1 /** 2 * This file Copyright (c) 2003-2016 Magnolia International 3 * Ltd. (http://www.magnolia-cms.com). All rights reserved. 4 * 5 * 6 * This file is dual-licensed under both the Magnolia 7 * Network Agreement and the GNU General Public License. 8 * You may elect to use one or the other of these licenses. 9 * 10 * This file is distributed in the hope that it will be 11 * useful, but AS-IS and WITHOUT ANY WARRANTY; without even the 12 * implied warranty of MERCHANTABILITY or FITNESS FOR A 13 * PARTICULAR PURPOSE, TITLE, or NONINFRINGEMENT. 14 * Redistribution, except as permitted by whichever of the GPL 15 * or MNA you select, is prohibited. 16 * 17 * 1. For the GPL license (GPL), you can redistribute and/or 18 * modify this file under the terms of the GNU General 19 * Public License, Version 3, as published by the Free Software 20 * Foundation. You should have received a copy of the GNU 21 * General Public License, Version 3 along with this program; 22 * if not, write to the Free Software Foundation, Inc., 51 23 * Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 24 * 25 * 2. For the Magnolia Network Agreement (MNA), this file 26 * and the accompanying materials are made available under the 27 * terms of the MNA which accompanies this distribution, and 28 * is available at http://www.magnolia-cms.com/mna.html 29 * 30 * Any modifications to this file must keep this entire header 31 * intact. 32 * 33 */ 34 package info.magnolia.cms.security; 35 36 import info.magnolia.cms.security.auth.ACL; 37 38 import java.util.Collection; 39 import java.util.Map; 40 41 import javax.jcr.Value; 42 import javax.security.auth.Subject; 43 44 45 /** 46 * Manages users. 47 */ 48 public interface UserManager { 49 50 /** 51 * Magnolia system user name. 52 */ 53 public static final String SYSTEM_USER = "superuser"; 54 55 /** 56 * Magnolia system default password. 57 */ 58 public static final String SYSTEM_PSWD = "superuser"; 59 60 /** 61 * Anonymous user name. 62 */ 63 public static final String ANONYMOUS_USER = "anonymous"; 64 65 /** 66 * Find a specific user. Not all implementations will support this method. 67 * 68 * @param name the name of the user 69 * @return the user object 70 */ 71 public User getUser(String name) throws UnsupportedOperationException; 72 73 /** 74 * Find a specific user. Not all implementations will support this method. 75 * 76 * @param id user identifier 77 * @return the user object 78 */ 79 public User getUserById(String id) throws UnsupportedOperationException; 80 81 /** 82 * Initialize new user using JAAS authenticated/authorized subject. 83 * 84 * @throws UnsupportedOperationException if the current implementation doesn't support this operation 85 * @deprecated since 5.3.3 jaas login module should just request the user, not pass the subject around to the user manager 86 */ 87 @Deprecated 88 public User getUser(Subject subject) throws UnsupportedOperationException; 89 90 /** 91 * Get system user, this user must always exist in magnolia repository. 92 * 93 * @throws UnsupportedOperationException if the current implementation doesn't support this operation 94 */ 95 public User getSystemUser() throws UnsupportedOperationException; 96 97 /** 98 * Get Anonymous user, this user must always exist in magnolia repository. 99 * 100 * @throws UnsupportedOperationException if the current implementation doesn't support this operation 101 */ 102 public User getAnonymousUser() throws UnsupportedOperationException; 103 104 /** 105 * Get all users. 106 * 107 * @return collection of User objects 108 * @throws UnsupportedOperationException if the current implementation doesn't support this operation 109 */ 110 public Collection<User> getAllUsers() throws UnsupportedOperationException; 111 112 /** 113 * Creates a user without security restrictions. 114 * 115 * @throws UnsupportedOperationException if the current implementation doesn't support this operation 116 */ 117 public User createUser(String name, String pw) throws UnsupportedOperationException; 118 119 /** 120 * Creates a user on given path. 121 * 122 * @throws UnsupportedOperationException if the current implementation doesn't support this operation 123 */ 124 public User createUser(String path, String name, String pw) throws UnsupportedOperationException; 125 126 /** 127 * Sets a new password. 128 * 129 * @return user object with updated password. 130 * @throws UnsupportedOperationException if the current implementation doesn't support this operation 131 */ 132 public User changePassword(User user, String newPassword) throws UnsupportedOperationException; 133 134 /** 135 * Sets given property for the user. 136 * 137 * @param user User to be updated. If property doesn't exist yet, it will be created. If the value is null, property will be removed if existing. 138 * @param propertyName Name of the property. 139 * @param propertyValue Value of the property. Use org.apache.jackrabbit.value.ValueFactoryImpl to convert type to Value. 140 * @return updated user object with new value of the property. 141 * @deprecated since 4.5.7 - use {@link UserManager#setProperty(User, String, String)} 142 */ 143 @Deprecated 144 public User setProperty(User user, String propertyName, Value propertyValue); 145 146 /** 147 * Sets given property for the user and returns updated user object with new value of the property. 148 */ 149 public User setProperty(User user, String propertyName, String propertyValue); 150 151 /* ---------- User Manager configuration ----------- */ 152 153 /** 154 * Sets a time period for account lock. 155 * 156 * @throws UnsupportedOperationException if the current implementation doesn't support this operation 157 */ 158 public void setLockTimePeriod(int lockTimePeriod) throws UnsupportedOperationException; 159 160 /** 161 * Gets a time period for account lock. 162 * 163 * @throws UnsupportedOperationException if the current implementation doesn't support this operation 164 */ 165 public int getLockTimePeriod() throws UnsupportedOperationException; 166 167 /** 168 * Sets a number of failed attempts before locking account. 169 * 170 * @throws UnsupportedOperationException if the current implementation doesn't support this operation 171 */ 172 public void setMaxFailedLoginAttempts(int maxFailedLoginAttempts) throws UnsupportedOperationException; 173 174 /** 175 * Gets a number of failed attempts before locking account. 176 * 177 * @throws UnsupportedOperationException if the current implementation doesn't support this operation 178 */ 179 public int getMaxFailedLoginAttempts() throws UnsupportedOperationException; 180 181 /** 182 * Grants user role. 183 * 184 * @return user object with the role already granted. 185 */ 186 public User addRole(User user, String roleName); 187 188 /** 189 * Adds user to a group. 190 * 191 * @return user object with the group already assigned. 192 */ 193 public User addGroup(User user, String groupName); 194 195 /** 196 * Updates last access timestamp for the user. 197 * 198 * @throws UnsupportedOperationException if the current implementation doesn't support this operation 199 */ 200 public void updateLastAccessTimestamp(User user) throws UnsupportedOperationException; 201 202 /** 203 * @param principal name of the principal 204 * @param resourceName either group or role name 205 * @param resourceType either group or role see 206 * @return whether principal belongs to the named resource. 207 */ 208 public boolean hasAny(String principal, String resourceName, String resourceType); 209 210 /** 211 * @return all ACLs assigned to the given user. 212 */ 213 public Map<String, ACL> getACLs(User user); 214 215 /** 216 * Removes user from a group. 217 * 218 * @return user object with the group assignment removed. 219 */ 220 public User removeGroup(User user, String groupName); 221 222 /** 223 * Removes role from a user. 224 * 225 * @return user object without removed role. 226 */ 227 public User removeRole(User user, String roleName); 228 229 /** 230 * Returns all users which are the provided group. 231 * Note that the method returns only users in exactly this group, users which are in transitive groups will not be returned. 232 * 233 * @param groupName name of the group 234 */ 235 public Collection<String> getUsersWithGroup(String groupName); 236 237 /** 238 * Returns all users which are in the provided group. 239 * The method can return also users which are in transitive groups of the given group. 240 * 241 * @param groupName name of the group 242 * @param transitive whether the method should return also users which are in transitive groups of the given group. 243 */ 244 public Collection<String> getUsersWithGroup(String groupName, boolean transitive) throws UnsupportedOperationException; 245 246 247 /** 248 * @return all users having assigned the provided role 249 */ 250 public Collection<String> getUsersWithRole(String roleName); 251 252 }