shiro-commits mailing list archives

From lhazlew...@apache.org
Subject svn commit: r745117 - in /incubator/jsecurity/trunk: ./ samples/quickstart/ samples/standalone/ web/src/org/jsecurity/web/ web/src/org/jsecurity/web/servlet/ web/src/org/jsecurity/web/session/
Date Tue, 17 Feb 2009 15:24:08 GMT
Author: lhazlewood
Date: Tue Feb 17 15:24:02 2009
New Revision: 745117

URL: http://svn.apache.org/viewvc?rev=745117&view=rev
Log:
removing project files for now (seeing errors in my IDE) - will re-add them after cleanup.
 Also added some utility methods to reduce method complexity

Removed:
    incubator/jsecurity/trunk/jsecurity.iml
    incubator/jsecurity/trunk/jsecurity.ipr
    incubator/jsecurity/trunk/samples/quickstart/quickstart.iml
    incubator/jsecurity/trunk/samples/standalone/standalone.iml
Modified:
    incubator/jsecurity/trunk/web/src/org/jsecurity/web/DefaultWebSecurityManager.java
    incubator/jsecurity/trunk/web/src/org/jsecurity/web/WebSubjectFactory.java
    incubator/jsecurity/trunk/web/src/org/jsecurity/web/WebUtils.java
    incubator/jsecurity/trunk/web/src/org/jsecurity/web/servlet/JSecurityFilter.java
    incubator/jsecurity/trunk/web/src/org/jsecurity/web/session/DefaultWebSessionManager.java

Modified: incubator/jsecurity/trunk/web/src/org/jsecurity/web/DefaultWebSecurityManager.java
URL: http://svn.apache.org/viewvc/incubator/jsecurity/trunk/web/src/org/jsecurity/web/DefaultWebSecurityManager.java?rev=745117&r1=745116&r2=745117&view=diff
==============================================================================
--- incubator/jsecurity/trunk/web/src/org/jsecurity/web/DefaultWebSecurityManager.java (original)
+++ incubator/jsecurity/trunk/web/src/org/jsecurity/web/DefaultWebSecurityManager.java Tue
Feb 17 15:24:02 2009
@@ -75,7 +75,7 @@
         this();
         setRealms(realms);
     }
-
+    
     /**
      * Sets the path used to store the remember me cookie.  This determines which paths
      * are able to view the remember me cookie.
@@ -149,7 +149,6 @@
             LifecycleUtils.destroy(getSessionManager());
             WebSessionManager sessionManager = createSessionManager(mode);
             setSessionManager(sessionManager);
-            setSubjectFactory(new WebSubjectFactory(this, sessionManager));
         }
     }
 

Modified: incubator/jsecurity/trunk/web/src/org/jsecurity/web/WebSubjectFactory.java
URL: http://svn.apache.org/viewvc/incubator/jsecurity/trunk/web/src/org/jsecurity/web/WebSubjectFactory.java?rev=745117&r1=745116&r2=745117&view=diff
==============================================================================
--- incubator/jsecurity/trunk/web/src/org/jsecurity/web/WebSubjectFactory.java (original)
+++ incubator/jsecurity/trunk/web/src/org/jsecurity/web/WebSubjectFactory.java Tue Feb 17
15:24:02 2009
@@ -85,9 +85,14 @@
     }
 
     protected Session getWebSession() {
-        ServletRequest request = WebUtils.getRequiredServletRequest();
-        ServletResponse response = WebUtils.getRequiredServletResponse();
-        return getWebSessionManager().getSession(request, response);
+        ServletRequest request = WebUtils.getServletRequest();
+        ServletResponse response = WebUtils.getServletResponse();
+        if ( request == null || response == null ) {
+            //no current web request - probably a remote method invocation that didn't come
in via a servlet request:
+            return null;
+        } else {
+            return getWebSessionManager().getSession(request, response);
+        }
     }
 
     @Override
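Review bot: getWebSession() now returns null with no log output when either the request or the response is not bound to the thread, so a deployment where JSecurityFilter never ran for the call looks exactly like the remote-invocation case the inline comment describes. Before this change the getRequired* accessors threw IllegalStateException (per their Javadoc in WebUtils), which made that kind of misconfiguration visible. I would add a trace line in the null branch, e.g. `log.trace("No thread-bound ServletRequest/ServletResponse - returning null web session.");` (assuming the class has a logger, which the hunk does not show), and give the method a Javadoc stating that null is a possible return value. The same silent fallback occurs in the createSubject hunk that follows, where `inet` can now stay null and is passed on to `super.createSubject(pc, session, authc, inet)`.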
@@ -110,7 +115,10 @@
 
         InetAddress inet = inetAddress;
         if (inet == null) {
-            inet = WebUtils.getInetAddress(WebUtils.getRequiredServletRequest());
+            ServletRequest request = WebUtils.getServletRequest();
+            if ( request != null ) {
+                inet = WebUtils.getInetAddress(request);
+            }
         }
 
         return super.createSubject(pc, session, authc, inet);

Modified: incubator/jsecurity/trunk/web/src/org/jsecurity/web/WebUtils.java
URL: http://svn.apache.org/viewvc/incubator/jsecurity/trunk/web/src/org/jsecurity/web/WebUtils.java?rev=745117&r1=745116&r2=745117&view=diff
==============================================================================
--- incubator/jsecurity/trunk/web/src/org/jsecurity/web/WebUtils.java (original)
+++ incubator/jsecurity/trunk/web/src/org/jsecurity/web/WebUtils.java Tue Feb 17 15:24:02
2009
@@ -305,6 +305,29 @@
     }
 
     /**
+     * Returns the current thread-bound {@code ServletRequest} or {@code null} if there is
not one bound.
+     * <p/>
+     * It is the case in certain enterprise environments where a web-enabled SecurityManager
(and its internal mechanisms)
+     * is the primary SecurityManager but also serves as a 'central' coordinator for security
operations in a cluster.
+     * In these environments, it is possible for a web-enabled SecurityManager to receive
remote method invocations that
+     * are not HTTP based.
+     * <p/>
+     * In these environments, we need to acquire a thread-bound ServletRequest if it exists,
but
+     * not throw an exception if one is not found (with the assumption that the incoming
call is not a web request but
+     * instead a remote method invocation).  This method exists to support these environments,
whereas the
+     * {@link #getRequiredServletRequest() getRequiredServletRequest()} method always assumes
a
+     * servlet-only environment.
+     * <p/>
+     * <b>THIS IS NOT PART OF JSECURITY'S PUBLIC API.</b>  It exists for JSecurity
implementation requirements only.
+     * 
+     * @return the current thread-bound {@code ServletRequest} or {@code null} if there is
not one bound.
+     * @since 1.0
+     */
+    public static ServletRequest getServletRequest() {
+        return (ServletRequest) ThreadContext.get(SERVLET_REQUEST_KEY);
+    }
+
+    /**
      * Convenience method that simplifies retrieval of a required thread-bound ServletRequest.
 If there is no
      * ServletRequest bound to the thread when this method is called, an <code>IllegalStateException</code>
is
      * thrown.
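Review bot: getServletRequest() is declared `public static` although its own Javadoc says it is not part of JSecurity's public API. The only caller visible in this commit is WebSubjectFactory, which is in the same org.jsecurity.web package, so package-private visibility would enforce that statement instead of relying on readers to honour it. If callers outside the package exist (not visible here), the Javadoc should at least say that a null return only means nothing is bound to the current thread and is not evidence that the call is a trusted remote invocation. The same applies to getServletResponse() in the next hunk.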
@@ -368,6 +391,29 @@
     }
 
     /**
+     * Returns the current thread-bound {@code ServletResponse} or {@code null} if there
is not one bound.
+     * <p/>
+     * It is the case in certain enterprise environments where a web-enabled SecurityManager
(and its internal mechanisms)
+     * is the primary SecurityManager but also serves as a 'central' coordinator for security
operations in a cluster.
+     * In these environments, it is possible for a web-enabled SecurityManager to receive
remote method invocations that
+     * are not HTTP based.
+     * <p/>
+     * In these environments, we need to acquire a thread-bound ServletResponse if it exists,
but
+     * not throw an exception if one is not found (with the assumption that the incoming
call is not a web request but
+     * instead a remote method invocation).  This method exists to support these environments,
whereas the
+     * {@link #getRequiredServletResponse() getRequiredServletResponse()} method always assumes
a
+     * servlet-only environment.
+     * <p/>
+     * <b>THIS IS NOT PART OF JSECURITY'S PUBLIC API.</b>  It exists for JSecurity
implementation requirements only.
+     *
+     * @return the current thread-bound {@code ServletResponse} or {@code null} if there
is not one bound.
+     * @since 1.0
+     */
+    public static ServletResponse getServletResponse() {
+        return (ServletResponse) ThreadContext.get(SERVLET_RESPONSE_KEY);
+    }
+
+    /**
      * Convenience method that simplifies retrieval of a required thread-bound ServletResponse.
 If there is no
      * ServletResponse bound to the thread when this method is called, an <code>IllegalStateException</code>
is
      * thrown.

Modified: incubator/jsecurity/trunk/web/src/org/jsecurity/web/servlet/JSecurityFilter.java
URL: http://svn.apache.org/viewvc/incubator/jsecurity/trunk/web/src/org/jsecurity/web/servlet/JSecurityFilter.java?rev=745117&r1=745116&r2=745117&view=diff
==============================================================================
--- incubator/jsecurity/trunk/web/src/org/jsecurity/web/servlet/JSecurityFilter.java (original)
+++ incubator/jsecurity/trunk/web/src/org/jsecurity/web/servlet/JSecurityFilter.java Tue Feb
17 15:24:02 2009
@@ -42,21 +42,21 @@
 
 /**
  * Main ServletFilter that configures and enables all JSecurity functions within a web application.
- *
+ * <p/>
  * The following is a fully commented example that documents how to configure it:
- *
+ * <p/>
  * <pre>&lt;filter&gt;
  * &lt;filter-name&gt;JSecurityFilter&lt;/filter-name&gt;
  * &lt;filter-class&gt;org.jsecurity.web.servlet.JSecurityFilter&lt;/filter-class&gt;
  * &lt;init-param&gt;&lt;param-name&gt;config&lt;/param-name&gt;&lt;param-value&gt;
- *
+ * <p/>
  * #NOTE:  This config looks pretty long - but its not - its only 5 lines of actual config.
  * #       Everything else is just heavily commented to explain things in-depth. Feel free
to delete any
  * #       comments that you don't want to read from your own configuration ;)
  * #
  * # Any commented values below are JSecurity's defaults.  If you want to change any values,
you only
  * # need to uncomment the lines you want to change.
- *
+ * <p/>
  * [main]
  * # The 'main' section defines JSecurity-wide configuration.
  * #
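Review bot: The `<p/>` lines that replace the blank ` *` lines from the `&lt;init-param&gt;` line onward sit inside the `<pre>` block opened at `<pre>&lt;filter&gt;`, so they become part of the sample configuration instead of acting as paragraph separators. Anyone copying the example out of the source gets literal `<p/>` lines in the config text, and block-level markup inside `<pre>` is not valid HTML. This looks like an IDE Javadoc reformat; inside the `<pre>` I would restore the plain ` *` lines and keep `<p/>` only on the two lines before `<pre>`. The same replacement appears in the hunks at -69, -112 and -158 of this file.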
@@ -69,7 +69,7 @@
  * #
  * #securityManager = {@link org.jsecurity.web.DefaultWebSecurityManager org.jsecurity.web.DefaultWebSecurityManager}
  * #securityManager.{@link org.jsecurity.web.DefaultWebSecurityManager#setSessionMode(String)
sessionMode} = http
- *
+ * <p/>
  * [filters]
  * # This section defines the 'pool' of all Filters available to the url path definitions
in the [urls] section below.
  * #
@@ -112,7 +112,7 @@
  * #
  * # Define your own filters here.  To properly handle url path matching (see the [urls]
section below), your
  * # filter should extend the {@link org.jsecurity.web.filter.PathMatchingFilter PathMatchingFilter}
abstract class.
- *
+ * <p/>
  * [urls]
  * # This section defines url path mappings.  Each mapping entry must be on a single line
and conform to the
  * # following representation:
@@ -158,14 +158,14 @@
  * # the text between the brackets as two permissions: 'remote:invoke:lan' and 'wan' instead
of the
  * # single desired 'remote:invoke:lan,wan' token.  So, you can use quotes wherever you need
to escape internal
  * # commas.)
- *
+ * <p/>
  * /account/** = <a href="#authcBasic">authcBasic</a>
  * /remoting/** = <a href="#authcBasic">authcBasic</a>, <a href="#roles">roles</a>[b2bClient],
<a href="#perms">perms</a>[remote:invoke:"lan,wan"]
- *
+ * <p/>
  * &lt;/param-value&gt;&lt;/init-param&gt;
  * &lt;/filter&gt;
- *
- *
+ * <p/>
+ * <p/>
  * &lt;filter-mapping&gt;
  * &lt;filter-name&gt;JSecurityFilter&lt;/filter-name&gt;
  * &lt;url-pattern&gt;/*&lt;/url-pattern&gt;
@@ -185,7 +185,7 @@
     public static final String CONFIG_INIT_PARAM_NAME = "config";
     public static final String CONFIG_URL_INIT_PARAM_NAME = "configUrl";
 
-    private static final Log log = LogFactory.getLog(JSecurityFilter.class);    
+    private static final Log log = LogFactory.getLog(JSecurityFilter.class);
 
     protected String config;
     protected String configUrl;
@@ -238,7 +238,7 @@
         if (sm == null) {
             if (log.isInfoEnabled()) {
                 log.info("Configuration instance [" + config + "] did not provide a SecurityManager.
 No config " +
-                        "specified?  Defaulting to a " + DefaultWebSecurityManager.class.getName()
+ " instance...");
+                    "specified?  Defaulting to a " + DefaultWebSecurityManager.class.getName()
+ " instance...");
             }
             sm = new DefaultWebSecurityManager();
         }
@@ -255,8 +255,8 @@
                 this.configClassName = configCN;
             } else {
                 String msg = "configClassName fully qualified class name value [" + configCN
+ "] is not " +
-                        "available in the classpath.  Please ensure you have typed it correctly
and the " +
-                        "corresponding class or jar is in the classpath.";
+                    "available in the classpath.  Please ensure you have typed it correctly
and the " +
+                    "corresponding class or jar is in the classpath.";
                 throw new ConfigurationException(msg);
             }
         }
@@ -277,7 +277,7 @@
     protected void applyFilterConfig(WebConfiguration conf) {
         if (log.isDebugEnabled()) {
             String msg = "Attempting to inject the FilterConfig (using 'setFilterConfig'
method) into the " +
-                    "instantiated WebConfiguration for any wrapped Filter initialization...";
+                "instantiated WebConfiguration for any wrapped Filter initialization...";
             log.debug(msg);
         }
         try {
@@ -301,9 +301,9 @@
                     PropertyUtils.setProperty(conf, "config", this.config);
                 } else {
                     String msg = "The 'config' filter param was specified, but there is no
" +
-                            "'setConfig(String)' method on the Configuration instance ["
+ conf + "].  If you do " +
-                            "not require the 'config' filter param, please comment it out,
or if you do need it, " +
-                            "please ensure your Configuration instance has a 'setConfig(String)'
method to receive it.";
+                        "'setConfig(String)' method on the Configuration instance [" + conf
+ "].  If you do " +
+                        "not require the 'config' filter param, please comment it out, or
if you do need it, " +
+                        "please ensure your Configuration instance has a 'setConfig(String)'
method to receive it.";
                     throw new ConfigurationException(msg);
                 }
             } catch (Exception e) {
@@ -322,9 +322,9 @@
                     PropertyUtils.setProperty(conf, "configUrl", this.configUrl);
                 } else {
                     String msg = "The 'configUrl' filter param was specified, but there is
no " +
-                            "'setConfigUrl(String)' method on the Configuration instance
[" + conf + "].  If you do " +
-                            "not require the 'configUrl' filter param, please comment it
out, or if you do need it, " +
-                            "please ensure your Configuration instance has a 'setConfigUrl(String)'
method to receive it.";
+                        "'setConfigUrl(String)' method on the Configuration instance [" +
conf + "].  If you do " +
+                        "not require the 'configUrl' filter param, please comment it out,
or if you do need it, " +
+                        "please ensure your Configuration instance has a 'setConfigUrl(String)'
method to receive it.";
                     throw new ConfigurationException(msg);
                 }
             } catch (Exception e) {
@@ -347,26 +347,69 @@
         return WebUtils.getInetAddress(request);
     }
 
-    protected void doFilterInternal(ServletRequest servletRequest, ServletResponse servletResponse,
-                                    FilterChain origChain) throws ServletException, IOException
{
+    /**
+     * Wraps the original HttpServletRequest in a {@link JSecurityHttpServletRequest}
+     * @since 1.0
+     */
+    protected ServletRequest wrapServletRequest(HttpServletRequest orig) {
+        return new JSecurityHttpServletRequest(orig, getServletContext(), isHttpSessions());
+    }
 
-        HttpServletRequest request = (HttpServletRequest) servletRequest;
-        HttpServletResponse response = (HttpServletResponse) servletResponse;
+    /** @since 1.0 */
+    protected ServletRequest prepareServletRequest(ServletRequest request, ServletResponse
response,
+                                                   FilterChain chain) {
+        ServletRequest toUse = request;
+        if (request instanceof HttpServletRequest) {
+            HttpServletRequest http = (HttpServletRequest) request;
+            toUse = wrapServletRequest(http);
+        }
+        return toUse;
+    }
 
-        ThreadContext.bind(getInetAddress(request));
+    /** @since 1.0 */
+    protected ServletResponse wrapServletResponse(HttpServletResponse orig, JSecurityHttpServletRequest
request) {
+        return new JSecurityHttpServletResponse(orig, getServletContext(), request);
+    }
 
-        boolean httpSessions = isHttpSessions();
-        request = new JSecurityHttpServletRequest(request, getServletContext(), httpSessions);
-        if (!httpSessions) {
+    /** @since 1.0 */
+    protected ServletResponse prepareServletResponse(ServletRequest request, ServletResponse
response,
+                                                     FilterChain chain) {
+        ServletResponse toUse = response;
+        if (isHttpSessions() && (request instanceof JSecurityHttpServletRequest)
&&
+            (response instanceof HttpServletResponse)) {
             //the JSecurityHttpServletResponse exists to support URL rewriting for session
ids.  This is only needed if
             //using JSecurity sessions (i.e. not simple HttpSession based sessions):
-            response = new JSecurityHttpServletResponse(response, getServletContext(), (JSecurityHttpServletRequest)
request);
+            toUse = wrapServletResponse((HttpServletResponse) response, (JSecurityHttpServletRequest)
request);
         }
+        return toUse;
+    }
 
+    /** @since 1.0 */
+    protected void bind(ServletRequest request, ServletResponse response) {
+        WebUtils.bindInetAddressToThread(request);
         WebUtils.bind(request);
         WebUtils.bind(response);
         ThreadContext.bind(getSecurityManager());
         ThreadContext.bind(getSecurityManager().getSubject());
+    }
+
+    /** @since 1.0 */
+    protected void unbind(ServletRequest request, ServletResponse response) {
+        //arguments ignored, just clear the thread:
+        ThreadContext.unbindSubject();
+        ThreadContext.unbindSecurityManager();
+        WebUtils.unbindServletResponse();
+        WebUtils.unbindServletRequest();
+        ThreadContext.unbindInetAddress();
+    }
+
+    protected void doFilterInternal(ServletRequest servletRequest, ServletResponse servletResponse,
+                                    FilterChain origChain) throws ServletException, IOException
{
+
+        ServletRequest request = prepareServletRequest(servletRequest, servletResponse, origChain);
+        ServletResponse response = prepareServletResponse(request, servletResponse, origChain);
+
+        bind(request, response);
 
         FilterChain chain = getConfiguration().getChain(request, response, origChain);
         if (chain == null) {
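Review bot: The condition in prepareServletResponse() is inverted relative to the code it replaces. The removed block wrapped the response under `if (!httpSessions)`, and the retained comment says the wrapper is only needed when using JSecurity sessions, but the new line tests `isHttpSessions() && ...`. As written, the URL-rewriting JSecurityHttpServletResponse is applied in HttpSession mode and skipped in native-session mode, which changes how session ids are carried for both modes. The first line of the condition should read `if (!isHttpSessions() && (request instanceof JSecurityHttpServletRequest) &&`. doFilterInternal continues past the end of this hunk.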
@@ -383,11 +426,7 @@
         try {
             chain.doFilter(request, response);
         } finally {
-            ThreadContext.unbindSubject();
-            ThreadContext.unbindSecurityManager();
-            WebUtils.unbindServletResponse();
-            WebUtils.unbindServletRequest();
-            ThreadContext.unbindInetAddress();
+            unbind(request, response);
         }
     }
 
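Review bot: unbind(request, response) in this `finally` only runs once execution has entered the `try`, but bind(request, response) and getConfiguration().getChain(...) are called earlier in doFilterInternal (previous hunk) and, as far as the visible lines show, outside it. If getChain() or anything between the two hunks throws, the Subject and SecurityManager stay bound to a container thread that will later serve a different request. I would open the `try` immediately after `bind(request, response);` so the `finally` also covers chain resolution. The lines between the hunks are not visible here, so this should be confirmed against the full method.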

Modified: incubator/jsecurity/trunk/web/src/org/jsecurity/web/session/DefaultWebSessionManager.java
URL: http://svn.apache.org/viewvc/incubator/jsecurity/trunk/web/src/org/jsecurity/web/session/DefaultWebSessionManager.java?rev=745117&r1=745116&r2=745117&view=diff
==============================================================================
--- incubator/jsecurity/trunk/web/src/org/jsecurity/web/session/DefaultWebSessionManager.java
(original)
+++ incubator/jsecurity/trunk/web/src/org/jsecurity/web/session/DefaultWebSessionManager.java
Tue Feb 17 15:24:02 2009
@@ -229,7 +229,8 @@
         return sessionId;
     }
 
-    public Session retrieveSession(Serializable sessionId) throws InvalidSessionException,
AuthorizationException {
+    @Override
+    protected Session retrieveSession(Serializable sessionId) throws InvalidSessionException,
AuthorizationException {
         if (sessionId != null) {
             return super.retrieveSession(sessionId);
         } else {


