/*
* Title: blogUser
* Description: Manages authentication using the JCE and checks user/group rights for read/write access to journal.
* @author Nathan Binford
* @version 1.2
*/
package org.nb.blog;
import org.nb.Preferences;
import java.security.*;
import java.security.spec.*;
import javax.crypto.*;
import javax.crypto.spec.*;
import java.io.*;
import java.sql.*;
import org.xml.sax.SAXException;
import javax.xml.parsers.ParserConfigurationException;
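/**
 * Authenticates a user against the {@code users} table and answers read/write rights questions for
 * journal threads.
 *
 * <p>The stored credential is the user's password run through a legacy single-key DES transform (see
 * {@link #transformPassword(String, String)}); the key record is read from the file named by the
 * {@code KEY/KeyFile} preference. All database lookups use {@link PreparedStatement} placeholders so
 * that user-supplied values (user name, password, group, thread id) are never spliced into SQL text.
 */
public class blogUser
{
    /** User name supplied by the caller; used for the credential lookup and the owner/admin checks. */
    String user;
    /** Credential supplied by the caller; after {@link #authenticate()} it holds the DES-transformed value that was matched in the database. */
    String password;
    /** Group identifier read from the matching {@code users} row; {@code null} until authentication succeeds. */
    String group;
    /** Application settings: key file location, JDBC driver/connection strings, administrative user name. */
    Preferences pref;
    /** Set once {@link #authenticate()} has matched the credentials (spelling kept for source compatibility). */
    boolean authenicated = false;

    /**
     * Loads the preferences file and authenticates the supplied credentials.
     *
     * @param user     user name to authenticate
     * @param password password to authenticate
     * @param prefPath path of the preferences file handed to {@link Preferences}
     * @throws blogException if the preferences file cannot be loaded, the key file cannot be read,
     *                       the database cannot be reached, or the credentials are rejected
     */
    public blogUser(String user, String password, String prefPath) throws blogException
    {
        this.user = user;
        this.password = password;
        try
        {
            pref = new Preferences(prefPath);
        }
        catch (ParserConfigurationException e) { throw new blogException("Cannot load preferences file. Message: " + e.getMessage()); }
        catch (SAXException e) { throw new blogException("Cannot load preferences file. Message: " + e.getMessage()); }
        catch (IOException e) { throw new blogException("Cannot load preferences file. Message: " + e.getMessage()); }
        authenticate();
    }

    /**
     * Transforms the supplied password with the key record and looks the pair up in the {@code users}
     * table; on success records the user's group and sets {@link #authenicated}.
     *
     * @throws blogException with a category-specific message on key file, cipher, driver, database or
     *                       credential failure
     */
    private void authenticate() throws blogException
    {
        Connection conn = null;
        PreparedStatement stmt = null;
        ResultSet rs = null;
        try
        {
            password = transformPassword(pref.getPreference("KEY", "KeyFile"), password);
            conn = openConnection();
            // Placeholders keep the caller-controlled user name and password out of the SQL text.
            stmt = conn.prepareStatement("SELECT groupID FROM users WHERE user = ? AND password = ?");
            stmt.setString(1, user);
            stmt.setString(2, password);
            rs = stmt.executeQuery();
            if (!rs.next())
            {
                throw new blogException("Authentication Failure. Invalid user name or password.");
            }
            group = rs.getString("groupID");
            authenicated = true;
        }
        catch (IllegalBlockSizeException e) { throw new blogException("Encryption Failure. Private Key Invalid."); }
        catch (BadPaddingException e) { throw new blogException("Encryption Failure. Private Key Invalid."); }
        catch (NoSuchPaddingException e) { throw new blogException("Encryption Failure. Private Key Invalid."); }
        catch (InvalidKeyException e) { throw new blogException("Encryption Failure. Private Key Invalid."); }
        catch (NoSuchAlgorithmException e) { throw new blogException("Encryption Failure. DES Algorithm Not Available."); }
        catch (FileNotFoundException e) { throw new blogException("File Access Failure. Cannot locate key file specified."); }
        catch (IOException e) { throw new blogException("File Access Failure: " + e.getMessage()); }
        catch (ClassNotFoundException e) { throw new blogException("Invalid Preference File Setting: JDBC Class. Message: " + e.getMessage()); }
        catch (SQLException e) { throw new blogException("Database Error. Message: " + e.getMessage()); }
        finally
        {
            // Released on every path, including the authentication-failure throw above.
            closeQuietly(rs, stmt, conn);
        }
    }

    /**
     * Applies the legacy DES transform to {@code plain} using the first line of {@code keyFile} as the
     * key record. An empty key file leaves the value unchanged, as the original lookup did.
     *
     * <p>The ciphertext is re-read as a {@code String} in the platform charset exactly as the rows in the
     * {@code users} table were written; that conversion is lossy and platform dependent and is kept only
     * for compatibility with existing rows. Deterministic single-key DES is not a password hash, so
     * migrating stored credentials to a salted, slow password hash (bcrypt/scrypt/argon2) is the real fix.
     *
     * @param keyFile path of the key record file
     * @param plain   password as supplied by the caller
     * @return the transformed value to compare against the stored credential
     * @throws IOException if the key file cannot be opened or read
     * @throws NoSuchAlgorithmException if no DES implementation is installed
     * @throws NoSuchPaddingException if the default DES padding is unavailable
     * @throws InvalidKeyException if the key record is not a usable DES key
     * @throws IllegalBlockSizeException if the cipher rejects the input length
     * @throws BadPaddingException if the cipher reports a padding error
     */
    private static String transformPassword(String keyFile, String plain)
        throws IOException, NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeyException,
               IllegalBlockSizeException, BadPaddingException
    {
        String keyStr;
        BufferedReader r = new BufferedReader(new FileReader(keyFile));
        try
        {
            keyStr = r.readLine();
        }
        finally
        {
            r.close();
        }
        if (keyStr == null)
        {
            return plain;
        }
        // The JDK registers SunJCE by default, so no explicit provider registration is needed.
        SecretKey key = new SecretKeySpec(keyStr.getBytes(), "DES");
        Cipher cip = Cipher.getInstance("DES");
        cip.init(Cipher.ENCRYPT_MODE, key);
        return new String(cip.doFinal(plain.getBytes()));
    }

    /**
     * Loads the configured JDBC driver and opens a connection with the configured connection string.
     *
     * @return an open connection the caller must close
     * @throws ClassNotFoundException if the {@code DB/ClassString} preference names an unknown class
     * @throws SQLException if the connection cannot be established
     */
    private Connection openConnection() throws ClassNotFoundException, SQLException
    {
        Class.forName(pref.getPreference("DB", "ClassString"));
        return DriverManager.getConnection(pref.getPreference("DB", "ConnectionString"));
    }

    /**
     * Closes the given JDBC objects in reverse acquisition order, tolerating {@code null}s. Close errors
     * are deliberately dropped: this runs from {@code finally} blocks where they would only mask the
     * result or exception already in flight.
     */
    private static void closeQuietly(ResultSet rs, Statement stmt, Connection conn)
    {
        if (rs != null)
        {
            try { rs.close(); } catch (SQLException ignored) { /* cleanup only */ }
        }
        if (stmt != null)
        {
            try { stmt.close(); } catch (SQLException ignored) { /* cleanup only */ }
        }
        if (conn != null)
        {
            try { conn.close(); } catch (SQLException ignored) { /* cleanup only */ }
        }
    }

    /**
     * Determines this user's rights on the given thread.
     *
     * <p>The thread must exist; the administrative user (preference {@code USERS/AdministrativeUser}) and
     * the thread's owner get {@code "read,write"}; otherwise the rights granted to the user's group in
     * {@code threadPrivs} are returned, or {@code ""} when the group has no entry for the thread.
     *
     * @param threadID identifier of the thread to check
     * @return {@code "read,write"}, the group's rights string, or {@code ""} when no rights are granted
     * @throws blogException if the thread does not exist, the JDBC driver cannot be loaded, or a database error occurs
     */
    public String checkRights(int threadID) throws blogException
    {
        Connection conn = null;
        try
        {
            conn = openConnection();
            // Existence is checked first so a missing thread is reported even for the administrator.
            String owner = lookupOwner(conn, threadID);
            if (user.equals(pref.getPreference("USERS", "AdministrativeUser")))
            {
                return "read,write";
            }
            // user.equals(owner) rather than owner.equals(user): a NULL owner column must not NPE.
            if (user.equals(owner))
            {
                return "read,write";
            }
            return lookupGroupRights(conn, threadID);
        }
        catch (ClassNotFoundException e) { throw new blogException("Invalid Preference File Setting: JDBC Class. Message: " + e.getMessage()); }
        catch (SQLException e) { throw new blogException("Database error. Message: " + e.getMessage()); }
        finally
        {
            // Released on every path, including the early "read,write" returns.
            closeQuietly(null, null, conn);
        }
    }

    /**
     * Reads the owner of the given thread.
     *
     * @return the {@code owner} column of the thread row (may be {@code null} if the column is NULL)
     * @throws blogException if no row exists for {@code threadID}
     * @throws SQLException on database error
     */
    private static String lookupOwner(Connection conn, int threadID) throws SQLException, blogException
    {
        PreparedStatement stmt = null;
        ResultSet rs = null;
        try
        {
            stmt = conn.prepareStatement("SELECT owner FROM threads WHERE threadID = ?");
            stmt.setInt(1, threadID);
            rs = stmt.executeQuery();
            if (!rs.next())
            {
                throw new blogException("Database Access Failure. Thread Does Not Exist.");
            }
            return rs.getString("owner");
        }
        finally
        {
            closeQuietly(rs, stmt, null);
        }
    }

    /**
     * Reads the rights granted to this user's group on the given thread.
     *
     * @return the {@code rights} column of the matching {@code threadPrivs} row, or {@code ""} if none
     * @throws SQLException on database error
     */
    private String lookupGroupRights(Connection conn, int threadID) throws SQLException
    {
        PreparedStatement stmt = null;
        ResultSet rs = null;
        try
        {
            stmt = conn.prepareStatement("SELECT rights FROM threadPrivs WHERE threadID = ? AND groupID = ?");
            stmt.setInt(1, threadID);
            stmt.setString(2, group);
            rs = stmt.executeQuery();
            if (rs.next())
            {
                return rs.getString("rights");
            }
            return "";
        }
        finally
        {
            closeQuietly(rs, stmt, null);
        }
    }

    /** Returns the user name this object was constructed with. */
    public String getUser() { return user; }

    /** Returns the group identifier loaded at authentication ({@code null} if authentication did not complete). */
    public String getGroup() { return group; }
}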