- @WebFilter(filterName = "AuthFilter",urlPatterns = "/secret")
- public class AuthFilter implements Filter {...}
- @WebFilter(filterName = "SecurityWarningFilter",urlPatterns = "/secret")
- public class SecurityWarningFilter implements Filter { ... }
- <filter-mapping>
- <filter-name>SecurityWarningFilter</filter-name>
- <url-pattern />
- </filter-mapping>
- <filter-mapping>
- <filter-name>AuthFilter</filter-name>
- <url-pattern />
- </filter-mapping>
- <filter>
- <filter-name>AuthFilter</filter-name>
- <filter-class>[...].webapp.filters.AuthFilter</filter-class>
- </filter>
- <filter>
- <filter-name>SecurityWarningFilter</filter-name>
- <filter-class>[...].webapp.filters.SecurityWarningFilter</filter-class>
- </filter>
- <filter-mapping>
- <filter-name>SecurityWarningFilter</filter-name>
- <url-pattern>/secret</url-pattern>
- </filter-mapping>
- <filter-mapping>
- <filter-name>AuthFilter</filter-name>
- <url-pattern>/secret</url-pattern>
- </filter-mapping>
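<html>
<body>
<!-- The credentials in this form travel in clear text inside the POST body;
     the page and its /webapp101/secret target need to be served over HTTPS. -->
<form action='/webapp101/secret' method='post'>
username: <input type='text' name='username'><br>
password: <input type='password' name='password'><br>
<!-- Fixed: the original had a stray comma between the two attributes
     (type='submit', value='login'), which is not valid attribute syntax. -->
<input type='submit' value='login'>
</form>
</body>
</html>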
- <!DOCTYPE web-app PUBLIC
- "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
- "http://java.sun.com/dtd/web-app_2_3.dtd" >
- <web-app>
- <display-name>Webapp</display-name>
- <filter-mapping>
- <filter-name>SecurityWarningFilter</filter-name>
- <url-pattern />
- </filter-mapping>
- <filter-mapping>
- <filter-name>AuthFilter</filter-name>
- <url-pattern />
- </filter-mapping>
- <!-- other servlets here -->
- </web-app>
- package [...].webapp.filters;
import [...].security.Credentials;
import [...].webapp.consts.AuthConstants;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;
import java.util.HashSet;
import java.util.Set;
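@WebFilter(filterName = "AuthFilter", urlPatterns = "/secret")
public class AuthFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {}

    /**
     * Authenticates the request from its {@code username} and {@code password}
     * parameters. On success the matching {@link Credentials} are stored under
     * {@link AuthConstants#ATTR_ACTIVE_USER} and the chain continues; on failure
     * the chain is not invoked (fail closed) and a denial is written with a
     * non-2xx status, so that clients and scanners cannot mistake a denial for
     * success.
     *
     * <p>Note: {@code getParameter} reads the query string as well as the POST
     * body, so credentials sent on a GET would end up in access logs; this
     * filter does not restrict the method.
     *
     * @throws IOException      if the response writer cannot be obtained
     * @throws ServletException propagated from downstream filters or servlets
     */
    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        String username = req.getParameter("username");
        String password = req.getParameter("password");
        if (username == null || password == null) {
            deny(resp, "access denied");
            return;
        }
        Credentials creds = new Credentials(username, password, false);
        if (validate(creds)) {
            req.setAttribute(AuthConstants.ATTR_ACTIVE_USER, creds);
            chain.doFilter(req, resp);
        } else {
            // One message for unknown user and wrong password: do not reveal which part failed.
            deny(resp, "username or password is incorrect");
        }
    }

    /**
     * Writes {@code message} to the response and, for HTTP responses, sets 401 so
     * the denial is visible in the status line and not only in the body. No
     * WWW-Authenticate header is sent because authentication is form based.
     */
    private static void deny(ServletResponse resp, String message) throws IOException {
        if (resp instanceof HttpServletResponse) {
            ((HttpServletResponse) resp).setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        }
        resp.getWriter().println(message);
    }

    /** True if {@code creds} equals one of the accepted users (equality compares username and password hash). */
    private boolean validate(Credentials creds) {
        return getAcceptedUsers().contains(creds);
    }

    private Set<Credentials> getAcceptedUsers() {
        // imagine a proper fetch, e.g. from DB or some cache, here
        Set<Credentials> accepted = new HashSet<>();
        accepted.add(new Credentials("foo", "bar", false));
        return accepted;
    }

    @Override
    public void destroy() {}
}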
- package [...].webapp.filters;
- import [...].security.Credentials;
- import [...].webapp.consts.AuthConstants;
- import javax.servlet.*;
- import javax.servlet.annotation.WebFilter;
- import java.io.IOException;
- import java.util.Date;
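@WebFilter(filterName = "SecurityWarningFilter", urlPatterns = "/secret")
public class SecurityWarningFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {}

    /**
     * Logs access to the secured resource and always continues the chain.
     *
     * <p>This filter expects AuthFilter to have stored the authenticated user
     * under {@link AuthConstants#ATTR_ACTIVE_USER} before it runs. When it runs
     * first (the relative order of annotated filters is up to the container
     * unless fixed by filter-mapping order in web.xml), the attribute is absent;
     * the access is then logged as unauthenticated instead of failing with a
     * NullPointerException.
     *
     * @throws IOException      propagated from downstream filters or servlets
     * @throws ServletException propagated from downstream filters or servlets
     */
    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        Object attr = req.getAttribute(AuthConstants.ATTR_ACTIVE_USER);
        Credentials accessingUser = attr instanceof Credentials ? (Credentials) attr : null;
        doSecurityWarning(accessingUser);
        chain.doFilter(req, resp);
    }

    /** Writes one warning line to stderr; {@code accessingUser} may be null. */
    private void doSecurityWarning(Credentials accessingUser) {
        String timestamp = new Date().toString();
        String user = accessingUser == null ? "<unauthenticated>" : accessingUser.username;
        // imagine some proper logging, here
        System.err.println(String.format(
                "WARNING[%s] access to secured resource by user '%s'", timestamp, user));
    }

    @Override
    public void destroy() {}
}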
- package [...].webapp.servlets;
- import [...].security.Credentials;
- import [...].webapp.consts.AuthConstants;
- import javax.servlet.ServletException;
- import javax.servlet.annotation.WebServlet;
- import javax.servlet.http.*;
- import java.io.IOException;
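@WebServlet("/secret")
public class SecretServlet extends HttpServlet {

    @Override
    public void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        serveRequest(req, resp);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        serveRequest(req, resp);
    }

    /**
     * Writes the welcome message for the user AuthFilter placed under
     * {@link AuthConstants#ATTR_ACTIVE_USER}. The servlet performs no
     * authentication itself, so if the attribute is missing (filter not
     * applied, or applied in the wrong order) it answers 403 instead of an
     * unconditional welcome.
     *
     * @throws IOException if the response cannot be written
     */
    private void serveRequest(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Object attr = req.getAttribute(AuthConstants.ATTR_ACTIVE_USER);
        if (!(attr instanceof Credentials)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        Credentials authorisedUser = (Credentials) attr;
        // Explicit plain-text type: the username originates from request input
        // and must not be echoed into an HTML body without escaping.
        resp.setContentType("text/plain;charset=UTF-8");
        // Fixed: the original format string had no %s, so the username was never printed.
        resp.getWriter().println(
                String.format("You are authorised. Welcome, %s.", authorisedUser.username));
    }
}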
- package [...].security;
import javax.xml.bind.annotation.adapters.HexBinaryAdapter;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Objects;
- public class Credentials{
- public final String username;
- final String password;
- public Credentials(String username, String password, boolean isPasswordHashed) {
- this.username = username;
- if(isPasswordHashed) this.password = password;
- else {
- MessageDigest md;
- try {
- md = MessageDigest.getInstance("SHA-256");
- } catch (NoSuchAlgorithmException e) {
- throw new IllegalStateException(e);
- }
- md.update(password.getBytes());
- byte[] hash = md.digest();
- this.password = (new HexBinaryAdapter()).marshal(hash);
- }
- }
- @Override
- public boolean equals(Object obj) {
- if(obj == null) return false;
- if(!(obj instanceof Credentials)) return false;
- Credentials other = (Credentials)obj;
- return this.username.equals(other.username) && this.password.equals(other.password);
- }
- @Override
- public int hashCode() {
- return Objects.hash(username,password);
- }
- @Override
- public String toString() {
- return String.format("[nt%snt%sn]", username,password);
- }
- }