/* (c) 2015 Open Source Geospatial Foundation - all rights reserved
* This code is licensed under the GPL 2.0 license, available at the root
* application directory.
*/
package org.geoserver.security;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.http.HttpMethod;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.util.AntPathMatcher;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;
/**
* Improved version of Spring Security AntPathRequestMatcher with optional
* query string regular expression matching in addition to path matching.
*
* The original AntPathRequestMatcher was declared final and not easily extendable
* by composition, so we have wrote our own enhanced version.
*
* @author Mauro Bartolomeoli
*
*/
public final class IncludeQueryStringAntPathRequestMatcher implements RequestMatcher {
private static final Log logger = LogFactory.getLog(IncludeQueryStringAntPathRequestMatcher.class);
private static final String MATCH_ALL = "/**";
private static final String QUERYSTRING_SEPARATOR = "|";
private final Matcher matcher;
private final Matcher queryStringMatcher;
private final String pattern;
private final HttpMethod httpMethod;
/**
* Creates a matcher with the specific pattern which will match all HTTP methods.
*
* @param pattern the ant pattern to use for matching
*/
public IncludeQueryStringAntPathRequestMatcher(String pattern) {
this(pattern, null);
}
/**
* Creates a matcher with the supplied pattern which will match all HTTP methods.
*
* @param pattern the ant pattern to use for matching
* @param httpMethod the HTTP method. The {@code matches} method will return false if the incoming request doesn't
* have the same method.
*/
public IncludeQueryStringAntPathRequestMatcher(String pattern, String httpMethod) {
Assert.hasText(pattern, "Pattern cannot be null or empty");
String queryStringPattern = "";
String originalPattern = pattern;
// check for querystring pattern existance
if(pattern.contains(QUERYSTRING_SEPARATOR)) {
queryStringPattern = pattern.substring(pattern.indexOf(QUERYSTRING_SEPARATOR) + 1);
pattern = pattern.substring(0, pattern.indexOf(QUERYSTRING_SEPARATOR));
}
if (pattern.equals(MATCH_ALL) || pattern.equals("**")) {
pattern = MATCH_ALL;
matcher = null;
} else {
pattern = pattern.toLowerCase();
// If the pattern ends with {@code /**} and has no other wildcards, then optimize to a sub-path match
if (pattern.endsWith(MATCH_ALL) && pattern.indexOf('?') == -1 &&
pattern.indexOf("*") == pattern.length() - 2) {
matcher = new SubpathMatcher(pattern.substring(0, pattern.length() - 3));
} else {
matcher = new SpringAntMatcher(pattern);
}
}
this.pattern = originalPattern;
// build query string matcher if needed
if(StringUtils.hasLength(queryStringPattern)) {
queryStringMatcher = new QueryStringMatcher(queryStringPattern);
} else {
queryStringMatcher = null;
}
this.httpMethod = StringUtils.hasText(httpMethod) ? HttpMethod.valueOf(httpMethod) : null;
}
/**
* Returns true if the configured pattern(s) (and HTTP-Method) match those of the supplied request.
*
* @param request the request to match against. The ant pattern will be matched against the
* {@code servletPath} + {@code pathInfo} of the request.
*/
public boolean matches(HttpServletRequest request) {
if (httpMethod != null && httpMethod != HttpMethod.valueOf(request.getMethod())) {
if (logger.isDebugEnabled()) {
logger.debug("Request '" + request.getMethod() + " " + getRequestPath(request) + "'"
+ " doesn't match '" + httpMethod + " " + pattern);
}
return false;
}
RequestUrlParts url = getRequestPath(request);
if (logger.isDebugEnabled()) {
logger.debug("Checking match of request : '" + url + "'; against '" + pattern + "'");
}
boolean matched = matchesPath(url) && matchesQueryString(url);
if(matched) {
logger.debug("Matched " + url + " with " + pattern);
}
return matched;
}
private boolean matchesQueryString(RequestUrlParts url) {
if(queryStringMatcher != null) {
return queryStringMatcher.matches(url.getQueryString());
}
return true;
}
private boolean matchesPath(RequestUrlParts url) {
if (pattern.equals(MATCH_ALL)) {
if (logger.isDebugEnabled()) {
logger.debug("Request matched by universal pattern '/**'");
}
return true;
}
return matcher.matches(url.getPath());
}
private RequestUrlParts getRequestPath(HttpServletRequest request) {
String url = request.getServletPath();
if (request.getPathInfo() != null) {
url += request.getPathInfo();
}
url = url.toLowerCase();
String queryString = request.getQueryString();
return new RequestUrlParts(url, queryString);
}
public String getPattern() {
return pattern;
}
@Override
public boolean equals(Object obj) {
if (!(obj instanceof IncludeQueryStringAntPathRequestMatcher)) {
return false;
}
IncludeQueryStringAntPathRequestMatcher other = (IncludeQueryStringAntPathRequestMatcher)obj;
return this.pattern.equals(other.pattern) &&
this.httpMethod == other.httpMethod;
}
@Override
public int hashCode() {
int code = 31 ^ pattern.hashCode();
if (httpMethod != null) {
code ^= httpMethod.hashCode();
}
return code;
}
@Override
public String toString() {
StringBuilder sb = new StringBuilder();
sb.append("Ant [pattern='").append(pattern).append("'");
if (httpMethod != null) {
sb.append(", ").append(httpMethod);
}
sb.append("]");
return sb.toString();
}
private static interface Matcher {
boolean matches(String path);
}
private static class SpringAntMatcher implements Matcher {
private static final AntPathMatcher antMatcher = new AntPathMatcher();
private final String pattern;
private SpringAntMatcher(String pattern) {
this.pattern = pattern;
}
public boolean matches(String path) {
return antMatcher.match(pattern, path);
}
}
private static class QueryStringMatcher implements Matcher {
private Pattern pattern = null;
private QueryStringMatcher(String pattern) {
try {
this.pattern = Pattern.compile(parsePattern(pattern), Pattern.CASE_INSENSITIVE);
} catch(Exception e) {
logger.error("Error in filter chain query string pattern", e);
}
}
private String parsePattern(String unparsed) {
if(!unparsed.startsWith("^")) {
unparsed = "^" + unparsed;
}
if(!unparsed.endsWith("$")) {
unparsed = unparsed + "$";
}
return unparsed;
}
public boolean matches(String path) {
if(pattern != null && path != null) {
return pattern.matcher(path).matches();
}
return false;
}
}
/**
* Optimized matcher for trailing wildcards
*/
private static class SubpathMatcher implements Matcher {
private final String subpath;
private final int length;
private SubpathMatcher(String subpath) {
assert !subpath.contains("*");
this.subpath = subpath;
this.length = subpath.length();
}
public boolean matches(String path) {
return path.startsWith(subpath) && (path.length() == length || path.charAt(length) == '/');
}
}
/**
* Value object for request parts handled by different matchers.
*
*/
private static class RequestUrlParts {
private String path;
private String queryString;
public RequestUrlParts(String path, String queryString) {
super();
this.path = path;
this.queryString = queryString;
}
public String getPath() {
return path;
}
public String getQueryString() {
return queryString;
}
@Override
public String toString() {
return "Path: " + path + ", QueryString: " + queryString;
}
}
}