use of com.serotonin.m2m2.module.ControllerMappingDefinition in project ma-core-public by infiniteautomation.
the class UrlSecurityFilter method doFilter.
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
// Assume an http request.
HttpServletRequest request = (HttpServletRequest) servletRequest;
HttpServletResponse response = (HttpServletResponse) servletResponse;
boolean foundMapping = false;
User user = Common.getHttpUser();
String msg;
String uri = request.getRequestURI();
for (UriMappingDefinition uriDef : ModuleRegistry.getDefinitions(UriMappingDefinition.class)) {
if (matcher.match(uriDef.getPath(), uri)) {
boolean allowed = true;
foundMapping = true;
switch(uriDef.getPermission()) {
case ADMINISTRATOR:
if ((user == null) || (!Permissions.hasAdmin(user)))
allowed = false;
break;
case DATA_SOURCE:
if ((user == null) || (!user.isDataSourcePermission()))
allowed = false;
break;
case USER:
if (user == null) {
allowed = false;
}
break;
case CUSTOM:
try {
allowed = uriDef.hasCustomPermission(user);
} catch (PermissionException e) {
allowed = false;
}
break;
case ANONYMOUS:
break;
}
if (!allowed) {
if (user == null) {
msg = "Denying access to page where user isn't logged in, uri=" + uri + ", remote host ip= " + request.getRemoteHost();
} else {
msg = "Denying access to page where user hasn't sufficient permission, user=" + user.getUsername() + ", uri=" + uri + ", remote host ip= " + request.getRemoteHost();
}
LOG.warn(msg);
throw new AccessDeniedException(msg);
}
break;
}
}
// if not set then check our other definitions
if (!foundMapping) {
for (ControllerMappingDefinition uriDef : ModuleRegistry.getDefinitions(ControllerMappingDefinition.class)) {
if (matcher.match(uriDef.getPath(), uri)) {
boolean allowed = true;
foundMapping = true;
switch(uriDef.getPermission()) {
case ADMINISTRATOR:
if ((user == null) || (!Permissions.hasAdmin(user)))
allowed = false;
break;
case DATA_SOURCE:
if ((user == null) || (!user.isDataSourcePermission()))
allowed = false;
break;
case USER:
if (user == null) {
allowed = false;
}
break;
case CUSTOM:
try {
allowed = uriDef.hasCustomPermission(user);
} catch (PermissionException e) {
allowed = false;
}
break;
case ANONYMOUS:
break;
}
if (!allowed) {
if (user == null) {
msg = "Denying access to page where user isn't logged in, uri=" + uri + ", remote host ip= " + request.getRemoteHost();
} else {
msg = "Denying access to page where user hasn't sufficient permission, user=" + user.getUsername() + ", uri=" + uri + ", remote host ip= " + request.getRemoteHost();
}
LOG.info(msg);
throw new AccessDeniedException(msg);
}
break;
}
}
}
// if not set then check our other definitions
if (!foundMapping) {
for (UrlMappingDefinition uriDef : ModuleRegistry.getDefinitions(UrlMappingDefinition.class)) {
if (matcher.match(uriDef.getUrlPath(), uri)) {
boolean allowed = true;
foundMapping = true;
switch(uriDef.getPermission()) {
case ADMINISTRATOR:
if ((user == null) || (!Permissions.hasAdmin(user)))
allowed = false;
break;
case DATA_SOURCE:
if ((user == null) || (!user.isDataSourcePermission()))
allowed = false;
break;
case USER:
if (user == null) {
allowed = false;
}
break;
case ANONYMOUS:
break;
}
if (!allowed) {
if (user == null) {
msg = "Denying access to page where user isn't logged in, uri=" + uri + ", remote host ip= " + request.getRemoteHost();
} else {
msg = "Denying access to page where user hasn't sufficient permission, user=" + user.getUsername() + ", uri=" + uri + ", remote host ip= " + request.getRemoteHost();
}
LOG.info(msg);
throw new AccessDeniedException(msg);
}
break;
}
}
}
filterChain.doFilter(servletRequest, servletResponse);
}
Aggregations