package flapjack.conf; import java.io.IOException; import java.util.Set; import javax.servlet.FilterChain; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; import com.google.common.collect.ImmutableSet; import com.google.inject.Inject; import com.yammer.metrics.web.DefaultWebappMetricsFilter; import flapjack.auth.Role; import flapjack.entity.Person; import flapjack.entity.Session; import flapjack.manager.PersonManager; /** * Only allows admin access or traffic served from a local host. Used to prevent normal users * from being able to see the metrics. * * @author Ray Vanderborght */ public class AppMetricsFilter extends DefaultWebappMetricsFilter { private static final Set<String> allowedHosts = ImmutableSet.of("localhost", "127.0.0.1"); @Inject private PersonManager personManager; @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { Session session = personManager.getSession((HttpServletRequest) request); if (session == null) { if (!allowedHosts.contains(request.getServerName())) { throw new ServletException("Not allowed"); } } else { Person person = session.getPerson(); if (person == null || person.getRole() != Role.ADMIN) { throw new ServletException("Not allowed"); } } super.doFilter(request, response, chain); } }