tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jack Lauman <jlau...@nwcascades.com>
Subject Filter problem
Date Thu, 23 Jun 2005 20:30:48 GMT
I have the following code for an access filter.  If I log in with the 
role of "admin" everything works as expected.  If I try to log in with 
the role of "user" I immediately get a permissions error that denies access.

I've added ${sessionScope.USER} to the jsp pages as well as adding 
entries for PWD and ROLE.  The correct information is in the session 
variables.

I'd appreciate any help in finding the error and fixing it.

Thanks,

Jack

public class AccessControlFilter
	implements Filter
{
   public static final String NO_ACCESS_PAGE = "no-access-page";
   public static final String NO_AUTH_PAGE = "no-auth-page";
   private FilterConfig fc;
   private String noAccessPage;
   private String notLoggedInPage;
   public AccessControlFilter()
     {
       fc = null;
     }

     /**
      * Destroy the Access Control Filter
      */
     public void destroy()
     {
       fc = null;
     }

     /**
      * Initialize the Access Control Filter
      */
     public void init(FilterConfig config)
       throws ServletException
     {
       fc = config;
       noAccessPage = fc.getInitParameter("no-access-page");
       if(noAccessPage == null)
         noAccessPage = "noaccess.jsp";

       notLoggedInPage = fc.getInitParameter("no-auth-page");
         if(notLoggedInPage == null)
         notLoggedInPage = "notloggedin.jsp";
     }

     public void doFilter(ServletRequest req,
                          ServletResponse resp,
                          FilterChain chain)
       throws IOException, ServletException
     {
       HttpServletRequest httpReq = (HttpServletRequest)req;
       HttpServletResponse httpResp = (HttpServletResponse)resp;

       String servletPath = httpReq.getServletPath();

       String username = (String)httpReq.getSession().getAttribute("USER");
       if(username == null)
       {
         httpResp.sendRedirect(notLoggedInPage);
         return;
       }
         String role = (String)httpReq.getSession().getAttribute("ROLE");
         if(role == null)
         {
           httpResp.sendRedirect(notLoggedInPage);
           return;
         }
         if(role.equals("admin"))
         {
           chain.doFilter(req, resp);
           return;
         }
         if(role.equals("user"))
         {
           if(servletPath.startsWith("/secure/updateDb/add") ||
             servletPath.startsWith("/secure/updateDb/delete") ||
             servletPath.startsWith("/secure/updateDb/update") ||
             servletPath.startsWith("/secure/updateDb/move") ||
             servletPath.equals("/secure/updateDb/sectionAdd") ||
             servletPath.equals("/secure/updateDb/sectionDelete")) 
        {
             Integer id = new Integer(httpReq.getParameter("company"));
             if(id.equals(getAuthToken(username)))
             {
               chain.doFilter(req, resp);
               return;
             }
             } else
               if(servletPath.equals("/secure/updateDb/changePassword"))
             {
               if(username.equals(httpReq.getParameter("userName")))
                 {
                   chain.doFilter(req, resp);
                   return;
                 }
               } else
                 if(servletPath.equals("/secure/index.jsp"))
               {
               ServletContext servletcontext = fc.getServletContext();
               RequestDispatcher requestdispatcher = 
servletcontext.getRequestDispatcher("/secure/ControlPanel.jsp?company=" 
+ getAuthToken(username));
               if(requestdispatcher == null)
               httpResp.sendError(500, "Ccontrol panel doesn't exist.");
               requestdispatcher.forward(req, resp);
               return;
             }
         } else {
             httpResp.sendRedirect(notLoggedInPage);
             return;
         }
         httpResp.sendRedirect(noAccessPage);
     }

     private Integer getAuthToken(String servletPath)
     {
         Integer id = new Integer(-1);
         try
         {
     	Context ctx = null;
         DataSource ds = null;
         Connection conn = null;
         Result result = null;
     	SQLCommandBean sql = new SQLCommandBean();
     	try {
     	  String envBase = "java:comp/env/";
           ctx = new InitialContext();
           String dataSourceName = (String)ctx.lookup(envBase + 
"dataSource");
           ds = (DataSource) ctx.lookup(envBase + dataSourceName);

           } catch (Exception e) {
             System.out.println("DataSource context lookup failed: " + e);
           }

           try {
             conn = ds.getConnection();
             } catch (SQLException se) {
               System.out.println("DataSource getConnection failed: " + se);
               se.printStackTrace();
             }

           try {
       	    sql.setConnection(conn);

           } catch (Exception e) {
             System.out.println("DataSource setConnection failed: " + e);
           }

           sql.setSqlValue("SELECT CompanyID FROM Company WHERE UserID = 
?");
           ArrayList arraylist = new ArrayList();
           arraylist.add(servletPath);
           sql.setValues(arraylist);
           result = sql.executeQuery();
           if(result != null && result.getRowCount() > 0) {
           id = (Integer)result.getRows()[0].get("CompanyID");
           }
           conn.close();
         }
         catch(SQLException se) {
           System.out.println(se);
         }
         return id;
     }
}


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Mime
View raw message