Skip to content
Permalink
Browse files
Adding parameter references in authorization resource
In certain cases the resource must be dynamically set by parameter values.
This patch allows to add a reference into the resource field of the redback
annotation '{parameterName}' that fills the resource of the permission dynamically
with the parameter value, if found.
  • Loading branch information
effrafax committed Sep 9, 2016
1 parent c02519d commit 796af57be2dda6f5b4c5b27f57157ecc0a33aff1
Showing 1 changed file with 57 additions and 2 deletions.
@@ -30,6 +30,8 @@
import org.apache.archiva.redback.system.SecuritySession;
import org.apache.archiva.redback.system.SecuritySystem;
import org.apache.commons.lang.StringUtils;
import org.apache.cxf.jaxrs.model.OperationResourceInfo;
import org.apache.cxf.jaxrs.model.Parameter;
import org.apache.cxf.jaxrs.utils.JAXRSUtils;
import org.apache.cxf.message.Message;
import org.slf4j.Logger;
@@ -39,10 +41,17 @@
import javax.inject.Inject;
import javax.inject.Named;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.PathParam;
import javax.ws.rs.QueryParam;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriInfo;
import javax.ws.rs.ext.Provider;
import java.lang.annotation.Annotation;
import java.lang.reflect.Method;
import java.util.List;

/**
* @author Olivier Lamy
@@ -132,10 +141,16 @@ public void filter( ContainerRequestContext containerRequestContext )
}
try
{
String resource = redbackAuthorization.resource();
if (resource.startsWith("{") && resource.endsWith("}") && resource.length()>2) {
resource = getMethodParameter(containerRequestContext, message, resource.substring(1,resource.length()-1));
log.debug("Found resource from annotated parameter: {}",resource);
}

AuthorizationResult authorizationResult =
securitySystem.authorize( authenticationResult.getUser(), permission, //
StringUtils.isBlank( redbackAuthorization.resource() ) //
? null : redbackAuthorization.resource() );
StringUtils.isBlank( resource ) //
? null : resource );
if ( authenticationResult != null && authorizationResult.isAuthorized() )
{
log.debug( "isAuthorized for permission {}", permission );
@@ -188,4 +203,44 @@ public void filter( ContainerRequestContext containerRequestContext )
containerRequestContext.abortWith( Response.status( Response.Status.FORBIDDEN ).build() );

}

/*
* Extracts a request parameter value from the message. Currently checks only path and query parameter.
*/
private String getMethodParameter(final ContainerRequestContext requestContext, final Message message, final String parameterName) {
OperationResourceInfo operationResourceInfo = message.getExchange().get( OperationResourceInfo.class );
if ( operationResourceInfo == null )
{
return "";
}
Annotation[][] annotations = operationResourceInfo.getInParameterAnnotations();

for(int i = 0; i< annotations.length; i++) {
for (int k = 0; k < annotations[i].length; k++) {
if (annotations[i][k] instanceof PathParam && parameterName.equals(((PathParam) annotations[i][k]).value())) {
log.debug("Found PathParam annotation");
UriInfo uriInfo = requestContext.getUriInfo();
MultivaluedMap<String, String> pathParameters = uriInfo.getPathParameters();
if (pathParameters.containsKey(parameterName)) {
return pathParameters.getFirst(parameterName);
} else {
break;
}
} else if (annotations[i][k] instanceof QueryParam && parameterName.equals(((QueryParam) annotations[i][k]).value())) {
log.debug("Found QueryParam annotation");
UriInfo uriInfo = requestContext.getUriInfo();
MultivaluedMap<String, String> pathParameters = uriInfo.getQueryParameters();
if (pathParameters.containsKey(parameterName)) {
return pathParameters.getFirst(parameterName);
} else {
break;
}
}
}
}
log.warn("No matching request parameter value found: {}", parameterName);
return "";
}


}

0 comments on commit 796af57

Please sign in to comment.