File Source: privateblogfilterinvocationdefinitionsource.java
/*
P/P * Method: net.sourceforge.pebble.security.PrivateBlogFilterInvocationDefinitionSource__static_init
*
* Postconditions:
* init'ed(log)
*/
1 /*
2 * Copyright (c) 2003-2006, Simon Brown
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions are met:
7 *
8 * - Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 *
11 * - Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in
13 * the documentation and/or other materials provided with the
14 * distribution.
15 *
16 * - Neither the name of Pebble nor the names of its contributors may
17 * be used to endorse or promote products derived from this software
18 * without specific prior written permission.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
24 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
25 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
26 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
27 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
28 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
30 * POSSIBILITY OF SUCH DAMAGE.
31 */
32 package net.sourceforge.pebble.security;
33
34 import net.sourceforge.pebble.Constants;
35 import net.sourceforge.pebble.domain.AbstractBlog;
36 import net.sourceforge.pebble.domain.Blog;
37 import org.acegisecurity.ConfigAttributeDefinition;
38 import org.acegisecurity.intercept.web.FilterInvocation;
39 import org.acegisecurity.intercept.web.FilterInvocationDefinitionSource;
40 import org.apache.commons.logging.Log;
41 import org.apache.commons.logging.LogFactory;
42
/*
P/P * Method: void net.sourceforge.pebble.security.PrivateBlogFilterInvocationDefinitionSource()
*/
43 import javax.servlet.http.HttpServletRequest;
44 import java.util.Iterator;
45 import java.util.List;
46
47 /**
48 * Bespoke FilterInvocationDefinitionSource that holds a mapping between blog
49 * IDs and the roles that can access them. This is used when blog owners mark
50 * their blog as "private", which forces authentication before the content
51 * can be accessed. This implementation allows mappings to be removed
52 * and added at runtime, making it possible to make blogs private
53 * without restarting the web/application server.
54 *
55 * @author Simon Brown
56 */
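public class PrivateBlogFilterInvocationDefinitionSource implements FilterInvocationDefinitionSource {

  private static final Log log = LogFactory.getLog(PrivateBlogFilterInvocationDefinitionSource.class);

  /*
   * SofCheck Inspector annotation for getAttributes, as reported for the
   * originally analysed listing. "@NN" is a line number in that listing; the
   * matching statements below carry a "listing line NN" marker.
   *
   * P/P * Method: ConfigAttributeDefinition getAttributes(Object)
   *
   * Preconditions:
   *   object != null
   *
   * Presumptions:
   *   java.lang.Class:isAssignableFrom(...)@124 == 1
   *   javax.servlet.http.HttpServletRequest:getAttribute(...)@77 != null
   *   org.acegisecurity.intercept.web.FilterInvocation:getHttpRequest(...)@76 != null
   *   org.acegisecurity.intercept.web.FilterInvocation:getHttpRequest(...)@93 != null
   *
   * Postconditions:
   *   return_value in Addr_Set{null,&new PrivateBlogConfigAttributeDefinition(getAttributes#1)}
   *   new PrivateBlogConfigAttributeDefinition(getAttributes#1) num objects <= 1
   *   new PrivateBlogConfigAttributeDefinition(getAttributes#1).blog != null
   *
   * Test Vectors:
   *   java.lang.String:endsWith(...)@79: {1}, {0}
   *   java.lang.String:endsWith(...)@80: {1}, {0}
   *   java.lang.String:equals(...)@85: {1}, {0}
   *   java.lang.String:equals(...)@86: {1}, {0}
   *   java.lang.String:equals(...)@87: {1}, {0}
   *   java.lang.String:startsWith(...)@81: {1}, {0}
   *   java.lang.String:startsWith(...)@82: {1}, {0}
   *   java.lang.String:startsWith(...)@83: {1}, {0}
   *   java.lang.String:startsWith(...)@84: {1}, {0}
   *   java.lang.String:startsWith(...)@88: {0}, {1}
   *   ...
   */

  /**
   * Accesses the <code>ConfigAttributeDefinition</code> that applies to a given secure object.
   * <p>
   * Returns <code>null</code> (no attributes apply) when the request's internal URI is on the
   * exemption list, or when the blog stored on the request is not a {@link Blog} or has no
   * blog readers. Returns a <code>PrivateBlogConfigAttributeDefinition</code> wrapping the blog
   * when its blog-readers list is non-empty.
   * </p>
   * <p>
   * A request without an internal URI attribute is not treated as exempt: the blog check below
   * still runs, so a private blog stays protected instead of the call failing with a
   * <code>NullPointerException</code>.
   * </p>
   *
   * @param object  the object being secured
   * @return  the <code>ConfigAttributeDefinition</code> that applies to the passed object,
   *          or <code>null</code> if none applies
   * @throws IllegalArgumentException if the passed object is <code>null</code> or not of a type
   *         supported by this <code>ObjectDefinitionSource</code> implementation
   */
  public ConfigAttributeDefinition getAttributes(Object object) throws IllegalArgumentException {
    if ((object == null) || !this.supports(object.getClass())) {
      throw new IllegalArgumentException("Object must be a FilterInvocation");
    }

    // One lookup of the request serves both attribute reads (listing lines 76 and 93).
    HttpServletRequest request = ((FilterInvocation)object).getHttpRequest();
    String uri = (String)request.getAttribute(Constants.INTERNAL_URI); // listing line 77

    if (uri == null) {
      // The analyzer only presumed this attribute to be non-null. Fail closed: apply no
      // exemption and let the blog check decide, and leave a trace for whoever operates the
      // filter chain, since a missing attribute suggests the upstream filter did not run.
      log.warn("No internal URI attribute on the request; private blog URI exemptions not applied");
    } else if (isExemptFromPrivateBlogCheck(uri)) {
      return null;
    }

    AbstractBlog ab = (AbstractBlog)request.getAttribute(Constants.BLOG_KEY);
    if (ab instanceof Blog) {
      Blog blog = (Blog)ab;
      List<String> blogReaders = blog.getBlogReaders();
      if (blogReaders != null && !blogReaders.isEmpty()) {
        return new PrivateBlogConfigAttributeDefinition(blog);
      }
    }

    return null;
  }

  /**
   * Tells whether an internal URI is excluded from the private blog check.
   * <p>
   * Every entry here skips the check entirely, so the list is security-sensitive. Matching is
   * plain, case-sensitive string comparison against the value stored under
   * <code>Constants.INTERNAL_URI</code>.
   * NOTE(review): confirm that value is canonicalised by the code that sets it (decoded, no
   * path parameters, query string or dot-segments) and that no blog-private content is served
   * under the exempt prefixes or with the exempt suffixes.
   * </p>
   *
   * @param uri  the internal URI of the request, never <code>null</code>
   * @return true if the URI matches one of the exemptions
   */
  private static boolean isExemptFromPrivateBlogCheck(String uri) {
    return uri.endsWith("loginPage.action")   // listing line 79
        || uri.endsWith(".secureaction")      // listing line 80
        || uri.startsWith("/themes/")         // listing line 81
        || uri.startsWith("/scripts/")        // listing line 82
        || uri.startsWith("/common/")         // listing line 83
        || uri.startsWith("/dwr/")            // listing line 84
        || uri.equals("/robots.txt")          // listing line 85
        || uri.equals("/pebble.css")          // listing line 86
        || uri.equals("/favicon.ico")         // listing line 87
        || uri.startsWith("/FCKeditor/");     // listing line 88
  }

  /*
   * SofCheck Inspector annotation, as reported for the originally analysed listing.
   *
   * P/P * Method: Iterator getConfigAttributeDefinitions()
   *
   * Postconditions:
   *   return_value == null
   */

  /**
   * If available, all of the <code>ConfigAttributeDefinition</code>s defined by the implementing class.
   * <p>
   * This is used by the {@link org.acegisecurity.intercept.AbstractSecurityInterceptor} to perform
   * startup time validation of each <code>ConfigAttribute</code> configured against it. This
   * implementation always returns <code>null</code>, i.e. it reports the operation as unsupported.
   * </p>
   *
   * @return  always <code>null</code> (unsupported)
   */
  public Iterator getConfigAttributeDefinitions() {
    return null;
  }

  /*
   * SofCheck Inspector annotation, as reported for the originally analysed listing
   * ("@124" is a line number in that listing).
   *
   * P/P * Method: bool supports(Class)
   *
   * Postconditions:
   *   init'ed(return_value)
   *
   * Test Vectors:
   *   java.lang.Class:isAssignableFrom(...)@124: {0}, {1}
   */

  /**
   * Indicates whether the <code>ObjectDefinitionSource</code> implementation is able to provide
   * <code>ConfigAttributeDefinition</code>s for the indicated secure object type.
   *
   * @param clazz the class that is being queried
   * @return true if the class is <code>FilterInvocation</code> or a subtype of it; false
   *         otherwise, including for a <code>null</code> class
   */
  public boolean supports(Class clazz) {
    // Class.isAssignableFrom(null) throws, so answer "unsupported" for null instead.
    return clazz != null && FilterInvocation.class.isAssignableFrom(clazz); // listing line 124
  }
}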
SofCheck Inspector Build Version : 2.22510
| privateblogfilterinvocationdefinitionsource.java |
2010-Jun-25 19:40:32 |
| privateblogfilterinvocationdefinitionsource.class |
2010-Jul-19 20:23:38 |