001/* 002 * (C) Copyright 2000-2003 Yale University. All rights reserved. 003 * 004 * THIS SOFTWARE IS PROVIDED "AS IS," AND ANY EXPRESS OR IMPLIED 005 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF 006 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ARE EXPRESSLY 007 * DISCLAIMED. IN NO EVENT SHALL YALE UNIVERSITY OR ITS EMPLOYEES BE 008 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 009 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED, THE COSTS OF 010 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA OR 011 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 012 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 013 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 014 * SOFTWARE, EVEN IF ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH 015 * DAMAGE. 016 * 017 * Redistribution and use of this software in source or binary forms, 018 * with or without modification, are permitted, provided that the 019 * following conditions are met: 020 * 021 * 1. Any redistribution must include the above copyright notice and 022 * disclaimer and this list of conditions in any related documentation 023 * and, if feasible, in the redistributed software. 024 * 025 * 2. Any redistribution must include the acknowledgment, "This product 026 * includes software developed by Yale University," in any related 027 * documentation and, if feasible, in the redistributed software. 028 * 029 * 3. The names "Yale" and "Yale University" must not be used to endorse 030 * or promote products derived from this software. 
031 */ 032package edu.yale.its.tp.cas.client.filter; 033 034import java.io.IOException; 035import java.util.ArrayList; 036import java.util.List; 037import java.util.StringTokenizer; 038 039import javax.servlet.Filter; 040import javax.servlet.FilterChain; 041import javax.servlet.FilterConfig; 042import javax.servlet.ServletException; 043import javax.servlet.ServletRequest; 044import javax.servlet.ServletResponse; 045import javax.servlet.http.HttpServletRequest; 046import javax.servlet.http.HttpServletResponse; 047import javax.servlet.http.HttpSession; 048 049/** 050 * <p> 051 * Filter protects resources such that only specified usernames, as authenticated with CAS, can access. 052 * </p> 053 * <p> 054 * <code>edu.yale.its.tp.cas.client.filter.user</code> must be set before this filter in the filter chain. 055 * </p> 056 * <p> 057 * This filter takes the init-param <code>edu.yale.its.tp.cas.client.filter.authorizedUsers</code>, a 058 * whitespace-delimited list of users authorized to pass through this filter. 
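/**
 * Servlet filter that lets a request through only when the CAS-authenticated username
 * stored in the session (under {@link CASFilter#CAS_FILTER_USER}) is one of the users
 * listed in the <code>edu.yale.its.tp.cas.client.filter.authorizedUsers</code> init-param,
 * a whitespace-delimited list.
 * <p>
 * The CAS filter that sets that session attribute must run earlier in the filter chain;
 * a request without a session, or whose session carries no such attribute, is rejected.
 * </p>
 *
 * @author Andrew Petro
 */
public class SimpleCASAuthorizationFilter implements Filter {

    // *********************************************************************
    // Constants

    /** Name of the init-param holding the whitespace-delimited list of authorized usernames. */
    public static final String AUTHORIZED_USER_STRING = "edu.yale.its.tp.cas.client.filter.authorizedUsers";

    /** Prefix used in the messages of exceptions raised by this filter. */
    public static final String FILTER_NAME = "SimpleCASAuthorizationFilter";

    // *********************************************************************
    // Configuration state

    /** Raw init-param value exactly as configured; retained for diagnostics. */
    private String authorizedUsersString;

    /** Usernames (String elements) parsed from the init-param; non-null after init(). */
    private List authorizedUsers;

    // *********************************************************************
    // Initialization

    /**
     * Reads the authorized-users init-param and splits it on whitespace.
     *
     * @param config filter configuration supplying the init-param
     * @throws ServletException if the init-param is absent; the original code dereferenced
     *         the missing value and failed with a NullPointerException instead of a clear
     *         configuration error
     */
    public void init(FilterConfig config) throws ServletException {
        this.authorizedUsersString = config.getInitParameter(AUTHORIZED_USER_STRING);
        if (this.authorizedUsersString == null) {
            throw new ServletException(FILTER_NAME + ": init-param " + AUTHORIZED_USER_STRING + " is required.");
        }
        List users = new ArrayList();
        StringTokenizer tokenizer = new StringTokenizer(this.authorizedUsersString);
        while (tokenizer.hasMoreTokens()) {
            users.add(tokenizer.nextToken());
        }
        this.authorizedUsers = users;
    }

    // *********************************************************************
    // Filter processing

    /**
     * Passes the request down the chain only if the CAS username in the session is authorized.
     *
     * @param request  incoming request; must be an {@link HttpServletRequest}
     * @param response outgoing response; must be an {@link HttpServletResponse}
     * @param fc       the remainder of the filter chain
     * @throws ServletException if the request is not HTTP, if no users are authorized, or if
     *         the session holds no authorized CAS username; throwing breaks the filter chain
     *         (a container renders this as a server error rather than a 403, which is the
     *         contract this filter has always had)
     * @throws IOException propagated from the rest of the chain
     */
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain fc)
            throws ServletException, IOException {

        // make sure we've got an HTTP request
        if (!(request instanceof HttpServletRequest) || !(response instanceof HttpServletResponse)) {
            throw new ServletException(FILTER_NAME + ": protects only HTTP resources");
        }

        if (this.authorizedUsers.isEmpty()) {
            // user cannot be authorized if no users are authorized
            // break the filter chain by throwing exception
            throw new ServletException(FILTER_NAME + ": no authorized users set.");
        }

        // getSession(false): an unauthenticated request must not cause a session to be created
        // just so that it can be rejected
        HttpSession session = ((HttpServletRequest) request).getSession(false);
        Object attribute = session == null ? null : session.getAttribute(CASFilter.CAS_FILTER_USER);
        // only a String can name a user; any other attribute type is treated as "not authenticated"
        // rather than failing with a ClassCastException
        String user = attribute instanceof String ? (String) attribute : null;

        if (user == null || !this.authorizedUsers.contains(user)) {
            // this user is not among the authorized users
            // break the filter chain by throwing exception
            throw new ServletException(FILTER_NAME + ": user " + user + " not authorized.");
        }

        // continue processing the request
        fc.doFilter(request, response);
    }

    // *********************************************************************
    // Destruction

    /** Nothing to release: the only state is in-memory configuration. */
    public void destroy() {
    }

}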