001: /*
002: * argun 1.0
003: * Web 2.0 delivery framework
004: * Copyright (C) 2007 Hammurapi Group
005: *
006: * This program is free software; you can redistribute it and/or
007: * modify it under the terms of the GNU Lesser General Public
008: * License as published by the Free Software Foundation; either
009: * version 2 of the License, or (at your option) any later version.
010: *
011: * This program is distributed in the hope that it will be useful,
012: * but WITHOUT ANY WARRANTY; without even the implied warranty of
013: * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
014: * Lesser General Public License for more details.
015: *
016: * You should have received a copy of the GNU Lesser General Public
017: * License along with this library; if not, write to the Free Software
018: * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
019: *
020: * URL: http://www.hammurapi.biz
021: * e-Mail: support@hammurapi.biz
022: */
023: package biz.hammurapi.web.security;
024:
025: import java.sql.SQLException;
026: import java.util.ArrayList;
027: import java.util.Collection;
028: import java.util.HashMap;
029: import java.util.Iterator;
030: import java.util.Map;
031:
032: import javax.servlet.http.HttpServletRequest;
033: import javax.servlet.http.HttpServletResponse;
034: import javax.servlet.http.HttpSession;
035:
036: import biz.hammurapi.config.Context;
037: import biz.hammurapi.web.ActionServlet;
038: import biz.hammurapi.web.HammurapiWebException;
039: import biz.hammurapi.web.HttpError;
040: import biz.hammurapi.web.SimpleRedirect;
041: import biz.hammurapi.web.menu.MenuFilter;
042: import biz.hammurapi.web.security.sql.ApplicationPermission;
043: import biz.hammurapi.web.security.sql.SecurityEngine;
044:
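/**
 * Login / logout actions for the security module.
 *
 * Raw collection types are kept on purpose: the rest of this file predates
 * generics and the helpers it calls return raw {@code Collection}s.
 */
public class ActionsBase extends biz.hammurapi.web.ActionsBase {

	/**
	 * Looks up the {@link SecurityEngine} registered under the
	 * "db/SecurityEngine" global key for this request.
	 */
	protected static SecurityEngine getEngine(HttpServletRequest request) {
		return (SecurityEngine) getGlobal(request, "db/SecurityEngine");
	}

	/**
	 * Returns the engine's summary object for rendering.
	 * NOTE(review): nothing here checks that the caller may see it;
	 * presumably AuthFilter gates this action — confirm.
	 */
	public Object summary(HttpServletRequest request,
			HttpServletResponse response, ActionServlet servlet)
			throws SQLException {
		return getEngine(request).getSummary();
	}

	/**
	 * Per-class permission cache handed to every UserAuthorizationProvider
	 * this instance creates, i.e. shared across all logged-in users.
	 */
	private final Map classPermissions = new HashMap();

	/**
	 * Handles the login page and the login form submission.
	 *
	 * Without the {@code xLogin=yes} marker the action only renders the form
	 * (returning a model map, optionally carrying the pending
	 * {@code targetUrl}). With it, the credentials are verified and on
	 * success the user and an authorization provider are stored in the
	 * session and the browser is redirected to a local post-login target.
	 *
	 * Failed attempts are counted in the session: once the budget from
	 * {@code AuthFilter.MAX_LOGIN_ATTEMPTS} is spent every further attempt
	 * is refused with 401 — including one with the right password — until
	 * the session expires. The counter is session-scoped, so a client that
	 * simply discards its cookie starts over; per-account or per-source
	 * throttling would have to live server-side (e.g. in SecurityEngine).
	 *
	 * @return a model map (form rendering / error), an {@link HttpError}
	 *         (401 locked out, 403 menu could not be built) or a
	 *         {@link SimpleRedirect} on success
	 * @throws SQLException          from the security engine lookups
	 * @throws HammurapiWebException from the framework helpers
	 */
	public Object login(HttpServletRequest request,
			HttpServletResponse response, ActionServlet servlet)
			throws SQLException, HammurapiWebException {
		Map ret = new HashMap();
		HttpSession session = request.getSession();
		String pendingTarget = (String) session
				.getAttribute(MenuFilter.MENU_REDIRECT);
		if (!isBlank(pendingTarget)) {
			// Carried through the form as the "targetUrl" parameter and
			// re-validated by postLoginTarget() before it is ever used.
			ret.put("targetUrl", pendingTarget);
		}

		if (!"yes".equals(request.getParameter("xLogin"))) {
			// Plain GET of the login page: nothing to verify.
			return ret;
		}

		String loginName = request.getParameter("xUser");
		if (isBlank(loginName)) {
			ret.put("Error", "Login name is blank");
			return ret;
		}
		// Echoed back into the form; the view is responsible for HTML-escaping it.
		ret.put("xUser", loginName);

		String password = request.getParameter("xPassword");
		if (password == null) {
			ret.put("Error", "Password is blank");
			return ret;
		}

		// Lockout is enforced BEFORE the credentials are checked, so a
		// correct guess cannot slip through once the budget is spent.
		Integer attempts = remainingAttempts(session);
		if (attempts != null && attempts.intValue() <= 0) {
			return new HttpError(HttpServletResponse.SC_UNAUTHORIZED,
					"Too many failed login attempts");
		}

		SecurityEngine engine = getEngine(request);
		User user = (User) engine.getApplicationUser(loginName, User.class);
		// NOTE(review): hashPassword() is compared as an opaque string; if it
		// is an unsalted digest, a bcrypt/scrypt/argon2 scheme should replace
		// it — cannot be confirmed from here.
		boolean authenticated = user != null
				&& !user.getIsBlocked()
				&& constantTimeEquals(
						ApplicationUserActions.hashPassword(password),
						user.getUserPassword());
		if (!authenticated) {
			if (attempts != null) {
				session.setAttribute(AuthFilter.REMAINING_LOGIN_ATTEMPTS,
						new Integer(attempts.intValue() - 1));
			}
			// One message for unknown, blocked and wrong-password cases so the
			// response does not reveal which accounts exist.
			ret.put("Error", "Invalid user name or password");
			return ret;
		}

		Collection permissions = grantedPermissions(engine, user);

		// NOTE(review): the session id is not rotated here, so an id fixed
		// by an attacker before login stays valid afterwards.
		// request.changeSessionId() (Servlet 3.1+) or invalidate-and-recreate
		// would close that, but which attributes AuthFilter/MenuFilter expect
		// to survive login is not visible from this file — confirm first.
		session.setAttribute(AuthFilter.USER, user);
		session.setAttribute(AuthFilter.AUTHORIZATION_PROVIDER,
				new UserAuthorizationProvider(user, permissions,
						classPermissions));

		MenuFilter menuFilter = (MenuFilter) servlet.getServletContext()
				.getAttribute("filter/MenuFilter");
		if (!menuFilter.buildMenu(request)) {
			return new HttpError(HttpServletResponse.SC_FORBIDDEN,
					"Could not start menu, access denied");
		}
		session.removeAttribute(AuthFilter.REMAINING_LOGIN_ATTEMPTS);
		return new SimpleRedirect(postLoginTarget(request, session),
				"Logged in");
	}

	/**
	 * Remaining failed-login budget for this session: the stored counter, or
	 * the configured maximum when no failure has been recorded yet. Returns
	 * {@code null} when AuthFilter did not put an Integer under
	 * {@code MAX_LOGIN_ATTEMPTS}, which disables the lockout.
	 */
	private static Integer remainingAttempts(HttpSession session) {
		Integer remaining = (Integer) session
				.getAttribute(AuthFilter.REMAINING_LOGIN_ATTEMPTS);
		if (remaining == null) {
			Object max = session.getAttribute(AuthFilter.MAX_LOGIN_ATTEMPTS);
			if (max instanceof Integer) {
				remaining = (Integer) max;
			}
		}
		return remaining;
	}

	/**
	 * Fetches every application permission and keeps only those the user
	 * actually holds (hasPermission() must answer exactly Boolean.TRUE).
	 */
	private static Collection grantedPermissions(SecurityEngine engine,
			User user) throws SQLException, HammurapiWebException {
		Collection permissions = engine
				.getApplicationPermission(new ArrayList());
		Iterator it = permissions.iterator();
		while (it.hasNext()) {
			ApplicationPermission ap = (ApplicationPermission) it.next();
			Object granted = user.hasPermission(ap.getClassName(),
					ap.getActionName());
			if (!Boolean.TRUE.equals(granted)) {
				it.remove();
			}
		}
		return permissions;
	}

	/**
	 * Where to send the browser after a successful login: the target recorded
	 * by AuthFilter, else the form's {@code targetUrl} parameter, else the
	 * application root. Each candidate must pass {@link #localPathOrNull};
	 * absolute URLs, protocol-relative "//host" forms and control characters
	 * are skipped so the login page cannot be used as an open redirector.
	 * (Assumes AuthFilter stores a request URI or a relative path — a value
	 * with a scheme would be dropped here; confirm against AuthFilter.)
	 */
	private static String postLoginTarget(HttpServletRequest request,
			HttpSession session) {
		String target = localPathOrNull((String) session
				.getAttribute(AuthFilter.LOGIN_TARGET));
		if (target == null) {
			target = localPathOrNull(request.getParameter("targetUrl"));
		}
		if (target == null) {
			target = request.getContextPath();
		}
		return target;
	}

	/**
	 * Returns the trimmed URL if it can only resolve to this host, else
	 * {@code null}. Rejected: blank, any control character (CR/LF would allow
	 * response-header injection), "//..." / "/\..." / "\..." (treated as
	 * protocol-relative by browsers) and anything with a scheme, i.e. a ':'
	 * before the first '/', '?' or '#'.
	 */
	static String localPathOrNull(String url) {
		if (url == null) {
			return null;
		}
		String u = url.trim();
		int n = u.length();
		if (n == 0) {
			return null;
		}
		for (int i = 0; i < n; i++) {
			char c = u.charAt(i);
			if (c < ' ' || c == 0x7f) {
				return null;
			}
		}
		if (u.startsWith("//") || u.startsWith("/\\") || u.startsWith("\\")) {
			return null;
		}
		for (int i = 0; i < n; i++) {
			char c = u.charAt(i);
			if (c == '/' || c == '?' || c == '#') {
				break;
			}
			if (c == ':') {
				return null;
			}
		}
		return u;
	}

	/**
	 * Compares two strings without stopping at the first mismatch, so the
	 * time taken does not reveal how many leading characters of the stored
	 * hash a guess matched; only a length difference is observable. A
	 * {@code null} on either side compares unequal instead of throwing.
	 */
	static boolean constantTimeEquals(String a, String b) {
		if (a == null || b == null) {
			return false;
		}
		int la = a.length();
		int lb = b.length();
		int longest = la > lb ? la : lb;
		int diff = la ^ lb;
		for (int i = 0; i < longest; i++) {
			int ca = i < la ? a.charAt(i) : 0;
			int cb = i < lb ? b.charAt(i) : 0;
			diff |= ca ^ cb;
		}
		return diff == 0;
	}

	/**
	 * Ends the current session and sends the browser to the application
	 * root. Uses {@code getSession(false)} so a request without a session
	 * does not get one created just to be invalidated; {@code invalidate()}
	 * already drops every attribute, the explicit removals only document
	 * which ones matter.
	 */
	public Object logout(HttpServletRequest request,
			HttpServletResponse response, ActionServlet servlet) {
		HttpSession session = request.getSession(false);
		if (session != null) {
			session.removeAttribute(AuthFilter.AUTHORIZATION_PROVIDER);
			session.removeAttribute(MenuFilter.MENU_ATTRIBUTE);
			session.invalidate();
		}
		return new SimpleRedirect(request.getContextPath(), "Logged out");
	}

}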
|