  1. @WebFilter(filterName = "AuthFilter",urlPatterns = "/secret")
  2. public class AuthFilter implements Filter {...}
  3.  
  4. @WebFilter(filterName = "SecurityWarningFilter",urlPatterns = "/secret")
  5. public class SecurityWarningFilter implements Filter { ... }
  6.  
  7. <filter-mapping>
  8. <filter-name>SecurityWarningFilter</filter-name>
  9. <url-pattern />
  10. </filter-mapping>
  11.  
  12. <filter-mapping>
  13. <filter-name>AuthFilter</filter-name>
  14. <url-pattern />
  15. </filter-mapping>
  16.  
  17. <filter>
  18. <filter-name>AuthFilter</filter-name>
  19. <filter-class>[...].webapp.filters.AuthFilter</filter-class>
  20. </filter>
  21. <filter>
  22. <filter-name>SecurityWarningFilter</filter-name>
  23. <filter-class>[...].webapp.filters.SecurityWarningFilter</filter-class>
  24. </filter>
  25.  
  26. <filter-mapping>
  27. <filter-name>SecurityWarningFilter</filter-name>
  28. <url-pattern>/secret</url-pattern>
  29. </filter-mapping>
  30.  
  31. <filter-mapping>
  32. <filter-name>AuthFilter</filter-name>
  33. <url-pattern>/secret</url-pattern>
  34. </filter-mapping>
  35.  
  36. <html>
  37. <body>
  38. <form action='/webapp101/secret' method='post'>
  39. username: <input type='text' name ='username'><br>
  40. password: <input type='password' name ='password'><br>
  41. <input type='submit', value='login'>
  42. </form>
  43. </body>
  44. </html>
  45.  
<!DOCTYPE web-app PUBLIC
"-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd" >

<!-- NOTE(review): this descriptor declares the Servlet 2.3 DTD while AuthFilter and
     SecurityWarningFilter are registered through @WebFilter (a Servlet 3.0+ feature);
     confirm that the target container still scans annotations with a pre-3.0 descriptor. -->
<web-app>
<display-name>Webapp</display-name>
<!-- Mapping order: SecurityWarningFilter is listed before AuthFilter. If these mappings
     take effect, SecurityWarningFilter's doFilter runs first, i.e. before AuthFilter has
     stored the active user attribute that SecurityWarningFilter reads. -->
<filter-mapping>
<filter-name>SecurityWarningFilter</filter-name>
<url-pattern />
</filter-mapping>

<filter-mapping>
<filter-name>AuthFilter</filter-name>
<url-pattern />
</filter-mapping>
<!-- other servlets here -->
</web-app>
  63.  
  64. package [...].webapp.filters;
  65.  
import [...].security.Credentials;
import [...].webapp.consts.AuthConstants;

import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;
import java.util.HashSet;
import java.util.Set;
  75.  
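/**
 * Authenticates every request to the mapped URL from the {@code username} and
 * {@code password} request parameters and, on success, exposes the matching
 * {@link Credentials} to the rest of the chain under
 * {@link AuthConstants#ATTR_ACTIVE_USER}. Requests that lack either parameter,
 * or whose credentials are not in the accepted set, are answered here and never
 * reach the downstream filters/servlet.
 *
 * <p>NOTE(review): the parameters are read with {@code getParameter}, so they are
 * accepted from a GET query string as well as from a POST body; query strings
 * routinely end up in access logs and browser history.
 */
@WebFilter(filterName = "AuthFilter", urlPatterns = "/secret")
public class AuthFilter implements Filter {

    /** Nothing to configure; the accepted-user set is resolved per request. */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {}

    /**
     * Validates the request's credentials and either continues the chain with the
     * authenticated user attached to the request, or writes a denial.
     *
     * @param req   current request; {@code username}/{@code password} parameters are read from it
     * @param resp  response that receives the denial message when validation fails
     * @param chain remainder of the filter chain, invoked only on success
     * @throws IOException      if the response cannot be written
     * @throws ServletException propagated from the rest of the chain
     */
    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        String username = req.getParameter("username");
        String password = req.getParameter("password");

        if (username == null || password == null) {
            deny(resp, "access denied");
            return;
        }

        Credentials creds = new Credentials(username, password, false);
        if (validate(creds)) {
            req.setAttribute(AuthConstants.ATTR_ACTIVE_USER, creds);
            chain.doFilter(req, resp);
        } else {
            // One message for both "unknown user" and "wrong password", so the
            // response does not reveal which half was wrong.
            deny(resp, "username or pasword is incorrect");
        }
    }

    /**
     * Writes {@code message} as the whole response. For HTTP responses the status
     * is set to 403 first: the original code left the default 200, so a denied
     * request was indistinguishable from a successful page for clients, proxies
     * and monitoring.
     */
    private static void deny(ServletResponse resp, String message) throws IOException {
        if (resp instanceof HttpServletResponse) {
            ((HttpServletResponse) resp).setStatus(HttpServletResponse.SC_FORBIDDEN);
        }
        PrintWriter out = resp.getWriter();
        out.println(message);
    }

    /** Returns whether {@code creds} (username plus password hash) is an accepted user. */
    private boolean validate(Credentials creds) {
        return getAcceptedUsers().contains(creds);
    }

    /**
     * Returns the accepted users. Placeholder implementation with one hard-coded
     * account; a real deployment would load these from a database or cache.
     */
    private Set<Credentials> getAcceptedUsers() {
        // imagine a proper fetch, e.g. from DB or some cache, here
        Set<Credentials> accepted = new HashSet<Credentials>();
        accepted.add(new Credentials("foo", "bar", false));
        return accepted;
    }

    @Override
    public void destroy() {}
}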
  116.  
  117. package [...].webapp.filters;
  118.  
  119. import [...].security.Credentials;
  120. import [...].webapp.consts.AuthConstants;
  121.  
  122. import javax.servlet.*;
  123. import javax.servlet.annotation.WebFilter;
  124. import java.io.IOException;
  125. import java.util.Date;
  126.  
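/**
 * Audit hook for the mapped URL: records which authenticated user reached the
 * secured resource, then always continues the chain. It gates nothing itself.
 *
 * <p>The user is read from {@link AuthConstants#ATTR_ACTIVE_USER}, which
 * {@code AuthFilter} stores only after successful validation, so this filter
 * only sees a user when it is ordered after {@code AuthFilter} (filter order is
 * decided by the deployment descriptor, not by this class).
 */
@WebFilter(filterName = "SecurityWarningFilter", urlPatterns = "/secret")
public class SecurityWarningFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {}

    /**
     * Logs the access and continues the chain unconditionally.
     *
     * @throws IOException      propagated from the rest of the chain
     * @throws ServletException propagated from the rest of the chain
     */
    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        Object attr = req.getAttribute(AuthConstants.ATTR_ACTIVE_USER);
        // The attribute is absent when no earlier filter authenticated the request
        // (e.g. this filter runs before AuthFilter). The original cast and
        // dereferenced it unconditionally, which turned that into a NullPointerException.
        Credentials accessingUser = attr instanceof Credentials ? (Credentials) attr : null;
        doSecurityWarning(accessingUser);
        chain.doFilter(req, resp);
    }

    /**
     * Emits the audit line for {@code accessingUser}; a {@code null} user is
     * reported as unauthenticated rather than failing the request.
     */
    private void doSecurityWarning(Credentials accessingUser) {
        String timestamp = new Date().toString();
        String who = accessingUser == null ? "<unauthenticated>" : sanitizeForLog(accessingUser.username);

        // imagine some proper logging, here
        System.err.println(String.format("WARNING[%s] access to secured resource by user '%s'", timestamp, who));
    }

    /**
     * Replaces line breaks in a user-supplied value before it is written to the
     * log, so one request cannot forge additional log lines.
     */
    private static String sanitizeForLog(String value) {
        if (value == null) {
            return "<null>";
        }
        return value.replaceAll("[\\r\\n]", "_");
    }

    @Override
    public void destroy() {}
}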
  149.  
  150. package [...].webapp.servlets;
  151.  
  152. import [...].security.Credentials;
  153. import [...].webapp.consts.AuthConstants;
  154.  
  155. import javax.servlet.ServletException;
  156. import javax.servlet.annotation.WebServlet;
  157. import javax.servlet.http.*;
  158. import java.io.IOException;
  159.  
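/**
 * Resource behind {@code /secret}. Reaching it means the request has passed the
 * filters mapped to the same URL; the servlet itself performs no access check.
 */
@WebServlet("/secret")
public class SecretServlet extends HttpServlet {

    // Left public as in the original signature; HttpServlet declares doGet protected,
    // and doPost below keeps that narrower visibility.
    @Override
    public void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        serveRequest(req, resp);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        serveRequest(req, resp);
    }

    /**
     * Writes the success message for both GET and POST.
     *
     * <p>The message is deliberately static. The original passed the active user's
     * name to {@code String.format} without a matching {@code %s}, so the name was
     * never printed, yet the attribute was still dereferenced and produced a
     * NullPointerException whenever no authenticated user was attached.
     */
    private void serveRequest(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        resp.getWriter().println("You are authorised. Welcome.");
    }
}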
  177.  
  178. package [...].security;
  179.  
import javax.xml.bind.annotation.adapters.HexBinaryAdapter;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Objects;
  184.  
  185. public class Credentials{
  186. public final String username;
  187. final String password;
  188.  
  189. public Credentials(String username, String password, boolean isPasswordHashed) {
  190. this.username = username;
  191.  
  192. if(isPasswordHashed) this.password = password;
  193. else {
  194. MessageDigest md;
  195. try {
  196. md = MessageDigest.getInstance("SHA-256");
  197. } catch (NoSuchAlgorithmException e) {
  198. throw new IllegalStateException(e);
  199. }
  200.  
  201. md.update(password.getBytes());
  202. byte[] hash = md.digest();
  203.  
  204. this.password = (new HexBinaryAdapter()).marshal(hash);
  205. }
  206. }
  207.  
  208. @Override
  209. public boolean equals(Object obj) {
  210. if(obj == null) return false;
  211. if(!(obj instanceof Credentials)) return false;
  212. Credentials other = (Credentials)obj;
  213. return this.username.equals(other.username) && this.password.equals(other.password);
  214. }
  215.  
  216. @Override
  217. public int hashCode() {
  218. return Objects.hash(username,password);
  219. }
  220.  
  221. @Override
  222. public String toString() {
  223. return String.format("[nt%snt%sn]", username,password);
  224. }
  225. }