sdf

Java code posted
created at 13 Sep 16:39

Edit | Back 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
 
package njust.consman.secman;

import hirondelle.web4j.security.SafeText;
import hirondelle.web4j.util.Util;

import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import njust.consman.model.user.PrivilegeGroup;
import njust.consman.model.user.PrivilegeGroupUtil;
import njust.consman.model.user.User;
import njust.consman.model.user.UserPrivilegeCache;

import org.apache.commons.lang3.StringUtils;

import static njust.consman.model.user.UserUtil.LOGIN_STATE;
import static njust.consman.model.user.UserUtil.LOGIN_USER;


public final class SecurityManager implements Filter{

  @Override
  public void destroy() {
    
  }

  @Override
  public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
      throws IOException,
      ServletException {
    HttpServletRequest request = (HttpServletRequest)req;
    HttpServletResponse response = (HttpServletResponse)res;
    String base = request.getContextPath();
    String uri = StringUtils.removeStart(request.getRequestURI(), base);
    log.fine(uri);

    // 根目录下的都能访问,一般是一些静态的HTML文件
    if (isRoot(uri)) {
      chain.doFilter(req, res);
      return;
    }
    
    // 忽略的URI前缀
    for (String i : ignoredPrefix) {
      if (uri.startsWith(i)) {
        chain.doFilter(req, res);
        return;
      }
    }
    
    Boolean login = Boolean.FALSE;  // 当前是否有用户已经登陆
    HttpSession session = request.getSession(false);
    if (session != null) {
      login = (Boolean)session.getAttribute(LOGIN_STATE);
    }
    login = Util.nullMeansFalse(login);
    // 未登录则跳转到登陆页面
    if (!login) {
      response.sendRedirect(base + loginURI);
      
      log.info("Access denied when requesting:" + uri);
      return;
    }
    
    /* 到此用户肯定已经登陆了 */
    // 注销和文件下载URI只要登录便可访问
    // FIXME 文件下载URI根据用户的权限做进一步访问控制,可能需要在文件下载的Servlet中做
    if (uri.startsWith(logoutURI) || uri.startsWith(resURI) || uri.startsWith(welcomeURI)) {
      chain.doFilter(req, res);
      return;
    }
    
    // 登录用户都可以访问设置页面(密码修改,个人信息修改)
    if (uri.startsWith(settingURI)) {
      chain.doFilter(req, res);
      return;
    }
    
    // 四个平台的访问控制
    User user = (User)session.getAttribute(LOGIN_USER);
    SafeText name = user.getName();
    List<PrivilegeGroup> privileges = UserPrivilegeCache.get(name.getRawString());
    for (PrivilegeGroup i : privileges) {
      String prefix = i.getPlatform().getRawString();
      if (uri.startsWith(prefix) || hasImplicitPermission(prefix, uri)) {
        chain.doFilter(req, res);
        return;
      }
    }
    
    // 其余全部拒绝访问
    response.sendError(HttpServletResponse.SC_FORBIDDEN);
  }
  
  private boolean hasImplicitPermission(String prefix, String uri) {
    if (PrivilegeGroupUtil.BASIC_PLATFORM.equals(prefix) ||
      PrivilegeGroupUtil.STAT_PLATFORM.equals(prefix)) {
      return uri.startsWith(PrivilegeGroupUtil.INFO_PLATFORM);
    }
    return false;
  }

  @Override
  public void init(FilterConfig config) throws ServletException {
    String ignores = config.getInitParameter(PARAM_IGNORE);
    if(ignores != null) {
      for(String i : StringUtils.split(ignores, ','))
        ignoredPrefix.add(i.trim());  
    }
    log.info("Ignore prefixs:\n" + Util.logOnePerLine(ignoredPrefix));
    
    loginURI = config.getInitParameter(PARAM_LOGIN_URI);
    log.info("Login URI: " + loginURI);
    
    logoutURI = config.getInitParameter(PARAM_LOGOUT_URI);
    log.info("Logout URI: " + logoutURI);
    
    resURI = config.getInitParameter(PARAM_RES_URI);
    log.info("Resource download URI: " + resURI);
    
    welcomeURI = config.getInitParameter(PARAM_WELCOME_URI);
    log.info("Welcome URI: " + welcomeURI);
    
    settingURI = config.getInitParameter(PARAM_SETTING_URI);
    log.info("settings URI: " + settingURI);
  }

  // PRIVATE //
  private static final String PARAM_IGNORE = "ignore";
  private static final String PARAM_LOGOUT_URI = "logout-uri";
  private static final String PARAM_LOGIN_URI = "login-uri";
  private static final String PARAM_RES_URI = "res-uri";
  private static final String PARAM_WELCOME_URI = "welcome-uri";
  private static final String PARAM_SETTING_URI = "setting-uri";
  
  private static final String URI_SEPERATOR = "/";
  
  private String loginURI;  // 系统登陆的URI
  private String resURI, logoutURI, welcomeURI;  // 文件下载的URI,注销URI,以及欢迎URI
  private String settingURI; // 个人信息管理
  private List<String> ignoredPrefix = new ArrayList<String>();
  
  private static final Logger log = Util.getLogger(SecurityManager.class);
  
  
  /**
   * Test if a URI is located in the root path.
   * @param uri URI to test
   * @return true if URI is located in the root path, otherwise return false;
   */
  private boolean isRoot(String uri) {
    int idx = uri.lastIndexOf(URI_SEPERATOR);
    return (idx == 0);
  }
}
4.96 KB in 7 ms with coderay