Use of org.entando.entando.web.common.interceptor.EntandoBearerTokenExtractor in project entando-core by entando.
The class ApiRestServer, method extractOAuthParameters.
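/**
 * Resolves the caller of an API request from its OAuth2 bearer token and enforces the
 * method's authentication/authorization requirements.
 *
 * <p>The bearer token is read from the request, looked up via the token manager, checked for
 * value match and expiry, and mapped to a local user. The resolved user (with its authorizations)
 * is stored in {@code properties} under {@link SystemConstants#API_USER_PARAMETER}; the request
 * itself is stored under {@link SystemConstants#API_REQUEST_PARAMETER}. If no user is already on
 * the HTTP session (or only the guest user is), the token-authenticated user is also placed on the
 * session.
 *
 * @param request    the incoming HTTP request carrying the bearer token
 * @param apiMethod  the API method being invoked; supplies the required permission and auth flag
 * @param properties the API call context, mutated to hold the request and the resolved user
 * @throws ApiException with {@code API_AUTHENTICATION_REQUIRED} when the token does not match,
 *                      is expired, or authentication is required and no user could be resolved;
 *                      with {@code API_AUTHORIZATION_REQUIRED} when the user lacks the required
 *                      permission; with {@code SERVER_ERROR} when a system exception occurs
 */
protected void extractOAuthParameters(HttpServletRequest request, ApiMethod apiMethod, Properties properties) throws ApiException {
    IUserManager userManager = (IUserManager) ApsWebApplicationUtils.getBean(SystemConstants.USER_MANAGER, request);
    IAuthorizationManager authManager = (IAuthorizationManager) ApsWebApplicationUtils.getBean(SystemConstants.AUTHORIZATION_SERVICE, request);
    try {
        properties.put(SystemConstants.API_REQUEST_PARAMETER, request);
        UserDetails user = null;
        String permission = apiMethod.getRequiredPermission();
        _logger.debug("Permission required: {}", permission);
        String accessToken = new EntandoBearerTokenExtractor().extractToken(request);
        IApiOAuth2TokenManager tokenManager = (IApiOAuth2TokenManager) ApsWebApplicationUtils.getBean(SystemConstants.OAUTH_TOKEN_MANAGER, request);
        final OAuth2AccessTokenImpl token = (OAuth2AccessTokenImpl) tokenManager.readAccessToken(accessToken);
        if (token != null) {
            // Defensive check that the stored token really is the one presented. Compared in
            // constant time and null-safe: a missing value on either side is treated as a mismatch
            // rather than an NPE.
            if (!tokenValueMatches(token.getValue(), accessToken)) {
                throw new ApiException(IApiErrorCodes.API_AUTHENTICATION_REQUIRED, "Token does not match", Response.Status.UNAUTHORIZED);
            }
            if (token.isExpired()) {
                throw new ApiException(IApiErrorCodes.API_AUTHENTICATION_REQUIRED, "Token expired", Response.Status.UNAUTHORIZED);
            }
            String username = token.getLocalUser();
            user = userManager.getUser(username);
            if (user != null) {
                user.addAuthorizations(authManager.getUserAuthorizations(username));
                properties.put(SystemConstants.API_USER_PARAMETER, user);
                _logger.info("User {} requesting resource that requires {} permission ", username, permission);
                // Only bind the token user to the session when nobody (or just the guest) is logged in,
                // so an existing interactive login is never overwritten by an API call.
                UserDetails userOnSession = (UserDetails) request.getSession().getAttribute(SystemConstants.SESSIONPARAM_CURRENT_USER);
                if (null == userOnSession || userOnSession.getUsername().equals(SystemConstants.GUEST_USER_NAME)) {
                    user.setAccessToken(accessToken);
                    request.getSession().setAttribute(SystemConstants.SESSIONPARAM_CURRENT_USER, user);
                }
            }
        } else if (accessToken != null) {
            // A bearer token was presented but is unknown to the token manager (revoked, bogus, or
            // issued elsewhere). The caller falls through to the anonymous path below.
            _logger.warn("Token not found from access token");
        }
        if (null != user) {
            String username = user.getUsername();
            if (permission != null && !authManager.isAuthOnPermission(user, permission)) {
                // Log what the user does hold to make authorization failures diagnosable.
                List<Role> roles = authManager.getUserRoles(user);
                for (Role role : roles) {
                    _logger.debug("User {} requesting resource has {} permission ", username, (null != role.getPermissions()) ? role.getPermissions().toString() : "");
                }
                throw new ApiException(IApiErrorCodes.API_AUTHORIZATION_REQUIRED, "Authorization Required", Response.Status.UNAUTHORIZED);
            }
        } else if (apiMethod.getRequiredAuth()) {
            throw new ApiException(IApiErrorCodes.API_AUTHENTICATION_REQUIRED, "Authentication Required", Response.Status.UNAUTHORIZED);
        }
    } catch (ApsSystemException ex) {
        // Pass the throwable as the trailing argument without a {} placeholder: with a placeholder,
        // SLF4J-style loggers format it as a parameter (toString only) and the stack trace is lost.
        _logger.error("System exception", ex);
        // NOTE(review): ex.getMessage() is returned to the client in the error body; if it can carry
        // internal details, a generic message would be preferable — confirm against the API contract.
        throw new ApiException(IApiErrorCodes.SERVER_ERROR, ex.getMessage(), Response.Status.INTERNAL_SERVER_ERROR);
    }
}

/**
 * Compares a stored token value with the one presented by the client.
 *
 * @param stored    the token value held by the token manager (may be {@code null})
 * @param presented the bearer token taken from the request (may be {@code null})
 * @return {@code true} only when both are non-null and byte-for-byte equal; the comparison runs in
 *         constant time so it does not leak how many leading characters matched
 */
private static boolean tokenValueMatches(String stored, String presented) {
    if (stored == null || presented == null) {
        return false;
    }
    return java.security.MessageDigest.isEqual(
            stored.getBytes(java.nio.charset.StandardCharsets.UTF_8),
            presented.getBytes(java.nio.charset.StandardCharsets.UTF_8));
}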