/*
* Licensed to csti consulting
* You may obtain a copy of the License at
*
* http://www.csticonsulting.com
* Copyright (c) 2006-Aug 24, 2010 Consultation CS-TI inc.
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package com.salesmanager.core.security;
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.commons.lang.StringUtils;
import org.apache.log4j.Logger;
import com.salesmanager.core.constants.SecurityConstants;
import com.salesmanager.core.module.model.application.CustomerLogonModule;
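/**
 * Servlet filter guarding the customer-facing part of the store.
 * <p>
 * A request is passed down the chain when one of the following holds:
 * <ul>
 *   <li>its path is one of the sign-in / sign-out actions in
 *       {@code escapeActionList}, or a static {@code .css} / {@code .js}
 *       resource;</li>
 *   <li>no {@value #CUSTOMER_AUTH_TOKEN} parameter is present and the session
 *       already carries a customer under
 *       {@link SecurityConstants#SM_CUSTOMER_USER};</li>
 *   <li>a {@value #CUSTOMER_AUTH_TOKEN} parameter is present and the
 *       {@link CustomerLogonModule} accepts it.</li>
 * </ul>
 * Otherwise the client is redirected to the sign-in page (no token) or answered
 * with {@code 401} (rejected token).
 * <p>
 * The exemption decision is made on the path the container dispatches on: path
 * parameters such as {@code ;jsessionid=...} are removed first, and the exempt
 * actions are matched as whole trailing path segments. A protected URL therefore
 * cannot be exempted merely by embedding one of the exempt names, or a
 * {@code .css} / {@code .js} path parameter, somewhere in it.
 */
public class JAASCustomerSecurityFilter extends AuthFilter {

    /**
     * Request parameter carrying a pre-issued customer token. It is read through
     * {@code getParameter}, so it is accepted from the query string as well as
     * the body; callers should prefer the body so the token stays out of access
     * logs and browser history.
     */
    private static final String CUSTOMER_AUTH_TOKEN = "customerAuthToken";

    /** Actions reachable without an authenticated customer; each entry is a full trailing segment. */
    private static final List<String> escapeActionList = Arrays.asList(
            "/logon.action", "/signin.action", "/authenticate.action",
            "/logout.action", "/sendCustomerInformation.action");

    private static final Logger log = Logger.getLogger(JAASCustomerSecurityFilter.class);

    /** Validates {@value #CUSTOMER_AUTH_TOKEN} values; resolved from Spring in {@link #init}. */
    private CustomerLogonModule logonModule = null;

    /**
     * Initialises the superclass and looks up the {@code customerlogon} bean
     * that validates customer tokens.
     *
     * @param filterConfig the container-supplied filter configuration
     * @throws ServletException propagated from {@link AuthFilter#init}
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        super.init(filterConfig);
        logonModule = (CustomerLogonModule) com.salesmanager.core.util.SpringUtil
                .getBean("customerlogon");
    }

    /**
     * Returns the absolute (context-relative) URL of the customer sign-in page.
     *
     * @param request the current request, used for its context path
     * @return the sign-in page URL for this web application
     */
    @Override
    String getLogonPage(HttpServletRequest request) {
        return request.getContextPath() + "/signin.action";
    }

    /**
     * Returns the customer identifier stored in the session, if any.
     * <p>
     * Note that {@code getSession()} creates a session when none exists; the
     * {@code null} guard is kept for containers that may return {@code null}.
     *
     * @param request the current request
     * @return the value of {@link SecurityConstants#SM_CUSTOMER_USER} in the
     *         session, or {@code null} when there is no session or no customer
     */
    @Override
    String getUser(HttpServletRequest request) {
        HttpSession session = request.getSession();
        if (session == null) {
            return null;
        }
        return (String) session.getAttribute(SecurityConstants.SM_CUSTOMER_USER);
    }

    /**
     * Applies the access rules described on the class.
     *
     * @param request  the incoming request (an {@link HttpServletRequest})
     * @param response the outgoing response (an {@link HttpServletResponse})
     * @param chain    the remaining filter chain
     * @throws IOException      from the chain or from writing the redirect
     * @throws ServletException from the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // Keep protected pages out of browser and proxy caches.
        resp.setHeader("Cache-Control", "no-cache");
        resp.setHeader("Pragma", "no-cache");
        resp.setDateHeader("Expires", 0);

        // Decide exemption on the dispatch path, not the raw URI, so that
        // ";jsessionid=..." or a decoy ";x=.css" suffix cannot disguise a request.
        String path = dispatchPath(req.getRequestURI());
        if (isEscapeUrlFromFilter(path) || path.endsWith(".css") || path.endsWith(".js")) {
            chain.doFilter(request, response);
            return;
        }

        String authToken = request.getParameter(CUSTOMER_AUTH_TOKEN);
        if (StringUtils.isBlank(authToken)) {
            // No token: rely on the customer session established by the sign-in action.
            if (getUser(req) != null) {
                chain.doFilter(request, response);
            } else {
                resp.sendRedirect(getLogonPage(req));
            }
            return;
        }

        if (logonModule.isValidAuthToken(authToken)) {
            chain.doFilter(request, response);
        } else {
            // Do not echo the token itself into the log.
            log.warn("Rejected request to " + path + ": invalid " + CUSTOMER_AUTH_TOKEN);
            resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        }
    }

    /**
     * Reduces a request URI to the path the servlet container dispatches on by
     * removing the path-parameter part ({@code ;name=value}) of every segment.
     * {@code getRequestURI()} never includes the query string, so only
     * {@code ';'} needs handling here.
     *
     * @param requestUri the raw request URI; {@code null} is treated as empty
     * @return the URI with path parameters stripped from each segment
     */
    static String dispatchPath(String requestUri) {
        if (requestUri == null) {
            return "";
        }
        String[] segments = requestUri.split("/", -1);
        StringBuilder path = new StringBuilder(requestUri.length());
        for (int i = 0; i < segments.length; i++) {
            String segment = segments[i];
            int semicolon = segment.indexOf(';');
            if (semicolon >= 0) {
                segment = segment.substring(0, semicolon);
            }
            if (i > 0) {
                path.append('/');
            }
            path.append(segment);
        }
        return path.toString();
    }

    /**
     * Tells whether {@code path} is one of the exempt sign-in / sign-out actions.
     * Each entry of {@code escapeActionList} starts with {@code '/'} and must
     * terminate the path, so {@code /shop/signin.action} matches while
     * {@code /shop/xsignin.action} or {@code /shop/signin.action/../account.action}
     * does not.
     *
     * @param path a dispatch path as produced by {@link #dispatchPath}
     * @return {@code true} when the path ends with an exempt action
     */
    private boolean isEscapeUrlFromFilter(String path) {
        for (String escapeUrl : escapeActionList) {
            if (path.endsWith(escapeUrl)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Hook inherited from the filter hierarchy; this filter never bypasses a
     * URL through it (exemptions are handled in {@link #doFilter}). How the
     * result is consumed is defined by {@code AuthFilter}, outside this file.
     *
     * @param request  the current request (unused)
     * @param response the current response (unused)
     * @param chain    the filter chain (unused)
     * @return always {@code false}
     */
    public boolean bypassUrl(HttpServletRequest request, HttpServletResponse response, FilterChain chain) {
        return false;
    }
}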