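package org.openi.security;

import org.apache.log4j.Logger;
import org.openi.application.Application;
import org.openi.project.Project;
import org.openi.project.ProjectContext;
import org.openi.util.Util;

import java.io.IOException;
import java.net.URLEncoder;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Servlet filter that gates every request except the configured project list
 * page ({@code project_list_page} init-param) on three checks, in order:
 * <ol>
 *   <li>the session holds a {@code projects} attribute and a
 *       {@code projectContext} attribute with a non-null project
 *       (otherwise: redirect to the project list page);</li>
 *   <li>the container-authenticated principal is an application admin, a
 *       project admin or a project user of that project
 *       (otherwise: redirect to the project list page with a message);</li>
 *   <li>the requested servlet path is permitted by the session's
 *       {@link ProjectContext} (otherwise: HTTP 403).</li>
 * </ol>
 * Whenever a redirect or error is written, the filter chain is NOT invoked,
 * so the protected servlet never executes for a rejected request. (The
 * original implementation fell through to {@code chain.doFilter} after the
 * redirects in steps 1 and 2.)
 */
public class AuthorizationFilter implements Filter {
    private static final Logger logger = Logger.getLogger(AuthorizationFilter.class);

    /** Session attribute holding the active {@link ProjectContext}. */
    private static final String PROJECT_CONTEXT_ATTR = "projectContext";
    /** Session attribute whose mere presence marks a populated session. */
    private static final String PROJECTS_ATTR = "projects";
    /** Init-param naming the one page reachable without any checks. */
    private static final String PROJECT_LIST_PAGE_PARAM = "project_list_page";

    FilterConfig fc;

    /**
     * Applies the authorization checks and, only if all pass (or the request
     * targets the project list page), continues down the filter chain.
     *
     * @param req   the incoming request; must be an {@link HttpServletRequest}
     * @param res   the outgoing response; must be an {@link HttpServletResponse}
     * @param chain the remaining filter chain
     * @throws IOException      from redirect/error writes or the chain
     * @throws ServletException from the chain
     */
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        long start = System.currentTimeMillis();
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        logger.debug("handling requestURI: " + request.getRequestURI());

        String projectListPage = fc.getInitParameter(PROJECT_LIST_PAGE_PARAM);
        if (projectListPage == null) {
            // Without this value we can neither exempt the page nor redirect
            // to it; fail closed rather than NPE inside the exemption test.
            logger.error("filter init-param '" + PROJECT_LIST_PAGE_PARAM + "' is not configured");
            response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            return;
        }

        // Exemption test: the project list page is the only page reachable
        // without checks. Match against the container-normalised path
        // (contextPath + servletPath + pathInfo) instead of the raw
        // getRequestURI(), which may still carry ".." or duplicate-slash
        // segments that the container removes before dispatching — a raw
        // substring test could be satisfied by a path that actually
        // dispatches to a protected servlet.
        // NOTE(review): this is still a substring match, as in the original;
        // the exact configured form of project_list_page is not visible here,
        // so an exact comparison is not attempted.
        if (normalizedPath(request).indexOf(projectListPage) < 0) {
            if (!authorize(request, response, projectListPage)) {
                return; // a redirect or error response has already been written
            }
        }

        logger.debug("processing completed in "
            + (System.currentTimeMillis() - start) + " ms");
        chain.doFilter(request, response);
    }

    /**
     * Rebuilds the request path from the container's already-decoded and
     * normalised components; equivalent to {@code getRequestURI()} for a
     * well-formed request.
     */
    private static String normalizedPath(HttpServletRequest request) {
        StringBuffer path = new StringBuffer();
        path.append(request.getContextPath());
        path.append(request.getServletPath());
        String pathInfo = request.getPathInfo();
        if (pathInfo != null) {
            path.append(pathInfo);
        }
        return path.toString();
    }

    /**
     * Runs the session, membership and resource checks for a request that is
     * not the project list page.
     *
     * @param request         the current request
     * @param response        the response; written to only on rejection
     * @param projectListPage redirect target for rejected requests
     * @return {@code true} if the request may continue down the chain;
     *         {@code false} if a redirect or error has been sent
     * @throws IOException if writing the redirect/error fails
     */
    private boolean authorize(HttpServletRequest request, HttpServletResponse response,
            String projectListPage) throws IOException {
        // Do not create a session merely to discover it is empty; a missing
        // session is handled exactly like an unpopulated one.
        HttpSession session = request.getSession(false);
        if (!validateSession(session)) {
            response.sendRedirect(projectListPage);
            return false;
        }

        ProjectContext projectContext =
            (ProjectContext) session.getAttribute(PROJECT_CONTEXT_ATTR);
        Project project = projectContext.getProject();

        // getUserPrincipal() is null when the container has not authenticated
        // the caller; the original dereferenced it unconditionally (NPE -> 500).
        if (request.getUserPrincipal() == null) {
            logger.warn("no authenticated principal for " + request.getRequestURI());
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return false;
        }
        String user = request.getUserPrincipal().getName();

        if (!isProjectMember(user, project)) {
            String message = user + " is not authorized for project "
                + project.getProjectName();
            // The user and project names are embedded in a redirect URL:
            // encode them so they cannot inject extra query parameters or
            // break the Location header. Whether the receiving page escapes
            // 'message' on output is not visible here — TODO confirm.
            response.sendRedirect(projectListPage + "?message="
                + URLEncoder.encode(message, "UTF-8"));
            return false;
        }

        logger.debug("checking request permission");
        if (!isRequestAllowed(request)) {
            logger.debug("unauthorize resource requested..");
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return false;
        }
        return true;
    }

    /**
     * Membership test, in the original's order: application admin, then
     * project admin, then project user.
     */
    private static boolean isProjectMember(String user, Project project) {
        return Util.isItemInList(user, Application.getInstance().getApplicationAdmins())
            || project.validateAdmin(user)
            || project.validateUser(user);
    }

    /**
     * Per-resource permission check against the session's ProjectContext.
     * Only the listed servlet paths are restricted; any other path is
     * allowed (default-open), so new protected pages must be added here.
     *
     * @param request the current request; the session and its
     *                {@code projectContext} must already have been validated
     * @return {@code true} if the resource may be served
     */
    private boolean isRequestAllowed(HttpServletRequest request) {
        String resource = request.getServletPath();
        ProjectContext context =
            (ProjectContext) request.getSession(false).getAttribute(PROJECT_CONTEXT_ATTR);

        // Pages that open a file: the path named in the request must be one
        // the context allows. An absent/empty parameter is not a file access.
        if (resource.startsWith("/analysis.htm")) {
            return isPathParameterAllowed(context, request.getParameter("config"));
        }
        if (resource.startsWith("/projectcontent.htm")) {
            return isPathParameterAllowed(context, request.getParameter("content"));
        }

        // Pages gated on a single permission.
        if (resource.startsWith("/datasource.htm")) {
            return context.hasPermission(Permission.CONFIGURE_DATASOURCE);
        }
        if (resource.startsWith("/uploadfile.htm")) {
            return context.hasPermission(Permission.UPLOAD_FILE);
        }
        if (resource.startsWith("/managefiles.htm")) {
            return context.hasPermission(Permission.MANAGE_FILES);
        }
        if (resource.startsWith("/newanalysis.htm")) {
            return context.hasPermission(Permission.CREATE_NEW);
        }
        if (resource.startsWith("/editapplication.htm")) {
            return context.hasPermission(Permission.APP_ADMINISTRATION);
        }
        if (resource.startsWith("/editproject.htm")) {
            // The original listed this branch twice; the duplicate was dead.
            return context.hasPermission(Permission.PROJ_ADMINISTRATION);
        }

        return true;
    }

    /**
     * @return {@code true} if {@code path} is null/empty (no file requested)
     *         or the context allows it
     */
    private static boolean isPathParameterAllowed(ProjectContext context, String path) {
        if (path == null || path.equals("")) {
            return true;
        }
        return context.isPathAllowed(path);
    }

    /** Stores the config so {@code project_list_page} can be read per request. */
    public void init(FilterConfig filterConfig) {
        this.fc = filterConfig;
    }

    public void destroy() {
        this.fc = null;
    }

    /**
     * A session is usable only if it exists, carries the {@code projects}
     * attribute, and holds a {@link ProjectContext} with a non-null project.
     *
     * @param session the current session, or {@code null} if none exists
     * @return {@code true} if the session is populated as described
     */
    private boolean validateSession(HttpSession session) {
        if (session == null) {
            return false;
        }
        ProjectContext projectContext =
            (ProjectContext) session.getAttribute(PROJECT_CONTEXT_ATTR);
        return session.getAttribute(PROJECTS_ATTR) != null
            && projectContext != null
            && projectContext.getProject() != null;
    }
}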