org.broadleafcommerce.openadmin.server.security.service

Class AdminSecurityServiceImpl

java.lang.Object

org.broadleafcommerce.openadmin.server.security.service.AdminSecurityServiceImpl

All Implemented Interfaces:

AdminSecurityService

@Service(value="blAdminSecurityService")
public class AdminSecurityServiceImpl
extends Object
implements AdminSecurityService

Author:

jfischer

Field Summary

Fields

Modifier and Type	Field and Description
protected AdminPermissionDao	adminPermissionDao
protected AdminRoleDao	adminRoleDao
protected AdminUserDao	adminUserDao
protected net.sf.ehcache.Cache	cache
protected static String	CACHE_KEY_PREFIX
protected static String	CACHE_NAME
protected EmailService	emailService
protected ForgotPasswordSecurityTokenDao	forgotPasswordSecurityTokenDao
protected org.springframework.security.authentication.encoding.PasswordEncoder	passwordEncoder Deprecated. Spring Security has deprecated this encoder interface, this will be removed in 4.2
protected Object	passwordEncoderBean This is simply a placeholder to be used by setupPasswordEncoder() to determine if we're using the new PasswordEncoder or the deprecated PasswordEncoder
protected org.springframework.security.crypto.password.PasswordEncoder	passwordEncoderNew Set by setupPasswordEncoder() if the blPasswordEncoder bean provided is the new version.
protected EmailInfo	resetPasswordEmailInfo
protected String	salt Deprecated. use saltSource instead, this will be removed in 4.2
protected org.springframework.security.authentication.dao.SaltSource	saltSource Deprecated. the new PasswordEncoder handles salting internally, this will be removed in 4.2
protected EmailInfo	sendUsernameEmailInfo

Fields inherited from interface org.broadleafcommerce.openadmin.server.security.service.AdminSecurityService

DEFAULT_PERMISSIONS

Constructor Summary

Constructors

Constructor and Description
AdminSecurityServiceImpl()

Method Summary

Modifier and Type	Method and Description
protected String	buildCacheKey(AdminUser adminUser, PermissionType permissionType, String ceilingEntityFullyQualifiedName)
AdminUser	changePassword(PasswordChange passwordChange)
GenericResponse	changePassword(String username, String oldPassword, String password, String confirmPassword) Change a user's password only if oldPassword matches what's stored for that user
protected void	checkExistingPassword(String unencodedPassword, AdminUser user, GenericResponse response)
protected void	checkPassword(String password, String confirmPassword, GenericResponse response)
protected void	checkUser(AdminUser user, GenericResponse response)
void	clearAdminSecurityCache() Clears the cache used for AdminSecurityService.isUserQualifiedForOperationOnCeilingEntity(AdminUser, PermissionType, String)
void	deleteAdminPermission(AdminPermission permission)
void	deleteAdminRole(AdminRole role)
void	deleteAdminUser(AdminUser user)
boolean	doesOperationExistForCeilingEntity(PermissionType permissionType, String ceilingEntityFullyQualifiedName)
protected String	encodePassword(String rawPassword) Generate an encoded password from a raw password, salting is handled internally to the PasswordEncoder.
protected String	encodePassword(String rawPassword, Object salt) Deprecated. the new PasswordEncoder handles salting internally, this will be removed in 4.2
protected String	generateSecurePassword()
static int	getPASSWORD_TOKEN_LENGTH()
EmailInfo	getResetPasswordEmailInfo()
protected String	getResetPasswordURL()
String	getSalt() Deprecated.
Object	getSalt(AdminUser user, String unencodedPassword) Deprecated.
org.springframework.security.authentication.dao.SaltSource	getSaltSource() Deprecated.
EmailInfo	getSendUsernameEmailInfo()
protected int	getTokenExpiredMinutes()
protected void	invalidateAllTokensForAdminUser(AdminUser user)
protected boolean	isPasswordValid(String encodedPassword, String rawPassword) Determines if a password is valid by comparing it to the encoded string, salting is handled internally to the PasswordEncoder.
protected boolean	isPasswordValid(String encodedPassword, String rawPassword, Object salt) Deprecated. the new PasswordEncoder handles salting internally, this will be removed in 4.2
protected boolean	isTokenExpired(ForgotPasswordSecurityToken fpst)
boolean	isUserQualifiedForOperationOnCeilingEntity(AdminUser adminUser, PermissionType permissionType, String ceilingEntityFullyQualifiedName)
AdminPermission	readAdminPermissionById(Long id)
AdminRole	readAdminRoleById(Long id)
AdminUser	readAdminUserById(Long id)
AdminUser	readAdminUserByUserName(String userName)
List<AdminUser>	readAdminUsersByEmail(String email) Returns a list of admin users that match the given email.
List<AdminPermission>	readAllAdminPermissions()
List<AdminRole>	readAllAdminRoles()
List<AdminUser>	readAllAdminUsers()
GenericResponse	resetPasswordUsingToken(String username, String token, String password, String confirmPassword) Updates the password for the passed in user only if the passed in token is valid for that user.
AdminPermission	saveAdminPermission(AdminPermission permission)
AdminRole	saveAdminRole(AdminRole role)
AdminUser	saveAdminUser(AdminUser user)
GenericResponse	sendForgotUsernameNotification(String emailAddress) Looks up the corresponding AdminUser and emails the address on file with the associated username.
GenericResponse	sendResetPasswordNotification(String username) Generates an access token and then emails the user.
static void	setPASSWORD_TOKEN_LENGTH(int PASSWORD_TOKEN_LENGTH)
void	setResetPasswordEmailInfo(EmailInfo resetPasswordEmailInfo)
void	setSalt(String salt) Deprecated.
void	setSaltSource(org.springframework.security.authentication.dao.SaltSource saltSource) Deprecated.
void	setSendUsernameEmailInfo(EmailInfo sendUsernameEmailInfo)
protected void	setupPasswordEncoder() Sets either passwordEncoder or passwordEncoderNew based on the type of passwordEncoderBean in order to provide bean configuration backwards compatibility with the deprecated PasswordEncoder bean.
protected boolean	usingDeprecatedPasswordEncoder() Deprecated.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

adminRoleDao

protected AdminRoleDao adminRoleDao

adminUserDao

protected AdminUserDao adminUserDao

forgotPasswordSecurityTokenDao

protected ForgotPasswordSecurityTokenDao forgotPasswordSecurityTokenDao

adminPermissionDao

protected AdminPermissionDao adminPermissionDao

passwordEncoder

@Deprecated
protected org.springframework.security.authentication.encoding.PasswordEncoder passwordEncoder

Deprecated. Spring Security has deprecated this encoder interface, this will be removed in 4.2

Set by setupPasswordEncoder() if the blPasswordEncoder bean provided is the deprecated version.

passwordEncoderNew

protected org.springframework.security.crypto.password.PasswordEncoder passwordEncoderNew

Set by setupPasswordEncoder() if the blPasswordEncoder bean provided is the new version.

CACHE_NAME

protected static String CACHE_NAME

CACHE_KEY_PREFIX

protected static String CACHE_KEY_PREFIX

cache

protected net.sf.ehcache.Cache cache

passwordEncoderBean

protected Object passwordEncoderBean

This is simply a placeholder to be used by setupPasswordEncoder() to determine if we're using the new PasswordEncoder or the deprecated PasswordEncoder

salt

@Deprecated
protected String salt

Deprecated. use saltSource instead, this will be removed in 4.2

Optional password salt to be used with the passwordEncoder

saltSource

@Deprecated
 @Autowired(required=false)
 @Qualifier(value="blAdminSaltSource")
protected org.springframework.security.authentication.dao.SaltSource saltSource

Deprecated. the new PasswordEncoder handles salting internally, this will be removed in 4.2

Use a Salt Source ONLY if there's one configured

emailService

protected EmailService emailService

resetPasswordEmailInfo

protected EmailInfo resetPasswordEmailInfo

sendUsernameEmailInfo

protected EmailInfo sendUsernameEmailInfo

Constructor Detail

AdminSecurityServiceImpl

public AdminSecurityServiceImpl()

Method Detail

setupPasswordEncoder

@PostConstruct
protected void setupPasswordEncoder()

Sets either passwordEncoder or passwordEncoderNew based on the type of passwordEncoderBean in order to provide bean configuration backwards compatibility with the deprecated PasswordEncoder bean.

passwordEncoderBean is set by the bean defined as "blPasswordEncoder".

This class will utilize either the new or deprecated PasswordEncoder type depending on which is not null.

Throws:

org.springframework.beans.factory.NoSuchBeanDefinitionException - if passwordEncoderBean is null or not an instance of either PasswordEncoder

getTokenExpiredMinutes

protected int getTokenExpiredMinutes()

getResetPasswordURL

protected String getResetPasswordURL()

deleteAdminPermission

@Transactional(value="blTransactionManager")
public void deleteAdminPermission(AdminPermission permission)

Specified by:

deleteAdminPermission in interface AdminSecurityService

deleteAdminRole

@Transactional(value="blTransactionManager")
public void deleteAdminRole(AdminRole role)

Specified by:

deleteAdminRole in interface AdminSecurityService

deleteAdminUser

@Transactional(value="blTransactionManager")
public void deleteAdminUser(AdminUser user)

Specified by:

deleteAdminUser in interface AdminSecurityService

readAdminPermissionById

public AdminPermission readAdminPermissionById(Long id)

Specified by:

readAdminPermissionById in interface AdminSecurityService

readAdminRoleById

public AdminRole readAdminRoleById(Long id)

Specified by:

readAdminRoleById in interface AdminSecurityService

readAdminUserById

public AdminUser readAdminUserById(Long id)

Specified by:

readAdminUserById in interface AdminSecurityService

saveAdminPermission

@Transactional(value="blTransactionManager")
public AdminPermission saveAdminPermission(AdminPermission permission)

Specified by:

saveAdminPermission in interface AdminSecurityService

saveAdminRole

@Transactional(value="blTransactionManager")
public AdminRole saveAdminRole(AdminRole role)

Specified by:

saveAdminRole in interface AdminSecurityService

saveAdminUser

@Transactional(value="blTransactionManager")
public AdminUser saveAdminUser(AdminUser user)

Specified by:

saveAdminUser in interface AdminSecurityService

clearAdminSecurityCache

public void clearAdminSecurityCache()

Description copied from interface: AdminSecurityService

Clears the cache used for AdminSecurityService.isUserQualifiedForOperationOnCeilingEntity(AdminUser, PermissionType, String)

Specified by:

clearAdminSecurityCache in interface AdminSecurityService

generateSecurePassword

protected String generateSecurePassword()

changePassword

@Transactional(value="blTransactionManager")
public AdminUser changePassword(PasswordChange passwordChange)

Specified by:

changePassword in interface AdminSecurityService

isUserQualifiedForOperationOnCeilingEntity

public boolean isUserQualifiedForOperationOnCeilingEntity(AdminUser adminUser,
                                                          PermissionType permissionType,
                                                          String ceilingEntityFullyQualifiedName)

Specified by:

isUserQualifiedForOperationOnCeilingEntity in interface AdminSecurityService

buildCacheKey

protected String buildCacheKey(AdminUser adminUser,
                               PermissionType permissionType,
                               String ceilingEntityFullyQualifiedName)

doesOperationExistForCeilingEntity

public boolean doesOperationExistForCeilingEntity(PermissionType permissionType,
                                                  String ceilingEntityFullyQualifiedName)

Specified by:

doesOperationExistForCeilingEntity in interface AdminSecurityService

readAdminUserByUserName

public AdminUser readAdminUserByUserName(String userName)

Specified by:

readAdminUserByUserName in interface AdminSecurityService

readAdminUsersByEmail

public List<AdminUser> readAdminUsersByEmail(String email)

Description copied from interface: AdminSecurityService

Returns a list of admin users that match the given email. This could potentially return more than one user if the admin.user.requireUniqueEmailAddress property is set to false.

Specified by:

readAdminUsersByEmail in interface AdminSecurityService

Parameters:

email - the email address to search for

Returns:

a List of AdminUser matching the provided email address

readAllAdminUsers

public List<AdminUser> readAllAdminUsers()

Specified by:

readAllAdminUsers in interface AdminSecurityService

readAllAdminRoles

public List<AdminRole> readAllAdminRoles()

Specified by:

readAllAdminRoles in interface AdminSecurityService

readAllAdminPermissions

public List<AdminPermission> readAllAdminPermissions()

Specified by:

readAllAdminPermissions in interface AdminSecurityService

sendForgotUsernameNotification

@Transactional(value="blTransactionManager")
public GenericResponse sendForgotUsernameNotification(String emailAddress)

Description copied from interface: AdminSecurityService

Looks up the corresponding AdminUser and emails the address on file with the associated username.

Specified by:

sendForgotUsernameNotification in interface AdminSecurityService

Parameters:

emailAddress - email address of user to email

Returns:

Response can contain errors including (notFound)

sendResetPasswordNotification

@Transactional(value="blTransactionManager")
public GenericResponse sendResetPasswordNotification(String username)

Description copied from interface: AdminSecurityService

Generates an access token and then emails the user.

Specified by:

sendResetPasswordNotification in interface AdminSecurityService

Parameters:

username - the username of the user to send a password reset email

Returns:

Response can contain errors including (invalidEmail, invalidUsername, inactiveUser)

resetPasswordUsingToken

@Transactional(value="blTransactionManager")
public GenericResponse resetPasswordUsingToken(String username,
                                                                                            String token,
                                                                                            String password,
                                                                                            String confirmPassword)

Description copied from interface: AdminSecurityService

Updates the password for the passed in user only if the passed in token is valid for that user.

Specified by:

resetPasswordUsingToken in interface AdminSecurityService

Parameters:

username - the username of the user

token - a valid reset token from the email

password - the new desired password

confirmPassword - the password confirmation to match password

Returns:

Response can contain errors including (invalidUsername, inactiveUser, invalidToken, invalidPassword, tokenExpired, passwordMismatch)

invalidateAllTokensForAdminUser

protected void invalidateAllTokensForAdminUser(AdminUser user)

checkUser

protected void checkUser(AdminUser user,
                         GenericResponse response)

checkPassword

protected void checkPassword(String password,
                             String confirmPassword,
                             GenericResponse response)

checkExistingPassword

protected void checkExistingPassword(String unencodedPassword,
                                     AdminUser user,
                                     GenericResponse response)

isTokenExpired

protected boolean isTokenExpired(ForgotPasswordSecurityToken fpst)

getPASSWORD_TOKEN_LENGTH

public static int getPASSWORD_TOKEN_LENGTH()

setPASSWORD_TOKEN_LENGTH

public static void setPASSWORD_TOKEN_LENGTH(int PASSWORD_TOKEN_LENGTH)

getSendUsernameEmailInfo

public EmailInfo getSendUsernameEmailInfo()

setSendUsernameEmailInfo

public void setSendUsernameEmailInfo(EmailInfo sendUsernameEmailInfo)

getResetPasswordEmailInfo

public EmailInfo getResetPasswordEmailInfo()

setResetPasswordEmailInfo

public void setResetPasswordEmailInfo(EmailInfo resetPasswordEmailInfo)

getSalt

@Deprecated
public Object getSalt(AdminUser user,
                                  String unencodedPassword)

Deprecated.

Description copied from interface: AdminSecurityService

Gets the salt object for the current admin user. By default this delegates to AdminSecurityService.getSaltSource(). If there is not a SaltSource configured (AdminSecurityService.getSaltSource() returns null) then this also returns null.

Specified by:

getSalt in interface AdminSecurityService

Parameters:

user - the AdminUser to get UserDetails from

unencodedPassword - the unencoded password

Returns:

the salt for the current admin user

getSalt

@Deprecated
public String getSalt()

Deprecated.

Specified by:

getSalt in interface AdminSecurityService

Returns:

the currently used salt string

setSalt

@Deprecated
public void setSalt(String salt)

Deprecated.

Specified by:

setSalt in interface AdminSecurityService

Parameters:

salt - the new salt string to use

getSaltSource

@Deprecated
public org.springframework.security.authentication.dao.SaltSource getSaltSource()

Deprecated.

Description copied from interface: AdminSecurityService

Returns the SaltSource used with the blAdminPasswordEncoder to encrypt the user password. Usually configured in applicationContext-admin-security.xml. This is not a required property and will return null if not configured

Specified by:

getSaltSource in interface AdminSecurityService

Returns:

the currently used SaltSource

setSaltSource

@Deprecated
public void setSaltSource(org.springframework.security.authentication.dao.SaltSource saltSource)

Deprecated.

Description copied from interface: AdminSecurityService

Sets the SaltSource used with blAdminPasswordEncoder to encrypt the user password. Usually configured within applicationContext-admin-security.xml

Specified by:

setSaltSource in interface AdminSecurityService

Parameters:

saltSource - the new SaltSource to use

changePassword

@Transactional(value="blTransactionManager")
public GenericResponse changePassword(String username,
                                                                                   String oldPassword,
                                                                                   String password,
                                                                                   String confirmPassword)

Description copied from interface: AdminSecurityService

Change a user's password only if oldPassword matches what's stored for that user

Specified by:

changePassword in interface AdminSecurityService

Parameters:

username - the username to change the password for

oldPassword - the user's current password

password - the desired new password

confirmPassword - the confirm password to ensure it matches password

Returns:

Response can contain errors including (invalidUser, emailNotFound, inactiveUser, invalidPassword, passwordMismatch)

isPasswordValid

@Deprecated
protected boolean isPasswordValid(String encodedPassword,
                                              String rawPassword,
                                              Object salt)

Deprecated. the new PasswordEncoder handles salting internally, this will be removed in 4.2

Determines if a password is valid by comparing it to the encoded string, optionally using a salt.

The externally salted PasswordEncoder support is being deprecated, following in Spring Security's footsteps, in order to move towards self salting hashing algorithms such as bcrypt. Bcrypt is a superior hashing algorithm that randomly generates a salt per password in order to protect against rainbow table attacks and is an intentionally expensive algorithm to further guard against brute force attempts to crack hashed passwords. Additionally, having the encoding algorithm handle the salt internally reduces code complexity and dependencies such as SaltSource.

Parameters:

encodedPassword - the encoded password

rawPassword - the unencoded password

salt - the optional salt

Returns:

true if rawPassword matches the encodedPassword, false otherwise

isPasswordValid

protected boolean isPasswordValid(String encodedPassword,
                                  String rawPassword)

Determines if a password is valid by comparing it to the encoded string, salting is handled internally to the PasswordEncoder.

This method must always be called to verify if a password is valid after the original encoded password is generated due to PasswordEncoder randomly generating salts internally and appending them to the resulting hash.

Parameters:

encodedPassword - the encoded password

rawPassword - the raw password to check against the encoded password

Returns:

true if rawPassword matches the encodedPassword, false otherwise

encodePassword

@Deprecated
protected String encodePassword(String rawPassword,
                                            Object salt)

Deprecated. the new PasswordEncoder handles salting internally, this will be removed in 4.2

Generate an encoded password from a raw password, optionally using a salt.

The externally salted PasswordEncoder support is being deprecated, following in Spring Security's footsteps, in order to move towards self salting hashing algorithms such as bcrypt. Bcrypt is a superior hashing algorithm that randomly generates a salt per password in order to protect against rainbow table attacks and is an intentionally expensive algorithm to further guard against brute force attempts to crack hashed passwords. Additionally, having the encoding algorithm handle the salt internally reduces code complexity and dependencies such as SaltSource.

Parameters:

rawPassword -

salt -

Returns:

encodePassword

protected String encodePassword(String rawPassword)

Generate an encoded password from a raw password, salting is handled internally to the PasswordEncoder.

This method can only be called once per password. The salt is randomly generated internally in the PasswordEncoder and appended to the hash to provide the resulting encoded password. Once this has been called on a password, going forward all checks for authenticity must be done by isPasswordValid(String, String) as encoding the same password twice will result in different encoded passwords.

Parameters:

rawPassword - the unencoded password to encode

Returns:

the encoded password

usingDeprecatedPasswordEncoder

@Deprecated
protected boolean usingDeprecatedPasswordEncoder()

Deprecated.