
1   /* Copyright 2004, 2005 Acegi Technology Pty Limited
2    *
3    * Licensed under the Apache License, Version 2.0 (the "License");
4    * you may not use this file except in compliance with the License.
5    * You may obtain a copy of the License at
6    *
7    *     http://www.apache.org/licenses/LICENSE-2.0
8    *
9    * Unless required by applicable law or agreed to in writing, software
10   * distributed under the License is distributed on an "AS IS" BASIS,
11   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12   * See the License for the specific language governing permissions and
13   * limitations under the License.
14   */
15  
16  package org.acegisecurity.wrapper;
17  
18  import org.acegisecurity.Authentication;
19  import org.acegisecurity.AuthenticationTrustResolver;
20  import org.acegisecurity.AuthenticationTrustResolverImpl;
21  import org.acegisecurity.context.SecurityContextHolder;
22  import org.acegisecurity.userdetails.UserDetails;
23  
24  import java.security.Principal;
25  
26  import javax.servlet.http.HttpServletRequest;
27  import javax.servlet.http.HttpServletRequestWrapper;
28  
29  
30  /***
31   * An Acegi Security-aware <code>HttpServletRequestWrapper</code>, which uses
32   * the <code>SecurityContext</code>-defined <code>Authentication</code> object
33   * for {@link SecurityContextHolderAwareRequestWrapper#isUserInRole(java.lang.String)}
34   * and {@link javax.servlet.http.HttpServletRequestWrapper#getRemoteUser()}
35   * responses.
36   *
37   * @author Orlando Garcia Carmona
38   * @author Ben Alex
39   * @version $Id: SecurityContextHolderAwareRequestWrapper.java,v 1.3 2005/11/29 13:10:11 benalex Exp $
40   */
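public class SecurityContextHolderAwareRequestWrapper extends HttpServletRequestWrapper {
    //~ Instance fields ========================================================

    /***
     * Decides whether the current <code>Authentication</code> is anonymous.
     * Anonymous tokens are deliberately reported to callers of the servlet
     * API as "no user", so they never satisfy a role check.
     */
    private final AuthenticationTrustResolver authenticationTrustResolver = new AuthenticationTrustResolverImpl();

    //~ Constructors ===========================================================

    /***
     * Wraps the given request so that the user-related servlet API methods
     * answer from the <code>SecurityContextHolder</code> instead of the
     * container.
     *
     * @param request the request to wrap
     */
    public SecurityContextHolderAwareRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    //~ Methods ================================================================

    /***
     * Returns the principal's name, as obtained from the
     * <code>SecurityContextHolder</code>. Properly handles both
     * <code>String</code>-based and <code>UserDetails</code>-based
     * principals.
     *
     * @return the username, or <code>null</code> if unavailable (no
     *         <code>Authentication</code>, an anonymous one, or one whose
     *         principal is <code>null</code>)
     */
    public String getRemoteUser() {
        Authentication auth = getAuthentication();

        if (auth == null) {
            return null;
        }

        // Read the principal once; the original re-queried it on every branch.
        Object principal = auth.getPrincipal();

        if (principal == null) {
            return null;
        }

        if (principal instanceof UserDetails) {
            return ((UserDetails) principal).getUsername();
        }

        return principal.toString();
    }

    /***
     * Simply searches for an exactly matching {@link
     * GrantedAuthority#getAuthority()}.
     *
     * <p>
     * Will always return <code>false</code> if the <code>SecurityContextHolder</code>
     * contains an <code>Authentication</code> with a
     * <code>null</code> <code>principal</code> and/or
     * <code>GrantedAuthority[]</code>, or if <code>role</code> itself is
     * <code>null</code>. No role-name prefixing or normalisation is applied:
     * the comparison is literal.
     * </p>
     *
     * @param role the <code>GrantedAuthority</code> <code>String</code>
     *        representation to check for; may be <code>null</code>
     *
     * @return <code>true</code> if an <b>exact</b> (case sensitive) matching
     *         granted authority is located, <code>false</code> otherwise
     */
    public boolean isUserInRole(String role) {
        return isGranted(role);
    }

    /***
     * Returns the <code>Authentication</code> (which is a subclass of
     * <code>Principal</code>), or <code>null</code> if unavailable.
     *
     * <p>
     * Note that the full <code>Authentication</code> object is handed out,
     * not a name-only <code>Principal</code>; callers receive everything it
     * carries.
     * </p>
     *
     * @return the <code>Authentication</code>, or <code>null</code> if there
     *         is none, it is anonymous, or its principal is <code>null</code>
     */
    public Principal getUserPrincipal() {
        Authentication auth = getAuthentication();

        if ((auth == null) || (auth.getPrincipal() == null)) {
            return null;
        }

        return auth;
    }

    /***
     * Obtain the current active <code>Authentication</code>.
     *
     * <p>
     * Anonymous tokens are filtered out here, so every public method of this
     * wrapper treats an anonymous visitor exactly like an unauthenticated one.
     * </p>
     *
     * @return the authentication object, or <code>null</code> if the context
     *         holds none or holds an anonymous one
     */
    private Authentication getAuthentication() {
        // NOTE(review): the context's Authentication may itself be null; the
        // resolver is assumed to tolerate that and answer "not anonymous" —
        // confirm against AuthenticationTrustResolverImpl.
        Authentication auth = SecurityContextHolder.getContext()
                                                   .getAuthentication();

        if (authenticationTrustResolver.isAnonymous(auth)) {
            return null;
        }

        return auth;
    }

    /***
     * Checks whether the current (non-anonymous) <code>Authentication</code>
     * holds a granted authority whose <code>String</code> form equals
     * <code>role</code>.
     *
     * @param role the authority to look for; <code>null</code> never matches
     *
     * @return <code>true</code> only on an exact, case-sensitive match
     */
    private boolean isGranted(String role) {
        // A null role used to raise a NullPointerException from role.equals();
        // a wrapper should answer "not in role" instead of failing the request.
        if (role == null) {
            return false;
        }

        Authentication auth = getAuthentication();

        if ((auth == null) || (auth.getPrincipal() == null)
            || (auth.getAuthorities() == null)) {
            return false;
        }

        for (int i = 0; i < auth.getAuthorities().length; i++) {
            // getAuthority() may be null for an authority without a String
            // form; role.equals(null) is simply false, so no extra guard.
            if (role.equals(auth.getAuthorities()[i].getAuthority())) {
                return true;
            }
        }

        return false;
    }
}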