com.silverpeas.web
Class UserPriviledgeValidation

java.lang.Object
  com.silverpeas.web.UserPriviledgeValidation

@Named
public class UserPriviledgeValidation
extends Object

It is a decorator of a REST-based web service that provides access to the validation of the authentification and of the authorization for a caller to request the decorated web service. Indeed, the validation mechanisme is encapsulated within the RESTWebService as it requires access to the incoming HTTP request as well to the current user session if any. In order to delegate externally the validation triggering,

Field Summary

static String	HTTP_AUTHORIZATION The standard HTTP header parameter in an incoming request that carries user credentials information in order to open an authorized connexion with the web service that backs the refered resource.
static String	HTTP_SESSIONKEY The HTTP header paremeter in an incoming request that carries the user session key.

Constructor Summary

UserPriviledgeValidation()

Method Summary

UserPriviledgeValidation	skipLastUserAccessTimeRegistering(javax.servlet.http.HttpServletRequest request) Sets into the request attributes the SKIP_LAST_USER_ACCESS_TIME_REGISTERING attribute to true.
SessionInfo	validateUserAuthentication(javax.servlet.http.HttpServletRequest request) Validates the authentication of the user at the origin of a web request.
void	validateUserAuthorizationOnAttachment(javax.servlet.http.HttpServletRequest request, UserDetail user, SimpleDocument doc) Validates the authorization of the specified user to access the specified attachment.
void	validateUserAuthorizationOnComponentInstance(UserDetail user, String instanceId) Validates the authorization of the specified user to access the component instance with the specified unique identifier.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

HTTP_SESSIONKEY

public static final String HTTP_SESSIONKEY

The HTTP header paremeter in an incoming request that carries the user session key. By the user session key could be passed a user token to perform a HTTP request without opening a session. This parameter isn't mandatory as the session key can be found from an active HTTP session. If neither HTTP session nor session key is available for the incoming request, user credentials must be passed in the standard HTTP header parameter Authorization.

See Also:

Constant Field Values

HTTP_AUTHORIZATION

public static final String HTTP_AUTHORIZATION

The standard HTTP header parameter in an incoming request that carries user credentials information in order to open an authorized connexion with the web service that backs the refered resource. This parameter must be used when requests aren't sent through an opened HTTP session. It should be the prefered way for a REST client to access resources in Silverpeas as it offers better scalability.

See Also:

Constant Field Values

Constructor Detail

UserPriviledgeValidation

public UserPriviledgeValidation()

Method Detail

validateUserAuthentication

public SessionInfo validateUserAuthentication(javax.servlet.http.HttpServletRequest request)
                                       throws javax.ws.rs.WebApplicationException

Validates the authentication of the user at the origin of a web request. The validation checks first the user is already authenticated and then it has a valid opened session in Silverpeas. Otherwise it attempts to open a new session for the user by using its credentials passed through the request (as an HTTP header). Once the authentication succeed, the identification of the user is done and detail about it can then be got. A runtime exception is thrown with an HTTP status code UNAUTHORIZED (401) at validation failure. The validation fails when one of the belowed situation is occuring:

• The user session key is invalid;
• The user isn't authenticated and no credentials are passed with the request;
• The user authentication failed.

Parameters:

request - the HTTP request from which the authentication of the caller can be done.

Returns:

the opened session of the user at the origin of the specified request.

Throws:

javax.ws.rs.WebApplicationException - exception if the validation failed.

skipLastUserAccessTimeRegistering

public UserPriviledgeValidation skipLastUserAccessTimeRegistering(javax.servlet.http.HttpServletRequest request)

Sets into the request attributes the SKIP_LAST_USER_ACCESS_TIME_REGISTERING attribute to true.

Parameters:

request - the current request performed.

Returns:

itself.

validateUserAuthorizationOnComponentInstance

public void validateUserAuthorizationOnComponentInstance(UserDetail user,
                                                         String instanceId)
                                                  throws javax.ws.rs.WebApplicationException

Validates the authorization of the specified user to access the component instance with the specified unique identifier.

Parameters:

user - the user for whom the authorization has to be validated.

instanceId - the unique identifier of the accessed component instance.

Throws:

javax.ws.rs.WebApplicationException - exception if the validation failed.

validateUserAuthorizationOnAttachment

public void validateUserAuthorizationOnAttachment(javax.servlet.http.HttpServletRequest request,
                                                  UserDetail user,
                                                  SimpleDocument doc)
                                           throws javax.ws.rs.WebApplicationException

Validates the authorization of the specified user to access the specified attachment.

Parameters:

request - the HTTP request from which the authentication of the caller can be done.

user - the user for whom the authorization has to be validated.

doc - the document accessed.

Throws:

javax.ws.rs.WebApplicationException - exception if the validation failed.