This project has retired. For details please refer to its
Attic page.
PermissionsInterceptor xref
1 package org.apache.archiva.redback.rest.services.interceptors;
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22 import org.apache.archiva.redback.authentication.AuthenticationResult;
23 import org.apache.archiva.redback.authorization.AuthorizationException;
24 import org.apache.archiva.redback.authorization.RedbackAuthorization;
25 import org.apache.archiva.redback.integration.filter.authentication.basic.HttpBasicAuthentication;
26 import org.apache.archiva.redback.system.SecuritySession;
27 import org.apache.archiva.redback.system.SecuritySystem;
28 import org.apache.commons.lang.StringUtils;
29 import org.apache.cxf.jaxrs.ext.RequestHandler;
30 import org.apache.cxf.jaxrs.model.ClassResourceInfo;
31 import org.apache.cxf.message.Message;
32 import org.slf4j.Logger;
33 import org.slf4j.LoggerFactory;
34 import org.springframework.stereotype.Service;
35
36 import javax.inject.Inject;
37 import javax.inject.Named;
38 import javax.servlet.http.HttpServletRequest;
39 import javax.ws.rs.core.Response;
40
41
42
43
44
45 @Service ("permissionInterceptor#rest")
46 public class PermissionsInterceptor
47 extends AbstractInterceptor
48 implements RequestHandler
49 {
50
51 @Inject
52 @Named (value = "securitySystem")
53 private SecuritySystem securitySystem;
54
55 @Inject
56 @Named (value = "httpAuthenticator#basic")
57 private HttpBasicAuthentication httpAuthenticator;
58
59 private Logger log = LoggerFactory.getLogger( getClass() );
60
61 public Response handleRequest( Message message, ClassResourceInfo classResourceInfo )
62 {
63 RedbackAuthorization redbackAuthorization = getRedbackAuthorization( message );
64
65 if ( redbackAuthorization != null )
66 {
67 if ( redbackAuthorization.noRestriction() )
68 {
69
70 return null;
71 }
72 String[] permissions = redbackAuthorization.permissions();
73
74 if ( permissions != null && permissions.length > 0 && !( permissions.length == 1 && StringUtils.isEmpty(
75 permissions[0] ) ) )
76 {
77 HttpServletRequest request = getHttpServletRequest( message );
78 SecuritySession session = httpAuthenticator.getSecuritySession( request.getSession() );
79 AuthenticationResult authenticationResult = message.get( AuthenticationResult.class );
80 if ( authenticationResult != null && authenticationResult.isAuthenticated() )
81 {
82 for ( String permission : permissions )
83 {
84 if ( StringUtils.isBlank( permission ) )
85 {
86 continue;
87 }
88 try
89 {
90 if ( securitySystem.isAuthorized( session, permission,
91 StringUtils.isBlank( redbackAuthorization.resource() )
92 ? null
93 : redbackAuthorization.resource() ) )
94 {
95 return null;
96 }
97 else
98 {
99 log.debug( "user {} not authorized for permission {}", session.getUser().getUsername(),
100 permission );
101 }
102 }
103 catch ( AuthorizationException e )
104 {
105 log.debug( e.getMessage(), e );
106 return Response.status( Response.Status.FORBIDDEN ).build();
107 }
108 }
109
110 }
111 else
112 {
113 log.debug( "user {} not authenticated", session.getUser().getUsername() );
114 }
115 }
116 else
117 {
118 if ( redbackAuthorization.noPermission() )
119 {
120 log.debug( "path {} doesn't need special permission", message.get( Message.REQUEST_URI ) );
121 return null;
122 }
123 return Response.status( Response.Status.FORBIDDEN ).build();
124 }
125 }
126 log.warn( "http path {} doesn't contain any informations regarding permissions ",
127 message.get( Message.REQUEST_URI ) );
128
129
130 return Response.status( Response.Status.FORBIDDEN ).build();
131 }
132 }