2 * ============LICENSE_START====================================================
4 * ===========================================================================
5 * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
6 * ===========================================================================
7 * Licensed under the Apache License, Version 2.0 (the "License");
8 * you may not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
11 * http://www.apache.org/licenses/LICENSE-2.0
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS,
15 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 * ============LICENSE_END====================================================
22 package org.onap.aaf.cadi.filter;
24 import java.io.IOException;
26 import javax.servlet.Filter;
27 import javax.servlet.FilterChain;
28 import javax.servlet.FilterConfig;
29 import javax.servlet.ServletContext;
30 import javax.servlet.ServletException;
31 import javax.servlet.ServletRequest;
32 import javax.servlet.ServletResponse;
33 import javax.servlet.http.HttpServletRequest;
34 import javax.servlet.http.HttpServletResponse;
36 import org.onap.aaf.cadi.Access;
37 import org.onap.aaf.cadi.Access.Level;
38 import org.onap.aaf.cadi.config.Config;
43 * This class implements Servlet Filter, and uses AAF to validate access to a Path.
45 * This class can be used in a standard J2EE Servlet manner.
47 * @author Jonathan, collaborating with Xue Gao
50 public class PathFilter implements Filter {
51 private final Log log;
53 private ServletContext context;
54 private String aafType;
55 private String notAuthorizedMsg;
58 * Construct a viable Filter for installing in Container WEB.XML, etc.
63 public void info(String ... msg) {
64 context.log(build("INFO:", msg));
66 public void audit(String ... msg) {
67 context.log(build("AUDIT:", msg));
69 private String build(String type, String []msg) {
70 StringBuilder sb = new StringBuilder(type);
71 for (String s : msg) {
81 * Filter that can be constructed within Java
84 public PathFilter(final Access access) {
86 public void info(String ... msg) {
87 access.log(Level.INFO, (Object[])msg);
89 public void audit(String ... msg) {
90 access.log(Level.AUDIT, (Object[])msg);
98 * Standard Filter "init" call with FilterConfig to obtain properties. POJOs can construct a
99 * FilterConfig with the mechanism of their choice, and standard J2EE Servlet engines utilize this
102 public void init(FilterConfig filterConfig) throws ServletException {
103 // need the Context for Logging, instantiating ClassLoader, etc
104 context = filterConfig.getServletContext();
105 StringBuilder sb = new StringBuilder();
106 StringBuilder err = new StringBuilder();
107 Object attr = context.getAttribute(Config.PATHFILTER_NS);
109 err.append("PathFilter - pathfilter_ns is not set");
111 sb.append(attr.toString());
114 attr = context.getAttribute(Config.PATHFILTER_STACK);
116 log.info("PathFilter - No pathfilter_stack set, ignoring");
119 sb.append(attr.toString());
122 attr = context.getAttribute(Config.PATHFILTER_URLPATTERN);
124 log.info("PathFilter - No pathfilter_urlpattern set, defaulting to 'urlpattern'");
125 sb.append(".urlpattern");
128 sb.append(attr.toString());
131 log.info("PathFilter - AAF Permission Type is", sb.toString());
135 aafType = sb.toString();
137 attr = context.getAttribute(Config.PATHFILTER_NOT_AUTHORIZED_MSG);
139 notAuthorizedMsg = "Forbidden - Not Authorized to access this Path";
141 notAuthorizedMsg = attr.toString();
144 if (err.length() > 0) {
145 throw new ServletException(err.toString());
149 private interface Log {
150 public void info(String ... msg);
151 public void audit(String ... msg);
157 * This is the standard J2EE invocation. Analyze the request, modify response as necessary, and
158 * only call the next item in the filterChain if request is suitably Authenticated.
160 //TODO Always validate changes against Tomcat AbsCadiValve and Jaspi CadiSAM functions
161 public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
162 HttpServletRequest hreq = (HttpServletRequest)request;
163 HttpServletResponse hresp = (HttpServletResponse)response;
164 String perm = aafType + hreq.getPathInfo() + '|' + hreq.getMethod();
165 if (hreq.isUserInRole(perm)) {
166 chain.doFilter(request, response);
168 log.audit("PathFilter has denied", hreq.getUserPrincipal().getName(), "access to", perm);
169 hresp.sendError(403, notAuthorizedMsg);
174 * Containers call "destroy" when time to cleanup
176 public void destroy() {
177 log.info("PathFilter destroyed.");