org.owasp.esapi.reference

Class DefaultUser

java.lang.Object

org.owasp.esapi.reference.DefaultUser

All Implemented Interfaces:

java.io.Serializable, java.security.Principal, User

public class DefaultUser
extends java.lang.Object
implements User, java.io.Serializable

Reference implementation of the User interface. This implementation is serialized into a flat file in a simple format.

Since:

June 1, 2007

See Also:

User, Serialized Form

Field Summary

Fields

Modifier and Type	Field and Description
private static int	ABSOLUTE_TIMEOUT_LENGTH The absolute timeout length specified in the ESAPI config file.
(package private) long	accountId This user's account id.
private java.lang.String	accountName This user's account name.
private java.lang.String	csrfToken This user's CSRF token.
private boolean	enabled Whether this user's account is enabled.
private java.util.HashMap	eventMap The event map for this User
private java.util.Date	expirationTime The expiration date/time for this user's account.
private int	failedLoginCount The failed login count for this user's account.
private static int	IDLE_TIMEOUT_LENGTH The idle timeout length specified in the ESAPI config file.
private java.util.Date	lastFailedLoginTime The last failed login time for this user.
private java.lang.String	lastHostAddress The last host address used by this user.
private java.util.Date	lastLoginTime The last login time for this user.
private java.util.Date	lastPasswordChangeTime The last password change time for this user.
private java.util.Locale	locale This user's Locale.
private boolean	locked Whether this user's account is locked.
private boolean	loggedIn Whether this user is logged in.
private Logger	logger The logger used by the class.
private static int	MAX_ROLE_LENGTH
private java.util.Set<java.lang.String>	roles This user's assigned roles.
private java.lang.String	screenName This user's screen name (account name alias).
private static long	serialVersionUID The Constant serialVersionUID.
private java.util.Set<javax.servlet.http.HttpSession>	sessions The sessions this user is associated with

Fields inherited from interface org.owasp.esapi.User

ANONYMOUS

Constructor Summary

Constructors

Constructor and Description
DefaultUser(java.lang.String accountName) Instantiates a new user.

Method Summary

Modifier and Type	Method and Description
void	addRole(java.lang.String role) Adds a role to this user's account.
void	addRoles(java.util.Set<java.lang.String> newRoles) Adds a set of roles to this user's account.
void	addSession(javax.servlet.http.HttpSession s) Adds a session for this User.
void	changePassword(java.lang.String oldPassword, java.lang.String newPassword1, java.lang.String newPassword2) Sets the user's password, performing a verification of the user's old password, the equality of the two new passwords, and the strength of the new password.
java.lang.Object	clone() Override clone and make final to prevent duplicate user objects.
void	disable() Disable this user's account.
void	enable() Enable this user's account.
long	getAccountId() Gets this user's account id number.
java.lang.String	getAccountName() Gets this user's account name.
java.lang.String	getCSRFToken() Gets the CSRF token for this user's current sessions.
java.util.HashMap	getEventMap() Returns the hashmap used to store security events for this user.
java.util.Date	getExpirationTime() Returns the date that this user's account will expire.
int	getFailedLoginCount() Returns the number of failed login attempts since the last successful login for an account.
java.util.Date	getLastFailedLoginTime() Returns the date of the last failed login time for a user.
java.lang.String	getLastHostAddress() Returns the last host address used by the user.
java.util.Date	getLastLoginTime() Returns the date of the last successful login time for a user.
java.util.Date	getLastPasswordChangeTime() Gets the date of user's last password change.
java.util.Locale	getLocale()
java.lang.String	getName()
java.util.Set<java.lang.String>	getRoles() Gets the roles assigned to a particular account.
java.lang.String	getScreenName() Gets the screen name (alias) for the current user.
java.util.Set	getSessions() Returns the list of sessions associated with this User.
void	incrementFailedLoginCount() Increment failed login count.
boolean	isAnonymous() Checks if user is anonymous.
boolean	isEnabled() Checks if this user's account is currently enabled.
boolean	isExpired() Checks if this user's account is expired.
boolean	isInRole(java.lang.String role) Checks if this user's account is assigned a particular role.
boolean	isLocked() Checks if this user's account is locked.
boolean	isLoggedIn() Tests to see if the user is currently logged in.
boolean	isSessionAbsoluteTimeout() Tests to see if this user's session has exceeded the absolute time out based on ESAPI's configuration settings.
boolean	isSessionTimeout() Tests to see if the user's session has timed out from inactivity based on ESAPI's configuration settings.
void	lock() Lock this user's account.
void	loginWithPassword(java.lang.String password) Login with password.
void	logout() Logout this user.
void	removeRole(java.lang.String role) Removes a role from this user's account.
void	removeSession(javax.servlet.http.HttpSession s) Removes a session for this User.
java.lang.String	resetCSRFToken() Returns a token to be used as a prevention against CSRF attacks.
private void	setAccountId(long accountId) Sets the account id for this user's account.
void	setAccountName(java.lang.String accountName) Sets this user's account name.
void	setExpirationTime(java.util.Date expirationTime) Sets the date and time when this user's account will expire.
(package private) void	setFailedLoginCount(int count) Set the failed login count
void	setLastFailedLoginTime(java.util.Date lastFailedLoginTime) Set the time of the last failed login for this user.
void	setLastHostAddress(java.lang.String remoteHost) Set the last remote host address used by this user.
void	setLastLoginTime(java.util.Date lastLoginTime) Set the time of the last successful login for this user.
void	setLastPasswordChangeTime(java.util.Date lastPasswordChangeTime) Set the time of the last password change for this user.
void	setLocale(java.util.Locale locale)
void	setRoles(java.util.Set<java.lang.String> roles) Sets the roles for this account.
void	setScreenName(java.lang.String screenName) Sets the screen name (username alias) for this user.
java.lang.String	toString()
void	unlock() Unlock this user's account.
boolean	verifyPassword(java.lang.String password) Verify that the supplied password matches the password for this user.

Methods inherited from class java.lang.Object

equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Methods inherited from interface java.security.Principal

equals, hashCode, implies

Field Detail

serialVersionUID

private static final long serialVersionUID

The Constant serialVersionUID.

See Also:

Constant Field Values

IDLE_TIMEOUT_LENGTH

private static final int IDLE_TIMEOUT_LENGTH

The idle timeout length specified in the ESAPI config file.

ABSOLUTE_TIMEOUT_LENGTH

private static final int ABSOLUTE_TIMEOUT_LENGTH

The absolute timeout length specified in the ESAPI config file.

logger

private final transient Logger logger

The logger used by the class.

accountId

long accountId

This user's account id.

accountName

private java.lang.String accountName

This user's account name.

screenName

private java.lang.String screenName

This user's screen name (account name alias).

csrfToken

private java.lang.String csrfToken

This user's CSRF token.

roles

private java.util.Set<java.lang.String> roles

This user's assigned roles.

locked

private boolean locked

Whether this user's account is locked.

loggedIn

private boolean loggedIn

Whether this user is logged in.

enabled

private boolean enabled

Whether this user's account is enabled.

lastHostAddress

private java.lang.String lastHostAddress

The last host address used by this user.

lastPasswordChangeTime

private java.util.Date lastPasswordChangeTime

The last password change time for this user.

lastLoginTime

private java.util.Date lastLoginTime

The last login time for this user.

lastFailedLoginTime

private java.util.Date lastFailedLoginTime

The last failed login time for this user.

expirationTime

private java.util.Date expirationTime

The expiration date/time for this user's account.

sessions

private transient java.util.Set<javax.servlet.http.HttpSession> sessions

The sessions this user is associated with

eventMap

private transient java.util.HashMap eventMap

The event map for this User

failedLoginCount

private int failedLoginCount

The failed login count for this user's account.

locale

private java.util.Locale locale

This user's Locale.

MAX_ROLE_LENGTH

private static final int MAX_ROLE_LENGTH

See Also:

Constant Field Values

Constructor Detail

DefaultUser

public DefaultUser(java.lang.String accountName)

Instantiates a new user.

Parameters:

accountName - The name of this user's account.

Method Detail

addRole

public void addRole(java.lang.String role)
             throws AuthenticationException

Adds a role to this user's account.

Specified by:

addRole in interface User

Parameters:

role - the role to add

Throws:

AuthenticationException - the authentication exception

addRoles

public void addRoles(java.util.Set<java.lang.String> newRoles)
              throws AuthenticationException

Adds a set of roles to this user's account.

Specified by:

addRoles in interface User

Parameters:

newRoles - the new roles to add

Throws:

AuthenticationException - the authentication exception

changePassword

public void changePassword(java.lang.String oldPassword,
                           java.lang.String newPassword1,
                           java.lang.String newPassword2)
                    throws AuthenticationException,
                           EncryptionException

Sets the user's password, performing a verification of the user's old password, the equality of the two new passwords, and the strength of the new password.

Specified by:

changePassword in interface User

Parameters:

oldPassword - the old password

newPassword1 - the new password

newPassword2 - the new password - used to verify that the new password was typed correctly

Throws:

AuthenticationException - if newPassword1 does not match newPassword2, if oldPassword does not match the stored old password, or if the new password does not meet complexity requirements

EncryptionException

disable

public void disable()

Disable this user's account.

Specified by:

disable in interface User

enable

public void enable()

Enable this user's account.

Specified by:

enable in interface User

getAccountId

public long getAccountId()

Gets this user's account id number.

Specified by:

getAccountId in interface User

Returns:

the account id

getAccountName

public java.lang.String getAccountName()

Gets this user's account name.

Specified by:

getAccountName in interface User

Returns:

the account name

getCSRFToken

public java.lang.String getCSRFToken()

Gets the CSRF token for this user's current sessions.

Specified by:

getCSRFToken in interface User

Returns:

the CSRF token

getExpirationTime

public java.util.Date getExpirationTime()

Returns the date that this user's account will expire.

Specified by:

getExpirationTime in interface User

Returns:

Date representing the account expiration time.

getFailedLoginCount

public int getFailedLoginCount()

Returns the number of failed login attempts since the last successful login for an account. This method is intended to be used as a part of the account lockout feature, to help protect against brute force attacks. However, the implementor should be aware that lockouts can be used to prevent access to an application by a legitimate user, and should consider the risk of denial of service.

Specified by:

getFailedLoginCount in interface User

Returns:

the number of failed login attempts since the last successful login

setFailedLoginCount

void setFailedLoginCount(int count)

Set the failed login count

Parameters:

count - the number of failed logins

getLastFailedLoginTime

public java.util.Date getLastFailedLoginTime()

Returns the date of the last failed login time for a user. This date should be used in a message to users after a successful login, to notify them of potential attack activity on their account.

Specified by:

getLastFailedLoginTime in interface User

Returns:

date of the last failed login

getLastHostAddress

public java.lang.String getLastHostAddress()

Returns the last host address used by the user. This will be used in any log messages generated by the processing of this request.

Specified by:

getLastHostAddress in interface User

Returns:

the last host address used by the user

getLastLoginTime

public java.util.Date getLastLoginTime()

Returns the date of the last successful login time for a user. This date should be used in a message to users after a successful login, to notify them of potential attack activity on their account.

Specified by:

getLastLoginTime in interface User

Returns:

date of the last successful login

getLastPasswordChangeTime

public java.util.Date getLastPasswordChangeTime()

Gets the date of user's last password change.

Specified by:

getLastPasswordChangeTime in interface User

Returns:

the date of last password change

getName

public java.lang.String getName()

Specified by:

getName in interface java.security.Principal

Returns:

getRoles

public java.util.Set<java.lang.String> getRoles()

Gets the roles assigned to a particular account.

Specified by:

getRoles in interface User

Returns:

an immutable set of roles

getScreenName

public java.lang.String getScreenName()

Gets the screen name (alias) for the current user.

Specified by:

getScreenName in interface User

Returns:

the screen name

addSession

public void addSession(javax.servlet.http.HttpSession s)

Adds a session for this User.

Specified by:

addSession in interface User

Parameters:

s - The session to associate with this user.

removeSession

public void removeSession(javax.servlet.http.HttpSession s)

Removes a session for this User.

Specified by:

removeSession in interface User

Parameters:

s - The session to remove from being associated with this user.

getSessions

public java.util.Set getSessions()

Returns the list of sessions associated with this User.

Specified by:

getSessions in interface User

Returns:

incrementFailedLoginCount

public void incrementFailedLoginCount()

Increment failed login count.

Specified by:

incrementFailedLoginCount in interface User

isAnonymous

public boolean isAnonymous()

Checks if user is anonymous.

Specified by:

isAnonymous in interface User

Returns:

true, if user is anonymous

isEnabled

public boolean isEnabled()

Checks if this user's account is currently enabled.

Specified by:

isEnabled in interface User

Returns:

true, if account is enabled

isExpired

public boolean isExpired()

Checks if this user's account is expired.

Specified by:

isExpired in interface User

Returns:

true, if account is expired

isInRole

public boolean isInRole(java.lang.String role)

Checks if this user's account is assigned a particular role.

Specified by:

isInRole in interface User

Parameters:

role - the role for which to check

Returns:

true, if role has been assigned to user

isLocked

public boolean isLocked()

Checks if this user's account is locked.

Specified by:

isLocked in interface User

Returns:

true, if account is locked

isLoggedIn

public boolean isLoggedIn()

Tests to see if the user is currently logged in.

Specified by:

isLoggedIn in interface User

Returns:

true, if the user is logged in

isSessionAbsoluteTimeout

public boolean isSessionAbsoluteTimeout()

Tests to see if this user's session has exceeded the absolute time out based on ESAPI's configuration settings.

Specified by:

isSessionAbsoluteTimeout in interface User

Returns:

true, if user's session has exceeded the absolute time out

isSessionTimeout

public boolean isSessionTimeout()

Tests to see if the user's session has timed out from inactivity based on ESAPI's configuration settings. A session may timeout prior to ESAPI's configuration setting due to the servlet container setting for session-timeout in web.xml. The following is an example of a web.xml session-timeout set for one hour. 60

Specified by:

isSessionTimeout in interface User

Returns:

true, if user's session has timed out from inactivity based on ESAPI configuration

lock

public void lock()

Lock this user's account.

Specified by:

lock in interface User

loginWithPassword

public void loginWithPassword(java.lang.String password)
                       throws AuthenticationException

Login with password.

Specified by:

loginWithPassword in interface User

Parameters:

password - the password

Throws:

AuthenticationException - if login fails

logout

public void logout()

Logout this user.

Specified by:

logout in interface User

removeRole

public void removeRole(java.lang.String role)

Removes a role from this user's account.

Specified by:

removeRole in interface User

Parameters:

role - the role to remove

resetCSRFToken

public java.lang.String resetCSRFToken()

Returns a token to be used as a prevention against CSRF attacks. This token should be added to all links and forms. The application should verify that all requests contain the token, or they may have been generated by a CSRF attack. It is generally best to perform the check in a centralized location, either a filter or controller. See the verifyCSRFToken method. In this implementation, we have chosen to use a random token that is stored in the User object. Note that it is possible to avoid the use of server side state by using either the hash of the users's session id or an encrypted token that includes a timestamp and the user's IP address. user's IP address. A relatively short 8 character string has been chosen because this token will appear in all links and forms.

Specified by:

resetCSRFToken in interface User

Returns:

the string

setAccountId

private void setAccountId(long accountId)

Sets the account id for this user's account.

setAccountName

public void setAccountName(java.lang.String accountName)

Sets this user's account name.

Specified by:

setAccountName in interface User

Parameters:

accountName - the new account name

setExpirationTime

public void setExpirationTime(java.util.Date expirationTime)

Sets the date and time when this user's account will expire.

Specified by:

setExpirationTime in interface User

Parameters:

expirationTime - the new expiration time

setLastFailedLoginTime

public void setLastFailedLoginTime(java.util.Date lastFailedLoginTime)

Set the time of the last failed login for this user.

Specified by:

setLastFailedLoginTime in interface User

Parameters:

lastFailedLoginTime - the date and time when the user just failed to login correctly.

setLastHostAddress

public void setLastHostAddress(java.lang.String remoteHost)
                        throws AuthenticationHostException

Set the last remote host address used by this user.

Specified by:

setLastHostAddress in interface User

Parameters:

remoteHost - The address of the user's current source host.

Throws:

AuthenticationHostException

setLastLoginTime

public void setLastLoginTime(java.util.Date lastLoginTime)

Set the time of the last successful login for this user.

Specified by:

setLastLoginTime in interface User

Parameters:

lastLoginTime - the date and time when the user just successfully logged in.

setLastPasswordChangeTime

public void setLastPasswordChangeTime(java.util.Date lastPasswordChangeTime)

Set the time of the last password change for this user.

Specified by:

setLastPasswordChangeTime in interface User

Parameters:

lastPasswordChangeTime - the date and time when the user just successfully changed his/her password.

setRoles

public void setRoles(java.util.Set<java.lang.String> roles)
              throws AuthenticationException

Sets the roles for this account.

Specified by:

setRoles in interface User

Parameters:

roles - the new roles

Throws:

AuthenticationException - the authentication exception

setScreenName

public void setScreenName(java.lang.String screenName)

Sets the screen name (username alias) for this user.

Specified by:

setScreenName in interface User

Parameters:

screenName - the new screen name

toString

public java.lang.String toString()

Specified by:

toString in interface java.security.Principal

Overrides:

toString in class java.lang.Object

Returns:

unlock

public void unlock()

Unlock this user's account.

Specified by:

unlock in interface User

verifyPassword

public boolean verifyPassword(java.lang.String password)

Verify that the supplied password matches the password for this user. This method is typically used for "reauthentication" for the most sensitive functions, such as transactions, changing email address, and changing other account information.

Specified by:

verifyPassword in interface User

Parameters:

password - the password that the user entered

Returns:

true, if the password passed in matches the account's password

clone

public final java.lang.Object clone()
                             throws java.lang.CloneNotSupportedException

Override clone and make final to prevent duplicate user objects.

Overrides:

clone in class java.lang.Object

Returns:

Throws:

java.lang.CloneNotSupportedException

getLocale

public java.util.Locale getLocale()

Specified by:

getLocale in interface User

Returns:

the locale

setLocale

public void setLocale(java.util.Locale locale)

Specified by:

setLocale in interface User

Parameters:

locale - the locale to set

getEventMap

public java.util.HashMap getEventMap()

Description copied from interface: User

Returns the hashmap used to store security events for this user. Used by the IntrusionDetector.

Specified by:

getEventMap in interface User