📄 securityenforcementdynamicextensionfilter.java
/*
* Copyright 2005-2010 the original author or authors
*
* http://www.skyon.com.cn
*
* Project { SkyonFramwork }
*/
package com.skyon.um.security.acegi.intercept.web;
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import net.sf.acegisecurity.Authentication;
import net.sf.acegisecurity.InsufficientAuthenticationException;
import net.sf.acegisecurity.context.SecurityContextHolder;
import net.sf.acegisecurity.intercept.web.FilterInvocation;
import net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.util.Assert;
/**
 * Security enforcement filter whose URL access rules are taken from a
 * {@link FilterInvocationDefinitionSourceCache} on every request, and which can optionally
 * send every anonymous request to the authentication entry point.
 *
 * <p>{@link #doFilter(ServletRequest, ServletResponse, FilterChain)} does two things before the
 * inherited enforcement runs: it pushes the definition source currently held by the cache into
 * the filter security interceptor, and, when {@link #isForbiddenAnyAnonymousVisit()} is
 * {@code true}, it stops requests that carry no authentication or an anonymous one.
 *
 * <p>{@code forbiddenAnyAnonymousVisit} defaults to {@code false}; in that mode the decision
 * about anonymous access is left entirely to the inherited filter and the configured rules.
 *
 * @see com.skyon.um.security.acegi.intercept.web.FilterInvocationDefinitionSourceCache
 * @see com.skyon.um.security.acegi.intercept.event.FilterInvocationDefinitionSourceChangedEvent
 * @see com.skyon.um.security.acegi.intercept.event.FilterInvocationDefinitionSourceListener
 * @since 2005-8-7
 * @author 王政
 * @version $Id: SecurityEnforcementDynamicExtensionFilter.java,v 1.5 2005/12/05 02:40:52 wangzheng Exp $
 */
public class SecurityEnforcementDynamicExtensionFilter extends SecurityEnforcementFilter
        implements InitializingBean {

    private static final Log logger =
            LogFactory.getLog(SecurityEnforcementDynamicExtensionFilter.class);

    // Supplies the definition source that is installed on the interceptor for each request.
    private FilterInvocationDefinitionSourceCache definitionSourceCache;

    // When true, every anonymous or unauthenticated request is sent to the entry point.
    private boolean forbiddenAnyAnonymousVisit = false;

    /**
     * @return the cache the definition source is read from
     */
    public FilterInvocationDefinitionSourceCache getDefinitionSourceCache() {
        return this.definitionSourceCache;
    }

    /**
     * @param definitionSourceHolder the cache the definition source is read from
     */
    public void setDefinitionSourceCache(FilterInvocationDefinitionSourceCache definitionSourceHolder) {
        this.definitionSourceCache = definitionSourceHolder;
    }

    /**
     * @return whether anonymous access is refused for every resource behind this filter
     */
    public boolean isForbiddenAnyAnonymousVisit() {
        return this.forbiddenAnyAnonymousVisit;
    }

    /**
     * Sets whether anonymous access is refused for every resource behind this filter.
     *
     * <p>If this is set to {@code true}, /login.jsp must not be mapped to this filter;
     * otherwise the request for the login page is itself sent back to the entry point
     * and the client loops forever.
     *
     * @param forbiddenAnyAnonymousVisit {@code true} to refuse all anonymous access
     */
    public void setForbiddenAnyAnonymousVisit(boolean forbiddenAnyAnonymousVisit) {
        this.forbiddenAnyAnonymousVisit = forbiddenAnyAnonymousVisit;
    }

    /**
     * Runs the inherited configuration checks, then requires that a definition source cache
     * has been injected.
     *
     * @see net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter#afterPropertiesSet()
     */
    public void afterPropertiesSet() throws Exception {
        super.afterPropertiesSet();
        FilterInvocationDefinitionSourceCache configuredCache = getDefinitionSourceCache();
        Assert.notNull(configuredCache, " definitionSourceCache must be specified ");
    }

    /**
     * Reads the {@link net.sf.acegisecurity.intercept.web.FilterInvocationDefinitionSource}
     * from the {@link FilterInvocationDefinitionSourceCache}, installs it on the filter
     * security interceptor, applies the optional anonymous gate, and then delegates to the
     * inherited filter.
     *
     * @throws ServletException if the request or response is not an HTTP request or response
     * @see net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter#doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain)
     */
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Install the current rules first. This write happens before the request and response
        // types are validated, so it also runs for requests that are rejected just below.
        // NOTE(review): the interceptor is presumably one instance shared by all request
        // threads, and the value returned by the cache is not null-checked here - confirm the
        // cache always hands out a fully built source and that the interceptor fails closed
        // if it ever does not.
        getFilterSecurityInterceptor().setObjectDefinitionSource(
                getDefinitionSourceCache().getFilterInvocationDefinitionSource());

        if (!(request instanceof HttpServletRequest)) {
            throw new ServletException("HttpServletRequest required");
        }

        if (!(response instanceof HttpServletResponse)) {
            throw new ServletException("HttpServletResponse required");
        }

        // Every anonymous request is sent to the login page. If isForbiddenAnyAnonymousVisit()
        // is true, /login.jsp must not pass through this filter, or the redirect never ends.
        if (isForbiddenAnyAnonymousVisit()) {
            FilterInvocation invocation = new FilterInvocation(request, response, chain);
            Authentication currentAuthentication =
                    SecurityContextHolder.getContext().getAuthentication();

            boolean anonymousCaller = currentAuthentication == null
                    || getAuthenticationTrustResolver().isAnonymous(currentAuthentication);

            if (anonymousCaller) {
                if (logger.isDebugEnabled()) {
                    logger.debug("Access is denied (user is anonymous); redirecting to authentication entry point");
                }

                // The chain is not continued for this request: neither the inherited
                // enforcement nor the target resource runs after the entry point is started.
                sendStartAuthentication(invocation,
                        new InsufficientAuthenticationException(
                                "Full authentication is required to access this resource"));
                return;
            }
        }

        // Authenticated callers (or anonymous ones when the gate is off) still go through the
        // inherited enforcement, which applies the rules installed above.
        super.doFilter(request, response, chain);
    }
}