
1   /*
2    * $Id: SecurityFilter.java 269 2005-08-10 17:49:22Z josem $
3    *
4    * Tarsis
5    * Copyright (C) 2002 Talika Open Source Group
6    *
7    * This program is free software; you can redistribute it and/or modify
8    * it under the terms of the GNU General Public License as published by
9    * the Free Software Foundation; either version 2 of the License, or
10   * (at your option) any later version.
11   *
12   * This program is distributed in the hope that it will be useful,
13   * but WITHOUT ANY WARRANTY; without even the implied warranty of
14   * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15   * GNU General Public License for more details.
16   *
17   * You should have received a copy of the GNU General Public License
18   * along with this program; if not, write to the Free Software
19   * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
20   *
21   */
22  
23  package org.talika.tarsis.filters.security;
24  
25  import java.io.IOException;
26  
27  import javax.servlet.FilterChain;
28  import javax.servlet.FilterConfig;
29  import javax.servlet.ServletException;
30  import javax.servlet.ServletRequest;
31  import javax.servlet.ServletResponse;
32  import javax.servlet.http.HttpServletRequest;
33  
34  import org.talika.tarsis.command.Command;
35  import org.talika.tarsis.filters.CommandFilter;
36  import org.talika.tarsis.security.AuthenticationRequiredException;
37  import org.talika.tarsis.security.Authorizator;
38  import org.talika.tarsis.security.SecuritySession;
39  import org.talika.tarsis.security.SecuritySessionManager;
40  import org.talika.tarsis.security.User;
41  
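/**
 * Checks if the client has authorization to access the requested command.
 * <p>
 * For each request the filter resolves the {@link Command} it maps to. When the
 * {@link Authorizator} reports that command as restricted, the filter first
 * requires a valid security session and then asks the authorizator to grant the
 * session's {@link User} access to the command. Any failure on that path aborts
 * the request with a {@link ServletException} before the rest of the chain is
 * invoked, so the filter fails closed. Requests that do not resolve to a command
 * at all, or resolve to an unrestricted one, are passed through unchecked.
 *
 * @author  Jose M. Palomar
 * @version $Revision: 269 $
 */
public final class SecurityFilter extends CommandFilter {

    // Fields
    /**
     * Tarsis authorizator, obtained from the filter context in {@link #init}.
     */
    private Authorizator authorizator;

    /**
     * Tarsis security session manager (singleton), obtained in {@link #init}.
     */
    private SecuritySessionManager sessionManager;

    // Methods
    /**
     * Called by the web container to indicate to a filter that it is being placed
     * into service.<br>
     * <br>
     * Initialization consists in calling the super <code>init</code> method and
     * storing the session manager and authorizator instances in fields for use
     * by {@link #doFilter}.
     *
     * @param filterConfig FilterConfig filter configuration.
     * @throws ServletException if an exception has occurred that interferes with the
     * filter's normal operation
     * @see javax.servlet.Filter#init(FilterConfig)
     */
    public void init(FilterConfig filterConfig) throws ServletException {
        super.init(filterConfig);

        this.sessionManager = SecuritySessionManager.getInstance();
        this.authorizator = getContext().getAuthorizator();
    }

    /**
     * Checks if the client has authorization to access the requested command.
     * <p>
     * Only commands reported as restricted by the authorizator are checked; for
     * those, a missing or invalid security session, a denied authorization or
     * any other exception raised while checking (for example a
     * <code>ClassCastException</code> on a non-HTTP request) is wrapped in a
     * <code>ServletException</code> and the filter chain is not invoked.
     *
     * @param request ServletRequest the <code>ServletRequest</code> object
     * that contains the client's request.
     * @param response ServletResponse the <code>ServletResponse</code> object
     * that contains the servlet's response.
     * @param filterChain FilterChain invocation chain of filtered request.
     * @throws IOException if an input or output exception occurs
     * @throws ServletException if the session or authorization check fails, or
     * if an exception has occurred that interferes with the filter's normal
     * operation
     * @see javax.servlet.Filter#doFilter(ServletRequest, ServletResponse, FilterChain)
     */
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain filterChain)
            throws IOException, ServletException {

        if (getLogger().isDebugEnabled()) {
            getLogger().logDebug(getFilterConfig().getFilterName() + ": invoked");
        }

        // NOTE(review): a request that does not resolve to a command (cmd == null)
        // goes down the chain with no session or authorization check at all; this
        // relies on unmapped requests being harmless or being rejected downstream.
        Command cmd = findCommand(request);
        if ((cmd != null) && (authorizator.isRestricted(cmd))) {

            try {
                // Session first: an unauthenticated client must never reach the
                // authorization step.
                checkSession(request);

                // Then authorization of the session's user for this command.
                User user = getUser(request);
                authorizator.authorize(user, cmd);
            }
            catch (Exception e) {
                // Any failure while checking aborts the request before the chain
                // runs, i.e. the filter fails closed. Only Exception is caught:
                // Errors (OutOfMemoryError, ThreadDeath, ...) are left to propagate
                // rather than being wrapped as an ordinary ServletException.
                throw new ServletException(e);
            }
        }

        filterChain.doFilter(request, response);
    }

    /**
     * Checks if the client's request has a valid security session.
     *
     * @param request ServletRequest the <code>ServletRequest</code> object
     * that contains the client's request; must be an <code>HttpServletRequest</code>.
     * @throws AuthenticationRequiredException if session is invalid or does not exist.
     */
    protected void checkSession(ServletRequest request)
            throws AuthenticationRequiredException {

        HttpServletRequest httpRequest = (HttpServletRequest) request;
        if (!sessionManager.isSecuritySessionValid(httpRequest)) {
            throw new AuthenticationRequiredException();
        }
    }

    /**
     * Retrieves the user bound to the client's security session.
     *
     * @param request ServletRequest the <code>ServletRequest</code> object
     * that contains the client's request; must be an <code>HttpServletRequest</code>.
     * @return User the user of the request's security session.
     * @throws IllegalStateException if no security session is bound to the request.
     */
    protected User getUser(ServletRequest request) {

        SecuritySession securitySession =
            sessionManager.getSecuritySession((HttpServletRequest) request);

        // Guard against the session disappearing between checkSession() and this
        // lookup (e.g. invalidated by a concurrent request) — assumes the manager
        // returns null in that case; TODO confirm. A clear exception is preferable
        // to a NullPointerException, and either way doFilter() fails closed.
        if (securitySession == null) {
            throw new IllegalStateException(
                "no security session bound to the request");
        }
        return securitySession.getUser();
    }

}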