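package com.ecyrd.jspwiki.plugin;

import com.ecyrd.jspwiki.*;
import java.util.*;
import javax.servlet.http.*;

/**
 * Implements the Auth plugin to allow authorization using the container
 * managed security.
 * <p>
 * Parameters:
 * <ul>
 *   <li>allow = list of allowed users or roles</li>
 *   <li>deny  = list of users or roles to deny access to</li>
 *   <li>edit  = list of users or roles that can edit this page</li>
 * </ul>
 * By using this plugin the user is saying that they want to deny access to
 * this page (by default, view access is allowed).  If there is content in
 * the body, this plugin will only allow or deny access to that content.
 * If there is no content in the body then this affects the entire page.
 * Any _body content gets appended between brackets.
 * <p>
 * Decisions are recorded in two session maps keyed by page name:
 * "pageedit" (values "edit-implicit" / "edit-explicit") and "pageview"
 * (values "view-all" / "view-partial-allow" / "view-partial-deny").
 * Other JSPs are expected to consult these maps; the deny branch of
 * {@link #execute} also throws to abort rendering.
 * <p>
 * This plugin only works with the 2.0.x release.  The edit control also
 * requires a change to edit.jsp.
 * <p>
 * Original code 1 May to 16 June 2004.
 * Update 3 August 2004: fixed a problem with many roles in a list; moved
 * null tests and the '*' wildcard check inside userInList; the request is
 * now passed as a parameter to userInList so it can be called from other
 * places (for example Diff.jsp) to verify that a person can get to a page.
 *
 * @author Foster Schucker
 */
public class Auth implements WikiPlugin
{
    /** Session attribute holding the per-page edit decision map. */
    private static final String PAGE_EDIT_ATTR = "pageedit";

    /** Session attribute holding the per-page view decision map. */
    private static final String PAGE_VIEW_ATTR = "pageview";

    /**
     * The request of the most recent execute() call, kept only so that the
     * two-argument {@link #userInList(String, String)} keeps working.
     * NOTE(review): this is per-instance mutable state; if the plugin
     * manager ever reuses one Auth instance across concurrent requests it
     * becomes a race between users -- confirm how instances are created.
     * New code should use the static three-argument form.
     */
    HttpServletRequest request = null;

    public void initialize( WikiEngine engine ) throws PluginException
    {
    }

    /**
     * Checks whether a user, or any role the request carries, appears in a
     * comma-separated access list.
     * <p>
     * Entries are trimmed, so {@code "admin, editor"} matches the role
     * "editor" as the page author intended; previously the untrimmed
     * {@code " editor"} silently never matched, which for a deny list meant
     * the entry was not enforced.  Empty entries ("a,,b", trailing comma)
     * are skipped.  User names are compared case-insensitively; role names
     * are checked through {@code req.isUserInRole(entry)}.
     * <p>
     * This method can be called from outside the plugin framework -- be
     * careful of changes you make to it.
     *
     * @param req    the request carrying the container credentials; may be
     *               null, in which case no role check is done
     * @param access the access list; null yields false, "*" accepts everyone
     * @param user   the user's name, normally from the container
     *               credentials but possibly from the JSPWiki user cookie;
     *               null never matches a user or a role
     * @return true if the user or one of the request's roles is listed (or
     *         the list is the wildcard), false otherwise
     */
    public static boolean userInList(HttpServletRequest req, String access, String user)
    {
        if (access == null)
        {
            return false;       // no list at all
        }
        if (access.equalsIgnoreCase("*"))
        {
            return true;        // accept everything
        }

        String[] entries = access.split(",");
        for (int i = 0; i < entries.length; i++)
        {
            String entry = entries[i].trim();
            if (entry.length() == 0)
            {
                continue;       // "a,,b" or a trailing comma
            }
            // An unauthenticated request (user == null) matches nothing,
            // not even a role, which keeps the original fail-closed shape.
            if (user != null)
            {
                if (user.equalsIgnoreCase(entry))
                {
                    return true;    // the user is named directly
                }
                if (req != null && req.isUserInRole(entry))
                {
                    return true;    // the entry is a role the user holds
                }
            }
        }
        return false;   // no matching user or role
    }

    /**
     * Convenience form of {@link #userInList(HttpServletRequest, String, String)}
     * that uses the request remembered by the last {@link #execute} call.
     *
     * @param access the access list (see the static form)
     * @param user   the user's name
     * @return whether the user or one of their roles is listed
     */
    public boolean userInList(String access, String user)
    {
        return userInList(request, access, user);
    }

    /**
     * Evaluates the allow / deny / edit lists for the current request and
     * records the outcome in the session.
     * <p>
     * View is granted when the user is in the allow list and not in the deny
     * list (deny overrides allow; the default is no view).  Edit is implicit
     * when the page is viewable and no edit list is given, explicit when the
     * user is in the edit list, and otherwise cleared.
     * NOTE(review): the edit list is evaluated independently of view, so an
     * entry there grants edit even when view is denied -- confirm that this
     * is intended.
     * <p>
     * With a body, only that body is rendered (or withheld); without one the
     * whole page is marked viewable or, when denied, rendering is aborted.
     *
     * @param context the wiki context; must carry an HTTP request
     * @param params  plugin parameters: "allow", "deny", "edit", "_body"
     * @return the rendered body when it is present and viewable, otherwise
     *         an empty string
     * @throws PluginException if there is no HTTP request to check
     *         credentials against (fails closed instead of a
     *         NullPointerException)
     * @throws AssertionError when the whole page is denied; see the comment
     *         at the throw site
     */
    public String execute( WikiContext context, Map params ) throws PluginException
    {
        HttpServletRequest req = context.getHttpRequest();
        if (req == null)
        {
            // No container credentials to check against (for example a
            // non-HTTP rendering path).  Previously this fell through to
            // context.getHttpRequest().getSession() and threw NPE.
            throw new PluginException("Auth plugin requires an HTTP request");
        }
        request = req;                          // for the two-argument userInList()

        WikiEngine engine = context.getEngine();
        HttpSession session = req.getSession();
        String user = req.getRemoteUser();      // null if the container has not authenticated anyone
        String pageName = context.getPage().getName();

        String allow = (String) params.get("allow");
        String deny  = (String) params.get("deny");
        String edit  = (String) params.get("edit");
        String body  = (String) params.get("_body");

        Map editpage = sessionMap(session, PAGE_EDIT_ATTR);
        Map viewpage = sessionMap(session, PAGE_VIEW_ATTR);

        // Allow first, then deny overrides.  Default is no view.
        boolean view = userInList(req, allow, user) && !userInList(req, deny, user);

        if (edit == null && view)
        {
            // Viewable and no explicit edit list: editing follows viewing.
            editpage.put(pageName, "edit-implicit");
        }
        else if (userInList(req, edit, user))
        {
            editpage.put(pageName, "edit-explicit");
        }
        else
        {
            editpage.remove(pageName);          // clear any earlier grant
        }
        session.setAttribute(PAGE_EDIT_ATTR, editpage);

        StringBuffer sb = new StringBuffer();
        if (body != null)
        {
            // Only the body is protected; the rest of the page is shown
            // regardless, hence the "partial" markers.
            if (view)
            {
                viewpage.put(pageName, "view-partial-allow");
                sb.append( engine.textToHTML( context, body ) );
            }
            else
            {
                viewpage.put(pageName, "view-partial-deny");
            }
            session.setAttribute(PAGE_VIEW_ATTR, viewpage);
        }
        else if (view)
        {
            viewpage.put(pageName, "view-all");    // view the entire page
            session.setAttribute(PAGE_VIEW_ATTR, viewpage);
        }
        else
        {
            // Put the map back first so the denial is recorded even though
            // we abort.  An Error (not PluginException) is thrown on
            // purpose: a PluginException would presumably be rendered as an
            // inline error and the remaining page body still shown -- TODO
            // confirm against the plugin manager's exception handling before
            // changing this; the session marker is the durable signal.
            viewpage.remove(pageName);
            session.setAttribute(PAGE_VIEW_ATTR, viewpage);
            throw new AssertionError("Not allowed to see this page");
        }
        return sb.toString();
    }

    /**
     * Returns the Map stored under the given session attribute, or a fresh
     * HashMap when the attribute is absent.
     *
     * @param session the HTTP session
     * @param name    the attribute name
     * @return the stored map (cast as in the original code) or a new one
     */
    private static Map sessionMap(HttpSession session, String name)
    {
        Object stored = session.getAttribute(name);
        return (stored != null) ? (Map) stored : new HashMap();
    }
}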