Mercurial > lada > lada-server
changeset 582:a04658486ede
Use authentication info for authorization of requested objects.
author | Raimund Renkert <raimund.renkert@intevation.de> |
---|---|
date | Mon, 23 Mar 2015 17:52:17 +0100 |
parents | bb76a5d7a98d |
children | b3eee6414310 |
files | src/main/java/de/intevation/lada/query/QueryTools.java src/main/java/de/intevation/lada/rest/KommentarMService.java src/main/java/de/intevation/lada/rest/KommentarPService.java src/main/java/de/intevation/lada/rest/LoginService.java src/main/java/de/intevation/lada/rest/MessungService.java src/main/java/de/intevation/lada/rest/MesswertService.java src/main/java/de/intevation/lada/rest/OrtService.java src/main/java/de/intevation/lada/rest/ProbeService.java src/main/java/de/intevation/lada/rest/StatusService.java src/main/java/de/intevation/lada/rest/ZusatzwertService.java |
diffstat | 10 files changed, 353 insertions(+), 270 deletions(-) [+] |
line wrap: on
line diff
--- a/src/main/java/de/intevation/lada/query/QueryTools.java Mon Mar 23 17:50:51 2015 +0100 +++ b/src/main/java/de/intevation/lada/query/QueryTools.java Mon Mar 23 17:52:17 2015 +0100 @@ -24,6 +24,9 @@ import javax.persistence.Query; import javax.ws.rs.core.MultivaluedMap; +import de.intevation.lada.util.auth.Authorization; +import de.intevation.lada.util.auth.UserInfo; + /** * Utility class to handle the SQL query configuration. @@ -159,13 +162,19 @@ public static List<Map<String, Object>> prepareResult( List<Object[]> result, - List<String> names + List<String> names, + Authorization authorization, + UserInfo userInfo ) { List<Map<String, Object>> ret = new ArrayList<Map<String, Object>>(); for (Object[] row: result) { Map<String, Object> set = new HashMap<String, Object>(); for (int i = 0; i < row.length; i++) { set.put(names.get(i), row[i]); + if (names.get(i).toString().equals("id")) { + boolean readOnly = authorization.isReadOnly((Integer)row[i]); + set.put("readonly", readOnly); + } } ret.add(set); }
--- a/src/main/java/de/intevation/lada/rest/KommentarMService.java Mon Mar 23 17:50:51 2015 +0100 +++ b/src/main/java/de/intevation/lada/rest/KommentarMService.java Mon Mar 23 17:52:17 2015 +0100 @@ -9,6 +9,7 @@ import javax.enterprise.context.RequestScoped; import javax.inject.Inject; +import javax.servlet.http.HttpServletRequest; import javax.ws.rs.DELETE; import javax.ws.rs.GET; import javax.ws.rs.POST; @@ -22,42 +23,29 @@ import javax.ws.rs.core.MultivaluedMap; import javax.ws.rs.core.UriInfo; -import org.apache.log4j.Logger; - import de.intevation.lada.model.land.LKommentarM; -import de.intevation.lada.util.annotation.AuthenticationConfig; import de.intevation.lada.util.annotation.AuthorizationConfig; import de.intevation.lada.util.annotation.RepositoryConfig; -import de.intevation.lada.util.auth.Authentication; -import de.intevation.lada.util.auth.AuthenticationType; import de.intevation.lada.util.auth.Authorization; import de.intevation.lada.util.auth.AuthorizationType; import de.intevation.lada.util.data.QueryBuilder; import de.intevation.lada.util.data.Repository; import de.intevation.lada.util.data.RepositoryType; +import de.intevation.lada.util.rest.RequestMethod; import de.intevation.lada.util.rest.Response; @Path("mkommentar") @RequestScoped public class KommentarMService { - /* The logger used in this class.*/ - @Inject - private Logger logger; - /* The data repository granting read/write access.*/ @Inject @RepositoryConfig(type=RepositoryType.RW) private Repository defaultRepo; - /* The authentication module.*/ - @Inject - @AuthenticationConfig(type=AuthenticationType.NONE) - private Authentication authentication; - /* The authorization module.*/ @Inject - @AuthorizationConfig(type=AuthorizationType.NONE) + @AuthorizationConfig(type=AuthorizationType.OPEN_ID) private Authorization authorization; /** @@ -70,12 +58,9 @@ @Produces(MediaType.APPLICATION_JSON) public Response get( @Context HttpHeaders headers, - @Context UriInfo info + @Context UriInfo info, + @Context HttpServletRequest request ) { - if (!authentication.isAuthenticated(headers)) { - logger.debug("User is not authenticated!"); - return new Response(false, 699, null); - } MultivaluedMap<String, String> params = info.getQueryParameters(); if (params.isEmpty() || !params.containsKey("messungsId")) { return defaultRepo.getAll(LKommentarM.class, "land"); @@ -86,7 +71,10 @@ defaultRepo.entityManager("land"), LKommentarM.class); builder.and("messungsId", messungId); - return defaultRepo.filter(builder.getQuery(), "land"); + return authorization.filter( + request, + defaultRepo.filter(builder.getQuery(), "land"), + LKommentarM.class); } /** @@ -99,16 +87,16 @@ @Produces(MediaType.APPLICATION_JSON) public Response getById( @Context HttpHeaders headers, + @Context HttpServletRequest request, @PathParam("id") String id ) { - if (!authentication.isAuthenticated(headers)) { - logger.debug("User is not authenticated!"); - return new Response(false, 699, null); - } - return defaultRepo.getById( - LKommentarM.class, - Integer.valueOf(id), - "land"); + return authorization.filter( + request, + defaultRepo.getById( + LKommentarM.class, + Integer.valueOf(id), + "land"), + LKommentarM.class); } @POST @@ -116,9 +104,15 @@ @Produces(MediaType.APPLICATION_JSON) public Response create( @Context HttpHeaders headers, + @Context HttpServletRequest request, LKommentarM kommentar ) { - if (!authentication.isAuthenticated(headers)) { + if (!authorization.isAuthorized( + request, + kommentar, + RequestMethod.POST, + LKommentarM.class) + ) { return new Response(false, 699, null); } /* Persist the new object*/ @@ -135,10 +129,15 @@ @Produces(MediaType.APPLICATION_JSON) public Response update( @Context HttpHeaders headers, + @Context HttpServletRequest request, LKommentarM kommentar ) { - if (!authentication.isAuthenticated(headers)) { - logger.debug("User is not authenticated!"); + if (!authorization.isAuthorized( + request, + kommentar, + RequestMethod.PUT, + LKommentarM.class) + ) { return new Response(false, 699, null); } return defaultRepo.update(kommentar, "land"); @@ -154,16 +153,21 @@ @Produces(MediaType.APPLICATION_JSON) public Response delete( @Context HttpHeaders headers, + @Context HttpServletRequest request, @PathParam("id") String id ) { - if (!authentication.isAuthenticated(headers)) { - logger.debug("User is not authenticated!"); - return new Response(false, 699, null); - } /* Get the object by id*/ Response kommentar = defaultRepo.getById(LKommentarM.class, Integer.valueOf(id), "land"); LKommentarM kommentarObj = (LKommentarM)kommentar.getData(); + if (!authorization.isAuthorized( + request, + kommentarObj, + RequestMethod.DELETE, + LKommentarM.class) + ) { + return new Response(false, 699, null); + } return defaultRepo.delete(kommentarObj, "land"); } }
--- a/src/main/java/de/intevation/lada/rest/KommentarPService.java Mon Mar 23 17:50:51 2015 +0100 +++ b/src/main/java/de/intevation/lada/rest/KommentarPService.java Mon Mar 23 17:52:17 2015 +0100 @@ -9,6 +9,7 @@ import javax.enterprise.context.RequestScoped; import javax.inject.Inject; +import javax.servlet.http.HttpServletRequest; import javax.ws.rs.DELETE; import javax.ws.rs.GET; import javax.ws.rs.POST; @@ -25,16 +26,14 @@ import org.apache.log4j.Logger; import de.intevation.lada.model.land.LKommentarP; -import de.intevation.lada.util.annotation.AuthenticationConfig; import de.intevation.lada.util.annotation.AuthorizationConfig; import de.intevation.lada.util.annotation.RepositoryConfig; -import de.intevation.lada.util.auth.Authentication; -import de.intevation.lada.util.auth.AuthenticationType; import de.intevation.lada.util.auth.Authorization; import de.intevation.lada.util.auth.AuthorizationType; import de.intevation.lada.util.data.QueryBuilder; import de.intevation.lada.util.data.Repository; import de.intevation.lada.util.data.RepositoryType; +import de.intevation.lada.util.rest.RequestMethod; import de.intevation.lada.util.rest.Response; @Path("pkommentar") @@ -50,14 +49,9 @@ @RepositoryConfig(type=RepositoryType.RW) private Repository defaultRepo; - /* The authentication module.*/ - @Inject - @AuthenticationConfig(type=AuthenticationType.NONE) - private Authentication authentication; - /* The authorization module.*/ @Inject - @AuthorizationConfig(type=AuthorizationType.NONE) + @AuthorizationConfig(type=AuthorizationType.OPEN_ID) private Authorization authorization; /** @@ -70,12 +64,9 @@ @Produces(MediaType.APPLICATION_JSON) public Response get( @Context HttpHeaders headers, - @Context UriInfo info + @Context UriInfo info, + @Context HttpServletRequest request ) { - if (!authentication.isAuthenticated(headers)) { - logger.debug("User is not authenticated!"); - return new Response(false, 699, null); - } MultivaluedMap<String, String> params = info.getQueryParameters(); if (params.isEmpty() || !params.containsKey("probeId")) { return defaultRepo.getAll(LKommentarP.class, "land"); @@ -86,7 +77,10 @@ defaultRepo.entityManager("land"), LKommentarP.class); builder.and("probeId", probeId); - return defaultRepo.filter(builder.getQuery(), "land"); + return authorization.filter( + request, + defaultRepo.filter(builder.getQuery(), "land"), + LKommentarP.class); } /** @@ -99,16 +93,13 @@ @Produces(MediaType.APPLICATION_JSON) public Response getById( @Context HttpHeaders headers, + @Context HttpServletRequest request, @PathParam("id") String id ) { - if (!authentication.isAuthenticated(headers)) { - logger.debug("User is not authenticated!"); - return new Response(false, 699, null); - } - return defaultRepo.getById( - LKommentarP.class, - Integer.valueOf(id), - "land"); + return authorization.filter( + request, + defaultRepo.getById(LKommentarP.class,Integer.valueOf(id), "land"), + LKommentarP.class); } @POST @@ -116,9 +107,15 @@ @Produces(MediaType.APPLICATION_JSON) public Response create( @Context HttpHeaders headers, + @Context HttpServletRequest request, LKommentarP kommentar ) { - if (!authentication.isAuthenticated(headers)) { + if (!authorization.isAuthorized( + request, + kommentar, + RequestMethod.POST, + LKommentarP.class) + ) { return new Response(false, 699, null); } /* Persist the new object*/ @@ -133,9 +130,18 @@ @PUT @Path("/{id}") @Produces(MediaType.APPLICATION_JSON) - public Response update(@Context HttpHeaders headers, LKommentarP kommentar) { - if (!authentication.isAuthenticated(headers)) { - logger.debug("User is not authenticated!"); + public Response update( + @Context HttpHeaders headers, + @Context HttpServletRequest request, + LKommentarP kommentar + ) { + if (!authorization.isAuthorized( + request, + kommentar, + RequestMethod.PUT, + LKommentarP.class) + ) { + logger.debug("User is not authorized!"); return new Response(false, 699, null); } return defaultRepo.update(kommentar, "land"); @@ -151,16 +157,22 @@ @Produces(MediaType.APPLICATION_JSON) public Response delete( @Context HttpHeaders headers, + @Context HttpServletRequest request, @PathParam("id") String id ) { - if (!authentication.isAuthenticated(headers)) { - logger.debug("User is not authenticated!"); - return new Response(false, 699, null); - } /* Get the object by id*/ Response kommentar = defaultRepo.getById(LKommentarP.class, Integer.valueOf(id), "land"); LKommentarP kommentarObj = (LKommentarP)kommentar.getData(); + if (!authorization.isAuthorized( + request, + kommentarObj, + RequestMethod.DELETE, + LKommentarP.class) + ) { + logger.debug("User is not authorized!"); + return new Response(false, 699, null); + } return defaultRepo.delete(kommentarObj, "land"); } }
--- a/src/main/java/de/intevation/lada/rest/LoginService.java Mon Mar 23 17:50:51 2015 +0100 +++ b/src/main/java/de/intevation/lada/rest/LoginService.java Mon Mar 23 17:52:17 2015 +0100 @@ -5,20 +5,23 @@ * and comes with ABSOLUTELY NO WARRANTY! Check out * the documentation coming with IMIS-Labordaten-Application for details. */ +package de.intevation.lada.rest; + +import java.util.Date; +import java.util.HashMap; +import java.util.Map; import javax.enterprise.context.RequestScoped; - +import javax.servlet.http.HttpServletRequest; +import javax.ws.rs.GET; import javax.ws.rs.Path; -import javax.ws.rs.GET; -import javax.inject.Inject; +import javax.ws.rs.Produces; import javax.ws.rs.core.Context; import javax.ws.rs.core.HttpHeaders; import javax.ws.rs.core.UriInfo; -import javax.ws.rs.Produces; - -import org.apache.log4j.Logger; import de.intevation.lada.util.rest.Response; + /** * This class serves as a login check service */ @@ -26,24 +29,24 @@ @RequestScoped public class LoginService { - /* The logger used in this class.*/ - @Inject - private Logger logger; - /** * Get all probe objects. * * @return Response object containing all probe objects. */ - @SuppressWarnings("unchecked") @GET @Path("/") @Produces("application/json") public Response get( @Context HttpHeaders headers, - @Context UriInfo info + @Context UriInfo info, + @Context HttpServletRequest request ) { + Map<String, Object> response = new HashMap<String, Object>(); + response.put("username", request.getAttribute("lada.user.name")); + response.put("roles", request.getAttribute("lada.user.roles")); + response.put("servertime", new Date().getTime()); /* This should probably contain the users name and roles. */ - return new Response(true, 200, "Success"); + return new Response(true, 200, response); } }
--- a/src/main/java/de/intevation/lada/rest/MessungService.java Mon Mar 23 17:50:51 2015 +0100 +++ b/src/main/java/de/intevation/lada/rest/MessungService.java Mon Mar 23 17:52:17 2015 +0100 @@ -11,6 +11,7 @@ import javax.enterprise.context.RequestScoped; import javax.inject.Inject; +import javax.servlet.http.HttpServletRequest; import javax.ws.rs.DELETE; import javax.ws.rs.GET; import javax.ws.rs.POST; @@ -24,43 +25,30 @@ import javax.ws.rs.core.MultivaluedMap; import javax.ws.rs.core.UriInfo; -import org.apache.log4j.Logger; - import de.intevation.lada.model.land.LMessung; import de.intevation.lada.model.land.MessungTranslation; -import de.intevation.lada.util.annotation.AuthenticationConfig; import de.intevation.lada.util.annotation.AuthorizationConfig; import de.intevation.lada.util.annotation.RepositoryConfig; -import de.intevation.lada.util.auth.Authentication; -import de.intevation.lada.util.auth.AuthenticationType; import de.intevation.lada.util.auth.Authorization; import de.intevation.lada.util.auth.AuthorizationType; import de.intevation.lada.util.data.QueryBuilder; import de.intevation.lada.util.data.Repository; import de.intevation.lada.util.data.RepositoryType; +import de.intevation.lada.util.rest.RequestMethod; import de.intevation.lada.util.rest.Response; @Path("messung") @RequestScoped public class MessungService { - /* The logger used in this class.*/ - @Inject - private Logger logger; - /* The data repository granting read/write access.*/ @Inject @RepositoryConfig(type=RepositoryType.RW) private Repository defaultRepo; - /* The authentication module.*/ - @Inject - @AuthenticationConfig(type=AuthenticationType.NONE) - private Authentication authentication; - /* The authorization module.*/ @Inject - @AuthorizationConfig(type=AuthorizationType.NONE) + @AuthorizationConfig(type=AuthorizationType.OPEN_ID) private Authorization authorization; /** @@ -73,12 +61,9 @@ @Produces(MediaType.APPLICATION_JSON) public Response get( @Context HttpHeaders headers, - @Context UriInfo info + @Context UriInfo info, + @Context HttpServletRequest request ) { - if (!authentication.isAuthenticated(headers)) { - logger.debug("User is not authenticated!"); - return new Response(false, 699, null); - } MultivaluedMap<String, String> params = info.getQueryParameters(); if (params.isEmpty() || !params.containsKey("probeId")) { return defaultRepo.getAll(LMessung.class, "land"); @@ -89,7 +74,10 @@ defaultRepo.entityManager("land"), LMessung.class); builder.and("probeId", probeId); - return defaultRepo.filter(builder.getQuery(), "land"); + return authorization.filter( + request, + defaultRepo.filter(builder.getQuery(), "land"), + LMessung.class); } /** @@ -102,13 +90,13 @@ @Produces(MediaType.APPLICATION_JSON) public Response getById( @Context HttpHeaders headers, + @Context HttpServletRequest request, @PathParam("id") String id ) { - if (!authentication.isAuthenticated(headers)) { - logger.debug("User is not authenticated!"); - return new Response(false, 699, null); - } - return defaultRepo.getById(LMessung.class, Integer.valueOf(id), "land"); + return authorization.filter( + request, + defaultRepo.getById(LMessung.class, Integer.valueOf(id), "land"), + LMessung.class); } @POST @@ -116,11 +104,18 @@ @Produces(MediaType.APPLICATION_JSON) public Response create( @Context HttpHeaders headers, + @Context HttpServletRequest request, LMessung messung ) { - if (!authentication.isAuthenticated(headers)) { + if (!authorization.isAuthorized( + request, + messung, + RequestMethod.POST, + LMessung.class) + ) { return new Response(false, 699, null); } + /* Persist the new messung object*/ Response response = defaultRepo.create(messung, "land"); LMessung ret = (LMessung)response.getData(); @@ -142,9 +137,17 @@ @PUT @Path("/{id}") @Produces(MediaType.APPLICATION_JSON) - public Response update(@Context HttpHeaders headers, LMessung messung) { - if (!authentication.isAuthenticated(headers)) { - logger.debug("User is not authenticated!"); + public Response update( + @Context HttpHeaders headers, + @Context HttpServletRequest request, + LMessung messung + ) { + if (!authorization.isAuthorized( + request, + messung, + RequestMethod.PUT, + LMessung.class) + ) { return new Response(false, 699, null); } Response response = defaultRepo.update(messung, "land"); @@ -164,16 +167,21 @@ @Produces(MediaType.APPLICATION_JSON) public Response delete( @Context HttpHeaders headers, + @Context HttpServletRequest request, @PathParam("id") String id ) { - if (!authentication.isAuthenticated(headers)) { - logger.debug("User is not authenticated!"); - return new Response(false, 699, null); - } /* Get the messung object by id*/ Response messung = defaultRepo.getById(LMessung.class, Integer.valueOf(id), "land"); LMessung messungObj = (LMessung)messung.getData(); + if (!authorization.isAuthorized( + request, + messung, + RequestMethod.DELETE, + LMessung.class) + ) { + return new Response(false, 699, null); + } /* Create a query and request the messungTranslation object for the * messung*/ QueryBuilder<MessungTranslation> builder =
--- a/src/main/java/de/intevation/lada/rest/MesswertService.java Mon Mar 23 17:50:51 2015 +0100 +++ b/src/main/java/de/intevation/lada/rest/MesswertService.java Mon Mar 23 17:52:17 2015 +0100 @@ -9,6 +9,7 @@ import javax.enterprise.context.RequestScoped; import javax.inject.Inject; +import javax.servlet.http.HttpServletRequest; import javax.ws.rs.DELETE; import javax.ws.rs.GET; import javax.ws.rs.POST; @@ -25,16 +26,14 @@ import org.apache.log4j.Logger; import de.intevation.lada.model.land.LMesswert; -import de.intevation.lada.util.annotation.AuthenticationConfig; import de.intevation.lada.util.annotation.AuthorizationConfig; import de.intevation.lada.util.annotation.RepositoryConfig; -import de.intevation.lada.util.auth.Authentication; -import de.intevation.lada.util.auth.AuthenticationType; import de.intevation.lada.util.auth.Authorization; import de.intevation.lada.util.auth.AuthorizationType; import de.intevation.lada.util.data.QueryBuilder; import de.intevation.lada.util.data.Repository; import de.intevation.lada.util.data.RepositoryType; +import de.intevation.lada.util.rest.RequestMethod; import de.intevation.lada.util.rest.Response; @Path("messwert") @@ -50,14 +49,9 @@ @RepositoryConfig(type=RepositoryType.RW) private Repository defaultRepo; - /* The authentication module.*/ - @Inject - @AuthenticationConfig(type=AuthenticationType.NONE) - private Authentication authentication; - /* The authorization module.*/ @Inject - @AuthorizationConfig(type=AuthorizationType.NONE) + @AuthorizationConfig(type=AuthorizationType.OPEN_ID) private Authorization authorization; /** @@ -70,12 +64,9 @@ @Produces(MediaType.APPLICATION_JSON) public Response get( @Context HttpHeaders headers, - @Context UriInfo info + @Context UriInfo info, + @Context HttpServletRequest request ) { - if (!authentication.isAuthenticated(headers)) { - logger.debug("User is not authenticated!"); - return new Response(false, 699, null); - } MultivaluedMap<String, String> params = info.getQueryParameters(); if (params.isEmpty() || !params.containsKey("messungsId")) { logger.debug("get all"); @@ -87,7 +78,10 @@ defaultRepo.entityManager("land"), LMesswert.class); builder.and("messungsId", messungId); - return defaultRepo.filter(builder.getQuery(), "land"); + return authorization.filter( + request, + defaultRepo.filter(builder.getQuery(), "land"), + LMesswert.class); } /** @@ -100,13 +94,13 @@ @Produces(MediaType.APPLICATION_JSON) public Response getById( @Context HttpHeaders headers, + @Context HttpServletRequest request, @PathParam("id") String id ) { - if (!authentication.isAuthenticated(headers)) { - logger.debug("User is not authenticated!"); - return new Response(false, 699, null); - } - return defaultRepo.getById(LMesswert.class, Integer.valueOf(id), "land"); + return authorization.filter( + request, + defaultRepo.getById(LMesswert.class, Integer.valueOf(id), "land"), + LMesswert.class); } @POST @@ -114,9 +108,15 @@ @Produces(MediaType.APPLICATION_JSON) public Response create( @Context HttpHeaders headers, + @Context HttpServletRequest request, LMesswert messwert ) { - if (!authentication.isAuthenticated(headers)) { + if (!authorization.isAuthorized( + request, + messwert, + RequestMethod.POST, + LMesswert.class) + ) { return new Response(false, 699, null); } /* Persist the new messung object*/ @@ -131,9 +131,17 @@ @PUT @Path("/{id}") @Produces(MediaType.APPLICATION_JSON) - public Response update(@Context HttpHeaders headers, LMesswert messwert) { - if (!authentication.isAuthenticated(headers)) { - logger.debug("User is not authenticated!"); + public Response update( + @Context HttpHeaders headers, + @Context HttpServletRequest request, + LMesswert messwert + ) { + if (!authorization.isAuthorized( + request, + messwert, + RequestMethod.PUT, + LMesswert.class) + ) { return new Response(false, 699, null); } Response response = defaultRepo.update(messwert, "land"); @@ -153,16 +161,21 @@ @Produces(MediaType.APPLICATION_JSON) public Response delete( @Context HttpHeaders headers, + @Context HttpServletRequest request, @PathParam("id") String id ) { - if (!authentication.isAuthenticated(headers)) { - logger.debug("User is not authenticated!"); - return new Response(false, 699, null); - } /* Get the messwert object by id*/ Response messwert = defaultRepo.getById(LMesswert.class, Integer.valueOf(id), "land"); LMesswert messwertObj = (LMesswert)messwert.getData(); + if (!authorization.isAuthorized( + request, + messwertObj, + RequestMethod.DELETE, + LMesswert.class) + ) { + return new Response(false, 699, null); + } /* Delete the messwert object*/ return defaultRepo.delete(messwertObj, "land"); }
--- a/src/main/java/de/intevation/lada/rest/OrtService.java Mon Mar 23 17:50:51 2015 +0100 +++ b/src/main/java/de/intevation/lada/rest/OrtService.java Mon Mar 23 17:52:17 2015 +0100 @@ -9,6 +9,7 @@ import javax.enterprise.context.RequestScoped; import javax.inject.Inject; +import javax.servlet.http.HttpServletRequest; import javax.ws.rs.DELETE; import javax.ws.rs.GET; import javax.ws.rs.POST; @@ -25,16 +26,14 @@ import org.apache.log4j.Logger; import de.intevation.lada.model.land.LOrt; -import de.intevation.lada.util.annotation.AuthenticationConfig; import de.intevation.lada.util.annotation.AuthorizationConfig; import de.intevation.lada.util.annotation.RepositoryConfig; -import de.intevation.lada.util.auth.Authentication; -import de.intevation.lada.util.auth.AuthenticationType; import de.intevation.lada.util.auth.Authorization; import de.intevation.lada.util.auth.AuthorizationType; import de.intevation.lada.util.data.QueryBuilder; import de.intevation.lada.util.data.Repository; import de.intevation.lada.util.data.RepositoryType; +import de.intevation.lada.util.rest.RequestMethod; import de.intevation.lada.util.rest.Response; @Path("ort") @@ -50,14 +49,9 @@ @RepositoryConfig(type=RepositoryType.RW) private Repository defaultRepo; - /* The authentication module.*/ - @Inject - @AuthenticationConfig(type=AuthenticationType.NONE) - private Authentication authentication; - /* The authorization module.*/ @Inject - @AuthorizationConfig(type=AuthorizationType.NONE) + @AuthorizationConfig(type=AuthorizationType.OPEN_ID) private Authorization authorization; /** @@ -70,12 +64,9 @@ @Produces(MediaType.APPLICATION_JSON) public Response get( @Context HttpHeaders headers, - @Context UriInfo info + @Context UriInfo info, + @Context HttpServletRequest request ) { - if (!authentication.isAuthenticated(headers)) { - logger.debug("User is not authenticated!"); - return new Response(false, 699, null); - } MultivaluedMap<String, String> params = info.getQueryParameters(); if (params.isEmpty() || !params.containsKey("probeId")) { logger.debug("get all"); @@ -87,7 +78,10 @@ defaultRepo.entityManager("land"), LOrt.class); builder.and("probeId", probeId); - return defaultRepo.filter(builder.getQuery(), "land"); + return authorization.filter( + request, + defaultRepo.filter(builder.getQuery(), "land"), + LOrt.class); } /** @@ -100,13 +94,13 @@ @Produces(MediaType.APPLICATION_JSON) public Response getById( @Context HttpHeaders headers, + @Context HttpServletRequest request, @PathParam("id") String id ) { - if (!authentication.isAuthenticated(headers)) { - logger.debug("User is not authenticated!"); - return new Response(false, 699, null); - } - return defaultRepo.getById(LOrt.class, Integer.valueOf(id), "land"); + return authorization.filter( + request, + defaultRepo.getById(LOrt.class, Integer.valueOf(id), "land"), + LOrt.class); } @POST @@ -114,9 +108,14 @@ @Produces(MediaType.APPLICATION_JSON) public Response create( @Context HttpHeaders headers, + @Context HttpServletRequest request, LOrt ort ) { - if (!authentication.isAuthenticated(headers)) { + if (!authorization.isAuthorized( + request, + ort, + RequestMethod.POST, + LOrt.class)) { return new Response(false, 699, null); } /* Persist the new object*/ @@ -131,9 +130,16 @@ @PUT @Path("/{id}") @Produces(MediaType.APPLICATION_JSON) - public Response update(@Context HttpHeaders headers, LOrt ort) { - if (!authentication.isAuthenticated(headers)) { - logger.debug("User is not authenticated!"); + public Response update( + @Context HttpHeaders headers, + @Context HttpServletRequest request, + LOrt ort + ) { + if (!authorization.isAuthorized( + request, + ort, + RequestMethod.PUT, + LOrt.class)) { return new Response(false, 699, null); } Response response = defaultRepo.update(ort, "land"); @@ -153,16 +159,20 @@ @Produces(MediaType.APPLICATION_JSON) public Response delete( @Context HttpHeaders headers, + @Context HttpServletRequest request, @PathParam("id") String id ) { - if (!authentication.isAuthenticated(headers)) { - logger.debug("User is not authenticated!"); - return new Response(false, 699, null); - } /* Get the messwert object by id*/ Response object = defaultRepo.getById(LOrt.class, Integer.valueOf(id), "land"); LOrt ortObj = (LOrt)object.getData(); + if (!authorization.isAuthorized( + request, + ortObj, + RequestMethod.PUT, + LOrt.class)) { + return new Response(false, 699, null); + } /* Delete the messwert object*/ return defaultRepo.delete(ortObj, "land"); }
--- a/src/main/java/de/intevation/lada/rest/ProbeService.java Mon Mar 23 17:50:51 2015 +0100 +++ b/src/main/java/de/intevation/lada/rest/ProbeService.java Mon Mar 23 17:52:17 2015 +0100 @@ -20,6 +20,7 @@ import javax.json.JsonObject; import javax.json.JsonReader; import javax.persistence.Query; +import javax.servlet.http.HttpServletRequest; import javax.ws.rs.DELETE; import javax.ws.rs.GET; import javax.ws.rs.POST; @@ -38,16 +39,14 @@ import de.intevation.lada.model.land.LProbe; import de.intevation.lada.model.land.ProbeTranslation; import de.intevation.lada.query.QueryTools; -import de.intevation.lada.util.annotation.AuthenticationConfig; import de.intevation.lada.util.annotation.AuthorizationConfig; import de.intevation.lada.util.annotation.RepositoryConfig; -import de.intevation.lada.util.auth.Authentication; -import de.intevation.lada.util.auth.AuthenticationType; import de.intevation.lada.util.auth.Authorization; import de.intevation.lada.util.auth.AuthorizationType; import de.intevation.lada.util.data.QueryBuilder; import de.intevation.lada.util.data.Repository; import de.intevation.lada.util.data.RepositoryType; +import de.intevation.lada.util.rest.RequestMethod; import de.intevation.lada.util.rest.Response; import de.intevation.lada.validation.Validator; import de.intevation.lada.validation.Violation; @@ -72,14 +71,9 @@ @RepositoryConfig(type=RepositoryType.RW) private Repository defaultRepo; - /* The authentication module.*/ - @Inject - @AuthenticationConfig(type=AuthenticationType.NONE) - private Authentication authentication; - /* The authorization module.*/ @Inject - @AuthorizationConfig(type=AuthorizationType.NONE) + @AuthorizationConfig(type=AuthorizationType.OPEN_ID) private Authorization authorization; @Inject @@ -97,12 +91,11 @@ @Produces("application/json") public Response get( @Context HttpHeaders headers, - @Context UriInfo info + @Context UriInfo info, + @Context HttpServletRequest request ) { - if (!authentication.isAuthenticated(headers)) { - logger.debug("User is not authenticated!"); - return new Response(false, 699, null); - } + logger.debug("user: " + request.getAttribute("lada.user.name")); + logger.debug("roles: " + request.getAttribute("lada.user.roles")); MultivaluedMap<String, String> params = info.getQueryParameters(); if (params.isEmpty() || !params.containsKey("qid")) { return defaultRepo.getAll(LProbe.class, "land"); @@ -116,11 +109,12 @@ sql = jsonQuery.getString("sql"); if (params.containsKey("sort")) { String sort = params.getFirst("sort"); + logger.debug("Sort parameter: " + sort); JsonReader reader = Json.createReader(new StringReader(sort)); - JsonObject sortProperties = reader.readObject(); + JsonObject sortProperties = reader.readArray().getJsonObject(0); sql += " ORDER BY "; - sql += sortProperties.getJsonString("property") + " "; - sql += sortProperties.getJsonString("direction"); + sql += sortProperties.getJsonString("property").getString() + " "; + sql += sortProperties.getJsonString("direction").getString(); } JsonArray jsonFilters = jsonQuery.getJsonArray("filters"); JsonArray jsonResults = jsonQuery.getJsonArray("result"); @@ -143,7 +137,7 @@ params, defaultRepo.entityManager("land")); List<Map<String, Object>> result = - QueryTools.prepareResult(query.getResultList(), results); + QueryTools.prepareResult(query.getResultList(), results, authorization, authorization.getInfo(request)); if (params.containsKey("start") && params.containsKey("limit")) { int start = Integer.valueOf(params.getFirst("start")); int limit = Integer.valueOf(params.getFirst("limit")); @@ -163,19 +157,16 @@ @Produces(MediaType.APPLICATION_JSON) public Response getById( @Context HttpHeaders headers, - @PathParam("id") String id + @PathParam("id") String id, + @Context HttpServletRequest request ) { - if (!authentication.isAuthenticated(headers)) { - logger.debug("User is not authenticated!"); - return new Response(false, 699, null); - } Response response = defaultRepo.getById(LProbe.class, Integer.valueOf(id), "land"); Violation violation = validator.validate(response.getData()); if (violation.hasWarnings()) { response.setWarnings(violation.getWarnings()); } - return response; + return this.authorization.filter(request, response, LProbe.class); } /** @@ -186,8 +177,17 @@ @POST @Path("/") @Produces(MediaType.APPLICATION_JSON) - public Response create(@Context HttpHeaders headers, LProbe probe) { - if (!authentication.isAuthenticated(headers)) { + public Response create( + @Context HttpHeaders headers, + @Context HttpServletRequest request, + LProbe probe + ) { + if (!authorization.isAuthorized( + request, + probe, + RequestMethod.POST, + LProbe.class) + ) { return new Response(false, 699, null); } Violation violation = validator.validate(probe); @@ -221,9 +221,17 @@ @PUT @Path("/{id}") @Produces(MediaType.APPLICATION_JSON) - public Response update(@Context HttpHeaders headers, LProbe probe) { - if (!authentication.isAuthenticated(headers)) { - logger.debug("User is not authenticated!"); + public Response update( + @Context HttpHeaders headers, + @Context HttpServletRequest request, + LProbe probe + ) { + if (!authorization.isAuthorized( + request, + probe, + RequestMethod.PUT, + LProbe.class) + ) { return new Response(false, 699, null); } Violation violation = validator.validate(probe); @@ -253,16 +261,21 @@ @Produces(MediaType.APPLICATION_JSON) public Response delete( @Context HttpHeaders headers, + @Context HttpServletRequest request, @PathParam("id") String id ) { - if (!authentication.isAuthenticated(headers)) { - logger.debug("User is not authenticated!"); - return new Response(false, 699, null); - } /* Get the probe object by id*/ Response probe = defaultRepo.getById(LProbe.class, Integer.valueOf(id), "land"); LProbe probeObj = (LProbe)probe.getData(); + if (!authorization.isAuthorized( + request, + probeObj, + RequestMethod.DELETE, + LProbe.class) + ) { + return new Response(false, 699, null); + } /* Create a query and request the probetranslation object for the * probe*/ QueryBuilder<ProbeTranslation> builder =
--- a/src/main/java/de/intevation/lada/rest/StatusService.java Mon Mar 23 17:50:51 2015 +0100 +++ b/src/main/java/de/intevation/lada/rest/StatusService.java Mon Mar 23 17:52:17 2015 +0100 @@ -9,6 +9,7 @@ import javax.enterprise.context.RequestScoped; import javax.inject.Inject; +import javax.servlet.http.HttpServletRequest; import javax.ws.rs.DELETE; import javax.ws.rs.GET; import javax.ws.rs.POST; @@ -22,42 +23,29 @@ import javax.ws.rs.core.MultivaluedMap; import javax.ws.rs.core.UriInfo; -import org.apache.log4j.Logger; - import de.intevation.lada.model.land.LStatus; -import de.intevation.lada.util.annotation.AuthenticationConfig; import de.intevation.lada.util.annotation.AuthorizationConfig; import de.intevation.lada.util.annotation.RepositoryConfig; -import de.intevation.lada.util.auth.Authentication; -import de.intevation.lada.util.auth.AuthenticationType; import de.intevation.lada.util.auth.Authorization; import de.intevation.lada.util.auth.AuthorizationType; import de.intevation.lada.util.data.QueryBuilder; import de.intevation.lada.util.data.Repository; import de.intevation.lada.util.data.RepositoryType; +import de.intevation.lada.util.rest.RequestMethod; import de.intevation.lada.util.rest.Response; @Path("status") @RequestScoped public class StatusService { - /* The logger used in this class.*/ - @Inject - private Logger logger; - /* The data repository granting read/write access.*/ @Inject @RepositoryConfig(type=RepositoryType.RW) private Repository defaultRepo; - /* The authentication module.*/ - @Inject - @AuthenticationConfig(type=AuthenticationType.NONE) - private Authentication authentication; - /* The authorization module.*/ @Inject - @AuthorizationConfig(type=AuthorizationType.NONE) + @AuthorizationConfig(type=AuthorizationType.OPEN_ID) private Authorization authorization; /** @@ -70,12 +58,9 @@ @Produces(MediaType.APPLICATION_JSON) public Response get( @Context HttpHeaders headers, - @Context UriInfo info + @Context UriInfo info, + @Context HttpServletRequest request ) { - if (!authentication.isAuthenticated(headers)) { - logger.debug("User is not authenticated!"); - return new Response(false, 699, null); - } MultivaluedMap<String, String> params = info.getQueryParameters(); if (params.isEmpty() || !params.containsKey("messungsId")) { return defaultRepo.getAll(LStatus.class, "land"); @@ -86,7 +71,10 @@ defaultRepo.entityManager("land"), LStatus.class); builder.and("messungsId", messungId); - return defaultRepo.filter(builder.getQuery(), "land"); + return authorization.filter( + request, + defaultRepo.filter(builder.getQuery(), "land"), + LStatus.class); } /** @@ -99,13 +87,13 @@ @Produces(MediaType.APPLICATION_JSON) public Response getById( @Context HttpHeaders headers, + @Context HttpServletRequest request, @PathParam("id") String id ) { - if (!authentication.isAuthenticated(headers)) { - logger.debug("User is not authenticated!"); - return new Response(false, 699, null); - } - return defaultRepo.getById(LStatus.class, Integer.valueOf(id), "land"); + return authorization.filter( + request, + defaultRepo.getById(LStatus.class, Integer.valueOf(id), "land"), + LStatus.class); } @POST @@ -113,9 +101,15 @@ @Produces(MediaType.APPLICATION_JSON) public Response create( @Context HttpHeaders headers, + @Context HttpServletRequest request, LStatus status ) { - if (!authentication.isAuthenticated(headers)) { + if (!authorization.isAuthorized( + request, + status, + RequestMethod.POST, + LStatus.class) + ) { return new Response(false, 699, null); } /* Persist the new object*/ @@ -130,9 +124,17 @@ @PUT @Path("/{id}") @Produces(MediaType.APPLICATION_JSON) - public Response update(@Context HttpHeaders headers, LStatus status) { - if (!authentication.isAuthenticated(headers)) { - logger.debug("User is not authenticated!"); + public Response update( + @Context HttpHeaders headers, + @Context HttpServletRequest request, + LStatus status + ) { + if (!authorization.isAuthorized( + request, + status, + RequestMethod.PUT, + LStatus.class) + ) { return new Response(false, 699, null); } Response response = defaultRepo.update(status, "land"); @@ -152,16 +154,21 @@ @Produces(MediaType.APPLICATION_JSON) public Response delete( @Context HttpHeaders headers, + @Context HttpServletRequest request, @PathParam("id") String id ) { - if (!authentication.isAuthenticated(headers)) { - logger.debug("User is not authenticated!"); - return new Response(false, 699, null); - } /* Get the object by id*/ Response object = defaultRepo.getById(LStatus.class, Integer.valueOf(id), "land"); LStatus obj = (LStatus)object.getData(); + if (!authorization.isAuthorized( + request, + obj, + RequestMethod.DELETE, + LStatus.class) + ) { + return new Response(false, 699, null); + } /* Delete the object*/ return defaultRepo.delete(obj, "land"); }
--- a/src/main/java/de/intevation/lada/rest/ZusatzwertService.java Mon Mar 23 17:50:51 2015 +0100 +++ b/src/main/java/de/intevation/lada/rest/ZusatzwertService.java Mon Mar 23 17:52:17 2015 +0100 @@ -9,6 +9,7 @@ import javax.enterprise.context.RequestScoped; import javax.inject.Inject; +import javax.servlet.http.HttpServletRequest; import javax.ws.rs.DELETE; import javax.ws.rs.GET; import javax.ws.rs.POST; @@ -22,42 +23,29 @@ import javax.ws.rs.core.MultivaluedMap; import javax.ws.rs.core.UriInfo; -import org.apache.log4j.Logger; - import de.intevation.lada.model.land.LZusatzWert; -import de.intevation.lada.util.annotation.AuthenticationConfig; import de.intevation.lada.util.annotation.AuthorizationConfig; import de.intevation.lada.util.annotation.RepositoryConfig; -import de.intevation.lada.util.auth.Authentication; -import de.intevation.lada.util.auth.AuthenticationType; import de.intevation.lada.util.auth.Authorization; import de.intevation.lada.util.auth.AuthorizationType; import de.intevation.lada.util.data.QueryBuilder; import de.intevation.lada.util.data.Repository; import de.intevation.lada.util.data.RepositoryType; +import de.intevation.lada.util.rest.RequestMethod; import de.intevation.lada.util.rest.Response; @Path("zusatzwert") @RequestScoped public class ZusatzwertService { - /* The logger used in this class.*/ - @Inject - private Logger logger; - /* The data repository granting read/write access.*/ @Inject @RepositoryConfig(type=RepositoryType.RW) private Repository defaultRepo; - /* The authentication module.*/ - @Inject - @AuthenticationConfig(type=AuthenticationType.NONE) - private Authentication authentication; - /* The authorization module.*/ @Inject - @AuthorizationConfig(type=AuthorizationType.NONE) + @AuthorizationConfig(type=AuthorizationType.OPEN_ID) private Authorization authorization; /** @@ -70,12 +58,9 @@ @Produces(MediaType.APPLICATION_JSON) public Response get( @Context HttpHeaders headers, + @Context HttpServletRequest request, @Context UriInfo info ) { - if (!authentication.isAuthenticated(headers)) { - logger.debug("User is not authenticated!"); - return new Response(false, 699, null); - } MultivaluedMap<String, String> params = info.getQueryParameters(); if (params.isEmpty() || !params.containsKey("probeId")) { return defaultRepo.getAll(LZusatzWert.class, "land"); @@ -86,7 +71,10 @@ defaultRepo.entityManager("land"), LZusatzWert.class); builder.and("probeId", probeId); - return defaultRepo.filter(builder.getQuery(), "land"); + return authorization.filter( + request, + defaultRepo.filter(builder.getQuery(), "land"), + LZusatzWert.class); } /** @@ -99,13 +87,13 @@ @Produces(MediaType.APPLICATION_JSON) public Response getById( @Context HttpHeaders headers, + @Context HttpServletRequest request, @PathParam("id") String id ) { - if (!authentication.isAuthenticated(headers)) { - logger.debug("User is not authenticated!"); - return new Response(false, 699, null); - } - return defaultRepo.getById(LZusatzWert.class, Integer.valueOf(id), "land"); + return authorization.filter( + request, + defaultRepo.getById(LZusatzWert.class, Integer.valueOf(id), "land"), + LZusatzWert.class); } @POST @@ -113,9 +101,15 @@ @Produces(MediaType.APPLICATION_JSON) public Response create( @Context HttpHeaders headers, + @Context HttpServletRequest request, LZusatzWert zusatzwert ) { - if (!authentication.isAuthenticated(headers)) { + if (!authorization.isAuthorized( + request, + zusatzwert, + RequestMethod.POST, + LZusatzWert.class) + ) { return new Response(false, 699, null); } /* Persist the new object*/ @@ -132,10 +126,15 @@ @Produces(MediaType.APPLICATION_JSON) public Response update( @Context HttpHeaders headers, + @Context HttpServletRequest request, LZusatzWert zusatzwert ) { - if (!authentication.isAuthenticated(headers)) { - logger.debug("User is not authenticated!"); + if (!authorization.isAuthorized( + request, + zusatzwert, + RequestMethod.PUT, + LZusatzWert.class) + ) { return new Response(false, 699, null); } Response response = defaultRepo.update(zusatzwert, "land"); @@ -155,16 +154,21 @@ @Produces(MediaType.APPLICATION_JSON) public Response delete( @Context HttpHeaders headers, + @Context HttpServletRequest request, @PathParam("id") String id ) { - if (!authentication.isAuthenticated(headers)) { - logger.debug("User is not authenticated!"); - return new Response(false, 699, null); - } /* Get the object by id*/ Response object = defaultRepo.getById(LZusatzWert.class, Integer.valueOf(id), "land"); LZusatzWert obj = (LZusatzWert)object.getData(); + if (!authorization.isAuthorized( + request, + obj, + RequestMethod.DELETE, + LZusatzWert.class) + ) { + return new Response(false, 699, null); + } /* Delete the object*/ return defaultRepo.delete(obj, "land"); }