Search in sources :

Example 1 with UserProfile

use of org.apache.wiki.auth.user.UserProfile in project jspwiki by apache.

the class Installer method createAdministrator.

/**
 * Creates an administrative user and returns the new password.
 * If the admin user exists, the password will be <code>null</code>.
 * @return the password
 * @throws WikiSecurityException
 */
public String createAdministrator() throws WikiSecurityException {
    if (!m_validated) {
        throw new WikiSecurityException("Cannot create administrator because one or more of the installation settings are invalid.");
    }
    if (adminExists()) {
        return null;
    }
    // See if the admin user exists already
    UserManager userMgr = m_engine.getUserManager();
    UserDatabase userDb = userMgr.getUserDatabase();
    String password = null;
    try {
        userDb.findByLoginName(ADMIN_ID);
    } catch (NoSuchPrincipalException e) {
        // Create a random 12-character password
        password = TextUtil.generateRandomPassword();
        UserProfile profile = userDb.newProfile();
        profile.setLoginName(ADMIN_ID);
        profile.setFullname(ADMIN_NAME);
        profile.setPassword(password);
        userDb.save(profile);
    }
    // Create a new admin group
    GroupManager groupMgr = m_engine.getGroupManager();
    Group group = null;
    try {
        group = groupMgr.getGroup(ADMIN_GROUP);
        group.add(new WikiPrincipal(ADMIN_NAME));
    } catch (NoSuchPrincipalException e) {
        group = groupMgr.parseGroup(ADMIN_GROUP, ADMIN_NAME, true);
    }
    groupMgr.setGroup(m_session, group);
    return password;
}
Also used : WikiSecurityException(org.apache.wiki.auth.WikiSecurityException) Group(org.apache.wiki.auth.authorize.Group) UserProfile(org.apache.wiki.auth.user.UserProfile) WikiPrincipal(org.apache.wiki.auth.WikiPrincipal) UserManager(org.apache.wiki.auth.UserManager) UserDatabase(org.apache.wiki.auth.user.UserDatabase) NoSuchPrincipalException(org.apache.wiki.auth.NoSuchPrincipalException) GroupManager(org.apache.wiki.auth.authorize.GroupManager)

Example 2 with UserProfile

use of org.apache.wiki.auth.user.UserProfile in project jspwiki by apache.

the class UserBean method doPost.

public String doPost(WikiContext context) {
    HttpServletRequest request = context.getHttpRequest();
    WikiSession session = context.getWikiSession();
    UserManager mgr = context.getEngine().getUserManager();
    String loginid = request.getParameter("loginid");
    String loginname = request.getParameter("loginname");
    String fullname = request.getParameter("fullname");
    String password = request.getParameter("password");
    String password2 = request.getParameter("password2");
    String email = request.getParameter("email");
    if (request.getParameter("action").equalsIgnoreCase("remove")) {
        try {
            mgr.getUserDatabase().deleteByLoginName(loginid);
            session.addMessage("User profile " + loginid + " (" + fullname + ") has been deleted");
        } catch (NoSuchPrincipalException e) {
            session.addMessage("User profile has already been removed");
        } catch (WikiSecurityException e) {
            session.addMessage("Security problem: " + e);
        }
        return "";
    }
    if (password != null && password.length() > 0 && !password.equals(password2)) {
        session.addMessage("Passwords do not match!");
        return "";
    }
    UserProfile p;
    if (loginid.equals("--New--")) {
        // Create new user
        p = mgr.getUserDatabase().newProfile();
        p.setCreated(new Date());
    } else {
        try {
            p = mgr.getUserDatabase().findByLoginName(loginid);
        } catch (NoSuchPrincipalException e) {
            session.addMessage("I could not find user profile " + loginid);
            return "";
        }
    }
    p.setEmail(email);
    p.setFullname(fullname);
    if (password != null && password.length() > 0)
        p.setPassword(password);
    p.setLoginName(loginname);
    try {
        mgr.getUserDatabase().save(p);
    } catch (WikiSecurityException e) {
        session.addMessage("Unable to save " + e.getMessage());
    }
    session.addMessage("User profile has been updated");
    return "";
}
Also used : HttpServletRequest(javax.servlet.http.HttpServletRequest) WikiSession(org.apache.wiki.WikiSession) WikiSecurityException(org.apache.wiki.auth.WikiSecurityException) UserProfile(org.apache.wiki.auth.user.UserProfile) UserManager(org.apache.wiki.auth.UserManager) NoSuchPrincipalException(org.apache.wiki.auth.NoSuchPrincipalException) Date(java.util.Date)

Example 3 with UserProfile

use of org.apache.wiki.auth.user.UserProfile in project jspwiki by apache.

the class AuthorizationManager method resolvePrincipal.

/**
 * <p>Given a supplied string representing a Principal's name from an Acl, this
 * method resolves the correct type of Principal (role, group, or user).
 * This method is guaranteed to always return a Principal.
 * The algorithm is straightforward:</p>
 * <ol>
 * <li>If the name matches one of the built-in {@link org.apache.wiki.auth.authorize.Role} names,
 * return that built-in Role</li>
 * <li>If the name matches one supplied by the current
 * {@link org.apache.wiki.auth.Authorizer}, return that Role</li>
 * <li>If the name matches a group managed by the
 * current {@link org.apache.wiki.auth.authorize.GroupManager}, return that Group</li>
 * <li>Otherwise, assume that the name represents a user
 * principal. Using the current {@link org.apache.wiki.auth.user.UserDatabase}, find the
 * first user who matches the supplied name by calling
 * {@link org.apache.wiki.auth.user.UserDatabase#find(String)}.</li>
 * <li>Finally, if a user cannot be found, manufacture
 * and return a generic {@link org.apache.wiki.auth.acl.UnresolvedPrincipal}</li>
 * </ol>
 * @param name the name of the Principal to resolve
 * @return the fully-resolved Principal
 */
public Principal resolvePrincipal(String name) {
    // Check built-in Roles first
    Role role = new Role(name);
    if (Role.isBuiltInRole(role)) {
        return role;
    }
    // Check Authorizer Roles
    Principal principal = m_authorizer.findRole(name);
    if (principal != null) {
        return principal;
    }
    // Check Groups
    principal = m_engine.getGroupManager().findRole(name);
    if (principal != null) {
        return principal;
    }
    // Ok, no luck---this must be a user principal
    Principal[] principals = null;
    UserProfile profile = null;
    UserDatabase db = m_engine.getUserManager().getUserDatabase();
    try {
        profile = db.find(name);
        principals = db.getPrincipals(profile.getLoginName());
        for (int i = 0; i < principals.length; i++) {
            principal = principals[i];
            if (principal.getName().equals(name)) {
                return principal;
            }
        }
    } catch (NoSuchPrincipalException e) {
    // We couldn't find the user...
    }
    // Ok, no luck---mark this as unresolved and move on
    return new UnresolvedPrincipal(name);
}
Also used : Role(org.apache.wiki.auth.authorize.Role) UserProfile(org.apache.wiki.auth.user.UserProfile) UserDatabase(org.apache.wiki.auth.user.UserDatabase) Principal(java.security.Principal) UnresolvedPrincipal(org.apache.wiki.auth.acl.UnresolvedPrincipal) UnresolvedPrincipal(org.apache.wiki.auth.acl.UnresolvedPrincipal)

Example 4 with UserProfile

use of org.apache.wiki.auth.user.UserProfile in project jspwiki by apache.

the class SecurityVerifier method verifyUserDatabase.

/**
 * Verifies that the user datbase was initialized properly, and that
 * user add and delete operations work as they should.
 */
protected void verifyUserDatabase() {
    UserDatabase db = m_engine.getUserManager().getUserDatabase();
    // Check for obvious error conditions
    if (db == null) {
        m_session.addMessage(ERROR_DB, "UserDatabase is null; JSPWiki could not " + "initialize it. Check the error logs.");
        return;
    }
    if (db instanceof UserManager.DummyUserDatabase) {
        m_session.addMessage(ERROR_DB, "UserDatabase is DummyUserDatabase; JSPWiki " + "may not have been able to initialize the database you supplied in " + "jspwiki.properties, or you left the 'jspwiki.userdatabase' property " + "blank. Check the error logs.");
    }
    // Tell user what class of database this is.
    m_session.addMessage(INFO_DB, "UserDatabase is of type '" + db.getClass().getName() + "'. It appears to be initialized properly.");
    // Now, see how many users we have.
    int oldUserCount = 0;
    try {
        Principal[] users = db.getWikiNames();
        oldUserCount = users.length;
        m_session.addMessage(INFO_DB, "The user database contains " + oldUserCount + " users.");
    } catch (WikiSecurityException e) {
        m_session.addMessage(ERROR_DB, "Could not obtain a list of current users: " + e.getMessage());
        return;
    }
    // Try adding a bogus user with random name
    String loginName = "TestUser" + System.currentTimeMillis();
    try {
        UserProfile profile = db.newProfile();
        profile.setEmail("jspwiki.tests@mailinator.com");
        profile.setLoginName(loginName);
        profile.setFullname("FullName" + loginName);
        profile.setPassword("password");
        db.save(profile);
        // Make sure the profile saved successfully
        if (db.getWikiNames().length == oldUserCount) {
            m_session.addMessage(ERROR_DB, "Could not add a test user to the database.");
            return;
        }
        m_session.addMessage(INFO_DB, "The user database allows new users to be created, as it should.");
    } catch (WikiSecurityException e) {
        m_session.addMessage(ERROR_DB, "Could not add a test user to the database: " + e.getMessage());
        return;
    }
    // Now delete the profile; should be back to old count
    try {
        db.deleteByLoginName(loginName);
        if (db.getWikiNames().length != oldUserCount) {
            m_session.addMessage(ERROR_DB, "Could not delete a test user from the database.");
            return;
        }
        m_session.addMessage(INFO_DB, "The user database allows users to be deleted, as it should.");
    } catch (WikiSecurityException e) {
        m_session.addMessage(ERROR_DB, "Could not delete a test user to the database: " + e.getMessage());
        return;
    }
    m_session.addMessage(INFO_DB, "The user database configuration looks fine.");
}
Also used : UserProfile(org.apache.wiki.auth.user.UserProfile) UserDatabase(org.apache.wiki.auth.user.UserDatabase) Principal(java.security.Principal)

Example 5 with UserProfile

use of org.apache.wiki.auth.user.UserProfile in project jspwiki by apache.

the class WikiSession method injectUserProfilePrincipals.

/**
 * Adds Principal objects to the Subject that correspond to the
 * logged-in user's profile attributes for the wiki name, full name
 * and login name. These Principals will be WikiPrincipals, and they
 * will replace all other WikiPrincipals in the Subject. <em>Note:
 * this method is never called during anonymous or asserted sessions.</em>
 */
protected void injectUserProfilePrincipals() {
    // Search for the user profile
    String searchId = m_loginPrincipal.getName();
    if (searchId == null) {
        // Oh dear, this wasn't an authenticated user after all
        log.info("Refresh principals failed because WikiSession had no user Principal; maybe not logged in?");
        return;
    }
    // Look up the user and go get the new Principals
    UserDatabase database = m_engine.getUserManager().getUserDatabase();
    if (database == null) {
        throw new IllegalStateException("User database cannot be null.");
    }
    try {
        UserProfile profile = database.find(searchId);
        Principal[] principals = database.getPrincipals(profile.getLoginName());
        for (Principal principal : principals) {
            // Add the Principal to the Subject
            m_subject.getPrincipals().add(principal);
            // Set the user principal if needed; we prefer FullName, but the WikiName will also work
            boolean isFullNamePrincipal = (principal instanceof WikiPrincipal && ((WikiPrincipal) principal).getType() == WikiPrincipal.FULL_NAME);
            if (isFullNamePrincipal) {
                m_userPrincipal = principal;
            } else if (!(m_userPrincipal instanceof WikiPrincipal)) {
                m_userPrincipal = principal;
            }
        }
    } catch (NoSuchPrincipalException e) {
        // We will get here if the user has a principal but not a profile
        // For example, it's a container-managed user who hasn't set up a profile yet
        log.warn("User profile '" + searchId + "' not found. This is normal for container-auth users who haven't set up a profile yet.");
    }
}
Also used : UserProfile(org.apache.wiki.auth.user.UserProfile) UserDatabase(org.apache.wiki.auth.user.UserDatabase) Principal(java.security.Principal)

Aggregations

UserProfile (org.apache.wiki.auth.user.UserProfile)19 Principal (java.security.Principal)10 WikiSession (org.apache.wiki.WikiSession)9 WikiSessionTest (org.apache.wiki.WikiSessionTest)6 Test (org.junit.Test)6 UserDatabase (org.apache.wiki.auth.user.UserDatabase)5 HttpServletRequest (javax.servlet.http.HttpServletRequest)4 WikiPrincipal (org.apache.wiki.auth.WikiPrincipal)4 Collection (java.util.Collection)3 NoSuchPrincipalException (org.apache.wiki.auth.NoSuchPrincipalException)3 UserManager (org.apache.wiki.auth.UserManager)3 WikiSecurityException (org.apache.wiki.auth.WikiSecurityException)3 Group (org.apache.wiki.auth.authorize.Group)3 Decision (org.apache.wiki.workflow.Decision)3 DecisionRequiredException (org.apache.wiki.workflow.DecisionRequiredException)3 Fact (org.apache.wiki.workflow.Fact)3 List (java.util.List)2 WikiException (org.apache.wiki.api.exceptions.WikiException)2 GroupPrincipal (org.apache.wiki.auth.GroupPrincipal)2 UnresolvedPrincipal (org.apache.wiki.auth.acl.UnresolvedPrincipal)2