23 package org.talika.tarsis.filters.security;
24
25 import java.io.IOException;
26
27 import javax.servlet.FilterChain;
28 import javax.servlet.FilterConfig;
29 import javax.servlet.ServletException;
30 import javax.servlet.ServletRequest;
31 import javax.servlet.ServletResponse;
32 import javax.servlet.http.HttpServletRequest;
33
34 import org.talika.tarsis.command.Command;
35 import org.talika.tarsis.filters.CommandFilter;
36 import org.talika.tarsis.security.AuthenticationRequiredException;
37 import org.talika.tarsis.security.Authorizator;
38 import org.talika.tarsis.security.SecuritySession;
39 import org.talika.tarsis.security.SecuritySessionManager;
40 import org.talika.tarsis.security.User;
41
42 /**
43 * Checks if client has authorization to access requested command.
44 *
45 * @author Jose M. Palomar
46 * @version $Revision: 269 $
47 */
48 public final class SecurityFilter extends CommandFilter {
49
50
51 /**
52 * Tarsis authorizator.
53 */
54 private Authorizator authorizator;
55
56 /**
57 * Tarsis session manager.
58 */
59 private SecuritySessionManager sessionManager;
60
61
62 /**
63 * Called by the web container to indicate to a filter that it is being placed
64 * into service.<br>
65 * <br>
66 * Initialization consits in calling super <code>int</code> method and storing
67 * in a local variable authorizator instance for further use.
68 *
69 * @param filterConfig FilterConfig filter configutarion.
70 * @throws ServletException if an exception has occurred that interferes with the
71 * filter's normal operation
72 * @see javax.servlet.Filter#init(FilterConfig)
73 */
74 public void init(FilterConfig filterConfig) throws ServletException {
75 super.init(filterConfig);
76
77 this.sessionManager = SecuritySessionManager.getInstance();
78 this.authorizator = getContext().getAuthorizator();
79
80 }
81
82 /**
83 * Checks if client has authorization to access requested command.
84 *
85 * @param request ServletRequest the <code>ServletRequest</code> object
86 * that contains the client's request.
87 * @param response ServletResponse the <code>ServletResponse</code> object
88 * that contains the servlet's response.
89 * @param filterChain FilterChain invocation chain of filtered request.
90 * @throws IOException if an input or output exception occurs
91 * @throws ServletException if an exception has occurred that interferes with the
92 * filter's normal operation
93 * @see javax.servlet.Filter#doFilter(ServletRequest, ServletResponse, FilterChain)
94 */
95 public void doFilter(ServletRequest request, ServletResponse response,
96 FilterChain filterChain)
97 throws IOException, ServletException {
98
99 if (getLogger().isDebugEnabled()) {
100 getLogger().logDebug(getFilterConfig().getFilterName() + ": invoked");
101 }
102
103 Command cmd = findCommand(request);
104 if ((cmd != null) && (authorizator.isRestricted(cmd))) {
105
106 try {
107
108
109 checkSession(request);
110
111
112 User user = getUser(request);
113 authorizator.authorize(user, cmd);
114
115 }
116 catch (Throwable t) {
117 throw new ServletException(t);
118 }
119
120 }
121
122 filterChain.doFilter(request, response);
123
124 }
125
126 /**
127 * Checks if client's request has a valid security session.
128 *
129 * @param request ServletRequest the <code>ServletRequest</code> object
130 * that contains the client's request.
131 * @throws AuthenticationRequiredException if session is invalid or not exists.
132 */
133 protected void checkSession(ServletRequest request)
134 throws AuthenticationRequiredException {
135
136 if (!sessionManager.isSecuritySessionValid((HttpServletRequest) request)) {
137 throw new AuthenticationRequiredException();
138 }
139
140 }
141
142 /**
143 * Retrieves user from client's request.
144 *
145 * @param request ServletRequest the <code>ServletRequest</code> object
146 * that contains the client's request.
147 * @return User user.
148 */
149 protected User getUser(ServletRequest request) {
150
151 SecuritySession securitySession =
152 sessionManager.getSecuritySession((HttpServletRequest) request);
153 return securitySession.getUser();
154
155 }
156
157 }