
1   package com.atlassian.asap.core.server.filter;
2   
3   import com.atlassian.asap.api.Jwt;
4   import org.apache.http.HttpStatus;
5   
6   import javax.servlet.Filter;
7   import javax.servlet.FilterChain;
8   import javax.servlet.FilterConfig;
9   import javax.servlet.ServletException;
10  import javax.servlet.ServletRequest;
11  import javax.servlet.ServletResponse;
12  import javax.servlet.http.HttpServletRequest;
13  import javax.servlet.http.HttpServletResponse;
14  import java.io.IOException;
15  
16  /**
17   * Filters requests that contain authentic JWT tokens based on an authorization policy.
18   */
/**
 * Base class for servlet filters that authorize a request on the strength of a JWT that an earlier
 * filter has already authenticated.
 *
 * <p>The token is taken from the request attribute
 * {@link AbstractRequestAuthenticationFilter#AUTHENTIC_JWT_REQUEST_ATTRIBUTE}; this class does not
 * read the {@code Authorization} header itself, so an {@link AbstractRequestAuthenticationFilter}
 * has to run before it in the chain.
 *
 * <p>{@link #doFilter} is final. Subclasses supply the decision through {@link #isAuthorized} and may
 * tailor the three outcomes through the protected hooks {@link #onTokenNotFound},
 * {@link #onAuthorizationFailure} and {@link #onAuthorizationSuccess}. Of the default hooks only
 * {@link #onAuthorizationSuccess} continues the filter chain; an override of either other hook that
 * calls {@code filterChain.doFilter} grants access to the protected resource, so keep such overrides
 * fail-closed.
 *
 * <p>The class keeps no mutable state of its own.
 */
public abstract class AbstractRequestAuthorizationFilter implements Filter {

    /** Message raised when no authenticated token reached this filter (a chain-wiring error). */
    private static final String MISSING_TOKEN_MESSAGE =
            "Request authorization filter requires an authentic JWT attribute in the request. " +
            "Have you added the authentication filter to the chain?";

    /**
     * No initialisation is needed; the filter reads no configuration parameters.
     *
     * @param filterConfig configuration supplied by the container (unused)
     * @throws ServletException never thrown by this implementation
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // nothing to do
    }

    /**
     * Dispatches the request to exactly one of the outcome hooks: {@link #onTokenNotFound} when the
     * authenticated-JWT attribute is absent, {@link #onAuthorizationSuccess} when
     * {@link #isAuthorized} accepts the token, and {@link #onAuthorizationFailure} otherwise.
     *
     * @param request     incoming request; must be an {@link HttpServletRequest}
     * @param response    outgoing response; must be an {@link HttpServletResponse}
     * @param filterChain remainder of the filter chain
     * @throws IOException      propagated from the hook that handles the outcome
     * @throws ServletException propagated from the hook that handles the outcome
     */
    @Override
    public final void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain)
            throws IOException, ServletException {
        // Only HTTP traffic is supported: the casts fail fast for anything else.
        HttpServletRequest httpReq = (HttpServletRequest) request;
        HttpServletResponse httpResp = (HttpServletResponse) response;

        Jwt token = authenticJwtOf(httpReq);
        if (token == null) {
            onTokenNotFound(httpReq, httpResp, filterChain);
            return;
        }
        if (isAuthorized(httpReq, token)) {
            onAuthorizationSuccess(token, httpReq, httpResp, filterChain);
            return;
        }
        onAuthorizationFailure(token, httpReq, httpResp, filterChain);
    }

    /**
     * Reads the token that the authentication filter stored on the request.
     *
     * @param request HTTP request
     * @return the authentic JWT, or {@code null} when the attribute is not set
     */
    private static Jwt authenticJwtOf(HttpServletRequest request) {
        // An attribute of any other type is a wiring error; the cast fails rather than being ignored.
        return (Jwt) request.getAttribute(AbstractRequestAuthenticationFilter.AUTHENTIC_JWT_REQUEST_ATTRIBUTE);
    }

    /**
     * Decides whether the authenticated token may access the request.
     *
     * @param request HTTP request received
     * @param jwt     authentic and valid JWT extracted from the request
     * @return {@code true} if the token is authorized for the request
     */
    protected abstract boolean isAuthorized(HttpServletRequest request, Jwt jwt);

    /**
     * Hook invoked when the request carries no authenticated token. The default treats this as a
     * configuration error and throws {@link IllegalStateException}, on the assumption that an
     * {@link AbstractRequestAuthenticationFilter} precedes this filter. Overrides that instead
     * continue the chain admit unauthenticated requests.
     *
     * @param request     HTTP request
     * @param response    HTTP response
     * @param filterChain remainder of the filter chain
     * @throws IOException      see exception definition
     * @throws ServletException see exception definition
     */
    protected void onTokenNotFound(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
            throws IOException, ServletException {
        throw new IllegalStateException(MISSING_TOKEN_MESSAGE);
    }

    /**
     * Hook invoked when the token is authentic but {@link #isAuthorized} rejected it. The default
     * answers {@code 403 Forbidden} and does not continue the chain.
     *
     * @param jwt         authentic and valid JWT extracted from the request
     * @param request     HTTP request
     * @param response    HTTP response
     * @param filterChain remainder of the filter chain
     * @throws IOException      see exception definition
     * @throws ServletException see exception definition
     */
    protected void onAuthorizationFailure(Jwt jwt, HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
            throws IOException, ServletException {
        response.sendError(HttpStatus.SC_FORBIDDEN);
    }

    /**
     * Hook invoked when the token is authentic and {@link #isAuthorized} accepted it. The default
     * passes the request down the remaining filter chain.
     *
     * @param jwt         authentic and valid JWT extracted from the request
     * @param request     HTTP request
     * @param response    HTTP response
     * @param filterChain remainder of the filter chain
     * @throws IOException      see exception definition
     * @throws ServletException see exception definition
     */
    protected void onAuthorizationSuccess(Jwt jwt, HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
            throws IOException, ServletException {
        filterChain.doFilter(request, response);
    }

    /** Nothing to release: the filter holds no resources. */
    @Override
    public void destroy() {
        // nothing to do
    }
}