Package org.zkoss.spring.security.intercept.zkevent

Source Code of org.zkoss.spring.security.intercept.zkevent.ZkEventProcessListener

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
/* ZkEventProcessListener.java

{{IS_NOTE
  Purpose:
   
  Description:
   
  History:
    Oct 1, 2008 6:17:08 PM, Created by henrichen
}}IS_NOTE

Copyright (C) 2008 Potix Corporation. All Rights Reserved.

{{IS_RIGHT
  This program is distributed under GPL Version 2.0 in the hope that
  it will be useful, but WITHOUT ANY WARRANTY.
}}IS_RIGHT
*/
package org.zkoss.spring.security.intercept.zkevent;

import java.util.List;

import javax.servlet.Filter;
import javax.servlet.http.HttpServletRequest;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.security.config.http.ZkEventSecurityBeanDefinitionParser;
import org.springframework.security.core.SpringSecurityCoreVersion;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.SecurityFilterChain;
import org.zkoss.spring.SpringUtil;
import org.zkoss.spring.security.config.ZkBeanIds;
import org.zkoss.spring.security.ui.ZkError403Filter;
import org.zkoss.spring.security.ui.ZkExceptionTranslationListener;
import org.zkoss.zk.ui.Executions;
import org.zkoss.zk.ui.event.Event;
import org.zkoss.zk.ui.util.EventInterceptor;

/**
* <p>
* Intercept ZK event processing and pass to {@link ZkEventProcessInterceptor} which inherits Spring Security's interceptor
* in order to secure ZK event objects.
* </p>
* <p>
* If you configure custom filter ZK_DESKTOP_REUSE_FILTER in &lt;http&gt;, {@link org.zkoss.spring.init.SecurityWebAppInit} will add this listener
* to ZK configuration dynamically.
* </p>
*
* @author henrichen
* @since 1.0
*/
public class ZkEventProcessListener implements EventInterceptor {
  private static final String DEFAULT_EVENT_PROCESS_INTERCEPTOR_NAME = "zkEventProcessInterceptor";
  private final Log logger = LogFactory.getLog(getClass());
 
  private ZkEventProcessInterceptor _interceptor;
  private boolean skip = false;
 
  public void afterProcessEvent(Event event) {
    if (!skip){
      _interceptor.afterInvocation(event);
    }
  }

  public Event beforeProcessEvent(Event event) {
   
    if (skipInterceptionCheck()) {
      return event;
    }
   
    //if in ZK event exception translation, then ignore any further events
    if (Executions.getCurrent().getAttribute(ZkExceptionTranslationListener.ZK_EXCEPTION_TRANSLATION) != null) {
      return event;
    }
   
    if (_interceptor == null) {
      _interceptor = (ZkEventProcessInterceptor)SpringUtil.getBean(DEFAULT_EVENT_PROCESS_INTERCEPTOR_NAME, ZkEventProcessInterceptor.class);
      if (_interceptor == null) {
        _interceptor = new ZkEventProcessInterceptor();
      }
    }
    if (logger.isDebugEnabled()) {
      logger.debug("intercept before "+event);
    }
    return _interceptor.beforeInvocation(event);
  }

  /**
   * <p>
   * All intercepted events will invoke this listener but some of them are not secure objects, we should skip them to avoid Spring Security throwing exceptions.
   * </p>
   * Since Spring Security 3.1.0, configuration file can have multiple &lt;http&gt; tags. Each &lt;http&gt; creates a DefaultSecurityFilterChain
   * with a request path matcher. we should skip events sent from zuls and do not pass it to {@link ZkEventProcessInterceptor} under the following conditions:<br/>
   * <li>zuls inside &lt;http security="none"&gt;. If no skip, Spring Security will throw AuthenticationCredentialsNotFoundException.</li>
   * <li>zuls inside &lt;http&gt; tag without ZK custom filters.</li>
   *
   * @return true - skip current event.
   */
  private boolean skipInterceptionCheck(){
    skip = false;
    if (SecurityContextHolder.getContext().getAuthentication() == null) { //pages without access control
      skip = true;
    }else{
      List<SecurityFilterChain> filterChains = (List<SecurityFilterChain>) SpringUtil.getBean(ZkEventSecurityBeanDefinitionParser.SPRING_SECURITY_31_FILTER_CHAIN);
      if (filterChains == null){
        skip = false;
      }else{
        HttpServletRequest request = (HttpServletRequest) Executions.getCurrent().getNativeRequest();

        for (int i = 0; i < filterChains.size(); i++) {
          if (filterChains.get(i).matches(request)) {
            List<Filter> matchingFilters = filterChains.get(i).getFilters();
            // check if there is a ZK filter installed in the matching chain
            ZkError403Filter zkError403Filter = (ZkError403Filter) SpringUtil.getBean(ZkBeanIds.ZK_ERROR_403_FILTER);
            if (!matchingFilters.contains(zkError403Filter)) {
              skip = true;
              break;
            }
          }
        }
      }
    }
    return skip;
  }

  public Event beforePostEvent(Event event) {
    //do nothing
    return event;
  }

  public Event beforeSendEvent(Event event) {
    //do nothing
    return event;
  }
}
TOP

Related Classes of org.zkoss.spring.security.intercept.zkevent.ZkEventProcessListener

  • org.zkoss.spring.security.ui.ZkError403Filter
  • javax.servlet.http.HttpServletRequest
    • TOP
    Copyright © 2018 www.massapi.com. All rights reserved.
    All source code are property of their respective owners. Java is a trademark of Sun Microsystems, Inc and owned by ORACLE Inc. Contact coftware#gmail.com.