: Class AppSecurityManager

Overview

Package

Class

Tree

Deprecated

Index

Help

PREV CLASS NEXT CLASS

FRAMES NO FRAMES

SUMMARY: INNER | FIELD | CONSTR | METHOD

DETAIL: FIELD | CONSTR | METHOD

com.xmlserv.app
Class AppSecurityManager

java.lang.Object
  |
  +--com.xmlserv.security.SecurityManager
        |
        +--com.xmlserv.security.RoleSecurityManager
              |
              +--com.xmlserv.app.AppSecurityManager

Direct Known Subclasses:: AnonSecurityManager, NewsSecurityManager, NonAnonSecurityManager

public class AppSecurityManager
extends RoleSecurityManager

The basic Securitymanager used by the Applications. This implements the abstract methods of RoleSecurityManager by utilizing a PostgreSQL backend. A PGConnectionPool is used to keep the number of connections reasonable.
The usertable has the following fields:

id SERIAL NOT NULL PRIMARY KEY
uid VARCHAR(255) NOT NULL CHECK(uid<>'')
password VARCHAR(255)
pw_enc VARCHAR(255) NOT NULL CHECK(pw_enc<>'')

The password field is used to store a cleartext password. It has no meaning for this SecurityManager. The other password field pw_enc holds the MD5 hash of the original password and is used to check the provided password. The field uid is the loginname.

Version:: $Id: AppSecurityManager.java,v 1.24 2002/11/10 21:28:39 muecke Exp $
Author:: Wolfram Saringer
See Also:: ConnectionPool, PGConnectionPool

Inner classes inherited from class com.xmlserv.security.SecurityManager

SecurityManager.AccessRight, SecurityManager.Authorization, SecurityManager.Resource, SecurityManager.Role, SecurityManager.User

Fields inherited from class com.xmlserv.security.SecurityManager

DELETE, INSERT, SELECT, UPDATE

Constructor Summary

AppSecurityManager()
          Create empty object. init() must be called before the SecurityManager is usable.

Method Summary

protected void checkAuth(SecurityManager.User user, SecurityManager.Resource resource, java.lang.String access)
          This routine checks an access method against the ACL table as defined in the class description.

protected java.sql.Connection checkoutConn()
          Aggregation method delegated to PGConnectionPool.

protected java.lang.String checkUser(java.lang.String user, java.lang.String password)
          Implementation of the abstract method defined in RoleSecurityManager.

void destroy()
          Destroy ConnectionPool.

protected java.lang.String getEmail(java.lang.String username)
          Return the users email address.

protected int getId(java.lang.String username)
          Return the users numeric id.

protected java.lang.String getRoleGroup(java.lang.String username)
          Get the RoleGroup the given user belongs to.

protected int getRoleGroupId(java.lang.String username)
          Get the numerical RoleGroup id the given user belongs to.

SecurityManager.User getUserById(int id)
          Load a user object identified by its numeric ID.

java.lang.String getUserID(javax.servlet.http.HttpServletRequest req)
          Return the numeric user id of the authenticated user.

org.jdom.Element getUserStatus(javax.servlet.http.HttpServletRequest req)
          Get an org.jdom.Element describing the user status.

void init()
          Initialize SecurityManager.

protected void returnConn(java.sql.Connection conn)
          Aggregation method delegated to PGConnectionPool.

Methods inherited from class com.xmlserv.security.RoleSecurityManager

authenticate, authorize, doLogin, errorPage, getUser, getUserObj, getUserRoleGroup, getUserRoleGroupId, loginPage, loginPage, logout, signout, validate, validate

Methods inherited from class com.xmlserv.security.SecurityManager

addACL, getResource, hasAuth, isAnon, toUserStatus

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

AppSecurityManager

public AppSecurityManager()

Create empty object. init() must be called before the SecurityManager is usable.

See Also:: init()

Method Detail

init

public void init()
          throws SecurityManagerException

Initialize SecurityManager. This instantiates the ConnectionPool if not already present and initializes the mapping betwen access strings and column names used in the tables in the DB.

Overrides:: init in class RoleSecurityManager

Throws:: SecurityManagerException - Upon any error.

destroy

public void destroy()

Destroy ConnectionPool.

Overrides:: destroy in class RoleSecurityManager

checkUser

protected java.lang.String checkUser(java.lang.String user,
                                     java.lang.String password)
                              throws SecurityManagerException

Implementation of the abstract method defined in RoleSecurityManager. This uses a DB table as defined in the class description.

Overrides:: checkUser in class RoleSecurityManager

Parameters:: user - The username to check.; password - The password for the given username.
Returns:: The numeric user id.
Throws:: SecurityManagerException - In case the account is not valid (it either does not exist or the password is not correct).

checkAuth

protected void checkAuth(SecurityManager.User user,
                         SecurityManager.Resource resource,
                         java.lang.String access)
                  throws SecurityManagerException

This routine checks an access method against the ACL table as defined in the class description. The method first tries to find an ACL for the named resource. If this is not found, it searches for the default access rights associated with the primary role for that user. If this ACL does not grant the requested access, an exceptino is thrown.

Overrides:: checkAuth in class RoleSecurityManager

Parameters:: user - The SecurityManager.User object providing login data.; resource - The named resource.; access - One of the defined access strings from SecurityManager.
Throws:: In - case access cannot be granted.
See Also:: SecurityManager

getRoleGroupId

protected int getRoleGroupId(java.lang.String username)
                      throws SecurityManagerException

Get the numerical RoleGroup id the given user belongs to. To be supplied by an implementation.

Overrides:: getRoleGroupId in class RoleSecurityManager

getRoleGroup

protected java.lang.String getRoleGroup(java.lang.String username)
                                 throws SecurityManagerException

Get the RoleGroup the given user belongs to.

Overrides:: getRoleGroup in class RoleSecurityManager

getUserID

public java.lang.String getUserID(javax.servlet.http.HttpServletRequest req)
                           throws SecurityManagerException

Return the numeric user id of the authenticated user.

Overrides:: getUserID in class SecurityManager

Parameters:: req - The HTTP request.
Returns:: The UID as a String.

getEmail

protected java.lang.String getEmail(java.lang.String username)
                             throws SecurityManagerException

Return the users email address.

Overrides:: getEmail in class RoleSecurityManager

Parameters:: username - The username to search for.
Returns:: The Email address or an empty string if user not found or email fot available

getId

protected int getId(java.lang.String username)
             throws SecurityManagerException

Return the users numeric id.

Overrides:: getId in class RoleSecurityManager

Parameters:: username - The username to search for.
Returns:: The users numeric id.

getUserStatus

public org.jdom.Element getUserStatus(javax.servlet.http.HttpServletRequest req)

Get an org.jdom.Element describing the user status. This element contains the following info:

authenticated: The user is authenticated.
username: The username of the current user.

This overriding method adds the complete user info as provided by User.toElement().

Overrides:: getUserStatus in class SecurityManager

Parameters:: req - The servlet request object.
Returns:: org.jdom.Element with user status info.
See Also:: User.toElement()

getUserById

public SecurityManager.User getUserById(int id)
                                 throws SecurityManagerException

Load a user object identified by its numeric ID.

Overrides:: getUserById in class SecurityManager

checkoutConn

protected java.sql.Connection checkoutConn()
                                    throws java.sql.SQLException

Aggregation method delegated to PGConnectionPool.

Returns:: The Connection object from the pool.
Throws:: java.sql.SQLException - Error checking out Connection.

returnConn

protected void returnConn(java.sql.Connection conn)
                   throws java.sql.SQLException