1205,17 +1249,22 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
|
|||
}
|
||||
|
||||
logger.info("Loaded " + this.privilegeContextMap.size() + " sessions.");
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Checks the credentials and validates that the user may log in.
|
||||
*
|
||||
* @param username the username of the {@link User} to check against
|
||||
* @param password the password of this user
|
||||
* @param username
|
||||
* the username of the {@link User} to check against
|
||||
* @param password
|
||||
* the password of this user
|
||||
*
|
||||
* @return the {@link User} if the credentials are valid and the user may login
|
||||
* @throws AccessDeniedException if anything is wrong with the credentials or the user state
|
||||
* @throws InvalidCredentialsException if the given credentials are invalid, the user does not exist, or has no password set
|
||||
*
|
||||
* @throws AccessDeniedException
|
||||
* if anything is wrong with the credentials or the user state
|
||||
* @throws InvalidCredentialsException
|
||||
* if the given credentials are invalid, the user does not exist, or has no password set
|
||||
*/
|
||||
private User checkCredentialsAndUserState(String username, char[] password)
|
||||
throws InvalidCredentialsException, AccessDeniedException {
|
||||
|
@ -1253,7 +1302,7 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
|
|||
byte[] salt = user.getSalt();
|
||||
if (salt == null)
|
||||
throw new AccessDeniedException(
|
||||
MessageFormat.format("User {0} has no salt and may not login!", salt)); //$NON-NLS-1$
|
||||
MessageFormat.format("User {0} has no salt and may not login!", username)); //$NON-NLS-1$
|
||||
|
||||
// we only work with hashed passwords
|
||||
byte[] passwordHash = this.encryptionHandler.hashPassword(password, salt);
|
||||
|
@ -1269,8 +1318,11 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
|
|||
/**
|
||||
* Builds a {@link PrivilegeContext} for the given {@link User} and its {@link Certificate}
|
||||
*
|
||||
* @param certificate the certificate for which to build the {@link PrivilegeContext}
|
||||
* @param user the user for which to build the {@link PrivilegeContext}
|
||||
* @param certificate
|
||||
* the certificate for which to build the {@link PrivilegeContext}
|
||||
* @param user
|
||||
* the user for which to build the {@link PrivilegeContext}
|
||||
*
|
||||
* @return the {@link PrivilegeContext}
|
||||
*/
|
||||
private PrivilegeContext buildPrivilegeContext(Certificate certificate, User user) {
|
||||
|
@ -1337,12 +1389,11 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
|
|||
}
|
||||
|
||||
UserRep userRep = user.asUserRep();
|
||||
PrivilegeContext privilegeContext = new PrivilegeContext(userRep, certificate, privileges, policies);
|
||||
return privilegeContext;
|
||||
return new PrivilegeContext(userRep, certificate, privileges, policies);
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean invalidateSession(Certificate certificate) {
|
||||
public boolean invalidate(Certificate certificate) {
|
||||
|
||||
// remove registration
|
||||
PrivilegeContext privilegeContext = this.privilegeContextMap.remove(certificate.getSessionId());
|
||||
|
@ -1361,7 +1412,7 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
|
|||
}
|
||||
|
||||
@Override
|
||||
public void isCertificateValid(Certificate certificate) throws PrivilegeException, NotAuthenticatedException {
|
||||
public PrivilegeContext validate(Certificate certificate) throws PrivilegeException, NotAuthenticatedException {
|
||||
|
||||
// certificate must not be null
|
||||
if (certificate == null)
|
||||
|
@ -1387,33 +1438,13 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
|
|||
LocalDateTime dateTime = LocalDateTime
|
||||
.ofInstant(sessionCertificate.getLoginTime().toInstant(), ZoneId.systemDefault());
|
||||
if (dateTime.plusHours(1).isBefore(LocalDateTime.now())) {
|
||||
invalidateSession(sessionCertificate);
|
||||
invalidate(sessionCertificate);
|
||||
throw new NotAuthenticatedException("Certificate has already expired!"); //$NON-NLS-1$
|
||||
}
|
||||
}
|
||||
|
||||
// get user object
|
||||
User user = this.persistenceHandler.getUser(privilegeContext.getUsername());
|
||||
|
||||
// if user exists, then certificate is valid
|
||||
if (user == null) {
|
||||
String msg = "Oh boy, how did this happen: No User in user map although the certificate is valid!"; //$NON-NLS-1$
|
||||
throw new PrivilegeException(msg);
|
||||
}
|
||||
|
||||
// everything is ok
|
||||
|
||||
certificate.setLastAccess(new Date());
|
||||
}
|
||||
|
||||
@Override
|
||||
public PrivilegeContext getPrivilegeContext(Certificate certificate)
|
||||
throws PrivilegeException, NotAuthenticatedException {
|
||||
|
||||
// first validate certificate
|
||||
isCertificateValid(certificate);
|
||||
|
||||
return this.privilegeContextMap.get(certificate.getSessionId());
|
||||
return privilegeContext;
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -1437,7 +1468,7 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
|
|||
public boolean persist(Certificate certificate) {
|
||||
|
||||
// validate who is doing this
|
||||
PrivilegeContext prvCtx = getPrivilegeContext(certificate);
|
||||
PrivilegeContext prvCtx = validate(certificate);
|
||||
prvCtx.validateAction(new SimpleRestrictable(PRIVILEGE_ACTION, PRIVILEGE_ACTION_PERSIST));
|
||||
|
||||
return this.persistenceHandler.persist();
|
||||
|
@ -1447,7 +1478,7 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
|
|||
public boolean persistSessions(Certificate certificate) {
|
||||
|
||||
// validate who is doing this
|
||||
PrivilegeContext prvCtx = getPrivilegeContext(certificate);
|
||||
PrivilegeContext prvCtx = validate(certificate);
|
||||
prvCtx.validateAction(new SimpleRestrictable(PRIVILEGE_ACTION, PRIVILEGE_ACTION_PERSIST_SESSIONS));
|
||||
|
||||
return persistSessions();
|
||||
|
@ -1457,7 +1488,7 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
|
|||
public boolean reload(Certificate certificate) {
|
||||
|
||||
// validate who is doing this
|
||||
PrivilegeContext prvCtx = getPrivilegeContext(certificate);
|
||||
PrivilegeContext prvCtx = validate(certificate);
|
||||
prvCtx.validateAction(new SimpleRestrictable(PRIVILEGE_ACTION, PRIVILEGE_ACTION_RELOAD));
|
||||
|
||||
return this.persistenceHandler.reload();
|
||||
|
@ -1468,16 +1499,28 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
|
|||
* {@link PrivilegeHandler} might need. This method may only be called once and this must be enforced by the
|
||||
* concrete implementation
|
||||
*
|
||||
* @param parameterMap a map containing configuration properties
|
||||
* @param encryptionHandler the {@link EncryptionHandler} instance for this {@link PrivilegeHandler}
|
||||
* @param persistenceHandler the {@link PersistenceHandler} instance for this {@link PrivilegeHandler}
|
||||
* @param userChallengeHandler the handler to challenge a user's actions e.g. password change or authentication
|
||||
* @param policyMap map of {@link PrivilegePolicy} classes
|
||||
* @throws PrivilegeException if the this method is called multiple times or an initialization exception occurs
|
||||
* @param parameterMap
|
||||
* a map containing configuration properties
|
||||
* @param encryptionHandler
|
||||
* the {@link EncryptionHandler} instance for this {@link PrivilegeHandler}
|
||||
* @param persistenceHandler
|
||||
* the {@link PersistenceHandler} instance for this {@link PrivilegeHandler}
|
||||
* @param userChallengeHandler
|
||||
* the handler to challenge a user's actions e.g. password change or authentication
|
||||
* @param ssoHandler
|
||||
* the {@link SingleSignOnHandler}
|
||||
* @param policyMap
|
||||
* map of {@link PrivilegePolicy} classes
|
||||
*
|
||||
* @throws PrivilegeException
|
||||
* if the this method is called multiple times or an initialization exception occurs
|
||||
*/
|
||||
public synchronized void initialize(Map<String, String> parameterMap, EncryptionHandler encryptionHandler,
|
||||
PersistenceHandler persistenceHandler, UserChallengeHandler userChallengeHandler,
|
||||
Map<String, Class<PrivilegePolicy>> policyMap) {
|
||||
public synchronized void initialize(Map<String, String> parameterMap,
|
||||
EncryptionHandler encryptionHandler,
|
||||
PersistenceHandler persistenceHandler,
|
||||
UserChallengeHandler userChallengeHandler,
|
||||
SingleSignOnHandler ssoHandler,
|
||||
Map<String, Class<PrivilegePolicy>> policyMap) {
|
||||
|
||||
if (this.initialized)
|
||||
throw new PrivilegeException("Already initialized!"); //$NON-NLS-1$
|
||||
|
@ -1486,6 +1529,7 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
|
|||
this.encryptionHandler = encryptionHandler;
|
||||
this.persistenceHandler = persistenceHandler;
|
||||
this.userChallengeHandler = userChallengeHandler;
|
||||
this.ssoHandler = ssoHandler;
|
||||
|
||||
handleAutoPersistOnUserDataChange(parameterMap);
|
||||
handlePersistSessionsParam(parameterMap);
|
||||
|
@ -1678,7 +1722,8 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
|
|||
/**
|
||||
* Validates that the policies which are not null on the privileges of the role exist
|
||||
*
|
||||
* @param role the role for which the policies are to be checked
|
||||
* @param role
|
||||
* the role for which the policies are to be checked
|
||||
*/
|
||||
private void validatePolicies(Role role) {
|
||||
for (String privilegeName : role.getPrivilegeNames()) {
|
||||
|
@ -1696,7 +1741,8 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
|
|||
* Passwords should not be kept as strings, as string are immutable, this method thus clears the char array so that
|
||||
* the password is not in memory anymore
|
||||
*
|
||||
* @param password the char array containing the passwort which is to be set to zeroes
|
||||
* @param password
|
||||
* the char array containing the passwort which is to be set to zeroes
|
||||
*/
|
||||
private void clearPassword(char[] password) {
|
||||
if (password != null) {
|
||||
|
@ -1734,7 +1780,7 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
|
|||
}
|
||||
}
|
||||
|
||||
private <T> PrivilegeContext initiateSystemPrivilege(String username, Restrictable restrictable) {
|
||||
private PrivilegeContext initiateSystemPrivilege(String username, Restrictable restrictable) {
|
||||
if (username == null)
|
||||
throw new PrivilegeException("systemUsername may not be null!"); //$NON-NLS-1$
|
||||
if (restrictable == null)
|
||||
|
@ -1767,7 +1813,9 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
|
|||
* Returns the {@link Certificate} for the given system username. If it does not yet exist, then it is created by
|
||||
* authenticating the system user
|
||||
*
|
||||
* @param systemUsername the name of the system user
|
||||
* @param systemUsername
|
||||
* the name of the system user
|
||||
*
|
||||
* @return the {@link Certificate} for this system user
|
||||
*/
|
||||
private PrivilegeContext getSystemUserPrivilegeContext(String systemUsername) {
|
||||
|
@ -1833,9 +1881,13 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
|
|||
* {@link PrivilegePolicy} object
|
||||
* </p>
|
||||
*
|
||||
* @param policyName the class name of the {@link PrivilegePolicy} object to return
|
||||
* @param policyName
|
||||
* the class name of the {@link PrivilegePolicy} object to return
|
||||
*
|
||||
* @return the {@link PrivilegePolicy} object
|
||||
* @throws PrivilegeException if the {@link PrivilegePolicy} object for the given policy name could not be instantiated
|
||||
*
|
||||
* @throws PrivilegeException
|
||||
* if the {@link PrivilegePolicy} object for the given policy name could not be instantiated
|
||||
*/
|
||||
private PrivilegePolicy getPolicy(String policyName) {
|
||||
|
||||
|
|
|
@ -39,7 +39,7 @@ import li.strolch.privilege.policy.PrivilegePolicy;
|
|||
* The {@link PrivilegeHandler} is the centrally exposed API for accessing the privilege library. It exposes all needed
|
||||
* methods to access Privilege data model objects, modify them and validate if users or roles have privileges to perform
|
||||
* an action
|
||||
*
|
||||
*
|
||||
* @author Robert von Burg <eitch@eitchnet.ch>
|
||||
*/
|
||||
public interface PrivilegeHandler {
|
||||
|
@ -50,307 +50,303 @@ public interface PrivilegeHandler {
|
|||
* Privilege "PrivilegeAction" which is used for privileges which are not further categorized e.g. s
|
||||
* {@link #PRIVILEGE_ACTION_PERSIST} and {@link #PRIVILEGE_ACTION_GET_POLICIES}
|
||||
*/
|
||||
public static final String PRIVILEGE_ACTION = "PrivilegeAction";
|
||||
String PRIVILEGE_ACTION = "PrivilegeAction";
|
||||
|
||||
/**
|
||||
* For Privilege "PrivilegeAction" value required to be able to persist changes if not exempted by auto persist or
|
||||
* <code>allAllowed</code>
|
||||
*/
|
||||
public static final String PRIVILEGE_ACTION_PERSIST = "Persist";
|
||||
String PRIVILEGE_ACTION_PERSIST = "Persist";
|
||||
/**
|
||||
* For Privilege "PrivilegeAction" value required to be able to persist session if not exempted by
|
||||
* <code>allAllowed</code>
|
||||
*/
|
||||
public static final String PRIVILEGE_ACTION_PERSIST_SESSIONS = "PersistSessions";
|
||||
String PRIVILEGE_ACTION_PERSIST_SESSIONS = "PersistSessions";
|
||||
/**
|
||||
* For Privilege "PrivilegeAction" value required to be able to reload changes if not exempted by
|
||||
* <code>allAllowed</code>
|
||||
*/
|
||||
public static final String PRIVILEGE_ACTION_RELOAD = "Reload";
|
||||
String PRIVILEGE_ACTION_RELOAD = "Reload";
|
||||
/**
|
||||
* For Privilege "PrivilegeAction" value required to get currently configured policies if not
|
||||
* <code>allAllowed</code>
|
||||
*/
|
||||
public static final String PRIVILEGE_ACTION_GET_POLICIES = "GetPolicies";
|
||||
String PRIVILEGE_ACTION_GET_POLICIES = "GetPolicies";
|
||||
/**
|
||||
* For Privilege "PrivilegeAction" value required to get a certificate if not <code>allAllowed</code>
|
||||
*/
|
||||
public static final String PRIVILEGE_ACTION_GET_CERTIFICATE = "GetCertificate";
|
||||
String PRIVILEGE_ACTION_GET_CERTIFICATE = "GetCertificate";
|
||||
/**
|
||||
* For Privilege "PrivilegeAction" value required to get all certificates if not <code>allAllowed</code>
|
||||
*/
|
||||
public static final String PRIVILEGE_ACTION_GET_CERTIFICATES = "GetCertificates";
|
||||
String PRIVILEGE_ACTION_GET_CERTIFICATES = "GetCertificates";
|
||||
|
||||
///
|
||||
|
||||
/**
|
||||
* Privilege "PrivilegeGetRole" which is used to validate that a user can get a specific role
|
||||
*/
|
||||
public static final String PRIVILEGE_GET_ROLE = "PrivilegeGetRole";
|
||||
String PRIVILEGE_GET_ROLE = "PrivilegeGetRole";
|
||||
/**
|
||||
* Privilege "PrivilegeAddRole" which is used to validate that a user can add a specific role
|
||||
*/
|
||||
public static final String PRIVILEGE_ADD_ROLE = "PrivilegeAddRole";
|
||||
String PRIVILEGE_ADD_ROLE = "PrivilegeAddRole";
|
||||
/**
|
||||
* Privilege "PrivilegeRemoveRole" which is used to validate that a user can remove a specific role
|
||||
*/
|
||||
public static final String PRIVILEGE_REMOVE_ROLE = "PrivilegeRemoveRole";
|
||||
String PRIVILEGE_REMOVE_ROLE = "PrivilegeRemoveRole";
|
||||
/**
|
||||
* Privilege "PrivilegeModifyRole" which is used to validate that a user can modify a specific role. <b>Note:</b>
|
||||
* This includes modifying of the privileges on the role
|
||||
*/
|
||||
public static final String PRIVILEGE_MODIFY_ROLE = "PrivilegeModifyRole";
|
||||
String PRIVILEGE_MODIFY_ROLE = "PrivilegeModifyRole";
|
||||
|
||||
///
|
||||
|
||||
/**
|
||||
* Privilege "PrivilegeGetUser" which is used to validate that a user can get a specific user
|
||||
*/
|
||||
public static final String PRIVILEGE_GET_USER = "PrivilegeGetUser";
|
||||
String PRIVILEGE_GET_USER = "PrivilegeGetUser";
|
||||
/**
|
||||
* Privilege "PrivilegeAddUser" which is used to validate that a user can add a specific user
|
||||
*/
|
||||
public static final String PRIVILEGE_ADD_USER = "PrivilegeAddUser";
|
||||
String PRIVILEGE_ADD_USER = "PrivilegeAddUser";
|
||||
/**
|
||||
* Privilege "PrivilegeRemoveUser" which is used to validate that a user can remove a specific user
|
||||
*/
|
||||
public static final String PRIVILEGE_REMOVE_USER = "PrivilegeRemoveUser";
|
||||
String PRIVILEGE_REMOVE_USER = "PrivilegeRemoveUser";
|
||||
/**
|
||||
* Privilege "PrivilegeModifyUser" which is used to validate that a user can modify a specific user
|
||||
*/
|
||||
public static final String PRIVILEGE_MODIFY_USER = "PrivilegeModifyUser";
|
||||
String PRIVILEGE_MODIFY_USER = "PrivilegeModifyUser";
|
||||
/**
|
||||
* Privilege "PrivilegeAddRoleToUser" which is used to validate that a user can add a specific role to a specific
|
||||
* user
|
||||
*/
|
||||
public static final String PRIVILEGE_ADD_ROLE_TO_USER = "PrivilegeAddRoleToUser";
|
||||
String PRIVILEGE_ADD_ROLE_TO_USER = "PrivilegeAddRoleToUser";
|
||||
/**
|
||||
* Privilege "PrivilegeRemoveRoleFromUser" which is used to validate that a user can remove a specific role from a
|
||||
* specific user
|
||||
*/
|
||||
public static final String PRIVILEGE_REMOVE_ROLE_FROM_USER = "PrivilegeRemoveRoleFromUser";
|
||||
String PRIVILEGE_REMOVE_ROLE_FROM_USER = "PrivilegeRemoveRoleFromUser";
|
||||
/**
|
||||
* Privilege "PRIVILEGE_SET_USER_LOCALE" which is used to validate that a user can set the locale of a user, or
|
||||
* their own
|
||||
*/
|
||||
public static final String PRIVILEGE_SET_USER_LOCALE = "PrivilegeSetUserLocale";
|
||||
String PRIVILEGE_SET_USER_LOCALE = "PrivilegeSetUserLocale";
|
||||
/**
|
||||
* Privilege "PRIVILEGE_SET_USER_STATE" which is used to validate that a user can set the state of a user
|
||||
*/
|
||||
public static final String PRIVILEGE_SET_USER_STATE = "PrivilegeSetUserState";
|
||||
String PRIVILEGE_SET_USER_STATE = "PrivilegeSetUserState";
|
||||
/**
|
||||
* Privilege "PRIVILEGE_SET_USER_PASSWORD" which is used to validate that a user can set the password of a user, or
|
||||
* their own
|
||||
*/
|
||||
public static final String PRIVILEGE_SET_USER_PASSWORD = "PrivilegeSetUserPassword";
|
||||
String PRIVILEGE_SET_USER_PASSWORD = "PrivilegeSetUserPassword";
|
||||
|
||||
///
|
||||
|
||||
/**
|
||||
* configuration parameter to define a secret_key
|
||||
*/
|
||||
public static final String PARAM_SECRET_KEY = "secretKey"; //$NON-NLS-1$
|
||||
String PARAM_SECRET_KEY = "secretKey"; //$NON-NLS-1$
|
||||
|
||||
/**
|
||||
* configuration parameter to define a secret salt
|
||||
*/
|
||||
public static final String PARAM_SECRET_SALT = "secretSalt"; //$NON-NLS-1$
|
||||
String PARAM_SECRET_SALT = "secretSalt"; //$NON-NLS-1$
|
||||
|
||||
/**
|
||||
* configuration parameter to define automatic persisting on password change
|
||||
*/
|
||||
public static final String PARAM_AUTO_PERSIST_ON_USER_CHANGES_DATA = "autoPersistOnUserChangesData"; //$NON-NLS-1$
|
||||
String PARAM_AUTO_PERSIST_ON_USER_CHANGES_DATA = "autoPersistOnUserChangesData"; //$NON-NLS-1$
|
||||
|
||||
/**
|
||||
* configuration parameter to define if sessions should be persisted
|
||||
*/
|
||||
public static final String PARAM_PERSIST_SESSIONS = "persistSessions"; //$NON-NLS-1$
|
||||
String PARAM_PERSIST_SESSIONS = "persistSessions"; //$NON-NLS-1$
|
||||
|
||||
/**
|
||||
* configuration parameter to define where sessions are to be persisted
|
||||
*/
|
||||
public static final String PARAM_PERSIST_SESSIONS_PATH = "persistSessionsPath"; //$NON-NLS-1$
|
||||
String PARAM_PERSIST_SESSIONS_PATH = "persistSessionsPath"; //$NON-NLS-1$
|
||||
|
||||
/**
|
||||
* configuration parameter to define {@link PrivilegeConflictResolution}
|
||||
*/
|
||||
public static final String PARAM_PRIVILEGE_CONFLICT_RESOLUTION = "privilegeConflictResolution";
|
||||
String PARAM_PRIVILEGE_CONFLICT_RESOLUTION = "privilegeConflictResolution";
|
||||
|
||||
/**
|
||||
* Returns a {@link UserRep} for the given username
|
||||
*
|
||||
*
|
||||
* @param certificate
|
||||
* the {@link Certificate} of the user which has the privilege to perform this action
|
||||
* the {@link Certificate} of the user which has the privilege to perform this action
|
||||
* @param username
|
||||
* the name of the {@link UserRep} to return
|
||||
*
|
||||
* the name of the {@link UserRep} to return
|
||||
*
|
||||
* @return the {@link UserRep} for the given username, or null if it was not found
|
||||
*/
|
||||
public UserRep getUser(Certificate certificate, String username);
|
||||
UserRep getUser(Certificate certificate, String username);
|
||||
|
||||
/**
|
||||
* Returns a {@link RoleRep} for the given roleName
|
||||
*
|
||||
*
|
||||
* @param certificate
|
||||
* the {@link Certificate} of the user which has the privilege to perform this action
|
||||
* the {@link Certificate} of the user which has the privilege to perform this action
|
||||
* @param roleName
|
||||
* the name of the {@link RoleRep} to return
|
||||
*
|
||||
* the name of the {@link RoleRep} to return
|
||||
*
|
||||
* @return the {@link RoleRep} for the given roleName, or null if it was not found
|
||||
*/
|
||||
public RoleRep getRole(Certificate certificate, String roleName);
|
||||
RoleRep getRole(Certificate certificate, String roleName);
|
||||
|
||||
/**
|
||||
* Returns the map of {@link PrivilegePolicy} definitions
|
||||
*
|
||||
*
|
||||
* @param certificate
|
||||
* the {@link Certificate} of the user which has the privilege to perform this action
|
||||
*
|
||||
* the {@link Certificate} of the user which has the privilege to perform this action
|
||||
*
|
||||
* @return the map of {@link PrivilegePolicy} definitions
|
||||
*/
|
||||
public Map<String, String> getPolicyDefs(Certificate certificate);
|
||||
Map<String, String> getPolicyDefs(Certificate certificate);
|
||||
|
||||
/**
|
||||
* Returns the list of {@link Certificate Certificates}
|
||||
*
|
||||
*
|
||||
* @param certificate
|
||||
* the {@link Certificate} of the user which has the privilege to perform this action
|
||||
*
|
||||
* the {@link Certificate} of the user which has the privilege to perform this action
|
||||
*
|
||||
* @return the list of {@link Certificate Certificates}
|
||||
*/
|
||||
public List<Certificate> getCertificates(Certificate certificate);
|
||||
List<Certificate> getCertificates(Certificate certificate);
|
||||
|
||||
/**
|
||||
* Returns all {@link RoleRep RoleReps}
|
||||
*
|
||||
*
|
||||
* @param certificate
|
||||
* the {@link Certificate} of the user which has the privilege to perform this action
|
||||
*
|
||||
* the {@link Certificate} of the user which has the privilege to perform this action
|
||||
*
|
||||
* @return the list of {@link RoleRep RoleReps}
|
||||
*/
|
||||
public List<RoleRep> getRoles(Certificate certificate);
|
||||
List<RoleRep> getRoles(Certificate certificate);
|
||||
|
||||
/**
|
||||
* Returns all {@link UserRep UserReps}
|
||||
*
|
||||
*
|
||||
* @param certificate
|
||||
* the {@link Certificate} of the user which has the privilege to perform this action
|
||||
*
|
||||
* the {@link Certificate} of the user which has the privilege to perform this action
|
||||
*
|
||||
* @return the list of {@link UserRep UserReps}
|
||||
*/
|
||||
public List<UserRep> getUsers(Certificate certificate);
|
||||
List<UserRep> getUsers(Certificate certificate);
|
||||
|
||||
/**
|
||||
* Method to query {@link UserRep} which meet the criteria set in the given {@link UserRep}. Null fields mean the
|
||||
* fields are irrelevant.
|
||||
*
|
||||
*
|
||||
* @param certificate
|
||||
* the {@link Certificate} of the user which has the privilege to perform this action
|
||||
* the {@link Certificate} of the user which has the privilege to perform this action
|
||||
* @param selectorRep
|
||||
* the {@link UserRep} to use as criteria selection
|
||||
*
|
||||
* the {@link UserRep} to use as criteria selection
|
||||
*
|
||||
* @return a list of {@link UserRep}s which fit the given criteria
|
||||
*/
|
||||
public List<UserRep> queryUsers(Certificate certificate, UserRep selectorRep);
|
||||
List<UserRep> queryUsers(Certificate certificate, UserRep selectorRep);
|
||||
|
||||
/**
|
||||
* Removes the user with the given username
|
||||
*
|
||||
*
|
||||
* @param certificate
|
||||
* the {@link Certificate} of the user which has the privilege to perform this action
|
||||
* the {@link Certificate} of the user which has the privilege to perform this action
|
||||
* @param username
|
||||
* the username of the user to remove
|
||||
*
|
||||
* the username of the user to remove
|
||||
*
|
||||
* @return the {@link UserRep} of the user removed, or null if the user did not exist
|
||||
*
|
||||
*
|
||||
* @throws AccessDeniedException
|
||||
* if the user for this certificate may not perform the action
|
||||
* if the user for this certificate may not perform the action
|
||||
* @throws PrivilegeException
|
||||
* if there is anything wrong with this certificate
|
||||
* if there is anything wrong with this certificate
|
||||
*/
|
||||
public UserRep removeUser(Certificate certificate, String username)
|
||||
throws AccessDeniedException, PrivilegeException;
|
||||
UserRep removeUser(Certificate certificate, String username) throws PrivilegeException;
|
||||
|
||||
/**
|
||||
* Removes the role with the given roleName from the user with the given username
|
||||
*
|
||||
*
|
||||
* @param certificate
|
||||
* the {@link Certificate} of the user which has the privilege to perform this action
|
||||
* the {@link Certificate} of the user which has the privilege to perform this action
|
||||
* @param username
|
||||
* the username of the user from which the role is to be removed
|
||||
* the username of the user from which the role is to be removed
|
||||
* @param roleName
|
||||
* the roleName of the role to remove from the user
|
||||
*
|
||||
* the roleName of the role to remove from the user
|
||||
*
|
||||
* @throws AccessDeniedException
|
||||
* if the user for this certificate may not perform the action
|
||||
* if the user for this certificate may not perform the action
|
||||
* @throws PrivilegeException
|
||||
* if there is anything wrong with this certificate
|
||||
* if there is anything wrong with this certificate
|
||||
*/
|
||||
public UserRep removeRoleFromUser(Certificate certificate, String username, String roleName)
|
||||
throws AccessDeniedException, PrivilegeException;
|
||||
UserRep removeRoleFromUser(Certificate certificate, String username, String roleName) throws PrivilegeException;
|
||||
|
||||
/**
|
||||
* Removes the role with the given roleName
|
||||
*
|
||||
*
|
||||
* @param certificate
|
||||
* the {@link Certificate} of the user which has the privilege to perform this action
|
||||
* the {@link Certificate} of the user which has the privilege to perform this action
|
||||
* @param roleName
|
||||
* the roleName of the role to remove
|
||||
*
|
||||
* the roleName of the role to remove
|
||||
*
|
||||
* @return the {@link RoleRep} of the role removed, or null if the role did not exist
|
||||
*
|
||||
*
|
||||
* @throws AccessDeniedException
|
||||
* if the user for this certificate may not perform the action
|
||||
* if the user for this certificate may not perform the action
|
||||
* @throws PrivilegeException
|
||||
* if there is anything wrong with this certificate or the role is still in use by a user
|
||||
* if there is anything wrong with this certificate or the role is still in use by a user
|
||||
*/
|
||||
public RoleRep removeRole(Certificate certificate, String roleName)
|
||||
throws AccessDeniedException, PrivilegeException;
|
||||
RoleRep removeRole(Certificate certificate, String roleName) throws PrivilegeException;
|
||||
|
||||
/**
|
||||
* Removes the privilege with the given privilegeName from the role with the given roleName
|
||||
*
|
||||
*
|
||||
* @param certificate
|
||||
* the {@link Certificate} of the user which has the privilege to perform this action
|
||||
* the {@link Certificate} of the user which has the privilege to perform this action
|
||||
* @param roleName
|
||||
* the roleName of the role from which the privilege is to be removed
|
||||
* the roleName of the role from which the privilege is to be removed
|
||||
* @param privilegeName
|
||||
* the privilegeName of the privilege to remove from the role
|
||||
*
|
||||
* the privilegeName of the privilege to remove from the role
|
||||
*
|
||||
* @throws AccessDeniedException
|
||||
* if the user for this certificate may not perform the action
|
||||
* if the user for this certificate may not perform the action
|
||||
* @throws PrivilegeException
|
||||
* if there is anything wrong with this certificate
|
||||
* if there is anything wrong with this certificate
|
||||
*/
|
||||
public RoleRep removePrivilegeFromRole(Certificate certificate, String roleName, String privilegeName)
|
||||
throws AccessDeniedException, PrivilegeException;
|
||||
RoleRep removePrivilegeFromRole(Certificate certificate, String roleName, String privilegeName)
|
||||
throws PrivilegeException;
|
||||
|
||||
/**
|
||||
* <p>
|
||||
* Adds a new user with the information from this {@link UserRep}
|
||||
* </p>
|
||||
*
|
||||
*
|
||||
* <p>
|
||||
* If the password given is null, then the user is created, but can not not login! Otherwise the password must meet
|
||||
* the requirements of the implementation under {@link PrivilegeHandler#validatePassword(char[])}
|
||||
* </p>
|
||||
*
|
||||
*
|
||||
* @param certificate
|
||||
* the {@link Certificate} of the user which has the privilege to perform this action
|
||||
* the {@link Certificate} of the user which has the privilege to perform this action
|
||||
* @param userRep
|
||||
* the {@link UserRep} containing the information to create the new {@link User}
|
||||
* the {@link UserRep} containing the information to create the new {@link User}
|
||||
* @param password
|
||||
* the password of the new user. If the password is null, then this is accepted but the user can not
|
||||
* login, otherwise the password must be validated against
|
||||
* {@link PrivilegeHandler#validatePassword(char[])}
|
||||
*
|
||||
* the password of the new user. If the password is null, then this is accepted but the user can not
|
||||
* login, otherwise the password must be validated against
|
||||
* {@link PrivilegeHandler#validatePassword(char[])}
|
||||
*
|
||||
* @throws AccessDeniedException
|
||||
* if the user for this certificate may not perform the action
|
||||
* if the user for this certificate may not perform the action
|
||||
* @throws PrivilegeException
|
||||
* if there is anything wrong with this certificate or the user already exists
|
||||
* if there is anything wrong with this certificate or the user already exists
|
||||
*/
|
||||
public UserRep addUser(Certificate certificate, UserRep userRep, char[] password)
|
||||
throws AccessDeniedException, PrivilegeException;
|
||||
UserRep addUser(Certificate certificate, UserRep userRep, char[] password) throws PrivilegeException;
|
||||
|
||||
/**
|
||||
* <p>
|
||||
|
@ -358,7 +354,7 @@ public interface PrivilegeHandler {
|
|||
* will be updated on the existing user. The username on the given {@link UserRep} must be set and correspond to an
|
||||
* existing user.
|
||||
* </p>
|
||||
*
|
||||
*
|
||||
* The following fields are considered updateable:
|
||||
* <ul>
|
||||
* <li>{@link UserRep#getFirstname()}</li>
|
||||
|
@ -366,117 +362,113 @@ public interface PrivilegeHandler {
|
|||
* <li>{@link UserRep#getLocale()}</li>
|
||||
* <li>{@link UserRep#getProperties()} - the existing properties will be replaced with the given properties</li>
|
||||
* </ul>
|
||||
*
|
||||
*
|
||||
* <p>
|
||||
* Any other fields will be ignored
|
||||
* </p>
|
||||
*
|
||||
*
|
||||
* @param certificate
|
||||
* the {@link Certificate} of the user which has the privilege to perform this action
|
||||
* the {@link Certificate} of the user which has the privilege to perform this action
|
||||
* @param userRep
|
||||
* the {@link UserRep} with the fields set to their new values
|
||||
*
|
||||
* the {@link UserRep} with the fields set to their new values
|
||||
*
|
||||
* @throws AccessDeniedException
|
||||
* if the user for this certificate may not perform the action
|
||||
* if the user for this certificate may not perform the action
|
||||
* @throws PrivilegeException
|
||||
* if there is anything wrong with this certificate or if the user does not exist
|
||||
* if there is anything wrong with this certificate or if the user does not exist
|
||||
*/
|
||||
public UserRep updateUser(Certificate certificate, UserRep userRep)
|
||||
throws AccessDeniedException, PrivilegeException;
|
||||
UserRep updateUser(Certificate certificate, UserRep userRep) throws PrivilegeException;
|
||||
|
||||
/**
|
||||
* <p>
|
||||
* Replaces the existing user with the information from this {@link UserRep} if the user already exists
|
||||
* </p>
|
||||
*
|
||||
*
|
||||
* <p>
|
||||
* If the password given is null, then the user is created, but can not not login! Otherwise the password must meet
|
||||
* the requirements of the implementation under {@link PrivilegeHandler#validatePassword(char[])}
|
||||
* </p>
|
||||
*
|
||||
*
|
||||
* @param certificate
|
||||
* the {@link Certificate} of the user which has the privilege to perform this action
|
||||
* the {@link Certificate} of the user which has the privilege to perform this action
|
||||
* @param userRep
|
||||
* the {@link UserRep} containing the information to replace the existing {@link User}
|
||||
* the {@link UserRep} containing the information to replace the existing {@link User}
|
||||
* @param password
|
||||
* the password of the new user. If the password is null, then this is accepted but the user can not
|
||||
* login, otherwise the password must be validated against
|
||||
* {@link PrivilegeHandler#validatePassword(char[])}
|
||||
*
|
||||
* the password of the new user. If the password is null, then this is accepted but the user can not
|
||||
* login, otherwise the password must be validated against
|
||||
* {@link PrivilegeHandler#validatePassword(char[])}
|
||||
*
|
||||
* @throws AccessDeniedException
|
||||
* if the user for this certificate may not perform the action
|
||||
* if the user for this certificate may not perform the action
|
||||
* @throws PrivilegeException
|
||||
* if there is anything wrong with this certificate or if the user does not exist
|
||||
* if there is anything wrong with this certificate or if the user does not exist
|
||||
*/
|
||||
public UserRep replaceUser(Certificate certificate, UserRep userRep, char[] password)
|
||||
throws AccessDeniedException, PrivilegeException;
|
||||
UserRep replaceUser(Certificate certificate, UserRep userRep, char[] password) throws PrivilegeException;
|
||||
|
||||
/**
|
||||
* Adds a new role with the information from this {@link RoleRep}
|
||||
*
|
||||
*
|
||||
* @param certificate
|
||||
* the {@link Certificate} of the user which has the privilege to perform this action
|
||||
* the {@link Certificate} of the user which has the privilege to perform this action
|
||||
* @param roleRep
|
||||
* the {@link RoleRep} containing the information to create the new {@link Role}
|
||||
*
|
||||
* the {@link RoleRep} containing the information to create the new {@link Role}
|
||||
*
|
||||
* @throws AccessDeniedException
|
||||
* if the user for this certificate may not perform the action
|
||||
* if the user for this certificate may not perform the action
|
||||
* @throws PrivilegeException
|
||||
* if there is anything wrong with this certificate or if the role already exists
|
||||
* if there is anything wrong with this certificate or if the role already exists
|
||||
*/
|
||||
public RoleRep addRole(Certificate certificate, RoleRep roleRep) throws AccessDeniedException, PrivilegeException;
|
||||
RoleRep addRole(Certificate certificate, RoleRep roleRep) throws PrivilegeException;
|
||||
|
||||
/**
|
||||
* Replaces the existing role with the information from this {@link RoleRep}
|
||||
*
|
||||
*
|
||||
* @param certificate
|
||||
* the {@link Certificate} of the user which has the privilege to perform this action
|
||||
* the {@link Certificate} of the user which has the privilege to perform this action
|
||||
* @param roleRep
|
||||
* the {@link RoleRep} containing the information to replace the existing {@link Role}
|
||||
*
|
||||
* the {@link RoleRep} containing the information to replace the existing {@link Role}
|
||||
*
|
||||
* @throws AccessDeniedException
|
||||
* if the user for this certificate may not perform the action
|
||||
* if the user for this certificate may not perform the action
|
||||
* @throws PrivilegeException
|
||||
* if there is anything wrong with this certificate or if the role does not exist
|
||||
* if there is anything wrong with this certificate or if the role does not exist
|
||||
*/
|
||||
public RoleRep replaceRole(Certificate certificate, RoleRep roleRep)
|
||||
throws AccessDeniedException, PrivilegeException;
|
||||
RoleRep replaceRole(Certificate certificate, RoleRep roleRep) throws PrivilegeException;
|
||||
|
||||
/**
|
||||
* Adds the role with the given roleName to the {@link User} with the given username
|
||||
*
|
||||
*
|
||||
* @param certificate
|
||||
* the {@link Certificate} of the user which has the privilege to perform this action
|
||||
* the {@link Certificate} of the user which has the privilege to perform this action
|
||||
* @param username
|
||||
* the username of the {@link User} to which the role should be added
|
||||
* the username of the {@link User} to which the role should be added
|
||||
* @param roleName
|
||||
* the roleName of the {@link Role} which should be added to the {@link User}
|
||||
*
|
||||
* the roleName of the {@link Role} which should be added to the {@link User}
|
||||
*
|
||||
* @throws AccessDeniedException
|
||||
* if the user for this certificate may not perform the action
|
||||
* if the user for this certificate may not perform the action
|
||||
* @throws PrivilegeException
|
||||
* if there is anything wrong with this certificate or if the role does not exist
|
||||
* if there is anything wrong with this certificate or if the role does not exist
|
||||
*/
|
||||
public UserRep addRoleToUser(Certificate certificate, String username, String roleName)
|
||||
throws AccessDeniedException, PrivilegeException;
|
||||
UserRep addRoleToUser(Certificate certificate, String username, String roleName) throws PrivilegeException;
|
||||
|
||||
/**
|
||||
* Adds the {@link PrivilegeRep} to the {@link Role} with the given roleName or replaces it, if it already exists
|
||||
*
|
||||
*
|
||||
* @param certificate
|
||||
* the {@link Certificate} of the user which has the privilege to perform this action
|
||||
* the {@link Certificate} of the user which has the privilege to perform this action
|
||||
* @param roleName
|
||||
* the roleName of the {@link Role} to which the privilege should be added
|
||||
* the roleName of the {@link Role} to which the privilege should be added
|
||||
* @param privilegeRep
|
||||
* the representation of the {@link IPrivilege} which should be added or replaced on the {@link Role}
|
||||
*
|
||||
* the representation of the {@link IPrivilege} which should be added or replaced on the {@link Role}
|
||||
*
|
||||
* @throws AccessDeniedException
|
||||
* if the user for this certificate may not perform the action
|
||||
* if the user for this certificate may not perform the action
|
||||
* @throws PrivilegeException
|
||||
* if there is anything wrong with this certificate or the role does not exist
|
||||
* if there is anything wrong with this certificate or the role does not exist
|
||||
*/
|
||||
public RoleRep addOrReplacePrivilegeOnRole(Certificate certificate, String roleName, PrivilegeRep privilegeRep)
|
||||
throws AccessDeniedException, PrivilegeException;
|
||||
RoleRep addOrReplacePrivilegeOnRole(Certificate certificate, String roleName, PrivilegeRep privilegeRep)
|
||||
throws PrivilegeException;
|
||||
|
||||
/**
|
||||
* <p>
|
||||
|
@ -484,243 +476,240 @@ public interface PrivilegeHandler {
|
|||
* can not login anymore. Otherwise the password must meet the requirements of the implementation under
|
||||
* {@link PrivilegeHandler#validatePassword(char[])}
|
||||
* </p>
|
||||
*
|
||||
*
|
||||
* <p>
|
||||
* It should be possible for a user to change their own password
|
||||
* </p>
|
||||
*
|
||||
*
|
||||
* @param certificate
|
||||
* the {@link Certificate} of the user which has the privilege to perform this action
|
||||
* the {@link Certificate} of the user which has the privilege to perform this action
|
||||
* @param username
|
||||
* the username of the {@link User} for which the password is to be changed
|
||||
* the username of the {@link User} for which the password is to be changed
|
||||
* @param password
|
||||
* the new password for this user. If the password is null, then the {@link User} can not login anymore.
|
||||
* Otherwise the password must meet the requirements of the implementation under
|
||||
* {@link PrivilegeHandler#validatePassword(char[])}
|
||||
*
|
||||
* the new password for this user. If the password is null, then the {@link User} can not login anymore.
|
||||
* Otherwise the password must meet the requirements of the implementation under
|
||||
* {@link PrivilegeHandler#validatePassword(char[])}
|
||||
*
|
||||
* @throws AccessDeniedException
|
||||
* if the user for this certificate may not perform the action
|
||||
* if the user for this certificate may not perform the action
|
||||
* @throws PrivilegeException
|
||||
* if there is anything wrong with this certificate
|
||||
* if there is anything wrong with this certificate
|
||||
*/
|
||||
public void setUserPassword(Certificate certificate, String username, char[] password)
|
||||
throws AccessDeniedException, PrivilegeException;
|
||||
void setUserPassword(Certificate certificate, String username, char[] password) throws PrivilegeException;
|
||||
|
||||
/**
|
||||
* Changes the {@link UserState} of the user
|
||||
*
|
||||
*
|
||||
* @param certificate
|
||||
* the {@link Certificate} of the user which has the privilege to perform this action
|
||||
* the {@link Certificate} of the user which has the privilege to perform this action
|
||||
* @param username
|
||||
* the username of the {@link User} for which the {@link UserState} is to be changed
|
||||
* the username of the {@link User} for which the {@link UserState} is to be changed
|
||||
* @param state
|
||||
* the new state for the user
|
||||
*
|
||||
* the new state for the user
|
||||
*
|
||||
* @throws AccessDeniedException
|
||||
* if the user for this certificate may not perform the action
|
||||
* if the user for this certificate may not perform the action
|
||||
* @throws PrivilegeException
|
||||
* if there is anything wrong with this certificate
|
||||
* if there is anything wrong with this certificate
|
||||
*/
|
||||
public UserRep setUserState(Certificate certificate, String username, UserState state)
|
||||
throws AccessDeniedException, PrivilegeException;
|
||||
UserRep setUserState(Certificate certificate, String username, UserState state) throws PrivilegeException;
|
||||
|
||||
/**
|
||||
* Changes the {@link Locale} of the user
|
||||
*
|
||||
*
|
||||
* @param certificate
|
||||
* the {@link Certificate} of the user which has the privilege to perform this action
|
||||
* the {@link Certificate} of the user which has the privilege to perform this action
|
||||
* @param username
|
||||
* the username of the {@link User} for which the {@link Locale} is to be changed
|
||||
* the username of the {@link User} for which the {@link Locale} is to be changed
|
||||
* @param locale
|
||||
* the new {@link Locale} for the user
|
||||
*
|
||||
* the new {@link Locale} for the user
|
||||
*
|
||||
* @throws AccessDeniedException
|
||||
* if the user for this certificate may not perform the action
|
||||
* if the user for this certificate may not perform the action
|
||||
* @throws PrivilegeException
|
||||
* if there is anything wrong with this certificate
|
||||
* if there is anything wrong with this certificate
|
||||
*/
|
||||
public UserRep setUserLocale(Certificate certificate, String username, Locale locale)
|
||||
throws AccessDeniedException, PrivilegeException;
|
||||
UserRep setUserLocale(Certificate certificate, String username, Locale locale) throws PrivilegeException;
|
||||
|
||||
/**
|
||||
* Initiate a password reset challenge for the given username
|
||||
*
|
||||
*
|
||||
* @param usage
|
||||
* the usage for which the challenge is requested
|
||||
* the usage for which the challenge is requested
|
||||
* @param username
|
||||
* the username of the user to initiate the challenge for
|
||||
* the username of the user to initiate the challenge for
|
||||
*/
|
||||
public void initiateChallengeFor(Usage usage, String username);
|
||||
void initiateChallengeFor(Usage usage, String username);
|
||||
|
||||
/**
|
||||
* Validate the response of a challenge for the given username
|
||||
*
|
||||
*
|
||||
* @param username
|
||||
* the username of the user for which the challenge is to be validated
|
||||
* the username of the user for which the challenge is to be validated
|
||||
* @param challenge
|
||||
* the challenge from the user
|
||||
*
|
||||
* the challenge from the user
|
||||
*
|
||||
* @return certificate with which the user can access the system with the {@link Usage} set to the value from the
|
||||
* initiated challenge
|
||||
*
|
||||
* initiated challenge
|
||||
*
|
||||
* @throws PrivilegeException
|
||||
* if anything goes wrong
|
||||
* if anything goes wrong
|
||||
*/
|
||||
public Certificate validateChallenge(String username, String challenge) throws PrivilegeException;
|
||||
Certificate validateChallenge(String username, String challenge) throws PrivilegeException;
|
||||
|
||||
/**
|
||||
* Authenticates a user by validating that a {@link User} for the given username and password exist and then returns
|
||||
* a {@link Certificate} with which this user may then perform actions
|
||||
*
|
||||
*
|
||||
* @param username
|
||||
* the username of the {@link User} which is registered in the {@link PersistenceHandler}
|
||||
* the username of the {@link User} which is registered in the {@link PersistenceHandler}
|
||||
* @param password
|
||||
* the password with which this user is to be authenticated. Null passwords are not accepted and they
|
||||
* must meet the requirements of the {@link #validatePassword(char[])}-method
|
||||
*
|
||||
* the password with which this user is to be authenticated. Null passwords are not accepted and they
|
||||
* must meet the requirements of the {@link #validatePassword(char[])}-method
|
||||
*
|
||||
* @return a {@link Certificate} with which this user may then perform actions
|
||||
*
|
||||
*
|
||||
* @throws AccessDeniedException
|
||||
* if the user credentials are not valid
|
||||
* if the user credentials are not valid
|
||||
*/
|
||||
public Certificate authenticate(String username, char[] password) throws AccessDeniedException;
|
||||
Certificate authenticate(String username, char[] password) throws AccessDeniedException;
|
||||
|
||||
/**
|
||||
* Authenticates a user on a remote Single Sign On service. This is implemented by the
|
||||
*
|
||||
* @param data
|
||||
* the data to perform the SSO
|
||||
*
|
||||
* @return the {@link Certificate} for the user
|
||||
*
|
||||
* @throws PrivilegeException
|
||||
* if something goes wrong with the SSO
|
||||
*/
|
||||
Certificate authenticateSingleSignOn(Object data) throws PrivilegeException;
|
||||
|
||||
/**
|
||||
* Invalidates the session for the given {@link Certificate}, effectively logging out the user who was authenticated
|
||||
* with the credentials associated to the given {@link Certificate}
|
||||
*
|
||||
*
|
||||
* @param certificate
|
||||
* the {@link Certificate} for which the session is to be invalidated
|
||||
* the {@link Certificate} for which the session is to be invalidated
|
||||
*
|
||||
* @return true if the session was still valid and is now invalidated, false otherwise
|
||||
*/
|
||||
public boolean invalidateSession(Certificate certificate);
|
||||
boolean invalidate(Certificate certificate);
|
||||
|
||||
/**
|
||||
* Checks if the given {@link Certificate} is valid. This means that the certificate is for a valid session and that
|
||||
* the user exists for the certificate. This method checks if the {@link Certificate} has been tampered with
|
||||
*
|
||||
* @param certificate
|
||||
* the {@link Certificate} to check
|
||||
*
|
||||
* @throws PrivilegeException
|
||||
* if there is anything wrong with this certificate
|
||||
* @throws NotAuthenticatedException
|
||||
* if the certificate has expired
|
||||
*/
|
||||
public void isCertificateValid(Certificate certificate) throws PrivilegeException, NotAuthenticatedException;
|
||||
|
||||
/**
|
||||
*
|
||||
* Returns the {@link PrivilegeContext} for the given {@link Certificate}. The {@link PrivilegeContext} is an
|
||||
* encapsulated state of a user's privileges so that for the duration of a user's call, the user can perform their
|
||||
* actions and do not need to access the {@link PrivilegeHandler} anymore
|
||||
*
|
||||
*
|
||||
* @param certificate
|
||||
* a valid {@link Certificate} for which a {@link PrivilegeContext} is to be returned
|
||||
* the {@link Certificate} to check
|
||||
*
|
||||
* @return the {@link PrivilegeContext} for the given {@link Certificate}
|
||||
*
|
||||
*
|
||||
* @throws PrivilegeException
|
||||
* if there is a configuration error or the {@link Certificate} is invalid
|
||||
* if there is anything wrong with this certificate
|
||||
* @throws NotAuthenticatedException
|
||||
* if the certificate has expired
|
||||
* if the certificate has expired
|
||||
*/
|
||||
public PrivilegeContext getPrivilegeContext(Certificate certificate)
|
||||
throws PrivilegeException, NotAuthenticatedException;
|
||||
PrivilegeContext validate(Certificate certificate) throws PrivilegeException;
|
||||
|
||||
/**
|
||||
* Validate that the given password meets certain requirements. What these requirements are is a decision made by
|
||||
* the concrete implementation
|
||||
*
|
||||
*
|
||||
* @param password
|
||||
* the password to be validated to meet certain requirements
|
||||
*
|
||||
* the password to be validated to meet certain requirements
|
||||
*
|
||||
* @throws PrivilegeException
|
||||
* if the password does not implement the requirement of the concrete implementation
|
||||
* if the password does not implement the requirement of the concrete implementation
|
||||
*/
|
||||
public void validatePassword(char[] password) throws PrivilegeException;
|
||||
void validatePassword(char[] password) throws PrivilegeException;
|
||||
|
||||
/**
|
||||
* <p>
|
||||
* Informs this {@link PersistenceHandler} to reload the data from the backend
|
||||
* </p>
|
||||
*
|
||||
*
|
||||
* <b>Note:</b> It depends on the underlying {@link PersistenceHandler} implementation if data really is read
|
||||
*
|
||||
*
|
||||
* @param certificate
|
||||
* the {@link Certificate} of the user which has the privilege to perform this action
|
||||
*
|
||||
* the {@link Certificate} of the user which has the privilege to perform this action
|
||||
*
|
||||
* @return true if the reload was successful, false if something went wrong
|
||||
*
|
||||
*
|
||||
* @throws AccessDeniedException
|
||||
* if the users of the given certificate does not have the privilege to perform this action
|
||||
* if the users of the given certificate does not have the privilege to perform this action
|
||||
*/
|
||||
public boolean reload(Certificate certificate);
|
||||
boolean reload(Certificate certificate);
|
||||
|
||||
/**
|
||||
* Persists any changes to the privilege data model. Changes are thus not persisted immediately, but must be
|
||||
* actively performed
|
||||
*
|
||||
*
|
||||
* @param certificate
|
||||
* the {@link Certificate} of the user which has the privilege to perform this action
|
||||
*
|
||||
* the {@link Certificate} of the user which has the privilege to perform this action
|
||||
*
|
||||
* @return true if changes were persisted, false if no changes were persisted
|
||||
*
|
||||
*
|
||||
* @throws AccessDeniedException
|
||||
* if the users of the given certificate does not have the privilege to perform this action
|
||||
* if the users of the given certificate does not have the privilege to perform this action
|
||||
*/
|
||||
public boolean persist(Certificate certificate) throws AccessDeniedException;
|
||||
boolean persist(Certificate certificate) throws AccessDeniedException;
|
||||
|
||||
/**
|
||||
* Persists all currently active sessions
|
||||
*
|
||||
*
|
||||
* @param certificate
|
||||
* the {@link Certificate} of the user which has the privilege to perform this action
|
||||
*
|
||||
* the {@link Certificate} of the user which has the privilege to perform this action
|
||||
*
|
||||
* @return true if changes were persisted, false if not (i.e. not enabled)
|
||||
*
|
||||
*
|
||||
* @throws AccessDeniedException
|
||||
* if the users of the given certificate does not have the privilege to perform this action
|
||||
* if the users of the given certificate does not have the privilege to perform this action
|
||||
*/
|
||||
public boolean persistSessions(Certificate certificate) throws AccessDeniedException;
|
||||
boolean persistSessions(Certificate certificate) throws AccessDeniedException;
|
||||
|
||||
/**
|
||||
* Special method to perform work as a System user, meaning the given systemUsername corresponds to an account which
|
||||
* has the state {@link UserState#SYSTEM} and this user must have privilege to perform the concrete implementation
|
||||
* of the given {@link SystemAction} instance
|
||||
*
|
||||
*
|
||||
*
|
||||
* @param systemUsername
|
||||
* the username of the system user to perform the action as
|
||||
* the username of the system user to perform the action as
|
||||
* @param action
|
||||
* the action to be performed as the system user
|
||||
*
|
||||
* @return the action
|
||||
*
|
||||
* the action to be performed as the system user
|
||||
*
|
||||
* @throws PrivilegeException
|
||||
* if the user does not exist, or the system action is not alloed
|
||||
*/
|
||||
public void runAs(String systemUsername, SystemAction action) throws PrivilegeException;
|
||||
void runAs(String systemUsername, SystemAction action) throws PrivilegeException;
|
||||
|
||||
/**
|
||||
* Special method to perform work as a System user, meaning the given systemUsername corresponds to an account which
|
||||
* has the state {@link UserState#SYSTEM} and this user must have privilege to perform the concrete implementation
|
||||
* of the given {@link SystemAction} instance
|
||||
*
|
||||
*
|
||||
*
|
||||
* @param systemUsername
|
||||
* the username of the system user to perform the action as
|
||||
* the username of the system user to perform the action as
|
||||
* @param action
|
||||
* the action to be performed as the system user
|
||||
*
|
||||
* the action to be performed as the system user
|
||||
*
|
||||
* @return the action
|
||||
*
|
||||
*
|
||||
* @throws PrivilegeException
|
||||
* if the user does not exist, or the system action is not alloed
|
||||
*/
|
||||
public <T> T runWithResult(String systemUsername, SystemActionWithResult<T> action) throws PrivilegeException;
|
||||
<T> T runWithResult(String systemUsername, SystemActionWithResult<T> action) throws PrivilegeException;
|
||||
|
||||
/**
|
||||
* Returns the {@link EncryptionHandler} instance
|
||||
*
|
||||
*
|
||||
* @return the {@link EncryptionHandler} instance
|
||||
*/
|
||||
public EncryptionHandler getEncryptionHandler() throws PrivilegeException;
|
||||
|
||||
EncryptionHandler getEncryptionHandler() throws PrivilegeException;
|
||||
}
|
||||
|
|
|
@ -0,0 +1,32 @@
|
|||
package li.strolch.privilege.handler;
|
||||
|
||||
import java.util.Map;
|
||||
|
||||
import li.strolch.privilege.base.PrivilegeException;
|
||||
import li.strolch.privilege.model.internal.User;
|
||||
|
||||
public interface SingleSignOnHandler {
|
||||
|
||||
/**
|
||||
* Initialize the concrete {@link SingleSignOnHandler}. The passed parameter map contains any configuration the
|
||||
* concrete {@link SingleSignOnHandler} might need
|
||||
*
|
||||
* @param parameterMap
|
||||
* a map containing configuration properties
|
||||
*/
|
||||
void initialize(Map<String, String> parameterMap);
|
||||
|
||||
/**
|
||||
* Authenticates a user on a remote Single Sign On service.
|
||||
*
|
||||
* @param data
|
||||
* the data required to sign on the user
|
||||
*
|
||||
* @return the user, configured with the remote
|
||||
*
|
||||
* @throws PrivilegeException
|
||||
* if the SSO can not be performed with the given data
|
||||
*/
|
||||
User authenticateSingleSignOn(Object data) throws PrivilegeException;
|
||||
|
||||
}
|
|
@ -22,11 +22,7 @@ import java.text.MessageFormat;
|
|||
import java.util.Map;
|
||||
|
||||
import li.strolch.privilege.base.PrivilegeException;
|
||||
import li.strolch.privilege.handler.DefaultPrivilegeHandler;
|
||||
import li.strolch.privilege.handler.EncryptionHandler;
|
||||
import li.strolch.privilege.handler.PersistenceHandler;
|
||||
import li.strolch.privilege.handler.PrivilegeHandler;
|
||||
import li.strolch.privilege.handler.UserChallengeHandler;
|
||||
import li.strolch.privilege.handler.*;
|
||||
import li.strolch.privilege.model.internal.PrivilegeContainerModel;
|
||||
import li.strolch.privilege.policy.PrivilegePolicy;
|
||||
import li.strolch.privilege.xml.PrivilegeConfigSaxReader;
|
||||
|
@ -36,19 +32,19 @@ import li.strolch.utils.helper.XmlHelper;
|
|||
/**
|
||||
* This class implements the initializing of the {@link PrivilegeHandler} by loading an XML file containing the
|
||||
* configuration
|
||||
*
|
||||
*
|
||||
* @author Robert von Burg <eitch@eitchnet.ch>
|
||||
*/
|
||||
public class PrivilegeInitializationHelper {
|
||||
|
||||
/**
|
||||
* Initializes the {@link DefaultPrivilegeHandler} from the configuration file
|
||||
*
|
||||
*
|
||||
* @param privilegeXmlFile
|
||||
* a {@link File} reference to the XML file containing the configuration for Privilege
|
||||
*
|
||||
* a {@link File} reference to the XML file containing the configuration for Privilege
|
||||
*
|
||||
* @return the initialized {@link PrivilegeHandler} where the {@link EncryptionHandler} and
|
||||
* {@link PersistenceHandler} are set and initialized as well
|
||||
* {@link PersistenceHandler} are set and initialized as well
|
||||
*/
|
||||
public static PrivilegeHandler initializeFromXml(File privilegeXmlFile) {
|
||||
|
||||
|
@ -72,12 +68,12 @@ public class PrivilegeInitializationHelper {
|
|||
/**
|
||||
* Initializes the {@link PrivilegeHandler} by loading from the given input stream. This stream must be a valid XML
|
||||
* source
|
||||
*
|
||||
*
|
||||
* @param privilegeConfigInputStream
|
||||
* the XML stream containing the privilege configuration
|
||||
*
|
||||
* the XML stream containing the privilege configuration
|
||||
*
|
||||
* @return the initialized {@link PrivilegeHandler} where the {@link EncryptionHandler} and
|
||||
* {@link PersistenceHandler} are set and initialized as well
|
||||
* {@link PersistenceHandler} are set and initialized as well
|
||||
*/
|
||||
public static PrivilegeHandler initializeFromXml(InputStream privilegeConfigInputStream) {
|
||||
|
||||
|
@ -91,12 +87,12 @@ public class PrivilegeInitializationHelper {
|
|||
|
||||
/**
|
||||
* Initializes the {@link PrivilegeHandler} by initializing from the given {@link PrivilegeContainerModel}
|
||||
*
|
||||
*
|
||||
* @param containerModel
|
||||
* the configuration for the {@link PrivilegeHandler}
|
||||
*
|
||||
* the configuration for the {@link PrivilegeHandler}
|
||||
*
|
||||
* @return the initialized {@link PrivilegeHandler} where the {@link EncryptionHandler} and
|
||||
* {@link PersistenceHandler} are set and initialized as well
|
||||
* {@link PersistenceHandler} are set and initialized as well
|
||||
*/
|
||||
public static PrivilegeHandler initializeFromXml(PrivilegeContainerModel containerModel) {
|
||||
|
||||
|
@ -137,13 +133,31 @@ public class PrivilegeInitializationHelper {
|
|||
throw new PrivilegeException(msg, e);
|
||||
}
|
||||
|
||||
// initialize SSO handler
|
||||
SingleSignOnHandler ssoHandler;
|
||||
if (containerModel.getSsoHandlerClassName() == null) {
|
||||
ssoHandler = null;
|
||||
} else {
|
||||
String ssoHandlerClassName = containerModel.getSsoHandlerClassName();
|
||||
ssoHandler = ClassHelper.instantiateClass(ssoHandlerClassName);
|
||||
parameterMap = containerModel.getSsoHandlerParameterMap();
|
||||
try {
|
||||
ssoHandler.initialize(parameterMap);
|
||||
} catch (Exception e) {
|
||||
String msg = "SingleSignOnHandler {0} could not be initialized"; //$NON-NLS-1$
|
||||
msg = MessageFormat.format(msg, ssoHandlerClassName);
|
||||
throw new PrivilegeException(msg, e);
|
||||
}
|
||||
}
|
||||
|
||||
// initialize privilege handler
|
||||
DefaultPrivilegeHandler privilegeHandler = new DefaultPrivilegeHandler();
|
||||
parameterMap = containerModel.getParameterMap();
|
||||
Map<String, Class<PrivilegePolicy>> policyMap = containerModel.getPolicies();
|
||||
try {
|
||||
privilegeHandler.initialize(parameterMap, encryptionHandler, persistenceHandler, challengeHandler,
|
||||
policyMap);
|
||||
privilegeHandler
|
||||
.initialize(parameterMap, encryptionHandler, persistenceHandler, challengeHandler, ssoHandler,
|
||||
policyMap);
|
||||
} catch (Exception e) {
|
||||
String msg = "PrivilegeHandler {0} could not be initialized"; //$NON-NLS-1$
|
||||
msg = MessageFormat.format(msg, privilegeHandler.getClass().getName());
|
||||
|
|
|
@ -68,6 +68,11 @@ public class XmlConstants {
|
|||
*/
|
||||
public static final String XML_HANDLER_ENCRYPTION = "EncryptionHandler";
|
||||
|
||||
/**
|
||||
* XML_HANDLER_ENCRYPTION = "EncryptionHandler" :
|
||||
*/
|
||||
public static final String XML_HANDLER_SSO = "SsoHandler";
|
||||
|
||||
/**
|
||||
* XML_HANDLER_PRIVILEGE = "PrivilegeHandler" :
|
||||
*/
|
||||
|
|
|
@ -27,11 +27,11 @@ import li.strolch.privilege.policy.PrivilegePolicy;
|
|||
/**
|
||||
* This class is used during XML parsing to hold the model before it is properly validated and made accessible through
|
||||
* the {@link PrivilegeHandler}
|
||||
*
|
||||
*
|
||||
* <p>
|
||||
* Note: This is an internal object which is not to be serialized or passed to clients
|
||||
* </p>
|
||||
*
|
||||
*
|
||||
* @author Robert von Burg <eitch@eitchnet.ch>
|
||||
*/
|
||||
public class PrivilegeContainerModel {
|
||||
|
@ -39,10 +39,12 @@ public class PrivilegeContainerModel {
|
|||
private String encryptionHandlerClassName;
|
||||
private String persistenceHandlerClassName;
|
||||
private String userChallengeHandlerClassName;
|
||||
private String ssoHandlerClassName;
|
||||
|
||||
private Map<String, String> encryptionHandlerParameterMap;
|
||||
private Map<String, String> persistenceHandlerParameterMap;
|
||||
private Map<String, String> challengeHandlerParameterMap;
|
||||
private Map<String, String> ssoHandlerParameterMap;
|
||||
|
||||
private Map<String, String> parameterMap;
|
||||
|
||||
|
@ -53,6 +55,7 @@ public class PrivilegeContainerModel {
|
|||
this.encryptionHandlerParameterMap = new HashMap<>();
|
||||
this.persistenceHandlerParameterMap = new HashMap<>();
|
||||
this.challengeHandlerParameterMap = new HashMap<>();
|
||||
this.ssoHandlerParameterMap = new HashMap<>();
|
||||
}
|
||||
|
||||
public Map<String, String> getParameterMap() {
|
||||
|
@ -103,6 +106,14 @@ public class PrivilegeContainerModel {
|
|||
this.userChallengeHandlerClassName = userChallengeHandlerClassName;
|
||||
}
|
||||
|
||||
public String getSsoHandlerClassName() {
|
||||
return this.ssoHandlerClassName;
|
||||
}
|
||||
|
||||
public void setSsoHandlerClassName(String ssoHandlerClassName) {
|
||||
this.ssoHandlerClassName = ssoHandlerClassName;
|
||||
}
|
||||
|
||||
public Map<String, String> getUserChallengeHandlerParameterMap() {
|
||||
return this.challengeHandlerParameterMap;
|
||||
}
|
||||
|
@ -111,6 +122,14 @@ public class PrivilegeContainerModel {
|
|||
this.challengeHandlerParameterMap = challengeHandlerParameterMap;
|
||||
}
|
||||
|
||||
public Map<String, String> getSsoHandlerParameterMap() {
|
||||
return this.ssoHandlerParameterMap;
|
||||
}
|
||||
|
||||
public void setSsoHandlerParameterMap(Map<String, String> ssoHandlerParameterMap) {
|
||||
this.ssoHandlerParameterMap = ssoHandlerParameterMap;
|
||||
}
|
||||
|
||||
public void addPolicy(String privilegeName, String policyClassName) {
|
||||
|
||||
try {
|
||||
|
@ -160,6 +179,8 @@ public class PrivilegeContainerModel {
|
|||
builder.append(this.persistenceHandlerParameterMap.size());
|
||||
builder.append(", challengeHandlerParameterMap=");
|
||||
builder.append(this.challengeHandlerParameterMap.size());
|
||||
builder.append(", ssoHandlerParameterMap=");
|
||||
builder.append(this.ssoHandlerParameterMap.size());
|
||||
builder.append(", parameterMap=");
|
||||
builder.append(this.parameterMap.size());
|
||||
builder.append(", policies=");
|
||||
|
|
|
@ -15,20 +15,20 @@
|
|||
*/
|
||||
package li.strolch.privilege.xml;
|
||||
|
||||
import static li.strolch.privilege.helper.XmlConstants.*;
|
||||
|
||||
import java.io.File;
|
||||
import java.util.Map;
|
||||
import java.util.Map.Entry;
|
||||
|
||||
import org.w3c.dom.Document;
|
||||
import org.w3c.dom.Element;
|
||||
|
||||
import li.strolch.privilege.helper.XmlConstants;
|
||||
import li.strolch.privilege.model.internal.PrivilegeContainerModel;
|
||||
import li.strolch.privilege.policy.PrivilegePolicy;
|
||||
import li.strolch.utils.helper.XmlHelper;
|
||||
import org.w3c.dom.Document;
|
||||
import org.w3c.dom.Element;
|
||||
|
||||
/**
|
||||
* @author Robert von Burg <eitch@eitchnet.ch>
|
||||
*
|
||||
*/
|
||||
public class PrivilegeConfigDomWriter {
|
||||
|
||||
|
@ -36,7 +36,7 @@ public class PrivilegeConfigDomWriter {
|
|||
private final File configFile;
|
||||
|
||||
/**
|
||||
*
|
||||
*
|
||||
*/
|
||||
public PrivilegeConfigDomWriter(PrivilegeContainerModel containerModel, File configFile) {
|
||||
this.containerModel = containerModel;
|
||||
|
@ -44,72 +44,77 @@ public class PrivilegeConfigDomWriter {
|
|||
}
|
||||
|
||||
/**
|
||||
*
|
||||
*
|
||||
*/
|
||||
public void write() {
|
||||
|
||||
// create document root
|
||||
Document doc = XmlHelper.createDocument();
|
||||
Element rootElement = doc.createElement(XmlConstants.XML_ROOT_PRIVILEGE);
|
||||
Element rootElement = doc.createElement(XML_ROOT_PRIVILEGE);
|
||||
doc.appendChild(rootElement);
|
||||
|
||||
Element containerElement = doc.createElement(XmlConstants.XML_CONTAINER);
|
||||
Element containerElement = doc.createElement(XML_CONTAINER);
|
||||
rootElement.appendChild(containerElement);
|
||||
|
||||
Element parameterElement;
|
||||
Element parametersElement;
|
||||
|
||||
// Parameters
|
||||
parametersElement = doc.createElement(XmlConstants.XML_PARAMETERS);
|
||||
containerElement.appendChild(parametersElement);
|
||||
for (Entry<String, String> entry : this.containerModel.getParameterMap().entrySet()) {
|
||||
parameterElement = doc.createElement(XmlConstants.XML_PARAMETER);
|
||||
parameterElement.setAttribute(XmlConstants.XML_ATTR_NAME, entry.getKey());
|
||||
parameterElement.setAttribute(XmlConstants.XML_ATTR_VALUE, entry.getValue());
|
||||
parametersElement.appendChild(parameterElement);
|
||||
}
|
||||
|
||||
// create EncryptionHandler
|
||||
Element encryptionHandlerElem = doc.createElement(XmlConstants.XML_HANDLER_ENCRYPTION);
|
||||
Element encryptionHandlerElem = doc.createElement(XML_HANDLER_ENCRYPTION);
|
||||
containerElement.appendChild(encryptionHandlerElem);
|
||||
encryptionHandlerElem.setAttribute(XmlConstants.XML_ATTR_CLASS,
|
||||
this.containerModel.getEncryptionHandlerClassName());
|
||||
encryptionHandlerElem.setAttribute(XML_ATTR_CLASS, this.containerModel.getEncryptionHandlerClassName());
|
||||
// Parameters
|
||||
parametersElement = doc.createElement(XmlConstants.XML_PARAMETERS);
|
||||
encryptionHandlerElem.appendChild(parametersElement);
|
||||
for (Entry<String, String> entry : this.containerModel.getEncryptionHandlerParameterMap().entrySet()) {
|
||||
parameterElement = doc.createElement(XmlConstants.XML_PARAMETER);
|
||||
parameterElement.setAttribute(XmlConstants.XML_ATTR_NAME, entry.getKey());
|
||||
parameterElement.setAttribute(XmlConstants.XML_ATTR_VALUE, entry.getValue());
|
||||
parametersElement.appendChild(parameterElement);
|
||||
}
|
||||
fillParameterMap(doc, encryptionHandlerElem, this.containerModel.getEncryptionHandlerParameterMap());
|
||||
|
||||
// create PersistenceHandler
|
||||
Element persistenceHandlerElem = doc.createElement(XmlConstants.XML_HANDLER_PERSISTENCE);
|
||||
Element persistenceHandlerElem = doc.createElement(XML_HANDLER_PERSISTENCE);
|
||||
containerElement.appendChild(persistenceHandlerElem);
|
||||
persistenceHandlerElem.setAttribute(XmlConstants.XML_ATTR_CLASS,
|
||||
this.containerModel.getPersistenceHandlerClassName());
|
||||
persistenceHandlerElem.setAttribute(XML_ATTR_CLASS, this.containerModel.getPersistenceHandlerClassName());
|
||||
// Parameters
|
||||
parametersElement = doc.createElement(XmlConstants.XML_PARAMETERS);
|
||||
persistenceHandlerElem.appendChild(parametersElement);
|
||||
for (Entry<String, String> entry : this.containerModel.getPersistenceHandlerParameterMap().entrySet()) {
|
||||
parameterElement = doc.createElement(XmlConstants.XML_PARAMETER);
|
||||
parameterElement.setAttribute(XmlConstants.XML_ATTR_NAME, entry.getKey());
|
||||
parameterElement.setAttribute(XmlConstants.XML_ATTR_VALUE, entry.getValue());
|
||||
parametersElement.appendChild(parameterElement);
|
||||
fillParameterMap(doc, persistenceHandlerElem, this.containerModel.getPersistenceHandlerParameterMap());
|
||||
|
||||
// Parameters
|
||||
fillParameterMap(doc, containerElement, this.containerModel.getParameterMap());
|
||||
|
||||
// create UserChallengeHandler
|
||||
Element userChallengeHandlerElem = doc.createElement(XML_HANDLER_USER_CHALLENGE);
|
||||
containerElement.appendChild(userChallengeHandlerElem);
|
||||
userChallengeHandlerElem.setAttribute(XML_ATTR_CLASS, this.containerModel.getUserChallengeHandlerClassName());
|
||||
// Parameters
|
||||
fillParameterMap(doc, userChallengeHandlerElem, this.containerModel.getUserChallengeHandlerParameterMap());
|
||||
|
||||
// create SingleSignOnHandler
|
||||
if (this.containerModel.getSsoHandlerClassName() != null) {
|
||||
Element ssoHandlerElem = doc.createElement(XML_HANDLER_SSO);
|
||||
containerElement.appendChild(ssoHandlerElem);
|
||||
ssoHandlerElem.setAttribute(XML_ATTR_CLASS, this.containerModel.getSsoHandlerClassName());
|
||||
// Parameters
|
||||
fillParameterMap(doc, ssoHandlerElem, this.containerModel.getSsoHandlerParameterMap());
|
||||
}
|
||||
|
||||
// Policies
|
||||
Element policiesElem = doc.createElement(XmlConstants.XML_POLICIES);
|
||||
Element policiesElem = doc.createElement(XML_POLICIES);
|
||||
rootElement.appendChild(policiesElem);
|
||||
for (Entry<String, Class<PrivilegePolicy>> entry : this.containerModel.getPolicies().entrySet()) {
|
||||
Element policyElem = doc.createElement(XmlConstants.XML_POLICY);
|
||||
policyElem.setAttribute(XmlConstants.XML_ATTR_NAME, entry.getKey());
|
||||
policyElem.setAttribute(XmlConstants.XML_ATTR_CLASS, entry.getValue().getName());
|
||||
Element policyElem = doc.createElement(XML_POLICY);
|
||||
policyElem.setAttribute(XML_ATTR_NAME, entry.getKey());
|
||||
policyElem.setAttribute(XML_ATTR_CLASS, entry.getValue().getName());
|
||||
policiesElem.appendChild(policyElem);
|
||||
}
|
||||
|
||||
// write the container file to disk
|
||||
XmlHelper.writeDocument(doc, this.configFile);
|
||||
}
|
||||
|
||||
private void fillParameterMap(Document doc, Element parent, Map<String, String> parameterMap) {
|
||||
|
||||
if (parameterMap != null && !parameterMap.isEmpty()) {
|
||||
Element parametersElement = doc.createElement(XML_PARAMETERS);
|
||||
for (Entry<String, String> entry : parameterMap.entrySet()) {
|
||||
Element parameterElement = doc.createElement(XML_PARAMETER);
|
||||
parameterElement.setAttribute(XML_ATTR_NAME, entry.getKey());
|
||||
parameterElement.setAttribute(XML_ATTR_VALUE, entry.getValue());
|
||||
parametersElement.appendChild(parameterElement);
|
||||
}
|
||||
|
||||
parent.appendChild(parametersElement);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -105,6 +105,10 @@ public class PrivilegeConfigSaxReader extends DefaultHandler {
|
|||
this.currentElement = qName;
|
||||
String className = attributes.getValue(XmlConstants.XML_ATTR_CLASS);
|
||||
getContainerModel().setUserChallengeHandlerClassName(className);
|
||||
} else if (qName.equals(XmlConstants.XML_HANDLER_SSO)) {
|
||||
this.currentElement = qName;
|
||||
String className = attributes.getValue(XmlConstants.XML_ATTR_CLASS);
|
||||
getContainerModel().setSsoHandlerClassName(className);
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -123,6 +127,8 @@ public class PrivilegeConfigSaxReader extends DefaultHandler {
|
|||
getContainerModel().setPersistenceHandlerParameterMap(parametersChild.getParameterMap());
|
||||
} else if (this.currentElement.equals(XmlConstants.XML_HANDLER_USER_CHALLENGE)) {
|
||||
getContainerModel().setUserChallengeHandlerParameterMap(parametersChild.getParameterMap());
|
||||
} else if (this.currentElement.equals(XmlConstants.XML_HANDLER_SSO)) {
|
||||
getContainerModel().setSsoHandlerParameterMap(parametersChild.getParameterMap());
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -25,8 +25,7 @@ public class AbstractPrivilegeTest {
|
|||
protected void login(String username, char[] password) {
|
||||
Certificate certificate = privilegeHandler.authenticate(username, password);
|
||||
assertTrue("Certificate is null!", certificate != null);
|
||||
PrivilegeContext privilegeContext = privilegeHandler.getPrivilegeContext(certificate);
|
||||
this.ctx = privilegeContext;
|
||||
this.ctx = privilegeHandler.validate(certificate);
|
||||
}
|
||||
|
||||
protected void logout() {
|
||||
|
@ -34,7 +33,7 @@ public class AbstractPrivilegeTest {
|
|||
try {
|
||||
PrivilegeContext privilegeContext = this.ctx;
|
||||
this.ctx = null;
|
||||
privilegeHandler.invalidateSession(privilegeContext.getCertificate());
|
||||
privilegeHandler.invalidate(privilegeContext.getCertificate());
|
||||
} catch (PrivilegeException e) {
|
||||
String msg = "There is no PrivilegeContext currently bound to the ThreadLocal!";
|
||||
if (!e.getMessage().equals(msg))
|
||||
|
@ -43,18 +42,18 @@ public class AbstractPrivilegeTest {
|
|||
}
|
||||
}
|
||||
|
||||
protected static void prepareConfigs(String dst, String configFilename, String usersFilename,
|
||||
String rolesFilename) {
|
||||
protected static void prepareConfigs(String dst,
|
||||
String configFilename,
|
||||
String usersFilename,
|
||||
String rolesFilename) {
|
||||
try {
|
||||
String pwd = System.getProperty("user.dir");
|
||||
|
||||
File configPath = new File(pwd, "config");
|
||||
File configPath = new File("src/test/resources/config");
|
||||
|
||||
File privilegeConfigFile = new File(configPath, configFilename);
|
||||
File privilegeUsersFile = new File(configPath, usersFilename);
|
||||
File privilegeRolesFile = new File(configPath, rolesFilename);
|
||||
|
||||
File targetPath = new File(pwd, "target/" + dst);
|
||||
File targetPath = new File("target/" + dst);
|
||||
if (!targetPath.mkdirs())
|
||||
throw new RuntimeException("Could not create parent " + targetPath);
|
||||
|
||||
|
@ -79,8 +78,7 @@ public class AbstractPrivilegeTest {
|
|||
|
||||
protected static void removeConfigs(String dst) {
|
||||
try {
|
||||
String pwd = System.getProperty("user.dir");
|
||||
File targetPath = new File(pwd, "target");
|
||||
File targetPath = new File("target");
|
||||
targetPath = new File(targetPath, dst);
|
||||
if (targetPath.exists() && !FileHelper.deleteFile(targetPath, true)) {
|
||||
throw new RuntimeException(
|
||||
|
@ -94,8 +92,7 @@ public class AbstractPrivilegeTest {
|
|||
|
||||
protected static File getPrivilegeConfigFile(String dst, String configFilename) {
|
||||
try {
|
||||
String pwd = System.getProperty("user.dir");
|
||||
File targetPath = new File(pwd, "target");
|
||||
File targetPath = new File("target");
|
||||
targetPath = new File(targetPath, dst);
|
||||
return new File(targetPath, configFilename);
|
||||
} catch (Exception e) {
|
||||
|
|
|
@ -38,11 +38,11 @@ public class PersistSessionsTest extends AbstractPrivilegeTest {
|
|||
|
||||
// login and assert sessions file was written
|
||||
login("admin", "admin".toCharArray());
|
||||
this.privilegeHandler.isCertificateValid(ctx.getCertificate());
|
||||
this.privilegeHandler.validate(ctx.getCertificate());
|
||||
assertTrue("Sessions File should have been created!", sessionsFile.isFile());
|
||||
|
||||
// re-initialize and assert still logged in
|
||||
initialize(PersistSessionsTest.class.getSimpleName(), "PrivilegeConfig.xml");
|
||||
this.privilegeHandler.isCertificateValid(ctx.getCertificate());
|
||||
this.privilegeHandler.validate(ctx.getCertificate());
|
||||
}
|
||||
}
|
||||
|
|
|
@ -59,9 +59,9 @@ import li.strolch.utils.helper.ArraysHelper;
|
|||
|
||||
/**
|
||||
* JUnit for performing Privilege tests. This JUnit is by no means complete, but checks the bare minimum.br />
|
||||
*
|
||||
*
|
||||
* TODO add more tests, especially with deny and allow lists
|
||||
*
|
||||
*
|
||||
* @author Robert von Burg <eitch@eitchnet.ch>
|
||||
*/
|
||||
@SuppressWarnings("nls")
|
||||
|
@ -117,9 +117,10 @@ public class PrivilegeTest extends AbstractPrivilegeTest {
|
|||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testFailAuthenticationNOk() throws Exception {
|
||||
this.exception.expect(AccessDeniedException.class);
|
||||
this.exception.expectMessage("blabla");
|
||||
this.exception.expectMessage("User admin failed to authenticate: Password is incorrect for admin");
|
||||
try {
|
||||
login(ADMIN, ArraysHelper.copyOf(PASS_BAD));
|
||||
} finally {
|
||||
|
@ -127,9 +128,10 @@ public class PrivilegeTest extends AbstractPrivilegeTest {
|
|||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testFailAuthenticationPWNull() throws Exception {
|
||||
this.exception.expect(PrivilegeException.class);
|
||||
this.exception.expectMessage("blabla");
|
||||
this.exception.expectMessage("User admin failed to authenticate: A password may not be empty!");
|
||||
try {
|
||||
login(ADMIN, null);
|
||||
} finally {
|
||||
|
@ -324,7 +326,7 @@ public class PrivilegeTest extends AbstractPrivilegeTest {
|
|||
Certificate certificate = this.ctx.getCertificate();
|
||||
|
||||
UserRep selectorRep = new UserRep(null, null, null, null, null,
|
||||
new HashSet<>(Arrays.asList("PrivilegeAdmin")), null, null);
|
||||
new HashSet<>(Collections.singletonList("PrivilegeAdmin")), null, null);
|
||||
List<UserRep> users = this.privilegeHandler.queryUsers(certificate, selectorRep);
|
||||
assertEquals(1, users.size());
|
||||
assertEquals(ADMIN, users.get(0).getUsername());
|
||||
|
@ -341,8 +343,8 @@ public class PrivilegeTest extends AbstractPrivilegeTest {
|
|||
|
||||
Certificate certificate = this.ctx.getCertificate();
|
||||
|
||||
UserRep selectorRep = new UserRep(null, null, null, null, null, new HashSet<>(Arrays.asList(ROLE_TEMP)),
|
||||
null, null);
|
||||
UserRep selectorRep = new UserRep(null, null, null, null, null,
|
||||
new HashSet<>(Collections.singletonList(ROLE_TEMP)), null, null);
|
||||
List<UserRep> users = this.privilegeHandler.queryUsers(certificate, selectorRep);
|
||||
assertEquals(0, users.size());
|
||||
|
||||
|
@ -384,12 +386,13 @@ public class PrivilegeTest extends AbstractPrivilegeTest {
|
|||
public void shouldSetPasswordWithChallenge() {
|
||||
this.privilegeHandler.initiateChallengeFor(Usage.SET_PASSWORD, ADMIN);
|
||||
UserChallenge userChallenge = TestUserChallengeHandler.getInstance().getChallenges().values().stream()
|
||||
.filter(u -> u.getUser().getUsername().equals(ADMIN)).findFirst().get();
|
||||
.filter(u -> u.getUser().getUsername().equals(ADMIN)).findFirst()
|
||||
.orElseThrow(() -> new IllegalStateException("Missing admin user!"));
|
||||
Certificate certificate = this.privilegeHandler.validateChallenge(ADMIN, userChallenge.getChallenge());
|
||||
this.privilegeHandler.setUserPassword(certificate, ADMIN, ArraysHelper.copyOf(PASS_TED));
|
||||
|
||||
try {
|
||||
this.privilegeHandler.isCertificateValid(certificate);
|
||||
this.privilegeHandler.validate(certificate);
|
||||
fail("Certificate should not be valid anymore!");
|
||||
} catch (PrivilegeException e) {
|
||||
// expected
|
||||
|
@ -398,7 +401,7 @@ public class PrivilegeTest extends AbstractPrivilegeTest {
|
|||
// change password back
|
||||
certificate = this.privilegeHandler.authenticate(ADMIN, PASS_TED);
|
||||
this.privilegeHandler.setUserPassword(certificate, ADMIN, ArraysHelper.copyOf(PASS_ADMIN));
|
||||
this.privilegeHandler.invalidateSession(certificate);
|
||||
this.privilegeHandler.invalidate(certificate);
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -651,8 +654,7 @@ public class PrivilegeTest extends AbstractPrivilegeTest {
|
|||
// let's add a new user ted
|
||||
HashSet<String> roles = new HashSet<>();
|
||||
roles.add(ROLE_USER);
|
||||
userRep = new UserRep(null, TED, "Ted", "Newman", UserState.ENABLED, roles, null,
|
||||
new HashMap<String, String>());
|
||||
userRep = new UserRep(null, TED, "Ted", "Newman", UserState.ENABLED, roles, null, new HashMap<>());
|
||||
Certificate certificate = this.ctx.getCertificate();
|
||||
this.privilegeHandler.addUser(certificate, userRep, null);
|
||||
logger.info("Added user " + TED);
|
||||
|
@ -765,7 +767,7 @@ public class PrivilegeTest extends AbstractPrivilegeTest {
|
|||
|
||||
// let's add a new user bob
|
||||
UserRep userRep = new UserRep(null, BOB, "Bob", "Newman", UserState.NEW,
|
||||
new HashSet<>(Arrays.asList(ROLE_MY)), null, new HashMap<String, String>());
|
||||
new HashSet<>(Collections.singletonList(ROLE_MY)), null, new HashMap<>());
|
||||
Certificate certificate = this.ctx.getCertificate();
|
||||
this.privilegeHandler.addUser(certificate, userRep, null);
|
||||
logger.info("Added user " + BOB);
|
||||
|
|
|
@ -0,0 +1,57 @@
|
|||
package li.strolch.privilege.test;
|
||||
|
||||
import java.util.HashMap;
|
||||
import java.util.Map;
|
||||
|
||||
import li.strolch.privilege.model.Certificate;
|
||||
import li.strolch.privilege.model.Restrictable;
|
||||
import li.strolch.privilege.test.model.TestRestrictable;
|
||||
import org.junit.AfterClass;
|
||||
import org.junit.Before;
|
||||
import org.junit.BeforeClass;
|
||||
import org.junit.Test;
|
||||
|
||||
public class SsoHandlerTest extends AbstractPrivilegeTest {
|
||||
|
||||
@BeforeClass
|
||||
public static void init() throws Exception {
|
||||
removeConfigs(SsoHandlerTest.class.getSimpleName());
|
||||
prepareConfigs(SsoHandlerTest.class.getSimpleName(), "PrivilegeConfig.xml", "PrivilegeUsers.xml",
|
||||
"PrivilegeRoles.xml");
|
||||
}
|
||||
|
||||
@AfterClass
|
||||
public static void destroy() throws Exception {
|
||||
removeConfigs(SsoHandlerTest.class.getSimpleName());
|
||||
}
|
||||
|
||||
@Before
|
||||
public void setup() throws Exception {
|
||||
initialize(SsoHandlerTest.class.getSimpleName(), "PrivilegeConfig.xml");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testSsoAdmin() throws Exception {
|
||||
|
||||
try {
|
||||
Map<String, String> data = new HashMap<>();
|
||||
data.put("userId", "admin");
|
||||
data.put("username", "admin");
|
||||
data.put("firstName", "Admin");
|
||||
data.put("lastName", "Istrator");
|
||||
data.put("roles", "PrivilegeAdmin, AppUser");
|
||||
|
||||
// auth
|
||||
Certificate cert = this.privilegeHandler.authenticateSingleSignOn(data);
|
||||
this.ctx = this.privilegeHandler.validate(cert);
|
||||
|
||||
// validate action
|
||||
Restrictable restrictable = new TestRestrictable();
|
||||
this.ctx.validateAction(restrictable);
|
||||
|
||||
} finally {
|
||||
// de-auth
|
||||
logout();
|
||||
}
|
||||
}
|
||||
}
|
|
@ -16,30 +16,13 @@
|
|||
package li.strolch.privilege.test;
|
||||
|
||||
import static org.hamcrest.Matchers.containsInAnyOrder;
|
||||
import static org.junit.Assert.assertEquals;
|
||||
import static org.junit.Assert.assertFalse;
|
||||
import static org.junit.Assert.assertNotNull;
|
||||
import static org.junit.Assert.assertThat;
|
||||
import static org.junit.Assert.assertTrue;
|
||||
import static org.junit.Assert.*;
|
||||
|
||||
import java.io.File;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Arrays;
|
||||
import java.util.Collections;
|
||||
import java.util.HashMap;
|
||||
import java.util.HashSet;
|
||||
import java.util.List;
|
||||
import java.util.Locale;
|
||||
import java.util.Map;
|
||||
import java.util.Set;
|
||||
|
||||
import org.junit.AfterClass;
|
||||
import org.junit.BeforeClass;
|
||||
import org.junit.Test;
|
||||
import org.slf4j.Logger;
|
||||
import org.slf4j.LoggerFactory;
|
||||
import java.util.*;
|
||||
|
||||
import li.strolch.privilege.handler.DefaultEncryptionHandler;
|
||||
import li.strolch.privilege.handler.MailUserChallengeHandler;
|
||||
import li.strolch.privilege.handler.PrivilegeHandler;
|
||||
import li.strolch.privilege.handler.XmlPersistenceHandler;
|
||||
import li.strolch.privilege.model.IPrivilege;
|
||||
|
@ -48,15 +31,16 @@ import li.strolch.privilege.model.internal.PrivilegeContainerModel;
|
|||
import li.strolch.privilege.model.internal.PrivilegeImpl;
|
||||
import li.strolch.privilege.model.internal.Role;
|
||||
import li.strolch.privilege.model.internal.User;
|
||||
import li.strolch.privilege.xml.PrivilegeConfigDomWriter;
|
||||
import li.strolch.privilege.xml.PrivilegeConfigSaxReader;
|
||||
import li.strolch.privilege.xml.PrivilegeRolesDomWriter;
|
||||
import li.strolch.privilege.xml.PrivilegeRolesSaxReader;
|
||||
import li.strolch.privilege.xml.PrivilegeUsersDomWriter;
|
||||
import li.strolch.privilege.xml.PrivilegeUsersSaxReader;
|
||||
import li.strolch.privilege.test.model.DummySsoHandler;
|
||||
import li.strolch.privilege.xml.*;
|
||||
import li.strolch.utils.helper.FileHelper;
|
||||
import li.strolch.utils.helper.StringHelper;
|
||||
import li.strolch.utils.helper.XmlHelper;
|
||||
import org.junit.AfterClass;
|
||||
import org.junit.BeforeClass;
|
||||
import org.junit.Test;
|
||||
import org.slf4j.Logger;
|
||||
import org.slf4j.LoggerFactory;
|
||||
|
||||
/**
|
||||
* @author Robert von Burg <eitch@eitchnet.ch>
|
||||
|
@ -64,12 +48,13 @@ import li.strolch.utils.helper.XmlHelper;
|
|||
@SuppressWarnings("nls")
|
||||
public class XmlTest {
|
||||
|
||||
private static final String TARGET_TEST = "./target/test";
|
||||
private static final String TARGET_TEST = "target/test/";
|
||||
private static final String SRC_TEST = "src/test/resources/config/";
|
||||
private static final Logger logger = LoggerFactory.getLogger(XmlTest.class);
|
||||
|
||||
/**
|
||||
* @throws Exception
|
||||
* if something goes wrong
|
||||
* if something goes wrong
|
||||
*/
|
||||
@BeforeClass
|
||||
public static void init() throws Exception {
|
||||
|
@ -89,17 +74,17 @@ public class XmlTest {
|
|||
if (!tmpDir.exists())
|
||||
return;
|
||||
|
||||
File tmpFile = new File("target/test/PrivilegeTest.xml");
|
||||
File tmpFile = new File(TARGET_TEST + "PrivilegeTest.xml");
|
||||
if (tmpFile.exists() && !tmpFile.delete()) {
|
||||
throw new RuntimeException("Tmp still exists and can not be deleted at " + tmpFile.getAbsolutePath());
|
||||
}
|
||||
|
||||
tmpFile = new File("target/test/PrivilegeUsersTest.xml");
|
||||
tmpFile = new File(TARGET_TEST + "PrivilegeUsersTest.xml");
|
||||
if (tmpFile.exists() && !tmpFile.delete()) {
|
||||
throw new RuntimeException("Tmp still exists and can not be deleted at " + tmpFile.getAbsolutePath());
|
||||
}
|
||||
|
||||
tmpFile = new File("target/test/PrivilegeRolesTest.xml");
|
||||
tmpFile = new File(TARGET_TEST + "PrivilegeRolesTest.xml");
|
||||
if (tmpFile.exists() && !tmpFile.delete()) {
|
||||
throw new RuntimeException("Tmp still exists and can not be deleted at " + tmpFile.getAbsolutePath());
|
||||
}
|
||||
|
@ -115,7 +100,7 @@ public class XmlTest {
|
|||
|
||||
PrivilegeContainerModel containerModel = new PrivilegeContainerModel();
|
||||
PrivilegeConfigSaxReader saxReader = new PrivilegeConfigSaxReader(containerModel);
|
||||
File xmlFile = new File("config/PrivilegeConfig.xml");
|
||||
File xmlFile = new File(SRC_TEST + "PrivilegeConfig.xml");
|
||||
XmlHelper.parseDocument(xmlFile, saxReader);
|
||||
logger.info(containerModel.toString());
|
||||
|
||||
|
@ -153,22 +138,24 @@ public class XmlTest {
|
|||
containerModel.setEncryptionHandlerParameterMap(encryptionHandlerParameterMap);
|
||||
containerModel.setPersistenceHandlerClassName(XmlPersistenceHandler.class.getName());
|
||||
containerModel.setPersistenceHandlerParameterMap(persistenceHandlerParameterMap);
|
||||
containerModel.setUserChallengeHandlerClassName(MailUserChallengeHandler.class.getName());
|
||||
containerModel.setSsoHandlerClassName(DummySsoHandler.class.getName());
|
||||
|
||||
containerModel.addPolicy("DefaultPrivilege", "li.strolch.privilege.policy.DefaultPrivilege");
|
||||
|
||||
File configFile = new File("./target/test/PrivilegeTest.xml");
|
||||
File configFile = new File(TARGET_TEST + "PrivilegeTest.xml");
|
||||
PrivilegeConfigDomWriter configSaxWriter = new PrivilegeConfigDomWriter(containerModel, configFile);
|
||||
configSaxWriter.write();
|
||||
|
||||
String fileHash = StringHelper.toHexString(FileHelper.hashFileSha256(configFile));
|
||||
assertEquals("800b8e42e15b6b3bb425fa9c12a011d587d2b12343a1d1371eaa36dc1b2ea5f4", fileHash);
|
||||
assertEquals("55c1212446707563877009f2090a39ad2fdf5462108109bbe0c10759d100a482", fileHash);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void canReadUsers() {
|
||||
|
||||
PrivilegeUsersSaxReader xmlHandler = new PrivilegeUsersSaxReader();
|
||||
File xmlFile = new File("config/PrivilegeUsers.xml");
|
||||
File xmlFile = new File(SRC_TEST + "PrivilegeUsers.xml");
|
||||
XmlHelper.parseDocument(xmlFile, xmlHandler);
|
||||
|
||||
List<User> users = xmlHandler.getUsers();
|
||||
|
@ -215,7 +202,7 @@ public class XmlTest {
|
|||
public void canReadRoles() {
|
||||
|
||||
PrivilegeRolesSaxReader xmlHandler = new PrivilegeRolesSaxReader();
|
||||
File xmlFile = new File("config/PrivilegeRoles.xml");
|
||||
File xmlFile = new File(SRC_TEST + "PrivilegeRoles.xml");
|
||||
XmlHelper.parseDocument(xmlFile, xmlHandler);
|
||||
|
||||
List<Role> roles = xmlHandler.getRoles();
|
||||
|
@ -253,7 +240,7 @@ public class XmlTest {
|
|||
// AppUser
|
||||
Role appUser = findRole("AppUser", roles);
|
||||
assertEquals("AppUser", appUser.getName());
|
||||
assertEquals(new HashSet<>(Arrays.asList("li.strolch.privilege.test.model.TestRestrictable")),
|
||||
assertEquals(new HashSet<>(Collections.singletonList("li.strolch.privilege.test.model.TestRestrictable")),
|
||||
appUser.getPrivilegeNames());
|
||||
|
||||
IPrivilege testRestrictable = appUser.getPrivilege("li.strolch.privilege.test.model.TestRestrictable");
|
||||
|
@ -267,8 +254,9 @@ public class XmlTest {
|
|||
Role systemAdminPrivileges = findRole("system_admin_privileges", roles);
|
||||
assertEquals("system_admin_privileges", systemAdminPrivileges.getName());
|
||||
assertEquals(2, systemAdminPrivileges.getPrivilegeNames().size());
|
||||
assertThat(systemAdminPrivileges.getPrivilegeNames(), containsInAnyOrder(
|
||||
"li.strolch.privilege.handler.SystemAction", "li.strolch.privilege.test.model.TestSystemRestrictable"));
|
||||
assertThat(systemAdminPrivileges.getPrivilegeNames(),
|
||||
containsInAnyOrder("li.strolch.privilege.handler.SystemAction",
|
||||
"li.strolch.privilege.test.model.TestSystemRestrictable"));
|
||||
|
||||
IPrivilege testSystemUserAction = systemAdminPrivileges
|
||||
.getPrivilege("li.strolch.privilege.handler.SystemAction");
|
||||
|
@ -302,11 +290,6 @@ public class XmlTest {
|
|||
assertThat(testSystemUserAction2.getDenyList(), containsInAnyOrder("goodbye"));
|
||||
}
|
||||
|
||||
/**
|
||||
* @param username
|
||||
* @param users
|
||||
* @return
|
||||
*/
|
||||
private User findUser(String username, List<User> users) {
|
||||
for (User user : users) {
|
||||
if (user.getUsername().equals(username))
|
||||
|
@ -316,11 +299,6 @@ public class XmlTest {
|
|||
throw new RuntimeException("No user exists with username " + username);
|
||||
}
|
||||
|
||||
/**
|
||||
* @param name
|
||||
* @param roles
|
||||
* @return
|
||||
*/
|
||||
private Role findRole(String name, List<Role> roles) {
|
||||
for (Role role : roles) {
|
||||
if (role.getName().equals(name))
|
||||
|
@ -353,7 +331,7 @@ public class XmlTest {
|
|||
UserState.ENABLED, userRoles, Locale.ENGLISH, propertyMap);
|
||||
users.add(user2);
|
||||
|
||||
File modelFile = new File("./target/test/PrivilegeUsersTest.xml");
|
||||
File modelFile = new File(TARGET_TEST + "PrivilegeUsersTest.xml");
|
||||
PrivilegeUsersDomWriter configSaxWriter = new PrivilegeUsersDomWriter(users, modelFile);
|
||||
configSaxWriter.write();
|
||||
|
||||
|
@ -408,7 +386,7 @@ public class XmlTest {
|
|||
Role role2 = new Role("role2", privilegeMap);
|
||||
roles.add(role2);
|
||||
|
||||
File modelFile = new File("./target/test/PrivilegeRolesTest.xml");
|
||||
File modelFile = new File(TARGET_TEST + "PrivilegeRolesTest.xml");
|
||||
PrivilegeRolesDomWriter configSaxWriter = new PrivilegeRolesDomWriter(roles, modelFile);
|
||||
configSaxWriter.write();
|
||||
|
||||
|
|
|
@ -0,0 +1,29 @@
|
|||
package li.strolch.privilege.test.model;
|
||||
|
||||
import java.util.*;
|
||||
import java.util.stream.Collectors;
|
||||
|
||||
import li.strolch.privilege.base.PrivilegeException;
|
||||
import li.strolch.privilege.handler.SingleSignOnHandler;
|
||||
import li.strolch.privilege.model.UserState;
|
||||
import li.strolch.privilege.model.internal.User;
|
||||
|
||||
public class DummySsoHandler implements SingleSignOnHandler {
|
||||
|
||||
@Override
|
||||
public void initialize(Map<String, String> parameterMap) {
|
||||
// do nothing
|
||||
}
|
||||
|
||||
@Override
|
||||
public User authenticateSingleSignOn(Object data) throws PrivilegeException {
|
||||
|
||||
@SuppressWarnings("unchecked")
|
||||
Map<String, String> map = (Map<String, String>) data;
|
||||
|
||||
Set<String> roles = Arrays.stream(map.get("roles").split(",")).map(String::trim).collect(Collectors.toSet());
|
||||
Map<String, String> properties = new HashMap<>();
|
||||
return new User(map.get("userId"), map.get("username"), null, null, map.get("firstName"), map.get("lastName"),
|
||||
UserState.ENABLED, roles, Locale.ENGLISH, properties);
|
||||
}
|
||||
}
|
|
@ -0,0 +1,49 @@
|
|||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<Privilege>
|
||||
|
||||
<Container>
|
||||
|
||||
<Parameters>
|
||||
<!-- parameters for the container itself -->
|
||||
<Parameter name="secretKey" value="5185F447-6317-4856-B40E-573919BA0A16"/>
|
||||
<Parameter name="secretSalt" value="00F6E88C-A64F-410A-8FCF-9CD340E340F7"/>
|
||||
<Parameter name="persistSessions" value="true"/>
|
||||
<Parameter name="persistSessionsPath" value="target/${target}/sessions.dat"/>
|
||||
<Parameter name="autoPersistOnUserChangesData" value="true"/>
|
||||
<Parameter name="privilegeConflictResolution" value="STRICT"/>
|
||||
</Parameters>
|
||||
|
||||
<EncryptionHandler class="li.strolch.privilege.handler.DefaultEncryptionHandler">
|
||||
<Parameters>
|
||||
<!-- WARNING: If you change iterations or keyLength, then all passwords are invalid -->
|
||||
<!-- default algorithm is: PBKDF2WithHmacSHA512 -->
|
||||
<Parameter name="hashAlgorithm" value="PBKDF2WithHmacSHA512"/>
|
||||
<!-- default iterations: 200000 -->
|
||||
<Parameter name="hashIterations" value="10000"/>
|
||||
<!-- default key length: 256 -->
|
||||
<Parameter name="hashKeyLength" value="256"/>
|
||||
</Parameters>
|
||||
</EncryptionHandler>
|
||||
|
||||
<PersistenceHandler class="li.strolch.privilege.handler.XmlPersistenceHandler">
|
||||
<Parameters>
|
||||
<Parameter name="basePath" value="target/${target}"/>
|
||||
<Parameter name="usersXmlFile" value="PrivilegeUsers.xml"/>
|
||||
<Parameter name="rolesXmlFile" value="PrivilegeRoles.xml"/>
|
||||
</Parameters>
|
||||
</PersistenceHandler>
|
||||
|
||||
<UserChallengeHandler class="li.strolch.privilege.test.model.TestUserChallengeHandler">
|
||||
</UserChallengeHandler>
|
||||
|
||||
<SsoHandler class="li.strolch.privilege.test.model.DummySsoHandler"/>
|
||||
|
||||
</Container>
|
||||
|
||||
<Policies>
|
||||
<Policy name="DefaultPrivilege" class="li.strolch.privilege.policy.DefaultPrivilege"/>
|
||||
<Policy name="RoleAccessPrivilege" class="li.strolch.privilege.policy.RoleAccessPrivilege"/>
|
||||
<Policy name="UserAccessPrivilege" class="li.strolch.privilege.policy.UserAccessPrivilege"/>
|
||||
</Policies>
|
||||
|
||||
</Privilege>
|
|
@ -23,7 +23,7 @@
|
|||
|
||||
<PersistenceHandler class="li.strolch.privilege.handler.XmlPersistenceHandler">
|
||||
<Parameters>
|
||||
<Parameter name="basePath" value="./target/${target}" />
|
||||
<Parameter name="basePath" value="target/${target}" />
|
||||
<Parameter name="usersXmlFile" value="PrivilegeUsersMerge.xml" />
|
||||
<Parameter name="rolesXmlFile" value="PrivilegeRolesMerge.xml" />
|
||||
</Parameters>
|
|
@ -116,7 +116,7 @@ public class DefaultStrolchSessionHandler extends StrolchComponent implements St
|
|||
} else if (this.certificateMap != null) {
|
||||
synchronized (this.certificateMap) {
|
||||
for (Certificate certificate : this.certificateMap.values()) {
|
||||
this.privilegeHandler.invalidateSession(certificate);
|
||||
this.privilegeHandler.invalidate(certificate);
|
||||
}
|
||||
this.certificateMap.clear();
|
||||
}
|
||||
|
@ -154,14 +154,13 @@ public class DefaultStrolchSessionHandler extends StrolchComponent implements St
|
|||
throw new StrolchNotAuthenticatedException(
|
||||
MessageFormat.format("No certificate exists for sessionId {0}", authToken)); //$NON-NLS-1$
|
||||
|
||||
return validate(certificate);
|
||||
return validate(certificate).getCertificate();
|
||||
}
|
||||
|
||||
@Override
|
||||
public Certificate validate(Certificate certificate) throws StrolchNotAuthenticatedException {
|
||||
public PrivilegeContext validate(Certificate certificate) throws StrolchNotAuthenticatedException {
|
||||
try {
|
||||
this.privilegeHandler.isCertificateValid(certificate);
|
||||
return certificate;
|
||||
return this.privilegeHandler.validate(certificate);
|
||||
} catch (PrivilegeException e) {
|
||||
throw new StrolchNotAuthenticatedException(e.getMessage(), e);
|
||||
}
|
||||
|
@ -176,7 +175,7 @@ public class DefaultStrolchSessionHandler extends StrolchComponent implements St
|
|||
logger.error(MessageFormat
|
||||
.format("No session was registered with token {0}", certificate.getAuthToken())); //$NON-NLS-1$
|
||||
|
||||
this.privilegeHandler.invalidateSession(certificate);
|
||||
this.privilegeHandler.invalidate(certificate);
|
||||
}
|
||||
|
||||
@Override
|
||||
|
@ -255,7 +254,7 @@ public class DefaultStrolchSessionHandler extends StrolchComponent implements St
|
|||
|
||||
@Override
|
||||
public UserSession getSession(Certificate certificate, String sessionId) {
|
||||
PrivilegeContext ctx = this.privilegeHandler.getPrivilegeContext(certificate);
|
||||
PrivilegeContext ctx = this.privilegeHandler.validate(certificate);
|
||||
ctx.assertHasPrivilege(PRIVILEGE_GET_SESSION);
|
||||
synchronized (this.certificateMap) {
|
||||
for (Certificate cert : certificateMap.values()) {
|
||||
|
@ -271,7 +270,7 @@ public class DefaultStrolchSessionHandler extends StrolchComponent implements St
|
|||
|
||||
@Override
|
||||
public List<UserSession> getSessions(Certificate certificate) {
|
||||
PrivilegeContext ctx = this.privilegeHandler.getPrivilegeContext(certificate);
|
||||
PrivilegeContext ctx = this.privilegeHandler.validate(certificate);
|
||||
ctx.assertHasPrivilege(PRIVILEGE_GET_SESSION);
|
||||
List<UserSession> sessions = new ArrayList<>(this.certificateMap.size());
|
||||
synchronized (this.certificateMap) {
|
||||
|
@ -289,8 +288,8 @@ public class DefaultStrolchSessionHandler extends StrolchComponent implements St
|
|||
}
|
||||
|
||||
@Override
|
||||
public void invalidateSession(Certificate certificate, String sessionId) {
|
||||
PrivilegeContext ctx = this.privilegeHandler.getPrivilegeContext(certificate);
|
||||
public void invalidate(Certificate certificate, String sessionId) {
|
||||
PrivilegeContext ctx = this.privilegeHandler.validate(certificate);
|
||||
ctx.assertHasPrivilege(PRIVILEGE_INVALIDATE_SESSION);
|
||||
|
||||
Map<String, Certificate> map;
|
||||
|
|
|
@ -21,6 +21,7 @@ import java.util.Locale;
|
|||
import li.strolch.exception.StrolchNotAuthenticatedException;
|
||||
import li.strolch.privilege.base.PrivilegeException;
|
||||
import li.strolch.privilege.model.Certificate;
|
||||
import li.strolch.privilege.model.PrivilegeContext;
|
||||
import li.strolch.privilege.model.Usage;
|
||||
import li.strolch.rest.model.UserSession;
|
||||
|
||||
|
@ -29,46 +30,46 @@ import li.strolch.rest.model.UserSession;
|
|||
*/
|
||||
public interface StrolchSessionHandler {
|
||||
|
||||
public Certificate authenticate(String username, char[] password);
|
||||
Certificate authenticate(String username, char[] password);
|
||||
|
||||
public Certificate validate(String authToken) throws StrolchNotAuthenticatedException;
|
||||
Certificate validate(String authToken) throws StrolchNotAuthenticatedException;
|
||||
|
||||
public Certificate validate(Certificate certificate) throws StrolchNotAuthenticatedException;
|
||||
PrivilegeContext validate(Certificate certificate) throws StrolchNotAuthenticatedException;
|
||||
|
||||
public void invalidate(Certificate certificate);
|
||||
List<UserSession> getSessions(Certificate certificate);
|
||||
|
||||
public List<UserSession> getSessions(Certificate certificate);
|
||||
UserSession getSession(Certificate certificate, String sessionId);
|
||||
|
||||
public UserSession getSession(Certificate certificate, String sessionId);
|
||||
void invalidate(Certificate certificate);
|
||||
|
||||
public void invalidateSession(Certificate certificate, String sessionId);
|
||||
void invalidate(Certificate certificate, String sessionId);
|
||||
|
||||
public void setSessionLocale(Certificate certificate, String sessionId, Locale locale);
|
||||
void setSessionLocale(Certificate certificate, String sessionId, Locale locale);
|
||||
|
||||
/**
|
||||
* Initiate a password reset challenge for the given username
|
||||
*
|
||||
*
|
||||
* @param usage
|
||||
* the usage for which the challenge is requested
|
||||
* the usage for which the challenge is requested
|
||||
* @param username
|
||||
* the username of the user to initiate the challenge for
|
||||
* the username of the user to initiate the challenge for
|
||||
*/
|
||||
public void initiateChallengeFor(Usage usage, String username);
|
||||
void initiateChallengeFor(Usage usage, String username);
|
||||
|
||||
/**
|
||||
* Validate the response of a challenge for the given username
|
||||
*
|
||||
*
|
||||
* @param username
|
||||
* the username of the user for which the challenge is to be validated
|
||||
* the username of the user for which the challenge is to be validated
|
||||
* @param challenge
|
||||
* the challenge from the user
|
||||
*
|
||||
* the challenge from the user
|
||||
*
|
||||
* @return certificate with which the user can access the system with the {@link Usage} set to the value from the
|
||||
* initiated challenge
|
||||
*
|
||||
* initiated challenge
|
||||
*
|
||||
* @throws PrivilegeException
|
||||
* if anything goes wrong
|
||||
* if anything goes wrong
|
||||
*/
|
||||
public Certificate validateChallenge(String username, String challenge) throws PrivilegeException;
|
||||
Certificate validateChallenge(String username, String challenge) throws PrivilegeException;
|
||||
|
||||
}
|
||||
|
|
|
@ -93,7 +93,7 @@ public class AuthenticationService {
|
|||
|
||||
PrivilegeHandler privilegeHandler = RestfulStrolchComponent.getInstance().getContainer()
|
||||
.getPrivilegeHandler();
|
||||
PrivilegeContext privilegeContext = privilegeHandler.getPrivilegeContext(certificate);
|
||||
PrivilegeContext privilegeContext = privilegeHandler.validate(certificate);
|
||||
loginResult.addProperty("sessionId", certificate.getSessionId());
|
||||
loginResult.addProperty("authToken", certificate.getAuthToken());
|
||||
loginResult.addProperty("username", certificate.getUsername());
|
||||
|
|
|
@ -68,7 +68,7 @@ public class UserSessionsService {
|
|||
Certificate cert = (Certificate) request.getAttribute(StrolchRestfulConstants.STROLCH_CERTIFICATE);
|
||||
logger.info("[" + cert.getUsername() + "] Invalidating session " + sessionId);
|
||||
StrolchSessionHandler sessionHandler = RestfulStrolchComponent.getInstance().getSessionHandler();
|
||||
sessionHandler.invalidateSession(cert, sessionId);
|
||||
sessionHandler.invalidate(cert, sessionId);
|
||||
return ResponseUtil.toResponse();
|
||||
}
|
||||
|
||||
|
|
|
@ -43,7 +43,7 @@ public class GreetingServiceTest extends AbstractServiceTest {
|
|||
greetingArgument);
|
||||
assertThat(greetingResult.getGreeting(), containsString("Hello Robert. Nice to meet you!")); //$NON-NLS-1$
|
||||
} finally {
|
||||
runtimeMock.getPrivilegeHandler().invalidateSession(certificate);
|
||||
runtimeMock.getPrivilegeHandler().invalidate(certificate);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -58,16 +58,17 @@ public class ServiceTest extends AbstractServiceTest {
|
|||
public void shouldFailInvalidCertificate1() {
|
||||
this.thrown.expect(PrivilegeException.class);
|
||||
TestService testService = new TestService();
|
||||
getServiceHandler().doService(new Certificate(null, null, null, null, null, null, null, new Date(), null,
|
||||
new HashSet<String>(), null), testService);
|
||||
getServiceHandler().doService(
|
||||
new Certificate(null, null, null, null, null, null, null, new Date(), null, new HashSet<>(), null),
|
||||
testService);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void shouldFailInvalidCertificate2() {
|
||||
TestService testService = new TestService();
|
||||
Certificate badCert = new Certificate(Usage.ANY, "1", "bob", "Bob", "Brown", UserState.ENABLED, "dsdf", //$NON-NLS-1$//$NON-NLS-2$//$NON-NLS-3$
|
||||
new Date(), null,
|
||||
new HashSet<String>(), null);
|
||||
Certificate badCert = new Certificate(Usage.ANY, "1", "bob", "Bob", "Brown", UserState.ENABLED, "dsdf",
|
||||
//$NON-NLS-1$//$NON-NLS-2$//$NON-NLS-3$
|
||||
new Date(), null, new HashSet<>(), null);
|
||||
ServiceResult svcResult = getServiceHandler().doService(badCert, testService);
|
||||
assertThat(svcResult.getThrowable(), instanceOf(NotAuthenticatedException.class));
|
||||
}
|
||||
|
@ -75,21 +76,23 @@ public class ServiceTest extends AbstractServiceTest {
|
|||
@Test
|
||||
public void shouldFailWithNoAccess() {
|
||||
|
||||
Certificate certificate = runtimeMock.getPrivilegeHandler().authenticate("jill", "jill".toCharArray()); //$NON-NLS-1$//$NON-NLS-2$
|
||||
Certificate certificate = runtimeMock.getPrivilegeHandler()
|
||||
.authenticate("jill", "jill".toCharArray()); //$NON-NLS-1$//$NON-NLS-2$
|
||||
try {
|
||||
TestService testService = new TestService();
|
||||
ServiceResult svcResult = getServiceHandler().doService(certificate, testService);
|
||||
assertThat(svcResult.getMessage(),
|
||||
containsString("User jill does not have the privilege li.strolch.service.api.Service")); //$NON-NLS-1$
|
||||
assertThat(svcResult.getMessage(), containsString(
|
||||
"User jill does not have the privilege li.strolch.service.api.Service")); //$NON-NLS-1$
|
||||
assertThat(svcResult.getThrowable(), instanceOf(AccessDeniedException.class));
|
||||
} finally {
|
||||
runtimeMock.getPrivilegeHandler().invalidateSession(certificate);
|
||||
runtimeMock.getPrivilegeHandler().invalidate(certificate);
|
||||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
public void shouldNotFailWithAccess() {
|
||||
Certificate certificate = runtimeMock.getPrivilegeHandler().authenticate("jill", "jill".toCharArray()); //$NON-NLS-1$//$NON-NLS-2$
|
||||
Certificate certificate = runtimeMock.getPrivilegeHandler()
|
||||
.authenticate("jill", "jill".toCharArray()); //$NON-NLS-1$//$NON-NLS-2$
|
||||
try {
|
||||
GreetingService service = new GreetingService();
|
||||
GreetingArgument argument = new GreetingArgument();
|
||||
|
@ -97,25 +100,27 @@ public class ServiceTest extends AbstractServiceTest {
|
|||
GreetingResult greetingResult = getServiceHandler().doService(certificate, service, argument);
|
||||
assertThat(greetingResult.getGreeting(), equalTo("Hello Jill. Nice to meet you!")); //$NON-NLS-1$
|
||||
} finally {
|
||||
runtimeMock.getPrivilegeHandler().invalidateSession(certificate);
|
||||
runtimeMock.getPrivilegeHandler().invalidate(certificate);
|
||||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
public void shouldNotFailWithLogin1() {
|
||||
|
||||
Certificate certificate = runtimeMock.getPrivilegeHandler().authenticate("bob", "bob".toCharArray()); //$NON-NLS-1$//$NON-NLS-2$
|
||||
Certificate certificate = runtimeMock.getPrivilegeHandler()
|
||||
.authenticate("bob", "bob".toCharArray()); //$NON-NLS-1$//$NON-NLS-2$
|
||||
try {
|
||||
TestService testService = new TestService();
|
||||
getServiceHandler().doService(certificate, testService);
|
||||
} finally {
|
||||
runtimeMock.getPrivilegeHandler().invalidateSession(certificate);
|
||||
runtimeMock.getPrivilegeHandler().invalidate(certificate);
|
||||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
public void shouldNotFailWithLogin2() {
|
||||
Certificate certificate = runtimeMock.getPrivilegeHandler().authenticate("bob", "bob".toCharArray()); //$NON-NLS-1$//$NON-NLS-2$
|
||||
Certificate certificate = runtimeMock.getPrivilegeHandler()
|
||||
.authenticate("bob", "bob".toCharArray()); //$NON-NLS-1$//$NON-NLS-2$
|
||||
try {
|
||||
GreetingService service = new GreetingService();
|
||||
GreetingArgument argument = new GreetingArgument();
|
||||
|
@ -123,7 +128,7 @@ public class ServiceTest extends AbstractServiceTest {
|
|||
GreetingResult greetingResult = getServiceHandler().doService(certificate, service, argument);
|
||||
assertThat(greetingResult.getGreeting(), equalTo("Hello Bob. Nice to meet you!")); //$NON-NLS-1$
|
||||
} finally {
|
||||
runtimeMock.getPrivilegeHandler().invalidateSession(certificate);
|
||||
runtimeMock.getPrivilegeHandler().invalidate(certificate);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -89,7 +89,7 @@ public class RuntimeMock {
|
|||
}
|
||||
|
||||
public boolean logout(Certificate cert) {
|
||||
return getPrivilegeHandler().invalidateSession(cert);
|
||||
return getPrivilegeHandler().invalidate(cert);
|
||||
}
|
||||
|
||||
public RuntimeMock mockRuntime(String targetPath, String srcPath) {
|
||||
|
@ -235,8 +235,7 @@ public class RuntimeMock {
|
|||
} catch (Exception e) {
|
||||
throw new IllegalStateException("Failed to read " + StrolchAgent.AGENT_VERSION_PROPERTIES, e);
|
||||
}
|
||||
StrolchVersion version = new StrolchVersion(properties);
|
||||
return version;
|
||||
return new StrolchVersion(properties);
|
||||
}
|
||||
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue