How does it work?

How does it work?

The net.sf.jguard.filters.AccessFilter class is the main integration between the web application and jGuard. Access control is done through the AccessFilter. The AccessFilter is a servlet filter (javax.servlet.Filter) and has the follow duties:

• Configure the access control of web application;
• Authenticate the users;
• Deny unauthorized access to a URL;
• Logoff the user (The user needs to login again);

The resources protected by jGuard are set in the filter configuration. This is done by setting the url-pattern attribute on filter-mapping tag. You can make jGuard protect the entire application or components (like struts action).

When the web application is loaded, the AccessFilter verifies if the jGuardPolicy is the current security policy. If jGuard is not the current security policy then the AccessFilter sets the jGuardPolicy as current security policy. jGuard will not make all security decisions, it will secure just the web applications that are configured to use jGuard, other security decisions are made by the last security policy.

When the AccessFilter is loaded it reads all configurations in the web.xml and register the PermissionProvider to the current ClassLoader. The picture shows the executed flow of AccessFilter when a user tries to access a protected URL as explained below:

1. The user tries to access a protected URL. If the AccessFilter intercepts the request and verifies that the URL is a special URL, that it is not controlled (logonURI, authenticationFailedURI, accessDeniedURI), then go to the setp 2, else go to step 3;
2. The request continues and user goes to the desired URL;
3. The AccessFilter verifies if the user is authenticated. If the user is not authenticated then go to the step 4, otherwise go to step 8;
4. The filter verifies if there the request contains the login and password data. If not, the jGuard uses GUEST/GUEST to authenticate as a guest. Now go to step 5;
5. The filter tries to authenticate the user by the application's LoginModule(s). If authentication is sucessful go to step 6, else go to step 7;
6. The authenticated Subject is stored in the session and the user redirected to indexURI page;
7. The user is redirected to authenticationFailedURI because the authentication failed;
8. The filter checks if the URL is logoffURI, meaning that the user wants to logoff. If so go to step 9, else go to step 10;
9. The Subject is removed from the session and the session is invalidated. The user is redirected to the logoffURI;
10. jGuard checks if the user has permission to access the URL, meaning, the user has one permission that implies the current permission associated to one user's principals. If the user has access, go to step 11, else, go to step 12;
11. The user is redirected to the desired page;
12. The user is redirected to the accessDeniedURI because has not access to the URL;

Like the picture shows, all access control work is done by the filter. The main advantage is that user has the flexibility to enable or disable the access control by mapping the filter or not mapping it.