001package edu.yale.its.tp.cas.client.filter;
002
003import java.io.IOException;
004import java.util.ArrayList;
005import java.util.List;
006import java.util.StringTokenizer;
007
008import javax.servlet.Filter;
009import javax.servlet.FilterChain;
010import javax.servlet.FilterConfig;
011import javax.servlet.ServletException;
012import javax.servlet.ServletRequest;
013import javax.servlet.ServletResponse;
014import javax.servlet.http.HttpServletRequest;
015import javax.servlet.http.HttpServletResponse;
016import javax.servlet.http.HttpSession;
017
018/**
019 * <p>
020 * Filter protects resources such that only specified usernames, as authenticated with CAS, can access.
021 * </p>
022 * <p>
 * The session attribute <code>edu.yale.its.tp.cas.client.filter.user</code> must already have been set by an
 * earlier filter in the chain before this filter runs.
024 * </p>
025 * <p>
026 * This filter takes the init-param <code>edu.yale.its.tp.cas.client.filter.authorizedUsers</code>, a
027 * whitespace-delimited list of users authorized to pass through this filter.
028 * </p>
029 *
030 * @author Andrew Petro
031 */
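public class SimpleCASAuthorizationFilter implements Filter {

    // *********************************************************************
    // Constants

    /** Name of the init-param holding the whitespace-delimited list of authorized usernames. */
    public static final String AUTHORIZED_USER_STRING = "edu.yale.its.tp.cas.client.filter.authorizedUsers";

    /** Prefix used in every exception message raised by this filter. */
    public static final String FILTER_NAME = "SimpleCASAuthorizationFilter";

    // *********************************************************************
    // Configuration state

    /** Raw init-param value exactly as configured; kept for diagnostics. */
    private String authorizedUsersString;

    /** Usernames parsed from authorizedUsersString; populated once in init(), read-only afterwards. */
    private List authorizedUsers;

    // *********************************************************************
    // Initialization

    /**
     * Reads the authorizedUsers init-param and splits it on whitespace.
     *
     * <p>
     * A missing init-param is a deployment error and fails fast here with a clear message instead of the
     * NullPointerException that StringTokenizer would otherwise raise on a null argument. Either way the filter
     * never ends up silently permissive: with no parsed users, doFilter() rejects every request.
     * </p>
     *
     * @param config the filter configuration supplied by the container
     * @throws ServletException if the init-param is not set
     */
    public void init(FilterConfig config) throws ServletException {
        this.authorizedUsersString = config.getInitParameter(AUTHORIZED_USER_STRING);
        this.authorizedUsers = new ArrayList();

        if (this.authorizedUsersString == null) {
            throw new ServletException(FILTER_NAME + ": init-param " + AUTHORIZED_USER_STRING + " is not set.");
        }

        StringTokenizer tokenizer = new StringTokenizer(this.authorizedUsersString);
        while (tokenizer.hasMoreTokens()) {
            // nextToken() yields a String (nextElement() is typed Object), so contains(String) below is
            // comparing like with like
            this.authorizedUsers.add(tokenizer.nextToken());
        }
    }

    // *********************************************************************
    // Filter processing

    /**
     * Lets the request through only if the CAS-authenticated username stored in the session is one of the
     * configured authorized users; otherwise breaks the chain with a ServletException.
     *
     * @param request the incoming request; must be an HttpServletRequest
     * @param response the outgoing response; must be an HttpServletResponse
     * @param fc the remainder of the filter chain
     * @throws ServletException if the request is not HTTP, if no authorized users are configured, if there is no
     *         session or no authenticated user in it, or if the user is not authorized
     * @throws IOException propagated from the rest of the chain
     */
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain fc) throws ServletException,
            IOException {

        // make sure we've got an HTTP request
        if (!(request instanceof HttpServletRequest) || !(response instanceof HttpServletResponse)) {
            throw new ServletException(FILTER_NAME + ": protects only HTTP resources");
        }

        if (this.authorizedUsers.isEmpty()) {
            // user cannot be authorized if no users are authorized
            // break the filter chain by throwing exception
            throw new ServletException(FILTER_NAME + ": no authorized users set.");
        }

        // getSession(false): do not create a session merely to perform an authorization check.
        // A user who passed CASFilter already has one; a request without one cannot be authorized.
        HttpSession session = ((HttpServletRequest) request).getSession(false);
        String user = (session == null) ? null : (String) session.getAttribute(CASFilter.CAS_FILTER_USER);

        if (user == null || !this.authorizedUsers.contains(user)) {
            // this user is not among the authorized users (or no user is present at all)
            // break the filter chain by throwing exception
            throw new ServletException(FILTER_NAME + ": user " + user + " not authorized.");
        }

        // continue processing the request
        fc.doFilter(request, response);
    }

    // *********************************************************************
    // Destruction

    /** Nothing to release: the only state is the parsed user list, which the container discards with the filter. */
    public void destroy() {
    }

}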