/* | |
* Copyright 2005-2008 Les Hazlewood | |
* | |
* Licensed under the Apache License, Version 2.0 (the "License"); | |
* you may not use this file except in compliance with the License. | |
* You may obtain a copy of the License at | |
* | |
* http://www.apache.org/licenses/LICENSE-2.0 | |
* | |
* Unless required by applicable law or agreed to in writing, software | |
* distributed under the License is distributed on an "AS IS" BASIS, | |
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
* See the License for the specific language governing permissions and | |
* limitations under the License. | |
*/ | |
package org.jsecurity.web; | |
import org.jsecurity.mgt.DefaultSecurityManager; | |
import org.jsecurity.realm.Realm; | |
import org.jsecurity.session.Session; | |
import org.jsecurity.session.mgt.SessionManager; | |
import org.jsecurity.subject.PrincipalCollection; | |
import org.jsecurity.subject.Subject; | |
import org.jsecurity.util.ThreadContext; | |
import org.jsecurity.web.session.DefaultWebSessionManager; | |
import org.jsecurity.web.session.ServletContainerSessionManager; | |
import org.jsecurity.web.session.WebSessionManager; | |
import javax.servlet.ServletRequest; | |
import javax.servlet.ServletResponse; | |
import java.net.InetAddress; | |
import java.util.Collection; | |
/** | |
* SecurityManager implementation that should be used in web-based applications or any application that requires | |
* HTTP connectivity (SOAP, http remoting, etc). | |
* | |
* @author Les Hazlewood | |
* @since 0.2 | |
*/ | |
public class DefaultWebSecurityManager extends DefaultSecurityManager implements WebSecurityManager { | |
public static final String HTTP_SESSION_MODE = "http"; | |
public static final String JSECURITY_SESSION_MODE = "jsecurity"; | |
/** The key that is used to store subject principals in the session. */ | |
public static final String PRINCIPALS_SESSION_KEY = DefaultWebSecurityManager.class.getName() + "_PRINCIPALS_SESSION_KEY"; | |
/** The key that is used to store whether or not the user is authenticated in the session. */ | |
public static final String AUTHENTICATED_SESSION_KEY = DefaultWebSecurityManager.class.getName() + "_AUTHENTICATED_SESSION_KEY"; | |
private String sessionMode = HTTP_SESSION_MODE; //default | |
public DefaultWebSecurityManager() { | |
super(); | |
} | |
public DefaultWebSecurityManager(Realm singleRealm) { | |
super(singleRealm); | |
} | |
public DefaultWebSecurityManager(Collection<Realm> realms) { | |
super(realms); | |
} | |
protected void afterSessionManagerSet() { | |
WebRememberMeManager rmm = new WebRememberMeManager(); | |
setRememberMeManager(rmm); | |
} | |
public String getSessionMode() { | |
return sessionMode; | |
} | |
public void setSessionMode(String sessionMode) { | |
if ( sessionMode == null || | |
(!sessionMode.equals(HTTP_SESSION_MODE) && !sessionMode.equals(JSECURITY_SESSION_MODE ) ) ) { | |
String msg = "Invalid sessionMode [" + sessionMode + "]. Allowed values are " + | |
"public static final String constants in the " + getClass().getName() + " class: '" | |
+ HTTP_SESSION_MODE + "' or '" + JSECURITY_SESSION_MODE + "', with '" + | |
HTTP_SESSION_MODE + "' being the default."; | |
throw new IllegalArgumentException(msg ); | |
} | |
this.sessionMode = sessionMode; | |
} | |
public boolean isHttpSessionMode() { | |
return this.sessionMode.equals(HTTP_SESSION_MODE); | |
} | |
protected SessionManager createSessionManager() { | |
if (isHttpSessionMode()) { | |
if ( log.isInfoEnabled() ) { | |
log.info( HTTP_SESSION_MODE + " mode - enabling ServletContainerSessionManager (Http Sessions)" ); | |
} | |
ServletContainerSessionManager scsm = new ServletContainerSessionManager(); | |
scsm.setSessionEventListeners(getSessionEventListeners()); | |
return scsm; | |
} else { | |
if ( log.isInfoEnabled() ) { | |
log.info( JSECURITY_SESSION_MODE + " mode - enabling WebSessionManager (JSecurity heterogenous sessions)"); | |
} | |
DefaultWebSessionManager wsm = new DefaultWebSessionManager(); | |
wsm.setCacheManager(getCacheManager()); | |
wsm.setSessionEventListeners(getSessionEventListeners()); | |
wsm.init(); | |
return wsm; | |
} | |
} | |
protected PrincipalCollection getPrincipals(Session session) { | |
PrincipalCollection principals = null; | |
if (session != null) { | |
principals = (PrincipalCollection)session.getAttribute(PRINCIPALS_SESSION_KEY); | |
} | |
return principals; | |
} | |
protected PrincipalCollection getPrincipals(Session existing, ServletRequest servletRequest, ServletResponse servletResponse) { | |
PrincipalCollection principals = getPrincipals(existing); | |
if (principals == null) { | |
//check remember me: | |
principals = getRememberedIdentity(); | |
if (principals != null && existing != null) { | |
existing.setAttribute(PRINCIPALS_SESSION_KEY, principals); | |
} | |
} | |
return principals; | |
} | |
protected boolean isAuthenticated(Session session) { | |
Boolean value = null; | |
if (session != null) { | |
value = (Boolean) session.getAttribute(AUTHENTICATED_SESSION_KEY); | |
} | |
return value != null && value; | |
} | |
protected boolean isAuthenticated(ServletRequest servletRequest, ServletResponse servletResponse, Session existing) { | |
return isAuthenticated(existing); | |
} | |
public Subject getSubject(ServletRequest request, ServletResponse response) { | |
return getSubject(); | |
} | |
public Subject createSubject() { | |
ServletRequest request = ThreadContext.getServletRequest(); | |
ServletResponse response = ThreadContext.getServletResponse(); | |
return createSubject(request, response); | |
} | |
public Subject createSubject(ServletRequest request, ServletResponse response) { | |
Session session = ((WebSessionManager)getSessionManager()).getSession(request, response); | |
if ( session == null ) { | |
if ( log.isTraceEnabled() ) { | |
log.trace( "No session found for the incoming request. The Subject instance created for " + | |
"the incoming request will not have an associated Session." ); | |
} | |
} | |
return createSubject(session, request, response); | |
} | |
public Subject createSubject(Session existing, ServletRequest request, ServletResponse response) { | |
PrincipalCollection principals = getPrincipals(existing, request, response); | |
boolean authenticated = isAuthenticated(request, response, existing); | |
return createSubject(request, response, existing, principals, authenticated); | |
} | |
protected Subject createSubject(ServletRequest request, | |
ServletResponse response, | |
Session existing, | |
PrincipalCollection principals, | |
boolean authenticated) { | |
InetAddress inetAddress = SecurityWebSupport.getInetAddress(request); | |
return createSubject(principals, existing, authenticated, inetAddress); | |
} | |
protected void bind(Subject subject) { | |
super.bind(subject); | |
ServletRequest request = ThreadContext.getServletRequest(); | |
ServletResponse response = ThreadContext.getServletResponse(); | |
bind(subject, request, response); | |
} | |
protected void bind(Subject subject, ServletRequest request, ServletResponse response) { | |
PrincipalCollection principals = subject.getPrincipals(); | |
if (principals != null && !principals.isEmpty()) { | |
Session session = subject.getSession(); | |
session.setAttribute(PRINCIPALS_SESSION_KEY, principals); | |
} else { | |
Session session = subject.getSession(false); | |
if (session != null) { | |
session.removeAttribute(PRINCIPALS_SESSION_KEY); | |
} | |
} | |
if (subject.isAuthenticated()) { | |
Session session = subject.getSession(); | |
session.setAttribute(AUTHENTICATED_SESSION_KEY, subject.isAuthenticated()); | |
} else { | |
Session session = subject.getSession(false); | |
if (session != null) { | |
session.removeAttribute(AUTHENTICATED_SESSION_KEY); | |
} | |
} | |
} | |
} |