1 package com.randomnoun.common.webapp.taglib;
2
3 /* (c) 2013 randomnoun. All Rights Reserved. This work is licensed under a
4 * BSD Simplified License. (http://www.randomnoun.com/bsd-simplified.html)
5 */
6
7 import java.io.*;
8
9 import jakarta.servlet.http.*;
10 import jakarta.servlet.jsp.*;
11 import jakarta.servlet.jsp.tagext.*;
12
13 import org.apache.log4j.Logger;
14
15
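/**
 * Custom JSP tag which is used to ensure that the page was generated from within struts.
 * This is used to prevent users from typing in JSP URLs directly, bypassing
 * our security mechanisms.
 *
 * <p>The check is fail-closed: unless the request carries the
 * {@code "isStrutsRequest"} attribute with the exact string value {@code "true"},
 * the remainder of the page is skipped and a static denial page is written
 * with a {@code 403 Forbidden} status.
 *
 * <p>Place this tag as early as possible in the JSP. {@link #doEndTag()} can only
 * discard output that is still buffered, and can only change the response status
 * while the response has not yet been committed to the client.
 *
 * @author knoxg
 *
 */
public class AuthCheckTag
    extends BodyTagSupport
{

    /** Generated serialVersionUID */
    private static final long serialVersionUID = -6531003975186503397L;

    /** Logger instance for this class */
    private static final Logger logger = Logger.getLogger(AuthCheckTag.class);

    /** Name of the request attribute set on every request by the struts RequestProcessor. */
    private static final String STRUTS_REQUEST_ATTRIBUTE = "isStrutsRequest";

    /** Static denial page; contains no request-derived data, so no escaping is required. */
    private static final String[] DENIAL_PAGE = {
        "<html><body>",
        "<p>Direct access to JSPs is denied by policy</p>",
        "</body></html>"
    };

    /** This variable is set true if the request comes from struts. It is reset on
     * every {@link #doStartTag()} because tag handler instances may be pooled and
     * reused by the container. */
    private boolean isStruts;

    /** doStart tag handler required to fulfill the Tag interface defined in the
     * <a href="http://java.sun.com/products/jsp/">JSP specification</a>.
     *
     * <p>This method determines whether this request has come via the
     * struts framework, by checking the value of the 'isStrutsRequest'
     * request attribute. This is set on every request by the
     * {@link com.randomnoun.common.webapp.struts.RequestProcessor}
     * class. This tag is always empty, and therefore must always
     * return BodyTag.SKIP_BODY
     *
     * <p>Only the exact string {@code "true"} is accepted. An attribute of any
     * other type or value (including {@code null}) leaves the request marked as
     * not coming from struts, rather than failing with a ClassCastException.
     *
     * @return BodyTag.SKIP_BODY
     */
    public int doStartTag()
        throws jakarta.servlet.jsp.JspException
    {
        // String.equals(Object) instead of a (String) cast: an attribute of an
        // unexpected type results in a denial, not an exception.
        Object marker = pageContext.getRequest().getAttribute(STRUTS_REQUEST_ATTRIBUTE);
        isStruts = "true".equals(marker);

        return BodyTag.SKIP_BODY; // this tag always has an empty body.
    }

    /** doEnd tag handler required to fulfill the Tag interface defined in the
     * <a href="http://java.sun.com/products/jsp/">JSP specification</a>.
     *
     * <p>This method enforces the presence of the 'isStrutsRequest' request
     * attribute. If the attribute is present, then processing continues
     * normally, otherwise the response status is set to 403 (when the response
     * is still uncommitted), any buffered output is discarded, a denial message
     * is given to the user, and the requested URL is sent to the logger of this
     * class at WARN level.
     *
     * <p>Note that the output of this tag is *not* internationalised.
     *
     * @return BodyTag.EVAL_PAGE when the request came via struts, otherwise BodyTag.SKIP_PAGE
     * @throws JspException if an unexpected runtime exception occurs while writing the denial page
     */
    public int doEndTag()
        throws jakarta.servlet.jsp.JspException
    {
        if (isStruts) {
            return BodyTag.EVAL_PAGE;
        }

        try {
            HttpServletRequest httpRequest = (HttpServletRequest) pageContext.getRequest();
            HttpServletResponse httpResponse = (HttpServletResponse) pageContext.getResponse();

            // WARN rather than INFO: a denial here is a security-relevant event that
            // operators should be able to pick out of the log. The URL is request-supplied
            // and is logged verbatim for diagnostics.
            logger.warn("Attempt to access JSP directly via URL: '" + httpRequest.getRequestURL() + "'");

            // A denial should not be served with a 200 status. setStatus() is only
            // effective before the response is committed; after that the status
            // line has already gone to the client.
            if (!httpResponse.isCommitted()) {
                httpResponse.setStatus(HttpServletResponse.SC_FORBIDDEN);
            }

            try {
                // try to take back anything buffered to be sent to the client
                pageContext.getOut().clear();
            } catch (IOException clearFailure) {
                // best-effort: content emitted before this tag may already have been
                // flushed, in which case it cannot be withdrawn; the denial page is
                // still written below.
                logger.debug("Could not clear buffered output before writing denial page", clearFailure);
            }

            for (String line : DENIAL_PAGE) {
                pageContext.getOut().println(line);
            }
            return BodyTag.SKIP_PAGE;
        } catch (IOException ioe) {
            // may be caused by end-user hitting 'stop' button in browser; ignore
            return BodyTag.SKIP_PAGE;
        } catch (RuntimeException e) {
            // log with the full stack trace and rethrow wrapped. Only RuntimeException
            // is caught here: Errors (e.g. OutOfMemoryError) are left to propagate
            // rather than being wrapped as a JspException.
            logger.error("Exception occurred in AuthCheckTag", e);
            throw new JspException("Exception occurred in AuthCheckTag", e);
        }
    }
}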