001    package tinlizard.web;
002    
003    import java.lang.reflect.Method;
004    
005    import org.aspectj.lang.reflect.MethodSignature;
006    import java.lang.reflect.*;
007    
008    import javax.servlet.http.HttpServletResponse;
009    
010    import org.aspectj.lang.annotation.*;
011    import org.aspectj.lang.*;
012    
013    import org.kohsuke.stapler.StaplerRequest;
014    import org.kohsuke.stapler.StaplerResponse;
015    
016    import java.io.IOException;
017    
018    import tinlizard.annotation.security.RolesAllowed;
019    import tinlizard.util.Messages;
020    import tinlizard.model.CurrentUser;
021    
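@Aspect
public class RolesAllowedAspect {

    /**
     * Pointcut for public {@code do*(StaplerRequest, StaplerResponse)} handlers in
     * {@code tinlizard.web} annotated with {@link RolesAllowed}; binds the request
     * and response arguments via {@code args}.
     *
     * NOTE(review): {@code jp} is a formal of this pointcut but nothing in the
     * expression binds it (only {@code request} and {@code response} are bound).
     * AspectJ normally rejects unbound pointcut formals and expects the
     * ProceedingJoinPoint as the first parameter of the advice method instead —
     * confirm this weaves under the project's ajc configuration.
     */
    @Pointcut("@annotation(tinlizard.annotation.security.RolesAllowed) && "
            + "execution(public void tinlizard.web.*.do*(org.kohsuke.stapler.StaplerRequest, org.kohsuke.stapler.StaplerResponse)) && "
            + "args(request, response)")
    public void securedDoMethod(StaplerRequest request, StaplerResponse response, ProceedingJoinPoint jp) {
        // Pointcut marker method: intentionally empty.
    }

    /**
     * Around advice that lets the handler run only when the caller is authenticated
     * and holds at least one role listed in the method's {@link RolesAllowed}.
     * Without a principal the response gets 401; with a principal that has none of
     * the listed roles it gets 403; in both cases the handler is not invoked.
     *
     * @param request  the current request; source of the principal and role checks
     * @param response receives the error status when access is denied
     * @param jp       the join point to proceed with when access is granted
     * @return the handler's result when it ran, otherwise {@code null}
     * @throws IllegalStateException wrapping any exception thrown by the handler or by
     *         {@code sendError}, with {@link Messages#error_0502()} as the message
     */
    @Around("securedDoMethod(request, response, jp)")
    public Object beforeAdviceIsUserInRole(StaplerRequest request, StaplerResponse response, ProceedingJoinPoint jp) {
        MethodSignature signature = (MethodSignature) jp.getSignature();
        Method method = signature.getMethod();
        RolesAllowed annotation = method.getAnnotation(RolesAllowed.class);
        // Deny by default: if the annotation cannot be read from the resolved method,
        // use an empty role list so no role can match and the request is rejected
        // below, instead of failing with a NullPointerException before any check.
        String[] roles = annotation == null ? new String[0] : annotation.value();

        Object rval = null;
        try {
            if (request.getUserPrincipal() == null) {
                CurrentUser.setUsername("ANONYMOUS"); //XXX consider getting IP address.
                // NOTE(review): a 401 is expected to carry a WWW-Authenticate header;
                // none is set here — confirm the container or a login filter adds it.
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            } else {
                // NOTE(review): if CurrentUser is thread-bound it is never cleared
                // here — confirm it is reset per request so a username cannot leak
                // into a later request served by the same pooled thread.
                CurrentUser.setUsername(request.getUserPrincipal().getName());
                if (isUserInAnyRole(request, roles)) {
                    rval = jp.proceed();
                } else {
                    response.sendError(HttpServletResponse.SC_FORBIDDEN);
                }
            }
        } catch (Exception e) {
            // NOTE(review): proceed() is declared to throw Throwable, which this
            // catch does not cover; under plain javac that is an unreported
            // exception — confirm the build relies on ajc, or widen the catch /
            // declare throws Throwable. Checked exceptions are re-thrown unchecked.
            throw new IllegalStateException(Messages.error_0502(), e);
        }
        return rval;
    }

    /**
     * Reports whether the request's user holds at least one of the given roles.
     * Stops at the first match; an empty array yields {@code false} (deny by default).
     *
     * @param request the request whose {@code isUserInRole} is consulted
     * @param roles   the role names to test, in order
     * @return {@code true} if any role matches, otherwise {@code false}
     */
    private static boolean isUserInAnyRole(StaplerRequest request, String[] roles) {
        for (String role : roles) {
            if (request.isUserInRole(role)) {
                return true;
            }
        }
        return false;
    }
}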