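/**
 * =============================================================================
 *
 * ORCID (R) Open Source
 * http://orcid.org
 *
 * Copyright (c) 2012-2014 ORCID, Inc.
 * Licensed under an MIT-Style License (MIT)
 * http://orcid.org/open-source-license
 *
 * This copyright and license information (including a link to the full license)
 * shall be included in its entirety in all copies or substantial portion of
 * the software.
 *
 * =============================================================================
 */
package org.orcid.core.web.filters;

import java.security.AccessControlException;
import java.util.regex.Matcher;

import javax.annotation.Resource;
import javax.ws.rs.ext.Provider;

import org.orcid.core.exception.OrcidUnauthorizedException;
import org.orcid.core.oauth.OrcidOauth2TokenDetailService;
import org.orcid.persistence.jpa.entities.ProfileEntity;
import org.orcid.utils.OrcidStringUtils;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.provider.OAuth2Authentication;

import com.sun.jersey.spi.container.ContainerRequest;
import com.sun.jersey.spi.container.ContainerRequestFilter;

/**
 * Jersey request filter that binds an OAuth2 access token to the record it was
 * issued for: when the request path contains an ORCID iD and the current
 * {@link OAuth2Authentication} carries a {@link ProfileEntity} user principal,
 * the two must agree or the request is rejected.
 * <p>
 * Scope of the check, as implemented here:
 * <ul>
 * <li>only the first ORCID-shaped match in the path is validated;</li>
 * <li>requests with no authentication, a non-OAuth2 authentication, no user
 * authentication, or a principal that is not a {@link ProfileEntity} pass
 * through untouched (presumably client-credentials style tokens — confirm
 * against the token issuance code).</li>
 * </ul>
 * The filter never modifies the request; it either returns it or throws.
 */
@Provider
public class TokenTargetFilter implements ContainerRequestFilter {

    // Injected but not referenced by any method in this file; kept for the
    // container wiring that expects it.
    @Resource
    private OrcidOauth2TokenDetailService orcidOauth2TokenService;

    /**
     * Looks for an ORCID iD in the request path and, if one is present,
     * checks it against the owner of the current token.
     *
     * @param request the inbound Jersey request
     * @return the same request, unchanged
     * @throws AccessControlException     for API version {@code "1.2"} when the
     *                                    token belongs to a different record
     * @throws OrcidUnauthorizedException for any other API version when the
     *                                    token belongs to a different record
     */
    @Override
    public ContainerRequest filter(ContainerRequest request) {
        Matcher pathMatcher = OrcidStringUtils.orcidPattern.matcher(request.getPath());
        // Only the first ORCID-shaped segment is checked; later ones are ignored.
        if (pathMatcher.find()) {
            validateTargetRecord(pathMatcher.group(), request);
        }
        return request;
    }

    /**
     * Throws if the authenticated token's user principal is a
     * {@link ProfileEntity} whose id differs from {@code targetOrcid}.
     * Every other authentication shape is left alone, so this method only
     * ever rejects — it never grants.
     *
     * @param targetOrcid the ORCID iD extracted from the request path
     * @param request     the inbound request, used to pick the error type
     */
    private void validateTargetRecord(String targetOrcid, ContainerRequest request) {
        SecurityContext context = SecurityContextHolder.getContext();
        if (context == null) {
            return;
        }
        Authentication authentication = context.getAuthentication();
        // instanceof is false for null, so the explicit null check is folded in.
        if (!(authentication instanceof OAuth2Authentication)) {
            return;
        }
        Authentication userAuthentication = ((OAuth2Authentication) authentication).getUserAuthentication();
        if (userAuthentication == null) {
            return;
        }
        Object principal = userAuthentication.getPrincipal();
        if (!(principal instanceof ProfileEntity)) {
            return;
        }
        ProfileEntity tokenOwner = (ProfileEntity) principal;
        if (!targetOrcid.equals(tokenOwner.getId())) {
            throwException(request);
        }
    }

    /**
     * Rejects the request with the exception type expected by the caller's
     * API version.
     * <p>
     * The version is read via {@code request.getHeaderValue(...)} using the
     * constant named {@code API_VERSION_REQUEST_ATTRIBUTE_NAME}; whether that
     * value is populated as a header or copied from a request attribute by
     * {@code ApiVersionFilter} is not visible here — confirm there. A missing
     * value used to NPE out of this method; it now falls into the non-1.2
     * branch so the rejection is still an authorization error, not a 500.
     *
     * @param request the inbound request
     * @throws AccessControlException     when the API version is {@code "1.2"}
     * @throws OrcidUnauthorizedException otherwise
     */
    private void throwException(ContainerRequest request) {
        String apiVersion = request.getHeaderValue(ApiVersionFilter.API_VERSION_REQUEST_ATTRIBUTE_NAME);
        // Literal-first comparison is null-safe; apiVersion may be absent.
        if ("1.2".equals(apiVersion)) {
            throw new AccessControlException("You do not have the required permissions.");
        }
        throw new OrcidUnauthorizedException("Access token is for a different record");
    }
}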