
1   package com.atlassian.asap.core.server.jersey;
2   
3   import com.atlassian.asap.api.Jwt;
4   import com.atlassian.asap.api.exception.AuthorizationFailedException;
5   import com.google.common.collect.ImmutableSet;
6   import com.sun.jersey.api.core.HttpRequestContext;
7   
8   import java.util.Set;
9   
10  /**
11   * Decides if a request is authorized based on whitelists for the issuer and effective subject.
12   */
public class WhitelistJerseyRequestAuthorizer implements JerseyRequestAuthorizer {
    /** Effective subjects allowed to act against this service; snapshot taken at construction. */
    private final Set<String> authorizedSubjects;
    /** Issuers whose tokens this service accepts; snapshot taken at construction. */
    private final Set<String> authorizedIssuers;

    /**
     * Creates an authorizer backed by two whitelists.
     *
     * @param authorizedSubjects effective subjects (see {@link #authorize}) that are allowed
     * @param authorizedIssuers  issuers that are allowed
     * @throws NullPointerException if either argument, or any element of it, is {@code null}
     *                              ({@code ImmutableSet.copyOf} rejects nulls)
     */
    public WhitelistJerseyRequestAuthorizer(Iterable<String> authorizedSubjects, Iterable<String> authorizedIssuers) {
        // Defensive, immutable copies: later changes to the caller's collections must not widen the whitelists.
        this.authorizedSubjects = ImmutableSet.copyOf(authorizedSubjects);
        this.authorizedIssuers = ImmutableSet.copyOf(authorizedIssuers);
    }

    /**
     * Rejects the token unless both its issuer and its effective subject are whitelisted.
     * <p>
     * The issuer is checked first. The effective subject is the {@code sub} claim or, when that claim is
     * absent, the issuer itself — so an issuer-only token is authorized exactly when the issuer appears in
     * the subject whitelist too. {@code requestContext} is not consulted. The failure messages deliberately do
     * not echo the rejected claim values.
     *
     * @param authenticJwt   a token whose signature has already been verified (this class does not verify it)
     * @param requestContext the request being authorized; unused here
     * @throws AuthorizationFailedException if the issuer or the effective subject is not whitelisted
     */
    @Override
    public void authorize(Jwt authenticJwt, HttpRequestContext requestContext) throws AuthorizationFailedException {
        String issuer = authenticJwt.getClaims().getIssuer();
        requireWhitelisted(authorizedIssuers, issuer, "Issuer is not authorized");

        // A token without a `sub` claim acts on behalf of its issuer, so the issuer is judged as the subject.
        String effectiveSubject = authenticJwt.getClaims().getSubject().orElse(issuer);
        requireWhitelisted(authorizedSubjects, effectiveSubject, "Effective subject is not authorized");
    }

    /**
     * Throws {@code AuthorizationFailedException} carrying {@code failureMessage} unless {@code value} is in
     * {@code whitelist}. A {@code null} value is never contained and is therefore rejected.
     */
    private static void requireWhitelisted(Set<String> whitelist, String value, String failureMessage)
            throws AuthorizationFailedException {
        if (whitelist.contains(value)) {
            return;
        }
        throw new AuthorizationFailedException(failureMessage);
    }
}