org.sandev.basics.Authorizer
Class AuthorizerNode

java.lang.Object
  extended by org.sandev.basics.Authorizer.AuthorizerNodeDecl
      extended by org.sandev.basics.Authorizer.AuthorizerNodeBase
          extended by org.sandev.basics.Authorizer.AuthorizerNode
All Implemented Interfaces:
Authorizer, Controllable, Loggable, Messageable

public class AuthorizerNode
extends AuthorizerNodeBase
implements Authorizer

An Authorizer node. An instance of this node would be deployed on either side of a secure communications path that bridges two separate process spaces.


Field Summary
protected  AuthUserLookup auLookup
          Our AuthUserLookup, used for finding the user from the sandTransmitAuthID in a SandTransmitMessage.
protected  AuthFilter authfilter
          Our AuthFilter, used for checking if we should accept a message, or manipulate it in any way before transmission.
protected  java.util.HashMap delmap
          A map of message classes to node instances, used for delivery of incoming asynchronous sends.
protected  SandEncryptor encryptor
          Our encryptor, used for encrypting serialized message object text for transmission.
protected  IDLookup idLookup
          Our IDLookup, used for restoring field values that have been previously set to default values during authorization.
protected  java.util.HashMap recmap
          A map of message classes to node instances, used for receipt of incoming synchronous queries.
protected  CharSerializer serializer
          Our serializer, used for translating message objects into or from a string.
 
Fields inherited from class org.sandev.basics.Authorizer.AuthorizerNodeBase
ctrlwrappers, helperNodes, LOGDEBUG, LOGERROR, LOGFATAL, logger, LOGINFO, logLevel, LOGLEVEL_DEBUG, LOGLEVEL_ERROR, LOGLEVEL_FATAL, LOGLEVEL_INFO, LOGLEVEL_WARN, LOGWARN, messager, nodeInstance, parent, sandNodeErrorMessage, sandNodeState, SANDNODESTATE_FAILED, SANDNODESTATE_FAILING, SANDNODESTATE_RESUMING, SANDNODESTATE_RUNNING, SANDNODESTATE_STARTING, SANDNODESTATE_STOPPED, SANDNODESTATE_STOPPING, SANDNODESTATE_SUSPENDED, SANDNODESTATE_SUSPENDING, SANDNODESTATE_UNDEFINED, sandRoot
 
Fields inherited from class org.sandev.basics.Authorizer.AuthorizerNodeDecl
authFilterClassName, authUserLookupInstanceName, encryptorName, lookupInstanceName, serializerClassName
 
Fields inherited from interface org.sandev.basics.nodecommon.Controllable
OPERATION_FAIL, OPERATION_RESUME, OPERATION_SHUTDOWN, OPERATION_STARTUP, OPERATION_STR_FAIL, OPERATION_STR_RESUME, OPERATION_STR_SHUTDOWN, OPERATION_STR_STARTUP, OPERATION_STR_SUSPEND, OPERATION_STR_UNDEFINED, OPERATION_STRINGS, OPERATION_SUSPEND, OPERATION_UNDEFINED, SHUTDOWN_ERROR_RESTART_GLOBAL, SHUTDOWN_ERROR_RESTART_LOCAL, SHUTDOWN_ERROR_TERMINATE, SHUTDOWN_NORMAL, STATE_FAILED, STATE_FAILING, STATE_RESUMING, STATE_RUNNING, STATE_STARTING, STATE_STOPPED, STATE_STOPPING, STATE_STR_FAILED, STATE_STR_FAILING, STATE_STR_RESUMING, STATE_STR_RUNNING, STATE_STR_STARTING, STATE_STR_STOPPED, STATE_STR_STOPPING, STATE_STR_SUSPENDED, STATE_STR_SUSPENDING, STATE_STR_UNDEFINED, STATE_STRINGS, STATE_SUSPENDED, STATE_SUSPENDING, STATE_UNDEFINED
 
Constructor Summary
AuthorizerNode()
           
 
Method Summary
protected  void authorizeAndRestore(SandMessage msg)
          Throw an exception if this message is unauthorized, otherwise restore the instance data as necessary.
protected  AuthUser authorizeAndScrub(SandMessage msg)
          Throw an exception if this message is unauthorized, otherwise scrub the data as necessary.
protected  AuthUser checkMessageAuthorization(SandMessage msg)
          Verify that this user is allowed to send this message.
 void deliver(SandMessage msg)
          Reject anything that is not an AuthWrapper, unwrap the message, and deliver it to the appropriate registered nodes.
protected  AuthUserLookup findAuthUserLookup()
          Find our AuthUserLookup.
protected  IDLookup findIDLookup()
          Find our IDLookup.
 AuthFilter getAuthFilter()
          initializing accessor for authfilter
 AuthUserLookup getAuthUserLookup()
          initializing accessor for auLookup
 java.util.HashMap getDelMap()
          initializing accessor for delmap
 SandEncryptor getEncryptor()
          initializing accessor for encryptor
 IDLookup getIDLookup()
          initializing accessor for idLookup
 java.util.HashMap getRecMap()
          initializing accessor for recmap
 CharSerializer getSerializer()
          initializing accessor for serializer
protected  AuthFilter instantiateAuthFilter()
          Instantiate a new AuthFilter.
protected  SandEncryptor instantiateEncryptor()
          Instantiate a new SandEncryptor.
protected  CharSerializer instantiateSerializer()
          Instantiate a new serializer.
protected  boolean isQualifiedInitialUserQuery(SandTransmitMessage stm)
          Return true if this is a SandQueryMessage for an AuthUser that explicitly matches the username and password.
 SandMessage query(SandMessage msg, java.lang.String recipient, int optimize)
          Wrap the given message into an AuthWrapper, then query the recipient via unsecure (direct) messaging.
 SandMessage receive(SandMessage msg)
          Reject anything that is not an AuthWrapper, unwrap the contained message, look up the registered recipient, and call through to it directly, returning the result wrapped as an AuthWrapper.
 void registerDelivery(java.lang.String msgClass, Messageable node)
          Register this node as a receiver for all messages of this class that are delivered.
 void registerReceive(java.lang.String msgClass, Messageable node)
          Register the given node as the processor for all queries of this message class that are received.
protected  void restoreCurrentFieldValues(AuthUser user, SandInstanceMessage msg)
          Restore the field values that had been set to their defaults due to authorization restrictions.
 void send(SandMessage msg, int optimize)
          Wrap the given message into an AuthWrapper, then send it via unsecure (direct) messaging.
protected  void setFieldsToDefaultValues(AuthUser user, SandInstanceMessage msg)
          Set any unauthorized fields to their default values.
protected  void setTransmitIDFromQueryResult(SandTransmitMessage msg)
          If this is a collection which is the result of a qualified initial user query, then set the transmission ID now that we have the uniqueID of the AuthUser.
 void unregisterDelivery(java.lang.String msgClass, Messageable node)
          Unregister this node as a receiver for all messages of this class that are delivered.
protected  SandMessage unwrap(AuthWrapper wrapper)
          Unwrap the contained SandMessage and return that.
protected  void verifyMatchRestrictions(AuthUser user, SandQueryMessage msg)
          Get the additional match restrictions for this user via our AuthFilter and make sure they are present in the match description.
protected  AuthWrapper wrap(AuthUser user, SandMessage msg)
          Wrap the given message in an AuthWrapper and return it.
 
Methods inherited from class org.sandev.basics.Authorizer.AuthorizerNodeBase
addWrapper, fieldHasFlag, getAuthFilterClassName, getAuthFilterClassNameDefaultValue, getAuthFilterClassNameFieldPrintValue, getAuthFilterClassNameFlag, getAuthFilterClassNameInvalidValue, getAuthFilterClassNameLengthMax, getAuthFilterClassNameLengthNorm, getAuthFilterClassNameMetatype, getAuthFilterClassNamePrintValue, getAuthFilterClassNameRange, getAuthFilterClassNameValidityCheck, getAuthUserLookupInstanceName, getAuthUserLookupInstanceNameDefaultValue, getAuthUserLookupInstanceNameFieldPrintValue, getAuthUserLookupInstanceNameFlag, getAuthUserLookupInstanceNameInvalidValue, getAuthUserLookupInstanceNameLengthMax, getAuthUserLookupInstanceNameLengthNorm, getAuthUserLookupInstanceNameMetatype, getAuthUserLookupInstanceNamePrintValue, getAuthUserLookupInstanceNameRange, getAuthUserLookupInstanceNameValidityCheck, getEncryptorName, getEncryptorNameDefaultValue, getEncryptorNameFieldPrintValue, getEncryptorNameFlag, getEncryptorNameInvalidValue, getEncryptorNameLengthMax, getEncryptorNameLengthNorm, getEncryptorNameMetatype, getEncryptorNamePrintValue, getEncryptorNameRange, getEncryptorNameValidityCheck, getHelperNodes, getIDCache, getLogger, getLoggerDefaultValue, getLoggerFieldPrintValue, getLoggerFlag, getLoggerInvalidValue, getLoggerMetatype, getLoggerPrintValue, getLoggerRange, getLoggerValidityCheck, getLogLevel, getLogLevelActualVals, getLogLevelDefaultValue, getLogLevelEnumSummary, getLogLevelFieldPrintValue, getLogLevelFlag, getLogLevelInvalidValue, getLogLevelKeyVals, getLogLevelMetatype, getLogLevelPrintVals, getLogLevelPrintValue, getLogLevelRange, getLogLevelValidityCheck, getLookupInstanceName, getLookupInstanceNameDefaultValue, getLookupInstanceNameFieldPrintValue, getLookupInstanceNameFlag, getLookupInstanceNameInvalidValue, getLookupInstanceNameLengthMax, getLookupInstanceNameLengthNorm, getLookupInstanceNameMetatype, getLookupInstanceNamePrintValue, getLookupInstanceNameRange, getLookupInstanceNameValidityCheck, getMessager, 
getMessagerDefaultValue, getMessagerFieldPrintValue, getMessagerFlag, getMessagerInvalidValue, getMessagerMetatype, getMessagerPrintValue, getMessagerRange, getMessagerValidityCheck, getNodeInstance, getNodeInstanceDefaultValue, getNodeInstanceFieldPrintValue, getNodeInstanceFlag, getNodeInstanceInvalidValue, getNodeInstanceMetatype, getNodeInstanceName, getNodeInstancePrintValue, getNodeInstanceRange, getNodeInstanceValidityCheck, getParent, getSandNodeErrorMessage, getSandNodeErrorMessageDefaultValue, getSandNodeErrorMessageFieldPrintValue, getSandNodeErrorMessageFlag, getSandNodeErrorMessageInvalidValue, getSandNodeErrorMessageLengthMax, getSandNodeErrorMessageLengthNorm, getSandNodeErrorMessageMetatype, getSandNodeErrorMessagePrintValue, getSandNodeErrorMessageRange, getSandNodeErrorMessageValidityCheck, getSandNodeState, getSandNodeStateActualVals, getSandNodeStateDefaultValue, getSandNodeStateEnumSummary, getSandNodeStateFieldPrintValue, getSandNodeStateFlag, getSandNodeStateInvalidValue, getSandNodeStateKeyVals, getSandNodeStateMetatype, getSandNodeStatePrintVals, getSandNodeStatePrintValue, getSandNodeStateRange, getSandNodeStateValidityCheck, getSandRoot, getSerializerClassName, getSerializerClassNameDefaultValue, getSerializerClassNameFieldPrintValue, getSerializerClassNameFlag, getSerializerClassNameInvalidValue, getSerializerClassNameLengthMax, getSerializerClassNameLengthNorm, getSerializerClassNameMetatype, getSerializerClassNamePrintValue, getSerializerClassNameRange, getSerializerClassNameValidityCheck, getServername, init, log, log, logLevelActual2Print, logLevelLabelToValue, logLevelPrint2Actual, logLevelPrint2Key, logLevelValueToLabel, notifyStateChange, onFailure, onRestart, onResume, onShutdown, onStartup, onSuspend, restart, resume, sandNodeStateActual2Print, sandNodeStateLabelToValue, sandNodeStatePrint2Actual, sandNodeStatePrint2Key, sandNodeStateValueToLabel, setAuthFilterClassName, setAuthFilterClassName, setAuthUserLookupInstanceName, 
setAuthUserLookupInstanceName, setEncryptorName, setEncryptorName, setHelperNodes, setLogger, setLogger, setLogLevel, setLookupInstanceName, setLookupInstanceName, setMessager, setMessager, setNodeInstance, setNodeInstance, setParent, setSandNodeErrorMessage, setSandNodeErrorMessage, setSandNodeState, setSandRoot, setSerializerClassName, setSerializerClassName, setupSecureReceive, setupSubscriptions, shutdown, startup, suspend, systemwideShutdown, validTransition
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

delmap

protected java.util.HashMap delmap
A map of message classes to node instances, used for delivery of incoming asynchronous sends.


recmap

protected java.util.HashMap recmap
A map of message classes to node instances, used for receipt of incoming synchronous queries.


serializer

protected CharSerializer serializer
Our serializer, used for translating message objects into or from a string.


encryptor

protected SandEncryptor encryptor
Our encryptor, used for encrypting serialized message object text for transmission.


authfilter

protected AuthFilter authfilter
Our AuthFilter, used for checking if we should accept a message, or manipulate it in any way before transmission.


idLookup

protected IDLookup idLookup
Our IDLookup, used for restoring field values that have been previously set to default values during authorization.


auLookup

protected AuthUserLookup auLookup
Our AuthUserLookup, used for finding the user from the sandTransmitAuthID in a SandTransmitMessage.

Constructor Detail

AuthorizerNode

public AuthorizerNode()
Method Detail

getDelMap

public java.util.HashMap getDelMap()
initializing accessor for delmap


getRecMap

public java.util.HashMap getRecMap()
initializing accessor for recmap


getSerializer

public CharSerializer getSerializer()
initializing accessor for serializer


getEncryptor

public SandEncryptor getEncryptor()
initializing accessor for encryptor


getAuthFilter

public AuthFilter getAuthFilter()
initializing accessor for authfilter

Specified by:
getAuthFilter in interface Authorizer

getIDLookup

public IDLookup getIDLookup()
initializing accessor for idLookup


getAuthUserLookup

public AuthUserLookup getAuthUserLookup()
initializing accessor for auLookup


registerDelivery

public void registerDelivery(java.lang.String msgClass,
                             Messageable node)
                      throws MessagerException
Register this node as a receiver for all messages of this class that are delivered.

Specified by:
registerDelivery in interface Authorizer
Throws:
MessagerException

unregisterDelivery

public void unregisterDelivery(java.lang.String msgClass,
                               Messageable node)
                        throws MessagerException
Unregister this node as a receiver for all messages of this class that are delivered.

Specified by:
unregisterDelivery in interface Authorizer
Throws:
MessagerException

registerReceive

public void registerReceive(java.lang.String msgClass,
                            Messageable node)
                     throws MessagerException
Register the given node as the processor for all queries of this message class that are received. It is an error for the system to attempt to register more than one node for a given class.

Specified by:
registerReceive in interface Authorizer
Throws:
MessagerException

deliver

public void deliver(SandMessage msg)
             throws SandException
Reject anything that is not an AuthWrapper, unwrap the message, and deliver it to the appropriate registered nodes.

Note that there is no authorization done here at the receiving end, since the outbound data will already have been scrubbed.

Specified by:
deliver in interface Authorizer
Overrides:
deliver in class AuthorizerNodeBase
Throws:
SandException

send

public void send(SandMessage msg,
                 int optimize)
          throws MessagerException
Wrap the given message into an AuthWrapper, then send it via unsecure (direct) messaging.

Specified by:
send in interface Authorizer
Throws:
MessagerException

query

public SandMessage query(SandMessage msg,
                         java.lang.String recipient,
                         int optimize)
                  throws MessagerException
Wrap the given message into an AuthWrapper, then query the recipient via unsecure (direct) messaging.

Specified by:
query in interface Authorizer
Throws:
MessagerException

receive

public SandMessage receive(SandMessage msg)
                    throws SandException
Reject anything that is not an AuthWrapper, unwrap the contained message, look up the registered recipient, and call through to it directly, returning the result wrapped as an AuthWrapper.

The appropriate recipient will have been registered already. If no appropriate recipient is found, this method throws.

Specified by:
receive in interface Authorizer
Overrides:
receive in class AuthorizerNodeBase
Throws:
SandException

authorizeAndScrub

protected AuthUser authorizeAndScrub(SandMessage msg)
                              throws MessagerException
Throw an exception if this message is unauthorized, otherwise scrub the data as necessary.

Throws:
MessagerException

authorizeAndRestore

protected void authorizeAndRestore(SandMessage msg)
                            throws MessagerException
Throw an exception if this message is unauthorized, otherwise restore the instance data as necessary.

Throws:
MessagerException

isQualifiedInitialUserQuery

protected boolean isQualifiedInitialUserQuery(SandTransmitMessage stm)
Return true if this is a SandQueryMessage for an AuthUser that explicitly matches the username and password. This is special-case bootstrapping to get initial user login information. On the return path, we trap the case of a corresponding collection with sandTransmitAuthID==0 and fill it in from the contained user info.

An AuthUser is characterized by getUsername and getPassword methods. These are typically generated by having the AuthUser struct define fields called "username" and "password". While it's possible to accomplish this in other ways, it doesn't seem worth the effort of extending SandQueryMessage to include an isQualifiedInitialUserQuery method until we see a driving use case in the real world. So this method simply looks for those fields to see if this is a qualified initial user query.


setTransmitIDFromQueryResult

protected void setTransmitIDFromQueryResult(SandTransmitMessage msg)
                                     throws SandException
If this is a collection which is the result of a qualified initial user query, then set the transmission ID now that we have the uniqueID of the AuthUser.

Throws:
SandException

checkMessageAuthorization

protected AuthUser checkMessageAuthorization(SandMessage msg)
                                      throws MessagerException
Verify that this user is allowed to send this message. Return the AuthUser information for the sandTransmitAuthID since that will be useful for subsequent processing.

For everything with a sandTransmitAuthID, we retrieve the associated user via our local lookup node, and then call our AuthFilter to find out if the user is allowed to deal with the specified message instance. If not, then we throw.

Throws:
MessagerException

verifyMatchRestrictions

protected void verifyMatchRestrictions(AuthUser user,
                                       SandQueryMessage msg)
                                throws MessagerException
Get the additional match restrictions for this user via our AuthFilter and make sure they are present in the match description.

Besides making sure the additional match restrictions are present, we also need to make sure the query does not specify any unauthorized fields. Otherwise the user could figure things out from queries even while receiving only the defaulted values back. If an unauthorized field is specified in the match info, an exception is thrown.

Throws:
MessagerException
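
The two checks described for verifyMatchRestrictions, as an added example that is not the framework's own code. The Policy record, the field names and the map-based match description are hypothetical stand-ins for what an AuthFilter and a SandQueryMessage would supply.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

/** Added illustration; none of these types are the SAND framework's own. */
public class MatchRestrictionDemo {

    /** Hypothetical stand-in for what an AuthFilter would report for a user. */
    record Policy(Map<String, String> requiredMatches, Set<String> unauthorizedFields) {}

    /**
     * Throws if the query matches on a field the user may not read, or if a
     * restriction the policy requires is absent or carries a different value.
     */
    static void verifyMatchRestrictions(Policy policy, Map<String, String> match) {
        for (String field : match.keySet()) {
            if (policy.unauthorizedFields().contains(field)) {
                throw new SecurityException("query matches on unauthorized field: " + field);
            }
        }
        for (Map.Entry<String, String> req : policy.requiredMatches().entrySet()) {
            if (!req.getValue().equals(match.get(req.getKey()))) {
                throw new SecurityException("missing required restriction: " + req.getKey());
            }
        }
    }

    static String check(Policy policy, Map<String, String> match) {
        try {
            verifyMatchRestrictions(policy, match);
            return "accepted";
        } catch (SecurityException e) {
            return "rejected (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) {
        // Constructed policy: the user is confined to one department and
        // may never read the salary field.
        Policy policy = new Policy(Map.of("department", "sales"), Set.of("salary"));

        Map<String, String> ok = new LinkedHashMap<>();
        ok.put("department", "sales");
        ok.put("lastName", "Smith");

        // Results would come back with salary defaulted, but whether the
        // query matched at all would still disclose the hidden value.
        Map<String, String> matchesHiddenField = new LinkedHashMap<>(ok);
        matchesHiddenField.put("salary", "90000");

        // Omits the restriction the policy requires.
        Map<String, String> unrestricted = Map.of("lastName", "Smith");

        System.out.println(check(policy, ok));
        System.out.println(check(policy, matchesHiddenField));
        System.out.println(check(policy, unrestricted));
    }
}
```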

setFieldsToDefaultValues

protected void setFieldsToDefaultValues(AuthUser user,
                                        SandInstanceMessage msg)
                                 throws MessagerException
Set any unauthorized fields to their default values.

Throws:
MessagerException

restoreCurrentFieldValues

protected void restoreCurrentFieldValues(AuthUser user,
                                         SandInstanceMessage msg)
                                  throws MessagerException
Restore the field values that had been set to their defaults due to authorization restrictions. This method functions as the inverse operation for setFieldsToDefaultValues.

The last Authorizer in the call chain before the DataManager must perform this replacement for updates to contain the correct information. Otherwise the default values will be written to permanent storage. The messaging chain can be checked by reading the deployment configuration.

Throws:
MessagerException
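
The scrub and restore pair described for setFieldsToDefaultValues and restoreCurrentFieldValues, as an added example that is not the framework's own code. The maps, field names and the STORE lookup (standing in for the IDLookup) are hypothetical, and this sketch assumes the restore step overwrites whatever arrived in the unauthorized fields.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

/** Added illustration; these types are stand-ins, not the SAND framework's. */
public class ScrubRestoreDemo {

    // Constructed field defaults and a constructed store keyed by unique ID.
    static final Map<String, String> DEFAULTS = Map.of("name", "", "salary", "0");
    static final Map<Long, Map<String, String>> STORE = new HashMap<>();

    /** Outbound: set every field the user may not see to its default. */
    static Map<String, String> scrub(Set<String> unauthorized, Map<String, String> instance) {
        Map<String, String> out = new HashMap<>(instance);
        for (String f : unauthorized) {
            out.put(f, DEFAULTS.get(f));
        }
        return out;
    }

    /** Inbound: put the stored values back so the defaults are never persisted. */
    static Map<String, String> restore(Set<String> unauthorized, long id,
                                       Map<String, String> update) {
        Map<String, String> current = STORE.get(id);
        if (current == null) {
            throw new IllegalStateException("no stored instance for id " + id);
        }
        Map<String, String> out = new HashMap<>(update);
        for (String f : unauthorized) {
            out.put(f, current.get(f)); // assumption: incoming value is ignored
        }
        return out;
    }

    public static void main(String[] args) {
        Set<String> unauthorized = Set.of("salary");
        STORE.put(7L, Map.of("name", "Smith", "salary", "90000"));

        // The client receives the scrubbed copy and edits a field it may change.
        Map<String, String> edited = scrub(unauthorized, STORE.get(7L));
        edited.put("name", "Smith-Jones");
        System.out.println("sent back by client: " + edited);

        // Without this step, salary=0 would be written to permanent storage.
        Map<String, String> toPersist = restore(unauthorized, 7L, edited);
        STORE.put(7L, toPersist);
        System.out.println("persisted:           " + STORE.get(7L));
    }
}
```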

wrap

protected AuthWrapper wrap(AuthUser user,
                           SandMessage msg)
                    throws MessagerException
Wrap the given message in an AuthWrapper and return it. We call to encrypt even if the Messager is WIRE_SECURECOMMS because we also need to avoid spoofing. Our messages just have the ID of the user, so we ensure they are who they say they are through encryption processing (typically by blending in their passphrase and/or other info).

Throws:
MessagerException

unwrap

protected SandMessage unwrap(AuthWrapper wrapper)
                      throws MessagerException
Unwrap the contained SandMessage and return that.

Throws:
MessagerException

instantiateSerializer

protected CharSerializer instantiateSerializer()
Instantiate a new serializer. If for any reason we can't instantiate the class we were configured with, we log an error and return null.


instantiateEncryptor

protected SandEncryptor instantiateEncryptor()
Instantiate a new SandEncryptor. If for any reason we can't instantiate the class we were configured with, we log an error and return null.


instantiateAuthFilter

protected AuthFilter instantiateAuthFilter()
Instantiate a new AuthFilter. If for any reason we can't instantiate the class we were configured with, we log an error and return null.


findIDLookup

protected IDLookup findIDLookup()
Find our IDLookup. If for any reason we can't retrieve a reference based on the node instance name we were configured with, then return null. It is the caller's responsibility to die nicely if it needs to use the lookup.


findAuthUserLookup

protected AuthUserLookup findAuthUserLookup()
Find our AuthUserLookup. If for any reason we can't retrieve a reference to the node instance name we were configured with, log an error and return null.