Package org.owasp.esapi.reference

Class DefaultUser

  • All Implemented Interfaces:
    java.io.Serializable, java.security.Principal, User
    public class DefaultUser
extends java.lang.Object
implements User, java.io.Serializable
    Reference implementation of the User interface. This implementation is serialized into a flat file in a simple format.
    Since:
    June 1, 2007
    Author:
    Jeff Williams (jeff.williams .at. aspectsecurity.com) Aspect Security, Chris Schmidt (chrisisbeef .at. gmail.com) Digital Ritual Software
    See Also:
    User, Serialized Form

    • Field Summary

    • Constructor Summary

      Constructors 
      Constructor Description
      DefaultUser​(java.lang.String accountName)
      Instantiates a new user.

    • Method Summary

      All Methods Instance Methods Concrete Methods 
      Modifier and Type Method Description
      void addRole​(java.lang.String role)
      Adds a role to this user's account.
      void addRoles​(java.util.Set<java.lang.String> newRoles)
      Adds a set of roles to this user's account.
      void addSession​(javax.servlet.http.HttpSession s)
      Adds a session for this User.
      void changePassword​(java.lang.String oldPassword, java.lang.String newPassword1, java.lang.String newPassword2)
      Sets the user's password, performing a verification of the user's old password, the equality of the two new passwords, and the strength of the new password.
      java.lang.Object clone()
      Override clone and make final to prevent duplicate user objects.
      void disable()
      Disable this user's account.
      void enable()
      Enable this user's account.
      long getAccountId()
      Gets this user's account id number.
      java.lang.String getAccountName()
      Gets this user's account name.
      java.lang.String getCSRFToken()
      Gets the CSRF token for this user's current sessions.
      java.util.HashMap getEventMap()
      Returns the hashmap used to store security events for this user.
      java.util.Date getExpirationTime()
      Returns the date that this user's account will expire.
      int getFailedLoginCount()
      Returns the number of failed login attempts since the last successful login for an account.
      java.util.Date getLastFailedLoginTime()
      Returns the date of the last failed login time for a user.
      java.lang.String getLastHostAddress()
      Returns the last host address used by the user.
      java.util.Date getLastLoginTime()
      Returns the date of the last successful login time for a user.
      java.util.Date getLastPasswordChangeTime()
      Gets the date of user's last password change.
      java.util.Locale getLocale()  
      java.lang.String getName()
      java.util.Set<java.lang.String> getRoles()
      Gets the roles assigned to a particular account.
      java.lang.String getScreenName()
      Gets the screen name (alias) for the current user.
      java.util.Set getSessions()
      Returns a Set containing the sessions associated with this User.
      void incrementFailedLoginCount()
      Increment failed login count.
      boolean isAnonymous()
      Checks if user is anonymous.
      boolean isEnabled()
      Checks if this user's account is currently enabled.
      boolean isExpired()
      Checks if this user's account is expired.
      boolean isInRole​(java.lang.String role)
      Checks if this user's account is assigned a particular role.
      boolean isLocked()
      Checks if this user's account is locked.
      boolean isLoggedIn()
      Tests to see if the user is currently logged in.
      boolean isSessionAbsoluteTimeout()
      Tests to see if this user's session has exceeded the absolute time out based on ESAPI's configuration settings.
      boolean isSessionTimeout()
      Tests to see if the user's session has timed out from inactivity based on ESAPI's configuration settings.
      void lock()
      Lock this user's account.
      void loginWithPassword​(java.lang.String password)
      Login with password.
      void logout()
      Logout this user.
      void removeRole​(java.lang.String role)
      Removes a role from this user's account.
      void removeSession​(javax.servlet.http.HttpSession s)
      Removes a session for this User.
      java.lang.String resetCSRFToken()
      Returns a token to be used as a prevention against CSRF attacks.
      void setAccountName​(java.lang.String accountName)
      Sets this user's account name.
      void setExpirationTime​(java.util.Date expirationTime)
      Sets the date and time when this user's account will expire.
      void setLastFailedLoginTime​(java.util.Date lastFailedLoginTime)
      Set the time of the last failed login for this user.
      void setLastHostAddress​(java.lang.String remoteHost)
      Set the last remote host address used by this user.
      void setLastLoginTime​(java.util.Date lastLoginTime)
      Set the time of the last successful login for this user.
      void setLastPasswordChangeTime​(java.util.Date lastPasswordChangeTime)
      Set the time of the last password change for this user.
      void setLocale​(java.util.Locale locale)  
      void setRoles​(java.util.Set<java.lang.String> roles)
      Sets the roles for this account.
      void setScreenName​(java.lang.String screenName)
      Sets the screen name (username alias) for this user.
      java.lang.String toString()
      void unlock()
      Unlock this user's account.
      boolean verifyPassword​(java.lang.String password)
      Verify that the supplied password matches the password for this user.

      • Methods inherited from class java.lang.Object

        equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

      • Methods inherited from interface java.security.Principal

        equals, hashCode, implies

    • Constructor Detail

      • DefaultUser

        public DefaultUser​(java.lang.String accountName)
        Instantiates a new user.
        Parameters:
        accountName - The name of this user's account.

    • Method Detail

      • addRoles

        public void addRoles​(java.util.Set<java.lang.String> newRoles)
              throws AuthenticationException
        Adds a set of roles to this user's account.
        Specified by:
        addRoles in interface User
        Parameters:
        newRoles - the new roles to add
        Throws:
        AuthenticationException - the authentication exception

      • changePassword

        public void changePassword​(java.lang.String oldPassword,
                           java.lang.String newPassword1,
                           java.lang.String newPassword2)
                    throws AuthenticationException,
                           EncryptionException
        Sets the user's password, performing a verification of the user's old password, the equality of the two new passwords, and the strength of the new password.
        Specified by:
        changePassword in interface User
        Parameters:
        oldPassword - the old password
        newPassword1 - the new password
        newPassword2 - the new password - used to verify that the new password was typed correctly
        Throws:
        AuthenticationException - if newPassword1 does not match newPassword2, if oldPassword does not match the stored old password, or if the new password does not meet complexity requirements
        EncryptionException

      • disable

        public void disable()
        Disable this user's account.
        Specified by:
        disable in interface User

      • enable

        public void enable()
        Enable this user's account.
        Specified by:
        enable in interface User

      • getAccountId

        public long getAccountId()
        Gets this user's account id number.
        Specified by:
        getAccountId in interface User
        Returns:
        the account id

      • getAccountName

        public java.lang.String getAccountName()
        Gets this user's account name.
        Specified by:
        getAccountName in interface User
        Returns:
        the account name

      • getCSRFToken

        public java.lang.String getCSRFToken()
        Gets the CSRF token for this user's current sessions.
        Specified by:
        getCSRFToken in interface User
        Returns:
        the CSRF token

      • getExpirationTime

        public java.util.Date getExpirationTime()
        Returns the date that this user's account will expire.
        Specified by:
        getExpirationTime in interface User
        Returns:
        Date representing the account expiration time.

      • getFailedLoginCount

        public int getFailedLoginCount()
        Returns the number of failed login attempts since the last successful login for an account. This method is intended to be used as a part of the account lockout feature, to help protect against brute force attacks. However, the implementor should be aware that lockouts can be used to prevent access to an application by a legitimate user, and should consider the risk of denial of service.
        Specified by:
        getFailedLoginCount in interface User
        Returns:
        the number of failed login attempts since the last successful login

      • getLastFailedLoginTime

        public java.util.Date getLastFailedLoginTime()
        Returns the date of the last failed login time for a user. This date should be used in a message to users after a successful login, to notify them of potential attack activity on their account.
        Specified by:
        getLastFailedLoginTime in interface User
        Returns:
        date of the last failed login

      • getLastHostAddress

        public java.lang.String getLastHostAddress()
        Returns the last host address used by the user. This will be used in any log messages generated by the processing of this request.
        Specified by:
        getLastHostAddress in interface User
        Returns:
        the last host address used by the user

      • getLastLoginTime

        public java.util.Date getLastLoginTime()
        Returns the date of the last successful login time for a user. This date should be used in a message to users after a successful login, to notify them of potential attack activity on their account.
        Specified by:
        getLastLoginTime in interface User
        Returns:
        date of the last successful login

      • getLastPasswordChangeTime

        public java.util.Date getLastPasswordChangeTime()
        Gets the date of user's last password change.
        Specified by:
        getLastPasswordChangeTime in interface User
        Returns:
        the date of last password change

      • getName

        public java.lang.String getName()
        Specified by:
        getName in interface java.security.Principal

      • getRoles

        public java.util.Set<java.lang.String> getRoles()
        Gets the roles assigned to a particular account.
        Specified by:
        getRoles in interface User
        Returns:
        an immutable set of roles

      • getScreenName

        public java.lang.String getScreenName()
        Gets the screen name (alias) for the current user.
        Specified by:
        getScreenName in interface User
        Returns:
        the screen name

      • addSession

        public void addSession​(javax.servlet.http.HttpSession s)
        Adds a session for this User.
        Specified by:
        addSession in interface User
        Parameters:
        s - The session to associate with this user.

      • removeSession

        public void removeSession​(javax.servlet.http.HttpSession s)
        Removes a session for this User.
        Specified by:
        removeSession in interface User
        Parameters:
        s - The session to remove from being associated with this user.

      • getSessions

        public java.util.Set getSessions()
        Returns a Set containing the sessions associated with this User.
        Specified by:
        getSessions in interface User
        Returns:
        The Set of sessions for this User.

      • incrementFailedLoginCount

        public void incrementFailedLoginCount()
        Increment failed login count.
        Specified by:
        incrementFailedLoginCount in interface User

      • isAnonymous

        public boolean isAnonymous()
        Checks if user is anonymous.
        Specified by:
        isAnonymous in interface User
        Returns:
        true, if user is anonymous

      • isEnabled

        public boolean isEnabled()
        Checks if this user's account is currently enabled.
        Specified by:
        isEnabled in interface User
        Returns:
        true, if account is enabled

      • isExpired

        public boolean isExpired()
        Checks if this user's account is expired.
        Specified by:
        isExpired in interface User
        Returns:
        true, if account is expired

      • isInRole

        public boolean isInRole​(java.lang.String role)
        Checks if this user's account is assigned a particular role.
        Specified by:
        isInRole in interface User
        Parameters:
        role - the role for which to check
        Returns:
        true, if role has been assigned to user

      • isLocked

        public boolean isLocked()
        Checks if this user's account is locked.
        Specified by:
        isLocked in interface User
        Returns:
        true, if account is locked

      • isLoggedIn

        public boolean isLoggedIn()
        Tests to see if the user is currently logged in.
        Specified by:
        isLoggedIn in interface User
        Returns:
        true, if the user is logged in

      • isSessionAbsoluteTimeout

        public boolean isSessionAbsoluteTimeout()
        Tests to see if this user's session has exceeded the absolute time out based on ESAPI's configuration settings.
        Specified by:
        isSessionAbsoluteTimeout in interface User
        Returns:
        true, if user's session has exceeded the absolute time out

      • isSessionTimeout

        public boolean isSessionTimeout()
        Tests to see if the user's session has timed out from inactivity based on ESAPI's configuration settings. A session may timeout prior to ESAPI's configuration setting due to the servlet container setting for session-timeout in web.xml. The following is an example of a web.xml session-timeout set for one hour. 60
        Specified by:
        isSessionTimeout in interface User
        Returns:
        true, if user's session has timed out from inactivity based on ESAPI configuration

      • lock

        public void lock()
        Lock this user's account.
        Specified by:
        lock in interface User

      • logout

        public void logout()
        Logout this user.
        Specified by:
        logout in interface User

      • removeRole

        public void removeRole​(java.lang.String role)
        Removes a role from this user's account.
        Specified by:
        removeRole in interface User
        Parameters:
        role - the role to remove

      • resetCSRFToken

        public java.lang.String resetCSRFToken()
        Returns a token to be used as a prevention against CSRF attacks. This token should be added to all links and forms. The application should verify that all requests contain the token, or they may have been generated by a CSRF attack. It is generally best to perform the check in a centralized location, either a filter or controller. See the verifyCSRFToken method. In this implementation, we have chosen to use a random token that is stored in the User object. Note that it is possible to avoid the use of server side state by using either the hash of the users's session id or an encrypted token that includes a timestamp and the user's IP address. user's IP address. A relatively short 8 character string has been chosen because this token will appear in all links and forms.
        Specified by:
        resetCSRFToken in interface User
        Returns:
        the string

      • setAccountName

        public void setAccountName​(java.lang.String accountName)
        Sets this user's account name.
        Specified by:
        setAccountName in interface User
        Parameters:
        accountName - the new account name

      • setExpirationTime

        public void setExpirationTime​(java.util.Date expirationTime)
        Sets the date and time when this user's account will expire.
        Specified by:
        setExpirationTime in interface User
        Parameters:
        expirationTime - the new expiration time

      • setLastFailedLoginTime

        public void setLastFailedLoginTime​(java.util.Date lastFailedLoginTime)
        Set the time of the last failed login for this user.
        Specified by:
        setLastFailedLoginTime in interface User
        Parameters:
        lastFailedLoginTime - the date and time when the user just failed to login correctly.

      • setLastLoginTime

        public void setLastLoginTime​(java.util.Date lastLoginTime)
        Set the time of the last successful login for this user.
        Specified by:
        setLastLoginTime in interface User
        Parameters:
        lastLoginTime - the date and time when the user just successfully logged in.

      • setLastPasswordChangeTime

        public void setLastPasswordChangeTime​(java.util.Date lastPasswordChangeTime)
        Set the time of the last password change for this user.
        Specified by:
        setLastPasswordChangeTime in interface User
        Parameters:
        lastPasswordChangeTime - the date and time when the user just successfully changed his/her password.

      • setScreenName

        public void setScreenName​(java.lang.String screenName)
        Sets the screen name (username alias) for this user.
        Specified by:
        setScreenName in interface User
        Parameters:
        screenName - the new screen name

      • toString

        public java.lang.String toString()
        Specified by:
        toString in interface java.security.Principal
        Overrides:
        toString in class java.lang.Object

      • unlock

        public void unlock()
        Unlock this user's account.
        Specified by:
        unlock in interface User

      • verifyPassword

        public boolean verifyPassword​(java.lang.String password)
        Verify that the supplied password matches the password for this user. This method is typically used for "reauthentication" for the most sensitive functions, such as transactions, changing email address, and changing other account information.
        Specified by:
        verifyPassword in interface User
        Parameters:
        password - the password that the user entered
        Returns:
        true, if the password passed in matches the account's password

      • clone

        public final java.lang.Object clone()
                             throws java.lang.CloneNotSupportedException
        Override clone and make final to prevent duplicate user objects.
        Overrides:
        clone in class java.lang.Object
        Returns:
        Nothing, as clone() is not supported for this class. A CloneNotSupportedException is always thrown for this class.
        Throws:
        java.lang.CloneNotSupportedException

      • getLocale

        public java.util.Locale getLocale()
        Specified by:
        getLocale in interface User
        Returns:
        the locale

      • setLocale

        public void setLocale​(java.util.Locale locale)
        Specified by:
        setLocale in interface User
        Parameters:
        locale - the locale to set

      • getEventMap

        public java.util.HashMap getEventMap()
        Description copied from interface: User
        Returns the hashmap used to store security events for this user. Used by the IntrusionDetector.
        Specified by:
        getEventMap in interface User