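/*
 * RHQ Management Platform
 * Copyright (C) 2005-2008 Red Hat, Inc.
 * All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation version 2 of the License.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
 */
package org.rhq.enterprise.gui.legacy;

import java.io.IOException;
import java.util.Locale;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

import org.rhq.core.domain.auth.Subject;
import org.rhq.enterprise.gui.legacy.util.SessionUtils;
import org.rhq.enterprise.server.util.LookupUtil;

/**
 * Authorization filter for the legacy GUI: requests under {@code /admin/test/} are only let through
 * for a system superuser; every other path is passed down the chain untouched.
 * <p>
 * This filter depends on the authenticated {@link WebUser} that {@link AuthenticationFilter} stores
 * in the HTTP session, so it must be mapped after that filter. A missing session or missing
 * {@code WebUser} is treated as a deployment error (the filter order is wrong), not as an
 * anonymous user, and raises an {@link IllegalStateException}.
 */
public final class AdminUserFilter extends BaseFilter {

    private static final Log log = LogFactory.getLog(AdminUserFilter.class);

    /** Lower-cased path prefix of the area restricted to system superusers. */
    private static final String ADMIN_TEST_PREFIX = "/admin/test/";

    /**
     * Enforces the superuser restriction on {@code /admin/test/} and forwards everything else.
     *
     * @param req   the current request; must be an {@link HttpServletRequest}
     * @param res   the current response; must be an {@link HttpServletResponse}
     * @param chain the remaining filter chain
     * @throws IOException           if writing the denial message fails
     * @throws ServletException      propagated from the rest of the chain
     * @throws IllegalStateException if no session or no {@link WebUser} is present, i.e. this filter
     *                               runs before {@link AuthenticationFilter}
     */
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException,
        ServletException {
        HttpServletResponse response = (HttpServletResponse) res;
        HttpServletRequest request = (HttpServletRequest) req;

        // getSession(false) never creates a session, so null here genuinely means the authentication
        // filter did not run. The no-arg getSession() would create an empty session on the fly and
        // make the check below unreachable.
        HttpSession session = request.getSession(false);
        if (session == null) {
            throw new IllegalStateException(misplacedFilterMessage());
        }

        WebUser webUser = SessionUtils.getWebUser(session);
        if (webUser == null) {
            throw new IllegalStateException(misplacedFilterMessage());
        }

        String path = requestedPath(request);
        if (isAdminTestPath(path)) {
            Subject subject = webUser.getSubject();
            boolean isAdmin = LookupUtil.getAuthorizationManager().isSystemSuperuser(subject);
            if (!isAdmin) {
                // Security-relevant event: log at WARN so it stands out from routine INFO traffic.
                log.warn("User " + subject.getName() + " attempted unauthorized access to " + path);
                // Fail closed with an explicit 403. Writing the denial text with a 200 status lets
                // browsers, proxies and scripted clients treat the refusal as a success.
                response.setStatus(HttpServletResponse.SC_FORBIDDEN);
                response.setContentType("text/plain");
                response.getWriter().write("Error: only the administrator has access to this page");
                return;
            }
        }

        try {
            chain.doFilter(request, response);
        } catch (IOException e) {
            // Best effort: an IOException here is usually the client dropping the connection mid-
            // response, so it is logged rather than propagated. Note this also hides server-side I/O
            // failures from downstream components.
            log.warn("Caught IO Exception from client " + request.getRemoteAddr() + ": " + e.getMessage());
        }
    }

    /**
     * Builds the path that is compared against the restricted prefix.
     * <p>
     * Only {@code getServletPath()} is consulted for extension-mapped resources, but under a prefix
     * mapping (e.g. {@code /admin/*} or {@code /*}) the container splits the path between
     * {@code getServletPath()} and {@code getPathInfo()}, and the prefix check would never see
     * {@code /admin/test/...}. Appending the path info (when present) keeps the check effective
     * for both mapping styles; it is a no-op whenever path info is {@code null}.
     */
    private static String requestedPath(HttpServletRequest request) {
        String path = request.getServletPath();
        String pathInfo = request.getPathInfo();
        return (pathInfo == null) ? path : path + pathInfo;
    }

    /**
     * Returns whether {@code path} lies under the restricted {@code /admin/test/} area.
     * {@link Locale#ROOT} is used for the case fold so the comparison does not depend on the
     * JVM's default locale (e.g. a Turkish default turns {@code I} into a dotless {@code ı} and the
     * prefix would no longer match).
     */
    private static boolean isAdminTestPath(String path) {
        return path.toLowerCase(Locale.ROOT).startsWith(ADMIN_TEST_PREFIX);
    }

    /** Message for the {@link IllegalStateException} raised when the filter order is wrong. */
    private static String misplacedFilterMessage() {
        return AdminUserFilter.class.getSimpleName() + " must be placed after "
            + AuthenticationFilter.class.getSimpleName() + " in the filter chain";
    }
}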