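/* -*- mode:java; indent-tabs-mode:nil; c-basic-offset:2 -*-
 * $Id: PragmaticHTTPAccessGuard.java,v 1.10 2006/02/01 00:20:30 davidsch Exp $
 * Copyright (c) 2004 Autonomy Corp. All Rights Reserved.
 */

import java.io.IOException;
import java.net.URL;

import com.ultraseek.xpa.search.HTTPProxyAccessGuard;
import com.ultraseek.xpa.search.HTTPResponseWrapper;

/**
 * Use an HTTP Proxy to decide whether to allow access to a <code>SearchResult</code>.
 * <p>
 * This implementation contains workarounds to problems that Ultraseek Professional
 * Services found when deploying Secure Search into customer environments.
 * <p>
 * <blockquote>
 * <table>
 * <tr><td valign="top">1.</td>
 * <td valign="top"><table>
 * <tr><th valign=top>Problem:</th>
 * <td>Some versions of IIS do not properly respond to a HEAD request
 * for a ".shtml" file.</td></tr>
 * <tr><th valign=top>Solution:</th>
 * <td><code>getMethod</code> specifies GET when the URL <em>path</em> ends in
 * ".shtml" (compared case-insensitively; the query string is ignored).</td></tr>
 * </table>
 * </td></tr>
 *
 * <tr><td valign="top">2.</td>
 * <td valign="top"><table>
 * <tr><th valign=top>Problem:</th>
 * <td>IIS can be overloaded with HEAD requests when a <code>SearchResultList</code> is
 * being processed. When it is overloaded it responds to requests
 * specifying HTTP version 0.9.
 * </td></tr>
 * <tr><th valign=top>Solution:</th>
 * <td>Receiving an HTTP/0.9 response causes an <code>IOException</code> to be thrown
 * so the connection is dropped from the pool. This fails closed: it may result in
 * "false negatives" - SearchResults that are omitted when they really should be allowed.
 * </td></tr>
 * </table></td></tr>
 *
 * <tr><td valign="top">3.</td>
 * <td valign="top"><table>
 * <tr><th valign=top>Problem:</th>
 * <td>When using Domino Session based ACL authentication, and the
 * user does not have valid credentials,
 * Domino may respond to a document request with
 * an authentication form. The "200 OK" response represents the
 * <em>authentication form</em>, not the document.
 * </td></tr>
 * <tr><th valign=top>Solution:</th>
 * <td>This implementation heuristically detects the "login form" being sent, rather
 * than a response regarding the requested URL.
 * <p>
 * The heuristics examine the HTTP response headers for the following:
 * <blockquote>
 * <table>
 * <tr><th>Header</th><th>Value</th></tr>
 * <tr><td>Server:</td><td>contains "lotus" (case-insensitive); the checks below
 * apply only when it does</td></tr>
 * <tr><td>WWW-Authenticate:</td><td>if present, throw <code>SecurityException</code></td></tr>
 * <tr><td>Proxy-Authenticate:</td><td>if present, throw <code>SecurityException</code></td></tr>
 * <tr><td>Cache-Control:</td><td>present and contains "no-cache"</td></tr>
 * <tr><td>and</td></tr>
 * <tr><td>Content-Length:</td><td>is 1289<br>then throw <code>SecurityException</code></td></tr>
 * </table>
 * </blockquote>
 * Use {@link #setDominoFormContentLength} if your environment has
 * a different login form length.
 * </td></tr>
 * </table>
 * </td></tr></table>
 * </blockquote>
 * <p>
 * <b>Security note.</b> Item 3 is a heuristic, not an authorization check, and it
 * fails <em>open</em>: a Domino login form whose Content-Length differs from the
 * configured value (or that is sent without a Cache-Control header) is not
 * distinguished from a real document, and the response is handed to the superclass,
 * which presumably admits a 200. Verify the configured length against the deployed
 * Domino version. Only a 302 is treated here as a redirect-to-login; other redirect
 * codes (301, 303, 307, 308) are left to the superclass.
 * @since XPA2.2
 */
public class PragmaticHTTPAccessGuard extends HTTPProxyAccessGuard
{
  //
  // Statics
  //

  /**
   * Domino ACL Form Content Length (session based auth, Domino 5.07).
   * Left non-final for source compatibility; it is read once per instance in the
   * constructor, so prefer {@link #setDominoFormContentLength} to changing it.
   */
  public static int DEFAULT_DOMINO_FORM_CONTENT_LENGTH = 1289;

  /** Path suffix for which IIS mishandles HEAD. */
  private static final String DOT_SHTML = ".shtml";
  /** Version substring that marks an overloaded IIS reply. */
  private static final String DOT_9 = "0.9";
  /** Header names examined by the Domino heuristic. */
  private static final String WWW_AUTHENTICATE = "WWW-Authenticate";
  private static final String PROXY_AUTHENTICATE = "Proxy-Authenticate";
  private static final String CONTENT_LENGTH = "Content-Length";
  private static final String CACHE_CONTROL = "Cache-Control";
  private static final String SERVER = "Server";
  /** Header values the Domino heuristic looks for (matched case-insensitively). */
  private static final String NO_CACHE = "no-cache";
  private static final String LOTUS = "lotus";

  //
  // Private variables
  //

  /**
   * Domino Form Length. Written under the synchronized setter but read without a
   * lock from {@link #checkHTTPResponse}, hence volatile so a changed value is seen.
   */
  private volatile int dominoFormContentLength;

  //
  // Constructors
  //

  /**
   * Constructs a new <code>PragmaticHTTPAccessGuard</code>
   * with default settings.
   */
  public PragmaticHTTPAccessGuard()
  {
    dominoFormContentLength = DEFAULT_DOMINO_FORM_CONTENT_LENGTH;
  }

  //
  // Public Methods
  //

  /**
   * Get the DominoForm Content Length
   * @return int, content-length header of the form sign-on page.
   * default value is 1289 ( session based auth, Domino 5.07)
   */
  public synchronized int getDominoFormContentLength()
  {
    return dominoFormContentLength;
  }

  /**
   * Set the DominoForm Content Length
   * @param formPageLength content-length header of the form sign-on page.
   * default value is 1289 (session based auth, Domino 5.07)
   */
  public synchronized void setDominoFormContentLength(int formPageLength)
  {
    dominoFormContentLength = formPageLength;
  }

  //
  // Protected Methods
  //

  /**
   * {@inheritDoc}
   *
   * Some versions of IIS fail on a HEAD request for a ".shtml" file.
   * This implementation of <code>getMethod</code> specifies
   * an HTTP GET for .shtml files. The suffix is tested on the URL path only
   * (<code>getFile()</code> would append the query string and miss
   * <code>page.shtml?x=1</code>) and case-insensitively, since IIS serves
   * <code>PAGE.SHTML</code> the same way.
   *
   * @param url the document being checked
   * @return GET for .shtml paths, otherwise whatever the superclass chooses
   */
  public int getMethod(URL url) throws SecurityException
  {
    // Bug in IIS, fails on HEAD request for ".shtml" files
    if (endsWithIgnoreCase(url.getPath(), DOT_SHTML))
      return GET;
    return super.getMethod(url);
  }

  /**
   * {@inheritDoc}
   *
   * Applies workarounds 2 and 3 from the class description and then defers
   * to the superclass.
   *
   * @param method the HTTP method that was sent
   * @param url    the document that was requested
   * @param resp   the proxy's response
   * @throws SecurityException on a 302, or when a Lotus server's 200 looks like
   *                           an authentication challenge or login form
   * @throws IOException       on an HTTP/0.9 reply, so the pooled connection is dropped
   */
  public void checkHTTPResponse(int method, URL url, HTTPResponseWrapper resp)
    throws IOException, SecurityException
  {
    int code = resp.getStatusCode();

    // A redirect from the proxy is treated as "not authorized".
    if (code == 302)
      throw new SecurityException("" + resp);

    if (code == 200) {
      // Bug in IIS, when multiple HEAD requests hit the server the server
      // chokes in case of 401 auth and starts responding with HTTP/0.9 and
      // some junk. Throw an IOException so the connection is removed from
      // the connection pool. A missing version string is not treated as 0.9.
      String version = resp.getVersion();
      if (version != null && version.indexOf(DOT_9) != -1)
        throw new IOException("Remote server may be overloaded");

      // Fix for Domino's ACLs: only applied when the Server header says Lotus.
      String server = resp.getHeader(SERVER);
      if (server != null && containsIgnoreCase(server, LOTUS))
        rejectDominoChallenge(server, resp);
    }

    super.checkHTTPResponse(method, url, resp);
  }

  //
  // Private helpers
  //

  /**
   * Throws when a Lotus "200 OK" is really an authentication challenge or the
   * session login form (workaround 3). Returns normally when none of the
   * heuristics match, in which case the caller passes the response on.
   *
   * @param server the Server header value, for the exception message
   * @param resp   the 200 response from a Lotus server
   */
  private void rejectDominoChallenge(String server, HTTPResponseWrapper resp)
    throws SecurityException
  {
    // Bug in Lotus, sends 200 for authentication requests
    String wwwAuth = resp.getHeader(WWW_AUTHENTICATE);
    if (wwwAuth != null) {
      throw new SecurityException("401 Unauthorized - server was " + server
                                  + " " + WWW_AUTHENTICATE + " " + wwwAuth);
    }
    String proxyAuth = resp.getHeader(PROXY_AUTHENTICATE);
    if (proxyAuth != null) {
      throw new SecurityException("401 Unauthorized - server was " + server
                                  + " " + PROXY_AUTHENTICATE + " " + proxyAuth);
    }

    // Bug in Lotus, sends 200 for Form-auth. Both conditions are required;
    // a missing Cache-Control header previously caused a NullPointerException
    // here and now simply fails the heuristic.
    if (resp.getHeaderAsInt(CONTENT_LENGTH) != dominoFormContentLength)
      return;
    String cacheControl = resp.getHeader(CACHE_CONTROL);
    if (cacheControl != null && containsIgnoreCase(cacheControl, NO_CACHE)) {
      throw new SecurityException("401 Unauthorized - server was " + server
                                  + " " + CONTENT_LENGTH + ": " + resp.getHeader(CONTENT_LENGTH)
                                  + " " + CACHE_CONTROL + ": " + cacheControl);
    }
  }

  /** Locale-independent case-insensitive substring test. */
  private static boolean containsIgnoreCase(String text, String needle)
  {
    int last = text.length() - needle.length();
    for (int i = 0; i <= last; i++) {
      if (text.regionMatches(true, i, needle, 0, needle.length()))
        return true;
    }
    return false;
  }

  /** Locale-independent case-insensitive suffix test. */
  private static boolean endsWithIgnoreCase(String text, String suffix)
  {
    int start = text.length() - suffix.length();
    return start >= 0 && text.regionMatches(true, start, suffix, 0, suffix.length());
  }
}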