001 //$HeadURL: svn+ssh://jwilden@svn.wald.intevation.org/deegree/base/branches/2.5_testing/src/org/deegree/portal/standard/security/control/SecurityHelper.java $
002 /*----------------------------------------------------------------------------
003 This file is part of deegree, http://deegree.org/
004 Copyright (C) 2001-2009 by:
005 Department of Geography, University of Bonn
006 and
007 lat/lon GmbH
008
009 This library is free software; you can redistribute it and/or modify it under
010 the terms of the GNU Lesser General Public License as published by the Free
011 Software Foundation; either version 2.1 of the License, or (at your option)
012 any later version.
013 This library is distributed in the hope that it will be useful, but WITHOUT
014 ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
015 FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
016 details.
017 You should have received a copy of the GNU Lesser General Public License
018 along with this library; if not, write to the Free Software Foundation, Inc.,
019 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
020
021 Contact information:
022
023 lat/lon GmbH
024 Aennchenstr. 19, 53177 Bonn
025 Germany
026 http://lat-lon.de/
027
028 Department of Geography, University of Bonn
029 Prof. Dr. Klaus Greve
030 Postfach 1147, 53001 Bonn
031 Germany
032 http://www.geographie.uni-bonn.de/deegree/
033
034 e-mail: info@deegree.org
035 ----------------------------------------------------------------------------*/
036 package org.deegree.portal.standard.security.control;
037
038 import java.util.HashSet;
039 import java.util.Iterator;
040 import java.util.Set;
041
042 import javax.servlet.http.HttpServletRequest;
043 import javax.servlet.http.HttpSession;
044
045 import org.deegree.enterprise.control.AbstractListener;
046 import org.deegree.i18n.Messages;
047 import org.deegree.security.GeneralSecurityException;
048 import org.deegree.security.UnauthorizedException;
049 import org.deegree.security.drm.SecurityAccess;
050 import org.deegree.security.drm.SecurityAccessManager;
051 import org.deegree.security.drm.SecurityTransaction;
052 import org.deegree.security.drm.model.RightType;
053 import org.deegree.security.drm.model.Role;
054 import org.deegree.security.drm.model.User;
055
056 /**
057 * Helper class that performs common security access tasks and checks used in the <code>Listener</code> classes.
058 *
059 * @author <a href="mschneider@lat-lon.de">Markus Schneider </a>
060 * @author last edited by: $Author: mschneider $
061 *
062 * @version $Revision: 18195 $, $Date: 2009-06-18 17:55:39 +0200 (Do, 18 Jun 2009) $
063 */
064 public class SecurityHelper {
065
066 /**
067 * Tries to acquire a <code>SecurityAccess</code> for the credentials (username, password) stored in the associated
068 * <code>HttpSesssion</code> of the given <code>AbstractListener</code>.
069 *
070 * @param listener
071 * @return SecurityAccess
072 * @throws GeneralSecurityException
073 */
074 public static SecurityAccess acquireAccess( AbstractListener listener )
075 throws GeneralSecurityException {
076 // get USERNAME and PASSWORD from HttpSession
077 HttpSession session = ( (HttpServletRequest) listener.getRequest() ).getSession( false );
078 if ( session == null ) {
079 throw new UnauthorizedException( Messages.getMessage( "IGEO_STD_SEC_ERROR_UNAUTHORIZED_ACCESS" ) );
080
081 }
082 String userName = (String) session.getAttribute( ClientHelper.KEY_USERNAME );
083 String password = (String) session.getAttribute( ClientHelper.KEY_PASSWORD );
084
085 if ( userName == null ) {
086 return null;
087 }
088
089 // perform access check
090 SecurityAccessManager manager = SecurityAccessManager.getInstance();
091 User user = manager.getUserByName( userName );
092 user.authenticate( password );
093 return manager.acquireAccess( user );
094 }
095
096 /**
097 * Tries to acquire a <code>SecurityTransaction</code> for the credentials (username, password) stored in the
098 * associated <code>HttpSesssion</code>.
099 *
100 * @param listener
101 * @return SecurityTransaction
102 * @throws GeneralSecurityException
103 */
104 public static SecurityTransaction acquireTransaction( AbstractListener listener )
105 throws GeneralSecurityException {
106 // get USERNAME and PASSWORD from HttpSession
107 HttpSession session = ( (HttpServletRequest) listener.getRequest() ).getSession( false );
108 String userName = (String) session.getAttribute( ClientHelper.KEY_USERNAME );
109 String password = (String) session.getAttribute( ClientHelper.KEY_PASSWORD );
110
111 // perform access check
112 SecurityAccessManager manager = SecurityAccessManager.getInstance();
113 User user = manager.getUserByName( userName );
114 user.authenticate( password );
115 return manager.acquireTransaction( user );
116 }
117
118 /**
119 * Returns the administrator (the 'Administrator'- or a 'SUBADMIN:'-role) for the given role.
120 *
121 * @param access
122 * @param role
123 * @throws GeneralSecurityException
124 * @return Role
125 */
126 public static Role findAdminForRole( SecurityAccess access, Role role )
127 throws GeneralSecurityException {
128 Role[] allRoles = access.getAllRoles();
129 Role admin = access.getRoleById( Role.ID_SEC_ADMIN );
130 for ( int i = 0; i < allRoles.length; i++ ) {
131 if ( allRoles[i].getName().startsWith( "SUBADMIN:" ) ) {
132 // if a subadmin-role has the update right, it is
133 // considered to be administrative for the role
134 if ( allRoles[i].hasRight( access, RightType.UPDATE, role ) ) {
135 admin = allRoles[i];
136 }
137 }
138 }
139 return admin;
140 }
141
142 /**
143 * Returns the associated 'Administrator'- or 'SUBADMIN:'-role of the token holder.
144 *
145 * @param access
146 * @return Role
147 * @throws GeneralSecurityException
148 */
149 public static Role checkForAdminOrSubadminRole( SecurityAccess access )
150 throws GeneralSecurityException {
151 Role adminOrSubadminRole = null;
152 Role[] roles = access.getUser().getRoles( access );
153 for ( int i = 0; i < roles.length; i++ ) {
154 if ( roles[i].getID() == Role.ID_SEC_ADMIN || roles[i].getName().startsWith( "SUBADMIN:" ) ) {
155 if ( adminOrSubadminRole == null ) {
156 adminOrSubadminRole = roles[i];
157 } else {
158 throw new GeneralSecurityException( Messages.getMessage( "IGEO_STD_SEC_WRONG_ROLE" ) );
159 }
160 }
161 }
162 if ( adminOrSubadminRole == null ) {
163 throw new UnauthorizedException( Messages.getMessage( "IGEO_STD_SEC_MISSING_SUBADMIN_ROLE" ) );
164
165 }
166 return adminOrSubadminRole;
167 }
168
169 /**
170 * Tests if the given token is associated with the 'Administrator'-role.
171 *
172 * @param access
173 * @throws GeneralSecurityException
174 * , this is an UnauthorizedException if the user does not have the 'Administrator'-role
175 */
176 public static void checkForAdminRole( SecurityAccess access )
177 throws GeneralSecurityException {
178 Role[] roles = access.getUser().getRoles( access );
179 for ( int i = 0; i < roles.length; i++ ) {
180 if ( roles[i].getID() == Role.ID_SEC_ADMIN ) {
181 return;
182 }
183 }
184 throw new UnauthorizedException( Messages.getMessage( "IGEO_STD_SEC_MISSING_ADMIN_ROLE" ) );
185 }
186
187 /**
188 * Tests if the 'SUBADMIN:' and 'Administrator'-roles are all disjoint (so that there are no users that have more
189 * than 1 role).
190 *
191 * @param access
192 * @throws GeneralSecurityException
193 * if there is a user with more than one role
194 */
195 public static void checkSubadminRoleValidity( SecurityAccess access )
196 throws GeneralSecurityException {
197
198 Role[] subadminRoles = access.getRolesByNS( "SUBADMIN" );
199 Set<User>[] rolesAndUsers = new Set[subadminRoles.length + 1];
200 String[] roleNames = new String[subadminRoles.length + 1];
201
202 // admin role
203 User[] users = access.getRoleById( Role.ID_SEC_ADMIN ).getAllUsers( access );
204 rolesAndUsers[0] = new HashSet<User>();
205 roleNames[0] = "Administrator";
206 for ( int i = 0; i < users.length; i++ ) {
207 rolesAndUsers[0].add( users[i] );
208 }
209
210 // subadmin roles
211 for ( int i = 1; i < rolesAndUsers.length; i++ ) {
212 users = subadminRoles[i - 1].getAllUsers( access );
213 rolesAndUsers[i] = new HashSet<User>();
214 roleNames[i] = subadminRoles[i - 1].getTitle();
215 for ( int j = 0; j < users.length; j++ ) {
216 rolesAndUsers[i].add( users[j] );
217 }
218 }
219
220 // now check if all usersets are disjoint
221 for ( int i = 0; i < rolesAndUsers.length - 1; i++ ) {
222 Set userSet1 = rolesAndUsers[i];
223 for ( int j = i + 1; j < rolesAndUsers.length; j++ ) {
224 Set userSet2 = rolesAndUsers[j];
225 Iterator it = userSet2.iterator();
226 while ( it.hasNext() ) {
227 User user = (User) it.next();
228 if ( userSet1.contains( user ) ) {
229 throw new GeneralSecurityException( Messages.getMessage( "IGEO_STD_SEC_INVALID_SUBADMIN_ROLE" ) );
230 }
231 }
232 }
233 }
234 }
235 }