RoleFilter.java

/**********************************************************************************
 * $URL: https://source.sakaiproject.org/svn/sections/trunk/sections-app/src/java/org/sakaiproject/tool/section/filter/RoleFilter.java $
 * $Id: RoleFilter.java 105080 2012-02-24 23:10:31Z ottenhoff@longsight.com $
 ***********************************************************************************
 *
 * Copyright (c) 2005, 2006, 2008 The Sakai Foundation
 *
 * Licensed under the Educational Community License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *       http://www.opensource.org/licenses/ECL-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 **********************************************************************************/
package org.sakaiproject.tool.section.filter;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.sakaiproject.section.api.facade.manager.Authn;
import org.sakaiproject.section.api.facade.manager.Authz;
import org.sakaiproject.section.api.facade.manager.Context;
import org.springframework.context.ApplicationContext;
import org.springframework.web.context.WebApplicationContext;

import org.sakaiproject.component.cover.ServerConfigurationService;

/**
 * An authorization filter to keep users out of pages they are not authorized
 * to access.
 *  
 * @author <a href="mailto:jholtzman@berkeley.edu">Josh Holtzman</a>
 *
 */
public class RoleFilter implements Filter {
	private static Log logger = LogFactory.getLog(RoleFilter.class);

	private String authnBeanName;
	private String authzBeanName;
	private String contextBeanName;
	private String authorizationFilterConfigurationBeanName;
	private String selectSiteRedirect;

    private ApplicationContext ac;

	public void init(FilterConfig filterConfig) throws ServletException {
        if(logger.isInfoEnabled()) logger.info("Initializing sections role filter");

        ac = (ApplicationContext)filterConfig.getServletContext().getAttribute(WebApplicationContext.ROOT_WEB_APPLICATION_CONTEXT_ATTRIBUTE);

        authnBeanName = filterConfig.getInitParameter("authnServiceBean");
		authzBeanName = filterConfig.getInitParameter("authzServiceBean");
		contextBeanName = filterConfig.getInitParameter("contextManagementServiceBean");
		authorizationFilterConfigurationBeanName = filterConfig.getInitParameter("authorizationFilterConfigurationBean");
		selectSiteRedirect = filterConfig.getInitParameter("selectSiteRedirect");
    }

	public void doFilter(ServletRequest servletRequest, ServletResponse response, FilterChain chain)
		throws IOException, ServletException {

		HttpServletRequest request = (HttpServletRequest)servletRequest;
		String servletPath = request.getServletPath();
		if (logger.isDebugEnabled()) logger.debug("Filtering request for servletPath=" + servletPath);
		servletPath = servletPath.replaceFirst("^/", "");
		if (servletPath.indexOf("/") >= 0) {
			// Only protect the top-level folder, to allow for login through
			// a subdirectory, shared resource files, and so on.
			chain.doFilter(request, response);
			return;
		}

		Authn authn = (Authn)ac.getBean(authnBeanName);
		Authz authz = (Authz)ac.getBean(authzBeanName);
		Context context = (Context)ac.getBean(contextBeanName);
		AuthorizationFilterConfigurationBean authzFilterConfigBean = (AuthorizationFilterConfigurationBean)ac.getBean(authorizationFilterConfigurationBeanName);
		String userUid = authn.getUserUid(request);

        if (logger.isDebugEnabled()) logger.debug("Filtering request for user " + userUid + ", pathInfo=" + request.getPathInfo());

		// Try to get the currently selected site context, if any
		String siteContext = context.getContext(request);
		
        if(logger.isDebugEnabled()) logger.debug("context=" + siteContext);

		if (siteContext != null) {
			// Get the name of the page from the servlet path.
			String[] splitPath = servletPath.split("[./]");
			String pageName = splitPath[0];

			boolean isAuthorized = false;
			if(authz.isSectionManagementAllowed(userUid, siteContext) &&
					authzFilterConfigBean.getManageAllSections().contains(pageName)) {
				isAuthorized = true;
			} else if (authz.isViewAllSectionsAllowed(userUid, siteContext)
					&& authzFilterConfigBean.getViewAllSections().contains(pageName)) {
				isAuthorized = true;
			} else if (authz.isSectionTaManagementAllowed(userUid, siteContext)
					&& authzFilterConfigBean.getManageTeachingAssistants().contains(pageName)) {
				isAuthorized = true;
			} else if (authz.isSectionEnrollmentMangementAllowed(userUid, siteContext)
					&& authzFilterConfigBean.getManageEnrollments().contains(pageName)) {
				isAuthorized = true;
			} else if (authz.isViewOwnSectionsAllowed(userUid, siteContext)
					&& authzFilterConfigBean.getViewOwnSections().contains(pageName)) {
				isAuthorized = true;
			} else if (pageName.contains("closed")) {
				isAuthorized = true;
			}

			// SAK-13408 - This fix addresses the problem of the filter receiving a blank field on WebSphere.
			// Without this, users would be denied access to the tool
			if ( "websphere".equals(ServerConfigurationService.getString("servlet.container")) && ( isAuthorized || pageName.equals(""))) {
				chain.doFilter(request,response);
			} else if ( !"websphere".equals(ServerConfigurationService.getString("servlet.container")) && isAuthorized ) {
				chain.doFilter(request, response);
			} else {
				logger.error("AUTHORIZATION FAILURE: User " + userUid + " in site " +
					siteContext + " attempted to reach URL " + request.getRequestURL());
				((HttpServletResponse)response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
			}
		} else {
			if (selectSiteRedirect != null) {
				((HttpServletResponse)response).sendRedirect(selectSiteRedirect);
			} else {
				((HttpServletResponse)response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
			}
		}
	}

	public void destroy() {
		ac = null;
	}
}