Authentication

To establish that the initiator of an action is known to the UserAdmin service, the initiator must be authenticated. To authenticate a user, you typically do something like:

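import org.osgi.service.useradmin.User;
import org.osgi.service.useradmin.UserAdmin;

private UserAdmin m_userAdmin;
// ...
// Look up the user by its "username" property.
User user = m_userAdmin.getUser("username", getUserName());
// Unknown user and wrong password fail the same way.
if (user == null || !user.hasCredential("password", getPassword())) {
  throw new InvalidUsernameOrPasswordException();
}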

Authorization

Only authorized users should be able to initiate privileged actions. Whether a user is authorized to do so depends on their membership in groups. The UserAdmin service aids in this by providing an Authorization facade that helps you determine whether or not users are authorized to initiate certain actions.

Note that UserAdmin only answers the question of whether a user is allowed to initiate a certain action. It does not actually prevent the user from doing so, the way, for example, the SecurityManager in Java does. This means that the common pattern used to authorize users with UserAdmin looks something like:

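import org.osgi.service.useradmin.Authorization;
import org.osgi.service.useradmin.User;
import org.osgi.service.useradmin.UserAdmin;

private UserAdmin m_userAdmin;
// ...
User user = m_userAdmin.getUser("username", getUserName());
// assume user is already authenticated...
Authorization auth = m_userAdmin.getAuthorization(user);
// UserAdmin only reports the answer; this code must refuse the action itself.
if (!auth.hasRole("admin")) {
  throw new InsufficientRightsException();
}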
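The two checks above combined into one guard, as an added example that is not part of the original page or the UserAdmin project. It goes one step beyond the page by comparing a salted PBKDF2 hash instead of the raw password. Assumptions: the class name AccessGuard, the "salt" property, the convention that the "password" credential holds the hash as a byte[], the iteration count, and the use of SecurityException in place of the page's exception types.

```java
import java.security.GeneralSecurityException;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import org.osgi.service.useradmin.Authorization;
import org.osgi.service.useradmin.User;
import org.osgi.service.useradmin.UserAdmin;

/** Added example: authenticate, then authorize, before a privileged action. */
public class AccessGuard {
    // Assumed conventions, not defined by UserAdmin: the "password" credential
    // holds a PBKDF2 hash (byte[]), the "salt" property holds its salt (byte[]).
    private static final int ITERATIONS = 210_000;
    private static final int KEY_BITS = 256;

    private final UserAdmin m_userAdmin;

    public AccessGuard(UserAdmin userAdmin) {
        m_userAdmin = userAdmin;
    }

    /** Returns the authenticated user, or throws if any check fails. */
    public User requireRole(String userName, char[] password, String role)
            throws GeneralSecurityException {
        User user = m_userAdmin.getUser("username", userName);
        Object salt = (user == null) ? null : user.getProperties().get("salt");
        // Unknown user, missing salt and wrong password all raise the same
        // exception with the same message.
        if (!(salt instanceof byte[])
                || !user.hasCredential("password", hash(password, (byte[]) salt))) {
            throw new SecurityException("Invalid username or password");
        }
        // UserAdmin only answers the question; refusing is up to this code.
        Authorization auth = m_userAdmin.getAuthorization(user);
        if (!auth.hasRole(role)) {
            throw new SecurityException("Insufficient rights");
        }
        return user;
    }

    private static byte[] hash(char[] password, byte[] salt)
            throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // drop the key spec's copy of the password
        }
    }
}
```

Every privileged entry point has to call the guard explicitly, since nothing in UserAdmin intercepts the action on its own.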