Source code

001// ***************************************************************************************************************************
002// * Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements.  See the NOTICE file *
003// * distributed with this work for additional information regarding copyright ownership.  The ASF licenses this file        *
004// * to you under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance            *
005// * with the License.  You may obtain a copy of the License at                                                              *
006// *                                                                                                                         *
007// *  http://www.apache.org/licenses/LICENSE-2.0                                                                             *
008// *                                                                                                                         *
009// * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an  *
010// * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.  See the License for the        *
011// * specific language governing permissions and limitations under the License.                                              *
012// ***************************************************************************************************************************
013package org.apache.juneau.rest;
014
015import org.apache.juneau.rest.annotation.*;
016import org.apache.juneau.rest.exception.*;
017
018/**
019 * REST method guard.
020 *
021 * <h5 class='topic'>Description</h5>
022 *
023 * Implements a guard mechanism for REST method calls that allows requests to be rejected before invocation of the REST
024 * method.
025 * For example, guards can be used to ensure that only administrators can call certain methods.
026 *
027 * <p>
028 * Guards are applied to REST methods declaratively through the {@link RestResource#guards() @RestResource(guards)} or
029 * {@link RestMethod#guards() @RestMethod(guards)} annotations.
030 *
031 * <p>
032 * If multiple guards are specified, ALL guards must pass in order for the request to proceed.
033 *
034 * <h5 class='topic'>How to implement</h5>
035 *
036 * Typically, guards will be used for permissions checking on the user making the request, but it can also be used for
037 * other purposes like pre-call validation of a request.
038 *
039 * <p>
040 * Implementers should simply throw a {@link RestException} from the {@link #guard(RestRequest, RestResponse)}
041 * method to abort processing on the current request.
042 *
043 * <p>
044 * Guards must implement a no-args constructor.
045 *
046 * <h5 class='topic'>Example usage:</h5>
047 * <p class='bcode w800'>
048 *    <jk>public</jk> MyResource <jk>extends</jk> RestServlet {
049 *
050 *       <jc>// Delete method with guard that only allows Billy to call it.</jc>
051 *       <ja>@RestMethod</ja>(name=<jsf>DELETE</jsf>, guards=BillyGuard.<jk>class</jk>)
052 *       <jk>public</jk> doDelete(RestRequest req, RestResponse res) <jk>throws</jk> Exception {...}
053 *    }
054 * </p>
055 *
056 * <h5 class='topic'>Example implementation:</h5>
057 * <p class='bcode w800'>
058 *    <jc>// Define a guard that only lets Billy make a request</jc>
059 *    <jk>public</jk> BillyGuard <jk>extends</jk> RestGuard {
060 *
061 *       <ja>@Override</ja>
062 *       <jk>public boolean</jk> isRequestAllowed(RestRequest req) {
063 *          return req.getUserPrincipal().getName().contains(<js>"Billy"</js>);
064 *       }
065 *    }
066 * </p>
067 *
068 * <h5 class='section'>See Also:</h5>
069 * <ul>
070 *    <li class='link'>{@doc juneau-rest-server.Guards}
071 * </ul>
072 */
073public abstract class RestGuard {
074
075   /**
076    * Checks the current HTTP request and throws a {@link RestException} if the guard does not permit the request.
077    *
078    * <p>
079    * By default, throws an <jsf>SC_FORBIDDEN</jsf> exception if {@link #isRequestAllowed(RestRequest)} returns
080    * <jk>false</jk>.
081    *
082    * <p>
083    * Subclasses are free to override this method to tailor the behavior of how to handle unauthorized requests.
084    *
085    * @param req The servlet request.
086    * @param res The servlet response.
087    * @throws RestException Thrown to abort processing on current request.
088    * @return
089    *    <jk>true</jk> if request can proceed.
090    *    Specify <jk>false</jk> if you're doing something like a redirection to a login page.
091    */
092   public boolean guard(RestRequest req, RestResponse res) throws RestException {
093      if (! isRequestAllowed(req))
094         throw new Forbidden("Access denied by guard");
095      return true;
096   }
097
098   /**
099    * Returns <jk>true</jk> if the specified request can pass through this guard.
100    *
101    * @param req The servlet request.
102    * @return <jk>true</jk> if the specified request can pass through this guard.
103    */
104   public abstract boolean isRequestAllowed(RestRequest req);
105}