1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34 package info.magnolia.cms.security;
35
36 import info.magnolia.context.MgnlContext;
37
38 import java.io.IOException;
39
40 import javax.jcr.Session;
41 import javax.servlet.http.HttpServletRequest;
42 import javax.servlet.http.HttpServletResponse;
43
44 import org.slf4j.Logger;
45 import org.slf4j.LoggerFactory;
46
47
48
49
50
51 public class URISecurityFilter extends BaseSecurityFilter {
52
53 private static final Logger log = LoggerFactory.getLogger(URISecurityFilter.class);
54
55 public static final String URI_REPOSITORY = "uri";
56
57 public static final String URI_WORKSPACE = "default";
58
59
60
61
62
63
64
65
66
67 @Override
68 public boolean isAllowed(HttpServletRequest request, HttpServletResponse response) throws IOException {
69
70 final IPSecurityManager ipSecurityManager = IPSecurityManager.Factory.getInstance();
71 if (!ipSecurityManager.isAllowed(request)) {
72 response.setStatus(HttpServletResponse.SC_FORBIDDEN);
73 return false;
74 }
75
76 final boolean authorized = isAuthorized(request);
77 if (!authorized) {
78 final int statusCode = SecurityUtil.isAnonymous() ? HttpServletResponse.SC_UNAUTHORIZED : HttpServletResponse.SC_FORBIDDEN;
79 response.setStatus(statusCode);
80 }
81 return authorized;
82 }
83
84
85
86
87
88
89 @Deprecated
90 protected boolean isAuthorized(AccessManager accessManager, HttpServletRequest request) {
91 return isAuthorized(request);
92 }
93
94
95
96
97 protected boolean isAuthorized(HttpServletRequest request) {
98 String permission;
99 if (request.getMethod().equalsIgnoreCase("HEAD") || request.getMethod().equalsIgnoreCase("GET")) {
100 permission = Session.ACTION_READ;
101 } else {
102 permission = Session.ACTION_ADD_NODE;
103 }
104
105 final String uri = MgnlContext.getAggregationState().getCurrentURI();
106
107 boolean grant = PermissionUtil.isGranted("uri", uri, permission);
108 log.debug("user {} has {}been granted permission {} to access uri {}", MgnlContext.getUser().getName(), (grant ? "" : "NOT "), permission, uri);
109 return grant;
110 }
111
112 }