Google Git
Sign in
apache / jsecurity / refs/heads/tags/0.9.0-beta / . / src / org / jsecurity / web / servlet / SecurityManagerLoader.java
blob: 5d0c3b74f995c4e72b5b916ec4d8d9b470b3e298 [file] [log] [blame]
/*
* Copyright 2005-2008 Les Hazlewood
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.jsecurity.web.servlet;
import org.jsecurity.mgt.SecurityManager;
import org.jsecurity.realm.Realm;
import org.jsecurity.util.LifecycleUtils;
import org.jsecurity.web.DefaultWebSecurityManager;
import java.util.List;
/**
* Utility superclass for a web application that consolidates SecurityManager acquisition and/or creation logic during
* application startup. Subclasses are expected to utilize startup mechanisms/APIs supported by the Servlet Container
* (for example, <tt>ServletContextListener</tt>, <tt>Servlet</tt>, etc), and call the methods in this class to
* reduce the amount of code required.
* <p/>
* <p><b>Clean Architecture Note:</b> A JSecurity <tt>SecurityManager</tt> is really considered a business-tier
* component and should be created in the application's business-tier configuration (e.g. Spring, Pico, Guice, JBoss,
* etc) if such a configuration exists. If this business-tier does exist, subclasses of this one should acquire and
* return that instance by overriding the {@link #getSecurityManager() getSecurityManager()} method.</p>
* <p/>
* <p>If there is no business-tier, i.e. this is a 'pure' web application, then a <tt>SecurityManager</tt> instance
* needs to be created (instantiated) explicitly. This implementation will do this automatically by default, but if
* you wish to change the default logic, you'll need to override the
* {@link #createSecurityManager() createSecurityManager()} method.
*
* @see #getSecurityManager
* @see #createSecurityManager
* @author Les Hazlewood
* @since 0.2
*/
public class SecurityManagerLoader extends ServletContextSupport {
public static final String SECURITY_MANAGER_CONTEXT_KEY = SecurityManagerLoader.class.getName() + "_SECURITY_MANAGER";
private SecurityManager securityManager = null;
public void init() {
if (getServletContext() == null) {
throw new IllegalStateException("servletContext property must be set.");
}
applySessionMode();
ensureSecurityManager();
}
public SecurityManager getSecurityManager() {
return this.securityManager;
}
protected List<Realm> getRealms() {
return null;
}
protected Realm getRealm() {
return null;
}
protected void bind(SecurityManager securityManager) {
bind("securityManager", SECURITY_MANAGER_CONTEXT_KEY, securityManager);
}
protected SecurityManager createSecurityManager() {
DefaultWebSecurityManager defaultSecMgr = new DefaultWebSecurityManager();
String mode = getSessionMode();
if ( mode != null ) {
defaultSecMgr.setSessionMode( mode );
}
List<Realm> realms = getRealms();
if (realms != null && !realms.isEmpty()) {
defaultSecMgr.setRealms(realms);
} else {
Realm realm = getRealm();
if (realm != null) {
defaultSecMgr.setRealm(realm);
}
}
defaultSecMgr.init();
return defaultSecMgr;
}
public void ensureSecurityManager() {
SecurityManager securityManager = getSecurityManager();
if (securityManager == null) {
securityManager = createSecurityManager();
if (securityManager == null) {
String msg = "securityManager instance returned from createSecurityManager() call cannot " +
"be null.";
throw new IllegalStateException(msg);
}
this.securityManager = securityManager;
}
bind(securityManager);
}
public void destroy() {
removeAttribute( SECURITY_MANAGER_CONTEXT_KEY );
LifecycleUtils.destroy( this.securityManager );
this.securityManager = null;
}
}