Source code: mill/a3/AuthSession.java
1 package mill.a3;
2
3 import java.sql.SQLException;
4 import java.sql.PreparedStatement;
5 import java.sql.ResultSet;
6
7 import javax.servlet.http.HttpSession;
8 import javax.servlet.http.HttpServletRequest;
9 import javax.servlet.http.HttpServletResponse;
10
11 import java.util.Enumeration;
12
13 import mill.tools.StringTools;
14 import mill.db.DBconnect;
15 import mill.main.Constants;
16 import mill.main.MainUserInfo;
17
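/**
 * Authenticated-user state stored in the HTTP session under {@code Constants.AUTH_SESSION}.
 *
 * <p>The instance keeps the login and the password presented at login time and re-validates
 * them against {@code auth_user} on every authorization call
 * ({@link #getLoginStatusSite(String)}, {@link #getRight(String, String, String, boolean)}).
 *
 * <p>Security notes:
 * <ul>
 *   <li>{@link #userPassword} is the cleartext password and lives as long as the session.
 *       Every query here binds it directly against {@code auth_user.user_password}, which
 *       only works if that column holds the same representation (cleartext, or whatever
 *       {@code StringTools.toDB} produces — not visible from this file). Verifying the
 *       password once at login against a salted hash (bcrypt/scrypt/argon2) and keeping only
 *       the login in the session would remove the need to retain the secret at all.</li>
 *   <li>Neither constructor verifies the password; the object must only be placed in the
 *       session after a successful credential check elsewhere.</li>
 *   <li>All SQL is parameterized; no caller-supplied value is concatenated into a statement.</li>
 *   <li>The public mutable fields are part of the existing interface and are kept as-is.</li>
 * </ul>
 */
public class AuthSession
{
    /** Login presented at authentication time. */
    public String userLogin = "";
    /** Cleartext password presented at authentication time (see class note). */
    public String userPassword = "";
    /** Per-user profile loaded by the credential constructor; {@code null} otherwise. */
    public MainUserInfo userInfo = null;

    /** Site check: user/password must match and the user must be root or be allowed to read
     *  a firm bound to the site whose virtual host name is the third parameter. */
    private static final String SITE_LOGIN_SQL =
        "select id_user "+
        "from auth_user a "+
        "where user_login=? and user_password=? and "+
        " exists "+
        " ( select null "+
        " from v$_read_list_firm z1, "+
        " v$_site_read_list_firm x1, "+
        " site_virtual_host v1 "+
        " where z1.user_login = a.user_login and "+
        " x1.id_site = v1.id_site and "+
        " z1.id_firm = x1.id_firm and "+
        " v1.name_virtual_host=? "+
        " union "+
        " select null from auth_user y1 "+
        " where y1.is_root=1 and "+
        " y1.user_login = a.user_login "+
        ")";

    /** Distinct right codes granted to the user (login) for a workstation/module pair. */
    private static final String MODULE_RIGHTS_SQL =
        "select distinct nvl(code_right, '') code_right "+
        "from auth_user a, auth_relate_accgroup b, v_relate_right_full c "+
        "where a.user_login = ? and "+
        " a.id_auth_user = b.id_auth_user and "+
        " b.id_access_group = c.id_access_group and "+
        " c.code_arm = ? and "+
        " c.code_object_arm = ? ";

    /**
     * Access-level flags of the module for the user. NOTE(review): this joins on
     * {@code a.id_user} whereas {@link #MODULE_RIGHTS_SQL} joins on {@code a.id_auth_user};
     * one of the two is presumably wrong. Left unchanged because the schema is not visible
     * here — confirm against the {@code auth_user} definition.
     */
    private static final String MODULE_LEVELS_SQL =
        "select max(c.is_road) is_road, "+
        " max(c.is_service) is_service, "+
        " max(c.is_firm) is_firm "+
        "from auth_user a, auth_relate_accgroup b, v_relate_right_full c "+
        "where a.user_login = ? and "+
        " a.id_user = b.id_auth_user and "+
        " b.id_access_group = c.id_access_group and "+
        " c.code_arm = ? and "+
        " c.code_object_arm = ? ";

    /** Bare instance for subclasses: no credentials, no database access. */
    protected AuthSession() {}

    /**
     * @return the user's login
     * @deprecated use {@link #getUserLogin()}
     */
    @Deprecated
    public String getUserName()
    {
        return userLogin;
    }

    /** @return the login presented at authentication time. */
    public String getUserLogin()
    {
        return userLogin;
    }

    /**
     * Creates a session object for the given credentials and loads the user's profile.
     * The password is stored but NOT verified here.
     *
     * @param l_ login
     * @param p_ cleartext password
     * @throws AuthException if the profile cannot be loaded
     */
    public AuthSession(String l_, String p_)
        throws AuthException
    {
        userLogin = l_;
        userPassword = p_;
        try
        {
            userInfo = new MainUserInfo( DBconnect.getInstance(), userLogin );
        }
        catch(Exception e)
        {
            throw new AuthException( e.toString() );
        }
    }

    /**
     * Resolves the {@code AuthInfo} of the session bound to the request.
     *
     * @return the info, or {@code null} when the request carries no AuthSession
     * @throws AuthException on database failure
     */
    public static AuthInfo getAuthInfo( HttpServletRequest request )
        throws AuthException
    {
        AuthSession authSession = AuthSession.getAuthSession(request);
        return (authSession == null) ? null : authSession.getAuthInfo();
    }

    /**
     * Re-resolves this user's {@code AuthInfo} from the stored login and password.
     *
     * @throws AuthException on database failure
     */
    public AuthInfo getAuthInfo()
        throws AuthException
    {
        try
        {
            return AuthInfo.getInstance(
                DBconnect.getInstance(false), userLogin, userPassword);
        }
        catch(Exception e)
        {
            throw new AuthException( e.toString() );
        }
    }

    /**
     * Guards a page: returns the current AuthSession if it is valid for this site, otherwise
     * redirects to {@code Constants.JSP_LOGIN_CHECK_PAGE} and returns {@code null}.
     *
     * <p>For GET requests the originally requested URI and query string are appended as
     * {@code tourl} so the login page can send the user back. The value is built from the
     * server-side request URI, not from a client-supplied target, so it cannot point at a
     * foreign host; the login page should still treat it as a relative path.
     *
     * @throws AuthException if the redirect or the site check fails
     */
    public static AuthSession check(HttpServletRequest request, HttpServletResponse response)
        throws AuthException
    {
        String redir = Constants.JSP_LOGIN_CHECK_PAGE;

        if ("GET".equals(request.getMethod().toUpperCase()))
        {
            StringBuilder query = new StringBuilder();
            Enumeration names = request.getParameterNames();
            boolean first = true;
            while (names.hasMoreElements())
            {
                String name = (String) names.nextElement();
                String[] values = request.getParameterValues( name );
                for (int i = 0; i < values.length; i++)
                {
                    String sep = first ? "" : "&";
                    first = false;
                    // rewriteURL is applied to each "name=value" pair, as in the original
                    query.append( StringTools.rewriteURL( sep + name + "=" + values[i] ) );
                }
            }
            redir += "?tourl=" +
                StringTools.rewriteURL(request.getRequestURI() + "?" + query);
        }
        return check(request, response, redir);
    }

    /**
     * Guards a page with an explicit fallback URL.
     *
     * @param defURL where to redirect when no valid session exists for this site
     * @return the AuthSession, or {@code null} after redirecting
     * @throws AuthException if the redirect or the site check fails
     */
    public static AuthSession check(HttpServletRequest request, HttpServletResponse response, String defURL)
        throws AuthException
    {
        AuthSession authSession = getAuthSession(request);
        // NOTE: getServerName() is presumably derived from the client's Host header unless the
        // container canonicalizes it; it selects which site's ACL applies but is only ever
        // bound as a query parameter.
        boolean authorized =
            authSession != null && authSession.getLoginStatusSite( request.getServerName() );
        if (authorized)
            return authSession;

        try
        {
            response.sendRedirect( defURL );
        }
        catch(Exception e)
        {
            throw new AuthException( e.toString() );
        }
        return null;
    }

    /**
     * Looks up the AuthSession stored in the request's session.
     *
     * <p>Uses {@code getSession(false)}: a request without a session cannot contain an
     * AuthSession, and an unauthenticated caller should not be able to make the server
     * allocate session state just by hitting a guarded page.
     *
     * @return the stored AuthSession, or {@code null} if there is no session or no attribute
     */
    public static AuthSession getAuthSession(HttpServletRequest request)
    {
        HttpSession session = request.getSession(false);
        if (session == null)
            return null;
        return (AuthSession) session.getAttribute( Constants.AUTH_SESSION );
    }

    /**
     * Checks that the stored login/password still match and that the user may use the site
     * served under {@code serverName} (or is root).
     *
     * @param serverName virtual host name of the site
     * @return {@code true} if the query returns at least one row
     * @throws AuthException on database failure
     */
    public boolean getLoginStatusSite(String serverName)
        throws AuthException
    {
        PreparedStatement ps = null;
        ResultSet rs = null;
        try
        {
            DBconnect db_ = DBconnect.getInstance( false );
            ps = db_.conn.prepareStatement( SITE_LOGIN_SQL );
            ps.setString(1, StringTools.toDB( userLogin ) );
            ps.setString(2, StringTools.toDB( userPassword ) );
            ps.setString(3, StringTools.toDB( serverName ) );

            rs = ps.executeQuery();
            return rs.next();
        }
        catch (Exception e1)
        {
            throw new AuthException( e1.toString() );
        }
        finally
        {
            closeQuietly(rs, ps);
        }
    }

    /**
     * Shorthand for {@link #getRight(String, String, String, boolean)} without the
     * access-level check.
     */
    public boolean getRight(String arm_, String m_, String r_)
        throws AuthException
    {
        return getRight(arm_, m_, r_, false);
    }

    /**
     * Reports whether this user holds the requested rights on one module of a workstation
     * ("ARM").
     *
     * @param arm_ code of the workstation (ARM) being checked
     * @param m_   code of the module within that workstation
     * @param r_   requested rights, one upper-case letter each, all of which must be granted:
     *             {@code S} read, {@code U} update, {@code I} insert, {@code D} delete,
     *             {@code A} administer the module. Each character is looked up independently
     *             in the concatenation of the user's granted codes, so the check is only exact
     *             while codes are single characters.
     * @param l_   when {@code true}, additionally enforce the access-level restriction
     *             (road / service / enterprise): every level flagged on the module must also
     *             be set on the user. Intended to bound rights "from below".
     * @return {@code true} if every requested right is granted (root users: always);
     *         {@code false} if a right is missing, the module grants the user nothing, or the
     *         credentials no longer resolve to an {@code AuthInfo}
     * @throws AuthException on any database error
     */
    public boolean getRight(String arm_, String m_, String r_, boolean l_)
        throws AuthException
    {
        PreparedStatement ps = null;
        ResultSet rset = null;
        try
        {
            DBconnect db_ = DBconnect.getInstance( false );
            AuthInfo authInfo = AuthInfo.getInstance(db_, userLogin, userPassword);
            if (authInfo == null)
                return false;           // credentials no longer valid
            if (authInfo.isRoot == 1)
                return true;            // root bypasses module rights entirely

            // Collect the distinct right codes granted for this module. A single query
            // replaces the former count(*)-then-select pair: no rows here means the count
            // would have been zero.
            ps = db_.conn.prepareStatement( MODULE_RIGHTS_SQL );
            ps.setString(1, StringTools.toDB( userLogin ) );
            ps.setString(2, StringTools.toDB( arm_ ) );
            ps.setString(3, StringTools.toDB( m_ ) );
            rset = ps.executeQuery();

            StringBuilder granted = new StringBuilder();
            boolean anyRow = false;
            while ( rset.next() )
            {
                anyRow = true;
                String code = rset.getString("CODE_RIGHT");
                // A NULL code must not contribute the literal text "null" to the match set.
                if (code != null)
                    granted.append(code);
            }
            closeQuietly(rset, ps);
            rset = null;
            ps = null;

            if (!anyRow)
                return false;

            String right_ = granted.toString();
            for (int i = 0; i < r_.length(); i++)
            {
                if (right_.indexOf( r_.substring(i, i + 1) ) == -1)
                    return false;
            }
            if (!l_)
                return true;

            // Access-level restriction: a level flagged on the module must be set on the user.
            ps = db_.conn.prepareStatement( MODULE_LEVELS_SQL );
            ps.setString(1, StringTools.toDB( userLogin ) );
            ps.setString(2, StringTools.toDB( arm_ ) );
            ps.setString(3, StringTools.toDB( m_ ) );
            rset = ps.executeQuery();
            if ( !rset.next() )
                return false;

            int moduleService = rset.getInt("IS_SERVICE");
            int moduleRoad    = rset.getInt("IS_ROAD");
            int moduleFirm    = rset.getInt("IS_FIRM");
            closeQuietly(rset, ps);
            rset = null;
            ps = null;

            if (moduleRoad == 1 && moduleRoad != authInfo.isRoad)
                return false;
            if (moduleService == 1 && moduleService != authInfo.isService)
                return false;
            if (moduleFirm == 1 && moduleFirm != authInfo.isUseCurrentFirm)
                return false;
            return true;
        }
        catch (Exception e)
        {
            throw new AuthException( e.toString() );
        }
        finally
        {
            closeQuietly(rset, ps);
        }
    }

    /** Closes a result set and a statement, ignoring close errors (for finally blocks). */
    private static void closeQuietly(ResultSet rs, PreparedStatement ps)
    {
        if (rs != null)
        {
            try { rs.close(); } catch (Exception ignored) { /* best-effort cleanup */ }
        }
        if (ps != null)
        {
            try { ps.close(); } catch (Exception ignored) { /* best-effort cleanup */ }
        }
    }
}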
481 }