com.xmlserv.security
Class SecurityManager

java.lang.Object
  |
  +--com.xmlserv.security.SecurityManager

Direct Known Subclasses:

RoleSecurityManager

public class SecurityManager

extends java.lang.Object

This is currently the intended Baseclass for all SecurityManager implementations. Warning: Default is 'allow' ... It defines objects and methods intended for a role-based security system incorporating the following objects:

• A User is the basic entity of authentication.
• A Resource is the basic entity which access is granted/denied to.
• An AccessRight is a specific access to a resource (i.e. UPDATE/Document)
• A Role is a collection of AccessRight objects.

A User can have several different roles, but to keep the setup clean and understandable a 1:1 relationship between User and Role is preferable.
The first step in the process of checking access rights for a user is to call authenticate() to create a User object (most likely to be stored in the session context). This User object can later on be used to check for specific authorizations using authorize().
The access rights are similar to an SQL Database. The following values are defined as constants in this implementation:

• SELECT: Get a listing of objects.
• INSERT: Create a new object.
• UPDATE: Change an existing object.
• DELETE: Remove an object.

The following should outline the processing to be implemented in a SecurityManager that actually controls access (for example RoleSecurityManager):

1. The Servlet calls the doLogin() method before processing the request.
2. If SecurityManager cannot find a SecurityManager.User object in the session context it will look for login parameters in the Request object passed in.
   • If login parameters are found (their name/number/datatype etc. is solely used in the subclass implementing this security policy) a SecurityManager.User object must be placed in the SessionContext (also passed in).

Version:

$Id: SecurityManager.java,v 1.25 2002/12/11 18:00:14 muecke Exp $

Author:

Wolfram Saringer

Inner Class Summary

class	SecurityManager.AccessRight Abstraction of access to a resource.
class	SecurityManager.Authorization Abstraction of authorization.
class	SecurityManager.Resource Inner class encapsulating a named resource.
class	SecurityManager.Role A role is a collection of access rights.
class	SecurityManager.User This inner class encapsulates user credentials.

Field Summary

static java.lang.String	DELETE Remove an object.
static java.lang.String	INSERT Create a new object.
static java.lang.String	SELECT Constant signifying SEARCH access: List objects and read object data.
static java.lang.String	UPDATE Update an existing object.

Constructor Summary

SecurityManager()
Empty default constructor.

Method Summary

org.jdom.Element	addACL(org.jdom.Element el, SecurityManager.Resource resource, SecurityManager.User user) Add the ACL attributes can_select, can_isnert, can_update and can_delete according to the given users access rights on the given resource.
SecurityManager.User	authenticate(java.lang.String username, java.lang.String password) Check if a valid user account/password combination is given.
SecurityManager.Authorization	authorize(SecurityManager.User user, SecurityManager.Resource resource, java.lang.String access) Check if the given SecurityManager.User is authorized to access the named resource.
void	destroy() Free resources (such as DB connections) held by this SecurityManager.
java.lang.String	doLogin(javax.servlet.ServletContext context, javax.servlet.http.HttpServletRequest req) Handle login.
SecurityManager.Resource	getResource(java.lang.String identifier) Create a Resource object for the given resource.
java.lang.String	getUser(javax.servlet.http.HttpServletRequest req) Return the uid of the authenticated user.
SecurityManager.User	getUserById(int id) Load a user object identified by its numeric ID.
java.lang.String	getUserID(javax.servlet.http.HttpServletRequest req) Return the numeric user id of the authenticated user.
SecurityManager.User	getUserObj(javax.servlet.http.HttpServletRequest req) Return the SecurityManager.User object of the authenticated user.
java.lang.String	getUserRoleGroup(javax.servlet.http.HttpServletRequest req) Get the RoleGroup for the logged in user.
int	getUserRoleGroupId(javax.servlet.http.HttpServletRequest req) Get numeric RoleGroup ID.
org.jdom.Element	getUserStatus(javax.servlet.http.HttpServletRequest req) Get an org.jdom.Element describing the user status.
boolean	hasAuth(SecurityManager.User user, SecurityManager.Resource resource, java.lang.String access) Utility method to check for an authorization.
void	init() Initialize SecurityManager.
boolean	isAnon(SecurityManager.User userobj) Check if the given userobj is an anonymous login.
void	logout(javax.servlet.http.HttpServletRequest req) Destroy any login information in the users session.
void	signout(SecurityManager.Authorization authorization) Invalidate an authorization object issued by this SecurityManager.
org.jdom.Element	toUserStatus(javax.servlet.http.HttpServletRequest req, int id) Get a user status Element for the given userid.
boolean	validate(SecurityManager.Authorization authorization) Check whether this Authorization object was actually created by this SecurityManager and is still valid.
boolean	validate(SecurityManager.User userobj) Check whether this User object was actually created by this SecurityManager.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

SELECT

public static final java.lang.String SELECT

Constant signifying SEARCH access: List objects and read object data.

INSERT

public static final java.lang.String INSERT

Create a new object.

UPDATE

public static final java.lang.String UPDATE

Update an existing object.

DELETE

public static final java.lang.String DELETE

Remove an object.

Constructor Detail

SecurityManager

public SecurityManager()

Empty default constructor.

Method Detail

init

public void init()
          throws SecurityManagerException

Initialize SecurityManager.

destroy

public void destroy()

Free resources (such as DB connections) held by this SecurityManager.

doLogin

public java.lang.String doLogin(javax.servlet.ServletContext context,
                                javax.servlet.http.HttpServletRequest req)

Handle login. This involves several steps: Check whether a SecurityManager.User object exists in the session context. If not, check if username (sm_username) and password (sm_password) are given in the request. In this case authenticate() is called to create a SecurityManager.User object which is placed in the session context. If login data is missing an error document is returned.

Parameters:

context - The servlet context.

req - The original request.

Returns:

null If login is completed, an error document otherwise. This default implementation always returns null.

authenticate

public SecurityManager.User authenticate(java.lang.String username,
                                         java.lang.String password)
                                  throws SecurityManagerException

Check if a valid user account/password combination is given.

Parameters:

username - The username.

password - The password.

Returns:

A SecurityManager.User instance upon successful authentication.

Throws:

SecurityManagerException - When invalid account credentials are given.

getUserById

public SecurityManager.User getUserById(int id)
                                 throws SecurityManagerException

Load a user object identified by its numeric ID.

authorize

public SecurityManager.Authorization authorize(SecurityManager.User user,
                                               SecurityManager.Resource resource,
                                               java.lang.String access)
                                        throws SecurityManagerException

Check if the given SecurityManager.User is authorized to access the named resource.

Parameters:

user - The SecurityManager.User object as returned by authenticate().

resource - The named resource.

access - One of the defined access methods.

Returns:

An Authorization object upon successful authorization.

Throws:

SecurityManagerException - When access is denied.

hasAuth

public boolean hasAuth(SecurityManager.User user,
                       SecurityManager.Resource resource,
                       java.lang.String access)

Utility method to check for an authorization.

Parameters:

user - The SecurityManager.User object as returned by authenticate().

resource - The named resource.

access - One of the defined access methods.

Returns:

true if the authorization is granted, false otherwise.

isAnon

public boolean isAnon(SecurityManager.User userobj)

Check if the given userobj is an anonymous login.

getUserStatus

public org.jdom.Element getUserStatus(javax.servlet.http.HttpServletRequest req)

Get an org.jdom.Element describing the user status. This element contains the following info:

• authenticated: The user is authenticated.
• username: The username of the current user.

Parameters:

req - The servlet request object.

Returns:

org.jdom.Element with user status info.

toUserStatus

public org.jdom.Element toUserStatus(javax.servlet.http.HttpServletRequest req,
                                     int id)

Get a user status Element for the given userid. The subelement 'authenticated' is only present if this is the currently logged in user.

Parameters:

id - The numeric user ID.

addACL

public org.jdom.Element addACL(org.jdom.Element el,
                               SecurityManager.Resource resource,
                               SecurityManager.User user)

Add the ACL attributes can_select, can_isnert, can_update and can_delete according to the given users access rights on the given resource.

validate

public boolean validate(SecurityManager.User userobj)

Check whether this User object was actually created by this SecurityManager. If this cannot be verified (by using a cache e.g.), information should be validated against authoritative user data (the backend DB, the LDAP server etc.).

Parameters:

userobj - The SecurityManager.User instance to validate.

Returns:

boolean indicating success (true) or failure (false).

validate

public boolean validate(SecurityManager.Authorization authorization)

Check whether this Authorization object was actually created by this SecurityManager and is still valid.

Parameters:

authorization - The SecurityManager.Authorization instance to validate.

Returns:

boolean indicating success (true) or failure (false).

signout

public void signout(SecurityManager.Authorization authorization)

Invalidate an authorization object issued by this SecurityManager.

Parameters:

authorization - The SecurityManager.Authorization object.

logout

public void logout(javax.servlet.http.HttpServletRequest req)

Destroy any login information in the users session.

Parameters:

context - The session context.

getUser

public java.lang.String getUser(javax.servlet.http.HttpServletRequest req)
                         throws SecurityManagerException

Return the uid of the authenticated user.

Parameters:

req - The HTTP request.

Returns:

The UID as a String.

getUserID

public java.lang.String getUserID(javax.servlet.http.HttpServletRequest req)
                           throws SecurityManagerException

Return the numeric user id of the authenticated user.

Parameters:

req - The HTTP request.

Returns:

The UID as a String.

getUserObj

public SecurityManager.User getUserObj(javax.servlet.http.HttpServletRequest req)
                                throws SecurityManagerException

Return the SecurityManager.User object of the authenticated user.

Parameters:

req - The HTTP request.

Returns:

The SecurityManager.User instance.

Throws:

SecurityManagerException - Upon failure.

getUserRoleGroup

public java.lang.String getUserRoleGroup(javax.servlet.http.HttpServletRequest req)
                                  throws SecurityManagerException

Get the RoleGroup for the logged in user.

Returns:

An empty String in case no RoleGroup is set, the RoleGroup name otherwise.

getUserRoleGroupId

public int getUserRoleGroupId(javax.servlet.http.HttpServletRequest req)
                       throws SecurityManagerException

Get numeric RoleGroup ID.

getResource

public SecurityManager.Resource getResource(java.lang.String identifier)

Create a Resource object for the given resource.

Parameters:

identifier - The resource identifier (name).

Returns:

A SecurityManager.Resource instance.