AuthzManager.java

/*
 * Copyright 2013 eXo Platform SAS
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package juzu.plugin.authz;

import juzu.Response;
import juzu.impl.request.Request;
import juzu.impl.request.RequestFilter;
import juzu.impl.request.Stage;
import juzu.request.SecurityContext;

import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import java.lang.reflect.Method;

/**
 * @author Julien Viet
 */
public class AuthzManager implements RequestFilter<Stage.Handler> {

  @Override
  public Class<Stage.Handler> getStageType() {
    return Stage.Handler.class;
  }

  @Override
  public Response handle(Stage.Handler argument) {
    Request request = argument.getRequest();

    // Search for annotation on the method
    Method method = request.getHandler().getMethod();
    RolesAllowed rolesAllowed = method.getAnnotation(RolesAllowed.class);
    PermitAll permitAll = method.getAnnotation(PermitAll.class);
    DenyAll denyAll = method.getAnnotation(DenyAll.class);

    // Look at parent if nothing found at method level
    if (rolesAllowed == null && permitAll == null && denyAll == null) {
      Class<?> controllerClass = method.getDeclaringClass();
      rolesAllowed = controllerClass.getAnnotation(RolesAllowed.class);
      denyAll = controllerClass.getAnnotation(DenyAll.class);
    }

    //
    boolean ok = false;
    if (denyAll != null) {
      ok = false;
    } else if (rolesAllowed != null) {
      SecurityContext securityContext = request.getSecurityContext();
      for (String role : rolesAllowed.value()) {
        if (securityContext.isUserInRole(role)) {
          ok = true;
          break;
        }
      }
    } else {
      ok = true;
    }

    //
    if (!ok) {
      return new Response.Error.Forbidden("Access denied");
    } else {
      return argument.invoke();
    }
  }
}