public final class SecurityManager
extends java.lang.Object

A SecurityManager is obtained from an OdiInstance by calling the OdiInstance.getSecurityManager() method.

The SecurityManager class should be used to:

Here is a typical usage of SecurityManager to manage Oracle Data Integrator authentication:
```java
OdiInstance odiInstance = ...
// First create an Authentication object
Authentication authentication = odiInstance.getSecurityManager().createAuthentication(username, password);
try {
    // Bind the Authentication as the currently authenticated user for the SecurityManager and the current thread.
    odiInstance.getSecurityManager().setCurrentThreadAuthentication(authentication);
    try {
        ... use Oracle Data Integrator Java APIs that require authentication here ...
    } finally {
        // Unbind the Authentication for the current thread
        odiInstance.getSecurityManager().clearCurrentThreadAuthentication();
    }
} finally {
    // Close the authentication to release the attached resources.
    authentication.close();
}
```
| Constructor and Description |
|---|
| SecurityManager(OdiInstance pInstance). Internal: Constructs a new SecurityManager. |
| Modifier and Type | Method and Description |
|---|---|
| void | checkPermission(IRepositoryEntity entity, PermissionType pPermissionType). Helper method that checks the Permission on the current authentication. |
| void | checkPermission(Permission pPermission). Helper method that checks the Permission on the current authentication. |
| void | clearCurrentThreadAuthentication(). Unbinds the Authentication currently bound to this SecurityManager and to the current thread. |
| void | clearGlobalAuthentication(). Unbinds the Authentication currently bound to this SecurityManager as global authentication. |
| Authentication | createAuthentication(java.lang.String pUsername, char[] pPassword). Creates an ODI Authentication from an ODI user name and password. |
| Authentication | createAuthentication(java.lang.String pSupervisorUsername, char[] pSupervisorPassword, java.lang.String pRunAsUsername). Creates an ODI Authentication using the run-as pattern. |
| Authentication | createAuthentication(javax.security.auth.Subject pSubject). Creates an ODI Authentication from a previously authenticated Subject. |
| java.util.Collection | filterOnReadPermission(java.util.Collection pCollection). Returns a copy of pCollection in which the objects for which the current authenticated user does not have PermissionType.READ permission have been filtered out. |
| Authentication | getCurrentAuthentication(). Returns the Authentication that is currently bound to this SecurityManager and that will be used for privilege checking. |
| boolean | hasCurrentThreadAuthentication(). Checks whether there is currently an Authentication bound at thread level in this SecurityManager for the current thread. |
| boolean | hasGlobalAuthentication(). Checks whether there is an Authentication bound at global level on this SecurityManager. |
| boolean | isAuthorized(IRepositoryEntity pEntity, PermissionType pPermissionType). Same as isAuthorized(Permission), but takes the entity and the permission type directly. |
| boolean | isAuthorized(Permission pPermission). Checks whether the Permission is authorized for the current authentication. |
| static boolean | isEqual(char[] first, char[] second). Time-constant char array comparison. |
| boolean | isUsingExternalAuthentication(). Returns true if the ODI Master repository to which the OdiInstance is connected is configured to use external authentication. |
| static java.util.List | retrieveEnterpriseIdentities(java.lang.String pFilterString). Retrieves a list of enterprise identities matching a filter string. |
| void | setAuthenticatedUserPassword(char[] pNewPassword). Changes the password of the currently authenticated user. |
| void | setCurrentThreadAuthentication(Authentication pAuthentication). Sets the current Authentication for the current thread. |
| void | setGlobalAuthentication(Authentication pAuthentication). Sets pAuthentication as the current global Authentication for this SecurityManager. |
| void | setPassword(java.lang.String pUserName, char[] pNewPassword). Sets the password for the specified user. |
| void | setPassword(java.lang.String pUserName, char[] pCurrentPassword, char[] pNewPassword). Changes the password of the user named pUserName from pCurrentPassword to pNewPassword. |
Constructor Detail

public SecurityManager(OdiInstance pInstance)

Note: This constructor is not intended to be used by SDK users and is only public for technical reasons. SDK users should use the method OdiInstance.getSecurityManager() to obtain a SecurityManager.

Parameters:
pInstance - an OdiInstance object.

Method Detail

public Authentication createAuthentication(java.lang.String pUsername, char[] pPassword) throws PasswordExpiredException, BadCredentialsException, AccountExpiredException, InvalidExternalAuthenticationConfigurationException

This method creates an ODI Authentication from an ODI user name and password.

If the master repository is configured to use internal authentication, the user name and password are checked against the user population defined in the master repository. If the user name and password are valid, an ODI Authentication is created and returned.

If the master repository is configured to use external authentication, the user name and password are first authenticated against the default OPSS LoginService defined in the OPSS configuration. If this first authentication step succeeds, the user name is checked against the users registered in the ODI repository and an Authentication is created if the user is registered.

Note: It is the caller's responsibility to call Authentication.close() on the created Authentication to release its resources when the Authentication is no longer needed.

Note: It is the caller's responsibility to overwrite the content of the pPassword char array to remove the password from memory.

Parameters:
pUsername - the name of the user to log in
pPassword - the password for this user.

Throws:
PasswordExpiredException - raised if the password has expired. This is only checked when internal authentication is used.
AccountExpiredException - raised if the ODI user account has expired in the ODI repository.
BadCredentialsException - raised when the user name does not match a valid ODI user in this repository or if the password is not valid for this user.
InvalidExternalAuthenticationConfigurationException - raised if the LoginContext for external authentication cannot be created.

See Also:
Authentication.close(), createAuthentication(Subject), createAuthentication(String, char[], String)
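The two notes above put the burden of wiping the password array and closing the Authentication on the caller. As an added example (not code from this page or from the ODI SDK), the hypothetical helper below wraps createAuthentication(String, char[]) so that both obligations are honoured on every path: the pPassword array is overwritten even when authentication fails, and each documented exception is mapped to a coarse failure category. The package names in the imports, the OdiLogin and LoginFailedException classes and the Failure enum are assumptions; the SecurityManager, Authentication and exception names are the ones listed on this page, and Authentication.close() is assumed to declare no checked exception.

```java
import java.util.Arrays;

// Package names below are assumed (they are not stated on this page); adjust to the SDK version in use.
import oracle.odi.core.OdiInstance;
import oracle.odi.core.security.AccountExpiredException;
import oracle.odi.core.security.Authentication;
import oracle.odi.core.security.BadCredentialsException;
import oracle.odi.core.security.InvalidExternalAuthenticationConfigurationException;
import oracle.odi.core.security.PasswordExpiredException;
import oracle.odi.core.security.SecurityManager;

/**
 * Hypothetical helper (not part of the SDK) around
 * SecurityManager.createAuthentication(String, char[]).
 */
public final class OdiLogin {

    /**
     * Coarse outcome for the caller. BAD_CREDENTIALS deliberately does not say whether
     * the user name or the password was wrong; the SDK's BadCredentialsException already
     * merges the two cases, and a login form should not undo that.
     */
    public enum Failure { BAD_CREDENTIALS, PASSWORD_EXPIRED, ACCOUNT_EXPIRED, EXTERNAL_AUTH_MISCONFIGURED }

    /** Hypothetical checked exception carrying the failure category. */
    public static final class LoginFailedException extends Exception {
        private final Failure failure;

        LoginFailedException(Failure failure, Throwable cause) {
            super("ODI login failed: " + failure, cause);
            this.failure = failure;
        }

        public Failure getFailure() {
            return failure;
        }
    }

    private OdiLogin() {}

    /**
     * Returns an open Authentication that the caller must close(), or throws
     * LoginFailedException. In both cases the password array has been zeroed.
     */
    public static Authentication login(OdiInstance odiInstance, String username, char[] password)
            throws LoginFailedException {
        SecurityManager sm = odiInstance.getSecurityManager();
        try {
            return sm.createAuthentication(username, password);
        } catch (PasswordExpiredException e) {
            // Only raised under internal authentication (see the Throws list above);
            // with external authentication expiry is not checked here.
            throw new LoginFailedException(Failure.PASSWORD_EXPIRED, e);
        } catch (AccountExpiredException e) {
            throw new LoginFailedException(Failure.ACCOUNT_EXPIRED, e);
        } catch (InvalidExternalAuthenticationConfigurationException e) {
            // A deployment problem, not a user error: route it to operators, not to the login form.
            throw new LoginFailedException(Failure.EXTERNAL_AUTH_MISCONFIGURED, e);
        } catch (BadCredentialsException e) {
            throw new LoginFailedException(Failure.BAD_CREDENTIALS, e);
        } finally {
            // Caller responsibility stated in the doc: remove the password from memory,
            // whether or not authentication succeeded.
            Arrays.fill(password, '\0');
        }
    }
}
```

The returned Authentication still has to be closed by the caller (for example in a finally block as in the usage snippet at the top of this page); what the helper guarantees is that the plaintext password never survives the call, and that an exception thrown by the SDK cannot leave the array intact.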
public Authentication createAuthentication(javax.security.auth.Subject pSubject) throws BadCredentialsException

Note: This is an API for advanced users of the SDK. Most SDK users should use the createAuthentication(String, char[]) method instead.

This method is typically useful for J2EE applications that rely on the J2EE container for authentication. The Subject has to be created using the OPSS framework, and it has to match a valid user in the ODI master repository. If either condition is not met, a BadCredentialsException is raised.

Note: It is the caller's responsibility to call Authentication.close() on the created Authentication to release its resources when the Authentication is no longer needed.

Parameters:
pSubject - the OPSS subject to authenticate against ODI

Throws:
BadCredentialsException - if pSubject is not valid for ODI

See Also:
Authentication.close(), createAuthentication(String, char[], String), createAuthentication(String, char[])
public Authentication createAuthentication(java.lang.String pSupervisorUsername, char[] pSupervisorPassword, java.lang.String pRunAsUsername) throws BadCredentialsException

Note: This is an API for advanced users of the SDK. Most SDK users should use the createAuthentication(String, char[]) method instead.

This method first checks that pSupervisorUsername and pSupervisorPassword match a SUPERVISOR user for ODI. It then checks that pRunAsUsername is a valid user and creates an Authentication for that user.

Note: It is the caller's responsibility to overwrite the content of the pSupervisorPassword char array to remove the password from memory.

Note: It is the caller's responsibility to call Authentication.close() on the created Authentication to release its resources when the Authentication is no longer needed.

Parameters:
pSupervisorUsername - the supervisor user name.
pSupervisorPassword - the supervisor password.
pRunAsUsername - the user to run as.

Throws:
BadCredentialsException - raised if pSupervisorUsername and pSupervisorPassword do not match a valid SUPERVISOR user, or if pRunAsUsername does not match a valid user.

See Also:
Authentication.close(), createAuthentication(Subject), createAuthentication(String, char[])
public void checkPermission(Permission pPermission) throws PermissionDeniedException, AuthenticationRequiredException

Helper method that checks the Permission on the current authentication.

Parameters:
pPermission - the permission to check.

Throws:
PermissionDeniedException - if the permission is denied.
AuthenticationRequiredException - if the Authentication is missing.

public void checkPermission(IRepositoryEntity entity, PermissionType pPermissionType) throws PermissionDeniedException, AuthenticationRequiredException

Helper method that checks the Permission on the current authentication.

Parameters:
entity - the entity object on which to check the permission.
pPermissionType - the permission type to check.

Throws:
PermissionDeniedException - if the permission is denied.
AuthenticationRequiredException - if the Authentication is missing.

public boolean isAuthorized(Permission pPermission) throws AuthenticationRequiredException

Checks whether the Permission is authorized for the current authentication.

Parameters:
pPermission - the permission object to check

Throws:
AuthenticationRequiredException - if there is no current authentication

public boolean isAuthorized(IRepositoryEntity pEntity, PermissionType pPermissionType) throws AuthenticationRequiredException

Same as isAuthorized(Permission), but takes the entity and the permission type directly.

Parameters:
pEntity - the ODI entity object on which to check the permission.
pPermissionType - the type of permission to check, such as READ, WRITE, GENERATE, EXECUTE, etc.

Throws:
AuthenticationRequiredException - if there is no current authentication

public void setCurrentThreadAuthentication(Authentication pAuthentication) throws InvalidAuthenticationAPIUsageException

Sets the current Authentication for the current thread.

Parameters:
pAuthentication - an Authentication object specifying the current thread authentication value

Throws:
InvalidAuthenticationAPIUsageException - if there is already an Authentication bound at thread level for this SecurityManager, or if pAuthentication was not created by this SecurityManager.

See Also:
getCurrentAuthentication(), clearCurrentThreadAuthentication(), hasCurrentThreadAuthentication()
public void clearCurrentThreadAuthentication() throws InvalidAuthenticationAPIUsageException

Unbinds the Authentication currently bound to this SecurityManager and to the current thread.

Throws:
InvalidAuthenticationAPIUsageException - if there is currently no Authentication bound to the current thread and this SecurityManager.

See Also:
setCurrentThreadAuthentication(Authentication), hasCurrentThreadAuthentication()

public boolean hasCurrentThreadAuthentication()

Checks whether there is currently an Authentication bound at thread level in this SecurityManager for the current thread.

See Also:
setCurrentThreadAuthentication(Authentication), clearCurrentThreadAuthentication()

public void setGlobalAuthentication(Authentication pAuthentication) throws InvalidAuthenticationAPIUsageException

Sets pAuthentication as the current global Authentication for this SecurityManager (compare setCurrentThreadAuthentication(Authentication)).

Parameters:
pAuthentication - an Authentication object specifying the global authentication value

Throws:
InvalidAuthenticationAPIUsageException - if there is already an Authentication bound as global Authentication for this SecurityManager, or if this SecurityManager did not create pAuthentication.

See Also:
clearGlobalAuthentication(), getCurrentAuthentication(), hasGlobalAuthentication()

public void clearGlobalAuthentication() throws InvalidAuthenticationAPIUsageException

Unbinds the Authentication currently bound to this SecurityManager as global authentication.

Throws:
InvalidAuthenticationAPIUsageException - if there is currently no global Authentication bound to this SecurityManager.

See Also:
setGlobalAuthentication(Authentication), hasGlobalAuthentication()

public boolean hasGlobalAuthentication()

Checks whether there is an Authentication bound at global level on this SecurityManager.
public Authentication getCurrentAuthentication()

Returns the Authentication that is currently bound to this SecurityManager and that will be used for privilege checking. The lookup first checks whether an Authentication is bound at thread level (see setCurrentThreadAuthentication(Authentication)); if so, this thread-level Authentication is returned. Otherwise it checks whether a global Authentication is bound (see setGlobalAuthentication(Authentication)); if so, this global Authentication is returned. If neither is bound, null is returned.

See Also:
setCurrentThreadAuthentication(Authentication), setGlobalAuthentication(Authentication)
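The resolution order just described (thread-level Authentication first, then the global one, then null) decides which identity isAuthorized() and checkPermission() evaluate. The following hypothetical service is an added example, not code from this page or from the ODI SDK: it installs a global identity for background work, shadows it per thread for an individual caller, probes with isAuthorized(IRepositoryEntity, PermissionType), enforces with checkPermission, and uses filterOnReadPermission (documented further down on this page) for listings. The package names in the imports, the GuardedEntityService class, its audit hook and the IllegalStateException policy for an already-bound thread are assumptions; PermissionType.WRITE and PermissionType.READ are values named on this page.

```java
import java.util.Collection;

// Package names below are assumed (they are not stated on this page); adjust to the SDK version in use.
import oracle.odi.core.OdiInstance;
import oracle.odi.core.security.Authentication;
import oracle.odi.core.security.AuthenticationRequiredException;
import oracle.odi.core.security.InvalidAuthenticationAPIUsageException;
import oracle.odi.core.security.PermissionDeniedException;
import oracle.odi.core.security.PermissionType;
import oracle.odi.core.security.SecurityManager;
import oracle.odi.domain.IRepositoryEntity;

/**
 * Hypothetical service (not part of the SDK). A global Authentication serves
 * background work; a thread-level one, bound only for the duration of a call,
 * takes precedence on that thread. Every check below runs as whichever identity
 * getCurrentAuthentication() resolves to.
 */
public final class GuardedEntityService {

    private final SecurityManager sm;

    public GuardedEntityService(OdiInstance odiInstance) {
        this.sm = odiInstance.getSecurityManager();
    }

    /** Binds the service identity once; a second setGlobalAuthentication would raise InvalidAuthenticationAPIUsageException. */
    public void installGlobalIdentity(Authentication serviceAuth) throws InvalidAuthenticationAPIUsageException {
        if (!sm.hasGlobalAuthentication()) {
            sm.setGlobalAuthentication(serviceAuth);
        }
    }

    /**
     * Runs action as callerAuth on the calling thread. While bound it shadows the
     * global identity for this thread only; the finally block restores the fallback.
     */
    public void runAs(Authentication callerAuth, Runnable action) throws InvalidAuthenticationAPIUsageException {
        if (sm.hasCurrentThreadAuthentication()) {
            // Never silently replace an identity another component bound to this thread.
            throw new IllegalStateException("an Authentication is already bound to this thread");
        }
        sm.setCurrentThreadAuthentication(callerAuth);
        try {
            action.run();
        } finally {
            sm.clearCurrentThreadAuthentication();
        }
    }

    /** Non-throwing probe, e.g. to hide an action the current identity cannot perform. */
    public boolean canWrite(IRepositoryEntity entity) {
        try {
            return sm.isAuthorized(entity, PermissionType.WRITE);
        } catch (AuthenticationRequiredException e) {
            return false; // neither a thread-level nor a global identity is bound: fail closed
        }
    }

    /** Enforcement point: checkPermission throws, so the mutation cannot run without WRITE. */
    public void update(IRepositoryEntity entity, Runnable mutation)
            throws PermissionDeniedException, AuthenticationRequiredException {
        sm.checkPermission(entity, PermissionType.WRITE);
        Authentication actor = sm.getCurrentAuthentication(); // thread-level if bound, else global
        mutation.run();
        audit("update", entity, actor);
    }

    /** Listing path: let the SDK drop whatever the current identity may not READ. */
    @SuppressWarnings("unchecked")
    public Collection<IRepositoryEntity> readable(Collection<? extends IRepositoryEntity> found) {
        return (Collection<IRepositoryEntity>) sm.filterOnReadPermission(found);
    }

    /** Hypothetical audit hook; a real deployment would write to its audit log. */
    private void audit(String op, IRepositoryEntity entity, Authentication actor) {
        System.out.println(op + " on " + entity + " by " + actor);
    }
}
```

Two design points follow directly from the documentation above: canWrite() is only a hint for the caller and must never replace the checkPermission() call inside update(), because the identity may change between the two calls; and runAs() refuses an already-bound thread rather than rebinding, since setCurrentThreadAuthentication would raise InvalidAuthenticationAPIUsageException anyway and a silent replacement would hide a bug in the caller's binding discipline.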
public void setPassword(java.lang.String pUserName, char[] pNewPassword) throws PasswordPolicyNotMatchedException, PermissionDeniedException

Sets the password for the specified user. The authenticated user requires the SUPERVISOR privilege to execute this method; otherwise a PermissionDeniedException is raised. If the new password does not match the password policy defined in the ODI repository, a PasswordPolicyNotMatchedException is raised.

Parameters:
pUserName - the name of the user whose password is changed
pNewPassword - the new password

Throws:
PermissionDeniedException - if no current authentication is found or if the current authentication does not have the SUPERVISOR privilege.
PasswordPolicyNotMatchedException - if the given password does not match the password policy.

public void setPassword(java.lang.String pUserName, char[] pCurrentPassword, char[] pNewPassword) throws PasswordPolicyNotMatchedException, PermissionDeniedException, BadCredentialsException

Changes the password of the user named pUserName from pCurrentPassword to pNewPassword. This method does not require a user to be authenticated. It allows the password to be changed even if the previous one has expired.

Parameters:
pUserName - the user name
pCurrentPassword - the previously defined password
pNewPassword - the new password to be set

Throws:
PermissionDeniedException - if no current authentication is found or if the current authentication does not have the SUPERVISOR privilege.
PasswordPolicyNotMatchedException - if pNewPassword does not match the password policy defined in the master repository.
BadCredentialsException - if pUserName or pCurrentPassword are not valid.

public void setAuthenticatedUserPassword(char[] pNewPassword) throws PasswordPolicyNotMatchedException, AuthenticationRequiredException

Changes the password of the currently authenticated user. No specific privileges are needed to call this method. If the new password does not match the password policy defined in the ODI repository, a PasswordPolicyNotMatchedException is raised.

Parameters:
pNewPassword - the new password

Throws:
AuthenticationRequiredException - if there is no current Authentication for this SecurityManager
PasswordPolicyNotMatchedException - if the given password does not match the password policy

public static boolean isEqual(char[] first, char[] second)

Time-constant char array comparison.

Parameters:
first -
second -

Returns:
true if both arrays are null or have the same length and content

public boolean isUsingExternalAuthentication()

Returns true if the ODI Master repository to which the OdiInstance is connected is configured to use external authentication.
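As an added example (not code from this page or from the ODI SDK), the hypothetical helper below combines the two self-service password paths documented above with the static isEqual(char[], char[]) comparison: the confirmation copy is compared in constant time rather than with an early-exit loop, setAuthenticatedUserPassword is used when an Authentication is bound, setPassword(String, char[], char[]) when it is not (for instance after the password has expired), and every char array is wiped before the method returns, as the notes on createAuthentication ask of callers. The package names in the imports and the PasswordChange class are assumptions; the SecurityManager methods and exception names are the ones on this page.

```java
import java.util.Arrays;

// Package names below are assumed (they are not stated on this page); adjust to the SDK version in use.
import oracle.odi.core.OdiInstance;
import oracle.odi.core.security.AuthenticationRequiredException;
import oracle.odi.core.security.BadCredentialsException;
import oracle.odi.core.security.PasswordPolicyNotMatchedException;
import oracle.odi.core.security.PermissionDeniedException;
import oracle.odi.core.security.SecurityManager;

/**
 * Hypothetical helper (not part of the SDK) for the two self-service password paths.
 * Both take the confirmation copy as a char[] as well, compare with the SDK's
 * time-constant SecurityManager.isEqual, and wipe every array before returning.
 */
public final class PasswordChange {

    private PasswordChange() {}

    /**
     * Path for a logged-in user (an Authentication is bound to the SecurityManager):
     * no privilege beyond being authenticated is required. Returns false when the
     * confirmation does not match; the repository is not touched in that case.
     */
    public static boolean changeOwnPassword(OdiInstance odiInstance, char[] newPassword, char[] confirmation)
            throws PasswordPolicyNotMatchedException, AuthenticationRequiredException {
        try {
            if (!SecurityManager.isEqual(newPassword, confirmation)) {
                return false;
            }
            odiInstance.getSecurityManager().setAuthenticatedUserPassword(newPassword);
            return true;
        } finally {
            wipe(newPassword, confirmation);
        }
    }

    /**
     * Path for a user who cannot obtain an Authentication, e.g. because the password
     * has expired: per the doc above, setPassword(String, char[], char[]) proves
     * possession of the current password instead of requiring an authenticated user.
     */
    public static boolean changeExpiredPassword(OdiInstance odiInstance, String userName,
                                                char[] currentPassword, char[] newPassword, char[] confirmation)
            throws PasswordPolicyNotMatchedException, PermissionDeniedException, BadCredentialsException {
        try {
            if (!SecurityManager.isEqual(newPassword, confirmation)) {
                return false;
            }
            if (SecurityManager.isEqual(currentPassword, newPassword)) {
                return false; // local policy of this helper: a rotation must actually change the secret
            }
            odiInstance.getSecurityManager().setPassword(userName, currentPassword, newPassword);
            return true;
        } finally {
            wipe(currentPassword, newPassword, confirmation);
        }
    }

    /** Overwrites every array so the secrets do not linger on the heap (caller responsibility per the doc). */
    private static void wipe(char[]... secrets) {
        for (char[] s : secrets) {
            if (s != null) {
                Arrays.fill(s, '\0');
            }
        }
    }
}
```

Using isEqual for the confirmation check is deliberate: a comparison that stops at the first differing character leaks, through timing, how long the matching prefix is, and isEqual is documented as time-constant precisely to avoid that. The checked exceptions are left to propagate so that PasswordPolicyNotMatchedException can be shown to the user while BadCredentialsException is handled like a failed login.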
public java.util.Collection filterOnReadPermission(java.util.Collection pCollection)

Returns a copy of pCollection in which the objects for which the current authenticated user does not have PermissionType.READ permission have been filtered out.

Parameters:
pCollection - a Collection object returned by an ODI SDK finder or by ODI SDK navigation methods between entities, e.g. from parent to children or from an object to the referenced object.

public static java.util.List retrieveEnterpriseIdentities(java.lang.String pFilterString) throws InvalidExternalAuthenticationConfigurationException

Retrieves a list of enterprise identities matching a filter string.

Parameters:
pFilterString - a filter string used to match enterprise user or enterprise role names during retrieval.

Throws:
InvalidExternalAuthenticationConfigurationException