

Use of com.serotonin.m2m2.module.UriMappingDefinition in the project ma-core-public by infiniteautomation.

From the class UrlSecurityFilter, method doFilter:

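/**
 * Enforces the permission declared by the first module-registered mapping whose path
 * pattern matches the request URI, then passes the request down the filter chain.
 *
 * <p>Definition types are consulted in order: {@link UriMappingDefinition}, then
 * {@link ControllerMappingDefinition}, then {@link UrlMappingDefinition}. Within a type the
 * first definition whose path matches decides, and a later type is only consulted when no
 * definition of an earlier type matched. A request whose URI matches nothing is passed
 * through without a permission check.
 *
 * <p>Every permission switch fails closed: a permission value that is not explicitly
 * handled denies access instead of falling through to an "allowed" initial value.
 *
 * @param servletRequest  the incoming request; assumed to be an {@link HttpServletRequest}
 * @param servletResponse the response, handed unchanged to the chain
 * @param filterChain     the remainder of the filter chain
 * @throws AccessDeniedException if the matching definition's permission is not satisfied by
 *         the current user, or there is no current user; the denial is logged at WARN first
 * @throws IOException      propagated from the filter chain
 * @throws ServletException propagated from the filter chain
 */
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
    // Assume an http request.
    HttpServletRequest request = (HttpServletRequest) servletRequest;
    String uri = request.getRequestURI();
    // Null when nobody is logged in; every check below must tolerate that.
    User user = Common.getHttpUser();

    // Each helper returns true when a definition of its type matched the URI (and the
    // permission check passed - a failed check throws), so later types are skipped.
    if (!enforceUriMappings(user, uri, request)
            && !enforceControllerMappings(user, uri, request)) {
        enforceUrlMappings(user, uri, request);
    }
    filterChain.doFilter(servletRequest, servletResponse);
}

/**
 * Checks the first {@link UriMappingDefinition} whose path matches {@code uri}.
 *
 * @param user    the current user, or {@code null} if nobody is logged in
 * @param uri     the request URI
 * @param request the request, used only for the denial log line
 * @return {@code true} if a definition matched (and access was granted), {@code false} if none matched
 * @throws AccessDeniedException if a definition matched and its permission is not satisfied
 */
private boolean enforceUriMappings(User user, String uri, HttpServletRequest request) {
    for (UriMappingDefinition def : ModuleRegistry.getDefinitions(UriMappingDefinition.class)) {
        if (!matcher.match(def.getPath(), uri)) {
            continue;
        }
        boolean allowed;
        switch (def.getPermission()) {
            case ADMINISTRATOR:
                allowed = user != null && Permissions.hasAdmin(user);
                break;
            case DATA_SOURCE:
                allowed = user != null && user.isDataSourcePermission();
                break;
            case USER:
                allowed = user != null;
                break;
            case CUSTOM:
                try {
                    allowed = def.hasCustomPermission(user);
                } catch (PermissionException e) {
                    // The definition itself rejected the user: treat as a plain denial.
                    allowed = false;
                }
                break;
            case ANONYMOUS:
                allowed = true;
                break;
            default:
                // Unknown permission kind: fail closed.
                allowed = false;
                break;
        }
        if (!allowed) {
            deny(user, uri, request);
        }
        return true;
    }
    return false;
}

/**
 * Checks the first {@link ControllerMappingDefinition} whose path matches {@code uri}.
 *
 * @param user    the current user, or {@code null} if nobody is logged in
 * @param uri     the request URI
 * @param request the request, used only for the denial log line
 * @return {@code true} if a definition matched (and access was granted), {@code false} if none matched
 * @throws AccessDeniedException if a definition matched and its permission is not satisfied
 */
private boolean enforceControllerMappings(User user, String uri, HttpServletRequest request) {
    for (ControllerMappingDefinition def : ModuleRegistry.getDefinitions(ControllerMappingDefinition.class)) {
        if (!matcher.match(def.getPath(), uri)) {
            continue;
        }
        boolean allowed;
        switch (def.getPermission()) {
            case ADMINISTRATOR:
                allowed = user != null && Permissions.hasAdmin(user);
                break;
            case DATA_SOURCE:
                allowed = user != null && user.isDataSourcePermission();
                break;
            case USER:
                allowed = user != null;
                break;
            case CUSTOM:
                try {
                    allowed = def.hasCustomPermission(user);
                } catch (PermissionException e) {
                    // The definition itself rejected the user: treat as a plain denial.
                    allowed = false;
                }
                break;
            case ANONYMOUS:
                allowed = true;
                break;
            default:
                // Unknown permission kind: fail closed.
                allowed = false;
                break;
        }
        if (!allowed) {
            deny(user, uri, request);
        }
        return true;
    }
    return false;
}

/**
 * Checks the first {@link UrlMappingDefinition} whose URL path matches {@code uri}.
 *
 * <p>NOTE(review): this filter exposes no custom-permission hook for
 * {@link UrlMappingDefinition}, so a {@code CUSTOM} permission on one of these definitions
 * is denied here rather than silently allowed - confirm no such definition is declared.
 *
 * @param user    the current user, or {@code null} if nobody is logged in
 * @param uri     the request URI
 * @param request the request, used only for the denial log line
 * @return {@code true} if a definition matched (and access was granted), {@code false} if none matched
 * @throws AccessDeniedException if a definition matched and its permission is not satisfied
 */
private boolean enforceUrlMappings(User user, String uri, HttpServletRequest request) {
    for (UrlMappingDefinition def : ModuleRegistry.getDefinitions(UrlMappingDefinition.class)) {
        if (!matcher.match(def.getUrlPath(), uri)) {
            continue;
        }
        boolean allowed;
        switch (def.getPermission()) {
            case ADMINISTRATOR:
                allowed = user != null && Permissions.hasAdmin(user);
                break;
            case DATA_SOURCE:
                allowed = user != null && user.isDataSourcePermission();
                break;
            case USER:
                allowed = user != null;
                break;
            case ANONYMOUS:
                allowed = true;
                break;
            default:
                // CUSTOM or any unknown permission kind: no hook available here, fail closed.
                allowed = false;
                break;
        }
        if (!allowed) {
            deny(user, uri, request);
        }
        return true;
    }
    return false;
}

/**
 * Logs a denied request and aborts the filter chain.
 *
 * <p>All three definition types log at the same level (WARN) so that authorization failures
 * are consistently visible; the original code used INFO for two of them.
 *
 * @param user    the current user, or {@code null} if nobody is logged in
 * @param uri     the request URI that matched a protected mapping
 * @param request the request, used for the remote host in the log line
 * @throws AccessDeniedException always
 */
private void deny(User user, String uri, HttpServletRequest request) {
    String msg;
    if (user == null) {
        msg = "Denying access to page where user isn't logged in, uri=" + uri + ", remote host ip= " + request.getRemoteHost();
    } else {
        msg = "Denying access to page where user hasn't sufficient permission, user=" + user.getUsername() + ", uri=" + uri + ", remote host ip= " + request.getRemoteHost();
    }
    LOG.warn(msg);
    throw new AccessDeniedException(msg);
}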

