281. EPMO Open Source Coordination Office Redaction File Detail Report

Produced by Araxis Merge on 6/11/2019 10:54:15 AM Eastern Daylight Time. See www.araxis.com for information about Merge. This report uses XHTML and CSS2, and is best viewed with a modern standards-compliant browser. For optimum results when printing this report, use landscape orientation and enable printing of background images and colours in your browser.

281.1 Files compared

#	Location	File	Last Modified
1	HTRE_P3_v14.5_iter_4_build_14.zip\java\gov\va\med\fw\security	LoginManagerImpl.java	Wed May 29 15:26:22 2019 UTC
2	HTRE_P3_v14.5_iter_4_build_14.zip\java\gov\va\med\fw\security	LoginManagerImpl.java	Tue Jun 11 11:41:37 2019 UTC

281.2 Comparison summary

Description	Between Files 1 and 2
Description	Text Blocks	Lines
Unchanged	2	822
Changed	1	2
Inserted	0	0
Removed	0	0

281.3 Comparison options

Whitespace
Character case	Differences in character case are significant
Line endings	Differences in line endings (`CR` and `LF` characters) are ignored
CR/LF characters	Not shown in the comparison detail

281.4 Active regular expressions

No regular expressions were active.

281.5 Comparison detail

	1	/******* ****** ****** ****** ****** ****** *******
	2	* Copyrii ght 2004 V HA. All ri ghts reser ved
	3	******* ****** ****** ****** ****** ****** *******/
	4	package go v.va.med.f w.security ;
	5
	6	import jav a.util.Col lection;
	7	import jav a.util.Tim eZone;
	8
	9	import jav ax.securit y.auth.log in.LoginEx ception;
	10	import jav ax.servlet .http.Http ServletReq uest;
	11	import jav ax.servlet .http.Http Session;
	12
	13	import org .apache.co mmons.lang .Validate;
	14	import org .apache.lo g4j.Level;
	15	import org .apache.lo g4j.Logger ;
	16	import org .springfra mework.bea ns.factory .Initializ ingBean;
	17	import org .springfra mework.bea ns.factory .annotatio n.Autowire d;
	18	import org .springfra mework.bea ns.factory .annotatio n.Value;
	19	import org .springfra mework.sec urity.auth entication .Anonymous Authentica tionToken;
	20	import org .springfra mework.sec urity.auth entication .Authentic ationManag er;
	21	import org .springfra mework.sec urity.core .Authentic ation;
	22	import org .springfra mework.sec urity.core .Authentic ationExcep tion;
	23	import org .springfra mework.sec urity.core .GrantedAu thority;
	24	//import o rg.springf ramework.s ecurity.co ntext.Http SessionCon textIntegr ationFilte r;
	25	import org .springfra mework.sec urity.core .context.S ecurityCon textHolder ;
	26	import org .springfra mework.sec urity.core .userdetai ls.memory. UserAttrib ute;
	27	import org .springfra mework.sec urity.web. authentica tion.WebAu thenticati onDetails;
	28	import org .springfra mework.ste reotype.Co mponent;
	29
	30	import gov .va.med.fw .model.Use rPrincipal Impl;
	31	import gov .va.med.fw .service.S erviceExce ption;
	32
	33	/**
	34	* LoginMa nager impl ementation , centrali zed point to perform the authe ntication
	35	* and cle an up at t he end. UI use this through Lo gonAction to perform login and
	36	* Signout Action to perform lo gout at th e end. If the Anonym ousKey and
	37	* Anonymo usAttribut e are defi ned and no username or passwor d is speci fied, then
	38	* anonymo us authent ication wi ll be atte mpted, oth erwise nor mal authen tication
	39	* will be attempted . If the H ttpServlet Request is specified , it will set the
	40	* request details s uch as ses sion id, r emote ip a ddress in a authenti cation
	41	* token. To do logi n and logo ut from th e UI appli cation, us e the meth ods that
	42	* has Htt pServletRe quest para mter, do a dd/remove attributes required by the
	43	* Acegi S ecurity.
	44	*
	45	* @author D NS
	46	* @date M ay 5, 2005 6:41:43 P M
	47	*/
	48	@Component
	49	public cla ss LoginMa nagerImpl implements Initializ ingBean, L oginManage r {
	50
	51	pr ivate Logg er logger = Logger.g etLogger(L oginManage rImpl.clas s);
	52
	53	@A utowired
	54	pr ivate Auth entication Manager au thenticati onManager;
	55
	56	// Acegi's a nonymous u ser inform ation.
	57	@V alue(value ="cchtAnon AuthKey")
	58	pr ivate Stri ng anonymo usKey;
	59
	60	@V alue(value ="anonymou sUser,ROLE _ANONYMOUS ")
	61	pr ivate User Attribute anonymousU serAttribu te;
	62
	63	@A utowired
	64	pr ivate Secu rityServic e security Service;
	65
	66	/* *
	67	* Return th e Authenti cationMana ger
	68	* /
	69	pu blic Authe nticationM anager get Authentica tionManage r() {
	70	retu rn authent icationMan ager;
	71	}
	72
	73	/* *
	74	* Set the A uthenticat ionManager .
	75	*
	76	* @param au thenticati onManager
	77	* /
	78	pu blic void setAuthent icationMan ager(Authe nticationM anager aut henticatio nManager) {
	79	this .authentic ationManag er = authe nticationM anager;
	80	}
	81
	82	/* *
	83	* @return S tring anon ymous key
	84	* /
	85	pu blic Strin g getAnony mousKey() {
	86	retu rn anonymo usKey;
	87	}
	88
	89	/* *
	90	* Set the a nonymous a uthenticat ion key, o nly requir ed for
	91	* Anonymous Authentica tion
	92	*
	93	* @param an onymousKey
	94	* /
	95	pu blic void setAnonymo usKey(Stri ng anonymo usKey) {
	96	this .anonymous Key = anon ymousKey;
	97	}
	98
	99	/* *
	100	* Return th e anonymou s UserAttr ibute
	101	* /
	102	pu blic UserA ttribute g etAnonymou sUserAttri bute() {
	103	retu rn anonymo usUserAttr ibute;
	104	}
	105
	106	/* *
	107	* Set the U serAttribu te for ano nymous use r.
	108	*
	109	* @param an onymousUse rAttribute
	110	* /
	111	pu blic void setAnonymo usUserAttr ibute(User Attribute anonymousU serAttribu te) {
	112	this .anonymous UserAttrib ute = anon ymousUserA ttribute;
	113	}
	114
	115	@O verride
	116	pu blic void afterPrope rtiesSet() throws Ex ception {
	117
	118	if ( authentica tionManage r == null) {
	119	throw new Illega lArgumentE xception(" Missing re quired pro perty - Au thenticati onManager: Must be s pecified." );
	120	}
	121	}
	122
	123	pu blic void login(Http ServletReq uest reque st, UserCr edentials userCreden tails, Tim eZone curr entTimeZon e)
	124	throws LoginExce ption {
	125	Vali date.notNu ll(userCre dentails, "Null User Credentail s not allo wed.");
	126	Vali date.notNu ll(userCre dentails.g etUserID() , "Null us ername not allowed." );
	127	Vali date.notNu ll(userCre dentails.g etPassword (), "Null password n ot allowed .");
	128	doAu thenticati on(request , userCred entails, c urrentTime Zone);
	129	}
	130
	131	/* *
	132	* Perform t he login g iven the H ttpServlet Request, u sername an d password .
	133	*
	134	* @param re quest
	135	* @param us ername
	136	* @param pa ssword
	137	*
	138	* @throws I llegalArgu mentExcept ion
	139	* if user name or pa ssword is null.
	140	* @throws L oginExcept io
	141	* if auth entication fails
	142	* /
	143	pu blic void login(Http ServletReq uest reque st, UserCr edentials userCreden tails) thr ows LoginE xception {
	144	Vali date.notNu ll(userCre dentails, "Null User Credentail s not allo wed.");
	145	Vali date.notNu ll(userCre dentails.g etUserID() , "Null us ername not allowed." );
	146	Vali date.notNu ll(userCre dentails.g etPassword (), "Null password n ot allowed .");
	147	doAu thenticati on(request , userCred entails, n ull);
	148	}
	149
	150	/* *
	151	* Login usi ng usernam e and pass word. This call is s ame as cal ling
	152	* login(nul l, usernam e, passwor d).
	153	*
	154	* @param us erCredenta ils
	155	* - user c redentails to be aut henticated
	156	* @throws I llegalArgu mentExcept ion
	157	* if user name or pa ssword is null.
	158	* @throws L oginExcept io
	159	* if auth entication fails.
	160	* /
	161	pu blic void login(User Credential s userCred entails) t hrows Logi nException {
	162	logi n(userCred entails, n ull);
	163	}
	164
	165	pr ivate void initializ eUser(User Credential s userCred entials) {
	166	/*
	167	* T ODO: this is the ide al way to go as it w ill correc tly/fully populate
	168	* t he Securit yContext f or the cal ler howeve r, must wa it until t here is
	169	* a mechanism that does not updat e the data base (uses a new fla g in
	170	* U serCredent ials). Thi s would no t "pollute " the data base login table
	171	* f or last_lo gged_in_ti me, etc.
	172	*/
	173
	174	// f or now, ju st do this
	175	Stri ng id = us erCredenti als.getLog icalID() ! = null ? u serCredent ials.getLo gicalID()
	176	: userCr edentials. getUserID( );
	177	logi nAnonymous (id);
	178	}
	179
	180	/* *
	181	* Anonymous ly login t he user. T hrows
	182	* <code>jav a.lang.Ill egalStateE xception</ code> if a nonymous l ogin is no t
	183	* enabled/a llowed.
	184	*
	185	* @throws I llegalStat eException
	186	* if anon ymous logi n is not a llowed.
	187	* /
	188	pu blic void loginAnony mous() thr ows Illega lStateExce ption {
	189	logi nAnonymous (null);
	190	}
	191
	192	/* *
	193	* Anonymous ly login t he user. T hrows
	194	* <code>jav a.lang.Ill egalStateE xception</ code> if a nonymous l ogin is no t
	195	* enabled/a llowed.
	196	*
	197	* @param lo gicalID
	198	* Logical id to use for this a nonymous u ser
	199	* @throws I llegalStat eException
	200	* if anon ymous logi n is not a llowed.
	201	* /
	202	pu blic void loginAnony mous(Strin g logicalI D) throws IllegalSta teExceptio n {
	203	logi nAnonymous (logicalID , null);
	204	}
	205
	206	pu blic void loginAnony mous(Strin g logicalI D, TimeZon e currentT imeZone) t hrows Ille galStateEx ception {
	207	if ( allowAnony mous()) {
	208	doAnon ymousAuthe ntication( logicalID, currentTi meZone);
	209	} el se {
	210	throw new Illega lArgumentE xception(" Anonymous login not allowed.") ;
	211	}
	212	}
	213
	214	/* *
	215	* Check whe ther the a nonymous a uthenticat ion is all owed or no t. If
	216	* anonymous authentic ation key and UserAt tribute ar e specifie d, then th is
	217	* method wi ll return true, fals e otherwis e.
	218	*
	219	* @return t rue if ano nymous aut henticatio n is allow ed, false otherwise.
	220	* /
	221	pr ivate bool ean allowA nonymous() {
	222	retu rn anonymo usKey != n ull && ano nymousUser Attribute != null;
	223	}
	224
	225	/* *
	226	* Perform t he actual task of au thenticati on. On suc cessful au thenticati on,
	227	* sets the authentica tion objec t in a con text, as r equired by Acegi
	228	* Security, On failed authentic ation, it will clear the authe ntication
	229	* object in the conte xt, as req uired by A cegi Secur ity.
	230	*
	231	* @param us erCredenta ils
	232	* @return
	233	* /
	234	pr ivate Auth entication Token doAu thenticati on(HttpSer vletReques t request, UserCrede ntials use rCredentai ls,
	235	TimeZo ne current TimeZone) throws Log inExceptio n {
	236	Auth entication Token auth Token = ne w Authenti cationToke n(userCred entails.ge tUserID(),
	237	userCred entails.ge tPassword( ));
	238	try {
	239	logger .warn("$$$ $$$ Need t o implemen t properly with spri ng securit y.");
	240	UserPr incipalImp l principa l = new Us erPrincipa lImpl(user Credentail s.getUserI D(), userC redentails .getPasswo rd());
	241	Authen ticationTo ken result = new Aut henticatio nToken(pri ncipal, us erCredenta ils);
	242	//Auth entication Token resu lt = (Auth entication Token) thi s.getAuthe nticationM anager().a uthenticat e(authToke n);
	243	result .getUserPr incipal(). setCurrent TimeZone(c urrentTime Zone);
	244	onSucc essfulAuth entication (request, result);
	245	return result;
	246	} ca tch (Authe nticationE xception e ) {
	247	try {
	248	if ("tru e".equals( System.get Property(" ccht.disab leLogin")) ) {
	249	authToken. setAuthent icated(tru e);
	250	UserPrinci pal user;
	251	user = sec urityServi ce.getUser (userCrede ntails.get UserID());
	252	user.setCu rrentTimeZ one(curren tTimeZone) ;
	253	authToken. setUserPri ncipal(use r);
	254	onSuccessf ulAuthenti cation(req uest, auth Token);
	255	return aut hToken;
	256	}
	257	} catc h (Service Exception e1) {
	258	// ignor ed
	259	}
	260
	261	//Stri ng errMsg = "Error w hile authe nticating user " + u serCredent ails.getUs erID();
	262	if (lo gger.isEna bledFor(Le vel.ERROR) ) {
	263	String e xClassName = e.getCa use().getC lass().get Name();
	264	String a Ex = Login Exception. class.getN ame();
	265	if (aEx. equals(exC lassName)) {
	266	logger.err or("Error while auth enticating user ", e );
	267	}
	268	}
	269	onUnsu ccessfulAu thenticati on(request , e);
	270	if (e. getCause() instanceo f LoginExc eption) {
	271	throw (L oginExcept ion) e.get Cause();
	272	} else {
	273	throw ne w LoginExc eption(e.t oString()) ;
	274	}
	275	}
	276	}
	277
	278	/* *
	279	* Perform p ost authen tication t ask in cas e of authe ntication failure.
	280	* Subclasse s can over ride this, but must make a cal l to this method usi ng
	281	* super to perform ta sks requir ed by Ace
	282	*
	283	* @param re quest
	284	* @param ae
	285	* /
	286	pr otected vo id onUnsuc cessfulAut henticatio n(HttpServ letRequest request, Exception ae) {
	287	setA cegiSecure Context(nu ll);
	288	}
	289
	290	/* *
	291	* Perform p ost authen tication t ask. Subcl asses can override t his, but m ust
	292	* make a ca ll to this method us ing super to perform tasks req uired by A ce
	293	*
	294	* @param re quest
	295	* @param re sult
	296	* /
	297	pr otected vo id onSucce ssfulAuthe ntication( HttpServle tRequest r equest, Au thenticati onToken re sult) {
	298	// s et the req uest detai ls.
	299	if ( request != null) {
	300	setDet ails(reque st, result );
	301	}
	302	setA cegiSecure Context(re sult);
	303	}
	304
	305	/* *
	306	* Performs anonymous authentica tion
	307	* /
	308	pr ivate Auth entication doAnonymo usAuthenti cation(Str ing logica lID, TimeZ one curren tTimeZone) {
	309	Anon ymousAuthe nticationT oken token = new Ano nymousAuth entication Token(anon ymousKey,
	310	anonymou sUserAttri bute.getPa ssword(), anonymousU serAttribu te.getAuth orities()) ;
	311
	312	Auth entication result = authentica tionManage r.authenti cate(token );
	313	// m ake sure t here is a valid User Principal set on the result
	314	User PrincipalI mpl anonPr in = new U serPrincip alImpl((St ring) resu lt.getName (), (Strin g) result. getCredent ials());
	315	anon Prin.setAn onymous(tr ue);
	316	anon Prin.setLo gicalName( logicalID) ;
	317	anon Prin.setCu rrentTimeZ one(curren tTimeZone) ;
	318	Coll ection<Gra ntedAuthor ity> autho rities = ( Collection <GrantedAu thority>) result.get Authoritie s();
	319	/*
	320	* F IX if role s are need ed for (in t a = 0; a < authori ties.lengt h; a++)
	321	* { GrantedAu thority au thority = authoritie s[a];
	322	* a nonPrin.ad dUserRole( new
	323	* R olePrincip alImpl(aut hority.get Authority( ))); }
	324	*/
	325	resu lt = new A nonymousAu thenticati onToken(an onymousKey , anonPrin , result.g etAuthorit ies());
	326	setA cegiSecure Context(re sult);
	327	retu rn result;
	328	}
	329
	330	/* *
	331	* Logout us er by remo ving the A uthenticat ion inform ation from Context.
	332	* /
	333	pu blic void logout() {
	334	// s et the aut henticatio n Object t o null.
	335	org. springfram ework.secu rity.core. context.Se curityCont ext ctxt = SecurityC ontextHold er.getCont ext();
	336	if ( ctxt != nu ll) {
	337	ctxt.s etAuthenti cation(nul l);
	338	}
	339	}
	340
	341	/* *
	342	* Logout us er by remo ve the Aut henticatio n informat ion from C ontext as well
	343	* as remove the Acegi specific key from t he Session .
	344	*
	345	* @param re quest
	346	* /
	347	pu blic void logout(Htt pServletRe quest requ est) {
	348	// s et the aut henticatio n Object t o null.
	349	logo ut();
	350	Http Session ht tpSession = request. getSession (false);
	351	if ( httpSessio n != null) {
	352	// TOD O: Do we s till need to do this ? May have to remove the Sitem inder SSo supplied a ttribute?
	353	//if n eeded go t o cchtActi ons.xml an d add Http SessionCon textIntegr ationFilte r to filte r in myfil terChainPr oxy bean
	354	//http Session.re moveAttrib ute(HttpSe ssionConte xtIntegrat ionFilter. SPRING_SEC URITY_CONT EXT_KEY);
	355	}
	356	}
	357
	358	/* *
	359	* Set the S ecure Cont ext.
	360	*
	361	* @param au th
	362	* /
	363	pr ivate void setAcegiS ecureConte xt(Authent ication au th) {
	364	if ( SecurityCo ntextHolde r.getConte xt() == nu ll) {
	365	try {
	366	Security ContextHol der.setCon text(gener ateNewCont ext());
	367	} catc h (Excepti on e) {
	368	RuntimeE xception r e = new Il legalState Exception( "Unable to generateN ewContext" );
	369	re.initC ause(e);
	370	throw re ;
	371	}
	372	}
	373	org. springfram ework.secu rity.core. context.Se curityCont ext sc = ( org.spring framework. security.c ore.contex t.Security Context) S ecurityCon textHolder
	374	.getCont ext();
	375	sc.s etAuthenti cation(aut h);
	376	Secu rityContex tHolder.se tContext(s c);
	377	}
	378
	379	/* *
	380	* Provided so that su bclasses m ay configu re what is put into the
	381	* authentic ation requ est's deta ils proper ty. The de fault impl ementation
	382	* simply co nstructs { @link WebA uthenticat ionDetails }.
	383	*
	384	* @param re quest
	385	* that an authentica tion reque st is bein g created for
	386	* @param au thRequest
	387	* the auth entication request o bject that should ha ve its det ails
	388	* set
	389	* /
	390	pr otected vo id setDeta ils(HttpSe rvletReque st request , Authenti cationToke n authRequ est) {
	391	auth Request.se tDetails(n ew WebAuth entication Details(re quest));
	392	}
	393
	394	pr ivate org. springfram ework.secu rity.core. context.Se curityCont ext genera teNewConte xt() throw s Exceptio n {
	395	retu rn org.spr ingframewo rk.securit y.core.con text.Secur ityContext .class.new Instance() ;
	396	}
	397
	398	/*
	399	* (non-Java doc)
	400	*
	401	* @seegov.v a.med.fw.s ecurity.Lo ginManager #login(gov .va.med.fw .security.
	402	* UserCrede ntials, ja va.util.Ti meZone)
	403	* /
	404	pu blic void login(User Credential s userCred entail, Ti meZone cur rentTimeZo ne) throws LoginExce ption {
	405	if ( userCreden tail.isVer ified()) {
	406	initia lizeUser(u serCredent ail);
	407	} el se {
	408	login( null, user Credentail , currentT imeZone);
	409	}
	410	}
	411
	412	}