|
1 |
| package photospace.web.security; |
|
2 |
| |
|
3 |
| import java.io.*; |
|
4 |
| import java.util.*; |
|
5 |
| import javax.servlet.*; |
|
6 |
| import javax.servlet.http.*; |
|
7 |
| import org.apache.commons.logging.*; |
|
8 |
| import net.sf.acegisecurity.context.*; |
|
9 |
| import net.sf.acegisecurity.*; |
|
10 |
| |
|
11 |
| public class ContributorFilter |
|
12 |
| implements Filter |
|
13 |
| { |
|
14 |
| private static final Log log = LogFactory.getLog(ContributorFilter.class); |
|
15 |
| |
|
16 |
| protected static final GrantedAuthority CONTRIBUTOR = new GrantedAuthorityImpl("ROLE_CONTRIBUTOR"); |
|
17 |
| protected static final GrantedAuthority ADMIN = new GrantedAuthorityImpl("ROLE_ADMIN"); |
|
18 |
| |
|
19 |
0
| public void init(FilterConfig config)
|
|
20 |
| { |
|
21 |
| } |
|
22 |
| |
|
23 |
7
| public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
|
|
24 |
| throws IOException, ServletException |
|
25 |
| { |
|
26 |
7
| HttpServletRequest request = (HttpServletRequest) servletRequest;
|
|
27 |
7
| HttpServletResponse response = (HttpServletResponse) servletResponse;
|
|
28 |
| |
|
29 |
7
| SecureContext context = (SecureContext) ContextHolder.getContext();
|
|
30 |
7
| if (context == null)
|
|
31 |
| { |
|
32 |
1
| response.sendError(HttpServletResponse.SC_FORBIDDEN, "Sorry, you're not allowed to do that.");
|
|
33 |
1
| return;
|
|
34 |
| } |
|
35 |
6
| Authentication auth = context.getAuthentication();
|
|
36 |
6
| List authorities = Arrays.asList(auth.getAuthorities());
|
|
37 |
| |
|
38 |
6
| if (authorities.contains(CONTRIBUTOR) && isPermittedContributor(auth.getName(), authorities, request))
|
|
39 |
| { |
|
40 |
3
| filterChain.doFilter(request, response);
|
|
41 |
| } |
|
42 |
| else |
|
43 |
| { |
|
44 |
3
| log.warn(auth.getName() + " forbidden access to " + request.getPathInfo());
|
|
45 |
3
| response.sendError(HttpServletResponse.SC_FORBIDDEN, "Sorry, you're not allowed to do that.");
|
|
46 |
3
| return;
|
|
47 |
| } |
|
48 |
| } |
|
49 |
| |
|
50 |
5
| private boolean isPermittedContributor(String username, List authorities, HttpServletRequest request)
|
|
51 |
| { |
|
52 |
1
| if (authorities.contains(ADMIN)) return true;
|
|
53 |
| |
|
54 |
0
| if (request.getPathInfo() == null) return false;
|
|
55 |
0
| if (request.getPathInfo().equals("/" + username)) return true;
|
|
56 |
1
| if (isUserPath(request.getPathInfo(), username)) return true;
|
|
57 |
1
| if (!request.getPathInfo().startsWith("/admin/")) return false;
|
|
58 |
| |
|
59 |
2
| String path = request.getParameter("path");
|
|
60 |
2
| if (path != null)
|
|
61 |
| { |
|
62 |
0
| if (!isUserPath(path, username)) return false;
|
|
63 |
| } |
|
64 |
| |
|
65 |
2
| String[] paths = request.getParameterValues("paths");
|
|
66 |
2
| if (paths != null)
|
|
67 |
| { |
|
68 |
2
| for (int i = 0; i < paths.length; i++)
|
|
69 |
| { |
|
70 |
1
| if (!isUserPath(paths[i], username)) return false;
|
|
71 |
| } |
|
72 |
| } |
|
73 |
| |
|
74 |
1
| return true;
|
|
75 |
| } |
|
76 |
| |
|
77 |
9
| private boolean isUserPath(String path, String username)
|
|
78 |
| { |
|
79 |
0
| if (path == null) return false;
|
|
80 |
0
| if (username == null) return false;
|
|
81 |
| |
|
82 |
9
| return path.startsWith("/" + username + "/");
|
|
83 |
| } |
|
84 |
| |
|
85 |
0
| public void destroy() {}
|
|
86 |
| } |
