001/*
002 *  (C) Copyright 2000-2003 Yale University. All rights reserved.
003 *
004 *  THIS SOFTWARE IS PROVIDED "AS IS," AND ANY EXPRESS OR IMPLIED
005 *  WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
006 *  MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ARE EXPRESSLY
007 *  DISCLAIMED. IN NO EVENT SHALL YALE UNIVERSITY OR ITS EMPLOYEES BE
008 *  LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
009 *  CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED, THE COSTS OF
010 *  PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA OR
011 *  PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
012 *  LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
013 *  NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
014 *  SOFTWARE, EVEN IF ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH
015 *  DAMAGE.
016 *
017 *  Redistribution and use of this software in source or binary forms,
018 *  with or without modification, are permitted, provided that the
019 *  following conditions are met:
020 *
021 *  1. Any redistribution must include the above copyright notice and
022 *  disclaimer and this list of conditions in any related documentation
023 *  and, if feasible, in the redistributed software.
024 *
025 *  2. Any redistribution must include the acknowledgment, "This product
026 *  includes software developed by Yale University," in any related
027 *  documentation and, if feasible, in the redistributed software.
028 *
029 *  3. The names "Yale" and "Yale University" must not be used to endorse
030 *  or promote products derived from this software.
031 */
032package edu.yale.its.tp.cas.client.filter;
033
034import java.io.IOException;
035import java.util.ArrayList;
036import java.util.List;
037import java.util.StringTokenizer;
038
039import javax.servlet.Filter;
040import javax.servlet.FilterChain;
041import javax.servlet.FilterConfig;
042import javax.servlet.ServletException;
043import javax.servlet.ServletRequest;
044import javax.servlet.ServletResponse;
045import javax.servlet.http.HttpServletRequest;
046import javax.servlet.http.HttpServletResponse;
047import javax.servlet.http.HttpSession;
048
049/**
050 * <p>
051 * Filter protects resources such that only specified usernames, as authenticated with CAS, can access.
052 * </p>
053 * <p>
 * The session attribute <code>CASFilter.CAS_FILTER_USER</code> (<code>edu.yale.its.tp.cas.client.filter.user</code>)
 * must already be set, i.e. the CAS authentication filter must run before this filter in the filter chain; this
 * filter only checks that value, it never authenticates.
055 * </p>
056 * <p>
057 * This filter takes the init-param <code>edu.yale.its.tp.cas.client.filter.authorizedUsers</code>, a
058 * whitespace-delimited list of users authorized to pass through this filter.
059 * </p>
060 *
061 * @author Andrew Petro
062 */
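public class SimpleCASAuthorizationFilter implements Filter {

    // *********************************************************************
    // Constants

    /** Init-param name: a whitespace-delimited list of usernames allowed through this filter. */
    public static final String AUTHORIZED_USER_STRING = "edu.yale.its.tp.cas.client.filter.authorizedUsers";

    /** Prefix used in every exception message raised by this filter. */
    public static final String FILTER_NAME = "SimpleCASAuthorizationFilter";

    // *********************************************************************
    // Configuration state

    /** Raw value of the {@link #AUTHORIZED_USER_STRING} init-param as supplied by the container. */
    private String authorizedUsersString;

    /**
     * Usernames parsed from {@link #authorizedUsersString}. Membership is tested with
     * {@code List.contains}, i.e. {@code String.equals}: the match is exact and case-sensitive.
     */
    private List<String> authorizedUsers;

    // *********************************************************************
    // Initialization

    /**
     * Reads and tokenizes the authorized-user list.
     *
     * @param config filter configuration supplied by the container
     * @throws ServletException if the init-param is missing or names no user. An authorization filter
     *         that could never admit anyone is a deployment error, so it is reported at startup with a
     *         clear message rather than as a NullPointerException here or a failure on every request.
     */
    @Override
    public void init(FilterConfig config) throws ServletException {
        this.authorizedUsersString = config.getInitParameter(AUTHORIZED_USER_STRING);
        if (this.authorizedUsersString == null) {
            // StringTokenizer would otherwise fail with a bare NPE; name the missing parameter instead.
            throw new ServletException(FILTER_NAME + ": required init-param " + AUTHORIZED_USER_STRING
                    + " is not set.");
        }

        List<String> users = new ArrayList<>();
        StringTokenizer tokenizer = new StringTokenizer(this.authorizedUsersString);
        while (tokenizer.hasMoreTokens()) {
            users.add(tokenizer.nextToken());
        }
        if (users.isEmpty()) {
            throw new ServletException(FILTER_NAME + ": no authorized users set.");
        }
        this.authorizedUsers = users;
    }

    // *********************************************************************
    // Filter processing

    /**
     * Admits the request only when the CAS username stored in the session is one of the authorized
     * users; otherwise breaks the chain by throwing. Failure is always closed: a missing session, a
     * missing attribute or an unconfigured filter all reject.
     *
     * @param request  must be an {@link HttpServletRequest}
     * @param response must be an {@link HttpServletResponse}
     * @param fc       the remaining filter chain, invoked only for an authorized user
     * @throws ServletException if the request is not HTTP, no users are configured, or the session's
     *         CAS user is absent or not in the authorized list
     * @throws IOException propagated from the rest of the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain fc)
            throws ServletException, IOException {

        // make sure we've got an HTTP request
        if (!(request instanceof HttpServletRequest) || !(response instanceof HttpServletResponse)) {
            throw new ServletException(FILTER_NAME + ": protects only HTTP resources");
        }

        // Defense in depth: init() already rejects an empty list, but never let an unconfigured
        // instance pass anyone through.
        if (this.authorizedUsers == null || this.authorizedUsers.isEmpty()) {
            // user cannot be authorized if no users are authorized
            // break the filter chain by throwing exception
            throw new ServletException(FILTER_NAME + ": no authorized users set.");
        }

        // Do not create a session for a caller that has none: getSession() would allocate server-side
        // state on every rejected request. The CAS user attribute lives in the session, so a caller
        // without one has nothing that could be authorized.
        HttpSession session = ((HttpServletRequest) request).getSession(false);
        Object user = (session == null) ? null : session.getAttribute(CASFilter.CAS_FILTER_USER);

        // A null user (no session, or attribute never set by the CAS filter) is never in the list.
        if (!this.authorizedUsers.contains(user)) {
            // this user is not among the authorized users
            // break the filter chain by throwing exception
            throw new ServletException(FILTER_NAME + ": user " + user + " not authorized.");
        }

        // continue processing the request
        fc.doFilter(request, response);
    }

    // *********************************************************************
    // Destruction

    /** Nothing to release: this filter holds only the parsed user list. */
    @Override
    public void destroy() {
    }

}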