Hello
I created a annotation for the project servlet that checks if a user
logged can perform a function.
The use is simply. Place the annotation Permission in a function.
Without arguments it checks whether there is any user logged in to perform a
function.
This note has two parameters the principals is an array of strings
containing the names of users who can execute the method and roles a
array of strings containing the roles of users who can perform the
function.
This implementation has not been well tested. I hope someone help me
testing.
--
You received this message because you are subscribed to the Google Groups
"google-guice" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/google-guice?hl=en.
Index: extensions/servlet/src/com/google/inject/servlet/ServletModule.java
===================================================================
--- extensions/servlet/src/com/google/inject/servlet/ServletModule.java (revisão 1367)
+++ extensions/servlet/src/com/google/inject/servlet/ServletModule.java (cópia de trabalho)
@@ -21,6 +21,7 @@
import com.google.inject.AbstractModule;
import com.google.inject.Key;
import com.google.inject.internal.util.Lists;
+import com.google.inject.matcher.Matchers;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.ServletContext;
@@ -53,6 +54,9 @@
configureServlets();
install(filtersModuleBuilder);
install(servletsModuleBuilder);
+ SecurityInterceptor roleInterceptor = new SecurityInterceptor();
+ bindInterceptor(Matchers.any(), Matchers.annotatedWith(Permission.class),
+ roleInterceptor);
} finally {
filtersModuleBuilder = null;
servletsModuleBuilder = null;
Index: extensions/servlet/src/com/google/inject/servlet/SecurityInterceptor.java
===================================================================
--- extensions/servlet/src/com/google/inject/servlet/SecurityInterceptor.java (revisão 0)
+++ extensions/servlet/src/com/google/inject/servlet/SecurityInterceptor.java (revisão 0)
@@ -0,0 +1,54 @@
+/*
+ * To change this template, choose Tools | Templates
+ * and open the template in the editor.
+ */
+package com.google.inject.servlet;
+
+import com.google.inject.Inject;
+import com.google.inject.Provider;
+import com.google.inject.Singleton;
+import javax.servlet.http.HttpServletRequest;
+import org.aopalliance.intercept.MethodInterceptor;
+import org.aopalliance.intercept.MethodInvocation;
+
+/**
+ * The interceptor restrics some users to execute a function.
+ * @author gui [email protected]
+ */
+...@singleton
+public class SecurityInterceptor implements MethodInterceptor {
+
+
+ public Object invoke(MethodInvocation invocation) throws Throwable {
+ Permission roleAnnotation = invocation.getMethod().getAnnotation(Permission.class);
+ String[] roles = roleAnnotation.roles();
+ String[] principals = roleAnnotation.principals();
+ boolean ok = false;
+ HttpServletRequest request = GuiceFilter.getRequest();
+ if (roles.length == 0 && principals.length == 0) {
+ if (request.getRemoteUser() != null) {
+ ok = true;
+ }
+ } else {
+ for (String role : roles) {
+ if (request.isUserInRole(role)) {
+ ok = true;
+ break;
+ }
+ }
+ if (!ok) {
+ for (String principal : principals) {
+ if (request.getRemoteUser().equals(principal)) {
+ ok = true;
+ break;
+ }
+ }
+ }
+ }
+ if (ok) {
+ return invocation.proceed();
+ } else {
+ throw new SecurityException("Method invocation is not allow. The user don't have permissions");
+ }
+ }
+}
Index: extensions/servlet/src/com/google/inject/servlet/Permission.java
===================================================================
--- extensions/servlet/src/com/google/inject/servlet/Permission.java (revisão 0)
+++ extensions/servlet/src/com/google/inject/servlet/Permission.java (revisão 0)
@@ -0,0 +1,22 @@
+/*
+ * To change this template, choose Tools | Templates
+ * and open the template in the editor.
+ */
+package com.google.inject.servlet;
+
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+/**
+ * A annotation for restric some users to execute some functions.
+ * @author gui [email protected]
+ */
+...@retention(RetentionPolicy.RUNTIME)
+...@target(ElementType.METHOD)
+public @interface Permission {
+
+ String[] roles() default {};
+ String[] principals() default {};
+}
