public Authenticator() {
    // Seeds the in-memory user store, the (initially empty) session list and the
    // access policy with three built-in demo accounts.
    //
    // NOTE(review): the logins and their short numeric passwords are compiled into the
    // class, so anyone with the source or the binary knows them. Treat this as fixture
    // data only; real deployments should load accounts from provisioned storage.
    // NOTE(review): each User is built from its plaintext password, and getPassword()
    // hands it back (it is the input to the hash below), so the cleartext stays in memory
    // next to the hash. hashSha256 is presumably a bare SHA-256 digest (confirm in
    // CryptoStuff); a fast digest is not a suitable password-storage scheme. Prefer a
    // salted, slow password hash (bcrypt/scrypt/argon2).
    // The five boolean flags are defined by ABACPolicy.createSimpleUserACLEntry, which is
    // not visible here; the per-user remarks below restate the original author's intent.

    // --- bob ---
    final User bob = new User("bob", "1234", "Bob");
    bob.setPasswordHash(CryptoStuff.hashSha256(bob.getPassword()));
    credentials = new ArrayList<>();
    credentials.add(bob);

    // No sessions exist until someone logs in.
    sessions = new ArrayList<>();

    // Default ABAC policy; one ACL entry per account is added below.
    accessPolicy = new ABACPolicy();
    // Intended: bob may view, add and edit people but not delete them.
    // NOTE(review): the last flag is true here, and it is the only flag set for sue, whose
    // remark ties it to warehouses. The original wording "nor do anything with dogs" looks
    // stale; confirm against createSimpleUserACLEntry.
    accessPolicy.createSimpleUserACLEntry(bob.getLogin(), true, true, true, false, true);

    // --- sue: intended to work with warehouses only ---
    final User sue = new User("sue", "5678", "Sue");
    sue.setPasswordHash(CryptoStuff.hashSha256(sue.getPassword()));
    credentials.add(sue);
    accessPolicy.createSimpleUserACLEntry(sue.getLogin(), false, false, false, false, true);

    // --- ragnar: every flag set, i.e. full access ---
    final User ragnar = new User("ragnar", "0000", "Ragnar");
    ragnar.setPasswordHash(CryptoStuff.hashSha256(ragnar.getPassword()));
    credentials.add(ragnar);
    accessPolicy.createSimpleUserACLEntry(ragnar.getLogin(), true, true, true, true, true);
}
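 /**
  * Logs a user in and creates a new session if the supplied credentials match a known user.
  *
  * @param l login name to look up
  * @param cs credential string that is compared with the user's password
  * @return id of the newly created session
  * @throws SecurityException if no known user matches the supplied login and credential
  */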
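 public int login(String l, String cs) throws SecurityException {
   // Missing input can never match a stored account. Fail with the same generic error as
   // any other mismatch so the caller cannot tell which part was wrong.
   if (l == null || cs == null) {
     throw new SecurityException("Authentication failed");
   }

   final byte[] suppliedBytes = cs.getBytes(java.nio.charset.StandardCharsets.UTF_8);

   // Scan the known users for the login name, then verify the credential.
   for (User candidate : credentials) {
     // Login names are not secret, so a plain equals() is fine. Calling it on the
     // argument also tolerates a user record without a login.
     if (!l.equals(candidate.getLogin())) {
       continue;
     }

     final String expected = candidate.getPassword();
     if (expected == null) {
       continue; // an account without a password can never authenticate
     }

     // MessageDigest.isEqual rejects a wrong credential without stopping at the first
     // differing byte, unlike String.equals. The trailing equals() only runs once the
     // encodings already match; it keeps exact String semantics for inputs the encoder
     // would otherwise normalise (unpaired surrogates).
     final boolean credentialMatches =
         java.security.MessageDigest.isEqual(
                 expected.getBytes(java.nio.charset.StandardCharsets.UTF_8), suppliedBytes)
             && expected.equals(cs);

     // NOTE(review): this compares against the plaintext password kept on the User.
     // The password hash set in the constructor is not consulted here. Verification should
     // move to a salted, slow password hash so the cleartext need not be retained; the
     // accessor for the stored hash is not visible in this part of the file.
     if (credentialMatches) {
       // Server-side session bound to the authenticated user; the caller gets only its id.
       // NOTE(review): the id is an int and sessions is a plain ArrayList. Confirm that
       // Session issues unpredictable ids and that concurrent logins are serialised.
       Session created = new Session(candidate);
       sessions.add(created);
       return created.getSessionId();
     }
   }

   // One message for "unknown login" and "wrong password" alike.
   throw new SecurityException("Authentication failed");
 }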