📄 ssosearchservlet.java
/* -*- mode:java; indent-tabs-mode:nil; c-basic-offset:2 -*-
 *
 * $RCSFile$ $Revision: 1.23 $ $Date: 2006/02/01 00:20:29 $
 *
 * Copyright (c) 2001-2004 Autonomy Corp. All Rights Reserved.
 * Permission to use, copy, modify, and distribute this file is hereby
 * granted without fee, provided that the above copyright notice appear
 * in all copies.
 */
import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;
import com.ultraseek.xpa.search.*;

/**
 * This Servlet demonstrates how to implement
 * secure search with hit-level authentication using
 * XPA, Ultraseek, and your site's document security system.
 * <p>
 * You may find it useful to use the DebugServlet output
 * to diagnose the interface with your security system.
 * To use the DebugServlet, modify this file to extend DebugServlet
 * instead of SearchServlet (2 locations).
 * <p>
 * Make sure the URL(s) that browsers use to access this Servlet is
 * protected by your Single-Sign-On environment. Otherwise
 * the users will not be authenticated and all secure documents
 * will be removed from search results.
 * <p>
 * Some of the issues you need to resolve for your secure
 * search implementation are:
 * <ul>
 * <li>How to authenticate a user.
 * <li>How to determine which documents the user is allowed to view.
 * <li>How to display a search result for an allowed document.
 * <li>What to do with a search result to a disallowed document
 * <ul>
 * <li>Do not show it at all.
 * <li>Show a link "More documents exist, please login to view them".
 * <li>Show a summary of the search result (Title only, No description, no
 * term counts, etc.)
 * <li>Show it with a "locked" icon
 * <li>Show it (in which event you should just use SearchServlet)
 * </ul>
 * <li>Do not imply the existence of search results which the searcher is not
 * authorized to view.
 * <ul>
 * <li>Do not show per-term document hit counts.
 * <li>Do not show the "Next page" link unless there is a viewable search result.
* <li>Show the "no hits" display when there are search results, but none of
 * them are authorized.
 * <li>The <code>"st"</code> parameter must index by viewable search result.
 * </ul>
 * <li>Performance
 * </ul>
 * @version 2.2
 * @since XPA2.2
 * @serial exclude
 * @see SecureFilterSearchable
 * @see SSOSearchServletAccessGuard
 */
public class SSOSearchServlet
  extends SearchServlet    // for production (must change in 2 locations!)
  //extends DebugServlet   // for development (must change in 2 locations!)
{
  /**
   * Fully qualified name of this class. It prefixes the servlet info text
   * and the session attribute name defined below.
   */
  static final String getClass_getName = SSOSearchServlet.class.getName();

  /**
   * Describes this servlet: its own class name, the text " based on" and a
   * line break, followed by the description reported by the superclass.
   */
  public String getServletInfo() {
    final String inherited = super.getServletInfo();
    return getClass_getName + " based on\n" + inherited;
  }

  /**
   * Runs the superclass initialization first, then reads the SSO-specific
   * init parameters through {@link #initSSO}.
   */
  public void init(ServletConfig config) throws ServletException {
    super.init(config);
    initSSO(config);
  }

  /** Single Sign-On link, taken from the <code>SingleSignOnLink</code> init parameter. */
  String singleSignOnLink;

  /**
   * Key under which the session-specific access guard is kept in the
   * <code>HttpSession</code>.
   * @see SearchRequest#accessGuard
   * @see SearchRequest#getAccessGuard
   */
  protected static final String GUARD_ATTRIBUTE = getClass_getName + ".accessGuard";

  /**
   * How many background threads perform hit-level authentication for
   * each user query.
   * <br>
   * Default: 10
   */
  int accessGuard_maxThreads = 10;

  /**
   * How long, in milliseconds, the outcome of an access check is cached
   * for a (user,URL) pair.
   * <br>
   * (Very Important) Keep this time out in sync with your Single Sign-On
   * session time out; preferably use a value around 10% less than the SSO
   * time out. Otherwise the AccessGuard may still hold a cached "APPROVED"
   * security check for a document after the user's session has timed out
   * and access to the document is no longer approved.
   * <br>
   * Default: 5 minutes
   */
  long accessGuard_cacheLifeTime = 5L * 60L * 1000L; // 5 minutes

  /**
   * How long, in milliseconds, to wait before HTTP connections are released
   * from the AccessGuard pool.
   * <br>
   * Default: 60 seconds
   */
  long accessGuard_connPoolCleanUpWait = 60L * 1000L; // 60 seconds

  /**
   * Milliseconds to wait on a socket doing hit-level authorization.
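* <br>
   * Default: 10 seconds
   */
  long accessGuard_timeout = 10 * 1000; // 10 seconds

  /**
   * HTTP request headers that the <code>SSOSearchServletAccessGuard</code>
   * will forward from the searcher's browser to the document-serving web server
   * when performing an authentication for each hit.
   * <p>
   * Each web server in your environment may require a different set of headers to
   * be forwarded. Define this as a union of all your webserver's requirements.
   * <p>
   * Because <code>Cookie</code> is on the list, the searcher's session cookie
   * is sent along with every hit-level check. Keep the list as short as your
   * web servers allow.
   */
  // NOTE(review): a public array stays mutable even though the field is final, so any
  // code loaded in this web application can add or remove forwarded headers at run
  // time. The declaration is left as it is because other classes may read it; treat
  // the array as read-only and copy it before use.
  // NOTE(review): SSOSearchServletAccessGuard is not visible here - confirm that it
  // only contacts document servers that belong to the SSO domain before it forwards
  // the Cookie header.
  static public final String HEADER_NAMES[] = {"Cookie","Content-Type","User-Agent"};

  /**
   * Servlet initialization of SSO specific parameters.
   * <p>
   * Reads <code>SingleSignOnLink</code> and the numeric parameters
   * <code>AccessGuard.CacheLifeTime</code>,
   * <code>AccessGuard.ConnPoolCleanUpWait</code>,
   * <code>AccessGuard.timeout</code> and <code>AccessGuard.maxThreads</code>,
   * then passes the connection pool clean-up wait to the access guard class
   * selected by <code>debug</code>.
   * <p>
   * A numeric parameter that is absent keeps its default. A parameter that is
   * present but is not a valid number also keeps the default, and this is
   * reported in the servlet context log: a mistyped
   * <code>AccessGuard.CacheLifeTime</code> would otherwise leave the 5 minute
   * default in place unnoticed, which may be longer than the SSO session
   * time out.
   *
   * @param config the servlet configuration holding the init parameters
   * @throws ServletException declared for callers; not thrown by the code in this method
   */
  public void initSSO(ServletConfig config) throws ServletException {
    //Get Single Sign On link
    singleSignOnLink = config.getInitParameter("SingleSignOnLink");

    // The cache life time field is a long, so it is parsed as one; every value
    // that was accepted before is still accepted.
    // NOTE(review): the values are not range-checked here; confirm how the
    // access guard treats zero or negative settings.
    accessGuard_cacheLifeTime =
      ssoLongInitParameter(config, "AccessGuard.CacheLifeTime", accessGuard_cacheLifeTime);
    accessGuard_connPoolCleanUpWait =
      ssoLongInitParameter(config, "AccessGuard.ConnPoolCleanUpWait", accessGuard_connPoolCleanUpWait);
    accessGuard_timeout =
      ssoLongInitParameter(config, "AccessGuard.timeout", accessGuard_timeout);
    accessGuard_maxThreads =
      ssoIntInitParameter(config, "AccessGuard.maxThreads", accessGuard_maxThreads);

    if (debug) {
      DebugAccessGuard.setConnPoolCleanUpWait(accessGuard_connPoolCleanUpWait);
    } else {
      SSOSearchServletAccessGuard.setConnPoolCleanUpWait(accessGuard_connPoolCleanUpWait);
    }
  }

  /** Returns the named init parameter as a long, or <code>fallback</code> when it is absent or not a number. */
  private static long ssoLongInitParameter(ServletConfig config, String name, long fallback) {
    String raw = config.getInitParameter(name);
    if (raw == null) {
      return fallback;   // not configured: the documented default applies
    }
    try {
      return Long.parseLong(raw.trim());
    } catch (NumberFormatException e) {
      ssoWarnBadInitParameter(config, name, raw, fallback);
      return fallback;
    }
  }

  /** Returns the named init parameter as an int, or <code>fallback</code> when it is absent or not a number. */
  private static int ssoIntInitParameter(ServletConfig config, String name, int fallback) {
    String raw = config.getInitParameter(name);
    if (raw == null) {
      return fallback;   // not configured: the documented default applies
    }
    try {
      return Integer.parseInt(raw.trim());
    } catch (NumberFormatException e) {
      ssoWarnBadInitParameter(config, name, raw, fallback);
      return fallback;
    }
  }

  /** Writes a line to the servlet context log saying that an init parameter was ignored. */
  private static void ssoWarnBadInitParameter(ServletConfig config, String name,
                                              String raw, long fallback) {
    ServletContext context = config.getServletContext();
    if (context != null) {
      context.log(getClass_getName + ": init parameter " + name + "=\"" + raw
                  + "\" is not a valid number; using " + fallback);
    }
  }

  /**
   * Returns a new instance of this servlet's own <code>SearchRequest</code>
   * class for the given request and response.
   */
  protected SearchServlet.SearchRequest makeSearchRequest(HttpServletRequest req,
                                                          HttpServletResponse resp)
    throws IOException, ServletException
  {
    return new SearchRequest(req,resp);
  }

  /**
   * An instance of <code>SearchRequest</code> is created for each HTTP request
   * to this Servlet.
   * <p>
   * The properties of SearchRequest are unique for each search.
   * To preserve properties (such as Guarded results), they must
   * be stored in session properties.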
*/
  protected class SearchRequest
    extends SearchServlet.SearchRequest { // for production (must change in 2 locations!)
    //extends DebugServlet.SearchRequest { // for development (must change in 2 locations!)

    /**
     * Hands the servlet request and response to the superclass constructor.
     */
    SearchRequest(HttpServletRequest req, HttpServletResponse resp) throws IOException {
      super(req,resp);
    }

    /**
     * The security guard for this search request.
     * <p>
     * The guard caches the results of prior security checks,
     * and is stored in the <code>HttpSession</code> between HTTP requests.
     * @see #GUARD_ATTRIBUTE
     * @see #getAccessGuard
     */
    SSOSearchServletAccessGuard accessGuard = null;

    protected void parseQueryParameters() throws IOException, ServletException {
      if (!checkForAuthentication(this.req)) {
        /* Browser got here without sending a cookie, force them to the login page */
        /* The standard SSOSearchServlet takes no action */
        // NOTE(review): this branch is empty, so a request that fails
        // checkForAuthentication continues below and still gets a session and an
        // access guard. The rest of this method is not visible in this excerpt;
        // confirm that such requests end up with all secured hits removed.
      }

      /* Make sure this request has a session */
      this.session = req.getSession(true);

      /* Recover the SearchResult access guard for this session. */
      this.accessGuard = getAccessGuard(session);
      this.accessGuard.updateAuthentication(this.req);