View Javadoc
1   /**
2    * This Source Code Form is subject to the terms of the Mozilla Public
3    * License, v. 2.0. If a copy of the MPL was not distributed with this
4    * file, You can obtain one at http://mozilla.org/MPL/2.0/.
5    *
6    * If it is not possible or desirable to put the notice in a particular
7    * file, then You may include the notice in a location (such as a LICENSE
8    * file in a relevant directory) where a recipient would be likely to look
9    * for such a notice.
10   *
11   * 
12   */
13  /*  ---------------------------------------------------------------------------
14   *  U.S. Government, Department of the Army
15   *  Army Materiel Command
16   *  Research Development Engineering Command
17   *  Communications Electronics Research Development and Engineering Center
18   *  ---------------------------------------------------------------------------
19   */
20  package org.miloss.fgsms.common;
21  
22  import java.sql.Connection;
23  import java.sql.PreparedStatement;
24  import java.sql.ResultSet;
25  import javax.servlet.http.HttpServletRequest;
26  import javax.xml.ws.WebServiceContext;
27  import javax.xml.ws.handler.MessageContext;
28  import org.apache.log4j.Level;
29  
30  import org.miloss.fgsms.services.interfaces.common.SecurityWrapper;
31  
32  /**
33   * Performs all access control functions of fgsms based on ACLs and Roles.
34   * Function of this class is critical has is it the sole location for access
35   * control processing
36   *
37   * @author AO
38   */
39  public class UserIdentityUtil {
40  
41      public static final String logname = "fgsms.UserIdentityUtil";
42      static final Logger log = Logger.getLogger(logname);
43  
44      /**
45       * assertReadAccess , checks the servlet context first, then the database
46       *
47       * @param uri
48       * @param currentUser
49       * @param fromFunction
50       * @param classification
51       */
52      public static void assertReadAccess(final String uri, final String currentUser, final String fromFunction, final SecurityWrapper classification, final WebServiceContext session) {
53          try {
54              if (session != null) {
55                  {
56                      if (session.isUserInRole(Constants.ROLES_GLOBAL_ADMINISTRATOR)) {
57                          return;
58                      }
59                      if (session.isUserInRole(Constants.ROLES_GLOBAL_WRITE)) {
60                          return;
61                      }
62                      if (session.isUserInRole(Constants.ROLES_GLOBAL_READ)) {
63                          return;
64                      }
65                      if (session.isUserInRole(Constants.ROLES_GLOBAL_AUDITOR)) {
66                          return;
67                      }
68                  }
69              }
70          } catch (Exception ex) {
71              log.log(Level.DEBUG, "error type casting servlet request context", ex);
72          }
73  
74          Connection con = Utility.getConfigurationDBConnection();
75          PreparedStatement comm = null;
76          ResultSet r = null;
77          try {
78  
79              comm = con.prepareStatement("Select count(*)"
80                      + "where  ? in ("
81                      + "	Select Username"
82                      + "	from UserPermissions"
83                      + "	Where (UserPermissions.Username=? AND"
84                      + "	UserPermissions.ObjectURI=?)"
85                      + "	AND"
86                      + "	((UserPermissions.ReadObject=true OR "
87                      + "	UserPermissions.WriteObject=true OR"
88                      + "	UserPermissions.AdministerObject=true OR"
89                      + "	UserPermissions.AuditObject=true))"
90                      + "	)"
91                      + "or 'everyone' in ("
92                      + "	Select Username"
93                      + "	from UserPermissions"
94                      + "	Where (UserPermissions.Username='everyone' AND"
95                      + "	UserPermissions.ObjectURI=?)"
96                      + "	AND"
97                      + "	((UserPermissions.ReadObject=true OR "
98                      + "	UserPermissions.WriteObject=true OR"
99                      + "	UserPermissions.AdministerObject=true OR"
100                     + "	UserPermissions.AuditObject=true))"
101                     + "	)"
102                     + "or ?  in ("
103                     + "	select Users.Username"
104                     + "	from Users"
105                     + "	Where Users.Username=?"
106                     + "	AND Users.rolecol='admin');");
107             comm.setString(1, currentUser);
108             comm.setString(2, currentUser);
109             comm.setString(3, uri);
110             comm.setString(4, uri);
111             comm.setString(5, currentUser);
112             comm.setString(6, currentUser);
113             r = comm.executeQuery();
114             r.next();
115             int right = 0;
116             right = r.getInt(1);
117             DBUtils.safeClose(r);
118             DBUtils.safeClose(comm);
119             DBUtils.safeClose(con);
120             if (right == 0) {
121                 log.log(Level.ERROR, currentUser + " does not have fgsms read rights for " + uri + " from " + fromFunction);
122                 AuditLogger.logItem(UserIdentityUtil.class.getCanonicalName(), fromFunction, currentUser, "read deny", classification, null);
123                 throw new SecurityException("Access Denied");
124             }
125         } // end assertReadAccess
126         catch (Exception ex) {
127             if (ex instanceof SecurityException) {
128                 throw (SecurityException) ex;
129             }
130             log.log(Level.ERROR, "Error caught querying database for " + currentUser + ":fgsms read rights for " + uri + " from " + fromFunction, ex);
131             throw new SecurityException("Access Denied");
132         } finally {
133             DBUtils.safeClose(r);
134             DBUtils.safeClose(comm);
135             DBUtils.safeClose(con);
136         }
137 
138     } // end assertReadAccess
139 
140     /**
141      * assertWriteAccess throws an exception if the role is not present , checks
142      * the servlet context first, then the database
143      *
144      * @param uri
145      * @param currentUser
146      * @param fromFunction
147      * @param classification
148      */
149     public static void assertWriteAccess(final String uri, final String currentUser, final String fromFunction, final SecurityWrapper classification, final WebServiceContext session) {
150         try {
151             if (session != null) {
152                 if (session.isUserInRole(Constants.ROLES_GLOBAL_ADMINISTRATOR)) {
153                     return;
154                 }
155                 if (session.isUserInRole(Constants.ROLES_GLOBAL_WRITE)) {
156                     return;
157                 }
158                 if (session.isUserInRole(Constants.ROLES_GLOBAL_AUDITOR)) {
159                     return;
160                 }
161             }
162         } catch (Exception ex) {
163             log.log(Level.DEBUG, "error type casting servlet request context", ex);
164         }
165 
166         Connection con = Utility.getConfigurationDBConnection();
167         PreparedStatement comm = null;
168         ResultSet r = null;
169         try {
170 
171             comm = con.prepareStatement("Select count(*)"
172                     + "where  ? in ("
173                     + "	Select Username"
174                     + "	from UserPermissions"
175                     + "	Where (UserPermissions.Username=? AND"
176                     + "	UserPermissions.ObjectURI=?)"
177                     + "	AND"
178                     + "	((UserPermissions.WriteObject=true OR"
179                     + "	UserPermissions.AdministerObject=true OR"
180                     + "	UserPermissions.AuditObject=true))"
181                     + "	)"
182                     + " or 'everyone' in ("
183                     + "	Select Username"
184                     + "	from UserPermissions"
185                     + "	Where (UserPermissions.Username='everyone' AND"
186                     + "	UserPermissions.ObjectURI=?)"
187                     + "	AND"
188                     + "	((UserPermissions.WriteObject=true OR"
189                     + "	UserPermissions.AdministerObject=true OR"
190                     + "	UserPermissions.AuditObject=true))"
191                     + "	)"
192                     + "or ?  in ("
193                     + "	select Users.Username"
194                     + "	from Users"
195                     + "	Where Users.Username=?"
196                     + "	AND Users.rolecol='admin');");
197             comm.setString(1, currentUser);
198             comm.setString(2, currentUser);
199             comm.setString(3, uri);
200             comm.setString(4, uri);
201             comm.setString(5, currentUser);
202             comm.setString(6, currentUser);
203             r = comm.executeQuery();
204             r.next();
205             int right = 0;
206             right = r.getInt(1);
207             DBUtils.safeClose(r);
208             DBUtils.safeClose(comm);
209             DBUtils.safeClose(con);
210             if (right == 0) {
211                 log.log(Level.ERROR, currentUser + " does not have fgsms write rights for " + uri + " from " + fromFunction);
212                 AuditLogger.logItem(UserIdentityUtil.class.getCanonicalName(), fromFunction, currentUser, "write deny", classification, null);
213                 throw new SecurityException("Access Denied");
214             }
215 
216         } // end assertReadAccess
217         catch (Exception ex) {
218             if (ex instanceof SecurityException) {
219                 throw (SecurityException) ex;
220             }
221             log.log(Level.ERROR, "Error caught querying database for " + currentUser + ":fgsms write rights for " + uri + " from " + fromFunction, ex);
222             throw new SecurityException("Access Denied");
223         } finally {
224             DBUtils.safeClose(r);
225             DBUtils.safeClose(comm);
226             DBUtils.safeClose(con);
227         }
228 
229     } // end assertWriteAccess
230 
231     /**
232      * assertAuditAccess throws a security exception if the user does not
233      * contain the role audit for a specific URI or the global audit role ,
234      * checks the servlet context first, then the database
235      *
236      * @param uri
237      * @param currentUser
238      * @param fromFunction
239      * @param classification
240      */
241     public static void assertAuditAccess(final String uri, final String currentUser, final String fromFunction, final SecurityWrapper classification, final WebServiceContext session) {
242         try {
243             if (session.isUserInRole(Constants.ROLES_GLOBAL_AUDITOR)) {
244                 return;
245             }
246             if (session.isUserInRole(Constants.ROLES_GLOBAL_ADMINISTRATOR)) {
247                 return;
248             }
249         } catch (Exception ex) {
250             log.log(Level.DEBUG, "error type casting servlet request context", ex);
251         }
252 
253         Connection con = Utility.getConfigurationDBConnection();
254         PreparedStatement comm = null;
255         ResultSet r = null;
256         try {
257 
258             comm = con.prepareStatement(
259                     "Select count(*)"
260                     + "where ?  in ("
261                     + "	Select Username"
262                     + "	from UserPermissions"
263                     + "	Where (UserPermissions.Username=? AND"
264                     + "	UserPermissions.ObjectURI=?)"
265                     + "	AND"
266                     + "	((UserPermissions.AdministerObject=true OR"
267                     + "	UserPermissions.AuditObject=true))"
268                     + "	)"
269                     + "or 'everyone'  in ("
270                     + "	Select Username"
271                     + "	from UserPermissions"
272                     + "	Where (UserPermissions.Username='everyone' AND"
273                     + "	UserPermissions.ObjectURI=?)"
274                     + "	AND"
275                     + "	((UserPermissions.AdministerObject=true OR"
276                     + "	UserPermissions.AuditObject=true))"
277                     + "	)"
278                     + "or ?  in ("
279                     + "	select Users.Username"
280                     + "	from Users"
281                     + "	Where Users.Username=?"
282                     + "	AND (Users.rolecol='admin' OR Users.rolecol='audit'));");
283             comm.setString(1, currentUser);
284             comm.setString(2, currentUser);
285             comm.setString(3, uri);
286             comm.setString(4, uri);
287             comm.setString(5, currentUser);
288             comm.setString(6, currentUser);
289             r = comm.executeQuery();
290             r.next();
291             int right = 0;
292             right = r.getInt(1);
293             DBUtils.safeClose(r);
294             DBUtils.safeClose(comm);
295             DBUtils.safeClose(con);
296             if (right == 0) {
297                 AuditLogger.logItem(UserIdentityUtil.class.getCanonicalName(), fromFunction, currentUser, "audit deny", classification, null);
298                 log.log(Level.ERROR, currentUser + " does not have fgsms audit rights for " + uri + " from " + fromFunction);
299                 throw new SecurityException("Access Denied");
300             }
301 
302         } // end assertReadAccess
303         catch (Exception ex) {
304             if (ex instanceof SecurityException) {
305                 throw (SecurityException) ex;
306             }
307             log.log(Level.ERROR, "Error caught querying database for " + currentUser + ":fgsms audit rights for " + uri + " from " + fromFunction, ex);
308             throw new SecurityException("Access Denied");
309         } finally {
310             DBUtils.safeClose(r);
311             DBUtils.safeClose(comm);
312             DBUtils.safeClose(con);
313         }
314 
315     } // end assertAuditAccess
316 
317     /**
318      * throws a security exception of the user does not have the role administer
319      * for a specific uri or global administrator, checks the servlet context
320      * first, then the database
321      *
322      * @param uri
323      * @param currentUser
324      * @param fromFunction
325      * @param classification
326      */
327     public static void assertAdministerAccess(final String uri, final String currentUser, final String fromFunction, final SecurityWrapper classification, final WebServiceContext session) {
328         try {
329             if (session != null) {
330                 if (session.isUserInRole(Constants.ROLES_GLOBAL_ADMINISTRATOR)) {
331                     return;
332                 }
333             }
334         } catch (Exception ex) {
335             log.log(Level.DEBUG, "error type casting servlet request context", ex);
336         }
337         Connection con = Utility.getConfigurationDBConnection();
338         PreparedStatement comm = null;
339         ResultSet r = null;
340         try {
341 
342             comm = con.prepareStatement("Select count(*)"
343                     + "where  ? in ("
344                     + "	Select Username"
345                     + "	from UserPermissions"
346                     + "	Where (UserPermissions.Username=? AND"
347                     + "	UserPermissions.ObjectURI=?)"
348                     + "	AND"
349                     + "	((UserPermissions.AdministerObject=true))"
350                     + "	)"
351                     + "or ?  in ("
352                     + "	select Users.Username"
353                     + "	from Users"
354                     + "	Where Users.Username=?"
355                     + "	AND Users.rolecol='admin');");
356             comm.setString(1, currentUser);
357             comm.setString(2, currentUser);
358             comm.setString(3, uri);
359             comm.setString(4, currentUser);
360             comm.setString(5, currentUser);
361             r = comm.executeQuery();
362             r.next();
363             int right = 0;
364             right = r.getInt(1);
365             DBUtils.safeClose(r);
366             DBUtils.safeClose(comm);
367             DBUtils.safeClose(con);
368             if (right == 0) {
369                 log.log(Level.ERROR, currentUser + " does not have fgsms administer rights for " + uri + " from " + fromFunction);
370                 AuditLogger.logItem(UserIdentityUtil.class.getCanonicalName(), fromFunction, currentUser, "admin deny", classification, null);
371                 throw new SecurityException("Access Denied");
372             }
373 
374         } // end assertReadAccess
375         catch (Exception ex) {
376             if (ex instanceof SecurityException) {
377                 throw (SecurityException) ex;
378             }
379             log.log(Level.ERROR, "Error caught querying database for " + currentUser + ":fgsms administer rights for " + uri + " from " + fromFunction + "Msg: " + ex.getLocalizedMessage());
380             throw new SecurityException("Access Denied");
381         } finally {
382             DBUtils.safeClose(r);
383             DBUtils.safeClose(comm);
384             DBUtils.safeClose(con);
385         }
386 
387     } // end assertAdministerAccess
388 
389     /**
390      * Assert global admin role, throws an exception if the role is not present,
391      * checks the servlet context first, then the database
392      *
393      * @param currentUser
394      * @param fromFunction
395      * @param classification
396      * @param session
397      */
398     public static void assertGlobalAdministratorRole(final String currentUser, final String fromFunction, final SecurityWrapper classification, final WebServiceContext session) {
399         if (Utility.stringIsNullOrEmpty(currentUser)) {
400             throw new SecurityException("Access Denied");
401         }
402         try {
403             if (session != null) {
404                 if (session.isUserInRole(Constants.ROLES_GLOBAL_ADMINISTRATOR)) {
405                     return;
406                 }
407             }
408         } catch (Exception ex) {
409             log.log(Level.DEBUG, "error type casting servlet request context", ex);
410         }
411 
412         Connection con = Utility.getConfigurationDBConnection();
413         PreparedStatement comm = null;
414         ResultSet r = null;
415         try {
416 
417             comm = con.prepareStatement("Select rolecol from Users where Username=?;");
418             comm.setString(1, currentUser);
419             r = comm.executeQuery();
420             while (r.next()) {
421                 String s = r.getString(1);
422                 if (!Utility.stringIsNullOrEmpty(s)) {
423                     if (s.equalsIgnoreCase("admin")) {
424                         DBUtils.safeClose(r);
425                         DBUtils.safeClose(comm);
426                         DBUtils.safeClose(con);
427                         return;
428                     }
429                 }
430             }
431 
432         } // end assertGlobalAdministratorRole
433         catch (Exception ex) {
434             log.log(Level.ERROR, "Error caught determining if " + currentUser + " has fgsms global admin rights. " + fromFunction, ex);
435             throw new SecurityException("Access Denied");
436         } finally {
437             DBUtils.safeClose(r);
438             DBUtils.safeClose(comm);
439             DBUtils.safeClose(con);
440         }
441         log.log(Level.ERROR, currentUser + " does not have fgsms Global Admin rights." + fromFunction);
442         AuditLogger.logItem(UserIdentityUtil.class.getCanonicalName(), fromFunction, currentUser, "global admin deny", classification, null);
443         throw new SecurityException("Access Denied");
444     } // end assertGlobalAdministratorRole
445 
446     /**
447      * return true if the user has the global admin role, , checks the servlet
448      * context first, then the database
449      *
450      * @param currentUser
451      * @param fromFunction
452      * @param classification
453      * @param session
454      * @return
455      */
456     public static boolean hasGlobalAdministratorRole(final String currentUser, final String fromFunction, final SecurityWrapper classification, final WebServiceContext session) {
457         try {
458             if (session != null) {
459                 if (session.isUserInRole(Constants.ROLES_GLOBAL_ADMINISTRATOR)) {
460                     return true;
461                 }
462             }
463         } catch (Exception ex) {
464             log.log(Level.DEBUG, "error type casting servlet request context", ex);
465         }
466         Connection con = Utility.getConfigurationDBConnection();
467         PreparedStatement comm = null;
468         ResultSet r = null;
469         try {
470             comm = con.prepareStatement("Select rolecol from Users where Username=?;");
471             comm.setString(1, currentUser);
472             r = comm.executeQuery();
473             while (r.next()) {
474                 String s = null;
475                 s = r.getString("rolecol");
476                 if (Utility.stringIsNullOrEmpty(s)) {
477                     DBUtils.safeClose(r);
478                     DBUtils.safeClose(comm);
479                     DBUtils.safeClose(con);
480                     return false;
481                 }
482                 if (s.equalsIgnoreCase("admin")) {
483                     DBUtils.safeClose(r);
484                     DBUtils.safeClose(comm);
485                     DBUtils.safeClose(con);
486                     return true;
487                 }
488             }
489         } // end assertGlobalAdministratorRole
490         catch (Exception ex) {
491             log.log(Level.ERROR, "Error caught determining if " + currentUser + " has fgsms global admin rights. Assuming the answer is no." + fromFunction, ex);
492         } finally {
493             DBUtils.safeClose(r);
494             DBUtils.safeClose(comm);
495             DBUtils.safeClose(con);
496         }
497 
498         return false;
499     } // end hasGlobalAdministratorRole
500 
501     /**
502      * Current only works for HTTP auth methods, unknown if SOAP credentials
503      * will be available here
504      *
505      * @param webctx
506      * @return
507      */
508     public static String getFirstIdentityToString(final WebServiceContext webctx) {
509 
510         if (webctx == null) {
511             return "anonymous";
512         }
513         if (webctx.getUserPrincipal() != null && !Utility.stringIsNullOrEmpty(webctx.getUserPrincipal().getName())) {
514             return webctx.getUserPrincipal().getName();
515         }
516 
517         MessageContext mc = webctx.getMessageContext();
518         try {//org.apache.cxf.configuration.security.AuthorizationPolicy
519             //MessageContext mc = ctx.getMessageContext();
520             if (mc == null) {
521                 return "anonymous";
522             }
523             //hack for CXF stacks
524             Object cxfAuthz = mc.get("org.apache.cxf.configuration.security.AuthorizationPolicy");
525             if (cxfAuthz != null) {
526                 String user = CXFUserIdentifyUtil.getFirstIdentityToString(cxfAuthz);
527                 if (!Utility.stringIsNullOrEmpty(user)) {
528                     return user;
529                 }
530             }
531             HttpServletRequest session = ((HttpServletRequest) mc.get(MessageContext.SERVLET_REQUEST));
532             if (session == null || session.getUserPrincipal() == null) {
533                 return "anonymous";
534             } else {
535                 if (Utility.stringIsNullOrEmpty(session.getAuthType())) {
536                     return "anonymous";
537                 }
538                 if (!Utility.stringIsNullOrEmpty(session.getUserPrincipal().getName())) {
539                     return session.getUserPrincipal().getName();
540                 }
541 
542             }
543         } catch (Exception ex) {
544             log.log(Level.ERROR,
545                     "Error caught determining the current user identity. Assuming anonymous.", ex);
546         }
547 
548         return "anonymous";
549 
550     }
551 
552     /**
553      * Assert Agent Role, throws a security exception if the user does not have
554      * the agent role, checks the servlet context first, then the database
555      *
556      * @param currentUser
557      * @param fromFunction
558      * @param currentLevel
559      * @param mc
560      */
561     public static void assertAgentRole(final String currentUser, final String fromFunction, final SecurityWrapper currentLevel, final WebServiceContext session) {
562         try {
563             if (session != null) {
564                 if (session.isUserInRole(Constants.ROLES_GLOBAL_AGENT)) {
565                     return;
566                 }
567             }
568         } catch (Exception ex) {
569             log.log(Level.DEBUG, "error type casting servlet request context", ex);
570         }
571 
572         Connection con = Utility.getConfigurationDBConnection();
573         PreparedStatement comm = null;
574         ResultSet r = null;
575         try {
576 
577             comm = con.prepareStatement("Select rolecol from Users where Username=?;");
578             comm.setString(1, currentUser);
579             r = comm.executeQuery();
580             if (r.next()) {
581                 String s = null;
582                 s = r.getString(1);
583                 if (!Utility.stringIsNullOrEmpty(s) && s.equalsIgnoreCase("agent")) {
584                     //remnoved 1-7-2012 not sure why this was here || r.getString(1).equalsIgnoreCase("admin")) {
585                     DBUtils.safeClose(r);
586                     DBUtils.safeClose(comm);
587                     DBUtils.safeClose(con);
588                     return;
589                 }
590             }
591 
592         } // end assertGlobalAdministratorRole
593         catch (Exception ex) {
594             log.log(Level.ERROR, "Error caught determining if " + currentUser + " has fgsms agent rights. " + fromFunction, ex);
595             throw new SecurityException("Access Denied");
596         } finally {
597             DBUtils.safeClose(r);
598             DBUtils.safeClose(comm);
599             DBUtils.safeClose(con);
600         }
601 
602         log.log(Level.ERROR, currentUser + " does not have fgsms agent rights." + fromFunction);
603         AuditLogger.logItem(UserIdentityUtil.class.getCanonicalName(), fromFunction, currentUser, "agent deny", currentLevel, null);
604 
605         throw new SecurityException("Access Denied");
606 
607     }
608 
609     /**
610      * return true if the current user is an agent, checks the servlet context
611      * first, then the database
612      *
613      * @param currentUser
614      * @param fromFunction
615      * @param classification
616      * @param session
617      * @return
618      */
619     public static boolean isTrustedAgent(final String currentUser, final String fromFunction, final SecurityWrapper classification, final WebServiceContext session) {
620         try {
621             if (session != null) {
622                 if (session.isUserInRole(Constants.ROLES_GLOBAL_AGENT)) {
623                     return true;
624                 }
625             }
626         } catch (Exception ex) {
627             log.log(Level.DEBUG, "error type casting servlet request context", ex);
628         }
629         Connection con = Utility.getConfigurationDBConnection();
630         PreparedStatement comm = null;
631         ResultSet r = null;
632         try {
633             comm = con.prepareStatement("Select rolecol from Users where Username=?;");
634             comm.setString(1, currentUser);
635             r = comm.executeQuery();
636             if (r.next()) {
637                 String s = r.getString(1);
638                 if (!Utility.stringIsNullOrEmpty(s) && s.equalsIgnoreCase("agent")) {
639                     DBUtils.safeClose(r);
640                     DBUtils.safeClose(comm);
641                     DBUtils.safeClose(con);
642                     return true;
643                 }
644             }
645         } // end assertGlobalAdministratorRole
646         catch (Exception ex) {
647             log.log(Level.ERROR, "Error caught determining if " + currentUser + " has fgsms agent rights. " + fromFunction, ex);
648         } finally {
649             DBUtils.safeClose(r);
650             DBUtils.safeClose(comm);
651             DBUtils.safeClose(con);
652         }
653 
654         return false;
655 
656     }
657 
658     /**
659      * throws an exception if the user is a global admin or an agent , checks
660      * the servlet context first, then the database
661      *
662      * @param currentUser
663      * @param fromFunction
664      * @param currentLevel
665      * @param mc
666      */
667     public static void assertAdminOrAgentRole(final String currentUser, final String fromFunction, final SecurityWrapper currentLevel, final WebServiceContext mc) {
668         try {
669             if (mc != null) {
670                 if (mc.isUserInRole(Constants.ROLES_GLOBAL_AGENT)) {
671                     return;
672                 }
673                 if (mc.isUserInRole(Constants.ROLES_GLOBAL_ADMINISTRATOR)) {
674                     return;
675                 }
676 
677             }
678         } catch (Exception ex) {
679             log.log(Level.DEBUG, "error type casting servlet request context", ex);
680         }
681         Connection con = Utility.getConfigurationDBConnection();
682         PreparedStatement comm = null;
683         ResultSet r = null;
684         try {
685 
686             comm = con.prepareStatement("Select rolecol from Users where Username=?;");
687             comm.setString(1, currentUser);
688             r = comm.executeQuery();
689             if (r.next()) {
690                 String s = r.getString(1);
691                 if (!Utility.stringIsNullOrEmpty(s) && (s.equalsIgnoreCase("agent") || s.equalsIgnoreCase("admin"))) {
692                     DBUtils.safeClose(r);
693                     DBUtils.safeClose(comm);
694                     DBUtils.safeClose(con);
695                     return;
696                 }
697             }
698 
699         } // end assertGlobalAdministratorRole
700         catch (Exception ex) {
701             log.log(Level.ERROR, "Error caught determining if " + currentUser + " has fgsms agent or admin rights. " + fromFunction, ex);
702             throw new SecurityException("Access Denied");
703         } finally {
704             DBUtils.safeClose(r);
705             DBUtils.safeClose(comm);
706             DBUtils.safeClose(con);
707         }
708 
709         log.log(Level.ERROR, currentUser + " does not have fgsms agent or admin rights." + fromFunction);
710         AuditLogger.logItem(UserIdentityUtil.class.getCanonicalName(), fromFunction, currentUser, "agent deny", currentLevel, null);
711 
712         throw new SecurityException("Access Denied");
713 
714     }
715 
716     public static void assertAuditRole(final String currentUser, final String fromFunction, final SecurityWrapper classification, final WebServiceContext session) {
717         if (Utility.stringIsNullOrEmpty(currentUser)) {
718             throw new SecurityException("Access Denied");
719         }
720         try {
721             if (session != null) {
722                 if (session.isUserInRole(Constants.ROLES_GLOBAL_AUDITOR)) {
723                     return;
724                 }
725                 if (session.isUserInRole(Constants.ROLES_GLOBAL_ADMINISTRATOR)) {
726                     return;
727                 }
728             }
729         } catch (Exception ex) {
730             log.log(Level.DEBUG, "error type casting servlet request context", ex);
731         }
732 
733         Connection con = Utility.getConfigurationDBConnection();
734         PreparedStatement comm = null;
735         ResultSet r = null;
736         try {
737 
738             comm = con.prepareStatement("Select rolecol from Users where Username=?;");
739             comm.setString(1, currentUser);
740             r = comm.executeQuery();
741             while (r.next()) {
742                 String s = r.getString(1);
743                 if (!Utility.stringIsNullOrEmpty(s)) {
744                     if (s.equalsIgnoreCase("audit") || s.equalsIgnoreCase("admin")) {
745                         DBUtils.safeClose(r);
746                         DBUtils.safeClose(comm);
747                         DBUtils.safeClose(con);
748                         return;
749                     }
750                 }
751             }
752 
753         } // end assertGlobalAdministratorRole
754         catch (Exception ex) {
755             log.log(Level.ERROR, "Error caught determining if " + currentUser + " has fgsms global audit rights. " + fromFunction, ex);
756             throw new SecurityException("Access Denied");
757         } finally {
758             DBUtils.safeClose(r);
759             DBUtils.safeClose(comm);
760             DBUtils.safeClose(con);
761         }
762         log.log(Level.ERROR, currentUser + " does not have fgsms Global audit rights." + fromFunction);
763         AuditLogger.logItem(UserIdentityUtil.class.getCanonicalName(), fromFunction, currentUser, "global audit deny", classification, null);
764         throw new SecurityException("Access Denied");
765     }
766 
767     /**
768      * return true if the user has the global admin role, , checks the servlet
769      * context first, then the database
770      *
771      * @param currentUser
772      * @param fromFunction
773      * @param classification
774      * @param mc
775      * @return
776      */
777     public static boolean hasGlobalAuditRole(final String currentUser, final String fromFunction, final SecurityWrapper classification, final WebServiceContext session) {
778         try {
779             if (session != null) {
780                 if (session.isUserInRole(Constants.ROLES_GLOBAL_AUDITOR)) {
781                     return true;
782                 }
783                 if (session.isUserInRole(Constants.ROLES_GLOBAL_ADMINISTRATOR)) {
784                     return true;
785                 }
786             }
787         } catch (Exception ex) {
788             log.log(Level.DEBUG, "error type casting servlet request context", ex);
789         }
790         Connection con = Utility.getConfigurationDBConnection();
791         PreparedStatement comm = null;
792         ResultSet r = null;
793         try {
794 
795             comm = con.prepareStatement("Select rolecol from Users where Username=?;");
796             comm.setString(1, currentUser);
797             r = comm.executeQuery();
798             while (r.next()) {
799                 String s = null;
800                 s = r.getString("rolecol");
801                 if (Utility.stringIsNullOrEmpty(s)) {
802                     DBUtils.safeClose(r);
803                     DBUtils.safeClose(comm);
804                     DBUtils.safeClose(con);
805                     return false;
806                 }
807                 if (s.equalsIgnoreCase("audit") || s.equalsIgnoreCase("admin")) {
808                     DBUtils.safeClose(r);
809                     DBUtils.safeClose(comm);
810                     DBUtils.safeClose(con);
811                     return true;
812                 }
813             }
814         } // end assertGlobalAdministratorRole
815         catch (Exception ex) {
816             log.log(Level.ERROR, "Error caught determining if " + currentUser + " has fgsms global audit rights. Assuming the answer is no." + fromFunction, ex);
817         } finally {
818             DBUtils.safeClose(r);
819             DBUtils.safeClose(comm);
820             DBUtils.safeClose(con);
821         }
822 
823         return false;
824     } // end hasGlobalAdministratorRole
825 
826     /**
827      * Assert global admin role, throws an exception if the role is not present,
828      * checks the servlet context first, then the database
829      *
830      * @param currentUser
831      * @param fromFunction
832      * @param classification
833      * @param mc
834      */
835     public static void assertGlobalAuditRole(final String currentUser, final String fromFunction, final SecurityWrapper classification, final WebServiceContext session) {
836         if (Utility.stringIsNullOrEmpty(currentUser)) {
837             throw new SecurityException("Access Denied");
838         }
839         try {
840             if (session != null) {
841                 if (session.isUserInRole(Constants.ROLES_GLOBAL_ADMINISTRATOR)) {
842                     return;
843                 }
844                 if (session.isUserInRole(Constants.ROLES_GLOBAL_AUDITOR)) {
845                     return;
846                 }
847             }
848         } catch (Exception ex) {
849             log.log(Level.DEBUG, "error type casting servlet request context", ex);
850         }
851 
852         Connection con = Utility.getConfigurationDBConnection();
853         PreparedStatement comm = null;
854         ResultSet r = null;
855         try {
856 
857             comm = con.prepareStatement("Select rolecol from Users where Username=?;");
858             comm.setString(1, currentUser);
859             r = comm.executeQuery();
860             while (r.next()) {
861                 String s = r.getString(1);
862                 if (!Utility.stringIsNullOrEmpty(s)) {
863                     if (s.equalsIgnoreCase("admin") || s.equalsIgnoreCase("audit")) {
864                         DBUtils.safeClose(r);
865                         DBUtils.safeClose(comm);
866                         DBUtils.safeClose(con);
867                         return;
868                     }
869                 }
870             }
871 
872         } // end assertGlobalAdministratorRole
873         catch (Exception ex) {
874             log.log(Level.ERROR, "Error caught determining if " + currentUser + " has fgsms global audit rights. " + fromFunction, ex);
875             throw new SecurityException("Access Denied");
876         } finally {
877             DBUtils.safeClose(r);
878             DBUtils.safeClose(comm);
879             DBUtils.safeClose(con);
880         }
881         log.log(Level.ERROR, currentUser + " does not have fgsms Global audit rights." + fromFunction);
882         AuditLogger.logItem(UserIdentityUtil.class.getCanonicalName(), fromFunction, currentUser, "global audit deny", classification, null);
883 
884         throw new SecurityException("Access Denied");
885 
886     } // end assertGlobalAdministratorRole
887 
888     /**
889      * return true if the user has the global admin role, , checks the servlet
890      * context first, then the database
891      *
892      * @param currentUser
893      * @param fromFunction
894      * @param url
895      * @param classification
896      * @param session
897      * @return
898      */
899     public static boolean hasReadAccess(final String currentUser, final String fromFunction, final String uri, final SecurityWrapper classification, final WebServiceContext session) {
900         try {
901             if (session != null) {
902                 {
903                     if (session.isUserInRole(Constants.ROLES_GLOBAL_ADMINISTRATOR)) {
904                         return true;
905                     }
906                     if (session.isUserInRole(Constants.ROLES_GLOBAL_WRITE)) {
907                         return true;
908                     }
909                     if (session.isUserInRole(Constants.ROLES_GLOBAL_READ)) {
910                         return true;
911                     }
912                     if (session.isUserInRole(Constants.ROLES_GLOBAL_AUDITOR)) {
913                         return true;
914                     }
915                 }
916             }
917         } catch (Exception ex) {
918             log.log(Level.DEBUG, "error type casting servlet request context", ex);
919         }
920 
921         Connection con = Utility.getConfigurationDBConnection();
922         PreparedStatement comm = null;
923         ResultSet r = null;
924         try {
925 
926             comm = con.prepareStatement("Select count(*)"
927                     + "where  ? in ("
928                     + "	Select Username"
929                     + "	from UserPermissions"
930                     + "	Where (UserPermissions.Username=? AND"
931                     + "	UserPermissions.ObjectURI=?)"
932                     + "	AND"
933                     + "	((UserPermissions.ReadObject=true OR "
934                     + "	UserPermissions.WriteObject=true OR"
935                     + "	UserPermissions.AdministerObject=true OR"
936                     + "	UserPermissions.AuditObject=true))"
937                     + "	)"
938                     + "or 'everyone' in ("
939                     + "	Select Username"
940                     + "	from UserPermissions"
941                     + "	Where (UserPermissions.Username='everyone' AND"
942                     + "	UserPermissions.ObjectURI=?)"
943                     + "	AND"
944                     + "	((UserPermissions.ReadObject=true OR "
945                     + "	UserPermissions.WriteObject=true OR"
946                     + "	UserPermissions.AdministerObject=true OR"
947                     + "	UserPermissions.AuditObject=true))"
948                     + "	)"
949                     + "or ?  in ("
950                     + "	select Users.Username"
951                     + "	from Users"
952                     + "	Where Users.Username=?"
953                     + "	AND Users.rolecol='admin');");
954             comm.setString(1, currentUser);
955             comm.setString(2, currentUser);
956             comm.setString(3, uri);
957             comm.setString(4, uri);
958             comm.setString(5, currentUser);
959             comm.setString(6, currentUser);
960             r = comm.executeQuery();
961             r.next();
962             int right = r.getInt(1);
963             DBUtils.safeClose(r);
964             DBUtils.safeClose(comm);
965             DBUtils.safeClose(con);
966             return right != 0;
967         } // end assertReadAccess // end assertReadAccess
968         catch (Exception ex) {
969             log.log(Level.ERROR, "Error caught querying database for " + currentUser + ":fgsms read rights for " + uri + " from " + fromFunction, ex);
970         } finally {
971             DBUtils.safeClose(r);
972             DBUtils.safeClose(comm);
973             DBUtils.safeClose(con);
974         }
975 
976         return false;
977 
978     } // end 
979 }