Class JdbcRealm

  • All Implemented Interfaces:
    org.apache.shiro.authc.LogoutAware, org.apache.shiro.authz.Authorizer, org.apache.shiro.authz.permission.PermissionResolverAware, org.apache.shiro.authz.permission.RolePermissionResolverAware, org.apache.shiro.cache.CacheManagerAware, org.apache.shiro.realm.Realm, org.apache.shiro.util.Initializable, org.apache.shiro.util.Nameable

    public class JdbcRealm
    extends org.apache.shiro.realm.jdbc.JdbcRealm
    Used by the Shiro framework for retrieving authentication and authorization data from the database. Relies on the bcd_sec_user and bcd_sec_user_settings BindingSets, providing support for plaintext passwords (backwards compatibility) and for salted/hashed passwords using SHA256 hashing. The default hash iteration count is 1024 and can be adjusted in shiro.ini by setting the .hashIterations property. The default mode is hashed/salted; it can be disabled by not having a binding item password_salt in bcd_sec_user in the Shiro configuration when declaring this realm. When creating a new password, please use the generatePasswordHashSalt(String, int) method of this class.
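As an added illustration (not the project's code), the Python below reimplements the hashing convention the description refers to, namely Shiro's iterated SHA-256 over salt || password with hex-encoded output as checked by Sha256CredentialsMatcher, and adds a small audit for accounts still stored in the plaintext compatibility mode. The 16-byte salt length and the treatment of the stored hex salt string as raw bytes (Shiro's JdbcRealm behaviour for SaltStyle.COLUMN without base64 decoding) are assumptions; compare against the realm's actual generatePasswordHashSalt output before relying on them.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, List, Optional, Tuple

DEFAULT_HASH_ITERATIONS = 1024  # default iteration count stated in the class description


def shiro_sha256_hex(password: str, salt: bytes, iterations: int = DEFAULT_HASH_ITERATIONS) -> str:
    """Iterated SHA-256 as Shiro's SimpleHash computes it: digest(salt || password),
    then re-digest the raw result (iterations - 1) more times; hex-encoded output."""
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha256(digest).digest()
    return digest.hex()


def generate_password_hash_salt(password: str, iterations: int = DEFAULT_HASH_ITERATIONS) -> Tuple[str, str]:
    """Illustrative counterpart of generatePasswordHashSalt(String, int): returns (hash_hex, salt_hex).
    Assumption: a 16-byte random salt, stored hex-encoded, and fed to the hash as the bytes of
    that hex string (what Shiro's JdbcRealm does for SaltStyle.COLUMN without base64 decoding)."""
    salt_hex = secrets.token_hex(16)
    return shiro_sha256_hex(password, salt_hex.encode("utf-8"), iterations), salt_hex


def verify(password: str, stored_password: str, stored_salt: Optional[str],
           iterations: int = DEFAULT_HASH_ITERATIONS) -> bool:
    """Recompute from the stored salt and compare in constant time. A missing salt means the
    legacy plaintext mode the page describes, where the stored value is the password itself."""
    if not stored_salt:
        return hmac.compare_digest(password.encode("utf-8"), stored_password.encode("utf-8"))
    recomputed = shiro_sha256_hex(password, stored_salt.encode("utf-8"), iterations)
    return hmac.compare_digest(recomputed, stored_password)


def accounts_needing_migration(rows: Iterable[Tuple[str, str, Optional[str]]]) -> List[str]:
    """Audit over constructed (user_login, password column, salt column) rows as read from
    bcd_sec_user: an empty salt, or a stored value that is not 64 hex chars, is still plaintext."""
    flagged = []
    for login, stored_password, stored_salt in rows:
        is_hex_sha256 = len(stored_password) == 64 and all(c in "0123456789abcdef" for c in stored_password.lower())
        if not stored_salt or not is_hex_sha256:
            flagged.append(login)
    return flagged
```

Note that the iteration count used at verification must equal the one used when the hash was created, so changing .hashIterations requires re-hashing existing accounts.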
    • Nested Class Summary

      • Nested classes/interfaces inherited from class org.apache.shiro.realm.jdbc.JdbcRealm

        org.apache.shiro.realm.jdbc.JdbcRealm.SaltStyle
    • Constructor Summary

      Constructors 
      Constructor Description
      JdbcRealm()  
    • Method Summary

      Modifier and Type Method Description
      protected void assertCredentialsMatch​(org.apache.shiro.authc.AuthenticationToken token, org.apache.shiro.authc.AuthenticationInfo authInfo)
      Asserts that the submitted AuthenticationToken's credentials match the stored account AuthenticationInfo's credentials, and if not, throws an AuthenticationException.
      protected org.apache.shiro.authc.AuthenticationInfo doGetAuthenticationInfo​(org.apache.shiro.authc.AuthenticationToken token)  
      protected org.apache.shiro.authz.AuthorizationInfo doGetAuthorizationInfo​(org.apache.shiro.subject.PrincipalCollection arg0)
      The super implementation relies on dataSource here.
      static java.lang.String[] generatePasswordHashSalt​(java.lang.String plainTextPassword)
      Convenience method using default number of iterations
      static java.lang.String[] generatePasswordHashSalt​(java.lang.String plainTextPassword, int iterations)
      Generates a password hash and salt using the given number of iterations (DEFAULT_HASH_ITERATIONS by default), for use with Sha256CredentialsMatcher. The hash and salt are returned as hex-encoded strings, compatible with JdbcRealm.
      protected java.lang.String[] getAccountCredentials​(java.lang.String userLogin)
      To support hashed passwords with salt, we have to load the stored password hash and the salt (if salted) from the database, so the hash can be recomputed and verified.
      protected java.lang.String getAvailablePrincipal​(org.apache.shiro.subject.PrincipalCollection pc)
      Returns the user-id to be used with getPermissions(Connection, String, Collection) and getRoleNamesForUser(Connection, String). If available, we return the technical user id here; we know it exists if we find a PrimaryPrincipal.
      static java.lang.String getConfigPasswordColumnName()  
      static java.lang.String getConfigPasswordSaltColumnName()  
      org.apache.shiro.authc.credential.CredentialsMatcher getCredentialsMatcher()  
      protected java.lang.String getCustomJdbcType​(BindingItem bindingItem)
      Support for type-name=OTHER, cust:type-name=uuid
      protected javax.sql.DataSource getDataSource()  
      protected java.lang.String getDefineJdbcParameter​(java.lang.String columnExpression, java.lang.String customType)
      Support for custom JDBC types; any explicit casts are applied here.
      static int getHashIterations()  
      java.lang.String getPasswordColumnName()  
      java.lang.String getPasswordSaltColumnName()  
      protected java.util.Set<java.lang.String> getPermissions​(java.sql.Connection con, java.lang.String userId, java.util.Collection<java.lang.String> roleNames)  
      protected java.util.Set<java.lang.String> getRoleNamesForUser​(java.sql.Connection con, java.lang.String userId)
      Loads roles from the database.
      static void main​(java.lang.String[] args)
      Main helper to create passwords interactively or from a command-line argument.
      static void setConfigPasswordColumnName​(java.lang.String configPasswordColumnName)  
      static void setConfigPasswordSaltColumnName​(java.lang.String configPasswordSaltColumnName)  
      void setHashIterations​(int hashIterations)  
      void setPasswordColumnName​(java.lang.String passwordColumnsName)
      These setters are called from Shiro if realmBcdJdbc.#propertyname# properties are set in web.xml.
      void setPasswordSaltColumnName​(java.lang.String passwordSaltColumnName)  
      boolean supports​(org.apache.shiro.authc.AuthenticationToken token)
      An ExternalAuthenticationToken indicates that the authentication has already happened externally; we let the user through here.
      • Methods inherited from class org.apache.shiro.realm.jdbc.JdbcRealm

        getSaltForUser, setAuthenticationQuery, setDataSource, setPermissionsLookupEnabled, setPermissionsQuery, setSaltIsBase64Encoded, setSaltStyle, setUserRolesQuery
      • Methods inherited from class org.apache.shiro.realm.AuthorizingRealm

        afterCacheManagerSet, checkPermission, checkPermission, checkPermission, checkPermissions, checkPermissions, checkPermissions, checkRole, checkRole, checkRoles, checkRoles, checkRoles, clearCachedAuthorizationInfo, doClearCache, getAuthorizationCache, getAuthorizationCacheKey, getAuthorizationCacheName, getAuthorizationInfo, getPermissionResolver, getPermissions, getRolePermissionResolver, hasAllRoles, hasRole, hasRole, hasRoles, hasRoles, isAuthorizationCachingEnabled, isPermitted, isPermitted, isPermitted, isPermitted, isPermitted, isPermitted, isPermittedAll, isPermittedAll, isPermittedAll, onInit, setAuthorizationCache, setAuthorizationCacheName, setAuthorizationCachingEnabled, setName, setPermissionResolver, setRolePermissionResolver
      • Methods inherited from class org.apache.shiro.realm.AuthenticatingRealm

        clearCachedAuthenticationInfo, getAuthenticationCache, getAuthenticationCacheKey, getAuthenticationCacheKey, getAuthenticationCacheName, getAuthenticationInfo, getAuthenticationTokenClass, init, isAuthenticationCachingEnabled, isAuthenticationCachingEnabled, setAuthenticationCache, setAuthenticationCacheName, setAuthenticationCachingEnabled, setAuthenticationTokenClass, setCredentialsMatcher
      • Methods inherited from class org.apache.shiro.realm.CachingRealm

        clearCache, getCacheManager, getName, isCachingEnabled, onLogout, setCacheManager, setCachingEnabled
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
      • Methods inherited from interface org.apache.shiro.util.Initializable

        init
    • Field Detail

      • BCD_SEC_USER_PASSWORD_BINDINGITEM

        public static final java.lang.String BCD_SEC_USER_PASSWORD_BINDINGITEM
        See Also:
        Constant Field Values
      • BCD_SEC_USER_PASSWORD_SALT_BINDINGITEM

        public static final java.lang.String BCD_SEC_USER_PASSWORD_SALT_BINDINGITEM
        See Also:
        Constant Field Values
      • BCD_SEC_USER_PASSWORD_COLUMN_NAME_DEFAULT

        public static final java.lang.String BCD_SEC_USER_PASSWORD_COLUMN_NAME_DEFAULT
        See Also:
        Constant Field Values
      • BCD_SEC_USER_PASSWORD_SALT_COLUMN_NAME_DEFAULT

        public static final java.lang.String BCD_SEC_USER_PASSWORD_SALT_COLUMN_NAME_DEFAULT
        See Also:
        Constant Field Values
      • DEFAULT_HASH_ITERATIONS

        public static final int DEFAULT_HASH_ITERATIONS
        See Also:
        Constant Field Values
    • Constructor Detail

      • JdbcRealm

        public JdbcRealm()
    • Method Detail

      • getCustomJdbcType

        protected java.lang.String getCustomJdbcType​(BindingItem bindingItem)
        Support for type-name=OTHER, cust:type-name=uuid
        Parameters:
        bindingItem -
        Returns:
        cust:type-name , if defined
      • getDefineJdbcParameter

        protected java.lang.String getDefineJdbcParameter​(java.lang.String columnExpression,
                                                          java.lang.String customType)
        Support for custom JDBC types; any explicit casts are applied here.
        Parameters:
        columnExpression -
        customType - (may be null)
        Returns:
      • getDataSource

        protected javax.sql.DataSource getDataSource()
        Returns:
        unmanaged data source; the caller is responsible for closing connections
      • getCredentialsMatcher

        public org.apache.shiro.authc.credential.CredentialsMatcher getCredentialsMatcher()
        Overrides:
        getCredentialsMatcher in class org.apache.shiro.realm.AuthenticatingRealm
      • getAccountCredentials

        protected java.lang.String[] getAccountCredentials​(java.lang.String userLogin)
                                                    throws java.sql.SQLException
        To support hashed passwords with salt, we have to load the stored password hash and the salt (if salted) from the database, so the hash can be recomputed and verified.
        Parameters:
        userLogin -
        Returns:
        array of [technical user id, password (string), salt (string)], or null if userLogin is not known; the salt may be null if salting is not supported
        Throws:
        java.sql.SQLException
      • supports

        public boolean supports​(org.apache.shiro.authc.AuthenticationToken token)
        An ExternalAuthenticationToken indicates that the authentication has already happened externally; we let the user through here.
        Specified by:
        supports in interface org.apache.shiro.realm.Realm
        Overrides:
        supports in class org.apache.shiro.realm.AuthenticatingRealm
      • getAvailablePrincipal

        protected java.lang.String getAvailablePrincipal​(org.apache.shiro.subject.PrincipalCollection pc)
        Returns the user-id to be used with getPermissions(Connection, String, Collection) and getRoleNamesForUser(Connection, String). If available, we return the technical user id here; we know it exists if we find a PrimaryPrincipal. Otherwise we use the plain user name.
        Overrides:
        getAvailablePrincipal in class org.apache.shiro.realm.CachingRealm
      • assertCredentialsMatch

        protected void assertCredentialsMatch​(org.apache.shiro.authc.AuthenticationToken token,
                                              org.apache.shiro.authc.AuthenticationInfo authInfo)
                                       throws org.apache.shiro.authc.AuthenticationException
        Asserts that the submitted AuthenticationToken's credentials match the stored account AuthenticationInfo's credentials, and if not, throws an AuthenticationException. In our case we do not need to verify credentials for Windows-SSO or OAuth, because those mechanisms are responsible for it.
        Overrides:
        assertCredentialsMatch in class org.apache.shiro.realm.AuthenticatingRealm
        Throws:
        org.apache.shiro.authc.AuthenticationException
      • doGetAuthenticationInfo

        protected org.apache.shiro.authc.AuthenticationInfo doGetAuthenticationInfo​(org.apache.shiro.authc.AuthenticationToken token)
                                                                             throws org.apache.shiro.authc.AuthenticationException
        Overrides:
        doGetAuthenticationInfo in class org.apache.shiro.realm.jdbc.JdbcRealm
        Throws:
        org.apache.shiro.authc.AuthenticationException
      • getRoleNamesForUser

        protected java.util.Set<java.lang.String> getRoleNamesForUser​(java.sql.Connection con,
                                                                      java.lang.String userId)
                                                               throws java.sql.SQLException
        Loads roles from the database.
        Overrides:
        getRoleNamesForUser in class org.apache.shiro.realm.jdbc.JdbcRealm
        Throws:
        java.sql.SQLException
      • getPermissions

        protected java.util.Set<java.lang.String> getPermissions​(java.sql.Connection con,
                                                                 java.lang.String userId,
                                                                 java.util.Collection<java.lang.String> roleNames)
                                                          throws java.sql.SQLException
        Overrides:
        getPermissions in class org.apache.shiro.realm.jdbc.JdbcRealm
        Throws:
        java.sql.SQLException
      • doGetAuthorizationInfo

        protected org.apache.shiro.authz.AuthorizationInfo doGetAuthorizationInfo​(org.apache.shiro.subject.PrincipalCollection arg0)
        The super implementation relies on dataSource here.
        Overrides:
        doGetAuthorizationInfo in class org.apache.shiro.realm.jdbc.JdbcRealm
      • generatePasswordHashSalt

        public static java.lang.String[] generatePasswordHashSalt​(java.lang.String plainTextPassword,
                                                                  int iterations)
        Generates a password hash and salt using the given number of iterations (DEFAULT_HASH_ITERATIONS by default), for use with Sha256CredentialsMatcher. The hash and salt are returned as hex-encoded strings, compatible with JdbcRealm.
        Parameters:
        plainTextPassword -
        iterations -
        Returns:
        [ password hash (hex), password salt (hex) ]
      • generatePasswordHashSalt

        public static java.lang.String[] generatePasswordHashSalt​(java.lang.String plainTextPassword)
        Convenience method using the default number of iterations.
        Parameters:
        plainTextPassword -
        Returns:
      • main

        public static void main​(java.lang.String[] args)
                         throws java.lang.Throwable
        Main helper to create passwords interactively or from a command-line argument.
        Parameters:
        args -
        Throws:
        java.lang.Throwable
      • setPasswordColumnName

        public void setPasswordColumnName​(java.lang.String passwordColumnsName)
        These setters are called from Shiro if realmBcdJdbc.#propertyname# properties are set in web.xml.
      • getPasswordColumnName

        public java.lang.String getPasswordColumnName()
      • setPasswordSaltColumnName

        public void setPasswordSaltColumnName​(java.lang.String passwordSaltColumnName)
      • getPasswordSaltColumnName

        public java.lang.String getPasswordSaltColumnName()
      • setHashIterations

        public void setHashIterations​(int hashIterations)
      • getHashIterations

        public static int getHashIterations()
      • getConfigPasswordColumnName

        public static java.lang.String getConfigPasswordColumnName()
      • setConfigPasswordColumnName

        public static void setConfigPasswordColumnName​(java.lang.String configPasswordColumnName)
      • getConfigPasswordSaltColumnName

        public static java.lang.String getConfigPasswordSaltColumnName()
      • setConfigPasswordSaltColumnName

        public static void setConfigPasswordSaltColumnName​(java.lang.String configPasswordSaltColumnName)