001/*
002 *  (C) Copyright 2000-2003 Yale University. All rights reserved.
003 *
004 *  THIS SOFTWARE IS PROVIDED "AS IS," AND ANY EXPRESS OR IMPLIED
005 *  WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
006 *  MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ARE EXPRESSLY
007 *  DISCLAIMED. IN NO EVENT SHALL YALE UNIVERSITY OR ITS EMPLOYEES BE
008 *  LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
009 *  CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED, THE COSTS OF
010 *  PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA OR
011 *  PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
012 *  LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
013 *  NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
014 *  SOFTWARE, EVEN IF ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH
015 *  DAMAGE.
016 *
017 *  Redistribution and use of this software in source or binary forms,
018 *  with or without modification, are permitted, provided that the
019 *  following conditions are met:
020 *
021 *  1. Any redistribution must include the above copyright notice and
022 *  disclaimer and this list of conditions in any related documentation
023 *  and, if feasible, in the redistributed software.
024 *
025 *  2. Any redistribution must include the acknowledgment, "This product
026 *  includes software developed by Yale University," in any related
027 *  documentation and, if feasible, in the redistributed software.
028 *
029 *  3. The names "Yale" and "Yale University" must not be used to endorse
030 *  or promote products derived from this software.
031 */
032package edu.yale.its.tp.cas.client.filter;
033
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.StringTokenizer;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
048
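/**
 * <p>
 * Filter protects resources such that only specified usernames, as authenticated with CAS, can access.
 * </p>
 * <p>
 * <code>edu.yale.its.tp.cas.client.filter.user</code> must be set before this filter in the filter chain:
 * the filter reads the CAS-authenticated username from the session attribute
 * {@link CASFilter#CAS_FILTER_USER}, so <code>CASFilter</code> has to run earlier in the chain.
 * </p>
 * <p>
 * This filter takes the init-param <code>edu.yale.its.tp.cas.client.filter.authorizedUsers</code>, a
 * whitespace-delimited list of users authorized to pass through this filter. A missing or empty list is a
 * configuration error and is rejected in {@link #init(FilterConfig)}, so the filter fails closed at
 * deployment instead of at the first request.
 * </p>
 * <p>
 * Every authorization failure breaks the filter chain by throwing {@link ServletException}. Usernames are
 * compared exactly (case-sensitive) against the configured list. The filter never creates an HTTP session
 * as a side effect of checking authorization.
 * </p>
 *
 * @author Andrew Petro
 */
public class SimpleCASAuthorizationFilter implements Filter {

    // *********************************************************************
    // Constants

    /** Name of the init-param holding the whitespace-delimited list of authorized usernames. */
    public static final String AUTHORIZED_USER_STRING = "edu.yale.its.tp.cas.client.filter.authorizedUsers";

    /** Prefix used in every exception message thrown by this filter. */
    public static final String FILTER_NAME = "SimpleCASAuthorizationFilter";

    // *********************************************************************
    // Configuration state

    /** Raw init-param value as supplied by the container; kept for diagnostics only. */
    private String authorizedUsersString;

    /**
     * Parsed, read-only list of authorized usernames (elements are Strings). Null until {@link #init} has
     * completed successfully and again after {@link #destroy}.
     */
    private List authorizedUsers;

    // *********************************************************************
    // Initialization

    /**
     * Parses the authorized-users init-param into {@link #authorizedUsers}.
     *
     * @param config filter configuration supplying the {@link #AUTHORIZED_USER_STRING} init-param
     * @throws ServletException if the init-param is absent or contains no usernames; the filter refuses to
     *         deploy rather than run in a state where no request could ever be admitted
     */
    public void init(FilterConfig config) throws ServletException {
        this.authorizedUsersString = config.getInitParameter(AUTHORIZED_USER_STRING);

        // getInitParameter() returns null when the param is absent. Previously this surfaced as a
        // NullPointerException from StringTokenizer, which hides the actual misconfiguration.
        if (this.authorizedUsersString == null) {
            throw new ServletException(FILTER_NAME + ": init-param " + AUTHORIZED_USER_STRING + " not set.");
        }

        List users = new ArrayList();
        StringTokenizer tokenizer = new StringTokenizer(this.authorizedUsersString);
        while (tokenizer.hasMoreTokens()) {
            users.add(tokenizer.nextToken());
        }

        // An empty list means nobody can ever pass; report it at deployment, not per request.
        if (users.isEmpty()) {
            throw new ServletException(FILTER_NAME + ": no authorized users set.");
        }

        // Read-only view so nothing can widen the authorized set after startup.
        this.authorizedUsers = Collections.unmodifiableList(users);
    }

    // *********************************************************************
    // Filter processing

    /**
     * Admits the request only when the CAS-authenticated username stored in the session is one of the
     * configured authorized users; otherwise breaks the chain with a {@link ServletException}.
     *
     * @param request must be an {@link HttpServletRequest}
     * @param response must be an {@link HttpServletResponse}
     * @param fc the rest of the chain, invoked only for authorized users
     * @throws ServletException if the request is not HTTP, the filter has no authorized users, the request
     *         carries no session or no CAS-authenticated user, or the user is not authorized
     * @throws IOException propagated from the remainder of the chain
     */
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain fc) throws ServletException,
            IOException {

        // make sure we've got an HTTP request
        if (!(request instanceof HttpServletRequest) || !(response instanceof HttpServletResponse)) {
            throw new ServletException(FILTER_NAME + ": protects only HTTP resources");
        }

        // Defense in depth: init() already rejects an empty list, but an uninitialized or destroyed
        // instance must still fail closed rather than fall through to the chain.
        if (this.authorizedUsers == null || this.authorizedUsers.isEmpty()) {
            // user cannot be authorized if no users are authorized
            // break the filter chain by throwing exception
            throw new ServletException(FILTER_NAME + ": no authorized users set.");
        }

        // getSession(false): an authorization check must not create a session as a side effect. A request
        // without a session cannot carry a CAS-authenticated user, so it is rejected below.
        HttpSession session = ((HttpServletRequest) request).getSession(false);
        Object userAttribute = (session == null) ? null : session.getAttribute(CASFilter.CAS_FILTER_USER);
        String user = (userAttribute instanceof String) ? (String) userAttribute : null;

        if (user == null) {
            // nothing to authorize against; CASFilter must run earlier in the chain
            // break the filter chain by throwing exception
            throw new ServletException(FILTER_NAME + ": no CAS-authenticated user in session.");
        }

        if (!this.authorizedUsers.contains(user)) {
            // this user is not among the authorized users
            // break the filter chain by throwing exception
            throw new ServletException(FILTER_NAME + ": user " + user + " not authorized.");
        }

        // continue processing the request
        fc.doFilter(request, response);
    }

    // *********************************************************************
    // Destruction

    /** Drops the parsed configuration so a destroyed instance can no longer authorize anyone. */
    public void destroy() {
        this.authorizedUsers = null;
        this.authorizedUsersString = null;
    }

}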