1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34 package info.magnolia.cms.security;
35
36 import info.magnolia.context.MgnlContext;
37
38 import java.io.IOException;
39
40 import javax.jcr.Session;
41 import javax.servlet.http.HttpServletRequest;
42 import javax.servlet.http.HttpServletResponse;
43
44 import org.slf4j.Logger;
45 import org.slf4j.LoggerFactory;
46
47
48
49
50
51
52
53 public class URISecurityFilter extends BaseSecurityFilter {
54
55 private static final Logger log = LoggerFactory.getLogger(URISecurityFilter.class);
56
57 public static final String URI_REPOSITORY = "uri";
58
59 public static final String URI_WORKSPACE = "default";
60
61
62
63
64
65
66
67
68 @Override
69 public boolean isAllowed(HttpServletRequest request, HttpServletResponse response) throws IOException {
70
71 final IPSecurityManager ipSecurityManager = IPSecurityManager.Factory.getInstance();
72 if (!ipSecurityManager.isAllowed(request)) {
73 response.setStatus(HttpServletResponse.SC_FORBIDDEN);
74 return false;
75 }
76
77 if (Lock.isSystemLocked()) {
78
79 response.setStatus(HttpServletResponse.SC_SERVICE_UNAVAILABLE);
80 return false;
81 }
82
83 final boolean authorized = isAuthorized(request);
84 if (!authorized) {
85 final int statusCode = SecurityUtil.isAnonymous() ? HttpServletResponse.SC_UNAUTHORIZED : HttpServletResponse.SC_FORBIDDEN;
86 response.setStatus(statusCode);
87 }
88 return authorized;
89 }
90
91
92
93
94
95
96 @Deprecated
97 protected boolean isAuthorized(AccessManager accessManager, HttpServletRequest request) {
98 return isAuthorized(request);
99 }
100
101
102
103
104 protected boolean isAuthorized(HttpServletRequest request) {
105 String permission;
106 if (request.getMethod().equalsIgnoreCase("HEAD") || request.getMethod().equalsIgnoreCase("GET")) {
107 permission = Session.ACTION_READ;
108 } else {
109 permission = Session.ACTION_ADD_NODE;
110 }
111
112 final String uri = MgnlContext.getAggregationState().getCurrentURI();
113
114 boolean grant = PermissionUtil.isGranted("uri", uri, permission);
115 log.debug("user {} has " + (grant ? "" : "NOT ") + "been granted permission {} to access uri {}", new Object[] { MgnlContext.getUser().getName(), permission, uri });
116 return grant;
117 }
118
119 }