src/org/jsecurity/web/DefaultWebSecurityManager.java - jsecurity - Git at Google

 /*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
  * regarding copyright ownership.  The ASF licenses this file
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing,
  * software distributed under the License is distributed on an
  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  * KIND, either express or implied.  See the License for the
  * specific language governing permissions and limitations
  * under the License.
  */
 package org.jsecurity.web;

 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.jsecurity.mgt.DefaultSecurityManager;
 import org.jsecurity.realm.Realm;
 import org.jsecurity.session.Session;
 import org.jsecurity.session.mgt.SessionManager;
 import org.jsecurity.subject.PrincipalCollection;
 import org.jsecurity.subject.Subject;
 import org.jsecurity.util.LifecycleUtils;
 import org.jsecurity.web.session.DefaultWebSessionManager;
 import org.jsecurity.web.session.ServletContainerSessionManager;
 import org.jsecurity.web.session.WebSessionManager;

 import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
 import java.net.InetAddress;
 import java.util.Collection;

 /**
  * SecurityManager implementation that should be used in web-based applications or any application that requires
  * HTTP connectivity (SOAP, http remoting, etc).
  *
  * @author Les Hazlewood
  * @since 0.2
  */
 public class DefaultWebSecurityManager extends DefaultSecurityManager {

     private static final Log log = LogFactory.getLog(DefaultWebSecurityManager.class);

     public static final String HTTP_SESSION_MODE = "http";
     public static final String JSECURITY_SESSION_MODE = "jsecurity";

     /**
      * The key that is used to store subject principals in the session.
      */
     public static final String PRINCIPALS_SESSION_KEY = DefaultWebSecurityManager.class.getName() + "_PRINCIPALS_SESSION_KEY";

     /**
      * The key that is used to store whether or not the user is authenticated in the session.
      */
     public static final String AUTHENTICATED_SESSION_KEY = DefaultWebSecurityManager.class.getName() + "_AUTHENTICATED_SESSION_KEY";

     private String sessionMode = HTTP_SESSION_MODE; //default

     public DefaultWebSecurityManager() {
         setRememberMeManager(new WebRememberMeManager());
     }

     public DefaultWebSecurityManager(Realm singleRealm) {
         setRealm(singleRealm);
     }

     public DefaultWebSecurityManager(Collection<Realm> realms) {
         setRealms(realms);
     }

     /**
      * Sets the path used to store the remember me cookie.  This determines which paths
      * are able to view the remember me cookie.
      *
      * @param rememberMeCookiePath the path to use for the remember me cookie.
      */
     public void setRememberMeCookiePath(String rememberMeCookiePath) {
         ((WebRememberMeManager) getRememberMeManager()).setCookiePath(rememberMeCookiePath);
     }

     /**
      * Sets the maximum age allowed for the remember me cookie.  This basically sets how long
      * a user will be remembered by the "remember me" feature.  Used when calling
      * {@link javax.servlet.http.Cookie#setMaxAge(int) maxAge}.  Please see that JavaDoc for the semantics on the
      * repercussions of negative, zero, and positive values for the maxAge.
      *
      * @param rememberMeMaxAge the maximum age for the remember me cookie.
      */
     public void setRememberMeCookieMaxAge(Integer rememberMeMaxAge) {
         ((WebRememberMeManager) getRememberMeManager()).setCookieMaxAge(rememberMeMaxAge);
     }

     private DefaultWebSessionManager getSessionManagerForCookieAttributes() {
         SessionManager sessionManager = getSessionManager();
         if (!(sessionManager instanceof DefaultWebSessionManager)) {
             String msg = "The convenience passthrough methods for setting session id cookie attributes " +
                     "are only available when the underlying SessionManager implementation is " +
                     DefaultWebSessionManager.class.getName() + ", which is enabled by default when the " +
                     "sessionMode is 'jsecurity'.";
             throw new IllegalStateException(msg);
         }
         return (DefaultWebSessionManager) sessionManager;
     }

     public void setSessionIdCookieName(String name) {
         getSessionManagerForCookieAttributes().setSessionIdCookieName(name);
     }

     public void setSessionIdCookiePath(String path) {
         getSessionManagerForCookieAttributes().setSessionIdCookiePath(path);
     }

     public void setSessionIdCookieMaxAge(int maxAge) {
         getSessionManagerForCookieAttributes().setSessionIdCookieMaxAge(maxAge);
     }

     public void setSessionIdCookieSecure(boolean secure) {
         getSessionManagerForCookieAttributes().setSessionIdCookieSecure(secure);
     }

     public String getSessionMode() {
         return sessionMode;
     }

     public void setSessionMode(String sessionMode) {
         if (sessionMode == null ||
                 (!sessionMode.equals(HTTP_SESSION_MODE) && !sessionMode.equals(JSECURITY_SESSION_MODE))) {
             String msg = "Invalid sessionMode [" + sessionMode + "].  Allowed values are " +
                     "public static final String constants in the " + getClass().getName() + " class: '"
                     + HTTP_SESSION_MODE + "' or '" + JSECURITY_SESSION_MODE + "', with '" +
                     HTTP_SESSION_MODE + "' being the default.";
             throw new IllegalArgumentException(msg);
         }
         boolean recreate = this.sessionMode == null || !this.sessionMode.equals(sessionMode);
         this.sessionMode = sessionMode;
         if (recreate) {
             LifecycleUtils.destroy(getSessionManager());
             SessionManager sm = createSessionManager();
             setSessionManager(sm);
         }
     }

     public boolean isHttpSessionMode() {
         return this.sessionMode == null || this.sessionMode.equals(HTTP_SESSION_MODE);
     }

     protected SessionManager newSessionManagerInstance() {
         if (isHttpSessionMode()) {
             if (log.isInfoEnabled()) {
                 log.info(HTTP_SESSION_MODE + " mode - enabling ServletContainerSessionManager (Http Sessions)");
             }
             return new ServletContainerSessionManager();
         } else {
             if (log.isInfoEnabled()) {
                 log.info(JSECURITY_SESSION_MODE + " mode - enabling WebSessionManager (JSecurity heterogenous sessions)");
             }
             return new DefaultWebSessionManager();
         }
     }

     protected PrincipalCollection getPrincipals(Session session) {
         PrincipalCollection principals = null;
         if (session != null) {
             principals = (PrincipalCollection) session.getAttribute(PRINCIPALS_SESSION_KEY);
         }
         return principals;
     }

     protected PrincipalCollection getPrincipals(Session existing, ServletRequest servletRequest, ServletResponse servletResponse) {
         PrincipalCollection principals = getPrincipals(existing);
         if (principals == null) {
             //check remember me:
             principals = getRememberedIdentity();
             if (principals != null && existing != null) {
                 existing.setAttribute(PRINCIPALS_SESSION_KEY, principals);
             }
         }
         return principals;
     }

     protected boolean isAuthenticated(Session session) {
         Boolean value = null;
         if (session != null) {
             value = (Boolean) session.getAttribute(AUTHENTICATED_SESSION_KEY);
         }
         return value != null && value;
     }

     protected boolean isAuthenticated(Session existing, ServletRequest servletRequest, ServletResponse servletResponse) {
         return isAuthenticated(existing);
     }

     public Subject createSubject() {
         ServletRequest request = WebUtils.getRequiredServletRequest();
         ServletResponse response = WebUtils.getRequiredServletResponse();
         return createSubject(request, response);
     }

     public Subject createSubject(ServletRequest request, ServletResponse response) {
         Session session = ((WebSessionManager) getSessionManager()).getSession(request, response);
         if (session == null) {
             if (log.isTraceEnabled()) {
                 log.trace("No session found for the incoming request.  The Subject instance created for " +
                         "the incoming request will not have an associated Session.");
             }
         }
         return createSubject(session, request, response);
     }

     public Subject createSubject(Session existing, ServletRequest request, ServletResponse response) {
         PrincipalCollection principals = getPrincipals(existing, request, response);
         boolean authenticated = isAuthenticated(existing, request, response);
         return createSubject(principals, authenticated, existing, request, response);
     }

     protected Subject createSubject(PrincipalCollection principals,
                                     boolean authenticated,
                                     Session existing,
                                     ServletRequest request,
                                     ServletResponse response) {
         InetAddress inetAddress = WebUtils.getInetAddress(request);
         return createSubject(principals, existing, authenticated, inetAddress);
     }

     protected void bind(Subject subject) {
         super.bind(subject);
         ServletRequest request = WebUtils.getRequiredServletRequest();
         ServletResponse response = WebUtils.getRequiredServletResponse();
         bind(subject, request, response);
     }

     protected void bind(Subject subject, ServletRequest request, ServletResponse response) {

         PrincipalCollection principals = subject.getPrincipals();
         if (principals != null && !principals.isEmpty()) {
             Session session = subject.getSession();
             session.setAttribute(PRINCIPALS_SESSION_KEY, principals);
         } else {
             Session session = subject.getSession(false);
             if (session != null) {
                 session.removeAttribute(PRINCIPALS_SESSION_KEY);
             }
         }

         if (subject.isAuthenticated()) {
             Session session = subject.getSession();
             session.setAttribute(AUTHENTICATED_SESSION_KEY, subject.isAuthenticated());
         } else {
             Session session = subject.getSession(false);
             if (session != null) {
                 session.removeAttribute(AUTHENTICATED_SESSION_KEY);
             }
         }
     }
 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing,
	* software distributed under the License is distributed on an
	* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	* KIND, either express or implied. See the License for the
	* specific language governing permissions and limitations
	* under the License.
	*/
	package org.jsecurity.web;

	import org.apache.commons.logging.Log;
	import org.apache.commons.logging.LogFactory;
	import org.jsecurity.mgt.DefaultSecurityManager;
	import org.jsecurity.realm.Realm;
	import org.jsecurity.session.Session;
	import org.jsecurity.session.mgt.SessionManager;
	import org.jsecurity.subject.PrincipalCollection;
	import org.jsecurity.subject.Subject;
	import org.jsecurity.util.LifecycleUtils;
	import org.jsecurity.web.session.DefaultWebSessionManager;
	import org.jsecurity.web.session.ServletContainerSessionManager;
	import org.jsecurity.web.session.WebSessionManager;

	import javax.servlet.ServletRequest;
	import javax.servlet.ServletResponse;
	import java.net.InetAddress;
	import java.util.Collection;

	/**
	* SecurityManager implementation that should be used in web-based applications or any application that requires
	* HTTP connectivity (SOAP, http remoting, etc).
	*
	* @author Les Hazlewood
	* @since 0.2
	*/
	public class DefaultWebSecurityManager extends DefaultSecurityManager {

	private static final Log log = LogFactory.getLog(DefaultWebSecurityManager.class);

	public static final String HTTP_SESSION_MODE = "http";
	public static final String JSECURITY_SESSION_MODE = "jsecurity";

	/**
	* The key that is used to store subject principals in the session.
	*/
	public static final String PRINCIPALS_SESSION_KEY = DefaultWebSecurityManager.class.getName() + "_PRINCIPALS_SESSION_KEY";

	/**
	* The key that is used to store whether or not the user is authenticated in the session.
	*/
	public static final String AUTHENTICATED_SESSION_KEY = DefaultWebSecurityManager.class.getName() + "_AUTHENTICATED_SESSION_KEY";

	private String sessionMode = HTTP_SESSION_MODE; //default

	public DefaultWebSecurityManager() {
	setRememberMeManager(new WebRememberMeManager());
	}

	public DefaultWebSecurityManager(Realm singleRealm) {
	setRealm(singleRealm);
	}

	public DefaultWebSecurityManager(Collection<Realm> realms) {
	setRealms(realms);
	}

	/**
	* Sets the path used to store the remember me cookie. This determines which paths
	* are able to view the remember me cookie.
	*
	* @param rememberMeCookiePath the path to use for the remember me cookie.
	*/
	public void setRememberMeCookiePath(String rememberMeCookiePath) {
	((WebRememberMeManager) getRememberMeManager()).setCookiePath(rememberMeCookiePath);
	}

	/**
	* Sets the maximum age allowed for the remember me cookie. This basically sets how long
	* a user will be remembered by the "remember me" feature. Used when calling
	* {@link javax.servlet.http.Cookie#setMaxAge(int) maxAge}. Please see that JavaDoc for the semantics on the
	* repercussions of negative, zero, and positive values for the maxAge.
	*
	* @param rememberMeMaxAge the maximum age for the remember me cookie.
	*/
	public void setRememberMeCookieMaxAge(Integer rememberMeMaxAge) {
	((WebRememberMeManager) getRememberMeManager()).setCookieMaxAge(rememberMeMaxAge);
	}

	private DefaultWebSessionManager getSessionManagerForCookieAttributes() {
	SessionManager sessionManager = getSessionManager();
	if (!(sessionManager instanceof DefaultWebSessionManager)) {
	String msg = "The convenience passthrough methods for setting session id cookie attributes " +
	"are only available when the underlying SessionManager implementation is " +
	DefaultWebSessionManager.class.getName() + ", which is enabled by default when the " +
	"sessionMode is 'jsecurity'.";
	throw new IllegalStateException(msg);
	}
	return (DefaultWebSessionManager) sessionManager;
	}

	public void setSessionIdCookieName(String name) {
	getSessionManagerForCookieAttributes().setSessionIdCookieName(name);
	}

	public void setSessionIdCookiePath(String path) {
	getSessionManagerForCookieAttributes().setSessionIdCookiePath(path);
	}

	public void setSessionIdCookieMaxAge(int maxAge) {
	getSessionManagerForCookieAttributes().setSessionIdCookieMaxAge(maxAge);
	}

	public void setSessionIdCookieSecure(boolean secure) {
	getSessionManagerForCookieAttributes().setSessionIdCookieSecure(secure);
	}

	public String getSessionMode() {
	return sessionMode;
	}

	public void setSessionMode(String sessionMode) {
	if (sessionMode == null \|\|
	(!sessionMode.equals(HTTP_SESSION_MODE) && !sessionMode.equals(JSECURITY_SESSION_MODE))) {
	String msg = "Invalid sessionMode [" + sessionMode + "]. Allowed values are " +
	"public static final String constants in the " + getClass().getName() + " class: '"
	+ HTTP_SESSION_MODE + "' or '" + JSECURITY_SESSION_MODE + "', with '" +
	HTTP_SESSION_MODE + "' being the default.";
	throw new IllegalArgumentException(msg);
	}
	boolean recreate = this.sessionMode == null \|\| !this.sessionMode.equals(sessionMode);
	this.sessionMode = sessionMode;
	if (recreate) {
	LifecycleUtils.destroy(getSessionManager());
	SessionManager sm = createSessionManager();
	setSessionManager(sm);
	}
	}

	public boolean isHttpSessionMode() {
	return this.sessionMode == null \|\| this.sessionMode.equals(HTTP_SESSION_MODE);
	}

	protected SessionManager newSessionManagerInstance() {
	if (isHttpSessionMode()) {
	if (log.isInfoEnabled()) {
	log.info(HTTP_SESSION_MODE + " mode - enabling ServletContainerSessionManager (Http Sessions)");
	}
	return new ServletContainerSessionManager();
	} else {
	if (log.isInfoEnabled()) {
	log.info(JSECURITY_SESSION_MODE + " mode - enabling WebSessionManager (JSecurity heterogenous sessions)");
	}
	return new DefaultWebSessionManager();
	}
	}

	protected PrincipalCollection getPrincipals(Session session) {
	PrincipalCollection principals = null;
	if (session != null) {
	principals = (PrincipalCollection) session.getAttribute(PRINCIPALS_SESSION_KEY);
	}
	return principals;
	}

	protected PrincipalCollection getPrincipals(Session existing, ServletRequest servletRequest, ServletResponse servletResponse) {
	PrincipalCollection principals = getPrincipals(existing);
	if (principals == null) {
	//check remember me:
	principals = getRememberedIdentity();
	if (principals != null && existing != null) {
	existing.setAttribute(PRINCIPALS_SESSION_KEY, principals);
	}
	}
	return principals;
	}

	protected boolean isAuthenticated(Session session) {
	Boolean value = null;
	if (session != null) {
	value = (Boolean) session.getAttribute(AUTHENTICATED_SESSION_KEY);
	}
	return value != null && value;
	}

	protected boolean isAuthenticated(Session existing, ServletRequest servletRequest, ServletResponse servletResponse) {
	return isAuthenticated(existing);
	}

	public Subject createSubject() {
	ServletRequest request = WebUtils.getRequiredServletRequest();
	ServletResponse response = WebUtils.getRequiredServletResponse();
	return createSubject(request, response);
	}

	public Subject createSubject(ServletRequest request, ServletResponse response) {
	Session session = ((WebSessionManager) getSessionManager()).getSession(request, response);
	if (session == null) {
	if (log.isTraceEnabled()) {
	log.trace("No session found for the incoming request. The Subject instance created for " +
	"the incoming request will not have an associated Session.");
	}
	}
	return createSubject(session, request, response);
	}

	public Subject createSubject(Session existing, ServletRequest request, ServletResponse response) {
	PrincipalCollection principals = getPrincipals(existing, request, response);
	boolean authenticated = isAuthenticated(existing, request, response);
	return createSubject(principals, authenticated, existing, request, response);
	}

	protected Subject createSubject(PrincipalCollection principals,
	boolean authenticated,
	Session existing,
	ServletRequest request,
	ServletResponse response) {
	InetAddress inetAddress = WebUtils.getInetAddress(request);
	return createSubject(principals, existing, authenticated, inetAddress);
	}

	protected void bind(Subject subject) {
	super.bind(subject);
	ServletRequest request = WebUtils.getRequiredServletRequest();
	ServletResponse response = WebUtils.getRequiredServletResponse();
	bind(subject, request, response);
	}

	protected void bind(Subject subject, ServletRequest request, ServletResponse response) {

	PrincipalCollection principals = subject.getPrincipals();
	if (principals != null && !principals.isEmpty()) {
	Session session = subject.getSession();
	session.setAttribute(PRINCIPALS_SESSION_KEY, principals);
	} else {
	Session session = subject.getSession(false);
	if (session != null) {
	session.removeAttribute(PRINCIPALS_SESSION_KEY);
	}
	}

	if (subject.isAuthenticated()) {
	Session session = subject.getSession();
	session.setAttribute(AUTHENTICATED_SESSION_KEY, subject.isAuthenticated());
	} else {
	Session session = subject.getSession(false);
	if (session != null) {
	session.removeAttribute(AUTHENTICATED_SESSION_KEY);
	}
	}
	}
	}