org.owasp.esapi.reference
Class DefaultUser

java.lang.Object
  extended by org.owasp.esapi.reference.DefaultUser
All Implemented Interfaces:
java.io.Serializable, User

public class DefaultUser
extends java.lang.Object
implements User, java.io.Serializable

Reference implementation of the IUser interface. This implementation is serialized into a flat file in a simple format.

Since:
June 1, 2007
Author:
Jeff Williams (jeff.williams .at. aspectsecurity.com) Aspect Security
See Also:
User, Serialized Form

Field Summary
 
Fields inherited from interface org.owasp.esapi.User
ANONYMOUS
 
Method Summary
 void addRole(java.lang.String role)
          Adds a role to an account.
 void addRoles(java.util.Set newRoles)
          Adds the roles.
 void changePassword(java.lang.String oldPassword, java.lang.String newPassword1, java.lang.String newPassword2)
          Sets the user's password, performing a verification of the user's old password, the equality of the two new passwords, and the strength of the new password.
 java.lang.Object clone()
          Override clone and make final to prevent duplicate user objects.
 void disable()
          Disable account.
 void enable()
          Enable the account.
 java.lang.String getAccountName()
          Gets the account name.
 java.lang.String getCSRFToken()
          Gets the CSRF token.
 java.util.Date getExpirationTime()
          Gets the expiration time.
 int getFailedLoginCount()
          Gets the failed login count.
 java.util.Date getLastFailedLoginTime()
          Gets the last failed login time.
 java.lang.String getLastHostAddress()
          Returns the last host address used by the user.
 java.util.Date getLastLoginTime()
          Gets the last login time.
 java.util.Date getLastPasswordChangeTime()
          Gets the last password change time.
 java.util.Set getRoles()
          Gets the roles.
 java.lang.String getScreenName()
          Gets the screen name.
 void incrementFailedLoginCount()
          Increment failed login count.
 boolean isAnonymous()
          Checks if the user is anonymous.
 boolean isEnabled()
          Checks if the account is enabled.
 boolean isExpired()
          Checks if an account is expired.
 boolean isInRole(java.lang.String role)
          Checks if an account has been assigned a particular role.
 boolean isLocked()
          Checks if an account is locked.
 boolean isLoggedIn()
          Tests to see if the user is currently logged in.
 boolean isSessionAbsoluteTimeout()
          Tests to see if the user's session has exceeded the absolute time out.
 boolean isSessionTimeout()
          Tests to see if the user's session has timed out from inactivity.
 void lock()
          Lock the user's account.
 void loginWithPassword(java.lang.String password)
          Login with password.
 void logout()
          Logout this user.
 void removeRole(java.lang.String role)
          Removes a role from an account.
 java.lang.String resetCSRFToken()
          In this implementation, we have chosen to use a random token that is stored in the User object.
 void setAccountName(java.lang.String accountName)
          Sets the account name.
 void setExpirationTime(java.util.Date expirationTime)
          Sets the expiration time.
 void setLastFailedLoginTime(java.util.Date lastFailedLoginTime)
          Sets the last failed login time.
 void setLastHostAddress(java.lang.String remoteHost)
          Sets the last remote host address used by this User.
 void setLastLoginTime(java.util.Date lastLoginTime)
          Sets the last login time.
 void setLastPasswordChangeTime(java.util.Date lastPasswordChangeTime)
          Sets the last password change time.
 void setRoles(java.util.Set roles)
          Sets the roles.
 void setScreenName(java.lang.String screenName)
          Sets the screen name.
 java.lang.String toString()
           
 void unlock()
          Unlock account.
 boolean verifyPassword(java.lang.String password)
          Verify that the supplied password matches the password for this user.
 
Methods inherited from class java.lang.Object
equals, getClass, hashCode, notify, notifyAll, wait, wait, wait
 

Method Detail

addRole

public void addRole(java.lang.String role)
             throws AuthenticationException
Description copied from interface: User
Adds a role to an account.

Specified by:
addRole in interface User
Parameters:
role - the role
Throws:
AuthenticationException - the authentication exception

addRoles

public void addRoles(java.util.Set newRoles)
              throws AuthenticationException
Description copied from interface: User
Adds the roles.

Specified by:
addRoles in interface User
Parameters:
newRoles - the new roles
Throws:
AuthenticationException - the authentication exception

changePassword

public void changePassword(java.lang.String oldPassword,
                           java.lang.String newPassword1,
                           java.lang.String newPassword2)
                    throws AuthenticationException,
                           EncryptionException
Description copied from interface: User
Sets the user's password, performing a verification of the user's old password, the equality of the two new passwords, and the strength of the new password.

Specified by:
changePassword in interface User
Parameters:
oldPassword - the old password
newPassword1 - the new password
newPassword2 - the new password, entered a second time for confirmation
Throws:
EncryptionException
AuthenticationException - the authentication exception
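
The three checks named in the description above (old password verified, the two new passwords equal, the new password strong enough), as an added illustration that is not DefaultUser's own code; PBKDF2-HMAC-SHA256 storage and the minimal strength rule are assumptions, and ESAPI's real hashing and password policy differ:

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Date;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Illustration of the changePassword contract; not DefaultUser's own code. PBKDF2-HMAC-SHA256
// storage and the strength rule are assumptions; ESAPI's real hashing and policy differ.
public class PasswordChangeExample {
    private static final int ITERATIONS = 100_000;                // assumed work factor
    private static final SecureRandom RNG = new SecureRandom();
    private final byte[] salt = new byte[16];
    private byte[] hash;
    private Date lastPasswordChangeTime;
    public PasswordChangeExample(String initialPassword) throws GeneralSecurityException {
        RNG.nextBytes(salt);
        hash = derive(initialPassword, salt);
        lastPasswordChangeTime = new Date();
    }
    // Same job as User.verifyPassword: reauthenticate by a constant-time compare of derived hashes.
    public boolean verifyPassword(String password) throws GeneralSecurityException {
        return MessageDigest.isEqual(hash, derive(password, salt));
    }
    // The three checks the description names, in that order, then the credential update.
    public void changePassword(String oldPassword, String newPassword1, String newPassword2) throws GeneralSecurityException {
        if (!verifyPassword(oldPassword)) {
            throw new SecurityException("old password does not match");
        }
        if (!newPassword1.equals(newPassword2)) {
            throw new IllegalArgumentException("new passwords do not match");
        }
        if (!isStrong(newPassword1) || newPassword1.equals(oldPassword)) {
            throw new IllegalArgumentException("new password is too weak or reuses the old one");
        }
        RNG.nextBytes(salt);                                      // fresh salt for the new credential
        hash = derive(newPassword1, salt);
        lastPasswordChangeTime = new Date();                      // what getLastPasswordChangeTime reports
    }
    private static boolean isStrong(String p) {                   // assumed minimal strength rule
        return p.length() >= 12 && p.chars().anyMatch(Character::isLetter)
                                && p.chars().anyMatch(Character::isDigit);
    }
    private static byte[] derive(String password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, ITERATIONS, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }
}
```

The order matters: the old-password check runs first so that a caller who has not reauthenticated learns nothing about which of the later checks would have failed.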

disable

public void disable()
Description copied from interface: User
Disable account.

Specified by:
disable in interface User

enable

public void enable()
Enable the account.

Specified by:
enable in interface User
See Also:
User.enable()

getAccountName

public java.lang.String getAccountName()
Gets the account name.

Specified by:
getAccountName in interface User
Returns:
the accountName

getCSRFToken

public java.lang.String getCSRFToken()
Gets the CSRF token. Use HTTPUtilities.checkCSRFToken(request) to verify the token.

Specified by:
getCSRFToken in interface User
Returns:
the csrfToken

getExpirationTime

public java.util.Date getExpirationTime()
Gets the expiration time.

Returns:
The expiration time of the current user.

getFailedLoginCount

public int getFailedLoginCount()
Gets the failed login count.

Specified by:
getFailedLoginCount in interface User
Returns:
the failedLoginCount

getLastFailedLoginTime

public java.util.Date getLastFailedLoginTime()
Gets the last failed login time.

Specified by:
getLastFailedLoginTime in interface User
Returns:
the lastFailedLoginTime

getLastHostAddress

public java.lang.String getLastHostAddress()
Description copied from interface: User
Returns the last host address used by the user. This will be used in any log messages generated by the processing of this request.

Specified by:
getLastHostAddress in interface User
Returns:
the last host address used by the user

getLastLoginTime

public java.util.Date getLastLoginTime()
Gets the last login time.

Specified by:
getLastLoginTime in interface User
Returns:
the lastLoginTime

getLastPasswordChangeTime

public java.util.Date getLastPasswordChangeTime()
Gets the last password change time.

Specified by:
getLastPasswordChangeTime in interface User
Returns:
the lastPasswordChangeTime

getRoles

public java.util.Set getRoles()
Gets the roles.

Specified by:
getRoles in interface User
Returns:
the roles

getScreenName

public java.lang.String getScreenName()
Description copied from interface: User
Gets the screen name.

Specified by:
getScreenName in interface User
Returns:
the screen name

incrementFailedLoginCount

public void incrementFailedLoginCount()
Description copied from interface: User
Increment failed login count.

Specified by:
incrementFailedLoginCount in interface User

isAnonymous

public boolean isAnonymous()
Description copied from interface: User
Checks if the user is anonymous.

Specified by:
isAnonymous in interface User
Returns:
true if the user is anonymous

isEnabled

public boolean isEnabled()
Checks if the account is enabled.

Specified by:
isEnabled in interface User
Returns:
true if the account is enabled

isExpired

public boolean isExpired()
Description copied from interface: User
Checks if an account is expired.

Specified by:
isExpired in interface User
Returns:
true if the account is expired

isInRole

public boolean isInRole(java.lang.String role)
Description copied from interface: User
Checks if an account has been assigned a particular role.

Specified by:
isInRole in interface User
Parameters:
role - the role
Returns:
true if the user is in the role

isLocked

public boolean isLocked()
Description copied from interface: User
Checks if an account is locked.

Specified by:
isLocked in interface User
Returns:
true if the account is locked

isLoggedIn

public boolean isLoggedIn()
Description copied from interface: User
Tests to see if the user is currently logged in.

Specified by:
isLoggedIn in interface User
Returns:
true if the user is logged in

isSessionAbsoluteTimeout

public boolean isSessionAbsoluteTimeout()
Description copied from interface: User
Tests to see if the user's session has exceeded the absolute time out.

Specified by:
isSessionAbsoluteTimeout in interface User
Returns:
whether user's session has exceeded the absolute time out

isSessionTimeout

public boolean isSessionTimeout()
Description copied from interface: User
Tests to see if the user's session has timed out from inactivity.

Specified by:
isSessionTimeout in interface User
Returns:
whether user's session has timed out from inactivity

lock

public void lock()
Description copied from interface: User
Lock the user's account.

Specified by:
lock in interface User

loginWithPassword

public void loginWithPassword(java.lang.String password)
                       throws AuthenticationException
Description copied from interface: User
Login with password.

Specified by:
loginWithPassword in interface User
Parameters:
password - the password
Throws:
AuthenticationException - the authentication exception

logout

public void logout()
Description copied from interface: User
Logout this user.

Specified by:
logout in interface User

removeRole

public void removeRole(java.lang.String role)
Description copied from interface: User
Removes a role from an account.

Specified by:
removeRole in interface User
Parameters:
role - the role

resetCSRFToken

public java.lang.String resetCSRFToken()
In this implementation, we have chosen to use a random token that is stored in the User object. Note that it is possible to avoid the use of server-side state by using either the hash of the user's session id or an encrypted token that includes a timestamp and the user's IP address. A relatively short 8-character string has been chosen because this token will appear in all links and forms.

Specified by:
resetCSRFToken in interface User
Returns:
the string
See Also:
User.resetCSRFToken()
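
The stored-random-token design described above, together with the kind of check HTTPUtilities.checkCSRFToken(request) has to perform and the stateless session-id-derived alternative the description mentions, as an added illustration that is not DefaultUser's or HTTPUtilities' own code; the alphabet, the keyed-hash variant, the server key and the plain-String request parameter are assumptions:

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Illustration of the token design; not DefaultUser's or HTTPUtilities' own code.
// The alphabet, the keyed-hash variant and the plain-String request parameter are assumptions.
public class CsrfTokenExample {
    private static final String ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
    private static final int TOKEN_LENGTH = 8;           // short because it rides in every link and form
    private static final SecureRandom RNG = new SecureRandom();
    private String csrfToken;                            // the server-side state the description refers to

    public CsrfTokenExample() {
        resetCSRFToken();                                // mint a token when the user object is created
    }

    // Same contract as resetCSRFToken: replace the stored token with a fresh random one
    // (call it again on login so a token issued before authentication is worthless afterwards).
    public String resetCSRFToken() {
        StringBuilder sb = new StringBuilder(TOKEN_LENGTH);
        for (int i = 0; i < TOKEN_LENGTH; i++) {
            sb.append(ALPHABET.charAt(RNG.nextInt(ALPHABET.length())));
        }
        csrfToken = sb.toString();
        return csrfToken;
    }

    public String getCSRFToken() { return csrfToken; }

    // What a checkCSRFToken(request)-style check must do: refuse a missing value and
    // compare the submitted token with the stored one in constant time.
    public boolean checkCSRFToken(String submitted) {
        if (submitted == null) return false;
        return MessageDigest.isEqual(submitted.getBytes(StandardCharsets.UTF_8),
                                     csrfToken.getBytes(StandardCharsets.UTF_8));
    }

    // The stateless alternative: a keyed hash of the session id under a server-held key, so
    // nothing is stored per user; the same function recomputes the expected value on submit.
    public static String statelessToken(byte[] serverKey, String sessionId) throws java.security.GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(serverKey, "HmacSHA256"));
        byte[] tag = mac.doFinal(sessionId.getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(tag).substring(0, 16);
    }
}
```

Eight characters from a 62-symbol alphabet give roughly 47 bits of entropy, which is adequate for a per-session nonce that is reset on login but should not be reused as any longer-lived secret.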

setAccountName

public void setAccountName(java.lang.String accountName)
Sets the account name.

Specified by:
setAccountName in interface User
Parameters:
accountName - the accountName to set

setExpirationTime

public void setExpirationTime(java.util.Date expirationTime)
Sets the expiration time.

Parameters:
expirationTime - the expirationTime to set

setLastFailedLoginTime

public void setLastFailedLoginTime(java.util.Date lastFailedLoginTime)
Sets the last failed login time.

Parameters:
lastFailedLoginTime - the lastFailedLoginTime to set

setLastHostAddress

public void setLastHostAddress(java.lang.String remoteHost)
Sets the last remote host address used by this User.

Parameters:
remoteHost - the last remote host address used by this user

setLastLoginTime

public void setLastLoginTime(java.util.Date lastLoginTime)
Sets the last login time.

Parameters:
lastLoginTime - the lastLoginTime to set

setLastPasswordChangeTime

public void setLastPasswordChangeTime(java.util.Date lastPasswordChangeTime)
Sets the last password change time.

Parameters:
lastPasswordChangeTime - the lastPasswordChangeTime to set

setRoles

public void setRoles(java.util.Set roles)
              throws AuthenticationException
Sets the roles.

Specified by:
setRoles in interface User
Parameters:
roles - the roles to set
Throws:
AuthenticationException

setScreenName

public void setScreenName(java.lang.String screenName)
Description copied from interface: User
Sets the screen name.

Specified by:
setScreenName in interface User
Parameters:
screenName - the new screen name

toString

public java.lang.String toString()

unlock

public void unlock()
Description copied from interface: User
Unlock account.

Specified by:
unlock in interface User

verifyPassword

public boolean verifyPassword(java.lang.String password)
Description copied from interface: User
Verify that the supplied password matches the password for this user. This method is typically used for "reauthentication" for the most sensitive functions, such as transactions, changing email address, and changing other account information.

Specified by:
verifyPassword in interface User
Parameters:
password - the password to verify
Returns:
true if the supplied password matches the password for this user

clone

public final java.lang.Object clone()
                             throws java.lang.CloneNotSupportedException
Override clone and make final to prevent duplicate user objects.

Throws:
java.lang.CloneNotSupportedException