Use of org.jboss.resteasy.spi.HttpRequest in project candlepin by candlepin.
Class AuthenticationFilter, method filter.
/**
 * Establishes the principal for the current request before the resource method runs.
 *
 * Resolution order, as implemented below:
 * 1. a {@code @SecurityHole(anon = true)} method gets a {@link NoAuthPrincipal} without
 *    consulting any provider;
 * 2. any method whose resource class is {@code ApiListingResource} (the swagger listing)
 *    likewise gets a {@link NoAuthPrincipal} — the exemption is by class identity, so it
 *    covers every method on that class, not just annotated ones;
 * 3. otherwise each configured {@link AuthProvider} is asked in order and the first
 *    non-null principal wins;
 * 4. if no provider produced a principal, a {@code @SecurityHole(noAuth = true)} method
 *    still proceeds with a {@link NoAuthPrincipal}; anything else is rejected.
 *
 * The resolved principal is installed as the request's {@link SecurityContext} and also
 * pushed into the RESTEasy context so {@code PrincipalProvider} can read it directly.
 *
 * @param requestContext the JAX-RS request being filtered
 * @throws BadRequestException   when no credentials were accepted, plaintext auth is
 *                               disabled ({@code AUTH_OVER_HTTP} false) and the
 *                               transport is not secure
 * @throws NotAuthorizedException when no credentials were accepted on an otherwise
 *                               acceptable transport
 * @throws IOException           declared by the {@code ContainerRequestFilter} contract
 */
@Override
public void filter(ContainerRequestContext requestContext) throws IOException {
    log.debug("Authentication check for {}", requestContext.getUriInfo().getPath());

    HttpRequest httpRequest = ResteasyProviderFactory.getContextData(HttpRequest.class);
    ResourceInfo resourceInfo = ResteasyProviderFactory.getContextData(ResourceInfo.class);
    // NOTE(review): both context lookups and getResourceMethod() are dereferenced without a
    // null check; if RESTEasy ever runs this filter for an unmatched path this NPEs — confirm.
    Method resourceMethod = resourceInfo.getResourceMethod();
    SecurityHole hole = resourceMethod.getAnnotation(SecurityHole.class);

    Principal principal;
    if (hole != null && hole.anon()) {
        // Fully anonymous endpoint: credentials, if any, are never examined.
        principal = new NoAuthPrincipal();
    }
    else if (resourceInfo.getResourceClass().equals(ApiListingResource.class)) {
        log.debug("Swagger API request made; no principal required.");
        principal = new NoAuthPrincipal();
    }
    else {
        principal = firstProviderPrincipal(httpRequest);
    }

    if (principal == null) {
        // Every provider declined. Decide between a noAuth fallback and a rejection.
        if (hole != null && hole.noAuth()) {
            // A noAuth hole is honoured before the transport check below, so such
            // endpoints are reachable over plain HTTP regardless of AUTH_OVER_HTTP.
            log.debug("No auth allowed for resource; setting NoAuth principal");
            principal = new NoAuthPrincipal();
        }
        else {
            // NOTE(review): this transport check is only reached after the providers have
            // already consumed the credentials. Whether a provider itself refuses plaintext
            // credentials is not visible from this method — confirm, otherwise credentials
            // that validate over plain HTTP are accepted even with AUTH_OVER_HTTP disabled.
            // `request` is a field of this class (not the local httpRequest above); it is
            // assumed to expose the servlet-level isSecure() — verify against the class.
            boolean plaintextForbidden = !config.getBoolean(ConfigProperties.AUTH_OVER_HTTP);
            if (plaintextForbidden && !request.isSecure()) {
                throw new BadRequestException("Please use SSL when accessing protected resources");
            }
            throw new NotAuthorizedException("Invalid credentials.");
        }
    }

    SecurityContext securityContext = new CandlepinSecurityContext(principal);
    requestContext.setSecurityContext(securityContext);
    // Make the principal available to PrincipalProvider without going through the SecurityContext.
    ResteasyProviderFactory.pushContext(Principal.class, principal);
}

/**
 * Asks each configured {@link AuthProvider}, in registration order, for a principal.
 *
 * @param httpRequest the RESTEasy request handed to every provider
 * @return the first non-null principal a provider returns, or {@code null} if all decline
 */
private Principal firstProviderPrincipal(HttpRequest httpRequest) {
    for (AuthProvider provider : providers) {
        Principal candidate = provider.getPrincipal(httpRequest);
        if (candidate != null) {
            log.debug("Establishing principal with {}", provider.getClass().getName());
            return candidate;
        }
    }
    return null;
}
Use of org.jboss.resteasy.spi.HttpRequest in project candlepin by candlepin.
Class VerifyAuthorizationFilter, method runFilter.
/**
 * Authorizes the already-authenticated principal against the {@code @Verify}-annotated
 * parameters of the matched resource method.
 *
 * The principal is read back from the request's {@link SecurityContext}; this filter
 * therefore assumes an authentication filter has already run for this request.
 * NOTE(review): if no principal was installed, {@code getUserPrincipal()} yields
 * {@code null} and that null reaches {@code hasAccess} unchecked — confirm that
 * {@code hasAccess} denies in that case.
 *
 * Authorization is fail-closed on the argument side: a method for which no
 * {@code @Verify} arguments can be resolved is rejected with an {@link IseException}
 * rather than allowed through. The final decision is delegated to {@code hasAccess};
 * on refusal {@code denyAccess} is expected to abort the request by throwing — if it
 * ever returns normally this method returns normally too and the request proceeds.
 *
 * @param requestContext the JAX-RS request being filtered
 * @throws IseException when the method's {@code @Verify} parameters cannot be resolved
 */
@Override
public void runFilter(ContainerRequestContext requestContext) {
    HttpRequest httpRequest = ResteasyProviderFactory.getContextData(HttpRequest.class);
    Principal principal = (Principal) requestContext.getSecurityContext().getUserPrincipal();
    ResourceInfo resourceInfo = ResteasyProviderFactory.getContextData(ResourceInfo.class);
    Method target = resourceInfo.getResourceMethod();

    if (log.isDebugEnabled()) {
        log.debug("Authorization check for {} mapping to {}.{}",
            requestContext.getUriInfo().getPath(),
            target.getDeclaringClass().getName(),
            target.getName());
    }

    Map<Verify, Object> verifyArgs = getArguments(httpRequest, target);
    if (verifyArgs.isEmpty()) {
        // No @Verify parameters could be matched for this method. That is either a
        // RESTEasy lookup failure or a super-admin-only method that should have been
        // routed through SuperAdminAuthorizationFilter by the AuthorizationFeature
        // instead; either way, refuse rather than guess.
        throw new IseException("Could not get parameters for " + target);
    }

    Access fallbackAccess = getDefaultAccess(target);
    if (hasAccess(verifyArgs, principal, fallbackAccess)) {
        return;
    }
    denyAccess(principal, target);
}