1 /*******************************************************************************
\r
2 * ============LICENSE_START====================================================
\r
4 * * ===========================================================================
\r
5 * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
\r
6 * * ===========================================================================
\r
7 * * Licensed under the Apache License, Version 2.0 (the "License");
\r
8 * * you may not use this file except in compliance with the License.
\r
9 * * You may obtain a copy of the License at
\r
11 * * http://www.apache.org/licenses/LICENSE-2.0
\r
13 * * Unless required by applicable law or agreed to in writing, software
\r
14 * * distributed under the License is distributed on an "AS IS" BASIS,
\r
15 * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
\r
16 * * See the License for the specific language governing permissions and
\r
17 * * limitations under the License.
\r
18 * * ============LICENSE_END====================================================
\r
20 * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
\r
22 ******************************************************************************/
\r
23 package org.onap.aaf.cadi.filter;
\r
import java.io.IOException;
import java.security.Principal;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.onap.aaf.cadi.Access;
import org.onap.aaf.cadi.Access.Level;
import org.onap.aaf.cadi.config.Config;
\r
44 * This class implements Servlet Filter, and uses AAF to validate access to a Path.
\r
46 * This class can be used in a standard J2EE Servlet manner.
\r
50 public class PathFilter implements Filter {
\r
51 private ServletContext context;
\r
52 private String aaf_type;
\r
53 private String not_authorized_msg;
\r
54 private final Log log;
\r
57 * Construct a viable Filter for installing in Container WEB.XML, etc.
\r
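public PathFilter() {
    // Container construction path: no Access object exists yet, so all log
    // output goes through the ServletContext. `context` is only assigned in
    // init(); info()/audit() are invoked from init() and destroy(), never before.
    log = new Log() {
        @Override
        public void info(String ... msg) {
            context.log(build("INFO:", msg));
        }

        @Override
        public void audit(String ... msg) {
            context.log(build("AUDIT:", msg));
        }

        /**
         * Joins the level prefix and the message fragments into a single log line.
         * An empty fragment list yields just the prefix (no trailing separator).
         * NOTE(review): the loop body was not visible on this page; a single space
         * separator is used here — confirm against the upstream source.
         */
        private String build(String type, String[] msg) {
            StringBuilder sb = new StringBuilder(type);
            for (String s : msg) {
                sb.append(' ');
                sb.append(s);
            }
            return sb.toString();
        }
    };
}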
\r
81 * Filter that can be constructed within Java
\r
public PathFilter(final Access access) {
    // Programmatic construction path: both log levels are delegated to the
    // supplied Access, so no ServletContext is required for logging.
    log = new Log() {
        @Override
        public void info(String ... msg) {
            access.log(Level.INFO, (Object[]) msg);
        }

        @Override
        public void audit(String ... msg) {
            access.log(Level.AUDIT, (Object[]) msg);
        }
    };
}
\r
98 * Standard Filter "init" call with FilterConfig to obtain properties. POJOs can construct a
\r
99 * FilterConfig with the mechanism of their choice, and standard J2EE Servlet engines utilize this
\r
100 * mechanism already.
\r
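public void init(FilterConfig filterConfig) throws ServletException {
    // The ServletContext supplies every configuration attribute read below and
    // is the logging sink for the no-arg construction path.
    context = filterConfig.getServletContext();

    // The namespace is mandatory: without it no meaningful permission type can
    // be formed. Fail closed immediately (the container will not install the
    // filter) instead of logging a bogus type first.
    Object attr = context.getAttribute(Config.PATHFILTER_NS);
    if (attr == null) {
        throw new ServletException("PathFilter - pathfilter_ns is not set");
    }
    StringBuilder sb = new StringBuilder(attr.toString());

    // Optional stack component: "<ns>.<stack>".
    attr = context.getAttribute(Config.PATHFILTER_STACK);
    if (attr == null) {
        log.info("PathFilter - No pathfilter_stack set, ignoring");
    } else {
        sb.append('.');
        sb.append(attr.toString());
    }

    // URL-pattern component, defaulting to "urlpattern".
    attr = context.getAttribute(Config.PATHFILTER_URLPATTERN);
    if (attr == null) {
        log.info("PathFilter - No pathfilter_urlpattern set, defaulting to 'urlpattern'");
        sb.append(".urlpattern");
    } else {
        sb.append('.');
        sb.append(attr.toString());
    }

    log.info("PathFilter - AAF Permission Type is", sb.toString());

    // doFilter() appends "<pathInfo>|<METHOD>" directly to aaf_type, so the
    // stored type must already end with the '|' field separator to yield the
    // "type|instance|action" form.
    sb.append('|');
    aaf_type = sb.toString();

    // Body of the 403 response. Operator-configured, not request-derived.
    attr = context.getAttribute(Config.PATHFILTER_NOT_AUTHORIZED_MSG);
    if (attr == null) {
        not_authorized_msg = "Forbidden - Not Authorized to access this Path";
    } else {
        not_authorized_msg = attr.toString();
    }
}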
\r
/**
 * Minimal logging seam so the filter works both when constructed by the
 * container (logging via ServletContext) and when constructed in Java with an
 * Access. info() carries configuration notes; audit() is used by doFilter()
 * for access denials.
 */
private interface Log {
    void info(String ... msg);
    void audit(String ... msg);
}
\r
157 * This is the standard J2EE invocation. Analyze the request, modify response as necessary, and
\r
158 * only call the next item in the filterChain if the caller is suitably Authorized, i.e. holds the
158 * AAF permission for this path and HTTP method. Authentication itself is expected to have been
158 * established earlier in the chain; an unauthenticated caller is simply denied here.
\r
160 //TODO Always validate changes against Tomcat AbsCadiValve and Jaspi CadiSAM functions
\r
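public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    HttpServletRequest hreq = (HttpServletRequest) request;
    HttpServletResponse hresp = (HttpServletResponse) response;

    // Permission checked is "<aaf_type><pathInfo>|<METHOD>", where aaf_type
    // already ends in the '|' separator (see init()). getPathInfo() is null
    // when the mapping leaves no extra path; use "" rather than the literal
    // "null" so the instance field is not the string "null". Grants written
    // against "...|null|..." (if any exist) will stop matching — fail closed.
    String pathInfo = hreq.getPathInfo();
    String perm = aaf_type + (pathInfo == null ? "" : pathInfo) + '|' + hreq.getMethod();
    // NOTE(review): pathInfo is used verbatim. A decoded '|' inside the path
    // would shift the perm's field layout; confirm the role parser behind
    // isUserInRole() rejects such values rather than matching a different perm.

    if (hreq.isUserInRole(perm)) {
        chain.doFilter(request, response);
        return;
    }

    // Denial path. An unauthenticated request has no principal; dereferencing
    // it unguarded turned the denial into an NPE (HTTP 500) and the audit
    // record was never written. Always audit, then return 403.
    Principal principal = hreq.getUserPrincipal();
    String who = principal == null ? "<unauthenticated>" : principal.getName();
    log.audit("PathFilter has denied", who, "access to", perm);
    hresp.sendError(403, not_authorized_msg);
}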
\r
174 * Containers call "destroy" when time to cleanup
\r
/**
 * Container lifecycle hook invoked at shutdown. Nothing is held that needs
 * releasing; the call is only recorded in the log.
 */
@Override
public void destroy() {
    log.info("PathFilter destroyed.");
}
\r