package security.filter;

import java.io.IOException;
import java.lang.reflect.Method;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.context.SecurityContext;
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.context.SecurityContextImpl;
import org.springframework.util.Assert;
import org.springframework.util.ReflectionUtils;

import security.SecUser;

public class HttpSessionContextIntegrationFilter implements Filter {
	private static final Logger logger=LoggerFactory.getLogger(HttpSessionContextIntegrationFilter.class);
	private boolean forceEagerSessionCreation = false;
	private boolean cloneFromHttpSession = false;
	public static final String SPRING_SECURITY_CONTEXT_KEY = "SPRING_SECURITY_CONTEXT";
	private Class contextClass = SecurityContextImpl.class;

	@Override
	public void destroy() {
		// TODO Auto-generated method stub

	}

	private static final String FILTER_APPLIED = "_security_userContextFilter_filterApplied";

	private boolean observeOncePerRequest = true;

	@Override
	public void doFilter(ServletRequest req, ServletResponse res,
			FilterChain chain) throws IOException, ServletException {
		HttpServletRequest request = (HttpServletRequest) req;
		HttpSession httpSession = safeGetSession(request,
				forceEagerSessionCreation);
		SecurityContext contextBeforeChainExecution = readSecurityContextFromSession(httpSession);

		httpSession = null;

		if (contextBeforeChainExecution == null) {
			contextBeforeChainExecution = generateNewContext();

			if (logger.isDebugEnabled()) {
				logger.debug("New SecurityContext instance will be associated with SecurityContextHolder");
			}
		} else {
			if (logger.isDebugEnabled()) {
				logger.debug("Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT to "
						+ "associate with SecurityContextHolder: '"
						+ contextBeforeChainExecution + "'");
			}
		}

		try {
			// This is the only place in this class where
			// SecurityContextHolder.setContext() is called
			SecurityContextHolder.setContext(contextBeforeChainExecution);
			if ((request != null)
					&& (request.getAttribute(FILTER_APPLIED) == null)
					&& observeOncePerRequest) {
				if (request != null) {
					request.setAttribute(FILTER_APPLIED, Boolean.TRUE);
				}
				Object principal = security.SecurityAppUserHolder.getCurrentUser();
				if (principal instanceof SecUser) {
					// 把用户放入request
					request.setAttribute("_currentUser", principal);
				}
			}

			chain.doFilter(request, res);
		} finally {
			// Crucial removal of SecurityContextHolder contents - do this
			// before anything else.
			SecurityContextHolder.clearContext();
		}

	}

	public SecurityContext generateNewContext() throws ServletException {
		try {
			return (SecurityContext) this.contextClass.newInstance();
		} catch (InstantiationException ie) {
			throw new ServletException(ie);
		} catch (IllegalAccessException iae) {
			throw new ServletException(iae);
		}
	}

	private SecurityContext readSecurityContextFromSession(
			HttpSession httpSession) {
		if (httpSession == null) {
			if (logger.isDebugEnabled()) {
				logger.debug("No HttpSession currently exists");
			}

			return null;
		}

		// Session exists, so try to obtain a context from it.

		Object contextFromSessionObject = httpSession
				.getAttribute(SPRING_SECURITY_CONTEXT_KEY);

		if (contextFromSessionObject == null) {
			if (logger.isDebugEnabled()) {
				logger.debug("HttpSession returned null object for SPRING_SECURITY_CONTEXT");
			}

			return null;
		}

		// We now have the security context object from the session.

		// Clone if required (see SEC-356)
		if (cloneFromHttpSession) {
			Assert.isInstanceOf(Cloneable.class, contextFromSessionObject,
					"Context must implement Clonable and provide a Object.clone() method");
			try {
				Method m = contextFromSessionObject.getClass().getMethod(
						"clone", new Class[] {});
				if (!m.isAccessible()) {
					m.setAccessible(true);
				}
				contextFromSessionObject = m.invoke(contextFromSessionObject,
						new Object[] {});
			} catch (Exception ex) {
				ReflectionUtils.handleReflectionException(ex);
			}
		}

		if (!(contextFromSessionObject instanceof SecurityContext)) {
			logger.warn("SPRING_SECURITY_CONTEXT did not contain a SecurityContext but contained: '"
					+ contextFromSessionObject
					+ "'; are you improperly modifying the HttpSession directly "
					+ "(you should always use SecurityContextHolder) or using the HttpSession attribute "
					+ "reserved for this class?");

			return null;
		}

		// Everything OK. The only non-null return from this method.

		return (SecurityContext) contextFromSessionObject;
	}

	private HttpSession safeGetSession(HttpServletRequest request,
			boolean allowCreate) {
		try {
			return request.getSession(allowCreate);
		} catch (IllegalStateException ignored) {
			return null;
		}
	}

	@Override
	public void init(FilterConfig arg0) throws ServletException {
		// TODO Auto-generated method stub

	}

}