From 441c660af706fd3c6d0e06b36b8f25a808fcdf5f Mon Sep 17 00:00:00 2001
From: Roberto Sánchez <roberto.sanchez@curisit.net>
Date: Fri, 17 Jan 2014 17:35:50 +0000
Subject: [PATCH] #396 feature - Added security management methods for REST API

---
 securis/src/main/java/net/curisit/securis/services/SecurityInterceptor.java |   64 +++++++++++++++++++++++++-------
 1 files changed, 50 insertions(+), 14 deletions(-)

diff --git a/securis/src/main/java/net/curisit/securis/services/SecurityInterceptor.java b/securis/src/main/java/net/curisit/securis/services/SecurityInterceptor.java
index 16e2444..0516435 100644
--- a/securis/src/main/java/net/curisit/securis/services/SecurityInterceptor.java
+++ b/securis/src/main/java/net/curisit/securis/services/SecurityInterceptor.java
@@ -2,11 +2,20 @@
 
 import java.io.IOException;
 import java.lang.reflect.Method;
+import java.util.List;
 
+import javax.inject.Inject;
+import javax.persistence.EntityManager;
 import javax.servlet.http.HttpServletRequest;
 import javax.ws.rs.container.ContainerRequestContext;
 import javax.ws.rs.core.Context;
+import javax.ws.rs.core.Response;
+import javax.ws.rs.core.Response.Status;
 import javax.ws.rs.ext.Provider;
+
+import net.curisit.securis.db.User;
+import net.curisit.securis.utils.CacheTTL;
+import net.curisit.securis.utils.TokenHelper;
 
 import org.jboss.resteasy.core.ResourceMethodInvoker;
 import org.slf4j.Logger;
@@ -17,33 +26,60 @@
 
 	private static final Logger log = LoggerFactory.getLogger(SecurityInterceptor.class);
 
+	@Inject
+	private TokenHelper tokenHelper;
+
 	@Context
 	private HttpServletRequest servletRequest;
+
+	@Inject
+	CacheTTL cache;
+
+	@Inject
+	com.google.inject.Provider<EntityManager> emProvider;
 
 	@Override
 	public void filter(ContainerRequestContext containerRequestContext) throws IOException {
 		log.info("filter using REST interceptor, method: {}", containerRequestContext.getMethod());
+
 		log.info("filter using REST interceptor, ResourceMethodInvoker: {}", containerRequestContext.getProperty("org.jboss.resteasy.core.ResourceMethodInvoker"));
 		ResourceMethodInvoker methodInvoker = (ResourceMethodInvoker) containerRequestContext.getProperty("org.jboss.resteasy.core.ResourceMethodInvoker");
 		Method method = methodInvoker.getMethod();
 
 		if (!method.isAnnotationPresent(Securable.class))
 			return;
+		String token = servletRequest.getHeader(TokenHelper.TOKEN_HEADER_PÀRAM);
+		if (token == null || !tokenHelper.isTokenValid(token))
+			containerRequestContext.abortWith(Response.status(Status.UNAUTHORIZED).build());
+		Securable sec = method.getAnnotation(Securable.class);
+
+		// If roles == 0 we only need to validate the token
+		if (sec.roles() != 0) {
+			String username = tokenHelper.extractUserFromToken(token);
+			int userRoles = getUserRoles(username);
+			if ((sec.roles() & userRoles) == 0) {
+				log.info("User {} has no necessary role to access url: {}", username, servletRequest.getPathInfo());
+				containerRequestContext.abortWith(Response.status(Status.UNAUTHORIZED).build());
+			}
+		}
 	}
 
-	// @Override
-	// public ServerResponse preProcess(HttpRequest httpRequest, ResourceMethod resourceMethod) throws Failure, WebApplicationException {
-	//
-	// Securable securable = resourceMethod.getMethod().getAnnotation(Securable.class);
-	// String headerValue = servletRequest.getHeader(securable.header());
-	//
-	// if (headerValue == null) {
-	// return (ServerResponse) Response.status(Status.BAD_REQUEST).entity("Invalid Session").build();
-	// } else {
-	// // Validatation logic goes here
-	// }
-	//
-	// return null;
-	// }
+	private int getUserRoles(String username) {
+		Integer userRoles = cache.get("roles_" + username, Integer.class);
+		if (userRoles == null) {
+			EntityManager em = emProvider.get();
+			User user = em.find(User.class, username);
+			if (user != null) {
+				userRoles = 0;
+				List<Integer> roles = user.getRoles();
+				for (Integer rol : roles) {
+					userRoles += rol;
+				}
+				// We store user roles in cache only for one hour
+				cache.set("roles_" + username, userRoles, 3600);
+			}
+		}
+		return userRoles == null ? 0 : userRoles.intValue();
+	}
 
 }
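Review bot: The first `containerRequestContext.abortWith(Response.status(Status.UNAUTHORIZED).build());` after the token check does not end the method, so a request with a missing or invalid token falls through into the role block, where `tokenHelper.extractUserFromToken(token)` runs with a null or unvalidated token and getUserRoles() then consults the cache and database on its behalf; add `return;` directly after that abortWith (and after the role-check abortWith for symmetry). In getUserRoles, `userRoles += rol;` combines the role list by addition while the caller tests it with `(sec.roles() & userRoles) == 0`, a bitmask check; if the list could ever hold the same value twice the sum carries into unrelated bits, so `userRoles |= rol;` is the safer combine. Whether the stored roles are guaranteed to be distinct single-bit values is not visible in this hunk, so that second point is a precaution. The role-mismatch branch also answers UNAUTHORIZED to a caller whose token has already been validated; `Status.FORBIDDEN` is the conventional status for an authenticated caller that lacks the required role.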

--
Gitblit v1.3.2