You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@directory.apache.org by sm...@apache.org on 2014/10/22 17:44:28 UTC
[09/51] [partial] Rename packages from org.openldap.fortress to
org.apache.directory.fortress.core. Change default suffix to org.apache.
Switch default ldap api from unbound to apache ldap.
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/apache/directory/fortress/core/rbac/package.html
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/package.html b/src/main/java/org/apache/directory/fortress/core/rbac/package.html
new file mode 100755
index 0000000..70488a4
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/package.html
@@ -0,0 +1,52 @@
+<!--
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+-->
+<html>
+ <head>
+ <title>Package Documentation for org.apache.directory.fortress.core.rbac</title>
+ </head>
+ <body>
+ <p>
+ <ol>
+ <li>This package provides data entities and apis that adhere to standards like <a href="http://csrc.nist.gov/groups/SNS/rbac/documents/draft-rbac-implementation-std-v01.pdf">RBAC</a></li>
+ <li>This package provides data entities and APIs that adhere to <a href="http://profsandhu.com/journals/tissec/p113-oh.pdf">ARBAC02</a> model to provide delegated administration capabilities.</li>
+ <li>This package provides data entities and APIs to interrogate <a href="http://openldap.org/">OpenLDAP</a>'s slapd access log to obtain fortress audit trail and historical events.</li>
+ <li>This package uses <a href="http://www.jgrapht.org/">JGraphT</a> to provide hierarchical functionality that is reused within several other packages in the fortress system.</li>
+ </ol>
+ </p>
+ <p>
+ The <b>org.apache.directory.fortress.core.rbac</b> package data entities may be manipulated by outside
+ programs but the apis contained within this package are for fortress use only.
+ The entities include {@link org.apache.directory.fortress.core.rbac.User User},{@link org.apache.directory.fortress.core.rbac.Role Role}, {@link org.apache.directory.fortress.core.rbac.PermObj PermObj}, {@link org.apache.directory.fortress.core.rbac.Permission Permission}, and more.
+ See the corresponding javadoc contained with this package for more info.
+ </p>
+ <h3>Fortress Manager APIs implemented in this package</h3>
+ <ol>
+ <li><a href="AccessMgrImpl.html">AccessMgrImpl</a> - This implements using LDAP the runtime access control operations on objects that are provisioned <a href="http://csrc.nist.gov/groups/SNS/rbac/documents/draft-rbac-implementation-std-v01.pdf">RBAC</a> entities that reside in LDAP directory.</li>
+ <li><a href="AdminMgrImpl.html">AdminMgrImpl</a> - This implements using LDAP the administrative functions to provision Fortress <a href="http://csrc.nist.gov/groups/SNS/rbac/documents/draft-rbac-implementation-std-v01.pdf">RBAC</a> entities into the LDAP directory.</li>
+ <li><a href="ReviewMgrImpl.html">ReviewMgrImpl</a> - This implements using LDAP the administrative review functions on already provisioned Fortress <a href="http://csrc.nist.gov/groups/SNS/rbac/documents/draft-rbac-implementation-std-v01.pdf">RBAC</a> entities that reside in LDAP directory.</li>
+ <li><a href="DelegatedAccessMgrImpl.html">DelegatedAccessMgrImpl</a> - This implements using LDAP the APIs for performing runtime delegated access control operations on objects that are provisioned Fortress <a href="http://profsandhu.com/journals/tissec/p113-oh.pdf">ARBAC02</a> entities that reside in LDAP directory.</li>
+ <li><a href="DelegatedAdminMgrImpl.html">DelegatedAdminMgrImpl</a> - This implements using LDAP the <a href="http://profsandhu.com/journals/tissec/p113-oh.pdf">ARBAC02</a> DelegatedAdminMgr interface for performing policy administration of Fortress ARBAC entities that reside in LDAP directory.</li>
+ <li><a href="DelegatedReviewMgrImpl.html">DelegatedReviewMgrImpl</a> - This implements using LDAP the <a href="http://profsandhu.com/journals/tissec/p113-oh.pdf">ARBAC02</a> DelegatedReviewMgr interface for performing policy interrogation of provisioned Fortress ARBAC02 entities that reside in LDAP directory.</li>
+ <li><a href="PwPolicyMgrImpl.html">PwPolicyMgrImpl</a> - Performs CRUD on OpenLDAP password policies stored in directory.</li>
+ <li><a href="AuditMgrImpl.html">AuditMgrImpl</a> - Interrogates Fortress audit data stored in OpenLDAP.</li>
+ </ol>
+ </body>
+</html>
+
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/apache/directory/fortress/core/rest/AccessMgrRestImpl.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rest/AccessMgrRestImpl.java b/src/main/java/org/apache/directory/fortress/core/rest/AccessMgrRestImpl.java
new file mode 100644
index 0000000..744eb72
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/rest/AccessMgrRestImpl.java
@@ -0,0 +1,525 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.directory.fortress.core.rest;
+
+import org.apache.directory.fortress.core.AccessMgr;
+import org.apache.directory.fortress.core.GlobalErrIds;
+import org.apache.directory.fortress.core.SecurityException;
+import org.apache.directory.fortress.core.rbac.AccessMgrImpl;
+import org.apache.directory.fortress.core.rbac.Manageable;
+import org.apache.directory.fortress.core.rbac.Permission;
+import org.apache.directory.fortress.core.rbac.Session;
+import org.apache.directory.fortress.core.rbac.User;
+import org.apache.directory.fortress.core.rbac.UserRole;
+import org.apache.directory.fortress.core.util.attr.VUtil;
+
+import java.util.List;
+import java.util.Set;
+import java.util.TreeSet;
+
+/**
+ * Implementation class that performs runtime access control operations on data objects of type Fortress entities
+ * This object performs runtime access control operations on objects that are provisioned RBAC entities
+ * using HTTP access to En Masse REST server. These APIs map directly to similar named APIs specified by ANSI and NIST
+ * RBAC system functions.
+ * Many of the java doc function descriptions found below were taken directly from ANSI INCITS 359-2004.
+ * The RBAC Functional specification describes administrative operations for the creation
+ * and maintenance of RBAC element sets and relations; administrative review functions for
+ * performing administrative queries; and system functions for creating and managing
+ * RBAC attributes on user sessions and making access control decisions.
+ * <p/>
+ * <hr>
+ * <h4>RBAC0 - Core</h4>
+ * Many-to-many relationship between Users, Roles and Permissions. Selective role activation into sessions. API to add, update, delete identity data and perform identity and access control decisions during runtime operations.
+ * <p/>
+ * <img src="../doc-files/RbacCore.png">
+ * <hr>
+ * <h4>RBAC1 - General Hierarchical Roles</h4>
+ * Simplifies role engineering tasks using inheritance of one or more parent roles.
+ * <p/>
+ * <img src="../doc-files/RbacHier.png">
+ * <hr>
+ * <h4>RBAC2 - Static Separation of Duty (SSD) Relations</h4>
+ * Enforce mutual membership exclusions across role assignments. Facilitate dual control policies by restricting which roles may be assigned to users in combination. SSD provide added granularity for authorization limits which help enterprises meet strict compliance regulations.
+ * <p/>
+ * <img src="../doc-files/RbacSSD.png">
+ * <hr>
+ * <h4>RBAC3 - Dynamic Separation of Duty (DSD) Relations</h4>
+ * Control allowed role combinations to be activated within an RBAC session. DSD policies fine tune role policies that facilitate authorization dual control and two man policy restrictions during runtime security checks.
+ * <p/>
+ * <img src="../doc-files/RbacDSD.png">
+ * <hr>
+ * <p/>
+ * This class is thread safe and may be used in servlet or other multi-threaded environment.
+ * <p/>
+ *
+ *
+ * @author Shawn McKinney
+ */
+public class AccessMgrRestImpl extends Manageable implements AccessMgr
+{
+ private static final String CLS_NM = AccessMgrImpl.class.getName();
+
+ /**
+ * Perform user authentication only. It does not activate RBAC roles in session but will evaluate
+ * password policies.
+ *
+ * @param userId Contains the userid of the user signing on.
+ * @param password Contains the user's password.
+ * @return Session object will be returned if authentication successful. This will not contain user's roles.
+ * @throws SecurityException in the event of data validation failure, security policy violation or DAO error.
+ */
+ @Override
+ public Session authenticate(String userId, char[] password)
+ throws SecurityException
+ {
+ VUtil.assertNotNullOrEmpty(userId, GlobalErrIds.USER_ID_NULL, CLS_NM + ".authenticate");
+ VUtil.assertNotNullOrEmpty(password, GlobalErrIds.USER_PW_NULL, ".authenticate");
+ Session retSession;
+ FortRequest request = new FortRequest();
+ request.setContextId(this.contextId);
+ request.setEntity(new User(userId, password));
+ String szRequest = RestUtils.marshal(request);
+ String szResponse = RestUtils.post(szRequest, HttpIds.RBAC_AUTHN);
+ FortResponse response = RestUtils.unmarshall(szResponse);
+ if (response.getErrorCode() == 0)
+ {
+ retSession = response.getSession();
+ }
+ else
+ {
+ throw new SecurityException(response.getErrorCode(), response.getErrorMessage());
+ }
+ return retSession;
+ }
+
+ /**
+ * Perform user authentication {@link User#password} and role activations.<br />
+ * This method must be called once per user prior to calling other methods within this class.
+ * The successful result is {@link Session} that contains target user's RBAC {@link User#roles} and Admin role {@link User#adminRoles}.<br />
+ * In addition to checking user password validity it will apply configured password policy checks {@link User#pwPolicy}..<br />
+ * Method may also store parms passed in for audit trail {@link org.apache.directory.fortress.core.rbac.FortEntity}.
+ * <h4> This API will...</h4>
+ * <ul>
+ * <li> authenticate user password if trusted == false.
+ * <li> perform <a href="http://www.openldap.org/">OpenLDAP</a> <a href="http://tools.ietf.org/html/draft-behera-ldap-password-policy-10">password policy evaluation</a>, see {@link org.apache.directory.fortress.core.ldap.openldap.OLPWControlImpl}.
+ * <li> fail for any user who is locked by OpenLDAP's policies {@link User#isLocked()}, regardless of trusted flag being set as parm on API.
+ * <li> evaluate temporal {@link org.apache.directory.fortress.core.util.time.Constraint}(s) on {@link User}, {@link UserRole} and {@link org.apache.directory.fortress.core.rbac.UserAdminRole} entities.
+ * <li> process selective role activations into User RBAC Session {@link User#roles}.
+ * <li> check Dynamic Separation of Duties {@link org.apache.directory.fortress.core.rbac.DSDChecker#validate(Session, org.apache.directory.fortress.core.util.time.Constraint, org.apache.directory.fortress.core.util.time.Time)} on {@link User#roles}.
+ * <li> process selective administrative role activations {@link User#adminRoles}.
+ * <li> return a {@link Session} containing {@link Session#getUser()}, {@link Session#getRoles()} and (if admin user) {@link Session#getAdminRoles()} if everything checks out good.
+ * <li> throw a checked exception that will be {@link org.apache.directory.fortress.core.SecurityException} or its derivation.
+ * <li> throw a {@link SecurityException} for system failures.
+ * <li> throw a {@link org.apache.directory.fortress.core.PasswordException} for authentication and password policy violations.
+ * <li> throw a {@link org.apache.directory.fortress.core.ValidationException} for data validation errors.
+ * <li> throw a {@link org.apache.directory.fortress.core.FinderException} if User id not found.
+ * </ul>
+ * <h4>
+ * The function is valid if and only if:
+ * </h4>
+ * <ul>
+ * <li> the user is a member of the USERS data set
+ * <li> the password is supplied (unless trusted).
+ * <li> the (optional) active role set is a subset of the roles authorized for that user.
+ * </ul>
+ * <h4>
+ * The following attributes may be set when calling this method
+ * </h4>
+ * <ul>
+ * <li> {@link User#userId} - required
+ * <li> {@link User#password}
+ * <li> {@link User#roles} contains a list of RBAC role names authorized for user and targeted for activation within this session. Default is all authorized RBAC roles will be activated into this Session.
+ * <li> {@link User#adminRoles} contains a list of Admin role names authorized for user and targeted for activation. Default is all authorized ARBAC roles will be activated into this Session.
+ * <li> {@link User#props} collection of name value pairs collected on behalf of User during signon. For example hostname:myservername or ip:192.168.1.99
+ * </ul>
+ * <h4>
+ * Notes:
+ * </h4>
+ * <ul>
+ * <li> roles that violate Dynamic Separation of Duty Relationships will not be activated into session.
+ * <li> role activations will proceed in same order as supplied to User entity setter, see {@link User#setRole(String)}.
+ * </ul>
+ * </p>
+ *
+ * @param user Contains {@link User#userId}, {@link User#password} (optional if {@code isTrusted} is 'true'), optional {@link User#roles}, optional {@link User#adminRoles}
+ * @param isTrusted if true password is not required.
+ * @return Session object will contain authentication result code {@link Session#errorId}, RBAC role activations {@link Session#getRoles()}, Admin Role activations {@link Session#getAdminRoles()},OpenLDAP pw policy codes {@link Session#warningId}, {@link Session#expirationSeconds}, {@link Session#graceLogins} and more.
+ * @throws SecurityException in the event of data validation failure, security policy violation or DAO error.
+ */
+ @Override
+ public Session createSession(User user, boolean isTrusted)
+ throws SecurityException
+ {
+ VUtil.assertNotNull(user, GlobalErrIds.USER_NULL, CLS_NM + ".createSession");
+ Session retSession;
+ FortRequest request = new FortRequest();
+ request.setContextId(this.contextId);
+ request.setEntity(user);
+ String szRequest = RestUtils.marshal(request);
+ String szResponse;
+ if(isTrusted)
+ {
+ szResponse = RestUtils.post(szRequest, HttpIds.RBAC_CREATE_TRUSTED);
+ }
+ else
+ {
+ szResponse = RestUtils.post(szRequest, HttpIds.RBAC_CREATE);
+ }
+ FortResponse response = RestUtils.unmarshall(szResponse);
+ if (response.getErrorCode() == 0)
+ {
+ retSession = response.getSession();
+ }
+ else
+ {
+ throw new SecurityException(response.getErrorCode(), response.getErrorMessage());
+ }
+ return retSession;
+ }
+
+ /**
+ * Perform user rbac authorization. This function returns a Boolean value meaning whether the subject of a given session is
+ * allowed or not to perform a given operation on a given object. The function is valid if and
+ * only if the session is a valid Fortress session, the object is a member of the OBJS data set,
+ * and the operation is a member of the OPS data set. The session's subject has the permission
+ * to perform the operation on that object if and only if that permission is assigned to (at least)
+ * one of the session's active roles. This implementation will verify the roles or userId correspond
+ * to the subject's active roles are registered in the object's access control list.
+ *
+ * @param perm must contain the object, {@link Permission#objName}, and operation, {@link Permission#opName}, of permission User is trying to access.
+ * @param session This object must be instantiated by calling {@link AccessMgrImpl#createSession} method before passing into the method. No variables need to be set by client after returned from createSession.
+ * @return True if user has access, false otherwise.
+ * @throws SecurityException in the event of data validation failure, security policy violation or DAO error.
+ */
+ @Override
+ public boolean checkAccess(Session session, Permission perm)
+ throws SecurityException
+ {
+ VUtil.assertNotNull(perm, GlobalErrIds.PERM_NULL, CLS_NM + ".checkAccess");
+ VUtil.assertNotNull(session, GlobalErrIds.USER_SESS_NULL, CLS_NM + ".checkAccess");
+ boolean result;
+ FortRequest request = new FortRequest();
+ request.setContextId(this.contextId);
+ request.setSession(session);
+ request.setEntity(perm);
+ String szRequest = RestUtils.marshal(request);
+ String szResponse = RestUtils.post(szRequest, HttpIds.RBAC_AUTHZ);
+ FortResponse response = RestUtils.unmarshall(szResponse);
+ if (response.getErrorCode() == 0)
+ {
+ result = response.getAuthorized();
+ Session outSession = response.getSession();
+ session.copy(outSession);
+ }
+ else
+ {
+ throw new SecurityException(response.getErrorCode(), response.getErrorMessage());
+ }
+ return result;
+ }
+
+ /**
+ * This function returns the permissions of the session, i.e., the permissions assigned
+ * to its authorized roles. The function is valid if and only if the session is a valid Fortress session.
+ *
+ * @param session object contains the user's returned RBAC session from the createSession method.
+ * @return List<Permission> containing permissions (op, obj) active for user's session.
+ * @throws SecurityException in the event runtime error occurs with system.
+ */
+ @Override
+ public List<Permission> sessionPermissions(Session session)
+ throws SecurityException
+ {
+ VUtil.assertNotNull(session, GlobalErrIds.USER_SESS_NULL, CLS_NM + ".sessionPermissions");
+ List<Permission> retPerms;
+ FortRequest request = new FortRequest();
+ request.setContextId(this.contextId);
+ request.setSession(session);
+ String szRequest = RestUtils.marshal(request);
+ String szResponse = RestUtils.post(szRequest, HttpIds.RBAC_PERMS);
+ FortResponse response = RestUtils.unmarshall(szResponse);
+ if (response.getErrorCode() == 0)
+ {
+ retPerms = response.getEntities();
+ Session outSession = response.getSession();
+ session.copy(outSession);
+ }
+ else
+ {
+ throw new SecurityException(response.getErrorCode(), response.getErrorMessage());
+ }
+ return retPerms;
+ }
+
+ /**
+ * This function returns the active roles associated with a session. The function is valid if
+ * and only if the session is a valid Fortress session.
+ *
+ * @param session object contains the user's returned RBAC session from the createSession method.
+ * @return List<UserRole> containing all roles active in user's session. This will NOT contain inherited roles.
+ * @throws SecurityException
+ * is thrown if session invalid or system. error.
+ */
+ @Override
+ public List<UserRole> sessionRoles(Session session)
+ throws SecurityException
+ {
+ VUtil.assertNotNull(session, GlobalErrIds.USER_SESS_NULL, CLS_NM + ".sessionRoles");
+ List<UserRole> retRoles;
+ FortRequest request = new FortRequest();
+ request.setContextId(this.contextId);
+ request.setSession(session);
+ String szRequest = RestUtils.marshal(request);
+ String szResponse = RestUtils.post(szRequest, HttpIds.RBAC_ROLES);
+ FortResponse response = RestUtils.unmarshall(szResponse);
+ if (response.getErrorCode() == 0)
+ {
+ retRoles = response.getEntities();
+ Session outSession = response.getSession();
+ session.copy(outSession);
+ }
+ else
+ {
+ throw new SecurityException(response.getErrorCode(), response.getErrorMessage());
+ }
+ return retRoles;
+ }
+
+ /**
+ * This function returns the authorized roles associated with a session. The function is valid if
+ * and only if the session is a valid Fortress session.
+ *
+ * @param session object contains the user's returned RBAC session from the createSession method.
+ * @return Set<String> containing all roles active in user's session. This will contain inherited roles.
+ * @throws SecurityException is thrown if session invalid or system. error.
+ */
+ @Override
+ public Set<String> authorizedRoles(Session session)
+ throws SecurityException
+ {
+ VUtil.assertNotNull(session, GlobalErrIds.USER_SESS_NULL, CLS_NM + ".sessionRoles");
+ Set<String> retRoleNames = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
+ FortRequest request = new FortRequest();
+ request.setContextId(this.contextId);
+ request.setSession(session);
+ String szRequest = RestUtils.marshal(request);
+ String szResponse = RestUtils.post(szRequest, HttpIds.RBAC_AUTHZ_ROLES);
+ FortResponse response = RestUtils.unmarshall(szResponse);
+ if (response.getErrorCode() == 0)
+ {
+ Set<String> tempNames = response.getValueSet();
+ // This is done to use a case insensitive TreeSet for returned names.
+ retRoleNames.addAll(tempNames);
+ Session outSession = response.getSession();
+ session.copy(outSession);
+ }
+ else
+ {
+ throw new SecurityException(response.getErrorCode(), response.getErrorMessage());
+ }
+ return retRoleNames;
+ }
+
+ /**
+ * This function adds a role as an active role of a session whose owner is a given user.
+ * <p>
+ * The function is valid if and only if:
+ * <ul>
+ * <li> the user is a member of the USERS data set
+ * <li> the role is a member of the ROLES data set
+ * <li> the role inclusion does not violate Dynamic Separation of Duty Relationships
+ * <li> the session is a valid Fortress session
+ * <li> the user is authorized to that role
+ * <li> the session is owned by that user.
+ * </ul>
+ * </p>
+ *
+ * @param session object contains the user's returned RBAC session from the createSession method.
+ * @param role object contains the role name, {@link UserRole#name}, to be activated into session.
+ * @throws SecurityException is thrown if user is not allowed to activate or runtime error occurs with system.
+ */
+ @Override
+ public void addActiveRole(Session session, UserRole role)
+ throws SecurityException
+ {
+ String fullMethodName = CLS_NM + ".addActiveRole";
+ VUtil.assertNotNull(session, GlobalErrIds.USER_SESS_NULL, fullMethodName);
+ VUtil.assertNotNull(role, GlobalErrIds.ROLE_NULL, fullMethodName);
+ FortRequest request = new FortRequest();
+ request.setContextId(this.contextId);
+ request.setSession(session);
+ request.setEntity(role);
+ String szRequest = RestUtils.marshal(request);
+ String szResponse = RestUtils.post(szRequest, HttpIds.RBAC_ADD);
+ FortResponse response = RestUtils.unmarshall(szResponse);
+ if (response.getErrorCode() == 0)
+ {
+ Session outSession = response.getSession();
+ session.copy(outSession);
+ }
+ else
+ {
+ throw new SecurityException(response.getErrorCode(), response.getErrorMessage());
+ }
+ }
+
+ /**
+ * This function deletes a role from the active role set of a session owned by a given user.
+ * The function is valid if and only if the user is a member of the USERS data set, the
+ * session object contains a valid Fortress session, the session is owned by the user,
+ * and the role is an active role of that session.
+ *
+ * @param session object contains the user's returned RBAC session from the createSession method.
+ * @param role object contains the role name, {@link UserRole#name}, to be deactivated.
+ * @throws SecurityException is thrown if user is not allowed to deactivate or runtime error occurs with system.
+ */
+ @Override
+ public void dropActiveRole(Session session, UserRole role)
+ throws SecurityException
+ {
+ String fullMethodName = ".dropActiveRole";
+ VUtil.assertNotNull(session, GlobalErrIds.USER_SESS_NULL, CLS_NM + fullMethodName);
+ VUtil.assertNotNull(role, GlobalErrIds.ROLE_NULL, CLS_NM + fullMethodName);
+ FortRequest request = new FortRequest();
+ request.setContextId(this.contextId);
+ request.setSession(session);
+ request.setEntity(role);
+ String szRequest = RestUtils.marshal(request);
+ String szResponse = RestUtils.post(szRequest, HttpIds.RBAC_DROP);
+ FortResponse response = RestUtils.unmarshall(szResponse);
+ if (response.getErrorCode() == 0)
+ {
+ Session outSession = response.getSession();
+ session.copy(outSession);
+ }
+ else
+ {
+ throw new SecurityException(response.getErrorCode(), response.getErrorMessage());
+ }
+ }
+
+ /**
+ * This function returns the userId value that is contained within the session object.
+ * The function is valid if and only if the session object contains a valid Fortress session.
+ *
+ * @param session object contains the user's returned RBAC session from the createSession method.
+ * @return The userId value
+ * @throws SecurityException is thrown if user session not active or runtime error occurs with system.
+ */
+ @Override
+ public String getUserId(Session session)
+ throws SecurityException
+ {
+ VUtil.assertNotNull(session, GlobalErrIds.USER_SESS_NULL, CLS_NM + ".getUserId");
+ String userId;
+ FortRequest request = new FortRequest();
+ request.setContextId(this.contextId);
+ request.setSession(session);
+ String szRequest = RestUtils.marshal(request);
+ String szResponse = RestUtils.post(szRequest, HttpIds.RBAC_USERID);
+ FortResponse response = RestUtils.unmarshall(szResponse);
+ if (response.getErrorCode() == 0)
+ {
+ User outUser = (User) response.getEntity();
+ userId = outUser.getUserId();
+ Session outSession = response.getSession();
+ session.copy(outSession);
+ }
+ else
+ {
+ throw new SecurityException(response.getErrorCode(), response.getErrorMessage());
+ }
+ return userId;
+ }
+
+ /**
+ * This function returns the user object that is contained within the session object.
+ * The function is valid if and only if the session object contains a valid Fortress session.
+ *
+ * @param session object contains the user's returned RBAC session from the createSession method.
+ * @return The user value
+ * Sample User data contained in Session object:
+ * <ul> <code>Session</code>
+ * <li> <code>session.getUserId() => demoUser4</code>
+ * <li> <code>session.getInternalUserId() => be2dd2e:12a82ba707e:-7fee</code>
+ * <li> <code>session.getMessage() => Fortress checkPwPolicies userId <demouser4> VALIDATION GOOD</code>
+ * <li> <code>session.getErrorId() => 0</code>
+ * <li> <code>session.getWarningId() => 11</code>
+ * <li> <code>session.getExpirationSeconds() => 469831</code>
+ * <li> <code>session.getGraceLogins() => 0</code>
+ * <li> <code>session.getIsAuthenticated() => true</code>
+ * <li> <code>session.getLastAccess() => 1283623680440</code>
+ * <li> <code>session.getSessionId() => -7410986f:12addeea576:-7fff</code>
+ * <li> ------------------------------------------
+ * <li> <code>User user = session.getUser();</code>
+ * <ul> <li> <code>user.getUserId() => demoUser4</code>
+ * <li> <code>user.getInternalId() => be2dd2e:12a82ba707e:-7fee</code>
+ * <li> <code>user.getCn() => JoeUser4</code>
+ * <li> <code>user.getDescription() => Demo Test User 4</code>
+ * <li> <code>user.getOu() => test</code>
+ * <li> <code>user.getSn() => User4</code>
+ * <li> <code>user.getBeginDate() => 20090101</code>
+ * <li> <code>user.getEndDate() => none</code>
+ * <li> <code>user.getBeginLockDate() => none</code>
+ * <li> <code>user.getEndLockDate() => none</code>
+ * <li> <code>user.getDayMask() => 1234567</code>
+ * <li> <code>user.getTimeout() => 60</code>
+ * <li> <code>List<UserRole> roles = session.getRoles();</code>
+ * <ul> <li><code>UserRole userRole = roles.get(i);</code>
+ * <li> <code>userRole.getName() => role1</code>
+ * <li> <code>userRole.getBeginTime() => 0000</code>
+ * <li> <code>userRole.getEndTime() => 0000</code>
+ * <li> <code>userRole.getBeginDate() => none</code>
+ * <li> <code>userRole.getEndDate() => none</code>
+ * <li> <code>userRole.getBeginLockDate() => null</code>
+ * <li> <code>userRole.getEndLockDate() => null</code>
+ * <li> <code>userRole.getDayMask() => null</code>
+ * <li> <code>userRole.getTimeout() => 0</code>
+ * </ul>
+ * </ul>
+ * </ul>
+ * @throws SecurityException is thrown if user session not active or runtime error occurs with system.
+ */
+ @Override
+ public User getUser(Session session)
+ throws SecurityException
+ {
+ VUtil.assertNotNull(session, GlobalErrIds.USER_SESS_NULL, CLS_NM + ".getUser");
+ User retUser;
+ FortRequest request = new FortRequest();
+ request.setContextId(this.contextId);
+ request.setSession(session);
+ String szRequest = RestUtils.marshal(request);
+ String szResponse = RestUtils.post(szRequest, HttpIds.RBAC_USER);
+ FortResponse response = RestUtils.unmarshall(szResponse);
+ if (response.getErrorCode() == 0)
+ {
+ retUser = (User) response.getEntity();
+ Session outSession = response.getSession();
+ session.copy(outSession);
+ }
+ else
+ {
+ throw new SecurityException(response.getErrorCode(), response.getErrorMessage());
+ }
+ return retUser;
+ }
+}