001: //$HeadURL: https://svn.wald.intevation.org/svn/deegree/base/trunk/src/org/deegree/portal/standard/security/control/ClientHelper.java $
002: /*---------------- FILE HEADER ------------------------------------------
003:
004: This file is part of deegree.
005: Copyright (C) 2001-2008 by:
006: EXSE, Department of Geography, University of Bonn
007: http://www.giub.uni-bonn.de/deegree/
008: lat/lon GmbH
009: http://www.lat-lon.de
010:
011: This library is free software; you can redistribute it and/or
012: modify it under the terms of the GNU Lesser General Public
013: License as published by the Free Software Foundation; either
014: version 2.1 of the License, or (at your option) any later version.
015:
016: This library is distributed in the hope that it will be useful,
017: but WITHOUT ANY WARRANTY; without even the implied warranty of
018: MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
019: Lesser General Public License for more details.
020:
021: You should have received a copy of the GNU Lesser General Public
022: License along with this library; if not, write to the Free Software
023: Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
024:
025: Contact:
026:
027: Andreas Poth
028: lat/lon GmbH
029: Aennchenstr. 19
030: 53177 Bonn
031: Germany
032: E-Mail: poth@lat-lon.de
033:
034: Prof. Dr. Klaus Greve
035: Department of Geography
036: University of Bonn
037: Meckenheimer Allee 166
038: 53115 Bonn
039: Germany
040: E-Mail: greve@giub.uni-bonn.de
041:
042: ---------------------------------------------------------------------------*/
043: package org.deegree.portal.standard.security.control;
044:
045: import java.util.HashSet;
046: import java.util.Iterator;
047: import java.util.Set;
048:
049: import javax.servlet.http.HttpServletRequest;
050: import javax.servlet.http.HttpSession;
051:
052: import org.deegree.enterprise.control.AbstractListener;
053: import org.deegree.i18n.Messages;
054: import org.deegree.security.GeneralSecurityException;
055: import org.deegree.security.UnauthorizedException;
056: import org.deegree.security.drm.SecurityAccess;
057: import org.deegree.security.drm.SecurityAccessManager;
058: import org.deegree.security.drm.SecurityTransaction;
059: import org.deegree.security.drm.model.RightType;
060: import org.deegree.security.drm.model.Role;
061: import org.deegree.security.drm.model.User;
062:
063: /**
064: * Helper class that performs common security access tasks and checks used in the
065: * <code>Listener</code> classes.
066: *
067: * @author <a href="mschneider@lat-lon.de">Markus Schneider </a>
068: * @author last edited by: $Author: apoth $
069: *
070: * @version $Revision: 9346 $, $Date: 2007-12-27 08:39:07 -0800 (Thu, 27 Dec 2007) $
071: */
072: public class ClientHelper {
073:
074: public static final String KEY_USERNAME = "USERNAME";
075:
076: public static final String KEY_PASSWORD = "PASSWORD";
077:
078: public static final String TYPE_LAYER = "Layer";
079:
080: public static final String TYPE_FEATURETYPE = "Featuretype";
081:
082: public static final String TYPE_METADATASCHEMA = "MetadataSchema";
083:
084: /**
085: * Tries to acquire a <code>SecurityAccess</code> for the credentials (username, password)
086: * stored in the associated <code>HttpSesssion</code> of the given
087: * <code>AbstractListener</code>.
088: *
089: * @param listener
090: * @throws GeneralSecurityException
091: * @return SecurityAccess
092: */
093: public static SecurityAccess acquireAccess(AbstractListener listener)
094: throws GeneralSecurityException {
095: // get USERNAME and PASSWORD from HttpSession
096: HttpSession session = ((HttpServletRequest) listener
097: .getRequest()).getSession(false);
098: if (session == null) {
099: throw new UnauthorizedException(
100: Messages
101: .getMessage("IGEO_STD_SEC_ERROR_UNAUTHORIZED_ACCESS"));
102: }
103: String userName = (String) session.getAttribute(KEY_USERNAME);
104: String password = (String) session.getAttribute(KEY_PASSWORD);
105:
106: // perform access check
107: SecurityAccessManager manager = SecurityAccessManager
108: .getInstance();
109: User user = manager.getUserByName(userName);
110: user.authenticate(password);
111: return manager.acquireAccess(user);
112: }
113:
114: /**
115: * Tries to acquire a <code>SecurityTransaction</code> for the credentials (username,
116: * password) stored in the associated <code>HttpSesssion</code>.
117: *
118: * @param listener
119: * @throws GeneralSecurityException
120: * @return SecurityTransaction
121: */
122: public static SecurityTransaction acquireTransaction(
123: AbstractListener listener) throws GeneralSecurityException {
124: // get USERNAME and PASSWORD from HttpSession
125: HttpSession session = ((HttpServletRequest) listener
126: .getRequest()).getSession(false);
127: String userName = (String) session.getAttribute(KEY_USERNAME);
128: String password = (String) session.getAttribute(KEY_PASSWORD);
129:
130: // perform access check
131: SecurityAccessManager manager = SecurityAccessManager
132: .getInstance();
133: User user = manager.getUserByName(userName);
134: user.authenticate(password);
135: return manager.acquireTransaction(user);
136: }
137:
138: /**
139: * Returns the administrator (the 'Administrator'- or a 'SUBADMIN:'-role) for the given role.
140: *
141: * @param access
142: * @param role
143: * @throws GeneralSecurityException
144: * @return Role
145: */
146: public static Role findAdminForRole(SecurityAccess access, Role role)
147: throws GeneralSecurityException {
148: Role[] allRoles = access.getAllRoles();
149: Role admin = access.getRoleById(Role.ID_SEC_ADMIN);
150: for (int i = 0; i < allRoles.length; i++) {
151: if (allRoles[i].getName().startsWith("SUBADMIN:")) {
152: // if a subadmin-role has the update right, it is
153: // considered to be administrative for the role
154: if (allRoles[i]
155: .hasRight(access, RightType.UPDATE, role)) {
156: admin = allRoles[i];
157: }
158: }
159: }
160: return admin;
161: }
162:
163: /**
164: * Returns the associated 'Administrator'- or 'SUBADMIN:'-role of the token holder.
165: *
166: * @param access
167: * @throws GeneralSecurityException
168: * @return Role
169: */
170: public static Role checkForAdminOrSubadminRole(SecurityAccess access)
171: throws GeneralSecurityException {
172: Role adminOrSubadminRole = null;
173: Role[] roles = access.getUser().getRoles(access);
174: for (int i = 0; i < roles.length; i++) {
175: if (roles[i].getID() == Role.ID_SEC_ADMIN
176: || roles[i].getName().startsWith("SUBADMIN:")) {
177: if (adminOrSubadminRole == null) {
178: adminOrSubadminRole = roles[i];
179: } else {
180: throw new GeneralSecurityException(Messages
181: .getMessage("IGEO_STD_SEC_WRONG_ROLE",
182: access.getUser().getTitle(),
183: adminOrSubadminRole.getTitle(),
184: roles[i].getTitle()));
185: }
186: }
187: }
188: if (adminOrSubadminRole == null) {
189: throw new UnauthorizedException(Messages
190: .getMessage("IGEO_STD_SEC_MISSING_SUBADMIN_ROLE"));
191: }
192: return adminOrSubadminRole;
193: }
194:
195: /**
196: * Tests if the given token is associated with the 'Administrator'-role.
197: *
198: * @param access
199: * @throws GeneralSecurityException,
200: * this is an UnauthorizedException if the user does not have the
201: * 'Administrator'-role
202: */
203: public static void checkForAdminRole(SecurityAccess access)
204: throws GeneralSecurityException {
205: Role[] roles = access.getUser().getRoles(access);
206: for (int i = 0; i < roles.length; i++) {
207: if (roles[i].getID() == Role.ID_SEC_ADMIN) {
208: return;
209: }
210: }
211: throw new UnauthorizedException(Messages
212: .getMessage("IGEO_STD_SEC_MISSING_ADMIN_ROLE"));
213: }
214:
215: /**
216: * Tests if the 'SUBADMIN:' and 'Administrator'-roles are all disjoint (so that there are no
217: * users that have more than 1 role).
218: *
219: * @param access
220: * @throws GeneralSecurityException
221: * if there is a user with more than one role
222: */
223: public static void checkSubadminRoleValidity(SecurityAccess access)
224: throws GeneralSecurityException {
225:
226: Role[] subadminRoles = access.getRolesByNS("SUBADMIN");
227: Set<User>[] rolesAndUsers = new Set[subadminRoles.length + 1];
228:
229: String[] roleNames = new String[subadminRoles.length + 1];
230:
231: // admin role
232: User[] users = access.getRoleById(Role.ID_SEC_ADMIN)
233: .getAllUsers(access);
234: rolesAndUsers[0] = new HashSet<User>();
235: roleNames[0] = "Administrator";
236: for (int i = 0; i < users.length; i++) {
237: rolesAndUsers[0].add(users[i]);
238: }
239:
240: // subadmin roles
241: for (int i = 1; i < rolesAndUsers.length; i++) {
242: users = subadminRoles[i - 1].getAllUsers(access);
243: rolesAndUsers[i] = new HashSet<User>();
244: roleNames[i] = subadminRoles[i - 1].getTitle();
245: for (int j = 0; j < users.length; j++) {
246: rolesAndUsers[i].add(users[j]);
247: }
248: }
249:
250: // now check if all usersets are disjoint
251: for (int i = 0; i < rolesAndUsers.length - 1; i++) {
252: Set userSet1 = rolesAndUsers[i];
253: for (int j = i + 1; j < rolesAndUsers.length; j++) {
254: Set userSet2 = rolesAndUsers[j];
255: Iterator it = userSet2.iterator();
256: while (it.hasNext()) {
257: User user = (User) it.next();
258: if (userSet1.contains(user)) {
259: throw new GeneralSecurityException(
260: Messages
261: .getMessage(
262: "IGEO_STD_SEC_INVALID_SUBADMIN_ROLE",
263: user.getTitle(),
264: roleNames[i],
265: roleNames[j]));
266: }
267: }
268: }
269: }
270: }
271: }
|