Mailing-List: contact tomcat-user-help@jakarta.apache.org; run by ezmlm
Precedence: bulk
Reply-To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
Received-SPF: pass (hermes.apache.org: local policy)
Message-ID: <41A36797.9030409@nwcascades.com>
Date: Tue, 23 Nov 2004 08:38:47 -0800
From: Jack Lauman <jlauman@nwcascades.com>
Organization: nwcascades.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US;
 rv:1.7.3) Gecko/20040910
MIME-Version: 1.0
To: SERVLET-INTEREST@JAVA.SUN.COM,
   Tomcat Users List <tomcat-user@jakarta.apache.org>
Subject: Filter Problem
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-nwcascades.com-MailScanner-Information: Please contact the ISP for more
 information
X-nwcascades.com-MailScanner: Found to be clean
X-nwcascades.com-MailScanner-SpamCheck: not spam, SpamAssassin (score=-4.46,
	required 7, autolearn=not spam, AWL 0.34, BAYES_00 -4.90,
	HTML_MESSAGE 0.10)
X-MailScanner-From: jlauman@nwcascades.com
X-Virus-Checked: Checked
X-Spam-Rating: minotaur-2.apache.org 1.6.2 0/1000/N

I have an access control filter that is supposed to grant all access to 
users wirh the role of 'admin' and limited access to those with the role 
of  'user.  Specifically a 'user' can only manipulate the data that 
belongs to them.  It uses 'contextPath.startsWith' and the users 'id' 
(int) from the database appended to it to access their records.

If I logon as an 'admin' user it works fine.  If I login using a bad 
password it forwards to the notLoggedInPage.  It I login as a 'user' 
with a correct password it forwards to the noAccessPage.

I'm not sure what's wrong here and would appreciate any help in 
resolving this matter,

TIA,

Jack


import java.io.IOException;
import java.sql.Connection;
import java.util.ArrayList;

import javax.naming.Context;
import javax.naming.InitialContext;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.jsp.jstl.sql.Result;
import javax.sql.DataSource;

import com.nwc.SQLCommandBean;

/**
 *  Referenced classes of package com.nwc:
 *     sql : SQLCommandBean
 */

/**
 * @web.filter
 *     name="AccessControlFilter"
 *     display-name="JAAS Access Control Filter"
 * @web.filter-init-param
 *     name="no-access-page"
 *     value="/restaurants/noaccess.jsp"
 * @web.filter-init-param
 *     name="no-auth-page"
 *     value="/restaurants/notloggedin.jsp"
 * @web.filter-mapping
 *     url-pattern="/secure/*"
 * @version 1.17 11/21/2004
 */
public class AccessControlFilter
    implements Filter
{
   
    /**
     * Comment for <code>NO_ACCESS_PAGE</code>
     * Value: {@value NO_ACCESS_PAGE}
     */
    public static final String NO_ACCESS_PAGE = "no-access-page";
   
    /**
     * Comment for <code>NO_AUTH_PAGE</code>
     * Value: {@value NO_AUTH_PAGE}
     */
    public static final String NO_AUTH_PAGE = "no-auth-page";
   
    /**
     * Field config
     */
    private FilterConfig fc;
   
    /**
     * Field noAccessPage
     */
    private String noAccessPage;
   
    /**
     * Field notLoggedInPage
     */
    private String notLoggedInPage;
   
    /**
     *
     */
    public AccessControlFilter()
    {
        fc = null;
    }
   
    /**
     * Initialize the Access Control Filter
     *
     *  (non-Javadoc)
     * @see javax.servlet.Filter#init(javax.servlet.FilterConfig)
     */
    public void init(FilterConfig config)
        throws ServletException
    {
        fc = config;
        noAccessPage = fc.getInitParameter("no-access-page");
        if(noAccessPage == null)
            noAccessPage = "noaccess.jsp";
       
        notLoggedInPage = fc.getInitParameter("no-auth-page");
        if(notLoggedInPage == null)
            notLoggedInPage = "notloggedin.jsp";
    }
   
    /**
     * Destroy the Access Control Filter
     *
     *  (non-Javadoc)
     * @see javax.servlet.Filter#destroy()
     */
    public void destroy()
    {
        fc = null;
    }
   
    /**
     * Implements javx.servlet.Filter.doFilter
     *
     * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest, 
javax.servlet.ServletResponse, javax.servlet.FilterChain)
     */
    public void doFilter(ServletRequest req,
                         ServletResponse resp,
                         FilterChain chain)
        throws IOException, ServletException
    {
        HttpServletRequest httpReq = (HttpServletRequest)req;
        HttpServletResponse httpResp = (HttpServletResponse)resp;
/////       
          String contextPath = httpReq.getContextPath();
/////
        String username = (String)httpReq.getSession().getAttribute("USER");
        if(username == null)
        {
            httpResp.sendRedirect(notLoggedInPage);
            return;
        }
        String role = (String)httpReq.getSession().getAttribute("ROLE");
        if(role == null)
        {
            httpResp.sendRedirect(notLoggedInPage);
            return;
        }
        if(role.equals("admin"))
        {
            chain.doFilter(req, resp);
            return;
        }
        if(role.equals("user"))
        {
            if(contextPath.startsWith("/secure/updateDb/add") ||
                    contextPath.startsWith("/secure/updateDb/delete") ||
                    contextPath.startsWith("/secure/updateDb/update") ||
                    contextPath.startsWith("/secure/updateDb/move") ||
                    contextPath.equals("/secure/updateDb/sectionAdd") ||
                    contextPath.equals("/secure/updateDb/sectionDelete") ||
                    
contextPath.startsWith("/secure/updateDb/sectionMove") ||
                    contextPath.equals("/secure/updateDb/validTimes") ||
                    contextPath.equals("/secure/updateDb/menuDelete") ||
                    contextPath.equals("/secure/updateDb/menuAdd") ||
                    contextPath.startsWith("/secure/updateDb/menuMove") ||
                    
contextPath.equals("/secure/updateDb/restaurantUpdate") ||
                    contextPath.equals("/secure/editMenu.jsp") ||
                    
contextPath.equals("/secure/restaurantControlPanel.jsp") ||
                    contextPath.equals("/secure/viewMenu.jsp") ||
                    contextPath.equals("/secure/updateRestaurant.jsp"))
            {
                Integer id = new 
Integer(httpReq.getParameter("restaurant"));
                if(id.equals(getAuthToken(username)))
                {
                    chain.doFilter(req, resp);
                    return;
                }
            } else
                if(contextPath.equals("/secure/updateDb/changePassword"))
                {
                    if(username.equals(httpReq.getParameter("userName")))
                    {
                        chain.doFilter(req, resp);
                        return;
                    }
                } else
                    if(contextPath.equals("/secure/index.jsp"))
                    {
                        ServletContext servletcontext = 
fc.getServletContext();
                        RequestDispatcher requestdispatcher = 
servletcontext.getRequestDispatcher("/secure/restaurantControlPanel.jsp?restaurant=" 
+ getAuthToken(username));
                        if(requestdispatcher == null)
                            httpResp.sendError(500, "Restaurant control 
panel doesn't exist.");
                        requestdispatcher.forward(req, resp);
                        return;
            }
        } else
        {
            httpResp.sendRedirect(notLoggedInPage);
            return;
        }
        httpResp.sendRedirect(noAccessPage);
    }
   
    /**
     * Method getAuthToken
     * @param contextPath String
     * @return Integer
     */
    private Integer getAuthToken(String contextPath)
    {
        Integer id = new Integer(-1);
        try
        {
                Context ctx = null;
            DataSource ds = null;
            Connection conn = null;
            Result result = null;
                SQLCommandBean sql = new SQLCommandBean();
                try {
                ctx = new InitialContext();
                ds = (DataSource) 
ctx.lookup("java:comp/env/jdbc/RestaurantDS");
            } catch (Exception e) {
                System.out.println("DataSource context lookup failed: " 
+ e);
            }
            try {
                conn = ds.getConnection();
            } catch (Exception e) {
                System.out.println("DataSource getConnection failed: " + e);
                e.printStackTrace();
            }
           
            try {
                  sql.setConnection(conn);

            } catch (Exception e) {
                System.out.println("DataSource setConnection failed: " + e);
            }
   
            sql.setSqlValue("SELECT RestaurantID FROM Restaurant WHERE 
UserID = ?");
            ArrayList arraylist = new ArrayList();
            arraylist.add(contextPath);
            sql.setValues(arraylist);
            result = sql.executeQuery();
            if(result != null && result.getRowCount() > 0) {
                id = (Integer)result.getRows()[0].get("RestaurantID");
            }
            conn.close();
        }
        catch(Exception e) {
            System.out.println(e);
        }
        return id;
    }
}


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org