001    //$HeadURL: svn+ssh://jwilden@svn.wald.intevation.org/deegree/base/branches/2.5_testing/src/org/deegree/portal/standard/security/control/SecurityHelper.java $
002    /*----------------------------------------------------------------------------
003     This file is part of deegree, http://deegree.org/
004     Copyright (C) 2001-2009 by:
005       Department of Geography, University of Bonn
006     and
007       lat/lon GmbH
008    
009     This library is free software; you can redistribute it and/or modify it under
010     the terms of the GNU Lesser General Public License as published by the Free
011     Software Foundation; either version 2.1 of the License, or (at your option)
012     any later version.
013     This library is distributed in the hope that it will be useful, but WITHOUT
014     ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
015     FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
016     details.
017     You should have received a copy of the GNU Lesser General Public License
018     along with this library; if not, write to the Free Software Foundation, Inc.,
019     59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
020    
021     Contact information:
022    
023     lat/lon GmbH
024     Aennchenstr. 19, 53177 Bonn
025     Germany
026     http://lat-lon.de/
027    
028     Department of Geography, University of Bonn
029     Prof. Dr. Klaus Greve
030     Postfach 1147, 53001 Bonn
031     Germany
032     http://www.geographie.uni-bonn.de/deegree/
033    
034     e-mail: info@deegree.org
035    ----------------------------------------------------------------------------*/
036    package org.deegree.portal.standard.security.control;
037    
038    import java.util.HashSet;
039    import java.util.Iterator;
040    import java.util.Set;
041    
042    import javax.servlet.http.HttpServletRequest;
043    import javax.servlet.http.HttpSession;
044    
045    import org.deegree.enterprise.control.AbstractListener;
046    import org.deegree.i18n.Messages;
047    import org.deegree.security.GeneralSecurityException;
048    import org.deegree.security.UnauthorizedException;
049    import org.deegree.security.drm.SecurityAccess;
050    import org.deegree.security.drm.SecurityAccessManager;
051    import org.deegree.security.drm.SecurityTransaction;
052    import org.deegree.security.drm.model.RightType;
053    import org.deegree.security.drm.model.Role;
054    import org.deegree.security.drm.model.User;
055    
056    /**
057     * Helper class that performs common security access tasks and checks used in the <code>Listener</code> classes.
058     *
059     * @author <a href="mschneider@lat-lon.de">Markus Schneider </a>
060     * @author last edited by: $Author: mschneider $
061     *
062     * @version $Revision: 18195 $, $Date: 2009-06-18 17:55:39 +0200 (Do, 18 Jun 2009) $
063     */
064    public class SecurityHelper {
065    
066        /**
067         * Tries to acquire a <code>SecurityAccess</code> for the credentials (username, password) stored in the associated
068         * <code>HttpSesssion</code> of the given <code>AbstractListener</code>.
069         *
070         * @param listener
071         * @return SecurityAccess
072         * @throws GeneralSecurityException
073         */
074        public static SecurityAccess acquireAccess( AbstractListener listener )
075                                throws GeneralSecurityException {
076            // get USERNAME and PASSWORD from HttpSession
077            HttpSession session = ( (HttpServletRequest) listener.getRequest() ).getSession( false );
078            if ( session == null ) {
079                throw new UnauthorizedException( Messages.getMessage( "IGEO_STD_SEC_ERROR_UNAUTHORIZED_ACCESS" ) );
080    
081            }
082            String userName = (String) session.getAttribute( ClientHelper.KEY_USERNAME );
083            String password = (String) session.getAttribute( ClientHelper.KEY_PASSWORD );
084    
085            if ( userName == null ) {
086                return null;
087            }
088    
089            // perform access check
090            SecurityAccessManager manager = SecurityAccessManager.getInstance();
091            User user = manager.getUserByName( userName );
092            user.authenticate( password );
093            return manager.acquireAccess( user );
094        }
095    
096        /**
097         * Tries to acquire a <code>SecurityTransaction</code> for the credentials (username, password) stored in the
098         * associated <code>HttpSesssion</code>.
099         *
100         * @param listener
101         * @return SecurityTransaction
102         * @throws GeneralSecurityException
103         */
104        public static SecurityTransaction acquireTransaction( AbstractListener listener )
105                                throws GeneralSecurityException {
106            // get USERNAME and PASSWORD from HttpSession
107            HttpSession session = ( (HttpServletRequest) listener.getRequest() ).getSession( false );
108            String userName = (String) session.getAttribute( ClientHelper.KEY_USERNAME );
109            String password = (String) session.getAttribute( ClientHelper.KEY_PASSWORD );
110    
111            // perform access check
112            SecurityAccessManager manager = SecurityAccessManager.getInstance();
113            User user = manager.getUserByName( userName );
114            user.authenticate( password );
115            return manager.acquireTransaction( user );
116        }
117    
118        /**
119         * Returns the administrator (the 'Administrator'- or a 'SUBADMIN:'-role) for the given role.
120         *
121         * @param access
122         * @param role
123         * @throws GeneralSecurityException
124         * @return Role
125         */
126        public static Role findAdminForRole( SecurityAccess access, Role role )
127                                throws GeneralSecurityException {
128            Role[] allRoles = access.getAllRoles();
129            Role admin = access.getRoleById( Role.ID_SEC_ADMIN );
130            for ( int i = 0; i < allRoles.length; i++ ) {
131                if ( allRoles[i].getName().startsWith( "SUBADMIN:" ) ) {
132                    // if a subadmin-role has the update right, it is
133                    // considered to be administrative for the role
134                    if ( allRoles[i].hasRight( access, RightType.UPDATE, role ) ) {
135                        admin = allRoles[i];
136                    }
137                }
138            }
139            return admin;
140        }
141    
142        /**
143         * Returns the associated 'Administrator'- or 'SUBADMIN:'-role of the token holder.
144         *
145         * @param access
146         * @return Role
147         * @throws GeneralSecurityException
148         */
149        public static Role checkForAdminOrSubadminRole( SecurityAccess access )
150                                throws GeneralSecurityException {
151            Role adminOrSubadminRole = null;
152            Role[] roles = access.getUser().getRoles( access );
153            for ( int i = 0; i < roles.length; i++ ) {
154                if ( roles[i].getID() == Role.ID_SEC_ADMIN || roles[i].getName().startsWith( "SUBADMIN:" ) ) {
155                    if ( adminOrSubadminRole == null ) {
156                        adminOrSubadminRole = roles[i];
157                    } else {
158                        throw new GeneralSecurityException( Messages.getMessage( "IGEO_STD_SEC_WRONG_ROLE" ) );
159                    }
160                }
161            }
162            if ( adminOrSubadminRole == null ) {
163                throw new UnauthorizedException( Messages.getMessage( "IGEO_STD_SEC_MISSING_SUBADMIN_ROLE" ) );
164    
165            }
166            return adminOrSubadminRole;
167        }
168    
169        /**
170         * Tests if the given token is associated with the 'Administrator'-role.
171         *
172         * @param access
173         * @throws GeneralSecurityException
174         *             , this is an UnauthorizedException if the user does not have the 'Administrator'-role
175         */
176        public static void checkForAdminRole( SecurityAccess access )
177                                throws GeneralSecurityException {
178            Role[] roles = access.getUser().getRoles( access );
179            for ( int i = 0; i < roles.length; i++ ) {
180                if ( roles[i].getID() == Role.ID_SEC_ADMIN ) {
181                    return;
182                }
183            }
184            throw new UnauthorizedException( Messages.getMessage( "IGEO_STD_SEC_MISSING_ADMIN_ROLE" ) );
185        }
186    
187        /**
188         * Tests if the 'SUBADMIN:' and 'Administrator'-roles are all disjoint (so that there are no users that have more
189         * than 1 role).
190         *
191         * @param access
192         * @throws GeneralSecurityException
193         *             if there is a user with more than one role
194         */
195        public static void checkSubadminRoleValidity( SecurityAccess access )
196                                throws GeneralSecurityException {
197    
198            Role[] subadminRoles = access.getRolesByNS( "SUBADMIN" );
199            Set<User>[] rolesAndUsers = new Set[subadminRoles.length + 1];
200            String[] roleNames = new String[subadminRoles.length + 1];
201    
202            // admin role
203            User[] users = access.getRoleById( Role.ID_SEC_ADMIN ).getAllUsers( access );
204            rolesAndUsers[0] = new HashSet<User>();
205            roleNames[0] = "Administrator";
206            for ( int i = 0; i < users.length; i++ ) {
207                rolesAndUsers[0].add( users[i] );
208            }
209    
210            // subadmin roles
211            for ( int i = 1; i < rolesAndUsers.length; i++ ) {
212                users = subadminRoles[i - 1].getAllUsers( access );
213                rolesAndUsers[i] = new HashSet<User>();
214                roleNames[i] = subadminRoles[i - 1].getTitle();
215                for ( int j = 0; j < users.length; j++ ) {
216                    rolesAndUsers[i].add( users[j] );
217                }
218            }
219    
220            // now check if all usersets are disjoint
221            for ( int i = 0; i < rolesAndUsers.length - 1; i++ ) {
222                Set userSet1 = rolesAndUsers[i];
223                for ( int j = i + 1; j < rolesAndUsers.length; j++ ) {
224                    Set userSet2 = rolesAndUsers[j];
225                    Iterator it = userSet2.iterator();
226                    while ( it.hasNext() ) {
227                        User user = (User) it.next();
228                        if ( userSet1.contains( user ) ) {
229                            throw new GeneralSecurityException( Messages.getMessage( "IGEO_STD_SEC_INVALID_SUBADMIN_ROLE" ) );
230                        }
231                    }
232                }
233            }
234        }
235    }