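@Provider
@Authorization
public class AuthorizationFilter extends SpringApplication implements ContainerRequestFilter, ContainerResponseFilter {

    /** Injected by the JAX-RS runtime; describes the resource method matched for the current request. */
    @Context
    private ResourceInfo resourceInfo;

    /**
     * Gates every non-public request on (1) presence of the session and username headers,
     * (2) an unexpired session found through {@code SessionDAOImpl}, (3) the username header
     * matching the session's user, and (4) the user's role being permitted for the resource
     * method. Any failed step aborts the request; a request that passes falls through untouched.
     *
     * @param requestContext the inbound request, aborted in place on failure
     */
    @Override
    public void filter(ContainerRequestContext requestContext) {

        // Methods annotated @PubliclyAllowed need no login at all.
        if (isResourcePubliclyAllowed()) {
            return;
        }

        // Read the values from the SAME keys whose presence is validated. Checking one key and
        // reading another would let a null slip through into the session lookup and the
        // username comparison below. getFirst() returns null when the header is absent.
        String requestSessionId = requestContext.getHeaders().getFirst(Constants.cookieSessionKey);
        String username = requestContext.getHeaders().getFirst(Constants.cookieUsernameKey);
        if (requestSessionId == null || username == null) {
            abort(requestContext, Response.Status.UNAUTHORIZED, "You can't access the resource without login");
            return;
        }

        EntityDAO<SessionDO> sessionDAO = getBean(SessionDAOImpl.class);
        Optional<SessionDO> session = sessionDAO.get(requestSessionId);
        // A session without a linked user cannot be authenticated; treating it as invalid avoids
        // a NullPointerException (and a 500) on the user checks that follow.
        if (session.isEmpty()
                || session.get().getUser() == null
                || session.get().getExpiryTimestamp() < System.currentTimeMillis()) {
            abort(requestContext, Response.Status.UNAUTHORIZED,
                    "The login session has expired,  please login again to access the resource");
            return;
        }

        // The username header must belong to the session it is presented with.
        var user = session.get().getUser();
        if (!username.equals(user.getUid())) {
            abort(requestContext, Response.Status.UNAUTHORIZED,
                    "Activity is suspicious, action will be reported to system admin");
            return;
        }

        // Authenticated but lacking the role: 403 is the correct status here (401 tells clients
        // to retry authentication, which cannot help them).
        if (!isResourcePermitted(user.getRole())) {
            abort(requestContext, Response.Status.FORBIDDEN,
                    "User is authenticated successfully, but doesn't have legitimate rights over the resource");
        }
    }

    /** No response post-processing is performed; present only to satisfy {@link ContainerResponseFilter}. */
    @Override
    public void filter(ContainerRequestContext requestContext, ContainerResponseContext responseContext) {

    }

    /**
     * Short-circuits the request with the given status and a plain-text reason.
     *
     * @param requestContext request to abort
     * @param status HTTP status to return
     * @param reason body text of the rejection
     */
    private static void abort(ContainerRequestContext requestContext, Response.Status status, String reason) {
        requestContext.abortWith(Response.status(status).entity(reason).build());
    }

    /**
     * Checks whether the role is allowed to invoke the matched resource method.
     * {@code @DenyAll} always refuses; {@code @RolesAllowed} refuses unless the role is listed.
     *
     * @param role role of the user trying to access the resource (may be {@code null})
     * @return {@code false} if the role is not permitted to execute the method, otherwise {@code true}
     */
    private boolean isResourcePermitted(String role) {

        Method method = resourceInfo.getResourceMethod();
        if (method.isAnnotationPresent(DenyAll.class)) {
            return false;
        }

        RolesAllowed rolesAllowed = method.getAnnotation(RolesAllowed.class);
        if (rolesAllowed != null) {
            return Arrays.asList(rolesAllowed.value()).contains(role);
        }

        // NOTE(review): a method carrying neither @DenyAll nor @RolesAllowed (this includes a
        // plain @PermitAll, which is not inspected) is open to every authenticated role. This is
        // a fail-open default -- confirm it is intended for every endpoint.
        return true;
    }

    /**
     * Checks for the project's {@code @PubliclyAllowed} annotation on the matched resource method.
     * Note that the standard {@code @PermitAll} is NOT treated as public by this check.
     *
     * @return {@code true} if the method is annotated {@code @PubliclyAllowed}, {@code false} otherwise
     */
    private boolean isResourcePubliclyAllowed() {

        return resourceInfo.getResourceMethod().isAnnotationPresent(PubliclyAllowed.class);
    }
}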
