Question: JAVA ACCESS CONTROL

In this assignment, you will create an access control program. We use a program much like this one (although more complex) to maintain access to the shared computers in the instructional lab. An access control program maintains a record of valid users and their properties. In order to gain access to the machine, a user must accurately report their matching name and password.

For this assignment, you need to submit three files on zybooks: AccessControl.java, User.java, and AccessControlTest.java.

STEP1. DESIGNING AN ACCESS CONTROL SYSTEM

An access control system, once launched, prevents a user from doing anything until they log into the system. Behind this simple login screen lies the heart of the program, which stores and maintains the set of Users and their properties. An AccessControl object must deal with three types of users:

Administrators should be able to reset passwords, remove or add users, and give administrator access. They should also be able to log in or out, and change their own password.

Regular users should be able to log in, change their own password, and log out.

Non-users should not be able to access anyone's passwords, nor log into the system.

STEP2. CREATE THE USER CLASS

Begin with the User class. The following fields and methods (copied from our list) must be present exactly as shown. You may add additional private fields or methods, but not any additional public fields or methods.

    private final String USERNAME; // The user's name
    private String password;       // The user's password
    private boolean isAdmin;       // Whether or not the user has Admin powers

    public User(String username, String password, boolean isAdmin) {}
        // Creates a new user with the given password and admin status
    public boolean isValidLogin(String password) {} // Report whether the password is correct
    public String getUsername() {}                  // Return the user's name
    public boolean getIsAdmin() {}                  // Report whether the user is an admin
    public void setPassword(String password) {}     // Set the new password
    public void setIsAdmin(boolean isAdmin) {}      // Set the new admin status

Notice that the User class includes three private fields, but only two have mutators and only two have accessors. For the password field, we provide a method that returns true iff a given password matches the field's value instead of an accessor that reveals its password. For the username field, we set its value when we create the user, but do not change it after that. (For this reason, we also make the username a final field.)

You can now submit your program on zybooks to pass unit test 1.

STEP3. CREATE A TESTING CLASS

Create a class AccessControlTest. The testing class should consist of a main method and some number of test methods. Each test method should return a boolean indicating whether or not the test passed. (We will provide examples in the following steps.) The main method should run each test method and print out a brief report for any failed tests. You generally don't print anything for a passed test. If all tests pass, your main method should print "All tests passed!" Your main method in AccessControlTest should look similar to this example:

    /*
     * Testing main. Runs each test and prints which (if any) failed.
     */
    public static void main(String[] args) {
        int fails = 0;
        if (!testLogin1()) {
            System.out.println("testLogin1 [bad username] failed");
            fails++;
        }
        if (!testLogin2()) {
            System.out.println("testLogin2 [good login] failed");
            fails++;
        }
        if (!testLogin3()) {
            System.out.println("testLogin3 [bad username with default password] failed");
            fails++;
        }
        if (fails == 0)
            System.out.println("All tests passed!");
    }

Remember to document all of your testing methods!

STEP4. WRITE THE ACCESS CONTROL SYSTEM

Now let's create the AccessControl class.

The following private fields (copied from our list) must be present exactly as shown. You may add additional private fields, but not additional public fields.

Note: While it is allowed, you shouldn't need any additional private fields to complete this assignment.

    private static ArrayList<User> users; // An ArrayList of valid users.
    private User currentUser;             // Who is currently logged in, if anyone?
    private static final String DEFAULT_PASSWORD = "changeme";
        // Default password given to
        // new users or when we reset a user's password.

An instance of AccessControl represents a single terminal (computer). The AccessControl system as a whole allows many users to be logged in at once, just at different terminals! Therefore, the currentUser is made as an instance variable, while the ArrayList of all valid users and the default password are made as static class variables.

Now let's start adding public methods to your AccessControl class. Their signatures must be exactly as shown. You may add additional private methods, but you should not add any public methods other than the ones we require.

4.1 THE CONSTRUCTOR

    public AccessControl() {} // A no-parameter constructor

Your AccessControl constructor needs to make a new AccessControl object. Any non-static field should be initialized here. Your constructor should also check whether each class variable has been initialized and, if not, initialize them. The required fields should have the following starting values:

users: An ArrayList containing a single user with the username admin, the password root, and isAdmin set to true.

currentUser: null

Note: Since DEFAULT_PASSWORD is both static and final, you will not be able to modify it within the constructor.

4.2 ISVALIDLOGIN

    public static boolean isValidLogin(String username, String password) {}
        // Report whether a
        // given username/password pair is a valid login

Your isValidLogin method should return true if the username/password pair matches any user in your users ArrayList and false otherwise. This method should be static, since it only relies on the static users ArrayList. This method should not have any side-effects. (For example, do not set the currentUser here.) Its only job is to determine whether a username/password pair is valid.

You can test isValidLogin by calling it on username/password combinations where you know whether they are in the system. We've provided one example below where the username is not present.

    /*
     * This test tries to log in a user that doesn't exist
     * @return boolean test passed
     */
    public static boolean testLogin1() {
        AccessControl ac = new AccessControl();
        String user = "probablyNotInTheSystem1234";
        String pw = "password";
        return !ac.isValidLogin(user, pw); // isValidLogin should return false
    }

4.3 REGULAR USER METHODS

    public void changePassword(String newPassword) {} // Change the current user's password
    public void logout() {}                           // Log out the current user
    public void setCurrentUser(String username) {}    // A mutator you can use to write tests
                                                      // without simulating user input

Both changePassword and logout operate on the currentUser, so they do not take a username as a parameter. changePassword should modify the currentUser's password to be the given newPassword. logout should set the currentUser to null.

The setCurrentUser method should not be used by any other method in AccessControl, but may be very useful for writing test methods. You must implement it even if you do not use it in any test methods. (We may use it when testing your code.)

4.4 ADMIN METHODS

    public boolean addUser(String username) {} // Create a new user
        // With the default password and isAdmin==false
    public boolean addUser(String username, boolean isAdmin) {} // Create a new user
        // and specify their admin status
    public boolean removeUser(String username) {}    // Remove a user (names should be unique)
    public boolean giveAdmin(String username) {}     // Give a user admin power
    public boolean takeAdmin(String username) {}     // Remove a user's admin power
    public boolean resetPassword(String username) {} // Reset a user's password

These six methods are collectively the admin methods of AccessControl. During the normal operation of your program, they should only be run when an administrator is logged in. To meet this requirement, we have two options. We can either (A) have each admin method check whether the current user is an admin and fail if they aren't, or (B) make sure we never call these methods if the current user is not an admin. Please follow option A. If an admin method call fails for any reason, it should return false. If it succeeds, return true. In addition to failing due to lack of administrator powers, each method can fail in one other way: The addUser methods can fail if a user with that username already exists. Duplicate users aren't allowed. The other admin methods each fail if the designated username does not refer to any User in the system.

Here is a test method that makes sure addUser(String username) correctly fails when the currentUser is not an admin:

    /*
     * Create a new AccessControl and do not log in an admin.
     * Verify that addUser(String username) returns false
     * and that the new user is not added.
     * @return boolean test passed
     */
    public static boolean testAddUser1() {
        AccessControl ac = new AccessControl();
        String user = "alexi";
        boolean addUserReport = ac.addUser(user);
        if (addUserReport)
            return false; // addUserReport should be false
        // Make sure user wasn't added anyway
        return !ac.isValidLogin(user, "changeme");
    }
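
An added example, not part of the assignment and not its reference solution: a condensed, self-contained model of option A, in which the admin check sits inside each admin method, so a driver that forgets to check still cannot add users and a regular user cannot promote themselves. The class name OptionADemo, the find and callerIsAdmin helpers, and the simplified non-private fields are assumptions made to keep it short; the required signatures and private fields above still apply to your own classes.

```java
import java.util.ArrayList;
// Added illustration: a condensed model of option A, not the assignment's solution.
public class OptionADemo {
    static class User {
        final String username; String password; boolean isAdmin;
        User(String u, String p, boolean a) { username = u; password = p; isAdmin = a; }
    }

    static final String DEFAULT_PASSWORD = "changeme";
    static final ArrayList<User> users = new ArrayList<>();
    User currentUser = null; // this terminal's session; null means nobody is logged in

    // Hypothetical helper: look a user up by name, or return null.
    static User find(String username) {
        for (User u : users) if (u.username.equals(username)) return u;
        return null;
    }

    // Hypothetical helper: one authorization decision that every admin method calls.
    private boolean callerIsAdmin() { return currentUser != null && currentUser.isAdmin; }

    boolean addUser(String username, boolean isAdmin) {
        if (!callerIsAdmin()) return false;       // option A: check before any change
        if (find(username) != null) return false; // duplicate usernames are not allowed
        users.add(new User(username, DEFAULT_PASSWORD, isAdmin));
        return true;
    }

    boolean giveAdmin(String username) {
        if (!callerIsAdmin()) return false;
        User target = find(username);
        if (target == null) return false;         // no such user
        target.isAdmin = true;
        return true;
    }

    public static void main(String[] args) {
        users.add(new User("admin", "root", true));
        OptionADemo terminal = new OptionADemo();
        // A driver that forgot to check: nobody is logged in, so the call is refused.
        System.out.println("no session, addUser alexi: " + terminal.addUser("alexi", true));
        System.out.println("alexi exists afterwards: " + (find("alexi") != null));
        terminal.currentUser = find("admin");
        System.out.println("admin, addUser mouna: " + terminal.addUser("mouna", false));
        System.out.println("admin, addUser mouna again: " + terminal.addUser("mouna", false));
        terminal.currentUser = find("mouna");     // regular user tries to self-promote
        System.out.println("mouna, giveAdmin mouna: " + terminal.giveAdmin("mouna"));
        System.out.println("mouna is admin afterwards: " + find("mouna").isAdmin);
    }
}
```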

4.5 DRIVERS

    public void loginScreen(Scanner userInputScanner) {} // Main driver loop.
        // Prompt the user for login information
        // calls the isValidLogin method
        // If the login is valid, call the sessionScreen method
    public void sessionScreen(String username, Scanner userInputScanner) {}
        // Set the currentUser
        // Allows them to changePassword or logout
        // If they are an admin, gives access to admin methods

The loginScreen method consists of a single while(true) loop. This is an intentionally infinite loop; this program does not need a quit option. Remember that you can use the stop button in Eclipse to halt your program in the middle of execution. Within that loop, you must:

Print a prompt for the user. You may design this prompt.

Get a username and a password from the given userInputScanner. Do not create additional Scanners.

Use isValidLogin to determine whether the given username and password are valid

If valid, call sessionScreen. Otherwise, print a message indicating an invalid login.

The username and password will be given as separate lines of input, username first. You may assume that all given usernames and passwords consist of a single word with no spaces or other special characters. The loginScreen method will be called by the main static method provided below. (You should include main as written in your AccessControl class.)

    /*
     * Launch an AccessControl instance
     */
    public static void main(String[] args) {
        AccessControl ac = new AccessControl();
        // If we have any persistent information to load
        // this is where we load it.
        Scanner userIn = new Scanner(System.in);
        ac.loginScreen(userIn);
    }

The sessionScreen method also consists mostly of a single while loop. Unlike loginScreen, sessionScreen has a little setup to do before you begin looping: set the currentUser to the user object matching the username parameter. Within the loop, you must

Print a prompt for the user. You may design this prompt.

Get a command from the user. Valid commands are:

logout

newpw [newpassword]

adduser [username]

adduser [username] [true or false]

rmuser [username]

giveadmin [username]

rmadmin [username]

resetpw [username]

Run the appropriate method

The first two commands may be run by any user. The latter six are restricted to administrators only. The sessionScreen method is not responsible for enforcing this; recall that we chose to have each admin method check for admin powers. The sessionScreen loop should run until you call the logout method.

Note on command formatting: [username] indicates that the user inputs a username. An example command string would be resetpw alexi or adduser mouna true.

You can now submit your program on zybooks to pass unit tests 2 and 3.

STEP5. CREATE SOME MORE TESTS

Create at least three additional tests. Each test should focus on a specific method, on a specific field, or on a specific bug. You are welcome to create additional tests as you feel is necessary. Remember that each public test method you write must be static boolean.

Sometimes you want to test the value of a private field, but your test method does not have access to that field. Get creative! For example, you might test whether the currentUser's password was changed by attempting to login with their old password and checking that the second login attempt fails.

Make sure your AccessControl program passes your tests!
