/**
* {@inheritDoc}
*/
@Override
public void addActiveRole(Session session, UserAdminRole role) throws SecurityException {
    // Activates an admin role into the caller's session through the ADMIN_ADD endpoint.
    // Both arguments are mandatory; a missing one is rejected with the fortress error id.
    String context = CLS_NM + ".addActiveRole";
    VUtil.assertNotNull(session, GlobalErrIds.USER_SESS_NULL, context);
    VUtil.assertNotNull(role, GlobalErrIds.ARLE_NULL, context);

    FortRequest request = new FortRequest();
    request.setContextId(this.contextId);
    request.setSession(session);
    request.setEntity(role);

    String payload = RestUtils.marshal(request);
    String reply = RestUtils.getInstance().post(payload, HttpIds.ADMIN_ADD);
    FortResponse response = RestUtils.unmarshall(reply);

    // A non-zero code from the server is surfaced unchanged; the caller's session is left untouched.
    if (response.getErrorCode() != 0) {
        throw new SecurityException(response.getErrorCode(), response.getErrorMessage());
    }
    // On success the server returns the updated session; its state replaces the caller's copy.
    Session serverSession = response.getSession();
    session.copy(serverSession);
}
/**
* {@inheritDoc}
*/
@Override
public boolean canAssign(Session session, User user, Role role) throws SecurityException {
    // Asks the server (ADMIN_ASSIGN endpoint) whether the admin roles active in the session
    // permit assigning the given RBAC role to the given user.
    String context = CLS_NM + ".canAssign";
    VUtil.assertNotNull(session, GlobalErrIds.USER_SESS_NULL, context);
    VUtil.assertNotNull(user, GlobalErrIds.USER_NULL, context);
    VUtil.assertNotNull(role, GlobalErrIds.ROLE_NULL, context);

    // Only the identifying pair (userId, role name) travels to the server, not the full entities.
    UserRole assignment = new UserRole(user.getUserId(), role.getName());
    FortRequest request = new FortRequest();
    request.setContextId(this.contextId);
    request.setSession(session);
    request.setEntity(assignment);

    String payload = RestUtils.marshal(request);
    String reply = RestUtils.getInstance().post(payload, HttpIds.ADMIN_ASSIGN);
    FortResponse response = RestUtils.unmarshall(reply);

    // Server-side failures are rethrown with the server's code and message; no decision is returned.
    if (response.getErrorCode() != 0) {
        throw new SecurityException(response.getErrorCode(), response.getErrorMessage());
    }
    // NOTE(review): if getAuthorized() is a boxed Boolean and the server omits it, this assignment
    // fails with an NPE instead of returning false — fail-closed, but confirm the wire type.
    boolean authorized = response.getAuthorized();
    Session serverSession = response.getSession();
    session.copy(serverSession);
    return authorized;
}
/**
* {@inheritDoc}
*/
@Override
public List<UserAdminRole> sessionAdminRoles(Session session) throws SecurityException {
    // Retrieves the admin roles currently activated in the session via the ADMIN_ROLES endpoint.
    VUtil.assertNotNull(session, GlobalErrIds.USER_SESS_NULL, CLS_NM + ".sessionAdminRoles");

    FortRequest request = new FortRequest();
    request.setContextId(this.contextId);
    request.setSession(session);

    String payload = RestUtils.marshal(request);
    String reply = RestUtils.getInstance().post(payload, HttpIds.ADMIN_ROLES);
    FortResponse response = RestUtils.unmarshall(reply);

    // Any server error is propagated as a SecurityException carrying the server's code and message.
    if (response.getErrorCode() != 0) {
        throw new SecurityException(response.getErrorCode(), response.getErrorMessage());
    }
    // The entities list is whatever the server sent back (may be null if it sent none — not normalised here).
    List<UserAdminRole> adminRoles = response.getEntities();
    Session serverSession = response.getSession();
    session.copy(serverSession);
    return adminRoles;
}
/**
 * Authenticates a user by binding to the directory as that user's DN with the supplied password.
 * <p>
 * A fresh {@link Session} is created in the unauthenticated state, the bind is attempted over a
 * dedicated user connection, and the bind result code plus any password-policy response control
 * are recorded on the session as an error id and message. The session is marked authenticated only
 * when no error id was recorded; in every other case this method throws, so a session is never
 * returned in the unauthenticated state.
 *
 * @param user supplies the userId and contextId used to build the bind DN, and the password to bind with.
 * @return a Session for the user with {@code authenticated == true}.
 * @throws FinderException if the directory operation fails for a reason other than bad credentials.
 * @throws PasswordException if the bind is rejected or a password policy check records an error.
 */
Session checkPassword(User user) throws FinderException, PasswordException {
Session session = null;
LdapConnection ld = null;
String userDn = getDn(user.getUserId(), user.getContextId());
try {
// Start pessimistic: the session only becomes authenticated after every check below passes.
session = new ObjectFactory().createSession();
session.setAuthenticated(false);
session.setUserId(user.getUserId());
ld = getUserConnection();
BindResponse bindResponse = bind(ld, userDn, user.getPassword());
String info;
if (bindResponse.getLdapResult().getResultCode() != ResultCodeEnum.SUCCESS) {
// Message carries the userId and LDAP result code only — the password is never echoed.
info = "PASSWORD INVALID for userId [" + user.getUserId() + "], resultCode [" + bindResponse.getLdapResult().getResultCode() + "]";
session.setMsg(info);
session.setErrorId(GlobalErrIds.USER_PW_INVLD);
}
PasswordPolicy respCtrl = getPwdRespCtrl(bindResponse);
if (respCtrl != null) {
// check IETF password policies here
// NOTE(review): checkPwPolicies receives the session, so it may replace the error id/message
// set above (e.g. with a more specific policy error) — confirm precedence is intended.
checkPwPolicies(session, respCtrl);
}
if (session.getErrorId() == 0) {
session.setAuthenticated(true);
} else {
// pw invalid or pw policy violation:
throw new PasswordException(session.getErrorId(), session.getMsg());
}
} catch (LdapAuthenticationException e) {
// Bind rejected by the server: reported as an invalid password. Note that no password-policy
// control is inspected on this path, only the exception text.
String info = "checkPassword INVALID PASSWORD for userId [" + user.getUserId() + "] exception [" + e + "]";
throw new PasswordException(GlobalErrIds.USER_PW_INVLD, info);
} catch (LdapException e) {
// Any other directory failure is a read failure, with the original exception kept as cause.
String error = "checkPassword userId [" + user.getUserId() + "] caught LDAPException=" + e.getMessage();
throw new FinderException(GlobalErrIds.USER_READ_FAILED, error, e);
} finally {
// Runs on every path, including when getUserConnection() itself failed and ld is still null.
closeUserConnection(ld);
}
// Reachable only when the error id stayed 0, i.e. the session is authenticated.
return session;
}
/**
* CreateSession
* <p>
* This method is called by AccessMgr and is not intended for use outside Fortress core. The successful
* result is Session object that contains target user's RBAC and Admin role activations. In addition to checking
* user password validity it will apply configured password policy checks. Method may also store parms passed in for
* audit trail.
* <ul>
* <li> authenticate user password
* <li> password policy evaluation with OpenLDAP PwPolicy
* <li> evaluate temporal constraints on User and UserRole entities.
* <li> allow selective role activations into User RBAC Session.
* <li> require valid password if trusted == false.
* <li> will disallow any user who is locked out due to OpenLDAP pw policy, regardless of trusted flag being set as parm on API.
* <li> return User's RBAC Session containing User and UserRole attributes.
* <li> throw a SecurityException for authentication failures, other policy violations, data validation errors or system failure.
* </ul>
* <p>
* <p>
* The function is valid if and only if:
* <ul>
* <li> the user is a member of the USERS data set
* <li> the password is supplied (unless trusted).
* <li> the (optional) active role set is a subset of the roles authorized for that user.
* </ul>
* <p>
* <p>
* The User parm contains the following (* indicates required)
* <ul>
* <li> String userId*
* <li> char[] password
* <li> List<UserRole> userRoles contains a list of RBAC role names authorized for user and targeted for activation within this session.
* <li> List<UserAdminRole> userAdminRoles contains a list of Admin role names authorized for user and targeted for activation.
* <li> Properties logonProps collection of auditable name/value pairs to store. For example hostname:myservername or ip:192.168.1.99
* </ul>
* <p>
* <p>
* Notes:
* <ul>
* <li> roles that violate Dynamic Separation of Duty Relationships will not be activated into session.
* <li> role activations will proceed in same order as supplied to User entity setter.
* </ul>
* <p>
*
* @param user Contains userId, password (optional if "trusted"), optional User RBAC Roles: List<UserRole> rolesToBeActivated, optional User Admin Roles: List<UserAdminRole> adminRolesToBeActivated.
* @param trusted if true password is not required.
* @return Session object will contain authentication result code, RBAC and Admin role activations, OpenLDAP pw policy output and more.
* @throws SecurityException in the event of data validation failure, security policy violation or DAO error.
*/
Session createSession(User user, boolean trusted) throws SecurityException {
    Session session;
    if (!trusted) {
        // Untrusted callers must present a password; the session is built only if authentication succeeds.
        VUtil.assertNotNullOrEmpty(user.getPassword(), GlobalErrIds.USER_PW_NULL, CLS_NM + ".createSession");
        session = createSession(user);
    } else {
        // Trusted callers skip password authentication, so the user temporal constraints
        // normally checked during authentication are evaluated here instead.
        session = createSessionTrusted(user);
        VUtil.getInstance().validateConstraints(session, VUtil.ConstraintType.USER, false);
    }

    // Selective activation: when the caller names roles, keep only those that are also assigned.
    List<UserRole> requested = user.getRoles();
    if (CollectionUtils.isNotEmpty(requested)) {
        List<UserRole> assigned = session.getRoles();
        List<UserRole> activated = new ArrayList<>();
        // The new (initially empty) list is attached to the session before it is populated.
        session.setRoles(activated);
        for (UserRole requestedRole : requested) {
            int position = assigned.indexOf(requestedRole);
            if (position >= 0) {
                // Use the assigned instance, not the caller-supplied one, so server-side attributes are kept.
                activated.add(assigned.get(position));
            }
        }
    }

    // Role temporal constraints are checked and the surviving roles activated into the session.
    VUtil.getInstance().validateConstraints(session, VUtil.ConstraintType.ROLE, true);
    return session;
}