org.rhq.enterprise.server.auth

Class SubjectManagerBean

java.lang.Object

org.rhq.enterprise.server.auth.SubjectManagerBean

All Implemented Interfaces:

SubjectManagerLocal, SubjectManagerRemote

public class SubjectManagerBean
extends Object
implements SubjectManagerLocal, SubjectManagerRemote

Provides functionality to access and manipulate subjects and principals, mainly for authentication purposes.

Author:

John Mazzitelli

Constructor Summary

Constructors

Constructor and Description
SubjectManagerBean()

Method Summary

Methods

Modifier and Type	Method and Description
void	changePassword(org.rhq.core.domain.auth.Subject whoami, String username, String password) Change the password for a user.
org.rhq.core.domain.auth.Subject	checkAuthentication(String username, String password) Checks whether a user would successfully login with the provided credentials.
void	createPrincipal(org.rhq.core.domain.auth.Subject whoami, org.rhq.core.domain.auth.Principal principal) Creates a new principal (username and password) in the internal database.
void	createPrincipal(org.rhq.core.domain.auth.Subject whoami, String username, String password) Creates a new principal (username and password) in the internal database.
org.rhq.core.domain.auth.Subject	createSubject(org.rhq.core.domain.auth.Subject whoami, org.rhq.core.domain.auth.Subject subject) Create a a new subject.
org.rhq.core.domain.auth.Subject	createSubject(org.rhq.core.domain.auth.Subject whoami, org.rhq.core.domain.auth.Subject subjectToCreate, String password) Creates a new subject, including their assigned roles, as well as an associated principal with the specified password.
void	deleteSubjects(org.rhq.core.domain.auth.Subject sessionSubject, int[] subjectIds) Deletes the given set of users, including both the Subject and Principal objects associated with those users.
void	deleteUsers(org.rhq.core.domain.auth.Subject subject, int[] subjectIds) Deletes the given set of users, including both the Subject and Principal objects associated with those users.
Collection<String>	findAllUsersWithPrincipals() Get a collection of all user names, where the collection contains the names of all users that have principals only.
org.rhq.core.domain.util.PageList<org.rhq.core.domain.auth.Subject>	findAvailableSubjectsForRole(org.rhq.core.domain.auth.Subject whoami, Integer roleId, Integer[] pendingSubjectIds, org.rhq.core.domain.util.PageControl pc) This returns a list of subjects that are available to be assigned to a given role but not yet assigned to that role.
org.rhq.core.domain.util.PageList<org.rhq.core.domain.auth.Subject>	findSubjectsByCriteria(org.rhq.core.domain.auth.Subject subject, org.rhq.core.domain.criteria.SubjectCriteria criteria)
org.rhq.core.domain.auth.Subject	getOverlord() This returns the system super user subject that can be used to authorize the caller for any other system call.
org.rhq.core.domain.auth.Subject	getSubjectById(int id)
org.rhq.core.domain.auth.Subject	getSubjectByName(String username) Looks up the existing subject using the given username.
org.rhq.core.domain.auth.Subject	getSubjectByNameAndSessionId(String username, int sessionId) Adds more security in the remote api call by requiring matching username
org.rhq.core.domain.auth.Subject	getSubjectBySessionId(int sessionId)
boolean	isUserWithPrincipal(String username) Checks that the user exists and has a Principal associated with it.
boolean	isValidSessionId(int session, String username, int userid) Determines if the given session ID is valid and it is associated with the given username and user ID.
org.rhq.core.domain.auth.Subject	loadUserConfiguration(Integer subjectId) Loads in the given subject's preferences and roles.
org.rhq.core.domain.auth.Subject	login(String username, String password) Logs a user into the system.
org.rhq.core.domain.auth.Subject	loginLocal(String username, String password) Logs in a user performing the authentication.
org.rhq.core.domain.auth.Subject	loginUnauthenticated(String username) Logs in a user without performing any authentication.
void	logout(int sessionId)
void	logout(org.rhq.core.domain.auth.Subject subject) Logs out a user.
org.rhq.core.domain.auth.Subject	processSubjectForLdap(org.rhq.core.domain.auth.Subject subject, String subjectPassword) This method is applied to Subject instances that may require LDAP auth/authz processing.
void	purgeTimedOutSessions()
void	scheduleSessionPurgeJob() For internal use only - used by the StartupBean only - don't call this.
org.rhq.core.domain.auth.Subject	updateSubject(org.rhq.core.domain.auth.Subject whoami, org.rhq.core.domain.auth.Subject subjectToModify) Updates an existing subject with new data.
org.rhq.core.domain.auth.Subject	updateSubject(org.rhq.core.domain.auth.Subject whoami, org.rhq.core.domain.auth.Subject subjectToModify, String newPassword) Updates an existing subject, including their assigned roles, and optionally their password.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

SubjectManagerBean

public SubjectManagerBean()

Method Detail

scheduleSessionPurgeJob

public void scheduleSessionPurgeJob()

Description copied from interface: SubjectManagerLocal

For internal use only - used by the StartupBean only - don't call this. This will schedule the periodic EJB timer to trigger a purge of all timed out sessions.

Specified by:

scheduleSessionPurgeJob in interface SubjectManagerLocal

purgeTimedOutSessions

public void purgeTimedOutSessions()

loadUserConfiguration

public org.rhq.core.domain.auth.Subject loadUserConfiguration(Integer subjectId)

Description copied from interface: SubjectManagerLocal

Loads in the given subject's preferences and roles.

Specified by:

loadUserConfiguration in interface SubjectManagerLocal

Parameters:

subjectId - identifies the subject whose preferences and roles are to be loaded

Returns:

the subject, with its preferences and roles loaded

See Also:

SubjectManagerLocal.loadUserConfiguration(Integer)

updateSubject

public org.rhq.core.domain.auth.Subject updateSubject(org.rhq.core.domain.auth.Subject whoami,
                                             org.rhq.core.domain.auth.Subject subjectToModify)

Description copied from interface: SubjectManagerRemote

Updates an existing subject with new data. This does not cascade any changes to the roles but it will save the subject's configuration.

Specified by:

updateSubject in interface SubjectManagerRemote

Parameters:

whoami - The logged in user's subject.

subjectToModify - the subject whose data is to be updated (which may or may not be the same as user)

Returns:

the merged subject, which may or may not be the same instance of subjectToModify

See Also:

SubjectManagerRemote.updateSubject(Subject, Subject)

createSubject

public org.rhq.core.domain.auth.Subject createSubject(org.rhq.core.domain.auth.Subject whoami,
                                             org.rhq.core.domain.auth.Subject subjectToCreate,
                                             String password)
                                               throws SubjectException,
                                                      javax.persistence.EntityExistsException

Description copied from interface: SubjectManagerLocal

Creates a new subject, including their assigned roles, as well as an associated principal with the specified password.

Specified by:

createSubject in interface SubjectManagerLocal

Parameters:

whoami - the logged in user's subject

subjectToCreate - the subject to be created (which will never be the same as subject)

password - the password for the principal to be created for the new user

Returns:

the persisted subject

Throws:

SubjectException

javax.persistence.EntityExistsException

updateSubject

public org.rhq.core.domain.auth.Subject updateSubject(org.rhq.core.domain.auth.Subject whoami,
                                             org.rhq.core.domain.auth.Subject subjectToModify,
                                             String newPassword)

Description copied from interface: SubjectManagerLocal

Updates an existing subject, including their assigned roles, and optionally their password.

Specified by:

updateSubject in interface SubjectManagerLocal

Parameters:

whoami - the logged in user's subject

subjectToModify - the subject whose data is to be updated (which may or may not be the same as subject)

newPassword - if non-null, a new password to be set on the user's associated principal

Returns:

the merged subject, which may or may not be the subjectToModify instance

getOverlord

public org.rhq.core.domain.auth.Subject getOverlord()

Description copied from interface: SubjectManagerLocal

This returns the system super user subject that can be used to authorize the caller for any other system call. This must not be exposed to remote clients.

Specified by:

getOverlord in interface SubjectManagerLocal

Returns:

a subject that is authorized to do anything

See Also:

SubjectManagerLocal.getOverlord()

getSubjectByName

public org.rhq.core.domain.auth.Subject getSubjectByName(String username)

Description copied from interface: SubjectManagerRemote

Looks up the existing subject using the given username.

Specified by:

getSubjectByName in interface SubjectManagerRemote

Parameters:

username - the name of the subject to look for

Returns:

the subject that was found or null if not found

See Also:

SubjectManagerRemote.getSubjectByName(String)

createSubject

public org.rhq.core.domain.auth.Subject createSubject(org.rhq.core.domain.auth.Subject whoami,
                                             org.rhq.core.domain.auth.Subject subject)
                                               throws SubjectException

Description copied from interface: SubjectManagerRemote

Create a a new subject. This ignores the roles in subject. The created subject will not be assigned to any roles; use the role manager to assign roles to a subject.

Specified by:

createSubject in interface SubjectManagerRemote

Parameters:

whoami - The logged in user's subject.

subject - The subject to be created.

Returns:

the newly persisted Subject

Throws:

SubjectException

See Also:

SubjectManagerRemote.createSubject(Subject, Subject)

getSubjectById

public org.rhq.core.domain.auth.Subject getSubjectById(int id)

Specified by:

getSubjectById in interface SubjectManagerLocal

See Also:

SubjectManagerLocal.getSubjectById(int)

login

public org.rhq.core.domain.auth.Subject login(String username,
                                     String password)
                                       throws LoginException

Description copied from interface: SubjectManagerRemote

Logs a user into the system. This will authenticate the given user with the given password. If the user was already logged in, the current session will be used but the password will still need to be authenticated.

Specified by:

login in interface SubjectManagerRemote

Parameters:

username - The name of the user.

password - The password.

Returns:

The subject of the authenticated user.

Throws:

LoginException - if the login failed for some reason

loginLocal

public org.rhq.core.domain.auth.Subject loginLocal(String username,
                                          String password)
                                            throws LoginException

Description copied from interface: SubjectManagerLocal

Logs in a user performing the authentication. The difference between this method and SubjectManagerRemote.login(String, String) method is that the latter is meant to be used only for CLI, because if LDAP user without any role is trying to log in (and it is disabled) this one lets the user in because of the LDAP registration form.

Specified by:

loginLocal in interface SubjectManagerLocal

Parameters:

username - The user to login

Returns:

A Subject with an active session for the the user

Throws:

LoginException - if failed to create a new session for the given user

checkAuthentication

public org.rhq.core.domain.auth.Subject checkAuthentication(String username,
                                                   String password)

Description copied from interface: SubjectManagerLocal

Checks whether a user would successfully login with the provided credentials.

Specified by:

checkAuthentication in interface SubjectManagerLocal

Parameters:

username - the username

password - the password

Returns:

the subject if the credentials are correct, null otherwise

processSubjectForLdap

public org.rhq.core.domain.auth.Subject processSubjectForLdap(org.rhq.core.domain.auth.Subject subject,
                                                     String subjectPassword)
                                                       throws LoginException

This method is applied to Subject instances that may require LDAP auth/authz processing. Called from both SLSB and SubjectGWTServiceImpl and: -if Subject passed in has Principal(not LDAP account) then we immediately return Subject as no processing needed. -if Subject for LDAP account

Specified by:

processSubjectForLdap in interface SubjectManagerLocal

Parameters:

subject - Authenticated subject.

Returns:

same or new Subject returned from LDAP processing.

Throws:

LoginException

logout

public void logout(org.rhq.core.domain.auth.Subject subject)

Description copied from interface: SubjectManagerRemote

Logs out a user.

Specified by:

logout in interface SubjectManagerRemote

Parameters:

subject - The Subject to log out. The sessionId must be valid.

See Also:

SubjectManagerRemote.logout(Subject)

logout

public void logout(int sessionId)

Specified by:

logout in interface SubjectManagerLocal

See Also:

SubjectManagerLocal.logout(int)

createPrincipal

public void createPrincipal(org.rhq.core.domain.auth.Subject whoami,
                   String username,
                   String password)
                     throws SubjectException

Description copied from interface: SubjectManagerRemote

Creates a new principal (username and password) in the internal database. The password will be encoded before being stored.

Specified by:

createPrincipal in interface SubjectManagerRemote

Parameters:

whoami - The logged in user's subject.

username - The username part of the principal

password - The password part of the principal

Throws:

SubjectException - if the principal could not be added

See Also:

SubjectManagerRemote.createPrincipal(Subject, String, String)

createPrincipal

public void createPrincipal(org.rhq.core.domain.auth.Subject whoami,
                   org.rhq.core.domain.auth.Principal principal)
                     throws SubjectException

Description copied from interface: SubjectManagerLocal

Creates a new principal (username and password) in the internal database.

Specified by:

createPrincipal in interface SubjectManagerLocal

Parameters:

whoami - The subject of the currently logged in user

principal - The principal to add

Throws:

SubjectException

See Also:

SubjectManagerLocal.createPrincipal(Subject, Principal)

changePassword

public void changePassword(org.rhq.core.domain.auth.Subject whoami,
                  String username,
                  String password)

Description copied from interface: SubjectManagerRemote

Change the password for a user.

Specified by:

changePassword in interface SubjectManagerRemote

Parameters:

whoami - The logged in user's subject.

username - The user whose password will be changed

password - The new password for the user

See Also:

SubjectManagerRemote.changePassword(Subject, String, String)

isUserWithPrincipal

public boolean isUserWithPrincipal(String username)

Description copied from interface: SubjectManagerLocal

Checks that the user exists and has a Principal associated with it. This means that the user both exists and is authenticated via JDBC. An LDAP user will not have a Principal because it is authenticated via the LDAP server, not from the database.

Specified by:

isUserWithPrincipal in interface SubjectManagerLocal

Parameters:

username - the user whose existence is to be checked

Returns:

true if the user exists and has a Principal, false otherwise

See Also:

SubjectManagerLocal.isUserWithPrincipal(String)

findAllUsersWithPrincipals

public Collection<String> findAllUsersWithPrincipals()

Description copied from interface: SubjectManagerLocal

Get a collection of all user names, where the collection contains the names of all users that have principals only. You will not get a list of usernames for those users authenticated by LDAP.

Specified by:

findAllUsersWithPrincipals in interface SubjectManagerLocal

Returns:

collection of all user names that have principals

See Also:

SubjectManagerLocal.findAllUsersWithPrincipals()

loginUnauthenticated

public org.rhq.core.domain.auth.Subject loginUnauthenticated(String username)
                                                      throws LoginException

Description copied from interface: SubjectManagerLocal

Logs in a user without performing any authentication. This method should be used with care and is not available to remote clients. Because of the unauthenticated nature of this login, the new login session will have a session timeout of only two minutes.

Specified by:

loginUnauthenticated in interface SubjectManagerLocal

Parameters:

username - The user to login

Returns:

A Subject with an active session for the the user

Throws:

LoginException - if failed to create a new session for the given user

See Also:

SubjectManagerLocal.loginUnauthenticated(String)

deleteUsers

public void deleteUsers(org.rhq.core.domain.auth.Subject subject,
               int[] subjectIds)

Description copied from interface: SubjectManagerLocal

Deletes the given set of users, including both the Subject and Principal objects associated with those users.

Specified by:

deleteUsers in interface SubjectManagerLocal

Parameters:

subject - the person requesting the deletion

subjectIds - identifies the subject IDs for all the users that are to be deleted

See Also:

SubjectManagerLocal.deleteUsers(Subject, int[])

deleteSubjects

public void deleteSubjects(org.rhq.core.domain.auth.Subject sessionSubject,
                  int[] subjectIds)

Description copied from interface: SubjectManagerRemote

Deletes the given set of users, including both the Subject and Principal objects associated with those users.

Specified by:

deleteSubjects in interface SubjectManagerRemote

Parameters:

sessionSubject - The logged in user's subject.

subjectIds - identifies the subject IDs for all the users that are to be deleted

See Also:

TODO: A wrapper method for deleteUsers, exposed in remote, both should be merged at some point.

getSubjectBySessionId

public org.rhq.core.domain.auth.Subject getSubjectBySessionId(int sessionId)
                                                       throws Exception

Specified by:

getSubjectBySessionId in interface SubjectManagerLocal

Throws:

Exception

See Also:

SubjectManagerLocal.getSubjectBySessionId(int)

getSubjectByNameAndSessionId

public org.rhq.core.domain.auth.Subject getSubjectByNameAndSessionId(String username,
                                                            int sessionId)
                                                              throws Exception

Adds more security in the remote api call by requiring matching username

Specified by:

getSubjectByNameAndSessionId in interface SubjectManagerRemote

Parameters:

username - The name of the user.

sessionId - The sessionId of the desired Subject.

Returns:

The Subject that was found

Throws:

Exception - if the sessionId is not valid

isValidSessionId

public boolean isValidSessionId(int session,
                       String username,
                       int userid)

Description copied from interface: SubjectManagerLocal

Determines if the given session ID is valid and it is associated with the given username and user ID.

Specified by:

isValidSessionId in interface SubjectManagerLocal

Returns:

true if the session ID indentifies a valid session; false if it is invalid or has timed out

See Also:

SubjectManagerLocal.isValidSessionId(int, String, int)

findAvailableSubjectsForRole

public org.rhq.core.domain.util.PageList<org.rhq.core.domain.auth.Subject> findAvailableSubjectsForRole(org.rhq.core.domain.auth.Subject whoami,
                                                                                               Integer roleId,
                                                                                               Integer[] pendingSubjectIds,
                                                                                               org.rhq.core.domain.util.PageControl pc)

Description copied from interface: SubjectManagerLocal

This returns a list of subjects that are available to be assigned to a given role but not yet assigned to that role. This excludes subjects already assigned to the role. The returned list will not include the subjects identified by pendingSubjectIds since it is assumed the pending subjects will be assigned to the role.

Specified by:

findAvailableSubjectsForRole in interface SubjectManagerLocal

Parameters:

whoami - user attempting to make this call

roleId - the role whose list of available subjects are to be returned

pendingSubjectIds - the list of subjects that are planned to be given to the role

Returns:

the list of subjects that can be assigned to the given role, not including the pending subjects

findSubjectsByCriteria

public org.rhq.core.domain.util.PageList<org.rhq.core.domain.auth.Subject> findSubjectsByCriteria(org.rhq.core.domain.auth.Subject subject,
                                                                                         org.rhq.core.domain.criteria.SubjectCriteria criteria)

Specified by:

findSubjectsByCriteria in interface SubjectManagerRemote

Returns:

not null