Class SecurityContext

java.lang.Object
com.randomnoun.common.security.SecurityContext

public class SecurityContext extends Object
This class manages users, roles, resources and permissions for an application.

Most of the code that adds/deletes/maintains these objects has been removed; that is now the responsibility of the security implementation code.

Methods to read user and permission data are delegated to the SecurityLoader, and methods that authenticate users are delegated to the SecurityAuthenticator.

This class now mostly acts as a cache for user and role data, and can perform simple and complex permission checks for users against resources.

The following properties can be passed to the SecurityContext during construction; property keys are defined as static public final Strings in this class.

  • INIT_CASE_INSENSITIVE - make the security cache case-insensitive, typically when interfacing with Active Directory. Defaults to false.
  • INIT_USER_CACHE_SIZE - maximum size of user cache
  • INIT_USER_CACHE_EXPIRY - expiry time of users from the user cache (in milliseconds). If this property is not set, user caching is disabled.

Additional properties may also be required based on the SecurityLoader implementation used.

Author:
knoxg
See Also:
  • Field Details

  • Constructor Details

  • Method Details

    • getUserPermissions

      Retrieve a list of permissions for this user, as Permission objects.
      Parameters:
      user -
      Returns:
      Throws:
      IOException
    • getRolePermissions

      Returns a list of Permission objects that apply to the specified rolename.
      Parameters:
      roleName - the role name
      Returns:
      A List of Permission objects that apply to that role
    • getAllUsers

      public List<User> getAllUsers() throws IOException
      Return a list of User objects representing all users contained in this security context. Permission information relating to that user is not populated unless the 'populatePermission' parameter is set to true.

      The information returned by this function may be cached, depending on the initialisation properties of the security context.

      Returns:
      A List of Users.
      Throws:
      IOException
    • getAllResources

      Return a List of all resources in this security context, identified by String.

      The information returned by this function may be cached, depending on the initialisation properties of the security context.

      Returns:
      A List of resources
      Throws:
      IOException
    • getAllPermissions

      Return a List of all Permissions in this security context.

      The information returned by this function may be cached, depending on the initialisation properties of the security context.

      Returns:
      A List of Permissions
      Throws:
      IOException
    • getAllActivities

      public List<String> getAllActivities(String resourceName) throws IOException
      Return a List of all activities in this security context for a given resource, identified by String.

      The information returned by this function may be cached, depending on the initialisation properties of the security context.

      Parameters:
      resourceName - The resource we wish to retrieve activities for
      Returns:
      A List of activities.
      Throws:
      SecurityException
      IOException
    • getAllRoles

      public List<String> getAllRoles() throws IOException
      Return a List of all roles in this security context, identified by String.

      The information returned by this function may be cached, depending on the initialisation properties of the security context.

      Returns:
      A List of roles.
      Throws:
      IOException
    • getUserRoles

      public List<String> getUserRoles(User user) throws IOException
      Return a List of roles in this security context for the User, identified by String.

      The information returned by this function may be cached, depending on the initialisation properties of the security context.

      Returns:
      A List of roles.
      Throws:
      IOException
    • getAllRoleDetails

      Returns a detailed list of roles from the security context. Each role is defined as a Map with the following keys:

        • roleId - the numeric id for the role
        • roleName - the name of the role
        • system - (Number) set to 1 if this role is read-only, 0 otherwise
        • description - a description for the role

      Returns:
      a list of roles, as described above
      Throws:
      IOException
    • getAllUserDetails

      Returns a detailed list of users from the security context. Each user is defined as a Map with the following keys:

        • userId - the login name for the user
        • name - the full name of the user
        • system - (Number) set to 1 if this user is read-only, 0 otherwise

      Returns:
      a list of users, as described above
      Throws:
      IOException
    • hasPermission

      public boolean hasPermission(User user, String permission)
      Returns true if a user is allowed to perform the permission supplied. The permission is expressed in 'activity.resourceType' format, e.g. 'update.message'. No expression context is supplied; this method will not evaluate any conditional resource restrictions. This is useful in cases where the full resource context is not known, for example when a message is first created by a user.

      In this case, the 'create.message' permission can be checked using this method before the user starts entering information, and 'create.message' can be checked with an expression context after the header fields have been populated.

      If a permission is supplied that is not known by the application, this method will return false.

      Parameters:
      user - The user whose permissions are being checked
      permission - The permission we are testing for. Permissions are expressed in 'activity.resourceType' format.
      Returns:
      true if the permission is allowed, false if the permission is denied.
      Throws:
      NullPointerException - if either parameter to this method is null
      IllegalArgumentException - if the permission supplied is formatted incorrectly.
    • hasPermission

      public boolean hasPermission(User user, String permission, Map<String,Object> context)
      Returns true if a user is allowed to perform the permission supplied, with given resource context. If a permission is assigned to both the user and the role, then the user permission is evaluated first.
      Parameters:
      user - The user whose permissions are being checked
      permission - The permission we are testing for. Permissions are expressed in 'activity.resourceType' format.
      context - The resource context used to evaluate against the resource expression
      Returns:
      true if the permission is allowed, false if the permission is denied.
      Throws:
      NullPointerException - if either parameter to this method is null
      IllegalArgumentException - if the permission supplied is formatted incorrectly.
    • getPermission

      public Permission getPermission(User user, String permission)
      Returns the Permission object for a specific user/permission combination, or null if this permission is not granted. This method will not search the user's role-based permissions.
      Parameters:
      user - The user whose permissions are being checked
      permission - The permission we are testing for. Permissions are expressed in 'activity.resourceType' format.
      Returns:
      a permission object.
      Throws:
      NullPointerException - if either parameter to this method is null
      IllegalArgumentException - if the permission supplied is formatted incorrectly.
    • getPermissions

      public List<Permission> getPermissions(User user, String permission)
      Returns a list of all Permission objects assigned to a user and all the roles that the user is a member of. This allows multiple permission conditions to be applied to a user, one for each role.
      Parameters:
      user - The user whose permissions are being checked
      permission - The permission we are testing for. Permissions are expressed in 'activity.resourceType' format.
      Returns:
      a List of Permission objects, or an empty list if the user (and none of their roles) contains this permission
      Throws:
      NullPointerException - if either parameter to this method is null
      IllegalArgumentException - if the permission supplied is formatted incorrectly.
    • toString

      public String toString()
      Returns a string representation of this security context.
      Overrides:
      toString in class Object
      Returns:
      a string representation of this security context.
    • resetSecurityContext

      public void resetSecurityContext()
      Clears all caches and re-initialises this security context (as defined in this instance's initial initialisation properties). This method also resets this security context's loader.
    • authenticate

      public boolean authenticate(User user, String password) throws IOException
      Authenticate the supplied username and password with the authentication provider. Returns true if the username/password combination is valid, false otherwise.

      Some authentication providers may require more complex handshakes (e.g. TFA authentication), which are currently supported by setting flags in a subclassed User object, and possibly by mangling the password parameter as well. See the SecurityAuthenticator documentation for details.

      The User object passed to this method may not have a valid userId assigned to it (this may be set by the authentication provider).

      Parameters:
      user - user
      password - password
      Returns:
      true if the username/password combination is valid, false otherwise
      Throws:
      IOException - an exception occurred accessing the authentication provider.
    • getUser

      public User getUser(long userId)
      Returns a User, given their userId.

      This method will not load role or permissions data for the user.

      Parameters:
      userId -
      Returns:
    • loadRolePermissions

      Throws:
      IOException
    • loadUserRolePermissions

      Throws:
      IOException
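
An added usage example for the two hasPermission overloads documented above (not code from the randomnoun project): a fail-closed wrapper for the two-stage 'create.message' check, where the context-free call gates the start of the operation and the call with a resource context is the decision that is enforced. It assumes User lives in com.randomnoun.common.security; the class MessageCreateGuard and its method names are hypothetical, and the keys in the context map must match whatever the resource expressions expect, which this page does not specify.

```java
import java.util.Map;
import java.util.Objects;

import com.randomnoun.common.security.SecurityContext;
import com.randomnoun.common.security.User; // assumed package for User

/** Added example (hypothetical class): fail-closed, two-stage 'create.message' check. */
public final class MessageCreateGuard {

    // Permissions are expressed in 'activity.resourceType' format
    private static final String CREATE_MESSAGE = "create.message";

    private final SecurityContext securityContext;

    public MessageCreateGuard(SecurityContext securityContext) {
        this.securityContext = Objects.requireNonNull(securityContext, "securityContext");
    }

    /** Stage 1: no resource context yet, so conditional restrictions are not evaluated. */
    public boolean mayBeginCreate(User user) {
        return check(user, null);
    }

    /** Stage 2: re-check once the header fields exist; this result is the one to enforce. */
    public boolean mayCommitCreate(User user, Map<String, Object> headerFields) {
        Objects.requireNonNull(headerFields, "headerFields");
        return check(user, headerFields);
    }

    private boolean check(User user, Map<String, Object> context) {
        if (user == null) {
            // No authenticated user: deny instead of triggering the documented NullPointerException
            return false;
        }
        try {
            return context == null
                ? securityContext.hasPermission(user, CREATE_MESSAGE)
                : securityContext.hasPermission(user, CREATE_MESSAGE, context);
        } catch (IllegalArgumentException e) {
            // Documented for an incorrectly formatted permission string: treat as deny
            return false;
        }
    }
}
```

Because user and role data may be cached by the security context, a permission change in the underlying store may not be visible to these checks until the cache entry expires or resetSecurityContext() is called.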