
Example 6 with ResourceInfo

use of javax.ws.rs.container.ResourceInfo in project candlepin by candlepin.

the class VerifyAuthorizationFilterTest method setUp.

/**
 * Prepares the RESTEasy context and mocks that each test of the authorization filter needs.
 *
 * <p>Installs the stub injector factory, publishes a mocked {@link ResourceInfo} that points at
 * {@code FakeResource#someMethod(String)}, and builds the filter under test.
 *
 * @throws NoSuchMethodException if {@code FakeResource} has no {@code someMethod(String)}
 * @throws SecurityException if reflection on {@code FakeResource} is denied
 */
@Before
public void setUp() throws NoSuchMethodException, SecurityException {
    // Raise the filter's logger to INFO so HttpServletRequest logging stays off during tests.
    LoggerContext loggerContext = (LoggerContext) LoggerFactory.getILoggerFactory();
    loggerContext.getLogger(AbstractAuthorizationFilter.class).setLevel(Level.INFO);

    // Swap in the stub injector factory so the test controls method injection.
    ResteasyProviderFactory.getInstance().registerProvider(StubInjectorFactoryImpl.class);
    StubInjectorFactoryImpl injectorFactory =
        (StubInjectorFactoryImpl) ResteasyProviderFactory.getInstance().getInjectorFactory();
    methodInjector = new StubMethodInjector();
    injectorFactory.setMethodInjector(methodInjector);

    // The filter resolves the target resource through ResourceInfo; point it at FakeResource.
    ResourceInfo resourceInfo = mock(ResourceInfo.class);
    Method resourceMethod = FakeResource.class.getMethod("someMethod", String.class);
    when(resourceInfo.getResourceMethod()).thenReturn(resourceMethod);
    // Raw Class on purpose: Mockito's thenReturn cannot take a Class<?> capture here.
    Class resourceClass = FakeResource.class;
    when(resourceInfo.getResourceClass()).thenReturn(resourceClass);

    // Publish the context objects the filter looks up via ResteasyProviderFactory.
    ResteasyProviderFactory.pushContext(ResourceInfo.class, resourceInfo);
    ResteasyProviderFactory.pushContext(HttpRequest.class, mockReq);

    when(mockRequestContext.getSecurityContext()).thenReturn(mockSecurityContext);
    when(mockRequestContext.getUriInfo()).thenReturn(mock(UriInfo.class));

    resourceMap.init();
    interceptor = new VerifyAuthorizationFilter(i18nProvider, storeFactory, resourceMap);
}
Also used : ResourceInfo(javax.ws.rs.container.ResourceInfo) Method(java.lang.reflect.Method) Logger(ch.qos.logback.classic.Logger) LoggerContext(ch.qos.logback.classic.LoggerContext) UriInfo(javax.ws.rs.core.UriInfo) Before(org.junit.Before)

Example 7 with ResourceInfo

use of javax.ws.rs.container.ResourceInfo in project instrumentation-java by census-instrumentation.

the class JaxrsContainerExtractorTest method testExtraction.

/**
 * Verifies that {@code JaxrsContainerExtractor} reads host, method, path, route, URL,
 * user agent and status code from mocked JAX-RS request and response contexts.
 */
@Test
@SuppressWarnings("unchecked")
public void testExtraction() throws Exception {
    // URI details reported by the container for the matched request.
    UriInfo mockedUri = mock(UriInfo.class);
    when(mockedUri.getRequestUri()).thenReturn(URI.create("https://myhost/resource/1"));
    when(mockedUri.getMatchedURIs()).thenReturn(Collections.singletonList("/resource/{route}"));
    when(mockedUri.getPath()).thenReturn("mypath");

    // Request line and headers.
    ContainerRequestContext mockedRequest = mock(ContainerRequestContext.class);
    when(mockedRequest.getUriInfo()).thenReturn(mockedUri);
    when(mockedRequest.getMethod()).thenReturn("GET");
    when(mockedRequest.getHeaderString("host")).thenReturn("myhost");
    when(mockedRequest.getHeaderString("user-agent")).thenReturn("java/1.8");

    // Matched resource class and method; the raw cast sidesteps the Class<?> capture in thenReturn.
    ResourceInfo mockedResource = mock(ResourceInfo.class);
    when(mockedResource.getResourceClass()).thenReturn((Class) MyResource.class);
    when(mockedResource.getResourceMethod()).thenReturn(MyResource.class.getMethod("route"));

    ContainerResponseContext mockedResponse = mock(ContainerResponseContext.class);
    when(mockedResponse.getStatus()).thenReturn(200);

    ExtendedContainerRequest wrapped = new ExtendedContainerRequest(mockedRequest, mockedResource);
    JaxrsContainerExtractor underTest = new JaxrsContainerExtractor();

    assertEquals("myhost", underTest.getHost(wrapped));
    assertEquals("GET", underTest.getMethod(wrapped));
    assertEquals("mypath", underTest.getPath(wrapped));
    assertEquals("/resource/{route}", underTest.getRoute(wrapped));
    assertEquals("https://myhost/resource/1", underTest.getUrl(wrapped));
    assertEquals("java/1.8", underTest.getUserAgent(wrapped));
    assertEquals(200, underTest.getStatusCode(mockedResponse));
}
Also used : ResourceInfo(javax.ws.rs.container.ResourceInfo) ContainerRequestContext(javax.ws.rs.container.ContainerRequestContext) ContainerResponseContext(javax.ws.rs.container.ContainerResponseContext) UriInfo(javax.ws.rs.core.UriInfo) Test(org.junit.Test)

Example 8 with ResourceInfo

use of javax.ws.rs.container.ResourceInfo in project tomee by apache.

the class Contexts method bind.

/**
 * Binds the JAX-RS {@code @Context} values for the requested types to the current thread.
 *
 * <p>Stores {@code exchange} in {@code EXCHANGE}, registers {@code CleanUpThreadLocal.INSTANCE}
 * as a request releasable, then creates each requested context value from the exchange's
 * in-message and stores it in the matching {@code ThreadLocalContextManager} slot. A type
 * without a dedicated slot is resolved through a CXF {@code ContextProvider} and kept in the
 * {@code OTHERS} map under its class name.
 *
 * <p>Callers are expected to pass each type once (for example a set): super classes may declare
 * injection points of identical types, and the same thread local should not be set twice.
 * Context references can also come from other sources such as interceptors.
 *
 * <p>NOTE(review): the values bound here (security context, servlet request, headers) are
 * request-scoped. Presumably {@code CleanUpThreadLocal} clears them when the request is
 * released, so a pooled thread cannot expose them to a later request; confirm against that
 * class.
 *
 * @param exchange the CXF exchange whose in-message supplies the context values
 * @param types    the context types to bind for this request
 */
public static void bind(final Exchange exchange, final Collection<Class<?>> types) {
    // Used in lazy mode by RESTResourceFinder when CDI beans use @Context (same as initThreadLocal).
    EXCHANGE.set(exchange);
    CdiAppContextsService.pushRequestReleasable(CleanUpThreadLocal.INSTANCE);

    for (final Class<?> type : types) {
        final Message in = exchange.getInMessage();

        if (Request.class.equals(type)) {
            ThreadLocalContextManager.REQUEST.set(JAXRSUtils.createContextValue(in, null, Request.class));
        } else if (UriInfo.class.equals(type)) {
            ThreadLocalContextManager.URI_INFO.set(JAXRSUtils.createContextValue(in, null, UriInfo.class));
        } else if (HttpHeaders.class.equals(type)) {
            ThreadLocalContextManager.HTTP_HEADERS.set(JAXRSUtils.createContextValue(in, null, HttpHeaders.class));
        } else if (SecurityContext.class.equals(type)) {
            ThreadLocalContextManager.SECURITY_CONTEXT.set(JAXRSUtils.createContextValue(in, null, SecurityContext.class));
        } else if (ContextResolver.class.equals(type)) {
            // The only branch that forwards the requested type as the generic type argument.
            final ContextResolver<?> resolver = JAXRSUtils.createContextValue(in, type, ContextResolver.class);
            ThreadLocalContextManager.CONTEXT_RESOLVER.set(resolver);
        } else if (Providers.class.equals(type)) {
            ThreadLocalContextManager.PROVIDERS.set(JAXRSUtils.createContextValue(in, null, Providers.class));
        } else if (ServletRequest.class.equals(type)) {
            ServletRequest request = JAXRSUtils.createContextValue(in, null, ServletRequest.class);
            if (request == null) {
                // Probably the case with CXF: retry with the HTTP-specific type.
                request = JAXRSUtils.createContextValue(in, null, HttpServletRequest.class);
            }
            ThreadLocalContextManager.SERVLET_REQUEST.set(request);
        } else if (HttpServletRequest.class.equals(type)) {
            ThreadLocalContextManager.HTTP_SERVLET_REQUEST.set(JAXRSUtils.createContextValue(in, null, HttpServletRequest.class));
        } else if (HttpServletResponse.class.equals(type)) {
            ThreadLocalContextManager.HTTP_SERVLET_RESPONSE.set(JAXRSUtils.createContextValue(in, null, HttpServletResponse.class));
        } else if (ServletConfig.class.equals(type)) {
            ThreadLocalContextManager.SERVLET_CONFIG.set(JAXRSUtils.createContextValue(in, null, ServletConfig.class));
        } else if (Configuration.class.equals(type)) {
            ThreadLocalContextManager.CONFIGURATION.set(JAXRSUtils.createContextValue(in, null, Configuration.class));
        } else if (ResourceInfo.class.equals(type)) {
            ThreadLocalContextManager.RESOURCE_INFO.set(JAXRSUtils.createContextValue(in, null, ResourceInfo.class));
        } else if (ResourceContext.class.equals(type)) {
            ThreadLocalContextManager.RESOURCE_CONTEXT.set(JAXRSUtils.createContextValue(in, null, ResourceContext.class));
        } else if (Application.class.equals(type)) {
            ThreadLocalContextManager.APPLICATION.set(JAXRSUtils.createContextValue(in, null, Application.class));
        } else {
            // No dedicated slot: ask CXF for a provider; types without one are skipped.
            final ContextProvider<?> custom = ProviderFactory.getInstance(in).createContextProvider(type, in);
            if (custom == null) {
                continue;
            }
            final Object created = custom.createContext(in);
            Map<String, Object> others = ThreadLocalContextManager.OTHERS.get();
            if (others == null) {
                others = new HashMap<>();
                ThreadLocalContextManager.OTHERS.set(others);
            }
            others.put(type.getName(), created);
        }
    }
}
Also used : HttpHeaders(javax.ws.rs.core.HttpHeaders) HttpServletRequest(javax.servlet.http.HttpServletRequest) ServletRequest(javax.servlet.ServletRequest) OperationResourceInfo(org.apache.cxf.jaxrs.model.OperationResourceInfo) ResourceInfo(javax.ws.rs.container.ResourceInfo) ClassResourceInfo(org.apache.cxf.jaxrs.model.ClassResourceInfo) ResourceContext(javax.ws.rs.container.ResourceContext) Configuration(javax.ws.rs.core.Configuration) Message(org.apache.cxf.message.Message) HashMap(java.util.HashMap) HttpServletRequest(javax.servlet.http.HttpServletRequest) ServletRequest(javax.servlet.ServletRequest) Request(javax.ws.rs.core.Request) ServletConfig(javax.servlet.ServletConfig) HttpServletResponse(javax.servlet.http.HttpServletResponse) ContextProvider(org.apache.cxf.jaxrs.ext.ContextProvider) Providers(javax.ws.rs.ext.Providers) HttpServletRequest(javax.servlet.http.HttpServletRequest) SecurityContext(javax.ws.rs.core.SecurityContext) Application(javax.ws.rs.core.Application) HashMap(java.util.HashMap) Map(java.util.Map) UriInfo(javax.ws.rs.core.UriInfo)

Example 9 with ResourceInfo

use of javax.ws.rs.container.ResourceInfo in project graylog2-server by Graylog2.

the class ShiroSecurityBinding method configure.

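/**
 * Registers Shiro filters for one resource method, based on the annotations found on the
 * method and on its resource class.
 *
 * <ul>
 *   <li>{@code @RequiresAuthentication} on the method or class registers a
 *       {@code ShiroAuthenticationFilter}, unless the method carries {@code @RequiresGuest}.</li>
 *   <li>{@code @RequiresPermissions} on the method or class registers a
 *       {@code ShiroAuthorizationFilter} built from that annotation.</li>
 *   <li>A response filter that unbinds the Shiro subject from the thread is always
 *       registered.</li>
 * </ul>
 *
 * @param resourceInfo the resource class and method being configured
 * @param context      the feature context that receives the filters
 */
@Override
public void configure(ResourceInfo resourceInfo, FeatureContext context) {
    final Class<?> resourceClass = resourceInfo.getResourceClass();
    final Method resourceMethod = resourceInfo.getResourceMethod();
    if (resourceMethod.isAnnotationPresent(RequiresAuthentication.class) || resourceClass.isAnnotationPresent(RequiresAuthentication.class)) {
        // A method-level @RequiresGuest opts this method out of the authentication filter even
        // when the class requires authentication. The permission check below is independent.
        if (resourceMethod.isAnnotationPresent(RequiresGuest.class)) {
            // The message has two placeholders; the original call passed no arguments, so the
            // log line never named the resource that was left without the authentication filter.
            LOG.debug("Resource method {}#{} is marked as unauthenticated, skipping setting filter.", resourceClass.getCanonicalName(), resourceMethod.getName());
        } else {
            LOG.debug("Resource method {}#{} requires an authenticated user.", resourceClass.getCanonicalName(), resourceMethod.getName());
            context.register(new ShiroAuthenticationFilter());
        }
    }
    if (resourceMethod.isAnnotationPresent(RequiresPermissions.class) || resourceClass.isAnnotationPresent(RequiresPermissions.class)) {
        // NOTE(review): the class-level annotation wins. When both the class and the method
        // declare @RequiresPermissions, the method's permissions are not enforced by this
        // filter. Confirm that this precedence is intended.
        RequiresPermissions requiresPermissions = resourceClass.getAnnotation(RequiresPermissions.class);
        if (requiresPermissions == null) {
            requiresPermissions = resourceMethod.getAnnotation(RequiresPermissions.class);
        }
        LOG.debug("Resource method {}#{} requires an authorization checks.", resourceClass.getCanonicalName(), resourceMethod.getName());
        context.register(new ShiroAuthorizationFilter(requiresPermissions));
    }
    // TODO this is the wrong approach, we should have an Environment and proper request wrapping
    // Unbind the subject after every response so it does not stay attached to the thread.
    context.register((ContainerResponseFilter) (requestContext, responseContext) -> ThreadContext.unbindSubject());
}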
Also used : DynamicFeature(javax.ws.rs.container.DynamicFeature) RequiresPermissions(org.apache.shiro.authz.annotation.RequiresPermissions) FeatureContext(javax.ws.rs.core.FeatureContext) Logger(org.slf4j.Logger) ResourceInfo(javax.ws.rs.container.ResourceInfo) ThreadContext(org.apache.shiro.util.ThreadContext) LoggerFactory(org.slf4j.LoggerFactory) RequiresGuest(org.apache.shiro.authz.annotation.RequiresGuest) RequiresAuthentication(org.apache.shiro.authz.annotation.RequiresAuthentication) Method(java.lang.reflect.Method) ContainerResponseFilter(javax.ws.rs.container.ContainerResponseFilter) RequiresPermissions(org.apache.shiro.authz.annotation.RequiresPermissions) RequiresAuthentication(org.apache.shiro.authz.annotation.RequiresAuthentication) Method(java.lang.reflect.Method)

Example 10 with ResourceInfo

use of javax.ws.rs.container.ResourceInfo in project candlepin by candlepin.

the class SuperAdminAuthorizationFilter method runFilter.

/**
 * Allows the request only when the caller's principal has full access; otherwise hands the
 * principal and the target resource method to {@code denyAccess}.
 *
 * <p>NOTE(review): {@code SecurityContext#getUserPrincipal()} returns {@code null} for an
 * unauthenticated request. In that case this method throws a {@code NullPointerException}
 * before reaching {@code denyAccess}. Confirm that an earlier filter always sets a principal.
 *
 * @param requestContext the request being authorized
 */
@Override
public void runFilter(ContainerRequestContext requestContext) {
    log.debug("Authorization check for {}", requestContext.getUriInfo().getPath());

    final Principal caller = (Principal) requestContext.getSecurityContext().getUserPrincipal();
    // The matched resource method comes from the RESTEasy context data, not from the request.
    final Method target = ResteasyProviderFactory.getContextData(ResourceInfo.class).getResourceMethod();

    if (caller.hasFullAccess()) {
        return;
    }
    denyAccess(caller, target);
}
Also used : ResourceInfo(javax.ws.rs.container.ResourceInfo) Method(java.lang.reflect.Method) Principal(org.candlepin.auth.Principal)

Aggregations

ResourceInfo (javax.ws.rs.container.ResourceInfo)14 UriInfo (javax.ws.rs.core.UriInfo)8 Method (java.lang.reflect.Method)6 ContainerRequestContext (javax.ws.rs.container.ContainerRequestContext)6 Test (org.junit.Test)6 FF4jAuthorizationFilter (org.ff4j.web.api.security.FF4jAuthorizationFilter)5 FF4jSecurityContext (org.ff4j.web.api.security.FF4jSecurityContext)5 Principal (org.candlepin.auth.Principal)4 SecurityContext (javax.ws.rs.core.SecurityContext)2 Span (brave.Span)1 SpanInScope (brave.Tracer.SpanInScope)1 Logger (ch.qos.logback.classic.Logger)1 LoggerContext (ch.qos.logback.classic.LoggerContext)1 ApiListingResource (io.swagger.jaxrs.listing.ApiListingResource)1 HashMap (java.util.HashMap)1 Map (java.util.Map)1 ServletConfig (javax.servlet.ServletConfig)1 ServletRequest (javax.servlet.ServletRequest)1 HttpServletRequest (javax.servlet.http.HttpServletRequest)1 HttpServletResponse (javax.servlet.http.HttpServletResponse)1