/* * @(#)ArexisServlet.java 1.0 2000-10-05 * * Copyright (c) Prevas AB. All Rights Reserved. * * CopyrightVersion 1.0 */ package se.arexis.agdb.servlet; import javax.servlet.http.*; import java.io.*; import javax.servlet.*; /** * An abstract class that provides session control for the non administrative servlets * in the Arexis genetic database project. It extends the * <code>HttpServlet</code> which simplifies writing HTTP servlets. * This class overrides the <code>service</code> method and verifies * that the requesting client has the necessary information stored in * her/his session object. If not, the client is being redirected to * another location (redirectClass) * Because it is an abstract class, servlet writers must subclass it * and override at least one method. * The methods normally overridden are: * * <ul> * <li> <code>doGet</code>, if HTTP GET requests are supported. * Overriding the <code>doGet</code> method automatically also * provides support for the HEAD and conditional GET operations. * Where practical, the <code>getLastModified</code> method should * also be overridden, to facilitate caching the HTTP response * data. This improves performance by enabling smarter * conditional GET support. * * <li> <code>doPost</code>, if HTTP POST requests are supported. * <li> <code>doPut</code>, if HTTP PUT requests are supported. * <li> <code>doDelete</code>, if HTTP DELETE requests are supported. * * <li> The lifecycle methods <code>init</code> and * <code>destroy</code>, if the servlet writer needs to manage * resources that are held for the lifetime of the servlet. * Servlets that do not manage resources do not need to specialize * these methods. * * <li> <code>getServletInfo</code>, to provide descriptive * information through a service's administrative interfaces. * </ul> * * <P>Notice that the <code>service</code> method is not typically * overridden. 
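The <code>service</code> method, as provided, supports
 * standard HTTP requests by dispatching them to appropriate methods,
 * such as the methods listed above that have the prefix "do". That is,
 * if the user has the necessary session data. Otherwise the servlet
 * responds with a redirect HTTP header.
 * In addition, the service method also supports the HTTP 1.1 protocol's
 * TRACE and OPTIONS methods by dispatching to the <code>doTrace</code>
 * and <code>doOptions</code> methods. The <code>doTrace</code> and
 * <code>doOptions</code> methods are not typically overridden.
 *
 * <P>Servlets typically run inside multi-threaded servers; servlets
 * must be written to handle multiple service requests simultaneously.
 * It is the servlet writer's responsibility to synchronize access to
 * any shared resources. Such resources include in-memory data such as
 * instance or class variables of the servlet, as well as external
 * components such as files, database and network connections.
 * Information on multithreaded programming in Java can be found in the
 * <a
 * href="http://java.sun.com/Series/Tutorial/java/threads/multithreaded.html">
 * Java Tutorial on Multithreaded Programming</a>.
 *
 * @version 1.0, 2000-10-05
 */
//2003-11-26, liwa, added RES_R, RES_W, CTG_R, CTG_W, RTYPE_R, RTYPE_W.
public abstract class SecureArexisServlet extends ArexisServlet {

    // Defined values used for privilege control.
    // They are class constants (static final): one shared copy instead of
    // one copy per servlet instance. Subclasses still refer to them by
    // their simple names exactly as before.
    protected static final int PROJECT_ADM = 1;
    protected static final int PROJECT_STA = 2;

    /*
     * NOTE:
     * The privileges GENO_W0 to GENO_W9 must be
     * defined as a series, where GENO_W0 has
     * the lowest value, GENO_W9 the highest, and there are
     * no holes.
     */
    protected static final int SU_W = 3;
    protected static final int SU_R = 4;
    protected static final int GRP_W = 5;
    protected static final int GRP_R = 6;
    protected static final int IND_W = 7;
    protected static final int IND_R = 8;
    protected static final int VAR_W = 9;
    protected static final int VAR_R = 10;
    protected static final int VARS_W = 11;
    protected static final int VARS_R = 12;
    protected static final int UVAR_W = 13;
    protected static final int UVAR_R = 14;
    protected static final int UVARS_W = 15;
    protected static final int UVARS_R = 16;
    protected static final int PHENO_W = 17;
    protected static final int PHENO_R = 18;
    protected static final int MRK_W = 19;
    protected static final int MRK_R = 20;
    protected static final int LMRK_R = 21;
    protected static final int MRKS_W = 22;
    protected static final int MRKS_R = 23;
    protected static final int UMRK_W = 24;
    protected static final int UMRK_R = 25;
    protected static final int UMRKS_W = 26;
    protected static final int UMRKS_R = 27;
    protected static final int GENO_W0 = 28;
    protected static final int GENO_W1 = 29;
    protected static final int GENO_W2 = 30;
    protected static final int GENO_W3 = 31;
    protected static final int GENO_W4 = 32;
    protected static final int GENO_W5 = 33;
    protected static final int GENO_W6 = 34;
    protected static final int GENO_W7 = 35;
    protected static final int GENO_W8 = 36;
    protected static final int GENO_W9 = 37;
    protected static final int GENO_R = 38;
    protected static final int FLT_W = 39;
    protected static final int FLT_R = 40;
    protected static final int ANA_W = 41;
    protected static final int ANA_R = 42;
    protected static final int RES_R = 43;
    protected static final int RES_W = 44;
    protected static final int CTG_R = 45;
    protected static final int CTG_W = 46;
    protected static final int RTYPE_R = 47;
    protected static final int RTYPE_W = 48;

    /** Session attribute that the login step sets to Boolean.TRUE on success. */
    private static final String LOGIN_OK_ATTRIBUTE = "LoginOk";

    /**
     * Constructor.
     */
    public SecureArexisServlet() {
    }

    /**
     * This is the ArexisServlet-specific version of the
     * <code>HttpServlet.service</code> method, which verifies that the request
     * comes from a client with the necessary session data. If the client
     * passes the test the super class service method is called. Otherwise the
     * <code>service</code> method response is a redirection (via
     * <code>redirect</code>, presumably provided by ArexisServlet) to the
     * redirect location.
     * <p>
     * The checks are applied in this order, and each failing check ends the
     * request right away so that no later check (and in particular no
     * subclass <code>do</code> method) runs on a response that has already
     * been committed:
     * <ol>
     * <li> <code>checkMissingData()</code> true: respond 503 Service Unavailable.
     * <li> request scheme is not "https": redirect. The "do" methods of
     *      subclasses therefore never execute over a plaintext channel.
     * <li> no session, or the session lacks a <code>Boolean.TRUE</code>
     *      "LoginOk" attribute: redirect. No session is created for such a
     *      client; a client without a session cannot have logged in.
     * </ol>
     *
     * @param req HttpServletRequest that encapsulates the request to
     *            the servlet
     * @param res HttpServletResponse that encapsulates the response
     *            from the servlet
     * @exception IOException if detected when handling the request
     * @exception ServletException if the request could not be handled
     *
     * @see javax.servlet.Servlet#service
     */
    protected void service(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        // Servlet-wide prerequisites are missing: refuse service and stop.
        if (checkMissingData()) {
            res.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE);
            return;
        }

        // Only serve over TLS; redirect and stop on any other scheme.
        String scheme = req.getScheme();
        // System.err.println("Secure Arexis Servlet: scheme="+scheme);
        if (!"https".equalsIgnoreCase(scheme)) {
            redirect(res); // should redirect to warning page?
            return;
        }

        // Check if the user has logged in properly. A missing session, a
        // missing attribute or a non-Boolean attribute value all count as
        // "not logged in" (no ClassCastException, no NullPointerException).
        HttpSession session = req.getSession(false);
        Object loginOk = (session == null)
                ? null
                : session.getValue(LOGIN_OK_ATTRIBUTE);
        // System.err.println("Secure Arexis Servlet:login="+loginOk);
        if (!Boolean.TRUE.equals(loginOk)) {
            redirect(res);
            return;
        }
        super.service(req, res);
    }

    /**
     * Returns one of two strings to be written to the HTML page. Which
     * string is returned is decided by comparing the user's privileges to
     * the privilege required.
     *
     * @param owned    the privilege codes held by the user; <code>null</code>
     *                 is treated as "no privileges"
     * @param required the privilege code that must be held
     * @param ifTrue   the string returned when <code>required</code> is
     *                 among <code>owned</code>
     * @param ifFalse  the string returned otherwise
     * @return <code>ifTrue</code> or <code>ifFalse</code> as described above
     */
    protected String privDependentString(int[] owned, int required,
                                         String ifTrue, String ifFalse) {
        if (owned == null) {
            return ifFalse;
        }
        for (int i = 0; i < owned.length; i++) {
            if (owned[i] == required) {
                return ifTrue;
            }
        }
        return ifFalse;
    }
}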