Example 1 with HmacSignature

Use of org.jbei.auth.hmac.HmacSignature in project ice by JBEI.

From the class RestResource, method getUserId.

/**
 * Extract the User ID from a query parameter value or header values in the resource request.
 */
protected String getUserId(String sessionId) {
    if (StringUtils.isEmpty(sessionId) && !StringUtils.isEmpty(querySessionId))
        sessionId = querySessionId;
    String userId = UserSessions.getUserIdBySession(sessionId);
    if (!StringUtils.isEmpty(userId))
        return userId;
    // check api key
    if (!StringUtils.isEmpty(apiToken)) {
        String clientId = !StringUtils.isEmpty(apiClientId) ? apiClientId : request.getRemoteHost();
        try {
            TokenVerification tokenVerification = new TokenVerification();
            userId = tokenVerification.verifyAPIKey(apiToken, clientId, apiUser);
        } catch (PermissionException pe) {
            throw new WebApplicationException(Response.Status.UNAUTHORIZED);
        }
        // being a bit generous in terms of allowing other auth methods to be attempted even though apiToken is set
        if (userId != null)
            return userId;
    }
    // check hmac signature
    final Object hmac = request.getAttribute(AuthenticationInterceptor.HMAC_SIGNATURE);
    final Object valid = request.getAttribute(AuthenticationInterceptor.EXPECTED_SIGNATURE);
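    // instanceof is already false for null, so no separate null check is needed
    if (hmac instanceof HmacSignature) {
        final HmacSignature generated = (HmacSignature) hmac;
        // NOTE: equals() is not a constant-time comparison and can stop at the first
        // difference; comparing the signature bytes with MessageDigest.isEqual avoids
        // leaking timing information about the signature.
        if (generated.generateSignature().equals(valid)) {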
            // TODO validation of meaningful userId
            // e.g. "admin" account on EDD won't mean anything to ICE
            userId = generated.getUserId();
        }
    }
    return userId;
}
Also used: PermissionException (org.jbei.ice.lib.access.PermissionException), WebApplicationException (javax.ws.rs.WebApplicationException), HmacSignature (org.jbei.auth.hmac.HmacSignature), TokenVerification (org.jbei.ice.lib.access.TokenVerification)

Aggregations

WebApplicationException (javax.ws.rs.WebApplicationException): 1
HmacSignature (org.jbei.auth.hmac.HmacSignature): 1
PermissionException (org.jbei.ice.lib.access.PermissionException): 1
TokenVerification (org.jbei.ice.lib.access.TokenVerification): 1