1 /*
2  * JBoss, Home of Professional Open Source.
3  * Copyright 2014 Red Hat, Inc., and individual contributors
4  * as indicated by the @author tags.
5  *
6  * Licensed under the Apache License, Version 2.0 (the "License");
7  * you may not use this file except in compliance with the License.
8  * You may obtain a copy of the License at
9  *
10  *     http://www.apache.org/licenses/LICENSE-2.0
11  *
12  *  Unless required by applicable law or agreed to in writing, software
13  *  distributed under the License is distributed on an "AS IS" BASIS,
14  *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15  *  See the License for the specific language governing permissions and
16  *  limitations under the License.
17  */
18 package io.undertow.servlet.handlers.security;
19
20 import io.undertow.security.api.SecurityContext;
21 import io.undertow.server.HttpHandler;
22 import io.undertow.server.HttpServerExchange;
23 import io.undertow.servlet.api.AuthorizationManager;
24 import io.undertow.servlet.api.SingleConstraintMatch;
25 import io.undertow.servlet.handlers.ServletRequestContext;
26 import io.undertow.util.StatusCodes;
27
28 import javax.servlet.DispatcherType;
29 import javax.servlet.ServletRequest;
30 import javax.servlet.http.HttpServletResponse;
31 import java.util.List;
32
33 /**
34  * Servlet role handler
35  *
36  * @author Stuart Douglas
37  */
38 public class ServletSecurityRoleHandler implements HttpHandler {
39
40     private final HttpHandler next;
41     private final AuthorizationManager authorizationManager;
42
43     public ServletSecurityRoleHandler(final HttpHandler next, AuthorizationManager authorizationManager) {
44         this.next = next;
45         this.authorizationManager = authorizationManager;
46     }
47
48     @Override
49     public void handleRequest(final HttpServerExchange exchange) throws Exception {
50         final ServletRequestContext servletRequestContext = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
51         ServletRequest request = servletRequestContext.getServletRequest();
52         if (request.getDispatcherType() == DispatcherType.REQUEST) {
53             List<SingleConstraintMatch> constraints = servletRequestContext.getRequiredConstrains();
54             SecurityContext sc = exchange.getSecurityContext();
55             if (!authorizationManager.canAccessResource(constraints, sc.getAuthenticatedAccount(), servletRequestContext.getCurrentServlet().getManagedServlet().getServletInfo(), servletRequestContext.getOriginalRequest(), servletRequestContext.getDeployment())) {
56
57                 HttpServletResponse response = (HttpServletResponse) servletRequestContext.getServletResponse();
58                 response.sendError(StatusCodes.FORBIDDEN);
59                 return;
60             }
61         }
62         next.handleRequest(exchange);
63     }
64
65
66 }
67