[jboss-cvs] jboss-seam/examples/wiki/src/main/org/jboss/seam/wiki/core/ui ...

Christian Bauer christian at hibernate.org
Fri Nov 9 10:02:07 EST 2007


  User: cbauer  
  Date: 07/11/09 10:02:07

  Modified:    examples/wiki/src/main/org/jboss/seam/wiki/core/ui 
                        FeedServlet.java
  Log:
  Access control for feeds and feed entries, JBSEAM-2114
  
  Revision  Changes    Path
  1.10      +28 -3     jboss-seam/examples/wiki/src/main/org/jboss/seam/wiki/core/ui/FeedServlet.java
  
  (In the diff below, changes in quantity of whitespace are not shown.)
  
  Index: FeedServlet.java
  ===================================================================
  RCS file: /cvsroot/jboss/jboss-seam/examples/wiki/src/main/org/jboss/seam/wiki/core/ui/FeedServlet.java,v
  retrieving revision 1.9
  retrieving revision 1.10
  diff -u -b -r1.9 -r1.10
  --- FeedServlet.java	12 Oct 2007 16:31:28 -0000	1.9
  +++ FeedServlet.java	9 Nov 2007 15:02:07 -0000	1.10
  @@ -10,8 +10,11 @@
   import com.sun.syndication.io.SyndFeedOutput;
   import org.jboss.seam.Component;
   import org.jboss.seam.wiki.core.dao.FeedDAO;
  +import org.jboss.seam.wiki.core.dao.UserRoleAccessFactory;
   import org.jboss.seam.wiki.core.model.Feed;
   import org.jboss.seam.wiki.core.model.FeedEntry;
  +import org.jboss.seam.wiki.core.model.User;
  +import org.jboss.seam.wiki.core.action.Authenticator;
   
   import javax.servlet.ServletException;
   import javax.servlet.http.HttpServlet;
  @@ -51,10 +54,26 @@
                   userTx.begin();
               }
   
  -
               FeedDAO feedDAO = (FeedDAO)Component.getInstance("feedDAO");
               Feed feed = feedDAO.findFeed(Long.valueOf(feedId));
  -            if (feed == null) return;
  +            if (feed == null) {
  +                response.sendError(HttpServletResponse.SC_NOT_FOUND);
  +                if (startedTx) userTx.commit();
  +                return;
  +            }
  +
  +            // Authenticate and authorize, first with current user (session) then with basic HTTP authentication
  +            Integer currentAccessLevel = (Integer)Component.getInstance("currentAccessLevel");
  +            if (feed.getDirectory().getReadAccessLevel() > currentAccessLevel) {
  +                boolean loggedIn = ((Authenticator)Component.getInstance("authenticator")).authenticateBasicHttp(request);
  +                currentAccessLevel = (Integer)Component.getInstance("currentAccessLevel");
  +                if (!loggedIn || feed.getDirectory().getReadAccessLevel() > currentAccessLevel) {
  +                    response.setHeader("WWW-Authenticate", "Basic realm=\"" + feed.getTitle().replace("\"", "'") + "\"");
  +                    response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
  +                    if (startedTx) userTx.commit();
  +                    return;
  +                }
  +            }
   
               // Create feed
               SyndFeed syndFeed = new SyndFeedImpl();
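Review bot: The WWW-Authenticate realm on the `response.setHeader` line is built from `feed.getTitle()` with only double quotes rewritten, so a null title throws, and a title containing CR/LF or other control characters reaches the header unfiltered — whether the container strips those is version-dependent, and the title is presumably wiki-editable. A fixed realm, or a title scrubbed of control characters, keeps the header well-formed: `String realm = feed.getTitle() == null ? "Feed" : feed.getTitle().replaceAll("[\\p{Cntrl}\"]", "'");` followed by `response.setHeader("WWW-Authenticate", "Basic realm=\"" + realm + "\"");`. The comparison `feed.getDirectory().getReadAccessLevel() > currentAccessLevel` also unboxes `currentAccessLevel`, so if that component resolves to null the request fails with a NullPointerException instead of a 401; an explicit null check treating a missing value as the lowest access level would make the deny path deterministic. The enclosing method starts and ends outside this hunk.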
  @@ -84,7 +103,13 @@
                   description.setType(entry.getDescriptionType());
                   description.setValue(entry.getDescriptionValue());
                   syndEntry.setDescription(description);
  +                if (entry.getDocument() != null && entry.getDocument().getReadAccessLevel() <= currentAccessLevel) {
  +                    // Only add entry if the associated document has the right access level
                   syndEntries.add(syndEntry);
  +                } else if (entry.getDocument() == null) {
  +                    // or if there is no document associated with it, then everyone can read it who can read the feed
  +                    syndEntries.add(syndEntry);
  +                }
               }
               syndFeed.setEntries(syndEntries);
   
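Review bot: The added `if`/`else if` branches both execute `syndEntries.add(syndEntry)`, so one visibility rule is written as two; a single condition states it more plainly: `if (entry.getDocument() == null || entry.getDocument().getReadAccessLevel() <= currentAccessLevel) {` with the comment `// Entry is visible when it has no document, or its document's read access level is within the caller's`. The check also sits after the entry and its description have been fully built, so placing it at the top of the loop body with a `continue` would avoid constructing entries that are then discarded. The surrounding loop starts outside the hunk, and `currentAccessLevel` is the local assigned in the earlier hunk.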
  
  
  


