📄 websecurityinterceptor.java
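package net.java.workeffort.webapp.security;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import net.java.workeffort.infrastructure.context.IRequestContext;
import net.java.workeffort.infrastructure.context.RequestContext;
import net.java.workeffort.infrastructure.context.RequestContextHolder;
import net.java.workeffort.infrastructure.security.ISecurityProfile;
import net.java.workeffort.webapp.support.WebConstants;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
import org.springframework.web.util.UrlPathHelper;

/**
 * Gatekeeper for controller requests. For every request it does the following:
 * <ol>
 * <li>Checks whether the user has already logged in. If not, redirects to the
 * login page.</li>
 * <li>If the user is logged in, checks whether the user is authorized to
 * access the specific url (Controller path as configured in *servlet.xml).</li>
 * <li>If authorization succeeds, stores the user's <code>SecurityProfile</code>
 * in the <code>RequestContext</code> (a thread local variable) so that the
 * SecurityProfile is accessible during execution of the thread.</li>
 * </ol>
 * <p>
 * NOTE(review): nothing in this class clears the thread-local
 * <code>RequestContext</code> once the request is finished. On a pooled
 * request thread a profile stored for one user could still be visible to a
 * later request that does not pass through (or is rejected by) this
 * interceptor. Confirm that cleanup happens elsewhere, or add it in
 * <code>afterCompletion</code>.
 * @author Antony Joseph
 */
public class WebSecurityInterceptor extends HandlerInterceptorAdapter {
    protected static final Log logger = LogFactory
            .getLog(WebSecurityInterceptor.class);

    private IWebAuthorizer webAuthorizer;

    /**
     * Enforces login and url authorization before the handler is executed.
     * @param request current request; its session is looked up but never
     *            created here
     * @param response used to redirect users that are not logged in
     * @param handler the chosen handler (not inspected)
     * @return <code>false</code> after redirecting to the login page when no
     *         security profile is stored in the session; <code>true</code>
     *         once the profile has been authorized and published in the
     *         <code>RequestContext</code>
     * @throws Exception whatever <code>webAuthorizer.authorize</code> or the
     *             servlet API throws; presumably a failed authorization is
     *             reported this way, verify against the
     *             <code>IWebAuthorizer</code> implementation
     */
    public boolean preHandle(HttpServletRequest request,
            HttpServletResponse response, Object handler) throws Exception {
        logger.info("preHandle() invoked");

        // Look the session up once and never create one for an anonymous
        // caller. The profile is also read exactly once, so the object that
        // passes the login check is the same object that is authorized and
        // published below, even if the session attribute is changed by a
        // concurrent request (e.g. a logout) in the meantime.
        HttpSession session = request.getSession(false);
        Object storedProfile = (session == null) ? null : session
                .getAttribute(WebConstants.SECURITY_PROFILE);
        if (storedProfile == null) {
            // Not logged in. Redirect to login.
            // NOTE(review): "login.do" is a relative location, so the
            // container resolves it against the current request URL; confirm
            // this is intended for controllers mapped below the root path.
            response.sendRedirect("login.do");
            return false;
        }

        // User already logged in. Check authorization.
        ISecurityProfile securityProfile = (ISecurityProfile) storedProfile;
        String controllerPath = new UrlPathHelper()
                .getLookupPathForRequest(request);
        if (logger.isInfoEnabled())
            logger.info("Authorizing controller path:"
                    + sanitizeForLog(controllerPath));
        webAuthorizer.authorize(securityProfile, controllerPath);

        // If code reaches here authorization was successful.
        // Make the security profile available in a thread local variable.
        IRequestContext requestContext = new RequestContext(securityProfile);
        RequestContextHolder.setRequestContext(requestContext);
        return true;
    }

    /**
     * Replaces line breaks in a request-derived value before it is logged, so
     * that a crafted url cannot add forged lines to the log file.
     */
    private static String sanitizeForLog(String value) {
        if (value == null) {
            return null;
        }
        return value.replace('\r', '_').replace('\n', '_');
    }

    /**
     * @param webAuthorizer The webAuthorizer to set.
     */
    public void setWebAuthorizer(IWebAuthorizer webAuthorizer) {
        this.webAuthorizer = webAuthorizer;
    }
}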