


1 /*********************************************************************************
2  * The contents of this file are subject to the OpenI Public License Version 1.0
3  * ("License"); You may not use this file except in compliance with the
4  * License. You may obtain a copy of the License at
5  * http://www.openi.org/docs/LICENSE.txt
6  *
7  * Software distributed under the License is distributed on an "AS IS" basis,
8  * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License for
9  * the specific language governing rights and limitations under the License.
10  *
11  * The Original Code is: OpenI Open Source
12  *
13  * The Initial Developer of the Original Code is Loyalty Matrix, Inc.
14  * Portions created by Loyalty Matrix, Inc. are
15  * Copyright (C) 2005 Loyalty Matrix, Inc.; All Rights Reserved.
16  *
17  * Contributor(s): ______________________________________.
18  *
19  ********************************************************************************/

20 package org.openi.security;
21
import java.io.IOException;
import java.net.URLEncoder;
import java.security.Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.log4j.Logger;
import org.openi.application.Application;
import org.openi.project.Project;
import org.openi.project.ProjectContext;
import org.openi.util.Util;
37
38
39 /**
40  * Checks session to make sure it has all required attributes (does not populate session).
41  * The project_list_page is responsible for populating the session values.
42  *
43  * Why not set the session vars here? Because the choice of projectId is up to the user. Didn't want
44  * to set the session var based on user input here (a filter doesn't seem like it should respond to user input).
45  *
46  * Since didn't want to set the projectId var here, wanted to set all session vars in one place.
47  * Doubt this will make much sense - unless you try to refactor.
48  */

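public class AuthorizationFilter implements Filter {
    private static final Logger logger = Logger.getLogger(AuthorizationFilter.class);

    /** Name of the filter init-param naming the page on which the user picks a project. */
    private static final String PROJECT_LIST_PAGE_PARAM = "project_list_page";

    /** Session attribute holding the current {@link ProjectContext}. */
    private static final String PROJECT_CONTEXT_ATTR = "projectContext";

    /** Session attribute whose mere presence marks a populated project map. */
    private static final String PROJECTS_ATTR = "projects";

    FilterConfig fc;

    /**
     * Gate for every request except the project list page: the session must carry a
     * project context, the container-authenticated principal must be an application admin,
     * project admin or project user, and the requested resource must be permitted for the
     * project context. Every rejection path returns without invoking the chain, so the
     * protected resource is never executed on a redirected or forbidden request.
     *
     * @param req   incoming request, expected to be an {@link HttpServletRequest}
     * @param res   outgoing response, expected to be an {@link HttpServletResponse}
     * @param chain rest of the filter chain, invoked only when the request is authorized
     * @throws IOException      if a redirect or error response cannot be written
     * @throws ServletException if the {@code project_list_page} init-param is missing, or
     *                          from the downstream chain
     */
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
        throws IOException, ServletException {
        long start = System.currentTimeMillis();
        HttpServletResponse response = (HttpServletResponse) res;
        HttpServletRequest request = (HttpServletRequest) req;
        HttpSession session = request.getSession();

        String requestURI = request.getRequestURI();
        logger.debug("handling requestURI: " + requestURI);

        String projectListPage = fc.getInitParameter(PROJECT_LIST_PAGE_PARAM);
        if (projectListPage == null || projectListPage.length() == 0) {
            // Fail closed: without a configured project list page there is nowhere safe to
            // send a request that lacks a project context.
            throw new ServletException("missing filter init-param: " + PROJECT_LIST_PAGE_PARAM);
        }

        // The project list page itself is exempt: it is the page that populates the session.
        if (!isProjectListPage(request, projectListPage)) {
            if (!validateSession(session)) {
                // No project chosen yet: force the user to pick one and stop here.
                response.sendRedirect(projectListPage);
                return;
            }

            ProjectContext projectContext =
                (ProjectContext) session.getAttribute(PROJECT_CONTEXT_ATTR);
            Project project = projectContext.getProject();

            Principal principal = request.getUserPrincipal();
            if (principal == null) {
                // No container-authenticated user on the request: nothing to authorize against.
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            String user = principal.getName();

            if (!isProjectMember(user, project)) {
                String message = user + " is not authorized for project " + project.getProjectName();
                // Redirect to the project list rather than ending the session: this user may be a
                // member of other projects and should be able to choose one without logging in again.
                // The message is URL-encoded so user and project names cannot break the query string.
                response.sendRedirect(projectListPage + "?message=" + URLEncoder.encode(message, "UTF-8"));
                return;
            }

            logger.debug("checking request permission");
            if (!isRequestAllowed(request)) {
                logger.debug("unauthorize resource requested..");
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }

        // Timing covers only this filter's own work, not the downstream chain.
        logger.debug("processing completed in " + (System.currentTimeMillis() - start) + " ms");
        chain.doFilter(request, response);
    }

    /**
     * Decides whether the request targets the configured project list page.
     * Compares the last path segment of the servlet path (path parameters such as a
     * rewritten session id are stripped) with the last segment of the configured page, so a
     * request whose URI merely contains the page name somewhere else is not exempted.
     * Assumes the init-param names the page by its file name (e.g. {@code projectlist.htm}
     * or a path ending in it), as the previous substring match also required.
     *
     * @param request         the current request
     * @param projectListPage non-empty value of the {@code project_list_page} init-param
     * @return {@code true} when the request is for the project list page
     */
    private static boolean isProjectListPage(HttpServletRequest request, String projectListPage) {
        String path = request.getServletPath();
        if (path == null || path.length() == 0) {
            // Filter mapped ahead of a "/*" servlet: the page name lives in pathInfo instead.
            path = request.getPathInfo() != null ? request.getPathInfo() : request.getRequestURI();
        }
        return lastSegment(path).equals(lastSegment(projectListPage));
    }

    /**
     * Returns the part of {@code path} after the final {@code '/'}, with any path
     * parameters ({@code ;name=value}) removed.
     */
    private static String lastSegment(String path) {
        int slash = path.lastIndexOf('/');
        String segment = slash < 0 ? path : path.substring(slash + 1);
        int semicolon = segment.indexOf(';');
        return semicolon < 0 ? segment : segment.substring(0, semicolon);
    }

    /**
     * Membership check in the order the application defines it: application admins are
     * allowed into every project, otherwise the user must be a project admin or project user.
     *
     * @param user    principal name
     * @param project project from the session context
     * @return {@code true} when the user may work in {@code project}
     */
    private static boolean isProjectMember(String user, Project project) {
        if (Util.isItemInList(user, Application.getInstance().getApplicationAdmins())) {
            return true;
        }
        if (project.validateAdmin(user)) {
            return true;
        }
        return project.validateUser(user);
    }

    /**
     * Per-resource permission check against the session's {@link ProjectContext}.
     * Path-taking pages ({@code analysis.htm}, {@code projectcontent.htm}) must name a path
     * the context allows; administrative pages require the matching {@link Permission};
     * any other resource is allowed.
     *
     * @param request the current request
     * @return {@code false} when the resource is not permitted (also when the servlet path
     *         or the project context is absent, to fail closed)
     */
    private boolean isRequestAllowed(HttpServletRequest request) {
        String resource = request.getServletPath();
        ProjectContext context =
            (ProjectContext) request.getSession().getAttribute(PROJECT_CONTEXT_ATTR);
        if (resource == null || context == null) {
            // doFilter only reaches this after validateSession, but fail closed regardless.
            return false;
        }

        if (resource.startsWith("/analysis.htm")) {
            return isPathAllowed(context, request.getParameter("config"));
        }
        if (resource.startsWith("/projectcontent.htm")) {
            return isPathAllowed(context, request.getParameter("content"));
        }
        if (resource.startsWith("/datasource.htm")) {
            return context.hasPermission(Permission.CONFIGURE_DATASOURCE);
        }
        if (resource.startsWith("/uploadfile.htm")) {
            return context.hasPermission(Permission.UPLOAD_FILE);
        }
        if (resource.startsWith("/managefiles.htm")) {
            return context.hasPermission(Permission.MANAGE_FILES);
        }
        if (resource.startsWith("/newanalysis.htm")) {
            return context.hasPermission(Permission.CREATE_NEW);
        }
        if (resource.startsWith("/editapplication.htm")) {
            return context.hasPermission(Permission.APP_ADMINISTRATION);
        }
        if (resource.startsWith("/editproject.htm")) {
            return context.hasPermission(Permission.PROJ_ADMINISTRATION);
        }
        return true;
    }

    /**
     * A page that takes a path parameter is allowed when no path was given (nothing to
     * check) or when the context allows the given path.
     */
    private static boolean isPathAllowed(ProjectContext context, String path) {
        return path == null || path.length() == 0 || context.isPathAllowed(path);
    }

    /**
     * Stores the filter configuration; the {@code project_list_page} init-param is read
     * on each request.
     *
     * @param filterConfig container-supplied configuration
     */
    public void init(FilterConfig filterConfig) {
        this.fc = filterConfig;
    }

    /** Drops the configuration reference once the container retires the filter. */
    public void destroy() {
        this.fc = null;
    }

    /**
     * Checks for a populated project map and a project context with a project in the session.
     *
     * @param session the current HTTP session
     * @return {@code true} when all three session values are present
     */
    private boolean validateSession(HttpSession session) {
        ProjectContext projectContext =
            (ProjectContext) session.getAttribute(PROJECT_CONTEXT_ATTR);
        return session.getAttribute(PROJECTS_ATTR) != null
            && projectContext != null
            && projectContext.getProject() != null;
    }
}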
193