use of org.jbei.auth.hmac.HmacSignature in project ice by JBEI.
the class RestResource method getUserId.
/**
* Extract the User ID from a query parameter value or header values in the resource request.
*/
protected String getUserId(String sessionId) {
if (StringUtils.isEmpty(sessionId) && !StringUtils.isEmpty(querySessionId))
sessionId = querySessionId;
String userId = UserSessions.getUserIdBySession(sessionId);
if (!StringUtils.isEmpty(userId))
return userId;
// check api key
if (!StringUtils.isEmpty(apiToken)) {
String clientId = !StringUtils.isEmpty(apiClientId) ? apiClientId : request.getRemoteHost();
try {
TokenVerification tokenVerification = new TokenVerification();
userId = tokenVerification.verifyAPIKey(apiToken, clientId, apiUser);
} catch (PermissionException pe) {
throw new WebApplicationException(Response.Status.UNAUTHORIZED);
}
// being a bit generous in terms of allowing other auth methods to be attempted even though apiToken is set
if (userId != null)
return userId;
}
// check hmac signature
final Object hmac = request.getAttribute(AuthenticationInterceptor.HMAC_SIGNATURE);
final Object valid = request.getAttribute(AuthenticationInterceptor.EXPECTED_SIGNATURE);
if (hmac != null && hmac instanceof HmacSignature) {
final HmacSignature generated = (HmacSignature) hmac;
if (generated.generateSignature().equals(valid)) {
// TODO validation of meaningful userId
// e.g. "admin" account on EDD won't mean anything to ICE
userId = generated.getUserId();
}
}
return userId;
}
Aggregations