+++ /dev/null
-/*******************************************************************************\r
- * ============LICENSE_START====================================================\r
- * * org.onap.aaf\r
- * * ===========================================================================\r
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.\r
- * * ===========================================================================\r
- * * Licensed under the Apache License, Version 2.0 (the "License");\r
- * * you may not use this file except in compliance with the License.\r
- * * You may obtain a copy of the License at\r
- * * \r
- * * http://www.apache.org/licenses/LICENSE-2.0\r
- * * \r
- * * Unless required by applicable law or agreed to in writing, software\r
- * * distributed under the License is distributed on an "AS IS" BASIS,\r
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
- * * See the License for the specific language governing permissions and\r
- * * limitations under the License.\r
- * * ============LICENSE_END====================================================\r
- * *\r
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.\r
- * *\r
- ******************************************************************************/\r
-package org.onap.aaf.cadi.filter;\r
-\r
-import java.io.IOException;\r
-\r
-import javax.servlet.Filter;\r
-import javax.servlet.FilterChain;\r
-import javax.servlet.FilterConfig;\r
-import javax.servlet.ServletContext;\r
-import javax.servlet.ServletException;\r
-import javax.servlet.ServletRequest;\r
-import javax.servlet.ServletResponse;\r
-import javax.servlet.http.HttpServletRequest;\r
-import javax.servlet.http.HttpServletResponse;\r
-\r
-import org.onap.aaf.cadi.Access;\r
-import org.onap.aaf.cadi.Access.Level;\r
-import org.onap.aaf.cadi.config.Config;\r
-\r
-/**\r
- * PathFilter\r
- * \r
- * This class implements Servlet Filter, and uses AAF to validate access to a Path.\r
- * \r
- * This class can be used in a standard J2EE Servlet manner.\r
- * \r
- *\r
- */\r
-public class PathFilter implements Filter {\r
- private ServletContext context;\r
- private String aaf_type;\r
- private String not_authorized_msg;\r
- private final Log log;\r
-\r
- /**\r
- * Construct a viable Filter for installing in Container WEB.XML, etc.\r
- * \r
- */\r
- public PathFilter() {\r
- log = new Log() {\r
- public void info(String ... msg) {\r
- context.log(build("INFO:",msg));\r
- }\r
- public void audit(String ... msg) {\r
- context.log(build("AUDIT:",msg));\r
- }\r
- private String build(String type, String []msg) {\r
- StringBuilder sb = new StringBuilder(type);\r
- for(String s : msg) {\r
- sb.append(' ');\r
- sb.append(s);\r
- }\r
- return sb.toString();\r
- }\r
- \r
- };\r
- }\r
- \r
- /**\r
- * Filter that can be constructed within Java\r
- * @param access\r
- */\r
- public PathFilter(final Access access) {\r
- log = new Log() {\r
- public void info(String ... msg) {\r
- access.log(Level.INFO, (Object[])msg);\r
- }\r
- public void audit(String ... msg) {\r
- access.log(Level.AUDIT, (Object[])msg);\r
- }\r
- };\r
- }\r
- \r
- /**\r
- * Init\r
- * \r
- * Standard Filter "init" call with FilterConfig to obtain properties. POJOs can construct a\r
- * FilterConfig with the mechanism of their choice, and standard J2EE Servlet engines utilize this\r
- * mechanism already.\r
- */\r
- public void init(FilterConfig filterConfig) throws ServletException {\r
- // need the Context for Logging, instantiating ClassLoader, etc\r
- context = filterConfig.getServletContext();\r
- StringBuilder sb = new StringBuilder();\r
- StringBuilder err = new StringBuilder(); \r
- Object attr = context.getAttribute(Config.PATHFILTER_NS);\r
- if(attr==null) {\r
- err.append("PathFilter - pathfilter_ns is not set");\r
- } else {\r
- sb.append(attr.toString()); \r
- }\r
-\r
- attr = context.getAttribute(Config.PATHFILTER_STACK);\r
- if(attr==null) {\r
- log.info("PathFilter - No pathfilter_stack set, ignoring");\r
- } else {\r
- sb.append('.');\r
- sb.append(attr.toString());\r
- }\r
-\r
- attr = context.getAttribute(Config.PATHFILTER_URLPATTERN);\r
- if(attr==null) {\r
- log.info("PathFilter - No pathfilter_urlpattern set, defaulting to 'urlpattern'");\r
- sb.append(".urlpattern");\r
- } else {\r
- sb.append('.');\r
- sb.append(attr.toString());\r
- }\r
-\r
- log.info("PathFilter - AAF Permission Type is",sb.toString());\r
- \r
- sb.append('|');\r
- \r
- aaf_type = sb.toString();\r
-\r
- attr = context.getAttribute(Config.PATHFILTER_NOT_AUTHORIZED_MSG);\r
- if(attr==null) {\r
- not_authorized_msg = "Forbidden - Not Authorized to access this Path";\r
- } else {\r
- not_authorized_msg = attr.toString();\r
- }\r
-\r
- if(err.length()>0) {\r
- throw new ServletException(err.toString());\r
- }\r
- }\r
-\r
- private interface Log {\r
- public void info(String ... msg);\r
- public void audit(String ... msg);\r
- }\r
-\r
- /**\r
- * doFilter\r
- * \r
- * This is the standard J2EE invocation. Analyze the request, modify response as necessary, and\r
- * only call the next item in the filterChain if request is suitably Authenticated.\r
- */\r
- //TODO Always validate changes against Tomcat AbsCadiValve and Jaspi CadiSAM functions\r
- public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {\r
- HttpServletRequest hreq = (HttpServletRequest)request;\r
- HttpServletResponse hresp = (HttpServletResponse)response;\r
- String perm = aaf_type+hreq.getPathInfo()+'|'+hreq.getMethod();\r
- if(hreq.isUserInRole(perm)) {\r
- chain.doFilter(request, response);\r
- } else {\r
- log.audit("PathFilter has denied",hreq.getUserPrincipal().getName(),"access to",perm);\r
- hresp.sendError(403,not_authorized_msg);\r
- }\r
- }\r
-\r
- /**\r
- * Containers call "destroy" when time to cleanup \r
- */\r
- public void destroy() {\r
- log.info("PathFilter destroyed.");\r
- }\r
-\r
-\r
-\r
-}\r
-\r
Code Review / aaf / cadi.git / blobdiff