2.12 Access Control

Summary

In the application created so far, typing the URL of a screen directly into the browser address bar transitions to that screen even without logging on. In this section, direct access to the screens after the "logon screen" is controlled, as shown in the figure below.

(Figure: Access Control)

Tasks required

The following tasks are required in this section.

- Creating and configuring the access controller class
- Configuring the access filter
- Operation check

2.12.1 Creating and Configuring the Access Controller Class

The access control function provided by the Server (Web) version controls access by pre-processing each request. The flow of access control is shown below.

Flow of access control

- The access filter receives a request from the browser.
- The access filter invokes the access controller.
- The access controller performs the access check for the request and returns the result to the access filter.
- The access filter dispatches processing according to the returned result.

The Server (Web) version provides the following access filter classes and access controller interfaces.

Function                            | Access filter class         | Access controller interface
Logged-on check                     | AuthenticationControlFilter | AuthenticationController
Authorization check                 | AuthorizationControlFilter  | AuthorizationController
Business blockage check             | BlockageControlFilter       | BlockageController
Server blockage check               | ServerBlockageFilter        | ServerBlockageController
Prohibit direct access by extension | ExtensionFilter             | None (processing runs in the filter class only)

In this section, the access controller class for the logged-on check is created and configured.

Procedure

The following work is required in this section.

(1) Editing the application resource file
(2) Creating the access controller class
(3) Editing the Spring application common configuration file

1. Editing the application resource file

Set the request paths that are excluded from the logged-on check.
- Open "terasoluna-spring-thin-blank\sources\ApplicationResources.properties" and add the following settings.

    # Paths that are not subject to the authentication check
    access.control.authenticated.escape.1=/logon/logonSCR.do
    access.control.authenticated.escape.2=/logon/logoff.do
    access.control.authenticated.escape.3=/error.do
    access.control.authenticated.escape.4=/error.jsp
    access.control.authenticated.escape.5=/image/terasoluna_logo.gif
    access.control.authenticated.escape.6=/welcome.do
    access.control.authenticated.escape.7=/logon/logonBL.do

Note that the key names must be numbered consecutively.

2. Creating the access controller class

Create the access controller class that implements the check processing.

- Right-click "terasoluna-spring-thin-blank\sources".
- Choose "New" → "Class".
- Enter the following and press the "Finish" button.

    Package:   jp.terasoluna.thin.tutorial.web.common.controller
    Name:      TutorialAuthController
    Interface: jp.terasoluna.fw.web.thin.AuthenticationController

- Edit the generated TutorialAuthController class as follows.

    package jp.terasoluna.thin.tutorial.web.common.controller;

    import java.util.ArrayList;
    import java.util.List;

    import javax.servlet.ServletRequest;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpSession;

    import jp.terasoluna.fw.util.PropertyUtil;
    import jp.terasoluna.fw.web.RequestUtil;
    import jp.terasoluna.fw.web.thin.AuthenticationController;
    import jp.terasoluna.thin.tutorial.web.common.uvo.TutorialUVO;

    import org.apache.commons.logging.Log;
    import org.apache.commons.logging.LogFactory;

    /**
     * Performs the authentication check.
     */
    public class TutorialAuthController implements AuthenticationController {

        /**
         * Log class
         */
        private static Log log = LogFactory.getLog(TutorialAuthController.class);

        /**
         * Key prefix of the paths that are excluded from the authentication check.
         */
        private static final String AUTHENTICATED_NOCHECK_PATH_PREFIX =
            "access.control.authenticated.escape.";

        /**
         * List of paths that are excluded from the authentication check.
         */
        private List<String> noCheckList = null;

        /**
         * Determines whether the HTTP session for the specified request path is authenticated.
         *
         * @param pathInfo Path information
         * @param req HTTP request
         *
         * @return <code>true</code> if authenticated
         */
        public boolean isAuthenticated(String pathInfo, ServletRequest req) {
            if (log.isDebugEnabled()) {
                log.debug("call isAuthenticated");
            }

            // Get the UVO from the session.
            HttpSession session = ((HttpServletRequest) req).getSession();
            TutorialUVO uvo = (TutorialUVO) session.getAttribute("USER_VALUE_OBJECT");

            // Return false if the UVO, or the user ID registered in the UVO, is null.
            if (uvo != null && uvo.getUserId() != null) {
                return true;
            }
            return false;
        }

        /**
         * Determines whether the request path is subject to the check.
         *
         * @param req The <code>ServletRequest</code> instance to be judged
         *
         * @return <code>true</code> if the request is subject to the check
         */
        public boolean isCheckRequired(ServletRequest req) {
            if (log.isDebugEnabled()) {
                log.debug("call isCheckRequired()");
            }

            // Get the path information.
            String pathInfo = RequestUtil.getPathInfo(req);

            // Build the list of excluded paths on first use, reading
            // escape.1, escape.2, ... until a key is missing.
            if (noCheckList == null) {
                noCheckList = new ArrayList<String>();
                for (int i = 1; ; i++) {
                    String path = PropertyUtil.getProperty(
                        AUTHENTICATED_NOCHECK_PATH_PREFIX + i);
                    if (path == null) {
                        break;
                    }
                    noCheckList.add(path);
                }
            }

            // The root path and any path starting with an excluded entry are not checked.
            for (String path : noCheckList) {
                if (pathInfo.startsWith(path) || "/".equals(pathInfo)) {
                    return false;
                }
            }
            return true;
        }
    }

The access controller class for the logged-on check implements the AuthenticationController interface provided by the Server (Web) version. The methods to be implemented are shown below.

Method name     | Description
isAuthenticated | Implements the logged-on check. Returns true if the user is already logged on.
isCheckRequired | Determines whether the request path is subject to the check. Returns true if the request is to be checked.

In the tutorial application, a user is treated as logged on when a UVO is registered in the session.

3. Editing the Spring application common configuration file

Set the access controller class you created. Open "terasoluna-spring-thin-blank\webapps\WEB-INF\applicationContext.xml" and set the access controller class at the following location.

    ... (omitted) ...
    <!-- ======================================== Filter controller definitions -->
    <!-- Logged-on check settings -->
    <bean id="tutorialAuthenticationController"
          class="jp.terasoluna.thin.tutorial.web.common.controller.TutorialAuthController"/>
    ... (omitted) ...

2.12.2 Configuring the Access Filter

Describe the settings that invoke the access filter and the access controller in the Web application configuration file.

Procedure

The following work is required in this section.

(1) Editing the Web application configuration file

Open "terasoluna-spring-thin-blank\webapps\WEB-INF\web.xml" and add the access filter settings and the transition destination on error at the following locations.
    ... (omitted) ...
    <!-- ======================================== Filter definitions -->
    <!-- Access permission check -->
    <filter>
      <filter-name>AuthenticationControlFilter</filter-name>
      <filter-class>
        jp.terasoluna.fw.web.thin.AuthenticationControlFilter
      </filter-class>
      <init-param>
        <param-name>controller</param-name>
        <param-value>tutorialAuthenticationController</param-value>
      </init-param>
    </filter>
    <filter-mapping>
      <filter-name>AuthenticationControlFilter</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>
    ... (omitted) ...
    <!-- Error page definitions -->
    <error-page>
      <exception-type>
        jp.terasoluna.fw.web.thin.UnauthenticatedException
      </exception-type>
      <location>/error.jsp</location>
    </error-page>
    ... (omitted) ...

2.12.3 Operation Check

Start the Web application you created and check its operation.

Procedure

Checking the operation of the application

- Start "terasoluna-spring-thin-blank\h2db\h2db_start.bat".
  o See "2.2 Tutorial learning environment, (6) Database settings" for the H2DB settings.
- Start Tomcat and access it from your browser, referring to "2.2 Tutorial learning environment, (5) Application operation check".
- Type "AAA:8080/terasoluna-spring-thin-blank/logon/menuSCR.do" into the browser address bar to transition to that screen directly.
- Confirm that the application transitions to the "error screen", as shown in the figure below.
  o (Figure: Error screen)
- Confirm that the following output appears in the error log on the console.
    [2009/XX/XX XX:XX:XX][ERROR][[action]] サーブレット action のServlet.service()が例外を投げました
    jp.terasoluna.fw.web.thin.UnauthenticatedException
        at jp.terasoluna.fw.web.thin.AuthenticationControlFilter.doFilter(AuthenticationControlFilter.java:221)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:174)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:874)
        at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
        at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
        at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
        at java.lang.Thread.run(Thread.java:595)

- Confirm that the paths set in "2.12.1 Creating and Configuring the Access Controller Class, (1) Editing the application resource file" can still be reached directly.
  o AAA:8080/terasoluna-spring-thin-blank/logon/logonSCR.do
  o (Figure: Logon screen)

Summary

This section covered the following.

- When using the access control function, the following classes are required:
  o an access filter class
  o an access controller class (except for the prohibition of direct access by extension)
- The Server (Web) version provides the access filter classes and the access controller interfaces.
- The access control settings are described in the Web application configuration file and the Spring application common configuration file.

AuthorizationController Interface

public interface AuthorizationController

Interface for the access check performed in the filter. A class that implements this interface provides the access check function. The implementation class of this interface must be thread safe.

※ For how to configure the implementation class of this interface, see AuthorizationControlFilter.

See Also: AuthorizationControlFilter, AuthenticationControlFilter, AuthenticationController, BlockageControlFilter, BlockageController, ServerBlockageControlFilter, ServerBlockageController

Method Summary

boolean isAuthorized(String pathInfo, javax.servlet.ServletRequest req)
    Performs the authorization check on the HTTP session for the specified request path.
boolean isCheckRequired(javax.servlet.ServletRequest req)
    Returns whether the request requires the authorization check.

Method Detail

isAuthorized

    boolean isAuthorized(String pathInfo, javax.servlet.ServletRequest req)

    Performs the authorization check on the HTTP session for the specified request path.

    Parameters:
        pathInfo - path information
        req - HTTP request
    Returns:
        true if the authorization check succeeds

isCheckRequired

    boolean isCheckRequired(javax.servlet.ServletRequest req)

    Returns whether the request requires the authorization check.

    Parameters:
        req - the ServletRequest instance to be judged
    Returns:
        true if the request should be checked
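As an added example that is not part of the tutorial or of the TERASOLUNA framework, the following stand-alone Java program reproduces the escape-list loading and the path matching of TutorialAuthController.isCheckRequired from 2.12.1 without the servlet and framework classes, using java.util.Properties in place of PropertyUtil; the class name EscapeListDemo and the properties text are constructed for the example. It shows why the key numbers must be consecutive and that the exclusion is a prefix match rather than an exact match.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;

// Standalone model of TutorialAuthController's escape list (added example, not framework code).
public class EscapeListDemo {
    static final String PREFIX = "access.control.authenticated.escape.";
    // Same loop as the tutorial: read escape.1, escape.2, ... until the first missing key.
    static List<String> loadEscapeList(Properties props) {
        List<String> list = new ArrayList<>();
        for (int i = 1; ; i++) {
            String path = props.getProperty(PREFIX + i);
            if (path == null) break; // a gap in the numbering ends the list here
            list.add(path);
        }
        return list;
    }
    // Same decision as isCheckRequired: "/" and paths starting with an escape entry are not checked.
    static boolean isCheckRequired(String pathInfo, List<String> escapes) {
        if ("/".equals(pathInfo)) return false;
        for (String escape : escapes) {
            if (pathInfo.startsWith(escape)) return false; // prefix test, not an exact match
        }
        return true;
    }
    // Stand-in for PropertyUtil: loads properties text supplied inline.
    static Properties parse(String text) throws IOException {
        Properties p = new Properties();
        p.load(new StringReader(text));
        return p;
    }
    public static void main(String[] args) throws IOException {
        // Constructed copy of three of the tutorial's ApplicationResources.properties entries
        List<String> escapes = loadEscapeList(parse(
            "access.control.authenticated.escape.1=/logon/logonSCR.do\n"
            + "access.control.authenticated.escape.2=/logon/logoff.do\n"
            + "access.control.authenticated.escape.3=/error.do\n"));
        // menuSCR.do is not listed, so the filter checks it and rejects an unauthenticated request
        System.out.println("/logon/menuSCR.do checked: " + isCheckRequired("/logon/menuSCR.do", escapes));
        // startsWith is a prefix test, so a longer path that begins with an escape entry is skipped too
        System.out.println("/error.do/x checked: " + isCheckRequired("/error.do/x", escapes));
        // Constructed variant with escape.2 removed: the loop stops at key 2, so /error.do is never loaded
        List<String> gap = loadEscapeList(parse(
            "access.control.authenticated.escape.1=/logon/logonSCR.do\n"
            + "access.control.authenticated.escape.3=/error.do\n"));
        System.out.println("/error.do checked with gap: " + isCheckRequired("/error.do", gap));
    }
}
```

Run it with `java EscapeListDemo.java` (JDK 11 or later). The list is built once up front instead of lazily inside the request path, which is also the simplest way to meet the thread-safety requirement stated in the AuthorizationController reference above.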