Source code

001// ***************************************************************************************************************************
002// * Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements.  See the NOTICE file *
003// * distributed with this work for additional information regarding copyright ownership.  The ASF licenses this file        *
004// * to you under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance            *
005// * with the License.  You may obtain a copy of the License at                                                              *
006// *                                                                                                                         *
007// *  http://www.apache.org/licenses/LICENSE-2.0                                                                             *
008// *                                                                                                                         *
009// * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an  *
010// * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.  See the License for the        *
011// * specific language governing permissions and limitations under the License.                                              *
012// ***************************************************************************************************************************
013package org.apache.juneau.rest;
014
015import static javax.servlet.http.HttpServletResponse.*;
016
017import org.apache.juneau.rest.annotation.*;
018
019/**
020 * REST method guard.
021 * 
022 * <h5 class='topic'>Description</h5>
023 * 
024 * Implements a guard mechanism for REST method calls that allows requests to be rejected before invocation of the REST
025 * method.
026 * For example, guards can be used to ensure that only administrators can call certain methods.
027 * 
028 * <p>
029 * Guards are applied to REST methods declaratively through the {@link RestResource#guards() @RestResource.guards()} or
030 * {@link RestMethod#guards() @RestMethod.guards()} annotations.
031 * 
032 * <p>
033 * If multiple guards are specified, ALL guards must pass in order for the request to proceed.
034 * 
035 * <h5 class='topic'>How to implement</h5>
036 * 
037 * Typically, guards will be used for permissions checking on the user making the request, but it can also be used for
038 * other purposes like pre-call validation of a request.
039 * 
040 * <p>
041 * Implementers should simply throw a {@link RestException} from the {@link #guard(RestRequest, RestResponse)}
042 * method to abort processing on the current request.
043 * 
044 * <p>
045 * Guards must implement a no-args constructor.
046 * 
047 * <h5 class='topic'>Example usage:</h5>
048 * <p class='bcode'>
049 *    <jk>public</jk> MyResource <jk>extends</jk> RestServlet {
050 * 
051 *       <jc>// Delete method with guard that only allows Billy to call it.</jc>
052 *       <ja>@RestMethod</ja>(name=<jsf>DELETE</jsf>, guards=BillyGuard.<jk>class</jk>)
053 *       <jk>public</jk> doDelete(RestRequest req, RestResponse res) <jk>throws</jk> Exception {...}
054 *    }
055 * </p>
056 * 
057 * <h5 class='topic'>Example implementation:</h5>
058 * <p class='bcode'>
059 *    <jc>// Define a guard that only lets Billy make a request</jc>
060 *    <jk>public</jk> BillyGuard <jk>extends</jk> RestGuard {
061 * 
062 *       <ja>@Override</ja>
063 *       <jk>public boolean</jk> isRequestAllowed(RestRequest req) {
064 *          return req.getUserPrincipal().getName().contains(<js>"Billy"</js>);
065 *       }
066 *    }
067 * </p>
068 * 
069 * <h5 class='section'>See Also:</h5>
070 * <ul>
071 *    <li class='link'><a class="doclink" href="../../../../overview-summary.html#juneau-rest-server.Guards">Overview &gt; juneau-rest-server &gt; Guards</a>
072 * </ul>
073 */
074public abstract class RestGuard {
075
076   /**
077    * Checks the current HTTP request and throws a {@link RestException} if the guard does not permit the request.
078    * 
079    * <p>
080    * By default, throws an <jsf>SC_FORBIDDEN</jsf> exception if {@link #isRequestAllowed(RestRequest)} returns
081    * <jk>false</jk>.
082    * 
083    * <p>
084    * Subclasses are free to override this method to tailor the behavior of how to handle unauthorized requests.
085    * 
086    * @param req The servlet request.
087    * @param res The servlet response.
088    * @throws RestException Thrown to abort processing on current request.
089    * @return
090    *    <jk>true</jk> if request can proceed.
091    *    Specify <jk>false</jk> if you're doing something like a redirection to a login page.
092    */
093   public boolean guard(RestRequest req, RestResponse res) throws RestException {
094      if (! isRequestAllowed(req))
095         throw new RestException(SC_FORBIDDEN, "Access denied by guard");
096      return true;
097   }
098
099   /**
100    * Returns <jk>true</jk> if the specified request can pass through this guard.
101    * 
102    * @param req The servlet request.
103    * @return <jk>true</jk> if the specified request can pass through this guard.
104    */
105   public abstract boolean isRequestAllowed(RestRequest req);
106}