001/*
002 * Licensed to the Apache Software Foundation (ASF) under one or more
003 * contributor license agreements.  See the NOTICE file distributed with
004 * this work for additional information regarding copyright ownership.
005 * The ASF licenses this file to You under the Apache License, Version 2.0
006 * (the "License"); you may not use this file except in compliance with
007 * the License.  You may obtain a copy of the License at
008 *
009 *      http://www.apache.org/licenses/LICENSE-2.0
010 *
011 * Unless required by applicable law or agreed to in writing, software
012 * distributed under the License is distributed on an "AS IS" BASIS,
013 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
014 * See the License for the specific language governing permissions and
015 * limitations under the License.
016 */
017package org.apache.wicket.authorization.strategies.page;
018
019import java.lang.ref.WeakReference;
020
021import org.apache.wicket.Application;
022import org.apache.wicket.Component;
023import org.apache.wicket.Page;
024import org.apache.wicket.RestartResponseAtInterceptPageException;
025import org.apache.wicket.authorization.IUnauthorizedComponentInstantiationListener;
026import org.apache.wicket.authorization.UnauthorizedInstantiationException;
027
028/**
029 * A very simple authorization strategy that takes a supertype (a base class or tagging interface)
030 * and performs a simple authorization check by calling the abstract method isAuthorized() whenever
031 * a Page class that extends or implements the supertype is about to be instantiated. If that method
032 * returns true, page instantiation proceeds normally. If it returns false, the user is
033 * automatically directed to the specified sign-in page for authentication, which will presumably
034 * allow authorization to succeed once they have signed in.
035 * <p>
036 * In your Application.init() method do something like the following:
037 * 
038 * <pre>
039 * SimplePageAuthorizationStrategy authorizationStrategy = new SimplePageAuthorizationStrategy(
040 *      MySecureWebPage.class, MySignInPage.class)
041 * {
042 *      protected boolean isAuthorized()
043 *      {
044 *              // Authorize access based on user authentication in the session
045 *              return (((MySession)Session.get()).isSignedIn());
046 *      }
047 * };
048 * 
049 * getSecuritySettings().setAuthorizationStrategy(authorizationStrategy);
050 * </pre>
051 * 
052 * @author Eelco Hillenius
053 * @author Jonathan Locke
054 */
055public abstract class SimplePageAuthorizationStrategy extends AbstractPageAuthorizationStrategy
056{
057        /**
058         * The super type (class or interface) of Pages that require authorization to be instantiated.
059         */
060        private final WeakReference<Class<?>> securePageSuperTypeRef;
061
062        /**
063         * Construct.
064         * 
065         * @param <S>
066         * 
067         * @param securePageSuperType
068         *            The class or interface supertype that indicates that a given Page requires
069         *            authorization
070         * @param signInPageClass
071         *            The sign in page class
072         */
073        public <S extends Page> SimplePageAuthorizationStrategy(final Class<?> securePageSuperType,
074                final Class<S> signInPageClass)
075        {
076                if (securePageSuperType == null)
077                {
078                        throw new IllegalArgumentException("Secure page super type must not be null");
079                }
080
081                securePageSuperTypeRef = new WeakReference<Class<?>>(securePageSuperType);
082
083                // Handle unauthorized access to pages
084                Application.get().getSecuritySettings().setUnauthorizedComponentInstantiationListener(
085                        new IUnauthorizedComponentInstantiationListener()
086                        {
087                                @Override
088                                public void onUnauthorizedInstantiation(final Component component)
089                                {
090                                        // If there is a sign in page class declared, and the
091                                        // unauthorized component is a page, but it's not the
092                                        // sign in page
093                                        if (component instanceof Page)
094                                        {
095                                                // Redirect to page to let the user sign in
096                                                throw new RestartResponseAtInterceptPageException(signInPageClass);
097                                        }
098                                        else
099                                        {
100                                                // The component was not a page, so throw exception
101                                                throw new UnauthorizedInstantiationException(component.getClass());
102                                        }
103                                }
104                        });
105        }
106
107        /**
108         * @see org.apache.wicket.authorization.strategies.page.AbstractPageAuthorizationStrategy#isPageAuthorized(java.lang.Class)
109         */
110        @Override
111        protected <T extends Page> boolean isPageAuthorized(final Class<T> pageClass)
112        {
113                if (instanceOf(pageClass, securePageSuperTypeRef.get()))
114                {
115                        return isAuthorized();
116                }
117
118                // Allow construction by default
119                return true;
120        }
121
122        /**
123         * Gets whether the current user/session is authorized to instantiate a page class which extends
124         * or implements the supertype (base class or tagging interface) passed to the constructor.
125         * 
126         * @return True if the instantiation should be allowed to proceed. False, if the user should be
127         *         directed to the application's sign-in page.
128         */
129        protected abstract boolean isAuthorized();
130}