Use of org.xdi.service.security.InterceptSecure in project oxTrust by GluuFederation.
Shown below: the method invoke of the class UmaSecureInterceptor.
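/**
 * Evaluates the {@code Secure} constraints attached to the intercepted method and only lets the
 * call proceed when every constraint expression evaluates to {@code true}.
 *
 * <p>A constraint whose expression evaluates to {@code null} or {@code false} denies the call
 * (fail-closed for declared constraints). A failure inside the intercepted method itself is
 * logged with its cause and reported to the caller as a generic "INTERNAL SERVER ERROR", so no
 * exception detail reaches the client.
 *
 * @param ctx invocation context of the intercepted method
 * @return the intercepted method's result; a server-error {@code Response} when the method
 *     failed and its return type is assignable to {@code Response}; otherwise {@code null}
 *     after a failure
 * @throws SecurityEvaluationException when a constraint evaluates to {@code null} or
 *     {@code false}
 * @throws Exception declared by the interceptor contract; exceptions from the constraint
 *     lookup and evaluation are not caught here
 */
@AroundInvoke
public Object invoke(InvocationContext ctx) throws Exception {
    HttpServletResponse response = null;
    Object[] parameters = ctx.getParameters();
    log.trace("REST method call security check. {}()", ctx.getMethod().getName());

    // Remember a servlet response passed as an argument so a failure can be reported through it.
    // If several are passed, the last one wins.
    for (Object parameter : parameters) {
        if (parameter instanceof HttpServletResponse) {
            response = (HttpServletResponse) parameter;
        }
    }

    // NOTE(review): when no InterceptSecure is resolved for the method, the constraint list is
    // empty and the call proceeds without any check (fail-open). Confirm that every method bound
    // to this interceptor is guaranteed to carry constraints, or deny by default here.
    InterceptSecure is = securityExtension.getInterceptSecure(ctx.getMethod());
    Secure[] constraints = (is == null) ? new Secure[0] : is.value();

    // Variables made available to the constraint expressions.
    Map<String, Object> secureVars = computeParameterValues(ctx);

    for (Secure constraint : constraints) {
        Boolean expressionValue =
                expressionEvaluator.evaluateValueExpression(constraint.value(), Boolean.class, secureVars);
        // A null result is treated as a denial, never as a pass.
        if ((expressionValue == null) || !expressionValue) {
            // NOTE(review): denials are only visible at debug level; consider a level that
            // production logging retains if these events should feed access monitoring.
            log.debug("Method: '{}' constrain '{}' evaluation is null or false!", ctx.getMethod(), constraint);
            throw new SecurityEvaluationException();
        }
    }

    try {
        // The intercepted method call. Only this call is guarded, so a SecurityEvaluationException
        // raised by the constraint loop above is never converted into a 500.
        return ctx.proceed();
    } catch (Exception e) {
        // Keep the cause in the server log; the client only ever sees the generic message.
        log.error("Error calling ctx.proceed in UmaSecureInterceptor", e);

        if (response != null) {
            try {
                response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "INTERNAL SERVER ERROR");
            } catch (Exception ex) {
                // Best effort: the error status could not be written. Record it rather than
                // hiding it, since the caller may then see a misleading status.
                log.warn("Could not send error response in UmaSecureInterceptor", ex);
            }
        } else if (Response.class.isAssignableFrom(ctx.getMethod().getReturnType())) {
            return Response.serverError().entity("INTERNAL SERVER ERROR").build();
        }

        // NOTE(review): callers whose method returns neither Response nor takes an
        // HttpServletResponse receive null instead of the exception - confirm this is intended.
        return null;
    }
}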