// --------------------------------------------------------------------------- // jWebSocket - Security Factory // Copyright (c) 2010 Alexander Schulze, Innotrade GmbH // --------------------------------------------------------------------------- // This program is free software; you can redistribute it and/or modify it // under the terms of the GNU Lesser General Public License as published by the // Free Software Foundation; either version 3 of the License, or (at your // option) any later version. // This program is distributed in the hope that it will be useful, but WITHOUT // ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or // FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for // more details. // You should have received a copy of the GNU Lesser General Public License along // with this program; if not, see . // --------------------------------------------------------------------------- package org.jwebsocket.security; import java.util.List; import org.jwebsocket.config.JWebSocketConfig; import org.jwebsocket.config.xml.RightConfig; import org.jwebsocket.config.xml.RoleConfig; import org.jwebsocket.config.xml.UserConfig; /** * implements the security capabilities of jWebSocket. * @author aschulze */ public class SecurityFactory { // private static Logger log = Logging.getLogger(SecurityFactory.class); private static Users users = new Users(); /** * */ public static String USER_ANONYMOUS = "guest"; public static String USER_REG_USER = "user"; public static String USER_ADMIN = "admin"; public static String USER_LOCKED = "locked"; /** * initializes the security system with some default settings to allow to * startup without a config file, this will be removed in the final release! */ public static void initDefault() { /* if (log.isDebugEnabled()) { log.debug("Initializing demo rights, roles and users..."); } */ Rights rights = new Rights(); // specify rights Right lRPC = new Right("org.jWebSocket.plugins.rpc.rpc", "Allow Remote Procedure Calls (RPC) to server"); Right lRRPC = new Right("org.jWebSocket.plugins.rpc.rrpc", "Allow Reverse Remote Procedure Calls (RRPC) to other clients"); rights.addRight(lRPC); rights.addRight(lRRPC); // specify roles and assign rights to roles // TODO: needs to be removed in final release! Role lGuestRole = new Role("guest", "Guests", lRPC, lRRPC); Role lRegRole = new Role("regUser", "Registered Users", lRPC, lRRPC); Role lAdminRole = new Role("admin", "Administrators", lRPC, lRRPC); // specify role sets for a simpler assignment to the users Roles lGuestRoles = new Roles(lGuestRole); Roles lRegRoles = new Roles(lGuestRole, lRegRole); Roles lAdminRoles = new Roles(lGuestRole, lRegRole, lAdminRole); User lGuestUser = new User(USER_ANONYMOUS, "Guest", "Guest", "guest", lGuestRoles); User lRegUser = new User(USER_REG_USER, "User", "User", "user", lRegRoles); User lAdminUser = new User(USER_ADMIN, "Admin", "Admin", "admin", lAdminRoles); // add a locked user for test purposes, e.g. to reject token in system filter User lLockedUser = new User(USER_LOCKED, "Locked", "Locked", "locked", lGuestRoles); lLockedUser.setStatus(User.ST_LOCKED); users.addUser(lGuestUser); users.addUser(lRegUser); users.addUser(lAdminUser); users.addUser(lLockedUser); // log.info("Default rights, roles and users initialized."); } /** * initializes the security system with the settings from the * jWebSocket.xml. * @param aConfig */ public static void initFromConfig(JWebSocketConfig aConfig) { // build list of rights List globalRights = aConfig.getGlobalRights(); Rights rights = new Rights(); for (RightConfig lRightConfig : globalRights) { Right lRight = new Right( lRightConfig.getNamespace() + "." + lRightConfig.getId(), lRightConfig.getDescription()); rights.addRight(lRight); } // build list of roles List globalRoles = aConfig.getGlobalRoles(); Roles roles = new Roles(); for (RoleConfig lRoleConfig : globalRoles) { Rights lRights = new Rights(); for (String lRightId : lRoleConfig.getRights()) { Right lRight = rights.get(lRightId); if (lRight != null) { lRights.addRight(lRight); } } Role lRole = new Role( lRoleConfig.getId(), lRoleConfig.getDescription(), lRights); roles.addRole(lRole); } // build list of users List globalUsers = aConfig.getUsers(); for (UserConfig lUserConfig : globalUsers) { Roles lRoles = new Roles(); for (String lRoleId : lUserConfig.getRoles()) { Role lRole = roles.getRole(lRoleId); if (lRole != null) { lRoles.addRole(lRole); } } User lUser = new User( lUserConfig.getLoginname(), lUserConfig.getFirstname(), lUserConfig.getLastname(), lUserConfig.getPassword(), lRoles); users.addUser(lUser); } // log.info("Rights, roles and users successfully initialized."); } public static void init() { // System.out.println( // "JWEBSOCKET_HOME variable not set, using default configuration..."); // initialize the security factory with some default demo data // to show at least something even with no config // TODO: only temporary, will be removed in the final release! SecurityFactory.initDefault(); } /** * checks if a user identified by it login name has a certain right. * @param aLoginname * @param aRight * @return */ public static boolean checkRight(String aLoginname, String aRight) { boolean lHasRight = false; // if user is not logged in use configured "anonymous" account if (aLoginname == null) { aLoginname = SecurityFactory.USER_ANONYMOUS; } User lUser = users.getUserByLoginName(aLoginname); // if the user is not found use the "anonymous" account // TODO: this process needs to be changed in the final release! if (lUser == null && !SecurityFactory.USER_ANONYMOUS.equals(aLoginname)) { aLoginname = SecurityFactory.USER_ANONYMOUS; lUser = users.getUserByLoginName(aLoginname); } if (lUser != null) { return lUser.hasRight(aRight); } return lHasRight; } }