Source code

001// ***************************************************************************************************************************
002// * Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements.  See the NOTICE file *
003// * distributed with this work for additional information regarding copyright ownership.  The ASF licenses this file        *
004// * to you under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance            *
005// * with the License.  You may obtain a copy of the License at                                                              *
006// *                                                                                                                         *
007// *  http://www.apache.org/licenses/LICENSE-2.0                                                                             *
008// *                                                                                                                         *
009// * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an  *
010// * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.  See the License for the        *
011// * specific language governing permissions and limitations under the License.                                              *
012// ***************************************************************************************************************************
013package org.apache.juneau.rest.guard;
014
015import org.apache.juneau.rest.*;
016import org.apache.juneau.rest.annotation.*;
017import org.apache.juneau.http.response.*;
018
019/**
020 * REST method guard.
021 *
022 * <h5 class='topic'>Description</h5>
023 *
024 * Implements a guard mechanism for REST method calls that allows requests to be rejected before invocation of the REST
025 * method.
026 * For example, guards can be used to ensure that only administrators can call certain methods.
027 *
028 * <p>
029 * Guards are applied to REST methods declaratively through the {@link Rest#guards() @Rest(guards)} or
030 * {@link RestOp#guards() @RestOp(guards)} annotations.
031 *
032 * <p>
033 * If multiple guards are specified, ALL guards must pass in order for the request to proceed.
034 *
035 * <h5 class='topic'>How to implement</h5>
036 *
037 * Typically, guards will be used for permissions checking on the user making the request, but it can also be used for
038 * other purposes like pre-call validation of a request.
039 *
040 * <p>
041 * Implementers should simply throw a {@link BasicHttpException} from the {@link #guard(RestRequest, RestResponse)}
042 * method to abort processing on the current request.
043 *
044 * <p>
045 * Guards must implement a no-args constructor.
046 *
047 * <h5 class='topic'>Example usage:</h5>
048 * <p class='bjava'>
049 *    <jk>public</jk> MyResource <jk>extends</jk> BasicRestServlet {
050 *
051 *       <jc>// Delete method with guard that only allows Billy to call it.</jc>
052 *       <ja>@RestDelete</ja>(guards=BillyGuard.<jk>class</jk>)
053 *       <jk>public</jk> doDelete(RestRequest <jv>req</jv>, RestResponse <jv>res</jv>) <jk>throws</jk> Exception {...}
054 *    }
055 * </p>
056 *
057 * <h5 class='topic'>Example implementation:</h5>
058 * <p class='bjava'>
059 *    <jc>// Define a guard that only lets Billy make a request</jc>
060 *    <jk>public</jk> BillyGuard <jk>extends</jk> RestGuard {
061 *
062 *       <ja>@Override</ja>
063 *       <jk>public boolean</jk> isRequestAllowed(RestRequest <jv>req</jv>) {
064 *          <jk>return</jk> <jv>req</jv>.getUserPrincipal().getName().contains(<js>"Billy"</js>);
065 *       }
066 *    }
067 * </p>
068 *
069 * <h5 class='section'>See Also:</h5><ul>
070 *    <li class='link'><a class="doclink" href="../../../../../index.html#jrs.Guards">Guards</a>
071 * </ul>
072 */
073public abstract class RestGuard {
074
075   /**
076    * Checks the current HTTP request and throws a {@link BasicHttpException} if the guard does not permit the request.
077    *
078    * <p>
079    * By default, throws an <jsf>SC_FORBIDDEN</jsf> exception if {@link #isRequestAllowed(RestRequest)} returns
080    * <jk>false</jk>.
081    *
082    * <p>
083    * Subclasses are free to override this method to tailor the behavior of how to handle unauthorized requests.
084    *
085    * @param req The servlet request.
086    * @param res The servlet response.
087    * @throws BasicHttpException Thrown to abort processing on current request.
088    * @return
089    *    <jk>true</jk> if request can proceed.
090    *    Specify <jk>false</jk> if you're doing something like a redirection to a login page.
091    */
092   public boolean guard(RestRequest req, RestResponse res) throws BasicHttpException {
093      if (! isRequestAllowed(req))
094         throw new Forbidden("Access denied by guard");
095      return true;
096   }
097
098   /**
099    * Returns <jk>true</jk> if the specified request can pass through this guard.
100    *
101    * @param req The servlet request.
102    * @return <jk>true</jk> if the specified request can pass through this guard.
103    */
104   public abstract boolean isRequestAllowed(RestRequest req);
105}