2 * Copyright (C) 2007 EDIT
3 * European Distributed Institute of Taxonomy
4 * http://www.e-taxonomy.eu
6 * The contents of this file are subject to the Mozilla Public License Version 1.1
7 * See LICENSE.TXT at the top of this package for the full license terms.
9 package eu
.etaxonomy
.cdm
.api
.service
;
11 import java
.util
.ArrayList
;
12 import java
.util
.Collection
;
13 import java
.util
.HashMap
;
14 import java
.util
.List
;
16 import java
.util
.UUID
;
18 import org
.hibernate
.NonUniqueResultException
;
19 import org
.hibernate
.criterion
.Criterion
;
20 import org
.springframework
.beans
.factory
.annotation
.Autowired
;
21 import org
.springframework
.context
.annotation
.Lazy
;
22 import org
.springframework
.dao
.DataAccessException
;
23 import org
.springframework
.dao
.IncorrectResultSizeDataAccessException
;
24 import org
.springframework
.security
.access
.AccessDeniedException
;
25 import org
.springframework
.security
.access
.prepost
.PreAuthorize
;
26 import org
.springframework
.security
.authentication
.AuthenticationManager
;
27 import org
.springframework
.security
.authentication
.UsernamePasswordAuthenticationToken
;
28 import org
.springframework
.security
.authentication
.dao
.SaltSource
;
29 import org
.springframework
.security
.authentication
.encoding
.PasswordEncoder
;
30 import org
.springframework
.security
.core
.Authentication
;
31 import org
.springframework
.security
.core
.GrantedAuthority
;
32 import org
.springframework
.security
.core
.context
.SecurityContextHolder
;
33 import org
.springframework
.security
.core
.userdetails
.UserCache
;
34 import org
.springframework
.security
.core
.userdetails
.UserDetails
;
35 import org
.springframework
.security
.core
.userdetails
.UsernameNotFoundException
;
36 import org
.springframework
.security
.core
.userdetails
.cache
.NullUserCache
;
37 import org
.springframework
.stereotype
.Service
;
38 import org
.springframework
.transaction
.annotation
.Transactional
;
39 import org
.springframework
.util
.Assert
;
41 import eu
.etaxonomy
.cdm
.model
.permission
.GrantedAuthorityImpl
;
42 import eu
.etaxonomy
.cdm
.model
.permission
.User
;
43 import eu
.etaxonomy
.cdm
.persistence
.dao
.permission
.IGrantedAuthorityDao
;
44 import eu
.etaxonomy
.cdm
.persistence
.dao
.permission
.IGroupDao
;
45 import eu
.etaxonomy
.cdm
.persistence
.dao
.permission
.IUserDao
;
46 import eu
.etaxonomy
.cdm
.persistence
.query
.MatchMode
;
47 import eu
.etaxonomy
.cdm
.persistence
.query
.OrderHint
;
50 * Note: All group related functionality has been refactored into a GroupService.
51 * The will be removed in a future version.
54 @Transactional(readOnly
= true)
55 // NOTE: no type level @PreAuthorize annotation for this class!
56 public class UserService
extends ServiceBase
<User
,IUserDao
> implements IUserService
{
58 protected IGroupDao groupDao
;
60 protected IGrantedAuthorityDao grantedAuthorityDao
;
62 private SaltSource saltSource
; // = new ReflectionSaltSource();
64 private PasswordEncoder passwordEncoder
; // = new Md5PasswordEncoder();
66 private AuthenticationManager authenticationManager
;
69 private UserCache userCache
= new NullUserCache();
71 @Autowired(required
= false)
72 public void setUserCache(UserCache userCache
) {
73 Assert
.notNull(userCache
, "userCache cannot be null");
74 this.userCache
= userCache
;
77 @Autowired(required
= false)
78 public void setPasswordEncoder(PasswordEncoder passwordEncoder
) {
80 this.passwordEncoder
= passwordEncoder
;
83 @Autowired(required
= false)
84 public void setSaltSource(SaltSource saltSource
) {
85 this.saltSource
= saltSource
;
88 @Autowired(required
= false)
89 @Lazy // avoid dependency cycle coming from OAuth2ServerConfiguration.AuthorizationServerConfiguration.authenticationManager
90 public void setAuthenticationManager(AuthenticationManager authenticationManager
) {
91 this.authenticationManager
= authenticationManager
;
96 protected void setDao(IUserDao dao
) {
101 public void setGroupDao(IGroupDao groupDao
) {
102 this.groupDao
= groupDao
;
106 public void setGrantedAuthorityDao(IGrantedAuthorityDao grantedAuthorityDao
) {
107 this.grantedAuthorityDao
= grantedAuthorityDao
;
112 * Changes the own password of in the database of the user which is
113 * currently authenticated. Requires to supply the old password for security
114 * reasons. Refreshes the authentication in the SecurityContext after the
115 * password change by re-authenticating the user with the new password.
117 * @see org.springframework.security.provisioning.UserDetailsManager#changePassword(java.lang.String,
121 @Transactional(readOnly
=false)
122 @PreAuthorize("isAuthenticated()")
123 public void changePassword(String oldPassword
, String newPassword
) {
124 Assert
.hasText(oldPassword
);
125 Assert
.hasText(newPassword
);
126 Authentication authentication
= SecurityContextHolder
.getContext().getAuthentication();
127 if(authentication
!= null && authentication
.getPrincipal() != null && authentication
.getPrincipal() instanceof User
) {
129 // get current authentication and load it from the persistence layer,
130 // to make sure we are modifying the instance which is
131 // attached to the hibernate session
132 User user
= (User
)authentication
.getPrincipal();
133 user
= dao
.load(user
.getUuid());
135 // check if old password is valid
136 authenticationManager
.authenticate(new UsernamePasswordAuthenticationToken(user
.getUsername(), oldPassword
));
137 encodeUserPassword(user
, newPassword
);
140 // authenticate the user again with the new password
141 UsernamePasswordAuthenticationToken newAuthentication
= new UsernamePasswordAuthenticationToken(user
, user
.getPassword(), user
.getAuthorities());
142 newAuthentication
.setDetails(authentication
.getDetails());
143 SecurityContextHolder
.getContext().setAuthentication(newAuthentication
);
144 userCache
.removeUserFromCache(user
.getUsername());
147 throw new AccessDeniedException("Can't change password as no Authentication object found in context for current user.");
152 * make new password salt, encode and set it for the passed user
155 * The user to set the new password for.
157 * the new password to be encoded and set for the <code>user</code>
160 public void encodeUserPassword(User user
, String newPassword
) {
161 Object salt
= this.saltSource
.getSalt(user
);
162 String password
= passwordEncoder
.encodePassword(newPassword
, salt
);
163 user
.setPassword(password
);
167 @Transactional(readOnly
=false)
168 @PreAuthorize("#username == authentication.name or hasRole('ROLE_ADMIN') or hasRole('ROLE_USER_MANAGER')")
169 public void changePasswordForUser(String username
, String newPassword
) {
170 Assert
.hasText(username
);
171 Assert
.hasText(newPassword
);
174 User user
= dao
.findUserByUsername(username
);
176 throw new UsernameNotFoundException(username
);
179 encodeUserPassword(user
, newPassword
);
181 userCache
.removeUserFromCache(user
.getUsername());
182 } catch(NonUniqueResultException nure
) {
183 throw new IncorrectResultSizeDataAccessException("More than one user found with name '" + username
+ "'", 1);
188 @Transactional(readOnly
=false)
189 @PreAuthorize("hasRole('ROLE_ADMIN') or hasRole('ROLE_USER_MANAGER')")
190 public void createUser(UserDetails user
) {
191 Assert
.isInstanceOf(User
.class, user
);
192 encodeUserPassword((User
)user
, user
.getPassword());
193 dao
.save((User
)user
);
197 @Transactional(readOnly
=false)
198 @PreAuthorize("hasRole('ROLE_ADMIN') or hasRole('ROLE_USER_MANAGER')")
199 public void deleteUser(String username
) {
200 Assert
.hasLength(username
);
202 User user
= dao
.findUserByUsername(username
);
207 userCache
.removeUserFromCache(username
);
211 @Transactional(readOnly
=false)
212 @PreAuthorize("hasRole('ROLE_ADMIN') or hasRole('ROLE_USER_MANAGER')")
213 public void updateUser(UserDetails user
) {
214 Assert
.isInstanceOf(User
.class, user
);
216 dao
.update((User
)user
);
217 userCache
.removeUserFromCache(user
.getUsername());
221 public boolean userExists(String username
) {
222 Assert
.hasText(username
);
224 User user
= dao
.findUserByUsername(username
);
229 * <b>DO NOT CALL THIS METHOD IN LONG RUNNING SESSIONS OR CONVERSATIONS
230 * A THROWN UsernameNotFoundException WILL RENDER THE CONVERSATION UNUSABLE</b>
232 * @see org.springframework.security.core.userdetails.UserDetailsService#loadUserByUsername(java.lang.String)
234 // NOTE: this method must not be secured since it is being used during the
235 // authentication process
237 public UserDetails
loadUserByUsername(String username
)
238 throws UsernameNotFoundException
, DataAccessException
{
239 Assert
.hasText(username
);
241 User user
= dao
.findUserByUsername(username
);
243 throw new UsernameNotFoundException(username
);
246 } catch(NonUniqueResultException nure
) {
247 throw new IncorrectResultSizeDataAccessException("More than one user found with name '" + username
+ "'", 1);
253 @Transactional(readOnly
=false)
254 // @PreAuthorize("hasRole('ROLE_ADMIN') or hasRole('ROLE_RUN_AS_ADMIN') or hasRole('ROLE_USER_MANAGER')")
255 public User
save(User user
) {
256 if(user
.getId() == 0 || dao
.load(user
.getUuid()) == null){
265 @PreAuthorize("hasRole('ROLE_ADMIN') or hasRole('ROLE_USER_MANAGER')")
266 public UUID
update(User user
) {
268 return user
.getUuid();
272 @Transactional(readOnly
=false)
273 @PreAuthorize("hasRole('ROLE_ADMIN') or hasRole('ROLE_USER_MANAGER')")
274 public UUID
saveGrantedAuthority(GrantedAuthority grantedAuthority
) {
275 return grantedAuthorityDao
.save((GrantedAuthorityImpl
)grantedAuthority
).getUuid();
281 @Transactional(readOnly
= true)
282 public List
<User
> listByUsername(String queryString
,MatchMode matchmode
, List
<Criterion
> criteria
, Integer pageSize
, Integer pageNumber
, List
<OrderHint
> orderHints
, List
<String
> propertyPaths
) {
283 long numberOfResults
= dao
.countByUsername(queryString
, matchmode
, criteria
);
285 List
<User
> results
= new ArrayList
<>();
286 if(numberOfResults
> 0) {
287 results
= dao
.findByUsername(queryString
, matchmode
, criteria
, pageSize
, pageNumber
, orderHints
, propertyPaths
);
292 /* ================================================
293 * overriding methods to secure them
294 * via the type level annotation @PreAuthorize
295 * ================================================ */
298 @Transactional(readOnly
=false)
299 @PreAuthorize("hasRole('ROLE_ADMIN') or hasRole('ROLE_USER_MANAGER')")
300 public DeleteResult
delete(User persistentObject
) {
301 return super.delete(persistentObject
);
305 @Transactional(readOnly
=false)
306 public DeleteResult
delete(UUID userUuid
) {
307 return delete(dao
.load(userUuid
));
311 @Transactional(readOnly
=false)
312 @PreAuthorize("hasRole('ROLE_ADMIN') or hasRole('ROLE_USER_MANAGER')")
313 public Map
<UUID
, User
> save(Collection
<?
extends User
> newInstances
) {
314 Map
<UUID
, User
> users
= new HashMap
<UUID
, User
>();
315 for (User user
: newInstances
){
317 users
.put(user
.getUuid(), user
);
323 @PreAuthorize("hasRole('ROLE_ADMIN') or hasRole('ROLE_USER_MANAGER')")
324 public UUID
saveOrUpdate(User transientObject
) {
325 return super.saveOrUpdate(transientObject
);
329 @PreAuthorize("hasRole('ROLE_ADMIN') or hasRole('ROLE_USER_MANAGER')")
330 @Transactional(readOnly
=false)
331 public User
merge(User detachedObject
) {
332 return super.merge(detachedObject
);
336 @PreAuthorize("hasRole('ROLE_ADMIN') or hasRole('ROLE_USER_MANAGER')")
337 @Transactional(readOnly
=false)
338 public List
<User
> merge(List
<User
> detachedObjects
) {
339 return super.merge(detachedObjects
);
343 @PreAuthorize("hasRole('ROLE_ADMIN') or hasRole('ROLE_USER_MANAGER')")
344 public Map
<UUID
, User
> saveOrUpdate(Collection
<User
> transientInstances
) {
345 return super.saveOrUpdate(transientInstances
);