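/**
 * JAX-RS request filter that enforces the JSR-250 annotations ({@code @PermitAll},
 * {@code @DenyAll}, {@code @RolesAllowed}) found on the matched resource method using
 * HTTP Basic credentials from the {@code Authorization} header.
 *
 * Only the resource method's own annotations are consulted; class-level annotations on the
 * resource are not looked at.
 */
public class AuthenticationFilter implements ContainerRequestFilter
{
    @Context
    private ResourceInfo resourceInfo;

    private static final String AUTHORIZATION_PROPERTY = "Authorization";
    private static final String AUTHENTICATION_SCHEME = "Basic";
    private static final String WWW_AUTHENTICATE_HEADER = "WWW-Authenticate";
    // Constructed sample realm name; adjust to the deployment.
    private static final String REALM = "rest";

    // A 401 must carry a challenge so clients know which scheme to retry with (RFC 7235).
    private static final Response ACCESS_DENIED = Response.status(Response.Status.UNAUTHORIZED)
            .header(WWW_AUTHENTICATE_HEADER, AUTHENTICATION_SCHEME + " realm=\"" + REALM + "\"")
            .entity("You cannot acces this resource")
            .build();
    private static final Response ACCES_FORBIDDEN = Response.status(Response.Status.FORBIDDEN)
            .entity("Access blocked for all users!!!")
            .build();

    /**
     * Aborts the request with 401/403 when the matched method's annotations are not satisfied
     * by the supplied Basic credentials; otherwise lets the request continue.
     *
     * @param containerRequestContext the request being filtered
     * @throws IOException declared by {@link ContainerRequestFilter#filter}; not thrown here
     */
    @Override
    public void filter(ContainerRequestContext containerRequestContext) throws IOException
    {
        Method method = resourceInfo.getResourceMethod();

        // Method allowed for all: nothing to check.
        if (method.isAnnotationPresent(PermitAll.class))
        {
            return;
        }
        // Access denied for all.
        if (method.isAnnotationPresent(DenyAll.class))
        {
            containerRequestContext.abortWith(ACCES_FORBIDDEN);
            return;
        }

        // Fetch the Authorization header; no credentials at all -> 401.
        final MultivaluedMap<String, String> headers = containerRequestContext.getHeaders();
        final List<String> authorization = headers.get(AUTHORIZATION_PROPERTY);
        if (authorization == null || authorization.isEmpty())
        {
            containerRequestContext.abortWith(ACCESS_DENIED);
            return;
        }

        // A wrong scheme, bad Base64 or a missing ':' is a client error and yields 401 instead
        // of an exception escaping the filter as a 500.
        final String[] credentials = parseBasicCredentials(authorization.get(0));
        if (credentials == null)
        {
            containerRequestContext.abortWith(ACCESS_DENIED);
            return;
        }
        final String username = credentials[0];
        final String password = credentials[1];

        // NOTE(review): a method carrying none of @PermitAll/@DenyAll/@RolesAllowed reaches
        // the resource as long as a well-formed Basic header is present; the credentials are
        // never verified for that case. Confirm this is intended or add a credential check.
        if (method.isAnnotationPresent(RolesAllowed.class))
        {
            RolesAllowed rolesAnnotation = method.getAnnotation(RolesAllowed.class);
            Set<String> rolesSet = new HashSet<String>(Arrays.asList(rolesAnnotation.value()));
            if (!isUserAllowed(username, password, rolesSet))
            {
                containerRequestContext.abortWith(ACCESS_DENIED);
                return;
            }
        }
    }

    /**
     * Parses an {@code Authorization} header value of the form
     * {@code Basic <base64(username:password)>}.
     *
     * @param headerValue the raw header value, may be {@code null}
     * @return a two-element array {username, password}, or {@code null} when the value does not
     *         use the Basic scheme, is not valid Base64, or has no ':' separator
     */
    private static String[] parseBasicCredentials(final String headerValue)
    {
        final String prefix = AUTHENTICATION_SCHEME + " ";
        // Scheme names are case-insensitive (RFC 7617). Checking the scheme explicitly also stops
        // a token from some other scheme being decoded as if it were Basic credentials.
        if (headerValue == null
                || headerValue.length() <= prefix.length()
                || !headerValue.regionMatches(true, 0, prefix, 0, prefix.length()))
        {
            return null;
        }
        final String encoded = headerValue.substring(prefix.length()).trim();

        final byte[] decoded;
        try
        {
            decoded = java.util.Base64.getDecoder().decode(encoded);
        }
        catch (IllegalArgumentException malformedBase64)
        {
            return null;
        }
        // Explicit charset: the platform default is not guaranteed to be UTF-8.
        final String usernameAndPassword =
                new String(decoded, java.nio.charset.StandardCharsets.UTF_8);

        // Split on the first ':' only; the password itself may contain ':'.
        final int separator = usernameAndPassword.indexOf(':');
        if (separator < 0)
        {
            return null;
        }
        return new String[] {
                usernameAndPassword.substring(0, separator),
                usernameAndPassword.substring(separator + 1)
        };
    }

    /**
     * Checks the supplied credentials and whether the resulting user holds one of the roles.
     *
     * @param username the presented user name
     * @param password the presented password
     * @param rolesSet the roles the resource method allows
     * @return {@code true} only when the credentials match and the user's role is in {@code rolesSet}
     */
    private boolean isUserAllowed(final String username, final String password, final Set<String> rolesSet)
    {
        // for test purposes I'm still not checking user credentials from the db
        // NOTE(review): placeholder credentials; replace with a real user store before deployment.
        // Non-short-circuit '&' so both comparisons always run.
        final boolean credentialsMatch =
                constantTimeEquals(username, "test") & constantTimeEquals(password, "test");
        if (!credentialsMatch)
        {
            return false;
        }
        String userRole = "test";
        return rolesSet.contains(userRole);
    }

    /**
     * Compares two strings without leaking where they first differ through timing.
     *
     * @param actual   value supplied by the client
     * @param expected reference value
     * @return whether the two are byte-for-byte equal as UTF-8
     */
    private static boolean constantTimeEquals(final String actual, final String expected)
    {
        return java.security.MessageDigest.isEqual(
                actual.getBytes(java.nio.charset.StandardCharsets.UTF_8),
                expected.getBytes(java.nio.charset.StandardCharsets.UTF_8));
    }
}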
/**
 * JAX-RS application rooted at {@code /rest}: registers the Basic-auth request filter and
 * Jersey's {@code RolesAllowedDynamicFeature}.
 */
@ApplicationPath("/rest")
@PermitAll
public class MyApplication extends ResourceConfig
{
    public MyApplication()
    {
        // NOTE(review): AuthenticationFilter reads annotations from the resource method only,
        // so the @PermitAll on this Application class is not consulted by it — confirm it is
        // intended. RolesAllowedDynamicFeature presumably checks roles via SecurityContext,
        // which the filter does not populate; verify the two mechanisms agree.
        registerClasses(AuthenticationFilter.class, RolesAllowedDynamicFeature.class);
    }
}
...
<!-- Points the servlet at the JAX-RS Application subclass above. -->
<init-param>
    <param-name>javax.ws.rs.Application</param-name>
    <param-value>mypackage.MyApplication</param-value>
</init-param>
...
<!-- Container-level constraint: every URL requires the "test" role, the same role name the
     filter's isUserAllowed() grants, so the two must be kept in sync. -->
<!-- NOTE(review): no <user-data-constraint> is present, so Basic credentials (Base64-encoded,
     not encrypted) may be accepted over plain HTTP; a
     <transport-guarantee>CONFIDENTIAL</transport-guarantee> user-data-constraint limits this
     to TLS. The <login-config> this constraint relies on is not visible in this fragment. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>/</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>test</role-name>
    </auth-constraint>
</security-constraint>