MAINT, DOC: Refactoring "attempt" -> "replay", plus documentation.

conf/core/authtoken.example.yaml

@@ -12,7 +12,7 @@
   output:
     file: "authtoken/admin_token_3_attempts.json"
     schedule: "0/10 * * ? * * *"
-  maxAttempts: 3
+  maxReplays: 3
 - roles:
     - administration
   output:

conf/core/server.conf

@@ -123,11 +123,12 @@ ONE_TIME_TOKEN_EXPIRES_MS=604800000
 # Path to config file for one time tokens, for example authtoken.yml.
 AUTHTOKEN_CONFIG=
 
-# Timeout after which a consumed one-time token expires regardless of the
-# maximum of attempts that are allowed for that token. This is only a default
-# value. The actual timeout of tokens can be configured otherwise.
+# Timeout after which a one-time token expires once it has been first consumed,
+# regardless of the maximum of replays that are allowed for that token. This is
+# only a default value. The actual timeout of tokens can be configured
+# otherwise.
 # 30 s
-ONE_TIME_TOKEN_ATTEMPTS_TIMEOUT_MS=30000
+ONE_TIME_TOKEN_REPLAYS_TIMEOUT_MS=30000
 
 # The value for the HTTP cache directive "max-age"
 WEBUI_HTTP_HEADER_CACHE_MAX_AGE=28800

src/main/java/caosdb/server/CaosDBServer.java

@@ -123,6 +123,9 @@ public class CaosDBServer extends Application {
   private static ArrayList<Runnable> preShutdownHooks = new ArrayList<Runnable>();
   private static boolean START_BACKEND = true;
   private static boolean INSECURE = false;
+  public static final String REQUEST_TIME_LOGGER = "REQUEST_TIME_LOGGER";
+  public static final String REQUEST_ERRORS_LOGGER = "REQUEST_ERRORS_LOGGER";
+  private static Scheduler SCHEDULER;
 
   public static String getServerProperty(final String key) {
     return getServerProperties().getProperty(key);
@@ -527,10 +530,6 @@ public class CaosDBServer extends Application {
     }
   }
 
-  public static final String REQUEST_TIME_LOGGER = "REQUEST_TIME_LOGGER";
-  public static final String REQUEST_ERRORS_LOGGER = "REQUEST_ERRORS_LOGGER";
-  private static Scheduler SCHEDULER;
-
   /**
    * Specify the dispatching restlet that maps URIs to their associated resources for processing.
    *
@@ -580,6 +579,7 @@ public class CaosDBServer extends Application {
           private void setSessionCookies(final Response response) {
 
             final Subject subject = SecurityUtils.getSubject();
+            // if authenticated as a normal user: generate and set session cookie.
             if (subject.isAuthenticated()
                 && subject.getPrincipal() != AnonymousAuthenticationToken.PRINCIPAL) {
               final SessionToken sessionToken = SessionToken.generate(subject);

src/main/java/caosdb/server/ServerProperties.java

@@ -89,8 +89,8 @@ public class ServerProperties extends Properties {
 
   public static final String KEY_SESSION_TIMEOUT_MS = "SESSION_TIMEOUT_MS";
   public static final String KEY_ONE_TIME_TOKEN_EXPIRES_MS = "ONE_TIME_TOKEN_EXPIRES_MS";
-  public static final String KEY_ONE_TIME_TOKEN_ATTEMPTS_TIMEOUT_MS =
-      "ONE_TIME_TOKEN_ATTEMPTS_TIMEOUT_MS";
+  public static final String KEY_ONE_TIME_TOKEN_REPLAYS_TIMEOUT_MS =
+      "ONE_TIME_TOKEN_REPLAYS_TIMEOUT_MS";
 
   public static final String KEY_CACHE_CONF_LOC = "CACHE_CONF_LOC";
   public static final String KEY_CACHE_DISABLE = "CACHE_DISABLE";

src/main/java/caosdb/server/accessControl/AuthenticationUtils.java

@@ -4,6 +4,8 @@
  *
  * Copyright (C) 2018 Research Group Biomedical Physics,
  * Max-Planck-Institute for Dynamics and Self-Organization Göttingen
+ * Copyright (C) 2020 Indiscale GmbH <info@indiscale.com>
+ * Copyright (C) 2020 Timm Fitschen <t.fitschen@indiscale.com>
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU Affero General Public License as
@@ -124,9 +126,7 @@ public class AuthenticationUtils {
 
     if (token != null && token.isValid()) {
       t = new Timestamp(token.getExpires()).toString().replaceFirst(" ", "T");
-      exp_in_sec = (int) Math.ceil(token.getTimeout() / 1000.0); // new
-      // expiration
-      // time.
+      exp_in_sec = (int) Math.ceil(token.getTimeout() / 1000.0); // new expiration time
       return new CookieSetting(
           0,
           AuthenticationUtils.SESSION_TIMEOUT_COOKIE,

src/main/java/caosdb/server/accessControl/CaosDBAuthorizingRealm.java

@@ -49,6 +49,7 @@ public class CaosDBAuthorizingRealm extends AuthorizingRealm {
     final SimpleAuthorizationInfo authzInfo = new SimpleAuthorizationInfo();
     Object principal = principals.getPrimaryPrincipal();
 
+    // Add explicitly given roles and permissions.
     if (principal instanceof SelfValidatingAuthenticationToken) {
       Collection<String> sessionPermissions =
           getSessionPermissions((SelfValidatingAuthenticationToken) principal);
@@ -60,8 +61,7 @@ public class CaosDBAuthorizingRealm extends AuthorizingRealm {
       authzInfo.addStringPermissions(sessionPermissions);
     }
 
-    // find all roles which are associated with this principal in this
-    // realm.
+    // Find all roles which are associated with this principal in this realm.
     final Set<String> principalRoles =
         UserSources.resolve((Principal) principals.getPrimaryPrincipal());
     if (principalRoles != null) {

src/main/java/caosdb/server/accessControl/CaosDBRolePermissionResolver.java

@@ -33,6 +33,7 @@ import org.apache.shiro.authc.AuthenticationException;
 
 public class CaosDBRolePermissionResolver {
 
+  /** Return CaosPermission with the rules which are associated with the roles. */
   public CaosPermission resolvePermissionsInRole(final Set<String> roles) {
     final HashSet<PermissionRule> rules = new HashSet<PermissionRule>();
     for (final String role : roles) {

src/main/java/caosdb/server/accessControl/Config.java

@@ -5,9 +5,9 @@ public class Config {
   private String[] roles = {};
   private String purpose = null;
   private OneTimeTokenToFile output = null;
-  private int maxAttempts = 1;
+  private int maxReplays = 1;
   private int timeout = OneTimeAuthenticationToken.DEFAULT_TIMEOUT_MS;
-  private int attemptsTimeout = OneTimeAuthenticationToken.DEFAULT_ATTEMPTS_TIMEOUT_MS;
+  private int replaysTimeout = OneTimeAuthenticationToken.DEFAULT_REPLAYS_TIMEOUT_MS;
   private String name = AnonymousAuthenticationToken.PRINCIPAL.getUsername();
 
   public Config() {}
@@ -28,20 +28,20 @@ public class Config {
     this.timeout = timeout;
   }
 
-  public void setAttemptsTimeoutSeconds(int seconds) {
-    this.setAttemptsTimeout(seconds * 1000);
+  public void setReplaysTimeoutSeconds(int seconds) {
+    this.setReplaysTimeout(seconds * 1000);
   }
 
   public void setExpiresAfterSeconds(int seconds) {
     this.setTimeout(seconds * 1000);
   }
 
-  public void setMaxAttempts(int maxAttempts) {
-    this.maxAttempts = maxAttempts;
+  public void setMaxReplays(int maxReplays) {
+    this.maxReplays = maxReplays;
   }
 
-  public int getMaxAttempts() {
-    return maxAttempts;
+  public int getMaxReplays() {
+    return maxReplays;
   }
 
   public String[] getPermissions() {
@@ -76,11 +76,11 @@ public class Config {
     this.output = output;
   }
 
-  public int getAttemptsTimeout() {
-    return attemptsTimeout;
+  public int getReplaysTimeout() {
+    return replaysTimeout;
   }
 
-  public void setAttemptsTimeout(int attemptsTimeout) {
-    this.attemptsTimeout = attemptsTimeout;
+  public void setReplaysTimeout(int replaysTimeout) {
+    this.replaysTimeout = replaysTimeout;
   }
 }

src/main/java/caosdb/server/accessControl/OneTimeAuthenticationToken.java

@@ -4,6 +4,8 @@
  *
  * Copyright (C) 2018 Research Group Biomedical Physics,
  * Max-Planck-Institute for Dynamics and Self-Organization Göttingen
+ * Copyright (C) 2020 Indiscale GmbH <info@indiscale.com>
+ * Copyright (C) 2020 Timm Fitschen <t.fitschen@indiscale.com>
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU Affero General Public License as
@@ -43,18 +45,18 @@ import org.slf4j.LoggerFactory;
 
 public class OneTimeAuthenticationToken extends SelfValidatingAuthenticationToken {
 
-  public static final long DEFAULT_MAX_ATTEMPTS = 1L;
-  public static final int DEFAULT_ATTEMPTS_TIMEOUT_MS =
+  public static final long DEFAULT_MAX_REPLAYS = 1L;
+  public static final int DEFAULT_REPLAYS_TIMEOUT_MS =
       Integer.parseInt(
-          CaosDBServer.getServerProperty(ServerProperties.KEY_ONE_TIME_TOKEN_ATTEMPTS_TIMEOUT_MS));
+          CaosDBServer.getServerProperty(ServerProperties.KEY_ONE_TIME_TOKEN_REPLAYS_TIMEOUT_MS));
   public static final int DEFAULT_TIMEOUT_MS =
       Integer.parseInt(
           CaosDBServer.getServerProperty(ServerProperties.KEY_ONE_TIME_TOKEN_EXPIRES_MS));
   public static final String REALM_NAME = "OneTimeAuthenticationToken"; // TODO move to UserSources
   public static final Logger LOGGER = LoggerFactory.getLogger(OneTimeAuthenticationToken.class);
 
-  private long maxAttempts;
-  private long attemptsTimeout;
+  private long maxReplays;
+  private long replaysTimeout;
 
   public OneTimeAuthenticationToken(
       final Principal principal,
@@ -64,16 +66,16 @@ public class OneTimeAuthenticationToken extends SelfValidatingAuthenticationToke
       final String checksum,
       final String[] permissions,
       final String[] roles,
-      final long maxAttempts,
-      final long attemptsTimeout) {
+      final long maxReplays,
+      final long replaysTimeout) {
     super(principal, date, timeout, salt, checksum, permissions, roles);
-    this.attemptsTimeout = attemptsTimeout;
-    this.maxAttempts = maxAttempts;
+    this.replaysTimeout = replaysTimeout;
+    this.maxReplays = maxReplays;
     consume();
   }
 
-  public long getAttemptsTimeout() {
-    return attemptsTimeout;
+  public long getReplaysTimeout() {
+    return replaysTimeout;
   }
 
   public void consume() {
@@ -85,15 +87,15 @@ public class OneTimeAuthenticationToken extends SelfValidatingAuthenticationToke
       final long timeout,
       final String[] permissions,
       final String[] roles,
-      final Long maxAttempts,
-      final Long attemptsTimeout) {
+      final Long maxReplays,
+      final Long replaysTimeout) {
     super(
         principal,
         timeout,
         permissions,
         roles,
-        defaultIfNull(maxAttempts, DEFAULT_MAX_ATTEMPTS),
-        defaultIfNull(attemptsTimeout, DEFAULT_ATTEMPTS_TIMEOUT_MS));
+        defaultIfNull(maxReplays, DEFAULT_MAX_REPLAYS),
+        defaultIfNull(replaysTimeout, DEFAULT_REPLAYS_TIMEOUT_MS));
   }
 
   private static final long serialVersionUID = -1072740888045267613L;
@@ -113,10 +115,10 @@ public class OneTimeAuthenticationToken extends SelfValidatingAuthenticationToke
     final long timeout = (Long) array[6];
     final String salt = (String) array[7];
     final String checksum = (String) array[8];
-    final long maxAttempts = (Long) array[9];
-    final long attemptsTimeout = (Long) array[10];
+    final long maxReplays = (Long) array[9];
+    final long replaysTimeout = (Long) array[10];
     return new OneTimeAuthenticationToken(
-        principal, date, timeout, salt, checksum, permissions, roles, maxAttempts, attemptsTimeout);
+        principal, date, timeout, salt, checksum, permissions, roles, maxReplays, replaysTimeout);
   }
 
   private static OneTimeAuthenticationToken generate(
@@ -124,11 +126,11 @@ public class OneTimeAuthenticationToken extends SelfValidatingAuthenticationToke
       final String[] permissions,
       final String[] roles,
       final long timeout,
-      final long maxAttempts,
-      final long attemptsTimeout) {
+      final long maxReplays,
+      final long replaysTimeout) {
 
     return new OneTimeAuthenticationToken(
-        principal, timeout, permissions, roles, maxAttempts, attemptsTimeout);
+        principal, timeout, permissions, roles, maxReplays, replaysTimeout);
   }
 
   public static List<Config> loadConfig(InputStream input) throws Exception {
@@ -174,8 +176,8 @@ public class OneTimeAuthenticationToken extends SelfValidatingAuthenticationToke
         c.getPermissions(),
         c.getRoles(),
         c.getTimeout(),
-        c.getMaxAttempts(),
-        c.getAttemptsTimeout());
+        c.getMaxReplays(),
+        c.getReplaysTimeout());
   }
 
   static Map<String, Config> purposes = new HashMap<>();
@@ -212,8 +214,8 @@ public class OneTimeAuthenticationToken extends SelfValidatingAuthenticationToke
   @Override
   protected void setFields(Object[] fields) {
     if (fields.length == 2) {
-      this.maxAttempts = (long) fields[0];
-      this.attemptsTimeout = (long) fields[1];
+      this.maxReplays = (long) fields[0];
+      this.replaysTimeout = (long) fields[1];
     } else {
       throw new InstantiationError("Too few fields.");
     }
@@ -230,8 +232,8 @@ public class OneTimeAuthenticationToken extends SelfValidatingAuthenticationToke
         this.salt,
         calcChecksum((Object[]) this.permissions),
         calcChecksum((Object[]) this.roles),
-        this.maxAttempts,
-        this.attemptsTimeout,
+        this.maxReplays,
+        this.replaysTimeout,
         pepper);
   }
 
@@ -248,13 +250,13 @@ public class OneTimeAuthenticationToken extends SelfValidatingAuthenticationToke
           this.timeout,
           this.salt,
           this.checksum,
-          this.maxAttempts,
-          this.attemptsTimeout
+          this.maxReplays,
+          this.replaysTimeout
         });
   }
 
-  public long getMaxAttempts() {
-    return maxAttempts;
+  public long getMaxReplays() {
+    return maxReplays;
   }
 
   public static void resetConfig() {

src/main/java/caosdb/server/accessControl/OneTimeTokenConsumedInfo.java

@@ -7,6 +7,10 @@ import java.util.List;
 import java.util.Map;
 import org.apache.shiro.authc.AuthenticationException;
 
+/**
+ * Utility class to manage OTTs: mark as consumed, removed expired OTTs, manage maximum number of
+ * replays and replay timeout of tokens.
+ */
 class OneTimeTokenConsumedInfo {
 
   private static Map<String, OneTimeTokenConsumedInfo> consumedOneTimeTokens = new HashMap<>();
@@ -24,6 +28,7 @@ class OneTimeTokenConsumedInfo {
     }
   }
 
+  /** If the token is valid, consume it once and store this information. */
   public static void consume(OneTimeAuthenticationToken oneTimeAuthenticationToken) {
     if (oneTimeAuthenticationToken.isValid()) {
       String key = OneTimeTokenConsumedInfo.getKey(oneTimeAuthenticationToken);
@@ -40,7 +45,7 @@ class OneTimeTokenConsumedInfo {
   }
 
   private OneTimeAuthenticationToken oneTimeAuthenticationToken;
-  private List<Long> attempts = new LinkedList<>();
+  private List<Long> replays = new LinkedList<>();
 
   public OneTimeTokenConsumedInfo(OneTimeAuthenticationToken oneTimeAuthenticationToken) {
     this.oneTimeAuthenticationToken = oneTimeAuthenticationToken;
@@ -50,30 +55,31 @@ class OneTimeTokenConsumedInfo {
     return token.checksum;
   }
 
-  private int getNoOfAttempts() {
-    return attempts.size();
+  private int getNoOfReplays() {
+    return replays.size();
   }
 
-  private long getMaxAttempts() {
-    return oneTimeAuthenticationToken.getMaxAttempts();
+  private long getMaxReplays() {
+    return oneTimeAuthenticationToken.getMaxReplays();
   }
 
-  private long getAttemptTimeout() {
-    if (attempts.size() == 0) {
+  private long getReplayTimeout() {
+    if (replays.size() == 0) {
       return Long.MAX_VALUE;
     }
-    long firstAttemptTime = attempts.get(0);
-    return firstAttemptTime + oneTimeAuthenticationToken.getAttemptsTimeout();
+    long firstReplayTime = replays.get(0);
+    return firstReplayTime + oneTimeAuthenticationToken.getReplaysTimeout();
   }
 
+  /** If there are still replays and time left, increase the replay counter by one. */
   public void consume() {
-    synchronized (attempts) {
-      if (getNoOfAttempts() >= getMaxAttempts()) {
+    synchronized (replays) {
+      if (getNoOfReplays() >= getMaxReplays()) {
         throw new AuthenticationException("One-time token was consumed too often.");
-      } else if (getAttemptTimeout() < System.currentTimeMillis()) {
-        throw new AuthenticationException("One-time token attempts timeout expired.");
+      } else if (getReplayTimeout() < System.currentTimeMillis()) {
+        throw new AuthenticationException("One-time token replays timeout expired.");
       }
-      attempts.add(System.currentTimeMillis());
+      replays.add(System.currentTimeMillis());
     }
   }
 

src/main/java/caosdb/server/accessControl/OneTimeTokenToFile.java

@@ -49,10 +49,11 @@ public class OneTimeTokenToFile implements Job {
     this.schedule = schedule;
   }
 
+  /** If no schedule was set, immediately write the config to file, else schedule the job. */
   public void init(Config config) throws IOException, SchedulerException {
 
     if (this.schedule != null) {
-      OneTimeAuthenticationToken.generate(config); // test config
+      OneTimeAuthenticationToken.generate(config); // test config, throw away token
       JobDataMap map = new JobDataMap();
       map.put("config", config);
       map.put("file", file);

src/main/java/caosdb/server/accessControl/SelfValidatingAuthenticationToken.java

@@ -4,6 +4,8 @@
  *
  * Copyright (C) 2018 Research Group Biomedical Physics,
  * Max-Planck-Institute for Dynamics and Self-Organization Göttingen
+ * Copyright (C) 2020 Indiscale GmbH <info@indiscale.com>
+ * Copyright (C) 2020 Timm Fitschen <t.fitschen@indiscale.com>
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU Affero General Public License as
@@ -28,12 +30,28 @@ import java.util.Collection;
 import org.apache.shiro.authc.AuthenticationToken;
 import org.eclipse.jetty.util.ajax.JSON;
 
+/**
+ * These AuthenticationTokens are characterized by the following properties:
+ *
+ * <ul>
+ *   <li>date: The creation time.
+ *   <li>timeout: How long this token is valud after creation.
+ *   <li>checksum: ? Used for validation, but how?
+ *   <li>salt: Salt for the password checksum, may be used by inheriting classes.
+ *   <li>pepper: A static property, generated when class is loaded and used until the server
+ *       reboots. Hence all tokens of this kkinf invalidate when the server reboots.
+ *
+ * @todo Explain: Checksum
+ * @todo Is this really a pepper in the sense in which it is usually used?
+ */
 public abstract class SelfValidatingAuthenticationToken extends Principal
     implements AuthenticationToken {
 
   protected static final transient String PEPPER = Utils.getSecureFilename(32);
   private static final long serialVersionUID = -7212039848895531161L;
+  // date is the token creation time, in ms since 1970
   protected final long date;
+  // token validity duration
   protected final long timeout;
   protected final String checksum;
   protected final String salt;
@@ -93,6 +111,7 @@ public abstract class SelfValidatingAuthenticationToken extends Principal
     this.checksum = checksum == null && newChecksum ? calcChecksum() : checksum;
   }
 
+  /** Customizable customization method, will be called with the remaining constructor arguments. */
   protected abstract void setFields(Object[] fields);
 
   public SelfValidatingAuthenticationToken(
@@ -120,8 +139,10 @@ public abstract class SelfValidatingAuthenticationToken extends Principal
   @Override
   public abstract String toString();
 
+  /** Implementation specific version of a peppered checksum. */
   public abstract String calcChecksum(String pepper);
 
+  /** No credentials (returns null), since this token is self-validating. */
   @Override
   public Object getCredentials() {
     return null;
@@ -139,6 +160,9 @@ public abstract class SelfValidatingAuthenticationToken extends Principal
     return System.currentTimeMillis() >= getExpires();
   }
 
+  /**
+   * Test if the hash stored in `checksum` is equal to the one calculated using the secret pepper.
+   */
   public boolean isHashValid() {
     final String other = calcChecksum();
     return this.checksum != null && this.checksum.equals(other);
@@ -148,6 +172,7 @@ public abstract class SelfValidatingAuthenticationToken extends Principal
     return !isExpired() && isHashValid();
   }
 
+  /** Return the hash (SHA512) of the stringified arguments. */
   protected static String calcChecksum(final Object... fields) {
     final StringBuilder sb = new StringBuilder();
     for (final Object field : fields) {
@@ -167,6 +192,12 @@ public abstract class SelfValidatingAuthenticationToken extends Principal
     return ret;
   }
 
+  /**
+   * Parse a JSON string and return the generated token. Depending on the first element of the JSON,
+   * this is either (if it is "O") a OneTimeAuthenticationToken or else a SessionToken
+   *
+   * @todo Only allow "O" and "S"?
+   */
   public static SelfValidatingAuthenticationToken parse(String token) {
     Object[] array = (Object[]) JSON.parse(token);
     switch (array[0].toString()) {
@@ -177,6 +208,7 @@ public abstract class SelfValidatingAuthenticationToken extends Principal
     }
   }
 
+  /** No "other" identity, so this returns itself. */
   @Override
   public SelfValidatingAuthenticationToken getPrincipal() {
     return this;

src/main/java/caosdb/server/accessControl/SessionToken.java

@@ -4,6 +4,9 @@
  *
  * Copyright (C) 2018 Research Group Biomedical Physics,
  * Max-Planck-Institute for Dynamics and Self-Organization Göttingen
+ * Copyright (C) 2020 Indiscale GmbH <info@indiscale.com>
+ * Copyright (C) 2020 Timm Fitschen <t.fitschen@indiscale.com>
+ * Copyright (C) 2020 Daniel Hornung <d.hornung@indiscale.com>
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU Affero General Public License as
@@ -27,6 +30,20 @@ import caosdb.server.ServerProperties;
 import org.apache.shiro.subject.Subject;
 import org.eclipse.jetty.util.ajax.JSON;
 
+/**
+ * Session tokens are formatted as JSON arrays with the following elements:
+ *
+ * <ul>
+ *   <li>Anything but "O" (upper-case "o"), preferred is "S".
+ *   <li>Realm
+ *   <li>name within the Realm
+ *   <li>list of roles
+ *   <li>list of permissions
+ *   <li>time of token generation (long, ms since 1970)
+ *   <li>validity duration (long, ms)
+ *   <li>salt
+ *   <li>checksum
+ */
 public class SessionToken extends SelfValidatingAuthenticationToken {
 
   public SessionToken(
@@ -51,6 +68,7 @@ public class SessionToken extends SelfValidatingAuthenticationToken {
   private static final long serialVersionUID = 5887135104218573761L;
 
   public static SessionToken parse(final Object[] array) {
+    // array[0] is not used here, it was already consumed to determine the type of token.
     final Principal principal = new Principal((String) array[1], (String) array[2]);
     final String[] roles = toStringArray((Object[]) array[3]);
     final String[] permissions = toStringArray((Object[]) array[4]);
@@ -81,6 +99,7 @@ public class SessionToken extends SelfValidatingAuthenticationToken {
     return generate((Principal) subject.getPrincipal(), permissions, roles);
   }
 
+  /** Nothing to set in this implemention. */
   @Override
   protected void setFields(Object[] fields) {}
 

src/main/java/caosdb/server/accessControl/UserSources.java

@@ -4,6 +4,8 @@
  *
  * Copyright (C) 2018 Research Group Biomedical Physics,
  * Max-Planck-Institute for Dynamics and Self-Organization Göttingen
+ * Copyright (C) 2020 Indiscale GmbH <info@indiscale.com>
+ * Copyright (C) 2020 Timm Fitschen <t.fitschen@indiscale.com>
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU Affero General Public License as
@@ -116,6 +118,8 @@ public class UserSources extends HashMap<String, UserSource> {
     }
   }
 
+  private Ini map = null;
+
   public UserSource put(final UserSource src) {
     if (src.getName() == null) {
       throw new IllegalArgumentException("A user source's name must not be null.");
@@ -131,8 +135,6 @@ public class UserSources extends HashMap<String, UserSource> {
     return instance.put(src);
   }
 
-  private Ini map = null;
-
   public void initMap() {
     this.map = new Ini();
     try (final FileInputStream f =
@@ -147,6 +149,7 @@ public class UserSources extends HashMap<String, UserSource> {
   /**
    * Return the roles of a given user.
    *
+   * @todo Refactor name: resolveRoles(...)?
    * @param realm
    * @param username
    * @return
@@ -194,6 +197,7 @@ public class UserSources extends HashMap<String, UserSource> {
     return instance.map.getSectionProperty(Ini.DEFAULT_SECTION_NAME, KEY_DEFAULT_REALM, "CaosDB");
   }
 
+  // @todo Refactor name: resolveRoles(...)?
   public static Set<String> resolve(final Principal principal) {
     if (AnonymousAuthenticationToken.PRINCIPAL == principal) {
       // anymous has one role

src/main/java/caosdb/server/resource/ScriptingResource.java

@@ -208,6 +208,10 @@ public class ScriptingResource extends AbstractCaosDBServerResource {
     return AuthenticationUtils.isAnonymous(getUser());
   }
 
+  /**
+   * Generate and return a token for the purpose of the given call. If the user is not anonymous and
+   * the call is not configured to be called by everyone, a SessionToken is returned instead.
+   */
   public Object generateAuthToken(String call) {
     String purpose = "scripting:" + call;
     Object authtoken = OneTimeAuthenticationToken.generateForPurpose(purpose, getUser());

src/main/java/caosdb/server/transaction/Transaction.java

@@ -4,6 +4,8 @@
  *
  * Copyright (C) 2018 Research Group Biomedical Physics,
  * Max-Planck-Institute for Dynamics and Self-Organization Göttingen
+ * Copyright (C) 2020 Indiscale GmbH <info@indiscale.com>
+ * Copyright (C) 2020 Timm Fitschen <t.fitschen@indiscale.com>
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU Affero General Public License as

src/main/java/caosdb/server/utils/Initialization.java

@@ -4,6 +4,8 @@
  *
  * Copyright (C) 2018 Research Group Biomedical Physics,
  * Max-Planck-Institute for Dynamics and Self-Organization Göttingen
+ * Copyright (C) 2020 Indiscale GmbH <info@indiscale.com>
+ * Copyright (C) 2020 Timm Fitschen <t.fitschen@indiscale.com>
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU Affero General Public License as

src/main/java/caosdb/server/utils/ServerMessages.java

@@ -26,9 +26,6 @@ import caosdb.server.entity.Message.MessageType;
 
 public class ServerMessages {
 
-  public static final Message UNAUTHENTICATED =
-      new Message(MessageType.Error, 401, "Sign up, please!");
-
   public static final Message ENTITY_HAS_BEEN_DELETED_SUCCESSFULLY =
       new Message(MessageType.Info, 10, "This entity has been deleted successfully.");
 
@@ -258,6 +255,9 @@ public class ServerMessages {
           0,
           "User has been activated. You can now log in with your username and password.");
 
+  public static final Message UNAUTHENTICATED =
+      new Message(MessageType.Error, 401, "Sign in, please.");
+
   public static final Message AUTHORIZATION_ERROR =
       new Message(MessageType.Error, 403, "You are not allowed to do this.");
 

src/main/java/caosdb/server/utils/Utils.java

@@ -187,8 +187,8 @@ public class Utils {
   /**
    * Generate a secure filename (base32 letters and numbers).
    *
-   * <p>Very similar to getUID, but uses cryptographic random number instead, also also nicely
-   * formats the resulting string.
+   * <p>Very similar to getUID, but uses cryptographic random number instead, also nicely formats
+   * the resulting string.
    *
    * @param byteSize How many bytes of random bits shall be generated.
    * @return The filename as a String.

src/test/java/caosdb/server/authentication/AuthTokenTest.java

@@ -161,7 +161,7 @@ public class AuthTokenTest {
             new String[] {"roles"},
             1L,
             3000L);
-    Assert.assertEquals(1L, t1.getMaxAttempts());
+    Assert.assertEquals(1L, t1.getMaxReplays());
     Assert.assertFalse(t1.isExpired());
     Assert.assertTrue(t1.isHashValid());
     Assert.assertTrue(t1.isValid());
@@ -172,7 +172,7 @@ public class AuthTokenTest {
     Assert.assertEquals(t1, parsed);
     Assert.assertEquals(serialized, parsed.toString());
 
-    Assert.assertEquals(1L, t1.getMaxAttempts());
+    Assert.assertEquals(1L, t1.getMaxReplays());
     Assert.assertFalse(parsed.isExpired());
     Assert.assertTrue(parsed.isHashValid());
     Assert.assertTrue(parsed.isValid());
@@ -263,7 +263,7 @@ public class AuthTokenTest {
         Integer.parseInt(
             CaosDBServer.getServerProperty(ServerProperties.KEY_ONE_TIME_TOKEN_EXPIRES_MS)),
         config.getTimeout());
-    Assert.assertEquals(1, config.getMaxAttempts());
+    Assert.assertEquals(1, config.getMaxReplays());
     Assert.assertNull("no purpose", config.getPurpose());
 
     Assert.assertArrayEquals("no permissions", new String[] {}, config.getPermissions());
@@ -277,7 +277,7 @@ public class AuthTokenTest {
     testYaml.append("purpose: test purpose 1\n");
     testYaml.append("roles: [ role1, \"role2\"]\n");
     testYaml.append("expiresAfterSeconds: 10\n");
-    testYaml.append("maxAttempts: 3\n");
+    testYaml.append("maxReplays: 3\n");
     testYaml.append("permissions:\n");
     testYaml.append("  - permission1\n");
     testYaml.append("  - 'permission2'\n");
@@ -290,7 +290,7 @@ public class AuthTokenTest {
     Assert.assertTrue("parsing to Config object", map.get("test purpose 1") instanceof Config);
     Config config = map.get("test purpose 1");
     Assert.assertEquals(10000, config.getTimeout());
-    Assert.assertEquals(3, config.getMaxAttempts());
+    Assert.assertEquals(3, config.getMaxReplays());
 
     Assert.assertArrayEquals(
         "permissions parsed",