com.ecyrd.jspwiki.auth.authorize
Class WebContainerAuthorizer

java.lang.Object
  extended by com.ecyrd.jspwiki.auth.authorize.WebContainerAuthorizer
All Implemented Interfaces:
WebAuthorizer, Authorizer

public class WebContainerAuthorizer
extends Object
implements WebAuthorizer

Authorizes users by delegating role membership checks to the servlet container. In addition to implementing methods for the Authorizer interface, this class also provides a convenience method isContainerAuthorized() that queries the web application descriptor to determine if the container manages authorization.

Since:
2.3
Author:
Andrew Jaquith

Nested Class Summary
 class WebContainerAuthorizer.LocalEntityResolver
          XML entity resolver that redirects resolution requests by JDOM, JAXP and other XML parsers to locally-cached copies of the resources.
 
Field Summary
protected static org.apache.log4j.Logger log
           
protected  boolean m_containerAuthorized
          Lazily-initialized boolean flag indicating whether the web container protects JSPWiki resources.
protected  Role[] m_containerRoles
          A lazily-initialized array of Roles that the container knows about.
protected  WikiEngine m_engine
           
 
Constructor Summary
WebContainerAuthorizer()
          Constructs a new instance of the WebContainerAuthorizer class.
 
Method Summary
 Principal findRole(String role)
          Looks up and returns a Role Principal matching a given String.
 Principal[] getRoles()
          Returns an array of role Principals this Authorizer knows about.
protected  Role[] getRoles(Document webxml)
          Protected method that extracts the roles from JSPWiki's web application deployment descriptor.
protected  Document getWebXml()
          Returns a Document representing JSPWiki's web application deployment descriptor.
 void initialize(WikiEngine engine, Properties props)
          Initializes the authorizer.
 boolean isConstrained(String url, Role role)
           Protected method that identifies whether a particular webapp URL is constrained to a particular Role.
 boolean isContainerAuthorized()
          Returns true if the web container is configured to protect certain JSPWiki resources by requiring authentication.
 boolean isUserInRole(HttpServletRequest request, Principal role)
          Determines whether a user associated with an HTTP request possesses a particular role.
 boolean isUserInRole(WikiSession session, Principal role)
          Determines whether the Subject associated with a WikiSession is in a particular role.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

log

protected static final org.apache.log4j.Logger log

m_engine

protected WikiEngine m_engine

m_containerRoles

protected Role[] m_containerRoles
A lazily-initialized array of Roles that the container knows about. These are parsed from JSPWiki's web.xml web application deployment descriptor. If this file cannot be read for any reason, the role list will be empty. This is a hack designed to get around the fact that we have no direct way of querying the web container about which roles it manages.


m_containerAuthorized

protected boolean m_containerAuthorized
Lazily-initialized boolean flag indicating whether the web container protects JSPWiki resources.

Constructor Detail

WebContainerAuthorizer

public WebContainerAuthorizer()
Constructs a new instance of the WebContainerAuthorizer class.

Method Detail

initialize

public void initialize(WikiEngine engine,
                       Properties props)
Initializes the authorizer.

Specified by:
initialize in interface Authorizer
Parameters:
engine - the current wiki engine
props - the wiki engine initialization properties

isUserInRole

public boolean isUserInRole(HttpServletRequest request,
                            Principal role)
Determines whether a user associated with an HTTP request possesses a particular role. This method simply delegates to HttpServletRequest.isUserInRole(String) by converting the Principal's name to a String.

Specified by:
isUserInRole in interface WebAuthorizer
Parameters:
request - the HTTP request
role - the role to check
Returns:
true if the user is considered to be in the role, false otherwise

isUserInRole

public boolean isUserInRole(WikiSession session,
                            Principal role)
Determines whether the Subject associated with a WikiSession is in a particular role. This method takes two parameters: the WikiSession containing the subject and the desired role (which may be a Role or a Group). If either parameter is null, this method must return false. This method simply examines the WikiSession subject to see if it possesses the desired Principal. We assume that the method WikiServletFilter.doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain) previously executed, and that it has set the WikiSession subject correctly by logging in the user with the various login modules, in particular WebContainerLoginModule. This is definitely a hack, but it eliminates the need for WikiSession to keep dangling references to the last WikiContext hanging around, just so we can look up the HttpServletRequest.

Specified by:
isUserInRole in interface Authorizer
Parameters:
session - the current WikiSession
role - the role to check
Returns:
true if the user is considered to be in the role, false otherwise
See Also:
Authorizer.isUserInRole(com.ecyrd.jspwiki.WikiSession, java.security.Principal)

findRole

public Principal findRole(String role)
Looks up and returns a Role Principal matching a given String. If the Role does not match one of the container Roles identified during initialization, this method returns null.

Specified by:
findRole in interface Authorizer
Parameters:
role - the name of the Role to retrieve
Returns:
a Role Principal, or null
See Also:
Authorizer.initialize(WikiEngine, Properties)

isConstrained

public boolean isConstrained(String url,
                             Role role)
                      throws JDOMException

Protected method that identifies whether a particular webapp URL is constrained to a particular Role. The resource is considered constrained if:

Parameters:
url - the web resource
role - the role
Returns:
true if the resource is constrained to the role, false otherwise
Throws:
JDOMException - if elements cannot be parsed correctly

isContainerAuthorized

public boolean isContainerAuthorized()
Returns true if the web container is configured to protect certain JSPWiki resources by requiring authentication. Specifically, this method parses JSPWiki's web application descriptor (web.xml) and identifies whether the string representation of Role.AUTHENTICATED is required to access /Delete.jsp and LoginRedirect.jsp. If the administrator has uncommented the large <security-constraint> section of web.xml, this will be true. This is admittedly an indirect way to go about it, but it should be an accurate test for default installations, and also in 99% of customized installs.

Returns:
true if the container protects resources, false otherwise

getRoles

public Principal[] getRoles()
Returns an array of role Principals this Authorizer knows about. This method will return an array of Role objects corresponding to the logical roles enumerated in the web.xml. This method actually returns a defensive copy of an internally stored array.

Specified by:
getRoles in interface Authorizer
Returns:
an array of Principals representing the roles

getRoles

protected Role[] getRoles(Document webxml)
                   throws JDOMException
Protected method that extracts the roles from JSPWiki's web application deployment descriptor. Each Role is constructed by using the String representation of the Role, for example new Role("Administrator").

Parameters:
webxml - the web application deployment descriptor
Returns:
an array of Role objects
Throws:
JDOMException - if elements cannot be parsed correctly

getWebXml

protected Document getWebXml()
                      throws JDOMException,
                             IOException
Returns a Document representing JSPWiki's web application deployment descriptor. The document is obtained by calling the servlet context's getResource() method and requesting /WEB-INF/web.xml. For non-servlet applications, this method instead calls this class' ClassLoader.getResource(java.lang.String), requesting WEB-INF/web.xml.

Returns:
the descriptor
Throws:
IOException - if the deployment descriptor cannot be found or opened
JDOMException - if the deployment descriptor cannot be parsed correctly
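The following is an added, stand-alone example (not JSPWiki's own code) showing the descriptor checks that isConstrained, isContainerAuthorized, getRoles(Document) and getWebXml describe: it parses a constructed web.xml, lists the security-role entries, tests whether a URL is constrained to a role via a security-constraint, and derives the "container authorized" flag from the two JSPWiki pages named above. It uses the JDK's built-in DOM parser rather than JDOM, assumes "Authenticated" is the string form of Role.AUTHENTICATED, and matches url-pattern text exactly (the real matching rules are not given on this page). The class and method names are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXException;

public class WebXmlRoleScan {

    // Constructed sample descriptor for this example (not JSPWiki's real web.xml).
    static final String SAMPLE_WEB_XML =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
      + "<web-app xmlns=\"http://java.sun.com/xml/ns/j2ee\" version=\"2.4\">\n"
      + "  <security-constraint>\n"
      + "    <web-resource-collection>\n"
      + "      <web-resource-name>Authenticated area</web-resource-name>\n"
      + "      <url-pattern>/Delete.jsp</url-pattern>\n"
      + "      <url-pattern>/LoginRedirect.jsp</url-pattern>\n"
      + "    </web-resource-collection>\n"
      + "    <auth-constraint><role-name>Authenticated</role-name></auth-constraint>\n"
      + "  </security-constraint>\n"
      + "  <security-role><role-name>Authenticated</role-name></security-role>\n"
      + "  <security-role><role-name>Admin</role-name></security-role>\n"
      + "</web-app>\n";

    // Assumed string form of Role.AUTHENTICATED.
    static final String AUTHENTICATED = "Authenticated";

    /** Parses a descriptor with DOCTYPE and external entity resolution disabled. */
    static Document parse(String xml)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true); // web.xml 2.4+ puts elements in a namespace
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    /** Text of every descendant element with the given local name, in any namespace. */
    static List<String> childTexts(Element parent, String localName) {
        List<String> out = new ArrayList<>();
        NodeList nodes = parent.getElementsByTagNameNS("*", localName);
        for (int i = 0; i < nodes.getLength(); i++) {
            out.add(nodes.item(i).getTextContent().trim());
        }
        return out;
    }

    /** Role names declared in security-role elements (what getRoles(Document) extracts). */
    static List<String> securityRoles(Document webxml) {
        List<String> roles = new ArrayList<>();
        NodeList secRoles = webxml.getElementsByTagNameNS("*", "security-role");
        for (int i = 0; i < secRoles.getLength(); i++) {
            roles.addAll(childTexts((Element) secRoles.item(i), "role-name"));
        }
        return roles;
    }

    /** True when some security-constraint lists the URL pattern and the role. */
    static boolean isConstrained(Document webxml, String url, String role) {
        NodeList constraints = webxml.getElementsByTagNameNS("*", "security-constraint");
        for (int i = 0; i < constraints.getLength(); i++) {
            Element c = (Element) constraints.item(i);
            boolean urlMatches = childTexts(c, "url-pattern").contains(url);
            boolean roleMatches = false;
            NodeList auth = c.getElementsByTagNameNS("*", "auth-constraint");
            for (int j = 0; j < auth.getLength(); j++) {
                roleMatches |= childTexts((Element) auth.item(j), "role-name").contains(role);
            }
            if (urlMatches && roleMatches) {
                return true;
            }
        }
        return false;
    }

    /** The page's isContainerAuthorized test: both JSPWiki pages require the authenticated role. */
    static boolean isContainerAuthorized(Document webxml) {
        return isConstrained(webxml, "/Delete.jsp", AUTHENTICATED)
            && isConstrained(webxml, "/LoginRedirect.jsp", AUTHENTICATED);
    }

    public static void main(String[] args) throws Exception {
        Document doc = parse(SAMPLE_WEB_XML);
        System.out.println("container roles: " + securityRoles(doc));
        System.out.println("container-authorized: " + isContainerAuthorized(doc));
        System.out.println("/Edit.jsp constrained to Admin: " + isConstrained(doc, "/Edit.jsp", "Admin"));
    }
}
```

The parser settings are the defensive point: a deployment descriptor is still attacker-independent input in most deployments, but rejecting DOCTYPE declarations and external entities means a tampered or mis-copied web.xml cannot make the parser fetch remote resources. Older servlet 2.3 descriptors declare a DOCTYPE, so for those the disallow-doctype-decl feature must stay off; keep the external-entity features disabled and supply an EntityResolver that serves the DTD from a local copy, which is exactly the role the page's LocalEntityResolver plays for JSPWiki.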