Saturday 6 June 2015

snFilterWrapper for Selective Filtering

snFilterWrapper
(v24.0 dtd. 06-Jun-2015)

Some time back, one of my colleagues and I had been posed a use case wherein a single application might need to have web-pages that are accessed by different sections of users.  While not much time could be devoted to it earlier, it couldn't be left to the wild either.  Developing it further, one could even think of the scenario of a single application being accessed on the intranet and the internet simultaneously.  As to the question why that application should be a single one at all, the answer is that the code, the functionality and the database are common to the intranet users and the internet users.  There might, however, be some web-pages which are not to be accessed by a few identified groups.

Let us take the example of a web-application like a Complaint / Feedback system, which has an engine that primarily serves

  • The internet users, who might not need to login at all (with any user id or password) into the system.
  • Another section of users, from the department designated to handle the complaint/feedback and authorized to reply to it, who could be intranet users of the organization.
  • Yet another group of users could be Call Centre users who accept and record the feedback and have separate authentication credentials.
  • Another group are the secondary users of the extranet (say the organization's business partners), who could also be required to access and handle the feedbacks.
  • There could still be another group of application users who interact not through any GUI, but directly through servlets from other applications, in encrypted or non-encrypted mode. (See the snInduceParamsScreenApprover filter for encrypted application-level communication.)

I therefore sat down over the last few days to develop this feature as a FilterWrapper wherein more than one standard filter can be wrapped, while at the same time providing exclusion and inclusion options. The specification of the implementation is given below for any earnest implementer.

A simple sample is the CAS implementation given below.  In the former part, the traditional methodology is given and in the latter part, the modified methodology is shown.


Traditional Methodology for JASIG-CAS example:-


  <filter>
      <filter-name>CAS Authentication Filter</filter-name>
      <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
      <init-param>
          <param-name>casServerLoginUrl</param-name>
          <param-value>https://spandan.indianoil.co.in/JaanasiMaamVaa/login</param-value>
      </init-param>
      <init-param>
          <param-name>serverName</param-name>
          <param-value>http://localhost:8084</param-value>
      </init-param>
  </filter>
  <filter>
      <filter-name>CAS Validation Filter</filter-name>
      <filter-class>org.jasig.cas.client.validation.Cas10TicketValidationFilter</filter-class>
      <init-param>
          <param-name>casServerUrlPrefix</param-name>
          <param-value>https://spandan.indianoil.co.in/JaanasiMaamVaa/</param-value>
      </init-param>
      <init-param>
          <param-name>serverName</param-name>
          <param-value>http://localhost:8084</param-value>
      </init-param>
      <init-param>
          <param-name>redirectAfterValidation</param-name>
          <param-value>true</param-value>
      </init-param>
  </filter>
  <filter>
      <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
      <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
  </filter>
  <filter-mapping>
      <filter-name>CAS Authentication Filter</filter-name>
      <url-pattern>/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
      <filter-name>CAS Validation Filter</filter-name>
      <url-pattern>/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
      <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
      <url-pattern>/*</url-pattern>
  </filter-mapping>



Modified Methodology for the same JASIG-CAS given above with Exclusion & Inclusion Options example:-



  <filter>
      <filter-name>CAS Authentication Combined-Filter</filter-name>
      <filter-class>org.sun.raibmanus.filters.snFilterWrapper</filter-class>
      <init-param>
          <param-name>ENABLED</param-name>
          <param-value>1</param-value>
      </init-param>
      <init-param>
          <param-name>FilterClassName-1</param-name>
          <param-value>org.jasig.cas.client.authentication.AuthenticationFilter</param-value>
      </init-param>
      <init-param>
          <param-name>FilterClassName-2</param-name>
          <param-value>org.jasig.cas.client.validation.Cas10TicketValidationFilter</param-value>
      </init-param>
      <init-param>
          <param-name>FilterClassName-3</param-name>
          <param-value>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</param-value>
      </init-param>
      <init-param>
          <param-name>casServerLoginUrl</param-name>
          <param-value>https://spandan.indianoil.co.in/JaanasiMaamVaa/login</param-value>
      </init-param>
      <init-param>
          <param-name>casServerUrlPrefix</param-name>
          <param-value>https://spandan.indianoil.co.in/JaanasiMaamVaa/</param-value>
      </init-param>
      <init-param>
          <param-name>serverName</param-name>
          <param-value>http://localhost:8084</param-value>
      </init-param>
      <init-param>
          <param-name>exclude_url-2</param-name>
          <param-value>/folder/index_[3-5].jsp</param-value>
      </init-param>
      <init-param>
          <param-name>exclude_url-ABC</param-name>
          <param-value>index.jsp</param-value>
      </init-param>
      <init-param>
          <param-name>exclude_url-1</param-name>
          <param-value>index_2.jsp</param-value>
      </init-param>
      <init-param>
          <param-name>exclude_url-4</param-name>
          <param-value>([\w||\-||/])+\.([gG][iI][fF]|[pP][dD][fF]|[pP][nN][gG]|[jJ][pP][gG]|[jJ][pP][eE][gG]|[bB][mM][pP]|[jJ][sS]|[cC][sS][sS]|[sS][wW][fF]|[iI][cC][oO])</param-value>
      </init-param>
      <init-param>
          <param-name>include_url-2</param-name>
          <param-value>/folder/index_4.jsp</param-value>
      </init-param>
  </filter>
  <filter-mapping>
      <filter-name>CAS Authentication Combined-Filter</filter-name>
      <url-pattern>/*</url-pattern>
  </filter-mapping>


As can be seen above, the standard filters are passed as parameters to snFilterWrapper, which consumes them.  The order of the chain is governed by the param-name, which must begin with the characters 'FilterClassName'.  By convention the names could be
  • FilterClassName00, FilterClassName01, FilterClassName02 etc.
or
  • FilterClassName_1, FilterClassName_2, FilterClassName_3 etc.
or even
  • FilterClassName_A, FilterClassName_B, FilterClassName_C etc.

Note, however, that the name is case-insensitive, so that 'FilterClassName_A' and 'filterclassName_a' are identified as the same.

The regular expressions under the param-names exclude_url and include_url (with appropriate suffixes, as in exclude_url-2 above) govern the permeability of the filter.  They are optional and are needed only if the use-case mentioned at the beginning has to be implemented.

A new parameter called 'Enabled' has been introduced with version 25.2 (dtd. 28.09.2015).  This comes in handy especially along with JASIG-CAS, where the CAS filter can be disabled easily while in developer mode.  A value of 0 or FALSE indicates that the filter should be switched off; 1 or TRUE indicates that the filter should be switched on.  The default mode is ON.

Ideally, the above could be combined with snInduceParamsScreenApprover to improve the robustness of the application in terms of application security.
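As an added illustration (written for this page, not the author's snFilterWrapper code), a minimal wrapper filter in Java that reads the parameters described above: it orders the wrapped filters by param-name, shares its FilterConfig with them so the CAS parameters still reach them, honours the Enabled flag, and bypasses the wrapped chain for excluded paths. It assumes that an include pattern takes precedence over an exclude pattern and that patterns are matched as substrings of the servlet path; the post states neither.

```java
import java.io.IOException;
import java.util.*;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;

// Illustrative reimplementation of the wrapper idea described above; not the author's snFilterWrapper.
public class CombinedFilterExample implements Filter {
    private final List<Filter> wrapped = new ArrayList<>();
    private final List<Pattern> excludes = new ArrayList<>(), includes = new ArrayList<>();
    private boolean enabled = true;

    @Override public void init(FilterConfig cfg) throws ServletException {
        // FilterClassName* params (prefix matched case-insensitively), sorted by name, fix the chain order.
        SortedMap<String, String> classes = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        for (Enumeration<String> e = cfg.getInitParameterNames(); e.hasMoreElements();) {
            String name = e.nextElement(), lower = name.toLowerCase(Locale.ROOT);
            String value = cfg.getInitParameter(name).trim();
            if (lower.startsWith("filterclassname")) classes.put(name, value);
            else if (lower.startsWith("exclude_url")) excludes.add(Pattern.compile(value));
            else if (lower.startsWith("include_url")) includes.add(Pattern.compile(value));
            else if (lower.equals("enabled")) enabled = !(value.equals("0") || value.equalsIgnoreCase("false"));
        }
        for (String cls : classes.values()) {
            try {
                Filter f = (Filter) Class.forName(cls).getDeclaredConstructor().newInstance();
                f.init(cfg); // wrapped filters read their own params (casServerLoginUrl etc.) from the shared config
                wrapped.add(f);
            } catch (ReflectiveOperationException ex) { throw new ServletException("cannot load " + cls, ex); }
        }
    }

    // Assumption: an include pattern re-admits a path that an exclude pattern would otherwise skip.
    boolean applies(String path) {
        if (!enabled) return false;
        for (Pattern p : includes) if (p.matcher(path).find()) return true;
        for (Pattern p : excludes) if (p.matcher(path).find()) return false;
        return true;
    }

    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain outer) throws IOException, ServletException {
        String path = ((HttpServletRequest) req).getServletPath();
        if (!applies(path)) { outer.doFilter(req, res); return; } // bypass the wrapped filters, never drop the request
        Iterator<Filter> it = wrapped.iterator(); // per request: each wrapped filter hands on to the next one
        FilterChain inner = new FilterChain() {
            @Override public void doFilter(ServletRequest r, ServletResponse s) throws IOException, ServletException {
                if (it.hasNext()) it.next().doFilter(r, s, this); else outer.doFilter(r, s);
            }
        };
        inner.doFilter(req, res);
    }

    @Override public void destroy() { for (Filter f : wrapped) f.destroy(); }
}
```

Because the matching here is unanchored, an exclusion such as index.jsp also bypasses authentication for /admin/index.jsp; anchor exclusion patterns with ^ and $ and test them against the decoded path the container actually dispatches.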

