001 //$HeadURL: svn+ssh://rbezema@svn.wald.intevation.org/deegree/base/branches/2.2_testing/src/org/deegree/security/drm/SecurityHelper.java $
002 /*---------------- FILE HEADER ------------------------------------------
003
004 This file is part of deegree.
005 Copyright (C) 2001-2008 by:
006 EXSE, Department of Geography, University of Bonn
007 http://www.giub.uni-bonn.de/deegree/
008 lat/lon GmbH
009 http://www.lat-lon.de
010
011 This library is free software; you can redistribute it and/or
012 modify it under the terms of the GNU Lesser General Public
013 License as published by the Free Software Foundation; either
014 version 2.1 of the License, or (at your option) any later version.
015
016 This library is distributed in the hope that it will be useful,
017 but WITHOUT ANY WARRANTY; without even the implied warranty of
018 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
019 Lesser General Public License for more details.
020
021 You should have received a copy of the GNU Lesser General Public
022 License along with this library; if not, write to the Free Software
023 Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
024
025 Contact:
026
027 Andreas Poth
028 lat/lon GmbH
029 Aennchenstr. 19
030 53115 Bonn
031 Germany
032 E-Mail: poth@lat-lon.de
033
034 Prof. Dr. Klaus Greve
035 Department of Geography
036 University of Bonn
037 Meckenheimer Allee 166
038 53115 Bonn
039 Germany
040 E-Mail: greve@giub.uni-bonn.de
041
042 ---------------------------------------------------------------------------*/
043 package org.deegree.security.drm;
044
045 import java.util.HashSet;
046 import java.util.Iterator;
047 import java.util.Set;
048
049 import org.deegree.security.GeneralSecurityException;
050 import org.deegree.security.UnauthorizedException;
051 import org.deegree.security.drm.model.RightType;
052 import org.deegree.security.drm.model.Role;
053 import org.deegree.security.drm.model.User;
054
055 /**
056 * Helper class that performs access checks.
057 * <p>
058 *
059 * @author <a href="mschneider@lat-lon.de">Markus Schneider</a>
060 * @author last edited by: $Author: apoth $
061 *
062 * @version $Revision: 9346 $, $Date: 2007-12-27 17:39:07 +0100 (Do, 27 Dez 2007) $
063 */
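public class SecurityHelper {

    /** Name prefix that marks a role as a sub-administrator role in the name-based checks below. */
    private static final String SUBADMIN_PREFIX = "SUBADMIN:";

    /**
     * Returns the role that administers the given role: a 'SUBADMIN:'-role that holds the UPDATE
     * right on it, or otherwise the 'Administrator'-role.
     * <p>
     * The lookup starts from the role with id {@link Role#ID_SEC_ADMIN}. Every role whose name
     * starts with "SUBADMIN:" and that has {@link RightType#UPDATE} on <code>role</code> replaces
     * the current candidate. The loop does not stop at the first match, so if several
     * subadmin-roles hold the right, the last one in the order of
     * <code>access.getAllRoles()</code> is returned.
     * <p>
     * NOTE(review): subadmin-roles are recognised here purely by their name prefix. Presumably
     * only administrators may create or rename roles into that prefix; confirm against the role
     * management code, because any role named this way becomes an administrator candidate.
     *
     * @param access
     *            security access used to look up the roles and to evaluate the right
     * @param role
     *            role whose administrating role is wanted
     * @return the 'Administrator'-role or a 'SUBADMIN:'-role; whatever
     *         <code>getRoleById</code> returned when no subadmin-role matches
     * @throws GeneralSecurityException
     *             declared for the lookups on <code>access</code> and the right check
     */
    public static Role findAdminForRole( SecurityAccess access, Role role )
                            throws GeneralSecurityException {

        // the call order of the original is kept: all roles first, then the admin role
        Role[] allRoles = access.getAllRoles();
        Role admin = access.getRoleById( Role.ID_SEC_ADMIN );
        for ( Role candidate : allRoles ) {
            // a subadmin-role with the update right is considered to be the
            // administrator of the role
            if ( candidate.getName().startsWith( SUBADMIN_PREFIX )
                 && candidate.hasRight( access, RightType.UPDATE, role ) ) {
                admin = candidate;
            }
        }
        return admin;
    }

    /**
     * Returns the single 'Administrator'- or 'SUBADMIN:'-role of the user behind the given access.
     * <p>
     * The check fails closed: denial is reported by an exception, never by a return value, so a
     * normal return always carries exactly one administrative role.
     *
     * @param access
     *            security access whose user is checked
     * @return the one 'Administrator'- or 'SUBADMIN:'-role the user holds, never
     *         <code>null</code>
     * @throws ManagementException
     *             if the user holds more than one administrative role
     * @throws GeneralSecurityException
     *             an UnauthorizedException if the user holds no administrative role
     */
    public static Role checkForAdminOrSubadminRole( SecurityAccess access )
                            throws ManagementException, GeneralSecurityException {
        Role adminOrSubadminRole = null;
        for ( Role held : access.getUser().getRoles( access ) ) {
            // the admin role is matched by id, subadmin-roles by name prefix
            boolean administrative = held.getID() == Role.ID_SEC_ADMIN
                                     || held.getName().startsWith( SUBADMIN_PREFIX );
            if ( !administrative ) {
                continue;
            }
            if ( adminOrSubadminRole != null ) {
                // two administrative roles on one user is an invalid role assignment
                throw new ManagementException( "Unzulässige Rollenvergabe: Benutzer '"
                                               + access.getUser().getTitle() + "' hat sowohl die Rolle '"
                                               + adminOrSubadminRole.getTitle() + "' als auch die Rolle '"
                                               + held.getTitle() + "'." );
            }
            adminOrSubadminRole = held;
        }
        if ( adminOrSubadminRole == null ) {
            throw new UnauthorizedException( "Sie haben nicht die für den Zugriff " + "benötigte 'Administrator'- "
                                             + "bzw. Subadministrator-Rolle." );
        }
        return adminOrSubadminRole;
    }

    /**
     * Tests if the user behind the given access holds the 'Administrator'-role.
     * <p>
     * Only the role id is compared ({@link Role#ID_SEC_ADMIN}); 'SUBADMIN:'-roles do not satisfy
     * this check. Returning normally means the check passed.
     *
     * @param access
     *            security access whose user is checked
     * @throws GeneralSecurityException
     *             an UnauthorizedException if the user does not have the 'Administrator'-role
     */
    public static void checkForAdminRole( SecurityAccess access )
                            throws GeneralSecurityException {
        for ( Role held : access.getUser().getRoles( access ) ) {
            if ( held.getID() == Role.ID_SEC_ADMIN ) {
                return;
            }
        }
        throw new UnauthorizedException( "Sie haben nicht die für den Zugriff " + "benötigte 'Administrator'-Rolle." );
    }

    /**
     * Tests if the user sets of the 'Administrator'-role and of all 'SUBADMIN'-roles are pairwise
     * disjoint, i.e. that no user holds more than one of these roles.
     * <p>
     * Subadmin-roles are taken from <code>access.getRolesByNS( "SUBADMIN" )</code>, whereas the
     * other methods of this class match on the "SUBADMIN:" name prefix.
     * NOTE(review): presumably both select the same roles; confirm, since a role seen by only one
     * of the two lookups would escape either this validity check or the per-user check.
     * <p>
     * Membership is compared with hash sets, so the result relies on the
     * <code>equals</code>/<code>hashCode</code> of {@link User} (not visible in this file).
     *
     * @param access
     *            security access used to look up the roles and their users
     * @throws ManagementException
     *             if there is a user with more than one of these roles
     * @throws GeneralSecurityException
     *             declared for the lookups on <code>access</code>
     */
    public static void checkSubadminRoleValidity( SecurityAccess access )
                            throws ManagementException, GeneralSecurityException {

        Role[] subadminRoles = access.getRolesByNS( "SUBADMIN" );

        // index 0 holds the admin role, index i (i > 0) holds subadminRoles[i - 1];
        // a generic array cannot be created directly, the array never leaves this method
        @SuppressWarnings("unchecked")
        Set<User>[] rolesAndUsers = new Set[subadminRoles.length + 1];
        String[] roleNames = new String[subadminRoles.length + 1];

        // admin role
        rolesAndUsers[0] = toUserSet( access.getRoleById( Role.ID_SEC_ADMIN ).getAllUsers( access ) );
        roleNames[0] = "Administrator";

        // subadmin roles
        for ( int i = 1; i < rolesAndUsers.length; i++ ) {
            Role subadmin = subadminRoles[i - 1];
            rolesAndUsers[i] = toUserSet( subadmin.getAllUsers( access ) );
            roleNames[i] = subadmin.getTitle();
        }

        // now check if all user sets are pairwise disjoint
        for ( int i = 0; i < rolesAndUsers.length - 1; i++ ) {
            Set<User> earlier = rolesAndUsers[i];
            for ( int j = i + 1; j < rolesAndUsers.length; j++ ) {
                for ( User user : rolesAndUsers[j] ) {
                    if ( earlier.contains( user ) ) {
                        throw new ManagementException( "Ungültige Subadmin-Rollenvergabe. Benutzer '" + user.getTitle()
                                                       + "' würde sowohl die Rolle '" + roleNames[i]
                                                       + "' als auch die Rolle '" + roleNames[j] + "' erhalten." );
                    }
                }
            }
        }
    }

    /** Copies the given users into a new hash set. */
    private static Set<User> toUserSet( User[] users ) {
        Set<User> set = new HashSet<User>();
        for ( User user : users ) {
            set.add( user );
        }
        return set;
    }
}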