001: /* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
002: *
003: * Licensed under the Apache License, Version 2.0 (the "License");
004: * you may not use this file except in compliance with the License.
005: * You may obtain a copy of the License at
006: *
007: * http://www.apache.org/licenses/LICENSE-2.0
008: *
009: * Unless required by applicable law or agreed to in writing, software
010: * distributed under the License is distributed on an "AS IS" BASIS,
011: * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
012: * See the License for the specific language governing permissions and
013: * limitations under the License.
014: */
015:
016: package org.acegisecurity.wrapper;
017:
018: import org.acegisecurity.Authentication;
019: import org.acegisecurity.AuthenticationTrustResolver;
020: import org.acegisecurity.AuthenticationTrustResolverImpl;
021:
022: import org.acegisecurity.context.SecurityContextHolder;
023:
024: import org.acegisecurity.userdetails.UserDetails;
025: import org.acegisecurity.util.PortResolver;
026:
027: import java.security.Principal;
028:
029: import javax.servlet.http.HttpServletRequest;
030: import javax.servlet.http.HttpServletRequestWrapper;
031:
032: /**
033: * An Acegi Security-aware <code>HttpServletRequestWrapper</code>, which uses the
034: * <code>SecurityContext</code>-defined <code>Authentication</code> object for {@link
035: * SecurityContextHolderAwareRequestWrapper#isUserInRole(java.lang.String)} and {@link
036: * javax.servlet.http.HttpServletRequestWrapper#getRemoteUser()} responses.
037: *
038: * @author Orlando Garcia Carmona
039: * @author Ben Alex
040: * @version $Id: SecurityContextHolderAwareRequestWrapper.java 1859 2007-05-24 23:20:40Z vishalpuri $
041: */
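public class SecurityContextHolderAwareRequestWrapper extends
    HttpServletRequestWrapper {
    //~ Instance fields ================================================================================================

    /**
     * Decides whether the <code>Authentication</code> found in the <code>SecurityContextHolder</code> is an
     * anonymous one. Anonymous authentications are treated by this wrapper as "no user" (see
     * {@link #getAuthentication()}).
     */
    private final AuthenticationTrustResolver authenticationTrustResolver = new AuthenticationTrustResolverImpl();

    //~ Constructors ===================================================================================================

    /**
     * Creates a wrapper around the given request.
     *
     * @param request the request to wrap; handed to the superclass
     * @param portResolver accepted for signature compatibility only; this class does not use it
     */
    public SecurityContextHolderAwareRequestWrapper(
        HttpServletRequest request, PortResolver portResolver) {
        super(request);
    }

    //~ Methods ========================================================================================================

    /**
     * Obtain the current active <code>Authentication</code>.
     *
     * <p>An anonymous <code>Authentication</code> (as judged by the configured
     * {@link AuthenticationTrustResolver}) is deliberately reported as <code>null</code>, so that an
     * anonymous visitor is never exposed as a remote user and is never granted a role.</p>
     *
     * @return the authentication object or <code>null</code> if there is none or it is anonymous
     */
    private Authentication getAuthentication() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();

        // An anonymous token must not look like a logged-in user to the web tier
        if (authenticationTrustResolver.isAnonymous(auth)) {
            return null;
        }

        return auth;
    }

    /**
     * Returns the principal's name, as obtained from the <code>SecurityContextHolder</code>. Properly handles
     * both <code>String</code>-based and <code>UserDetails</code>-based principals.
     *
     * @return the username or <code>null</code> if unavailable (no authentication, anonymous, or
     *         <code>null</code> principal)
     */
    public String getRemoteUser() {
        Authentication auth = getAuthentication();

        if (auth == null) {
            return null;
        }

        // Read the principal once; it is consulted up to three times below
        Object principal = auth.getPrincipal();

        if (principal == null) {
            return null;
        }

        if (principal instanceof UserDetails) {
            return ((UserDetails) principal).getUsername();
        }

        return principal.toString();
    }

    /**
     * Returns the <code>Authentication</code> (which is a subclass of <code>Principal</code>), or
     * <code>null</code> if unavailable.
     *
     * <p>Note that the whole <code>Authentication</code> object is handed to the caller, not just a name; any code
     * that consumes <code>getUserPrincipal()</code> therefore sees everything that object carries.</p>
     *
     * @return the <code>Authentication</code>, or <code>null</code> if there is no (non-anonymous)
     *         authentication or its principal is <code>null</code>
     */
    public Principal getUserPrincipal() {
        Authentication auth = getAuthentication();

        if ((auth == null) || (auth.getPrincipal() == null)) {
            return null;
        }

        return auth;
    }

    /**
     * Checks whether the current (non-anonymous) <code>Authentication</code> holds a granted authority whose
     * {@link org.acegisecurity.GrantedAuthority#getAuthority()} string equals <code>role</code> exactly.
     *
     * @param role the authority string to look for; <code>null</code> never matches
     *
     * @return <code>true</code> only on an exact, case-sensitive match; <code>false</code> when there is no
     *         usable authentication, no principal, no authorities array, or no matching entry
     */
    private boolean isGranted(String role) {
        // A container may ask about a null role; nothing can match it, so answer false rather than throw NPE
        if (role == null) {
            return false;
        }

        Authentication auth = getAuthentication();

        if ((auth == null) || (auth.getPrincipal() == null)
            || (auth.getAuthorities() == null)) {
            return false;
        }

        for (int i = 0; i < auth.getAuthorities().length; i++) {
            // Skip null slots so a sparse authorities array cannot abort the check with an NPE
            if ((auth.getAuthorities()[i] != null)
                && role.equals(auth.getAuthorities()[i].getAuthority())) {
                return true;
            }
        }

        return false;
    }

    /**
     * Simple search for an exactly matching {@link org.acegisecurity.GrantedAuthority#getAuthority()}.<p>Will
     * always return <code>false</code> if the <code>SecurityContextHolder</code> contains an
     * <code>Authentication</code> with <code>null</code><code>principal</code> and/or <code>GrantedAuthority[]</code>
     * objects, if the <code>Authentication</code> is anonymous, or if <code>role</code> is <code>null</code>.</p>
     *
     * <p>No prefix mapping or case folding is applied: the <code>role</code> string must equal the stored authority
     * string character for character.</p>
     *
     * @param role the <code>GrantedAuthority</code><code>String</code> representation to check for
     *
     * @return <code>true</code> if an <b>exact</b> (case sensitive) matching granted authority is located,
     * <code>false</code> otherwise
     */
    public boolean isUserInRole(String role) {
        return isGranted(role);
    }
}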
|