I have the following code for an access filter. If I log in with the
role of "admin" everything works as expected. If I try to log in with
the role of "user" I immediately get a permissions error that denies access.
I've added ${sessionScope.USER} to the jsp pages as well as adding
entries for PWD and ROLE. The correct information is in the session
variables.
I'd appreciate any help in finding the error and fixing it.
Thanks,
Jack
public class AccessControlFilter
implements Filter
{
public static final String NO_ACCESS_PAGE = "no-access-page";
public static final String NO_AUTH_PAGE = "no-auth-page";
private FilterConfig fc;
private String noAccessPage;
private String notLoggedInPage;
public AccessControlFilter()
{
fc = null;
}
/**
* Destroy the Access Control Filter
*/
public void destroy()
{
fc = null;
}
/**
* Initialize the Access Control Filter
*/
public void init(FilterConfig config)
throws ServletException
{
fc = config;
noAccessPage = fc.getInitParameter("no-access-page");
if(noAccessPage == null)
noAccessPage = "noaccess.jsp";
notLoggedInPage = fc.getInitParameter("no-auth-page");
if(notLoggedInPage == null)
notLoggedInPage = "notloggedin.jsp";
}
public void doFilter(ServletRequest req,
ServletResponse resp,
FilterChain chain)
throws IOException, ServletException
{
HttpServletRequest httpReq = (HttpServletRequest)req;
HttpServletResponse httpResp = (HttpServletResponse)resp;
String servletPath = httpReq.getServletPath();
String username = (String)httpReq.getSession().getAttribute("USER");
if(username == null)
{
httpResp.sendRedirect(notLoggedInPage);
return;
}
String role = (String)httpReq.getSession().getAttribute("ROLE");
if(role == null)
{
httpResp.sendRedirect(notLoggedInPage);
return;
}
if(role.equals("admin"))
{
chain.doFilter(req, resp);
return;
}
if(role.equals("user"))
{
if(servletPath.startsWith("/secure/updateDb/add") ||
servletPath.startsWith("/secure/updateDb/delete") ||
servletPath.startsWith("/secure/updateDb/update") ||
servletPath.startsWith("/secure/updateDb/move") ||
servletPath.equals("/secure/updateDb/sectionAdd") ||
servletPath.equals("/secure/updateDb/sectionDelete"))
{
Integer id = new Integer(httpReq.getParameter("company"));
if(id.equals(getAuthToken(username)))
{
chain.doFilter(req, resp);
return;
}
} else
if(servletPath.equals("/secure/updateDb/changePassword"))
{
if(username.equals(httpReq.getParameter("userName")))
{
chain.doFilter(req, resp);
return;
}
} else
if(servletPath.equals("/secure/index.jsp"))
{
ServletContext servletcontext = fc.getServletContext();
RequestDispatcher requestdispatcher =
servletcontext.getRequestDispatcher("/secure/ControlPanel.jsp?company="
+ getAuthToken(username));
if(requestdispatcher == null)
httpResp.sendError(500, "Ccontrol panel doesn't exist.");
requestdispatcher.forward(req, resp);
return;
}
} else {
httpResp.sendRedirect(notLoggedInPage);
return;
}
httpResp.sendRedirect(noAccessPage);
}
private Integer getAuthToken(String servletPath)
{
Integer id = new Integer(-1);
try
{
Context ctx = null;
DataSource ds = null;
Connection conn = null;
Result result = null;
SQLCommandBean sql = new SQLCommandBean();
try {
String envBase = "java:comp/env/";
ctx = new InitialContext();
String dataSourceName = (String)ctx.lookup(envBase +
"dataSource");
ds = (DataSource) ctx.lookup(envBase + dataSourceName);
} catch (Exception e) {
System.out.println("DataSource context lookup failed: " + e);
}
try {
conn = ds.getConnection();
} catch (SQLException se) {
System.out.println("DataSource getConnection failed: " + se);
se.printStackTrace();
}
try {
sql.setConnection(conn);
} catch (Exception e) {
System.out.println("DataSource setConnection failed: " + e);
}
sql.setSqlValue("SELECT CompanyID FROM Company WHERE UserID =
?");
ArrayList arraylist = new ArrayList();
arraylist.add(servletPath);
sql.setValues(arraylist);
result = sql.executeQuery();
if(result != null && result.getRowCount() > 0) {
id = (Integer)result.getRows()[0].get("CompanyID");
}
conn.close();
}
catch(SQLException se) {
System.out.println(se);
}
return id;
}
}
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
