Source code

001// ***************************************************************************************************************************
002// * Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements.  See the NOTICE file *
003// * distributed with this work for additional information regarding copyright ownership.  The ASF licenses this file        *
004// * to you under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance            *
005// * with the License.  You may obtain a copy of the License at                                                              *
006// *                                                                                                                         *
007// *  http://www.apache.org/licenses/LICENSE-2.0                                                                             *
008// *                                                                                                                         *
009// * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an  *
010// * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.  See the License for the        *
011// * specific language governing permissions and limitations under the License.                                              *
012// ***************************************************************************************************************************
013package org.apache.juneau.rest;
014
015import org.apache.juneau.rest.annotation.*;
016import org.apache.juneau.http.exception.*;
017
018/**
019 * REST method guard.
020 *
021 * <h5 class='topic'>Description</h5>
022 *
023 * Implements a guard mechanism for REST method calls that allows requests to be rejected before invocation of the REST
024 * method.
025 * For example, guards can be used to ensure that only administrators can call certain methods.
026 *
027 * <p>
028 * Guards are applied to REST methods declaratively through the {@link RestResource#guards() @RestResource(guards)} or
029 * {@link RestMethod#guards() @RestMethod(guards)} annotations.
030 *
031 * <p>
032 * If multiple guards are specified, ALL guards must pass in order for the request to proceed.
033 *
034 * <h5 class='topic'>How to implement</h5>
035 *
036 * Typically, guards will be used for permissions checking on the user making the request, but it can also be used for
037 * other purposes like pre-call validation of a request.
038 *
039 * <p>
040 * Implementers should simply throw a {@link HttpException} from the {@link #guard(RestRequest, RestResponse)}
041 * method to abort processing on the current request.
042 *
043 * <p>
044 * Guards must implement a no-args constructor.
045 *
046 * <h5 class='topic'>Example usage:</h5>
047 * <p class='bcode w800'>
048 *    <jk>public</jk> MyResource <jk>extends</jk> RestServlet {
049 *
050 *       <jc>// Delete method with guard that only allows Billy to call it.</jc>
051 *       <ja>@RestMethod</ja>(name=<jsf>DELETE</jsf>, guards=BillyGuard.<jk>class</jk>)
052 *       <jk>public</jk> doDelete(RestRequest req, RestResponse res) <jk>throws</jk> Exception {...}
053 *    }
054 * </p>
055 *
056 * <h5 class='topic'>Example implementation:</h5>
057 * <p class='bcode w800'>
058 *    <jc>// Define a guard that only lets Billy make a request</jc>
059 *    <jk>public</jk> BillyGuard <jk>extends</jk> RestGuard {
060 *
061 *       <ja>@Override</ja>
062 *       <jk>public boolean</jk> isRequestAllowed(RestRequest req) {
063 *          return req.getUserPrincipal().getName().contains(<js>"Billy"</js>);
064 *       }
065 *    }
066 * </p>
067 *
068 * <ul class='seealso'>
069 *    <li class='link'>{@doc juneau-rest-server.Guards}
070 * </ul>
071 */
072public abstract class RestGuard {
073
074   /**
075    * Checks the current HTTP request and throws a {@link HttpException} if the guard does not permit the request.
076    *
077    * <p>
078    * By default, throws an <jsf>SC_FORBIDDEN</jsf> exception if {@link #isRequestAllowed(RestRequest)} returns
079    * <jk>false</jk>.
080    *
081    * <p>
082    * Subclasses are free to override this method to tailor the behavior of how to handle unauthorized requests.
083    *
084    * @param req The servlet request.
085    * @param res The servlet response.
086    * @throws HttpException Thrown to abort processing on current request.
087    * @return
088    *    <jk>true</jk> if request can proceed.
089    *    Specify <jk>false</jk> if you're doing something like a redirection to a login page.
090    */
091   public boolean guard(RestRequest req, RestResponse res) throws HttpException {
092      if (! isRequestAllowed(req))
093         throw new Forbidden("Access denied by guard");
094      return true;
095   }
096
097   /**
098    * Returns <jk>true</jk> if the specified request can pass through this guard.
099    *
100    * @param req The servlet request.
101    * @return <jk>true</jk> if the specified request can pass through this guard.
102    */
103   public abstract boolean isRequestAllowed(RestRequest req);
104}