+++ /dev/null
-/*******************************************************************************\r
- * ============LICENSE_START====================================================\r
- * * org.onap.aaf\r
- * * ===========================================================================\r
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.\r
- * * ===========================================================================\r
- * * Licensed under the Apache License, Version 2.0 (the "License");\r
- * * you may not use this file except in compliance with the License.\r
- * * You may obtain a copy of the License at\r
- * * \r
- * * http://www.apache.org/licenses/LICENSE-2.0\r
- * * \r
- * * Unless required by applicable law or agreed to in writing, software\r
- * * distributed under the License is distributed on an "AS IS" BASIS,\r
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
- * * See the License for the specific language governing permissions and\r
- * * limitations under the License.\r
- * * ============LICENSE_END====================================================\r
- * *\r
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.\r
- * *\r
- ******************************************************************************/\r
-package org.onap.aaf.cadi.filter;\r
-\r
-import java.io.IOException;\r
-import java.lang.reflect.Constructor;\r
-import java.util.ArrayList;\r
-import java.util.List;\r
-\r
-import javax.servlet.Filter;\r
-import javax.servlet.FilterChain;\r
-import javax.servlet.FilterConfig;\r
-import javax.servlet.ServletException;\r
-import javax.servlet.ServletRequest;\r
-import javax.servlet.ServletResponse;\r
-import javax.servlet.http.HttpServletRequest;\r
-import javax.servlet.http.HttpServletResponse;\r
-\r
-import org.onap.aaf.cadi.Access;\r
-import org.onap.aaf.cadi.CadiException;\r
-import org.onap.aaf.cadi.CadiWrap;\r
-import org.onap.aaf.cadi.Lur;\r
-import org.onap.aaf.cadi.PropAccess;\r
-import org.onap.aaf.cadi.ServletContextAccess;\r
-import org.onap.aaf.cadi.TrustChecker;\r
-import org.onap.aaf.cadi.Access.Level;\r
-import org.onap.aaf.cadi.config.Config;\r
-import org.onap.aaf.cadi.config.Get;\r
-import org.onap.aaf.cadi.taf.TafResp;\r
-import org.onap.aaf.cadi.taf.TafResp.RESP;\r
-\r
-/**\r
- * CadiFilter\r
- * \r
- * This class implements Servlet Filter, and ties together CADI implementations\r
- * \r
- * This class can be used in a standard J2EE Servlet manner. Optimal usage is for POJO operations, where\r
- * one can enforce this Filter being first and primary. Depending on the Container, it \r
- * may be more effective, in some cases, to utilize features that allow earlier determination of \r
- * AUTHN (Authorization). An example would be "Tomcat Valve". These implementations, however, should\r
- * be modeled after the "init" and "doFilter" functions, and be kept up to date as this class changes.\r
- * \r
- * \r
- *\r
- */\r
-public class CadiFilter implements Filter {\r
- private static CadiHTTPManip httpChecker;\r
- private static String[] pathExceptions;\r
- private static List<Pair> mapPairs;\r
- private Access access;\r
- private Object[] additionalTafLurs;\r
- private static int count=0;\r
- \r
- public Lur getLur() {\r
- return httpChecker.getLur();\r
- }\r
- \r
- /**\r
- * Construct a viable Filter\r
- * \r
- * Due to the vagaries of many containers, there is a tendency to create Objects and call "Init" on \r
- * them at a later time. Therefore, this object creates with an object that denies all access\r
- * until appropriate Init happens, just in case the container lets something slip by in the meantime.\r
- * \r
- */\r
- public CadiFilter() {\r
- additionalTafLurs = CadiHTTPManip.noAdditional;\r
- }\r
-\r
- /**\r
- * This constructor to be used when directly constructing and placing in HTTP Engine\r
- * \r
- * @param access\r
- * @param moreTafLurs\r
- * @throws ServletException \r
- */\r
- public CadiFilter(Access access, Object ... moreTafLurs) throws ServletException {\r
- additionalTafLurs = moreTafLurs;\r
- init(new AccessGetter(this.access = access));\r
- }\r
-\r
-\r
- /**\r
- * Use this to pass in a PreContructed CADI Filter, but with initializing... let Servlet do it\r
- * @param init\r
- * @param access\r
- * @param moreTafLurs\r
- * @throws ServletException\r
- */\r
- public CadiFilter(boolean init, PropAccess access, Object ... moreTafLurs) throws ServletException {\r
- this.access = access;\r
- if(init) {\r
- init(new AccessGetter(access));\r
- }\r
- additionalTafLurs = moreTafLurs;\r
- }\r
-\r
- /**\r
- * Init\r
- * \r
- * Standard Filter "init" call with FilterConfig to obtain properties. POJOs can construct a\r
- * FilterConfig with the mechanism of their choice, and standard J2EE Servlet engines utilize this\r
- * mechanism already.\r
- */\r
- //TODO Always validate changes against Tomcat AbsCadiValve and Jaspi CadiSAM Init functions\r
- public void init(FilterConfig filterConfig) throws ServletException {\r
- // need the Context for Logging, instantiating ClassLoader, etc\r
- ServletContextAccess sca=new ServletContextAccess(filterConfig); \r
- if(access==null) {\r
- access = sca;\r
- }\r
- \r
- // Set Protected getter with base Access, for internal class instantiations\r
- init(new FCGet(access, sca.context(), filterConfig));\r
- }\r
- \r
-\r
- private void init(Get getter) throws ServletException {\r
- // Start with the assumption of "Don't trust anyone".\r
- TrustChecker tc = TrustChecker.NOTRUST; // default position\r
- try {\r
- @SuppressWarnings("unchecked")\r
- Class<TrustChecker> ctc = (Class<TrustChecker>) Class.forName("com.att.cadi.aaf.v2_0.AAFTrustChecker");\r
- if(ctc!=null) {\r
- Constructor<TrustChecker> contc = ctc.getConstructor(Access.class);\r
- if(contc!=null) {\r
- tc = contc.newInstance(access);\r
- }\r
- }\r
- } catch (Exception e) {\r
- access.log(Level.INIT, "AAFTrustChecker cannot be loaded",e.getMessage());\r
- }\r
- \r
- \r
- // Synchronize, because some instantiations call init several times on the same object\r
- // In this case, the epiTaf will be changed to a non-NullTaf, and thus not instantiate twice.\r
- synchronized(CadiHTTPManip.noAdditional /*will always remain same Object*/) {\r
- ++count;\r
- if(httpChecker == null) {\r
- if(access==null) {\r
- access = new PropAccess();\r
- }\r
- try {\r
- httpChecker = new CadiHTTPManip(access,null /*reuseable Con*/,tc, additionalTafLurs);\r
- } catch (CadiException e1) {\r
- throw new ServletException(e1);\r
- }\r
- } else if(access==null) {\r
- access= httpChecker.getAccess();\r
- }\r
-\r
- /*\r
- * Setup Authn Path Exceptions\r
- */\r
- if(pathExceptions==null) {\r
- String str = getter.get(Config.CADI_NOAUTHN, null, true);\r
- if(str!=null) {\r
- pathExceptions = str.split("\\s*:\\s*");\r
- }\r
- }\r
- \r
- /* \r
- * SETUP Permission Converters... those that can take Strings from a Vendor Product, and convert to appropriate AAF Permissions\r
- */\r
- if(mapPairs==null) {\r
- String str = getter.get(Config.AAF_PERM_MAP, null, true);\r
- if(str!=null) {\r
- String mstr = getter.get(Config.AAF_PERM_MAP, null, true);\r
- if(mstr!=null) {\r
- String map[] = mstr.split("\\s*:\\s*");\r
- if(map.length>0) {\r
- MapPermConverter mpc=null;\r
- int idx;\r
- mapPairs = new ArrayList<Pair>();\r
- for(String entry : map) {\r
- if((idx=entry.indexOf('='))<0) { // it's a Path, so create a new converter\r
- access.log(Level.INIT,"Loading Perm Conversions for:",entry);\r
- mapPairs.add(new Pair(entry,mpc=new MapPermConverter()));\r
- } else {\r
- if(mpc!=null) {\r
- mpc.map().put(entry.substring(0,idx),entry.substring(idx+1));\r
- } else {\r
- access.log(Level.ERROR,"cadi_perm_map is malformed; ",entry, "is skipped");\r
- }\r
- }\r
- }\r
- }\r
- }\r
- }\r
- }\r
- }\r
-\r
- // Remove Getter\r
- getter = Get.NULL;\r
- }\r
-\r
- /**\r
- * Containers call "destroy" when time to cleanup \r
- */\r
- public void destroy() {\r
- // Synchronize, in case multiCadiFilters are used.\r
- synchronized(CadiHTTPManip.noAdditional) {\r
- if(--count<=0 && httpChecker!=null) {\r
- httpChecker.destroy();\r
- httpChecker=null;\r
- access=null;\r
- pathExceptions=null;\r
- }\r
- }\r
- }\r
-\r
- /**\r
- * doFilter\r
- * \r
- * This is the standard J2EE invocation. Analyze the request, modify response as necessary, and\r
- * only call the next item in the filterChain if request is suitably Authenticated.\r
- */\r
- //TODO Always validate changes against Tomcat AbsCadiValve and Jaspi CadiSAM functions\r
- public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {\r
- try {\r
- HttpServletRequest hreq = (HttpServletRequest)request;\r
- if(noAuthn(hreq)) {\r
- chain.doFilter(request, response);\r
- } else {\r
- HttpServletResponse hresp = (HttpServletResponse)response;\r
- TafResp tresp = httpChecker.validate(hreq, hresp);\r
- if(tresp.isAuthenticated()==RESP.IS_AUTHENTICATED) {\r
- CadiWrap cw = new CadiWrap(hreq, tresp, httpChecker.getLur(),getConverter(hreq));\r
- if(httpChecker.notCadi(cw, hresp)) {\r
- chain.doFilter(cw,response);\r
- }\r
- } \r
- }\r
- } catch (ClassCastException e) {\r
- throw new ServletException("CadiFilter expects Servlet to be an HTTP Servlet",e);\r
- }\r
- }\r
-\r
-\r
- /** \r
- * If PathExceptions exist, report if these should not have Authn applied.\r
- * @param hreq\r
- * @return\r
- */\r
- private boolean noAuthn(HttpServletRequest hreq) {\r
- if(pathExceptions!=null) {\r
- String pi = hreq.getPathInfo();\r
- if(pi==null) return false; // JBoss sometimes leaves null\r
- for(String pe : pathExceptions) {\r
- if(pi.startsWith(pe))return true;\r
- }\r
- }\r
- return false;\r
- }\r
- \r
- /**\r
- * Get Converter by Path\r
- */\r
- private PermConverter getConverter(HttpServletRequest hreq) {\r
- if(mapPairs!=null) {\r
- String pi = hreq.getPathInfo();\r
- if(pi!=null) {\r
- for(Pair p: mapPairs) {\r
- if(pi.startsWith(p.name))return p.pc;\r
- }\r
- }\r
- }\r
- return NullPermConverter.singleton();\r
- }\r
- \r
- /**\r
- * store PermConverters by Path prefix\r
- *\r
- */\r
- private class Pair {\r
- public Pair(String key, PermConverter pc) {\r
- name = key;\r
- this.pc = pc;\r
- }\r
- public String name;\r
- public PermConverter pc;\r
- }\r
-\r
-}\r
-\r