On Thu, 20 Jan 2005 06:53:36 -0800, Dakota Jack <[EMAIL PROTECTED]> wrote:
> I am also too lazy to make a filter!  LOL  ;-)  Anyone have one of
> these in their toolbox they would like to share?
package com.sssc.csr.web.filters;

import java.io.IOException;
import java.util.Iterator;
import java.util.Properties;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import com.sssc.csr.ConfigurationNames;
import com.sssc.csr.utils.*;
import com.sssc.csr.web.SessionAttributeNames;
import com.sssc.generics.utilities.LogWrapper;
import com.sssc.generics.utilities.ResourceBucket;
import com.sssc.model.User;

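/**Ensures that the current user holds the role required for the URL being
 * requested.
 * <p>By default all access to JSP pages is denied; the configuration file
 * can override this.</p>
 * <p>The configuration file consists of name/value pairs where the name is a
 * regular expression and the value is a role.  The request URI is looked up
 * against the configured patterns and the matching pattern yields the role.
 * If the user holds that role, or the role is {@link #ALLOW_ALL ALLOW_ALL},
 * the request is let through whether or not anyone is logged in.  A URI that
 * matches no pattern, or whose role is {@link #DENY_ALL DENY_ALL}, is denied
 * and the client is redirected to the login page.</p>
 * @version     $Revision$
 * @author $Author$
 */
public class AuthorizationFilter implements Filter {

    /**Any URL marked with this role is denied regardless of the roles the
     * user holds.  It is also the role applied to URLs that match no
     * configured pattern.
     */
    public static final String DENY_ALL = "DENY_ALL_ACCESS";
    /**Any URL marked with this role is allowed, whether or not a user is
     * logged in and whatever roles they hold.
     */
    public static final String ALLOW_ALL = "ALLOW_ALL_ACCESS";
    /**The container-supplied filter configuration.  It is only stored for
     * {@link #getConfig()}; the rules themselves come from the resource
     * bucket, not from init parameters.
     */
    private FilterConfig config = null;
    /**Maps URL regexes to the role required to access them.  A lookup that
     * yields null means no pattern matched, which {@link #doFilter} treats as
     * {@link #DENY_ALL}.
     */
    private RegexMap url2RoleMap = new RegexMap();

    /**Source of the authorization configuration file. */
    private ResourceBucket bucket =
        (ResourceBucket) ResourceBucket.getInstance();

    /**Loads the URL-to-role rules.  Every JSP is denied up front; the
     * configuration file may then add or replace patterns.
     * @param config the container's filter configuration; stored for
     *        {@link #getConfig()}
     * @throws ServletException if the authorization configuration cannot be
     *         found, so deployment fails closed instead of the filter
     *         running with no rules
     * @see javax.servlet.Filter#init(javax.servlet.FilterConfig)
     */
    public void init(FilterConfig config) throws ServletException {
        LogWrapper.logEnter("init", AuthorizationFilter.class);
        setConfig(config);
        getUrl2RoleMap().put(".*\\.jsp", DENY_ALL);
        Properties properties =
            bucket.getProperties(
                ConfigurationNames.AUTHORIZATIONFILTERCONFIGURATIONFILE);
        if (properties == null) {
            throw new ServletException(
                "Authorization configuration not found: "
                    + ConfigurationNames.AUTHORIZATIONFILTERCONFIGURATIONFILE);
        }
        // Properties iterates in hash order, not file order.  If two
        // patterns can match the same URI, which role wins depends on how
        // RegexMap resolves overlaps.  NOTE(review): confirm RegexMap's
        // behaviour for overlapping patterns before relying on precedence.
        for (Iterator iter = properties.keySet().iterator(); iter.hasNext();) {
            String regexUrl = (String) iter.next();
            String role = (String) properties.get(regexUrl);

            LogWrapper.log(
                LogWrapper.DEBUG,
                "Loading " + regexUrl + ":" + role,
                AuthorizationFilter.class);

            getUrl2RoleMap().put(regexUrl, role);
        }
        LogWrapper.logExit("init", AuthorizationFilter.class);
    }

    /**Authorizes one request: looks up the role the request URI requires,
     * compares it with the user in the session, and either passes the
     * request down the chain or invalidates the session and redirects the
     * client to the login page.
     * <p>Decision order: a {@link #DENY_ALL} rule (explicit, or the default
     * for an unmatched URI) is unconditional; {@link #ALLOW_ALL} needs no
     * user; any other role must be held by the logged-in user.  The context
     * root ({@code contextPath + "/"}) is always reachable.</p>
     * @param request the request; must be an {@link HttpServletRequest}
     * @param response the response; must be an {@link HttpServletResponse}
     * @param chain the remainder of the filter chain
     * @throws IOException if the redirect cannot be sent or the chain throws
     * @throws ServletException if the chain throws
     * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest,
     * javax.servlet.ServletResponse, javax.servlet.FilterChain)
     */
    public void doFilter(
        ServletRequest request,
        ServletResponse response,
        FilterChain chain)
        throws IOException, ServletException {

        LogWrapper.logEnter("doFilter", AuthorizationFilter.class);

        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        // NOTE(review): getRequestURI() is neither URL-decoded nor
        // normalized, and it includes the context path and any path
        // parameters (";jsessionid=..." and the like), so the configured
        // patterns must be written against that raw form.
        String path = req.getRequestURI();
        String roleNeededToAccess = (String) getUrl2RoleMap().get(path);
        // Fail closed: a URI that matches no configured pattern is denied.
        if (roleNeededToAccess == null) {
            roleNeededToAccess = DENY_ALL;
        }
        // Look for a user without creating a session: an anonymous request
        // has none and should not be given one here.
        HttpSession session = req.getSession(false);
        User user =
            (session == null)
                ? null
                : (User) session.getAttribute(
                    SessionAttributeNames.CURRENT_USER);
        LogWrapper.log(
            LogWrapper.DEBUG,
            "Context path: "
                + req.getContextPath()
                + " Path: "
                + path
                + " roleNeededToAccess: "
                + roleNeededToAccess
                + " User: "
                + (user == null ? "None" : user.toString()),
            AuthorizationFilter.class);

        boolean allowed;
        if (DENY_ALL.equals(roleNeededToAccess)) {
            // DENY_ALL is unconditional.  Checking it before the role test
            // ensures a user who happens to hold a role named
            // "DENY_ALL_ACCESS" is not let through by user.hasRole().
            allowed = false;
        } else if (ALLOW_ALL.equals(roleNeededToAccess)) {
            allowed = true;
        } else {
            allowed = (user != null) && user.hasRole(roleNeededToAccess);
        }
        // The context root is always reachable, whatever the rules say.
        if (path.equals(req.getContextPath() + "/")) {
            allowed = true;
        }

        if (allowed) {
            chain.doFilter(request, response);
        } else {
            // A denied request drops the session before the redirect.
            // NOTE(review): this also logs out an authenticated user who
            // merely lacks the role; confirm that is intended.
            if (session != null) {
                session.invalidate();
            }
            resp.sendRedirect(req.getContextPath() + "/showLogin.do");
            LogWrapper.logAlert(
                "Attempt to access a resource ("
                    + req.getRequestURL()
                    + ") which the user ("
                    + ((user != null) ? user.toString() : "No user logged in.")
                    + " from "
                    + req.getRemoteAddr()
                    + ") is not allowed.");
        }
        LogWrapper.logExit("doFilter", AuthorizationFilter.class);
    }

    /**Nothing to release: the rule map lives for the filter's lifetime.
     * @see javax.servlet.Filter#destroy()
     */
    public void destroy() {}

    /**Stores the container's filter configuration.
     * @param config the configuration passed to {@link #init}
     */
    public void setConfig(FilterConfig config) {
        this.config = config;
    }

    /**@return the filter configuration stored by {@link #init}, or null
     *         before initialisation
     */
    public FilterConfig getConfig() {
        return config;
    }

    /**Replaces the URL-to-role rules wholesale.
     * @param url2RoleMap the new map of URL regexes to required roles
     */
    public void setUrl2RoleMap(RegexMap url2RoleMap) {
        this.url2RoleMap = url2RoleMap;
    }

    /**@return the live map of URL regexes to required roles */
    public RegexMap getUrl2RoleMap() {
        return url2RoleMap;
    }

}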

> 
> Jack
> 
> On Thu, 20 Jan 2005 12:49:41 +0800, Andrew Hill
> <[EMAIL PROTECTED]> wrote:
> > Id support the filter suggestion, though for myself I generally do the
> > check in the RequestProcessor, as Ive usually overridden it to perform
> > other evil anyhow, and Im lazy to make a filter.
> >
> > If you dont keep your JSP under WEB-INF (IMHO thats where they belong
> > because they are 'code & config' , just like your classes,jars, and
> > struts-config.xml and tlds) then you should declare some sort of
> > security constraint so they can only be reached by a server side forward
> > from their respective preparation action.
> >
> >
> > Frank W. Zammetti wrote:
> >
> > > If the user clicks a button, you are either going to (a) go directly to
> > > a JSP, which is generally not a good idea in a Struts-based application
> > > anyway (or any servlet-based application for that matter) or (b) go to
> > > an Action, as you probably should be doing.  In either case, choice 1 is
> > > what I would do personally.  Putting things under WEB-INF as David
> > > suggests works great, but it just feels kind of wrong to me.
> > >
> > > You'll also want to call some common code from all your Actions that
> > > does the same basic check and forwards immediately to your "logon again"
> > > page.  I do this by means of an ActionHelpers class that has two static
> > > methods, start() and finish() that are called, as I'm sure you could
> > > guess, at the start and end of all my Actions.  They do some common
> > > tasks, including this check.
> > >
> > > If you want a real solution though, externalize your security using
> > > something like Netegrity Siteminder.  It will deal with this situation
> > > for you, in a theoretically more secure fashion than you could probably
> > > do on your own.
> > >
> > > Yet another idea is a filter that will check if a session is alive and
> > > redirect as appropriate.  This I believe can work no matter what your
> > > request is to (Action or JSP directly), or any other resource, assuming
> > > the app server serves everything.
> > >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
> >
> >
> 
> --
> ------------------------------
> 
> "You can lead a horse to water but you cannot make it float on its back."
> 
> ~Dakota Jack~
> 
> "You can't wake a person who is pretending to be asleep."
> 
> ~Native Proverb~
> 
> "Each man is good in His sight. It is not necessary for eagles to be crows."
> 
> ~Hunkesni (Sitting Bull), Hunkpapa Sioux~
> 
> -----------------------------------------------
> 
> "This message may contain confidential and/or privileged information.
> If you are not the addressee or authorized to receive this for the
> addressee, you must not use, copy, disclose, or take any action based
> on this message or any information herein. If you have received this
> message in error, please advise the sender immediately by reply e-mail
> and delete this message. Thank you for your cooperation."
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 
>

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
