nl.b3p.viewer.config.security

Class Authorizations

java.lang.Object

nl.b3p.viewer.config.security.Authorizations

public class Authorizations
extends Object

Utility class for authorization checking. Because of the inheritence of authorizations in tree structures, caches are used for efficient authorization checks.

There are authorizations on these objects:

Geo services registry:

• Categories: currently disabled, not accessible via user interface
• Layers of GeoServices: with inheritence, read/write authorizations

Application:

• Levels: with inheritence, read authorization only
• ApplicationLayers of Levels: inherits from Level and the referenced Layer, read/write authorizations
• ConfiguredComponents

Authorizations are based on role names which are Group names.

Inheritence and authorization rules:

1. The empty set of authorized role names (EVERYBODY) means everybody is authorized.
2. A non-empty set which is not equal to NOBODY means only users who are members of the named Groups in the set are authorized
3. NOBODY is the set containing a single value which is null.
4. Inheritence processing starts at the root with everybody authorized.
5. When inheriting authorizations, the set of authorized roles can only be reduced and not expanded. When a parent is authorized for roles A and B and the set of authorized roles for a child is B and C, only B is authorized. When the child is only authorized for role C, nobody will be authorized for the child.
6. Because of the default access for everybody, denying editing for example is done by only authorizing write access to a group which has no members.

Caching

• Layer authorizations are cached and invalidated when authorizations are changed for a GeoService by updating the GeoService.authorizationsModified timestamp.
• Level and ApplicationLayer authorizations are cached and invalidated when authorizations on a Level or ApplicationLayer are changed by updating the Application.authorizationsModified timestamp.
• Because ApplicationLayer authorizations inherit from Layer authorizations, Application caches are invalidated when any authorization on a Layer changes.

Although when authorizations are changed for an object only the cached object and its inheriting objects could be refreshed in the cache, the entire set of cached Layers of a GeoService or cached Levels and ApplicationLayers of an Application are invalidated because:

1. The viewer-admin webapp is isolated from the viewer webapp so it cannot access its application-scope cache without extra cross-webapp communication.
2. The viewer-admin webapp communicates with the viewer webapp to refresh its cache by updating the above mentioned authorizationChanged database columns.
3. The cache for an Application is invalidated when the maximum authorization changed date (for all GeoServices) column is later than the Application authorization changed date.
4. These database columns are the simplest method to refresh the cache, and no partial updates are required to maintain performance because authorizations are modified infrequently.
5. Applying inherited authorizations is optimized by loading a tree in a single query using hierarchical queries.

Group membership for a User is not cached and read from the database for the first authorization check in a Transaction. So authorization changes by an administrator should always be directly applied except authorization checks which use HttpServletRequest.isUserInRole(), which is cached by the servlet container. Currently only viewer-admin checks roles this way.

Author:

Matthijs Laan

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	Authorizations.AppConfiguredComponentsReadersCache
static class	Authorizations.ApplicationCache
static class	Authorizations.GeoServiceCache
static class	Authorizations.Read
static class	Authorizations.ReadWrite

Field Summary

Fields

Modifier and Type	Field and Description
static Set<String>	EVERYBODY The empty set of role names which mean everybody has access.
static Set<String>	NOBODY The set of role names which mean nobody has access; a set which only contains null.
static Map<Long,Authorizations.GeoServiceCache>	serviceCache Map of protected Layers per GeoService.

Constructor Summary

Constructors

Constructor and Description
Authorizations()

Method Summary

Modifier and Type	Method and Description
static void	checkAppLayerReadAuthorized(Application app, ApplicationLayer al, javax.servlet.http.HttpServletRequest request, javax.persistence.EntityManager em)
static void	checkAppLayerWriteAuthorized(Application app, ApplicationLayer al, javax.servlet.http.HttpServletRequest request, javax.persistence.EntityManager em)
static void	checkConfiguredComponentAuthorized(ConfiguredComponent component, javax.servlet.http.HttpServletRequest request)
static void	checkLayerReadAuthorized(Layer l, javax.servlet.http.HttpServletRequest request, javax.persistence.EntityManager em)
static void	checkLayerWriteAuthorized(Layer l, javax.servlet.http.HttpServletRequest request, javax.persistence.EntityManager em)
static void	checkLevelReadAuthorized(Application app, Level l, javax.servlet.http.HttpServletRequest request, javax.persistence.EntityManager em)
static Authorizations.ApplicationCache	getApplicationCache(Application app, javax.persistence.EntityManager em)
static Authorizations.ApplicationCache	getApplicationCacheFromRequest(Application app, javax.servlet.http.HttpServletRequest request, javax.persistence.EntityManager em)
static Authorizations.ReadWrite	getLayerAuthorizations(Layer l, javax.persistence.EntityManager em) Returns set of authorized readers and writers for this layer.
static Set<String>	getRoles(javax.servlet.http.HttpServletRequest request)
static boolean	isAppLayerReadAuthorized(Application app, ApplicationLayer al, javax.servlet.http.HttpServletRequest request, Authorizations.ApplicationCache appCache, javax.persistence.EntityManager em)
static boolean	isAppLayerReadAuthorized(Application app, ApplicationLayer al, javax.servlet.http.HttpServletRequest request, javax.persistence.EntityManager em)
static boolean	isAppLayerWriteAuthorized(Application app, ApplicationLayer al, javax.servlet.http.HttpServletRequest request, Authorizations.ApplicationCache appCache, javax.persistence.EntityManager em)
static boolean	isAppLayerWriteAuthorized(Application app, ApplicationLayer al, javax.servlet.http.HttpServletRequest request, javax.persistence.EntityManager em)
static boolean	isApplicationReadAuthorized(Application app, javax.servlet.http.HttpServletRequest request, javax.persistence.EntityManager em)
static boolean	isConfiguredComponentAuthorized(ConfiguredComponent component, javax.servlet.http.HttpServletRequest request)
static boolean	isLayerGeomWriteAuthorized(Layer l, javax.servlet.http.HttpServletRequest request, javax.persistence.EntityManager em) See if a user can edit geometry attribute of a layer in addition to regular writing.
static boolean	isLayerReadAuthorized(Layer l, javax.servlet.http.HttpServletRequest request, javax.persistence.EntityManager em)
static boolean	isLayerWriteAuthorized(Layer l, javax.servlet.http.HttpServletRequest request, javax.persistence.EntityManager em)
static boolean	isLevelReadAuthorized(Application app, Level l, javax.servlet.http.HttpServletRequest request, Authorizations.ApplicationCache appCache, javax.persistence.EntityManager em)
static boolean	isLevelReadAuthorized(Application app, Level l, javax.servlet.http.HttpServletRequest request, javax.persistence.EntityManager em)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

NOBODY

public static final Set<String> NOBODY

The set of role names which mean nobody has access; a set which only contains null.

EVERYBODY

public static final Set<String> EVERYBODY

The empty set of role names which mean everybody has access.

serviceCache

public static final Map<Long,Authorizations.GeoServiceCache> serviceCache

Map of protected Layers per GeoService. Only public for UserAction to display all authorizations.

Constructor Detail

Authorizations

public Authorizations()

Method Detail

getRoles

public static Set<String> getRoles(javax.servlet.http.HttpServletRequest request)

isLayerReadAuthorized

public static boolean isLayerReadAuthorized(Layer l,
                                            javax.servlet.http.HttpServletRequest request,
                                            javax.persistence.EntityManager em)

checkLayerReadAuthorized

public static void checkLayerReadAuthorized(Layer l,
                                            javax.servlet.http.HttpServletRequest request,
                                            javax.persistence.EntityManager em)
                                     throws Exception

Throws:

Exception

isLayerWriteAuthorized

public static boolean isLayerWriteAuthorized(Layer l,
                                             javax.servlet.http.HttpServletRequest request,
                                             javax.persistence.EntityManager em)

checkLayerWriteAuthorized

public static void checkLayerWriteAuthorized(Layer l,
                                             javax.servlet.http.HttpServletRequest request,
                                             javax.persistence.EntityManager em)
                                      throws Exception

Throws:

Exception

isLayerGeomWriteAuthorized

public static boolean isLayerGeomWriteAuthorized(Layer l,
                                                 javax.servlet.http.HttpServletRequest request,
                                                 javax.persistence.EntityManager em)

See if a user can edit geometry attribute of a layer in addition to regular writing. Calling this will also call isAppLayerWriteAuthorized(nl.b3p.viewer.config.app.Application, nl.b3p.viewer.config.app.ApplicationLayer, javax.servlet.http.HttpServletRequest, javax.persistence.EntityManager)

Parameters:

l - the layer

request - the servlet request that has the user credential

em - the entity manager to use

Returns:

true if the user is allowed to edit the geometry attribute of the layer (the user is not in any of the groups that prevent editing geometry).

getApplicationCacheFromRequest

public static Authorizations.ApplicationCache getApplicationCacheFromRequest(Application app,
                                                                             javax.servlet.http.HttpServletRequest request,
                                                                             javax.persistence.EntityManager em)

isApplicationReadAuthorized

public static boolean isApplicationReadAuthorized(Application app,
                                                  javax.servlet.http.HttpServletRequest request,
                                                  javax.persistence.EntityManager em)

isLevelReadAuthorized

public static boolean isLevelReadAuthorized(Application app,
                                            Level l,
                                            javax.servlet.http.HttpServletRequest request,
                                            javax.persistence.EntityManager em)

isLevelReadAuthorized

public static boolean isLevelReadAuthorized(Application app,
                                            Level l,
                                            javax.servlet.http.HttpServletRequest request,
                                            Authorizations.ApplicationCache appCache,
                                            javax.persistence.EntityManager em)

checkLevelReadAuthorized

public static void checkLevelReadAuthorized(Application app,
                                            Level l,
                                            javax.servlet.http.HttpServletRequest request,
                                            javax.persistence.EntityManager em)
                                     throws Exception

Throws:

Exception

isAppLayerReadAuthorized

public static boolean isAppLayerReadAuthorized(Application app,
                                               ApplicationLayer al,
                                               javax.servlet.http.HttpServletRequest request,
                                               javax.persistence.EntityManager em)

isAppLayerReadAuthorized

public static boolean isAppLayerReadAuthorized(Application app,
                                               ApplicationLayer al,
                                               javax.servlet.http.HttpServletRequest request,
                                               Authorizations.ApplicationCache appCache,
                                               javax.persistence.EntityManager em)

checkAppLayerReadAuthorized

public static void checkAppLayerReadAuthorized(Application app,
                                               ApplicationLayer al,
                                               javax.servlet.http.HttpServletRequest request,
                                               javax.persistence.EntityManager em)
                                        throws Exception

Throws:

Exception

isAppLayerWriteAuthorized

public static boolean isAppLayerWriteAuthorized(Application app,
                                                ApplicationLayer al,
                                                javax.servlet.http.HttpServletRequest request,
                                                javax.persistence.EntityManager em)

isAppLayerWriteAuthorized

public static boolean isAppLayerWriteAuthorized(Application app,
                                                ApplicationLayer al,
                                                javax.servlet.http.HttpServletRequest request,
                                                Authorizations.ApplicationCache appCache,
                                                javax.persistence.EntityManager em)

checkAppLayerWriteAuthorized

public static void checkAppLayerWriteAuthorized(Application app,
                                                ApplicationLayer al,
                                                javax.servlet.http.HttpServletRequest request,
                                                javax.persistence.EntityManager em)
                                         throws Exception

Throws:

Exception

isConfiguredComponentAuthorized

public static boolean isConfiguredComponentAuthorized(ConfiguredComponent component,
                                                      javax.servlet.http.HttpServletRequest request)

checkConfiguredComponentAuthorized

public static void checkConfiguredComponentAuthorized(ConfiguredComponent component,
                                                      javax.servlet.http.HttpServletRequest request)
                                               throws Exception

Throws:

Exception

getLayerAuthorizations

public static Authorizations.ReadWrite getLayerAuthorizations(Layer l,
                                                              javax.persistence.EntityManager em)

Returns set of authorized readers and writers for this layer. If null is returned, everyone is authorized for reading and writing. Note: even if not null, the "readers" and "writers" properties of the returned ReadWriteAuthorizations may be equal to EVERYONE.

Parameters:

l - the layer to check

em - the entity manager to use

Returns:

the authorizations

getApplicationCache

public static Authorizations.ApplicationCache getApplicationCache(Application app,
                                                                  javax.persistence.EntityManager em)