Package org.owasp.esapi.reference
Class DefaultUser

java.lang.Object
    org.owasp.esapi.reference.DefaultUser

All Implemented Interfaces:
    java.io.Serializable, java.security.Principal, User

public class DefaultUser extends java.lang.Object implements User, java.io.Serializable

Reference implementation of the User interface. This implementation is serialized into a flat file in a simple format.

Since:
    June 1, 2007
Author:
    Jeff Williams (jeff.williams .at. aspectsecurity.com) Aspect Security, Chris Schmidt (chrisisbeef .at. gmail.com) Digital Ritual Software
See Also:
    User, Serialized Form
Constructor Summary

DefaultUser(java.lang.String accountName)
    Instantiates a new user.
Method Summary

void addRole(java.lang.String role)
    Adds a role to this user's account.
void addRoles(java.util.Set<java.lang.String> newRoles)
    Adds a set of roles to this user's account.
void addSession(javax.servlet.http.HttpSession s)
    Adds a session for this User.
void changePassword(java.lang.String oldPassword, java.lang.String newPassword1, java.lang.String newPassword2)
    Sets the user's password, performing a verification of the user's old password, the equality of the two new passwords, and the strength of the new password.
java.lang.Object clone()
    Override clone and make final to prevent duplicate user objects.
void disable()
    Disable this user's account.
void enable()
    Enable this user's account.
long getAccountId()
    Gets this user's account id number.
java.lang.String getAccountName()
    Gets this user's account name.
java.lang.String getCSRFToken()
    Gets the CSRF token for this user's current sessions.
java.util.HashMap getEventMap()
    Returns the hashmap used to store security events for this user.
java.util.Date getExpirationTime()
    Returns the date that this user's account will expire.
int getFailedLoginCount()
    Returns the number of failed login attempts since the last successful login for an account.
java.util.Date getLastFailedLoginTime()
    Returns the date of the last failed login time for a user.
java.lang.String getLastHostAddress()
    Returns the last host address used by the user.
java.util.Date getLastLoginTime()
    Returns the date of the last successful login time for a user.
java.util.Date getLastPasswordChangeTime()
    Gets the date of user's last password change.
java.util.Locale getLocale()
java.lang.String getName()
java.util.Set<java.lang.String> getRoles()
    Gets the roles assigned to a particular account.
java.lang.String getScreenName()
    Gets the screen name (alias) for the current user.
java.util.Set getSessions()
    Returns a Set containing the sessions associated with this User.
void incrementFailedLoginCount()
    Increment failed login count.
boolean isAnonymous()
    Checks if user is anonymous.
boolean isEnabled()
    Checks if this user's account is currently enabled.
boolean isExpired()
    Checks if this user's account is expired.
boolean isInRole(java.lang.String role)
    Checks if this user's account is assigned a particular role.
boolean isLocked()
    Checks if this user's account is locked.
boolean isLoggedIn()
    Tests to see if the user is currently logged in.
boolean isSessionAbsoluteTimeout()
    Tests to see if this user's session has exceeded the absolute time out based on ESAPI's configuration settings.
boolean isSessionTimeout()
    Tests to see if the user's session has timed out from inactivity based on ESAPI's configuration settings.
void lock()
    Lock this user's account.
void loginWithPassword(java.lang.String password)
    Login with password.
void logout()
    Logout this user.
void removeRole(java.lang.String role)
    Removes a role from this user's account.
void removeSession(javax.servlet.http.HttpSession s)
    Removes a session for this User.
java.lang.String resetCSRFToken()
    Returns a token to be used as a prevention against CSRF attacks.
void setAccountName(java.lang.String accountName)
    Sets this user's account name.
void setExpirationTime(java.util.Date expirationTime)
    Sets the date and time when this user's account will expire.
void setLastFailedLoginTime(java.util.Date lastFailedLoginTime)
    Set the time of the last failed login for this user.
void setLastHostAddress(java.lang.String remoteHost)
    Set the last remote host address used by this user.
void setLastLoginTime(java.util.Date lastLoginTime)
    Set the time of the last successful login for this user.
void setLastPasswordChangeTime(java.util.Date lastPasswordChangeTime)
    Set the time of the last password change for this user.
void setLocale(java.util.Locale locale)
void setRoles(java.util.Set<java.lang.String> roles)
    Sets the roles for this account.
void setScreenName(java.lang.String screenName)
    Sets the screen name (username alias) for this user.
java.lang.String toString()
void unlock()
    Unlock this user's account.
boolean verifyPassword(java.lang.String password)
    Verify that the supplied password matches the password for this user.
Method Detail

addRole

public void addRole(java.lang.String role) throws AuthenticationException

Adds a role to this user's account.

Specified by:
    addRole in interface User
Parameters:
    role - the role to add
Throws:
    AuthenticationException - the authentication exception

addRoles

public void addRoles(java.util.Set<java.lang.String> newRoles) throws AuthenticationException

Adds a set of roles to this user's account.

Specified by:
    addRoles in interface User
Parameters:
    newRoles - the new roles to add
Throws:
    AuthenticationException - the authentication exception

changePassword

public void changePassword(java.lang.String oldPassword, java.lang.String newPassword1, java.lang.String newPassword2) throws AuthenticationException, EncryptionException

Sets the user's password, performing a verification of the user's old password, the equality of the two new passwords, and the strength of the new password.

Specified by:
    changePassword in interface User
Parameters:
    oldPassword - the old password
    newPassword1 - the new password
    newPassword2 - the new password, repeated to verify that it was typed correctly
Throws:
    AuthenticationException - if newPassword1 does not match newPassword2, if oldPassword does not match the stored old password, or if the new password does not meet complexity requirements
    EncryptionException
getAccountId

public long getAccountId()

Gets this user's account id number.

Specified by:
    getAccountId in interface User
Returns:
    the account id

getAccountName

public java.lang.String getAccountName()

Gets this user's account name.

Specified by:
    getAccountName in interface User
Returns:
    the account name

getCSRFToken

public java.lang.String getCSRFToken()

Gets the CSRF token for this user's current sessions.

Specified by:
    getCSRFToken in interface User
Returns:
    the CSRF token

getExpirationTime

public java.util.Date getExpirationTime()

Returns the date that this user's account will expire.

Specified by:
    getExpirationTime in interface User
Returns:
    Date representing the account expiration time.

getFailedLoginCount

public int getFailedLoginCount()

Returns the number of failed login attempts since the last successful login for an account. This method is intended to be used as a part of the account lockout feature, to help protect against brute force attacks. However, the implementor should be aware that lockouts can be used to prevent access to an application by a legitimate user, and should consider the risk of denial of service.

Specified by:
    getFailedLoginCount in interface User
Returns:
    the number of failed login attempts since the last successful login
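The following servlet shows how an application consumes the login bookkeeping that DefaultUser maintains (failed-login counter, last failed login, lock state). It is an added example, not code from ESAPI or from this page. It assumes the javax.servlet API, an ESAPI.properties on the classpath, and hypothetical names for the package, the JSP path, the "admin" role and the redirect target. Authenticator.login(request, response) is ESAPI's own entry point that reads the credentials from the request and calls User.loginWithPassword; the notice after a successful login is built from getLastFailedLoginTime as the javadoc for that method recommends, and unlockAccount is the operational answer to the denial-of-service caveat above: a lockout that anyone can trigger by sending bad passwords needs an audited way to be released.

```java
package example.auth; // hypothetical package

import java.io.IOException;
import java.text.SimpleDateFormat;
import java.util.Date;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Logger;
import org.owasp.esapi.User;
import org.owasp.esapi.errors.AccessControlException;
import org.owasp.esapi.errors.AuthenticationException;

public class LoginServlet extends HttpServlet {

    private static final Logger LOG = ESAPI.getLogger("LoginServlet");
    private static final long ONE_DAY_MS = 24L * 60 * 60 * 1000;

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // ESAPI's Authenticator and HTTPUtilities find the current request through
        // thread-local storage; register it first and always clear it afterwards.
        ESAPI.httpUtilities().setCurrentHTTP(request, response);
        try {
            // Reads the credentials from the request and calls User.loginWithPassword.
            // Wrong password, unknown user, and a disabled, expired or locked account
            // all surface here as AuthenticationException.
            User user = ESAPI.authenticator().login(request, response);
            request.setAttribute("notice", buildLoginNotice(user, new Date()));
            request.getRequestDispatcher("/home.jsp").forward(request, response); // hypothetical page
        } catch (AuthenticationException e) {
            // getLogMessage() carries the detail for the security log. The browser
            // gets one generic message whatever the cause, so the response does not
            // reveal whether the account exists or whether it is currently locked.
            LOG.warning(Logger.SECURITY_FAILURE, e.getLogMessage());
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Login failed");
        } finally {
            ESAPI.httpUtilities().clearCurrent();
        }
    }

    /**
     * Post-login notice built from the account's own history so the user can spot
     * attempts that were not theirs. Output is HTML-encoded because it is rendered.
     * A null or epoch timestamp is treated as "no failure recorded".
     */
    static String buildLoginNotice(User user, Date now) {
        SimpleDateFormat fmt = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss z");
        Date lastFailed = user.getLastFailedLoginTime();
        if (lastFailed == null || lastFailed.getTime() == 0L) {
            return "No failed login attempts have been recorded for this account.";
        }
        StringBuilder sb = new StringBuilder("Last failed login attempt on this account: ")
                .append(ESAPI.encoder().encodeForHTML(fmt.format(lastFailed)))
                .append(" from ")
                .append(ESAPI.encoder().encodeForHTML(String.valueOf(user.getLastHostAddress())));
        if (now.getTime() - lastFailed.getTime() < ONE_DAY_MS) {
            sb.append(". If this was not you, change your password now.");
        }
        return sb.toString();
    }

    /**
     * Audited unlock. The lockout is a denial-of-service lever against any account
     * whose name is known, so an administrator must be able to release it, and the
     * release must be logged with who did it and how many failures preceded it.
     */
    static boolean unlockAccount(User admin, String accountName) throws AccessControlException {
        if (!admin.isInRole("admin")) { // "admin" is an assumed role name
            throw new AccessControlException("Not authorized",
                    "Unlock of " + accountName + " attempted by non-admin " + admin.getAccountName());
        }
        User target = ESAPI.authenticator().getUser(accountName);
        if (target == null || !target.isLocked()) {
            return false; // unknown account or nothing to do
        }
        int failures = target.getFailedLoginCount();
        target.unlock();
        LOG.warning(Logger.SECURITY_SUCCESS, admin.getAccountName() + " unlocked " + accountName
                + " after " + failures + " failed login attempts");
        return true;
    }
}
```

The unlock path deliberately reads getFailedLoginCount before calling unlock, so the audit record shows how hard the account was being hit; an unusually high number on a routine unlock request is itself a signal worth an alert.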
getLastFailedLoginTime

public java.util.Date getLastFailedLoginTime()

Returns the date of the last failed login time for a user. This date should be used in a message to users after a successful login, to notify them of potential attack activity on their account.

Specified by:
    getLastFailedLoginTime in interface User
Returns:
    date of the last failed login

getLastHostAddress

public java.lang.String getLastHostAddress()

Returns the last host address used by the user. This will be used in any log messages generated by the processing of this request.

Specified by:
    getLastHostAddress in interface User
Returns:
    the last host address used by the user

getLastLoginTime

public java.util.Date getLastLoginTime()

Returns the date of the last successful login time for a user. This date should be used in a message to users after a successful login, to notify them of potential attack activity on their account.

Specified by:
    getLastLoginTime in interface User
Returns:
    date of the last successful login

getLastPasswordChangeTime

public java.util.Date getLastPasswordChangeTime()

Gets the date of user's last password change.

Specified by:
    getLastPasswordChangeTime in interface User
Returns:
    the date of last password change

getName

public java.lang.String getName()

Specified by:
    getName in interface java.security.Principal

getRoles

public java.util.Set<java.lang.String> getRoles()

Gets the roles assigned to a particular account.

getScreenName

public java.lang.String getScreenName()

Gets the screen name (alias) for the current user.

Specified by:
    getScreenName in interface User
Returns:
    the screen name
addSession

public void addSession(javax.servlet.http.HttpSession s)

Adds a session for this User.

Specified by:
    addSession in interface User
Parameters:
    s - The session to associate with this user.

removeSession

public void removeSession(javax.servlet.http.HttpSession s)

Removes a session for this User.

Specified by:
    removeSession in interface User
Parameters:
    s - The session to remove from being associated with this user.

getSessions

public java.util.Set getSessions()

Returns a Set containing the sessions associated with this User.

Specified by:
    getSessions in interface User
Returns:
    The Set of sessions for this User.

incrementFailedLoginCount

public void incrementFailedLoginCount()

Increment failed login count.

Specified by:
    incrementFailedLoginCount in interface User

isAnonymous

public boolean isAnonymous()

Checks if user is anonymous.

Specified by:
    isAnonymous in interface User
Returns:
    true, if user is anonymous

isEnabled

public boolean isEnabled()

Checks if this user's account is currently enabled.

isExpired

public boolean isExpired()

Checks if this user's account is expired.

isInRole

public boolean isInRole(java.lang.String role)

Checks if this user's account is assigned a particular role.

isLocked

public boolean isLocked()

Checks if this user's account is locked.

isLoggedIn

public boolean isLoggedIn()

Tests to see if the user is currently logged in.

Specified by:
    isLoggedIn in interface User
Returns:
    true, if the user is logged in

isSessionAbsoluteTimeout

public boolean isSessionAbsoluteTimeout()

Tests to see if this user's session has exceeded the absolute time out based on ESAPI's configuration settings.

Specified by:
    isSessionAbsoluteTimeout in interface User
Returns:
    true, if user's session has exceeded the absolute time out

isSessionTimeout

public boolean isSessionTimeout()

Tests to see if the user's session has timed out from inactivity based on ESAPI's configuration settings. A session may time out before ESAPI's configured limit because the servlet container applies its own session-timeout from web.xml, expressed in minutes; whichever of the two limits is shorter takes effect. The following web.xml fragment sets the container timeout to one hour:

    <session-config>
        <session-timeout>60</session-timeout>
    </session-config>

Specified by:
    isSessionTimeout in interface User
Returns:
    true, if user's session has timed out from inactivity based on ESAPI configuration
loginWithPassword

public void loginWithPassword(java.lang.String password) throws AuthenticationException

Login with password.

Specified by:
    loginWithPassword in interface User
Parameters:
    password - the password
Throws:
    AuthenticationException - if login fails

removeRole

public void removeRole(java.lang.String role)

Removes a role from this user's account.

Specified by:
    removeRole in interface User
Parameters:
    role - the role to remove

resetCSRFToken

public java.lang.String resetCSRFToken()

Returns a token to be used as a prevention against CSRF attacks. This token should be added to all links and forms. The application should verify that all requests contain the token, or they may have been generated by a CSRF attack. It is generally best to perform the check in a centralized location, either a filter or controller. See the verifyCSRFToken method. In this implementation, we have chosen to use a random token that is stored in the User object. Note that it is possible to avoid the use of server side state by using either the hash of the user's session id or an encrypted token that includes a timestamp and the user's IP address. A relatively short 8 character string has been chosen because this token will appear in all links and forms.

Specified by:
    resetCSRFToken in interface User
Returns:
    the new CSRF token
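The two session-timeout checks (isSessionTimeout, isSessionAbsoluteTimeout) and the centralized CSRF check that the resetCSRFToken javadoc recommends belong in the same place: a filter that runs before any controller. The filter below is an added example, not code from ESAPI or from this page. It assumes the javax.servlet API, an ESAPI.properties on the classpath, a hypothetical package and login URL, and that DefaultHTTPUtilities exposes the request parameter name it reads the token from as the public constant CSRF_TOKEN_NAME; ESAPI.httpUtilities().verifyCSRFToken() is the ESAPI method the javadoc above points to, and it throws IntrusionException when the submitted token does not match getCSRFToken().

```java
package example.web; // hypothetical package

import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.User;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.reference.DefaultHTTPUtilities;

/** Runs on every request: enforces both ESAPI session timeouts, then the CSRF token. */
public class EsapiSessionFilter implements Filter {

    // Methods that must not change state and therefore carry no CSRF token.
    private static final Set<String> SAFE_METHODS =
            new HashSet<>(Arrays.asList("GET", "HEAD", "OPTIONS"));

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // ESAPI's Authenticator and HTTPUtilities look up the current request from
        // thread-local storage; register it before using them, clear it afterwards.
        ESAPI.httpUtilities().setCurrentHTTP(request, response);
        try {
            User user = ESAPI.authenticator().getCurrentUser();
            boolean authenticated = user != null && !user.isAnonymous() && user.isLoggedIn();
            if (authenticated) {
                // Two independent clocks: isSessionTimeout() is the idle limit,
                // isSessionAbsoluteTimeout() the hard ceiling measured from login.
                // Either one expiring ends the session; activity cannot extend the second.
                if (user.isSessionTimeout() || user.isSessionAbsoluteTimeout()) {
                    endSession(request, response, user);
                    return;
                }
                // Centralized CSRF check for every state-changing request.
                if (!SAFE_METHODS.contains(request.getMethod())) {
                    try {
                        ESAPI.httpUtilities().verifyCSRFToken();
                    } catch (IntrusionException e) {
                        response.sendError(HttpServletResponse.SC_FORBIDDEN,
                                "Missing or invalid CSRF token");
                        return;
                    }
                }
            }
            chain.doFilter(request, response);
        } finally {
            ESAPI.httpUtilities().clearCurrent();
        }
    }

    /** Logs the user out through ESAPI and makes sure the container session is gone too. */
    private static void endSession(HttpServletRequest request, HttpServletResponse response,
                                   User user) throws IOException {
        user.logout();
        HttpSession session = request.getSession(false);
        if (session != null) {
            try {
                session.invalidate();
            } catch (IllegalStateException alreadyInvalid) {
                // logout() may already have invalidated it; nothing left to do.
            }
        }
        response.sendRedirect(request.getContextPath() + "/login?reason=timeout"); // hypothetical URL
    }

    /**
     * Hidden form field carrying the user's current token, for templates to embed
     * in every POST form. For plain links use ESAPI.httpUtilities().addCSRFToken(href),
     * which appends the same token as a query parameter.
     */
    public static String csrfField(User user) {
        return "<input type=\"hidden\" name=\"" + DefaultHTTPUtilities.CSRF_TOKEN_NAME
                + "\" value=\"" + ESAPI.encoder().encodeForHTMLAttribute(user.getCSRFToken()) + "\">";
    }
}
```

Map the filter to /* in web.xml so no controller is reachable without passing it; a CSRF check that lives in individual handlers is only as complete as the last developer who remembered to call it. The timeout check is placed before the CSRF check on purpose: a request arriving on an expired session should be ended, not judged on its token.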
setAccountName

public void setAccountName(java.lang.String accountName)

Sets this user's account name.

Specified by:
    setAccountName in interface User
Parameters:
    accountName - the new account name

setExpirationTime

public void setExpirationTime(java.util.Date expirationTime)

Sets the date and time when this user's account will expire.

Specified by:
    setExpirationTime in interface User
Parameters:
    expirationTime - the new expiration time

setLastFailedLoginTime

public void setLastFailedLoginTime(java.util.Date lastFailedLoginTime)

Set the time of the last failed login for this user.

Specified by:
    setLastFailedLoginTime in interface User
Parameters:
    lastFailedLoginTime - the date and time when the user just failed to login correctly.

setLastHostAddress

public void setLastHostAddress(java.lang.String remoteHost) throws AuthenticationHostException

Set the last remote host address used by this user.

Specified by:
    setLastHostAddress in interface User
Parameters:
    remoteHost - The address of the user's current source host.
Throws:
    AuthenticationHostException

setLastLoginTime

public void setLastLoginTime(java.util.Date lastLoginTime)

Set the time of the last successful login for this user.

Specified by:
    setLastLoginTime in interface User
Parameters:
    lastLoginTime - the date and time when the user just successfully logged in.

setLastPasswordChangeTime

public void setLastPasswordChangeTime(java.util.Date lastPasswordChangeTime)

Set the time of the last password change for this user.

Specified by:
    setLastPasswordChangeTime in interface User
Parameters:
    lastPasswordChangeTime - the date and time when the user just successfully changed his/her password.

setRoles

public void setRoles(java.util.Set<java.lang.String> roles) throws AuthenticationException

Sets the roles for this account.

Specified by:
    setRoles in interface User
Parameters:
    roles - the new roles
Throws:
    AuthenticationException - the authentication exception

setScreenName

public void setScreenName(java.lang.String screenName)

Sets the screen name (username alias) for this user.

Specified by:
    setScreenName in interface User
Parameters:
    screenName - the new screen name

toString

public java.lang.String toString()

Specified by:
    toString in interface java.security.Principal
Overrides:
    toString in class java.lang.Object
verifyPassword

public boolean verifyPassword(java.lang.String password)

Verify that the supplied password matches the password for this user. This method is typically used for "reauthentication" for the most sensitive functions, such as transactions, changing email address, and changing other account information.

Specified by:
    verifyPassword in interface User
Parameters:
    password - the password that the user entered
Returns:
    true, if the password passed in matches the account's password
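An account-settings endpoint that uses both changePassword (documented earlier on this page) and verifyPassword as a reauthentication gate, as an added example that is not part of ESAPI or this page. It assumes the javax.servlet API, an ESAPI.properties on the classpath whose Validator.Email pattern is present, and hypothetical names for the package and request parameters. changePassword performs its three checks (old password, equality of the two new values, strength) on its own; the example shows what the caller is responsible for: showing the user only getUserMessage(), sending getLogMessage() to the security log, and demanding the password again before a contact address can be redirected.

```java
package example.account; // hypothetical package

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Logger;
import org.owasp.esapi.User;
import org.owasp.esapi.errors.AuthenticationException;
import org.owasp.esapi.errors.EncryptionException;
import org.owasp.esapi.errors.ValidationException;

/** Account maintenance endpoint: password change and re-authenticated email change. */
public class AccountSettingsServlet extends HttpServlet {

    private static final Logger LOG = ESAPI.getLogger("AccountSettings");

    /** Outcome of an operation: whether it succeeded and a message that is safe to render. */
    static final class Outcome {
        final boolean ok;
        final String userMessage;
        Outcome(boolean ok, String userMessage) { this.ok = ok; this.userMessage = userMessage; }
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        ESAPI.httpUtilities().setCurrentHTTP(request, response);
        try {
            User user = ESAPI.authenticator().getCurrentUser();
            if (user == null || user.isAnonymous() || !user.isLoggedIn()) {
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            String action = request.getParameter("action"); // parameter names are hypothetical
            Outcome result;
            if ("changePassword".equals(action)) {
                result = changePassword(user, request.getParameter("oldPassword"),
                        request.getParameter("newPassword1"), request.getParameter("newPassword2"));
            } else if ("changeEmail".equals(action)) {
                result = changeEmail(user, request.getParameter("password"), request.getParameter("email"));
            } else {
                result = new Outcome(false, "Unknown action");
            }
            response.setStatus(result.ok ? HttpServletResponse.SC_OK : HttpServletResponse.SC_BAD_REQUEST);
            response.setContentType("text/html;charset=UTF-8");
            response.getWriter().print(ESAPI.encoder().encodeForHTML(result.userMessage));
        } finally {
            ESAPI.httpUtilities().clearCurrent();
        }
    }

    /**
     * changePassword() verifies the old password, the equality of the two new values and
     * the strength of the new one, and reports each failure as AuthenticationException.
     * Only getUserMessage() is echoed; getLogMessage() goes to the security log.
     */
    static Outcome changePassword(User user, String oldPw, String newPw1, String newPw2) {
        try {
            user.changePassword(oldPw, newPw1, newPw2);
            return new Outcome(true, "Password changed");
        } catch (AuthenticationException e) {
            LOG.warning(Logger.SECURITY_FAILURE, e.getLogMessage());
            return new Outcome(false, e.getUserMessage());
        } catch (EncryptionException e) {
            // The hash could not be computed: a server-side fault, so say nothing about the inputs.
            LOG.error(Logger.SECURITY_FAILURE, e.getLogMessage());
            return new Outcome(false, "Password could not be changed, please try again later");
        }
    }

    /**
     * Reauthentication gate for a sensitive change, as the verifyPassword() javadoc
     * describes: someone riding a hijacked or unattended session must still present
     * the password before the contact address can be pointed somewhere else.
     */
    static Outcome changeEmail(User user, String password, String newEmail) {
        if (password == null || !user.verifyPassword(password)) {
            LOG.warning(Logger.SECURITY_FAILURE, "Reauthentication failed for "
                    + user.getAccountName() + " from " + user.getLastHostAddress());
            return new Outcome(false, "Password incorrect");
        }
        try {
            // "Email" selects the Validator.Email pattern configured in ESAPI.properties.
            String email = ESAPI.validator().getValidInput("changeEmail", newEmail, "Email", 254, false);
            // Persisting the address is application-specific and not shown here.
            LOG.info(Logger.SECURITY_SUCCESS, user.getAccountName() + " changed contact email");
            return new Outcome(true, "Email address updated");
        } catch (ValidationException e) {
            return new Outcome(false, e.getUserMessage());
        }
    }
}
```

A failed verifyPassword in changeEmail is logged as a security failure in its own right: a stream of wrong passwords on an already-authenticated session looks nothing like a user mistyping, and is worth the same attention as failed logins.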
clone

public final java.lang.Object clone() throws java.lang.CloneNotSupportedException

Override clone and make final to prevent duplicate user objects.

Overrides:
    clone in class java.lang.Object
Returns:
    Nothing, as clone() is not supported for this class. A CloneNotSupportedException is always thrown for this class.
Throws:
    java.lang.CloneNotSupportedException

getLocale

public java.util.Locale getLocale()

setLocale

public void setLocale(java.util.Locale locale)

getEventMap

public java.util.HashMap getEventMap()

Description copied from interface: User

Returns the hashmap used to store security events for this user. Used by the IntrusionDetector.

Specified by:
    getEventMap in interface User