false, a status 403 forbidden page is displayed instead.
* @return true, if the user has access; false otherwise
* @throws IOException
* Signals that an I/O exception has occurred.
* @throws ServletException
* On other errors
*/
public boolean checkAccess(HttpServletRequest req, HttpServletResponse res, NodeRef nodeRef, String permission,
        boolean allowLogIn) throws IOException, ServletException
{
    final ServletContext sc = getServletContext();
    final ServiceRegistry registry = getServiceRegistry(sc);
    final AccessStatus status = registry.getPermissionService().hasPermission(nodeRef, permission);

    // Only an explicit DENIED is treated as a failed check; any other status lets the request proceed.
    if (status != AccessStatus.DENIED)
    {
        return true;
    }

    if (logger.isDebugEnabled())
    {
        logger.debug("User does not have " + permission + " permission for NodeRef: " + nodeRef.toString());
    }

    // Denied: either send the user to the login page (only when the caller allows it and the
    // current identity holds the guest authority, i.e. presumably is not logged in yet) or
    // answer with the 403 error page. In both cases the response has been dealt with here,
    // which is why false is returned: the caller must not write anything further.
    final boolean offerLogin = allowLogIn && registry.getAuthorityService().hasGuestAuthority();
    if (offerLogin)
    {
        if (logger.isDebugEnabled())
        {
            logger.debug("Redirecting to login page...");
        }
        redirectToLoginPage(req, res, sc);
    }
    else
    {
        if (logger.isDebugEnabled())
        {
            logger.debug("Forwarding to error page...");
        }
        Application.handleSystemError(sc, req, res, MSG_ERROR_PERMISSIONS, HttpServletResponse.SC_FORBIDDEN, logger);
    }
    return false;
}
/**
 * Redirects to the Login page, preserving the current request URL so the user can be sent
 * back to it once the authentication process has completed.
 * <p>
 * A status-code redirect is only used when no remote user mapper is configured for this
 * application; otherwise the markup-based variant of the four-argument overload is used so
 * the status code stays available for handshake-style responses.
 *
 * @param req the current request whose URL is preserved for the post-login redirect
 * @param res the response to redirect on
 * @param sc  the servlet context used to look up the remote user mapper and the login page
 * @throws IOException if the redirect cannot be written
 */
public static void redirectToLoginPage(HttpServletRequest req, HttpServletResponse res, ServletContext sc)
        throws IOException
{
    // A configured remote user mapper indicates external authentication is in use, so a
    // plain redirect status is only safe when none is present.
    final boolean useStatusRedirect = (AuthenticationHelper.getRemoteUserMapper(sc) == null);
    redirectToLoginPage(req, res, sc, useStatusRedirect);
}
/**
 * Redirect to the Login page - saving the current URL which can be redirected back later
 * once the user has successfully completed the authentication process.
 * <p>
 * The login page URL itself is built only from server-side values (context path, Faces
 * servlet mapping and the configured login page); the requested URI and query string are
 * carried as a single URL-encoded parameter value, and only when the URI is either not a
 * Faces URI or names a JSP on the {@link #validRedirectJSP(String)} allow-list.
 *
 * @param req          the current request; its URI and (ticket-stripped) query string are preserved
 * @param res          the response to redirect on
 * @param sc           the servlet context used to look up the configured login page
 * @param sendRedirect allow a redirect status code to be set? If false, the redirect
 *                     will be via markup rather than status code (to allow the status code to be used for handshake
 *                     responses etc.)
 * @throws IOException if the redirect or the response body cannot be written
 */
public static void redirectToLoginPage(HttpServletRequest req, HttpServletResponse res, ServletContext sc, boolean sendRedirect)
        throws IOException
{
    // authentication failed - so end servlet execution and redirect to login page
    StringBuilder redirectURL = new StringBuilder(1024).append(req.getContextPath()).append(FACES_SERVLET).append(
            Application.getLoginPage(sc));

    // Pass the full requested URL as a parameter so the login page knows where to redirect to later
    String uri = req.getRequestURI();

    // if we find a JSF servlet reference in the URI then we need to check if the rest of the
    // JSP specified is valid for a redirect operation after Login has occured.
    // Precedence is A || (B && C): the parameter is added when the URI holds no Faces servlet
    // reference at all, or when it does and the JSP following it is on the validRedirectJSP
    // allow-list. A Faces URI whose JSP is not allow-listed gets no redirect parameter.
    int jspIndex;
    if (uri.indexOf(req.getContextPath() + FACES_SERVLET) == -1
            || uri.length() > (jspIndex = uri.indexOf(BaseServlet.FACES_SERVLET) + BaseServlet.FACES_SERVLET.length())
            && BaseServlet.validRedirectJSP(uri.substring(jspIndex)))
    {
        // separator depends on whether the configured login page already carries a query string
        if (redirectURL.indexOf("?") == -1)
        {
            redirectURL.append('?');
        }
        else
        {
            redirectURL.append('&');
        }
        redirectURL.append(LoginOutcomeBean.PARAM_REDIRECT_URL);
        redirectURL.append('=');
        String url = uri;

        // Append the query string if necessary
        String queryString = req.getQueryString();
        if (queryString != null)
        {
            // Strip out leading ticket arguments
            // (ARG_TICKET followed by '&': first or middle position)
            queryString = queryString.replaceAll("(?<=^|&)" + ARG_TICKET + "(=[^&=]*)?&", "");
            // Strip out trailing ticket arguments
            // (ARG_TICKET as the last or only parameter). Together these keep the ticket value
            // out of the preserved URL; presumably so a rejected ticket is not replayed after
            // login -- confirm against LoginOutcomeBean.
            queryString = queryString.replaceAll("(^|&)" + ARG_TICKET + "(=[^&=]*)?(?=&|$)", "");
            if (queryString.length() != 0)
            {
                url += "?" + queryString;
            }
        }
        // the whole preserved URL travels as one encoded parameter value
        redirectURL.append(URLEncoder.encode(url, "UTF-8"));
    }

    // If external authentication isn't in use (e.g. proxied share authentication), it's safe to return a redirect to the client
    if (sendRedirect)
    {
        res.sendRedirect(redirectURL.toString());
    }
    // Otherwise, we must signal to the client with an unauthorized status code and rely on a browser refresh to do
    // the redirect for failover login (as we do with NTLM, Kerberos)
    else
    {
        res.setContentType("text/html; charset=UTF-8");
        res.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        final PrintWriter out = res.getWriter();
        // NOTE(review): the markup written below appears to have been stripped from this copy of
        // the file (empty literals and a literal spanning a line break) -- compare with the real source.
        out.println("");
        out.println("");
        out.println("Please log in.
");
        out.println("");
        out.close();
    }
}

/**
 * Apply the headers required to disallow caching of the response in the browser
 *
 * @param res the response to mark as non-cacheable
 */
public static void setNoCacheHeaders(HttpServletResponse res)
{
    // NOTE(review): "no-cache" forces revalidation but still allows caches to store the
    // response; if the body must never be stored, "no-store" would be the stronger
    // directive -- confirm the intent before changing.
    res.setHeader("Cache-Control", "no-cache");
    // kept for HTTP/1.0 clients and intermediaries
    res.setHeader("Pragma", "no-cache");
}

/**
 * Returns true if the specified JSP file is valid for a redirect after login.
 * Only a specific sub-set of the available JSPs are valid to jump directly too after a
 * clean login attempt - e.g. those that do not require JSF bean context setup. This is
 * a limitation of the JSP architecture. The ExternalAccessServlet provides a mechanism to
 * setup the JSF bean context directly for some specific cases.
 *
 * @param jsp Filename of JSP to check, for example "/jsp/browse/browse.jsp"
 *
 * @return true if the JSP is in the list of valid direct URLs, false otherwise
 */
public static boolean validRedirectJSP(String jsp)
{
    // exact-match allow-list lookup; validRedirectJSPs is defined elsewhere in this class
    return validRedirectJSPs.contains(jsp);
}

/**
 * Resolves the given path elements to a NodeRef in the current repository
 *
 * @param context Faces context
 * @param args The elements of the path to lookup
 */
public static NodeRef resolveWebDAVPath(FacesContext context, String[] args)
{
    // decoding defaults to true for this overload
    WebApplicationContext wc = FacesContextUtils.getRequiredWebApplicationContext(context);
    return resolveWebDAVPath(wc, args, true);
}

/**
 * Resolves the given path elements to a NodeRef in the current repository
 *
 * @param context Faces context
 * @param args The elements of the path to lookup
 * @param decode True to decode the arg from UTF-8 format, false for no decoding
 */
public static NodeRef resolveWebDAVPath(FacesContext context, String[] args, boolean decode)
{
    WebApplicationContext wc = FacesContextUtils.getRequiredWebApplicationContext(context);
    return resolveWebDAVPath(wc, args, decode);
}

/**
 * Resolves the given path elements to a NodeRef in the current repository
 *
 * @param context ServletContext context
 * @param args The elements of the path to lookup
 */
public static NodeRef
resolveWebDAVPath(ServletContext context, String[] args)
{
    // decoding defaults to true for this overload
    WebApplicationContext wc = WebApplicationContextUtils.getRequiredWebApplicationContext(context);
    return resolveWebDAVPath(wc, args, true);
}

/**
 * Resolves the given path elements to a NodeRef in the current repository
 *
 * @param context ServletContext context
 * @param args The elements of the path to lookup
 * @param decode True to decode the arg from UTF-8 format, false for no decoding
 */
public static NodeRef resolveWebDAVPath(ServletContext context, String[] args, boolean decode)
{
    WebApplicationContext wc = WebApplicationContextUtils.getRequiredWebApplicationContext(context);
    return resolveWebDAVPath(wc, args, decode);
}

/**
 * Resolves the given path elements to a NodeRef in the current repository
 *
 * @param wc the web application context
 * @param args The elements of the path to lookup
 * @param decode True to decode the arg from UTF-8 format, false for no decoding
 */
private static NodeRef resolveWebDAVPath(final WebApplicationContext wc, final String[] args, final boolean decode)
{
    // NOTE(review): the body continues past the end of this excerpt; the lookup runs under
    // AuthenticationUtil.runAs, but the identity it runs as is not visible here -- confirm in the full source.
    return AuthenticationUtil.runAs(new RunAsWork