001: /*
002: * $Id: RolesInterceptor.java 478625 2006-11-23 17:31:52Z wsmoak $
003: *
004: * Licensed to the Apache Software Foundation (ASF) under one
005: * or more contributor license agreements. See the NOTICE file
006: * distributed with this work for additional information
007: * regarding copyright ownership. The ASF licenses this file
008: * to you under the Apache License, Version 2.0 (the
009: * "License"); you may not use this file except in compliance
010: * with the License. You may obtain a copy of the License at
011: *
012: * http://www.apache.org/licenses/LICENSE-2.0
013: *
014: * Unless required by applicable law or agreed to in writing,
015: * software distributed under the License is distributed on an
016: * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
017: * KIND, either express or implied. See the License for the
018: * specific language governing permissions and limitations
019: * under the License.
020: */
021: package org.apache.struts2.interceptor;
022:
023: import java.util.ArrayList;
024: import java.util.Arrays;
025: import java.util.Collections;
026: import java.util.List;
027:
028: import javax.servlet.http.HttpServletRequest;
029: import javax.servlet.http.HttpServletResponse;
030:
031: import com.opensymphony.xwork2.ActionInvocation;
032: import com.opensymphony.xwork2.interceptor.AbstractInterceptor;
033:
034: import org.apache.struts2.ServletActionContext;
035:
036: /**
037: * <!-- START SNIPPET: description --> This interceptor ensures that the action
038: * will only be executed if the user has the correct role. <!--
039: * END SNIPPET: description -->
040: *
041: * <p/> <u>Interceptor parameters:</u>
042: *
043: * <!-- START SNIPPET: parameters -->
044: *
045: * <ul>
046: *
047: * <li>allowedRoles - a comma-separated list of roles to allow</li>
048: *
049: * <li>disallowedRoles - a comma-separated list of roles to disallow</li>
050: *
051: * </ul>
052: *
053: * <!-- END SNIPPET: parameters -->
054: *
055: * <!-- START SNIPPET: extending --> There are two extensions to the
056: * existing interceptor:
057: * <ul>
058: * <li>isAllowed(HttpServletRequest,Object) - whether or not to allow
059: * the passed action execution with this request</li>
060: * <li>handleRejection(ActionInvocation,HttpServletResponse) - handles an unauthorized
061: * request.</li>
062: * </ul>
063: * <!-- END SNIPPET: extending -->
064: *
065: * <pre>
066: * <!-- START SNIPPET: example -->
067: * <!-- only allows the admin and member roles -->
068: * <action name="someAction" class="com.examples.SomeAction">
069: * <interceptor-ref name="completeStack"/>
070: * <interceptor-ref name="roles">
071: * <param name="allowedRoles">admin,member</param>
072: * </interceptor-ref>
073: * <result name="success">good_result.ftl</result>
074: * </action>
075: * <!-- END SNIPPET: example -->
076: * </pre>
077: */
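public class RolesInterceptor extends AbstractInterceptor {

    /** Roles of which the user must hold at least one; an empty list imposes no restriction. */
    private List<String> allowedRoles = new ArrayList<String>();

    /** Roles any one of which causes the request to be rejected; an empty list imposes no restriction. */
    private List<String> disallowedRoles = new ArrayList<String>();

    /**
     * Sets the roles that may execute the action.
     *
     * @param roles a comma-separated list of role names; {@code null} clears the list
     */
    public void setAllowedRoles(String roles) {
        this.allowedRoles = stringToList(roles);
    }

    /**
     * Sets the roles that may not execute the action.
     *
     * @param roles a comma-separated list of role names; {@code null} clears the list
     */
    public void setDisallowedRoles(String roles) {
        this.disallowedRoles = stringToList(roles);
    }

    /**
     * Invokes the action only when {@link #isAllowed} accepts the current request;
     * otherwise the invocation is handed to {@link #handleRejection} and the action
     * is never executed.
     *
     * @param invocation the current action invocation
     * @return the action's result code, or whatever {@code handleRejection} returns
     * @throws Exception if the action or the rejection handler throws
     */
    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        HttpServletRequest request = ServletActionContext.getRequest();
        HttpServletResponse response = ServletActionContext.getResponse();
        if (!isAllowed(request, invocation.getAction())) {
            return handleRejection(invocation, response);
        }
        return invocation.invoke();
    }

    /**
     * Splits a comma-separated string into a list of role names.
     *
     * <p>Only spaces adjacent to the commas are stripped; other whitespace is kept
     * as part of the role name. An empty string is not treated as "no roles": it
     * yields a single {@code ""} entry, which counts as a configured role (and, for
     * {@code allowedRoles}, one the container will presumably never grant). Callers
     * that want no restriction should pass {@code null}.
     *
     * @param val the comma-separated list, may be {@code null}
     * @return the role names in order; an immutable empty list for {@code null}
     */
    protected List<String> stringToList(String val) {
        if (val == null) {
            return Collections.<String>emptyList();
        }
        return Arrays.asList(val.split("[ ]*,[ ]*"));
    }

    /**
     * Determines if the request should be allowed for the action.
     *
     * <p>Denial takes precedence: a user who holds any disallowed role is rejected
     * even if an allowed role also matches. When no disallowed role matches, the
     * request is accepted if {@code allowedRoles} is empty or the user holds at
     * least one of the allowed roles. (Previously {@code disallowedRoles} was only
     * consulted when {@code allowedRoles} was empty, so configuring both silently
     * ignored the deny list.)
     *
     * @param request The request
     * @param action The action object; unused here, available to subclasses
     * @return True if allowed, false otherwise
     */
    protected boolean isAllowed(HttpServletRequest request, Object action) {
        for (String role : disallowedRoles) {
            if (request.isUserInRole(role)) {
                return false;
            }
        }
        if (allowedRoles.isEmpty()) {
            return true;
        }
        for (String role : allowedRoles) {
            if (request.isUserInRole(role)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Handles a rejection by sending a 403 HTTP error.
     *
     * @param invocation The invocation
     * @param response The response the error status is written to
     * @return The result code; {@code null}, since the response is already committed
     * @throws Exception if writing the error response fails
     */
    protected String handleRejection(ActionInvocation invocation,
            HttpServletResponse response) throws Exception {
        response.sendError(HttpServletResponse.SC_FORBIDDEN);
        return null;
    }
}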