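/**
 * JAX-RS request filter that enforces HTTP Basic authentication on resource methods.
 * <p>
 * The decision is driven by the {@code javax.annotation.security} annotations on the
 * matched resource method: {@code @PermitAll} skips the check entirely, {@code @DenyAll}
 * aborts with 403, and every other method requires a well-formed {@code Basic} credential
 * that matches the hard-coded test account; {@code @RolesAllowed} additionally requires
 * the account's role to be listed. Class-level annotations are not consulted.
 * <p>
 * Credentials are checked against a single hard-coded account (see {@link #authenticate});
 * this is a development stand-in, not a user store.
 */
public class AuthenticationFilter implements ContainerRequestFilter
{
    // Injected by the JAX-RS runtime; describes the resource method matched for this request.
    @Context
    private ResourceInfo resourceInfo;

    private static final String AUTHORIZATION_PROPERTY = "Authorization";
    private static final String AUTHENTICATION_SCHEME = "Basic";
    // A 401 is expected to carry a WWW-Authenticate challenge (RFC 7235); none is set here,
    // so non-browser clients must know to send Basic credentials up front.
    private static final Response ACCESS_DENIED = Response.status(Response.Status.UNAUTHORIZED).entity("You cannot acces this resource").build();
    private static final Response ACCES_FORBIDDEN = Response.status(Response.Status.FORBIDDEN).entity("Access blocked for all users!!!").build();

    // Single hard-coded account, used until credentials are looked up in the database.
    private static final String TEST_USERNAME = "test";
    private static final String TEST_PASSWORD = "test";
    private static final String TEST_ROLE = "test";

    /**
     * Authenticates and authorizes the current request against the matched resource method.
     * <p>
     * Aborts the request with {@link #ACCES_FORBIDDEN} for {@code @DenyAll} methods and with
     * {@link #ACCESS_DENIED} when credentials are absent, malformed, wrong, or lack a role
     * required by {@code @RolesAllowed}. {@code @PermitAll} methods pass through untouched.
     *
     * @param containerRequestContext the request being filtered; aborted in place on failure
     * @throws IOException never thrown here; declared by {@link ContainerRequestFilter}
     */
    @Override
    public void filter(ContainerRequestContext containerRequestContext) throws IOException
    {
        final Method method = resourceInfo.getResourceMethod();

        // Method allowed for all: nothing to check.
        if (method.isAnnotationPresent(PermitAll.class))
        {
            return;
        }

        // Access denied for all, regardless of credentials.
        if (method.isAnnotationPresent(DenyAll.class))
        {
            containerRequestContext.abortWith(ACCES_FORBIDDEN);
            return;
        }

        // Fetch the Authorization header; only the first value is considered.
        final MultivaluedMap<String, String> headers = containerRequestContext.getHeaders();
        final List<String> authorization = headers.get(AUTHORIZATION_PROPERTY);
        if (authorization == null || authorization.isEmpty())
        {
            containerRequestContext.abortWith(ACCESS_DENIED);
            return;
        }

        // A header that is not a well-formed Basic credential is treated exactly like a
        // missing one, instead of surfacing a 500 from the decoder or the token split.
        final String[] credentials = parseBasicCredentials(authorization.get(0));
        if (credentials == null)
        {
            containerRequestContext.abortWith(ACCESS_DENIED);
            return;
        }
        final String username = credentials[0];
        final String password = credentials[1];

        if (method.isAnnotationPresent(RolesAllowed.class))
        {
            // Verify user access: the account's role must be among the allowed ones.
            final RolesAllowed rolesAnnotation = method.getAnnotation(RolesAllowed.class);
            final Set<String> rolesSet = new HashSet<String>(Arrays.asList(rolesAnnotation.value()));
            if (!isUserAllowed(username, password, rolesSet))
            {
                containerRequestContext.abortWith(ACCESS_DENIED);
                return;
            }
        }
        else if (!authenticate(username, password))
        {
            // A method without @PermitAll/@DenyAll/@RolesAllowed still needs valid
            // credentials; previously any Authorization header at all let it through.
            containerRequestContext.abortWith(ACCESS_DENIED);
            return;
        }
    }

    /**
     * Extracts the user name and password from an {@code Authorization} header value.
     * <p>
     * The scheme is matched case-insensitively (RFC 7235) and the credential is split at the
     * first {@code ':'} only, so passwords may themselves contain colons (RFC 7617).
     *
     * @param headerValue raw header value, e.g. {@code "Basic dGVzdDp0ZXN0"}
     * @return a two-element array {@code {username, password}}, or {@code null} when the
     *         value is not a {@code Basic} credential, is not valid Base64, or lacks a colon
     */
    private static String[] parseBasicCredentials(final String headerValue)
    {
        final String prefix = AUTHENTICATION_SCHEME + " ";
        if (headerValue == null || headerValue.length() <= prefix.length()
                || !headerValue.regionMatches(true, 0, prefix, 0, prefix.length()))
        {
            return null;
        }
        final String encodedUserPassword = headerValue.substring(prefix.length()).trim();

        final byte[] decoded;
        try
        {
            decoded = java.util.Base64.getDecoder().decode(encodedUserPassword);
        }
        catch (IllegalArgumentException malformed)
        {
            // Not Base64: a client error, so report it as bad credentials rather than a fault.
            return null;
        }

        // Explicit charset: the platform default is not guaranteed to be UTF-8.
        final String usernameAndPassword = new String(decoded, java.nio.charset.StandardCharsets.UTF_8);
        final int separator = usernameAndPassword.indexOf(':');
        if (separator < 0)
        {
            return null;
        }
        return new String[] {
            usernameAndPassword.substring(0, separator),
            usernameAndPassword.substring(separator + 1)
        };
    }

    /**
     * Checks that the credentials belong to a known account whose role is in {@code rolesSet}.
     *
     * @param username user name from the request
     * @param password password from the request
     * @param rolesSet roles permitted on the resource method
     * @return {@code true} when the account exists and holds one of the allowed roles
     */
    private boolean isUserAllowed(final String username, final String password, final Set<String> rolesSet)
    {
        // for test purposes I'm still not checking user credentials from the db
        return authenticate(username, password) && rolesSet.contains(TEST_ROLE);
    }

    /**
     * Validates a user name / password pair against the hard-coded test account.
     *
     * @param username user name from the request; {@code null} never matches
     * @param password password from the request; {@code null} never matches
     * @return {@code true} only for the test account
     */
    private static boolean authenticate(final String username, final String password)
    {
        if (username == null || password == null)
        {
            return false;
        }
        // Constant-time comparison so response timing does not reveal how much of the
        // password matched; cheap here, and the habit matters once a real store is wired in.
        final boolean passwordMatches = java.security.MessageDigest.isEqual(
                password.getBytes(java.nio.charset.StandardCharsets.UTF_8),
                TEST_PASSWORD.getBytes(java.nio.charset.StandardCharsets.UTF_8));
        return TEST_USERNAME.equals(username) && passwordMatches;
    }
}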
  82.  
/**
 * JAX-RS application served under {@code /rest}; wires the Basic-auth filter and Jersey's
 * {@code RolesAllowedDynamicFeature} into the resource configuration.
 * <p>
 * The {@code @PermitAll} on this class is not read by {@link AuthenticationFilter}, which
 * only inspects annotations on the matched resource method.
 */
@ApplicationPath("/rest")
@PermitAll
public class MyApplication extends ResourceConfig
{
    /** Registers both security components in a single call. */
    public MyApplication()
    {
        registerClasses(AuthenticationFilter.class, RolesAllowedDynamicFeature.class);
    }
}
  93.  
...
<!-- Points the JAX-RS servlet at the Application subclass that registers
     AuthenticationFilter and RolesAllowedDynamicFeature. -->
<init-param>
<param-name>javax.ws.rs.Application</param-name>
<param-value>mypackage.MyApplication</param-value>
</init-param>
...
<!-- Container-level constraint: every URL requires the "test" role, in addition to the
     per-method checks done by AuthenticationFilter. For a real deployment the role must
     also be declared in a <security-role> element, and because Basic credentials are only
     Base64-encoded, a <user-data-constraint> with transport-guarantee CONFIDENTIAL (TLS)
     is needed to keep them off the wire in clear text. -->
<security-constraint>
<web-resource-collection>
<web-resource-name>/</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>test</role-name>
</auth-constraint>
</security-constraint>