Improve security

[lgpl/argeo-commons.git] / security / runtime / org.argeo.security.core / src / main / java / org / argeo / security / core / DefaultSecurityService.java

diff --git a/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/core/DefaultSecurityService.java b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/core/DefaultSecurityService.java
index e9718035148db27b8f3aafd706fdc07516664ebd..68f97d4a069e3eaa73257d943da72913ea5bf24d 100644 (file)
--- a/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/core/DefaultSecurityService.java
+++ b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/core/DefaultSecurityService.java
@@ -17,14 +17,14 @@
 package org.argeo.security.core;
 
 import java.util.Iterator;
-import java.util.List;
+import java.util.Set;
 
-import org.argeo.ArgeoException;
 import org.argeo.security.ArgeoSecurity;
 import org.argeo.security.ArgeoSecurityDao;
 import org.argeo.security.ArgeoSecurityService;
 import org.argeo.security.ArgeoUser;
 import org.argeo.security.SimpleArgeoUser;
+import org.argeo.security.UserAdminService;
 import org.springframework.core.task.SimpleAsyncTaskExecutor;
 import org.springframework.core.task.TaskExecutor;
 import org.springframework.security.Authentication;
@@ -32,22 +32,14 @@ import org.springframework.security.AuthenticationManager;
 import org.springframework.security.context.SecurityContext;
 import org.springframework.security.context.SecurityContextHolder;
 
-public class DefaultSecurityService implements ArgeoSecurityService {
+public class DefaultSecurityService extends DefaultCurrentUserService implements
+               UserAdminService, ArgeoSecurityService {
        private ArgeoSecurity argeoSecurity = new DefaultArgeoSecurity();
        private ArgeoSecurityDao securityDao;
        private AuthenticationManager authenticationManager;
 
        private String systemAuthenticationKey;
 
-       public ArgeoUser getCurrentUser() {
-               ArgeoUser argeoUser = ArgeoUserDetails.securityContextUser();
-               if (argeoUser == null)
-                       return null;
-               if (argeoUser.getRoles().contains(securityDao.getDefaultRole()))
-                       argeoUser.getRoles().remove(securityDao.getDefaultRole());
-               return argeoUser;
-       }
-
        public ArgeoSecurityDao getSecurityDao() {
                return securityDao;
        }
@@ -59,32 +51,54 @@ public class DefaultSecurityService implements ArgeoSecurityService {
        public void updateUserPassword(String username, String password) {
                SimpleArgeoUser user = new SimpleArgeoUser(
                                securityDao.getUser(username));
-               user.setPassword(password);
-               securityDao.update(user);
-       }
-
-       public void updateCurrentUserPassword(String oldPassword, String newPassword) {
-               SimpleArgeoUser user = new SimpleArgeoUser(getCurrentUser());
-               if (!securityDao.isPasswordValid(user.getPassword(), oldPassword))
-                       throw new ArgeoException("Old password is not correct.");
-               user.setPassword(securityDao.encodePassword(newPassword));
-               securityDao.update(user);
+               user.setPassword(encodePassword(password));
+               securityDao.updateUser(user);
        }
 
        public void newUser(ArgeoUser user) {
-               user.getUserNatures().clear();
                argeoSecurity.beforeCreate(user);
-               securityDao.create(user);
+               // normalize password
+               if (user instanceof SimpleArgeoUser) {
+                       if (user.getPassword() == null || user.getPassword().equals(""))
+                               ((SimpleArgeoUser) user).setPassword(encodePassword(user
+                                               .getUsername()));
+                       else if (!user.getPassword().startsWith("{"))
+                               ((SimpleArgeoUser) user).setPassword(encodePassword(user
+                                               .getPassword()));
+               }
+               securityDao.createUser(user);
+       }
+
+       public ArgeoUser getUser(String username) {
+               return securityDao.getUser(username);
+       }
+
+       public Boolean userExists(String username) {
+               return securityDao.userExists(username);
        }
 
        public void updateUser(ArgeoUser user) {
-               String password = securityDao.getUserWithPassword(user.getUsername())
-                               .getPassword();
+               String password = user.getPassword();
+               if (password == null)
+                       password = securityDao.getUserWithPassword(user.getUsername())
+                                       .getPassword();
+               if (!password.startsWith("{"))
+                       password = encodePassword(user.getPassword());
                SimpleArgeoUser simpleArgeoUser = new SimpleArgeoUser(user);
                simpleArgeoUser.setPassword(password);
-               securityDao.update(simpleArgeoUser);
+               securityDao.updateUser(simpleArgeoUser);
        }
 
+       public void deleteUser(String username) {
+               securityDao.deleteUser(username);
+
+       }
+
+       public void deleteRole(String role) {
+               securityDao.deleteRole(role);
+       }
+
+       @Deprecated
        public TaskExecutor createSystemAuthenticatedTaskExecutor() {
                return new SimpleAsyncTaskExecutor() {
                        private static final long serialVersionUID = -8126773862193265020L;
@@ -102,6 +116,7 @@ public class DefaultSecurityService implements ArgeoSecurityService {
         * Wraps another runnable, adding security context <br/>
         * TODO: secure the call to this method with Java Security
         */
+       @Deprecated
        public Runnable wrapWithSystemAuthentication(final Runnable runnable) {
                return new Runnable() {
 
@@ -118,8 +133,8 @@ public class DefaultSecurityService implements ArgeoSecurityService {
                };
        }
 
-       public List<ArgeoUser> listUsersInRole(String role) {
-               List<ArgeoUser> lst = securityDao.listUsersInRole(role);
+       public Set<ArgeoUser> listUsersInRole(String role) {
+               Set<ArgeoUser> lst = securityDao.listUsersInRole(role);
                Iterator<ArgeoUser> it = lst.iterator();
                while (it.hasNext()) {
                        if (it.next().getUsername()
@@ -131,12 +146,22 @@ public class DefaultSecurityService implements ArgeoSecurityService {
                return lst;
        }
 
+       public Set<ArgeoUser> listUsers() {
+               return securityDao.listUsers();
+       }
+
+       public Set<String> listEditableRoles() {
+               // TODO Auto-generated method stub
+               return securityDao.listEditableRoles();
+       }
+
        public void setArgeoSecurity(ArgeoSecurity argeoSecurity) {
                this.argeoSecurity = argeoSecurity;
        }
 
        public void setSecurityDao(ArgeoSecurityDao dao) {
                this.securityDao = dao;
+               setCurrentUserDao(dao);
        }
 
        public void setAuthenticationManager(