Coverage Report - net.sourceforge.pebble.security.PrivateBlogSecurityMetadataSource
 
 /*
  * Copyright (c) 2003-2011, Simon Brown
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are met:
  *
  *   - Redistributions of source code must retain the above copyright
  *     notice, this list of conditions and the following disclaimer.
  *
  *   - Redistributions in binary form must reproduce the above copyright
  *     notice, this list of conditions and the following disclaimer in
  *     the documentation and/or other materials provided with the
  *     distribution.
  *
  *   - Neither the name of Pebble nor the names of its contributors may
  *     be used to endorse or promote products derived from this software
  *     without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
  * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE.
  */
 package net.sourceforge.pebble.security;
 
 import net.sourceforge.pebble.Constants;
 import net.sourceforge.pebble.domain.AbstractBlog;
 import net.sourceforge.pebble.domain.Blog;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.springframework.security.access.ConfigAttribute;
 import org.springframework.security.access.SecurityMetadataSource;
 import org.springframework.security.web.FilterInvocation;
 
 import javax.servlet.http.HttpServletRequest;
 import java.util.*;
 
 /**
  * Bespoke FilterInvocationDefinitionSource that holds a mapping between blog
  * IDs and the roles that can access them. This is used when blog owners mark
  * their blog as "private", which forces authentication before the content
  * can be accessed. This implementation allows mappings to be removed
  * and added at runtime, making it possible to make blogs private
  * without restarting the web/application server.
  *
  * @author Simon Brown
  */
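 public class PrivateBlogSecurityMetadataSource implements SecurityMetadataSource {

   private static final Log log = LogFactory.getLog(PrivateBlogSecurityMetadataSource.class);

   /**
    * Returns the security attributes that apply to the given request, or
    * <code>null</code> if none apply from this source.
    *
    * <p>The decision is made per call from two request attributes:
    * {@link Constants#INTERNAL_URI} (used to exempt the login page, secure
    * actions and static resources) and {@link Constants#BLOG_KEY} (the blog
    * being served). A single {@link PrivateBlogConfigAttributeDefinition} is
    * returned only when the request resolves to a {@link Blog} whose list of
    * blog readers is non-empty.</p>
    *
    * <p>If the internal URI attribute is missing, no exemption is applied and
    * the blog reader check still runs, so a request without that attribute is
    * never treated as exempt.</p>
    *
    * @param object the object being secured; must be a {@link FilterInvocation}
    * @return the attributes that apply to the passed object, or <code>null</code>
    * @throws IllegalArgumentException if the passed object is <code>null</code> or
    *                                  is not a {@link FilterInvocation}
    */
   public Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException {
     if ((object == null) || !this.supports(object.getClass())) {
         throw new IllegalArgumentException("Object must be a FilterInvocation");
     }

     HttpServletRequest request = ((FilterInvocation)object).getHttpRequest();
     String uri = (String)request.getAttribute(Constants.INTERNAL_URI);
     if (uri == null) {
       // Previously this dereferenced a null URI and failed with a
       // NullPointerException. Skip the exemptions instead and fall through
       // to the blog reader check below.
       log.warn("No internal URI on request; private blog check applied without exemptions");
     } else if (isExemptFromPrivateBlogCheck(uri)) {
       return null;
     }

     // Same request as above; the original fetched it a second time.
     AbstractBlog ab = (AbstractBlog)request.getAttribute(Constants.BLOG_KEY);
     if (ab instanceof Blog) {
       Blog blog = (Blog)ab;
       List<String> blogReaders = blog.getBlogReaders();
       // A non-empty reader list is what marks the blog as restricted here.
       if (blogReaders != null && !blogReaders.isEmpty()) {
         return Arrays.<ConfigAttribute>asList(new PrivateBlogConfigAttributeDefinition(blog));
       }
     }

     return null;
   }

   /**
    * Tells whether the given internal URI is excluded from the private blog
    * check (login page, secure actions, themes, scripts and other static
    * resources).
    *
    * <p>NOTE(review): matching is by plain prefix, suffix or equality on the
    * internal URI. Anything served under these prefixes, or whose internal URI
    * ends in one of these suffixes, bypasses the blog reader check. Confirm
    * that the internal URI is set server-side from a normalised path, and that
    * <code>.secureaction</code> URIs are protected by another rule. Neither is
    * visible in this class.</p>
    *
    * @param uri the internal URI of the request, never <code>null</code>
    * @return true if no private blog attributes should be applied to the URI
    */
   private static boolean isExemptFromPrivateBlogCheck(String uri) {
     return uri.endsWith("loginPage.action") ||
         uri.endsWith(".secureaction") ||
         uri.startsWith("/themes/") ||
         uri.startsWith("/scripts/") ||
         uri.startsWith("/common/") ||
         uri.startsWith("/dwr/") ||
         uri.equals("/robots.txt") ||
         uri.equals("/pebble.css") ||
         uri.equals("/favicon.ico") ||
         uri.startsWith("/FCKeditor/");
   }

   /**
    * Returns all attributes defined by this source, if available. This
    * implementation does not enumerate them and always returns <code>null</code>.
    *
    * @return always <code>null</code>
    */
   public Collection<ConfigAttribute> getAllConfigAttributes() {
     return null;
   }

   /**
    * Indicates whether this source can provide attributes for the indicated
    * secure object type. Only {@link FilterInvocation} and its subtypes are
    * supported.
    *
    * @param clazz the class that is being queried
    * @return true if <code>clazz</code> is assignable to {@link FilterInvocation}
    */
   public boolean supports(Class<?> clazz) {
     return FilterInvocation.class.isAssignableFrom(clazz);
   }
 }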