this.next = next;
}
@Override
public void handleRequest(final HttpServerExchange exchange) throws Exception {
final ServletRequestContext servletRequestContext = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
List<SingleConstraintMatch> constraints = servletRequestContext.getRequiredConstrains();
SecurityContext sc = exchange.getAttachment(SecurityContext.ATTACHMENT_KEY);
ServletRequest request = servletRequestContext.getServletRequest();
if (request.getDispatcherType() != DispatcherType.REQUEST) {
next.handleRequest(exchange);
} else if (constraints == null || constraints.isEmpty()) {
next.handleRequest(exchange);
} else {
Account account = sc.getAuthenticatedAccount();
for (final SingleConstraintMatch constraint : constraints) {
boolean found = false;
Set<String> roleSet = constraint.getRequiredRoles();
if (roleSet.isEmpty() && constraint.getEmptyRoleSemantic() != SecurityInfo.EmptyRoleSemantic.DENY) {
/*
* The EmptyRoleSemantic was either PERMIT or AUTHENTICATE, either way a roles check is not needed.
*/
found = true;
} else {
for (String role : roleSet) {
if (account.isUserInRole(role)) {
found = true;
break;
}
}
}
if (!found) {
HttpServletResponse response = (HttpServletResponse) servletRequestContext.getServletResponse();
response.sendError(403);
return;
}
}
next.handleRequest(exchange);