Most web applications use an authorization system to make sure the user is logged in and authorized to execute specific procedures. For example, a simple user will only have read access, while an admin can edit and delete. For every server endpoint, we ask ourselves : "Who has the privilege to access that service ?"
Implementing such a system is deceptively simple using Guice AOP once you have installed Guice Servlet to enable injection of servlet related objects, like HttpSession.
First, we need to create the annotation :
Then we implement the method interceptor :
Obviously, to get the logged in user you need the session. Thanks to Guice Servlet magic, you can inject a session provider in any object.
Finally, we bind the interceptor in the Guice ServletModule :
Don't forget that only objects instantiated by Guice will have their methods intercepted.
For such cross-cutting concerns, we are told that AOP is the key. Intercepting the methods we want to secure and checking authorization levels in a separate security aspect...
One thing that bothers me with such an approach is that when I want to check the access level of a method, I have to go look in the security aspect to see how it was intercepted. I'd rather have a declarative way to explicit the access level of a method, like an annotation :
@AuthorizationRequired(Role.ADMIN) public void securedMethod() {}
Implementing such a system is deceptively simple using Guice AOP once you have installed Guice Servlet to enable injection of servlet related objects, like HttpSession.
First, we need to create the annotation :
@Target(ElementType.METHOD) @Retention(RetentionPolicy.RUNTIME) public @interface AuthorizationRequired{ Role value(); }
Then we implement the method interceptor :
public class AuthorizationInterceptor implements MethodInterceptor { @Inject private Provider<HttpSession> sessionProvider; @Override public Object invoke(MethodInvocation invoc) throws Throwable { Role required = invoc.getMethod().getAnnotation(AuthorizationRequired.class).value(); User user = getUserFromSession(sessionProvider.get()); if (isUserAuthorized(user, required)) return invoc.proceed(); else throw new UnauthorizedException("User is not authorized"); } }
Obviously, to get the logged in user you need the session. Thanks to Guice Servlet magic, you can inject a session provider in any object.
Finally, we bind the interceptor in the Guice ServletModule :
AuthorizationInterceptor interceptor = new AuthorizationInterceptor (); requestInjection(interceptor); bindInterceptor(classMatcher, annotatedWith(AuthorizationRequired.class), interceptor );
Don't forget that only objects instantiated by Guice will have their methods intercepted.
Aucun commentaire:
Enregistrer un commentaire