

1 /**
2  *
3  * Magnolia and its source-code is licensed under the LGPL.
4  * You may copy, adapt, and redistribute this file for commercial or non-commercial use.
5  * When copying, adapting, or redistributing this document in keeping with the guidelines above,
6  * you are required to provide proper attribution to obinary.
7  * If you reproduce or distribute the document without making any substantive modifications to its content,
8  * please use the following attribution line:
9  *
10  * Copyright 1993-2005 obinary Ltd. (http://www.obinary.com) All rights reserved.
11  *
12  */

13 package info.magnolia.cms.filters;
14
15 import info.magnolia.cms.beans.config.Server;
16 import info.magnolia.cms.core.Path;
17 import info.magnolia.cms.security.Authenticator;
18 import info.magnolia.cms.security.Listener;
19 import info.magnolia.cms.security.Lock;
20 import info.magnolia.cms.security.SecureURI;
21 import info.magnolia.cms.security.SessionAccessControl;
22
23 import java.io.IOException JavaDoc;
24
25 import javax.servlet.Filter JavaDoc;
26 import javax.servlet.FilterChain JavaDoc;
27 import javax.servlet.FilterConfig JavaDoc;
28 import javax.servlet.ServletException JavaDoc;
29 import javax.servlet.ServletRequest JavaDoc;
30 import javax.servlet.ServletResponse JavaDoc;
31 import javax.servlet.http.HttpServletRequest JavaDoc;
32 import javax.servlet.http.HttpServletResponse JavaDoc;
33
34 import org.apache.log4j.Logger;
35
36
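/**
 * Servlet filter that runs Magnolia's request access checks before anything else in the chain:
 * system lock, already-secured session, Basic authentication for protected URIs and the
 * {@link Listener} check. The chain only continues when {@link #isAllowed} returns
 * <code>true</code>; on every denial the filter has already written the status (or the Basic
 * challenge) itself and simply stops, so no downstream servlet sees a rejected request.
 * @author Fabrizio Giustina
 * @version $Id: $
 */
public class SecurityFilter implements Filter {

    /**
     * Logger.
     */
    private static final Logger log = Logger.getLogger(SecurityFilter.class);

    /**
     * No init parameters are read.
     * @see javax.servlet.Filter#init(javax.servlet.FilterConfig)
     */
    public void init(FilterConfig filterConfig) throws ServletException {
        // unused
    }

    /**
     * Nothing to release.
     * @see javax.servlet.Filter#destroy()
     */
    public void destroy() {
        // unused
    }

    /**
     * Runs the access checks and hands the request to the rest of the chain only when they pass.
     * When {@link #isAllowed} returns <code>false</code> it has already set the response status, so
     * nothing further is written here.
     * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse,
     * javax.servlet.FilterChain)
     */
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException,
        ServletException {

        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (isAllowed(request, response)) {
            chain.doFilter(request, response);
        }
    }

    /**
     * Checks access from Listener / Authenticator / AccessLock, in this order:
     * <ol>
     * <li>system locked: 503 is sent, access denied;</li>
     * <li>request already belongs to a secured session: allowed. Note that this short-circuits both
     * the protected-URI and the Listener checks below;</li>
     * <li>URI is protected: the outcome of Basic authentication decides;</li>
     * <li>Listener rejects the request: 403 is sent, access denied;</li>
     * <li>otherwise allowed.</li>
     * </ol>
     * @param req HttpServletRequest as received by the service method
     * @param res HttpServletResponse as received by the service method
     * @return boolean <code>true</code> if access to the resource is allowed
     * @throws IOException can be thrown when the servlet is unable to write to the response stream
     */
    protected boolean isAllowed(HttpServletRequest req, HttpServletResponse res) throws IOException {
        if (Lock.isSystemLocked()) {
            res.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE);
            return false;
        }
        if (SessionAccessControl.isSecuredSession(req)) {
            return true;
        }
        // NOTE(review): the protected-URI decision relies on Path.getURI() handing back a normalized
        // path (encoded or ".." segments); no normalization is done in this filter - confirm.
        if (SecureURI.isProtected(Path.getURI(req))) {
            return authenticate(req, res);
        }
        if (!Listener.isAllowed(req)) {
            res.sendError(HttpServletResponse.SC_FORBIDDEN);
            return false;
        }
        return true;
    }

    /**
     * Authenticate on basic headers. On a failed authentication the 401 challenge is written and
     * any previous user session is invalidated. If the authenticator itself throws, the failure is
     * logged, the request is still denied (fail closed) and a 500 status is set, because
     * {@link #doFilter} stops the chain on <code>false</code> and an untouched response would
     * otherwise go out as an empty 200.
     * @param request HttpServletRequest
     * @param response HttpServletResponse
     * @return <code>true</code> if the user is authenticated
     */
    private boolean authenticate(HttpServletRequest request, HttpServletResponse response) {
        try {
            if (Authenticator.authenticate(request)) {
                return true;
            }
            sendChallenge(response);
            // invalidate previous session
            SessionAccessControl.invalidateUser(request);
            return false;
        }
        catch (Exception e) {
            log.error(e.getMessage(), e);
            // fail closed, but do not leave the response untouched: without a status the container
            // would answer 200 with an empty body
            if (!response.isCommitted()) {
                response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            }
            return false;
        }
    }

    /**
     * Writes the HTTP Basic challenge (401 plus <code>WWW-Authenticate</code> for the configured realm).
     * @param response HttpServletResponse
     */
    private void sendChallenge(HttpServletResponse response) {
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.setHeader("WWW-Authenticate", "BASIC realm=\"" + Server.getBasicRealm() + "\""); //$NON-NLS-1$ //$NON-NLS-2$ //$NON-NLS-3$
    }

}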