You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@directory.apache.org by sm...@apache.org on 2014/10/22 17:44:42 UTC
[23/51] [partial] Rename packages from org.openldap.fortress to
org.apache.directory.fortress.core. Change default suffix to org.apache.
Switch default ldap api from unbound to apache ldap.
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/apache/directory/fortress/core/rbac/PwPolicy.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/PwPolicy.java b/src/main/java/org/apache/directory/fortress/core/rbac/PwPolicy.java
new file mode 100755
index 0000000..759661d
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/PwPolicy.java
@@ -0,0 +1,779 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.directory.fortress.core.rbac;
+
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlRootElement;
+import javax.xml.bind.annotation.XmlType;
+
+/**
+ * This class contains the Password Policy entity which is used to pass directives into and out of ldap.
+ * <br />The unique key to locate a Policy entity (which is subsequently assigned to Users) is {@link #name}.<br />
+ * <p/>
+ * <h4>Password Policies</h4>
+ * <a href="http://www.openldap.org/">OpenLDAP</a> supports the IETF draft <a href="http://tools.ietf.org/html/draft-behera-ldap-password-policy-10/">Password Policies for LDAP directories</a></li>. Policies may be applied at the user, group or global level.
+ * <p/>
+ * <img src="../doc-files/PasswordPolicy.png">
+ * <p/>
+ * Password enforcement options include:
+ * <ol>
+ * <li>A configurable limit on failed authentication attempts.</li>
+ * <li>A counter to track the number of failed authentication attempts.</li>
+ * <li>A time frame in which the limit of consecutive failed authentication attempts must happen before action is taken.</li>
+ * <li>The action to be taken when the limit is reached. The action will either be nothing, or the account will be locked.</li>
+ * <li>An amount of time the account is locked (if it is to be locked) This can be indefinite.</li>
+ * <li>Password expiration.</li>
+ * <li>Expiration warning</li>
+ * <li>Grace authentications</li>
+ * <li>Password history</li>
+ * <li>Password minimum age</li>
+ * <li>Password minimum length</li>
+ * <li>Password Change after Reset</li>
+ * <li>Safe Modification of Password</li>
+ * </ol>
+ * <p/>
+ * <h4>Schema</h4>
+ * The OpenLDAP Password Policy entity is a composite of the following structural and aux object classes:
+ * <p/>
+ * 1. organizationalRole Structural Object Class is used to store basic attributes like cn and description.
+ * <pre>
+ * ------------------------------------------
+ * objectclass ( 2.5.6.14 NAME 'device'
+ * DESC 'RFC2256: a device'
+ * SUP top STRUCTURAL
+ * MUST cn
+ * MAY (
+ * serialNumber $ seeAlso $ owner $ ou $ o $ l $ description
+ * )
+ * )
+ * ------------------------------------------
+ * </pre>
+ * <p/>
+ * 2. pwdPolicy AUXILIARY Object Class is used to store OpenLDAP Password Policies.
+ * <pre>
+ * ------------------------------------------
+ * objectclass ( 1.3.6.1.4.1.42.2.27.8.2.1</code>
+ * NAME 'pwdPolicy'</code>
+ * SUP top</code>
+ * AUXILIARY</code>
+ * MUST (
+ * pwdAttribute
+ * )
+ * MAY (
+ * pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheckQuality $
+ * pwdMinLength $ pwdExpireWarning $ pwdGraceAuthNLimit $ pwdLockout $
+ * pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $
+ * pwdMustChange $ pwdAllowUserChange $ pwdSafeModify
+ * )
+ * )
+ * ------------------------------------------
+ * </pre>
+ * <p/>
+ * 3. ftMods AUXILIARY Object Class is used to store Fortress audit variables on target entity.
+ * <pre>
+ * ------------------------------------------
+ * Fortress Audit Modification Auxiliary Object Class
+ * objectclass ( 1.3.6.1.4.1.38088.3.4
+ * NAME 'ftMods'
+ * DESC 'Fortress Modifiers AUX Object Class'
+ * AUXILIARY
+ * MAY (
+ * ftModifier $
+ * ftModCode $
+ * ftModId
+ * )
+ * )
+ * ------------------------------------------
+ * </pre>
+ * <p/>
+ *
+ * @author Shawn McKinney
+ */
+@XmlRootElement(name = "fortPolicy")
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "pswdpolicy", propOrder = {
+ "name",
+ "attribute",
+ "minAge",
+ "maxAge",
+ "inHistory",
+ "checkQuality",
+ "minLength",
+ "expireWarning",
+ "graceLoginLimit",
+ "lockout",
+ "lockoutDuration",
+ "maxFailure",
+ "failureCountInterval",
+ "mustChange",
+ "allowUserChange",
+ "safeModify"
+})
+public class PwPolicy extends FortEntity
+ implements java.io.Serializable
+{
+ /**
+ * Maps to name attribute of pwdPolicy object class.
+ */
+ private String name;
+
+ /**
+ * 5.2.1 pwdAttribute
+ * <p/>
+ * This holds the name of the attribute to which the password policy is
+ * applied. For example, the password policy may be applied to the
+ * userPassword attribute.
+ */
+ private String attribute;
+
+ /**
+ * 5.2.2 pwdMinAge
+ * <p/>
+ * This attribute holds the number of seconds that must elapse between
+ * modifications to the password. If this attribute is not present, 0
+ * seconds is assumed.
+ */
+ @XmlElement(nillable = true)
+ private Integer minAge;
+ //private String minAge;
+
+ /**
+ * 5.2.3 pwdMaxAge
+ * <p/>
+ * This attribute holds the number of seconds after which a modified
+ * password will expire.
+ * <p/>
+ * If this attribute is not present, or if the value is 0 the password
+ * does not expire. If not 0, the value must be greater than or equal
+ * to the value of the pwdMinAge.
+ */
+ @XmlElement(nillable = true)
+ private Long maxAge;
+
+ /**
+ * 5.2.4 pwdInHistory
+ * <p/>
+ * This attribute specifies the maximum number of used passwords stored
+ * in the pwdHistory attribute.
+ * <p/>
+ * If this attribute is not present, or if the value is 0, used
+ * passwords are not stored in the pwdHistory attribute and thus may be
+ * reused.
+ */
+ @XmlElement(nillable = true)
+ private Short inHistory;
+
+ /**
+ * 5.2.5 pwdCheckQuality
+ * <p/>
+ * This attribute indicates how the password quality will be verified
+ * while being modified or added. If this attribute is not present, or
+ * if the value is '0', quality checking will not be enforced. A value
+ * of '1' indicates that the server will check the quality, and if the
+ * server is unable to check it (due to a hashed password or other
+ * reasons) it will be accepted. A value of '2' indicates that the
+ * server will check the quality, and if the server is unable to verify
+ * it, it will return an error refusing the password.
+ */
+ @XmlElement(nillable = true)
+ private Short checkQuality;
+
+ /**
+ * 5.2.6 pwdMinLength
+ * <p/>
+ * When quality checking is enabled, this attribute holds the minimum
+ * number of characters that must be used in a password. If this
+ * attribute is not present, no minimum password length will be
+ * enforced. If the server is unable to check the length (due to a
+ * hashed password or otherwise), the server will, depending on the
+ * value of the pwdCheckQuality attribute, either accept the password
+ * without checking it ('0' or '1') or refuse it ('2').
+ */
+ @XmlElement(nillable = true)
+ private Short minLength;
+
+ /**
+ * 5.2.7 pwdExpireWarning
+ * <p/>
+ * This attribute specifies the maximum number of seconds before a
+ * password is due to expire that expiration warning messages will be
+ * returned to an authenticating user.
+ * <p/>
+ * If this attribute is not present, or if the value is 0 no warnings
+ * will be returned. If not 0, the value must be smaller than the value
+ * of the pwdMaxAge attribute.
+ */
+ @XmlElement(nillable = true)
+ private Long expireWarning;
+
+ /**
+ * 5.2.8 pwdGraceAuthNLimit
+ * <p/>
+ * This attribute specifies the number of times an expired password can
+ * be used to authenticate. If this attribute is not present or if the
+ * value is 0, authentication will fail.
+ */
+ @XmlElement(nillable = true)
+ private Short graceLoginLimit;
+
+ /**
+ * 5.2.9 pwdLockout
+ * <p/>
+ * This attribute indicates, when its value is "TRUE", that the password
+ * may not be used to authenticate after a specified number of
+ * consecutive failed bind attempts. The maximum number of consecutive
+ * failed bind attempts is specified in pwdMaxFailure.
+ * <p/>
+ * If this attribute is not present, or if the value is "FALSE", the
+ * password may be used to authenticate when the number of failed bind
+ * attempts has been reached.
+ */
+ @XmlElement(nillable = true)
+ private Boolean lockout;
+
+ /**
+ * 5.2.10 pwdLockoutDuration
+ * <p/>
+ * This attribute holds the number of seconds that the password cannot
+ * be used to authenticate due to too many failed bind attempts. If
+ * this attribute is not present, or if the value is 0 the password
+ * cannot be used to authenticate until reset by a password
+ * administrator.
+ */
+ @XmlElement(nillable = true)
+ private Integer lockoutDuration;
+
+ /**
+ * 5.2.11 pwdMaxFailure
+ * <p/>
+ * This attribute specifies the number of consecutive failed bind
+ * attempts after which the password may not be used to authenticate.
+ * If this attribute is not present, or if the value is 0, this policy
+ * is not checked, and the value of pwdLockout will be ignored.
+ */
+ @XmlElement(nillable = true)
+ private Short maxFailure;
+
+ /**
+ * 5.2.12 pwdFailureCountInterval
+ * <p/>
+ * This attribute holds the number of seconds after which the password
+ * failures are purged from the failure counter, even though no
+ * successful authentication occurred.
+ * <p/>
+ * If this attribute is not present, or if its value is 0, the failure
+ * counter is only reset by a successful authentication.
+ */
+ @XmlElement(nillable = true)
+ private Short failureCountInterval;
+
+ /**
+ * 5.2.13 pwdMustChange
+ * <p/>
+ * This attribute specifies with a value of "TRUE" that users must
+ * change their passwords when they first bind to the directory after a
+ * password is set or reset by a password administrator. If this
+ * attribute is not present, or if the value is "FALSE", users are not
+ * required to change their password upon binding after the password
+ * administrator sets or resets the password. This attribute is not set
+ * due to any actions specified by this document, it is typically set by
+ * a password administrator after resetting a user's password.
+ */
+ @XmlElement(nillable = true)
+ private Boolean mustChange;
+
+ /**
+ * 5.2.14 pwdAllowUserChange
+ * <p/>
+ * This attribute indicates whether users can change their own
+ * passwords, although the change operation is still subject to access
+ * control. If this attribute is not present, a value of "TRUE" is
+ * assumed. This attribute is intended to be used in the absence of an
+ * access control mechanism.
+ */
+ @XmlElement(nillable = true)
+ private Boolean allowUserChange;
+
+ /**
+ * 5.2.15 pwdSafeModify
+ * <p/>
+ * This attribute specifies whether or not the existing password must be
+ * sent along with the new password when being changed. If this
+ * attribute is not present, a "FALSE" value is assumed.
+ */
+ @XmlElement(nillable = true)
+ private Boolean safeModify;
+
+ /**
+ * Default constructor is used by internal Fortress classes and not intended for external use.
+ */
+ public PwPolicy()
+ {
+ }
+
+ /**
+ * Create instance given a policy name.
+ * @param name
+ */
+ public PwPolicy(String name)
+ {
+ this.name = name;
+ }
+
+
+ /**
+ * Get the policy name associated with this instance.
+ * @return attribute stored as 'cn' in 'pwdPolicy' object class.
+ */
+ public String getName()
+ {
+ return this.name;
+ }
+
+ /**
+ * Set the required attribute policy name on this entity.
+ * @param name stored as 'cn' in 'pwdPolicy' object class.
+ */
+ public void setName(String name)
+ {
+ this.name = name;
+ }
+
+ /**
+ * This optional attribute holds the number of seconds that must elapse between
+ * modifications to the password. If this attribute is not present, 0
+ * seconds is assumed.
+ *
+ * @return attribute stored as 'pwdMinAge' in 'pwdPolicy' object class.
+ */
+ public Integer getMinAge()
+ {
+ return this.minAge;
+ }
+
+ /**
+ * This optional attribute holds the number of seconds that must elapse between
+ * modifications to the password. If this attribute is not present, 0
+ * seconds is assumed.
+ *
+ * @param minAge stored as 'pwdMinAge' in 'pwdPolicy' object class.
+ */
+ public void setMinAge(Integer minAge)
+ {
+ this.minAge = minAge;
+ }
+
+ /**
+ * This optional attribute holds the number of seconds after which a modified
+ * password will expire.
+ * If this attribute is not present, or if the value is 0 the password
+ * does not expire. If not 0, the value must be greater than or equal
+ * to the value of the pwdMinAge.
+ *
+ * @return attribute stored as 'pwdMaxAge' in 'pwdPolicy' object class.
+ */
+ public Long getMaxAge()
+ {
+ return this.maxAge;
+ }
+
+ /**
+ * This optional attribute holds the number of seconds after which a modified
+ * password will expire.
+ * If this attribute is not present, or if the value is 0 the password
+ * does not expire. If not 0, the value must be greater than or equal
+ * to the value of the pwdMinAge.
+ *
+ * @param maxAge attribute stored as 'pwdMaxAge' in 'pwdPolicy' object class.
+ */
+ public void setMaxAge(Long maxAge)
+ {
+ this.maxAge = maxAge;
+ }
+
+ /**
+ * This optional attribute specifies the maximum number of used passwords stored
+ * in the pwdHistory attribute.
+ * If this attribute is not present, or if the value is 0, used
+ * passwords are not stored in the pwdInHistory attribute and thus may be
+ * reused.
+ *
+ * @return attribute stored as 'pwdInHistory' in 'pwdPolicy' object class.
+ */
+ public Short getInHistory()
+ {
+ return this.inHistory;
+ }
+
+ /**
+ * This optional attribute specifies the maximum number of used passwords stored
+ * in the pwdHistory attribute.
+ * If this attribute is not present, or if the value is 0, used
+ * passwords are not stored in the pwdInHistory attribute and thus may be
+ * reused.
+ *
+ * @param inHistory attribute stored as 'pwdInHistory' in 'pwdPolicy' object class.
+ */
+ public void setInHistory(Short inHistory)
+ {
+ this.inHistory = inHistory;
+ }
+
+ /**
+ * This optional attribute is not currently supported by Fortress.
+ * This attribute indicates how the password quality will be verified
+ * while being modified or added. If this attribute is not present, or
+ * if the value is '0', quality checking will not be enforced. A value
+ * of '1' indicates that the server will check the quality, and if the
+ * server is unable to check it (due to a hashed password or other
+ * reasons) it will be accepted. A value of '2' indicates that the
+ * server will check the quality, and if the server is unable to verify
+ * it, it will return an error refusing the password.
+ *
+ * @return attribute stored as 'pwdCheckQuality' in 'pwdPolicy' object class.
+ */
+ public Short getCheckQuality()
+ {
+ return this.checkQuality;
+ }
+
+ /**
+ * This optional attribute is not currently supported by Fortress.
+ * This attribute indicates how the password quality will be verified
+ * while being modified or added. If this attribute is not present, or
+ * if the value is '0', quality checking will not be enforced. A value
+ * of '1' indicates that the server will check the quality, and if the
+ * server is unable to check it (due to a hashed password or other
+ * reasons) it will be accepted. A value of '2' indicates that the
+ * server will check the quality, and if the server is unable to verify
+ * it, it will return an error refusing the password.
+ *
+ * @param checkQuality attribute stored as 'pwdCheckQuality' in 'pwdPolicy' object class.
+ */
+ public void setCheckQuality(Short checkQuality)
+ {
+ this.checkQuality = checkQuality;
+ }
+
+ /**
+ * When quality checking is enabled, this optional attribute holds the minimum
+ * number of characters that must be used in a password. If this
+ * attribute is not present, no minimum password length will be
+ * enforced. If the server is unable to check the length (due to a
+ * hashed password or otherwise), the server will, depending on the
+ * value of the pwdCheckQuality attribute, either accept the password
+ * without checking it ('0' or '1') or refuse it ('2').
+ *
+ * @return attribute stored as 'pwdMinLength' in 'pwdPolicy' object class.
+ */
+ public Short getMinLength()
+ {
+ return this.minLength;
+ }
+
+ /**
+ * When quality checking is enabled, this optional attribute holds the minimum
+ * number of characters that must be used in a password. If this
+ * attribute is not present, no minimum password length will be
+ * enforced. If the server is unable to check the length (due to a
+ * hashed password or otherwise), the server will, depending on the
+ * value of the pwdCheckQuality attribute, either accept the password
+ * without checking it ('0' or '1') or refuse it ('2').
+ *
+ * @param minLength attribute stored as 'pwdMinLength' in 'pwdPolicy' object class.
+ */
+ public void setMinLength(Short minLength)
+ {
+ this.minLength = minLength;
+ }
+
+ /**
+ * This optional attribute specifies the maximum number of seconds before a
+ * password is due to expire that expiration warning messages will be
+ * returned to an authenticating user.
+ * If this attribute is not present, or if the value is 0 no warnings
+ * will be returned. If not 0, the value must be smaller than the value
+ * of the pwdMaxAge attribute.
+ *
+ * @return attribute stored as 'pwdExpireWarning' in 'pwdPolicy' object class.
+ */
+ public Long getExpireWarning()
+ {
+ return this.expireWarning;
+ }
+
+ /**
+ * This optional attribute specifies the maximum number of seconds before a
+ * password is due to expire that expiration warning messages will be
+ * returned to an authenticating user.
+ * If this attribute is not present, or if the value is 0 no warnings
+ * will be returned. If not 0, the value must be smaller than the value
+ * of the pwdMaxAge attribute.
+ *
+ * @param expireWarning attribute stored as 'pwdExpireWarning' in 'pwdPolicy' object class.
+ */
+ public void setExpireWarning(Long expireWarning)
+ {
+ this.expireWarning = expireWarning;
+ }
+
+ /**
+ * This optional attribute specifies the number of times an expired password can
+ * be used to authenticate. If this attribute is not present or if the
+ * value is 0, authentication will fail.
+ *
+ * @return attribute stored as 'pwdGraceAuthNLimit' in 'pwdPolicy' object class.
+ */
+ public Short getGraceLoginLimit()
+ {
+ return this.graceLoginLimit;
+ }
+
+ /**
+ * This optional attribute specifies the number of times an expired password can
+ * be used to authenticate. If this attribute is not present or if the
+ * value is 0, authentication will fail.
+ *
+ * @param graceLoginLimit attribute stored as 'pwdGraceAuthNLimit' in 'pwdPolicy' object class.
+ */
+ public void setGraceLoginLimit(Short graceLoginLimit)
+ {
+ this.graceLoginLimit = graceLoginLimit;
+ }
+
+ /**
+ * This optional attribute indicates, when its value is "TRUE", that the password
+ * may not be used to authenticate after a specified number of
+ * consecutive failed bind attempts. The maximum number of consecutive
+ * failed bind attempts is specified in pwdMaxFailure.
+ * If this attribute is not present, or if the value is "FALSE", the
+ * password may be used to authenticate when the number of failed bind
+ * attempts has been reached.
+ *
+ * @return attribute stored as 'pwdLockout' in 'pwdPolicy' object class.
+ */
+ public Boolean getLockout()
+ {
+ return this.lockout;
+ }
+
+ /**
+ * This optional attribute indicates, when its value is "TRUE", that the password
+ * may not be used to authenticate after a specified number of
+ * consecutive failed bind attempts. The maximum number of consecutive
+ * failed bind attempts is specified in pwdMaxFailure.
+ * If this attribute is not present, or if the value is "FALSE", the
+ * password may be used to authenticate when the number of failed bind
+ * attempts has been reached.
+ *
+ * @param lockout attribute stored as 'pwdLockout' in 'pwdPolicy' object class.
+ */
+ public void setLockout(Boolean lockout)
+ {
+ this.lockout = lockout;
+ }
+
+ /**
+ * This optional attribute holds the number of seconds that the password cannot
+ * be used to authenticate due to too many failed bind attempts. If
+ * this attribute is not present, or if the value is 0 the password
+ * cannot be used to authenticate until reset by a password
+ * administrator.
+ *
+ * @return attribute stored as 'pwdLockoutDuration' in 'pwdPolicy' object class.
+ */
+ public Integer getLockoutDuration()
+ {
+ return this.lockoutDuration;
+ }
+
+ /**
+ * This optional attribute holds the number of seconds that the password cannot
+ * be used to authenticate due to too many failed bind attempts. If
+ * this attribute is not present, or if the value is 0 the password
+ * cannot be used to authenticate until reset by a password
+ * administrator.
+ *
+ * @param lockoutDuration attribute stored as 'pwdLockoutDuration' in 'pwdPolicy' object class.
+ */
+ public void setLockoutDuration(Integer lockoutDuration)
+ {
+ this.lockoutDuration = lockoutDuration;
+ }
+
+ /**
+ * This optional attribute specifies the number of consecutive failed bind
+ * attempts after which the password may not be used to authenticate.
+ * If this attribute is not present, or if the value is 0, this policy
+ * is not checked, and the value of pwdLockout will be ignored.
+ *
+ * @return attribute stored as 'pwdMaxFailure' in 'pwdPolicy' object class.
+ */
+ public Short getMaxFailure()
+ {
+ return this.maxFailure;
+ }
+
+ /**
+ * This optional attribute specifies the number of consecutive failed bind
+ * attempts after which the password may not be used to authenticate.
+ * If this attribute is not present, or if the value is 0, this policy
+ * is not checked, and the value of pwdLockout will be ignored.
+ *
+ * @param maxFailure attribute stored as 'pwdMaxFailure' in 'pwdPolicy' object class.
+ */
+ public void setMaxFailure(Short maxFailure)
+ {
+ this.maxFailure = maxFailure;
+ }
+
+ /**
+ * This optional attribute holds the number of seconds after which the password
+ * failures are purged from the failure counter, even though no
+ * successful authentication occurred.
+ * If this attribute is not present, or if its value is 0, the failure
+ * counter is only reset by a successful authentication.
+ *
+ * @return attribute stored as 'pwdFailureCountInterval' in 'pwdPolicy' object class.
+ */
+ public Short getFailureCountInterval()
+ {
+ return this.failureCountInterval;
+ }
+
+ /**
+ * This optional attribute holds the number of seconds after which the password
+ * failures are purged from the failure counter, even though no
+ * successful authentication occurred.
+ * If this attribute is not present, or if its value is 0, the failure
+ * counter is only reset by a successful authentication.
+ *
+ * @param failureCountInterval attribute stored as 'pwdFailureCountInterval' in 'pwdPolicy' object class.
+ */
+ public void setFailureCountInterval(Short failureCountInterval)
+ {
+ this.failureCountInterval = failureCountInterval;
+ }
+
+ /**
+ * This optional attribute specifies with a value of "TRUE" that users must
+ * change their passwords when they first bind to the directory after a
+ * password is set or reset by a password administrator. If this
+ * attribute is not present, or if the value is "FALSE", users are not
+ * required to change their password upon binding after the password
+ * administrator sets or resets the password. This attribute is not set
+ * due to any actions specified by this document, it is typically set by
+ * a password administrator after resetting a user's password.
+ *
+ * @return attribute stored as 'pwdMustChange' in 'pwdPolicy' object class.
+ */
+ public Boolean getMustChange()
+ {
+ return this.mustChange;
+ }
+
+ /**
+ * This optional attribute specifies with a value of "TRUE" that users must
+ * change their passwords when they first bind to the directory after a
+ * password is set or reset by a password administrator. If this
+ * attribute is not present, or if the value is "FALSE", users are not
+ * required to change their password upon binding after the password
+ * administrator sets or resets the password. This attribute is not set
+ * due to any actions specified by this document, it is typically set by
+ * a password administrator after resetting a user's password.
+ *
+ * @param mustChange attribute stored as 'pwdMustChange' in 'pwdPolicy' object class.
+ */
+ public void setMustChange(Boolean mustChange)
+ {
+ this.mustChange = mustChange;
+ }
+
+ /**
+ * This optional attribute indicates whether users can change their own
+ * passwords, although the change operation is still subject to access
+ * control. If this attribute is not present, a value of "TRUE" is
+ * assumed. This attribute is intended to be used in the absence of an
+ * access control mechanism.
+ *
+ * @return attribute stored as 'pwdAllowUserChange' in 'pwdPolicy' object class.
+ */
+ public Boolean getAllowUserChange()
+ {
+ return this.allowUserChange;
+ }
+
+ /**
+ * This optional attribute indicates whether users can change their own
+ * passwords, although the change operation is still subject to access
+ * control. If this attribute is not present, a value of "TRUE" is
+ * assumed. This attribute is intended to be used in the absence of an
+ * access control mechanism.
+ *
+ * @param allowUserChange attribute stored as 'pwdAllowUserChange' in 'pwdPolicy' object class.
+ */
+ public void setAllowUserChange(Boolean allowUserChange)
+ {
+ this.allowUserChange = allowUserChange;
+ }
+
+ /**
+ * This optional attribute specifies whether or not the existing password must be
+ * sent along with the new password when being changed. If this
+ * attribute is not present, a "FALSE" value is assumed.
+ *
+ * @return attribute stored as 'pwdSafeModify' in 'pwdPolicy' object class.
+ */
+ public Boolean getSafeModify()
+ {
+ return this.safeModify;
+ }
+
+ /**
+ * This optional attribute specifies whether or not the existing password must be
+ * sent along with the new password when being changed. If this
+ * attribute is not present, a "FALSE" value is assumed.
+ *
+ * @param safeModify attribute stored as 'pwdSafeModify' in 'pwdPolicy' object class.
+ */
+ public void setSafeModify(Boolean safeModify)
+ {
+ this.safeModify = safeModify;
+ }
+
+ /**
+ * Matches the name from two PwPolicy entities.
+ *
+ * @param thatObj contains a Role entity.
+ * @return boolean indicating both objects contain matching PwPolicy names.
+ */
+ public boolean equals(Object thatObj)
+ {
+ if (this == thatObj) return true;
+ if (this.getName() == null) return false;
+ if (!(thatObj instanceof PwPolicy)) return false;
+ PwPolicy thatPolicy = (PwPolicy) thatObj;
+ if (thatPolicy.getName() == null) return false;
+ return thatPolicy.getName().equalsIgnoreCase(this.getName());
+ }
+}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/apache/directory/fortress/core/rbac/PwPolicyControl.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/PwPolicyControl.java b/src/main/java/org/apache/directory/fortress/core/rbac/PwPolicyControl.java
new file mode 100755
index 0000000..8cc7c51
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/PwPolicyControl.java
@@ -0,0 +1,41 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.directory.fortress.core.rbac;
+
+
+import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPControl;
+
+
+/**
+ * Interface is used to allow pluggable password policy interrogation.
+ *
+ * @author Shawn McKinney
+ */
+public interface PwPolicyControl
+{
+ /**
+ * Check the password policy controls returned from server and sets the PwMessage with what it finds.
+ *
+ * @param controls ldap controls object.
+ * @param isAuthenticated set to 'true' if password checks pass.
+ * @param pwMsg describes the outcome of the policy checks.
+ */
+ public void checkPasswordPolicy( LDAPControl[] controls, boolean isAuthenticated, PwMessage pwMsg );
+}
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/apache/directory/fortress/core/rbac/PwPolicyMgrImpl.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/PwPolicyMgrImpl.java b/src/main/java/org/apache/directory/fortress/core/rbac/PwPolicyMgrImpl.java
new file mode 100755
index 0000000..1a9ca3e
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/PwPolicyMgrImpl.java
@@ -0,0 +1,375 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.directory.fortress.core.rbac;
+
+import org.apache.directory.fortress.core.GlobalErrIds;
+import org.apache.directory.fortress.core.PwPolicyMgr;
+import org.apache.directory.fortress.core.SecurityException;
+import org.apache.directory.fortress.core.util.attr.VUtil;
+
+import java.util.List;
+
+/**
+ * This class is used to perform administrative and review functions on the PWPOLICIES and USERS data sets.
+ * <p/>
+ * <h4>Password Policies</h4>
+ * <a href="http://www.openldap.org/">OpenLDAP</a> supports the IETF draft <a href="http://tools.ietf.org/html/draft-behera-ldap-password-policy-10/">Password Policies for LDAP directories</a></li>. Policies may be applied at the user, group or global level.
+ * <p/>
+ * <img src="../doc-files/PasswordPolicy.png">
+ * <p/>
+ * Password enforcement options include:
+ * <ol>
+ * <li>A configurable limit on failed authentication attempts.</li>
+ * <li>A counter to track the number of failed authentication attempts.</li>
+ * <li>A time frame in which the limit of consecutive failed authentication attempts must happen before action is taken.</li>
+ * <li>The action to be taken when the limit is reached. The action will either be nothing, or the account will be locked.</li>
+ * <li>An amount of time the account is locked (if it is to be locked) This can be indefinite.</li>
+ * <li>Password expiration.</li>
+ * <li>Expiration warning</li>
+ * <li>Grace authentications</li>
+ * <li>Password history</li>
+ * <li>Password minimum age</li>
+ * <li>Password minimum length</li>
+ * <li>Password Change after Reset</li>
+ * <li>Safe Modification of Password</li>
+ * </ol>
+ * <p/>
+ * This class is NOT thread safe if parent instance variables ({@link #contextId} or {@link #adminSess}) are set.
+ *
+ * @author Shawn McKinney
+ */
+public class PwPolicyMgrImpl extends Manageable implements PwPolicyMgr
+{
+ private static final String CLS_NM = PwPolicyMgrImpl.class.getName();
+ private static final PolicyP policyP = new PolicyP();
+ private static final UserP userP = new UserP();
+
+ // package private constructor ensures outside classes cannot use:
+ PwPolicyMgrImpl()
+ {}
+
+ /**
+ * This method will add a new policy entry to the POLICIES data set. This command is valid
+ * if and only if the policy entry is not already present in the POLICIES data set.
+ * <h4>required parameters</h4>
+ * <ul>
+ * <li>{@link org.apache.directory.fortress.core.rbac.PwPolicy#name} - Maps to name attribute of pwdPolicy object class being added.</li>
+ * </ul>
+ * <h4>optional parameters</h4>
+ * <ul>
+ * <li>{@link org.apache.directory.fortress.core.rbac.PwPolicy#minAge} - This attribute holds the number of seconds that must elapse between
+ * modifications to the password. If this attribute is not present, 0
+ * seconds is assumed.</li>
+ * <li>{@link org.apache.directory.fortress.core.rbac.PwPolicy#maxAge} - This attribute holds the number of seconds after which a modified
+ * password will expire. If this attribute is not present, or if the value is 0 the password
+ * does not expire. If not 0, the value must be greater than or equal
+ * to the value of the pwdMinAge.
+ * </li>
+ * <li>{@link org.apache.directory.fortress.core.rbac.PwPolicy#inHistory} - This attribute specifies the maximum number of used passwords stored
+ * in the pwdHistory attribute. If this attribute is not present, or if the value is 0, used
+ * passwords are not stored in the pwdHistory attribute and thus may be reused.</li>
+ * <li>{@link org.apache.directory.fortress.core.rbac.PwPolicy#minLength} - When quality checking is enabled, this attribute holds the minimum
+ * number of characters that must be used in a password. If this
+ * attribute is not present, no minimum password length will be
+ * enforced. If the server is unable to check the length (due to a
+ * hashed password or otherwise), the server will, depending on the
+ * value of the pwdCheckQuality attribute, either accept the password
+ * without checking it ('0' or '1') or refuse it ('2').</li>
+ * <li>{@link org.apache.directory.fortress.core.rbac.PwPolicy#expireWarning} - This attribute specifies the maximum number of seconds before a
+ * password is due to expire that expiration warning messages will be
+ * returned to an authenticating user. If this attribute is not present, or if the value is 0 no warnings
+ * will be returned. If not 0, the value must be smaller than the value
+ * of the pwdMaxAge attribute.</li>
+ * <li>{@link org.apache.directory.fortress.core.rbac.PwPolicy#graceLoginLimit} - This attribute specifies the number of times an expired password can
+ * be used to authenticate. If this attribute is not present or if the
+ * value is 0, authentication will fail. </li>
+ * <li>{@link org.apache.directory.fortress.core.rbac.PwPolicy#lockout} - This attribute indicates, when its value is "TRUE", that the password
+ * may not be used to authenticate after a specified number of
+ * consecutive failed bind attempts. The maximum number of consecutive
+ * failed bind attempts is specified in pwdMaxFailure. If this attribute is not present, or if the
+ * value is "FALSE", the password may be used to authenticate when the number of failed bind
+ * attempts has been reached.</li>
+ * <li>{@link org.apache.directory.fortress.core.rbac.PwPolicy#lockoutDuration} - This attribute holds the number of seconds that the password cannot
+ * be used to authenticate due to too many failed bind attempts. If
+ * this attribute is not present, or if the value is 0 the password
+ * cannot be used to authenticate until reset by a password
+ * administrator.</li>
+ * <li>{@link org.apache.directory.fortress.core.rbac.PwPolicy#maxFailure} - This attribute specifies the number of consecutive failed bind
+ * attempts after which the password may not be used to authenticate.
+ * If this attribute is not present, or if the value is 0, this policy
+ * is not checked, and the value of pwdLockout will be ignored.</li>
+ * <li>{@link org.apache.directory.fortress.core.rbac.PwPolicy#failureCountInterval} - This attribute holds the number of seconds after which the password
+ * failures are purged from the failure counter, even though no
+ * successful authentication occurred. If this attribute is not present, or if its value is 0, the failure
+ * counter is only reset by a successful authentication.</li>
+ * <li>{@link org.apache.directory.fortress.core.rbac.PwPolicy#mustChange} - This attribute specifies with a value of "TRUE" that users must
+ * change their passwords when they first bind to the directory after a
+ * password is set or reset by a password administrator. If this
+ * attribute is not present, or if the value is "FALSE", users are not
+ * required to change their password upon binding after the password
+ * administrator sets or resets the password. This attribute is not set
+ * due to any actions specified by this document, it is typically set by
+ * a password administrator after resetting a user's password.</li>
+ * <li>{@link org.apache.directory.fortress.core.rbac.PwPolicy#allowUserChange} - This attribute indicates whether users can change their own
+ * passwords, although the change operation is still subject to access
+ * control. If this attribute is not present, a value of "TRUE" is
+ * assumed. This attribute is intended to be used in the absence of an access control mechanism.</li>
+ * <li>{@link org.apache.directory.fortress.core.rbac.PwPolicy#safeModify} - This attribute specifies whether or not the existing password must be
+ * sent along with the new password when being changed. If this
+ * attribute is not present, a "FALSE" value is assumed.</li>
+ * <li>{@link org.apache.directory.fortress.core.rbac.PwPolicy#checkQuality} - This attribute indicates how the password quality will be verified
+ * while being modified or added. If this attribute is not present, or
+ * if the value is '0', quality checking will not be enforced. A value
+ * of '1' indicates that the server will check the quality, and if the
+ * server is unable to check it (due to a hashed password or other
+ * reasons) it will be accepted. A value of '2' indicates that the
+ * server will check the quality, and if the server is unable to verify
+ * it, it will return an error refusing the password. </li>
+ * <li>{@link org.apache.directory.fortress.core.rbac.PwPolicy#attribute} - This holds the name of the attribute to which the password policy is
+ * applied. For example, the password policy may be applied to the
+ * userPassword attribute </li>
+ * </ul>
+ *
+ * @param policy Object must contain {@link org.apache.directory.fortress.core.rbac.PwPolicy#name} and optionally other attributes.
+ * @throws SecurityException In the event of data validation or system error.
+ */
+ @Override
+ public void add(PwPolicy policy)
+ throws SecurityException
+ {
+ String methodName = "add";
+ assertContext(CLS_NM, methodName, policy, GlobalErrIds.PSWD_PLCY_NULL);
+ setEntitySession(CLS_NM, methodName, policy);
+ policyP.add(policy);
+ }
+
+
+ /**
+ * This method will update an exiting policy entry to the POLICIES data set. This command is valid
+ * if and only if the policy entry is already present in the POLICIES data set.
+ * <h4>required parameters</h4>
+ * <ul>
+ * <li>{@link PwPolicy#name} - Maps to name attribute of pwdPolicy object class being updated.</li>
+ * </ul>
+ * <h4>optional parameters</h4>
+ * <ul>
+ * <li>{@link PwPolicy#minAge} - This attribute holds the number of seconds that must elapse between
+ * modifications to the password. If this attribute is not present, 0
+ * seconds is assumed.</li>
+ * <li>{@link PwPolicy#maxAge} - This attribute holds the number of seconds after which a modified
+ * password will expire. If this attribute is not present, or if the value is 0 the password
+ * does not expire. If not 0, the value must be greater than or equal
+ * to the value of the pwdMinAge.
+ * </li>
+ * <li>{@link PwPolicy#inHistory} - This attribute specifies the maximum number of used passwords stored
+ * in the pwdHistory attribute. If this attribute is not present, or if the value is 0, used
+ * passwords are not stored in the pwdHistory attribute and thus may be reused.</li>
+ * <li>{@link PwPolicy#minLength} - When quality checking is enabled, this attribute holds the minimum
+ * number of characters that must be used in a password. If this
+ * attribute is not present, no minimum password length will be
+ * enforced. If the server is unable to check the length (due to a
+ * hashed password or otherwise), the server will, depending on the
+ * value of the pwdCheckQuality attribute, either accept the password
+ * without checking it ('0' or '1') or refuse it ('2').</li>
+ * <li>{@link PwPolicy#expireWarning} - This attribute specifies the maximum number of seconds before a
+ * password is due to expire that expiration warning messages will be
+ * returned to an authenticating user. If this attribute is not present, or if the value is 0 no warnings
+ * will be returned. If not 0, the value must be smaller than the value
+ * of the pwdMaxAge attribute.</li>
+ * <li>{@link PwPolicy#graceLoginLimit} - This attribute specifies the number of times an expired password can
+ * be used to authenticate. If this attribute is not present or if the
+ * value is 0, authentication will fail. </li>
+ * <li>{@link PwPolicy#lockout} - This attribute indicates, when its value is "TRUE", that the password
+ * may not be used to authenticate after a specified number of
+ * consecutive failed bind attempts. The maximum number of consecutive
+ * failed bind attempts is specified in pwdMaxFailure. If this attribute is not present, or if the
+ * value is "FALSE", the password may be used to authenticate when the number of failed bind
+ * attempts has been reached.</li>
+ * <li>{@link PwPolicy#lockoutDuration} - This attribute holds the number of seconds that the password cannot
+ * be used to authenticate due to too many failed bind attempts. If
+ * this attribute is not present, or if the value is 0 the password
+ * cannot be used to authenticate until reset by a password
+ * administrator.</li>
+ * <li>{@link PwPolicy#maxFailure} - This attribute specifies the number of consecutive failed bind
+ * attempts after which the password may not be used to authenticate.
+ * If this attribute is not present, or if the value is 0, this policy
+ * is not checked, and the value of pwdLockout will be ignored.</li>
+ * <li>{@link PwPolicy#failureCountInterval} - This attribute holds the number of seconds after which the password
+ * failures are purged from the failure counter, even though no
+ * successful authentication occurred. If this attribute is not present, or if its value is 0, the failure
+ * counter is only reset by a successful authentication.</li>
+ * <li>{@link PwPolicy#mustChange} - This attribute specifies with a value of "TRUE" that users must
+ * change their passwords when they first bind to the directory after a
+ * password is set or reset by a password administrator. If this
+ * attribute is not present, or if the value is "FALSE", users are not
+ * required to change their password upon binding after the password
+ * administrator sets or resets the password. This attribute is not set
+ * due to any actions specified by this document, it is typically set by
+ * a password administrator after resetting a user's password.</li>
+ * <li>{@link PwPolicy#allowUserChange} - This attribute indicates whether users can change their own
+ * passwords, although the change operation is still subject to access
+ * control. If this attribute is not present, a value of "TRUE" is
+ * assumed. This attribute is intended to be used in the absence of an access control mechanism.</li>
+ * <li>{@link PwPolicy#safeModify} - This attribute specifies whether or not the existing password must be
+ * sent along with the new password when being changed. If this
+ * attribute is not present, a "FALSE" value is assumed.</li>
+ * <li>{@link PwPolicy#checkQuality} - This attribute indicates how the password quality will be verified
+ * while being modified or added. If this attribute is not present, or
+ * if the value is '0', quality checking will not be enforced. A value
+ * of '1' indicates that the server will check the quality, and if the
+ * server is unable to check it (due to a hashed password or other
+ * reasons) it will be accepted. A value of '2' indicates that the
+ * server will check the quality, and if the server is unable to verify
+ * it, it will return an error refusing the password. </li>
+ * <li>{@link PwPolicy#attribute} - This holds the name of the attribute to which the password policy is
+ * applied. For example, the password policy may be applied to the
+ * userPassword attribute </li>
+ * </ul>
+ *
+ * @param policy Object must contain {@link PwPolicy#name} and optionally all non-null attributes will be updated. null attributes will be ignored.
+ * @throws SecurityException In the event policy not found , data validation or system error.
+ */
+ @Override
+ public void update(PwPolicy policy)
+ throws SecurityException
+ {
+ String methodName = "update";
+ assertContext(CLS_NM, methodName, policy, GlobalErrIds.PSWD_PLCY_NULL);
+ setEntitySession(CLS_NM, methodName, policy);
+ policyP.update(policy);
+ }
+
+
+ /**
+ * This method will delete exiting policy entry from the POLICIES data set. This command is valid
+ * if and only if the policy entry is already present in the POLICIES data set. Existing users that
+ * are assigned this policy will be removed from association.
+ * <h4>required parameters</h4>
+ * <ul>
+ * <li>{@link PwPolicy#name} - Maps to name attribute of pwdPolicy object class being removed.</li>
+ * </ul>
+ *
+ * @param policy Object must contain {@link PwPolicy#name} of the policy entity to remove.
+ * @throws org.apache.directory.fortress.core.SecurityException In the event policy entity not found or system error.
+ */
+ @Override
+ public void delete(PwPolicy policy)
+ throws SecurityException
+ {
+ String methodName = "delete";
+ assertContext(CLS_NM, methodName, policy, GlobalErrIds.PSWD_PLCY_NULL);
+ policy.setAdminSession(adminSess);
+ setEntitySession(CLS_NM, methodName, policy);
+ policyP.delete(policy);
+ }
+
+
+ /**
+ * This method will return the password policy entity to the caller. This command is valid
+ * if and only if the policy entry is present in the POLICIES data set.
+ * <h4>required parameters</h4>
+ * <ul>
+ * <li>{@link PwPolicy#name} - Maps to name attribute of pwdPolicy object class being read.</li>
+ * </ul>
+ *
+ * @return PswdPolicy entity returns fully populated with attributes.
+ * @return PswdPolicy entity returns fully populated with attributes.
+ * @throws SecurityException In the event policy entry not found, data validation or system error.
+ */
+ @Override
+ public PwPolicy read(String name)
+ throws SecurityException
+ {
+ String methodName = "read";
+ VUtil.assertNotNullOrEmpty(name, GlobalErrIds.PSWD_NAME_NULL, CLS_NM + "." + methodName);
+ checkAccess(CLS_NM, methodName);
+ PwPolicy policy = new PwPolicy(name);
+ policy.setContextId(this.contextId);
+ return policyP.read(policy);
+ }
+
+
+ /**
+ * This method will return a list of all password policy entities that match a particular search string.
+ * This command will return an empty list of no matching entries are found.
+ *
+ * @param searchVal String contains the leading chars of a policy entity. This search is not case sensitive.
+ * @return List<PswdPolicy> contains all matching password policy entities. If no records found this will be empty.
+ * @throws SecurityException In the event of data validation or system error.
+ */
+ @Override
+ public List<PwPolicy> search(String searchVal)
+ throws SecurityException
+ {
+ String methodName = "search";
+ VUtil.assertNotNull(searchVal, GlobalErrIds.PSWD_NAME_NULL, CLS_NM + "." + methodName);
+ checkAccess(CLS_NM, methodName);
+ PwPolicy policy = new PwPolicy(searchVal);
+ policy.setContextId(this.contextId);
+ return policyP.search(policy);
+ }
+
+
+ /**
+ * This method will associate a user entity with a password policy entity. This function is valid
+ * if and only if the user is a member of the USERS data set and the policyName refers to a
+ * policy that is a member of the PWPOLICIES data set.
+ *
+ * @param userId Contains {@link org.apache.directory.fortress.core.rbac.User#userId} of a User entity in USERS data set.
+ * @param policyName String contains the {@link PwPolicy#name} of a pw policy entity contained within the PWPOLICIES data set.
+ * @throws SecurityException thrown in the event either user or policy not valid or system error.
+ */
+ @Override
+ public void updateUserPolicy(String userId, String policyName)
+ throws SecurityException
+ {
+ String methodName = "updateUserPolicy";
+ VUtil.assertNotNullOrEmpty(userId, GlobalErrIds.USER_NULL, CLS_NM + "." + methodName);
+ VUtil.assertNotNullOrEmpty(policyName, GlobalErrIds.PSWD_NAME_NULL, CLS_NM + "." + methodName);
+ User user = new User(userId);
+ user.setPwPolicy(policyName);
+ user.setAdminSession(adminSess);
+ setEntitySession(CLS_NM, methodName, user);
+ userP.update(user);
+ }
+
+
+ /**
+ * This method will remove the pw policy assignment from a user entity. This function is valid
+ * if and only if the user is a member of the USERS data set and the policy attribute is assigned.
+ * Removal of pw policy assignment will revert the user's policy to use the global default for OpenLDAP
+ * instance that contains user.
+ *
+ * @param userId Contains {@link User#userId} of a User entity in USERS data set.
+ * @throws SecurityException Thrown in the event either user not valid or system error.
+ */
+ @Override
+ public void deletePasswordPolicy(String userId)
+ throws SecurityException
+ {
+ String methodName = "deletePasswordPolicy";
+ VUtil.assertNotNullOrEmpty(userId, GlobalErrIds.USER_NULL, CLS_NM + "." + methodName);
+ User user = new User(userId);
+ user.setAdminSession(adminSess);
+ setEntitySession(CLS_NM, methodName, user);
+ userP.deletePwPolicy(user);
+ }
+}
+
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/apache/directory/fortress/core/rbac/Relationship.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/Relationship.java b/src/main/java/org/apache/directory/fortress/core/rbac/Relationship.java
new file mode 100755
index 0000000..4849458
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/Relationship.java
@@ -0,0 +1,133 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.directory.fortress.core.rbac;
+
+import java.lang.String;
+
+/**
+ * Contains a parent child data entity that is used for hierarchical processing. This entity is used to construct edges in graphs.
+ * <p/>
+
+ *
+ * @author Shawn McKinney
+ */
+public class Relationship
+ implements java.io.Serializable
+{
+ private String child;
+ private String parent;
+
+ /**
+ * No argument constructor is necessary for Ant admin utility
+ *
+ */
+ public Relationship()
+ {
+ }
+ /**
+ * Construct a new relationship given a child and parent name.
+ *
+ * @param child contains the name of child.
+ * @param parent contains the name of parent.
+ */
+ public Relationship(String child, String parent)
+ {
+ this.child = child;
+ this.parent = parent;
+ }
+
+ /**
+ * Return the child name.
+ *
+ * @return name of child.
+ */
+ public String getChild()
+ {
+ return child;
+ }
+
+ /**
+ * Set the child name.
+ *
+ * @param child contains the name of child.
+ */
+ public void setChild(String child)
+ {
+ this.child = child;
+ }
+
+ /**
+ * Return the parent name.
+ *
+ * @return name of parent.
+ */
+ public String getParent()
+ {
+ return parent;
+ }
+
+ /**
+ * Set the parent name.
+ *
+ * @param parent contains the name of parent.
+ */
+ public void setParent(String parent)
+ {
+ this.parent = parent;
+ }
+
+ /**
+ * Compute the hashcode on the parent and child values. This is used for list processing.
+ *
+ * @return hashcode that includes parent concatenated with child.
+ */
+ public final int hashCode()
+ {
+ return child.hashCode() + parent.hashCode();
+ }
+
+ /**
+ * Matches the parent and child values from two Relationship entities.
+ *
+ * @param thatObj contains a Relationship entity.
+ * @return boolean indicating both objects contain matching parent and child names.
+ */
+ public boolean equals(Object thatObj)
+ {
+ if (this == thatObj)
+ {
+ return true;
+ }
+ if (this.getChild() == null || this.getParent() == null)
+ {
+ return false;
+ }
+ if (!(thatObj instanceof Relationship))
+ {
+ return false;
+ }
+ Relationship thatKey = (Relationship) thatObj;
+ if (thatKey.getChild() == null || thatKey.getParent() == null)
+ {
+ return false;
+ }
+ return ((thatKey.getChild().equalsIgnoreCase(this.getChild()) && thatKey.getParent().equalsIgnoreCase(this.getParent())));
+ }
+}