RestSecurityProcessor (ATG Rest 1.0 API)

Overview

Package

Class

Use

Tree

Deprecated

Index

Help

PREV CLASS NEXT CLASS

FRAMES NO FRAMES

SUMMARY: NESTED | FIELD | CONSTR | METHOD

DETAIL: FIELD | CONSTR | METHOD

atg.rest.processor
Class RestSecurityProcessor

java.lang.Object
  atg.nucleus.logging.VariableArgumentApplicationLoggingImpl
      atg.nucleus.GenericService
          atg.rest.processor.GenericRestProcessor
              atg.rest.processor.RestSecurityProcessor

All Implemented Interfaces:: atg.naming.NameContextBindingListener, atg.naming.NameContextElement, atg.naming.NameResolver, atg.nucleus.AdminableService, atg.nucleus.logging.ApplicationLogging, atg.nucleus.logging.ApplicationLoggingSender, atg.nucleus.logging.TraceApplicationLogging, atg.nucleus.logging.VariableArgumentApplicationLogging, atg.nucleus.naming.ComponentNameResolver, atg.nucleus.Service, atg.nucleus.ServiceListener, RestProcessor, java.util.EventListener

public class RestSecurityProcessor
extends GenericRestProcessor
extends GenericRestProcessor

RestSecurityProcessor the base type for Rest security checking. This class handles GET, POST, PUT, and DELETE requests.

Author:: bzhang
See Also:: GenericRestProcessor, RestProcessor

Field Summary
`static java.lang.String`	`CLASS_VERSION` Class version string

Fields inherited from class atg.nucleus.GenericService
`SERVICE_INFO_KEY`

Fields inherited from interface atg.nucleus.logging.TraceApplicationLogging
`DEFAULT_LOG_TRACE_STATUS`

Fields inherited from interface atg.nucleus.logging.ApplicationLogging
`DEFAULT_LOG_DEBUG_STATUS, DEFAULT_LOG_ERROR_STATUS, DEFAULT_LOG_INFO_STATUS, DEFAULT_LOG_WARNING_STATUS`

Constructor Summary
`RestSecurityProcessor()`

Method Summary
`protected void`	`checkAccess(BeanURI pParsedURI, RestSecurityConfiguration pRestSecurityConfiguration, atg.security.AccessRight pAccessRight, atg.servlet.DynamoHttpServletResponse pResponse)` Checks security for component resource access.
`void`	`doRESTDelete(atg.servlet.DynamoHttpServletRequest pRequest, atg.servlet.DynamoHttpServletResponse pResponse)` This method handles a REST "DELETE" request.
`void`	`doRESTGet(atg.servlet.DynamoHttpServletRequest pRequest, atg.servlet.DynamoHttpServletResponse pResponse)` This method handles a REST "GET" request.
`void`	`doRESTPost(atg.servlet.DynamoHttpServletRequest pRequest, atg.servlet.DynamoHttpServletResponse pResponse)` This method handles a REST "POST" request.
`void`	`doRESTPut(atg.servlet.DynamoHttpServletRequest pRequest, atg.servlet.DynamoHttpServletResponse pResponse)` This method handles a REST "PUT" request.
`protected ComponentSecurityConfiguration`	`findParentSecurityConfiguration(ComponentSecurityConfiguration pCsc, BeanURI pParsedURI)` Looks for parent ComponentSecurityConfiguration if neccessary.
`protected ComponentSecurityConfiguration`	`getComponentSecurityConfiguration(BeanURI pParsedURI)` Looks for ComponentSecurityConfiguration for a resource.
`java.util.List<java.lang.String>`	`getExcludePrefixes()` List of prefixes that should be ignored.
`static java.lang.String`	`getMethodNameWithSignature(java.lang.String pMethodName)` Retrieves the method name with its signature
`protected ComponentSecurityConfiguration`	`getParentSecurityConfiguration(BeanURI pParsedURI)` Looks for wildcard or default ComponentSecurityConfiguration for a resource
`RestSecurityManager`	`getRestSecurityManager()`
`protected void`	`handleRepositoryRequest(RepositoryURI pRepositoryURI, atg.servlet.DynamoHttpServletRequest pRequest, atg.servlet.DynamoHttpServletResponse pResponse)` Checks security for repository access.
`boolean`	`isAllowAccessForUnsecuredRepository()`
`boolean`	`isEnabled()`
`protected boolean`	`isFormHanlder(java.lang.Object resContainer)` This method attempts to find out if a component is a FormHanlder
`protected boolean`	`isMethodRequest(BeanURI pParsedURI, atg.servlet.DynamoHttpServletRequest pRequest, atg.servlet.DynamoHttpServletResponse pResponse)` This method attempts to find out if the request is for a method call.
`protected boolean`	`isRepositoryURI(ParsedURI pParsedURI)` Check if the ParsedURI is a RepositoryURI
`void`	`setAllowAccessForUnsecuredRepository(boolean pAllowAccessForUnsecuredRepository)`
`void`	`setEnabled(boolean pEnabled)`
`void`	`setExcludePrefixes(java.util.List<java.lang.String> pExcludePrefixes)` Sets the list of prefixes that should be ignored
`void`	`setRestSecurityManager(RestSecurityManager pRestSecurityManager)`
`protected boolean`	`shouldSkipRequest(atg.servlet.DynamoHttpServletRequest pRequest)` Checks if a given request starts with a prefix from `excludePrefixes`

Methods inherited from class atg.rest.processor.GenericRestProcessor
`determineJSONControlParams, determineJSONUsage, getBooleanControlParam, getComponentResolver, getFilteringManager, getOutputCustomizer, getParentServlet, getStringControlParam, isAcceptJSONInput, isResourceWritable, isResourceWritable, setAcceptJSONInput, setComponentResolver, setOutputCustomizer, setParentServlet, useSimpleResponseCodes, validateResource`

Methods inherited from class atg.nucleus.GenericService
addLogListener, createAdminServlet, doStartService, doStopService, getAbsoluteName, getAdminServlet, getLoggingForVlogging, getLogListenerCount, getLogListeners, getName, getNameContext, getNucleus, getRoot, getServiceConfiguration, getServiceInfo, isLoggingDebug, isLoggingError, isLoggingInfo, isLoggingTrace, isLoggingWarning, isRunning, logDebug, logDebug, logDebug, logError, logError, logError, logInfo, logInfo, logInfo, logTrace, logTrace, logTrace, logWarning, logWarning, logWarning, nameContextElementBound, nameContextElementUnbound, removeLogListener, resolveName, resolveName, resolveName, resolveName, sendLogEvent, setLoggingDebug, setLoggingError, setLoggingInfo, setLoggingTrace, setLoggingWarning, setNucleus, setServiceInfo, startService, stopService

Methods inherited from class atg.nucleus.GenericService

addLogListener, createAdminServlet, doStartService, doStopService, getAbsoluteName, getAdminServlet, getLoggingForVlogging, getLogListenerCount, getLogListeners, getName, getNameContext, getNucleus, getRoot, getServiceConfiguration, getServiceInfo, isLoggingDebug, isLoggingError, isLoggingInfo, isLoggingTrace, isLoggingWarning, isRunning, logDebug, logDebug, logDebug, logError, logError, logError, logInfo, logInfo, logInfo, logTrace, logTrace, logTrace, logWarning, logWarning, logWarning, nameContextElementBound, nameContextElementUnbound, removeLogListener, resolveName, resolveName, resolveName, resolveName, sendLogEvent, setLoggingDebug, setLoggingError, setLoggingInfo, setLoggingTrace, setLoggingWarning, setNucleus, setServiceInfo, startService, stopService

Methods inherited from class atg.nucleus.logging.VariableArgumentApplicationLoggingImpl
`vlogDebug, vlogDebug, vlogDebug, vlogDebug, vlogError, vlogError, vlogError, vlogError, vlogInfo, vlogInfo, vlogInfo, vlogInfo, vlogTrace, vlogTrace, vlogTrace, vlogTrace, vlogWarning, vlogWarning, vlogWarning, vlogWarning`

Methods inherited from class java.lang.Object
`clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait`

Field Detail

CLASS_VERSION

public static final java.lang.String CLASS_VERSION

Class version string

See Also:: Constant Field Values

Constructor Detail

RestSecurityProcessor

public RestSecurityProcessor()

Method Detail

setEnabled

public void setEnabled(boolean pEnabled)

Parameters:: pEnabled - the enabled to set

isEnabled

public boolean isEnabled()

Returns:: Returns the value of enabled.

setAllowAccessForUnsecuredRepository

public void setAllowAccessForUnsecuredRepository(boolean pAllowAccessForUnsecuredRepository)

Parameters:: pAllowAccessForUnsecuredRepository - the allowAccessForUnsecuredRepository to set

isAllowAccessForUnsecuredRepository

public boolean isAllowAccessForUnsecuredRepository()

Returns:: Returns the value of allowAccessForUnsecuredRepository.

setRestSecurityManager

public void setRestSecurityManager(RestSecurityManager pRestSecurityManager)

Parameters:: pRestSecurityManager - the restSecurityManager to set

getRestSecurityManager

public RestSecurityManager getRestSecurityManager()

Returns:: Returns the value of restSecurityManager.

doRESTDelete

public void doRESTDelete(atg.servlet.DynamoHttpServletRequest pRequest,
                         atg.servlet.DynamoHttpServletResponse pResponse)
                  throws java.io.IOException,
                         RestException

This method handles a REST "DELETE" request.

Parameters:: pRequest - the servlet request; pResponse - the servlet response
Throws:: RestException - if security check is failed, sets the response status to HttpServletResponse.SC_UNAUTHORIZED; java.io.IOException - if an input or output stream exception occurs
See Also:: RestProcessor#handleRESTDeleteRequest(java.lang.String, atg.servlet.DynamoHttpServletRequest, atg.servlet.DynamoHttpServletResponse)

doRESTGet

public void doRESTGet(atg.servlet.DynamoHttpServletRequest pRequest,
                      atg.servlet.DynamoHttpServletResponse pResponse)
               throws java.io.IOException,
                      RestException

This method handles a REST "GET" request.

Parameters:: pRequest - the servlet request; pResponse - the servlet response
Throws:: RestException - if security check is failed, sets the response status to HttpServletResponse.SC_UNAUTHORIZED; java.io.IOException - if an input or output stream exception occurs
See Also:: atg.rest.processor.RestProcessor#handleRESTGetRequest(java.lang.String, atg.servlet.DynamoHttpServletRequest, atg.servlet.DynamoHttpServletResponse)

doRESTPost

public void doRESTPost(atg.servlet.DynamoHttpServletRequest pRequest,
                       atg.servlet.DynamoHttpServletResponse pResponse)
                throws java.io.IOException,
                       RestException

This method handles a REST "POST" request.

Parameters:: pRequest - the servlet request; pResponse - the servlet response
Throws:: RestException - if security check is failed, sets the response status to HttpServletResponse.SC_UNAUTHORIZED; java.io.IOException - if an input or output stream exception occurs
See Also:: atg.rest.processor.RestProcessor#handleRESTPostRequest(java.lang.String, atg.servlet.DynamoHttpServletRequest, atg.servlet.DynamoHttpServletResponse)

doRESTPut

public void doRESTPut(atg.servlet.DynamoHttpServletRequest pRequest,
                      atg.servlet.DynamoHttpServletResponse pResponse)
               throws java.io.IOException,
                      RestException

This method handles a REST "PUT" request.

Parameters:: pRequest - the servlet request; pResponse - the servlet response
Throws:: RestException - if security check is failed, sets the response status to HttpServletResponse.SC_UNAUTHORIZED; java.io.IOException - if an input or output stream exception occurs, sets the response status to HttpServletResponse.SC_BAD_REQUEST
See Also:: atg.rest.processor.RestProcessor#handleRESTPutRequest(java.lang.String, atg.servlet.DynamoHttpServletRequest, atg.servlet.DynamoHttpServletResponse)

getComponentSecurityConfiguration

protected ComponentSecurityConfiguration getComponentSecurityConfiguration(BeanURI pParsedURI)

Looks for ComponentSecurityConfiguration for a resource. Looks for wildcard or default configuration if there is not specific defintion for the resource.

Parameters:: pParsedURI - an object containing the parsed URI
Returns:: ComponentSecurityConfiguration

getParentSecurityConfiguration

protected ComponentSecurityConfiguration getParentSecurityConfiguration(BeanURI pParsedURI)

Looks for wildcard or default ComponentSecurityConfiguration for a resource

Parameters:: pParsedURI - an object containing the parsed URI
Returns:: parent ComponentSecurityConfiguration

findParentSecurityConfiguration

protected ComponentSecurityConfiguration findParentSecurityConfiguration(ComponentSecurityConfiguration pCsc,
                                                                         BeanURI pParsedURI)

Looks for parent ComponentSecurityConfiguration if neccessary.

Parameters:: pComponentSecurityConfiguration -
Returns:: parent ComponentSecurityConfiguration

handleRepositoryRequest

protected void handleRepositoryRequest(RepositoryURI pRepositoryURI,
                                       atg.servlet.DynamoHttpServletRequest pRequest,
                                       atg.servlet.DynamoHttpServletResponse pResponse)
                                throws RestException

Checks security for repository access. It only allows access for SecuredRepository.

Parameters:: pRepositoryURI - the RepositoryURI; pRequest - the servlet request; pResponse - the servlet response
Throws:: RestException - if the repository is not SecuredRepository

isRepositoryURI

protected boolean isRepositoryURI(ParsedURI pParsedURI)

Check if the ParsedURI is a RepositoryURI

Parameters:: pParsedURI - The ParseURI
Returns:: Returns true if the ParsedURI is a RepositoryURI

checkAccess

protected void checkAccess(BeanURI pParsedURI,
                           RestSecurityConfiguration pRestSecurityConfiguration,
                           atg.security.AccessRight pAccessRight,
                           atg.servlet.DynamoHttpServletResponse pResponse)
                    throws RestException

Checks security for component resource access.

Parameters:: pParsedURI - the ParsedURI; pRestSecurityConfiguration - the RestSecurityConfiguration to check; pAccessRight - the AccessRight to check; pResponse - the servlet response
Throws:: RestException - if the current user doesn't have the access right for the resource, , sets the response status to HttpServletResponse.SC_UNAUTHORIZED

isMethodRequest

protected boolean isMethodRequest(BeanURI pParsedURI,
                                  atg.servlet.DynamoHttpServletRequest pRequest,
                                  atg.servlet.DynamoHttpServletResponse pResponse)

This method attempts to find out if the request is for a method call.

Parameters:: pParsedURI - an object containing the parsed URI; pRequest - the servlet request; pResponse - the servlet response
Returns:: tr
Throws:: RestException

isFormHanlder

protected boolean isFormHanlder(java.lang.Object resContainer)

This method attempts to find out if a component is a FormHanlder

Parameters:: resContainer - The component to check.
Returns:: true if the component is a FormHandler.

getExcludePrefixes

public java.util.List<java.lang.String> getExcludePrefixes()

List of prefixes that should be ignored.

Returns:: the excludePrefixes

setExcludePrefixes

public void setExcludePrefixes(java.util.List<java.lang.String> pExcludePrefixes)

Sets the list of prefixes that should be ignored

Parameters:: pExcludePrefixes - the excludePrefixes to set

shouldSkipRequest

protected boolean shouldSkipRequest(atg.servlet.DynamoHttpServletRequest pRequest)

Checks if a given request starts with a prefix from excludePrefixes

Parameters:: pRequest - The request
Returns:: Whether this request should be skipped because it includes one of the excluded prefixes.

getMethodNameWithSignature

public static java.lang.String getMethodNameWithSignature(java.lang.String pMethodName)

Retrieves the method name with its signature

Parameters:: pMethodName - the method name
Returns:: the method name + ":" + the signature from the METHOD control parameter (or "NULL")