[Yanel-commits] rev 41507 - public/yanel/trunk/src/webapp/src/java/org/wyona/yanel/servlet

michi at wyona.com michi at wyona.com
Wed Feb 11 12:50:15 CET 2009


Author: michi
Date: 2009-02-11 12:50:15 +0100 (Wed, 11 Feb 2009)
New Revision: 41507

Modified:
   public/yanel/trunk/src/webapp/src/java/org/wyona/yanel/servlet/YanelServlet.java
Log:
extra authorization check re toolbar

Modified: public/yanel/trunk/src/webapp/src/java/org/wyona/yanel/servlet/YanelServlet.java
===================================================================
--- public/yanel/trunk/src/webapp/src/java/org/wyona/yanel/servlet/YanelServlet.java	2009-02-11 11:38:19 UTC (rev 41506)
+++ public/yanel/trunk/src/webapp/src/java/org/wyona/yanel/servlet/YanelServlet.java	2009-02-11 11:50:15 UTC (rev 41507)
@@ -1880,7 +1880,17 @@
                         if (toolbarMasterSwitch.equals("on")) {
                             OutputStream os = response.getOutputStream();
                             try {
-                                yanelUI.mergeToolbarWithContent(request, response, res, view);
+                                Usecase usecase = new Usecase(TOOLBAR_USECASE);
+                                Identity identity = getIdentity(request, map);
+                                Realm realm = map.getRealm(request.getServletPath());
+                                String path = map.getPath(realm, request.getServletPath());
+                                // NOTE: This extra authorization check is necessary within a multi-realm environment, because after activating the toolbar with a query string, the toolbar flag attached to the session will be ignored by doAccessControl(). One could possibly do this check within doAccessControl(), but could be a peformance issue! Or as an alternative one could refactor the code, such that the toolbar session flag is realm aware.
+                                if(realm.getPolicyManager().authorize(path, identity, usecase)) {
+                                    yanelUI.mergeToolbarWithContent(request, response, res, view);
+                                    return response;
+                                } else {
+                                    log.warn("Toolbar authorization denied (Realm: '" + realm.getName() + "', User: '" + identity.getUsername() + "', Path: '" + path + "')!");
+                                }
                             } catch (Exception e) {
                                 log.error(e, e);
                                 String message = "Error merging toolbar into content: " + e.toString();
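Review bot: On the denied branch the method no longer returns — the second hunk removes the unconditional `return response;` after the try block — so the request falls through to whatever follows the if/else (outside this hunk) after `response.getOutputStream()` has already been called on the line before the try. If that downstream path writes through `response.getWriter()`, the servlet container will throw IllegalStateException, so the stream should only be acquired once the toolbar is actually going to be merged: move `OutputStream os = response.getOutputStream();` inside the authorized branch, directly before `yanelUI.mergeToolbarWithContent(request, response, res, view);`. The warn message also dereferences `identity.getUsername()`; if `getIdentity()` can return null for unauthenticated requests, the denial is reported as an "Error merging toolbar into content" response via the catch block rather than as an authorization denial, so guarding with `identity != null ? identity.getUsername() : "anonymous"` keeps the audit log accurate. Consider adding a comment on the denied branch stating the intended outcome, e.g. `// Denied: fall through and serve the content without the toolbar`, since that behaviour is only visible from the return removed in the second hunk. The enclosing method starts and ends outside both hunks.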
@@ -1890,7 +1900,6 @@
                                 setYanelOutput(request, response, doc);
                                 return response;
                             }
-                            return response;
                         } else {
                             log.info("Toolbar has been disabled. Please check web.xml!");
                         }


