

package dev.trade.common.securityfilter.authenticator; 
 
import java.io.*; 
import java.security.*; 
import javax.servlet.*; 
import javax.servlet.http.*; 
import dev.trade.common.securityfilter.config.*; 
import dev.trade.common.securityfilter.filter.*; 
import dev.trade.common.securityfilter.util.RequestUtils; 
import java.util.List; 
import java.util.Iterator; 
import java.util.Collection; 
 
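/**
 * Title: Security filter
 * <p>
 * Description: abstract base class for a generic authenticator. It implements most of
 * the {@link Authenticator} contract (login/logout page handling, bypass rules and
 * role checks) and leaves only {@link #authenticate(String, String)} to subclasses.
 * <p>
 * Copyright: Copyright (c) 2006
 * <p>
 * Company:
 *
 * @author Zheng YanNan
 * @version 1.0
 */
public abstract class AbstractAuthenticator implements Authenticator{
    /** Authentication method name reported by {@link #getAuthMethod()}; defaults to "FORM". */
    protected String AUTH_METHOD = "FORM";
    /** Name of the request parameter that carries the user name on the login submit page. */
    protected String KEY_USER_NAME = "user_name";
    /** Name of the request parameter that carries the password on the login submit page. */
    protected String KEY_USER_PWD = "user_pwd";

    // Pages read from securityfilter-config.xml. Each may be null when not configured; the
    // corresponding *Pattern is then null as well (see init).
    protected String loginPage;
    protected URLPattern loginPagePattern;
    protected String loginSubmitPage;
    protected URLPattern loginSubmitPagePattern;
    protected String loginErrorPage;
    protected URLPattern loginErrorPagePattern;
    protected String authErrorPage;
    protected URLPattern authErrorPagePattern;
    protected URLPattern logoutPagePattern;
    /** Fallback target handed to RequestUtils.getContinueToURL after a successful login. */
    protected String defaultPage;
    /** Security constraints from the configuration (SecurityConstraint elements); set by init. */
    protected List constraints;

    public AbstractAuthenticator(){
    }

    /**
     * Creates an authenticator with custom method name and parameter names.
     * @param authMethod  value reported by getAuthMethod()
     * @param keyUserName request parameter holding the user name
     * @param keyUserPwd  request parameter holding the password
     */
    public AbstractAuthenticator(String authMethod, String keyUserName, String keyUserPwd){
        this.AUTH_METHOD = authMethod;
        this.KEY_USER_NAME = keyUserName;
        this.KEY_USER_PWD = keyUserPwd;
    }

    /**
     * Initialises the authenticator from the filter and security configuration.
     * Every page pattern is rebuilt from the current configuration, so a page that is
     * no longer configured also stops being matched (and bypassed) after a re-init.
     * @param filterConfig   filter configuration (the filter entry in web.xml)
     * @param securityConfig security configuration (securityfilter-config.xml)
     * @throws Exception if a URL pattern cannot be created
     */
    public void init(FilterConfig filterConfig, SecurityConfig securityConfig) throws Exception{
        constraints = securityConfig.getSecurityConstraints();
        defaultPage = securityConfig.getDefaultPage();

        URLPatternFactory patternFactory = new URLPatternFactory();

        loginPage = securityConfig.getLoginPage();
        loginPagePattern = createPagePattern(patternFactory, loginPage);

        loginSubmitPage = securityConfig.getLoginSubmitPage();
        loginSubmitPagePattern = createPagePattern(patternFactory, loginSubmitPage);

        loginErrorPage = securityConfig.getLoginErrorPage();
        loginErrorPagePattern = createPagePattern(patternFactory, loginErrorPage);

        authErrorPage = securityConfig.getAuthErrorPage();
        authErrorPagePattern = createPagePattern(patternFactory, authErrorPage);

        // The logout page is only ever matched, never forwarded to, so its string is not kept.
        logoutPagePattern = createPagePattern(patternFactory, securityConfig.getLogoutPage());
    }

    /**
     * Builds the matching pattern for a configured page, ignoring any query string.
     * @param factory pattern factory to use
     * @param page    configured page, may be null
     * @return the pattern, or null when the page is not configured
     * @throws Exception propagated from the pattern factory
     */
    private static URLPattern createPagePattern(URLPatternFactory factory, String page) throws Exception{
        if(page == null){
            return null;
        }
        return factory.createURLPattern(RequestUtils.stripQueryString(page), null, null, 0);
    }

    /**
     * Tells whether a configured page is an absolute http(s) URL (to be redirected to)
     * rather than a context-relative path (to be forwarded to). The comparison is
     * case-insensitive and safe for strings shorter than the scheme prefix.
     * @param url configured page, may be null
     * @return true for "http://..." or "https://..."
     */
    protected static boolean isAbsoluteURL(String url){
        return url != null
            && (url.regionMatches(true, 0, "http://", 0, 7)
                || url.regionMatches(true, 0, "https://", 0, 8));
    }

    /**
     * Login handling. If the request is not the login submit page this returns false and
     * the filter continues; otherwise the credentials are checked, the response is
     * completed (redirect, forward or 401) and true is returned.
     * @param request        the wrapped request
     * @param response       HttpServletResponse
     * @param patternMatcher URLPatternMatcher
     * @return true if the filter must skip further processing, false otherwise
     * @throws Exception on I/O or dispatch failure
     */
    public boolean checkAndDoLogin(SecurityRequest request, HttpServletResponse response,
                                   URLPatternMatcher patternMatcher) throws Exception{
        String requestURL = request.getMatchableURL();
        if(!RequestUtils.matchesPattern(requestURL, loginSubmitPagePattern, patternMatcher)){
            return false; // not a login submission: nothing to do here
        }

        // Either parameter may be null when the form omitted it; the subclass decides.
        String username = request.getParameter(KEY_USER_NAME);
        String password = request.getParameter(KEY_USER_PWD);
        Principal principal = authenticate(username, password);

        if(principal != null){
            // Login successful. If a different user was already logged in on this session,
            // drop that session so none of the previous user's state carries over.
            // NOTE(review): when nobody was logged in the session id is kept across login;
            // rotating it here would also have to preserve the saved request information
            // that getContinueToURL reads - confirm where RequestUtils stores it.
            if(request.getUserPrincipal() != null
               && (username == null || !username.equals(request.getRemoteUser()))){
                request.getSession().invalidate();
            }
            request.setUserPrincipal(principal);
            // The URL the user was initially accessing before being prompted for login.
            // NOTE(review): presumably a path on this application; confirm RequestUtils
            // never returns an externally supplied absolute URL here.
            String continueToURL = RequestUtils.getContinueToURL(request, defaultPage);
            response.sendRedirect(response.encodeRedirectURL(continueToURL));
        } else{
            // Login failed: discard the session, then show the error page (or plain 401).
            request.getSession().invalidate();
            if(loginErrorPage == null){
                response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            } else if(isAbsoluteURL(loginErrorPage)){
                response.sendRedirect(loginErrorPage);
            } else{
                request.getRequestDispatcher(loginErrorPage).forward(request, response);
            }
        }
        return true;
    }

    /**
     * Redirect flow used when the user has to log in: the current request is saved so it
     * can be resumed after login, then the client is sent to the login page (or the
     * context root when none is configured).
     * @param request  HttpServletRequest
     * @param response HttpServletResponse
     * @throws Exception on I/O failure
     */
    public void showLogin(HttpServletRequest request, HttpServletResponse response) throws Exception{
        RequestUtils.saveRequestInformation(request);

        String redirectURL;
        if(loginPage == null){
            redirectURL = request.getContextPath() + "/";
        } else if(isAbsoluteURL(loginPage)){
            redirectURL = loginPage;
        } else{
            redirectURL = request.getContextPath() + loginPage;
        }
        response.sendRedirect(response.encodeRedirectURL(redirectURL));
    }

    /**
     * Flow used when the user is logged in but lacks permission for the requested
     * resource: forwards or redirects to the configured error page, else sends 403.
     * @param request  HttpServletRequest
     * @param response HttpServletResponse
     * @throws Exception on I/O or dispatch failure
     */
    public void showForbidden(HttpServletRequest request, HttpServletResponse response) throws Exception{
        if(authErrorPage == null){
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
        } else if(isAbsoluteURL(authErrorPage)){
            response.sendRedirect(authErrorPage);
        } else{
            request.getRequestDispatcher(authErrorPage).forward(request, response);
        }
    }

    /**
     * Logout handling: returns true when the request is the configured logout page.
     * This method only detects the logout request; it does not itself end the session.
     * @param request        the wrapped request
     * @param response       HttpServletResponse (unused here)
     * @param patternMatcher URLPatternMatcher
     * @return true if this is a logout request
     * @throws Exception propagated from the matcher
     */
    public boolean checkAndDoLogout(SecurityRequest request, HttpServletResponse response,
                                    URLPatternMatcher patternMatcher) throws Exception{
        String requestURL = request.getMatchableURL();
        return RequestUtils.matchesPattern(requestURL, logoutPagePattern, patternMatcher);
    }

    /**
     * Returns true when the requested URL needs no security check. By default the login,
     * login submit, login error, auth error and logout pages are exempt.
     * NOTE(review): a page that is not configured has a null pattern; this relies on
     * RequestUtils.matchesPattern treating a null pattern as "no match" - confirm.
     * @param request        the wrapped request
     * @param patternMatcher URLPatternMatcher
     * @return true to bypass security for this request
     * @throws Exception propagated from the matcher
     */
    public boolean bypassSecurityForThisRequest(SecurityRequest request, URLPatternMatcher patternMatcher) throws Exception{
        String requestURL = request.getMatchableURL();
        return RequestUtils.matchesPattern(requestURL, loginPagePattern, patternMatcher)
            || RequestUtils.matchesPattern(requestURL, loginSubmitPagePattern, patternMatcher)
            || RequestUtils.matchesPattern(requestURL, loginErrorPagePattern, patternMatcher)
            || RequestUtils.matchesPattern(requestURL, authErrorPagePattern, patternMatcher)
            || RequestUtils.matchesPattern(requestURL, logoutPagePattern, patternMatcher);
    }

    /**
     * Checks whether the given principal may access the named resource.
     * The first constraint that knows the resource supplies its role list. A resource
     * with no roles configured is allowed for everyone (fail-open: an unlisted resource
     * is public); a configured resource requires a logged-in principal holding one of
     * the roles, where "*" matches any principal.
     * Precondition: init has been called (constraints is non-null).
     * @param principal the current user, or null when not logged in
     * @param resName   resource name as configured in securityfilter-config.xml
     * @return true if access is permitted
     */
    public boolean isResourceAuthorized(Principal principal, String resName){
        if(resName == null){
            return true; // nothing to check
        }

        Collection roles = null;
        for(Iterator cIter = constraints.iterator(); cIter.hasNext(); ){
            SecurityConstraint constraint = (SecurityConstraint)cIter.next();
            roles = constraint.getRolesByResourceName(resName);
            if(roles != null){
                break;
            }
        }

        if(roles == null || roles.isEmpty()){
            return true; // no role requirement configured for this resource
        }
        if(principal == null){
            return false; // roles are required but nobody is logged in
        }
        for(Iterator it = roles.iterator(); it.hasNext(); ){
            String role = (String)it.next();
            if("*".equals(role) || isUserInRole(principal, role)){
                return true;
            }
        }
        return false;
    }

    /**
     * Validates the user name and password and returns the matching Principal.
     * @param username user name from the login form, may be null
     * @param password password from the login form, may be null
     * @return the authenticated Principal, or null when the credentials are rejected
     */
    public abstract Principal authenticate(String username, String password);

    public void setAuthMethod(String authMethod){
        this.AUTH_METHOD = authMethod;
    }

    public String getAuthMethod(){
        return AUTH_METHOD;
    }

    public void setUserNameKey(String key){
        this.KEY_USER_NAME = key;
    }

    public String getUserNameKey(){
        return this.KEY_USER_NAME;
    }

    public void setUserPwdKey(String key){
        this.KEY_USER_PWD = key;
    }

    public String getUserPwdKey(){
        return this.KEY_USER_PWD;
    }
}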