com.xmlserv.security
Class SecurityManager

java.lang.Object
  |
  +--com.xmlserv.security.SecurityManager
Direct Known Subclasses:
RoleSecurityManager

public class SecurityManager
extends java.lang.Object

This is currently the intended base class for all SecurityManager implementations. Warning: Default is 'allow' ... It defines objects and methods intended for a role-based security system incorporating the following objects:

A User can have several different roles, but to keep the setup clean and understandable a 1:1 relationship between User and Role is preferable.
The first step in the process of checking access rights for a user is to call authenticate() to create a User object (most likely to be stored in the session context). This User object can later on be used to check for specific authorizations using authorize().
The access rights are similar to an SQL Database. The following values are defined as constants in this implementation:
The following should outline the processing to be implemented in a SecurityManager that actually controls access (for example RoleSecurityManager):
  1. The Servlet calls the doLogin() method before processing the request.
  2. If SecurityManager cannot find a SecurityManager.User object in the session context it will look for login parameters in the Request object passed in.
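
A fail-closed way to drive the sequence described above, written as an added example that is not part of the xmlserv code base. It assumes the library is on the classpath and that SecurityManagerException lives in com.xmlserv.security; AccessGuard and isAllowed are hypothetical names.

```java
import javax.servlet.ServletContext;
import javax.servlet.http.HttpServletRequest;

import com.xmlserv.security.SecurityManager;
// Assumption: the exception class is in the same package as SecurityManager.
import com.xmlserv.security.SecurityManagerException;

/** Hypothetical helper (not part of xmlserv): fail-closed access check. */
public final class AccessGuard {
    private final SecurityManager sm;

    public AccessGuard(SecurityManager sm) {
        // The base class is documented as default-allow and its doLogin()
        // always returns null, so it must never guard a real resource.
        if (sm == null || sm.getClass() == SecurityManager.class) {
            throw new IllegalArgumentException(
                "an enforcing subclass such as RoleSecurityManager is required");
        }
        this.sm = sm;
    }

    /**
     * @param access one of SecurityManager.SELECT, INSERT, UPDATE, DELETE
     * @return true only if login, user validation and authorization all succeed
     */
    public boolean isAllowed(ServletContext ctx, HttpServletRequest req,
                             String resourceName, String access) {
        try {
            // Steps 1-2: doLogin() returns null once a User is in the session.
            if (sm.doLogin(ctx, req) != null) {
                return false;
            }
            SecurityManager.User user = sm.getUserObj(req);
            // Reject User objects this manager did not issue.
            if (user == null || !sm.validate(user)) {
                return false;
            }
            SecurityManager.Resource resource = sm.getResource(resourceName);
            SecurityManager.Authorization auth = sm.authorize(user, resource, access);
            // authorize() throws on denial; also re-check the returned object.
            return auth != null && sm.validate(auth);
        } catch (SecurityManagerException e) {
            return false; // any failure means no access
        }
    }
}
```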

Version:
$Id: SecurityManager.java,v 1.25 2002/12/11 18:00:14 muecke Exp $
Author:
Wolfram Saringer

Inner Class Summary
 class SecurityManager.AccessRight
          Abstraction of access to a resource.
 class SecurityManager.Authorization
          Abstraction of authorization.
 class SecurityManager.Resource
          Inner class encapsulating a named resource.
 class SecurityManager.Role
          A role is a collection of access rights.
 class SecurityManager.User
          This inner class encapsulates user credentials.
 
Field Summary
static java.lang.String DELETE
          Remove an object.
static java.lang.String INSERT
          Create a new object.
static java.lang.String SELECT
          Constant signifying SEARCH access: List objects and read object data.
static java.lang.String UPDATE
          Update an existing object.
 
Constructor Summary
SecurityManager()
          Empty default constructor.
 
Method Summary
 org.jdom.Element addACL(org.jdom.Element el, SecurityManager.Resource resource, SecurityManager.User user)
          Add the ACL attributes can_select, can_insert, can_update and can_delete according to the given user's access rights on the given resource.
 SecurityManager.User authenticate(java.lang.String username, java.lang.String password)
          Check if a valid user account/password combination is given.
 SecurityManager.Authorization authorize(SecurityManager.User user, SecurityManager.Resource resource, java.lang.String access)
          Check if the given SecurityManager.User is authorized to access the named resource.
 void destroy()
          Free resources (such as DB connections) held by this SecurityManager.
 java.lang.String doLogin(javax.servlet.ServletContext context, javax.servlet.http.HttpServletRequest req)
          Handle login.
 SecurityManager.Resource getResource(java.lang.String identifier)
          Create a Resource object for the given resource.
 java.lang.String getUser(javax.servlet.http.HttpServletRequest req)
          Return the uid of the authenticated user.
 SecurityManager.User getUserById(int id)
          Load a user object identified by its numeric ID.
 java.lang.String getUserID(javax.servlet.http.HttpServletRequest req)
          Return the numeric user id of the authenticated user.
 SecurityManager.User getUserObj(javax.servlet.http.HttpServletRequest req)
          Return the SecurityManager.User object of the authenticated user.
 java.lang.String getUserRoleGroup(javax.servlet.http.HttpServletRequest req)
          Get the RoleGroup for the logged in user.
 int getUserRoleGroupId(javax.servlet.http.HttpServletRequest req)
          Get numeric RoleGroup ID.
 org.jdom.Element getUserStatus(javax.servlet.http.HttpServletRequest req)
          Get an org.jdom.Element describing the user status.
 boolean hasAuth(SecurityManager.User user, SecurityManager.Resource resource, java.lang.String access)
          Utility method to check for an authorization.
 void init()
          Initialize SecurityManager.
 boolean isAnon(SecurityManager.User userobj)
          Check if the given userobj is an anonymous login.
 void logout(javax.servlet.http.HttpServletRequest req)
          Destroy any login information in the user's session.
 void signout(SecurityManager.Authorization authorization)
          Invalidate an authorization object issued by this SecurityManager.
 org.jdom.Element toUserStatus(javax.servlet.http.HttpServletRequest req, int id)
          Get a user status Element for the given userid.
 boolean validate(SecurityManager.Authorization authorization)
          Check whether this Authorization object was actually created by this SecurityManager and is still valid.
 boolean validate(SecurityManager.User userobj)
          Check whether this User object was actually created by this SecurityManager.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

SELECT

public static final java.lang.String SELECT
Constant signifying SEARCH access: List objects and read object data.

INSERT

public static final java.lang.String INSERT
Create a new object.

UPDATE

public static final java.lang.String UPDATE
Update an existing object.

DELETE

public static final java.lang.String DELETE
Remove an object.

Constructor Detail

SecurityManager

public SecurityManager()
Empty default constructor.

Method Detail

init

public void init()
          throws SecurityManagerException
Initialize SecurityManager.

destroy

public void destroy()
Free resources (such as DB connections) held by this SecurityManager.

doLogin

public java.lang.String doLogin(javax.servlet.ServletContext context,
                                javax.servlet.http.HttpServletRequest req)
Handle login. This involves several steps: Check whether a SecurityManager.User object exists in the session context. If not, check if username (sm_username) and password (sm_password) are given in the request. In this case authenticate() is called to create a SecurityManager.User object which is placed in the session context. If login data is missing an error document is returned.
Parameters:
context - The servlet context.
req - The original request.
Returns:
null if login is completed, an error document otherwise. This default implementation always returns null.

authenticate

public SecurityManager.User authenticate(java.lang.String username,
                                         java.lang.String password)
                                  throws SecurityManagerException
Check if a valid user account/password combination is given.
Parameters:
username - The username.
password - The password.
Returns:
A SecurityManager.User instance upon successful authentication.
Throws:
SecurityManagerException - When invalid account credentials are given.

getUserById

public SecurityManager.User getUserById(int id)
                                 throws SecurityManagerException
Load a user object identified by its numeric ID.

authorize

public SecurityManager.Authorization authorize(SecurityManager.User user,
                                               SecurityManager.Resource resource,
                                               java.lang.String access)
                                        throws SecurityManagerException
Check if the given SecurityManager.User is authorized to access the named resource.
Parameters:
user - The SecurityManager.User object as returned by authenticate().
resource - The named resource.
access - One of the defined access methods.
Returns:
An Authorization object upon successful authorization.
Throws:
SecurityManagerException - When access is denied.

hasAuth

public boolean hasAuth(SecurityManager.User user,
                       SecurityManager.Resource resource,
                       java.lang.String access)
Utility method to check for an authorization.
Parameters:
user - The SecurityManager.User object as returned by authenticate().
resource - The named resource.
access - One of the defined access methods.
Returns:
true if the authorization is granted, false otherwise.

isAnon

public boolean isAnon(SecurityManager.User userobj)
Check if the given userobj is an anonymous login.

getUserStatus

public org.jdom.Element getUserStatus(javax.servlet.http.HttpServletRequest req)
Get an org.jdom.Element describing the user status. This element contains the following info:
Parameters:
req - The servlet request object.
Returns:
org.jdom.Element with user status info.

toUserStatus

public org.jdom.Element toUserStatus(javax.servlet.http.HttpServletRequest req,
                                     int id)
Get a user status Element for the given userid. The subelement 'authenticated' is only present if this is the currently logged in user.
Parameters:
id - The numeric user ID.

addACL

public org.jdom.Element addACL(org.jdom.Element el,
                               SecurityManager.Resource resource,
                               SecurityManager.User user)
Add the ACL attributes can_select, can_insert, can_update and can_delete according to the given user's access rights on the given resource.

validate

public boolean validate(SecurityManager.User userobj)
Check whether this User object was actually created by this SecurityManager. If this cannot be verified (by using a cache e.g.), information should be validated against authoritative user data (the backend DB, the LDAP server etc.).
Parameters:
userobj - The SecurityManager.User instance to validate.
Returns:
boolean indicating success (true) or failure (false).

validate

public boolean validate(SecurityManager.Authorization authorization)
Check whether this Authorization object was actually created by this SecurityManager and is still valid.
Parameters:
authorization - The SecurityManager.Authorization instance to validate.
Returns:
boolean indicating success (true) or failure (false).

signout

public void signout(SecurityManager.Authorization authorization)
Invalidate an authorization object issued by this SecurityManager.
Parameters:
authorization - The SecurityManager.Authorization object.

logout

public void logout(javax.servlet.http.HttpServletRequest req)
Destroy any login information in the user's session.
Parameters:
req - The HTTP request carrying the session context.

getUser

public java.lang.String getUser(javax.servlet.http.HttpServletRequest req)
                         throws SecurityManagerException
Return the uid of the authenticated user.
Parameters:
req - The HTTP request.
Returns:
The UID as a String.

getUserID

public java.lang.String getUserID(javax.servlet.http.HttpServletRequest req)
                           throws SecurityManagerException
Return the numeric user id of the authenticated user.
Parameters:
req - The HTTP request.
Returns:
The UID as a String.

getUserObj

public SecurityManager.User getUserObj(javax.servlet.http.HttpServletRequest req)
                                throws SecurityManagerException
Return the SecurityManager.User object of the authenticated user.
Parameters:
req - The HTTP request.
Returns:
The SecurityManager.User instance.
Throws:
SecurityManagerException - Upon failure.

getUserRoleGroup

public java.lang.String getUserRoleGroup(javax.servlet.http.HttpServletRequest req)
                                  throws SecurityManagerException
Get the RoleGroup for the logged in user.
Returns:
An empty String in case no RoleGroup is set, the RoleGroup name otherwise.

getUserRoleGroupId

public int getUserRoleGroupId(javax.servlet.http.HttpServletRequest req)
                       throws SecurityManagerException
Get numeric RoleGroup ID.

getResource

public SecurityManager.Resource getResource(java.lang.String identifier)
Create a Resource object for the given resource.
Parameters:
identifier - The resource identifier (name).
Returns:
A SecurityManager.Resource instance.