SecurityInterceptor (Open-Server security 29 API)

java.lang.Object
- org.springframework.web.servlet.handler.HandlerInterceptorAdapter
- - com.wadpam.open.security.SecurityInterceptor

All Implemented Interfaces:

org.springframework.web.servlet.HandlerInterceptor
```
public class SecurityInterceptor
extends org.springframework.web.servlet.handler.HandlerInterceptorAdapter
```
A security interceptor responsible for performing authentication. Default authentication mechanism is AUTH_TYPE_BASIC.

Since:

16

Author:

sosandstrom

Field Summary

Fields
Modifier and Type	Field and Description
`static String`	`ATTR_NAME_CONTAINER_ADMIN_NAME`
`static String`	`ATTR_NAME_CONTAINER_ADMIN_PRINCIPAL`
`static String`	`ATTR_NAME_PRINCIPAL`
`static String`	`ATTR_NAME_ROLES`
`static String`	`ATTR_NAME_USERNAME` must be same as MardaoPrincipalInterceptor value
`static String`	`AUTH_PARAM_BASIC`
`static String`	`AUTH_PARAM_COOKIE`
`static String`	`AUTH_PARAM_OAUTH`
`static String`	`AUTH_TYPE_BASIC`
`static String`	`AUTH_TYPE_COOKIE`
`static String`	`AUTH_TYPE_OAUTH`
`protected static int`	`ERR_AUTHENTICATION_FAILED`
`protected static int`	`ERR_CREDENTIALS_NOT_FOUND`
`protected static int`	`ERR_SECURITY_BASE`
`static String`	`HEADER_AUTHORIZATION`
`protected static org.slf4j.Logger`	`LOG`
`static String`	`PATH_AH`
`static TreeSet<String>`	`ROLES_ANONYMOUS`
`static String`	`USERNAME_ANONYMOUS`

Constructor Summary

Constructors
Constructor and Description

SecurityInterceptor()

Constructors
Constructor and Description
`SecurityInterceptor()`

Method Summary

Methods
Modifier and Type	Method and Description
`protected String`	`doAuthenticate(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, String uri, String authValue, String clientUsername, Object details)` Returns the realm username if the client is authenticated.
`String`	`getAuthenticationMechanism()`
`protected String`	`getAuthenticationParamName()` Override to specify authentication value parameter name.
`protected String`	`getAuthenticationValue(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, String uri)`
`protected String`	`getClientPassword(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, String uri, String authValue)` Override to return password from authValue.
`protected String`	`getClientUsername(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, String uri, String authValue)` Override to return username from authValue.
`protected static String`	`getEffectiveMethod(javax.servlet.http.HttpServletRequest request)`
`protected String`	`getRealmPassword(Object details)`
`protected String`	`getRealmUsername(String clientUsername, Object details)`
`String`	`isAuthenticated(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, Object handler, String uri, String method, String authValue)` Checks if a request is authenticated, based only on uri, method and authValue params.
`protected boolean`	`isWhitelistedMethod(String requestURI, String method)`
`boolean`	`preHandle(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, Object handler)`
`void`	`setAuthenticationMechanism(String authenticationMechanism)`
`static void`	`setListedMethods(Collection<Map.Entry<String,Collection<String>>> methods, List<Map.Entry<Pattern,Set<String>>> listedMethods)`
`void`	`setRealmName(String realmName)`
`void`	`setSecurityDetailsService(SecurityDetailsService securityDetailsService)`
`void`	`setWhitelistedMethods(Collection<Map.Entry<String,Collection<String>>> whitelistedMethods)`
`protected boolean`	`skipEnvironmentPaths(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, String uri)`

Methods inherited from class org.springframework.web.servlet.handler.HandlerInterceptorAdapter
afterCompletion, postHandle

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

LOG

protected static final org.slf4j.Logger LOG

ERR_SECURITY_BASE
```
protected static final int ERR_SECURITY_BASE
```
See Also:
Constant Field Values

ERR_CREDENTIALS_NOT_FOUND
```
protected static final int ERR_CREDENTIALS_NOT_FOUND
```
See Also:
Constant Field Values

ERR_AUTHENTICATION_FAILED
```
protected static final int ERR_AUTHENTICATION_FAILED
```
See Also:
Constant Field Values

AUTH_TYPE_BASIC

public static final String AUTH_TYPE_BASIC

See Also:: Constant Field Values

AUTH_TYPE_COOKIE

public static final String AUTH_TYPE_COOKIE

See Also:: Constant Field Values

AUTH_TYPE_OAUTH

public static final String AUTH_TYPE_OAUTH

See Also:: Constant Field Values

AUTH_PARAM_BASIC

public static final String AUTH_PARAM_BASIC

See Also:: Constant Field Values

AUTH_PARAM_COOKIE

public static final String AUTH_PARAM_COOKIE

See Also:: Constant Field Values

AUTH_PARAM_OAUTH

public static final String AUTH_PARAM_OAUTH

See Also:: Constant Field Values

ATTR_NAME_USERNAME
```
public static final String ATTR_NAME_USERNAME
```
must be same as MardaoPrincipalInterceptor value

See Also:
Constant Field Values

ATTR_NAME_PRINCIPAL

public static final String ATTR_NAME_PRINCIPAL

See Also:: Constant Field Values

ATTR_NAME_ROLES

public static final String ATTR_NAME_ROLES

See Also:: Constant Field Values

ATTR_NAME_CONTAINER_ADMIN_NAME

public static final String ATTR_NAME_CONTAINER_ADMIN_NAME

See Also:: Constant Field Values

ATTR_NAME_CONTAINER_ADMIN_PRINCIPAL

public static final String ATTR_NAME_CONTAINER_ADMIN_PRINCIPAL

See Also:: Constant Field Values

USERNAME_ANONYMOUS

public static final String USERNAME_ANONYMOUS

See Also:: Constant Field Values

HEADER_AUTHORIZATION

public static final String HEADER_AUTHORIZATION

See Also:: Constant Field Values

PATH_AH
```
public static final String PATH_AH
```
See Also:
Constant Field Values

ROLES_ANONYMOUS

public static final TreeSet<String> ROLES_ANONYMOUS

Constructor Detail
- SecurityInterceptor
```
public SecurityInterceptor()
```

Method Detail

doAuthenticate

protected String doAuthenticate(javax.servlet.http.HttpServletRequest request,
                    javax.servlet.http.HttpServletResponse response,
                    String uri,
                    String authValue,
                    String clientUsername,
                    Object details)

Returns the realm username if the client is authenticated.

Parameters:: request -; response -; uri -; authValue -; clientUsername -; details -
Returns:: the realm username if the client is authenticated

getAuthenticationParamName
```
protected String getAuthenticationParamName()
```
Override to specify authentication value parameter name. This implementation supports AUTH_TYPE_BASIC, AUTH_TYPE_COOKIE, AUTH_TYPE_OAUTH

Returns:
authentication value parameter name.

getAuthenticationValue

protected String getAuthenticationValue(javax.servlet.http.HttpServletRequest request,
                            javax.servlet.http.HttpServletResponse response,
                            String uri)

preHandle

public boolean preHandle(javax.servlet.http.HttpServletRequest request,
                javax.servlet.http.HttpServletResponse response,
                Object handler)
                  throws IOException,
                         javax.servlet.ServletException

Specified by:: preHandle in interface org.springframework.web.servlet.HandlerInterceptor
Overrides:: preHandle in class org.springframework.web.servlet.handler.HandlerInterceptorAdapter
Throws:: IOException; javax.servlet.ServletException

isAuthenticated
```
public String isAuthenticated(javax.servlet.http.HttpServletRequest request,
                     javax.servlet.http.HttpServletResponse response,
                     Object handler,
                     String uri,
                     String method,
                     String authValue)
```
Checks if a request is authenticated, based only on uri, method and authValue params. Hence, this method is suitable for unit testing (public for subclass unit tests).

Parameters:
request - not used by this implementation
response - not used by this implementation
handler - not used by this implementation
uri -
method -
authValue - as returned by {@link SecurityInterceptor#getAuthenticationValue(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, java.lang.String)

Returns:
username if authenticated, null otherwise

getClientUsername
```
protected String getClientUsername(javax.servlet.http.HttpServletRequest request,
                       javax.servlet.http.HttpServletResponse response,
                       String uri,
                       String authValue)
```
Override to return username from authValue. For OAuth, this implementation simply returns the authValue. For Basic, it returns the first token from authValue, delimited by ':'

Parameters:
request -
response -
uri -
authValue - header, param or cookie value

Returns:
the username to load details for.

getClientPassword
```
protected String getClientPassword(javax.servlet.http.HttpServletRequest request,
                       javax.servlet.http.HttpServletResponse response,
                       String uri,
                       String authValue)
```
Override to return password from authValue. For OAuth, this implementation simply returns the authValue. For Basic, it returns the second token from authValue, delimited by ':'

Parameters:
request -
response -
uri -
authValue - header, param or cookie value

Returns:
the client-provided password

getRealmPassword

protected String getRealmPassword(Object details)

getRealmUsername

protected String getRealmUsername(String clientUsername,
                      Object details)

Parameters:: clientUsername -; details -
Returns:: this implementation returns the specified clientUsername

skipEnvironmentPaths

protected boolean skipEnvironmentPaths(javax.servlet.http.HttpServletRequest request,
                           javax.servlet.http.HttpServletResponse response,
                           String uri)

getAuthenticationMechanism
```
public String getAuthenticationMechanism()
```
Returns:
one of AUTH_TYPE_BASIC, AUTH_TYPE_COOKIE, AUTH_TYPE_OAUTH or your custom type.

setAuthenticationMechanism

public void setAuthenticationMechanism(String authenticationMechanism)

isWhitelistedMethod

protected boolean isWhitelistedMethod(String requestURI,
                          String method)

setWhitelistedMethods

public void setWhitelistedMethods(Collection<Map.Entry<String,Collection<String>>> whitelistedMethods)

setListedMethods

public static void setListedMethods(Collection<Map.Entry<String,Collection<String>>> methods,
                    List<Map.Entry<Pattern,Set<String>>> listedMethods)

setSecurityDetailsService

public void setSecurityDetailsService(SecurityDetailsService securityDetailsService)

setRealmName

public void setRealmName(String realmName)

getEffectiveMethod

protected static String getEffectiveMethod(javax.servlet.http.HttpServletRequest request)

Class SecurityInterceptor

Field Summary

Constructor Summary

Method Summary

Methods inherited from class org.springframework.web.servlet.handler.HandlerInterceptorAdapter

Methods inherited from class java.lang.Object

Field Detail

LOG

ERR_SECURITY_BASE

ERR_CREDENTIALS_NOT_FOUND

ERR_AUTHENTICATION_FAILED

AUTH_TYPE_BASIC

AUTH_TYPE_COOKIE

AUTH_TYPE_OAUTH

AUTH_PARAM_BASIC

AUTH_PARAM_COOKIE

AUTH_PARAM_OAUTH

ATTR_NAME_USERNAME

ATTR_NAME_PRINCIPAL

ATTR_NAME_ROLES

ATTR_NAME_CONTAINER_ADMIN_NAME

ATTR_NAME_CONTAINER_ADMIN_PRINCIPAL

USERNAME_ANONYMOUS

HEADER_AUTHORIZATION

PATH_AH

ROLES_ANONYMOUS

Constructor Detail

SecurityInterceptor

Method Detail

doAuthenticate

getAuthenticationParamName

getAuthenticationValue

preHandle

isAuthenticated

getClientUsername

getClientPassword

getRealmPassword

getRealmUsername

skipEnvironmentPaths

getAuthenticationMechanism

setAuthenticationMechanism

isWhitelistedMethod

setWhitelistedMethods

setListedMethods

setSecurityDetailsService

setRealmName

getEffectiveMethod