
1   package org.appfuse.webapp.interceptor;
2   
3   import com.opensymphony.xwork2.ActionInvocation;
4   import com.opensymphony.xwork2.interceptor.Interceptor;
5   import org.apache.struts2.ServletActionContext;
6   
7   import javax.servlet.ServletException;
8   import javax.servlet.http.HttpServletRequest;
9   import javax.servlet.http.HttpServletResponse;
10  import java.io.IOException;
11  
12  /**
13   * Security interceptor checks to see if users are in the specified roles
14   * before proceeding.  Similar to Spring's UserRoleAuthorizationInterceptor.
15   *
16   * @author <a href="mailto:matt@raibledesigns.com">Matt Raible</a>
17   * @see org.springframework.web.servlet.handler.UserRoleAuthorizationInterceptor
18   */
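public class UserRoleAuthorizationInterceptor implements Interceptor {
    private static final long serialVersionUID = 5067790608840427509L;

    /**
     * Roles that grant access to the intercepted action. A {@code null} value
     * (nothing configured) authorizes nobody: every request is rejected with 403.
     */
    private String[] authorizedRoles;

    /**
     * Intercept the action invocation and check to see if the user has the proper role.
     *
     * <p>Access is granted when the container reports the current user in at least one
     * configured role. Otherwise — including when no roles are configured, or when the
     * user is not authenticated at all (the container's {@code isUserInRole} then returns
     * {@code false}) — the action is not invoked and {@link #handleNotAuthorized} is called
     * instead, so the interceptor fails closed.
     *
     * @param invocation the current action invocation
     * @return the action's result code, or null after setting HttpServletResponse.SC_FORBIDDEN
     * @throws Exception when setting the error on the response fails, or when the
     *         invoked action itself throws
     */
    public String intercept(ActionInvocation invocation) throws Exception {
        HttpServletRequest request = ServletActionContext.getRequest();

        if (this.authorizedRoles != null) {
            for (String authorizedRole : this.authorizedRoles) {
                // First matching role wins; the container decides what "in role" means.
                if (request.isUserInRole(authorizedRole)) {
                    return invocation.invoke();
                }
            }
        }

        HttpServletResponse response = ServletActionContext.getResponse();
        handleNotAuthorized(request, response);
        return null;
    }

    /**
     * Set the roles that this interceptor should treat as authorized.
     *
     * <p>The array is copied so that later modification of the caller's array cannot
     * silently widen or narrow the set of roles this interceptor accepts.
     *
     * @param authorizedRoles array of role names; {@code null} means no role is authorized
     */
    public final void setAuthorizedRoles(String[] authorizedRoles) {
        this.authorizedRoles = (authorizedRoles == null) ? null : authorizedRoles.clone();
    }

    /**
     * Handle a request that is not authorized according to this interceptor.
     * Default implementation sends HTTP status code 403 ("forbidden").
     *
     * <p>This method can be overridden to write a custom message, forward or
     * redirect to some error page or login page, or throw a ServletException.
     * Overrides should not reveal which roles would have been required.
     *
     * @param request current HTTP request
     * @param response current HTTP response
     * @throws javax.servlet.ServletException if there is an internal error
     * @throws java.io.IOException in case of an I/O error when writing the response
     */
    protected void handleNotAuthorized(HttpServletRequest request,
                                       HttpServletResponse response)
    throws ServletException, IOException {
        response.sendError(HttpServletResponse.SC_FORBIDDEN);
    }

    /**
     * Lifecycle callback from {@link Interceptor}; this interceptor holds no
     * resources, so there is nothing to release.
     */
    public void destroy() {
    }

    /**
     * Lifecycle callback from {@link Interceptor}; roles are supplied through
     * {@link #setAuthorizedRoles}, so no initialization is needed here.
     */
    public void init() {
    }
}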