Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Added a ContextHolderAwareRequestWrapper to integrate with getRemoteUser() and isUserInRole(String). Thanks to Orlando Garcia Carmona ("paramosyermos" on Spring forums).

This commit is contained in:
Ben Alex 2004-12-05 06:11:18 +00:00
parent c9aa80b655
commit c5900cab9c
7 changed files with 417 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

54
core/src/main/java/org/acegisecurity/ui/wrapper/ContextHolderAwareRequestFilter.java Normal file
View File

@ -0,0 +1,54 @@
/* Copyright 2004 Acegi Technology Pty Limited
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package net.sf.acegisecurity.ui.wrapper;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
/**
* A <code>Filter</code> which populates the <code>ServletRequest</code> with
* an {@link ContextHolderAwareRequestWrapper}.
*
* @author Orlando Garcia Carmona
* @version $Id$
*/
public class ContextHolderAwareRequestFilter implements Filter {
//~ Methods ================================================================
public void destroy() {}
public void doFilter(ServletRequest servletRequest,
ServletResponse servletResponse, FilterChain filterChain)
throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) servletRequest;
if (!(request instanceof ContextHolderAwareRequestWrapper)) {
request = new ContextHolderAwareRequestWrapper(request);
}
filterChain.doFilter(request, servletResponse);
}
public void init(FilterConfig filterConfig) throws ServletException {}
}

117
core/src/main/java/org/acegisecurity/ui/wrapper/ContextHolderAwareRequestWrapper.java Normal file
View File

@ -0,0 +1,117 @@
/* Copyright 2004 Acegi Technology Pty Limited
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package net.sf.acegisecurity.ui.wrapper;
import net.sf.acegisecurity.Authentication;
import net.sf.acegisecurity.GrantedAuthority;
import net.sf.acegisecurity.UserDetails;
import net.sf.acegisecurity.context.ContextHolder;
import net.sf.acegisecurity.context.SecureContext;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
/**
* An Acegi Security-aware <code>HttpServletRequestWrapper</code>, which uses
* the <code>ContextHolder</code>-defined <code>Authentication</code> object
* for {@link ContextHolderAwareRequestWrapper#isUserInRole(java.lang.String)}
* and {@link javax.servlet.http.HttpServletRequestWrapper#getRemoteUser()}
* responses.
*
* @author Orlando Garcia Carmona
* @author Ben Alex
* @version $Id$
*/
public class ContextHolderAwareRequestWrapper extends HttpServletRequestWrapper {
//~ Constructors ===========================================================
public ContextHolderAwareRequestWrapper(HttpServletRequest request) {
super(request);
}
//~ Methods ================================================================
/**
* Returns the principal's name, as obtained from the
* <code>ContextHolder</code>. Properly handles both
* <code>String</code>-based and <code>UserDetails</code>-based
* principals.
*
* @return the username or <code>null</code> if unavailable
*/
public String getRemoteUser() {
Authentication auth = getAuthentication();
if ((auth == null) || (auth.getPrincipal() == null)) {
return null;
}
if (auth.getPrincipal() instanceof UserDetails) {
return ((UserDetails) auth.getPrincipal()).getUsername();
}
return auth.getPrincipal().toString();
}
/**
* Simple searches for an exactly matching {@link
* GrantedAuthority#getAuthority()}.
*
* <p>
* Will always return <code>false</code> if the <code>ContextHolder</code>
* contains an <code>Authentication</code> with
* <code>null</code><code>principal</code> and/or
* <code>GrantedAuthority[]</code> objects.
* </p>
*
* @param role the <code>GrantedAuthority</code><code>String</code>
* representation to check for
*
* @return <code>true</code> if an <b>exact</b> (case sensitive) matching
* granted authority is located, <code>false</code> otherwise
*/
public boolean isUserInRole(String role) {
return isGranted(role);
}
private Authentication getAuthentication() {
if ((ContextHolder.getContext() != null)
&& ContextHolder.getContext() instanceof SecureContext) {
return ((SecureContext) ContextHolder.getContext())
.getAuthentication();
}
return null;
}
private boolean isGranted(String role) {
Authentication auth = getAuthentication();
if ((auth == null) || (auth.getPrincipal() == null)
|| (auth.getAuthorities() == null)) {
return false;
}
for (int i = 0; i < auth.getAuthorities().length; i++) {
if (role.equals(auth.getAuthorities()[i].getAuthority())) {
return true;
}
}
return false;
}
}

9
core/src/main/java/org/acegisecurity/ui/wrapper/package.html Normal file
View File

@ -0,0 +1,9 @@
<html>
<body>
Populates a Servlet request with a new Acegi Security compliant
<code>HttpServletRequestWrapper</code>.
<p>To use, simply add the <code>ContextHolderAwareRequestFilter</code>
to <code>web.xml</code>.
</body>
</html>

94
core/src/test/java/org/acegisecurity/ui/wrapper/ContextHolderAwareRequestFilterTests.java Normal file
View File

@ -0,0 +1,94 @@
/* Copyright 2004 Acegi Technology Pty Limited
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package net.sf.acegisecurity.ui.wrapper;
import junit.framework.TestCase;
import net.sf.acegisecurity.MockFilterConfig;
import net.sf.acegisecurity.MockHttpServletRequest;
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
/**
* Tests {@link ContextHolderAwareRequestFilter}.
*
* @author Ben Alex
* @version $Id$
*/
public class ContextHolderAwareRequestFilterTests extends TestCase {
//~ Constructors ===========================================================
public ContextHolderAwareRequestFilterTests() {
super();
}
public ContextHolderAwareRequestFilterTests(String arg0) {
super(arg0);
}
//~ Methods ================================================================
public final void setUp() throws Exception {
super.setUp();
}
public static void main(String[] args) {
junit.textui.TestRunner.run(ContextHolderAwareRequestFilterTests.class);
}
public void testCorrectOperation() throws Exception {
ContextHolderAwareRequestFilter filter = new ContextHolderAwareRequestFilter();
filter.init(new MockFilterConfig());
filter.doFilter(new MockHttpServletRequest(null, null), null,
new MockFilterChain(ContextHolderAwareRequestWrapper.class));
// Now re-execute the filter, ensuring our replacement wrapper is still used
filter.doFilter(new MockHttpServletRequest(null, null), null,
new MockFilterChain(ContextHolderAwareRequestWrapper.class));
filter.destroy();
}
//~ Inner Classes ==========================================================
private class MockFilterChain implements FilterChain {
private Class expectedServletRequest;
public MockFilterChain(Class expectedServletRequest) {
this.expectedServletRequest = expectedServletRequest;
}
private MockFilterChain() {
super();
}
public void doFilter(ServletRequest request, ServletResponse response)
throws IOException, ServletException {
if (request.getClass().isAssignableFrom(expectedServletRequest)) {
assertTrue(true);
} else {
fail("Expected class to be of type " + expectedServletRequest
+ " but was: " + request.getClass());
}
}
}
}

139
core/src/test/java/org/acegisecurity/ui/wrapper/ContextHolderAwareRequestWrapperTests.java Normal file
View File

@ -0,0 +1,139 @@
/* Copyright 2004 Acegi Technology Pty Limited
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package net.sf.acegisecurity.ui.wrapper;
import junit.framework.TestCase;
import net.sf.acegisecurity.Authentication;
import net.sf.acegisecurity.GrantedAuthority;
import net.sf.acegisecurity.GrantedAuthorityImpl;
import net.sf.acegisecurity.MockHttpServletRequest;
import net.sf.acegisecurity.context.ContextHolder;
import net.sf.acegisecurity.context.SecureContext;
import net.sf.acegisecurity.context.SecureContextImpl;
import net.sf.acegisecurity.providers.TestingAuthenticationToken;
import net.sf.acegisecurity.providers.dao.User;
/**
* Tests {@link ContextHolderAwareRequestWrapper}.
*
* @author Ben Alex
* @version $Id$
*/
public class ContextHolderAwareRequestWrapperTests extends TestCase {
//~ Constructors ===========================================================
public ContextHolderAwareRequestWrapperTests() {
super();
}
public ContextHolderAwareRequestWrapperTests(String arg0) {
super(arg0);
}
//~ Methods ================================================================
public final void setUp() throws Exception {
super.setUp();
}
public static void main(String[] args) {
junit.textui.TestRunner.run(ContextHolderAwareRequestWrapperTests.class);
}
public void testCorrectOperationWithStringBasedPrincipal()
throws Exception {
SecureContext sc = new SecureContextImpl();
Authentication auth = new TestingAuthenticationToken("marissa",
"koala",
new GrantedAuthority[] {new GrantedAuthorityImpl("ROLE_FOO")});
sc.setAuthentication(auth);
ContextHolder.setContext(sc);
ContextHolderAwareRequestWrapper wrapper = new ContextHolderAwareRequestWrapper(new MockHttpServletRequest(
"/"));
assertEquals("marissa", wrapper.getRemoteUser());
assertTrue(wrapper.isUserInRole("ROLE_FOO"));
assertFalse(wrapper.isUserInRole("ROLE_NOT_GRANTED"));
ContextHolder.setContext(null);
}
public void testCorrectOperationWithUserDetailsBasedPrincipal()
throws Exception {
SecureContext sc = new SecureContextImpl();
Authentication auth = new TestingAuthenticationToken(new User(
"marissaAsUserDetails", "koala", true,
new GrantedAuthority[] {}), "koala",
new GrantedAuthority[] {new GrantedAuthorityImpl("ROLE_HELLO"), new GrantedAuthorityImpl(
"ROLE_FOOBAR")});
sc.setAuthentication(auth);
ContextHolder.setContext(sc);
ContextHolderAwareRequestWrapper wrapper = new ContextHolderAwareRequestWrapper(new MockHttpServletRequest(
"/"));
assertEquals("marissaAsUserDetails", wrapper.getRemoteUser());
assertFalse(wrapper.isUserInRole("ROLE_FOO"));
assertFalse(wrapper.isUserInRole("ROLE_NOT_GRANTED"));
assertTrue(wrapper.isUserInRole("ROLE_FOOBAR"));
assertTrue(wrapper.isUserInRole("ROLE_HELLO"));
ContextHolder.setContext(null);
}
public void testNullAuthenticationHandling() throws Exception {
SecureContext sc = new SecureContextImpl();
sc.setAuthentication(null);
ContextHolder.setContext(sc);
ContextHolderAwareRequestWrapper wrapper = new ContextHolderAwareRequestWrapper(new MockHttpServletRequest(
"/"));
assertNull(wrapper.getRemoteUser());
assertFalse(wrapper.isUserInRole("ROLE_ANY"));
ContextHolder.setContext(null);
}
public void testNullContextHolderHandling() throws Exception {
ContextHolder.setContext(null);
ContextHolderAwareRequestWrapper wrapper = new ContextHolderAwareRequestWrapper(new MockHttpServletRequest(
"/"));
assertNull(wrapper.getRemoteUser());
assertFalse(wrapper.isUserInRole("ROLE_ANY"));
}
public void testNullPrincipalHandling() throws Exception {
SecureContext sc = new SecureContextImpl();
Authentication auth = new TestingAuthenticationToken(null, "koala",
new GrantedAuthority[] {new GrantedAuthorityImpl("ROLE_HELLO"), new GrantedAuthorityImpl(
"ROLE_FOOBAR")});
sc.setAuthentication(auth);
ContextHolder.setContext(sc);
ContextHolderAwareRequestWrapper wrapper = new ContextHolderAwareRequestWrapper(new MockHttpServletRequest(
"/"));
assertNull(wrapper.getRemoteUser());
assertFalse(wrapper.isUserInRole("ROLE_HELLO")); // principal is null, so reject
assertFalse(wrapper.isUserInRole("ROLE_FOOBAR")); // principal is null, so reject
ContextHolder.setContext(null);
}
}

1
doc/xdocs/changes.xml
View File

@ -43,6 +43,7 @@
<action dev="benalex" type="add">Added BasicAclExtendedDao interface and JdbcExtendedDaoImpl for ACL CRUD</action>
<action dev="benalex" type="add">Added additional remoting protocol demonstrations to Contacts sample</action>
<action dev="benalex" type="add">Added AbstractProcessingFilter property to always use defaultTargetUrl</action>
<action dev="benalex" type="add">Added ContextHolderAwareRequestWrapper to integrate with getRemoteUser()</action>
<action dev="benalex" type="update">Improved BasicAclProvider to only respond to specified ACL object requests</action>
<action dev="benalex" type="update">Refactored MethodDefinitionSource to work with Method, not MethodInvocation</action>
<action dev="benalex" type="update">Refactored AbstractFilterInvocationDefinitionSource to work with URL Strings alone</action>

3
project.xml
View File

@ -126,6 +126,9 @@
<contributor>
<name>Aaron Tang</name>
</contributor>
<contributor>
<name>Orlando Garcia Carmona</name>
</contributor>
</contributors>
<dependencies>
<dependency>