jetspeeddbsecurityservice.java

/*
 * Copyright 2000-2001,2004 The Apache Software Foundation.
 * 
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 * 
 *      http://www.apache.org/licenses/LICENSE-2.0
 * 
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.apache.jetspeed.services.security;

import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;

import javax.servlet.ServletConfig;

import org.apache.jetspeed.om.security.JetspeedUser;
import org.apache.jetspeed.om.security.JetspeedUserFactory;
import org.apache.jetspeed.om.security.UserNamePrincipal;
import org.apache.jetspeed.portal.Portlet;
import org.apache.jetspeed.services.JetspeedPortalAccessController;
import org.apache.jetspeed.services.JetspeedSecurity;
import org.apache.jetspeed.services.JetspeedUserManagement;
import org.apache.jetspeed.services.logging.JetspeedLogFactoryService;
import org.apache.jetspeed.services.logging.JetspeedLogger;
import org.apache.jetspeed.services.rundata.JetspeedRunData;
import org.apache.turbine.om.security.User;
import org.apache.turbine.services.InitializationException;
import org.apache.turbine.services.TurbineBaseService;
import org.apache.turbine.services.TurbineServices;
import org.apache.turbine.services.resources.ResourceService;

/**
 * <p>This is an implementation of the <code>JetspeedSecurityService</code> interface.
 *
 *
 * @author <a href="mailto:david@bluesunrise.com">David Sean Taylor</a>
 * @author <a href="mailto:sgala@hisitech.com">Santiago Gala</a>
 * @version $Id: JetspeedDBSecurityService.java,v 1.25 2004/03/31 04:49:10 morciuch Exp $
 */

public class JetspeedDBSecurityService extends TurbineBaseService
                                       implements JetspeedSecurityService
{
    /**
     * Static initialization of the logger for this class
     */    
    private static final JetspeedLogger logger = JetspeedLogFactoryService.getLogger(JetspeedDBSecurityService.class.getName());
    
    // Property keys that init() looks up in the JetspeedSecurity service resources.
    private final static String CONFIG_CASEINSENSITIVE_USERNAME = "caseinsensitive.username";
    private final static String CONFIG_CASEINSENSITIVE_PASSWORD = "caseinsensitive.password";
    private final static String CONFIG_CASEINSENSITIVE_UPPER = "caseinsensitive.upper";
    private final static String CONFIG_LOGON_STRIKE_COUNT = "logon.strike.count";
    private final static String CONFIG_LOGON_STRIKE_MAX = "logon.strike.max";
    private final static String CONFIG_LOGON_STRIKE_INTERVAL = "logon.strike.interval";
    private final static String CONFIG_LOGON_AUTO_DISABLE = "logon.auto.disable";
    private final static String CONFIG_ACTIONS_ANON_DISABLE = "actions.anon.disable";
    private final static String CONFIG_ACTIONS_ALLUSERS_DISABLE = "actions.allusers.disable";
	private final static String CONFIG_ACTIONS_ADMIN_ROLES = "admin.roles";

    private final static String CONFIG_NEWUSER_ROLES     = "newuser.roles";
    // The two permission keys and DEFAULT_PERMISSIONS are not read by init() or
    // by any other code in the part of the file shown here.
    private final static String CONFIG_DEFAULT_PERMISSION_LOGGEDIN     = "permission.default.loggedin";
    private final static String CONFIG_DEFAULT_PERMISSION_ANONYMOUS     = "permission.default.anonymous";
    private final static String CONFIG_ANONYMOUS_USER = "user.anonymous";
    private final static String [] DEFAULT_PERMISSIONS = {""};
    // Fallback used by init() when "newuser.roles" is missing or empty.
    private final static String [] DEFAULT_CONFIG_NEWUSER_ROLES = 
    { "user" };
    // Fallback used by init() when "admin.roles" is missing or empty.
	private final static String [] DEFAULT_ADMIN_ROLES = 
	{ "admin" };

    // Runtime settings. init() overwrites each one from the service resources,
    // passing the initializer below as the fallback value.
    // NOTE(review): these fields are package-private and non-final, so any class
    // in this package can change the security settings after initialization.
    String roles[] = null;                     // set from "newuser.roles" in init()
    boolean caseInsensitiveUsername = false;
    boolean caseInsensitivePassword = false;
    boolean caseInsensitiveUpper = true;       // true folds to upper case, false to lower case
    boolean actionsAnonDisable = true;
    boolean actionsAllUsersDisable = false;
    String anonymousUser = "anon";
	String[] adminRoles = null;                // set from "admin.roles" in init()

    int strikeCount = 3;             // 3 within the interval
    int strikeMax = 20;              // 20 total failures 
    long strikeInterval = 300;  // five minutes

    boolean autoLogonDisable = false;

    // NOTE(review): the use of `users` and `sem` is not visible in this part of
    // the file. A static HashMap shared by all threads is not thread-safe by
    // itself; presumably `sem` is the lock guarding it -- confirm every access
    // to `users` happens inside synchronized (sem).
    private static HashMap users = new HashMap();

    private static Object sem = new Object();

    /**
     * This is the early initialization method called by the 
     * Turbine <code>Service</code> framework
     * @param conf The <code>ServletConfig</code>
     * @exception InitializationException if the service
     * fails to initialize
     */
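    public synchronized void init(ServletConfig conf) throws InitializationException 
    {
        // Loads the security settings (new-user and admin roles, case folding,
        // logon-strike limits, action switches, anonymous user name) from the
        // JetspeedSecurity service resources. The method is synchronized and
        // guarded by getInit(), so a second call returns without reloading.
        if (getInit())
        {
            return;
        }

        super.init(conf);

        // get configuration parameters from Jetspeed Resources
        ResourceService serviceConf = ((TurbineServices)TurbineServices.getInstance())
                                                     .getResources(JetspeedSecurityService.SERVICE_NAME);

        try
        {
            roles = serviceConf.getStringArray(CONFIG_NEWUSER_ROLES);
            adminRoles = serviceConf.getStringArray(CONFIG_ACTIONS_ADMIN_ROLES);
        }
        catch (Exception e)
        {
            // Still best effort: the defaults below apply. The failure is logged
            // because a deployment that silently falls back to the built-in role
            // names ("user" / "admin") is otherwise impossible to diagnose.
            logger.error("JetspeedDBSecurityService: could not read the role configuration, using defaults", e);
        }

        if (null == roles || roles.length == 0)
        {
            roles = DEFAULT_CONFIG_NEWUSER_ROLES;
        }

        if (null == adminRoles || adminRoles.length == 0)
        {
            adminRoles = DEFAULT_ADMIN_ROLES;
        }

        // Each lookup passes the field's current value as the fallback, so a
        // missing property leaves the compiled-in default untouched.
        caseInsensitiveUsername = serviceConf.getBoolean(CONFIG_CASEINSENSITIVE_USERNAME, caseInsensitiveUsername);
        caseInsensitivePassword = serviceConf.getBoolean(CONFIG_CASEINSENSITIVE_PASSWORD, caseInsensitivePassword);
        caseInsensitiveUpper = serviceConf.getBoolean(CONFIG_CASEINSENSITIVE_UPPER, caseInsensitiveUpper);

        // NOTE(review): the strike values are taken as configured, with no range
        // check. How zero or negative values behave depends on the logon-failure
        // check, which is not shown here -- confirm they cannot switch it off.
        strikeCount = serviceConf.getInt(CONFIG_LOGON_STRIKE_COUNT, strikeCount);
        strikeInterval = serviceConf.getLong(CONFIG_LOGON_STRIKE_INTERVAL, strikeInterval);
        strikeMax = serviceConf.getInt(CONFIG_LOGON_STRIKE_MAX, strikeMax);

        autoLogonDisable = serviceConf.getBoolean(CONFIG_LOGON_AUTO_DISABLE, autoLogonDisable);
        actionsAnonDisable = serviceConf.getBoolean(CONFIG_ACTIONS_ANON_DISABLE, actionsAnonDisable);
        actionsAllUsersDisable = serviceConf.getBoolean(CONFIG_ACTIONS_ALLUSERS_DISABLE, actionsAllUsersDisable);

        anonymousUser = serviceConf.getString(CONFIG_ANONYMOUS_USER, anonymousUser);

        // initialization done
        setInit(true);
    }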


    //////////////////////////////////////////////////////////////////////////
    //
    // Required JetspeedSecurity Functions
    //
    // Required Features provided by default JetspeedSecurity
    //
    //////////////////////////////////////////////////////////////////////////

    /**
     * Factory to create a new JetspeedUser, using JetspeedUserFactory.
     * The class that is created by the default JetspeedUserFactory is configured
     * in the JetspeedSecurity properties:
     *
     *    services.JetspeedSecurity.user.class=
     *        org.apache.jetspeed.om.security.BaseJetspeedUser
     *
     * @return JetspeedUser a newly created user that implements JetspeedUser.
     */
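    public JetspeedUser getUserInstance()
    {
        // Creates a user object through JetspeedUserFactory. This method declares
        // no checked exception, so a factory failure is reported as a null
        // return value; callers have to check for it.
        try
        {
            return JetspeedUserFactory.getInstance();
        }
        catch (UserException e)
        {
            // Record the cause before returning null. Without it a factory failure
            // (for example a misconfigured user class) only shows up later as a
            // missing user, far from where it happened.
            logger.error("JetspeedDBSecurityService: failed to create a JetspeedUser instance", e);
            return null;
        }
    }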

    //////////////////////////////////////////////////////////////////////////
    //
    // Optional JetspeedSecurity Features 
    //
    // Features are not required to be implemented by Security Provider
    //
    //////////////////////////////////////////////////////////////////////////

    /**
     * During logon, the username can be case sensitive or case insensitive.
     *
     * Given a username, converts the username to either lower or upper case.
     * This optional feature is configurable from the JetspeedSecurity.properties:
     *
     *     <code>services.JetspeedSecurity.caseinsensitive.username = true/false</code>
     *     <code>services.JetspeedSecurity.caseinsensitive.upper = true/false</code>
     *
     * If <code>caseinsensitive.username</code> is true,  
     * then conversion is enabled and the username will be converted before 
     * being sent to the Authentication provider.
     *
     * @param username The username to be converted depending on configuration.
     * @return The converted username.
     *
     */
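    public String convertUserName(String username)
    {
        // Returns the name unchanged when case-insensitive usernames are off.
        // A null name is passed through in both modes, so the behaviour no longer
        // depends on the setting (it used to raise a NullPointerException only
        // when folding was enabled).
        if (!caseInsensitiveUsername || username == null)
        {
            return username;
        }

        // NOTE(review): toUpperCase()/toLowerCase() use the JVM default locale, so
        // the folded name can differ between hosts (for example dotted/dotless i
        // under a Turkish locale). Confirm that every node and the stored names
        // share one locale before switching to an explicit Locale.
        if (caseInsensitiveUpper)
        {
            return username.toUpperCase();
        }
        return username.toLowerCase();
    }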

    /**
     * During logon, the password can be case sensitive or case insensitive.
     *
     * Given a password, converts the password to either lower or upper case.
     * This optional feature is configurable from the JetspeedSecurity.properties:
     *
     *     <code>services.JetspeedSecurity.caseinsensitive.password = true/false</code>
     *     <code>services.JetspeedSecurity.caseinsensitive.upper = true/false</code>
     *
     * If <code>caseinsensitive.password</code> is true,  
     * then conversion is enabled and the password will be converted before 
     * being sent to the Authentication provider.
     *
     * @param password The password to be converted depending on configuration.
     * @return The converted password.
     *
     */
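    public String convertPassword(String password)
    {
        // Returns the password unchanged when case-insensitive passwords are off.
        // A null password is passed through in both modes instead of raising a
        // NullPointerException only when folding is enabled.
        if (!caseInsensitivePassword || password == null)
        {
            return password;
        }

        // NOTE(review): folding makes passwords that differ only in letter case
        // equivalent, which shrinks the effective password space. Leave
        // caseinsensitive.password off unless an existing credential store
        // requires it. The conversion also uses the JVM default locale, so the
        // folded value can differ between hosts configured with different locales.
        if (caseInsensitiveUpper)
        {
            return password.toUpperCase();
        }
        return password.toLowerCase();
    }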

    /*
     * Logon Failure / Account Disabling Feature
     *
     * Checks and tracks failed user-logon attempts.
     * If the user fails to logon after a configurable number of logon attempts,
     * then the user's account will be disabled.
     *
     * This optional feature is configurable from the JetspeedSecurity.properties:
     *
     *     <code>services.JetspeedSecurity.logon.auto.disable=false</code>
     *
     * The example setting below allows for 3 logon strikes per 300 seconds.
