
Oracle® Data Integrator Java API Reference
11g Release 1 (11.1.1.5.0)

E17060-02


oracle.odi.core.security
Class SecurityManager

java.lang.Object
  extended by oracle.odi.core.security.SecurityManager


public final class SecurityManager
extends java.lang.Object

This class implements the Oracle Data Integrator operations related to security.

SecurityManager is obtained from an OdiInstance by calling OdiInstance.getSecurityManager() method. The SecurityManager class should be used to:

Here is a typical usage of SecurityManager to manage the Oracle Data Integrator Authentication:

  OdiInstance odiInstance = ...

  // First create an Authentication object
  Authentication authentication = odiInstance.getSecurityManager().createAuthentication(username, password);
  try
  {
        // Bind the Authentication as the currently authenticated user for the SecurityManager and the current thread.
        odiInstance.getSecurityManager().setCurrentThreadAuthentication(authentication);
        try
        {
                // ... use the Oracle Data Integrator Java APIs that require authentication here ...
        }
        finally
        {
                // Unbind the Authentication for the current thread
                odiInstance.getSecurityManager().clearCurrentThreadAuthentication();
        }
  }
  finally
  {
        // Close the authentication to release the attached resources.
        authentication.close();
  }
 
Since:
11.1.1.3.0

Constructor Summary
SecurityManager(OdiInstance pInstance)
          Internal: Constructs a new SecurityManager.

 

Method Summary
 void checkPermission(IRepositoryEntity entity, PermissionType pPermissionType)
          This is a helper method to check the Permission on the current authentication.
 void checkPermission(Permission pPermission)
          This is a helper method to check the Permission on the current authentication.
 void clearCurrentThreadAuthentication()
          Unbind the Authentication currently bound to this SecurityManager and to the current thread.
 void clearGlobalAuthentication()
          Unbind the Authentication currently bound to this SecurityManager as global authentication.
 Authentication createAuthentication(java.lang.String pUsername, char[] pPassword)
          This method creates an ODI Authentication from an ODI user name and password.
 Authentication createAuthentication(java.lang.String pSupervisorUsername, char[] pSupervisorPassword, java.lang.String pRunAsUsername)
          This method creates an ODI Authentication using the runas pattern.
 Authentication createAuthentication(javax.security.auth.Subject pSubject)
          This method creates an ODI authentication from a previously authenticated Subject.
 java.util.Collection filterOnReadPermission(java.util.Collection pCollection)
          This method returns a copy of pCollection from which the objects that the currently authenticated user does not have PermissionType.READ permission on have been filtered out.
 Authentication getCurrentAuthentication()
          Returns the Authentication that is currently bound to this SecurityManager and that will be used for privileges checking.
 boolean hasCurrentThreadAuthentication()
          Checks whether there is currently an Authentication bound at thread level in this SecurityManager for the current thread.
 boolean hasGlobalAuthentication()
          Checks whether there is an Authentication bound at global level on this security manager.
 boolean isAuthorized(IRepositoryEntity pEntity, PermissionType pPermissionType)
          Almost the same as isAuthorized(Permission), but takes the entity and permission type directly.
 boolean isAuthorized(Permission pPermission)
          This method checks if the Permission is authorized for the current authentication.
 boolean isUsingExternalAuthentication()
          This method returns true if the ODI Master repository to which the OdiInstance is connected is configured to use external authentication.
 void setAuthenticatedUserPassword(char[] pNewPassword)
          This method changes the password for the currently authenticated user.
 void setCurrentThreadAuthentication(Authentication pAuthentication)
          Set the current Authentication for the current thread.
 void setGlobalAuthentication(Authentication pAuthentication)
          Set pAuthentication as the current global Authentication for the current global thread.
 void setPassword(java.lang.String pUserName, char[] pNewPassword)
          This method will set the password for the specified user.
 void setPassword(java.lang.String pUserName, char[] pCurrentPassword, char[] pNewPassword)
          This method will change the password for the user named pUserName from pCurrentPassword to pNewPassword.

 

Methods inherited from class java.lang.Object
equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

 

Constructor Detail

SecurityManager

public SecurityManager(OdiInstance pInstance)
Internal: Constructs a new SecurityManager.

Note:This constructor is not intended to be used by SDK users and is only public for technical reason. SDK users should use method OdiInstance.getSecurityManager() to obtain a SecurityManager.

Parameters:
pInstance - an OdiInstance object.

Method Detail

createAuthentication

public Authentication createAuthentication(java.lang.String pUsername,
                                           char[] pPassword)
                                    throws PasswordExpiredException,
                                           BadCredentialsException,
                                           AccountExpiredException,
                                           InvalidExternalAuthenticationConfiguration
This method creates an ODI Authentication from an ODI user name and password.

If the master repository is configured to use internal authentication, the user name and password are checked against the user population defined in the master repository. If the user name and password are valid, an ODI authentication is created and returned.

If the master repository is configured to use external authentication, the user name and password are first authenticated against the default OPSS LoginService defined in the OPSS configuration. If this first authentication step succeeds, the user name is checked against the users registered in the ODI repository, and an Authentication is created if the user is registered.

Note: It is the caller's responsibility to call Authentication.close() on the created Authentication to release its resources when the Authentication is no longer needed.

Note: It is the caller's responsibility to overwrite the content of the pPassword char array to remove the password from memory.

Parameters:
pUsername - the name of the user to log in
pPassword - the password for this user.
Returns:
an Authentication representing the current user and his authorizations.
Throws:
PasswordExpiredException - this exception is raised if the password expired. This is only checked when internal authentication is used.
AccountExpiredException - this exception is raised if the ODI user account is expired in ODI repository
BadCredentialsException - This exception is raised when user name does not match a valid ODI user in this repository or if the password is not valid for this user.
InvalidExternalAuthenticationConfiguration - This exception is raised if we can't create the LoginContext for external authentication
See Also:
Authentication.close(), createAuthentication(Subject), createAuthentication(String, char[], String)
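
The following added example (not part of the Oracle reference) combines the two caller responsibilities noted above with the bind/unbind sequence: it wipes the password array, unbinds the thread and closes the Authentication on every exit path. The class name AuthenticatedCall, the method runAs and the import packages for OdiInstance and Authentication are assumptions.

```java
import java.util.Arrays;
import java.util.concurrent.Callable;

// Package locations below are assumed; only SecurityManager's package is given on this page.
import oracle.odi.core.OdiInstance;
import oracle.odi.core.security.Authentication;
// Explicit single-type import: a wildcard import of oracle.odi.core.security
// would be ambiguous with java.lang.SecurityManager.
import oracle.odi.core.security.SecurityManager;

/** Hypothetical helper, written for this example. */
public final class AuthenticatedCall {

    private AuthenticatedCall() {
    }

    /**
     * Runs task with an Authentication for username bound to the current thread.
     * The password array is zeroed before this method returns or throws,
     * so the caller must not reuse it afterwards.
     */
    public static <T> T runAs(OdiInstance odiInstance, String username,
                              char[] password, Callable<T> task) throws Exception {
        SecurityManager sm = odiInstance.getSecurityManager();
        Authentication auth = null;
        boolean bound = false;
        try {
            // setCurrentThreadAuthentication throws InvalidAuthenticationAPIUsageException
            // when an Authentication is already bound; check before spending a login.
            if (sm.hasCurrentThreadAuthentication()) {
                throw new IllegalStateException(
                        "an ODI Authentication is already bound to this thread");
            }
            auth = sm.createAuthentication(username, password);
            sm.setCurrentThreadAuthentication(auth);
            bound = true;
            return task.call();
        } finally {
            // Remove the password from memory whether or not the login succeeded.
            Arrays.fill(password, '\0');
            try {
                // Unbind only what this call bound, so a pooled thread is not
                // handed back with this user's Authentication still attached.
                if (bound) {
                    sm.clearCurrentThreadAuthentication();
                }
            } finally {
                // Release the resources attached to the Authentication.
                if (auth != null) {
                    auth.close();
                }
            }
        }
    }
}
```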

createAuthentication

public Authentication createAuthentication(javax.security.auth.Subject pSubject)
                                    throws BadCredentialsException
This method creates an ODI authentication from a previously authenticated Subject.

Note: This is an API for advanced users of the SDK. Most SDK users should use the createAuthentication(String, char[]) method instead.

This method is typically useful for J2EE applications that rely on the J2EE container for authentication. The Subject has to be created using the OPSS framework, and it has to match a valid user in the ODI master repository. If either of these conditions is not met, a BadCredentialsException is raised.

Note: It is the caller's responsibility to call Authentication.close() on the created Authentication to release its resources when the Authentication is no longer needed.

Parameters:
pSubject - the OPSS subject to authenticate against ODI
Returns:
the Authentication matching the ODI user
Throws:
BadCredentialsException - if pSubject is not valid for ODI
See Also:
Authentication.close(), createAuthentication(String, char[], String), createAuthentication(String, char[])

createAuthentication

public Authentication createAuthentication(java.lang.String pSupervisorUsername,
                                           char[] pSupervisorPassword,
                                           java.lang.String pRunAsUsername)
                                    throws BadCredentialsException
This method creates an ODI Authentication using the runas pattern.

Note: This is an API for advanced users of the SDK. Most SDK users should use the createAuthentication(String, char[]) method instead.

This method first checks that pSupervisorUsername and pSupervisorPassword match a SUPERVISOR user for ODI. It then checks that pRunAsUsername is a valid user and creates an authentication for it.

Note: It is the caller's responsibility to overwrite the content of the pSupervisorPassword char array to remove the password from memory.

Note: It is the caller's responsibility to call Authentication.close() on the created Authentication to release its resources when the Authentication is no longer needed.

Parameters:
pSupervisorUsername - the supervisor username.
pSupervisorPassword - the supervisor password.
pRunAsUsername - the user to run as.
Returns:
Authentication object.
Throws:
BadCredentialsException - is raised if pSupervisorUsername and pSupervisorPassword do not match a valid Supervisor user or if pRunAsUsername does not match a valid user.
See Also:
Authentication.close(), createAuthentication(Subject), createAuthentication(String, char[])

checkPermission

public void checkPermission(Permission pPermission)
                     throws PermissionDeniedException,
                            AuthenticationRequiredException
This is a helper method to check the Permission on the current authentication. Throws InvalidAuthenticationAPIUsageException if there is no current authentication for this SecurityManager. It can also throw a PermissionDeniedException if the current authentication does not have the given Permission.
Parameters:
pPermission - the permission to check.
Throws:
PermissionDeniedException - if permission is denied.
AuthenticationRequiredException - if Authentication is missing.

checkPermission

public void checkPermission(IRepositoryEntity entity,
                            PermissionType pPermissionType)
                     throws PermissionDeniedException,
                            AuthenticationRequiredException
This is a helper method to check the Permission on the current authentication. Throws InvalidAuthenticationAPIUsageException if there is no current authentication for this SecurityManager. It can also throw a PermissionDeniedException if the current authentication does not have the given Permission.
Parameters:
entity - the entity object to check permission on.
pPermissionType - the permission type to check.
Throws:
PermissionDeniedException - if permission is denied.
AuthenticationRequiredException - if Authentication is missing.

isAuthorized

public boolean isAuthorized(Permission pPermission)
                     throws AuthenticationRequiredException
This method checks if the Permission is authorized for the current authentication.
Parameters:
pPermission - the permission object to check
Returns:
true if the current user associated with this authentication has the given Permission, false otherwise.
Throws:
AuthenticationRequiredException - if there is no current authentication

isAuthorized

public boolean isAuthorized(IRepositoryEntity pEntity,
                            PermissionType pPermissionType)
                     throws AuthenticationRequiredException
Almost the same as the above method, but takes the entity and permission type directly.
Parameters:
pEntity - is the ODI entity object to check permission.
pPermissionType - is the type of permission to check, such as READ, WRITE, GENERATE and EXECUTE etc.
Returns:
true if the current user associated with this authentication has the given Permission, false otherwise.
Throws:
AuthenticationRequiredException - if there is no current authentication

setCurrentThreadAuthentication

public void setCurrentThreadAuthentication(Authentication pAuthentication)
                                    throws InvalidAuthenticationAPIUsageException
Set the current Authentication for the current thread.
Parameters:
pAuthentication - an Authentication object specifying the current thread authentication value
Throws:
InvalidAuthenticationAPIUsageException - if there is already an Authentication bound at this thread level for this SecurityManager or if the pAuthentication is not created by this SecurityManager.
See Also:
getCurrentAuthentication(), clearCurrentThreadAuthentication(), hasCurrentThreadAuthentication()

clearCurrentThreadAuthentication

public void clearCurrentThreadAuthentication()
                                      throws InvalidAuthenticationAPIUsageException
Unbind the Authentication currently bound to this SecurityManager and to the current thread.
Throws:
InvalidAuthenticationAPIUsageException - if there is currently no Authentication bound to this current thread and SecurityManager.
See Also:
setCurrentThreadAuthentication(Authentication), hasCurrentThreadAuthentication()

hasCurrentThreadAuthentication

public boolean hasCurrentThreadAuthentication()
Checks whether there is currently an Authentication bound at thread level in this SecurityManager for the current thread.
Returns:
true if there is an Authentication bound to this SecurityManager for the current thread, false otherwise.
See Also:
setCurrentThreadAuthentication(Authentication), clearCurrentThreadAuthentication()

setGlobalAuthentication

public void setGlobalAuthentication(Authentication pAuthentication)
                             throws InvalidAuthenticationAPIUsageException
Set pAuthentication as the current global Authentication for the current global thread. You probably will not use this API and instead you may only need to use setCurrentThreadAuthentication(Authentication).
Parameters:
pAuthentication - an Authentication object specifying the global authentication value
Throws:
InvalidAuthenticationAPIUsageException - if there is already an Authentication bound as global Authentication for this SecurityManager or if this SecurityManager has not created this pAuthentication.
See Also:
clearGlobalAuthentication(), getCurrentAuthentication(), hasGlobalAuthentication()

clearGlobalAuthentication

public void clearGlobalAuthentication()
                               throws InvalidAuthenticationAPIUsageException
Unbind the Authentication currently bound to this SecurityManager as global authentication.
Throws:
InvalidAuthenticationAPIUsageException - if there is currently no global Authentication bound to this SecurityManager.
See Also:
setGlobalAuthentication(Authentication), hasGlobalAuthentication()

hasGlobalAuthentication

public boolean hasGlobalAuthentication()
Checks whether there is an Authentication bound at global level on this security manager.
Returns:
true if there is already an Authentication currently bound as global to this SecurityManager, false otherwise.

getCurrentAuthentication

public Authentication getCurrentAuthentication()
Returns the Authentication that is currently bound to this SecurityManager and that will be used for privileges checking.
Returns:
the Authentication currently bound to this SecurityManager.
See Also:
setCurrentThreadAuthentication(Authentication), setGlobalAuthentication(Authentication)

setPassword

public void setPassword(java.lang.String pUserName,
                        char[] pNewPassword)
                 throws PasswordPolicyNotMatchedException,
                        PermissionDeniedException
This method will set the password for the specified user.

The authenticated user requires the SUPERVISOR privilege to execute this method; otherwise a PermissionDeniedException is raised. If the new password does not match the password policy defined in the ODI repository, a PasswordPolicyNotMatchedException is raised.

Parameters:
pUserName - the name of the user whose password is set
pNewPassword - the new password
Throws:
PermissionDeniedException - if no current authentication is found or if the current authentication does not have the SUPERVISOR privilege.
PasswordPolicyNotMatchedException - if given password doesn't match password policy.

setPassword

public void setPassword(java.lang.String pUserName,
                        char[] pCurrentPassword,
                        char[] pNewPassword)
                 throws PasswordPolicyNotMatchedException,
                        PermissionDeniedException,
                        BadCredentialsException
This method will change the password for the user named pUserName from pCurrentPassword to pNewPassword.

This method does not require a user to be authenticated. It allows the password to be changed even if the previous one has expired.

Parameters:
pUserName - user name
pCurrentPassword - the previously defined password
pNewPassword - the new password to be set
Throws:
PermissionDeniedException - if no current authentication is found or if the current authentication does not have the SUPERVISOR privilege.
PasswordPolicyNotMatchedException - if the pNewPassword does not match the password policy defined in the master repository.
BadCredentialsException - if the pUserName or pCurrentPassword are not valid.

setAuthenticatedUserPassword

public void setAuthenticatedUserPassword(char[] pNewPassword)
                                  throws PasswordPolicyNotMatchedException,
                                         AuthenticationRequiredException
This method changes the password for the currently authenticated user.

No specific privileges will be needed to call this method. If the new password does not match the password policy defined in the ODI repository then a PasswordPolicyNotMatchedException will be raised.

Parameters:
pNewPassword - the new password
Throws:
AuthenticationRequiredException - if there is no current Authentication for this security manager
PasswordPolicyNotMatchedException - if given password doesn't match password policy

isUsingExternalAuthentication

public boolean isUsingExternalAuthentication()
This method returns true if the ODI Master repository to which the OdiInstance is connected is configured to use external authentication. It returns false if the internal authentication is activated.
Returns:
true if external authentication is enabled, false otherwise.

filterOnReadPermission

public java.util.Collection filterOnReadPermission(java.util.Collection pCollection)
This method returns a copy of pCollection from which the objects that the currently authenticated user does not have PermissionType.READ permission on have been filtered out.
Parameters:
pCollection - Collection object returned by an ODI SDK finder or by ODI SDK navigation methods between entities, e.g. from parent to children or from an object to the referenced object.
Returns:
a collection object for which the current user has READ permission.
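
The following added example (not part of the Oracle reference) shows how filterOnReadPermission, isAuthorized and checkPermission fit together: the boolean check selects what to offer, and the throwing check is repeated at the point of action. The class PermissionGate, its method names and the import packages other than SecurityManager's are assumptions, and an Authentication is assumed to be bound to the calling thread already.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

// Package locations below are assumed; only SecurityManager's package is given on this page.
import oracle.odi.core.security.AuthenticationRequiredException;
import oracle.odi.core.security.PermissionDeniedException;
import oracle.odi.core.security.PermissionType;
// Explicit import so the name does not resolve to java.lang.SecurityManager.
import oracle.odi.core.security.SecurityManager;
import oracle.odi.domain.IRepositoryEntity;

/** Hypothetical helper, written for this example. */
public final class PermissionGate {

    private PermissionGate() {
    }

    /**
     * From a finder result, keeps the entities the current user may READ
     * and on which the user also holds the permission type 'needed'.
     */
    public static List<IRepositoryEntity> selectAuthorized(
            SecurityManager sm, Collection<?> found, PermissionType needed)
            throws AuthenticationRequiredException {
        List<IRepositoryEntity> allowed = new ArrayList<IRepositoryEntity>();
        // filterOnReadPermission returns a filtered copy; 'found' itself is not modified.
        for (Object o : sm.filterOnReadPermission(found)) {
            IRepositoryEntity entity = (IRepositoryEntity) o;
            // isAuthorized answers with a boolean, which suits building a selection.
            if (sm.isAuthorized(entity, needed)) {
                allowed.add(entity);
            }
        }
        return allowed;
    }

    /**
     * Enforcement point: re-checks the permission immediately before acting
     * instead of trusting a list computed earlier. checkPermission throws,
     * so the action never runs when the permission or the authentication is missing.
     */
    public static void runIfPermitted(
            SecurityManager sm, IRepositoryEntity entity,
            PermissionType needed, Runnable action)
            throws PermissionDeniedException, AuthenticationRequiredException {
        sm.checkPermission(entity, needed);
        action.run();
    }
}
```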


Copyright © 2011, Oracle and/or its affiliates. All rights reserved.