The Artima Developer Community

Java Buzz Forum
Security stuff is working! :)

Carlos Villela
Carlos Villela is a Java developer working mostly with web technologies and AOP.
Security stuff is working! :) Posted: Jul 20, 2003 9:51 AM

This post originated from an RSS feed registered with Java Buzz by Carlos Villela.
Original Post: Security stuff is working! :)
Feed Title: That's sooo '82!
Feed URL: http://www.jroller.com/rss/cv?catname=Technical
Feed Description: Carlos Villela's weblog. Everyday life, everyday software development, everyday musings.

Just got some security advices to work on Inectis. The code is really simple, and I surely could use some input here.

First, I've got this poorly-named class:

public class SecurityManager {
    public void authenticate(String username, String password) throws SecurityManagerException {
        if (username == null || password == null || "".equals(username) || "".equals(password))
            throw new SecurityManagerException("Invalid login - null or empty username/password");

        // find user with that username
        User user = EntryPoint.findUser(username);
        if(user == null) {
            throw new SecurityManagerException("Invalid login - unknown user");
        }

        // compare passwords and authenticate
        if(((HasPassword)user).getPassword().equals(password)) {
            ((HasLogonInfo)this).setLoggedOn(true);
            ((HasLogonInfo)this).setUser(user);
        } else {
            throw new SecurityManagerException("Invalid login - wrong password");
        }
    }
}

And one introduction, to go along with it:

// Deployed as perThread
public class HasLogonInfoImpl implements HasLogonInfo {

    private boolean loggedOn;
    private User user;

    // getters and setters
}

Now, all I need is the aspect that checks for this stuff before I finish the call. Here we go to some more sloppy code:

    public Object execute(JoinPoint joinPoint) throws Throwable {
        MethodJoinPoint jp = (MethodJoinPoint) joinPoint;

        SecurityManager manager =
            ((HasSecurityManager) new EntryPoint()).getSecurityManager();

        Object target = jp.getTargetObject();
        String method = jp.getMethodName();

        AccessControlList acl = null;

        boolean loggedOn = ((HasLogonInfo) manager).isLoggedOn();
        boolean hasAcl =
            (target instanceof HasAccessControlList)
                && ((acl = ((HasAccessControlList) target).getAccessControlList())
                    != null);

        if (hasAcl) {
            if (loggedOn) {
                return checkAcl(jp, manager, acl);
            } else {
                throw new SecurityManagerException(
                    "User is not logged - call to " + method);
            }
        } else {
            return jp.proceed();
        }
    }


The checkAcl method will remain hidden to protect the innocent and to avoid people having heart attacks (it's as sloppy as it gets for now, but it works). Anyway, you can guess what's going on there.

So, what do you think? Could I have made it better somehow, and I'm missing something important? Please, keep in mind that I don't want to use J2EE-based security, because I don't know yet if this code will run only on a J2EE container (it might be useful to create a desktop app to manage content, maybe?).
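An added example, not part of the original post or of Inectis: the authenticate method above compares the stored password with `equals` and reports "unknown user" and "wrong password" separately, which tells a caller which usernames exist. The sketch below shows a hardened variant using only the JDK (Java 16+ for `record`); the class name, the in-memory user map, the iteration count and the sample account are assumptions made for illustration.

```java
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

// Hypothetical stand-in for the post's SecurityManager; not Inectis code.
public class HardenedAuthExample {
    private static final int ITERATIONS = 210_000, KEY_BITS = 256; // assumed work factor

    // What the user store keeps instead of the plaintext password.
    record StoredCredential(byte[] salt, byte[] hash) {}

    private final Map<String, StoredCredential> users = new HashMap<>();
    // Hashed against when the username is unknown, so both failure paths do the same work.
    private final StoredCredential dummy = newCredential("dummy-password".toCharArray());

    static byte[] pbkdf2(char[] password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    static StoredCredential newCredential(char[] password) {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt); // fresh random salt per user
        return new StoredCredential(salt, pbkdf2(password, salt));
    }

    void register(String username, char[] password) { users.put(username, newCredential(password)); }

    // Returns only true/false: the caller reports one generic "invalid login" for every failure.
    boolean authenticate(String username, char[] password) {
        if (username == null || password == null || username.isEmpty() || password.length == 0) return false;
        StoredCredential known = users.get(username);
        StoredCredential c = (known != null) ? known : dummy;
        boolean match = MessageDigest.isEqual(c.hash(), pbkdf2(password, c.salt())); // constant-time compare
        return known != null && match;
    }

    public static void main(String[] args) {
        HardenedAuthExample auth = new HardenedAuthExample();
        auth.register("carlos", "correct horse".toCharArray()); // constructed sample account
        System.out.println("right password: " + auth.authenticate("carlos", "correct horse".toCharArray()));
        System.out.println("wrong password: " + auth.authenticate("carlos", "wrong".toCharArray()));
        System.out.println("unknown user:   " + auth.authenticate("nobody", "correct horse".toCharArray()));
    }
}
```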
