webcontainerauthorizer.java

jspwiki source code
JAVA
Page 1 of 2
/* 
    JSPWiki - a JSP-based WikiWiki clone.

    Licensed to the Apache Software Foundation (ASF) under one
    or more contributor license agreements.  See the NOTICE file
    distributed with this work for additional information
    regarding copyright ownership.  The ASF licenses this file
    to you under the Apache License, Version 2.0 (the
    "License"); you may not use this file except in compliance
    with the License.  You may obtain a copy of the License at

       http://www.apache.org/licenses/LICENSE-2.0

    Unless required by applicable law or agreed to in writing,
    software distributed under the License is distributed on an
    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
    KIND, either express or implied.  See the License for the
    specific language governing permissions and limitations
    under the License.  
 */
package com.ecyrd.jspwiki.auth.authorize;

import java.io.IOException;
import java.net.URL;
import java.security.Principal;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Properties;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;

import org.apache.log4j.Logger;
import org.jdom.Document;
import org.jdom.Element;
import org.jdom.Namespace;
import org.jdom.JDOMException;
import org.jdom.input.SAXBuilder;
import org.jdom.xpath.XPath;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

import com.ecyrd.jspwiki.InternalWikiException;
import com.ecyrd.jspwiki.WikiEngine;
import com.ecyrd.jspwiki.WikiSession;

/**
 * Authorizes users by delegating role membership checks to the servlet
 * container. In addition to implementing methods for the
 * <code>Authorizer</code> interface, this class also provides a convenience
 * method {@link #isContainerAuthorized()} that queries the web application
 * descriptor to determine if the container manages authorization.
 * @author Andrew Jaquith
 * @since 2.3
 */
public class WebContainerAuthorizer implements WebAuthorizer
{
    private static final String J2EE_SCHEMA_24_NAMESPACE = "http://java.sun.com/xml/ns/j2ee";

    protected static final Logger log                   = Logger.getLogger( WebContainerAuthorizer.class );

    protected WikiEngine          m_engine;

    /**
     * A lazily-initialized array of Roles that the container knows about. These
     * are parsed from JSPWiki's <code>web.xml</code> web application
     * deployment descriptor. If this file cannot be read for any reason, the
     * role list will be empty. This is a hack designed to get around the fact
     * that we have no direct way of querying the web container about which
     * roles it manages.
     */
    protected Role[]            m_containerRoles      = new Role[0];

    /**
     * Lazily-initialized boolean flag indicating whether the web container
     * protects JSPWiki resources.
     */
    protected boolean           m_containerAuthorized = false;

    private Document            m_webxml = null;

    /**
     * Constructs a new instance of the WebContainerAuthorizer class.
     */
    public WebContainerAuthorizer()
    {
        super();
    }

    /**
     * Initializes the authorizer.
     * @param engine the current wiki engine
     * @param props the wiki engine initialization properties
     */
    public void initialize( WikiEngine engine, Properties props )
    {
        m_engine = engine;
        m_containerAuthorized = false;

        // FIXME: Error handling here is not very verbose
        try
        {
            m_webxml = getWebXml();
            if ( m_webxml != null )
            {
                // Add the J2EE 2.4 schema namespace
                m_webxml.getRootElement().setNamespace( Namespace.getNamespace( J2EE_SCHEMA_24_NAMESPACE ) );

                m_containerAuthorized = isConstrained( "/Delete.jsp", Role.ALL )
                        && isConstrained( "/Login.jsp", Role.ALL );
            }
            if ( m_containerAuthorized )
            {
                m_containerRoles = getRoles( m_webxml );
                log.info( "JSPWiki is using container-managed authentication." );
            }
            else
            {
                log.info( "JSPWiki is using custom authentication." );
            }
        }
        catch ( IOException e )
        {
            log.error("Initialization failed: ",e);
            throw new InternalWikiException( e.getClass().getName()+": "+e.getMessage() );
        }
        catch ( JDOMException e )
        {
            log.error("Malformed XML in web.xml",e);
            throw new InternalWikiException( e.getClass().getName()+": "+e.getMessage() );
        }

        if ( m_containerRoles.length > 0 )
        {
            String roles = "";
            for( Role containerRole : m_containerRoles )
            {
                roles = roles + containerRole + " ";
            }
            log.info( " JSPWiki determined the web container manages these roles: " + roles );
        }
        log.info( "Authorizer WebContainerAuthorizer initialized successfully." );
    }

    /**
     * Determines whether a user associated with an HTTP request possesses
     * a particular role. This method simply delegates to
     * {@link javax.servlet.http.HttpServletRequest#isUserInRole(String)}
     * by converting the Principal's name to a String.
     * @param request the HTTP request
     * @param role the role to check
     * @return <code>true</code> if the user is considered to be in the role,
     *         <code>false</code> otherwise
     */
    public boolean isUserInRole( HttpServletRequest request, Principal role )
    {
        return request.isUserInRole( role.getName() );
    }

    /**
     * Determines whether the Subject associated with a WikiSession is in a
     * particular role. This method takes two parameters: the WikiSession
     * containing the subject and the desired role (which may be a Role or a
     * Group). If either parameter is <code>null</code>, this method must
     * return <code>false</code>.
     * This method simply examines the WikiSession subject to see if it
     * possesses the desired Principal. We assume that the method
     * {@link com.ecyrd.jspwiki.ui.WikiServletFilter#doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain)}
     * previously executed, and that it has set the WikiSession
     * subject correctly by logging in the user with the various login modules,
     * in particular {@link com.ecyrd.jspwiki.auth.login.WebContainerLoginModule}.
     * This is definitely a hack,
     * but it eliminates the need for WikiSession to keep dangling
     * references to the last WikiContext hanging around, just
     * so we can look up the HttpServletRequest.
     *
     * @param session the current WikiSession
     * @param role the role to check
     * @return <code>true</code> if the user is considered to be in the role,
     *         <code>false</code> otherwise
     * @see com.ecyrd.jspwiki.auth.Authorizer#isUserInRole(com.ecyrd.jspwiki.WikiSession, java.security.Principal)
     */
    public boolean isUserInRole( WikiSession session, Principal role )
    {
        if ( session == null || role == null )
        {
            return false;
        }
        return session.hasPrincipal( role );
    }

    /**
     * Looks up and returns a Role Principal matching a given String. If the
     * Role does not match one of the container Roles identified during
     * initialization, this method returns <code>null</code>.
     * @param role the name of the Role to retrieve
     * @return a Role Principal, or <code>null</code>
     * @see com.ecyrd.jspwiki.auth.Authorizer#initialize(WikiEngine, Properties)
     */
    public Principal findRole( String role )
    {
        for( Role containerRole : m_containerRoles )
        {
            if ( containerRole.getName().equals( role ) )
            {
                return containerRole;
            }
        }
        return null;
    }

    /**
     * <p>
     * Protected method that identifies whether a particular webapp URL is
     * constrained to a particular Role. The resource is considered constrained
     * if:
     * </p>
     * <ul>
     * <li>the web application deployment descriptor contains a
     * <code>security-constraint</code> with a child
     * <code>web-resource-collection/url-pattern</code> element matching the
     * URL, <em>and</em>:</li>
     * <li>this constraint also contains an
     * <code>auth-constraint/role-name</code> element equal to the supplied
     * Role's <code>getName()</code> method. If the supplied Role is Role.ALL,
     * it matches all roles</li>
     * </ul>
     * @param url the web resource
     * @param role the role
     * @return <code>true</code> if the resource is constrained to the role,
     *         <code>false</code> otherwise
     * @throws JDOMException if elements cannot be parsed correctly
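The descriptor check that the javadoc above describes (a URL counts as constrained only when a security-constraint lists it and names the role, with Role.ALL matching any role) and the container-managed heuristic from initialize(), re-implemented as an added Python example; this is not JSPWiki's own code. The web.xml is constructed for the example, ROLE_ALL stands in for Role.ALL, and reading declared roles from security-role elements is an assumption about how getRoles() behaves.

```python
# Added example, not JSPWiki code: the web.xml checks WebContainerAuthorizer's javadoc describes.
import xml.etree.ElementTree as ET

ROLE_ALL = "*"  # stand-in for JSPWiki's Role.ALL: matches any auth-constraint role-name

# Constructed sample descriptor (not JSPWiki's real web.xml).
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection><web-resource-name>Admin</web-resource-name>
      <url-pattern>/Delete.jsp</url-pattern><url-pattern>/Login.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>Admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><web-resource-name>Public</web-resource-name>
      <url-pattern>/Wiki.jsp</url-pattern></web-resource-collection>
  </security-constraint>
  <security-role><role-name>Admin</role-name></security-role>
  <security-role><role-name>Authenticated</role-name></security-role>
</web-app>"""

def load_web_xml(text):
    """Parse the descriptor; the namespace is read from the root tag (the Java code
    instead forces the J2EE 2.4 namespace onto the root so its XPath queries match)."""
    root = ET.fromstring(text)
    ns = root.tag[1:root.tag.index("}")] if root.tag.startswith("{") else ""
    return root, ns

def _p(ns, *tags):
    return "/".join("{%s}%s" % (ns, t) if ns else t for t in tags)

def is_constrained(root, ns, url, role):
    """True if a security-constraint lists `url` AND names `role` in its auth-constraint
    (any role-name counts for ROLE_ALL). A match without an auth-constraint is open."""
    for sc in root.findall(_p(ns, "security-constraint")):
        patterns = {p.text.strip() for p in
                    sc.findall(_p(ns, "web-resource-collection", "url-pattern"))}
        if url not in patterns:
            continue
        names = [r.text.strip() for r in sc.findall(_p(ns, "auth-constraint", "role-name"))]
        if names and (role == ROLE_ALL or role in names):
            return True
    return False

def container_roles(root, ns):
    """Roles the descriptor declares (assumed here: security-role elements)."""
    return [r.text.strip() for r in root.findall(_p(ns, "security-role", "role-name"))]

def is_container_authorized(root, ns):
    """The javadoc's heuristic: container-managed only if both JSPs are constrained."""
    return (is_constrained(root, ns, "/Delete.jsp", ROLE_ALL)
            and is_constrained(root, ns, "/Login.jsp", ROLE_ALL))
```

Note that a descriptor with no auth-constraint on /Delete.jsp or /Login.jsp makes the authorizer fall back to custom authentication, so a misplaced or omitted auth-constraint silently changes which code path enforces access.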
