[Yanel-commits] rev 41507 -
public/yanel/trunk/src/webapp/src/java/org/wyona/yanel/servlet
michi at wyona.com
michi at wyona.com
Wed Feb 11 12:50:15 CET 2009
Author: michi
Date: 2009-02-11 12:50:15 +0100 (Wed, 11 Feb 2009)
New Revision: 41507
Modified:
public/yanel/trunk/src/webapp/src/java/org/wyona/yanel/servlet/YanelServlet.java
Log:
extra authorization check re toolbar
Modified: public/yanel/trunk/src/webapp/src/java/org/wyona/yanel/servlet/YanelServlet.java
===================================================================
--- public/yanel/trunk/src/webapp/src/java/org/wyona/yanel/servlet/YanelServlet.java 2009-02-11 11:38:19 UTC (rev 41506)
+++ public/yanel/trunk/src/webapp/src/java/org/wyona/yanel/servlet/YanelServlet.java 2009-02-11 11:50:15 UTC (rev 41507)
@@ -1880,7 +1880,17 @@
if (toolbarMasterSwitch.equals("on")) {
OutputStream os = response.getOutputStream();
try {
- yanelUI.mergeToolbarWithContent(request, response, res, view);
+ Usecase usecase = new Usecase(TOOLBAR_USECASE);
+ Identity identity = getIdentity(request, map);
+ Realm realm = map.getRealm(request.getServletPath());
+ String path = map.getPath(realm, request.getServletPath());
+ // NOTE: This extra authorization check is necessary within a multi-realm environment, because after activating the toolbar with a query string, the toolbar flag attached to the session will be ignored by doAccessControl(). One could possibly do this check within doAccessControl(), but could be a peformance issue! Or as an alternative one could refactor the code, such that the toolbar session flag is realm aware.
+ if(realm.getPolicyManager().authorize(path, identity, usecase)) {
+ yanelUI.mergeToolbarWithContent(request, response, res, view);
+ return response;
+ } else {
+ log.warn("Toolbar authorization denied (Realm: '" + realm.getName() + "', User: '" + identity.getUsername() + "', Path: '" + path + "')!");
+ }
} catch (Exception e) {
log.error(e, e);
String message = "Error merging toolbar into content: " + e.toString();
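Review bot: The denial branch after `authorize(path, identity, usecase)` only logs and then falls out of the `try`, so with the trailing `return response;` dropped in the next hunk a denied request continues into code outside this hunk; confirm that code still writes the un-merged view to the response on which `getOutputStream()` has already been called (a later `getWriter()` on it would throw IllegalStateException), rather than leaving the body empty. If `getIdentity(request, map)` can return null for an unauthenticated request (not visible here), `identity.getUsername()` in the warn message throws inside the `try` and the deny path becomes the "Error merging toolbar into content" error page, with `e.toString()` presumably reaching the client via `setYanelOutput`, instead of a clean refusal; `(identity != null ? identity.getUsername() : "anonymous")` in the log call avoids that, and the same consideration applies to `realm` if `map.getRealm(...)` can return null. The logged `path` is derived from the request's servlet path, so keep it in the structured log fields or strip CR/LF before concatenation if the log viewer does not escape it. The enclosing method starts and ends outside this hunk.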
@@ -1890,7 +1900,6 @@
setYanelOutput(request, response, doc);
return response;
}
- return response;
} else {
log.info("Toolbar has been disabled. Please check web.xml!");
}