org.owasp.esapi
Class User

java.lang.Object
  extended by org.owasp.esapi.User
All Implemented Interfaces:
IUser, java.io.Serializable

public class User
extends java.lang.Object
implements IUser, java.io.Serializable

Reference implementation of the IUser interface. This implementation is serialized into a flat file in a simple format.

Since:
June 1, 2007
Author:
Jeff Williams (jeff.williams .at. aspectsecurity.com) Aspect Security
See Also:
IUser, Serialized Form

Field Summary
 
Fields inherited from interface org.owasp.esapi.interfaces.IUser
ANONYMOUS
 
Method Summary
 void addRole(java.lang.String role)
          Adds a role to an account.
 void addRoles(java.util.Set newRoles)
          Adds the roles.
 void changePassword(java.lang.String oldPassword, java.lang.String newPassword1, java.lang.String newPassword2)
          Sets the user's password, performing a verification of the user's old password, the equality of the two new passwords, and the strength of the new password.
 java.lang.Object clone()
          Override clone and make final to prevent duplicate user objects.
 void disable()
          Disable account.
 void enable()
          Enable the account.
 boolean equals(java.lang.Object obj)
           
 java.lang.String getAccountName()
          Gets the account name.
 java.lang.String getCSRFToken()
          Gets the CSRF token.
 java.util.Date getExpirationTime()
          Gets the expiration time.
 int getFailedLoginCount()
          Gets the failed login count.
 java.util.Date getLastFailedLoginTime()
          Gets the last failed login time.
 java.lang.String getLastHostAddress()
          Returns the last host address used by the user.
 java.util.Date getLastLoginTime()
          Gets the last login time.
 java.util.Date getLastPasswordChangeTime()
          Gets the last password change time.
 java.util.Set getRoles()
          Gets the roles.
 java.lang.String getScreenName()
          Gets the screen name.
 int hashCode()
           
 void incrementFailedLoginCount()
          Increment failed login count.
 boolean isAnonymous()
          Checks if the user is anonymous.
 boolean isEnabled()
          Checks if the account is enabled.
 boolean isExpired()
          Checks if an account is expired.
 boolean isInRole(java.lang.String role)
          Checks if an account has been assigned a particular role.
 boolean isLocked()
          Checks if an account is locked.
 boolean isLoggedIn()
          Tests to see if the user is currently logged in.
 boolean isSessionAbsoluteTimeout()
          Tests to see if the user's session has exceeded the absolute time out.
 boolean isSessionTimeout()
          Tests to see if the user's session has timed out from inactivity.
 void lock()
          Lock the user's account.
 void loginWithPassword(java.lang.String password)
          Login with password.
 void logout()
          Logout this user.
 void removeRole(java.lang.String role)
          Removes a role from an account.
 java.lang.String resetCSRFToken()
          In this implementation, we have chosen to use a random token that is stored in the User object.
 java.lang.String resetPassword()
          Reset password.
 java.lang.String resetRememberToken()
          Regenerates the user's remember token by sealing the account name and hashed password with a timestamp.
 void setAccountName(java.lang.String accountName)
          Sets the account name.
 void setExpirationTime(java.util.Date expirationTime)
          Sets the expiration time.
 void setLastHostAddress(java.lang.String remoteHost)
          Sets the last remote host address used by this User.
 void setRoles(java.util.Set roles)
          Sets the roles.
 void setScreenName(java.lang.String screenName)
          Sets the screen name.
 java.lang.String toString()
           
 void unlock()
          Unlock account.
 boolean verifyPassword(java.lang.String password)
          Verify that the supplied password matches the password for this user.
 
Methods inherited from class java.lang.Object
getClass, notify, notifyAll, wait, wait, wait
 

Method Detail

addRole

public void addRole(java.lang.String role)
             throws AuthenticationException
Description copied from interface: IUser
Adds a role to an account.

Specified by:
addRole in interface IUser
Parameters:
role - the role
Throws:
AuthenticationException - the authentication exception

addRoles

public void addRoles(java.util.Set newRoles)
              throws AuthenticationException
Description copied from interface: IUser
Adds the roles.

Specified by:
addRoles in interface IUser
Parameters:
newRoles - the new roles
Throws:
AuthenticationException - the authentication exception

changePassword

public void changePassword(java.lang.String oldPassword,
                           java.lang.String newPassword1,
                           java.lang.String newPassword2)
                    throws AuthenticationException,
                           EncryptionException
Description copied from interface: IUser
Sets the user's password, performing a verification of the user's old password, the equality of the two new passwords, and the strength of the new password.

Specified by:
changePassword in interface IUser
Parameters:
oldPassword - the old password
newPassword1 - the new password
newPassword2 - the new password, entered a second time for confirmation; must equal newPassword1
Throws:
EncryptionException
AuthenticationException - the authentication exception

disable

public void disable()
Description copied from interface: IUser
Disable account.

Specified by:
disable in interface IUser

enable

public void enable()
Enable the account.

Specified by:
enable in interface IUser
See Also:
IUser.enable()

equals

public boolean equals(java.lang.Object obj)

getAccountName

public java.lang.String getAccountName()
Gets the account name.

Specified by:
getAccountName in interface IUser
Returns:
the accountName

getCSRFToken

public java.lang.String getCSRFToken()
Gets the CSRF token. Use HTTPUtilities.checkCSRFToken(request) to verify the token.

Specified by:
getCSRFToken in interface IUser
Returns:
the csrfToken

getExpirationTime

public java.util.Date getExpirationTime()
Gets the expiration time.

Returns:
The expiration time of the current user.

getFailedLoginCount

public int getFailedLoginCount()
Gets the failed login count.

Specified by:
getFailedLoginCount in interface IUser
Returns:
the failedLoginCount

getLastFailedLoginTime

public java.util.Date getLastFailedLoginTime()
Gets the last failed login time.

Specified by:
getLastFailedLoginTime in interface IUser
Returns:
the lastFailedLoginTime

getLastHostAddress

public java.lang.String getLastHostAddress()
Description copied from interface: IUser
Returns the last host address used by the user. This will be used in any log messages generated by the processing of this request.

Specified by:
getLastHostAddress in interface IUser
Returns:
the last host address used by the user

getLastLoginTime

public java.util.Date getLastLoginTime()
Gets the last login time.

Specified by:
getLastLoginTime in interface IUser
Returns:
the lastLoginTime

getLastPasswordChangeTime

public java.util.Date getLastPasswordChangeTime()
Gets the last password change time.

Specified by:
getLastPasswordChangeTime in interface IUser
Returns:
the lastPasswordChangeTime

getRoles

public java.util.Set getRoles()
Gets the roles.

Specified by:
getRoles in interface IUser
Returns:
the roles

getScreenName

public java.lang.String getScreenName()
Description copied from interface: IUser
Gets the screen name.

Specified by:
getScreenName in interface IUser
Returns:
the screen name

hashCode

public int hashCode()

incrementFailedLoginCount

public void incrementFailedLoginCount()
Description copied from interface: IUser
Increment failed login count.

Specified by:
incrementFailedLoginCount in interface IUser

isAnonymous

public boolean isAnonymous()
Description copied from interface: IUser
Checks if the user is anonymous.

Specified by:
isAnonymous in interface IUser
Returns:
true if the user is anonymous

isEnabled

public boolean isEnabled()
Checks if the account is enabled.

Specified by:
isEnabled in interface IUser
Returns:
true if the account is enabled

isExpired

public boolean isExpired()
Description copied from interface: IUser
Checks if an account is expired.

Specified by:
isExpired in interface IUser
Returns:
true if the account is expired

isInRole

public boolean isInRole(java.lang.String role)
Description copied from interface: IUser
Checks if an account has been assigned a particular role.

Specified by:
isInRole in interface IUser
Parameters:
role - the role
Returns:
true if the user has been assigned the role

isLocked

public boolean isLocked()
Description copied from interface: IUser
Checks if an account is locked.

Specified by:
isLocked in interface IUser
Returns:
true if the account is locked

isLoggedIn

public boolean isLoggedIn()
Description copied from interface: IUser
Tests to see if the user is currently logged in.

Specified by:
isLoggedIn in interface IUser
Returns:
true if the user is logged in

isSessionAbsoluteTimeout

public boolean isSessionAbsoluteTimeout()
Description copied from interface: IUser
Tests to see if the user's session has exceeded the absolute time out.

Specified by:
isSessionAbsoluteTimeout in interface IUser
Returns:
whether user's session has exceeded the absolute time out

isSessionTimeout

public boolean isSessionTimeout()
Description copied from interface: IUser
Tests to see if the user's session has timed out from inactivity.

Specified by:
isSessionTimeout in interface IUser
Returns:
whether user's session has timed out from inactivity

lock

public void lock()
Description copied from interface: IUser
Lock the user's account.

Specified by:
lock in interface IUser

loginWithPassword

public void loginWithPassword(java.lang.String password)
                       throws AuthenticationException
Description copied from interface: IUser
Login with password.

Specified by:
loginWithPassword in interface IUser
Parameters:
password - the password
Throws:
AuthenticationException - the authentication exception

logout

public void logout()
Description copied from interface: IUser
Logout this user.

Specified by:
logout in interface IUser

removeRole

public void removeRole(java.lang.String role)
Description copied from interface: IUser
Removes a role from an account.

Specified by:
removeRole in interface IUser
Parameters:
role - the role

resetCSRFToken

public java.lang.String resetCSRFToken()
In this implementation, we have chosen to use a random token that is stored in the User object. Note that it is possible to avoid the use of server-side state by using either the hash of the user's session id or an encrypted token that includes a timestamp and the user's IP address. A relatively short 8-character string has been chosen because this token will appear in all links and forms.

Specified by:
resetCSRFToken in interface IUser
Returns:
the string
See Also:
IUser.resetCSRFToken()
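The design described above, as an added example that is not ESAPI's own code: a User-style object keeps an 8-character random token server-side, and a method standing in for HTTPUtilities.checkCSRFToken(request) compares a submitted token against it. The class name and the alphabet are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;

// Added illustration, not ESAPI's code: the per-user random token design
// described in the Javadoc, with the verification step sketched as a method.
public class CsrfTokenExample {
    private static final String ALPHABET =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
    private static final SecureRandom RNG = new SecureRandom();
    private String csrfToken;   // the server-side state kept in the User object

    public CsrfTokenExample() { resetCSRFToken(); }

    // 8 symbols from a 62-symbol alphabet give about 47.6 bits of entropy: short
    // enough to ride along in every link and form, yet unguessable within a
    // session's lifetime. Call it on login so pre-login tokens stop validating.
    public final String resetCSRFToken() {
        StringBuilder sb = new StringBuilder(8);
        for (int i = 0; i < 8; i++) {
            sb.append(ALPHABET.charAt(RNG.nextInt(ALPHABET.length())));
        }
        csrfToken = sb.toString();
        return csrfToken;
    }

    public String getCSRFToken() { return csrfToken; }

    // Compare the token submitted with the request against the stored one in
    // constant time. A missing or wrong token means the request did not come
    // from a page this server rendered for this user.
    public boolean checkCSRFToken(String submitted) {
        if (submitted == null) return false;
        return MessageDigest.isEqual(csrfToken.getBytes(StandardCharsets.UTF_8),
                                     submitted.getBytes(StandardCharsets.UTF_8));
    }
}
```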

resetPassword

public java.lang.String resetPassword()
                               throws EncryptionException
Reset password.

Returns:
the string
Throws:
EncryptionException
See Also:
IUser.setPassword(java.lang.String, java.lang.String)

resetRememberToken

public java.lang.String resetRememberToken()
                                    throws AuthenticationException
Regenerates the user's remember token by sealing the account name and hashed password with a timestamp. The account name is used to look up the user when the remember token is received. The hashed password is included to allow the user to invalidate all existing remember tokens by changing their password.

Specified by:
resetRememberToken in interface IUser
Returns:
the string
Throws:
AuthenticationException - the authentication exception
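An added sketch of the sealing scheme described above, not ESAPI's own code: an HMAC under a server key stands in for the seal, a map from account name to hashed password stands in for the authenticator's user store, and SERVER_KEY, LIFETIME_MS and all class and method names not on this page are placeholders or assumptions.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
// Added illustration, not ESAPI's code: an HMAC stands in for the "seal".
public class RememberTokenExample {
    // PLACEHOLDER key: a real deployment loads a random key from its key store.
    private static final byte[] SERVER_KEY = "PLACEHOLDER-server-key".getBytes(StandardCharsets.UTF_8);
    private static final long LIFETIME_MS = 14L * 24 * 60 * 60 * 1000; // constructed: 14 days
    // Stands in for the authenticator's user store: account name -> hashed password.
    private final Map<String, String> hashedPasswords = new HashMap<>();
    private static String b64(byte[] in) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(in);
    }
    private static String hmac(String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(SERVER_KEY, "HmacSHA256"));
        return b64(mac.doFinal(data.getBytes(StandardCharsets.UTF_8)));
    }
    // Seal accountName|hashedPassword|expiry. Only the account name and expiry
    // travel in the token; the hashed password is bound in through the MAC alone.
    public String resetRememberToken(String accountName) throws Exception {
        long expiry = System.currentTimeMillis() + LIFETIME_MS;
        String seal = hmac(accountName + "|" + hashedPasswords.get(accountName) + "|" + expiry);
        return b64((accountName + "|" + expiry).getBytes(StandardCharsets.UTF_8)) + "." + seal;
    }
    // Returns the account name if the token is genuine and unexpired, else null.
    // Recomputing the MAC with the *current* hashed password is what lets a
    // password change invalidate every remember token issued before it.
    public String verifyRememberToken(String token) throws Exception {
        try {
            int dot = token.indexOf('.');
            byte[] raw = Base64.getUrlDecoder().decode(token.substring(0, dot));
            String[] parts = new String(raw, StandardCharsets.UTF_8).split("\\|", -1);
            long expiry = Long.parseLong(parts[1]);
            String current = hashedPasswords.get(parts[0]);
            if (current == null || System.currentTimeMillis() > expiry) return null;
            byte[] expected = hmac(parts[0] + "|" + current + "|" + expiry).getBytes(StandardCharsets.UTF_8);
            byte[] given = token.substring(dot + 1).getBytes(StandardCharsets.UTF_8);
            return MessageDigest.isEqual(expected, given) ? parts[0] : null;
        } catch (RuntimeException e) { // malformed token: bad base64, missing fields, bad number
            return null;
        }
    }
    // Called from changePassword: a new hash means every outstanding token stops verifying.
    public void setHashedPassword(String name, String hash) { hashedPasswords.put(name, hash); }
}
```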

setAccountName

public void setAccountName(java.lang.String accountName)
Sets the account name.

Specified by:
setAccountName in interface IUser
Parameters:
accountName - the accountName to set

setExpirationTime

public void setExpirationTime(java.util.Date expirationTime)
Sets the expiration time.

Parameters:
expirationTime - the expirationTime to set

setLastHostAddress

public void setLastHostAddress(java.lang.String remoteHost)
Sets the last remote host address used by this User.

Parameters:
remoteHost - the remote host address to record for this User

setRoles

public void setRoles(java.util.Set roles)
              throws AuthenticationException
Sets the roles.

Specified by:
setRoles in interface IUser
Parameters:
roles - the roles to set
Throws:
AuthenticationException

setScreenName

public void setScreenName(java.lang.String screenName)
Description copied from interface: IUser
Sets the screen name.

Specified by:
setScreenName in interface IUser
Parameters:
screenName - the new screen name

toString

public java.lang.String toString()

unlock

public void unlock()
Description copied from interface: IUser
Unlock account.

Specified by:
unlock in interface IUser

verifyPassword

public boolean verifyPassword(java.lang.String password)
Description copied from interface: IUser
Verify that the supplied password matches the password for this user. This method is typically used for "reauthentication" for the most sensitive functions, such as transactions, changing email address, and changing other account information.

Specified by:
verifyPassword in interface IUser
Parameters:
password - the password to verify
Returns:
true if the supplied password matches the password for this user

clone

public final java.lang.Object clone()
                             throws java.lang.CloneNotSupportedException
Override clone and make final to prevent duplicate user objects.

Throws:
java.lang.CloneNotSupportedException