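@Provider
@Authorization
public class AuthorizationFilter extends SpringApplication
        implements ContainerRequestFilter, ContainerResponseFilter {

    /** Injected by the JAX-RS runtime; exposes the resource method matched for the request. */
    @Context
    private ResourceInfo resourceInfo;

    /**
     * Authenticates and authorizes an incoming request before it reaches the resource method.
     * <p>
     * Order of checks: a method annotated with {@code @PubliclyAllowed} passes immediately;
     * otherwise both the session-id and username headers must be present, the session must be
     * found and not expired, the username header must match the session user's uid, and the
     * user's role must pass {@link #isResourcePermitted(String)}. A failed authentication check
     * aborts with 401; a failed authorization check (valid session, insufficient role) aborts
     * with 403.
     * <p>
     * Header names come from {@code Constants} for both the presence check and the value read,
     * so the guard actually protects the reads that follow it.
     *
     * @param requestContext the request being filtered; aborted in place on any failure
     */
    @Override
    public void filter(ContainerRequestContext requestContext) {
        // Publicly reachable endpoints skip every check below.
        if (isResourcePubliclyAllowed()) {
            return;
        }

        var headers = requestContext.getHeaders();
        if (!headers.containsKey(Constants.cookieSessionKey)
                || !headers.containsKey(Constants.cookieUsernameKey)) {
            abort(requestContext, Response.Status.UNAUTHORIZED,
                    "You can't access the resource without login");
            return;
        }

        // Read with the same keys the presence check used, so neither value is null-by-mismatch.
        String requestSessionId = headers.getFirst(Constants.cookieSessionKey);
        String username = headers.getFirst(Constants.cookieUsernameKey);

        EntityDAO<SessionDO> sessionDAO = getBean(SessionDAOImpl.class);
        Optional<SessionDO> session = sessionDAO.get(requestSessionId);
        // Unknown session ids and expired sessions are reported identically to the client.
        if (session.isEmpty() || session.get().getExpiryTimestamp() < System.currentTimeMillis()) {
            abort(requestContext, Response.Status.UNAUTHORIZED,
                    "The login session has expired, please login again to access the resource");
            return;
        }

        SessionDO activeSession = session.get();
        // The presented username must belong to the session; a null header must not NPE here.
        if (username == null || !username.equals(activeSession.getUser().getUid())) {
            abort(requestContext, Response.Status.UNAUTHORIZED,
                    "Activity is suspicious, action will be reported to system admin");
            return;
        }

        // Authenticated at this point: a role mismatch is an authorization failure, hence 403.
        String role = activeSession.getUser().getRole();
        if (!isResourcePermitted(role)) {
            abort(requestContext, Response.Status.FORBIDDEN,
                    "User is authenticated successfully, but doesn't have legitimate rights over the resource");
        }
    }

    /**
     * Response-side hook required by {@link ContainerResponseFilter}; intentionally a no-op,
     * all decisions are made on the request side.
     *
     * @param requestContext  the request that was processed
     * @param responseContext the response about to be sent
     */
    @Override
    public void filter(ContainerRequestContext requestContext,
                       ContainerResponseContext responseContext) {
    }

    /**
     * Aborts the request with the given status and a plain-text message entity.
     *
     * @param requestContext the request to abort
     * @param status         HTTP status to send
     * @param message        response body explaining the refusal (no secrets are included)
     */
    private static void abort(ContainerRequestContext requestContext,
                              Response.Status status, String message) {
        requestContext.abortWith(Response.status(status).entity(message).build());
    }

    /**
     * Checks whether the role is allowed to invoke the matched resource method.
     * <p>
     * Only method-level annotations are consulted: {@code @DenyAll} always refuses,
     * {@code @RolesAllowed} refuses unless {@code role} is listed, and a method carrying
     * neither annotation is reachable by any authenticated user (allow-by-default).
     * Class-level annotations are not inspected.
     *
     * @param role of the user trying to access the resource; may be {@code null}, which
     *             never matches a {@code @RolesAllowed} entry
     * @return false if the role is not permitted to execute the method, otherwise true
     */
    private boolean isResourcePermitted(String role) {
        Method method = resourceInfo.getResourceMethod();
        if (method.isAnnotationPresent(DenyAll.class)) {
            return false;
        }
        if (method.isAnnotationPresent(RolesAllowed.class)) {
            String[] allowedRoles = method.getAnnotation(RolesAllowed.class).value();
            return Arrays.asList(allowedRoles).contains(role);
        }
        // No restricting annotation: permitted for every authenticated user.
        return true;
    }

    /**
     * Checks whether the matched resource method is annotated with {@code @PubliclyAllowed},
     * i.e. reachable without a session.
     *
     * @return true if the method carries {@code @PubliclyAllowed}, false otherwise
     */
    private boolean isResourcePubliclyAllowed() {
        return resourceInfo.getResourceMethod().isAnnotationPresent(PubliclyAllowed.class);
    }
}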