001: /**********************************************************************************
002: * $URL: https://source.sakaiproject.org/svn/sections/tags/sakai_2-4-1/sections-app/src/java/org/sakaiproject/tool/section/filter/RoleFilter.java $
003: * $Id: RoleFilter.java 18134 2006-11-14 18:59:25Z jholtzman@berkeley.edu $
004: ***********************************************************************************
005: *
006: * Copyright (c) 2005, 2006 The Regents of the University of California and The Regents of the University of Michigan
007: *
008: * Licensed under the Educational Community License, Version 1.0 (the "License");
009: * you may not use this file except in compliance with the License.
010: * You may obtain a copy of the License at
011: *
012: * http://www.opensource.org/licenses/ecl1.php
013: *
014: * Unless required by applicable law or agreed to in writing, software
015: * distributed under the License is distributed on an "AS IS" BASIS,
016: * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
017: * See the License for the specific language governing permissions and
018: * limitations under the License.
019: *
020: **********************************************************************************/package org.sakaiproject.tool.section.filter;
021:
022: import java.io.IOException;
023:
024: import javax.servlet.Filter;
025: import javax.servlet.FilterChain;
026: import javax.servlet.FilterConfig;
027: import javax.servlet.ServletException;
028: import javax.servlet.ServletRequest;
029: import javax.servlet.ServletResponse;
030: import javax.servlet.http.HttpServletRequest;
031: import javax.servlet.http.HttpServletResponse;
032:
033: import org.apache.commons.logging.Log;
034: import org.apache.commons.logging.LogFactory;
035: import org.sakaiproject.section.api.facade.manager.Authn;
036: import org.sakaiproject.section.api.facade.manager.Authz;
037: import org.sakaiproject.section.api.facade.manager.Context;
038: import org.springframework.context.ApplicationContext;
039: import org.springframework.web.context.WebApplicationContext;
040:
041: /**
042: * An authorization filter to keep users out of pages they are not authorized
043: * to access.
044: *
045: * @author <a href="mailto:jholtzman@berkeley.edu">Josh Holtzman</a>
046: *
047: */
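/**
 * An authorization filter to keep users out of pages they are not authorized
 * to access.
 *
 * <p>Only the top-level servlet path (e.g. {@code /overview.jsf}) is checked;
 * any request whose servlet path contains a further {@code /} is passed down
 * the chain unfiltered so that login through a subdirectory, shared resource
 * files and similar continue to work. For a top-level page the page name is
 * the servlet path up to the first {@code .} or {@code /}, and it must appear
 * in the {@link AuthorizationFilterConfigurationBean} page list matching a
 * role the user holds in the currently selected site context. With no site
 * context selected the user is redirected to {@code selectSiteRedirect} when
 * configured, otherwise rejected with 401.
 *
 * <p>Bean names are read from the filter init parameters
 * {@code authnServiceBean}, {@code authzServiceBean},
 * {@code contextManagementServiceBean} and
 * {@code authorizationFilterConfigurationBean}; the beans themselves are
 * looked up in the root web application context on every request.
 *
 * @author <a href="mailto:jholtzman@berkeley.edu">Josh Holtzman</a>
 *
 */
public class RoleFilter implements Filter {
    private static final Log logger = LogFactory.getLog(RoleFilter.class);

    // Spring bean names, all supplied through filter init parameters.
    private String authnBeanName;
    private String authzBeanName;
    private String contextBeanName;
    private String authorizationFilterConfigurationBeanName;
    // Optional redirect target used when no site context is selected.
    private String selectSiteRedirect;

    private ApplicationContext ac;

    /**
     * Captures the root web application context and reads the bean names and
     * the optional redirect target from the filter init parameters.
     *
     * @param filterConfig the container-supplied filter configuration
     * @throws ServletException never thrown here; declared by the Filter contract
     */
    public void init(FilterConfig filterConfig) throws ServletException {
        if (logger.isInfoEnabled()) {
            logger.info("Initializing sections role filter");
        }

        ac = (ApplicationContext) filterConfig.getServletContext()
                .getAttribute(WebApplicationContext.ROOT_WEB_APPLICATION_CONTEXT_ATTRIBUTE);

        authnBeanName = filterConfig.getInitParameter("authnServiceBean");
        authzBeanName = filterConfig.getInitParameter("authzServiceBean");
        contextBeanName = filterConfig.getInitParameter("contextManagementServiceBean");
        authorizationFilterConfigurationBeanName = filterConfig
                .getInitParameter("authorizationFilterConfigurationBean");
        selectSiteRedirect = filterConfig.getInitParameter("selectSiteRedirect");
    }

    /**
     * Decides whether the request may proceed to the requested page.
     *
     * <p>Outcomes, in order of evaluation: sub-path requests are passed
     * through; a missing site context yields a redirect to
     * {@code selectSiteRedirect} or a 401; a page the user's roles permit is
     * passed through; anything else is logged as an authorization failure and
     * rejected with 401.
     *
     * @param servletRequest the incoming request; must be an {@link HttpServletRequest}
     * @param response the response; must be an {@link HttpServletResponse}
     * @param chain the remainder of the filter chain
     * @throws IOException if writing the error or redirect fails
     * @throws ServletException propagated from the chain
     */
    public void doFilter(ServletRequest servletRequest,
            ServletResponse response, FilterChain chain)
            throws IOException, ServletException {

        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse httpResponse = (HttpServletResponse) response;

        String servletPath = request.getServletPath();
        if (logger.isDebugEnabled()) {
            logger.debug("Filtering request for servletPath=" + servletPath);
        }
        // The servlet spec returns "" rather than null here; guard anyway so a
        // non-conforming container cannot make the filter fail open via an NPE
        // being handled upstream in an unexpected way.
        if (servletPath == null) {
            servletPath = "";
        }
        servletPath = servletPath.replaceFirst("^/", "");
        if (servletPath.indexOf('/') >= 0) {
            // Only protect the top-level folder, to allow for login through
            // a subdirectory, shared resource files, and so on.
            chain.doFilter(request, response);
            return;
        }

        Authn authn = (Authn) ac.getBean(authnBeanName);
        Authz authz = (Authz) ac.getBean(authzBeanName);
        Context context = (Context) ac.getBean(contextBeanName);
        AuthorizationFilterConfigurationBean authzFilterConfigBean =
                (AuthorizationFilterConfigurationBean) ac
                        .getBean(authorizationFilterConfigurationBeanName);
        String userUid = authn.getUserUid(request);

        if (logger.isDebugEnabled()) {
            logger.debug("Filtering request for user " + userUid
                    + ", pathInfo=" + request.getPathInfo());
        }

        // Try to get the currently selected site context, if any
        String siteContext = context.getContext(request);

        if (logger.isDebugEnabled()) {
            logger.debug("context=" + siteContext);
        }

        if (siteContext == null) {
            if (selectSiteRedirect != null) {
                httpResponse.sendRedirect(selectSiteRedirect);
            } else {
                httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            }
            return;
        }

        String pageName = pageNameOf(servletPath);

        if (isPageAuthorized(authz, authzFilterConfigBean, userUid, siteContext, pageName)) {
            chain.doFilter(request, response);
        } else {
            logger.error("AUTHORIZATION FAILURE: User " + userUid
                    + " in site " + siteContext
                    + " attempted to reach URL "
                    + request.getRequestURL());
            // NOTE(review): 401 is sent even when the user is authenticated but
            // lacks the required role; 403 would describe that case more
            // precisely. Kept as 401 for compatibility with existing clients.
            httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        }
    }

    /**
     * Extracts the page name from a servlet path with its leading slash
     * already removed: the text up to the first {@code .} or {@code /}.
     */
    private static String pageNameOf(String servletPath) {
        String[] splitPath = servletPath.split("[./]");
        return splitPath[0];
    }

    /**
     * Checks, role by role, whether {@code pageName} is in the page list the
     * configuration bean associates with a role the user holds in the site.
     * Evaluation order and short-circuiting match the original if/else chain:
     * a page is authorized as soon as one role grants it.
     *
     * @return {@code true} if at least one role the user holds lists the page
     */
    private static boolean isPageAuthorized(Authz authz,
            AuthorizationFilterConfigurationBean config,
            String userUid, String siteContext, String pageName) {
        return (authz.isSectionManagementAllowed(userUid, siteContext)
                        && config.getManageAllSections().contains(pageName))
                || (authz.isViewAllSectionsAllowed(userUid, siteContext)
                        && config.getViewAllSections().contains(pageName))
                || (authz.isSectionTaManagementAllowed(userUid, siteContext)
                        && config.getManageTeachingAssistants().contains(pageName))
                || (authz.isSectionEnrollmentMangementAllowed(userUid, siteContext)
                        && config.getManageEnrollments().contains(pageName))
                || (authz.isViewOwnSectionsAllowed(userUid, siteContext)
                        && config.getViewOwnSections().contains(pageName));
    }

    /** Drops the application context reference so it is not retained after shutdown. */
    public void destroy() {
        ac = null;
    }
}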
|