Merge pull request #106 from glyptodon/check-parent-group

GUAC-1104: Validate changes to parent groups
2025-09-06 13:17:41 +00:00 · 2015-03-07 16:17:27 -08:00
parent f63b24713c c6132d2f09
commit 331fa2d3ff
11 changed files with 450 additions and 200 deletions
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/base/DirectoryObjectService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/base/DirectoryObjectService.java
@@ -37,8 +37,8 @@ import org.glyptodon.guacamole.net.auth.permission.ObjectPermissionSet;

 /**
 * Service which provides convenience methods for creating, retrieving, and
- * manipulating users. This service will automatically enforce the
- * permissions of the current user.
+ * manipulating objects within directories. This service will automatically
+ * enforce the permissions of the current user.
 *
 * @author Michael Jumper
 * @param <InternalType>
@@ -215,52 +215,77 @@ public abstract class DirectoryObjectService<InternalType extends DirectoryObjec
    }

    /**
-     * Returns whether the contents of the given model are valid and can be
-     * used to create a new object as-is. The object does not yet exist in the
-     * database, but the user desires to create a new object with the given
-     * model. This function will be called prior to any creation operation, and
-     * provides a means for the implementation to abort prior to completion. The
-     * default implementation does nothing.
+     * Called before any object is created through this directory object
+     * service. This function serves as a final point of validation before
+     * the create operation occurs. In its default implementation,
+     * beforeCreate() performs basic permissions checks.
     *
     * @param user
     *     The user creating the object.
     *
     * @param model
-     *     The model to validate.
+     *     The model of the object being created.
     *
     * @throws GuacamoleException
     *     If the object is invalid, or an error prevents validating the given
     *     object.
     */
-    protected void validateNewModel(AuthenticatedUser user,
-            ModelType model) throws GuacamoleException {
+    protected void beforeCreate(AuthenticatedUser user,
+            ModelType model ) throws GuacamoleException {

-        // By default, do nothing.
+        // Verify permission to create objects
+        if (!user.getUser().isAdministrator() && !hasCreatePermission(user))
+            throw new GuacamoleSecurityException("Permission denied.");

    }

    /**
-     * Returns whether the given model is valid and can be used to update an
-     * existing object as-is. The object already exists in the database, but the
-     * user desires to update the object to the given model. This function will
-     * be called prior to update operation, and provides a means for the
-     * implementation to abort prior to completion. The default implementation
-     * does nothing.
+     * Called before any object is updated through this directory object
+     * service. This function serves as a final point of validation before
+     * the update operation occurs. In its default implementation,
+     * beforeUpdate() performs basic permissions checks.
     *
     * @param user
     *     The user updating the existing object.
     *
     * @param model
-     *     The model to validate.
+     *     The model of the object being updated.
     *
     * @throws GuacamoleException
     *     If the object is invalid, or an error prevents validating the given
     *     object.
     */
-    protected void validateExistingModel(AuthenticatedUser user,
+    protected void beforeUpdate(AuthenticatedUser user,
            ModelType model) throws GuacamoleException {

        // By default, do nothing.
+        if (!hasObjectPermission(user, model.getIdentifier(), ObjectPermission.Type.UPDATE))
+            throw new GuacamoleSecurityException("Permission denied.");
+
+    }
+
+    /**
+     * Called before any object is deleted through this directory object
+     * service. This function serves as a final point of validation before
+     * the delete operation occurs. In its default implementation,
+     * beforeDelete() performs basic permissions checks.
+     *
+     * @param user
+     *     The user deleting the existing object.
+     *
+     * @param identifier
+     *     The identifier of the object being deleted.
+     *
+     * @throws GuacamoleException
+     *     If the object is invalid, or an error prevents validating the given
+     *     object.
+     */
+    protected void beforeDelete(AuthenticatedUser user,
+            String identifier) throws GuacamoleException {
+
+        // Verify permission to delete objects
+        if (!hasObjectPermission(user, identifier, ObjectPermission.Type.DELETE))
+            throw new GuacamoleSecurityException("Permission denied.");

    }

@@ -359,12 +384,8 @@ public abstract class DirectoryObjectService<InternalType extends DirectoryObjec
    public InternalType createObject(AuthenticatedUser user, ExternalType object)
        throws GuacamoleException {

-        // Only create object if user has permission to do so
-        if (user.getUser().isAdministrator() || hasCreatePermission(user)) {
-
-            // Validate object prior to creation
        ModelType model = getModelInstance(user, object);
-            validateNewModel(user, model);
+        beforeCreate(user, model);
        
        // Create object
        getObjectMapper().insert(model);
@@ -392,10 +413,6 @@ public abstract class DirectoryObjectService<InternalType extends DirectoryObjec
        getPermissionMapper().insert(implicitPermissions);

        return getObjectInstance(user, model);
-        }
-
-        // User lacks permission to create 
-        throw new GuacamoleSecurityException("Permission denied.");

    }

@@ -416,14 +433,10 @@ public abstract class DirectoryObjectService<InternalType extends DirectoryObjec
    public void deleteObject(AuthenticatedUser user, String identifier)
        throws GuacamoleException {

-        // Only delete object if user has permission to do so
-        if (hasObjectPermission(user, identifier, ObjectPermission.Type.DELETE)) {
-            getObjectMapper().delete(identifier);
-            return;
-        }
+        beforeDelete(user, identifier);
        
-        // User lacks permission to delete 
-        throw new GuacamoleSecurityException("Permission denied.");
+        // Delete object
+        getObjectMapper().delete(identifier);

    }

@@ -444,20 +457,11 @@ public abstract class DirectoryObjectService<InternalType extends DirectoryObjec
    public void updateObject(AuthenticatedUser user, InternalType object)
        throws GuacamoleException {

-        // Only update object if user has permission to do so
-        if (hasObjectPermission(user, object.getIdentifier(), ObjectPermission.Type.UPDATE)) {
-
-            // Validate object prior to creation
        ModelType model = object.getModel();
-            validateExistingModel(user, model);
+        beforeUpdate(user, model);
        
        // Update object
        getObjectMapper().update(model);
-            return;
-        }
-
-        // User lacks permission to update
-        throw new GuacamoleSecurityException("Permission denied.");

    }

--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/base/GroupedDirectoryObject.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/base/GroupedDirectoryObject.java
@@ -0,0 +1,78 @@
+/*
+ * Copyright (C) 2015 Glyptodon LLC
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+package org.glyptodon.guacamole.auth.jdbc.base;
+
+import org.glyptodon.guacamole.auth.jdbc.connectiongroup.RootConnectionGroup;
+
+/**
+ * Common base class for objects that will ultimately be made available through
+ * the Directory class. All such objects will need the same base set of queries
+ * to fulfill the needs of the Directory class.
+ *
+ * @author Michael Jumper
+ * @param <ModelType>
+ *     The type of model object that corresponds to this object.
+ */
+public abstract class GroupedDirectoryObject<ModelType extends GroupedObjectModel>
+    extends DirectoryObject<ModelType> {
+
+    /**
+     * Returns the identifier of the parent connection group, which cannot be
+     * null. If the parent is the root connection group, this will be
+     * RootConnectionGroup.IDENTIFIER.
+     *
+     * @return
+     *     The identifier of the parent connection group.
+     */
+    public String getParentIdentifier() {
+
+        // Translate null parent to proper identifier
+        String parentIdentifier = getModel().getParentIdentifier();
+        if (parentIdentifier == null)
+            return RootConnectionGroup.IDENTIFIER;
+
+        return parentIdentifier;
+        
+    }
+
+    /**
+     * Sets the identifier of the associated parent connection group. If the
+     * parent is the root connection group, this should be
+     * RootConnectionGroup.IDENTIFIER.
+     * 
+     * @param parentIdentifier
+     *     The identifier of the connection group to associate as this object's
+     *     parent.
+     */
+    public void setParentIdentifier(String parentIdentifier) {
+
+        // Translate root identifier back into null
+        if (parentIdentifier != null
+                && parentIdentifier.equals(RootConnectionGroup.IDENTIFIER))
+            parentIdentifier = null;
+
+        getModel().setParentIdentifier(parentIdentifier);
+
+    }
+
+}
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/base/GroupedDirectoryObjectService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/base/GroupedDirectoryObjectService.java
@@ -0,0 +1,196 @@
+/*
+ * Copyright (C) 2015 Glyptodon LLC
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+package org.glyptodon.guacamole.auth.jdbc.base;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Collections;
+import org.glyptodon.guacamole.GuacamoleException;
+import org.glyptodon.guacamole.GuacamoleSecurityException;
+import org.glyptodon.guacamole.auth.jdbc.user.AuthenticatedUser;
+import org.glyptodon.guacamole.net.auth.permission.ObjectPermission;
+import org.glyptodon.guacamole.net.auth.permission.ObjectPermissionSet;
+
+/**
+ * Service which provides convenience methods for creating, retrieving, and
+ * manipulating objects that can be within connection groups. This service will
+ * automatically enforce the permissions of the current user.
+ *
+ * @author Michael Jumper
+ * @param <InternalType>
+ *     The specific internal implementation of the type of object this service
+ *     provides access to.
+ *
+ * @param <ExternalType>
+ *     The external interface or implementation of the type of object this
+ *     service provides access to, as defined by the guacamole-ext API.
+ *
+ * @param <ModelType>
+ *     The underlying model object used to represent InternalType in the
+ *     database.
+ */
+public abstract class GroupedDirectoryObjectService<InternalType extends GroupedDirectoryObject<ModelType>,
+        ExternalType, ModelType extends GroupedObjectModel>
+        extends DirectoryObjectService<InternalType, ExternalType, ModelType> {
+
+    /**
+     * Returns the set of parent connection groups that are modified by the
+     * given model object (by virtue of the object changing parent groups). If
+     * the model is not changing parents, the resulting collection will be
+     * empty.
+     *
+     * @param user
+     *     The user making the given changes to the model.
+     *
+     * @param identifier
+     *     The identifier of the object that has been modified, if it exists.
+     *     If the object is being created, this will be null.
+     *
+     * @param model
+     *     The model that has been modified, if any. If the object is being
+     *     deleted, this will be null.
+     *
+     * @return
+     *     A collection of the identifiers of all parent connection groups
+     *     that will be affected (updated) by the change.
+     *
+     * @throws GuacamoleException
+     *     If an error occurs while determining which parent connection groups
+     *     are affected.
+     */
+    protected Collection<String> getModifiedGroups(AuthenticatedUser user,
+            String identifier, ModelType model) throws GuacamoleException {
+
+        // Get old parent identifier
+        String oldParentIdentifier = null;
+        if (identifier != null) {
+            ModelType current = retrieveObject(user, identifier).getModel();
+            oldParentIdentifier = current.getParentIdentifier();
+        }
+
+        // Get new parent identifier
+        String parentIdentifier = null;
+        if (model != null) {
+
+            parentIdentifier = model.getParentIdentifier();
+
+            // If both parents have the same identifier, nothing has changed
+            if (parentIdentifier != null && parentIdentifier.equals(oldParentIdentifier))
+                return Collections.EMPTY_LIST;
+
+        }
+
+        // Return collection of all non-root groups involved
+        Collection<String> groups = new ArrayList<String>(2);
+        if (oldParentIdentifier != null) groups.add(oldParentIdentifier);
+        if (parentIdentifier    != null) groups.add(parentIdentifier);
+        return groups;
+
+    }
+
+    /**
+     * Returns whether the given user has permission to modify the parent
+     * connection groups affected by the modifications made to the given model
+     * object.
+     *
+     * @param user
+     *     The user who changed the model object.
+     *
+     * @param identifier
+     *     The identifier of the object that has been modified, if it exists.
+     *     If the object is being created, this will be null.
+     *
+     * @param model
+     *     The model that has been modified, if any. If the object is being
+     *     deleted, this will be null.
+     *
+     * @return
+     *     true if the user has update permission for all modified groups,
+     *     false otherwise.
+     *
+     * @throws GuacamoleException
+     *     If an error occurs while determining which parent connection groups
+     *     are affected.
+     */
+    protected boolean canUpdateModifiedGroups(AuthenticatedUser user,
+            String identifier, ModelType model) throws GuacamoleException {
+
+        // If user is an administrator, no need to check
+        if (user.getUser().isAdministrator())
+            return true;
+        
+        // Verify that we have permission to modify any modified groups
+        Collection<String> modifiedGroups = getModifiedGroups(user, identifier, model);
+        if (!modifiedGroups.isEmpty()) {
+
+            ObjectPermissionSet permissionSet = user.getUser().getConnectionGroupPermissions();
+            Collection<String> updateableGroups = permissionSet.getAccessibleObjects(
+                Collections.singleton(ObjectPermission.Type.UPDATE),
+                modifiedGroups
+            );
+
+            return updateableGroups.size() == modifiedGroups.size();
+            
+        }
+
+        return true;
+
+    }
+
+    @Override
+    protected void beforeCreate(AuthenticatedUser user,
+            ModelType model) throws GuacamoleException {
+
+        super.beforeCreate(user, model);
+        
+        // Validate that we can update all applicable parent groups
+        if (!canUpdateModifiedGroups(user, null, model))
+            throw new GuacamoleSecurityException("Permission denied.");
+        
+    }
+
+    @Override
+    protected void beforeUpdate(AuthenticatedUser user,
+            ModelType model) throws GuacamoleException {
+
+        super.beforeUpdate(user, model);
+
+        // Validate that we can update all applicable parent groups
+        if (!canUpdateModifiedGroups(user, model.getIdentifier(), model))
+            throw new GuacamoleSecurityException("Permission denied.");
+        
+    }
+
+    @Override
+    protected void beforeDelete(AuthenticatedUser user,
+            String identifier) throws GuacamoleException {
+
+        super.beforeDelete(user, identifier);
+
+        // Validate that we can update all applicable parent groups
+        if (!canUpdateModifiedGroups(user, identifier, null))
+            throw new GuacamoleSecurityException("Permission denied.");
+        
+    }
+
+}
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/base/GroupedObjectModel.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/base/GroupedObjectModel.java
@@ -0,0 +1,67 @@
+/*
+ * Copyright (C) 2015 Glyptodon LLC
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+package org.glyptodon.guacamole.auth.jdbc.base;
+
+/**
+ * Object representation of a Guacamole object, such as a user or connection,
+ * as represented in the database.
+ *
+ * @author Michael Jumper
+ */
+public abstract class GroupedObjectModel extends ObjectModel {
+
+    /**
+     * The unique identifier which identifies the parent of this object.
+     */
+    private String parentIdentifier;
+    
+    /**
+     * Creates a new, empty object.
+     */
+    public GroupedObjectModel() {
+    }
+
+    /**
+     * Returns the identifier of the parent connection group, or null if the
+     * parent connection group is the root connection group.
+     *
+     * @return 
+     *     The identifier of the parent connection group, or null if the parent
+     *     connection group is the root connection group.
+     */
+    public String getParentIdentifier() {
+        return parentIdentifier;
+    }
+
+    /**
+     * Sets the identifier of the parent connection group.
+     *
+     * @param parentIdentifier
+     *     The identifier of the parent connection group, or null if the parent
+     *     connection group is the root connection group.
+     */
+    public void setParentIdentifier(String parentIdentifier) {
+        this.parentIdentifier = parentIdentifier;
+    }
+
+}
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/connection/ConnectionModel.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/connection/ConnectionModel.java
@@ -22,7 +22,7 @@

 package org.glyptodon.guacamole.auth.jdbc.connection;

-import org.glyptodon.guacamole.auth.jdbc.base.ObjectModel;
+import org.glyptodon.guacamole.auth.jdbc.base.GroupedObjectModel;

 /**
 * Object representation of a Guacamole connection, as represented in the
@@ -30,13 +30,7 @@ import org.glyptodon.guacamole.auth.jdbc.base.ObjectModel;
 *
 * @author Michael Jumper
 */
-public class ConnectionModel extends ObjectModel {
-
-    /**
-     * The identifier of the parent connection group in the database, or null
-     * if the parent connection group is the root group.
-     */
-    private String parentIdentifier;
+public class ConnectionModel extends GroupedObjectModel {

    /**
     * The human-readable name associated with this connection.
@@ -95,29 +89,6 @@ public class ConnectionModel extends ObjectModel {
        this.protocol = protocol;
    }

-    /**
-     * Returns the identifier of the parent connection group, or null if the
-     * parent connection group is the root connection group.
-     *
-     * @return 
-     *     The identifier of the parent connection group, or null if the parent
-     *     connection group is the root connection group.
-     */
-    public String getParentIdentifier() {
-        return parentIdentifier;
-    }
-
-    /**
-     * Sets the identifier of the parent connection group.
-     *
-     * @param parentIdentifier
-     *     The identifier of the parent connection group, or null if the parent
-     *     connection group is the root connection group.
-     */
-    public void setParentIdentifier(String parentIdentifier) {
-        this.parentIdentifier = parentIdentifier;
-    }
-
    @Override
    public String getIdentifier() {

--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/connection/ConnectionService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/connection/ConnectionService.java
@@ -33,11 +33,11 @@ import java.util.Map;
 import java.util.Set;
 import org.glyptodon.guacamole.auth.jdbc.user.AuthenticatedUser;
 import org.glyptodon.guacamole.auth.jdbc.base.DirectoryObjectMapper;
-import org.glyptodon.guacamole.auth.jdbc.base.DirectoryObjectService;
 import org.glyptodon.guacamole.auth.jdbc.socket.GuacamoleSocketService;
 import org.glyptodon.guacamole.GuacamoleClientException;
 import org.glyptodon.guacamole.GuacamoleException;
 import org.glyptodon.guacamole.GuacamoleSecurityException;
+import org.glyptodon.guacamole.auth.jdbc.base.GroupedDirectoryObjectService;
 import org.glyptodon.guacamole.auth.jdbc.permission.ConnectionPermissionMapper;
 import org.glyptodon.guacamole.auth.jdbc.permission.ObjectPermissionMapper;
 import org.glyptodon.guacamole.net.GuacamoleSocket;
@@ -55,7 +55,7 @@ import org.glyptodon.guacamole.protocol.GuacamoleClientInformation;
 *
 * @author Michael Jumper, James Muehlner
 */
-public class ConnectionService extends DirectoryObjectService<ModeledConnection, Connection, ConnectionModel> {
+public class ConnectionService extends GroupedDirectoryObjectService<ModeledConnection, Connection, ConnectionModel> {

    /**
     * Mapper for accessing connections.
@@ -148,9 +148,11 @@ public class ConnectionService extends DirectoryObjectService<ModeledConnection,
    }

    @Override
-    protected void validateNewModel(AuthenticatedUser user,
+    protected void beforeCreate(AuthenticatedUser user,
            ConnectionModel model) throws GuacamoleException {

+        super.beforeCreate(user, model);
+        
        // Name must not be blank
        if (model.getName().trim().isEmpty())
            throw new GuacamoleClientException("Connection names must not be blank.");
@@ -163,9 +165,11 @@ public class ConnectionService extends DirectoryObjectService<ModeledConnection,
    }

    @Override
-    protected void validateExistingModel(AuthenticatedUser user,
+    protected void beforeUpdate(AuthenticatedUser user,
            ConnectionModel model) throws GuacamoleException {

+        super.beforeUpdate(user, model);
+        
        // Name must not be blank
        if (model.getName().trim().isEmpty())
            throw new GuacamoleClientException("Connection names must not be blank.");
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/connection/ModeledConnection.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/connection/ModeledConnection.java
@@ -25,10 +25,9 @@ package org.glyptodon.guacamole.auth.jdbc.connection;
 import com.google.inject.Inject;
 import com.google.inject.Provider;
 import java.util.List;
-import org.glyptodon.guacamole.auth.jdbc.base.DirectoryObject;
-import org.glyptodon.guacamole.auth.jdbc.connectiongroup.RootConnectionGroup;
 import org.glyptodon.guacamole.auth.jdbc.socket.GuacamoleSocketService;
 import org.glyptodon.guacamole.GuacamoleException;
+import org.glyptodon.guacamole.auth.jdbc.base.GroupedDirectoryObject;
 import org.glyptodon.guacamole.net.GuacamoleSocket;
 import org.glyptodon.guacamole.net.auth.Connection;
 import org.glyptodon.guacamole.net.auth.ConnectionRecord;
@@ -42,7 +41,7 @@ import org.glyptodon.guacamole.protocol.GuacamoleConfiguration;
 * @author James Muehlner
 * @author Michael Jumper
 */
-public class ModeledConnection extends DirectoryObject<ConnectionModel>
+public class ModeledConnection extends GroupedDirectoryObject<ConnectionModel>
    implements Connection {

    /**
@@ -84,30 +83,6 @@ public class ModeledConnection extends DirectoryObject<ConnectionModel>
        getModel().setName(name);
    }

-    @Override
-    public String getParentIdentifier() {
-
-        // Translate null parent to proper identifier
-        String parentIdentifier = getModel().getParentIdentifier();
-        if (parentIdentifier == null)
-            return RootConnectionGroup.IDENTIFIER;
-
-        return parentIdentifier;
-        
-    }
-
-    @Override
-    public void setParentIdentifier(String parentIdentifier) {
-
-        // Translate root identifier back into null
-        if (parentIdentifier != null
-                && parentIdentifier.equals(RootConnectionGroup.IDENTIFIER))
-            parentIdentifier = null;
-
-        getModel().setParentIdentifier(parentIdentifier);
-
-    }
-
    @Override
    public GuacamoleConfiguration getConfiguration() {

--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/connectiongroup/ConnectionGroupModel.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/connectiongroup/ConnectionGroupModel.java
@@ -22,7 +22,7 @@

 package org.glyptodon.guacamole.auth.jdbc.connectiongroup;

-import org.glyptodon.guacamole.auth.jdbc.base.ObjectModel;
+import org.glyptodon.guacamole.auth.jdbc.base.GroupedObjectModel;
 import org.glyptodon.guacamole.net.auth.ConnectionGroup;

 /**
@@ -31,13 +31,7 @@ import org.glyptodon.guacamole.net.auth.ConnectionGroup;
 *
 * @author Michael Jumper
 */
-public class ConnectionGroupModel extends ObjectModel {
-
-    /**
-     * The identifier of the parent connection group in the database, or null
-     * if the parent connection group is the root group.
-     */
-    private String parentIdentifier;
+public class ConnectionGroupModel extends GroupedObjectModel {

    /**
     * The human-readable name associated with this connection group.
@@ -75,29 +69,6 @@ public class ConnectionGroupModel extends ObjectModel {
        this.name = name;
    }

-    /**
-     * Returns the identifier of the parent connection group, or null if the
-     * parent connection group is the root connection group.
-     *
-     * @return 
-     *     The identifier of the parent connection group, or null if the parent
-     *     connection group is the root connection group.
-     */
-    public String getParentIdentifier() {
-        return parentIdentifier;
-    }
-
-    /**
-     * Sets the identifier of the parent connection group.
-     *
-     * @param parentIdentifier
-     *     The identifier of the parent connection group, or null if the parent
-     *     connection group is the root connection group.
-     */
-    public void setParentIdentifier(String parentIdentifier) {
-        this.parentIdentifier = parentIdentifier;
-    }
-
    /**
     * Returns the type of this connection group, such as organizational or
     * balancing.
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/connectiongroup/ConnectionGroupService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/connectiongroup/ConnectionGroupService.java
@@ -27,11 +27,11 @@ import com.google.inject.Provider;
 import java.util.Set;
 import org.glyptodon.guacamole.auth.jdbc.user.AuthenticatedUser;
 import org.glyptodon.guacamole.auth.jdbc.base.DirectoryObjectMapper;
-import org.glyptodon.guacamole.auth.jdbc.base.DirectoryObjectService;
 import org.glyptodon.guacamole.auth.jdbc.socket.GuacamoleSocketService;
 import org.glyptodon.guacamole.GuacamoleClientException;
 import org.glyptodon.guacamole.GuacamoleException;
 import org.glyptodon.guacamole.GuacamoleSecurityException;
+import org.glyptodon.guacamole.auth.jdbc.base.GroupedDirectoryObjectService;
 import org.glyptodon.guacamole.auth.jdbc.permission.ConnectionGroupPermissionMapper;
 import org.glyptodon.guacamole.auth.jdbc.permission.ObjectPermissionMapper;
 import org.glyptodon.guacamole.net.GuacamoleSocket;
@@ -48,7 +48,7 @@ import org.glyptodon.guacamole.protocol.GuacamoleClientInformation;
 *
 * @author Michael Jumper, James Muehlner
 */
-public class ConnectionGroupService extends DirectoryObjectService<ModeledConnectionGroup,
+public class ConnectionGroupService extends GroupedDirectoryObjectService<ModeledConnectionGroup,
        ConnectionGroup, ConnectionGroupModel> {

    /**
@@ -130,9 +130,11 @@ public class ConnectionGroupService extends DirectoryObjectService<ModeledConnec
    }

    @Override
-    protected void validateNewModel(AuthenticatedUser user,
+    protected void beforeCreate(AuthenticatedUser user,
            ConnectionGroupModel model) throws GuacamoleException {

+        super.beforeCreate(user, model);
+        
        // Name must not be blank
        if (model.getName().trim().isEmpty())
            throw new GuacamoleClientException("Connection group names must not be blank.");
@@ -145,9 +147,11 @@ public class ConnectionGroupService extends DirectoryObjectService<ModeledConnec
    }

    @Override
-    protected void validateExistingModel(AuthenticatedUser user,
+    protected void beforeUpdate(AuthenticatedUser user,
            ConnectionGroupModel model) throws GuacamoleException {

+        super.beforeUpdate(user, model);
+        
        // Name must not be blank
        if (model.getName().trim().isEmpty())
            throw new GuacamoleClientException("Connection group names must not be blank.");
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/connectiongroup/ModeledConnectionGroup.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/connectiongroup/ModeledConnectionGroup.java
@@ -24,10 +24,10 @@ package org.glyptodon.guacamole.auth.jdbc.connectiongroup;

 import com.google.inject.Inject;
 import java.util.Set;
-import org.glyptodon.guacamole.auth.jdbc.base.DirectoryObject;
 import org.glyptodon.guacamole.auth.jdbc.connection.ConnectionService;
 import org.glyptodon.guacamole.auth.jdbc.socket.GuacamoleSocketService;
 import org.glyptodon.guacamole.GuacamoleException;
+import org.glyptodon.guacamole.auth.jdbc.base.GroupedDirectoryObject;
 import org.glyptodon.guacamole.net.GuacamoleSocket;
 import org.glyptodon.guacamole.net.auth.ConnectionGroup;
 import org.glyptodon.guacamole.protocol.GuacamoleClientInformation;
@@ -38,7 +38,7 @@ import org.glyptodon.guacamole.protocol.GuacamoleClientInformation;
 *
 * @author James Muehlner
 */
-public class ModeledConnectionGroup extends DirectoryObject<ConnectionGroupModel>
+public class ModeledConnectionGroup extends GroupedDirectoryObject<ConnectionGroupModel>
    implements ConnectionGroup {

    /**
@@ -75,30 +75,6 @@ public class ModeledConnectionGroup extends DirectoryObject<ConnectionGroupModel
        getModel().setName(name);
    }

-    @Override
-    public String getParentIdentifier() {
-
-        // Translate null parent to proper identifier
-        String parentIdentifier = getModel().getParentIdentifier();
-        if (parentIdentifier == null)
-            return RootConnectionGroup.IDENTIFIER;
-
-        return parentIdentifier;
-        
-    }
-
-    @Override
-    public void setParentIdentifier(String parentIdentifier) {
-
-        // Translate root identifier back into null
-        if (parentIdentifier != null
-                && parentIdentifier.equals(RootConnectionGroup.IDENTIFIER))
-            parentIdentifier = null;
-
-        getModel().setParentIdentifier(parentIdentifier);
-
-    }
-
    @Override
    public GuacamoleSocket connect(GuacamoleClientInformation info)
            throws GuacamoleException {
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/user/UserService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/user/UserService.java
@@ -126,9 +126,11 @@ public class UserService extends DirectoryObjectService<ModeledUser, User, UserM
    }

    @Override
-    protected void validateNewModel(AuthenticatedUser user, UserModel model)
+    protected void beforeCreate(AuthenticatedUser user, UserModel model)
            throws GuacamoleException {

+        super.beforeCreate(user, model);
+        
        // Username must not be blank
        if (model.getIdentifier().trim().isEmpty())
            throw new GuacamoleClientException("The username must not be blank.");
@@ -141,9 +143,11 @@ public class UserService extends DirectoryObjectService<ModeledUser, User, UserM
    }

    @Override
-    protected void validateExistingModel(AuthenticatedUser user,
+    protected void beforeUpdate(AuthenticatedUser user,
            UserModel model) throws GuacamoleException {

+        super.beforeUpdate(user, model);
+        
        // Username must not be blank
        if (model.getIdentifier().trim().isEmpty())
            throw new GuacamoleClientException("The username must not be blank.");