atg.rest.processor

Class RestSecurityProcessor

java.lang.Object

atg.nucleus.logging.VariableArgumentApplicationLoggingImpl

atg.nucleus.GenericService

atg.rest.processor.GenericRestProcessor

atg.rest.processor.RestSecurityProcessor

All Implemented Interfaces:

atg.core.logging.Logging, atg.core.logging.TraceLogging, atg.naming.AbsoluteNameable, NameContextBindingListener, NameContextElement, atg.naming.NameContextParentable, NameResolver, AdminableService, atg.nucleus.Configured, ApplicationLogging, atg.nucleus.logging.ApplicationLoggingSender, atg.nucleus.logging.TraceApplicationLogging, VariableArgumentApplicationLogging, ComponentNameResolver, Service, ServiceListener, RestProcessor, java.util.EventListener

public class RestSecurityProcessor
extends GenericRestProcessor

RestSecurityProcessor the base type for Rest security checking. This class handles GET, POST, PUT, and DELETE requests.

See Also:

GenericRestProcessor, RestProcessor

Field Summary

Fields

Modifier and Type	Field and Description
static java.lang.String	CLASS_VERSION Class version string

Fields inherited from class atg.nucleus.GenericService

SERVICE_INFO_KEY

Fields inherited from interface atg.nucleus.logging.TraceApplicationLogging

DEFAULT_LOG_TRACE_STATUS

Fields inherited from interface atg.nucleus.logging.ApplicationLogging

DEFAULT_LOG_DEBUG_STATUS, DEFAULT_LOG_ERROR_STATUS, DEFAULT_LOG_INFO_STATUS, DEFAULT_LOG_WARNING_STATUS

Constructor Summary

Constructors

Constructor and Description
RestSecurityProcessor()

Method Summary

Modifier and Type	Method and Description
protected void	checkAccess(BeanURI pParsedURI, RestSecurityConfiguration pRestSecurityConfiguration, AccessRight pAccessRight, DynamoHttpServletResponse pResponse) Checks security for component resource access.
void	doRESTDelete(DynamoHttpServletRequest pRequest, DynamoHttpServletResponse pResponse) This method handles a REST "DELETE" request.
void	doRESTGet(DynamoHttpServletRequest pRequest, DynamoHttpServletResponse pResponse) This method handles a REST "GET" request.
void	doRESTPost(DynamoHttpServletRequest pRequest, DynamoHttpServletResponse pResponse) This method handles a REST "POST" request.
void	doRESTPut(DynamoHttpServletRequest pRequest, DynamoHttpServletResponse pResponse) This method handles a REST "PUT" request.
protected ComponentSecurityConfiguration	findParentSecurityConfiguration(ComponentSecurityConfiguration pCsc, BeanURI pParsedURI) Looks for parent ComponentSecurityConfiguration if neccessary.
protected ComponentSecurityConfiguration	getComponentSecurityConfiguration(BeanURI pParsedURI) Looks for ComponentSecurityConfiguration for a resource.
java.util.List<java.lang.String>	getExcludePrefixes() List of prefixes that should be ignored.
static java.lang.String	getMethodNameWithSignature(java.lang.String pMethodName) Retrieves the method name with its signature
protected ComponentSecurityConfiguration	getParentSecurityConfiguration(BeanURI pParsedURI) Looks for wildcard or default ComponentSecurityConfiguration for a resource
RestSecurityManager	getRestSecurityManager()
protected void	handleRepositoryRequest(RepositoryURI pRepositoryURI, DynamoHttpServletRequest pRequest, DynamoHttpServletResponse pResponse) Checks security for repository access.
boolean	isAllowAccessForUnsecuredRepository()
boolean	isEnabled()
protected boolean	isFormHanlder(java.lang.Object resContainer) This method attempts to find out if a component is a FormHanlder
protected boolean	isMethodRequest(BeanURI pParsedURI, DynamoHttpServletRequest pRequest, DynamoHttpServletResponse pResponse) This method attempts to find out if the request is for a method call.
protected boolean	isRepositoryURI(ParsedURI pParsedURI) Check if the ParsedURI is a RepositoryURI
void	setAllowAccessForUnsecuredRepository(boolean pAllowAccessForUnsecuredRepository)
void	setEnabled(boolean pEnabled)
void	setExcludePrefixes(java.util.List<java.lang.String> pExcludePrefixes) Sets the list of prefixes that should be ignored
void	setRestSecurityManager(RestSecurityManager pRestSecurityManager)
protected boolean	shouldSkipRequest(DynamoHttpServletRequest pRequest) Checks if a given request starts with a prefix from excludePrefixes

Methods inherited from class atg.rest.processor.GenericRestProcessor

determineJSONControlParams, determineJSONUsage, getBooleanControlParam, getComponentResolver, getFilteringManager, getOutputCustomizer, getParentServlet, getStringControlParam, isAcceptJSONInput, isResourceWritable, isResourceWritable, setAcceptJSONInput, setComponentResolver, setOutputCustomizer, setParentServlet, useSimpleResponseCodes, validateResource

Methods inherited from class atg.nucleus.GenericService

addLogListener, createAdminServlet, doStartService, doStopService, getAbsoluteName, getAdminServlet, getAdminServletOutputStreamEncoding, getLoggingForVlogging, getLogListenerCount, getLogListeners, getName, getNameContext, getNucleus, getRoot, getServiceConfiguration, getServiceInfo, isAdminServletUseServletOutputStream, isLoggingDebug, isLoggingError, isLoggingInfo, isLoggingTrace, isLoggingWarning, isRunning, logDebug, logDebug, logDebug, logError, logError, logError, logInfo, logInfo, logInfo, logTrace, logTrace, logTrace, logWarning, logWarning, logWarning, nameContextElementBound, nameContextElementUnbound, removeLogListener, reResolveThis, resolveName, resolveName, resolveName, resolveName, sendLogEvent, setAdminServletOutputStreamEncoding, setAdminServletUseServletOutputStream, setLoggingDebug, setLoggingError, setLoggingInfo, setLoggingTrace, setLoggingWarning, setNucleus, setServiceInfo, startService, stopService, toString

Methods inherited from class atg.nucleus.logging.VariableArgumentApplicationLoggingImpl

vlogDebug, vlogDebug, vlogDebug, vlogDebug, vlogDebugTrace, vlogError, vlogError, vlogError, vlogError, vlogInfo, vlogInfo, vlogInfo, vlogInfo, vlogTrace, vlogTrace, vlogTrace, vlogTrace, vlogWarning, vlogWarning, vlogWarning, vlogWarning

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Field Detail

CLASS_VERSION

public static final java.lang.String CLASS_VERSION

Class version string

See Also:

Constant Field Values

Constructor Detail

RestSecurityProcessor

public RestSecurityProcessor()

Method Detail

setEnabled

public void setEnabled(boolean pEnabled)

Parameters:

pEnabled - the enabled to set

isEnabled

public boolean isEnabled()

Returns:

Returns the value of enabled.

setAllowAccessForUnsecuredRepository

public void setAllowAccessForUnsecuredRepository(boolean pAllowAccessForUnsecuredRepository)

Parameters:

pAllowAccessForUnsecuredRepository - the allowAccessForUnsecuredRepository to set

isAllowAccessForUnsecuredRepository

public boolean isAllowAccessForUnsecuredRepository()

Returns:

Returns the value of allowAccessForUnsecuredRepository.

setRestSecurityManager

public void setRestSecurityManager(RestSecurityManager pRestSecurityManager)

Parameters:

pRestSecurityManager - the restSecurityManager to set

getRestSecurityManager

public RestSecurityManager getRestSecurityManager()

Returns:

Returns the value of restSecurityManager.

doRESTDelete

public void doRESTDelete(DynamoHttpServletRequest pRequest,
                         DynamoHttpServletResponse pResponse)
                  throws java.io.IOException,
                         RestException

This method handles a REST "DELETE" request.

Parameters:

pRequest - the servlet request

pResponse - the servlet response

Throws:

RestException - if security check is failed, sets the response status to HttpServletResponse.SC_UNAUTHORIZED

java.io.IOException - if an input or output stream exception occurs

See Also:

RestProcessor#handleRESTDeleteRequest(java.lang.String, atg.servlet.DynamoHttpServletRequest, atg.servlet.DynamoHttpServletResponse)

doRESTGet

public void doRESTGet(DynamoHttpServletRequest pRequest,
                      DynamoHttpServletResponse pResponse)
               throws java.io.IOException,
                      RestException

This method handles a REST "GET" request.

Parameters:

pRequest - the servlet request

pResponse - the servlet response

Throws:

RestException - if security check is failed, sets the response status to HttpServletResponse.SC_UNAUTHORIZED

java.io.IOException - if an input or output stream exception occurs

See Also:

atg.rest.processor.RestProcessor#handleRESTGetRequest(java.lang.String, atg.servlet.DynamoHttpServletRequest, atg.servlet.DynamoHttpServletResponse)

doRESTPost

public void doRESTPost(DynamoHttpServletRequest pRequest,
                       DynamoHttpServletResponse pResponse)
                throws java.io.IOException,
                       RestException

This method handles a REST "POST" request.

Parameters:

pRequest - the servlet request

pResponse - the servlet response

Throws:

RestException - if security check is failed, sets the response status to HttpServletResponse.SC_UNAUTHORIZED

java.io.IOException - if an input or output stream exception occurs

See Also:

atg.rest.processor.RestProcessor#handleRESTPostRequest(java.lang.String, atg.servlet.DynamoHttpServletRequest, atg.servlet.DynamoHttpServletResponse)

doRESTPut

public void doRESTPut(DynamoHttpServletRequest pRequest,
                      DynamoHttpServletResponse pResponse)
               throws java.io.IOException,
                      RestException

This method handles a REST "PUT" request.

Parameters:

pRequest - the servlet request

pResponse - the servlet response

Throws:

RestException - if security check is failed, sets the response status to HttpServletResponse.SC_UNAUTHORIZED

java.io.IOException - if an input or output stream exception occurs, sets the response status to HttpServletResponse.SC_BAD_REQUEST

See Also:

atg.rest.processor.RestProcessor#handleRESTPutRequest(java.lang.String, atg.servlet.DynamoHttpServletRequest, atg.servlet.DynamoHttpServletResponse)

getComponentSecurityConfiguration

protected ComponentSecurityConfiguration getComponentSecurityConfiguration(BeanURI pParsedURI)

Looks for ComponentSecurityConfiguration for a resource. Looks for wildcard or default configuration if there is not specific defintion for the resource.

Parameters:

pParsedURI - an object containing the parsed URI

Returns:

ComponentSecurityConfiguration

getParentSecurityConfiguration

protected ComponentSecurityConfiguration getParentSecurityConfiguration(BeanURI pParsedURI)

Looks for wildcard or default ComponentSecurityConfiguration for a resource

Parameters:

pParsedURI - an object containing the parsed URI

Returns:

parent ComponentSecurityConfiguration

findParentSecurityConfiguration

protected ComponentSecurityConfiguration findParentSecurityConfiguration(ComponentSecurityConfiguration pCsc,
                                                                         BeanURI pParsedURI)

Looks for parent ComponentSecurityConfiguration if neccessary.

Parameters:

pComponentSecurityConfiguration -

Returns:

parent ComponentSecurityConfiguration

handleRepositoryRequest

protected void handleRepositoryRequest(RepositoryURI pRepositoryURI,
                                       DynamoHttpServletRequest pRequest,
                                       DynamoHttpServletResponse pResponse)
                                throws RestException

Checks security for repository access. It only allows access for SecuredRepository.

Parameters:

pRepositoryURI - the RepositoryURI

pRequest - the servlet request

pResponse - the servlet response

Throws:

RestException - if the repository is not SecuredRepository

isRepositoryURI

protected boolean isRepositoryURI(ParsedURI pParsedURI)

Check if the ParsedURI is a RepositoryURI

Parameters:

pParsedURI - The ParseURI

Returns:

Returns true if the ParsedURI is a RepositoryURI

checkAccess

protected void checkAccess(BeanURI pParsedURI,
                           RestSecurityConfiguration pRestSecurityConfiguration,
                           AccessRight pAccessRight,
                           DynamoHttpServletResponse pResponse)
                    throws RestException

Checks security for component resource access.

Parameters:

pParsedURI - the ParsedURI

pRestSecurityConfiguration - the RestSecurityConfiguration to check

pAccessRight - the AccessRight to check

pResponse - the servlet response

Throws:

RestException - if the current user doesn't have the access right for the resource, , sets the response status to HttpServletResponse.SC_UNAUTHORIZED

isMethodRequest

protected boolean isMethodRequest(BeanURI pParsedURI,
                                  DynamoHttpServletRequest pRequest,
                                  DynamoHttpServletResponse pResponse)

This method attempts to find out if the request is for a method call.

Parameters:

pParsedURI - an object containing the parsed URI

pRequest - the servlet request

pResponse - the servlet response

Returns:

tr

Throws:

RestException

isFormHanlder

protected boolean isFormHanlder(java.lang.Object resContainer)

This method attempts to find out if a component is a FormHanlder

Parameters:

resContainer - The component to check.

Returns:

true if the component is a FormHandler.

getExcludePrefixes

public java.util.List<java.lang.String> getExcludePrefixes()

List of prefixes that should be ignored.

Returns:

the excludePrefixes

setExcludePrefixes

public void setExcludePrefixes(java.util.List<java.lang.String> pExcludePrefixes)

Sets the list of prefixes that should be ignored

Parameters:

pExcludePrefixes - the excludePrefixes to set

shouldSkipRequest

protected boolean shouldSkipRequest(DynamoHttpServletRequest pRequest)

Checks if a given request starts with a prefix from excludePrefixes

Parameters:

pRequest - The request

Returns:

Whether this request should be skipped because it includes one of the excluded prefixes.

getMethodNameWithSignature

public static java.lang.String getMethodNameWithSignature(java.lang.String pMethodName)

Retrieves the method name with its signature

Parameters:

pMethodName - the method name

Returns:

the method name + ":" + the signature from the METHOD control parameter (or "NULL")