package dev.trade.common.securityfilter.authenticator;
import java.io.*;
import java.security.*;
import javax.servlet.*;
import javax.servlet.http.*;
import dev.trade.common.securityfilter.config.*;
import dev.trade.common.securityfilter.filter.*;
import dev.trade.common.securityfilter.util.RequestUtils;
import java.util.List;
import java.util.Iterator;
import java.util.Collection;
/**
* <p>Title: 权限过滤器</p>
*
* <p>Description: 通用权限验证器的抽象类(实现了大部分方法)</p>
*
* <p>Copyright: Copyright (c) 2006</p>
*
* <p>Company: </p>
*
* @author Zheng YanNan
* @version 1.0
*/
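public abstract class AbstractAuthenticator implements Authenticator {
    /** Authentication method name reported by {@link #getAuthMethod()} (default {@code "FORM"}). */
    protected String AUTH_METHOD = "FORM";
    /** Name of the request parameter carrying the user name on the login submit page. */
    protected String KEY_USER_NAME = "user_name";
    /** Name of the request parameter carrying the password on the login submit page. */
    protected String KEY_USER_PWD = "user_pwd";
    /** Configured login page; either an absolute http(s) URL or a context-relative path. */
    protected String loginPage;
    protected URLPattern loginPagePattern;
    /** Configured page that receives the login form submission. */
    protected String loginSubmitPage;
    protected URLPattern loginSubmitPagePattern;
    /** Page shown after a failed login; {@code null} means reply with HTTP 401 instead. */
    protected String loginErrorPage;
    protected URLPattern loginErrorPagePattern;
    /** Page shown to an authenticated user lacking a required role; {@code null} means HTTP 403. */
    protected String authErrorPage;
    protected URLPattern authErrorPagePattern;
    protected URLPattern logoutPagePattern;
    /** Page the user is sent to after login when no saved request URL is available. */
    protected String defaultPage;
    /** Security constraints read from the security configuration (raw list of SecurityConstraint). */
    protected List constraints;

    public AbstractAuthenticator() {
    }

    /**
     * Creates an authenticator with custom method name and login parameter names.
     *
     * @param authMethod  value returned by {@link #getAuthMethod()}
     * @param keyUserName request parameter name for the user name
     * @param keyUserPwd  request parameter name for the password
     */
    public AbstractAuthenticator(String authMethod, String keyUserName, String keyUserPwd) {
        this.AUTH_METHOD = authMethod;
        this.KEY_USER_NAME = keyUserName;
        this.KEY_USER_PWD = keyUserPwd;
    }

    /**
     * Initialisation: reads the configured pages and constraints and pre-builds the URL
     * patterns used to recognise the login, submit, error and logout pages.
     *
     * @param filterConfig   filter configuration (the filter entry in web.xml)
     * @param securityConfig security configuration (securityfilter-config.xml)
     * @throws Exception propagated from pattern creation
     */
    public void init(FilterConfig filterConfig, SecurityConfig securityConfig) throws Exception {
        constraints = securityConfig.getSecurityConstraints();
        defaultPage = securityConfig.getDefaultPage();
        URLPatternFactory patternFactory = new URLPatternFactory();

        loginPage = securityConfig.getLoginPage();
        loginPagePattern = createPagePattern(patternFactory, loginPage);

        loginSubmitPage = securityConfig.getLoginSubmitPage();
        loginSubmitPagePattern = createPagePattern(patternFactory, loginSubmitPage);

        loginErrorPage = securityConfig.getLoginErrorPage();
        loginErrorPagePattern = createPagePattern(patternFactory, loginErrorPage);

        authErrorPage = securityConfig.getAuthErrorPage();
        authErrorPagePattern = createPagePattern(patternFactory, authErrorPage);

        // The logout page is only ever matched, never displayed, so no field keeps its text.
        String logoutPage = securityConfig.getLogoutPage();
        logoutPagePattern = createPagePattern(patternFactory, logoutPage);
    }

    /**
     * Builds the URL pattern for a configured page, ignoring any query string.
     *
     * @param factory pattern factory to use
     * @param page    configured page, may be {@code null}
     * @return the pattern, or {@code null} when {@code page} is {@code null}
     * @throws Exception propagated from the factory
     */
    private static URLPattern createPagePattern(URLPatternFactory factory, String page)
            throws Exception {
        if (page == null) {
            return null;
        }
        return factory.createURLPattern(RequestUtils.stripQueryString(page), null, null, 0);
    }

    /**
     * Tells whether a configured page is an absolute {@code http://} / {@code https://} URL
     * (to be redirected to) rather than a context-relative path (to be forwarded to).
     * Safe for {@code null} and for values shorter than a scheme prefix, which a bare
     * {@code substring(0, 7)} is not.
     *
     * @param url configured page, may be {@code null}
     * @return {@code true} if {@code url} starts with an http(s) scheme, case-insensitively
     */
    private static boolean isAbsoluteURL(String url) {
        if (url == null) {
            return false;
        }
        return url.regionMatches(true, 0, "http://", 0, 7)
            || url.regionMatches(true, 0, "https://", 0, 8);
    }

    /**
     * Sends the client to a configured page: an absolute URL is redirected to (unencoded, as
     * before), a context-relative path is forwarded to server-side.
     *
     * @param request  current request
     * @param response current response
     * @param page     configured page, must not be {@code null}
     * @throws ServletException from the forward
     * @throws IOException      from the redirect or forward
     */
    private static void redirectOrForward(ServletRequest request, HttpServletResponse response,
                                          String page) throws ServletException, IOException {
        if (isAbsoluteURL(page)) {
            response.sendRedirect(page);
        } else {
            request.getRequestDispatcher(page).forward(request, response);
        }
    }

    /**
     * Login handling. If the request is not a login submission, returns {@code false} so the
     * filter continues; otherwise authenticates the submitted credentials, redirects (success)
     * or shows the error page / replies 401 (failure), and returns {@code true}.
     *
     * @param request        SecurityRequestWrapper
     * @param response       HttpServletResponse
     * @param patternMatcher URLPatternMatcher
     * @return {@code true} if the request was handled here and the filter should skip, else {@code false}
     * @throws Exception from pattern matching, redirect or forward
     */
    public boolean checkAndDoLogin(SecurityRequest request, HttpServletResponse response,
                                   URLPatternMatcher patternMatcher) throws Exception {
        String requestURL = request.getMatchableURL();
        if (!RequestUtils.matchesPattern(requestURL, loginSubmitPagePattern, patternMatcher)) {
            return false;
        }
        String username = request.getParameter(KEY_USER_NAME);
        String password = request.getParameter(KEY_USER_PWD);
        Principal principal = authenticate(username, password);
        if (principal != null) {
            // A different user was already logged in on this session: drop it so nothing of the
            // previous user's state carries over. Null-safe: the subclass may accept a null name.
            // NOTE(review): when nobody was logged in the pre-login session is kept, so its id
            // survives authentication; confirm whether always invalidating here is compatible
            // with where saveRequestInformation keeps the continue-to URL before adopting it.
            if (request.getUserPrincipal() != null
                    && (username == null || !username.equals(request.getRemoteUser()))) {
                request.getSession().invalidate();
            }
            request.setUserPrincipal(principal);
            // URL the user originally requested before being prompted for login, or defaultPage.
            // NOTE(review): getContinueToURL is expected to yield a local URL — verify it does,
            // as the value is passed straight to sendRedirect.
            String continueToURL = RequestUtils.getContinueToURL(request, defaultPage);
            response.sendRedirect(response.encodeRedirectURL(continueToURL));
        } else {
            // Failed login: discard any session state, then show the error page or reply 401.
            request.getSession().invalidate();
            if (loginErrorPage != null) {
                redirectOrForward(request, response, loginErrorPage);
            } else {
                response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            }
        }
        return true;
    }

    /**
     * Login redirect flow, used when a request requires an authenticated user: saves the
     * current request so it can be resumed after login, then redirects to the login page
     * (or to the context root when no login page is configured).
     *
     * @param request  HttpServletRequest
     * @param response HttpServletResponse
     * @throws Exception from saving the request or the redirect
     */
    public void showLogin(HttpServletRequest request,
                          HttpServletResponse response) throws Exception {
        RequestUtils.saveRequestInformation(request);
        String redirectURL;
        if (loginPage == null) {
            redirectURL = request.getContextPath() + "/";
        } else if (isAbsoluteURL(loginPage)) {
            redirectURL = loginPage;
        } else {
            redirectURL = request.getContextPath() + loginPage;
        }
        response.sendRedirect(response.encodeRedirectURL(redirectURL));
    }

    /**
     * Authorization-failure flow, used when the user may not access the requested resource:
     * shows the configured auth error page, or replies HTTP 403 when none is configured.
     *
     * @param request  HttpServletRequest
     * @param response HttpServletResponse
     * @throws Exception from the redirect, forward or error reply
     */
    public void showForbidden(HttpServletRequest request,
                              HttpServletResponse response) throws Exception {
        if (authErrorPage != null) {
            redirectOrForward(request, response, authErrorPage);
        } else {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }

    /**
     * Logout handling: reports whether the request targets the logout page. No session work
     * is done here; subclasses or the filter are expected to act on the {@code true} result.
     *
     * @param request        SecurityRequestWrapper
     * @param response       HttpServletResponse
     * @param patternMatcher URLPatternMatcher
     * @return {@code true} if this is a logout request
     * @throws Exception from pattern matching
     */
    public boolean checkAndDoLogout(SecurityRequest request, HttpServletResponse response,
                                    URLPatternMatcher patternMatcher) throws Exception {
        String requestURL = request.getMatchableURL();
        return RequestUtils.matchesPattern(requestURL, logoutPagePattern, patternMatcher);
    }

    /**
     * Tells whether the current URL needs no security check at all. By default the login,
     * login-submit, login-error, auth-error and logout pages are bypassed.
     *
     * @param request        SecurityRequestWrapper
     * @param patternMatcher URLPatternMatcher
     * @return {@code true} if security is skipped for this request
     * @throws Exception from pattern matching
     */
    public boolean bypassSecurityForThisRequest(SecurityRequest request,
                                                URLPatternMatcher patternMatcher) throws Exception {
        String requestURL = request.getMatchableURL();
        return RequestUtils.matchesPattern(requestURL, loginPagePattern, patternMatcher)
            || RequestUtils.matchesPattern(requestURL, loginSubmitPagePattern, patternMatcher)
            || RequestUtils.matchesPattern(requestURL, loginErrorPagePattern, patternMatcher)
            || RequestUtils.matchesPattern(requestURL, authErrorPagePattern, patternMatcher)
            || RequestUtils.matchesPattern(requestURL, logoutPagePattern, patternMatcher);
    }

    /**
     * Checks whether the given user may access the named resource.
     * A resource with no role requirement in any constraint (or a {@code null} name) is
     * permitted to everyone, including anonymous users — the check is fail-open for
     * unconfigured resources. A role of {@code "*"} admits any authenticated user.
     *
     * @param principal current user, or {@code null} when not logged in
     * @param resName   resource name as configured in securityfilter-config.xml
     * @return {@code true} if access is allowed
     */
    public boolean isResourceAuthorized(Principal principal, String resName) {
        if (resName == null) {
            return true;
        }
        Collection roles = findRoles(resName);
        if (roles == null || roles.isEmpty()) {
            // No role requirement configured for this resource.
            return true;
        }
        if (principal == null) {
            // Roles are required but nobody is logged in.
            return false;
        }
        for (Iterator it = roles.iterator(); it.hasNext(); ) {
            String role = (String) it.next();
            if ("*".equals(role) || isUserInRole(principal, role)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Looks up the roles required for a resource: the first constraint that knows the
     * resource wins.
     *
     * @param resName resource name
     * @return the roles, or {@code null} if no constraint mentions the resource
     */
    private Collection findRoles(String resName) {
        for (Iterator cIter = constraints.iterator(); cIter.hasNext(); ) {
            SecurityConstraint constraint = (SecurityConstraint) cIter.next();
            Collection roles = constraint.getRolesByResourceName(resName);
            if (roles != null) {
                return roles;
            }
        }
        return null;
    }

    /**
     * Verifies a user name and password and returns the matching Principal.
     *
     * @param username submitted user name, may be {@code null}
     * @param password submitted password, may be {@code null}
     * @return the authenticated principal, or {@code null} if the credentials are rejected
     */
    public abstract Principal authenticate(String username, String password);

    /** @param authMethod new authentication method name */
    public void setAuthMethod(String authMethod) {
        this.AUTH_METHOD = authMethod;
    }

    /** @return the authentication method name */
    public String getAuthMethod() {
        return AUTH_METHOD;
    }

    /** @param key request parameter name for the user name */
    public void setUserNameKey(String key) {
        this.KEY_USER_NAME = key;
    }

    /** @return request parameter name for the user name */
    public String getUserNameKey() {
        return this.KEY_USER_NAME;
    }

    /** @param key request parameter name for the password */
    public void setUserPwdKey(String key) {
        this.KEY_USER_PWD = key;
    }

    /** @return request parameter name for the password */
    public String getUserPwdKey() {
        return this.KEY_USER_PWD;
    }
}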