MasterPasswordProvider.java

/* (c) 2014 Open Source Geospatial Foundation - all rights reserved
 * (c) 2001 - 2013 OpenPlans
 * This code is licensed under the GPL 2.0 license, available at the root
 * application directory.
 */
package org.geoserver.security;

import org.geoserver.security.impl.AbstractGeoServerSecurityService;
import org.geoserver.security.validation.MasterPasswordChangeValidator;

/**
 * Extension point for providing the master password.
 * </p>
 * Instances of this interface are provided via spring context as a strategy for providing the 
 * GeoServer master password. 
 * </p>
 * <p>
 * Extensions of this interface <b>must</b> be final to prevent an attacker from registering a
 * subclass that could be used to obtain the plain text version of the master password. 
 * </p>
 * 
 * @author christian
 *
 */
public abstract class MasterPasswordProvider extends AbstractGeoServerSecurityService {

    /**
     * Getter the master password in plain text.
     * <p>
     * This method is package visibility only to prevent extensions from obtaining the master
     * password in plain text. 
     * </p>
     */
    final char[] getMasterPassword() throws Exception {
        return doGetMasterPassword();
    }

    /**
     * Internal getter for plain text master password. 
     */
    protected abstract char[] doGetMasterPassword() throws Exception;

    /**
     * Setter for the master password in plain text.
     */
    final void setMasterPassword(char[] newPasswd) throws Exception {
        doSetMasterPassword(newPasswd);
    }

    /**
     * Internal setter for plain text master password. 
     */
    protected abstract void doSetMasterPassword(char[] passwd) throws Exception;

    public MasterPasswordChangeValidator createPasswordChangeValidator() {
        return new MasterPasswordChangeValidator(getSecurityManager());
    }
}