Source Code of br.com.caelum.vraptor.Authz

/**
 *  Copyright 2011 Douglas Campos <qmx@qmx.me>
 *
 *  Licensed under the Apache License, Version 2.0 (the "License");
 *  you may not use this file except in compliance with the License.
 *  You may obtain a copy of the License at
 *
 *   http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS,
 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 */
package br.com.caelum.vraptor;

import java.util.EnumSet;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import br.com.caelum.vraptor.Accepts;
import br.com.caelum.vraptor.AroundCall;
import br.com.caelum.vraptor.Intercepts;
import br.com.caelum.vraptor.Result;
import br.com.caelum.vraptor.interceptor.SimpleInterceptorStack;

import javax.enterprise.context.RequestScoped;
import javax.inject.Inject;

import br.com.caelum.vraptor.annotation.AuthzBypass;
import br.com.caelum.vraptor.controller.HttpMethod;
import br.com.caelum.vraptor.controller.ControllerMethod;

/**
 * Default authorization interceptor implementation. Check for situations on the
 * test cases.
 *
 * @author douglas campos
 * @author guilherme silveira
 */
@Intercepts
@RequestScoped
public class Authz {
  private static final Logger LOGGER = LoggerFactory.getLogger(Authz.class);

  private Authorizator authorizator;
  private AuthzInfo authInfo;
  private Result result;
  private HttpServletRequest request;

  /**
   * @deprecated cdi eyes only
   */
  @Deprecated
  protected Authz() {

  }

  @Inject
  public Authz(Authorizator authorizator, AuthzInfo authInfo, Result result, HttpServletRequest request) {
    this.authorizator = authorizator;
    this.authInfo = authInfo;
    this.result = result;
    this.request = request;
  }

  @Accepts
  public boolean accepts(ControllerMethod method) {
    return !(method.getMethod().isAnnotationPresent(AuthzBypass.class) || isAnnotationPresent(method.getController().getType()));
  }

  @AroundCall
  public void intercept(SimpleInterceptorStack stack) {
    Authorizable authorizable = authInfo.getAuthorizable();
    if (authorizable == null) {
      LOGGER.error("no AuthInfo found!");
      throw new IllegalStateException("No AuthInfo found");
    } else if (isAllowed(authorizable)) {
      stack.next();
    } else {
      authInfo.handleAuthError(result);
    }
  }

  private boolean isAllowed(Authorizable authorizable) {
    String currentURL = getCurrentURL();
    String method = request.getMethod();
    HttpMethod httpMethod = HttpMethod.valueOf(method);
    Set<HttpMethod> httpMethods = EnumSet.of(httpMethod);
    for (Role role : authorizable.roles()) {
      if (authorizator.isAllowed(role, currentURL, httpMethods)) {
        return true;
      }
    }
    return false;
  }

  private String getCurrentURL() {
    String requestURI = request.getRequestURI();
    String contextPath = request.getContextPath();
    return requestURI.replaceFirst(contextPath, "");
  }

  private boolean isAnnotationPresent(Class<?> type) {
    return type.isAnnotationPresent(AuthzBypass.class) || (!type.equals(Object.class) && isAnnotationPresent(type.getSuperclass()));
  }
}