1   /*******************************************************************************
2    *   Gisgraphy Project 
3    * 
4    *   This library is free software; you can redistribute it and/or
5    *   modify it under the terms of the GNU Lesser General Public
6    *   License as published by the Free Software Foundation; either
7    *   version 2.1 of the License, or (at your option) any later version.
8    * 
9    *   This library is distributed in the hope that it will be useful,
10   *   but WITHOUT ANY WARRANTY; without even the implied warranty of
11   *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12   *   Lesser General Public License for more details.
13   * 
14   *   You should have received a copy of the GNU Lesser General Public
15   *   License along with this library; if not, write to the Free Software
16   *   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA
17   * 
18   *  Copyright 2008  Gisgraphy project 
19   *  David Masclet <davidmasclet@gisgraphy.com>
20   *  
21   *  
22   *******************************************************************************/
23  package com.gisgraphy.webapp.interceptor;
24  
25  import java.io.IOException;
26  
27  import javax.servlet.ServletException;
28  import javax.servlet.http.HttpServletRequest;
29  import javax.servlet.http.HttpServletResponse;
30  
31  import org.apache.struts2.ServletActionContext;
32  
33  import com.opensymphony.xwork2.ActionInvocation;
34  import com.opensymphony.xwork2.interceptor.Interceptor;
35  
36  /**
37   * Security interceptor checks to see if users are in the specified roles before
38   * proceeding. Similar to Spring's UserRoleAuthorizationInterceptor. see
39   * org.springframework.web.servlet.handler.UserRoleAuthorizationInterceptor
40   * 
41   * @author <a href="mailto:matt@raibledesigns.com">Matt Raible</a>
42   */
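public class UserRoleAuthorizationInterceptor implements Interceptor {
    private static final long serialVersionUID = 5067790608840427509L;

    /**
     * Role names that grant access. A request passes if the user holds any one
     * of them. {@code null} (never configured) authorizes nobody, so the
     * interceptor fails closed rather than open.
     */
    private String[] authorizedRoles;

    /**
     * Intercept the action invocation and check to see if the user has the
     * proper role.
     * <p>
     * The action is invoked only when the servlet container reports, via
     * {@link HttpServletRequest#isUserInRole(String)}, that the current user is
     * in at least one configured role. Otherwise the action is never reached
     * and {@link #handleNotAuthorized} writes the response. Because the role
     * check is delegated to the container, the configured names must match the
     * roles known to the container's security setup.
     * 
     * @param invocation
     *                the current action invocation
     * @return the action's result code when the user is authorized, or
     *         {@code null} after {@link #handleNotAuthorized} has written the
     *         error response (by default HttpServletResponse.SC_FORBIDDEN)
     * @throws Exception
     *                 when invoking the action or writing the error response
     *                 fails
     */
    public String intercept(ActionInvocation invocation) throws Exception {
        HttpServletRequest request = ServletActionContext.getRequest();

        if (isAuthorized(request)) {
            return invocation.invoke();
        }

        HttpServletResponse response = ServletActionContext.getResponse();
        handleNotAuthorized(request, response);
        return null;
    }

    /**
     * Tell whether the request's user is in any of the configured roles.
     * <p>
     * No configured roles (or only null entries) means "not authorized": a
     * misconfigured interceptor denies rather than grants. Null role names are
     * skipped instead of being handed to the container.
     * 
     * @param request
     *                current HTTP request
     * @return true if the user holds at least one configured, non-null role
     */
    private boolean isAuthorized(HttpServletRequest request) {
        if (this.authorizedRoles == null) {
            return false;
        }
        for (String role : this.authorizedRoles) {
            if (role != null && request.isUserInRole(role)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Set the roles that this interceptor should treat as authorized.
     * <p>
     * The array is copied: callers (and the container that injects the
     * configuration) keep their own reference, and the set of authorizing
     * roles must not be changeable behind the interceptor's back. Interceptor
     * instances are presumably shared between requests, so this is expected to
     * be called once during configuration; no synchronization is done.
     * 
     * @param authorizedRoles
     *                array of role names; {@code null} authorizes nobody
     */
    public final void setAuthorizedRoles(String[] authorizedRoles) {
        this.authorizedRoles = authorizedRoles == null ? null : authorizedRoles.clone();
    }

    /**
     * Handle a request that is not authorized according to this interceptor.
     * Default implementation sends HTTP status code 403 ("forbidden"). Note
     * that 403 is sent whether or not the user is authenticated at all; an
     * override is the place to redirect anonymous users to a login page
     * instead.
     * <p>
     * This method can be overridden to write a custom message, forward or
     * redirect to some error page or login page, or throw a ServletException.
     * 
     * @param request
     *                current HTTP request
     * @param response
     *                current HTTP response
     * @throws javax.servlet.ServletException
     *                 if there is an internal error
     * @throws java.io.IOException
     *                 in case of an I/O error when writing the response
     */
    protected void handleNotAuthorized(HttpServletRequest request,
            HttpServletResponse response) throws ServletException, IOException {
        response.sendError(HttpServletResponse.SC_FORBIDDEN);
    }

    /**
     * Required by {@link Interceptor}; this implementation holds no resources,
     * so there is nothing to release.
     */
    public void destroy() {
    }

    /**
     * Required by {@link Interceptor}; all configuration arrives through
     * {@link #setAuthorizedRoles}, so there is nothing to initialize here.
     */
    public void init() {
    }
}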