Implementation
Three files are key to the implementation of an access control
filter in the FBS:
ibfbs/etc/web.xml
ibfbs/src/public_html/xml/Control.xml
ibfbs/src/oracle/otnsamples/ibfbs/control/AccessControlFilter.java
Here is the part of web.xml that defines the
class and URL mapping for the access control filter. The filter named AccessControlFilter
is implemented by the oracle.otnsamples.ibfbs.control.AccessControlFilter
class. It is invoked each time a user requests a resource from a URI containing
the /controllerservlet pattern (example: http://www.mydomain.com/controllerservlet/foo.jsp).
<filter>
  <filter-name>AccessControlFilter</filter-name>
  <filter-class>oracle.otnsamples.ibfbs.control.AccessControlFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>AccessControlFilter</filter-name>
  <url-pattern>/controllerservlet</url-pattern>
</filter-mapping>
Here are some entries from ibfbs/src/public_html/xml/Control.xml
that associate events, user roles, and JSPs. An Individual User can buy stock,
but only a Corporate User can access the JSP that displays the Corporate Upload
screen, and only an Administrator can upload news. However, any user can login.
<Event>
<Name>BUYSTOCK</Name>
<Class>oracle.otnsamples.ibfbs.trademanagement.helper.TradeManagementHelper</Class>
<Method>buyStock</Method>
<Screen>jsps/BuyStock.jsp</Screen>
<Roles>
<Role>USER</Role>
</Roles>
</Event>
...
<Event>
<Name>CORPUPLOAD</Name>
<Class></Class>
<Method></Method>
<Screen>jsps/CorporateUpload.jsp</Screen>
<Roles>
<Role>CORP</Role>
</Roles>
</Event>
...
<Event>
<Name>CONFIGNEWSUPLOAD</Name>
<Class>oracle.otnsamples.ibfbs.admin.helper.AdminHelper</Class>
<Method>configNewsUpload</Method>
<Screen>jsps/UploadData.jsp</Screen>
<Roles>
<Role>ADMIN</Role>
</Roles>
</Event>
...
<Event>
<Name>LOGIN</Name>
<Class>oracle.otnsamples.ibfbs.usermanagement.helper.UserManagementHelper</Class>
<Method>checkPassword</Method>
<Screen>jsps/MyHome.jsp</Screen>
<Roles>
<Role>DEFAULT</Role>
<Role>USER</Role>
<Role>CORP</Role>
<Role>ADMIN</Role>
</Roles>
</Event>
The FBS reads from the mapping file when the Access Control
filter is initialized, and the AccessControlFilter.doFilter method
handles the filtering chores. After getting the user's role and the URL of the
requested page, doFilter then checks these values against the mapping
data. If the requested page is appropriate for the user's role, the code calls
chain.doFilter to invoke the page and continue with normal processing.
Otherwise, the code calls request.setAttribute before chain.doFilter,
and as a result, the Controller Servlet redirects the user to a login page.
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
        throws IOException, ServletException {
    HttpSession session = ((HttpServletRequest) request).getSession();
    String eventName = request.getParameter("EVENTNAME");

    if (eventName != null && urlMap != null) {
        // Role stored in the session at login; anonymous users get DEFAULT
        String role = (String) session.getAttribute("ROLE");
        if (role == null)
            role = "DEFAULT";

        // urlMap was loaded from Control.xml in init(); look up the requested event
        URLMapping event = (URLMapping) urlMap.get(eventName);
        if ((event != null) && (event.getRoles() != null) && (event.getRoles().length > 0)) {
            // New session so not logged in yet. Redirect to login page
            if (session.isNew())
                request.setAttribute("EVENTNAME", "FIRSTPAGE");
            // If invalid access, redirect to login page
            else if (!event.isValidRole(role))
                request.setAttribute("EVENTNAME", "LOGINPAGE");
        }
    } else {
        request.setAttribute("EVENTNAME", "FIRSTPAGE");
    }

    // The chain is always continued. If EVENTNAME was overridden above, the
    // Controller Servlet sees the new value and redirects to the login page;
    // otherwise the request proceeds with normal processing.
    chain.doFilter(request, response);
}
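To make the mapping semantics concrete, the following added example (not part of the FBS sample code) models in Python what the filter's initialization and doFilter do: it parses the Control.xml entries shown above into an event-to-roles map and returns the EVENTNAME the Controller Servlet would see for a given role and session state. The `<Events>` root element wrapping the entries is an assumption, since the page shows only the individual `<Event>` blocks.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt of Control.xml built from the entries shown above;
# the <Events> root element is assumed, the page shows only the <Event> blocks.
CONTROL_XML = """<Events>
<Event><Name>BUYSTOCK</Name><Screen>jsps/BuyStock.jsp</Screen>
  <Roles><Role>USER</Role></Roles></Event>
<Event><Name>CORPUPLOAD</Name><Screen>jsps/CorporateUpload.jsp</Screen>
  <Roles><Role>CORP</Role></Roles></Event>
<Event><Name>CONFIGNEWSUPLOAD</Name><Screen>jsps/UploadData.jsp</Screen>
  <Roles><Role>ADMIN</Role></Roles></Event>
<Event><Name>LOGIN</Name><Screen>jsps/MyHome.jsp</Screen>
  <Roles><Role>DEFAULT</Role><Role>USER</Role><Role>CORP</Role><Role>ADMIN</Role></Roles></Event>
</Events>"""


def load_url_map(xml_text):
    """Build {event name: {"screen": jsp, "roles": set}} as the filter's init() would."""
    url_map = {}
    for ev in ET.fromstring(xml_text).findall("Event"):
        roles = {r.text for r in ev.findall("Roles/Role")}
        url_map[ev.findtext("Name")] = {"screen": ev.findtext("Screen"), "roles": roles}
    return url_map


def route_event(url_map, event_name, role=None, new_session=False):
    """Mirror doFilter: return the EVENTNAME the Controller Servlet will see.

    FIRSTPAGE  -> no event given, or a brand-new session hitting a protected event
    LOGINPAGE  -> the session's role is not listed for the event
    event_name -> access allowed (also for events with no role list, or
                  event names absent from the map, which pass through unchecked)
    """
    if event_name is None or url_map is None:
        return "FIRSTPAGE"
    role = role or "DEFAULT"          # anonymous users are treated as DEFAULT
    event = url_map.get(event_name)
    if event is not None and event["roles"]:
        if new_session:
            return "FIRSTPAGE"
        if role not in event["roles"]:
            return "LOGINPAGE"
    return event_name
```

Note that, exactly as in doFilter, an event name that is missing from Control.xml is passed through unchanged, so every protected event must have an entry with a non-empty role list.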