SecurityConstraint.java example

Explorer
everrest-master
/*******************************************************************************
 * Copyright (c) 2012-2016 Codenvy, S.A.
 * All rights reserved. This program and the accompanying materials
 * are made available under the terms of the Eclipse Public License v1.0
 * which accompanies this distribution, and is available at
 * http://www.eclipse.org/legal/epl-v10.html
 *
 * Contributors:
 *   Codenvy, S.A. - initial API and implementation
 *******************************************************************************/
package org.everrest.core.impl.method.filter;

import org.everrest.core.ApplicationContext;
import org.everrest.core.Filter;
import org.everrest.core.method.MethodInvokerFilter;
import org.everrest.core.resource.GenericResourceMethod;

import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import java.lang.annotation.Annotation;

import static javax.ws.rs.core.MediaType.TEXT_PLAIN;
import static javax.ws.rs.core.Response.Status.FORBIDDEN;

/**
 * Contract of this class is constraint access to the resource method that use JSR-250 security common annotations. See also
 * https://jsr250.dev.java.net
 *
 * @author andrew00x
 */
@Filter
public class SecurityConstraint implements MethodInvokerFilter {
    /**
     * Check does <tt>method</tt> contains one on of security annotations PermitAll, DenyAll, RolesAllowed.
     *
     * @see PermitAll
     * @see DenyAll
     * @see RolesAllowed
     */
    @Override
    public void accept(GenericResourceMethod method, Object[] params) throws WebApplicationException {
        for (Annotation annotation : method.getAnnotations()) {
            Class<?> annotationType = annotation.annotationType();
            if (annotationType == PermitAll.class) {
                return;
            } else if (annotationType == DenyAll.class) {
                throw new WebApplicationException(Response.status(FORBIDDEN)
                                                          .entity("User not authorized to call this method").type(TEXT_PLAIN)
                                                          .build());
            } else if (annotationType == RolesAllowed.class) {
                SecurityContext security = ApplicationContext.getCurrent().getSecurityContext();
                for (String role : ((RolesAllowed)annotation).value()) {
                    if (security.isUserInRole(role)) {
                        return;
                    }
                }
                throw new WebApplicationException(Response.status(FORBIDDEN)
                                                          .entity("User not authorized to call this method").type(TEXT_PLAIN)
                                                          .build());
            }
        }
    }
}