Java tutorial
/* Copyright (c) 2001 - 2013 OpenPlans - www.openplans.org. All rights reserved. * This code is licensed under the GPL 2.0 license, available at the root * application directory. */ package org.geoserver.security; import java.io.BufferedReader; import java.io.IOException; import java.io.StringReader; import java.util.ArrayList; import java.util.Collection; import java.util.Iterator; import java.util.List; import java.util.Arrays; import org.springframework.security.web.FilterInvocation; import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource; import org.springframework.security.access.ConfigAttribute; import org.springframework.security.access.SecurityConfig; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.geoserver.security.impl.RESTAccessRuleDAO; import org.springframework.util.StringUtils; /** * * @author Chris Berry * http://opensource.atlassian.com/projects/spring/browse/SEC-531 * */ public class RESTfulDefinitionSource implements FilterInvocationSecurityMetadataSource { static private Log log = LogFactory.getLog(RESTfulDefinitionSource.class); static private final String[] validMethodNames = { "GET", "PUT", "DELETE", "POST" }; /** * Underlying SecurityMetedataSource object */ private RESTfulPathBasedFilterInvocationDefinitionMap delegate = null; /** * rest access rules dao */ private RESTAccessRuleDAO dao; /** * Override the method in FilterInvocationSecurityMetadataSource */ public Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException { if ((object == null) || !this.supports(object.getClass())) { throw new IllegalArgumentException("Object must be a FilterInvocation"); } String url = ((FilterInvocation) object).getRequestUrl(); String method = ((FilterInvocation) object).getHttpRequest().getMethod(); return delegate().lookupAttributes(cleanURL(url), method); } /** * this form is invalid for this implementation */ public Collection<ConfigAttribute> lookupAttributes(String url) { throw new IllegalArgumentException("lookupAttributes(String url) is INVALID for RESTfulDefinitionSource"); } public Collection<ConfigAttribute> lookupAttributes(String url, String method) { return delegate().lookupAttributes(cleanURL(url), method); } public Collection<ConfigAttribute> getAllConfigAttributes() { return delegate().getAllConfigAttributes(); } public boolean supports(Class clazz) { return FilterInvocation.class.isAssignableFrom(clazz); } /** * Creates a proxy to a PathBasedFilterInvocationDefinitionMap to delegate calls. * Initializations of the delegate is done here. * * @deprecated This is not longer used (JD) */ public RESTfulDefinitionSource(String pathToRoleList) throws IllegalArgumentException { delegate = new RESTfulPathBasedFilterInvocationDefinitionMap(); processPathList(pathToRoleList); } public RESTfulDefinitionSource(RESTAccessRuleDAO dao) { this.dao = dao; //force a read of the property file at startup dao.reload(); } public void reload() { delegate = null; } RESTfulPathBasedFilterInvocationDefinitionMap delegate() { if (delegate == null || dao.isModified()) { synchronized (this) { delegate = new RESTfulPathBasedFilterInvocationDefinitionMap(); for (String rule : dao.getRules()) { processPathList(rule); } } } return delegate; } private void processPathList(String pathToRoleList) throws IllegalArgumentException { /* FilterInvocationDefinitionDecorator source = new FilterInvocationDefinitionDecorator(); source.setDecorated( delegate ); source.setConvertUrlToLowercaseBeforeComparison( true ); */ delegate.setConvertUrlToLowercaseBeforeComparison(true); BufferedReader br = new BufferedReader(new StringReader(pathToRoleList)); int counter = 0; String line; List<RESTfulDefinitionSourceMapping> mappings = new ArrayList<RESTfulDefinitionSourceMapping>(); while (true) { counter++; try { line = br.readLine(); } catch (IOException ioe) { throw new IllegalArgumentException(ioe.getMessage()); } if (line == null) { break; } line = line.trim(); if (log.isDebugEnabled()) { log.debug("Line " + counter + ": " + line); } if (line.startsWith("//")) { continue; } // Skip lines that are not directives if (line.lastIndexOf('=') == -1) { continue; } if (line.lastIndexOf("==") != -1) { throw new IllegalArgumentException("Only single equals should be used in line " + line); } // Tokenize the line into its name/value tokens // As per SEC-219, use the LAST equals as the delimiter between LHS and RHS String name = substringBeforeLast(line, "="); String value = substringAfterLast(line, "="); if (!StringUtils.hasText(name) || !StringUtils.hasText(value)) { throw new IllegalArgumentException("Failed to parse a valid name/value pair from " + line); } String antPath = name; String methods = null; int firstColonIndex = name.indexOf(":"); if (log.isDebugEnabled()) log.debug("~~~~~~~~~~ name= " + name + " firstColonIndex= " + firstColonIndex); if (firstColonIndex != -1) { antPath = name.substring(0, firstColonIndex); methods = name.substring((firstColonIndex + 1), name.length()); } if (log.isDebugEnabled()) log.debug("~~~~~~~~~~ name= " + name + " antPath= " + antPath + " methods= " + methods); String[] methodList = null; if (methods != null) { methodList = methods.split(","); // Verify methodList is valid for (int ii = 0; ii < methodList.length; ii++) { boolean matched = false; for (int jj = 0; jj < validMethodNames.length; jj++) { if (methodList[ii].equals(validMethodNames[jj])) { matched = true; break; } } if (!matched) { throw new IllegalArgumentException("The HTTP Method Name (" + methodList[ii] + " does NOT equal a valid name (GET,PUT,POST,DELETE)"); } } } if (log.isDebugEnabled()) { log.debug("methodList = " + Arrays.toString(methodList)); } // Should all be lowercase; check each character // We only do this for Ant (regexp have control chars) for (int i = 0; i < antPath.length(); i++) { String character = antPath.substring(i, i + 1); if (!character.toLowerCase().equals(character)) { throw new IllegalArgumentException( "You are using Ant Paths, yet you have specified an uppercase character in line: " + line + " (character '" + character + "')"); } } RESTfulDefinitionSourceMapping mapping = new RESTfulDefinitionSourceMapping(); mapping.setUrl(antPath); mapping.setHttpMethods(methodList); String[] tokens = StringUtils.commaDelimitedListToStringArray(value); for (int i = 0; i < tokens.length; i++) { mapping.addConfigAttribute(new SecurityConfig(tokens[i].trim())); } mappings.add(mapping); } // This will call the addSecureUrl in RESTfulPathBasedFilterInvocationDefinitionMap // which is how this whole convoluted beast gets wired together //source.setMappings(mappings); setMappings(mappings); } public void setMappings(List<RESTfulDefinitionSourceMapping> mappings) { Iterator<RESTfulDefinitionSourceMapping> it = mappings.iterator(); while (it.hasNext()) { RESTfulDefinitionSourceMapping mapping = it.next(); delegate.addSecureUrl(mapping.getUrl(), mapping.getHttpMethods(), mapping.getConfigAttributes()); } // Iterator it = mappings.iterator(); // while (it.hasNext()) { // RESTfulDefinitionSourceMapping mapping = (RESTfulDefinitionSourceMapping)it.next(); // ConfigAttributeDefinition configDefinition = new ConfigAttributeDefinition(); // // Iterator configAttributesIt = mapping.getConfigAttributes().iterator(); // while (configAttributesIt.hasNext()) { // String s = (String) configAttributesIt.next(); // configDefinition.addConfigAttribute( new SecurityConfig(s) ); // } // delegate.addSecureUrl(mapping.getUrl(), mapping.getHttpMethods(), configDefinition); // } } /** * Hacks an incoming url to help with matching. */ String cleanURL(String url) { //remove any trailing slashes url = url.replaceAll("/+$", ""); return url; } private String substringBeforeLast(String str, String separator) { if (str == null || separator == null || str.length() == 0 || separator.length() == 0) { return str; } int pos = str.lastIndexOf(separator); if (pos == -1) { return str; } return str.substring(0, pos); } private String substringAfterLast(String str, String separator) { if (str == null || str.length() == 0) { return str; } if (separator == null || separator.length() == 0) { return ""; } int pos = str.lastIndexOf(separator); if (pos == -1 || pos == (str.length() - separator.length())) { return ""; } return str.substring(pos + separator.length()); } //++++++++++++++++++++++++ static public class RESTfulDefinitionSourceMapping { private String url = null; private Collection<ConfigAttribute> configAttributes = new ArrayList<ConfigAttribute>(); private String[] httpMethods = null; public void setHttpMethods(String[] httpMethods) { this.httpMethods = httpMethods; } /** * A null httpMethods implies that ALL methods are accepted */ public String[] getHttpMethods() { return httpMethods; } public void setUrl(String url) { this.url = url; } public String getUrl() { return url; } public void setConfigAttributes(Collection<ConfigAttribute> roles) { this.configAttributes = roles; } public Collection<ConfigAttribute> getConfigAttributes() { return configAttributes; } public void addConfigAttribute(ConfigAttribute configAttribute) { configAttributes.add(configAttribute); } } }