AuthorizationFeature.java example

Explorer
candlepin-master
/**
 * Copyright (c) 2009 - 2012 Red Hat, Inc.
 *
 * This software is licensed to you under the GNU General Public License,
 * version 2 (GPLv2). There is NO WARRANTY for this software, express or
 * implied, including the implied warranties of MERCHANTABILITY or FITNESS
 * FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
 * along with this software; if not, see
 * http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
 *
 * Red Hat trademarks are not licensed under GPLv2. No permission is
 * granted to use or replicate Red Hat trademarks that are incorporated
 * in this software or its documentation.
 */
package org.candlepin.resteasy.filter;

import org.candlepin.auth.Verify;
import org.candlepin.common.auth.SecurityHole;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import java.lang.annotation.Annotation;
import java.lang.reflect.Method;

import javax.inject.Inject;
import javax.ws.rs.container.DynamicFeature;
import javax.ws.rs.container.ResourceInfo;
import javax.ws.rs.core.FeatureContext;
import javax.ws.rs.ext.Provider;


/**
 * DynamicFeature implementation that determines when to apply the
 * security interceptor.  This Feature is run as part of the JAX-RS
 * bootstrap process not on every request.
 *
 * Guice will throw a ProvisionException if nothing is bound to the
 * AuthorizationFilter annotation.
 */
@Provider
public class AuthorizationFeature implements DynamicFeature {
    private static final Logger log = LoggerFactory.getLogger(AuthorizationFeature.class);

    private AbstractAuthorizationFilter authorizationFilter;
    private AbstractAuthorizationFilter superAdminFilter;
    private AbstractAuthorizationFilter securityHoleFilter;

    @Inject
    public AuthorizationFeature(VerifyAuthorizationFilter authorizationFilter,
        SuperAdminAuthorizationFilter superAdminFilter,
        SecurityHoleAuthorizationFilter securityHoleFilter) {
        this.authorizationFilter = authorizationFilter;
        this.superAdminFilter = superAdminFilter;
        this.securityHoleFilter = securityHoleFilter;
    }

    @Override
    public void configure(ResourceInfo resourceInfo, FeatureContext context) {
        Method method = resourceInfo.getResourceMethod();

        SecurityHole securityHole = method.getAnnotation(SecurityHole.class);

        String name = method.getDeclaringClass().getName() + "." + method.getName();
        if (securityHole != null) {
            log.debug("Not registering authorization filter on {}", name);
            context.register(securityHoleFilter);
        }
        else {
            if (isSuperAdminOnly(method)) {
                log.debug("Registering superadmin only on {}", name);
                context.register(superAdminFilter);
            }
            else {
                log.debug("Registering standard authorization on {}", name);
                context.register(authorizationFilter);
            }
        }
    }

    protected boolean isSuperAdminOnly(Method method) {
        Annotation[][] allAnnotations = method.getParameterAnnotations();

        // Any occurrence of the Verify annotation means the method is not superadmin exclusive.
        for (int i = 0; i < allAnnotations.length; i++) {
            for (Annotation a : allAnnotations[i]) {
                if (a instanceof Verify) {
                    return false;
                }
            }
        }
        return true;
    }
}