com.neurosys.filters

Class AjaxSiteSessionSecurityFilter

java.lang.Object

org.springframework.web.filter.GenericFilterBean

org.springframework.web.filter.OncePerRequestFilter

com.neurosys.amorphous.security.filter.AjaxSecurityFilter

com.neurosys.filters.AjaxSiteSessionSecurityFilter

All Implemented Interfaces:

javax.servlet.Filter, org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.context.EnvironmentAware, org.springframework.web.context.ServletContextAware

public class AjaxSiteSessionSecurityFilter
extends AjaxSecurityFilter

AjaxSecurityFilter for our framework & security strategies aligned with the "site" module.
Ties the security mechanism with the sites session; so a user logged in automatically can avail and the one not logged in is blocked.

Author:

Arjun Dhar

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
class	AjaxSiteSessionSecurityFilter.KeyAsSessionIdTransformer Check request for query param authKeyParamName. By default will compare to a valid session id. BY DEFAULT THIS LOOPS THROUGH ALL SESSIONS SO NOT IDEAL FOR PRODUCTION.

Field Summary

Fields inherited from class org.springframework.web.filter.OncePerRequestFilter

ALREADY_FILTERED_SUFFIX

Fields inherited from class org.springframework.web.filter.GenericFilterBean

logger

Constructor Summary

Constructors

Constructor and Description
AjaxSiteSessionSecurityFilter()

Method Summary

Modifier and Type	Method and Description
protected Principal	getPrincipal(javax.servlet.http.HttpServletRequest request) There can be many methods, session, cookie etc..
Class<Principal>	getPrincipalTypeRequired() If Principal user derived is not of type principalTypeRequired then IAuthorizationService.AuthState.DENY
void	initFilterBean()
protected boolean	isRequestForAuthKeyValid(javax.servlet.http.HttpServletRequest request) Check request for query param authKeyParamName. By default will compare to a valid session id. BY DEFAULT THIS LOOPS THROUGH ALL SESSIONS SO NOT IDEAL FOR PRODUCTION.
protected boolean	isRequestForSessionValid(javax.servlet.http.HttpServletRequest request) Check if the request targeted to the Service, is bound to a valid session.
protected boolean	isRequestValid(javax.servlet.http.HttpServletRequest request) Check if the request is valid based on the user logged in, or authentication/authorized to use this service.
void	setAuthKeyParamName(String authKeyParamName) Allow a request param called that can pass in auth key, instead of relying on session. This represents the name of the query param.
void	setAuthorizations(String authorizatonSetJSONString) Any/Atleast-one of the authorizations should be with the user
void	setKeyValidationTransformerBeanName(String keyValidationTransformerBeanName) Bean name of the Spring instantiated FunctionTransformer keyValidationTransformer.
void	setModuleName(String moduleName)
void	setPrincipalTypeRequired(Class<Principal> principalTypeRequired) If Principal user derived is not of type principalTypeRequired then IAuthorizationService.AuthState.DENY

Methods inherited from class com.neurosys.amorphous.security.filter.AjaxSecurityFilter

doFilterInternal, isAjaxRequest, setAjaxRequestTokens, setLoginPageRedirectUrl, setRejectIfNotAjax

Methods inherited from class org.springframework.web.filter.OncePerRequestFilter

doFilter, getAlreadyFilteredAttributeName, isAsyncDispatch, isAsyncStarted, shouldNotFilter, shouldNotFilterAsyncDispatch, shouldNotFilterErrorDispatch

Methods inherited from class org.springframework.web.filter.GenericFilterBean

addRequiredProperty, afterPropertiesSet, destroy, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, setBeanName, setEnvironment, setServletContext

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

AjaxSiteSessionSecurityFilter

public AjaxSiteSessionSecurityFilter()

Method Detail

setAuthKeyParamName

public void setAuthKeyParamName(String authKeyParamName)

Allow a request param called that can pass in auth key, instead of relying on session.
This represents the name of the query param.

See Also:

isRequestForAuthKeyValid(HttpServletRequest)

Default value:

null

initFilterBean

public void initFilterBean()
                    throws javax.servlet.ServletException

Overrides:

initFilterBean in class org.springframework.web.filter.GenericFilterBean

Throws:

javax.servlet.ServletException

setAuthorizations

public void setAuthorizations(String authorizatonSetJSONString)

Any/Atleast-one of the authorizations should be with the user

Parameters:

config -

setModuleName

public void setModuleName(String moduleName)

isRequestForSessionValid

protected boolean isRequestForSessionValid(javax.servlet.http.HttpServletRequest request)
                                    throws org.springframework.security.access.AuthorizationServiceException

Check if the request targeted to the Service, is bound to a valid session.

Returns:

boolean

Throws:

org.springframework.security.access.AuthorizationServiceException

isRequestForAuthKeyValid

protected boolean isRequestForAuthKeyValid(javax.servlet.http.HttpServletRequest request)
                                    throws org.springframework.security.access.AuthorizationServiceException

Check request for query param authKeyParamName.
By default will compare to a valid session id.
BY DEFAULT THIS LOOPS THROUGH ALL SESSIONS SO NOT IDEAL FOR PRODUCTION. CONFIGURE ONLY FOR TEST SERVER(S)

Parameters:

request - as HttpServletRequest

Returns:

boolean

Throws:

org.springframework.security.access.AuthorizationServiceException

See Also:

authKeyParamName

isRequestValid

protected boolean isRequestValid(javax.servlet.http.HttpServletRequest request)
                          throws org.springframework.security.access.AuthorizationServiceException

Description copied from class: AjaxSecurityFilter

Check if the request is valid based on the user logged in, or authentication/authorized to use this service.
How the validity is defined is based on the implementation class. It maybe session related or service token dependent.

Specified by:

isRequestValid in class AjaxSecurityFilter

Returns:

Throws:

org.springframework.security.access.AuthorizationServiceException

getPrincipal

protected Principal getPrincipal(javax.servlet.http.HttpServletRequest request)

Description copied from class: AjaxSecurityFilter

There can be many methods, session, cookie etc.. ways to determine the principal. Determine the principal (user)

Specified by:

getPrincipal in class AjaxSecurityFilter

Returns:

@nullable true

getPrincipalTypeRequired

public Class<Principal> getPrincipalTypeRequired()

If Principal user derived is not of type principalTypeRequired then IAuthorizationService.AuthState.DENY

Can be null:

true implies no preference

Default value:

null

setPrincipalTypeRequired

public void setPrincipalTypeRequired(Class<Principal> principalTypeRequired)

If Principal user derived is not of type principalTypeRequired then IAuthorizationService.AuthState.DENY

Can be null:

true implies no preference

Default value:

null

setKeyValidationTransformerBeanName

public void setKeyValidationTransformerBeanName(String keyValidationTransformerBeanName)

Bean name of the Spring instantiated FunctionTransformer keyValidationTransformer.

See Also:

keyValidationTransformer

Can be null:

true

Default value:

If authKeyParamName is deinfed then this defaults to AjaxSiteSessionSecurityFilter.KeyAsSessionIdTransformer