Java tutorial
/** * Abiquo community edition * cloud management application for hybrid clouds * Copyright (C) 2008-2010 - Abiquo Holdings S.L. * * This application is free software; you can redistribute it and/or * modify it under the terms of the GNU LESSER GENERAL PUBLIC * LICENSE as published by the Free Software Foundation under * version 3 of the License * * This software is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * LESSER GENERAL PUBLIC LICENSE v.3 for more details. * * You should have received a copy of the GNU Lesser General Public * License along with this library; if not, write to the * Free Software Foundation, Inc., 59 Temple Place - Suite 330, * Boston, MA 02111-1307, USA. */ package com.abiquo.api.spring.security; import java.util.ArrayList; import java.util.Iterator; import java.util.List; import javax.annotation.PostConstruct; import org.apache.commons.lang.StringUtils; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.Authentication; import org.springframework.security.ConfigAttributeDefinition; import org.springframework.security.context.SecurityContextHolder; import org.springframework.security.intercept.web.DefaultFilterInvocationDefinitionSource; import org.springframework.security.intercept.web.FilterSecurityInterceptor; import org.springframework.security.vote.AccessDecisionVoter; import org.springframework.security.vote.AffirmativeBased; import org.springframework.security.vote.RoleVoter; import org.springframework.stereotype.Service; import com.abiquo.model.rest.RESTLink; /** * This class eliminates from the dto the links that the user who made the request have no * permission to see. * * @author sergi.castro@abiquo.com * @author serafin.sedano@abiquo.com * @author ignasi.barrera@abiquo.com */ @Service public class URLAuthenticator { @Autowired private AffirmativeBased accessManager; private RoleVoter roleVoter; @Autowired private FilterSecurityInterceptor filterSecurityInterceptor; private enum methods { GET, POST, PUT, DELETE, OPTIONS }; @PostConstruct private void setRoleVoter() { for (Object o : accessManager.getDecisionVoters()) { if (o instanceof RoleVoter) { roleVoter = (RoleVoter) o; break; } } } /** * Return only links allowed for logged user * * @param links to check * @return links allowed for logged user */ public List<RESTLink> checkAuthLinks(final List<RESTLink> links, final String baseUri) { List<RESTLink> authslinks = null; if (links != null) { authslinks = new ArrayList<RESTLink>(); for (RESTLink link : links) { if (checkPermissions(new StringBuffer(link.getHref()), baseUri)) { authslinks.add(link); } } } return authslinks; } /** * Check if a url is allowed for logged user. If there is no roleVoter then always show the * links. * * @param url to check * @return true if is allowed, else false */ public boolean checkPermissions(final StringBuffer url, final String baseUri) { if (roleVoter == null) // No role based security { return Boolean.TRUE; } Authentication auth = SecurityContextHolder.getContext().getAuthentication(); DefaultFilterInvocationDefinitionSource fids = (DefaultFilterInvocationDefinitionSource) filterSecurityInterceptor .getObjectDefinitionSource(); String path = parse(url, baseUri); if (StringUtils.isBlank(path)) // The uri is not Abiquo { return Boolean.TRUE; } OUTER_LOOP: for (methods m : methods.values()) { ConfigAttributeDefinition config = fids.lookupAttributes(path, m.name()); if (config != null) { int result = roleVoter.vote(auth, new Object(), config); switch (result) { case AccessDecisionVoter.ACCESS_GRANTED: return Boolean.TRUE; case AccessDecisionVoter.ACCESS_DENIED: default: continue OUTER_LOOP; } } } return Boolean.FALSE; } private static String parse(final StringBuffer url, final String baseUri) { return StringUtils.substringAfterLast(url.toString(), baseUri); } }