As so many have said before, I'm new to Java and Tomcat. So please
forgive any poor design you see in my code, but please let me know about
it :)
I've created a filter class that handles user authorization. Basically
when a user hits a page the filter is defined for, it checks for a
boolean value in the user's session that describes their access to a
certain auth group.
If the user is not authorized, they are forwarded to a login page
defined as an init-param which handles their authentication for that
group.
This works flawlessly on pages in the root directory, and if I do:
<url-pattern>/*.jsp</url-pattern>
it operates on every file throughout the hierarchy. This isn't what I
wanted so I defined a url exclusion method, that accepts paths and
regular expressions that the filter tests before processing auth.
I setup a new <filter> for each group/directory. It only works on the
root directory though, and using a url-pattern of /admin/*.jsp doesn't
appear to trigger the filter. It's never run. This happens whether or
not the filter on the root of the context exists.
Thank you very much for any advice you can give!
--
Ryan Parr
The pertinent parts of my web.xml:
-----------------------------------------------------------------------
<filter>
<filter-name>AdminSection</filter-name>
<filter-class>com.mysite.filters.UserAuthorization</filter-class>
<init-param>
<param-name>AuthGroup</param-name>
<param-value>Admin</param-value>
</init-param>
<init-param>
<param-name>LoginPage</param-name>
<param-value>/admin/login.jsp</param-value>
</init-param>
</filter>
<!-- Admin Section -->
<filter-mapping>
<filter-name>AdminSection</filter-name>
<url-pattern>/admin/*.jsp</url-pattern>
</filter-mapping>
------------------------------------------------------------------------
And my UserAuthorization source:
------------------------------------------------------------------------
/*
* UserAuthorization.java
*
* Created on October 2, 2003, 8:52 PM
*/
package com.mysite.filters;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.ServletContext;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import java.util.regex.Pattern;
/**
* This is the authorization filter. This simply checks to see
* if a user is logged in, and if so whether or not they are allowed
* to access the request resource. Authentication is handled elsewhere,
* in a struts action.
*
* @author Ryan Parr
* @version 0.1
* @see javax.servlet.Filter
*/
public class UserAuthorization implements Filter {
private FilterConfig config;
private String authName; // What's our name yo
private String[] authGroups; // Roles for this resource
private String loginPage; // The login page to forward to
private String[] pageExclusions; // Pages we don't want to filter
private String[] pageExclusionPatterns; // Patterns of pages we
don't want to filter
private boolean loggedIn = false;
private ServletContext context = null;
/**
* This is the first method called when the filter is used.
* The general intention of this method is simply to set
* a private variable to the filterConfig parameter.
*
* @param filterConfig FilterConfig
*/
public void init(FilterConfig filterConfig) throws ServletException
{
config = filterConfig;
authName = config.getFilterName();
loginPage = config.getInitParameter("LoginPage");
// Populate the authGroups array
String authGroupString = config.getInitParameter("AuthGroup");
if(!(authGroupString == null) && !(authGroupString.equals(""))) {
authGroups = authGroupString.split(",");
for(int i = 0; i < authGroups.length; i++)
{
authGroups[i] = authGroups[i].trim();
}
}
// Populate pageExclusions array
String pageExclusionString =
config.getInitParameter("PageExclusions");
if(!(pageExclusionString == null) &&
!(pageExclusionString.equals(""))) {
pageExclusions = pageExclusionString.split(",");
for(int i = 0; i < pageExclusions.length; i++)
{
pageExclusions[i] = pageExclusions[i].trim();
}
}
// Populate pageExclusionPatterns array
String pageExclusionPatternString =
config.getInitParameter("PageExclusionPatterns");
if(!(pageExclusionPatternString == null) &&
!(pageExclusionPatternString.equals(""))) {
pageExclusionPatterns = pageExclusionPatternString.split(",");
for(int i = 0; i < pageExclusionPatterns.length; i++)
{
pageExclusionPatterns[i] =
pageExclusionPatterns[i].trim();
}
}
loggedIn = false;
context = config.getServletContext();
}
/**
* This is the last method called and is used for clean-up.
*
*/
public void destroy()
{
config = null;
loginPage = null;
loggedIn = false;
authName = null;
authGroups = null;
pageExclusions = null;
pageExclusionPatterns = null;
}
/**
* This is the worker method. From here you can forward, redirect,
etc...
*
* @param request ServletRequest
* @param response SerlvetResponse
* @param filterChain FilterChain
* @throws ServletException
* @throws IOException
*/
public void doFilter(ServletRequest request,
ServletResponse response,
FilterChain filterChain)
throws ServletException, IOException
{
HttpSession session =
((HttpServletRequest)request).getSession(true);
String servletPath =
((HttpServletRequest)request).getServletPath();
System.err.println("Processing filter " + authName + "for " +
servletPath);
// Do we even need auth?
if(authGroups.length == 0) {
filterChain.doFilter(request,response);
return;
}
// If this is the login page configured for this filter,
// we need to just skip.
if(loginPage.equals(servletPath)) {
filterChain.doFilter(request,response);
return;
}
// If this page is in the list of exclusions, skip
if(pageExclusions.length > 0) {
for(int i = 0; i < pageExclusions.length; i++)
{
System.err.println("Are we going to handle this page:
" +
pageExclusions[i]);
if(servletPath.equals(pageExclusions[i])) {
System.err.println("Yep...");
filterChain.doFilter(request,response);
return;
}
}
}
System.err.println("Not according to our file names we aren't...");
// If this page is in the exclusion patterns, skip
if(pageExclusionPatterns.length > 0) {
for(int i = 0; i < pageExclusionPatterns.length; i++)
{
System.err.println("Are we going to handle this page:
" +
pageExclusionPatterns[i]);
if(Pattern.matches(pageExclusionPatterns[i], servletPath)) {
System.err.println("Yep...");
filterChain.doFilter(request,response);
return;
}
}
}
System.err.println("Not according to our patterns we aren't...");
// See if the user is already authorzied for this role, and
allow if so
for(int i = 0; i < authGroups.length; i++)
{
if(authGroups[i] == null || authGroups[i].equals("")) {
continue;
}
Boolean tLoggedIn =
(Boolean)session.getAttribute(authGroups[i]);
if(tLoggedIn == null) {
continue;
}
loggedIn = tLoggedIn.booleanValue();
if(loggedIn) {
filterChain.doFilter(request,response);
return;
}
}
// If they're not authorized, we have to forward them to a login
page
// We stash the originally requested URL so that we can forward
to that page
// after auth.
request.setAttribute(authName + "RequestedUrl", servletPath);
// Now forward
config.getServletContext().getRequestDispatcher(loginPage).forward(request,response);
}
}
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
