
/*
 * Copyright 2012 Shared Learning Collaborative, LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.slc.sli.dashboard.web.interceptor;

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import com.google.gson.JsonObject;

import org.slc.sli.dashboard.client.RESTClient;
import org.slc.sli.dashboard.security.SLIAuthenticationEntryPoint;
import org.slc.sli.dashboard.util.Constants;
import org.slc.sli.dashboard.util.SecurityUtil;
import org.slc.sli.dashboard.web.controller.ErrorController;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

/**
 * Intercepts all incoming requests and ensures user is authenticated against api
 * @author svankina
 * @author rbloh
 *
 */
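public class SessionCheckInterceptor extends HandlerInterceptorAdapter {

    private RESTClient restClient;

    public RESTClient getRestClient() {
        return restClient;
    }

    public void setRestClient(RESTClient restClient) {
        this.restClient = restClient;
    }

    /**
     * Performs a session check on every incoming request to ensure that a user holding an active
     * Spring Security session is still authenticated against the API.
     * <p>
     * If the API reports the user as not authenticated (or gives no usable answer at all), the
     * local authentication, the session's oauth_token attribute and the dashboard cookie are
     * cleared and the request is redirected back to its own URI, unless the request is already
     * for one of the error pages (in which case it is allowed through so the error can render).
     *
     * @param request  the current request
     * @param response the current response; receives the cookie-expiry header on logout
     * @param handler  the chosen handler (unused)
     * @return {@code true} to continue the handler chain, {@code false} after a redirect has been sent
     * @throws Exception propagated from the API client or the servlet API
     */
    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
            throws Exception {
        String token = SecurityUtil.getToken();

        JsonObject json = restClient.sessionCheck(token);

        // Fail closed: a missing response or a response without the "authenticated" attribute is
        // treated as "not authenticated" rather than letting an NPE escape and leave the local
        // session intact.
        boolean authenticated = json != null
                && json.has(Constants.ATTR_AUTHENTICATED)
                && !json.get(Constants.ATTR_AUTHENTICATED).isJsonNull()
                && json.get(Constants.ATTR_AUTHENTICATED).getAsBoolean();

        if (authenticated) {
            return true;
        }

        clearLocalSession(request, response);

        // Only redirect if this is not an error page; error pages must still be rendered.
        if (isErrorPage(request.getServletPath())) {
            return true;
        }
        response.sendRedirect(request.getRequestURI());
        return false;
    }

    /**
     * Drops every local trace of the (no longer valid) login: the Spring Security authentication,
     * the oauth_token session attribute and the dashboard cookie.
     */
    private void clearLocalSession(HttpServletRequest request, HttpServletResponse response) {
        SecurityContextHolder.getContext().setAuthentication(null);

        // Do not create a session just to clear an attribute from it.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.removeAttribute(SLIAuthenticationEntryPoint.OAUTH_TOKEN);
        }

        // getCookies() returns null (not an empty array) when the request carries no cookies.
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return;
        }
        for (Cookie c : cookies) {
            if (SLIAuthenticationEntryPoint.DASHBOARD_COOKIE.equals(c.getName())) {
                // Setting max-age on the request's Cookie object has no effect on the client; the
                // expiry must be sent back as a Set-Cookie header on the response.
                Cookie expired = new Cookie(c.getName(), "");
                expired.setMaxAge(0);
                if (c.getPath() != null) {
                    expired.setPath(c.getPath());
                }
                if (c.getDomain() != null) {
                    expired.setDomain(c.getDomain());
                }
                // NOTE(review): browsers only honour the expiry when Path/Domain match the cookie as
                // originally issued (by SLIAuthenticationEntryPoint, presumably) - the request-side
                // Cookie normally carries neither, so confirm and set them explicitly if needed.
                response.addCookie(expired);
            }
        }
    }

    /** True when the servlet path is one of the ErrorController pages that must not be redirected. */
    private static boolean isErrorPage(String servletPath) {
        return servletPath != null
                && (servletPath.equalsIgnoreCase(ErrorController.EXCEPTION_URL)
                        || servletPath.equalsIgnoreCase(ErrorController.TEST_EXCEPTION_URL));
    }

}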