com.xmlserv.app
Class AppSecurityManager

java.lang.Object
  |
  +--com.xmlserv.security.SecurityManager
        |
        +--com.xmlserv.security.RoleSecurityManager
              |
              +--com.xmlserv.app.AppSecurityManager
Direct Known Subclasses:
AnonSecurityManager, NewsSecurityManager, NonAnonSecurityManager

public class AppSecurityManager
extends RoleSecurityManager

The basic Securitymanager used by the Applications. This implements the abstract methods of RoleSecurityManager by utilizing a PostgreSQL backend. A PGConnectionPool is used to keep the number of connections reasonable.
The usertable has the following fields:

The password field is used to store a cleartext password. It has no meaning for this SecurityManager. The other password field pw_enc holds the MD5 hash of the original password and is used to check the provided password. The field uid is the loginname.

Version:
$Id: AppSecurityManager.java,v 1.24 2002/11/10 21:28:39 muecke Exp $
Author:
Wolfram Saringer
See Also:
ConnectionPool, PGConnectionPool

Inner classes inherited from class com.xmlserv.security.SecurityManager
SecurityManager.AccessRight, SecurityManager.Authorization, SecurityManager.Resource, SecurityManager.Role, SecurityManager.User
 
Fields inherited from class com.xmlserv.security.SecurityManager
DELETE, INSERT, SELECT, UPDATE
 
Constructor Summary
AppSecurityManager()
          Create empty object. init() must be called before the SecurityManager is usable.
 
Method Summary
protected  void checkAuth(SecurityManager.User user, SecurityManager.Resource resource, java.lang.String access)
          This routine checks an access method against the ACL table as defined in the class description.
protected  java.sql.Connection checkoutConn()
          Aggregation method delegated to PGConnectionPool.
protected  java.lang.String checkUser(java.lang.String user, java.lang.String password)
          Implementation of the abstract method defined in RoleSecurityManager.
 void destroy()
          Destroy ConnectionPool.
protected  java.lang.String getEmail(java.lang.String username)
          Return the users email address.
protected  int getId(java.lang.String username)
          Return the users numeric id.
protected  java.lang.String getRoleGroup(java.lang.String username)
          Get the RoleGroup the given user belongs to.
protected  int getRoleGroupId(java.lang.String username)
          Get the numerical RoleGroup id the given user belongs to.
 SecurityManager.User getUserById(int id)
          Load a user object identified by its numeric ID.
 java.lang.String getUserID(javax.servlet.http.HttpServletRequest req)
          Return the numeric user id of the authenticated user.
 org.jdom.Element getUserStatus(javax.servlet.http.HttpServletRequest req)
          Get an org.jdom.Element describing the user status.
 void init()
          Initialize SecurityManager.
protected  void returnConn(java.sql.Connection conn)
          Aggregation method delegated to PGConnectionPool.
 
Methods inherited from class com.xmlserv.security.RoleSecurityManager
authenticate, authorize, doLogin, errorPage, getUser, getUserObj, getUserRoleGroup, getUserRoleGroupId, loginPage, loginPage, logout, signout, validate, validate
 
Methods inherited from class com.xmlserv.security.SecurityManager
addACL, getResource, hasAuth, isAnon, toUserStatus
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

AppSecurityManager

public AppSecurityManager()
Create empty object. init() must be called before the SecurityManager is usable.
See Also:
init()
Method Detail

init

public void init()
          throws SecurityManagerException
Initialize SecurityManager. This instantiates the ConnectionPool if not already present and initializes the mapping betwen access strings and column names used in the tables in the DB.
Overrides:
init in class RoleSecurityManager
Throws:
SecurityManagerException - Upon any error.

destroy

public void destroy()
Destroy ConnectionPool.
Overrides:
destroy in class RoleSecurityManager

checkUser

protected java.lang.String checkUser(java.lang.String user,
                                     java.lang.String password)
                              throws SecurityManagerException
Implementation of the abstract method defined in RoleSecurityManager. This uses a DB table as defined in the class description.
Overrides:
checkUser in class RoleSecurityManager
Parameters:
user - The username to check.
password - The password for the given username.
Returns:
The numeric user id.
Throws:
SecurityManagerException - In case the account is not valid (it either does not exist or the password is not correct).

checkAuth

protected void checkAuth(SecurityManager.User user,
                         SecurityManager.Resource resource,
                         java.lang.String access)
                  throws SecurityManagerException
This routine checks an access method against the ACL table as defined in the class description. The method first tries to find an ACL for the named resource. If this is not found, it searches for the default access rights associated with the primary role for that user. If this ACL does not grant the requested access, an exceptino is thrown.
Overrides:
checkAuth in class RoleSecurityManager
Parameters:
user - The SecurityManager.User object providing login data.
resource - The named resource.
access - One of the defined access strings from SecurityManager.
Throws:
In - case access cannot be granted.
See Also:
SecurityManager

getRoleGroupId

protected int getRoleGroupId(java.lang.String username)
                      throws SecurityManagerException
Get the numerical RoleGroup id the given user belongs to. To be supplied by an implementation.
Overrides:
getRoleGroupId in class RoleSecurityManager

getRoleGroup

protected java.lang.String getRoleGroup(java.lang.String username)
                                 throws SecurityManagerException
Get the RoleGroup the given user belongs to.
Overrides:
getRoleGroup in class RoleSecurityManager

getUserID

public java.lang.String getUserID(javax.servlet.http.HttpServletRequest req)
                           throws SecurityManagerException
Return the numeric user id of the authenticated user.
Overrides:
getUserID in class SecurityManager
Parameters:
req - The HTTP request.
Returns:
The UID as a String.

getEmail

protected java.lang.String getEmail(java.lang.String username)
                             throws SecurityManagerException
Return the users email address.
Overrides:
getEmail in class RoleSecurityManager
Parameters:
username - The username to search for.
Returns:
The Email address or an empty string if user not found or email fot available

getId

protected int getId(java.lang.String username)
             throws SecurityManagerException
Return the users numeric id.
Overrides:
getId in class RoleSecurityManager
Parameters:
username - The username to search for.
Returns:
The users numeric id.

getUserStatus

public org.jdom.Element getUserStatus(javax.servlet.http.HttpServletRequest req)
Get an org.jdom.Element describing the user status. This element contains the following info: This overriding method adds the complete user info as provided by User.toElement().
Overrides:
getUserStatus in class SecurityManager
Parameters:
req - The servlet request object.
Returns:
org.jdom.Element with user status info.
See Also:
User.toElement()

getUserById

public SecurityManager.User getUserById(int id)
                                 throws SecurityManagerException
Load a user object identified by its numeric ID.
Overrides:
getUserById in class SecurityManager

checkoutConn

protected java.sql.Connection checkoutConn()
                                    throws java.sql.SQLException
Aggregation method delegated to PGConnectionPool.
Returns:
The Connection object from the pool.
Throws:
java.sql.SQLException - Error checking out Connection.

returnConn

protected void returnConn(java.sql.Connection conn)
                   throws java.sql.SQLException
Aggregation method delegated to PGConnectionPool.
Parameters:
conn - The Connection object to return to the pool.
Throws:
java.sql.SQLException - Error returning Connection.