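/*
 * Copyright 2002-2014 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.springframework.web.portlet.handler;

import java.io.IOException;
import javax.portlet.PortletException;
import javax.portlet.PortletRequest;
import javax.portlet.PortletResponse;
import javax.portlet.PortletSecurityException;

/**
 * Interceptor that checks the authorization of the current user via the
 * user's roles, as evaluated by PortletRequest's isUserInRole method.
 *
 * <p>Authorization semantics, as implemented by {@link #preHandle}:
 * <ul>
 * <li>The user is authorized if {@code request.isUserInRole(role)} returns
 * {@code true} for <em>any one</em> of the configured roles ("any-of",
 * not "all-of").</li>
 * <li>If no roles have been configured (the array is {@code null} or empty),
 * <em>every</em> request is rejected: the interceptor fails closed rather
 * than open. An empty role list is therefore not a "permit all" setting.</li>
 * <li>Role names are handed to the container verbatim; how they are mapped
 * (e.g. via a portlet.xml {@code <security-role-ref>}) and whether matching
 * is case-sensitive is up to the portlet container.</li>
 * </ul>
 *
 * <p>Rejected requests are routed to {@link #handleNotAuthorized}, which by
 * default throws a {@link PortletSecurityException}. Whether or not that
 * method throws, {@code preHandle} returns {@code false}, so the target
 * handler is never executed for an unauthorized request.
 *
 * @author John A. Lewis
 * @author Juergen Hoeller
 * @since 2.0
 * @see javax.portlet.PortletRequest#isUserInRole
 */
public class UserRoleAuthorizationInterceptor extends HandlerInterceptorAdapter {

	private String[] authorizedRoles;


	/**
	 * Set the roles that this interceptor should treat as authorized.
	 * <p>The array is copied, so later modifications to the caller's array
	 * cannot silently alter the authorization policy of this interceptor.
	 * Passing {@code null} (or no roles at all) causes every request to be
	 * rejected by {@link #preHandle}.
	 * @param authorizedRoles array of role names; a user holding any one of
	 * them is considered authorized
	 */
	public final void setAuthorizedRoles(String... authorizedRoles) {
		// Defensive copy: the policy must not change behind our back if the
		// caller keeps a reference to the array and mutates it afterwards.
		this.authorizedRoles = (authorizedRoles != null ? authorizedRoles.clone() : null);
	}


	/**
	 * Check whether the current user holds at least one of the configured roles.
	 * <p>Fails closed: with no roles configured the request is always rejected.
	 * @param request current portlet request
	 * @param response current portlet response
	 * @param handler chosen handler to execute
	 * @return {@code true} if the user is in any configured role (the handler
	 * will execute); {@code false} otherwise, after {@link #handleNotAuthorized}
	 * has been invoked
	 * @throws PortletException typically a {@link PortletSecurityException}
	 * thrown by the default {@link #handleNotAuthorized} implementation
	 * @throws IOException if a custom {@link #handleNotAuthorized} fails to
	 * write the response
	 */
	@Override
	public final boolean preHandle(PortletRequest request, PortletResponse response, Object handler)
			throws PortletException, IOException {

		if (this.authorizedRoles != null) {
			for (String role : this.authorizedRoles) {
				// Any-of semantics: the first matching role authorizes the request.
				if (request.isUserInRole(role)) {
					return true;
				}
			}
		}
		// No role matched (or none configured): deny and never run the handler.
		handleNotAuthorized(request, response, handler);
		return false;
	}

	/**
	 * Handle a request that is not authorized according to this interceptor.
	 * Default implementation throws a new PortletSecurityException.
	 * <p>This method can be overridden to write a custom message, forward or
	 * redirect to some error page or login page, or throw a PortletException.
	 * Note that {@link #preHandle} returns {@code false} regardless of what an
	 * override does, so the handler is never executed; an override that returns
	 * normally is responsible for producing the complete error response. Avoid
	 * echoing the required role names or other policy details to the client.
	 * @param request current portlet request
	 * @param response current portlet response
	 * @param handler chosen handler to execute, for type and/or instance evaluation
	 * @throws javax.portlet.PortletException if there is an internal error
	 * @throws java.io.IOException in case of an I/O error when writing the response
	 */
	protected void handleNotAuthorized(PortletRequest request, PortletResponse response, Object handler)
			throws PortletException, IOException {

		throw new PortletSecurityException("Request not authorized");
	}

}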