Source Code of org.apache.myfaces.extensions.cdi.jsf.impl.util.SecurityUtils

/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *   http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied.  See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */
package org.apache.myfaces.extensions.cdi.jsf.impl.util;

import org.apache.myfaces.extensions.cdi.core.api.config.view.DefaultErrorView;
import org.apache.myfaces.extensions.cdi.core.api.security.AccessDeniedException;
import org.apache.myfaces.extensions.cdi.core.api.security.SecurityViolation;
import org.apache.myfaces.extensions.cdi.core.api.config.view.ViewConfig;
import org.apache.myfaces.extensions.cdi.core.api.tools.DefaultAnnotation;
import static org.apache.myfaces.extensions.cdi.core.impl.util.CodiUtils.getContextualReferenceByClass;

import org.apache.myfaces.extensions.cdi.jsf.api.config.view.ViewConfigDescriptor;
import org.apache.myfaces.extensions.cdi.message.api.MessageContext;
import org.apache.myfaces.extensions.cdi.message.api.payload.MessageSeverity;
import org.apache.myfaces.extensions.cdi.jsf.api.Jsf;
import org.apache.myfaces.extensions.cdi.jsf.impl.config.view.ViewConfigCache;

import javax.faces.context.FacesContext;
import javax.enterprise.inject.Typed;
import java.util.Set;

/**
 * @author Gerhard Petracek
 */
@Typed()
public abstract class SecurityUtils
{
    private static final Jsf JSF_QUALIFIER = DefaultAnnotation.of(Jsf.class);

    /**
     * Constructor which prevents the instantiation of this class
     */
    private SecurityUtils()
    {
        // prevent instantiation
    }

    /**
     * Processes a security violation without triggering the navigation to the error page
     * @param runtimeException current exception
     * @return error view which can be used e.g. for manual navigation
     */
    public static Class<? extends ViewConfig> handleSecurityViolationWithoutNavigation(
            RuntimeException runtimeException)
    {
        return tryToHandleSecurityViolation(runtimeException, false);
    }

    /**
     * Processes a security violation including the navigation to the error page
     * @param runtimeException current exception
     */
    public static void tryToHandleSecurityViolation(RuntimeException runtimeException)
    {
        tryToHandleSecurityViolation(runtimeException, true);
    }

    private static Class<? extends ViewConfig> tryToHandleSecurityViolation(RuntimeException runtimeException,
                                                                            boolean allowNavigation)
    {
        AccessDeniedException exception = extractException(runtimeException);

        if(exception == null)
        {
            throw runtimeException;
        }

        Class<? extends ViewConfig> errorView = null;

        Class<? extends ViewConfig> inlineErrorView = exception.getErrorView();

        if(inlineErrorView != null && !DefaultErrorView.class.getName().equals(inlineErrorView.getName()))
        {
            errorView = inlineErrorView;
        }

        if(errorView == null)
        {
            ViewConfigDescriptor errorPageEntry = ViewConfigCache.getDefaultErrorView();

            if(errorPageEntry != null)
            {
                errorView = errorPageEntry.getViewConfig();
            }
        }

        if(errorView == null)
        {
            throw exception;
        }

        processApplicationSecurityException(exception, errorView, allowNavigation);
        return errorView;
    }

    private static AccessDeniedException extractException(Throwable exception)
    {
        if(exception == null)
        {
            return null;
        }

        if(exception instanceof AccessDeniedException)
        {
            return (AccessDeniedException)exception;
        }

        return extractException(exception.getCause());
    }

    private static void processApplicationSecurityException(AccessDeniedException exception,
                                                            Class<? extends ViewConfig> errorPage,
                                                            boolean allowNavigation)
    {
        FacesContext facesContext = FacesContext.getCurrentInstance();

        addViolationsAsMessage(exception.getViolations());

        if(allowNavigation)
        {
            facesContext.getApplication().getNavigationHandler()
                    .handleNavigation(facesContext, null, errorPage.getName());
        }
    }

    private static void addViolationsAsMessage(Set<SecurityViolation> violations)
    {
        MessageContext messageContext = getContextualReferenceByClass(
                MessageContext.class, true, JSF_QUALIFIER);

        if(messageContext == null)
        {
            return;
        }

        for(SecurityViolation violation : violations)
        {
            messageContext.message().text(violation.getReason()).payload(MessageSeverity.ERROR).add();
        }
    }
}