File Source: privateblogsecurityinterceptor.java
/*
P/P * Method: net.sourceforge.pebble.security.PrivateBlogSecurityInterceptor__static_init
*/
1 /*
2 * Copyright (c) 2003-2006, Simon Brown
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions are met:
7 *
8 * - Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 *
11 * - Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in
13 * the documentation and/or other materials provided with the
14 * distribution.
15 *
16 * - Neither the name of Pebble nor the names of its contributors may
17 * be used to endorse or promote products derived from this software
18 * without specific prior written permission.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
24 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
25 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
26 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
27 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
28 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
30 * POSSIBILITY OF SUCH DAMAGE.
31 */
32 package net.sourceforge.pebble.security;
33
34 import org.acegisecurity.intercept.AbstractSecurityInterceptor;
35 import org.acegisecurity.intercept.InterceptorStatusToken;
36 import org.acegisecurity.intercept.ObjectDefinitionSource;
37 import org.acegisecurity.intercept.web.FilterInvocation;
38 import org.acegisecurity.intercept.web.FilterInvocationDefinitionSource;
39
40 import javax.servlet.*;
41 import java.io.IOException;
42
43 /**
44 * Specialised FilterSecurityInterceptor that returns its own type of
45 * ObjectDefinitionSource. This is a copy-paste job from Acegi's
46 * FilterSecurityInterceptor. :-(
47 *
48 * @author Simon Brown
49 */
/*
P/P * Method: void net.sourceforge.pebble.security.PrivateBlogSecurityInterceptor()
*
* Postconditions:
* this.observeOncePerRequest == 1
*/
50 public class PrivateBlogSecurityInterceptor extends AbstractSecurityInterceptor implements Filter {
51
// Request-attribute name used as the "already checked" marker: invoke() sets it to Boolean.TRUE
// before running the security check and tests for its presence on entry.
52 private static final String FILTER_APPLIED = "__acegi_privateBlogSecurityInterceptor_filterApplied";
53
54 //~ Instance fields ================================================================================================
55
// When true (the default), invoke() runs the security check at most once per request and lets
// later passes through this filter in the same request go straight down the chain.
56 private boolean observeOncePerRequest = true;
57
58 //~ Methods ========================================================================================================
59
60 /**
61 * Not used (we rely on IoC container lifecycle services instead)
62 */
/*
P/P * Method: void destroy()
*/
63 public void destroy() {}
64
65 /**
66 * Method that is actually called by the filter chain. Simply delegates to the {@link
67 * #invoke(FilterInvocation)} method.
68 *
69 * @param request the servlet request
70 * @param response the servlet response
71 * @param chain the filter chain
72 *
73 * @throws IOException if the filter chain fails
74 * @throws ServletException if the filter chain fails
75 */
/*
P/P * Method: void doFilter(ServletRequest, ServletResponse, FilterChain)
*
* Preconditions:
* (soft) init'ed(this.observeOncePerRequest)
*/
76 public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
77 throws IOException, ServletException {
// Bundle the three servlet objects into one FilterInvocation; every decision is made in invoke().
78 FilterInvocation fi = new FilterInvocation(request, response, chain);
79 invoke(fi);
80 }
81
/*
P/P * Method: Class getSecureObjectClass()
*/
// Reports FilterInvocation as this interceptor's secure object class.
82 public Class getSecureObjectClass() {
83 return FilterInvocation.class;
84 }
85
86 /**
87 * Not used (we rely on IoC container lifecycle services instead)
88 *
89 * @param arg0 ignored
90 *
91 * @throws ServletException never thrown
92 */
/*
P/P * Method: void init(FilterConfig)
*/
93 public void init(FilterConfig arg0) throws ServletException {}
94
/*
P/P * Method: void invoke(FilterInvocation)
*
* Preconditions:
* fi != null
* (soft) init'ed(this.observeOncePerRequest)
*
* Presumptions:
* init'ed(java.lang.Boolean.TRUE)
* org.acegisecurity.intercept.web.FilterInvocation:getChain(...)@100 != null
* org.acegisecurity.intercept.web.FilterInvocation:getChain(...)@110 != null
* org.acegisecurity.intercept.web.FilterInvocation:getRequest(...)@104 != null
* org.acegisecurity.intercept.web.FilterInvocation:getRequest(...)@96 != null
*
* Test Vectors:
* this.observeOncePerRequest: {0}, {1}
* javax.servlet.ServletRequest:getAttribute(...)@96: Addr_Set{null}, Inverse{null}
* org.acegisecurity.intercept.web.FilterInvocation:getRequest(...)@103: Addr_Set{null}, Inverse{null}
* org.acegisecurity.intercept.web.FilterInvocation:getRequest(...)@96: Addr_Set{null}, Inverse{null}
*/
// Runs the security check around the rest of the filter chain, or skips it when the
// FILTER_APPLIED marker is already on the request and observeOncePerRequest is true.
// The skip path calls neither beforeInvocation() nor afterInvocation(), so a dispatch that
// re-enters this filter within the same request is not checked again; set
// observeOncePerRequest to false where each pass needs its own authorization decision.
95 public void invoke(FilterInvocation fi) throws IOException, ServletException {
96 if ((fi.getRequest() != null) && (fi.getRequest().getAttribute(FILTER_APPLIED) != null)
97 && observeOncePerRequest) {
98 // filter already applied to this request and user wants us to observe
99 // once-per-request handling, so don't re-do security checking
100 fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
101 } else {
102 // first time this request being called, so perform security checking
// A null request cannot carry the marker, so in that case nothing is recorded and the
// check below still runs.
// NOTE(review): the marker is set before beforeInvocation() runs, so it stays on the request
// even if that call does not return normally - confirm that a later dispatch of the same
// request (for example to an error page) is meant to pass through without a check.
103 if (fi.getRequest() != null) {
104 fi.getRequest().setAttribute(FILTER_APPLIED, Boolean.TRUE);
105 }
106
// Inherited from AbstractSecurityInterceptor; if it throws, the chain below is never invoked.
107 InterceptorStatusToken token = super.beforeInvocation(fi);
108
109 try {
110 fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
111 } finally {
// Always runs, including when the chain throws; null is passed as the second argument.
112 super.afterInvocation(token, null);
113 }
114 }
115 }
116
117 /**
118 * Indicates whether once-per-request handling will be observed. By default this is <code>true</code>,
119 * meaning the <code>FilterSecurityInterceptor</code> will only execute once-per-request. Sometimes users may wish
120 * it to execute more than once per request, such as when JSP forwards are being used and filter security is
121 * desired on each included fragment of the HTTP request.
122 *
123 * @return <code>true</code> (the default) if once-per-request is honoured, otherwise <code>false</code> if
124 * <code>FilterSecurityInterceptor</code> will enforce authorizations for each and every fragment of the
125 * HTTP request.
126 */
/*
P/P * Method: bool isObserveOncePerRequest()
*
* Preconditions:
* init'ed(this.observeOncePerRequest)
*
* Postconditions:
* return_value == this.observeOncePerRequest
* init'ed(return_value)
*/
127 public boolean isObserveOncePerRequest() {
128 return observeOncePerRequest;
129 }
130
/*
P/P * Method: void setObserveOncePerRequest(bool)
*
* Postconditions:
* this.observeOncePerRequest == observeOncePerRequest
* init'ed(this.observeOncePerRequest)
*/
// Sets the once-per-request flag read by invoke(); with false, invoke() never takes the skip
// branch and runs the security check on every pass through this filter.
131 public void setObserveOncePerRequest(boolean observeOncePerRequest) {
132 this.observeOncePerRequest = observeOncePerRequest;
133 }
134
/*
P/P * Method: FilterInvocationDefinitionSource getObjectDefinitionSource()
*
* Postconditions:
* return_value == &new PrivateBlogFilterInvocationDefinitionSource(getObjectDefinitionSource#1)
* new PrivateBlogFilterInvocationDefinitionSource(getObjectDefinitionSource#1) num objects == 1
*/
// Builds a new PrivateBlogFilterInvocationDefinitionSource on every call; this class neither
// caches nor accepts an injected definition source.
135 public FilterInvocationDefinitionSource getObjectDefinitionSource() {
136 return new PrivateBlogFilterInvocationDefinitionSource();
137 }
138
/*
P/P * Method: ObjectDefinitionSource obtainObjectDefinitionSource()
*
* Postconditions:
* return_value == &new PrivateBlogFilterInvocationDefinitionSource(obtainObjectDefinitionSource#1)
* new PrivateBlogFilterInvocationDefinitionSource(obtainObjectDefinitionSource#1) num objects == 1
*/
// Same construction as getObjectDefinitionSource(), typed as ObjectDefinitionSource.
// NOTE(review): presumably the superclass calls this during beforeInvocation() to look up the
// rules for the request - confirm, and confirm the per-call allocation is intended.
139 public ObjectDefinitionSource obtainObjectDefinitionSource() {
140 return new PrivateBlogFilterInvocationDefinitionSource();
141 }
142
143 }
SofCheck Inspector Build Version : 2.22510
| privateblogsecurityinterceptor.java |
2010-Jun-25 19:40:32 |
| privateblogsecurityinterceptor.class |
2010-Jul-19 20:23:38 |