use of io.vertigo.vega.webservice.exception.SessionException in project vertigo by KleeGroup.
the class SessionWebServiceHandlerPlugin method handle.
/**
* {@inheritDoc}
*/
@Override
public Object handle(final Request request, final Response response, final WebServiceCallContext routeContext, final HandlerChain chain) throws SessionException {
    // Runs the rest of the handler chain with the caller's UserSession bound to the SecurityManager.
    // request.session(true) returns the existing HTTP session or creates one, so every request
    // that reaches this handler ends up with a session, authenticated or not.
    final Session httpSession = request.session(true);
    final UserSession userSession = obtainUserSession(httpSession);
    try {
        // Bind the user session to the SecurityManager for the duration of the call.
        securityManager.startCurrentUserSession(userSession);
        return chain.handle(request, response, routeContext);
    } catch (final VSecurityException securityFailure) {
        // A security failure on a pre-existing session is propagated unchanged.
        if (!httpSession.isNew()) {
            throw securityFailure;
        }
        // The session was created by this very request and was immediately misused: drop it so
        // rejected requests do not leave sessions behind (the original author describes this as
        // light protection against DDoS).
        httpSession.invalidate();
        // For a just-created session the security failure is reported as a session expiration;
        // the original exception is kept as the cause so it is not lost for diagnostics.
        // NOTE(review): the caller therefore sees "expired" rather than the security error.
        // Confirm the upstream error mapping is meant to treat the two differently.
        final SessionException expired = new SessionException("Session has expired");
        expired.initCause(securityFailure);
        throw expired;
    } finally {
        // Always unbind, including when the chain throws, so the binding does not outlive the call.
        securityManager.stopCurrentUserSession();
    }
}
use of io.vertigo.vega.webservice.exception.SessionException in project vertigo by KleeGroup.
the class RestfulServiceWebServiceHandlerPlugin method handle.
/**
* {@inheritDoc}
*/
@Override
public Object handle(final Request request, final Response response, final WebServiceCallContext routeContext, final HandlerChain chain) throws SessionException {
    // Invokes the web service method reflectively on the component resolved from its declaring
    // class. This handler never calls chain.handle, so nothing after it in the chain runs.
    final WebServiceDefinition definition = routeContext.getWebServiceDefinition();
    final Object[] invocationArgs = makeArgs(routeContext);
    final Method serviceMethod = definition.getMethod();
    final WebServices target = (WebServices) Home.getApp().getComponentSpace().resolve(serviceMethod.getDeclaringClass());
    // By convention, a method whose name starts with 'create' answers with HTTP 201.
    // NOTE(review): the status is set before the invocation, purely from the method name. When the
    // call fails, it stays at 201 unless whatever handles the exception overwrites it. Confirm.
    final boolean isCreation = serviceMethod.getName().startsWith("create");
    if (isCreation) {
        response.status(HttpServletResponse.SC_CREATED);
    }
    try {
        return ClassUtil.invoke(target, serviceMethod, invocationArgs);
    } catch (final RuntimeException invocationFailure) {
        // The service's own exception is expected as the target of an InvocationTargetException
        // carried as the cause of the RuntimeException. Anything else is rethrown as caught.
        final Throwable cause = invocationFailure.getCause();
        if (!(cause instanceof InvocationTargetException)) {
            throw invocationFailure;
        }
        final Throwable thrownByService = ((InvocationTargetException) cause).getTargetException();
        // Rethrow the service's exception with its real type so user, session and security
        // errors reach the callers as themselves rather than as a generic reflection wrapper.
        if (thrownByService instanceof ValidationUserException) {
            throw (ValidationUserException) thrownByService;
        }
        if (thrownByService instanceof VUserException) {
            throw (VUserException) thrownByService;
        }
        if (thrownByService instanceof SessionException) {
            throw (SessionException) thrownByService;
        }
        if (thrownByService instanceof VSecurityException) {
            throw (VSecurityException) thrownByService;
        }
        if (thrownByService instanceof RuntimeException) {
            throw (RuntimeException) thrownByService;
        }
        // Any other target exception type stays wrapped.
        throw invocationFailure;
    }
}
use of io.vertigo.vega.webservice.exception.SessionException in project vertigo by KleeGroup.
the class AnalyticsWebServiceHandlerPlugin method handle.
/**
* {@inheritDoc}
*/
@Override
public Object handle(final Request request, final Response response, final WebServiceCallContext webServiceCallContext, final HandlerChain chain) throws SessionException {
    // Runs the rest of the handler chain inside an analytics trace of category "webservices".
    final WebServiceDefinition definition = webServiceCallContext.getWebServiceDefinition();
    // The trace name is built from the declared verb and path, not from request.pathInfo:
    // pathInfo may contain parameters, and those must stay out of the statistics.
    final String verbName = definition.getVerb().name();
    final String traceName = "/" + verbName + "/" + definition.getPath();
    return analyticsManager.traceWithReturn("webservices", traceName, tracer -> {
        try {
            return chain.handle(request, response, webServiceCallContext);
        } catch (final SessionException sessionFailure) {
            // The checked SessionException is wrapped here so it can leave the lambda.
            // NOTE(review): unless traceWithReturn unwraps it, callers receive the wrapper and
            // not a SessionException. Verify session expiry is still recognised upstream.
            throw WrappedException.wrap(sessionFailure);
        }
    });
}
use of io.vertigo.vega.webservice.exception.SessionException in project vertigo by KleeGroup.
the class SecurityFilter method doSecurityFilter.
/**
 * Binds the caller's user session for the duration of the request and lets the request through
 * the filter chain only when the authentication and access checks pass.
 *
 * <p>A request that needs authentication from a non-authenticated user is answered with 403. The
 * same answer is sent when {@code checkRequestAccess} is enabled and the security manager does
 * not authorize the request. The access check is skipped entirely when {@code checkRequestAccess}
 * is off.
 *
 * @param needsAuthentification whether the requested address requires an authenticated user
 * @param httpRequest the incoming request
 * @param httpResponse the response, used to send the 403 error
 * @param chain the filter chain to continue when access is granted
 * @throws IOException declared for the calls to {@code sendError} and {@code doFilter}
 * @throws ServletException wrapping a {@code SessionException} when authentication is required,
 *         the user is not authenticated and no HTTP session existed when the request arrived;
 *         also declared for {@code doFilter}
 */
private void doSecurityFilter(final boolean needsAuthentification, final HttpServletRequest httpRequest, final HttpServletResponse httpResponse, final FilterChain chain) throws IOException, ServletException {
    // Captured before obtainUserSession, which presumably may create the HTTP session. Verify.
    final boolean hasSession = httpRequest.getSession(false) != null;
    // Retrieve the user's session.
    final UserSession user = obtainUserSession(httpRequest);
    try {
        // Put the user session in the ThreadLocal.
        securityManager.startCurrentUserSession(user);
        // 1. Persist the UserSession in the HTTP session.
        // NOTE(review): this happens before the authentication check, so requests that are
        // rejected below are bound as well. Confirm that is intended.
        bindUser(httpRequest, user);
        // 2. Check that the user is authenticated when the requested address requires it.
        final boolean unauthenticated = needsAuthentification && !user.isAuthenticated();
        if (unauthenticated) {
            httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
            // Processing must stop here: the chain is not invoked.
            if (hasSession) {
                return;
            }
            // With no prior HTTP session, the session is considered expired by default.
            throw new ServletException(new SessionException("Session expirée"));
        }
        final boolean accessDenied = checkRequestAccess && needsAuthentification && !securityManager.isAuthorized("HttpServletRequest", httpRequest, "OP_READ");
        if (accessDenied) {
            httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(httpRequest, httpResponse);
    } finally {
        // Remove the user from the ThreadLocal (it is already stored in the HTTP session).
        securityManager.stopCurrentUserSession();
    }
}