public class AuthorizationInterceptor extends InterceptorAdapter implements IServerOperationInterceptor, IRuleApplier
See the HAPI FHIR Documentation on Server Security for information on how to use this interceptor.
Nested Class Summary

| Modifier and Type | Class and Description |
|---|---|
| static class | AuthorizationInterceptor.Verdict |

Nested classes/interfaces inherited from interface IServerInterceptor: IServerInterceptor.ActionRequestDetails

Constructor Summary

| Constructor and Description |
|---|
| AuthorizationInterceptor(): Constructor |
| AuthorizationInterceptor(PolicyEnum theDefaultPolicy): Constructor |
Method Summary

| Modifier and Type | Method and Description |
|---|---|
| AuthorizationInterceptor.Verdict | applyRulesAndReturnDecision(RestOperationTypeEnum theOperation, RequestDetails theRequestDetails, IBaseResource theInputResource, IIdType theInputResourceId, IBaseResource theOutputResource) |
| List<IAuthRule> | buildRuleList(RequestDetails theRequestDetails): Subclasses should override this method to supply the set of rules to be applied to this individual request. |
| PolicyEnum | getDefaultPolicy(): The default policy if no rules have been found to apply. |
| protected void | handleDeny(AuthorizationInterceptor.Verdict decision): Handle an access control verdict of PolicyEnum.DENY. |
| void | incomingRequestPreHandled(RestOperationTypeEnum theOperation, IServerInterceptor.ActionRequestDetails theProcessedRequest): Invoked before an incoming request is processed. |
| boolean | outgoingResponse(RequestDetails theRequestDetails, Bundle theBundle): This method is called after the server implementation method has been called, but before any attempt to stream the response back to the client. |
| boolean | outgoingResponse(RequestDetails theRequestDetails, Bundle theResponseObject, javax.servlet.http.HttpServletRequest theServletRequest, javax.servlet.http.HttpServletResponse theServletResponse): This method is called after the server implementation method has been called, but before any attempt to stream the response back to the client. |
| boolean | outgoingResponse(RequestDetails theRequestDetails, IBaseResource theResponseObject): This method is called after the server implementation method has been called, but before any attempt to stream the response back to the client. |
| boolean | outgoingResponse(RequestDetails theRequestDetails, TagList theResponseObject): This method is called after the server implementation method has been called, but before any attempt to stream the response back to the client. |
| boolean | outgoingResponse(RequestDetails theRequestDetails, TagList theResponseObject, javax.servlet.http.HttpServletRequest theServletRequest, javax.servlet.http.HttpServletResponse theServletResponse): This method is called after the server implementation method has been called, but before any attempt to stream the response back to the client. |
| void | resourceCreated(RequestDetails theRequest, IBaseResource theResource): User code may call this method to indicate to an interceptor that a resource is being created. |
| void | resourceDeleted(RequestDetails theRequest, IBaseResource theResource): User code may call this method to indicate to an interceptor that a resource is being deleted. |
| void | resourceUpdated(RequestDetails theRequest, IBaseResource theResource): User code may call this method to indicate to an interceptor that a resource is being updated. |
| void | setDefaultPolicy(PolicyEnum theDefaultPolicy): The default policy if no rules have been found to apply. |
Methods inherited from class InterceptorAdapter: handleException, incomingRequestPostProcessed, incomingRequestPreProcessed, outgoingResponse, outgoingResponse, outgoingResponse, preProcessOutgoingException, processingCompletedNormally

Methods inherited from class java.lang.Object: clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface IServerInterceptor: handleException, incomingRequestPostProcessed, incomingRequestPreProcessed, outgoingResponse, outgoingResponse, outgoingResponse, preProcessOutgoingException, processingCompletedNormally

Constructor Detail

public AuthorizationInterceptor()
Constructor

public AuthorizationInterceptor(PolicyEnum theDefaultPolicy)
Constructor
Parameters: theDefaultPolicy - The default policy if no rules apply (must not be null)

Method Detail

public AuthorizationInterceptor.Verdict applyRulesAndReturnDecision(RestOperationTypeEnum theOperation, RequestDetails theRequestDetails, IBaseResource theInputResource, IIdType theInputResourceId, IBaseResource theOutputResource)
Specified by: applyRulesAndReturnDecision in interface IRuleApplier

public List<IAuthRule> buildRuleList(RequestDetails theRequestDetails)
Subclasses should override this method to supply the set of rules to be applied to this individual request. Typically this is done by examining theRequestDetails to find out who the current user is and then using a RuleBuilder to create an appropriate rule chain.
Parameters: theRequestDetails - The individual request currently being applied

public PolicyEnum getDefaultPolicy()
The default policy if no rules have been found to apply. Default value for this setting is PolicyEnum.DENY.

protected void handleDeny(AuthorizationInterceptor.Verdict decision)
Handle an access control verdict of PolicyEnum.DENY. Subclasses may override to implement specific behaviour, but the default is to throw ForbiddenOperationException (HTTP 403) with an error message citing the rule name which triggered the failure.
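The pattern described for buildRuleList, getDefaultPolicy and handleDeny, as an added example that is not code from this page or from the HAPI FHIR project: a subclass that resolves the caller, builds a named rule chain with RuleBuilder, and fails closed with PolicyEnum.DENY. It assumes HAPI FHIR 3.x package names (ca.uhn.fhir.rest.api.server.RequestDetails) and the DSTU3 model classes; the class name, resolveCaller() and the bearer token value are hypothetical.

```java
// Added example (not HAPI FHIR project code): buildRuleList() derives the rule
// chain from the caller and relies on PolicyEnum.DENY when no rule matches.
// Assumes HAPI FHIR 3.x packages and the DSTU3 model; resolveCaller() is hypothetical.

import java.util.List;
import org.hl7.fhir.dstu3.model.IdType;
import org.hl7.fhir.dstu3.model.Observation;
import org.hl7.fhir.dstu3.model.Patient;
import ca.uhn.fhir.rest.api.server.RequestDetails;
import ca.uhn.fhir.rest.server.interceptor.auth.AuthorizationInterceptor;
import ca.uhn.fhir.rest.server.interceptor.auth.IAuthRule;
import ca.uhn.fhir.rest.server.interceptor.auth.PolicyEnum;
import ca.uhn.fhir.rest.server.interceptor.auth.RuleBuilder;

public class PatientCompartmentAuthorizationInterceptor extends AuthorizationInterceptor {

    public PatientCompartmentAuthorizationInterceptor() {
        super(PolicyEnum.DENY); // explicit: a request matched by no rule is denied (HTTP 403 via handleDeny)
    }

    @Override
    public List<IAuthRule> buildRuleList(RequestDetails theRequestDetails) {
        String patientId = resolveCaller(theRequestDetails.getHeader("Authorization"));
        if (patientId == null) {
            // Unauthenticated caller: the conformance statement only, everything else denied.
            return new RuleBuilder()
                    .allow("metadata").metadata().andThen()
                    .denyAll("anonymous")
                    .build();
        }
        IdType owner = new IdType("Patient", patientId);
        // Rules are evaluated in order; each is named so the 403 from handleDeny() cites it.
        return new RuleBuilder()
                .allow("metadata").metadata().andThen()
                .allow("read-own-patient").read().resourcesOfType(Patient.class).inCompartment("Patient", owner).andThen()
                .allow("read-own-observations").read().resourcesOfType(Observation.class).inCompartment("Patient", owner).andThen()
                .allow("write-own-patient").write().resourcesOfType(Patient.class).inCompartment("Patient", owner).andThen()
                .denyAll("everything-else")
                .build();
    }

    // Hypothetical token lookup; a real deployment validates the token (e.g. OAuth2 introspection).
    private static String resolveCaller(String authorizationHeader) {
        // Constructed sample: exactly one known bearer token, bound to Patient/123.
        return "Bearer constructed-token-alice".equals(authorizationHeader) ? "123" : null;
    }
}
```

Register the interceptor with RestfulServer.registerInterceptor(); a request outside the caller's Patient compartment then fails with a ForbiddenOperationException naming the "everything-else" rule.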
public void incomingRequestPreHandled(RestOperationTypeEnum theOperation, IServerInterceptor.ActionRequestDetails theProcessedRequest)
Description copied from interface: IServerInterceptor
Invoked before an incoming request is processed. IServerInterceptor.incomingRequestPreHandled(RestOperationTypeEnum, ActionRequestDetails) and IServerInterceptor.incomingRequestPostProcessed(RequestDetails, HttpServletRequest, HttpServletResponse) are. This method may however throw a subclass of BaseServerResponseException, and processing will be aborted with an appropriate error returned to the client.
Specified by: incomingRequestPreHandled in interface IServerInterceptor
Overrides: incomingRequestPreHandled in class InterceptorAdapter
Parameters: theOperation - The type of operation that the FHIR server has determined that the client is trying to invoke
theProcessedRequest - An object which will be populated with the details which were extracted from the raw request by the server, e.g. the FHIR operation type and the parsed resource body (if any).

public boolean outgoingResponse(RequestDetails theRequestDetails, Bundle theBundle)
Description copied from interface: IServerInterceptor
This method is called after the server implementation method has been called, but before any attempt to stream the response back to the client.
Specified by: outgoingResponse in interface IServerInterceptor
Overrides: outgoingResponse in class InterceptorAdapter
Parameters: theBundle - The actual object which is being streamed to the client as a response
Returns: true if processing should continue normally. This is generally the right thing to do. If your interceptor is providing a response rather than letting HAPI handle the response normally, you must return false. In this case, no further processing will occur and no further interceptors will be called.

public boolean outgoingResponse(RequestDetails theRequestDetails, Bundle theResponseObject, javax.servlet.http.HttpServletRequest theServletRequest, javax.servlet.http.HttpServletResponse theServletResponse) throws AuthenticationException
Description copied from interface: IServerInterceptor
This method is called after the server implementation method has been called, but before any attempt to stream the response back to the client.
Specified by: outgoingResponse in interface IServerInterceptor
Overrides: outgoingResponse in class InterceptorAdapter
Parameters: theRequestDetails - A bean containing details about the request that is about to be processed, including details such as the resource type and logical ID (if any) and other FHIR-specific aspects of the request which have been pulled out of the servlet request.
theResponseObject - The actual object which is being streamed to the client as a response
theServletRequest - The incoming request
theServletResponse - The response. Note that interceptors may choose to provide a response (i.e. by calling ServletResponse.getWriter()) but in that case it is important to return false to indicate that the server itself should not also provide a response.
Returns: true if processing should continue normally. This is generally the right thing to do. If your interceptor is providing a response rather than letting HAPI handle the response normally, you must return false. In this case, no further processing will occur and no further interceptors will be called.
Throws: AuthenticationException - This exception may be thrown to indicate that the interceptor has detected an unauthorized access attempt. If thrown, processing will stop and an HTTP 401 will be returned to the client.

public boolean outgoingResponse(RequestDetails theRequestDetails, IBaseResource theResponseObject)
Description copied from interface: IServerInterceptor
This method is called after the server implementation method has been called, but before any attempt to stream the response back to the client.
Specified by: outgoingResponse in interface IServerInterceptor
Overrides: outgoingResponse in class InterceptorAdapter
Parameters: theRequestDetails - A bean containing details about the request that is about to be processed, including details such as the resource type and logical ID (if any) and other FHIR-specific aspects of the request which have been pulled out of the servlet request.
theResponseObject - The actual object which is being streamed to the client as a response
Returns: true if processing should continue normally. This is generally the right thing to do. If your interceptor is providing a response rather than letting HAPI handle the response normally, you must return false. In this case, no further processing will occur and no further interceptors will be called.

public boolean outgoingResponse(RequestDetails theRequestDetails, TagList theResponseObject)
Description copied from interface: IServerInterceptor
This method is called after the server implementation method has been called, but before any attempt to stream the response back to the client.
Specified by: outgoingResponse in interface IServerInterceptor
Overrides: outgoingResponse in class InterceptorAdapter
Parameters: theRequestDetails - A bean containing details about the request that is about to be processed, including details such as the resource type and logical ID (if any) and other FHIR-specific aspects of the request which have been pulled out of the servlet request.
theResponseObject - The actual object which is being streamed to the client as a response
Returns: true if processing should continue normally. This is generally the right thing to do. If your interceptor is providing a response rather than letting HAPI handle the response normally, you must return false. In this case, no further processing will occur and no further interceptors will be called.

public boolean outgoingResponse(RequestDetails theRequestDetails, TagList theResponseObject, javax.servlet.http.HttpServletRequest theServletRequest, javax.servlet.http.HttpServletResponse theServletResponse) throws AuthenticationException
Description copied from interface: IServerInterceptor
This method is called after the server implementation method has been called, but before any attempt to stream the response back to the client.
Specified by: outgoingResponse in interface IServerInterceptor
Overrides: outgoingResponse in class InterceptorAdapter
Parameters: theRequestDetails - A bean containing details about the request that is about to be processed, including details such as the resource type and logical ID (if any) and other FHIR-specific aspects of the request which have been pulled out of the servlet request.
theResponseObject - The actual object which is being streamed to the client as a response
theServletRequest - The incoming request
theServletResponse - The response. Note that interceptors may choose to provide a response (i.e. by calling ServletResponse.getWriter()) but in that case it is important to return false to indicate that the server itself should not also provide a response.
Returns: true if processing should continue normally. This is generally the right thing to do. If your interceptor is providing a response rather than letting HAPI handle the response normally, you must return false. In this case, no further processing will occur and no further interceptors will be called.
Throws: AuthenticationException - This exception may be thrown to indicate that the interceptor has detected an unauthorized access attempt. If thrown, processing will stop and an HTTP 401 will be returned to the client.

public void resourceCreated(RequestDetails theRequest, IBaseResource theResource)
Description copied from interface: IServerOperationInterceptor
User code may call this method to indicate to an interceptor that a resource is being created.
Specified by: resourceCreated in interface IServerOperationInterceptor

public void resourceDeleted(RequestDetails theRequest, IBaseResource theResource)
Description copied from interface: IServerOperationInterceptor
User code may call this method to indicate to an interceptor that a resource is being deleted.
Specified by: resourceDeleted in interface IServerOperationInterceptor

public void resourceUpdated(RequestDetails theRequest, IBaseResource theResource)
Description copied from interface: IServerOperationInterceptor
User code may call this method to indicate to an interceptor that a resource is being updated.
Specified by: resourceUpdated in interface IServerOperationInterceptor

public void setDefaultPolicy(PolicyEnum theDefaultPolicy)
The default policy if no rules have been found to apply. Default value for this setting is PolicyEnum.DENY.
Parameters: theDefaultPolicy - The policy (must not be null)

Copyright © 2014–2017 University Health Network. All rights reserved.