Module org.bzdev.ejws
Package org.bzdev.ejws

Class EjwsAuthenticator<E extends EjwsAuthenticator>

java.lang.Object
com.sun.net.httpserver.Authenticator
com.sun.net.httpserver.BasicAuthenticator
org.bzdev.ejws.EjwsAuthenticator<E>
Direct Known Subclasses:
EjwsBasicAuthenticator, EjwsSecureBasicAuth
public abstract class EjwsAuthenticator<E extends EjwsAuthenticator> extends BasicAuthenticator
Base class for EJWS authenticators.

  • Field Details

    • tracer

      protected Appendable tracer
      The Appendable used for tracing.

    • onAccountRequest

      protected EjwsAuthenticator.BiConsumer1 onAccountRequest
      The account-request monitoring function. This function is called when a user requests an account on this server.

    • onAccountActive

      protected EjwsAuthenticator.BiConsumer2 onAccountActive
      The account-active monitoring function. This function is called when an account is made active

    • onAccountPending

      protected EjwsAuthenticator.BiConsumer2 onAccountPending
      The account-pending monitoring function. This function is called when an account is explicitly made pending

    • onAccountRemoval

      protected EjwsAuthenticator.BiConsumer2 onAccountRemoval
      The account-removal monitoring function. This function is called when an account is removed from the server.

    • loginFunction

      protected BiConsumer<EjwsPrincipal,HttpExchange> loginFunction
      The login function. This function is called when a login is successful.

    • logoutFunction

      protected BiConsumer<EjwsPrincipal,HttpExchange> logoutFunction
      The logout function. This function is called when a logout is successful.

    • authFunction

      protected BiConsumer<EjwsPrincipal,HttpExchange> authFunction
      The authorization function. This function is called when a request is authorized and the login function or logout function was not called during the same transaction.

  • Constructor Details

    • EjwsAuthenticator

      protected EjwsAuthenticator(EmbeddedWebServer ews, String realm)
      Constructor. Realms are strings denoting a name space for users.
      Parameters:
      ews - the EmbeddedWebServer
      realm - the realm

  • Method Details

    • setThisObject

      protected void setThisObject(E thisObject)
      Set this object so that we can always get the actual type.
      Parameters:
      thisObject - this object

    • gpghome

      protected File gpghome()
      Get the GPG home directory.
      Returns:
      the GPG home directory; null if one has not been set

    • setGPGHome

      public E setGPGHome(File gpghome) throws IOException
      Set the GPG home directory. If the directory does not exist, it will be created and its POSIX file permissions (if applicable) will be set to read, write, execute for the owner with no group or other permissions. A key named keysigner will be automatically added if it does not already exist.

      The methods createUser(String,String,String[],Set), createUser(String,String,Set), storeGPGKey(String,EjwsAuthenticator.GPGKeyIDs), and trustGPGKey(String,boolean) will throw a NullPointerException if this method is not called with a non-null argument.

      Parameters:
      gpghome - the home directory that GPG will use
      Returns:
      this object
      Throws:
      IOException - if an IO error occurs

    • setSBLStore

      public E setSBLStore(SBLStore store)
      Set persistent storage for SBL files and/or passwords.
      Parameters:
      store - the SBLStore
      Returns:
      this object

    • setSBLStore

      public E setSBLStore(File file) throws IOException
      Set persistent storage for SBL files and/or passwords given a file.
      Parameters:
      file - the file used for storage
      Returns:
      this object
      Throws:
      IOException - if an an IO exception occurred
      See Also:

    • closeSBLStore

      public void closeSBLStore()
      Close persistent storage.

      This method has no effect if setSBLStore(java.io.File) or setSBLStore(java.io.File) has not been called.

      See Also:

    • getSBLStore

      public SBLStore getSBLStore()
      Get the SBL store. An SBL store is persistent storage for passwords and SBL files, with a user as a key and an indication of whether or not a user is active.
      Returns:
      the SBL store; null if one has not been configured

    • getUserTable

      public abstract EjwsUserTable<? extends EjwsAuthenticator,? extends EjwsAuthenticator.Entry> getUserTable()
      Get this authenticator's user table.
      Returns:
      this authenticator's user table

    • readSBLData

      protected String readSBLData(InputStream is)
      Read SBL data from an input stream, storing it as a string
      Parameters:
      is - the input stream
      Returns:
      the SBL data; null if there is an error

    • storeSBLData

      protected void storeSBLData(String s, EjwsAuthenticator.AddStatus status) throws Exception
      Store SBL data.
      Parameters:
      s - the SBL data as a String
      status - EjwsAuthenticator.AddStatus.OK if the corresponding account will be active; EjwsAuthenticator.AddStatus.PENDING if the corresponding account will be pending; EjwsAuthenticator.AddStatus.REJECTED if the account is immediately rejected
      Throws:
      Exception

    • createAuthCode

      public E createAuthCode(String secret)
      Add an authorization code. This method will create an object that can generate authorization codes, which are useful when users are emailed links to allow them to set up accounts.
      Parameters:
      secret - an initialization string.
      Returns:
      this object

    • getAuthCode

      protected AuthCode getAuthCode()
      Get the current authorization-code generator.
      Returns:
      an instance of AuthCode; null if one was not configured.

    • isActiveDefault

      public boolean isActiveDefault()
      Get the default value for whether or not a user account is active or not. An account is active if the user is allowed to log in.
      Returns:
      true if the account is active; false otherwise

    • setDefaultActive

      public E setDefaultActive(boolean value)
      Set the default for whether new users are active or not. The value is used by the createUser methods.
      Parameters:
      value - true if new users are active by default; false if not active by default
      Returns:
      this object

    • getCanAddAccount

      public boolean getCanAddAccount()
      Determine if this authenticator can add a new user account.
      Returns:
      true if an account can be added; false otherwise.

    • setCanAddAccount

      public E setCanAddAccount(boolean value)
      Set whether or not this authenticator can add a user account.
      Parameters:
      value - true if an account can be added; false otherwise.
      Returns:
      this object

    • setTruststore

      public E setTruststore(String truststore)
      Set the name of the truststore file. The value may be sent to clients setting up an account.
      Parameters:
      truststore - the name of the truststore file
      Returns:
      this object

    • setTruststorePW

      public E setTruststorePW(char[] pw)
      Set the truststore password. The value may be sent to clients setting up an account.
      Parameters:
      pw - the password
      Returns:
      this object

    • setSelfSigned

      public E setSelfSigned(boolean selfSigned)
      Set whether or not certificats may be self signed The value may be sent to clients setting up an account.
      Parameters:
      selfSigned - true if certificates can be self-signed; false if a certificate chain ends at a root certificate
      Returns:
      this object

    • setAllowLoopback

      public E setAllowLoopback(boolean allowLoopback)
      Set if a loopback interface may be used for secure connections The value may be sent to clients setting up an account.
      Parameters:
      allowLoopback - true if a looback interface may be used; false otherwise
      Returns:
      this object

    • getLoginAlias

      public String getLoginAlias()
      Get the login alias. This is a convenience method.
      Returns:
      the login alias
      See Also:

    • getLoginPath

      public String getLoginPath()
      Get the login path.
      Returns:
      the login path; null if one was not configured

    • createUser

      public EjwsAuthenticator.UserInfo createUser(String userName, String title, String[] recipients, Set<String> roles) throws IllegalStateException, IOException, NullPointerException
      Create an instance of EjwsAuthenticator.UserInfo. For example, 
      
 EmbeddedWebServer ews = ...;
 File gpghome = ...;
 EjwsSecureBasicAuth auth = new EjwsSecureBasicAuth(ews, "test-realm");
 auth.setGPGHome(gpghome);
 String recipients[] = {
   "user@example.com"
 };
 URI logoutURI = ...;
 auth.add(auth.createUser("user@example.com", "Example",
                          recipients, roles)
          .setURI("/docs/login.html")
          .addUser(true));
 ews.add("/", DirWebMap.class, dir, auth, true, true, true)
    .setWelcome("/index.html")
    .setLoginAlias("login.html", "", true)
    .setLogoutAlias("logout.html", logoutURI);
      In this example, the order of the calls to auth.add and ews.add can be swapped.

      Each recipient must be a string that can be used with the gpg -r option.

      Parameters:
      userName - the user name
      title - A title for an SBL file
      recipients - the GPG recipients
      roles - the user's roles
      Throws:
      NullPointerException - if the GPG home directory had not been set
      IllegalStateException - if the recipient does not have a known GPG public key or if there was a certificate error
      IOException - if an IO error occurs while constructing a cannonical path
      See Also:

    • createUser

      public EjwsAuthenticator.UserInfo createUser(String email, String title, Set<String> roles) throws IllegalStateException, IOException, NullPointerException
      Create an instance of EjwsAuthenticator.UserInfo. For example, 
      
 EmbeddedWebServer ews = ...;
 File gpghome = ...;
 EjwsSecureBasicAuth auth = new EjwsSecureBasicAuth(ews, "test-realm");
 URI logoutURI = ...;
 auth.add(auth.createUser("user@example.com", "Example", roles)
          .setURI("/docs/login.html")
          .addUser(true));
 ews.add("/", DirWebMap.class, dir, auth, true, true, true)
    .setWelcome("/index.html")
    .setLoginAlias("login.html", "", true)
    .setLogoutAlias("logout.html", logoutURI);
      In this example, the order of the calls to auth.add and ews.add can be swapped.

      Each recipient must be a string that can be used with the gpg -r option.

      Parameters:
      email - the user's email address
      title - A title for an SBL file
      roles - the user's roles
      Throws:
      NullPointerException - if the GPG home directory had not been set
      IllegalStateException - if the recipient does not have a known GPG public key or if there was a certificate error
      IOException - if an IO error occurs while constructing a cannonical path
      See Also:

    • createUser

      public EjwsAuthenticator.UserInfo createUser(String userName, String password, String publicKeyPEM, Set<String> roles)
      Create an instance of EjwsAuthenticator.UserInfo based on a public key provided by a remote user. For example, 
      
 EmbeddedWebServer ews = ...;
 String user = ...;
 String password = ...;
 String publickeyPEM = ...;
 EjwsSecureBasicAuth auth = new EjwsSecureBasicAuth(ews, "test-realm");
 String recipients[] = {
 URI logoutURI = ...;
 auth.add(auth.createUser(ews, user, password, publicKeyPEM, null)
 ews.add("/", DirWebMap.class, dir, auth, true, true, true)
    .setWelcome("/index.html")
    .setLoginAlias("login.html", "", true)
    .setLogoutAlias("logout.html", logoutURI);
      In this example, the order of the calls to auth.add and ews.add can be swapped.
      Parameters:
      userName - the user name
      password - the user's password
      publicKeyPEM - the user's publicKey in PEM format
      roles - the user's roles; null if there are none

    • createUser

      public EjwsAuthenticator.UserInfo createUser(ConfigProperties props, Set<String> roles) throws IllegalStateException, IllegalArgumentException
      Create an instance of EjwsAuthenticator.UserInfo based on a ConfigProperties object provided by a remote user.
      Parameters:
      props -
      roles - a set of roles; null if there are none
      Throws:
      IllegalStateException - if the recipient does not have a known GPG public key or if there was a certificate error
      IllegalArgumentException - if the property file was ill formed

    • createUser

      public EjwsAuthenticator.UserInfo createUser(String propsString, Set<String> roles) throws IOException, IllegalArgumentException
      Create an instance of EjwsAuthenticator.UserInfo based on a string representing a ConfigProperties object provided by a remote user. The first argument is a string that was in effect created by the following steps:
      1. store a Properties object by using the method Properties.store(Writer,String) with the Writer argument set to a Writer that uses the UTF-8 character set with CRLF line separators. The first line in this file will be "#(M.T application/vnd.bzdev.sblauncher)", which is used to determine the File's media type.
      2. Compress the byte stream produced in the first step using GZIP.
      3. Finally Base-64 encode the compressed byte stream

      The easiest way to create this string is to use the program SBL to create an SBL file, select a site (listed by keys), and then select the "Copy Server SBL to Clipboard" menu item under the File menu.

      Parameters:
      propsString - a string representing an ConfigProperties object
      roles - a set of roles; null if there are none
      Throws:
      IOException - if the media type does not match that of the Base-64 encoded representation
      IllegalArgumentException - if the property file was ill formed

    • getUserNameFromSBL

      public static String getUserNameFromSBL(String propsString) throws Exception
      Get the name of a user from an SBL file.
      Parameters:
      propsString - the string representation of an SBL file
      Returns:
      the user name
      Throws:
      Exception - if there is an error

    • generateRequestURI

      protected String generateRequestURI(String username)
      Generate a URI for a login request that will provide an SBL file for a user. The host name in the URI will be preferentially taken from the server's certificate when SSL is used.
      Parameters:
      username - the user name; null for just the login URL
      Returns:
      the URL

    • generateAdminURI

      protected String generateAdminURI(String username)
      Generate a URI for an admin page. The host name in the URI will be preferentially taken from the server's certificate when SSL is used.
      Parameters:
      username - the user name; null for just the login URL
      Returns:
      the URL

    • requestFromUser

      protected byte[] requestFromUser(String username, String type, String auth)
      Generate a sequence of bytes containing an SBL file that instructs the SBL program as to how to download data needed to create an account. The format is a UTF-8 encoded string, where the string is produced by ConfigPropUtilities.store(Properities,String) (which describes the string format in detail).
      Parameters:
      username - the user name
      type - "pgpkey" when a PGP/GPG public key should be downloaded; "sbl" if an SBL file should be downloaded
      auth - the authorization string; null if there is none
      Returns:
      the SBL file's contents

    • getReverseProxy

      public URI getReverseProxy()
      Get the reverse proxy. When a reverse proxy is configured, the ".base" field in an SBL file provided by the server will be a URI whose host name and port matches that of the reverse proxy and whose path starts with the reverse proxy's path.
      Returns:
      the reverse proxy; null if there isn't one

    • setReverseProxy

      protected void setReverseProxy(URI proxy)
      Set the reverse proxy. When a reverse proxy is configured, the ".base" field in an SBL file provided by the server will be a URI whose host name and port matches that of the reverse proxy and whose path starts with the reverse proxy's path.
      Parameters:
      proxy - the reverse proxy; null if there isn't one

    • storeGPGKey

      public void storeGPGKey(String key, EjwsAuthenticator.GPGKeyIDs keyids) throws IllegalArgumentException, IllegalStateException, IOException
      Store an ASCII-armored GPG public key for use by this authenticator. The program SBL has an option under the File menu to copy the key to the system clipboard. Alternatively, if a login alias is configured, a URL referencing the login alias with a query containing
      • user=EMAIL_ADDRESS
      • uploadtype=pgpkey will return an SBL file that triggers a series of events that will download the corresponding public key and possibly set up a user account.

        The second argument should be computed by calling showGPGKey(key)

      Parameters:
      key - the public key
      keyids - and object containing the key's email address and fingerprint
      Throws:
      NullPointerException - if the GPG home directory had not been set
      IllegalArgumentException - if the key is ill-formed
      IllegalStateException - if the key cannot be stored
      IOException - if an IO error occurs while constructing a cannonical path
      See Also:

    • showGPGKey

      public EjwsAuthenticator.GPGKeyIDs showGPGKey(String key) throws IllegalArgumentException, IllegalStateException, IOException
      Show an ASCII-armored GPG public key for use by this authenticator. The program SBL has an option under the File menu to copy the key to the system clipboard. Alternatively, if a login alias is configured, a URL referencing the login alias with a query containing
      • user=EMAIL_ADDRESS
      • uploadtype=pgpkey will return an SBL file that triggers a series of events that will download the corresponding public key and possibly set up a user account.
      Parameters:
      key - the public key
      Returns:
      an object containing the key's email address and fingerprint
      Throws:
      NullPointerException - if the GPG home directory had not been set
      IllegalArgumentException - if the key is ill-formed
      IllegalStateException - if the key cannot be stored
      IOException - if an IO error occurs while constructing a cannonical path
      See Also:

    • trustGPGKey

      public void trustGPGKey(String email, boolean trust) throws IllegalArgumentException, IllegalStateException, IOException
      Configure a GPG public key's trust level for this authenticator. The choice for a key's trust level is binary because the key is not being distributed. When the third argument is false, the key's trust is "unknown" and when true, the key's trust is "ultimate".

      Normally this method is not needed because of the use of the TOFU (Trust On First Use) GPG trust policy.

      Parameters:
      email - the public key's email field
      trust - true if the key is "ultimately" trusted; false if the key is not trusted
      Throws:
      NullPointerException - if the GPG home directory had not been set
      IllegalArgumentException - if the key is ill-formed
      IllegalStateException - if the key cannot be stored
      IOException - if an IO error occurs while constructing a cannonical path
      See Also:

    • getSBL

      public abstract byte[] getSBL(String user)
      Get the SBL file for a user
      Parameters:
      user - the user
      Returns:
      the SBL file as a byte array; null if there is none

    • isSBLCompressed

      public abstract boolean isSBLCompressed(String user)
      Determine if the SBL file is compresssed using GZIP.
      Returns:
      true if the SBL file is compressed; false otherwise
      See Also:

    • isActive

      public abstract boolean isActive(String user)
      Determine if a user is currently active. The authenticator's internal tables are tested, not values in persistent storage.
      Returns:
      true if the user exists and is active; false otherwise

    • removeUser

      public abstract boolean removeUser(String name)
      Remove a user.
      Parameters:
      name - the user's name

    • makeUserActive

      public abstract boolean makeUserActive(String name)
      Make a user active.
      Parameters:
      name - the user's name

    • makeUserPending

      public abstract boolean makeUserPending(String name)
      Make a user pendijng.
      Parameters:
      name - the user's name

    • makeUserActiveInMap

      protected abstract boolean makeUserActiveInMap(String name)
      Make a user active, modifying only the authenticator's map.
      Parameters:
      name - the user name
      Returns:
      true on success; false if there is no such user

    • makeUserPendingInMap

      protected abstract boolean makeUserPendingInMap(String name)
      Make a user pending, modifying only the authenticator's map.
      Parameters:
      name - the user name
      Returns:
      true on success; false if there is no such user

    • removeUserFromMap

      protected abstract boolean removeUserFromMap(String name)
      Remove a user, modifying only the authenticator's map.
      Parameters:
      name - the user name
      Returns:
      true on success; false if there is no such user

    • removeUser

      public abstract boolean removeUser(String name, boolean gpg)
      Remove a user, specifying if the user is one for whom GPG is used to provide the data needed to log in.
      Parameters:
      name - the user's name
      gpg - true if GPG is used; false if an SBL directory is used

    • makeUserActive

      public abstract boolean makeUserActive(String name, boolean gpg)
      Make a user active, specifying if the user is one for whom GPG is used to provide the data needed to log in.
      Parameters:
      name - the user's name
      gpg - true if GPG is used; false if an SBL directory is used

    • makeUserPending

      public abstract boolean makeUserPending(String name, boolean gpg)
      Make a user pending, specifying if the user is one for whom GPG is used to provide the data needed to log in.
      Parameters:
      name - the user's name
      gpg - true if GPG is used; false if an SBL directory is used

    • loadFromDirs

      public E loadFromDirs() throws UnsupportedOperationException
      Load user-account data obtained from GPG or an SBL directory
      Returns:
      this object
      Throws:
      UnsupportedOperationException
      See Also:

    • setTracer

      public E setTracer(Appendable tracer)
      Set an Appendable for tracing. This method should be used only for debugging.
      Parameters:
      tracer - the Appendable for tracing request and responses
      Returns:
      this object

    • setOnAccountRequest

      public E setOnAccountRequest(EjwsAuthenticator.BiConsumer1 function)
      Set the function called when a user requests an account. This function will be called when a request to add an account is processed. Its first argument is the name of the user. Its second argument is the status of the request (OK, PENDING, or REJECTED).
      Parameters:
      function - the function; null to disable
      Returns:
      this object

    • setOnAccountActive

      public E setOnAccountActive(EjwsAuthenticator.BiConsumer2 function)
      Set the function called when an account becomes active. This function will be called when a request to make an account active is processed. Its first argument is the name of the user. Its second argument is the status this operation (true for success; false for failure).
      Parameters:
      function - the function; null to disable
      Returns:
      this object

    • setOnAccountPending

      public E setOnAccountPending(EjwsAuthenticator.BiConsumer2 function)
      Set the function called when an account becomes pending explicitly. This function will be called when a request to make an account pending is processed. Its first argument is the name of the user. Its second argument is the status this operation (true for success; false for failure).
      Parameters:
      function - the function; null to disable
      Returns:
      this object

    • setOnAccountRemoval

      public E setOnAccountRemoval(EjwsAuthenticator.BiConsumer2 function)
      Set the function called when an account is removed. This function will be called when a request to make an account active is processed. Its first argument is the name of the user. Its second argument is the status this operation (true for success; false for failure).
      Parameters:
      function - the function; null to disable
      Returns:
      this object

    • setLoginFunction

      public E setLoginFunction(BiConsumer<EjwsPrincipal,HttpExchange> function)
      Set the login function. This function will be called using the current HttpExchange when a login is (a) successful and (b) the function is not null. It can be used to set headers or perform other operations as required by an application.

      The function will be called when the request URI matches a designated login URI, with the current EjwsPrincipal and HttpExchange as its arguments In any transaction, at most one of the login, logout, and authorized functions will be called.

      Parameters:
      function - the function; null to disable
      Returns:
      this object
      See Also:

    • setAuthorizedFunction

      public E setAuthorizedFunction(BiConsumer<EjwsPrincipal,HttpExchange> function)
      Set the authorized function. This function will be called when a request is authorized. Its arguments are a principal and the HTTP exchange. The later can be used to set cookies or perform other operations. In any transaction, at most one of the login, logout, and authorized functions will be called.
      Parameters:
      function - the 'authorized' function.
      Returns:
      this object

    • setLogoutFunction

      public E setLogoutFunction(BiConsumer<EjwsPrincipal,HttpExchange> function)
      Set the logout function. This function will be called using the current HttpExchange when a logout is (a) successful and (b) the function is not null. It can be used to set headers or perform other operations as required by an application.

      The function will be called when the request URI matches a designated logout URI, with the current EjwsPrincipal and HttpExchange as its arguments. The HttpExchange will be null if the login session has timed out. In any transaction, at most one of the login, logout, and authorized functions will be called.

      Parameters:
      function - the function; null to disable
      Returns:
      this object
      See Also:

    • getMode

      public abstract SecureBasicUtilities.Mode getMode()
      Get a user's authentication mode.
      Returns:
      the mode

    • add

      public abstract void add(EjwsAuthenticator.UserInfo info)
      Add a user specified by an instance of EjwsAuthenticator.UserInfo.
      Parameters:
      info - the user data

    • setUserStatusFunction

      public E setUserStatusFunction(Function<String,EjwsAuthenticator.AddStatus> function)
      Set the user-status function. A user status function takes a user name as its argument and returns
      • AddStatus.OK if the user's account is to be added and will be active.
      • AddStatus.PENDING if the user's account is to be added but will not be active.
      • AddStatus.REJECTED if the user may not have an account at this time.
      • null if all users will be active or pending, depending on the value returned by isActiveDefault().
      The default function simply returns null so that whether or not a user is active is determined by the value returned by isActiveDefault().
      Parameters:
      function - the user-status function; null for the default
      Returns:
      this object
      See Also:

    • addToAdminMap

      public E addToAdminMap(String email, String fingerprint)
      Add an entry to the map associating email addresses with the fingerprint of a corresponding GPG key.

      Note: normally this is called explicitly as the web server is being configured. The method FileHandler.setAdminAlias(String), which is called by WebMap.setAdminAlias(String), will add an entry for "admin".

      Parameters:
      email - the email address
      fingerprint - the corresponding GPG key's fingerprint
      Returns:
      this object

    • getAdminFingerprint

      public String getAdminFingerprint(String email)
      Get the PGP fingerprint for an email address associated with the admin account
      Parameters:
      email - the email address
      Returns:
      the fingerprint; null if there isn't one associated with the admin account

    • getAdminUsers

      public Set<String> getAdminUsers()
      Get the users' email addresses for those users associated with the admin account
      Returns:
      the email addresses

    • getUserStatus

      protected EjwsAuthenticator.AddStatus getUserStatus(String username)
      Get the status for a request to set up an account. When a function has been provided by calling setUserStatusFunction(Function), the value returned by the provided function will be used unless the value returned is null, in which case isActiveDefault() determines the result (either active or pending).
      Parameters:
      username - the name (typically the email address) of a user
      Returns:
      EjwsAuthenticator.AddStatus.REJECTED if the account will definitely not be allowed; EjwsAuthenticator.AddStatus.PENDING if the account request requires further processing; EjwsAuthenticator.AddStatus.OK if the account request is immediately accepted
      See Also:

    • addToDeleteSet

      protected void addToDeleteSet(String uname)
      Add a user to the set of users that will be deleted.
      Parameters:
      uname - the user name (e.g., the user's email address)

    • removeFromDeleteSet

      public void removeFromDeleteSet(String uname)
      Remove a user to the set of users that will be deleted.
      Parameters:
      uname - the user name (e.g., the user's email address)

    • inDeleteSet

      public boolean inDeleteSet(String uname)
      Determine if a user is in the set of users that will be deleted.
      Parameters:
      uname - the user name (e.g., the user's email address)

    • getTrustedKeyIDs

      public Set<String> getTrustedKeyIDs() throws Exception
      Get the GPG key IDs for ultimately trusted users. The values returned are in the format used for keysigning (the last 16 characters in the full fingerprint).
      Returns:
      a set of the key IDs
      Throws:
      Exception

    • isTrustedKey

      public boolean isTrustedKey(String name)
      Determine if a user is ultimately trusted. setGPGHome(File) must have been called before this method is used.
      Parameters:
      name - the user name
      Returns:
      true if the user is ultimately trusted; false otherwise
      See Also:

    • hasGPGKey

      public boolean hasGPGKey(String name)
      Determine if there is a GPG Key for a specified user. setGPGHome(File) must have been called before this method is used.
      Parameters:
      name - the user name
      Returns:
      true if there is an associated GPG key; false otherwise

    • setupKeySigner

      protected boolean setupKeySigner()
      Set up a key signer. If not already available, a key named keysigner will be created. setGPGHome(File) must have been called before this method is used.

    • getFingerprint

      public String getFingerprint(String email)
      Get the GPG fingerprint for an email address. setGPGHome(File) must have been called before this method is used.
      Parameters:
      email - the email address
      Returns:
      the fingerpint; null if there is none

    • isEmailAddress

      public static boolean isEmailAddress(String string)
      Determine if a string is a syntactically valid email address. The email address must be the local part of an email address, followed by an '@', in turn followed by a domain. For example, user@example.com. This is often delimited by "&tl;" and ">". Those delimiters must not be included.
      Parameters:
      string - the string to check
      Returns:
      true if the argument is a syntactically valid email address; false otherwise

    • signKey

      public boolean signKey(String email, boolean gpg)
      Sign a key given an email address. The methods setGPGHome(File) and/or setSBLStore(File) should be called before this method is used.
      Parameters:
      email - the email address
      gpg - true if a GPG key will be signed; false if a directory containing SBL data will be manipulated
      Returns:
      true if successful; false otherwise
      See Also:

    • signKey

      protected boolean signKey(String email, String target)
      Sign a key given an email address and target. The methods setGPGHome(File) and/or setSBLStore(File) should be called before this method is used. This is a convenience method.
      Parameters:
      email - the email address
      target - the email address if GPG is used; a file name for a file in the SBL directory otherwise.
      See Also:

    • validGPGUser

      public boolean validGPGUser(String email)
      Determine if a user has a key that was signed by a key recognized by this authenticator. setGPGHome(File) must have been called before this method is used.
      Parameters:
      email - the user's email address
      Returns:
      true if the user is valid (e.g., the user's GPG key has been signed); false otherwise
      See Also:

    • getUsers

      public abstract Set<String> getUsers()
      Get the names of all users known to this authenticator. The value returned is an unmodifiable set.
      Returns:
      the users

    • getUsers

      public abstract Set<String> getUsers(boolean active)
      Get selected users known to this authenticator.
      Parameters:
      active - true if the users are active; false if they are not active

    • getUsersExcept

      public Set<String> getUsersExcept(Set<String> exceptions)
      Get all users except those in an exception set. Users that are in the admin map are ignored.
      Parameters:
      exceptions - a set of users to ignore
      Returns:
      the names of users not in the exception set

    • getPendingGPGUsers

      public Set<String> getPendingGPGUsers()
      Get GPG users that are in the pending state.
      Returns:
      the GPG users that are in a pending state

    • getActiveGPGUsers

      public Set<String> getActiveGPGUsers()
      Get GPG users in the active state.
      Returns:
      the names of GPG users in the active state

    • getGPGUsers

      public Set<String> getGPGUsers(boolean signed)
      Get GPG user names. setGPGHome(File) must have been called before this method is used.
      Parameters:
      signed - true if the corresponding keys were signed; false otherwise
      Returns:
      the user names (typically email addresses)

    • getAuthMap

      protected abstract Map<String,? extends EjwsAuthenticator.Entry> getAuthMap()
      Get the authentication map association user names with authentication data..
      Returns:
      the map

    • getSBLUsers

      public Set<String> getSBLUsers(boolean active)
      Get the users whose data is kept in the SBL directory The method setSBLStore(File) or setSBLStore(SBLStore) should be called before this method is used.
      Parameters:
      active - true to list active users; false to list inactive ones
      Returns:
      the user names

    • deleteWithFingerprint

      public void deleteWithFingerprint(String fpr)
      Delete a GPG key given the key's fingerprint. setGPGHome(File) must have been called before this method is used.
      Parameters:
      fpr - the fingerprint
      See Also:

    • createServerCookie

      protected static ServerCookie createServerCookie(HttpExchange t)
      Create a server cookie
      Parameters:
      t - the instance of HttpExchange used for the current connection
      Returns:
      the new cookie

    • createAuthCookie

      protected ServerCookie createAuthCookie(HttpExchange t, String username)
      Create an authentication cookie given a user name.
      Parameters:
      t - the HttpExchange for an HTTP trasaction
      username - the user name

    • findServerCookie

      protected static ServerCookie findServerCookie(HttpExchange t)
      Find a server cookie.
      Parameters:
      t - the instance of HttpExchange used for the current connection
      Returns:
      the cookie

    • findAuthServerCookie

      protected static ServerCookie findAuthServerCookie(HttpExchange t)
      Find an authorization server cookie. This is used for password-authentication account creation, where the browser handles the request directly.
      Parameters:
      t - the instance of HttpExchange used for the current connection
      Returns:
      the cookie

    • setCookie

      protected static void setCookie(HttpExchange t, ServerCookie cookie)
      Set a server cookie.
      Parameters:
      t - the instance of HttpExchange used for the current connection
      cookie - the cookie

    • removePWInfo

      public void removePWInfo(String username)
      Remove an entry from the password map. This is called when logging out.
      Parameters:
      username - the user name

    • processAdminRequests

      public void processAdminRequests(Map<String,String> deleteMap, Map<String,String> activateMap, Map<String,String> pendingMap)
      Process a request to remove or active user accounts Either removeUser(String,String) or makeUserActive(String,String) will be called to remove or active a user respectively.

      This method is called by FileHandler to implement a simple account manager.

      Parameters:
      deleteMap - a map whose keys are user names or email addresses and whose values are either the same or a file name, where the map is used to determine which users shoudl be deleted
      activateMap - a map whose keys are user names or email addresses and whose values are either the same or a file name, where the map is used to determine which users should be activated
      pendingMap - a map whose keys are user names or email addresses and whose values are either the same or a file name, where the map is used to determine which active users should be made pending