Replace method interceptor with request filter

This commit is contained in:
René Pfeuffer
2018-11-13 09:54:28 +01:00
parent 96c2114e53
commit 3e99709035
4 changed files with 108 additions and 48 deletions


@@ -1,29 +0,0 @@
package sonia.scm.security;
import org.aopalliance.intercept.MethodInterceptor;
import org.aopalliance.intercept.MethodInvocation;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.subject.Subject;
public class SecurityInterceptor implements MethodInterceptor {
@Override
public Object invoke(MethodInvocation methodInvocation) throws Throwable {
if (hasPermission() || anonymousAccessIsAllowed(methodInvocation)) {
return methodInvocation.proceed();
} else {
throw new AuthenticationException();
}
}
private boolean anonymousAccessIsAllowed(MethodInvocation methodInvocation) {
return methodInvocation.getMethod().isAnnotationPresent(AllowAnonymousAccess.class)
|| methodInvocation.getMethod().getDeclaringClass().isAnnotationPresent(AllowAnonymousAccess.class);
}
private boolean hasPermission() {
Subject subject = SecurityUtils.getSubject();
return subject.isAuthenticated() || subject.isRemembered();
}
}


@@ -0,0 +1,46 @@
package sonia.scm.security;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.subject.Subject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ResourceInfo;
import javax.ws.rs.core.Context;
import javax.ws.rs.ext.Provider;
import java.lang.reflect.Method;
@Provider
public class SecurityRequestFilter implements ContainerRequestFilter {
private static final Logger LOG = LoggerFactory.getLogger(SecurityRequestFilter.class);
@Context
private ResourceInfo resourceInfo;
@Override
public void filter(ContainerRequestContext requestContext) {
Method resourceMethod = resourceInfo.getResourceMethod();
LOG.info("jax-rs method {}", resourceMethod.getName());
if (hasPermission() || anonymousAccessIsAllowed(resourceMethod)) {
LOG.debug("allowed unauthenticated request to method {}", resourceMethod);
// nothing further to do
} else {
LOG.debug("blocked unauthenticated request to method {}", resourceMethod);
throw new AuthenticationException();
}
}
private boolean anonymousAccessIsAllowed(Method method) {
return method.isAnnotationPresent(AllowAnonymousAccess.class)
|| method.getDeclaringClass().isAnnotationPresent(AllowAnonymousAccess.class);
}
private boolean hasPermission() {
Subject subject = SecurityUtils.getSubject();
return subject.isAuthenticated() || subject.isRemembered();
}
}
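Review bot: The allowed branch of `filter` logs "allowed unauthenticated request" whenever the guard passes, including the common case where `hasPermission()` is true because the subject is authenticated or remembered, so the log misreports authenticated calls as anonymous; `LOG.debug("allowed request to method {}", resourceMethod);` (or splitting the two conditions into separate branches) keeps the trail accurate. The `LOG.info("jax-rs method {}", resourceMethod.getName());` line fires on every request at INFO and reads like leftover debugging; it belongs at debug/trace or should go. The class carries `@Provider` but no `@Priority`, so its order relative to other request filters is the container default; `@Priority(Priorities.AUTHENTICATION)` pins it to run before filters that assume an authenticated subject. `resourceInfo.getResourceMethod()` is dereferenced without a null check; whether it can be null here depends on how the filter is bound, which the hunk does not show. Denial is still signalled by throwing Shiro's `AuthenticationException` rather than `requestContext.abortWith(...)`; presumably an exception mapper turns that into a 401 as it did for the interceptor, but that mapping is not visible in this change.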