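package org.stagemonitor.web.monitor.filter;

import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import java.util.Objects;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.stagemonitor.configuration.ConfigurationRegistry;
import org.stagemonitor.core.Stagemonitor;
import org.stagemonitor.web.WebPlugin;

/**
 * Guards the endpoints under {@code /stagemonitor/*}.
 * <p>
 * If 'stagemonitor.web.widget.enabled' is set to 'false', those endpoints are disabled unless the
 * header 'X-Stagemonitor-Show-Widget' is provided with the correct 'stagemonitor.password' as value, or
 * stagemonitor.password is set to an empty string. Thus it is possible to deactivate the widget for unauthorized
 * users while still having the option to activate it for authorized users.
 * <p>
 * The paths listed in {@link #EXCLUDED_PATHS} ({@code /stagemonitor/public} and {@code /stagemonitor/configuration})
 * are not subject to this check; the matching rule is defined by {@link AbstractExclusionFilter}. The configuration
 * endpoint is therefore expected to enforce its own access control (not verified here).
 * <p>
 * Requests that fail the check are answered with {@code 404 Not Found} instead of {@code 401}/{@code 403}, so that
 * the presence of stagemonitor is not disclosed to unauthorized clients.
 * <p>
 * You can use a browser extension like Modify Headers to automatically insert the header on each request to your
 * application.
 * <p>
 * If you deactivate stagemonitor's built-in security by setting stagemonitor.password to an empty string, make sure
 * to secure the endpoints otherwise, for example with Spring Security.
 * <p>
 * For custom control over whether the in-browser widget should be displayed, set the request attribute
 * 'X-Stagemonitor-Show-Widget' with a Boolean value.
 */
public class StagemonitorSecurityFilter extends AbstractExclusionFilter {

	/** Request paths that bypass this filter entirely (handed to {@link AbstractExclusionFilter}). */
	private static final List<String> EXCLUDED_PATHS = Arrays.asList("/stagemonitor/public", "/stagemonitor/configuration");

	private final WebPlugin webPlugin;
	private final ConfigurationRegistry configuration;

	/**
	 * Creates the filter using the globally registered stagemonitor configuration.
	 */
	public StagemonitorSecurityFilter() {
		this(Stagemonitor.getConfiguration());
	}

	/**
	 * Creates the filter with an explicit configuration registry.
	 *
	 * @param configuration the registry the {@link WebPlugin} and the password check are read from; must not be null
	 * @throws NullPointerException if {@code configuration} is null
	 */
	public StagemonitorSecurityFilter(ConfigurationRegistry configuration) {
		super(EXCLUDED_PATHS);
		this.configuration = Objects.requireNonNull(configuration, "configuration");
		this.webPlugin = configuration.getConfig(WebPlugin.class);
	}

	/**
	 * Continues the chain only if the {@link WebPlugin} allows the widget and stagemonitor endpoints for this
	 * request; otherwise the request is rejected.
	 *
	 * @param request  the current request
	 * @param response the current response
	 * @param chain    the remaining filter chain
	 * @throws IOException      propagated from {@code sendError} or the chain
	 * @throws ServletException propagated from the chain
	 */
	@Override
	public void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
			throws IOException, ServletException {
		final boolean allowed = webPlugin.isWidgetAndStagemonitorEndpointsAllowed(request, configuration);
		if (!allowed) {
			// let's pretend as if stagemonitor is not there to not unnecessarily leak information
			response.sendError(HttpServletResponse.SC_NOT_FOUND);
			return;
		}
		chain.doFilter(request, response);
	}
}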