001: /*
002: * argun 1.0
003: * Web 2.0 delivery framework
004: * Copyright (C) 2007 Hammurapi Group
005: *
006: * This program is free software; you can redistribute it and/or
007: * modify it under the terms of the GNU Lesser General Public
008: * License as published by the Free Software Foundation; either
009: * version 2 of the License, or (at your option) any later version.
010: *
011: * This program is distributed in the hope that it will be useful,
012: * but WITHOUT ANY WARRANTY; without even the implied warranty of
013: * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
014: * Lesser General Public License for more details.
015: *
016: * You should have received a copy of the GNU Lesser General Public
017: * License along with this library; if not, write to the Free Software
018: * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
019: *
020: * URL: http://www.hammurapi.biz
021: * e-Mail: support@hammurapi.biz
022: */
023: package biz.hammurapi.web.security;
024:
025: import java.sql.SQLException;
026: import java.util.Collection;
027: import java.util.HashMap;
028: import java.util.Map;
029:
030: import javax.servlet.http.HttpServletRequest;
031: import javax.servlet.http.HttpServletResponse;
032:
033: import org.apache.commons.codec.digest.DigestUtils;
034:
035: import biz.hammurapi.config.ConfigurationException;
036: import biz.hammurapi.sql.SQLProcessor;
037: import biz.hammurapi.web.ActionServlet;
038: import biz.hammurapi.web.RequestParametersContext;
039: import biz.hammurapi.web.SimpleRedirect;
040: import biz.hammurapi.web.security.sql.ApplicationUser;
041: import biz.hammurapi.web.security.sql.ApplicationUserImpl;
042: import biz.hammurapi.web.security.sql.SecurityEngine;
043: import biz.hammurapi.web.security.sql.permission.PermissionEngine;
044:
045: /**
046: * Web actions class for ApplicationUser.
047: * @author Pavel Vlasov
048: * @version $Revision$
049: */
050: public class ApplicationUserActions extends ActionsBase {
051:
052: private static final String VIEW_PATH = "get/ApplicationUser/view.html?id=";
053: private static final String INITIAL_PASSWORD_HASH = hashPassword("welcome");
054:
055: /**
056: * Retrieves list of ApplicationUser
057: * @param request
058: * @param response
059: * @param servlet
060: * @return
061: */
062: public Collection list(HttpServletRequest request,
063: HttpServletResponse response, ActionServlet servlet) {
064: return getEngine(request).getApplicationUser();
065: }
066:
067: /**
068: * Retrieves ApplicationUser information by 'id' parameter
069: * @param request
070: * @param response
071: * @param servlet
072: * @return
073: * @throws SQLException
074: * @throws ConfigurationException
075: */
076: public Object get(HttpServletRequest request,
077: HttpServletResponse response, ActionServlet servlet)
078: throws SQLException, ConfigurationException {
079: if ("yes".equals(request.getParameter("new"))) {
080: ApplicationUserImpl ret = new ApplicationUserImpl();
081: ret.configure(new RequestParametersContext(request),
082: converter); //
083: ret.setAttribute("new", "yes");
084: setReferrer(request, ret);
085: return ret;
086: }
087:
088: String id = request.getParameter("id");
089: if (id == null) {
090: return "ApplicationUser id parameter is missing";
091: }
092:
093: User ret = (User) getEngine(request).getApplicationUser(id,
094: User.class);
095: if (ret == null) {
096: return "Invalid User id: " + id;
097: }
098:
099: setReferrer(request, ret);
100:
101: if (hasPermission(request, Permission.class, "list")) {
102: ret.setAttribute("list-permissions", "true");
103: }
104:
105: if (hasPermission(request, Role.class, "list")) {
106: ret.setAttribute("list-roles", "true");
107: }
108:
109: if (hasPermission(request, Group.class, "list")) {
110: ret.setAttribute("list-groups", "true");
111: }
112:
113: String alert = request.getParameter("alert");
114: if (alert != null) {
115: ret.setAttribute("alert", alert);
116: }
117:
118: return ret;
119: }
120:
121: static String hashPassword(String password) {
122: return DigestUtils.shaHex(password);
123: }
124:
125: /**
126: * Updates ApplicationUser.
127: * @param request
128: * @param response
129: * @param servlet
130: * @return
131: * @throws SQLException
132: * @throws ConfigurationException
133: */
134: public Object update(HttpServletRequest request,
135: HttpServletResponse response, ActionServlet servlet)
136: throws SQLException, ConfigurationException {
137: boolean isUpdate = !"yes".equals(request.getParameter("_new"));
138:
139: ApplicationUserImpl obj = new ApplicationUserImpl(isUpdate);
140: obj.setIsBlocked(false);
141: obj.configure(new RequestParametersContext(request), converter);
142: SecurityEngine engine = getEngine(request);
143:
144: if (isUpdate) {
145: int numRows = engine.updateApplicationUser(obj);
146: if (numRows != 1) {
147: return "Could not update user";
148: }
149: } else {
150: if (engine.getApplicationUser(obj.getLoginName()) != null) {
151: obj.setAttribute("new", "yes");
152: obj.setAttribute("referrer", getReferrer(request));
153: obj.setColumnAttribute("LOGIN_NAME",
154: "validation-error", "Duplicate login");
155: return obj;
156: }
157:
158: obj.setUserPassword(INITIAL_PASSWORD_HASH);
159:
160: int numRows = engine.insertApplicationUser(obj);
161: if (numRows != 1) {
162: return "Could not insert User";
163: }
164:
165: }
166:
167: String referrer = getReferrer(request);
168: if (referrer == null) {
169: referrer = "list/ApplicationUser/list.html";
170: }
171:
172: return new SimpleRedirect(referrer, "ApplicationUser "
173: + (isUpdate ? "updated" : "inserted"));
174: }
175:
176: public String resetPassword(HttpServletRequest request,
177: HttpServletResponse response, ActionServlet servlet)
178: throws SQLException, ConfigurationException {
179: String loginName = request.getParameter("id");
180: if (loginName == null) {
181: return "User name is not provided";
182: }
183:
184: SecurityEngine engine = getEngine(request);
185: ApplicationUser user = engine.getApplicationUser(loginName);
186: if (user == null) {
187: return "Invalid user name: " + loginName;
188: }
189: user.setLastPasswordChange(0);
190: user.setUserPassword(INITIAL_PASSWORD_HASH);
191: int numRows = engine.updateApplicationUser(user);
192: if (numRows == 1) {
193: return "Password reset for user " + loginName;
194: }
195:
196: return "Invalid user name: " + loginName;
197: }
198:
199: public String changePassword(HttpServletRequest request,
200: HttpServletResponse response, ActionServlet servlet)
201: throws SQLException, ConfigurationException {
202: String loginName = request.getParameter("id");
203: if (loginName == null) {
204: return "User name is not provided";
205: }
206:
207: String newPassword = request.getParameter("newPassword");
208: if (newPassword == null) {
209: return "New password is not set";
210: }
211:
212: String confirmPassword = request
213: .getParameter("confirmPassword");
214: if (confirmPassword == null) {
215: return "Confirm password is not set";
216: }
217:
218: if (!newPassword.equals(confirmPassword)) {
219: return "Passwords don't match";
220: }
221:
222: if (newPassword.length() < 8) {
223: return "New password is too short";
224: }
225:
226: String oldPassword = request.getParameter("oldPassword");
227: if (oldPassword == null) {
228: return "Old password is not set";
229: }
230:
231: if (newPassword.equals(oldPassword)) {
232: return "New passwords shouldn't be equal to old password";
233: }
234:
235: SecurityEngine engine = getEngine(request);
236: ApplicationUser user = engine.getApplicationUser(loginName);
237: if (user == null) {
238: return "Invalid user name: " + loginName;
239: }
240: if (!hashPassword(oldPassword).equals(user.getUserPassword())) {
241: return "Invalid password";
242: }
243:
244: user.setLastPasswordChange(System.currentTimeMillis());
245: user.setUserPassword(hashPassword(newPassword));
246: int numRows = engine.updateApplicationUser(user);
247: if (numRows == 1) {
248: return "Password changed for user " + loginName;
249: }
250:
251: return "Invalid user name: " + loginName;
252: }
253:
254: /**
255: * Iterates over permissions parameter values and updates database.
256: * @param request
257: * @param response
258: * @param servlet
259: * @return
260: * @throws SQLException
261: * @throws ConfigurationException
262: */
263: public Object getPermissions(HttpServletRequest request,
264: HttpServletResponse response, ActionServlet servlet)
265: throws SQLException, ConfigurationException {
266: Map ret = new HashMap();
267: SecurityEngine engine = getEngine(request);
268: String loginName = request.getParameter("id");
269: ret.put("id", loginName);
270: ret.put("assigned-permissions", engine
271: .getAssignedPermission(loginName));
272: ret.put("permissions", engine.getApplicationPermission());
273: ret.put("classes", new PermissionEngine(
274: (SQLProcessor) getGlobal(request, "sql-processor"))
275: .getClasses());
276: return ret;
277: }
278:
279: /**
280: * Iterates over permissions parameter values and updates database.
281: * @param request
282: * @param response
283: * @param servlet
284: * @return
285: * @throws SQLException
286: * @throws ConfigurationException
287: */
288: public Object updatePermissions(HttpServletRequest request,
289: HttpServletResponse response, ActionServlet servlet)
290: throws SQLException, ConfigurationException {
291: SecurityEngine engine = getEngine(request);
292: String loginName = request.getParameter("id");
293: engine.deleteUserPermissionByUser(loginName);
294: java.util.Set idSet = new java.util.HashSet();
295: String[] values = request.getParameterValues("Denied");
296: if (values != null) {
297: for (int i = 0; i < values.length; i++) {
298: if (idSet.add(values[i])) {
299: int pid = Integer.parseInt(values[i]);
300: engine.insertUserPermission(pid, loginName, true);
301: }
302: }
303: }
304:
305: values = request.getParameterValues("Allowed");
306: if (values != null) {
307: for (int i = 0; i < values.length; i++) {
308: if (idSet.add(values[i])) {
309: int pid = Integer.parseInt(values[i]);
310: engine.insertUserPermission(pid, loginName, false);
311: }
312: }
313: }
314: return new SimpleRedirect(
315: "../../get/ApplicationUser/view.html?id=" + loginName,
316: "Permissions updated");
317: }
318:
319: /**
320: * Iterates over permissions parameter values and updates database.
321: * @param request
322: * @param response
323: * @param servlet
324: * @return
325: * @throws SQLException
326: * @throws ConfigurationException
327: */
328: public Object getGroups(HttpServletRequest request,
329: HttpServletResponse response, ActionServlet servlet)
330: throws SQLException, ConfigurationException {
331: Map ret = new HashMap();
332: SecurityEngine engine = getEngine(request);
333: String loginName = request.getParameter("id");
334: ret.put("id", loginName);
335: ret.put("assigned-groups", engine.getUserGroups(loginName));
336: ret.put("groups", engine.getUserGroup());
337: return ret;
338: }
339:
340: /**
341: * Iterates over groups parameter values and updates database.
342: * @param request
343: * @param response
344: * @param servlet
345: * @return
346: * @throws SQLException
347: * @throws ConfigurationException
348: */
349: public Object updateGroups(HttpServletRequest request,
350: HttpServletResponse response, ActionServlet servlet)
351: throws SQLException, ConfigurationException {
352: SecurityEngine engine = getEngine(request);
353: String loginName = request.getParameter("id");
354: engine.deleteUserInGroupByUser(loginName);
355: // if (!User.GUEST_NAME.equals(loginName)) {
356: // engine.insertUserInGroup(loginName, EVERYONE_GROUP);
357: // }
358: String[] values = request.getParameterValues("group");
359: if (values != null) {
360: for (int i = 0; i < values.length; i++) {
361: engine.insertUserInGroup(loginName, values[i]);
362: }
363: }
364: return new SimpleRedirect(VIEW_PATH + loginName,
365: "Groups updated");
366: }
367:
368: /**
369: * Iterates over permissions parameter values and updates database.
370: * @param request
371: * @param response
372: * @param servlet
373: * @return
374: * @throws SQLException
375: * @throws ConfigurationException
376: */
377: public Object getRoles(HttpServletRequest request,
378: HttpServletResponse response, ActionServlet servlet)
379: throws SQLException, ConfigurationException {
380: Map ret = new HashMap();
381: SecurityEngine engine = getEngine(request);
382: String loginName = request.getParameter("id");
383: ret.put("id", loginName);
384: ret.put("assigned-roles", engine.getUserRoles(loginName));
385: ret.put("roles", engine.getUserRole());
386: return ret;
387: }
388:
389: /**
390: * Iterates over roles parameter values and updates database.
391: * @param request
392: * @param response
393: * @param servlet
394: * @return
395: * @throws SQLException
396: * @throws ConfigurationException
397: */
398: public Object updateRoles(HttpServletRequest request,
399: HttpServletResponse response, ActionServlet servlet)
400: throws SQLException, ConfigurationException {
401: SecurityEngine engine = getEngine(request);
402: String loginName = request.getParameter("id");
403: engine.deleteUserInRoleByUser(loginName);
404: String[] values = request.getParameterValues("role");
405: if (values != null) {
406: for (int i = 0; i < values.length; i++) {
407: engine.insertUserInRole(loginName, values[i]);
408: }
409: }
410: return new SimpleRedirect(VIEW_PATH + loginName,
411: "Roles updated");
412: }
413:
414: /**
415: * Deletes ApplicationUser by "id" parameter.
416: * @param request
417: * @param response
418: * @param servlet
419: * @return
420: * @throws SQLException
421: * @throws ConfigurationException
422: */
423: public Object delete(HttpServletRequest request,
424: HttpServletResponse response, ActionServlet servlet)
425: throws SQLException {
426: String id = request.getParameter("id");
427: if (id == null) {
428: return "id parameter is missing";
429: }
430:
431: getEngine(request).deleteApplicationUser(id);
432:
433: String referrer = getReferrer(request);
434: // if (referrer == null) {
435: referrer = "list/ApplicationUser/list.html";
436: // }
437:
438: return new SimpleRedirect(referrer, "ApplicationUser deleted");
439: }
440: }
|