aboutsummaryrefslogtreecommitdiffstats
path: root/core/src/main/java/org/onap/aaf/cadi/filter/CadiFilter.java
diff options
context:
space:
mode:
Diffstat (limited to 'core/src/main/java/org/onap/aaf/cadi/filter/CadiFilter.java')
-rw-r--r--core/src/main/java/org/onap/aaf/cadi/filter/CadiFilter.java305
1 files changed, 0 insertions, 305 deletions
diff --git a/core/src/main/java/org/onap/aaf/cadi/filter/CadiFilter.java b/core/src/main/java/org/onap/aaf/cadi/filter/CadiFilter.java
deleted file mode 100644
index 0b8bb8f..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/filter/CadiFilter.java
+++ /dev/null
@@ -1,305 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.filter;
-
-import java.io.IOException;
-import java.lang.reflect.Constructor;
-import java.util.ArrayList;
-import java.util.List;
-
-import javax.servlet.Filter;
-import javax.servlet.FilterChain;
-import javax.servlet.FilterConfig;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.onap.aaf.cadi.Access;
-import org.onap.aaf.cadi.CadiException;
-import org.onap.aaf.cadi.CadiWrap;
-import org.onap.aaf.cadi.Lur;
-import org.onap.aaf.cadi.PropAccess;
-import org.onap.aaf.cadi.ServletContextAccess;
-import org.onap.aaf.cadi.TrustChecker;
-import org.onap.aaf.cadi.Access.Level;
-import org.onap.aaf.cadi.config.Config;
-import org.onap.aaf.cadi.config.Get;
-import org.onap.aaf.cadi.taf.TafResp;
-import org.onap.aaf.cadi.taf.TafResp.RESP;
-
-/**
- * CadiFilter
- *
- * This class implements Servlet Filter, and ties together CADI implementations
- *
- * This class can be used in a standard J2EE Servlet manner. Optimal usage is for POJO operations, where
- * one can enforce this Filter being first and primary. Depending on the Container, it
- * may be more effective, in some cases, to utilize features that allow earlier determination of
- * AUTHN (Authorization). An example would be "Tomcat Valve". These implementations, however, should
- * be modeled after the "init" and "doFilter" functions, and be kept up to date as this class changes.
- *
- *
- *
- */
-public class CadiFilter implements Filter {
- private static CadiHTTPManip httpChecker;
- private static String[] pathExceptions;
- private static List<Pair> mapPairs;
- private Access access;
- private Object[] additionalTafLurs;
- private static int count=0;
-
- public Lur getLur() {
- return httpChecker.getLur();
- }
-
- /**
- * Construct a viable Filter
- *
- * Due to the vagaries of many containers, there is a tendency to create Objects and call "Init" on
- * them at a later time. Therefore, this object creates with an object that denies all access
- * until appropriate Init happens, just in case the container lets something slip by in the meantime.
- *
- */
- public CadiFilter() {
- additionalTafLurs = CadiHTTPManip.noAdditional;
- }
-
- /**
- * This constructor to be used when directly constructing and placing in HTTP Engine
- *
- * @param access
- * @param moreTafLurs
- * @throws ServletException
- */
- public CadiFilter(Access access, Object ... moreTafLurs) throws ServletException {
- additionalTafLurs = moreTafLurs;
- init(new AccessGetter(this.access = access));
- }
-
-
- /**
- * Use this to pass in a PreContructed CADI Filter, but with initializing... let Servlet do it
- * @param init
- * @param access
- * @param moreTafLurs
- * @throws ServletException
- */
- public CadiFilter(boolean init, PropAccess access, Object ... moreTafLurs) throws ServletException {
- this.access = access;
- if(init) {
- init(new AccessGetter(access));
- }
- additionalTafLurs = moreTafLurs;
- }
-
- /**
- * Init
- *
- * Standard Filter "init" call with FilterConfig to obtain properties. POJOs can construct a
- * FilterConfig with the mechanism of their choice, and standard J2EE Servlet engines utilize this
- * mechanism already.
- */
- //TODO Always validate changes against Tomcat AbsCadiValve and Jaspi CadiSAM Init functions
- public void init(FilterConfig filterConfig) throws ServletException {
- // need the Context for Logging, instantiating ClassLoader, etc
- ServletContextAccess sca=new ServletContextAccess(filterConfig);
- if(access==null) {
- access = sca;
- }
-
- // Set Protected getter with base Access, for internal class instantiations
- init(new FCGet(access, sca.context(), filterConfig));
- }
-
-
- private void init(Get getter) throws ServletException {
- // Start with the assumption of "Don't trust anyone".
- TrustChecker tc = TrustChecker.NOTRUST; // default position
- try {
- @SuppressWarnings("unchecked")
- Class<TrustChecker> ctc = (Class<TrustChecker>) Class.forName("com.att.cadi.aaf.v2_0.AAFTrustChecker");
- if(ctc!=null) {
- Constructor<TrustChecker> contc = ctc.getConstructor(Access.class);
- if(contc!=null) {
- tc = contc.newInstance(access);
- }
- }
- } catch (Exception e) {
- access.log(Level.INIT, "AAFTrustChecker cannot be loaded",e.getMessage());
- }
-
-
- // Synchronize, because some instantiations call init several times on the same object
- // In this case, the epiTaf will be changed to a non-NullTaf, and thus not instantiate twice.
- synchronized(CadiHTTPManip.noAdditional /*will always remain same Object*/) {
- ++count;
- if(httpChecker == null) {
- if(access==null) {
- access = new PropAccess();
- }
- try {
- httpChecker = new CadiHTTPManip(access,null /*reuseable Con*/,tc, additionalTafLurs);
- } catch (CadiException e1) {
- throw new ServletException(e1);
- }
- } else if(access==null) {
- access= httpChecker.getAccess();
- }
-
- /*
- * Setup Authn Path Exceptions
- */
- if(pathExceptions==null) {
- String str = getter.get(Config.CADI_NOAUTHN, null, true);
- if(str!=null) {
- pathExceptions = str.split("\\s*:\\s*");
- }
- }
-
- /*
- * SETUP Permission Converters... those that can take Strings from a Vendor Product, and convert to appropriate AAF Permissions
- */
- if(mapPairs==null) {
- String str = getter.get(Config.AAF_PERM_MAP, null, true);
- if(str!=null) {
- String mstr = getter.get(Config.AAF_PERM_MAP, null, true);
- if(mstr!=null) {
- String map[] = mstr.split("\\s*:\\s*");
- if(map.length>0) {
- MapPermConverter mpc=null;
- int idx;
- mapPairs = new ArrayList<Pair>();
- for(String entry : map) {
- if((idx=entry.indexOf('='))<0) { // it's a Path, so create a new converter
- access.log(Level.INIT,"Loading Perm Conversions for:",entry);
- mapPairs.add(new Pair(entry,mpc=new MapPermConverter()));
- } else {
- if(mpc!=null) {
- mpc.map().put(entry.substring(0,idx),entry.substring(idx+1));
- } else {
- access.log(Level.ERROR,"cadi_perm_map is malformed; ",entry, "is skipped");
- }
- }
- }
- }
- }
- }
- }
- }
-
- // Remove Getter
- getter = Get.NULL;
- }
-
- /**
- * Containers call "destroy" when time to cleanup
- */
- public void destroy() {
- // Synchronize, in case multiCadiFilters are used.
- synchronized(CadiHTTPManip.noAdditional) {
- if(--count<=0 && httpChecker!=null) {
- httpChecker.destroy();
- httpChecker=null;
- access=null;
- pathExceptions=null;
- }
- }
- }
-
- /**
- * doFilter
- *
- * This is the standard J2EE invocation. Analyze the request, modify response as necessary, and
- * only call the next item in the filterChain if request is suitably Authenticated.
- */
- //TODO Always validate changes against Tomcat AbsCadiValve and Jaspi CadiSAM functions
- public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
- try {
- HttpServletRequest hreq = (HttpServletRequest)request;
- if(noAuthn(hreq)) {
- chain.doFilter(request, response);
- } else {
- HttpServletResponse hresp = (HttpServletResponse)response;
- TafResp tresp = httpChecker.validate(hreq, hresp);
- if(tresp.isAuthenticated()==RESP.IS_AUTHENTICATED) {
- CadiWrap cw = new CadiWrap(hreq, tresp, httpChecker.getLur(),getConverter(hreq));
- if(httpChecker.notCadi(cw, hresp)) {
- chain.doFilter(cw,response);
- }
- }
- }
- } catch (ClassCastException e) {
- throw new ServletException("CadiFilter expects Servlet to be an HTTP Servlet",e);
- }
- }
-
-
- /**
- * If PathExceptions exist, report if these should not have Authn applied.
- * @param hreq
- * @return
- */
- private boolean noAuthn(HttpServletRequest hreq) {
- if(pathExceptions!=null) {
- String pi = hreq.getPathInfo();
- if(pi==null) return false; // JBoss sometimes leaves null
- for(String pe : pathExceptions) {
- if(pi.startsWith(pe))return true;
- }
- }
- return false;
- }
-
- /**
- * Get Converter by Path
- */
- private PermConverter getConverter(HttpServletRequest hreq) {
- if(mapPairs!=null) {
- String pi = hreq.getPathInfo();
- if(pi!=null) {
- for(Pair p: mapPairs) {
- if(pi.startsWith(p.name))return p.pc;
- }
- }
- }
- return NullPermConverter.singleton();
- }
-
- /**
- * store PermConverters by Path prefix
- *
- */
- private class Pair {
- public Pair(String key, PermConverter pc) {
- name = key;
- this.pc = pc;
- }
- public String name;
- public PermConverter pc;
- }
-
-}
-