1 /**
2 * This file Copyright (c) 2003-2010 Magnolia International
3 * Ltd. (http://www.magnolia-cms.com). All rights reserved.
4 *
5 *
6 * This file is dual-licensed under both the Magnolia
7 * Network Agreement and the GNU General Public License.
8 * You may elect to use one or the other of these licenses.
9 *
10 * This file is distributed in the hope that it will be
11 * useful, but AS-IS and WITHOUT ANY WARRANTY; without even the
12 * implied warranty of MERCHANTABILITY or FITNESS FOR A
13 * PARTICULAR PURPOSE, TITLE, or NONINFRINGEMENT.
14 * Redistribution, except as permitted by whichever of the GPL
15 * or MNA you select, is prohibited.
16 *
17 * 1. For the GPL license (GPL), you can redistribute and/or
18 * modify this file under the terms of the GNU General
19 * Public License, Version 3, as published by the Free Software
20 * Foundation. You should have received a copy of the GNU
21 * General Public License, Version 3 along with this program;
22 * if not, write to the Free Software Foundation, Inc., 51
23 * Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
24 *
25 * 2. For the Magnolia Network Agreement (MNA), this file
26 * and the accompanying materials are made available under the
27 * terms of the MNA which accompanies this distribution, and
28 * is available at http://www.magnolia-cms.com/mna.html
29 *
30 * Any modifications to this file must keep this entire header
31 * intact.
32 *
33 */
34 package info.magnolia.cms.security;
35
36 import info.magnolia.cms.core.Access;
37 import info.magnolia.context.MgnlContext;
38
39 import java.io.IOException;
40
41 import javax.servlet.http.HttpServletRequest;
42 import javax.servlet.http.HttpServletResponse;
43
44 import org.slf4j.Logger;
45 import org.slf4j.LoggerFactory;
46
47
48 /**
49 * This Filter protects URI as defined by ROLE(s)/GROUP(s) ACL
50 * @author Sameer Charles
51 */
52 public class URISecurityFilter extends BaseSecurityFilter {
53
54 private static final Logger log = LoggerFactory.getLogger(URISecurityFilter.class);
55
56 public static final String URI_REPOSITORY = "uri";
57
58 public static final String URI_WORKSPACE = "default";
59
60 /**
61 * Checks access from Listener / Authenticator / AccessLock.
62 * @param request HttpServletRequest as received by the service method
63 * @param response HttpServletResponse as received by the service method
64 * @return boolean <code>true</code> if access to the resource is allowed
65 * @throws IOException can be thrown when the servlet is unable to write to the response stream
66 */
67 public boolean isAllowed(HttpServletRequest request, HttpServletResponse response) throws IOException {
68 // todo MAGNOLIA-1617 move this to separate filter
69 final IPSecurityManager ipSecurityManager = IPSecurityManager.Factory.getInstance();
70 if (!ipSecurityManager.isAllowed(request)) {
71 response.sendError(HttpServletResponse.SC_FORBIDDEN);
72 return false;
73 }
74
75 if (Lock.isSystemLocked()) {
76 // todo - move Lock checks to separate filter
77 response.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE);
78 return false;
79 }
80
81 AccessManager accessManager = MgnlContext.getAccessManager(URI_REPOSITORY, URI_WORKSPACE);
82 return isAuthorized(accessManager, request);
83 }
84
85 /**
86 * validates user permissions on URI
87 * */
88 protected boolean isAuthorized(AccessManager accessManager, HttpServletRequest request) {
89 if (null == accessManager) return false;
90 long permission;
91 if (request.getMethod().equalsIgnoreCase("POST")) {
92 permission = Permission.WRITE;
93 } else {
94 permission = Permission.READ;
95 }
96 try {
97 final String handle = MgnlContext.getAggregationState().getCurrentURI();
98 Access.isGranted(accessManager, handle, permission);
99 return true;
100 } catch (AccessDeniedException ade) {
101 log.debug(ade.getMessage());
102 }
103 return false;
104 }
105 }