// ***************************************************************************************************************************
// * Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements.  See the NOTICE file *
// * distributed with this work for additional information regarding copyright ownership.  The ASF licenses this file        *
// * to you under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance            *
// * with the License.  You may obtain a copy of the License at                                                              *
// *                                                                                                                         *
// *  http://www.apache.org/licenses/LICENSE-2.0                                                                             *
// *                                                                                                                         *
// * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an  *
// * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.  See the License for the        *
// * specific language governing permissions and limitations under the License.                                              *
// ***************************************************************************************************************************
package org.apache.juneau.rest;

import org.apache.juneau.rest.annotation.*;
import org.apache.juneau.rest.exception.*;

/**
 * REST method guard.
 *
 * <h5 class='topic'>Description</h5>
 *
 * Implements a guard mechanism for REST method calls that allows requests to be rejected before invocation of the REST
 * method.
 * For example, guards can be used to ensure that only administrators can call certain methods.
 *
 * <p>
 * Guards are applied to REST methods declaratively through the {@link RestResource#guards() @RestResource(guards)} or
 * {@link RestMethod#guards() @RestMethod(guards)} annotations.
 *
 * <p>
 * If multiple guards are specified, ALL guards must pass in order for the request to proceed.
 *
 * <h5 class='topic'>How to implement</h5>
 *
 * Typically, guards are used for permission checks on the user making the request, but they can also be used for
 * other purposes such as pre-call validation of a request.
 *
 * <p>
 * Implementers should simply throw a {@link RestException} from the {@link #guard(RestRequest, RestResponse)}
 * method to abort processing on the current request.
 *
 * <p>
 * Guards must implement a no-args constructor.
 *
 * <h5 class='topic'>Example usage:</h5>
 * <p class='bcode w800'>
 * 	<jk>public class</jk> MyResource <jk>extends</jk> RestServlet {
 *
 * 		<jc>// Delete method with guard that only allows Billy to call it.</jc>
 * 		<ja>@RestMethod</ja>(name=<jsf>DELETE</jsf>, guards=BillyGuard.<jk>class</jk>)
 * 		<jk>public void</jk> doDelete(RestRequest req, RestResponse res) <jk>throws</jk> Exception {...}
 * 	}
 * </p>
 *
 * <h5 class='topic'>Example implementation:</h5>
 * <p class='bcode w800'>
 * 	<jc>// Define a guard that only lets Billy make a request</jc>
 * 	<jk>public class</jk> BillyGuard <jk>extends</jk> RestGuard {
 *
 * 		<ja>@Override</ja>
 * 		<jk>public boolean</jk> isRequestAllowed(RestRequest req) {
 * 			<jc>// Unauthenticated requests have no principal; deny them instead of dereferencing null.</jc>
 * 			<jk>if</jk> (req.getUserPrincipal() == <jk>null</jk>)
 * 				<jk>return false</jk>;
 * 			<jk>return</jk> req.getUserPrincipal().getName().contains(<js>"Billy"</js>);
 * 		}
 * 	}
 * </p>
 *
 * <ul class='seealso'>
 * 	<li class='link'>{@doc juneau-rest-server.Guards}
 * </ul>
 */
public abstract class RestGuard {

	/**
	 * Checks the current HTTP request and throws a {@link RestException} if the guard does not permit the request.
	 *
	 * <p>
	 * By default, throws an <jsf>SC_FORBIDDEN</jsf> exception if {@link #isRequestAllowed(RestRequest)} returns
	 * <jk>false</jk>.
	 *
	 * <p>
	 * Subclasses are free to override this method to tailor how unauthorized requests are handled.
	 *
	 * @param req The servlet request.
	 * @param res The servlet response.
	 * @throws RestException Thrown to abort processing on the current request.
	 * @return
	 * 	<jk>true</jk> if the request can proceed.
	 * 	Return <jk>false</jk> if you have already handled the response yourself, for example by redirecting to a login page.
	 */
	public boolean guard(RestRequest req, RestResponse res) throws RestException {
		if (! isRequestAllowed(req))
			throw new Forbidden("Access denied by guard");
		return true;
	}

	/**
	 * Returns <jk>true</jk> if the specified request can pass through this guard.
	 *
	 * @param req The servlet request.
	 * @return <jk>true</jk> if the specified request can pass through this guard.
	 */
	public abstract boolean isRequestAllowed(RestRequest req);
}
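The Javadoc above describes the two extension points, <code>isRequestAllowed</code> for the yes/no decision and <code>guard</code> for tailoring the rejection, and notes that anonymous requests carry no principal and that <code>guard</code> may return <code>false</code> after a redirect. The following role-based guard is an added example, not part of Juneau's own source, that exercises both: it denies unauthenticated requests without dereferencing a null principal, redirects them to a login page, and answers authenticated-but-unprivileged callers with the same <code>Forbidden</code> the default implementation uses. It assumes <code>RestRequest</code> and <code>RestResponse</code> expose the servlet wrapper methods <code>isUserInRole</code> and <code>sendRedirect</code>, and the package name, role name and login path are placeholders.

```java
package org.apache.juneau.rest.examples; // hypothetical package, not part of Juneau

import java.io.IOException;
import java.security.Principal;

import org.apache.juneau.rest.RestGuard;
import org.apache.juneau.rest.RestRequest;
import org.apache.juneau.rest.RestResponse;
import org.apache.juneau.rest.annotation.RestMethod;
import org.apache.juneau.rest.exception.Forbidden;
import org.apache.juneau.rest.exception.RestException;

/**
 * Admits only requests whose authenticated principal holds the required role.
 *
 * Applied exactly like the page's BillyGuard, e.g.
 *   @RestMethod(name="DELETE", guards=AdminRoleGuard.class)
 * Because ALL guards listed on a method must pass, this guard can be stacked
 * with others (for instance a request-validation guard) without changing either.
 */
public class AdminRoleGuard extends RestGuard {

	private static final String REQUIRED_ROLE = "admin";   // constructed sample role name
	private static final String LOGIN_PATH = "/login";     // assumed login page path

	// Guards are instantiated reflectively, so a public no-args constructor is mandatory.
	public AdminRoleGuard() {}

	@Override
	public boolean isRequestAllowed(RestRequest req) {
		Principal p = req.getUserPrincipal();
		if (p == null)
			return false;   // anonymous caller: deny instead of letting a NullPointerException become a 500
		// Assumption: RestRequest wraps HttpServletRequest and exposes isUserInRole(String).
		return req.isUserInRole(REQUIRED_ROLE);
	}

	@Override
	public boolean guard(RestRequest req, RestResponse res) throws RestException {
		if (isRequestAllowed(req))
			return true;

		if (req.getUserPrincipal() == null) {
			// Unauthenticated: send the caller to the login page and return false so that
			// Juneau stops processing without writing an error body over the redirect.
			// Assumption: RestResponse wraps HttpServletResponse and exposes sendRedirect(String).
			try {
				res.sendRedirect(LOGIN_PATH);
			} catch (IOException e) {
				// The redirect could not be written; fall back to an explicit rejection.
				throw new Forbidden("Authentication required");
			}
			return false;
		}

		// Authenticated but lacking the role: reject with 403, the same outcome as the default guard().
		throw new Forbidden("Role '" + REQUIRED_ROLE + "' required");
	}
}
```

Keeping the role check in <code>isRequestAllowed</code> and the response handling in <code>guard</code> preserves the default contract: a subclass that only overrides <code>isRequestAllowed</code> still gets the 403 behaviour for free, while the <code>guard</code> override decides between "redirect and return false" and "throw" based on whether a principal exists at all.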