DefaultSecurityCheckResourceServletInterceptor (Oracle Fusion Middleware Java API for Oracle WebLogic Portal)

Overview

Package

Class

Tree

Deprecated

Index

Help

PREV CLASS NEXT CLASS

FRAMES NO FRAMES

SUMMARY: NESTED | FIELD | CONSTR | METHOD

DETAIL: FIELD | CONSTR | METHOD

com.bea.wsrp.consumer.resource
Class DefaultSecurityCheckResourceServletInterceptor

java.lang.Object com.bea.wsrp.consumer.resource.DefaultSecurityCheckResourceServletInterceptor

All Implemented Interfaces: IResourceServletInterceptor

Direct Known Subclasses:: WsrpResourceServletInterceptor

public abstract class DefaultSecurityCheckResourceServletInterceptor

extends Object

implements IResourceServletInterceptor

The default base interceptor class for WSRP and Clipper resources. The class is responsible for checking security via white & black lists and the security token. Additionally, this class will handle error codes & messages and set response headers.

Constructor Summary
`DefaultSecurityCheckResourceServletInterceptor()`

Method Summary
`protected Pattern`	`createPattern(javax.servlet.ServletConfig config, String initParamName)` Create a RE Pattern
`protected abstract void`	`filterResponseHeaders(Map<String,List<String>> headers)` Filter the headers sent to the client on the response
`protected PortletParameters`	`getAdditionalSecurityParameters()` Get any additional security parameters to pass to SecurityTokenUtils.isSecurityTokenValid()
`String`	`getErrorMessage()` Get the error message if set
`static Set<Pattern>`	`getForwardBlackList()` Get the list or forward black-list patterns
`protected Set<Pattern>`	`getForwardWhiteList()` Get the list or forward white-list patterns
`int`	`getStatusCode()` Get the response's status code
`protected Set<Pattern>`	`getTargetUrlBlackList()` Get the list or target-URL black-list patterns
`protected Set<Pattern>`	`getTargetUrlWhiteList()` Get the list or target-URL white-list patterns
`protected boolean`	`isForwardPathAllowed(IResourceServletRequestContext requestContext)` Is the forward path allowed by the white & black lists
`protected boolean`	`isSecurityTokenValid(IResourceServletRequestContext requestContext)` Check if the security token in URL is valid
`protected boolean`	`isTargetUrlAllowed(IResourceServletRequestContext requestContext)` Do a security check (white & black list) on a target URL
`protected boolean`	`isTargetUrlNotMatchedByListsAllowed(IResourceServletRequestContext requestContext)` This method is called when a target URL (not called on forward) is in neither the white-list nor the black-list.
`protected boolean`	`matchesPatterns(Collection<Pattern> patterns, String input)` Does input match one of patterns
`Status.OnIOFailure`	`onIOFailure(IResourceServletRequestContext requestContext, IResourceServletResponseContext responseContext, Throwable t)` Handle and IOFailure
`void`	`onServletDestroy()` Cleans up the white & black lists
`void`	`onServletInit(javax.servlet.ServletConfig config)` Sets up the white and black lists
`Status.PostInvoke`	`postInvoke(IResourceServletRequestContext requestContext, IResourceServletResponseContext responseContext)` Called after the forward or target URL has happened Set the response contexts's status code error message headers
`Status.PreInvoke`	`preInvoke(IResourceServletRequestContext requestContext)` Setup the request context & do security checks
`protected Status.PreInvoke`	`preInvokeSecurityCheck(IResourceServletRequestContext requestContext)` Check the security token, white and black lists
`protected abstract Status.PreInvoke`	`preInvokeSetupRequestContext(IResourceServletRequestContext requestContext)` Setup the request context
`void`	`setErrorMessage(String errorMessage)` Set the response's error message
`void`	`setStatusCode(int statusCode)` Set the response's status code

Methods inherited from class java.lang.Object
`clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait`

Constructor Detail

DefaultSecurityCheckResourceServletInterceptor

public DefaultSecurityCheckResourceServletInterceptor()

Method Detail

onIOFailure

public Status.OnIOFailure onIOFailure(IResourceServletRequestContext requestContext,
                                      IResourceServletResponseContext responseContext,
                                      Throwable t)

Handle and IOFailure

Specified by:: onIOFailure in interface IResourceServletInterceptor

Parameters: requestContext - The current request context; responseContext - The current response context; t - the error or exception
Returns: OnIOFailure.CONTINUE_CHAIN

onServletDestroy

public void onServletDestroy()

Cleans up the white & black lists

Specified by:: onServletDestroy in interface IResourceServletInterceptor

onServletInit

public void onServletInit(javax.servlet.ServletConfig config)
                   throws javax.servlet.ServletException

Sets up the white and black lists

Specified by:: onServletInit in interface IResourceServletInterceptor

Parameters: config - the servlet config for getting init-params
Throws: javax.servlet.ServletException - If the interceptor throws an ServletException it will be handled by the servlet container.

createPattern

protected Pattern createPattern(javax.servlet.ServletConfig config,
                                String initParamName)

Create a RE Pattern

Parameters: config - the servlet's config to get the initParam from; initParamName - the initParam's name
Returns: the compiled Pattern or null if its not set

postInvoke

public Status.PostInvoke postInvoke(IResourceServletRequestContext requestContext,
                                    IResourceServletResponseContext responseContext)
                             throws IOException

Called after the forward or target URL has happened Set the response contexts's status code error message headers

Specified by:: postInvoke in interface IResourceServletInterceptor

Parameters: requestContext - The request context; responseContext - The response context
Returns: PostInvoke.CONTINUE_CHAIN
Throws: IOException - If there's an issue getting data from the URL connection
See Also: filterResponseHeaders(Map)

preInvoke

public Status.PreInvoke preInvoke(IResourceServletRequestContext requestContext)
                           throws IOException

Setup the request context & do security checks

Specified by:: preInvoke in interface IResourceServletInterceptor

Parameters: requestContext - The request context
Returns: CONTINUE_CHAIN or SKIP_REQUEST_ABORT_CHAIN if security checks fail
Throws: IOException - If there's a problem setting up the URL Connection

preInvokeSetupRequestContext

protected abstract Status.PreInvoke preInvokeSetupRequestContext(IResourceServletRequestContext requestContext)
                                                          throws IOException

Setup the request context

Parameters: requestContext - the existing un-set (other than request, response and servlet context) request context
Returns: A PreEnvoke appropriate for this request
Throws: IOException - If there's a problem setting up the request context

preInvokeSecurityCheck

protected Status.PreInvoke preInvokeSecurityCheck(IResourceServletRequestContext requestContext)
                                           throws IOException

Check the security token, white and black lists

Parameters: requestContext - The request context
Returns: CONTINUE_CHAIN if OK or SKIP_REQUEST_ABORT_CHAIN if not (also set the response code to SC_FORBIDDEN and an apropriate error message)
Throws: IOException - If there's an error checking the security token

isSecurityTokenValid

protected boolean isSecurityTokenValid(IResourceServletRequestContext requestContext)
                                throws IOException

Check if the security token in URL is valid

Parameters: requestContext - The request token
Returns: true if its valid
Throws: IOException - If there's an error checking the security token

getAdditionalSecurityParameters

protected PortletParameters getAdditionalSecurityParameters()

Get any additional security parameters to pass to SecurityTokenUtils.isSecurityTokenValid()

Returns: null or a PortletParameters object

isTargetUrlAllowed

protected boolean isTargetUrlAllowed(IResourceServletRequestContext requestContext)

Do a security check (white & black list) on a target URL

Parameters: requestContext - The request context
Returns: true if the URL is allowed
See Also: isTargetUrlNotMatchedByListsAllowed(IResourceServletRequestContext)

isTargetUrlNotMatchedByListsAllowed

protected boolean isTargetUrlNotMatchedByListsAllowed(IResourceServletRequestContext requestContext)

This method is called when a target URL (not called on forward) is in neither the white-list nor the black-list. This allows a subclass to allow additional URLs based on its needs. This method will be called during preInvoke().

Parameters: requestContext - the request's context to get the URL from.
Returns: by default false. Is intended to be overridden to allow additional URLs.
See Also: preInvoke(IResourceServletRequestContext), IResourceServletRequestContext.getTargetURL()

isForwardPathAllowed

protected boolean isForwardPathAllowed(IResourceServletRequestContext requestContext)

Is the forward path allowed by the white & black lists

Parameters: requestContext - the request contexyt
Returns: true if the forward path is allowed

matchesPatterns

protected boolean matchesPatterns(Collection<Pattern> patterns,
                                  String input)

Does input match one of patterns

Parameters: patterns - The patterns to check against; input - the string to check
Returns: true if input matches any pattern

getTargetUrlWhiteList

protected Set<Pattern> getTargetUrlWhiteList()

Get the list or target-URL white-list patterns

Returns: the patterns

getTargetUrlBlackList

protected Set<Pattern> getTargetUrlBlackList()

Get the list or target-URL black-list patterns

Returns: the patterns

getForwardWhiteList

protected Set<Pattern> getForwardWhiteList()

Get the list or forward white-list patterns

Returns: the patterns

getErrorMessage

public String getErrorMessage()

Get the error message if set

Returns: the error message or null

setErrorMessage

public void setErrorMessage(String errorMessage)

Set the response's error message

Parameters: errorMessage -

getForwardBlackList

public static Set<Pattern> getForwardBlackList()

Get the list or forward black-list patterns

Returns: the patterns

getStatusCode

public int getStatusCode()

Get the response's status code

Returns: the status code (200 by default)

setStatusCode

public void setStatusCode(int statusCode)

Set the response's status code

Parameters: statusCode -

filterResponseHeaders

protected abstract void filterResponseHeaders(Map<String,List<String>> headers)

Filter the headers sent to the client on the response

Parameters: headers - a mutable set of HTTP headers