


1 /*
2  * NEMESIS-FORUM.
3  * Copyright (C) 2002 David Laurent(lithium2@free.fr). All rights reserved.
4  *
5  * Copyright (c) 2000 The Apache Software Foundation. All rights reserved.
6  *
7  * Copyright (C) 2001 Yasna.com. All rights reserved.
8  *
9  * Copyright (C) 2000 CoolServlets.com. All rights reserved.
10  *
11  * NEMESIS-FORUM. is free software; you can redistribute it and/or
12  * modify it under the terms of the Apache Software License, Version 1.1,
13  * or (at your option) any later version.
14  *
15  * NEMESIS-FORUM core framework, NEMESIS-FORUM backoffice, NEMESIS-FORUM frontoffice
16  * application are parts of NEMESIS-FORUM and are distributed under
17  * same terms of licence.
18  *
19  *
20  * NEMESIS-FORUM includes software developed by the Apache Software Foundation (http://www.apache.org/)
21  * and software developed by CoolServlets.com (http://www.coolservlets.com).
22  * and software developed by Yasna.com (http://www.yasna.com).
23  *
24  */

25 package org.nemesis.forum.impl;
26
27 import java.sql.Connection JavaDoc;
28 import java.sql.PreparedStatement JavaDoc;
29 import java.sql.ResultSet JavaDoc;
30 import java.sql.SQLException JavaDoc;
31
32 import org.apache.commons.logging.Log;
33 import org.apache.commons.logging.LogFactory;
34 import org.nemesis.forum.Authorization;
35 import org.nemesis.forum.AuthorizationFactory;
36 import org.nemesis.forum.exception.UnauthorizedException;
37 import org.nemesis.forum.util.StringUtils;
38 import org.nemesis.forum.util.jdbc.DbConnectionManager;
39 /**
40  * A subclass of AuthorizationFactory for the default implementation. It makes an
41  * SQL query to the user table to see if the supplied username and password
42  * match a user record. If they do, the appropriate Authorization token is
43  * returned. If no matching User record is found an UnauthorizedException is
44  * thrown.<p>
45  *
46  * Because each call to createAuthorization(String, String) makes a database
47  * connection, Authorization tokens should be cached whenever possible. When
48  * using servlet or JSP skins, a good approach is to cache the token in the
49  * session. The SkinUtils.getUserAuthorization() methods automatically handle
50  * this logic.<p>
51  *
52  * If you wish to integrate the application with your own user system, you'll need to
53  * either modify the class or provide your own implementation of the
54  * AuthorizationFactory interface.
55  */

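public class DbAuthorizationFactory extends AuthorizationFactory {

    static protected Log log = LogFactory.getLog(DbAuthorizationFactory.class);

    /** DATABASE QUERIES **/
    // Both credentials are passed as bound parameters, so the caller-supplied
    // username and password never become part of the SQL text.
    private static final String AUTHORIZE = "SELECT userID FROM yazdUser WHERE username=? AND passwordHash=?";

    /**
     * The same token can be used for all anonymous users, so cache it.
     * It is built with the user id -1.
     */
    private static final Authorization anonymousAuth = new DbAuthorization(-1);

    /**
     * Creates an Authorization token for the user whose username and password
     * hash match a row of the user table.
     *
     * <p>Security notes for callers and maintainers:
     * <ul>
     * <li>An unknown username, a wrong password and a database error all end in
     *     the same UnauthorizedException, so this method does not tell a caller
     *     which of the two credentials was wrong, and it denies access when the
     *     lookup itself fails.</li>
     * <li>This method does not limit or count failed attempts; any throttling
     *     or lockout has to be applied by the caller.</li>
     * <li>NOTE(review): StringUtils.hash is not visible from this class. If it is
     *     an unsalted, fast digest, the stored passwordHash column is weak
     *     against offline guessing once the table is disclosed; confirm the
     *     algorithm and consider a salted, slow password hash.</li>
     * </ul>
     *
     * @param username the username to create an Authorization with.
     * @param password the plain-text password to create an Authorization with.
     * @return an Authorization token if the username and password are correct.
     * @throws UnauthorizedException if either argument is null, if no user
     * record matches, or if the database query fails.
     */
    public Authorization createAuthorization(String username, String password) throws UnauthorizedException {
        if (username == null || password == null) {
            throw new UnauthorizedException();
        }
        // Passwords are stored in hashed form, so hash the plain text before
        // comparing. The comparison itself is done by the database.
        password = StringUtils.hash(password);
        int userID = 0;
        Connection con = null;
        PreparedStatement pstmt = null;
        ResultSet rs = null;
        try {
            con = DbConnectionManager.getConnection();
            pstmt = con.prepareStatement(AUTHORIZE);
            pstmt.setString(1, username);
            pstmt.setString(2, password);

            rs = pstmt.executeQuery();
            // No row means the username and password did not match a user
            // record.
            if (!rs.next()) {
                throw new UnauthorizedException();
            }
            userID = rs.getInt(1);
        } catch (SQLException sqle) {
            // Fail closed: a database problem must never yield a token. Only
            // the exception is logged, not the supplied credentials.
            log.error("Exception in DbAuthorizationFactory:" , sqle);
            throw new UnauthorizedException();
        } finally {
            // Each resource is closed only if it was actually obtained, so a
            // failure while connecting no longer produces a NullPointerException
            // that is logged as a close error. The ResultSet is closed
            // explicitly rather than left to the statement.
            if (rs != null) {
                try {
                    rs.close();
                } catch (Exception e) {
                    log.error("rs close", e);
                }
            }
            if (pstmt != null) {
                try {
                    pstmt.close();
                } catch (Exception e) {
                    log.error("pstmt close",e);
                }
            }
            if (con != null) {
                try {
                    con.close();
                } catch (Exception e) {
                    log.error("conn close",e);
                }
            }
        }
        // Got this far, so the user must be authorized.
        return new DbAuthorization(userID);
    }

    /**
     * Creates anonymous Authorization tokens.
     *
     * @return the shared anonymous Authorization token; every caller receives
     * the same instance.
     */
    public Authorization createAnonymousAuthorization() {
        return anonymousAuth;
    }
}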