Roberto Sánchez
2014-01-17 441c660af706fd3c6d0e06b36b8f25a808fcdf5f
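--- a/securis/src/main/java/net/curisit/securis/services/SecurityInterceptor.java
+++ b/securis/src/main/java/net/curisit/securis/services/SecurityInterceptor.java
@@ -2,11 +2,20 @@
 
 import java.io.IOException;
 import java.lang.reflect.Method;
+import java.util.List;
 
+import javax.inject.Inject;
+import javax.persistence.EntityManager;
 import javax.servlet.http.HttpServletRequest;
 import javax.ws.rs.container.ContainerRequestContext;
 import javax.ws.rs.core.Context;
+import javax.ws.rs.core.Response;
+import javax.ws.rs.core.Response.Status;
 import javax.ws.rs.ext.Provider;
+
+import net.curisit.securis.db.User;
+import net.curisit.securis.utils.CacheTTL;
+import net.curisit.securis.utils.TokenHelper;
 
 import org.jboss.resteasy.core.ResourceMethodInvoker;
 import org.slf4j.Logger;
@@ -17,33 +26,60 @@
 
 private static final Logger log = LoggerFactory.getLogger(SecurityInterceptor.class);
 
+ @Inject
+ private TokenHelper tokenHelper;
+
 @Context
 private HttpServletRequest servletRequest;
+
+ @Inject
+ CacheTTL cache;
+
+ @Inject
+ com.google.inject.Provider<EntityManager> emProvider;
 
 @Override
 public void filter(ContainerRequestContext containerRequestContext) throws IOException {
 log.info("filter using REST interceptor, method: {}", containerRequestContext.getMethod());
+
 log.info("filter using REST interceptor, ResourceMethodInvoker: {}", containerRequestContext.getProperty("org.jboss.resteasy.core.ResourceMethodInvoker"));
 ResourceMethodInvoker methodInvoker = (ResourceMethodInvoker) containerRequestContext.getProperty("org.jboss.resteasy.core.ResourceMethodInvoker");
 Method method = methodInvoker.getMethod();
 
 if (!method.isAnnotationPresent(Securable.class))
 return;
+ String token = servletRequest.getHeader(TokenHelper.TOKEN_HEADER_PÀRAM);
+ if (token == null || !tokenHelper.isTokenValid(token))
+ containerRequestContext.abortWith(Response.status(Status.UNAUTHORIZED).build());
+ Securable sec = method.getAnnotation(Securable.class);
+
+ // If roles == 0 we only need to validate the token
+ if (sec.roles() != 0) {
+ String username = tokenHelper.extractUserFromToken(token);
+ int userRoles = getUserRoles(username);
+ if ((sec.roles() & userRoles) == 0) {
+ log.info("User {} has no necessary role to access url: {}", username, servletRequest.getPathInfo());
+ containerRequestContext.abortWith(Response.status(Status.UNAUTHORIZED).build());
+ }
+ }
 }
 
- // @Override
- // public ServerResponse preProcess(HttpRequest httpRequest, ResourceMethod resourceMethod) throws Failure, WebApplicationException {
- //
- // Securable securable = resourceMethod.getMethod().getAnnotation(Securable.class);
- // String headerValue = servletRequest.getHeader(securable.header());
- //
- // if (headerValue == null) {
- // return (ServerResponse) Response.status(Status.BAD_REQUEST).entity("Invalid Session").build();
- // } else {
- // // Validatation logic goes here
- // }
- //
- // return null;
- // }
+ private int getUserRoles(String username) {
+ Integer userRoles = cache.get("roles_" + username, Integer.class);
+ if (userRoles == null) {
+ EntityManager em = emProvider.get();
+ User user = em.find(User.class, username);
+ if (user != null) {
+ userRoles = 0;
+ List<Integer> roles = user.getRoles();
+ for (Integer rol : roles) {
+ userRoles += rol;
+ }
+ // We store user roles in cache only for one hour
+ cache.set("roles_" + username, userRoles, 3600);
+ }
+ }
+ return userRoles == null ? 0 : userRoles.intValue();
+ }
 
 }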
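Review bot: The first `abortWith` at new line 53 is not followed by a `return`, so a missing or invalid token still runs the role check below it: `extractUserFromToken(token)` is called with `null` or with a token that `isTokenValid` just rejected, and `getUserRoles` goes on to query the cache and the database for a username derived from it. The abort presumably still takes effect, but a null token likely ends in a NullPointerException (a 500 instead of the intended 401) and the second `abortWith` on an already-aborted request depends on RESTEasy's behavior; adding `return;` right after the first abort keeps the decision in one place. `getUserRoles` accumulates with `userRoles += rol` while `filter` tests `sec.roles() & userRoles` as a bitmask; a sum of two role values, or a duplicate entry in `user.getRoles()`, can set a bit the user was never granted, so the loop body should be `userRoles |= rol;`. A valid token with insufficient roles answers `Status.UNAUTHORIZED` at new line 62; `Status.FORBIDDEN` is the conventional status for that case and avoids telling the client to re-authenticate.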