001 /* 002 * Copyright (c) 2009 The openGion Project. 003 * 004 * Licensed under the Apache License, Version 2.0 (the "License"); 005 * you may not use this file except in compliance with the License. 006 * You may obtain a copy of the License at 007 * 008 * http://www.apache.org/licenses/LICENSE-2.0 009 * 010 * Unless required by applicable law or agreed to in writing, software 011 * distributed under the License is distributed on an "AS IS" BASIS, 012 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, 013 * either express or implied. See the License for the specific language 014 * governing permissions and limitations under the License. 015 */ 016 package org.opengion.hayabusa.filter; 017 018 import org.opengion.hayabusa.common.HybsSystem; 019 020 import java.io.File; // 5.7.3.2 (2014/02/28) Tomcat8 対å¿? 021 import java.io.IOException; 022 import java.io.PrintWriter; 023 024 import javax.servlet.Filter; 025 import javax.servlet.FilterChain; 026 import javax.servlet.FilterConfig; 027 import javax.servlet.ServletContext; 028 import javax.servlet.ServletException; 029 import javax.servlet.ServletRequest; 030 import javax.servlet.ServletResponse; 031 import javax.servlet.RequestDispatcher; 032 import javax.servlet.http.HttpServletResponse; 033 import javax.servlet.http.HttpServletRequest; 034 035 import org.opengion.fukurou.security.URLHashMap; 036 import org.opengion.fukurou.util.StringUtil; 037 import org.opengion.fukurou.util.FileString; 038 039 /** 040 * URLHashFilter ã¯ã€Filter インターフェースを継承ã—㟠URLãƒã‚§ãƒ?‚¯ã‚¯ãƒ©ã‚¹ã§ã™ã? 041 * web.xml ã§ filter è¨å®šã™ã‚‹ã“ã¨ã«ã‚ˆã‚Šã€å?ç?‚’é–‹å§‹ã—ã¾ã™ã? 042 * filter 処ç??ã€è¨å®šãƒ¬ãƒ™ãƒ«ã¨URLã®é£›ã?å…ˆã«ã‚ˆã‚Šå‡¦ç?–¹æ³•ãŒç•°ãªã‚Šã¾ã™ã? 043 * ã“ã?フィルターã§ã¯ã€ãƒãƒ?‚·ãƒ¥åŒ?æš—å·åŒ–ã§ã¯ãªãã?ã‚¢ãƒ‰ãƒ¬ã‚¹ã«æˆ»ã™ä½œæ¥ã«ãªã‚Šã¾ã™ã? 044 * å†?ƒ¨URLã®å ´åˆã?ãƒãƒƒã‚·ãƒ¥åŒ–ã?外部URLã®å ´åˆã?æš—å·åŒ–ã«é©ç”¨ã•れã¾ã™ã? 045 * 046 * 基本çš?«ã¯ã€å¤–部ã¸ã®URLã§ã‚¨ãƒ³ã‚¸ãƒ³ã‚·ã‚¹ãƒ?ƒ ã¸é£›ã?ã™å?åˆã?ã€æš—å·åŒ–ã«ãªã‚Šã¾ã™ã? 047 * å†?ƒ¨ã¸ã®URLã¯ã€åŸºæœ¬çš?«ã€ãƒ‘ラメータã®ã¿æš—å·åŒ–を行ã„ã¾ã™ã?ãªãŠã?直接画é¢IDã‚? 048 * æŒ?®šã—ã¦é£›ã?ã™å?åˆã‚’ã€æ¢ã‚ã‚‹ã‹ã©ã?‹ã¯ã€è¨å®šãƒ¬ãƒ™ãƒ«ã«ä¾å˜ã—ã¾ã™ã? 049 * 050 * フィルターã®è¨å®šãƒ¬ãƒ™ãƒ«ã¯ã€ã‚·ã‚¹ãƒ?ƒ リソース㮠URL_ACCESS_SECURITY_LEVEL 変数㧠051 * è¨å®šã—ã¾ã™ã? 052 * ãªãŠã?å?ƒ¬ãƒ™ãƒ«å…±é€šã§ã€æˆ»ã—å?ç??レベルã«é–¢ä¿‚ãªã実行ã•れã¾ã™ã? 053 * レベル?:ãªã«ã‚‚制é™ã?ã‚りã¾ã›ã‚“ã€? 054 * レベル?‘:Referer ãƒã‚§ãƒ?‚¯ã‚’行ã„ã¾ã™ã?ã¤ã¾ã‚Šã?URLを直接入力ã—ã¦ã‚‚動作ã—ã¾ã›ã‚“ã€? 055 * ãŸã ã—ã?RefererãŒä»˜ã„ã¦ã•ãˆã?‚Œã°ã€ã‚¢ã‚¯ã‚»ã‚¹è¨±å¯ã‚’与ãˆã¾ã™ã? 056 * Referer ç„¡ã—ã?å ´åˆã§ã‚‚ã?URLã«ãƒ‘ラメータãŒå˜åœ¨ã—ãªã??ã¾ãŸã?ã€? 057 * アドレスãŒãƒãƒ?‚·ãƒ¥åŒ?æš—å·åŒ–ã•れã¦ã?‚‹å ´åˆã?ã€ã‚¢ã‚¯ã‚»ã‚¹ã‚’許å¯ã—ã¾ã™ã? 058 * レベル?‘ã?å ´åˆã?ãƒãƒƒã‚·ãƒ¥æˆ»ã?è¤?ˆåŒ–å?ç??行ã„ã¾ã™ã?ã‚ãã¾ã§ã€ãƒãƒ?‚·ãƒ¥åŒ? 059 * æš—å·åŒ–ã•れã¦ã?ªã??åˆã§ã‚‚ã?Refererã•ãˆã‚れã°ã€è¨±å¯ã™ã‚‹ã¨ã?†ã“ã¨ã§ã™ã? 060 * (パラメータãªã?or ãƒãƒƒã‚·ãƒ¥ã‚り or Refererã‚り ã®å ´åˆã?許å¯) 061 * レベル?’:フィルター処ç?¨ã—ã¦ã¯ã€ãƒ¬ãƒ™ãƒ«?‘ã¨åŒã˜ã§ã™ã? 062 * ç•°ãªã‚‹ã?ã¯ã€URLã®ãƒãƒƒã‚·ãƒ¥åŒ?æš—å·åŒ–å?ç?‚’ã€å¤–部URLã«å¯¾ã—ã¦ã®ã¿è¡Œã„ã¾ã™ã? 063 * (パラメータãªã?or ãƒãƒƒã‚·ãƒ¥ã‚り or Refererã‚り ã®å ´åˆã?許å¯) 064 * レベル?“:URLã®ãƒ‘ラメータãŒãƒãƒ?‚·ãƒ¥åŒ?æš—å·åŒ–ã•れã¦ã?‚‹å¿?¦ãŒã‚りã¾ã™ã? 065 * レベル?‘åŒæ§˜ã?URLã«ãƒ‘ラメータãŒå˜åœ¨ã—ãªã??åˆã?ã€ã‚¢ã‚¯ã‚»ã‚¹ã‚’許å¯ã—ã¾ã™ã? 066 * レベル?‘ã¨ç•°ãªã‚‹ã?ã¯ã€ãƒ‘ラメータã¯å¿?šãƒãƒƒã‚·ãƒ¥åŒ–ã‹ã€æš—å·åŒ–ã•れã¦ã?‚‹ 067 * å¿?¦ãŒã‚ã‚‹ã¨ã?†ã“ã¨ã§ã™ã?(å†?ƒ¨/外部å•ã‚ã? 068 * (パラメータãªã?or ãƒãƒƒã‚·ãƒ¥ã‚り ã®å ´åˆã?許å¯) 069 * ãã‚Œä»¥å¤–ï¼šã‚¢ã‚¯ã‚»ã‚¹ã‚’åœæ¢ã—ã¾ã™ã? 070 * 071 * フィルターã«å¯¾ã—ã¦web.xml ã§ãƒ‘ラメータをè¨å®šã—ã¾ã™ã? 072 * ・filename :åœæ¢æ™‚メãƒ?‚»ãƒ¼ã‚¸è¡¨ç¤ºãƒ•ァイルå?ä¾?/jsp/custom/refuseAccess.html) 073 * ・initPage :æœ??ã«ã‚¢ã‚¯ã‚»ã‚¹ã•れるå?期画é¢ã‚¢ãƒ‰ãƒ¬ã‚¹(åˆæœŸå€¤:/jsp/index.jsp) 074 * ・debug :ãƒ?ƒãƒ?‚°ãƒ¡ãƒ?‚»ãƒ¼ã‚¸ã®è¡¨ç¤º(åˆæœŸå€¤:false) 075 * 076 * ã€WEB-INF/web.xmlã€? 077 * <filter> 078 * <filter-name>URLHashFilter</filter-name> 079 * <filter-class>org.opengion.hayabusa.filter.URLHashFilter</filter-class> 080 * <init-param> 081 * <param-name>filename</param-name> 082 * <param-value>/jsp/custom/refuseAccess.html</param-value> 083 * </init-param> 084 * <init-param> 085 * <param-name>initPage</param-name> 086 * <param-value>/jsp/index.jsp</param-value> 087 * </init-param> 088 * <init-param> 089 * <param-name>debug</param-name> 090 * <param-value>false</param-value> 091 * </init-param> 092 * </filter> 093 * 094 * <filter-mapping> 095 * <filter-name>URLHashFilter</filter-name> 096 * <url-pattern>*.jsp</url-pattern> 097 * </filter-mapping> 098 * 099 * @og.group フィルター処ç? 100 * 101 * @og.rev 5.2.2.0 (2010/11/01) æ–°è¦è¿½åŠ? 102 * 103 * @version 5.2.2.0 (2010/11/01) 104 * @author Kazuhiko Hasegawa 105 * @since JDK1.6, 106 */ 107 public final class URLHashFilter implements Filter { 108 private static final String REQ_KEY = HybsSystem.URL_HASH_REQ_KEY ; 109 110 private static final int ACCS_LVL = HybsSystem.sysInt( "URL_ACCESS_SECURITY_LEVEL" ); 111 112 private String initPage = "/jsp/index.jsp"; 113 // private String filename = null; // ã‚¢ã‚¯ã‚»ã‚¹æ‹’å¦æ™‚メãƒ?‚»ãƒ¼ã‚¸è¡¨ç¤ºãƒ•ァイルå? 114 private FileString refuseMsg = null; // ã‚¢ã‚¯ã‚»ã‚¹æ‹’å¦æ™‚メãƒ?‚»ãƒ¼ã‚¸ãƒ•ァイルã®å†?®¹(ã‚ャãƒ?‚·ãƒ¥) 115 private boolean isDebug = false; 116 117 /** 118 * フィルター処ç?œ¬ä½“ã?メソãƒ?ƒ‰ã§ã™ã? 119 * 120 * @og.rev 5.3.0.0 (2010/12/01) æ–?—化ã‘対ç–ã¨ã—ã¦ã€setCharacterEncoding を実行ã™ã‚‹ã? 121 * 122 * @param request ServletRequestオブジェクãƒ? 123 * @param response ServletResponseオブジェクãƒ? 124 * @param chain FilterChainオブジェクãƒ? 125 * @throws IOException 入出力エラーãŒç™ºç”Ÿã—ãŸã¨ã? 126 * @throws ServletException サーブレãƒ?ƒˆé–¢ä¿‚ã?エラーãŒç™ºç”Ÿã—ãŸå?åˆã?throw ã•れã¾ã™ã? 127 */ 128 public void doFilter( final ServletRequest request, final ServletResponse response, final FilterChain chain ) throws IOException, ServletException { 129 HttpServletRequest req = (HttpServletRequest)request ; 130 req.setCharacterEncoding( "UTF-8" ); // 5.3.0.0 (2010/12/01) 131 132 if( isValidAccess( req ) ) { 133 String h_r = req.getParameter( REQ_KEY ); 134 // ãƒãƒƒã‚·ãƒ¥åŒ–ã‚ーãŒå˜åœ¨ã™ã‚‹ã€? 135 if( h_r != null ) { 136 HttpServletResponse resp = ((HttpServletResponse)response); 137 String qu = URLHashMap.getValue( h_r ); 138 // ã‚ーã«å¯¾ã™ã‚‹å®Ÿã‚¢ãƒ‰ãƒ¬ã‚¹ãŒå˜åœ¨ã™ã‚‹ã€? 139 if( qu != null ) { 140 String requestURI = req.getRequestURI(); // /gf/jsp/index.jsp ãªã© 141 String cntxPath = req.getContextPath(); // /gf ãªã© 142 // 自åˆ??身ã®ã‚³ãƒ³ãƒ?‚ストã¨åŒã˜ãªã®ã§ã€forward ã§ãã‚‹ã€? 143 if( requestURI.startsWith( cntxPath ) ) { 144 String url = requestURI.substring(cntxPath.length()) + "?" + qu ; 145 RequestDispatcher rd = request.getRequestDispatcher( url ); 146 rd.forward( request,response ); 147 } 148 // ãã†ã§ãªã??åˆã?リãƒ?‚¤ãƒ¬ã‚¯ãƒˆã™ã‚‹ã? 149 else { 150 String url = resp.encodeRedirectURL( requestURI + "?" + qu ); 151 resp.sendRedirect( url ); 152 } 153 } 154 // ã‚ーã«å¯¾ã™ã‚‹å®Ÿã‚¢ãƒ‰ãƒ¬ã‚¹ãŒå˜åœ¨ã—ãªã??(行ã先無ã—ã?ケース) 155 else { 156 String url = resp.encodeRedirectURL( initPage ); 157 resp.sendRedirect( url ); 158 } 159 } 160 // ãƒãƒƒã‚·ãƒ¥åŒ–ã‚ーãŒå˜åœ¨ã—ãªã?? 161 else { 162 chain.doFilter(request, response); 163 } 164 } 165 else { 166 // アクセス拒å¦ã‚’示ã™ãƒ¡ãƒ?‚»ãƒ¼ã‚¸ãƒ•ァイルã®å†?®¹ã‚’å?力ã™ã‚‹ã? 167 response.setContentType( "text/html; charset=UTF-8" ); 168 PrintWriter out = response.getWriter(); 169 out.println( refuseMsg.getValue() ); 170 out.flush(); 171 } 172 } 173 174 /** 175 * フィルターã®åˆæœŸå‡¦ç?ƒ¡ã‚½ãƒ?ƒ‰ã§ã™ã? 176 * 177 * フィルターã«å¯¾ã—ã¦web.xml ã§åˆæœŸãƒ‘ラメータをè¨å®šã—ã¾ã™ã? 178 * ・filename :åœæ¢æ™‚メãƒ?‚»ãƒ¼ã‚¸è¡¨ç¤ºãƒ•ァイルå? 179 * ・initPage :æœ??ã«ã‚¢ã‚¯ã‚»ã‚¹ã•れるå?期画é¢ã‚¢ãƒ‰ãƒ¬ã‚¹(åˆæœŸå€¤:/jsp/index.jsp) 180 * ・debug :ãƒ?ƒãƒ?‚°ãƒ¡ãƒ?‚»ãƒ¼ã‚¸ã®è¡¨ç¤º(åˆæœŸå€¤:false) 181 * 182 * @og.rev 5.7.3.2 (2014/02/28) Tomcat8 対応ã?getRealPath( "/" ) ã®äº’æ›æ€§ã®ãŸã‚ã®ä¿®æ£ã€? 183 * 184 * @param config FilterConfigオブジェクãƒ? 185 */ 186 public void init( final FilterConfig config ) { 187 initPage = StringUtil.nval( config.getInitParameter("initPage"), initPage ); 188 isDebug = StringUtil.nval( config.getInitParameter("debug") , isDebug ); 189 190 ServletContext context = config.getServletContext(); 191 // String realPath = context.getRealPath( "/" ); 192 String realPath = context.getRealPath( "" ) + File.separator; // 5.7.3.2 (2014/02/28) Tomcat8 対å¿? 193 194 // アクセス拒å¦ã‚’示ã™ãƒ¡ãƒ?‚»ãƒ¼ã‚¸ãƒ•ァイルã®å†?®¹ã‚’管ç?™ã‚?FileString オブジェクトを構築ã™ã‚‹ã? 195 String filename = realPath + config.getInitParameter("filename"); 196 refuseMsg = new FileString(); 197 refuseMsg.setFilename( filename ); 198 refuseMsg.setEncode( "UTF-8" ); 199 } 200 201 /** 202 * フィルターã®çµ‚äº??ç?ƒ¡ã‚½ãƒ?ƒ‰ã§ã™ã? 203 * 204 */ 205 public void destroy() { 206 // ã“ã“ã§ã¯å‡¦ç?‚’行ã„ã¾ã›ã‚“ã€? 207 } 208 209 /** 210 * フィルターã®å†?ƒ¨çŠ¶æ…‹ã‚’ãƒã‚§ãƒ?‚¯ã™ã‚‹ãƒ¡ã‚½ãƒ?ƒ‰ã§ã™ã? 211 * 212 * 判定æ¡ä»¶ã¯ã€URL_ACCESS_SECURITY_LEVEL 変数 ã«å¿œã˜ã¦ç•°ãªã‚Šã¾ã™ã? 213 * レベル?:ãªã«ã‚‚制é™ã?ã‚りã¾ã›ã‚“ã€? 214 * レベル?‘:Referer ãƒã‚§ãƒ?‚¯ã‚’行ã„ã¾ã™ã?ã¤ã¾ã‚Šã?URLを直接入力ã—ã¦ã‚‚動作ã—ã¾ã›ã‚“ã€? 215 * レベル?’:URLã®ãƒãƒƒã‚·ãƒ¥åŒ?æš—å·åŒ–å?ç?‚’ã€å¤–部URLã«å¯¾ã—ã¦ã®ã¿è¡Œã„ã¾ã™ã?(ãƒã‚§ãƒ?‚¯ã¯ã€ãƒ¬ãƒ™ãƒ«?‘ã¨åŒç? 216 * レベル?“:URLã®ãƒ‘ラメータãŒãƒãƒ?‚·ãƒ¥åŒ?æš—å·åŒ–ã•れã¦ã?‚‹å¿?¦ãŒã‚りã¾ã™ã? 217 * ãã‚Œä»¥å¤–ï¼šã‚¢ã‚¯ã‚»ã‚¹ã‚’åœæ¢ã—ã¾ã™ã? 218 * 219 * @param request HttpServletRequestオブジェクãƒ? 220 * 221 * @return (true:è¨±å¯ false:æ‹’å¦) 222 */ 223 private boolean isValidAccess( final HttpServletRequest request ) { 224 if( ACCS_LVL == 0 ) { return true; } // レベル?:無æ¡ä»¶ã‚¢ã‚¯ã‚»ã‚¹ 225 226 String httpReferer = request.getHeader( "Referer" ); 227 String requestURI = request.getRequestURI(); 228 String queryString = request.getQueryString(); 229 String hashVal = request.getParameter( REQ_KEY ); 230 231 if( isDebug ) { 232 System.out.println( "URLHashFilter#httpReferer = " + httpReferer ); 233 System.out.println( "URLHashFilter#requestURI = " + requestURI ); 234 } 235 236 // 基準ã¨ãªã‚‹è¨±å¯?šãƒ‘ラメータãªã?or ãƒãƒƒã‚·ãƒ¥ã‚りã®å ´å? 237 boolean flag2 = ( queryString == null || hashVal != null ) ; 238 239 // レベル???’:パラメータãªã?or ãƒãƒƒã‚·ãƒ¥ã‚り or Refererã‚り ã®å ´åˆã?è¨±å¯ 240 if( ACCS_LVL == 1 || ACCS_LVL == 2 ) { 241 return ( flag2 || httpReferer != null ); 242 } 243 244 // レベル?“:パラメータãªã?or ãƒãƒƒã‚·ãƒ¥ã‚りã®å ´åˆã?è¨±å¯ 245 if( ACCS_LVL == 3 ) { 246 String cntxPath = request.getContextPath(); // /gf ãªã© 247 // 特別処置 248 return flag2 || 249 requestURI.equalsIgnoreCase( initPage ) || 250 requestURI.startsWith( cntxPath + "/jsp/menu/" ) || 251 requestURI.startsWith( cntxPath + "/jsp/custom/" ) || 252 requestURI.startsWith( cntxPath + "/jsp/common/" ) ; 253 } 254 255 return false; // ãれ以外:無æ¡ä»¶æ‹’å¦ 256 } 257 258 /** 259 * å†?ƒ¨çŠ¶æ…‹ã‚’æ–?—å?ã§è¿”ã—ã¾ã™ã? 260 * 261 * @return ã“ã?ã‚¯ãƒ©ã‚¹ã®æ–?—å?表示 262 */ 263 @Override 264 public String toString() { 265 StringBuilder sb = new StringBuilder() 266 .append( this.getClass().getCanonicalName() ).append( " : ") 267 .append( "initPage = [" ).append( initPage ).append( "] , ") 268 // .append( "filename = [" ).append( filename ).append( "] , ") 269 .append( "isDebug = [" ).append( isDebug ).append( "]"); 270 return (sb.toString()); 271 } 272 }