Coverage Report

Coverage Report - net.sourceforge.pebble.security.PrivateBlogSecurityMetadataSource

Classes in this File

0/17

0/30

 /*
  * Copyright (c) 2003-2011, Simon Brown
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are met:
  *
  *   - Redistributions of source code must retain the above copyright
  *     notice, this list of conditions and the following disclaimer.
  *
  *   - Redistributions in binary form must reproduce the above copyright
  *     notice, this list of conditions and the following disclaimer in
  *     the documentation and/or other materials provided with the
  *     distribution.
  *
  *   - Neither the name of Pebble nor the names of its contributors may
  *     be used to endorse or promote products derived from this software
  *     without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
  * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE.
  */
 package net.sourceforge.pebble.security;
 
 import net.sourceforge.pebble.Constants;
 import net.sourceforge.pebble.domain.AbstractBlog;
 import net.sourceforge.pebble.domain.Blog;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.springframework.security.access.ConfigAttribute;
 import org.springframework.security.access.SecurityMetadataSource;
 import org.springframework.security.web.FilterInvocation;
 
 import javax.servlet.http.HttpServletRequest;
 import java.util.*;
 
 /**
  * Bespoke FilterInvocationDefinitionSource that holds a mapping between blog
  * IDs and the roles that can access them. This is used when blog owners mark
  * their blog as "private", which forces authentication before the content
  * can be accessed. This implementation allows mappings to be removed
  * and added at runtime, making it possible to make blogs private
  * without restarting the web/application server.
  *
  * @author Simon Brown
  */
 public class PrivateBlogSecurityMetadataSource implements SecurityMetadataSource {
 
   private static final Log log = LogFactory.getLog(PrivateBlogSecurityMetadataSource.class);
 
 
   /**
    * Accesses the <code>ConfigAttributeDefinition</code> that applies to a given secure object.<P>Returns
    * <code>null</code> if no <code>ConfigAttribiteDefinition</code> applies.</p>
    *
    * @param object the object being secured
    * @return the <code>ConfigAttributeDefinition</code> that applies to the passed object
    * @throws IllegalArgumentException if the passed object is not of a type supported by the
    *                                  <code>ObjectDefinitionSource</code> implementation
    */
   public Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException {
     if ((object == null) || !this.supports(object.getClass())) {
         throw new IllegalArgumentException("Object must be a FilterInvocation");
     }
 
     HttpServletRequest request = ((FilterInvocation)object).getHttpRequest();
     String uri = (String)request.getAttribute(Constants.INTERNAL_URI);
     if (
         uri.endsWith("loginPage.action") ||
         uri.endsWith(".secureaction") ||
         uri.startsWith("/themes/") ||
         uri.startsWith("/scripts/") ||
         uri.startsWith("/common/") ||
         uri.startsWith("/dwr/") ||
         uri.equals("/robots.txt") ||
         uri.equals("/pebble.css") ||
         uri.equals("/favicon.ico") ||
         uri.startsWith("/FCKeditor/")
         ) {
       return null;
     }
     
     AbstractBlog ab = (AbstractBlog)((FilterInvocation)object).getHttpRequest().getAttribute(Constants.BLOG_KEY);
     if (ab instanceof Blog) {
       Blog blog = (Blog)ab;
       List<String> blogReaders = blog.getBlogReaders();
       if (blogReaders != null && blogReaders.size() > 0) {
         return Arrays.<ConfigAttribute>asList(new PrivateBlogConfigAttributeDefinition(blog));
       }
     }
 
     return null;
   }
 
   /**
    * If available, all of the <code>ConfigAttributeDefinition</code>s defined by the implementing class.<P>This
    * is used by the {@link org.springframework.security.access.intercept.AbstractSecurityInterceptor} to perform startup time validation of each
    * <code>ConfigAttribute</code> configured against it.</p>
    *
    * @return an iterator over all the <code>ConfigAttributeDefinition</code>s or <code>null</code> if unsupported
    */
   public Collection<ConfigAttribute> getAllConfigAttributes() {
     return null;
   }
 
   /**
    * Indicates whether the <code>ObjectDefinitionSource</code> implementation is able to provide
    * <code>ConfigAttributeDefinition</code>s for the indicated secure object type.
    *
    * @param clazz the class that is being queried
    * @return true if the implementation can process the indicated class
    */
   public boolean supports(Class clazz) {
     return FilterInvocation.class.isAssignableFrom(clazz);
   }
 }

1		/*
2		* Copyright (c) 2003-2011, Simon Brown
3		* All rights reserved.
4		*
5		* Redistribution and use in source and binary forms, with or without
6		* modification, are permitted provided that the following conditions are met:
7		*
8		* - Redistributions of source code must retain the above copyright
9		* notice, this list of conditions and the following disclaimer.
10		*
11		* - Redistributions in binary form must reproduce the above copyright
12		* notice, this list of conditions and the following disclaimer in
13		* the documentation and/or other materials provided with the
14		* distribution.
15		*
16		* - Neither the name of Pebble nor the names of its contributors may
17		* be used to endorse or promote products derived from this software
18		* without specific prior written permission.
19		*
20		* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21		* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22		* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23		* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
24		* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
25		* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
26		* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
27		* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
28		* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29		* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
30		* POSSIBILITY OF SUCH DAMAGE.
31		*/
32		package net.sourceforge.pebble.security;
33
34		import net.sourceforge.pebble.Constants;
35		import net.sourceforge.pebble.domain.AbstractBlog;
36		import net.sourceforge.pebble.domain.Blog;
37		import org.apache.commons.logging.Log;
38		import org.apache.commons.logging.LogFactory;
39		import org.springframework.security.access.ConfigAttribute;
40		import org.springframework.security.access.SecurityMetadataSource;
41		import org.springframework.security.web.FilterInvocation;
42
43		import javax.servlet.http.HttpServletRequest;
44		import java.util.*;
45
46		/**
47		* Bespoke FilterInvocationDefinitionSource that holds a mapping between blog
48		* IDs and the roles that can access them. This is used when blog owners mark
49		* their blog as "private", which forces authentication before the content
50		* can be accessed. This implementation allows mappings to be removed
51		* and added at runtime, making it possible to make blogs private
52		* without restarting the web/application server.
53		*
54		* @author Simon Brown
55		*/
56	0	public class PrivateBlogSecurityMetadataSource implements SecurityMetadataSource {
57
58	0	private static final Log log = LogFactory.getLog(PrivateBlogSecurityMetadataSource.class);
59
60
61		/**
62		* Accesses the <code>ConfigAttributeDefinition</code> that applies to a given secure object.<P>Returns
63		* <code>null</code> if no <code>ConfigAttribiteDefinition</code> applies.</p>
64		*
65		* @param object the object being secured
66		* @return the <code>ConfigAttributeDefinition</code> that applies to the passed object
67		* @throws IllegalArgumentException if the passed object is not of a type supported by the
68		* <code>ObjectDefinitionSource</code> implementation
69		*/
70		public Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException {
71	0	if ((object == null) \|\| !this.supports(object.getClass())) {
72	0	throw new IllegalArgumentException("Object must be a FilterInvocation");
73		}
74
75	0	HttpServletRequest request = ((FilterInvocation)object).getHttpRequest();
76	0	String uri = (String)request.getAttribute(Constants.INTERNAL_URI);
77	0	if (
78		uri.endsWith("loginPage.action") \|\|
79		uri.endsWith(".secureaction") \|\|
80		uri.startsWith("/themes/") \|\|
81		uri.startsWith("/scripts/") \|\|
82		uri.startsWith("/common/") \|\|
83		uri.startsWith("/dwr/") \|\|
84		uri.equals("/robots.txt") \|\|
85		uri.equals("/pebble.css") \|\|
86		uri.equals("/favicon.ico") \|\|
87		uri.startsWith("/FCKeditor/")
88		) {
89	0	return null;
90		}
91
92	0	AbstractBlog ab = (AbstractBlog)((FilterInvocation)object).getHttpRequest().getAttribute(Constants.BLOG_KEY);
93	0	if (ab instanceof Blog) {
94	0	Blog blog = (Blog)ab;
95	0	List<String> blogReaders = blog.getBlogReaders();
96	0	if (blogReaders != null && blogReaders.size() > 0) {
97	0	return Arrays.<ConfigAttribute>asList(new PrivateBlogConfigAttributeDefinition(blog));
98		}
99		}
100
101	0	return null;
102		}
103
104		/**
105		* If available, all of the <code>ConfigAttributeDefinition</code>s defined by the implementing class.<P>This
106		* is used by the {@link org.springframework.security.access.intercept.AbstractSecurityInterceptor} to perform startup time validation of each
107		* <code>ConfigAttribute</code> configured against it.</p>
108		*
109		* @return an iterator over all the <code>ConfigAttributeDefinition</code>s or <code>null</code> if unsupported
110		*/
111		public Collection<ConfigAttribute> getAllConfigAttributes() {
112	0	return null;
113		}
114
115		/**
116		* Indicates whether the <code>ObjectDefinitionSource</code> implementation is able to provide
117		* <code>ConfigAttributeDefinition</code>s for the indicated secure object type.
118		*
119		* @param clazz the class that is being queried
120		* @return true if the implementation can process the indicated class
121		*/
122		public boolean supports(Class clazz) {
123	0	return FilterInvocation.class.isAssignableFrom(clazz);
124		}
125		}