// SecureAuthorizedSession.java
//
// Copyright (c) 2001-2002 Red Shed Software. All rights reserved.
// by Jonathan 'Wolf' Rentzsch (jon at redshed dot net)
//
// Sun Oct 28 2001 wolf: Created.
// Wed Mar 27 2002 wolf: Rolled in unauthorized invokeAction protection
// from another codebase.
// Fri Mar 29 2002 wolf: Now will look for server_port for SSL connection
// detection if the https header isn't found.
// Wed Apr 10 2002 wolf: Added pageIsAuthorized().
// WO <= 4.5 imports:
//import com.webobjects.foundation.*;
//import com.webobjects.appserver.*;
// WO 5 imports:
import com.webobjects.appserver.*;
import com.webobjects.foundation.*;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import org.apache.log4j.Category;
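/**
 * A {@link WOSession} that enforces two per-page policies before a component is
 * rendered or one of its actions is invoked:
 * <ul>
 *   <li>transport: a component whose {@code isSecure} key is true is only served over
 *       an SSL connection, and a component whose key is false only over plain HTTP;
 *       a mismatch is answered with a 302 to the same URI on the other scheme;</li>
 *   <li>authorization: a component whose {@code isAuthorized} key is true (or for which
 *       {@link #pageIsAuthorized} returns {@code Boolean.TRUE}) requires HTTP Basic
 *       credentials that {@link #lookupUser} accepts; otherwise 401/403 is returned.</li>
 * </ul>
 * Subclasses are expected to override {@link #lookupUser}; the default denies everything.
 */
public class SecureAuthorizedSession extends WOSession {

    private static final Category log = Category.getInstance( SecureAuthorizedSession.class.getName() );

    /** Value the adaptor puts in the {@code https} header on an SSL connection. */
    private static final String HTTPS_ON = "on";
    /** {@code server_port} value that is taken to mean an SSL connection when {@code https} is absent. */
    private static final String SSL_PORT = "443";
    /** The only authorization scheme this session understands (matched case-insensitively). */
    private static final String BASIC_SCHEME = "Basic";

    /** Creates a session with a generated ID. */
    public SecureAuthorizedSession() {
        super();
        log.debug( "created with session ID of " + sessionID() );
    }

    /**
     * Creates a session with the given ID.
     *
     * @param aSessionID the session ID to use
     */
    public SecureAuthorizedSession( String aSessionID ) {
        super( aSessionID );
        log.debug( "created with session ID of " + aSessionID );
    }

    /**
     * Runs the authorization check for the current page before letting the action run.
     *
     * @return the action's result, or a 401/403 response when the page requires
     *         credentials that the request does not carry or that are rejected
     */
    @Override
    public WOActionResults invokeAction( WORequest request, WOContext context ) {
        // Only header names are logged: dumping the full header set would write the
        // Authorization header (base64 of user:password) into the log.
        log.debug( "entering invokeAction, header keys: " + request.headerKeys() );
        WOResponse response = new WOResponse();
        if( ShowAuthorizedPageOrInvokeAuthorizedAction( response, context ) ) {
            log.info( "ShowAuthorizedPageOrInvokeAuthorizedAction passed, invoking action on page " + context.page().name() );
            return super.invokeAction( request, context );
        }
        log.info( "ShowAuthorizedPageOrInvokeAuthorizedAction failed on page " + context.page().name() );
        return response;
    }

    /**
     * Runs the transport check and then the authorization check before rendering the page.
     * When either fails the response has already been filled in (redirect or error) and
     * the page is not rendered.
     */
    @Override
    public void appendToResponse( WOResponse response, WOContext context ) {
        // Header names only, for the same reason as in invokeAction.
        log.debug( "entering appendToResponse, header keys: " + context.request().headerKeys() );
        // Order matters: the redirect to the right scheme must win over the credential
        // prompt, so that credentials are not requested over plain HTTP for a secure page.
        if( ShowSecurePage( response, context ) && ShowAuthorizedPageOrInvokeAuthorizedAction( response, context ) ) {
            log.info( "ShowSecurePage and ShowAuthorizedPageOrInvokeAuthorizedAction passed, showing page " + context.page().name() );
            super.appendToResponse( response, context );
        } else {
            log.info( "either ShowSecurePage or ShowAuthorizedPageOrInvokeAuthorizedAction failed on page " + context.page().name() );
        }
    }

    /**
     * Checks that the page is reached over the scheme it asks for.
     *
     * @return true when the page may be shown now; false when a redirect (or a 400 for a
     *         request without a Host header) has been written into {@code response}
     */
    private boolean ShowSecurePage( WOResponse response, WOContext context ) {
        log.debug( "entering ShowSecurePage" );
        WORequest request = context.request();
        boolean isSecurePage = getBooleanKeyValue( context.page(), "isSecure" );
        boolean secureMode = isSecureConnection( request );
        log.debug( "secure mode set to " + secureMode );
        if( secureMode == isSecurePage ) {
            // Accessed the way it wants to be.
            return true;
        }
        // Wrong scheme: send the client to the same URI on the desired scheme and
        // show the page on the next request.
        // NOTE(review): the Location target is built from the client-supplied Host
        // header; deployments that cannot trust it (shared hosts, proxies) should pin
        // this to a configured host name instead.
        String host = request.headerForKey( "host" );
        if( host == null ) {
            log.info( "no host header, cannot build a redirect target" );
            setResponse( response, 400, "Bad Request" );
            return false;
        }
        String desiredScheme = isSecurePage ? "https://" : "http://";
        String currentScheme = isSecurePage ? "http://" : "https://";
        String redirect = desiredScheme + host + request.uri();
        log.info( "redirecting to " + (isSecurePage ? "secure" : "insecure") + " page" );
        log.debug( "redirecting from " + currentScheme + host + request.uri() + " to " + redirect );
        response.setHeader( redirect, "location" );
        setResponse( response, 302, "Redirect" );
        return false;
    }

    /**
     * Decides whether the request arrived over SSL, from the headers the adaptor forwards:
     * the {@code https} header when present, else {@code server_port}; neither means plain HTTP.
     * NOTE(review): both headers are assumed to be set by the adaptor rather than forwarded
     * from the client — confirm the adaptor drops client-supplied copies.
     */
    private boolean isSecureConnection( WORequest request ) {
        String https = request.headerForKey( "https" );
        if( https != null ) {
            log.debug( "https header found, using it" );
            return HTTPS_ON.equals( https );
        }
        log.debug( "no https header, looking for server_port" );
        String port = request.headerForKey( "server_port" );
        if( port == null ) {
            log.debug( "no server_port header found, assuming insecure connection" );
            return false;
        }
        log.debug( "server_port header found, using it" );
        return SSL_PORT.equals( port );
    }

    /**
     * Hook for subclasses to decide per request whether a page needs credentials.
     *
     * @return {@code Boolean.TRUE} to require credentials, {@code Boolean.FALSE} to waive them,
     *         or {@code null} (the default) to fall back to the page's {@code isAuthorized} key
     */
    protected Boolean pageIsAuthorized( WOContext context, WOComponent page ) {
        return null;
    }

    /**
     * Checks the request's Basic credentials when the page asks for them.
     *
     * @return true when the page may be shown or its action invoked; false when a
     *         401 (no credentials) or 403 (rejected credentials) has been written into {@code response}
     */
    private boolean ShowAuthorizedPageOrInvokeAuthorizedAction( WOResponse response, WOContext context ) {
        log.debug( "entering ShowAuthorizedPageOrInvokeAuthorizedAction" );
        WOComponent page = context.page();
        // The session's verdict wins; only when it is silent is the page's own key consulted.
        Boolean sessionVerdict = pageIsAuthorized( context, page );
        boolean isAuthorizedPage = ( sessionVerdict == null )
            ? getBooleanKeyValue( page, "isAuthorized" )
            : sessionVerdict.booleanValue();
        if( !isAuthorizedPage ) {
            return true;
        }
        String encodedAuthorization = context.request().headerForKey( "authorization" );
        if( encodedAuthorization == null ) {
            log.info( "authorization header is missing, requesting credentials" );
            setResponse( response, 401, "Unauthorized" );
            response.setHeader( "Basic realm=\"" + WOApplication.application().name() + "\"", "WWW-Authenticate" );
            return false;
        }
        if( lookupUserFromEncodedAuthorization( encodedAuthorization ) ) {
            log.info( "authorized user, allowing page generation" );
            return true;
        }
        log.info( "unauthorized user, returning error" );
        setResponse( response, 403, "Forbidden" );
        return false;
    }

    /**
     * Parses an {@code Authorization: Basic <base64(user:password)>} header and hands the
     * credentials to {@link #lookupUser}. Anything that is not well-formed Basic
     * (other scheme, bad base64, no colon) is rejected without throwing. Neither the
     * raw header nor the decoded credentials are logged.
     */
    private boolean lookupUserFromEncodedAuthorization( String encodedAuthorization ) {
        int space = encodedAuthorization.indexOf( ' ' );
        if( space < 0 || !BASIC_SCHEME.equalsIgnoreCase( encodedAuthorization.substring( 0, space ).trim() ) ) {
            log.info( "authorization header does not use the Basic scheme" );
            return false;
        }
        String decoded;
        try {
            byte[] raw = Base64.getDecoder().decode( encodedAuthorization.substring( space + 1 ).trim() );
            // The charset of Basic credentials is not specified by the protocol; UTF-8 is
            // used here so the result does not depend on the platform default.
            decoded = new String( raw, StandardCharsets.UTF_8 );
        } catch( IllegalArgumentException e ) {
            log.error( "authorization header is not valid base64", e );
            return false;
        }
        int colon = decoded.indexOf( ':' );
        if( colon < 0 ) {
            // Previously substring(0, -1) threw here; treat it as bad credentials instead.
            log.info( "decoded authorization lacks the user:password separator" );
            return false;
        }
        String user = decoded.substring( 0, colon );
        String password = decoded.substring( colon + 1 );
        return lookupUser( WOApplication.application().name(), user, password );
    }

    /**
     * Credential check hook. Subclasses must override this to consult their credential
     * store (for example an access record keyed by application and user, holding a
     * hashed password). The default denies every request so that a session class that
     * forgets to override it fails closed instead of accepting guessable credentials.
     *
     * @param application the application name, usable as a scope for the lookup
     * @param user        the user name from the Basic credentials
     * @param password    the password from the Basic credentials
     * @return true when the credentials are accepted
     */
    protected boolean lookupUser( String application, String user, String password ) {
        log.warn( "lookupUser is not overridden, denying user " + user );
        return false;
    }

    /**
     * Reads a boolean-valued key from a component via key-value coding.
     * A missing key, or one the component does not expose, counts as false.
     * WebObjects 5 returns a {@code Boolean}; 4.5 and earlier an {@code Integer}.
     * Any other type is reported and treated as true, the more restrictive answer for
     * both policies this class enforces.
     */
    private boolean getBooleanKeyValue( WOComponent page, String key ) {
        Object value = null;
        try {
            value = page.valueForKey( key );
        } catch( RuntimeException unknownKey ) {
            // Key-value coding raises an unchecked exception for an unknown key; that just
            // means the page has no opinion on this policy. Errors are no longer swallowed.
        }
        if( value == null ) {
            log.debug( "Component " + page.name() + " doesn't have key " + key );
            return false;
        }
        boolean result;
        if( value instanceof Boolean ) {
            result = ((Boolean) value).booleanValue();
        } else if( value instanceof Number ) {
            result = ((Number) value).intValue() != 0;
        } else {
            log.warn( "Component " + page.name() + " key " + key + " has unexpected type "
                + value.getClass().getName() + ", treating it as true" );
            return true;
        }
        log.debug( "Component " + page.name() + " key: " + key + " value: " + result );
        return result;
    }

    /**
     * Fills {@code aResponse} with a minimal status-line body and the given status code.
     * The body is encoded as ASCII so that the content-length header always matches it.
     */
    private void setResponse( WOResponse aResponse, int statusInt, String statusString ) {
        String contentString = "HTTP/1.0 " + statusInt + " " + statusString;
        NSData content = new NSData( contentString.getBytes( StandardCharsets.US_ASCII ) );
        aResponse.setContent( content );
        aResponse.setHeader( String.valueOf( content.length() ), "content-length" );
        aResponse.setHeader( "text/html", "content-type" );
        aResponse.setStatus( statusInt );
    }
}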