21 package org.apache.struts2.interceptor;
22
23 import java.util.ArrayList;
24 import java.util.Arrays;
25 import java.util.Collections;
26 import java.util.List;
27
28 import javax.servlet.http.HttpServletRequest;
29 import javax.servlet.http.HttpServletResponse;
30
31 import com.opensymphony.xwork2.ActionInvocation;
32 import com.opensymphony.xwork2.interceptor.AbstractInterceptor;
33
34 import org.apache.struts2.ServletActionContext;
35
/**
 * <!-- START SNIPPET: description --> This interceptor ensures that the action
 * will only be executed if the user has the correct role.
 * <!-- END SNIPPET: description -->
 *
 * <p/> <u>Interceptor parameters:</u>
 *
 * <!-- START SNIPPET: parameters -->
 *
 * <ul>
 *
 * <li>allowedRoles - a comma-separated list of roles to allow</li>
 *
 * <li>disallowedRoles - a comma-separated list of roles to disallow</li>
 *
 * </ul>
 *
 * <!-- END SNIPPET: parameters -->
 *
 * <!-- START SNIPPET: extending --> There are two extension points in this
 * interceptor:
 * <ul>
 * <li>isAllowed(HttpServletRequest,Object) - decides whether the action
 * execution is allowed for this request</li>
 * <li>handleRejection(ActionInvocation,HttpServletResponse) - handles an
 * unauthorized request.</li>
 * </ul>
 * <!-- END SNIPPET: extending -->
 *
 * <pre>
 * <!-- START SNIPPET: example -->
 * <!-- only allows the admin and member roles -->
 * <action name="someAction" class="com.examples.SomeAction">
 * <interceptor-ref name="completeStack"/>
 * <interceptor-ref name="roles">
 * <param name="allowedRoles">admin,member</param>
 * </interceptor-ref>
 * <result name="success">good_result.ftl</result>
 * </action>
 * <!-- END SNIPPET: example -->
 * </pre>
 */
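public class RolesInterceptor extends AbstractInterceptor {

    /**
     * Roles of which the caller must hold at least one. An empty list means
     * "no allow-list": every caller not hit by {@link #disallowedRoles} passes.
     */
    private List<String> allowedRoles = new ArrayList<String>();

    /**
     * Roles that always deny access. The deny-list is evaluated before the
     * allow-list, so a caller holding both an allowed and a disallowed role
     * is rejected.
     */
    private List<String> disallowedRoles = new ArrayList<String>();

    // NOTE(review): interceptor instances are normally shared across requests;
    // the setters below are expected to run only during configuration, before
    // any request is intercepted — confirm with the container setup.

    /**
     * Sets the allow-list.
     *
     * @param roles comma-separated role names; {@code null} clears the list
     */
    public void setAllowedRoles(String roles) {
        this.allowedRoles = stringToList(roles);
    }

    /**
     * Sets the deny-list.
     *
     * @param roles comma-separated role names; {@code null} clears the list
     */
    public void setDisallowedRoles(String roles) {
        this.disallowedRoles = stringToList(roles);
    }

    /**
     * Invokes the action only when {@link #isAllowed} accepts the current
     * request; otherwise delegates to {@link #handleRejection}.
     *
     * @param invocation the action invocation
     * @return the result code of the action, or whatever
     *         {@link #handleRejection} returns on rejection
     * @throws Exception propagated from the action or from the rejection handler
     */
    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        HttpServletRequest request = ServletActionContext.getRequest();
        HttpServletResponse response = ServletActionContext.getResponse();
        if (!isAllowed(request, invocation.getAction())) {
            return handleRejection(invocation, response);
        }
        return invocation.invoke();
    }

    /**
     * Splits a comma-separated string into a list.
     *
     * <p>Entries are kept verbatim, including empty ones, so a malformed value
     * such as {@code ""} or {@code "admin,,member"} can only ever match fewer
     * roles than intended, never more (an empty role name matches nobody).
     *
     * @param val the comma-separated string; spaces around commas are dropped
     * @return the entries in order, or an empty list for {@code null}
     */
    protected List<String> stringToList(String val) {
        if (val == null) {
            // Typed empty list instead of the raw Collections.EMPTY_LIST.
            return Collections.emptyList();
        }
        String[] roles = val.split("[ ]*,[ ]*");
        return Arrays.asList(roles);
    }

    /**
     * Determines whether the request may execute the action.
     *
     * <p>Evaluation order: any disallowed role held by the caller denies
     * access outright; otherwise, with no allow-list configured, access is
     * granted; otherwise the caller must hold at least one allowed role.
     * Previously the deny-list was ignored whenever an allow-list was set,
     * which silently granted access to callers holding a disallowed role.
     *
     * @param request the request, used for {@code isUserInRole} checks
     * @param action  the action object (unused here; available to subclasses)
     * @return {@code true} if allowed, {@code false} otherwise
     */
    protected boolean isAllowed(HttpServletRequest request, Object action) {
        // Deny-list wins over the allow-list.
        for (String role : disallowedRoles) {
            if (request.isUserInRole(role)) {
                return false;
            }
        }
        // No allow-list: everything not explicitly denied passes.
        if (allowedRoles.isEmpty()) {
            return true;
        }
        for (String role : allowedRoles) {
            if (request.isUserInRole(role)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Handles a rejection by sending a 403 (Forbidden) HTTP error.
     *
     * @param invocation the invocation that was rejected
     * @param response   the response to send the error on; must not be
     *                   committed yet, since {@code sendError} throws
     *                   {@code IllegalStateException} on a committed response
     * @return {@code null}, meaning no Struts result is rendered
     * @throws Exception if sending the error fails
     */
    protected String handleRejection(ActionInvocation invocation,
            HttpServletResponse response) throws Exception {
        response.sendError(HttpServletResponse.SC_FORBIDDEN);
        return null;
    }
}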