in src/main/java/org/apache/directory/fortress/core/util/VUtil.java [561:664]
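/**
 * Runs every configured {@link Validator} against the session and prunes whatever fails.
 *
 * <p>Behaviour differs by what is being checked:
 * <ul>
 *   <li>{@code type == USER} on a user session: the user's own constraints are checked and the
 *       first failure is fail-closed — a {@link ValidationException} is thrown and the session
 *       is left as-is.</li>
 *   <li>otherwise (role checks, or any check on a group session): each activated RBAC role and
 *       each activated ARBAC admin role is checked; failing roles are removed from the session
 *       and a {@link Warning} of type {@code ROLE} is attached so callers can audit the
 *       deactivation. No exception is thrown for role failures.</li>
 * </ul>
 * When {@code checkDsd} is set and a DSD validator class name is configured in
 * {@code DSDVALIDATOR}, that class is instantiated reflectively and run against the remaining
 * RBAC roles (only for {@code type == ROLE}). The configured class name is therefore trusted
 * input: it must come from a protected configuration source.
 *
 * @param session   the session whose user/group and activated roles are validated; mutated in
 *                  place (roles removed, warnings added, last-access timestamp reset)
 * @param type      which constraint family to apply, {@code USER} or {@code ROLE}
 * @param checkDsd  whether to run the dynamic separation-of-duty validator after role checks
 * @throws SecurityException   wrapping a {@link ValidationException} when the user's own
 *                             constraints fail, or whatever the configured validators raise
 */
public void validateConstraints( Session session, ConstraintType type, boolean checkDsd )
    throws SecurityException
{
    String location = "validateConstraints";
    String entityId = session.isGroupSession() ? session.getGroupName() : session.getUserId();
    String entityType = session.isGroupSession() ? "groupName" : "userId";

    // NOTE(review): both early returns below skip setLastAccess() at the end — confirm intended.
    if ( validators == null )
    {
        LOG.debug( "{} {} [{}] has no constraints enabled", location, entityType, entityId );
        return;
    }
    // no need to continue if the role list is empty and we're trying to check role constraints:
    if ( type == ConstraintType.ROLE && CollectionUtils.isEmpty( session.getRoles() )
        && CollectionUtils.isEmpty( session.getAdminRoles() ) )
    {
        LOG.debug( "{} {} [{}] has no roles assigned", location, entityType, entityId );
        return;
    }

    for ( Validator val : validators )
    {
        // each validator gets its own timestamp, as before
        Time currTime = TUtil.getCurrentTime();
        if ( type == ConstraintType.USER && !session.isGroupSession() )
        {
            // first check the constraint on the user; a failure here rejects the whole session:
            int rc = val.validate( session, session.getUser(), currTime, type );
            if ( rc > 0 )
            {
                String info = location + " user [" + entityId + "] was deactivated reason code [" + rc
                    + "]";
                throw new ValidationException( rc, info );
            }
        }
        else
        {
            // check the constraints for each activated role; failures deactivate the role only:
            deactivateFailingRoles( session, session.getRoles(), "role", val, currTime, type,
                location, entityType, entityId );
            deactivateFailingRoles( session, session.getAdminRoles(), "admin role", val, currTime, type,
                location, entityType, entityId );
        }
    }

    // now perform DSD validation on session's impl roles:
    if ( checkDsd && DSDVALIDATOR != null && DSDVALIDATOR.length() > 0 && type == ConstraintType.ROLE
        && CollectionUtils.isNotEmpty( session.getRoles() ) )
    {
        // DSDVALIDATOR is a configured class name; instantiated fresh on every call
        Validator dsdVal = ( Validator ) ClassUtil.createInstance( DSDVALIDATOR );
        if ( session.isGroupSession() )
        {
            // pass session's group wrapped into constraint interface
            dsdVal.validate( session, new ConstraintedGroup( session.getGroup() ), null, null );
        }
        else
        {
            dsdVal.validate( session, session.getUser(), null, null );
        }
    }
    // reset the user's last access timestamp:
    session.setLastAccess();
}

/**
 * Validates every role in {@code roles} with {@code val} and removes the ones that fail.
 *
 * <p>Each failing role is logged at INFO, recorded on the session as a {@link Warning} of type
 * {@code ROLE}, and removed from {@code roles} in place after the loop (so the collection is
 * not modified while it is being iterated). Shared by the RBAC and ARBAC role checks, which
 * differ only in the list and the label used in messages.
 *
 * @param session     session receiving the warnings
 * @param roles       the activated roles to check; entries failing validation are removed.
 *                    A null or empty collection is a no-op.
 * @param roleLabel   text used in log/warning messages, e.g. {@code "role"} or {@code "admin role"}
 * @param val         validator to apply
 * @param currTime    timestamp handed to the validator
 * @param type        constraint family handed to the validator
 * @param location    caller name used as the message prefix
 * @param entityType  {@code "userId"} or {@code "groupName"}, for the message
 * @param entityId    the user id or group name, for the message
 * @throws SecurityException if the validator raises one
 */
private void deactivateFailingRoles( Session session, List<? extends UserRole> roles, String roleLabel,
    Validator val, Time currTime, ConstraintType type, String location, String entityType,
    String entityId ) throws SecurityException
{
    if ( CollectionUtils.isEmpty( roles ) )
    {
        return;
    }
    List<UserRole> rolesToRemove = new ArrayList<>();
    for ( UserRole role : roles )
    {
        int rc = val.validate( session, role, currTime, type );
        if ( rc > 0 )
        {
            rolesToRemove.add( role );
            String msg = location + " " + roleLabel + " [" + role.getName() + "] for " + entityType
                + "[" + entityId + "]" + " was deactivated reason code [" + rc + "]";
            LOG.info( msg );
            session.setWarning( new ObjectFactory().createWarning( rc, msg, Warning.Type.ROLE,
                role.getName() ) );
        }
    }
    // remove all roles not passing validation
    roles.removeAll( rolesToRemove );
}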