authenticatedaction.java

这是linux下ssl vpn的实现程序

/*
 *  SSL-Explorer
 *
 *  Copyright (C) 2003-2006 3SP LTD. All Rights Reserved
 *
 *  This program is free software; you can redistribute it and/or
 *  modify it under the terms of the GNU General Public License
 *  as published by the Free Software Foundation; either version 2 of
 *  the License, or (at your option) any later version.
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public
 *  License along with this program; if not, write to the Free Software
 *  Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
 */
			
package com.sslexplorer.core.actions;

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.struts.Globals;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.ActionMessage;
import org.apache.struts.action.ActionMessages;

import com.sslexplorer.boot.Util;
import com.sslexplorer.core.CoreMenuTree;
import com.sslexplorer.core.CoreServlet;
import com.sslexplorer.core.CoreUtil;
import com.sslexplorer.core.ServletRequestAdapter;
import com.sslexplorer.core.ServletResponseAdapter;
import com.sslexplorer.navigation.MenuTree;
import com.sslexplorer.navigation.NavigationManager;
import com.sslexplorer.policyframework.ActionDeniedException;
import com.sslexplorer.policyframework.Permission;
import com.sslexplorer.policyframework.ResourceType;
import com.sslexplorer.properties.PropertyProfile;
import com.sslexplorer.security.Constants;
import com.sslexplorer.security.InvalidTicketException;
import com.sslexplorer.security.LogonController;
import com.sslexplorer.security.SessionInfo;
import com.sslexplorer.security.User;
import com.sslexplorer.security.VPNSession;

/**
 * 
 * Generic action to be used for all authenticated actions by the SSL Explorer
 * project. This checks that the user is logged on and if not directs them to
 * the logon page. Once logon is complete, the user will be directed to the
 * request path.
 * 
 * @author Lee David Painter <lee@3sp.com>
 * @author Brett Smith <brett@3sp.com>
 * @since 0.1
 * @see com.sslexplorer.core.actions.AuthenticatedDispatchAction
 */
public abstract class AuthenticatedAction extends DefaultAction implements CoreAction {

    static Log log = LogFactory.getLog(AuthenticatedAction.class);

    // Private instance variables
    
    private boolean requiresAdministrator;
    private boolean checkForVPNMessages = true;
    private ResourceType resourceType;
    private Permission[] permissions;
    private SessionInfo sessionInfo;

    /**
     * Use this constructor for actions that do not require any resource
     * permissions
     */
    public AuthenticatedAction() {
    }

    /**
     * Use this constructor for actions that require a resource permission to
     * operator
     * 
     * @param resourceType resource type
     * @param permissions permission required
     */
    public AuthenticatedAction(ResourceType resourceType, Permission permissions[]) {
        if (resourceType == null || permissions == null || permissions.length < 1) {
            throw new IllegalArgumentException("Must provide a resource type and at least 1 permission.");
        }
        this.resourceType = resourceType;
        this.permissions = permissions;
    }

    /**
     * For some actions such as UploadAction, no check should be made for VPN
     * messages as this would require parsing the input stream.
     * 
     * @param checkForVPNMessages
     */
    protected void setCheckForVPNMessages(boolean checkForVPNMessages) {
        this.checkForVPNMessages = checkForVPNMessages;
    }
    
    /**
     * Get the {@link SessionInfo} for this session. This will only be
     * available after {@link #execute(ActionMapping, ActionForm, HttpServletRequest, HttpServletResponse)}
     * has been called.
     * <p>
     * There are many places where the session info object is required. The 
     * usual way is to use {@link LogonController#getSessionInfo(HttpServletRequest)}.
     * Whereever possible that method should be replaced with a call to this method.
     * 
     * @return session info for request
     */
    public SessionInfo getSessionInfo() {
        return sessionInfo;
    }

    public final ActionForward execute(ActionMapping mapping, ActionForm form, HttpServletRequest request,
                    HttpServletResponse response) throws Exception {
        // Setup mode
        boolean installMode = isInstallMode();
        if (installMode) {
            if ((getNavigationContext(mapping, form, request, response) & SessionInfo.SETUP_CONSOLE_CONTEXT) == 0) {
                return mapping.findForward("setup");
            } else {
                CoreUtil.checkNavigationContext(this, mapping, form, request, response);
                return onExecute(mapping, form, request, response);
            }
        }

        try {
            if (checkForVPNMessages) {
                checkForVPNMessages(request);
            }

            try {
                if (!CoreServlet.getServlet().getSystemDatabase().verifyIPAddress(request.getRemoteAddr())) {
                    String link = null;
                    log.error(request.getRemoteHost() + " is not authorized");
                    ActionMessages mesgs = new ActionMessages();
                    mesgs.add(Globals.ERROR_KEY, new ActionMessage("login.unauthorizedAddress"));
                    saveErrors(request, mesgs);

                    VPNSession vpnSession = CoreServlet.getServlet().getLogonController().getPrimaryVPNSession(CoreServlet.getServlet().getLogonController().getVPNSessionsByLogon(request));
                    // The client may have already de-registered if it was
                    // stopped nicely
                    if (vpnSession != null) {
                        link = "http://localhost:" + vpnSession.getClientPort() + "/shutdown";
                    }
                    if (log.isInfoEnabled())
                    	log.info("Logging off, IP address verification failed.");
                    CoreServlet.getServlet().getLogonController().logoffSession(request, response);
                    request.getSession().invalidate();

                    if (link != null) {
                        ActionForward fwd = new ActionForward(link, true);
                        return fwd;
                    } else {
                        return (mapping.findForward("logon"));
                    }

                } else {

                    int logonStatus = CoreServlet.getServlet().getLogonController().hasClientLoggedOn(request, response);
                    if (logonStatus == LogonController.INVALID_TICKET) {
                        ActionMessages msgs = new ActionMessages();
                        msgs.add(Globals.ERROR_KEY, new ActionMessage("login.invalidTicket"));
                        saveErrors(request, msgs);
                    } else if (logonStatus == LogonController.LOGGED_ON) {

                        User currentUser = CoreServlet.getServlet().getLogonController().getUser(request);

                        // Set the logon ticket / domain logon ticket again
                        CoreServlet.getServlet().getLogonController().addCookies(new ServletRequestAdapter(request), new ServletResponseAdapter(response),
                                        (String) request.getSession().getAttribute(Constants.LOGON_TICKET), currentUser);

                        if (!CoreServlet.getServlet().getLogonController().isAdministrator(currentUser) && requiresAdministrator) {
                            response.sendError(403, "You do not have permission to access this area");
                            return null;
                        } else {
                            ActionForward fwd = checkIntercept(mapping, request, response);
                            if (fwd != null) {
                                return fwd;
                            }

                            /*