Package com.evolveum.midpoint.security.api

Class MidPointPrincipal

java.lang.Object
com.evolveum.midpoint.security.api.MidPointPrincipal
All Implemented Interfaces:
DebugDumpable, ShortDumpable, Serializable, org.springframework.security.core.userdetails.UserDetails
Direct Known Subclasses:
GuiProfiledPrincipal
public class MidPointPrincipal extends Object implements org.springframework.security.core.userdetails.UserDetails, DebugDumpable, ShortDumpable
Simple midPoint principal. This principal should contain only the concepts that are essential for midPoint core to work. It should not contain user interface concepts (e.g. adminGuiConfig). For that see GuiProfiledPrincipal.
Author:
Radovan Semancik
See Also:

  • Constructor Details

    • MidPointPrincipal

      protected MidPointPrincipal(@NotNull @NotNull FocusType focus)
      Use static factory methods when calling from the outside.

  • Method Details

    • privileged

      @NotNull public static @NotNull MidPointPrincipal privileged(@NotNull @NotNull FocusType focus)
      Returns a principal with a single privileged authorization; regardless of what authorizations the focus has.

    • create

      public static MidPointPrincipal create(@NotNull @NotNull FocusType focus)
      Returns a principal without authorizations.

    • getAuthorities

      @NotNull public @NotNull Collection<Authorization> getAuthorities()
      Specified by:
      getAuthorities in interface org.springframework.security.core.userdetails.UserDetails

    • addAuthorization

      public void addAuthorization(@NotNull @NotNull Authorization authorization)
      Use only during "regular" building or updating of a principal. Does NOT set effectivePrivilegesModification flag.

    • addExtraAuthorizationIfMissing

      public void addExtraAuthorizationIfMissing(@NotNull @NotNull Authorization authorization, boolean full)
      Use to add extra authorizations - it sets effectivePrivilegesModification flag. The "if missing" will be (most of the time) a false positive match: . The authorization source will most probably differ between role-derived and artificial (runPrivileged) one; . Even if that would not be the case, any minor difference (like in name or description) would count as well. So, the full elevation would be signalled for the majority of cases even if the equivalent authorization was there.

    • clearAuthorizations

      public void clearAuthorizations()

    • getPassword

      public String getPassword()
      Specified by:
      getPassword in interface org.springframework.security.core.userdetails.UserDetails

    • getUsername

      public String getUsername()
      Specified by:
      getUsername in interface org.springframework.security.core.userdetails.UserDetails

    • isAccountNonExpired

      public boolean isAccountNonExpired()
      Specified by:
      isAccountNonExpired in interface org.springframework.security.core.userdetails.UserDetails

    • isAccountNonLocked

      public boolean isAccountNonLocked()
      Specified by:
      isAccountNonLocked in interface org.springframework.security.core.userdetails.UserDetails

    • isCredentialsNonExpired

      public boolean isCredentialsNonExpired()
      Specified by:
      isCredentialsNonExpired in interface org.springframework.security.core.userdetails.UserDetails

    • isEnabled

      public boolean isEnabled()
      Specified by:
      isEnabled in interface org.springframework.security.core.userdetails.UserDetails

    • getFocus

      @NotNull public @NotNull FocusType getFocus()
      Effective identity that is used to execute all actions. Authorizations of this identity will be applied. This is usually the logged-in user. However, this may be the user on behalf who are the actions executed (donor of power) and the real logged-in user may be the attorney.

    • getFocusPrismObject

      public PrismObject<? extends FocusType> getFocusPrismObject()

    • setOrReplaceFocus

      public void setOrReplaceFocus(@NotNull @NotNull FocusType newFocus)
      Must not change focus OID (at least for now).

    • getName

      public PolyStringType getName()

    • getOid

      public String getOid()

    • getEffectivePrivilegesModification

      @Nullable public @Nullable EffectivePrivilegesModificationType getEffectivePrivilegesModification()

    • clearEffectivePrivilegesModification

      public void clearEffectivePrivilegesModification()

    • getAttorney

      @Nullable public @Nullable FocusType getAttorney()
      Real identity of the logged-in user. Used in cases when there is a difference between logged-in user and the identity that is used to execute actions and evaluate authorizations. This may happen when one user (attorney) has switched identity to another user (donor of power). In that case the identity of the attorney is in this property. The user that was the target of the switch is stored in the "user" property.

    • getAttorneyPrismObject

      @Nullable public @Nullable PrismObject<? extends FocusType> getAttorneyPrismObject()

    • setAttorney

      public void setAttorney(FocusType attorney)

    • getPreviousPrincipal

      public MidPointPrincipal getPreviousPrincipal()
      Principal that was used before this principal was active. This is used when principals are chained (e.g. attorney)

    • setPreviousPrincipal

      public void setPreviousPrincipal(MidPointPrincipal previousPrincipal)

    • getApplicableSecurityPolicy

      public SecurityPolicyType getApplicableSecurityPolicy()

    • setApplicableSecurityPolicy

      public void setApplicableSecurityPolicy(SecurityPolicyType applicableSecurityPolicy)

    • clone

      public MidPointPrincipal clone()
      Semi-shallow clone.
      Overrides:
      clone in class Object

    • cloneWithAdditionalAuthorizations

      public MidPointPrincipal cloneWithAdditionalAuthorizations(@NotNull @NotNull List<Authorization> additionalAuthorizations, boolean full)
      Sets effectivePrivilegesModification flag if needed.

    • copyValues

      protected void copyValues(MidPointPrincipal clone)

    • debugDump

      public String debugDump(int indent)
      Specified by:
      debugDump in interface DebugDumpable

    • debugDumpInternal

      protected void debugDumpInternal(StringBuilder sb, int indent)

    • toString

      public String toString()
      Overrides:
      toString in class Object

    • toObjectReference

      @NotNull public @NotNull ObjectReferenceType toObjectReference()

    • shortDump

      public void shortDump(StringBuilder sb)
      Description copied from interface: ShortDumpable
      Show the content of the object intended for diagnostics. This method is supposed to append a compact, human-readable output in a single line. Unlike toString() method, there is no requirement to identify the actual class or type of the object. It is assumed that the class/type will be obvious from the context in which the output is used.
      Specified by:
      shortDump in interface ShortDumpable
      Parameters:
      sb - StringBuilder to which to a compact one-line content of the object intended for diagnostics by system administrator should be appended.

    • getLocale

      @NotNull public @NotNull Locale getLocale()
      Search for locale for this principal in multiple locations, returns first non-null item. Order of search:
      1. preferredLocale
      2. FocusType.getPreferredLanguage()
      3. FocusType.getLocale()
      4. Locale.getDefault()

    • getPreferredLocale

      public Locale getPreferredLocale()

    • setPreferredLocale

      public void setPreferredLocale(Locale preferredLocale)

    • getOtherPrivilegesLimitations

      @NotNull public @NotNull OtherPrivilegesLimitations getOtherPrivilegesLimitations()

    • addDelegationTarget

      public void addDelegationTarget(@NotNull @NotNull PrismObject<? extends AssignmentHolderType> target, @NotNull OtherPrivilegesLimitations.Limitation limitation)
      Registers an information about "membership delegation", i.e. that this principal is a delegate of given user(s) or - indirectly - it obtains a delegated abstract role membership. The information on other privileges limitations is attached as well.

    • getDelegatorsFor

      public Set<String> getDelegatorsFor(@Nullable OtherPrivilegesLimitations.Type limitationType)
      TODO (null means we don't care about limitations)

    • getDelegatedMembershipFor

      public Set<String> getDelegatedMembershipFor(@Nullable OtherPrivilegesLimitations.Type limitationType)
      Includes the delegators themselves. Later we may extend this to full references (not only OIDs).

    • checkEnabled

      public void checkEnabled() throws SecurityViolationException
      Checks if the midPoint object behind this principal is enabled. The method is placed here to be easily accessible from various contexts. (Although it is a bit questionable if it isn't just too late to check the object after being "installed" into MidPointPrincipal.) We assume that the object was recomputed.
      Throws:
      SecurityViolationException