org.apache.wiki.auth.authorize

Class WebContainerAuthorizer

java.lang.Object

org.apache.wiki.auth.authorize.WebContainerAuthorizer

All Implemented Interfaces:

WebAuthorizer, Authorizer

public class WebContainerAuthorizer
extends Object
implements WebAuthorizer

Authorizes users by delegating role membership checks to the servlet container. In addition to implementing methods for the Authorizer interface, this class also provides a convenience method isContainerAuthorized() that queries the web application descriptor to determine if the container manages authorization.

Since:

2.3

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
class	WebContainerAuthorizer.LocalEntityResolver XML entity resolver that redirects resolution requests by JDOM, JAXP and other XML parsers to locally-cached copies of the resources.

Field Summary

Fields

Modifier and Type	Field and Description
protected static org.apache.log4j.Logger	log
protected boolean	m_containerAuthorized Lazily-initialized boolean flag indicating whether the web container protects JSPWiki resources.
protected Role[]	m_containerRoles A lazily-initialized array of Roles that the container knows about.
protected WikiEngine	m_engine

Constructor Summary

Constructors

Constructor and Description
WebContainerAuthorizer() Constructs a new instance of the WebContainerAuthorizer class.

Method Summary

Modifier and Type	Method and Description
Principal	findRole(String role) Looks up and returns a Role Principal matching a given String.
Principal[]	getRoles() Returns an array of role Principals this Authorizer knows about.
protected Role[]	getRoles(org.jdom2.Document webxml) Protected method that extracts the roles from JSPWiki's web application deployment descriptor.
protected org.jdom2.Document	getWebXml() Returns an Document representing JSPWiki's web application deployment descriptor.
void	initialize(WikiEngine engine, Properties props) Initializes the authorizer for.
boolean	isConstrained(String url, Role role) Protected method that identifies whether a particular webapp URL is constrained to a particular Role.
boolean	isContainerAuthorized() Returns true if the web container is configured to protect certain JSPWiki resources by requiring authentication.
boolean	isUserInRole(javax.servlet.http.HttpServletRequest request, Principal role) Determines whether a user associated with an HTTP request possesses a particular role.
boolean	isUserInRole(WikiSession session, Principal role) Determines whether the Subject associated with a WikiSession is in a particular role.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

log

protected static final org.apache.log4j.Logger log

m_engine

protected WikiEngine m_engine

m_containerRoles

protected Role[] m_containerRoles

A lazily-initialized array of Roles that the container knows about. These are parsed from JSPWiki's web.xml web application deployment descriptor. If this file cannot be read for any reason, the role list will be empty. This is a hack designed to get around the fact that we have no direct way of querying the web container about which roles it manages.

m_containerAuthorized

protected boolean m_containerAuthorized

Lazily-initialized boolean flag indicating whether the web container protects JSPWiki resources.

Constructor Detail

WebContainerAuthorizer

public WebContainerAuthorizer()

Constructs a new instance of the WebContainerAuthorizer class.

Method Detail

initialize

public void initialize(WikiEngine engine,
                       Properties props)

Initializes the authorizer for.

Specified by:

initialize in interface Authorizer

Parameters:

engine - the current wiki engine

props - the wiki engine initialization properties

isUserInRole

public boolean isUserInRole(javax.servlet.http.HttpServletRequest request,
                            Principal role)

Determines whether a user associated with an HTTP request possesses a particular role. This method simply delegates to HttpServletRequest.isUserInRole(String) by converting the Principal's name to a String.

Specified by:

isUserInRole in interface WebAuthorizer

Parameters:

request - the HTTP request

role - the role to check

Returns:

true if the user is considered to be in the role, false otherwise

isUserInRole

public boolean isUserInRole(WikiSession session,
                            Principal role)

Determines whether the Subject associated with a WikiSession is in a particular role. This method takes two parameters: the WikiSession containing the subject and the desired role ( which may be a Role or a Group). If either parameter is null, this method must return false. This method simply examines the WikiSession subject to see if it possesses the desired Principal. We assume that the method WikiServletFilter.doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain) previously executed, and that it has set the WikiSession subject correctly by logging in the user with the various login modules, in particular WebContainerLoginModule}. This is definitely a hack, but it eliminates the need for WikiSession to keep dangling references to the last WikiContext hanging around, just so we can look up the HttpServletRequest.

Specified by:

isUserInRole in interface Authorizer

Parameters:

session - the current WikiSession

role - the role to check

Returns:

true if the user is considered to be in the role, false otherwise

See Also:

Authorizer.isUserInRole(org.apache.wiki.WikiSession, java.security.Principal)

findRole

public Principal findRole(String role)

Looks up and returns a Role Principal matching a given String. If the Role does not match one of the container Roles identified during initialization, this method returns null.

Specified by:

findRole in interface Authorizer

Parameters:

role - the name of the Role to retrieve

Returns:

a Role Principal, or null

See Also:

Authorizer.initialize(WikiEngine, Properties)

isConstrained

public boolean isConstrained(String url,
                             Role role)

Protected method that identifies whether a particular webapp URL is constrained to a particular Role. The resource is considered constrained if:

• the web application deployment descriptor contains a security-constraint with a child web-resource-collection/url-pattern element matching the URL, and:
• this constraint also contains an auth-constraint/role-name element equal to the supplied Role's getName() method. If the supplied Role is Role.ALL, it matches all roles

Parameters:

url - the web resource

role - the role

Returns:

true if the resource is constrained to the role, false otherwise

isContainerAuthorized

public boolean isContainerAuthorized()

Returns true if the web container is configured to protect certain JSPWiki resources by requiring authentication. Specifically, this method parses JSPWiki's web application descriptor (web.xml) and identifies whether the string representation of Role.AUTHENTICATED is required to access /Delete.jsp and LoginRedirect.jsp. If the administrator has uncommented the large <security-constraint> section of web.xml, this will be true. This is admittedly an indirect way to go about it, but it should be an accurate test for default installations, and also in 99% of customized installs.

Returns:

true if the container protects resources, false otherwise

getRoles

public Principal[] getRoles()

Returns an array of role Principals this Authorizer knows about. This method will return an array of Role objects corresponding to the logical roles enumerated in the web.xml. This method actually returns a defensive copy of an internally stored array.

Specified by:

getRoles in interface Authorizer

Returns:

an array of Principals representing the roles

getRoles

protected Role[] getRoles(org.jdom2.Document webxml)

Protected method that extracts the roles from JSPWiki's web application deployment descriptor. Each Role is constructed by using the String representation of the Role, for example new Role("Administrator").

Parameters:

webxml - the web application deployment descriptor

Returns:

an array of Role objects

getWebXml

protected org.jdom2.Document getWebXml()
                                throws org.jdom2.JDOMException,
                                       IOException

Returns an Document representing JSPWiki's web application deployment descriptor. The document is obtained by calling the servlet context's getResource() method and requesting /WEB-INF/web.xml. For non-servlet applications, this method calls this class' ClassLoader.getResource(java.lang.String) and requesting WEB-INF/web.xml.

Returns:

the descriptor

Throws:

IOException - if the deployment descriptor cannot be found or opened

org.jdom2.JDOMException - if the deployment descriptor cannot be parsed correctly