jee-modules/jsf-module/impl/src/main/java/org/apache/myfaces/extensions/cdi/jsf/impl/security/SecurityViewListener.java

/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *   http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied.  See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */
package org.apache.myfaces.extensions.cdi.jsf.impl.security;

import org.apache.myfaces.extensions.cdi.core.api.config.view.ViewConfig;
import org.apache.myfaces.extensions.cdi.core.api.security.AccessDecisionVoterContext;
import org.apache.myfaces.extensions.cdi.core.impl.util.CodiUtils;
import org.apache.myfaces.extensions.cdi.jsf.api.listener.phase.AfterPhase;
import org.apache.myfaces.extensions.cdi.jsf.api.listener.phase.BeforePhase;
import static org.apache.myfaces.extensions.cdi.jsf.api.listener.phase.JsfPhaseId.*;
import static org.apache.myfaces.extensions.cdi.jsf.impl.util.SecurityUtils.tryToHandleSecurityViolation;
import org.apache.myfaces.extensions.cdi.jsf.impl.config.view.ViewConfigCache;
import org.apache.myfaces.extensions.cdi.jsf.api.config.view.ViewConfigDescriptor;
import static org.apache.myfaces.extensions.cdi.core.impl.util.SecurityUtils.invokeVoters;
import org.apache.myfaces.extensions.cdi.core.api.security.AccessDeniedException;
import org.apache.myfaces.extensions.cdi.jsf.impl.config.view.spi.EditableViewConfigDescriptor;

import javax.enterprise.event.Observes;
import javax.enterprise.inject.spi.BeanManager;
import javax.faces.event.PhaseEvent;
import javax.faces.context.FacesContext;
import java.util.Map;

/**
 * If you don't need it or there is any issue, deactivate it via a CDI extension via
 * {@link javax.enterprise.inject.spi.ProcessAnnotatedType#veto()} .
 */
public class SecurityViewListener
{
    private static final String LAZY_SECURITY_CHECK_KEY = "LAZY_SECURITY_CHECK";

    /**
     * Checks the permission based on the
     * {@link org.apache.myfaces.extensions.cdi.core.api.security.AccessDecisionVoter}s
     * which are configured for the current view.
     * @param event current phase-event
     * @param beanManager current bean-manager
     */
    public void checkPermission(@Observes @AfterPhase(RESTORE_VIEW) PhaseEvent event, BeanManager beanManager)
    {
        FacesContext facesContext = event.getFacesContext();

        if(facesContext.getViewRoot() == null)
        {
            triggerFallback(facesContext);
            return;
        }

        checkPermission(beanManager, facesContext);
    }

    /**
     * Checks the permission based on the
     * {@link org.apache.myfaces.extensions.cdi.core.api.security.AccessDecisionVoter}s
     * which are configured for the current view.
     * @param event current phase-event
     * @param beanManager current bean-manager
     */
    public void checkPermissionBeforeRendering(
            @Observes @BeforePhase(RENDER_RESPONSE) PhaseEvent event, BeanManager beanManager)
    {
        FacesContext facesContext = event.getFacesContext();

        if(facesContext.getViewRoot() == null)
        {
            //TODO log warning
            return;
        }

        Map<String, Object> requestMap = getRequestMap(facesContext);

        if(requestMap != null && Boolean.TRUE.equals(requestMap.get(LAZY_SECURITY_CHECK_KEY)))
        {
            checkPermission(beanManager, facesContext);
        }
    }

    private void checkPermission(BeanManager beanManager, FacesContext facesContext)
    {
        ViewConfigDescriptor entry = ViewConfigCache.getViewConfigDescriptor(facesContext.getViewRoot().getViewId());

        if(entry == null)
        {
            return;
        }

        try
        {
            Class<? extends ViewConfig> errorView = null;

            AccessDecisionVoterContext voterContext =
                    CodiUtils.getContextualReferenceByClass(beanManager, AccessDecisionVoterContext.class, true);

            if(entry instanceof EditableViewConfigDescriptor)
            {
                errorView = ((EditableViewConfigDescriptor)entry).getErrorView();
            }
            invokeVoters(null, beanManager, voterContext, entry.getAccessDecisionVoters(), errorView);
        }
        catch (AccessDeniedException accessDeniedException)
        {
            tryToHandleSecurityViolation(accessDeniedException);
            facesContext.renderResponse();
        }
    }

    private void triggerFallback(FacesContext facesContext)
    {
        Map<String, Object> requestMap = getRequestMap(facesContext);

        if(requestMap != null)
        {
            requestMap.put(LAZY_SECURITY_CHECK_KEY, Boolean.TRUE);
        }
    }

    private Map<String, Object> getRequestMap(FacesContext facesContext)
    {
        if(facesContext.getExternalContext() == null || facesContext.getExternalContext().getRequestMap() == null)
        {
            //TODO log warning
            return null;
        }

        return facesContext.getExternalContext().getRequestMap();
    }
}