/* * Licensed to the Apache Software Foundation (ASF) under one or more * contributor license agreements. See the NOTICE file distributed with * this work for additional information regarding copyright ownership. * The ASF licenses this file to You under the Apache License, Version 2.0 * (the "License"); you may not use this file except in compliance with * the License. You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package org.crosswire.community; import java.io.IOException; import java.util.ArrayList; import java.util.regex.Pattern; import java.util.regex.PatternSyntaxException; import javax.servlet.ServletContext; import javax.servlet.ServletException; import javax.servlet.http.HttpServletResponse; import org.apache.catalina.connector.Request; import org.apache.catalina.connector.Response; import org.apache.catalina.util.StringManager; import org.apache.catalina.valves.ValveBase; import org.crosswire.community.data.Project; import org.crosswire.community.data.User; import org.crosswire.xml.XMLRepo; /** * Implementation of a Valve that performs filtering based on comparing the * appropriate request property (selected based on which subclass you choose * to configure into your Container's pipeline) against a set of regular * expressions configured for this Valve. *

* This valve is configured by setting the allow and/or * deny properties to a comma-delimited list of regular * expressions (in the syntax supported by the jakarta-regexp library) to * which the appropriate request property will be compared. Evaluation * proceeds as follows: *

The subclass extracts the request property to be filtered, and * calls the common process() method. *
If there are any deny expressions configured, the property will * be compared to each such expression. If a match is found, this * request will be rejected with a "Forbidden" HTTP response.
If there are any allow expressions configured, the property will * be compared to each such expression. If a match is found, this * request will be allowed to pass through to the next Valve in the * current pipeline.
If one or more deny expressions was specified but no allow expressions, * allow this request to pass through (because none of the deny * expressions matched it). *
The request will be rejected with a "Forbidden" HTTP response.

* This Valve may be attached to any Container, depending on the granularity * of the filtering you wish to perform. * * @author Craig R. McClanahan * @version $Id: RequestFilterValve.java 939353 2010-04-29 15:50:43Z kkolinko $ */ public abstract class CommunityAccessControlCatalinaValve extends ValveBase { // ----------------------------------------------------- Class Variables /** * The descriptive information related to this implementation. */ private static final String info = "org.apache.catalina.valves.RequestFilterValve/1.0"; // ----------------------------------------------------- Instance Variables /** * The comma-delimited set of allow expressions. */ protected String allow = null; /** * The set of allow regular expressions we will evaluate. */ protected Pattern allows[] = new Pattern[0]; /** * The set of deny regular expressions we will evaluate. */ protected Pattern denies[] = new Pattern[0]; /** * The comma-delimited set of deny expressions. */ protected String deny = null; // ------------------------------------------------------------- Properties /** * Return a comma-delimited set of the allow expressions * configured for this Valve, if any; otherwise, return null. */ public String getAllow() { return (this.allow); } /** * Set the comma-delimited set of the allow expressions * configured for this Valve, if any. * * @param allow The new set of allow expressions */ public void setAllow(String allow) { this.allow = allow; allows = precalculate(allow); } /** * Return a comma-delimited set of the deny expressions * configured for this Valve, if any; otherwise, return null. */ public String getDeny() { return (this.deny); } /** * Set the comma-delimited set of the deny expressions * configured for this Valve, if any. * * @param deny The new set of deny expressions */ public void setDeny(String deny) { this.deny = deny; denies = precalculate(deny); } /** * Return descriptive information about this Valve implementation. */ public String getInfo() { return (info); } // --------------------------------------------------------- Public Methods /** * Extract the desired request property, and pass it (along with the * specified request and response objects) to the protected * process() method to perform the actual filtering. * This method must be implemented by a concrete subclass. * * @param request The servlet request to be processed * @param response The servlet response to be created * * @exception IOException if an input/output error occurs * @exception ServletException if a servlet error occurs */ public void invoke(Request request, Response response) throws IOException, ServletException { ServletContext sc = request.getContext().getServletContext(); sc.getRealPath("/"); StringBuffer url = request.getRequestURL(); if (url.toString().startsWith("/projects/itsee/library")) { /* XMLRepo repo = XMLRepo.instance(sc); Project project = (Project)repo.get(new Project("itsee"), false); User user = (User) request.getSession().getAttribute("user"); if (!project.getPermission("Image Dropbox").isAuthorized(user)) { response.sendError(HttpServletResponse.SC_FORBIDDEN); } */ } } // ------------------------------------------------------ Protected Methods /** * Return an array of regular expression objects initialized from the * specified argument, which must be null or a comma-delimited * list of regular expression patterns. * * @param list The comma-separated list of patterns * * @exception IllegalArgumentException if one of the patterns has * invalid syntax */ protected Pattern[] precalculate(String list) { if (list == null) return (new Pattern[0]); list = list.trim(); if (list.length() < 1) return (new Pattern[0]); list += ","; ArrayList reList = new ArrayList(); while (list.length() > 0) { int comma = list.indexOf(','); if (comma < 0) break; String pattern = list.substring(0, comma).trim(); try { reList.add(Pattern.compile(pattern)); } catch (PatternSyntaxException e) { IllegalArgumentException iae = new IllegalArgumentException (sm.getString("requestFilterValve.syntax", pattern)); iae.initCause(e); throw iae; } list = list.substring(comma + 1); } Pattern reArray[] = new Pattern[reList.size()]; return ((Pattern[]) reList.toArray(reArray)); } /** * Perform the filtering that has been configured for this Valve, matching * against the specified request property. * * @param property The request property on which to filter * @param request The servlet request to be processed * @param response The servlet response to be processed * * @exception IOException if an input/output error occurs * @exception ServletException if a servlet error occurs */ protected void process(String property, Request request, Response response) throws IOException, ServletException { // Check the deny patterns, if any for (int i = 0; i < denies.length; i++) { if (denies[i].matcher(property).matches()) { response.sendError(HttpServletResponse.SC_FORBIDDEN); return; } } // Check the allow patterns, if any for (int i = 0; i < allows.length; i++) { if (allows[i].matcher(property).matches()) { getNext().invoke(request, response); return; } } // Allow if denies specified but not allows if ((denies.length > 0) && (allows.length == 0)) { getNext().invoke(request, response); return; } // Deny this request response.sendError(HttpServletResponse.SC_FORBIDDEN); } }