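package edu.yale.its.tp.cas.client.filter;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.StringTokenizer;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * <p>
 * Filter protects resources such that only specified usernames, as authenticated with CAS, can access.
 * </p>
 * <p>
 * <code>edu.yale.its.tp.cas.client.filter.user</code> must be set before this filter in the filter chain,
 * i.e. the filter that performs CAS authentication must run ahead of this one so that the
 * authenticated username is already present in the session when this filter is reached.
 * </p>
 * <p>
 * This filter takes the init-param <code>edu.yale.its.tp.cas.client.filter.authorizedUsers</code>, a
 * whitespace-delimited list of users authorized to pass through this filter.
 * </p>
 * <p>
 * Every request that is not from an authorized user is rejected by throwing a {@link ServletException},
 * which breaks the filter chain; the protected resource is never invoked for such a request.
 * </p>
 *
 * @author Andrew Petro
 */
public class SimpleCASAuthorizationFilter implements Filter {

    // *********************************************************************
    // Constants

    /** Name of the init-param holding the whitespace-delimited list of authorized usernames. */
    public static final String AUTHORIZED_USER_STRING = "edu.yale.its.tp.cas.client.filter.authorizedUsers";

    /** Prefix used in this filter's exception messages. */
    public static final String FILTER_NAME = "SimpleCASAuthorizationFilter";

    // *********************************************************************
    // Configuration state

    /** Raw value of the {@link #AUTHORIZED_USER_STRING} init-param as read in {@link #init}. */
    private String authorizedUsersString;

    /** Usernames permitted through this filter; populated once in {@link #init} and never modified afterwards. */
    private List authorizedUsers;

    // *********************************************************************
    // Initialization

    /**
     * Reads the authorized-user list from the filter configuration.
     *
     * @param config the filter configuration supplying the init-params
     * @throws ServletException if the {@link #AUTHORIZED_USER_STRING} init-param is not set at all
     *         (an empty or whitespace-only value is accepted here and rejects every request in
     *         {@link #doFilter})
     */
    public void init(FilterConfig config) throws ServletException {
        this.authorizedUsersString = config.getInitParameter(AUTHORIZED_USER_STRING);
        if (this.authorizedUsersString == null) {
            // A missing init-param used to surface as a NullPointerException out of StringTokenizer;
            // fail with a message that names the parameter the deployer forgot instead.
            throw new ServletException(FILTER_NAME + ": init-param " + AUTHORIZED_USER_STRING + " is not set.");
        }
        List users = new ArrayList();
        StringTokenizer tokenizer = new StringTokenizer(this.authorizedUsersString);
        while (tokenizer.hasMoreTokens()) {
            users.add(tokenizer.nextToken());
        }
        // The allow-list is fixed for the lifetime of the filter; an unmodifiable view guards
        // against it being widened accidentally after initialization.
        this.authorizedUsers = Collections.unmodifiableList(users);
    }

    // *********************************************************************
    // Filter processing

    /**
     * Lets the request through only if the CAS-authenticated username stored in the session is in the
     * configured allow-list; otherwise breaks the filter chain by throwing.
     *
     * @param request  the incoming request; must be an {@link HttpServletRequest}
     * @param response the outgoing response; must be an {@link HttpServletResponse}
     * @param fc       the remainder of the filter chain
     * @throws ServletException if the request or response is not HTTP, if no authorized users are
     *         configured, or if the session holds no authorized username
     * @throws IOException propagated from the rest of the filter chain
     */
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain fc)
            throws ServletException, IOException {

        // make sure we've got an HTTP request
        if (!(request instanceof HttpServletRequest) || !(response instanceof HttpServletResponse)) {
            throw new ServletException(FILTER_NAME + ": protects only HTTP resources");
        }

        if (this.authorizedUsers.isEmpty()) {
            // user cannot be authorized if no users are authorized
            // break the filter chain by throwing exception
            throw new ServletException(FILTER_NAME + ": no authorized users set.");
        }

        // getSession(false): an authorization check must not create a session as a side effect.
        // A request without a session cannot carry a CAS-authenticated user, so it is treated the
        // same as a session that lacks the attribute: not authorized.
        HttpSession session = ((HttpServletRequest) request).getSession(false);
        Object user = (session == null) ? null : session.getAttribute(CASFilter.CAS_FILTER_USER);

        // Only an exact String match against the allow-list passes; a missing or non-String
        // attribute is rejected rather than cast.
        if (!(user instanceof String) || !this.authorizedUsers.contains(user)) {
            // this user is not among the authorized users
            // break the filter chain by throwing exception
            throw new ServletException(FILTER_NAME + ": user " + user + " not authorized.");
        }

        // continue processing the request
        fc.doFilter(request, response);
    }

    // *********************************************************************
    // Destruction

    /** Nothing to release: the filter holds only the immutable allow-list built in {@link #init}. */
    public void destroy() {
    }

}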