AuthenticationFilter.java - This Java code implements an au…

/src/main/java/com/google/ie/web/filter/AuthenticationFilter.java

http://thoughtsite.googlecode.com/ · Java · 151 lines · 82 code · 25 blank · 44 comment · 17 complexity · d8b417ed4f0339f2b643ce515beed212 MD5 · raw file


/* Copyright 2010 Google Inc.
 * 
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 * 
 *      http://www.apache.org/licenses/LICENSE-2.0
 * 
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS.
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License
 */

package com.google.ie.web.filter;

import com.google.ie.common.constants.IdeaExchangeConstants;

import org.apache.log4j.Logger;

import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Temporary class to allow site access based on access code
 * 
 * @author adahiya
 * 
 */
public class AuthenticationFilter implements Filter {

    private static final Logger LOGGER = Logger.getLogger(AuthenticationFilter.class);
    private FilterConfig filterConfig;

    private String accessCode;
    private String exclusionUrls;

    private static String FORM = "<HTML> <HEAD>  <TITLE> Access Token </TITLE> </HEAD> <BODY>  <FORM METHOD=\"POST\" ACTION=\"Service_URL\">  <TABLE> <TR>        <TD>Enter Access Code</TD>      <TD>            <INPUT TYPE=\"password\" NAME=\"accessToken\">      </TD>   </TR>   <TR>        <TD></TD>       <TD><INPUT TYPE=\"submit\" value=\"Submit\"></TD>   </TR>   </TABLE>  </FORM> </BODY></HTML>";

    public static final String ACCESS_TOKEN = "accessToken";
    private static final String EXCLUSION_URL = "exclusionURLs";

    /**
     * Default constructor.
     */
    public AuthenticationFilter() {
    }

    /**
     * @see Filter#destroy()
     */
    public void destroy() {
        this.filterConfig = null;
    }

    /**
     * @see Filter#doFilter(ServletRequest, ServletResponse, FilterChain)
     */
    public void doFilter(ServletRequest request, ServletResponse response,
                    FilterChain chain) throws IOException, ServletException {
        HttpServletRequest httpServletRequest = (HttpServletRequest) request;

        if (!isAccessCookiePresent(httpServletRequest)) {

            String accessCodeFromUSer = httpServletRequest.getParameter(ACCESS_TOKEN);

            if (accessCodeFromUSer != null && accessCodeFromUSer.equalsIgnoreCase(this.accessCode)) {
                /*
                 * Create cookie and set it in response
                 */
                Cookie cookie = new Cookie(ACCESS_TOKEN, ACCESS_TOKEN);
                // Max age of 12 hours
                cookie.setMaxAge(43200);
                ((HttpServletResponse) response).addCookie(cookie);
            } else {
                if (!urlForExclusion(httpServletRequest.getRequestURI(), exclusionUrls)) {

                    PrintWriter writer = response.getWriter();
                    String updatedForm = FORM.replaceAll("Service_URL", httpServletRequest
                                    .getRequestURI());
                    writer.print(updatedForm);
                    LOGGER.debug("Access token not found");
                    return;
                }
            }

        }
        LOGGER.debug("Access token found");
        // pass the request along the filter chain
        chain.doFilter(request, response);
    }

    private boolean urlForExclusion(String requestURL, String exclusionURLs) {
        boolean flag = false;
        if (exclusionURLs != null && exclusionURLs.contains(IdeaExchangeConstants.COMMA)) {
            String[] urls = exclusionURLs.split(IdeaExchangeConstants.COMMA);
            for (int i = 0; i < urls.length; i++) {
                if (requestURL.contains(urls[i])) {
                    flag = true;
                    LOGGER.debug("Allowing URL without access tocken due to exclusion policy");
                    break;
                }
            }
        }

        return flag;
    }

    /**
     * Checks if the access token cookie is present with a non empty value
     * 
     * @param request
     * @return true if a valid access token cookie is present in the request,
     *         else false
     */
    private boolean isAccessCookiePresent(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();
        if (cookies != null) {
            for (int i = 0; i < cookies.length; i++) {
                Cookie cookie = cookies[i];
                if (cookie != null && cookie.getName().equals(ACCESS_TOKEN)) {
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * @see Filter#init(FilterConfig)
     */
    public void init(FilterConfig fConfig) throws ServletException {
        this.filterConfig = fConfig;

        this.accessCode = filterConfig.getInitParameter(ACCESS_TOKEN);
        this.exclusionUrls = filterConfig.getInitParameter(EXCLUSION_URL);
    }

}

Summary ✨

This Java code implements an authentication filter for a web application. It checks if an access token cookie is present in incoming requests, and if not, displays a form to enter the token. If the entered token matches the expected value, it sets a cookie with the token’s value. The filter also allows certain URLs to bypass the authentication process based on exclusion URLs provided in the filter configuration.

Tech Fingerprint

Alerts (8)

'HttpServletRequest' Security Warning: Ensure input size from HttpServletRequest is limited (e.g., via server config like maxPostSize, framework limits like Spring's @Size, or filter/interceptor) to prevent Denial of Service through large requests.
32 72 127
Complexity hotspot; line 78 (total complexity: 3)
78
Complexity hotspot; line 106 (total complexity: 3)
106
Complexity hotspot; lines 129 to 130 (total complexity: 3)
129 130
Complexity hotspot; line 132 (total complexity: 3)
132