/**
 * Returns the roles currently activated for the caller's session on the accelerator server.
 * Sends an {@link RbacSessionRolesRequest} over the admin connection and maps every role name
 * in the {@link RbacSessionRolesResponse} onto a {@link UserRole} carrying the session's userId.
 *
 * todo: temporal constraints on the returned entries are not populated yet.
 *
 * @param session must carry the sessionId obtained from the accelerator createSession method; its
 *                userId is copied onto each returned UserRole (the server response only carries role names).
 * @return the activated roles, or {@code null} when the server reports none (existing callers rely on null here).
 * @throws SecurityException wrapping any {@code LdapException} under {@code GlobalErrIds.ACEL_SESSION_ROLES_ERR}.
 */
List<UserRole> sessionRoles(Session session) throws SecurityException {
    LdapConnection connection = null;
    List<UserRole> activated = null;
    try {
        connection = getAdminConnection();
        RbacSessionRolesRequest request = new RbacSessionRolesRequestImpl();
        request.setSessionId(session.getSessionId());
        request.setUserIdentity(session.getUserId());
        RbacSessionRolesResponse response = (RbacSessionRolesResponse) connection.extended(request);
        LOG.debug("sessionRoles result: {}", response.getLdapResult().getResultCode().getResultCode());
        if (CollectionUtils.isNotEmpty(response.getRoles())) {
            String userId = session.getUserId();
            activated = new ArrayList<>();
            for (String roleName : response.getRoles()) {
                // todo: temporal constraints are not copied from the server yet
                activated.add(new UserRole(userId, roleName));
            }
        }
    } catch (LdapException e) {
        String error = "sessionRoles caught LDAPException=" + " msg=" + e.getMessage();
        throw new SecurityException(GlobalErrIds.ACEL_SESSION_ROLES_ERR, error, e);
    } finally {
        closeAdminConnection(connection);
    }
    return activated;
}
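/**
 * Deactivates a role in the user's accelerator session.
 * Mirrors {@link org.apache.directory.fortress.core.AccessMgr#dropActiveRole(org.apache.directory.fortress.core.model.Session, org.apache.directory.fortress.core.model.UserRole)}:
 * on success the server-side session state is modified inside the accelerator cache.
 * Sends an {@link RbacDropRoleRequest} and inspects the result code of the {@link RbacDropRoleResponse}.
 *
 * @param session  carries the sessionId obtained from the accelerator createSession method.
 * @param userRole both {@link org.apache.directory.fortress.core.model.UserRole#userId} and {@link UserRole#name}
 *                 must be set; the userId on the role (not the one on the session) is what is sent to the server.
 * @throws SecurityException {@code GlobalErrIds.URLE_NOT_ACTIVE} when the server answers anything but SUCCESS
 *                           (the role was not active for that user), or {@code GlobalErrIds.ACEL_DROP_ROLE_ERR}
 *                           wrapping an {@code LdapException}.
 */
void dropActiveRole(Session session, UserRole userRole) throws SecurityException {
    LdapConnection ld = null;
    try {
        ld = getAdminConnection();
        RbacDropRoleRequest dropRoleRequest = new RbacDropRoleRequestImpl();
        dropRoleRequest.setSessionId(session.getSessionId());
        dropRoleRequest.setRole(userRole.getName());
        // The identity sent to the server comes from the role, not from the session; nothing here checks
        // that the two agree. NOTE(review): presumably the accelerator rejects a mismatch - confirm server side.
        dropRoleRequest.setUserIdentity(userRole.getUserId());
        RbacDropRoleResponse response = (RbacDropRoleResponse) ld.extended(dropRoleRequest);
        ResultCodeEnum resultCode = response.getLdapResult().getResultCode();
        LOG.debug("dropActiveRole result: {}", resultCode);
        if (resultCode != ResultCodeEnum.SUCCESS) {
            // Report the identity that was actually sent in the request (it used to report the session's
            // userId), so the error cannot name a different user than the one the server evaluated.
            String info = "dropActiveRole Role [" + userRole.getName() + "] User [" + userRole.getUserId() + "], not previously activated.";
            throw new SecurityException(GlobalErrIds.URLE_NOT_ACTIVE, info);
        }
    } catch (LdapException e) {
        String error = "dropActiveRole role name [" + userRole.getName() + "] caught LDAPException=" + " msg=" + e.getMessage();
        throw new SecurityException(GlobalErrIds.ACEL_DROP_ROLE_ERR, error, e);
    } finally {
        // Always hand the admin connection back, even when the server said no.
        closeAdminConnection(ld);
    }
}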
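/**
 * Authenticates the user on the accelerator server and returns a {@link org.apache.directory.fortress.core.model.Session}
 * whose sessionId was issued by the server.
 * Mirrors {@link org.apache.directory.fortress.core.AccessMgr#createSession(org.apache.directory.fortress.core.model.User, boolean)};
 * on success the session state is held server-side, and the bind may be recorded in the server audit log and
 * retrieved with {@link org.apache.directory.fortress.core.AuditMgr#searchBinds(org.apache.directory.fortress.core.model.UserAudit)}.
 *
 * Uses the {@link RbacCreateSessionRequest} and {@link RbacCreateSessionResponse} accelerator APIs.
 *
 * @param user carries the userId, password and contextId (sent as tenantId), plus the roles to activate, if any.
 * @return an authenticated session holding the server-issued sessionId; that id is the bearer for the
 *         server-side session and is deliberately not logged here.
 * @throws SecurityException {@code GlobalErrIds.USER_PW_INVLD} when the server answers anything but SUCCESS, or
 *                           {@code GlobalErrIds.ACEL_CREATE_SESSION_ERR} wrapping an {@code LdapException}.
 */
Session createSession(User user) throws SecurityException {
    Session session = null;
    LdapConnection ld = null;
    try {
        ld = getAdminConnection();
        // NOTE(review): 0 is handed straight to the connection; confirm what the LDAP API treats 0 as. If it
        // means "no limit", a stalled accelerator blocks this thread indefinitely, and if getAdminConnection()
        // hands out a pooled connection the setting outlives this call.
        ld.setTimeOut(0);
        RbacCreateSessionRequest request = new RbacCreateSessionRequestImpl();
        request.setTenantId(user.getContextId());
        request.setUserIdentity(user.getUserId());
        // The request API takes a String, so the password leaves the char[] here and stays reachable until GC.
        request.setPassword(new String(user.getPassword()));
        if (CollectionUtils.isNotEmpty(user.getRoles())) {
            for (UserRole userRole : user.getRoles()) {
                request.addRole(userRole.getName());
            }
        }
        RbacCreateSessionResponse response = (RbacCreateSessionResponse) ld.extended(request);
        ResultCodeEnum resultCode = response.getLdapResult().getResultCode();
        // The sessionId is what later calls present to act on this session; keep it out of the log.
        LOG.debug("createSession userId: {}, resultCode: {}", user.getUserId(), resultCode);
        session = new Session(user, response.getSessionId());
        if (resultCode == ResultCodeEnum.SUCCESS) {
            session.setAuthenticated(true);
        } else {
            session.setAuthenticated(false);
            String info = "createSession UserId [" + user.getUserId() + "] failed: " + response.getLdapResult() + " , resultCode: " + resultCode.getResultCode();
            throw new SecurityException(GlobalErrIds.USER_PW_INVLD, info);
        }
    } catch (LdapException e) {
        String error = "createSession userId [" + user.getUserId() + "] caught LDAPException=" + " msg=" + e.getMessage();
        throw new SecurityException(GlobalErrIds.ACEL_CREATE_SESSION_ERR, error, e);
    } finally {
        closeAdminConnection(ld);
    }
    return session;
}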
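/**
 * Performs sanity validation of an Admin Role before it is inserted into or updated in the directory: the name
 * and description are checked by {@code VUtil}, the ARBAC begin/end role range is checked for consistency,
 * every non-empty temporal constraint is run through {@code constraintValidator}, and the referenced user and
 * permission OrgUnits are verified.
 *
 * @param entity contains data targeted for insertion or update.
 * @throws SecurityException on any validation failure, or on a DAO error while validating the OrgUnits.
 */
private void validate(AdminRole entity) throws SecurityException {
    VUtil.safeText(entity.getName(), GlobalIds.ROLE_LEN);
    validateRoleRange(entity);
    if (StringUtils.isNotEmpty(entity.getDescription())) {
        VUtil.description(entity.getDescription());
    }
    validateTemporalConstraints(entity);
    if (CollectionUtils.isNotEmpty(entity.getOsUSet())) {
        validateOrgs(entity.getOsUSet(), OrgUnit.Type.USER, entity.getContextId());
    }
    if (CollectionUtils.isNotEmpty(entity.getOsPSet())) {
        validateOrgs(entity.getOsPSet(), OrgUnit.Type.PERM, entity.getContextId());
    }
}

/**
 * Checks the ARBAC role range: either both endpoints are empty, or both are set, are safe text, and are either
 * identical with both ends inclusive or ordered so that begin is a parent of end in the role hierarchy.
 *
 * @param entity the role whose beginRange/endRange are checked.
 * @throws SecurityException ARLE_INVLD_RANGE_INCLUSIVE, ARLE_INVLD_RANGE, ARLE_BEGIN_RANGE_NULL or ARLE_END_RANGE_NULL.
 */
private void validateRoleRange(AdminRole entity) throws SecurityException {
    String begin = entity.getBeginRange();
    String end = entity.getEndRange();
    boolean hasBegin = StringUtils.isNotEmpty(begin);
    boolean hasEnd = StringUtils.isNotEmpty(end);
    if (hasBegin && hasEnd) {
        VUtil.safeText(begin, GlobalIds.ROLE_LEN);
        VUtil.safeText(end, GlobalIds.ROLE_LEN);
        boolean sameEndpoint = begin.equalsIgnoreCase(end);
        if (sameEndpoint && (!entity.isBeginInclusive() || !entity.isEndInclusive())) {
            String error = "validate invalid range detected for role name [" + entity.getName() + "] non inclusive endpoint for identical range [" + begin + "] begin inclusive [" + entity.isBeginInclusive() + "] end inclusive [" + entity.isEndInclusive() + "]";
            LOG.warn(error);
            throw new SecurityException(GlobalErrIds.ARLE_INVLD_RANGE_INCLUSIVE, error);
        } else if (!RoleUtil.getInstance().isParent(begin, end, entity.getContextId()) && !sameEndpoint) {
            // isParent is evaluated first on purpose, matching the original order of the hierarchy lookup.
            String error = "validate invalid range detected for role name [" + entity.getName() + "] begin range [" + begin + "] end range [" + end + "]";
            LOG.warn(error);
            throw new SecurityException(GlobalErrIds.ARLE_INVLD_RANGE, error);
        }
    } else if (!hasBegin && hasEnd) {
        String error = "validate role name [" + entity.getName() + "] begin range value null or empty.";
        LOG.warn(error);
        throw new SecurityException(GlobalErrIds.ARLE_BEGIN_RANGE_NULL, error);
    } else if (hasBegin && !hasEnd) {
        String error = "validate role name [" + entity.getName() + "] end range value null or empty.";
        LOG.warn(error);
        throw new SecurityException(GlobalErrIds.ARLE_END_RANGE_NULL, error);
    }
}

/**
 * Runs each temporal constraint that is set through {@code constraintValidator}. Fixes the earlier copy/paste
 * slip where a non-empty beginLockDate triggered a check of beginDate instead, so a malformed beginLockDate
 * was never rejected before being written to the directory.
 *
 * @param entity the role whose timeout, time, date, day-mask and lock-date constraints are checked.
 * @throws SecurityException from the validator on a malformed constraint.
 */
private void validateTemporalConstraints(AdminRole entity) throws SecurityException {
    if (entity.getTimeout() >= 0) {
        constraintValidator.timeout(entity.getTimeout());
    }
    if (StringUtils.isNotEmpty(entity.getBeginTime())) {
        constraintValidator.beginTime(entity.getBeginTime());
    }
    if (StringUtils.isNotEmpty(entity.getEndTime())) {
        constraintValidator.endTime(entity.getEndTime());
    }
    if (StringUtils.isNotEmpty(entity.getBeginDate())) {
        constraintValidator.beginDate(entity.getBeginDate());
    }
    if (StringUtils.isNotEmpty(entity.getEndDate())) {
        constraintValidator.endDate(entity.getEndDate());
    }
    if (StringUtils.isNotEmpty(entity.getDayMask())) {
        constraintValidator.dayMask(entity.getDayMask());
    }
    if (StringUtils.isNotEmpty(entity.getBeginLockDate())) {
        constraintValidator.beginDate(entity.getBeginLockDate());
    }
    if (StringUtils.isNotEmpty(entity.getEndLockDate())) {
        constraintValidator.endDate(entity.getEndLockDate());
    }
}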
/**
 * Removes the user from the occupant attribute of every Admin Role it is assigned to. Invoked by AdminMgrImpl
 * while the user is being deleted, so no OrganizationalRole entity keeps a reference to the removed entry.
 *
 * @param userDn    the user's DN, passed as-is to {@code rDao.findAssignedRoles} and {@code deassign}.
 * @param contextId maps to a sub-tree in the DIT, e.g. ou=contextId, dc=example, dc=com.
 * @throws SecurityException {@code GlobalErrIds.ARLE_REMOVE_OCCUPANT_FAILED} wrapping a {@code FinderException}
 *                           raised by the role lookup; other SecurityExceptions from {@code deassign} propagate as-is.
 */
void removeOccupant(String userDn, String contextId) throws SecurityException {
    try {
        for (String roleName : rDao.findAssignedRoles(userDn, contextId)) {
            AdminRole assigned = new AdminRole(roleName);
            assigned.setContextId(contextId);
            deassign(assigned, userDn);
        }
    } catch (FinderException fe) {
        String error = "removeOccupant userDn [" + userDn + "] caught FinderException=" + fe;
        throw new SecurityException(GlobalErrIds.ARLE_REMOVE_OCCUPANT_FAILED, error, fe);
    }
}