# HG changeset patch # User Raimund Renkert # Date 1427129537 -3600 # Node ID a04658486edec8a90dab18c1e9252e3a08700bf1 # Parent bb76a5d7a98db1f2b238c6d74f3f8050eb00859a Use authentication info for authorization of requested objects. diff -r bb76a5d7a98d -r a04658486ede src/main/java/de/intevation/lada/query/QueryTools.java --- a/src/main/java/de/intevation/lada/query/QueryTools.java Mon Mar 23 17:50:51 2015 +0100 +++ b/src/main/java/de/intevation/lada/query/QueryTools.java Mon Mar 23 17:52:17 2015 +0100 @@ -24,6 +24,9 @@ import javax.persistence.Query; import javax.ws.rs.core.MultivaluedMap; +import de.intevation.lada.util.auth.Authorization; +import de.intevation.lada.util.auth.UserInfo; + /** * Utility class to handle the SQL query configuration. @@ -159,13 +162,19 @@ public static List> prepareResult( List result, - List names + List names, + Authorization authorization, + UserInfo userInfo ) { List> ret = new ArrayList>(); for (Object[] row: result) { Map set = new HashMap(); for (int i = 0; i < row.length; i++) { set.put(names.get(i), row[i]); + if (names.get(i).toString().equals("id")) { + boolean readOnly = authorization.isReadOnly((Integer)row[i]); + set.put("readonly", readOnly); + } } ret.add(set); } diff -r bb76a5d7a98d -r a04658486ede src/main/java/de/intevation/lada/rest/KommentarMService.java --- a/src/main/java/de/intevation/lada/rest/KommentarMService.java Mon Mar 23 17:50:51 2015 +0100 +++ b/src/main/java/de/intevation/lada/rest/KommentarMService.java Mon Mar 23 17:52:17 2015 +0100 @@ -9,6 +9,7 @@ import javax.enterprise.context.RequestScoped; import javax.inject.Inject; +import javax.servlet.http.HttpServletRequest; import javax.ws.rs.DELETE; import javax.ws.rs.GET; import javax.ws.rs.POST; 
@@ -22,42 +23,29 @@ import javax.ws.rs.core.MultivaluedMap; import javax.ws.rs.core.UriInfo; -import org.apache.log4j.Logger; - import de.intevation.lada.model.land.LKommentarM; -import de.intevation.lada.util.annotation.AuthenticationConfig; import de.intevation.lada.util.annotation.AuthorizationConfig; import de.intevation.lada.util.annotation.RepositoryConfig; -import de.intevation.lada.util.auth.Authentication; -import de.intevation.lada.util.auth.AuthenticationType; import de.intevation.lada.util.auth.Authorization; import de.intevation.lada.util.auth.AuthorizationType; import de.intevation.lada.util.data.QueryBuilder; import de.intevation.lada.util.data.Repository; import de.intevation.lada.util.data.RepositoryType; +import de.intevation.lada.util.rest.RequestMethod; import de.intevation.lada.util.rest.Response; @Path("mkommentar") @RequestScoped public class KommentarMService { - /* The logger used in this class.*/ - @Inject - private Logger logger; - /* The data repository granting read/write access.*/ @Inject @RepositoryConfig(type=RepositoryType.RW) private Repository defaultRepo; - /* The authentication module.*/ - @Inject - @AuthenticationConfig(type=AuthenticationType.NONE) - private Authentication authentication; - /* The authorization module.*/ @Inject - @AuthorizationConfig(type=AuthorizationType.NONE) + @AuthorizationConfig(type=AuthorizationType.OPEN_ID) private Authorization authorization; /** @@ -70,12 +58,9 @@ @Produces(MediaType.APPLICATION_JSON) public Response get( @Context HttpHeaders headers, - @Context UriInfo info + @Context UriInfo info, + @Context HttpServletRequest request ) { - if (!authentication.isAuthenticated(headers)) { - logger.debug("User is not authenticated!"); - return new Response(false, 699, null); - } MultivaluedMap params = info.getQueryParameters(); if (params.isEmpty() || !params.containsKey("messungsId")) { return defaultRepo.getAll(LKommentarM.class, "land"); 
@@ -86,7 +71,10 @@ defaultRepo.entityManager("land"), LKommentarM.class); builder.and("messungsId", messungId); - return defaultRepo.filter(builder.getQuery(), "land"); + return authorization.filter( + request, + defaultRepo.filter(builder.getQuery(), "land"), + LKommentarM.class); } /** @@ -99,16 +87,16 @@ @Produces(MediaType.APPLICATION_JSON) public Response getById( @Context HttpHeaders headers, + @Context HttpServletRequest request, @PathParam("id") String id ) { - if (!authentication.isAuthenticated(headers)) { - logger.debug("User is not authenticated!"); - return new Response(false, 699, null); - } - return defaultRepo.getById( - LKommentarM.class, - Integer.valueOf(id), - "land"); + return authorization.filter( + request, + defaultRepo.getById( + LKommentarM.class, + Integer.valueOf(id), + "land"), + LKommentarM.class); } @POST @@ -116,9 +104,15 @@ @Produces(MediaType.APPLICATION_JSON) public Response create( @Context HttpHeaders headers, + @Context HttpServletRequest request, LKommentarM kommentar ) { - if (!authentication.isAuthenticated(headers)) { + if (!authorization.isAuthorized( + request, + kommentar, + RequestMethod.POST, + LKommentarM.class) + ) { return new Response(false, 699, null); } /* Persist the new object*/ @@ -135,10 +129,15 @@ @Produces(MediaType.APPLICATION_JSON) public Response update( @Context HttpHeaders headers, + @Context HttpServletRequest request, LKommentarM kommentar ) { - if (!authentication.isAuthenticated(headers)) { - logger.debug("User is not authenticated!"); + if (!authorization.isAuthorized( + request, + kommentar, + RequestMethod.PUT, + LKommentarM.class) + ) { return new Response(false, 699, null); } return defaultRepo.update(kommentar, "land"); 
@@ -154,16 +153,21 @@ @Produces(MediaType.APPLICATION_JSON) public Response delete( @Context HttpHeaders headers, + @Context HttpServletRequest request, @PathParam("id") String id ) { - if (!authentication.isAuthenticated(headers)) { - logger.debug("User is not authenticated!"); - return new Response(false, 699, null); - } /* Get the object by id*/ Response kommentar = defaultRepo.getById(LKommentarM.class, Integer.valueOf(id), "land"); LKommentarM kommentarObj = (LKommentarM)kommentar.getData(); + if (!authorization.isAuthorized( + request, + kommentarObj, + RequestMethod.DELETE, + LKommentarM.class) + ) { + return new Response(false, 699, null); + } return defaultRepo.delete(kommentarObj, "land"); } } diff -r bb76a5d7a98d -r a04658486ede src/main/java/de/intevation/lada/rest/KommentarPService.java --- a/src/main/java/de/intevation/lada/rest/KommentarPService.java Mon Mar 23 17:50:51 2015 +0100 +++ b/src/main/java/de/intevation/lada/rest/KommentarPService.java Mon Mar 23 17:52:17 2015 +0100 @@ -9,6 +9,7 @@ import javax.enterprise.context.RequestScoped; import javax.inject.Inject; +import javax.servlet.http.HttpServletRequest; import javax.ws.rs.DELETE; import javax.ws.rs.GET; import javax.ws.rs.POST; @@ -25,16 +26,14 @@ import org.apache.log4j.Logger; import de.intevation.lada.model.land.LKommentarP; -import de.intevation.lada.util.annotation.AuthenticationConfig; import de.intevation.lada.util.annotation.AuthorizationConfig; import de.intevation.lada.util.annotation.RepositoryConfig; -import de.intevation.lada.util.auth.Authentication; -import de.intevation.lada.util.auth.AuthenticationType; import de.intevation.lada.util.auth.Authorization; import de.intevation.lada.util.auth.AuthorizationType; import de.intevation.lada.util.data.QueryBuilder; import de.intevation.lada.util.data.Repository; import de.intevation.lada.util.data.RepositoryType; +import de.intevation.lada.util.rest.RequestMethod; import de.intevation.lada.util.rest.Response; @Path("pkommentar") 
@@ -50,14 +49,9 @@ @RepositoryConfig(type=RepositoryType.RW) private Repository defaultRepo; - /* The authentication module.*/ - @Inject - @AuthenticationConfig(type=AuthenticationType.NONE) - private Authentication authentication; - /* The authorization module.*/ @Inject - @AuthorizationConfig(type=AuthorizationType.NONE) + @AuthorizationConfig(type=AuthorizationType.OPEN_ID) private Authorization authorization; /** @@ -70,12 +64,9 @@ @Produces(MediaType.APPLICATION_JSON) public Response get( @Context HttpHeaders headers, - @Context UriInfo info + @Context UriInfo info, + @Context HttpServletRequest request ) { - if (!authentication.isAuthenticated(headers)) { - logger.debug("User is not authenticated!"); - return new Response(false, 699, null); - } MultivaluedMap params = info.getQueryParameters(); if (params.isEmpty() || !params.containsKey("probeId")) { return defaultRepo.getAll(LKommentarP.class, "land"); @@ -86,7 +77,10 @@ defaultRepo.entityManager("land"), LKommentarP.class); builder.and("probeId", probeId); - return defaultRepo.filter(builder.getQuery(), "land"); + return authorization.filter( + request, + defaultRepo.filter(builder.getQuery(), "land"), + LKommentarP.class); } /** @@ -99,16 +93,13 @@ @Produces(MediaType.APPLICATION_JSON) public Response getById( @Context HttpHeaders headers, + @Context HttpServletRequest request, @PathParam("id") String id ) { - if (!authentication.isAuthenticated(headers)) { - logger.debug("User is not authenticated!"); - return new Response(false, 699, null); - } - return defaultRepo.getById( - LKommentarP.class, - Integer.valueOf(id), - "land"); + return authorization.filter( + request, + defaultRepo.getById(LKommentarP.class,Integer.valueOf(id), "land"), + LKommentarP.class); } @POST 
@@ -116,9 +107,15 @@ @Produces(MediaType.APPLICATION_JSON) public Response create( @Context HttpHeaders headers, + @Context HttpServletRequest request, LKommentarP kommentar ) { - if (!authentication.isAuthenticated(headers)) { + if (!authorization.isAuthorized( + request, + kommentar, + RequestMethod.POST, + LKommentarP.class) + ) { return new Response(false, 699, null); } /* Persist the new object*/ @@ -133,9 +130,18 @@ @PUT @Path("/{id}") @Produces(MediaType.APPLICATION_JSON) - public Response update(@Context HttpHeaders headers, LKommentarP kommentar) { - if (!authentication.isAuthenticated(headers)) { - logger.debug("User is not authenticated!"); + public Response update( + @Context HttpHeaders headers, + @Context HttpServletRequest request, + LKommentarP kommentar + ) { + if (!authorization.isAuthorized( + request, + kommentar, + RequestMethod.PUT, + LKommentarP.class) + ) { + logger.debug("User is not authorized!"); return new Response(false, 699, null); } return defaultRepo.update(kommentar, "land"); @@ -151,16 +157,22 @@ @Produces(MediaType.APPLICATION_JSON) public Response delete( @Context HttpHeaders headers, + @Context HttpServletRequest request, @PathParam("id") String id ) { - if (!authentication.isAuthenticated(headers)) { - logger.debug("User is not authenticated!"); - return new Response(false, 699, null); - } /* Get the object by id*/ Response kommentar = defaultRepo.getById(LKommentarP.class, Integer.valueOf(id), "land"); LKommentarP kommentarObj = (LKommentarP)kommentar.getData(); + if (!authorization.isAuthorized( + request, + kommentarObj, + RequestMethod.DELETE, + LKommentarP.class) + ) { + logger.debug("User is not authorized!"); + return new Response(false, 699, null); + } return defaultRepo.delete(kommentarObj, "land"); } } diff -r bb76a5d7a98d -r a04658486ede src/main/java/de/intevation/lada/rest/LoginService.java --- a/src/main/java/de/intevation/lada/rest/LoginService.java Mon Mar 23 17:50:51 2015 +0100 
+++ b/src/main/java/de/intevation/lada/rest/LoginService.java Mon Mar 23 17:52:17 2015 +0100 @@ -5,20 +5,23 @@ * and comes with ABSOLUTELY NO WARRANTY! Check out * the documentation coming with IMIS-Labordaten-Application for details. */ +package de.intevation.lada.rest; + +import java.util.Date; +import java.util.HashMap; +import java.util.Map; import javax.enterprise.context.RequestScoped; - +import javax.servlet.http.HttpServletRequest; +import javax.ws.rs.GET; import javax.ws.rs.Path; -import javax.ws.rs.GET; -import javax.inject.Inject; +import javax.ws.rs.Produces; import javax.ws.rs.core.Context; import javax.ws.rs.core.HttpHeaders; import javax.ws.rs.core.UriInfo; -import javax.ws.rs.Produces; - -import org.apache.log4j.Logger; import de.intevation.lada.util.rest.Response; + /** * This class serves as a login check service */ @@ -26,24 +29,24 @@ @RequestScoped public class LoginService { - /* The logger used in this class.*/ - @Inject - private Logger logger; - /** * Get all probe objects. * * @return Response object containing all probe objects. */ - @SuppressWarnings("unchecked") @GET @Path("/") @Produces("application/json") public Response get( @Context HttpHeaders headers, - @Context UriInfo info + @Context UriInfo info, + @Context HttpServletRequest request ) { + Map response = new HashMap(); + response.put("username", request.getAttribute("lada.user.name")); + response.put("roles", request.getAttribute("lada.user.roles")); + response.put("servertime", new Date().getTime()); /* This should probably contain the users name and roles. */ - return new Response(true, 200, "Success"); + return new Response(true, 200, response); } } diff -r bb76a5d7a98d -r a04658486ede src/main/java/de/intevation/lada/rest/MessungService.java --- a/src/main/java/de/intevation/lada/rest/MessungService.java Mon Mar 23 17:50:51 2015 +0100 +++ b/src/main/java/de/intevation/lada/rest/MessungService.java Mon Mar 23 17:52:17 2015 +0100 
@@ -11,6 +11,7 @@ import javax.enterprise.context.RequestScoped; import javax.inject.Inject; +import javax.servlet.http.HttpServletRequest; import javax.ws.rs.DELETE; import javax.ws.rs.GET; import javax.ws.rs.POST; @@ -24,43 +25,30 @@ import javax.ws.rs.core.MultivaluedMap; import javax.ws.rs.core.UriInfo; -import org.apache.log4j.Logger; - import de.intevation.lada.model.land.LMessung; import de.intevation.lada.model.land.MessungTranslation; -import de.intevation.lada.util.annotation.AuthenticationConfig; import de.intevation.lada.util.annotation.AuthorizationConfig; import de.intevation.lada.util.annotation.RepositoryConfig; -import de.intevation.lada.util.auth.Authentication; -import de.intevation.lada.util.auth.AuthenticationType; import de.intevation.lada.util.auth.Authorization; import de.intevation.lada.util.auth.AuthorizationType; import de.intevation.lada.util.data.QueryBuilder; import de.intevation.lada.util.data.Repository; import de.intevation.lada.util.data.RepositoryType; +import de.intevation.lada.util.rest.RequestMethod; import de.intevation.lada.util.rest.Response; @Path("messung") @RequestScoped public class MessungService { - /* The logger used in this class.*/ - @Inject - private Logger logger; - /* The data repository granting read/write access.*/ @Inject @RepositoryConfig(type=RepositoryType.RW) private Repository defaultRepo; - /* The authentication module.*/ - @Inject - @AuthenticationConfig(type=AuthenticationType.NONE) - private Authentication authentication; - /* The authorization module.*/ @Inject - @AuthorizationConfig(type=AuthorizationType.NONE) + @AuthorizationConfig(type=AuthorizationType.OPEN_ID) private Authorization authorization; /** 
@@ -73,12 +61,9 @@ @Produces(MediaType.APPLICATION_JSON) public Response get( @Context HttpHeaders headers, - @Context UriInfo info + @Context UriInfo info, + @Context HttpServletRequest request ) { - if (!authentication.isAuthenticated(headers)) { - logger.debug("User is not authenticated!"); - return new Response(false, 699, null); - } MultivaluedMap params = info.getQueryParameters(); if (params.isEmpty() || !params.containsKey("probeId")) { return defaultRepo.getAll(LMessung.class, "land"); @@ -89,7 +74,10 @@ defaultRepo.entityManager("land"), LMessung.class); builder.and("probeId", probeId); - return defaultRepo.filter(builder.getQuery(), "land"); + return authorization.filter( + request, + defaultRepo.filter(builder.getQuery(), "land"), + LMessung.class); } /** @@ -102,13 +90,13 @@ @Produces(MediaType.APPLICATION_JSON) public Response getById( @Context HttpHeaders headers, + @Context HttpServletRequest request, @PathParam("id") String id ) { - if (!authentication.isAuthenticated(headers)) { - logger.debug("User is not authenticated!"); - return new Response(false, 699, null); - } - return defaultRepo.getById(LMessung.class, Integer.valueOf(id), "land"); + return authorization.filter( + request, + defaultRepo.getById(LMessung.class, Integer.valueOf(id), "land"), + LMessung.class); } @POST @@ -116,11 +104,18 @@ @Produces(MediaType.APPLICATION_JSON) public Response create( @Context HttpHeaders headers, + @Context HttpServletRequest request, LMessung messung ) { - if (!authentication.isAuthenticated(headers)) { + if (!authorization.isAuthorized( + request, + messung, + RequestMethod.POST, + LMessung.class) + ) { return new Response(false, 699, null); } + /* Persist the new messung object*/ Response response = defaultRepo.create(messung, "land"); LMessung ret = (LMessung)response.getData(); 
@@ -142,9 +137,17 @@ @PUT @Path("/{id}") @Produces(MediaType.APPLICATION_JSON) - public Response update(@Context HttpHeaders headers, LMessung messung) { - if (!authentication.isAuthenticated(headers)) { - logger.debug("User is not authenticated!"); + public Response update( + @Context HttpHeaders headers, + @Context HttpServletRequest request, + LMessung messung + ) { + if (!authorization.isAuthorized( + request, + messung, + RequestMethod.PUT, + LMessung.class) + ) { return new Response(false, 699, null); } Response response = defaultRepo.update(messung, "land"); @@ -164,16 +167,21 @@ @Produces(MediaType.APPLICATION_JSON) public Response delete( @Context HttpHeaders headers, + @Context HttpServletRequest request, @PathParam("id") String id ) { - if (!authentication.isAuthenticated(headers)) { - logger.debug("User is not authenticated!"); - return new Response(false, 699, null); - } /* Get the messung object by id*/ Response messung = defaultRepo.getById(LMessung.class, Integer.valueOf(id), "land"); LMessung messungObj = (LMessung)messung.getData(); + if (!authorization.isAuthorized( + request, + messung, + RequestMethod.DELETE, + LMessung.class) + ) { + return new Response(false, 699, null); + } /* Create a query and request the messungTranslation object for the * messung*/ QueryBuilder builder = diff -r bb76a5d7a98d -r a04658486ede src/main/java/de/intevation/lada/rest/MesswertService.java --- a/src/main/java/de/intevation/lada/rest/MesswertService.java Mon Mar 23 17:50:51 2015 +0100 +++ b/src/main/java/de/intevation/lada/rest/MesswertService.java Mon Mar 23 17:52:17 2015 +0100 @@ -9,6 +9,7 @@ import javax.enterprise.context.RequestScoped; import javax.inject.Inject; +import javax.servlet.http.HttpServletRequest; import javax.ws.rs.DELETE; import javax.ws.rs.GET; import javax.ws.rs.POST; 
@@ -25,16 +26,14 @@ import org.apache.log4j.Logger; import de.intevation.lada.model.land.LMesswert; -import de.intevation.lada.util.annotation.AuthenticationConfig; import de.intevation.lada.util.annotation.AuthorizationConfig; import de.intevation.lada.util.annotation.RepositoryConfig; -import de.intevation.lada.util.auth.Authentication; -import de.intevation.lada.util.auth.AuthenticationType; import de.intevation.lada.util.auth.Authorization; import de.intevation.lada.util.auth.AuthorizationType; import de.intevation.lada.util.data.QueryBuilder; import de.intevation.lada.util.data.Repository; import de.intevation.lada.util.data.RepositoryType; +import de.intevation.lada.util.rest.RequestMethod; import de.intevation.lada.util.rest.Response; @Path("messwert") @@ -50,14 +49,9 @@ @RepositoryConfig(type=RepositoryType.RW) private Repository defaultRepo; - /* The authentication module.*/ - @Inject - @AuthenticationConfig(type=AuthenticationType.NONE) - private Authentication authentication; - /* The authorization module.*/ @Inject - @AuthorizationConfig(type=AuthorizationType.NONE) + @AuthorizationConfig(type=AuthorizationType.OPEN_ID) private Authorization authorization; /** @@ -70,12 +64,9 @@ @Produces(MediaType.APPLICATION_JSON) public Response get( @Context HttpHeaders headers, - @Context UriInfo info + @Context UriInfo info, + @Context HttpServletRequest request ) { - if (!authentication.isAuthenticated(headers)) { - logger.debug("User is not authenticated!"); - return new Response(false, 699, null); - } MultivaluedMap params = info.getQueryParameters(); if (params.isEmpty() || !params.containsKey("messungsId")) { logger.debug("get all"); @@ -87,7 +78,10 @@ defaultRepo.entityManager("land"), LMesswert.class); builder.and("messungsId", messungId); - return defaultRepo.filter(builder.getQuery(), "land"); + return authorization.filter( + request, + defaultRepo.filter(builder.getQuery(), "land"), + LMesswert.class); } /** 
@@ -100,13 +94,13 @@ @Produces(MediaType.APPLICATION_JSON) public Response getById( @Context HttpHeaders headers, + @Context HttpServletRequest request, @PathParam("id") String id ) { - if (!authentication.isAuthenticated(headers)) { - logger.debug("User is not authenticated!"); - return new Response(false, 699, null); - } - return defaultRepo.getById(LMesswert.class, Integer.valueOf(id), "land"); + return authorization.filter( + request, + defaultRepo.getById(LMesswert.class, Integer.valueOf(id), "land"), + LMesswert.class); } @POST @@ -114,9 +108,15 @@ @Produces(MediaType.APPLICATION_JSON) public Response create( @Context HttpHeaders headers, + @Context HttpServletRequest request, LMesswert messwert ) { - if (!authentication.isAuthenticated(headers)) { + if (!authorization.isAuthorized( + request, + messwert, + RequestMethod.POST, + LMesswert.class) + ) { return new Response(false, 699, null); } /* Persist the new messung object*/ @@ -131,9 +131,17 @@ @PUT @Path("/{id}") @Produces(MediaType.APPLICATION_JSON) - public Response update(@Context HttpHeaders headers, LMesswert messwert) { - if (!authentication.isAuthenticated(headers)) { - logger.debug("User is not authenticated!"); + public Response update( + @Context HttpHeaders headers, + @Context HttpServletRequest request, + LMesswert messwert + ) { + if (!authorization.isAuthorized( + request, + messwert, + RequestMethod.PUT, + LMesswert.class) + ) { return new Response(false, 699, null); } Response response = defaultRepo.update(messwert, "land"); 
@@ -153,16 +161,21 @@ @Produces(MediaType.APPLICATION_JSON) public Response delete( @Context HttpHeaders headers, + @Context HttpServletRequest request, @PathParam("id") String id ) { - if (!authentication.isAuthenticated(headers)) { - logger.debug("User is not authenticated!"); - return new Response(false, 699, null); - } /* Get the messwert object by id*/ Response messwert = defaultRepo.getById(LMesswert.class, Integer.valueOf(id), "land"); LMesswert messwertObj = (LMesswert)messwert.getData(); + if (!authorization.isAuthorized( + request, + messwertObj, + RequestMethod.DELETE, + LMesswert.class) + ) { + return new Response(false, 699, null); + } /* Delete the messwert object*/ return defaultRepo.delete(messwertObj, "land"); } diff -r bb76a5d7a98d -r a04658486ede src/main/java/de/intevation/lada/rest/OrtService.java --- a/src/main/java/de/intevation/lada/rest/OrtService.java Mon Mar 23 17:50:51 2015 +0100 +++ b/src/main/java/de/intevation/lada/rest/OrtService.java Mon Mar 23 17:52:17 2015 +0100 @@ -9,6 +9,7 @@ import javax.enterprise.context.RequestScoped; import javax.inject.Inject; +import javax.servlet.http.HttpServletRequest; import javax.ws.rs.DELETE; import javax.ws.rs.GET; import javax.ws.rs.POST; @@ -25,16 +26,14 @@ import org.apache.log4j.Logger; import de.intevation.lada.model.land.LOrt; -import de.intevation.lada.util.annotation.AuthenticationConfig; import de.intevation.lada.util.annotation.AuthorizationConfig; import de.intevation.lada.util.annotation.RepositoryConfig; -import de.intevation.lada.util.auth.Authentication; -import de.intevation.lada.util.auth.AuthenticationType; import de.intevation.lada.util.auth.Authorization; import de.intevation.lada.util.auth.AuthorizationType; import de.intevation.lada.util.data.QueryBuilder; import de.intevation.lada.util.data.Repository; import de.intevation.lada.util.data.RepositoryType; +import de.intevation.lada.util.rest.RequestMethod; import de.intevation.lada.util.rest.Response; @Path("ort") 
@@ -50,14 +49,9 @@ @RepositoryConfig(type=RepositoryType.RW) private Repository defaultRepo; - /* The authentication module.*/ - @Inject - @AuthenticationConfig(type=AuthenticationType.NONE) - private Authentication authentication; - /* The authorization module.*/ @Inject - @AuthorizationConfig(type=AuthorizationType.NONE) + @AuthorizationConfig(type=AuthorizationType.OPEN_ID) private Authorization authorization; /** @@ -70,12 +64,9 @@ @Produces(MediaType.APPLICATION_JSON) public Response get( @Context HttpHeaders headers, - @Context UriInfo info + @Context UriInfo info, + @Context HttpServletRequest request ) { - if (!authentication.isAuthenticated(headers)) { - logger.debug("User is not authenticated!"); - return new Response(false, 699, null); - } MultivaluedMap params = info.getQueryParameters(); if (params.isEmpty() || !params.containsKey("probeId")) { logger.debug("get all"); @@ -87,7 +78,10 @@ defaultRepo.entityManager("land"), LOrt.class); builder.and("probeId", probeId); - return defaultRepo.filter(builder.getQuery(), "land"); + return authorization.filter( + request, + defaultRepo.filter(builder.getQuery(), "land"), + LOrt.class); } /** @@ -100,13 +94,13 @@ @Produces(MediaType.APPLICATION_JSON) public Response getById( @Context HttpHeaders headers, + @Context HttpServletRequest request, @PathParam("id") String id ) { - if (!authentication.isAuthenticated(headers)) { - logger.debug("User is not authenticated!"); - return new Response(false, 699, null); - } - return defaultRepo.getById(LOrt.class, Integer.valueOf(id), "land"); + return authorization.filter( + request, + defaultRepo.getById(LOrt.class, Integer.valueOf(id), "land"), + LOrt.class); } @POST 
@@ -114,9 +108,14 @@ @Produces(MediaType.APPLICATION_JSON) public Response create( @Context HttpHeaders headers, + @Context HttpServletRequest request, LOrt ort ) { - if (!authentication.isAuthenticated(headers)) { + if (!authorization.isAuthorized( + request, + ort, + RequestMethod.POST, + LOrt.class)) { return new Response(false, 699, null); } /* Persist the new object*/ @@ -131,9 +130,16 @@ @PUT @Path("/{id}") @Produces(MediaType.APPLICATION_JSON) - public Response update(@Context HttpHeaders headers, LOrt ort) { - if (!authentication.isAuthenticated(headers)) { - logger.debug("User is not authenticated!"); + public Response update( + @Context HttpHeaders headers, + @Context HttpServletRequest request, + LOrt ort + ) { + if (!authorization.isAuthorized( + request, + ort, + RequestMethod.PUT, + LOrt.class)) { return new Response(false, 699, null); } Response response = defaultRepo.update(ort, "land"); @@ -153,16 +159,20 @@ @Produces(MediaType.APPLICATION_JSON) public Response delete( @Context HttpHeaders headers, + @Context HttpServletRequest request, @PathParam("id") String id ) { - if (!authentication.isAuthenticated(headers)) { - logger.debug("User is not authenticated!"); - return new Response(false, 699, null); - } /* Get the messwert object by id*/ Response object = defaultRepo.getById(LOrt.class, Integer.valueOf(id), "land"); LOrt ortObj = (LOrt)object.getData(); + if (!authorization.isAuthorized( + request, + ortObj, + RequestMethod.PUT, + LOrt.class)) { + return new Response(false, 699, null); + } /* Delete the messwert object*/ return defaultRepo.delete(ortObj, "land"); } diff -r bb76a5d7a98d -r a04658486ede src/main/java/de/intevation/lada/rest/ProbeService.java --- a/src/main/java/de/intevation/lada/rest/ProbeService.java Mon Mar 23 17:50:51 2015 +0100 +++ b/src/main/java/de/intevation/lada/rest/ProbeService.java Mon Mar 23 17:52:17 2015 +0100 
@@ -20,6 +20,7 @@ import javax.json.JsonObject; import javax.json.JsonReader; import javax.persistence.Query; +import javax.servlet.http.HttpServletRequest; import javax.ws.rs.DELETE; import javax.ws.rs.GET; import javax.ws.rs.POST; @@ -38,16 +39,14 @@ import de.intevation.lada.model.land.LProbe; import de.intevation.lada.model.land.ProbeTranslation; import de.intevation.lada.query.QueryTools; -import de.intevation.lada.util.annotation.AuthenticationConfig; import de.intevation.lada.util.annotation.AuthorizationConfig; import de.intevation.lada.util.annotation.RepositoryConfig; -import de.intevation.lada.util.auth.Authentication; -import de.intevation.lada.util.auth.AuthenticationType; import de.intevation.lada.util.auth.Authorization; import de.intevation.lada.util.auth.AuthorizationType; import de.intevation.lada.util.data.QueryBuilder; import de.intevation.lada.util.data.Repository; import de.intevation.lada.util.data.RepositoryType; +import de.intevation.lada.util.rest.RequestMethod; import de.intevation.lada.util.rest.Response; import de.intevation.lada.validation.Validator; import de.intevation.lada.validation.Violation; @@ -72,14 +71,9 @@ @RepositoryConfig(type=RepositoryType.RW) private Repository defaultRepo; - /* The authentication module.*/ - @Inject - @AuthenticationConfig(type=AuthenticationType.NONE) - private Authentication authentication; - /* The authorization module.*/ @Inject - @AuthorizationConfig(type=AuthorizationType.NONE) + @AuthorizationConfig(type=AuthorizationType.OPEN_ID) private Authorization authorization; @Inject 
@@ -97,12 +91,11 @@ @Produces("application/json") public Response get( @Context HttpHeaders headers, - @Context UriInfo info + @Context UriInfo info, + @Context HttpServletRequest request ) { - if (!authentication.isAuthenticated(headers)) { - logger.debug("User is not authenticated!"); - return new Response(false, 699, null); - } + logger.debug("user: " + request.getAttribute("lada.user.name")); + logger.debug("roles: " + request.getAttribute("lada.user.roles")); MultivaluedMap params = info.getQueryParameters(); if (params.isEmpty() || !params.containsKey("qid")) { return defaultRepo.getAll(LProbe.class, "land"); @@ -116,11 +109,12 @@ sql = jsonQuery.getString("sql"); if (params.containsKey("sort")) { String sort = params.getFirst("sort"); + logger.debug("Sort parameter: " + sort); JsonReader reader = Json.createReader(new StringReader(sort)); - JsonObject sortProperties = reader.readObject(); + JsonObject sortProperties = reader.readArray().getJsonObject(0); sql += " ORDER BY "; - sql += sortProperties.getJsonString("property") + " "; - sql += sortProperties.getJsonString("direction"); + sql += sortProperties.getJsonString("property").getString() + " "; + sql += sortProperties.getJsonString("direction").getString(); } JsonArray jsonFilters = jsonQuery.getJsonArray("filters"); JsonArray jsonResults = jsonQuery.getJsonArray("result"); @@ -143,7 +137,7 @@ params, defaultRepo.entityManager("land")); List> result = - QueryTools.prepareResult(query.getResultList(), results); + QueryTools.prepareResult(query.getResultList(), results, authorization, authorization.getInfo(request)); if (params.containsKey("start") && params.containsKey("limit")) { int start = Integer.valueOf(params.getFirst("start")); int limit = Integer.valueOf(params.getFirst("limit")); 
@@ -163,19 +157,16 @@ @Produces(MediaType.APPLICATION_JSON) public Response getById( @Context HttpHeaders headers, - @PathParam("id") String id + @PathParam("id") String id, + @Context HttpServletRequest request ) { - if (!authentication.isAuthenticated(headers)) { - logger.debug("User is not authenticated!"); - return new Response(false, 699, null); - } Response response = defaultRepo.getById(LProbe.class, Integer.valueOf(id), "land"); Violation violation = validator.validate(response.getData()); if (violation.hasWarnings()) { response.setWarnings(violation.getWarnings()); } - return response; + return this.authorization.filter(request, response, LProbe.class); } /** @@ -186,8 +177,17 @@ @POST @Path("/") @Produces(MediaType.APPLICATION_JSON) - public Response create(@Context HttpHeaders headers, LProbe probe) { - if (!authentication.isAuthenticated(headers)) { + public Response create( + @Context HttpHeaders headers, + @Context HttpServletRequest request, + LProbe probe + ) { + if (!authorization.isAuthorized( + request, + probe, + RequestMethod.POST, + LProbe.class) + ) { return new Response(false, 699, null); } Violation violation = validator.validate(probe); @@ -221,9 +221,17 @@ @PUT @Path("/{id}") @Produces(MediaType.APPLICATION_JSON) - public Response update(@Context HttpHeaders headers, LProbe probe) { - if (!authentication.isAuthenticated(headers)) { - logger.debug("User is not authenticated!"); + public Response update( + @Context HttpHeaders headers, + @Context HttpServletRequest request, + LProbe probe + ) { + if (!authorization.isAuthorized( + request, + probe, + RequestMethod.PUT, + LProbe.class) + ) { return new Response(false, 699, null); } Violation violation = validator.validate(probe); 
@@ -253,16 +261,21 @@ @Produces(MediaType.APPLICATION_JSON) public Response delete( @Context HttpHeaders headers, + @Context HttpServletRequest request, @PathParam("id") String id ) { - if (!authentication.isAuthenticated(headers)) { - logger.debug("User is not authenticated!"); - return new Response(false, 699, null); - } /* Get the probe object by id*/ Response probe = defaultRepo.getById(LProbe.class, Integer.valueOf(id), "land"); LProbe probeObj = (LProbe)probe.getData(); + if (!authorization.isAuthorized( + request, + probeObj, + RequestMethod.DELETE, + LProbe.class) + ) { + return new Response(false, 699, null); + } /* Create a query and request the probetranslation object for the * probe*/ QueryBuilder builder = diff -r bb76a5d7a98d -r a04658486ede src/main/java/de/intevation/lada/rest/StatusService.java --- a/src/main/java/de/intevation/lada/rest/StatusService.java Mon Mar 23 17:50:51 2015 +0100 +++ b/src/main/java/de/intevation/lada/rest/StatusService.java Mon Mar 23 17:52:17 2015 +0100 @@ -9,6 +9,7 @@ import javax.enterprise.context.RequestScoped; import javax.inject.Inject; +import javax.servlet.http.HttpServletRequest; import javax.ws.rs.DELETE; import javax.ws.rs.GET; import javax.ws.rs.POST; 
@@ -22,42 +23,29 @@ import javax.ws.rs.core.MultivaluedMap; import javax.ws.rs.core.UriInfo; -import org.apache.log4j.Logger; - import de.intevation.lada.model.land.LStatus; -import de.intevation.lada.util.annotation.AuthenticationConfig; import de.intevation.lada.util.annotation.AuthorizationConfig; import de.intevation.lada.util.annotation.RepositoryConfig; -import de.intevation.lada.util.auth.Authentication; -import de.intevation.lada.util.auth.AuthenticationType; import de.intevation.lada.util.auth.Authorization; import de.intevation.lada.util.auth.AuthorizationType; import de.intevation.lada.util.data.QueryBuilder; import de.intevation.lada.util.data.Repository; import de.intevation.lada.util.data.RepositoryType; +import de.intevation.lada.util.rest.RequestMethod; import de.intevation.lada.util.rest.Response; @Path("status") @RequestScoped public class StatusService { - /* The logger used in this class.*/ - @Inject - private Logger logger; - /* The data repository granting read/write access.*/ @Inject @RepositoryConfig(type=RepositoryType.RW) private Repository defaultRepo; - /* The authentication module.*/ - @Inject - @AuthenticationConfig(type=AuthenticationType.NONE) - private Authentication authentication; - /* The authorization module.*/ @Inject - @AuthorizationConfig(type=AuthorizationType.NONE) + @AuthorizationConfig(type=AuthorizationType.OPEN_ID) private Authorization authorization; /** @@ -70,12 +58,9 @@ @Produces(MediaType.APPLICATION_JSON) public Response get( @Context HttpHeaders headers, - @Context UriInfo info + @Context UriInfo info, + @Context HttpServletRequest request ) { - if (!authentication.isAuthenticated(headers)) { - logger.debug("User is not authenticated!"); - return new Response(false, 699, null); - } MultivaluedMap params = info.getQueryParameters(); if (params.isEmpty() || !params.containsKey("messungsId")) { return defaultRepo.getAll(LStatus.class, "land"); 
@@ -86,7 +71,10 @@ defaultRepo.entityManager("land"), LStatus.class); builder.and("messungsId", messungId); - return defaultRepo.filter(builder.getQuery(), "land"); + return authorization.filter( + request, + defaultRepo.filter(builder.getQuery(), "land"), + LStatus.class); } /** @@ -99,13 +87,13 @@ @Produces(MediaType.APPLICATION_JSON) public Response getById( @Context HttpHeaders headers, + @Context HttpServletRequest request, @PathParam("id") String id ) { - if (!authentication.isAuthenticated(headers)) { - logger.debug("User is not authenticated!"); - return new Response(false, 699, null); - } - return defaultRepo.getById(LStatus.class, Integer.valueOf(id), "land"); + return authorization.filter( + request, + defaultRepo.getById(LStatus.class, Integer.valueOf(id), "land"), + LStatus.class); } @POST @@ -113,9 +101,15 @@ @Produces(MediaType.APPLICATION_JSON) public Response create( @Context HttpHeaders headers, + @Context HttpServletRequest request, LStatus status ) { - if (!authentication.isAuthenticated(headers)) { + if (!authorization.isAuthorized( + request, + status, + RequestMethod.POST, + LStatus.class) + ) { return new Response(false, 699, null); } /* Persist the new object*/ @@ -130,9 +124,17 @@ @PUT @Path("/{id}") @Produces(MediaType.APPLICATION_JSON) - public Response update(@Context HttpHeaders headers, LStatus status) { - if (!authentication.isAuthenticated(headers)) { - logger.debug("User is not authenticated!"); + public Response update( + @Context HttpHeaders headers, + @Context HttpServletRequest request, + LStatus status + ) { + if (!authorization.isAuthorized( + request, + status, + RequestMethod.PUT, + LStatus.class) + ) { return new Response(false, 699, null); } Response response = defaultRepo.update(status, "land"); 
@@ -152,16 +154,21 @@ @Produces(MediaType.APPLICATION_JSON) public Response delete( @Context HttpHeaders headers, + @Context HttpServletRequest request, @PathParam("id") String id ) { - if (!authentication.isAuthenticated(headers)) { - logger.debug("User is not authenticated!"); - return new Response(false, 699, null); - } /* Get the object by id*/ Response object = defaultRepo.getById(LStatus.class, Integer.valueOf(id), "land"); LStatus obj = (LStatus)object.getData(); + if (!authorization.isAuthorized( + request, + obj, + RequestMethod.DELETE, + LStatus.class) + ) { + return new Response(false, 699, null); + } /* Delete the object*/ return defaultRepo.delete(obj, "land"); } diff -r bb76a5d7a98d -r a04658486ede src/main/java/de/intevation/lada/rest/ZusatzwertService.java --- a/src/main/java/de/intevation/lada/rest/ZusatzwertService.java Mon Mar 23 17:50:51 2015 +0100 +++ b/src/main/java/de/intevation/lada/rest/ZusatzwertService.java Mon Mar 23 17:52:17 2015 +0100 @@ -9,6 +9,7 @@ import javax.enterprise.context.RequestScoped; import javax.inject.Inject; +import javax.servlet.http.HttpServletRequest; import javax.ws.rs.DELETE; import javax.ws.rs.GET; import javax.ws.rs.POST; 
@@ -22,42 +23,29 @@ import javax.ws.rs.core.MultivaluedMap; import javax.ws.rs.core.UriInfo; -import org.apache.log4j.Logger; - import de.intevation.lada.model.land.LZusatzWert; -import de.intevation.lada.util.annotation.AuthenticationConfig; import de.intevation.lada.util.annotation.AuthorizationConfig; import de.intevation.lada.util.annotation.RepositoryConfig; -import de.intevation.lada.util.auth.Authentication; -import de.intevation.lada.util.auth.AuthenticationType; import de.intevation.lada.util.auth.Authorization; import de.intevation.lada.util.auth.AuthorizationType; import de.intevation.lada.util.data.QueryBuilder; import de.intevation.lada.util.data.Repository; import de.intevation.lada.util.data.RepositoryType; +import de.intevation.lada.util.rest.RequestMethod; import de.intevation.lada.util.rest.Response; @Path("zusatzwert") @RequestScoped public class ZusatzwertService { - /* The logger used in this class.*/ - @Inject - private Logger logger; - /* The data repository granting read/write access.*/ @Inject @RepositoryConfig(type=RepositoryType.RW) private Repository defaultRepo; - /* The authentication module.*/ - @Inject - @AuthenticationConfig(type=AuthenticationType.NONE) - private Authentication authentication; - /* The authorization module.*/ @Inject - @AuthorizationConfig(type=AuthorizationType.NONE) + @AuthorizationConfig(type=AuthorizationType.OPEN_ID) private Authorization authorization; /** @@ -70,12 +58,9 @@ @Produces(MediaType.APPLICATION_JSON) public Response get( @Context HttpHeaders headers, + @Context HttpServletRequest request, @Context UriInfo info ) { - if (!authentication.isAuthenticated(headers)) { - logger.debug("User is not authenticated!"); - return new Response(false, 699, null); - } MultivaluedMap params = info.getQueryParameters(); if (params.isEmpty() || !params.containsKey("probeId")) { return defaultRepo.getAll(LZusatzWert.class, "land"); 
@@ -86,7 +71,10 @@ defaultRepo.entityManager("land"), LZusatzWert.class); builder.and("probeId", probeId); - return defaultRepo.filter(builder.getQuery(), "land"); + return authorization.filter( + request, + defaultRepo.filter(builder.getQuery(), "land"), + LZusatzWert.class); } /** @@ -99,13 +87,13 @@ @Produces(MediaType.APPLICATION_JSON) public Response getById( @Context HttpHeaders headers, + @Context HttpServletRequest request, @PathParam("id") String id ) { - if (!authentication.isAuthenticated(headers)) { - logger.debug("User is not authenticated!"); - return new Response(false, 699, null); - } - return defaultRepo.getById(LZusatzWert.class, Integer.valueOf(id), "land"); + return authorization.filter( + request, + defaultRepo.getById(LZusatzWert.class, Integer.valueOf(id), "land"), + LZusatzWert.class); } @POST @@ -113,9 +101,15 @@ @Produces(MediaType.APPLICATION_JSON) public Response create( @Context HttpHeaders headers, + @Context HttpServletRequest request, LZusatzWert zusatzwert ) { - if (!authentication.isAuthenticated(headers)) { + if (!authorization.isAuthorized( + request, + zusatzwert, + RequestMethod.POST, + LZusatzWert.class) + ) { return new Response(false, 699, null); } /* Persist the new object*/ @@ -132,10 +126,15 @@ @Produces(MediaType.APPLICATION_JSON) public Response update( @Context HttpHeaders headers, + @Context HttpServletRequest request, LZusatzWert zusatzwert ) { - if (!authentication.isAuthenticated(headers)) { - logger.debug("User is not authenticated!"); + if (!authorization.isAuthorized( + request, + zusatzwert, + RequestMethod.PUT, + LZusatzWert.class) + ) { return new Response(false, 699, null); } Response response = defaultRepo.update(zusatzwert, "land"); 
@@ -155,16 +154,21 @@ @Produces(MediaType.APPLICATION_JSON) public Response delete( @Context HttpHeaders headers, + @Context HttpServletRequest request, @PathParam("id") String id ) { - if (!authentication.isAuthenticated(headers)) { - logger.debug("User is not authenticated!"); - return new Response(false, 699, null); - } /* Get the object by id*/ Response object = defaultRepo.getById(LZusatzWert.class, Integer.valueOf(id), "land"); LZusatzWert obj = (LZusatzWert)object.getData(); + if (!authorization.isAuthorized( + request, + obj, + RequestMethod.DELETE, + LZusatzWert.class) + ) { + return new Response(false, 699, null); + } /* Delete the object*/ return defaultRepo.delete(obj, "land"); }
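Review bot: in the ProbeService.get `sort` hunk, client-controlled text is concatenated straight into SQL: `sql += sortProperties.getJsonString("property").getString() + " "; sql += sortProperties.getJsonString("direction").getString();` where `sort` comes from `info.getQueryParameters()`. The `.getString()` change makes this worse than before, because the values are no longer emitted as quoted JSON literals, so a caller now chooses the raw ORDER BY clause. ORDER BY cannot be bound as a query parameter, so validate `property` against the permitted result column names (the `jsonResults` array read a few lines later already lists them) and accept only `ASC` or `DESC` for `direction`, returning an error response for anything else. Independently, `reader.readArray().getJsonObject(0)` throws an unchecked exception when `sort` is not a non-empty JSON array of objects, which surfaces as a server error instead of a client error.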
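Review bot: in ProbeService.get, and equally in StatusService.get and ZusatzwertService.get, the early-return branch `if (params.isEmpty() || !params.containsKey("qid")) { return defaultRepo.getAll(LProbe.class, "land"); }` (with `messungsId` / `probeId` in the other two services) is now completely unguarded: the `authentication.isAuthenticated(headers)` check was removed from these methods and the new `authorization.filter(...)` and `prepareResult(..., authorization, authorization.getInfo(request))` calls are only on the parameterised branches. A request that simply omits the parameter gets the full table back with neither an authentication nor an authorization decision. Wrap that branch the same way as the other one, e.g. `return authorization.filter(request, defaultRepo.getAll(LStatus.class, "land"), LStatus.class);`, or reject it.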
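Review bot: in the `update` hunks of ProbeService, StatusService and ZusatzwertService the PUT is authorized against the deserialized request body (`authorization.isAuthorized(request, probe, RequestMethod.PUT, LProbe.class)`), whereas the `delete` hunks first load the stored record by id and authorize that (`probeObj`, `obj`). On the PUT path every field `isAuthorized` looks at is therefore supplied by the caller, who can set it to whatever passes the check and then overwrite a record that is not theirs; note also that `@Path("/{id}")` is declared but no `@PathParam("id")` is read, so the id in the body is the one that gets updated. Load the existing record by the path id, authorize against that object as delete does, and only then apply the update.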
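Review bot: in the three `delete` hunks the object handed to `isAuthorized` is `(LProbe)probe.getData()` / `(LStatus)object.getData()` / `(LZusatzWert)object.getData()` without checking that the lookup found a record, so for an unknown id the authorization call and then `defaultRepo.delete(obj, "land")` receive null. Return early when `getData()` is null (or when the repository response is not successful) before calling `isAuthorized`, and make sure `isAuthorized` itself answers false for a null object rather than throwing.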
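Review bot: in the first ProbeService.get hunk the two new lines `logger.debug("user: " + request.getAttribute("lada.user.name")); logger.debug("roles: " + request.getAttribute("lada.user.roles"));` only log and never fail the request; if whatever sets these attributes is not in front of this servlet they print `null` and the handler proceeds to run the query. Either turn the absence of user information into the `new Response(false, 699, null)` rejection that the old `isAuthenticated` check produced, or drop the lines, which also avoids writing user names and role lists to the log at debug level. The neighbouring `logger.debug("Sort parameter: " + sort);` writes a raw client-supplied string to the log for the same reason.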
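Review bot: in the field hunks of StatusService and ZusatzwertService (the same edit is made to KommentarMService) `@AuthorizationConfig(type=AuthorizationType.NONE)` becomes `@AuthorizationConfig(type=AuthorizationType.OPEN_ID)` while the `Authentication` injection and every per-method `isAuthenticated(headers)` call are deleted. Rejecting unauthenticated callers is now entirely the job of the `Authorization` implementation, and nothing in these services enforces that; state that contract on the services (or enforce authentication once in a JAX-RS/servlet filter) so that a later switch of the AuthorizationType back to a permissive one does not silently open every endpoint.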
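Review bot: across all method hunks `@Context HttpHeaders headers` is kept in every signature although its only consumer, `authentication.isAuthenticated(headers)`, is removed; drop the unused parameter. The identical nine-line `if (!authorization.isAuthorized(request, obj, RequestMethod.X, Y.class)) { return new Response(false, 699, null); }` block is now repeated in create, update and delete of each service; a small helper would keep the three services from drifting apart. Also note that 699 now signals a failed authorization where it previously signalled a failed authentication, which clients keying on that code should be told about.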