1 /** 2 * This file Copyright (c) 2003-2010 Magnolia International 3 * Ltd. (http://www.magnolia-cms.com). All rights reserved. 4 * 5 * 6 * This file is dual-licensed under both the Magnolia 7 * Network Agreement and the GNU General Public License. 8 * You may elect to use one or the other of these licenses. 9 * 10 * This file is distributed in the hope that it will be 11 * useful, but AS-IS and WITHOUT ANY WARRANTY; without even the 12 * implied warranty of MERCHANTABILITY or FITNESS FOR A 13 * PARTICULAR PURPOSE, TITLE, or NONINFRINGEMENT. 14 * Redistribution, except as permitted by whichever of the GPL 15 * or MNA you select, is prohibited. 16 * 17 * 1. For the GPL license (GPL), you can redistribute and/or 18 * modify this file under the terms of the GNU General 19 * Public License, Version 3, as published by the Free Software 20 * Foundation. You should have received a copy of the GNU 21 * General Public License, Version 3 along with this program; 22 * if not, write to the Free Software Foundation, Inc., 51 23 * Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 24 * 25 * 2. For the Magnolia Network Agreement (MNA), this file 26 * and the accompanying materials are made available under the 27 * terms of the MNA which accompanies this distribution, and 28 * is available at http://www.magnolia-cms.com/mna.html 29 * 30 * Any modifications to this file must keep this entire header 31 * intact. 32 * 33 */ 34 package info.magnolia.cms.security; 35 36 import info.magnolia.cms.core.Access; 37 import info.magnolia.context.MgnlContext; 38 39 import java.io.IOException; 40 41 import javax.servlet.http.HttpServletRequest; 42 import javax.servlet.http.HttpServletResponse; 43 44 import org.slf4j.Logger; 45 import org.slf4j.LoggerFactory; 46 47 48 /** 49 * This Filter protects URI as defined by ROLE(s)/GROUP(s) ACL 50 * @author Sameer Charles 51 */ 52 public class URISecurityFilter extends BaseSecurityFilter { 53 54 private static final Logger log = LoggerFactory.getLogger(URISecurityFilter.class); 55 56 public static final String URI_REPOSITORY = "uri"; 57 58 public static final String URI_WORKSPACE = "default"; 59 60 /** 61 * Checks access from Listener / Authenticator / AccessLock. 62 * @param request HttpServletRequest as received by the service method 63 * @param response HttpServletResponse as received by the service method 64 * @return boolean <code>true</code> if access to the resource is allowed 65 * @throws IOException can be thrown when the servlet is unable to write to the response stream 66 */ 67 public boolean isAllowed(HttpServletRequest request, HttpServletResponse response) throws IOException { 68 // todo MAGNOLIA-1617 move this to separate filter 69 final IPSecurityManager ipSecurityManager = IPSecurityManager.Factory.getInstance(); 70 if (!ipSecurityManager.isAllowed(request)) { 71 response.sendError(HttpServletResponse.SC_FORBIDDEN); 72 return false; 73 } 74 75 if (Lock.isSystemLocked()) { 76 // todo - move Lock checks to separate filter 77 response.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE); 78 return false; 79 } 80 81 AccessManager accessManager = MgnlContext.getAccessManager(URI_REPOSITORY, URI_WORKSPACE); 82 return isAuthorized(accessManager, request); 83 } 84 85 /** 86 * validates user permissions on URI 87 * */ 88 protected boolean isAuthorized(AccessManager accessManager, HttpServletRequest request) { 89 if (null == accessManager) return false; 90 long permission; 91 if (request.getMethod().equalsIgnoreCase("POST")) { 92 permission = Permission.WRITE; 93 } else { 94 permission = Permission.READ; 95 } 96 try { 97 final String handle = MgnlContext.getAggregationState().getCurrentURI(); 98 Access.isGranted(accessManager, handle, permission); 99 return true; 100 } catch (AccessDeniedException ade) { 101 log.debug(ade.getMessage()); 102 } 103 return false; 104 } 105 }