2 * ============LICENSE_START====================================================
4 * ===========================================================================
5 * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
6 * ===========================================================================
7 * Licensed under the Apache License, Version 2.0 (the "License");
8 * you may not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
11 * http://www.apache.org/licenses/LICENSE-2.0
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS,
15 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 * ============LICENSE_END====================================================
22 package org.onap.aaf.sample.cadi.jetty;
24 import java.io.IOException;
26 import javax.servlet.Servlet;
27 import javax.servlet.ServletException;
28 import javax.servlet.ServletRequest;
29 import javax.servlet.ServletResponse;
30 import javax.servlet.UnavailableException;
31 import javax.servlet.http.HttpServletRequest;
32 import javax.servlet.http.HttpServletResponse;
34 import org.eclipse.jetty.server.Request;
35 import org.eclipse.jetty.servlet.ServletHolder;
36 import org.onap.aaf.cadi.filter.RolesAllowed;
43 * Supports checking JASPI-style annotation authorizations on a held servlet.
45 * This can be a clean way to enforce API Authorization without mistakes in code.
47 * @author JonathanGathman
50 public class MiniJASPIWrap extends ServletHolder {
// Roles declared by the held servlet's @RolesAllowed annotation (the CADI type
// imported above); null when the servlet class carries no such annotation.
51 private RolesAllowed rolesAllowed;
52 //private String roles;
/**
 * Holds {@code servlet} and captures its {@code RolesAllowed} annotation for use in {@link #handle}.
 * <p>
 * The annotation type looked up here is the CADI {@code org.onap.aaf.cadi.filter.RolesAllowed}
 * imported above, not {@code javax.annotation.security.RolesAllowed}; a servlet annotated only with
 * the latter leaves {@code rolesAllowed} null, and {@link #handle} then delegates without a role check.
 *
 * @param servlet the servlet class this holder wraps; must be non-null (its annotations are read here)
 */
53 public MiniJASPIWrap(Class<? extends Servlet> servlet) {
55 this.rolesAllowed = servlet.getAnnotation(RolesAllowed.class);
// NOTE(review): this listing elides some source lines (e.g. the loop body that presumably fills sb);
// the only visible consumer of sb is the commented-out assignment to roles below.
56 StringBuilder sb = new StringBuilder();
58 if(rolesAllowed!=null) {
59 for(String str : rolesAllowed.value()) {
65 //roles = sb.toString();
71 * When utilized, this class authorizes the transaction by first calling the standard J2EE API call
72 * "isUserInRole" with the role(s) found in the class Annotations (JASPI Style)
75 public void handle(Request baseRequest, ServletRequest request, ServletResponse response) throws ServletException, UnavailableException, IOException {
76 if(rolesAllowed==null) {
77 super.handle(baseRequest, request, response);
81 HttpServletRequest hreq = (HttpServletRequest)request;
82 boolean proceed = false;
83 for(String role : rolesAllowed.value()) {
84 if(hreq.isUserInRole(role)) {
90 super.handle(baseRequest, request, response);
92 //baseRequest.getServletContext().log(hreq.getUserPrincipal().getName()+" Refused " + roles);
93 ((HttpServletResponse)response).sendError(403); // forbidden
95 } catch(ClassCastException e) {
96 throw new ServletException("JASPIWrap only supports HTTPServletRequest/HttpServletResponse");