Class SecurityContext
Most of the code that adds/deletes/maintains these objects has been removed, that is now the responsibility of the security implementation code.
Methods to read user and permission data are delegated to the SecurityLoader, and methods that authenticate users are delegated to the SecurityAuthenticator.
This class now mostly acts as a cache for user and role data, and can perform simple and complex permission checks for users against resources.
The following properties can be passed to the SecurityContext during construction; property keys are defined as static public final Strings in this class.
- INIT_CASE_INSENSITIVE - make the security cache case-insensitive, typically when interfacing with Active Directory. Defaults to false.
- INIT_USER_CACHE_SIZE - maximum size of user cache
- INIT_USER_CACHE_EXPIRY - expiry time of users from the user cache (in milliseconds). If this property is not set, user caching is disabled.
Additional properties may also be required based on the SecurityLoader implementation used.
- Author:
- knoxg
- See Also:
-
Field Summary
Fields -
Constructor Summary
ConstructorsConstructorDescriptionSecurityContext
(Map<String, Object> properties, SecurityLoader securityLoader, SecurityAuthenticator securityAuthenticator) Creates a new SecurityContext object. -
Method Summary
Modifier and TypeMethodDescriptionboolean
authenticate
(User user, String password) Authenticate the supplied username and password with the authentication provider.getAllActivities
(String resourceName) Return a List of all activities in this security context for a given resource, identified by String.Return a List of all Permissions in this security context.Return a List of all resources in this security context, identified by String.Returns a detailed list of roles from the security context.Return a List of roles in this security context for the User, identified by String.Returns a detailed list of users from the security context.Return a list of User objects representing all users contained in this security context.getPermission
(User user, String permission) Returns the Permission object for a specific user/permission combination, or null if this permission is not granted.getPermissions
(User user, String permission) Returns a list of all Permission objects assigned to a user and all the roles that the user is a member of.getRolePermissions
(String roleName) Returns a list of Permission objects that apply to the specified rolename.getUser
(long userId) Returns a User, given their userIdgetUserPermissions
(User user) Retrieve a list of permissions for this user, as Permission objects.getUserRoles
(User user) Return a List of all roles in this security context, identified by String.boolean
hasPermission
(User user, String permission) Returns true if a user is allowed to perform the permission supplied.boolean
Returns true if a user is allowed to perform the permission supplied, with given resource context.loadRolePermissions
(String role) loadUserRolePermissions
(User user) void
Clear all caches and re-initialises this security context (as defined in this instance's initial initialisation properties).toString()
Returns a string representation of this security context.
-
Field Details
-
INIT_USER_CACHE_SIZE
An initialisation property key. See the class documentation for details.- See Also:
-
INIT_USER_CACHE_EXPIRY
An initialisation property key. See the class documentation for details.- See Also:
-
INIT_USERNAME_MASK
An initialisation property key. See the class documentation for details.- See Also:
-
INIT_CASE_INSENSITIVE
An initialisation property key. See the class documentation for details.- See Also:
-
-
Constructor Details
-
SecurityContext
public SecurityContext(Map<String, Object> properties, SecurityLoader securityLoader, SecurityAuthenticator securityAuthenticator) Creates a new SecurityContext object.- Parameters:
properties
- Initialisation properties for this SecurityContext, its SecurityLoader, and SecurityAuthenticator- Throws:
IllegalStateException
- if the context is configured to preload, and it fails to do so.
-
-
Method Details
-
getUserPermissions
Retrieve a list of permissions for this user, as Permission objects.- Parameters:
user
-- Returns:
- Throws:
IOException
-
getRolePermissions
Returns a list of Permission objects that apply to the specified rolename.- Parameters:
roleName
- the role name- Returns:
- A List of Permission objects that apply to that role
-
getAllUsers
Return a list of User objects representing all users contained in this security context. Permission information relating to that user is not populated unless the 'populatePermission' parameter is set to true.The information returned by this function may be cached, depending on the initialisation properties of the security context.
- Returns:
- A List of Users.
- Throws:
IOException
-
getAllResources
Return a List of all resources in this security context, identified by String.The information returned by this function may be cached, depending on the initialisation properties of the security context.
- Returns:
- A List of resources
- Throws:
IOException
-
getAllPermissions
Return a List of all Permissions in this security context.The information returned by this function may be cached, depending on the initialisation properties of the security context.
- Returns:
- A List of resources
- Throws:
IOException
-
getAllActivities
Return a List of all activities in this security context for a given resource, identified by String.The information returned by this function may be cached, depending on the initialisation properties of the security context.
- Parameters:
resourceName
- The resource we wish to retrieve activities for- Returns:
- A List of activities.
- Throws:
SecurityException
IOException
-
getAllRoles
Return a List of roles in this security context for the User, identified by String.The information returned by this function may be cached, depending on the initialisation properties of the security context.
- Returns:
- A List of roles.
- Throws:
IOException
-
getUserRoles
Return a List of all roles in this security context, identified by String.The information returned by this function may be cached, depending on the initialisation properties of the security context.
- Returns:
- A List of roles.
- Throws:
IOException
-
getAllRoleDetails
Returns a detailed list of roles from the security context. Each role is defined as a Map with the following keys:roleId - the numeric id for the role roleName - the name of the role for system - (Number) set to 1 if this role is read-only, 0 otherwise description - a description for the role - Returns:
- a list of roles, as described above
- Throws:
IOException
-
getAllUserDetails
Returns a detailed list of users from the security context. Each user is defined as a Map with the following keys:userId - the login name for the user name - the full name of the user system - (Number) set to 1 if this role is read-only, 0 otherwise - Returns:
- a list of users, as described above
- Throws:
IOException
-
hasPermission
Returns true if a user is allowed to perform the permission supplied. The permission is expressed in 'activity.resourceType' format, e.g. 'update.message'. No expression context is supplied; this method will not evaluate any conditional resource restrictions. This is useful in cases where the full resource context is not known, for example when a message is first created by a user.In this case, the 'create.message' permission can be checked using this method before the user starts entering information, and 'create.message' can be checked with an expression context after the header fields have been populated.
If a permission is supplied that is not known by the application, this method will return false.
- Parameters:
user
- The user we are determiningpermission
- The permission we are testing for. Permissions are expressed in 'activity.resourceType' format.- Returns:
- true if the permission is allowed, false is the permission is denied.
- Throws:
NullPointerException
- if either parameter to this method is nullIllegalArgumentException
- if the permission supplied is formatted incorrectly.
-
hasPermission
Returns true if a user is allowed to perform the permission supplied, with given resource context. If a permission is assigned to both the user and the role, then the user permission is evaluated first.- Parameters:
user
- The user we are determiningpermission
- The permission we are testing for. Permissions are expressed in 'activity.resourceType' format.context
- The resource context used to evaluate against the resource expression- Returns:
- true if the permission is allowed, false is the permission is denied.
- Throws:
NullPointerException
- if either parameter to this method is nullIllegalArgumentException
- if the permission supplied is formatted incorrectly.
-
getPermission
Returns the Permission object for a specific user/permission combination, or null if this permission is not granted. This method will not search the user's role-based permissions.- Parameters:
user
- The user we are determiningpermission
- The permission we are testing for. Permissions are expressed in 'activity.resourceType' format.- Returns:
- a permission object.
- Throws:
NullPointerException
- if either parameter to this method is nullIllegalArgumentException
- if the permission supplied is formatted incorrectly.
-
getPermissions
Returns a list of all Permission objects assigned to a user and all the roles that the user is a member of. This allows multiple permission conditions to be applied to a user, one for each role.- Parameters:
user
- The user we are determiningpermission
- The permission we are testing for. Permissions are expressed in 'activity.resourceType' format.- Returns:
- a List of Permission objects, or an empty list if the user (and none of their roles) contains this permission
- Throws:
NullPointerException
- if either parameter to this method is nullIllegalArgumentException
- if the permission supplied is formatted incorrectly.
-
toString
Returns a string representation of this security context. -
resetSecurityContext
Clear all caches and re-initialises this security context (as defined in this instance's initial initialisation properties). This method also resets this security context's loader. -
authenticate
Authenticate the supplied username and password with the authentication provider. Returns true if the username/password combination is valid, false otherwiseSome authentication providers may require more complex handshakes (e.g. TFA authentication) which are currently suported by setting flags in a subclassed User object. Possible mangling the password parameter as well. See the securityAuthenticator documentation for details.
The User object passed to this method may not have a valid userId assigned to it (this may be set by the authentication provider).
- Parameters:
user
- userpassword
- password- Returns:
- true if the username/password combination is valid, false otherwise
- Throws:
IOException
- an exception occurred accessing the authentication provider.
-
getUser
Returns a User, given their userIdThis method will not load role or permissions data for the user.
- Parameters:
userId
-- Returns:
-
loadRolePermissions
- Throws:
IOException
-
loadUserRolePermissions
- Throws:
IOException
-