Classes in this File | Line Coverage | Branch Coverage | Complexity | ||||
PrivateBlogSecurityInterceptor |
|
| 1.5;1.5 |
1 | /* | |
2 | * Copyright (c) 2003-2011, Simon Brown | |
3 | * All rights reserved. | |
4 | * | |
5 | * Redistribution and use in source and binary forms, with or without | |
6 | * modification, are permitted provided that the following conditions are met: | |
7 | * | |
8 | * - Redistributions of source code must retain the above copyright | |
9 | * notice, this list of conditions and the following disclaimer. | |
10 | * | |
11 | * - Redistributions in binary form must reproduce the above copyright | |
12 | * notice, this list of conditions and the following disclaimer in | |
13 | * the documentation and/or other materials provided with the | |
14 | * distribution. | |
15 | * | |
16 | * - Neither the name of Pebble nor the names of its contributors may | |
17 | * be used to endorse or promote products derived from this software | |
18 | * without specific prior written permission. | |
19 | * | |
20 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" | |
21 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
22 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | |
23 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE | |
24 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR | |
25 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF | |
26 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS | |
27 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN | |
28 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | |
29 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | |
30 | * POSSIBILITY OF SUCH DAMAGE. | |
31 | */ | |
32 | package net.sourceforge.pebble.security; | |
33 | ||
34 | import org.springframework.security.access.SecurityMetadataSource; | |
35 | import org.springframework.security.access.intercept.AbstractSecurityInterceptor; | |
36 | import org.springframework.security.access.intercept.InterceptorStatusToken; | |
37 | import org.springframework.security.web.FilterInvocation; | |
38 | ||
39 | import javax.servlet.*; | |
40 | import java.io.IOException; | |
41 | ||
42 | /** | |
43 | * Specialised FilterSecurityInterceptor that returns its own type of | |
44 | * ObjectDefinitionSource. This is acopy-paste job from Acegi's | |
45 | * FilterSecurityInterceptor. :-( | |
46 | * | |
47 | * @author Simon Brown | |
48 | */ | |
49 | 0 | public class PrivateBlogSecurityInterceptor extends AbstractSecurityInterceptor implements Filter { |
50 | ||
51 | private static final String FILTER_APPLIED = "__spring_security_privateBlogSecurityInterceptor_filterApplied"; | |
52 | ||
53 | //~ Instance fields ================================================================================================ | |
54 | ||
55 | 0 | private boolean observeOncePerRequest = true; |
56 | ||
57 | //~ Methods ======================================================================================================== | |
58 | ||
59 | /** | |
60 | * Not used (we rely on IoC container lifecycle services instead) | |
61 | */ | |
62 | 0 | public void destroy() {} |
63 | ||
64 | /** | |
65 | * Method that is actually called by the filter chain. Simply delegates to the {@link | |
66 | * #invoke(FilterInvocation)} method. | |
67 | * | |
68 | * @param request the servlet request | |
69 | * @param response the servlet response | |
70 | * @param chain the filter chain | |
71 | * | |
72 | * @throws IOException if the filter chain fails | |
73 | * @throws ServletException if the filter chain fails | |
74 | */ | |
75 | public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) | |
76 | throws IOException, ServletException { | |
77 | 0 | FilterInvocation fi = new FilterInvocation(request, response, chain); |
78 | 0 | invoke(fi); |
79 | 0 | } |
80 | ||
81 | public Class getSecureObjectClass() { | |
82 | 0 | return FilterInvocation.class; |
83 | } | |
84 | ||
85 | /** | |
86 | * Not used (we rely on IoC container lifecycle services instead) | |
87 | * | |
88 | * @param arg0 ignored | |
89 | * | |
90 | * @throws ServletException never thrown | |
91 | */ | |
92 | 0 | public void init(FilterConfig arg0) throws ServletException {} |
93 | ||
94 | public void invoke(FilterInvocation fi) throws IOException, ServletException { | |
95 | 0 | if ((fi.getRequest() != null) && (fi.getRequest().getAttribute(FILTER_APPLIED) != null) |
96 | && observeOncePerRequest) { | |
97 | // filter already applied to this request and user wants us to observce | |
98 | // once-per-request handling, so don't re-do security checking | |
99 | 0 | fi.getChain().doFilter(fi.getRequest(), fi.getResponse()); |
100 | } else { | |
101 | // first time this request being called, so perform security checking | |
102 | 0 | if (fi.getRequest() != null) { |
103 | 0 | fi.getRequest().setAttribute(FILTER_APPLIED, Boolean.TRUE); |
104 | } | |
105 | ||
106 | 0 | InterceptorStatusToken token = super.beforeInvocation(fi); |
107 | ||
108 | try { | |
109 | 0 | fi.getChain().doFilter(fi.getRequest(), fi.getResponse()); |
110 | } finally { | |
111 | 0 | super.afterInvocation(token, null); |
112 | 0 | } |
113 | } | |
114 | 0 | } |
115 | ||
116 | /** | |
117 | * Indicates whether once-per-request handling will be observed. By default this is <code>true</code>, | |
118 | * meaning the <code>FilterSecurityInterceptor</code> will only execute once-per-request. Sometimes users may wish | |
119 | * it to execute more than once per request, such as when JSP forwards are being used and filter security is | |
120 | * desired on each included fragment of the HTTP request. | |
121 | * | |
122 | * @return <code>true</code> (the default) if once-per-request is honoured, otherwise <code>false</code> if | |
123 | * <code>FilterSecurityInterceptor</code> will enforce authorizations for each and every fragment of the | |
124 | * HTTP request. | |
125 | */ | |
126 | public boolean isObserveOncePerRequest() { | |
127 | 0 | return observeOncePerRequest; |
128 | } | |
129 | ||
130 | public void setObserveOncePerRequest(boolean observeOncePerRequest) { | |
131 | 0 | this.observeOncePerRequest = observeOncePerRequest; |
132 | 0 | } |
133 | ||
134 | @Override | |
135 | public SecurityMetadataSource obtainSecurityMetadataSource() { | |
136 | 0 | return new PrivateBlogSecurityMetadataSource(); |
137 | } | |
138 | } |