AuthorizationHandler xref

View Javadoc

1   package org.astrogrid.applications.service.v1.cea;
2   
3   import java.security.Principal;
4   import org.apache.axis.AxisFault;
5   import org.apache.axis.MessageContext;
6   import org.apache.axis.description.OperationDesc;
7   import org.apache.axis.handlers.BasicHandler;
8   import org.apache.log4j.Logger;
9   import org.astrogrid.security.AxisServiceSecurityGuard;
10  
11  /***
12   * A handler to check authorization of requests to CEA services.
13   * 
14   * The checks are minimal: only the init and execute operations are
15   * checked (no authorization is required for the others); and any caller
16   * who authenticates is considered authorized. Unauthorized requests are
17   * rejected by throwing AxisFaults.
18   *
19   * This handler must be deployed in the request chain to function properly and
20   * AxisServiceCredentialHandler must precede it in that chain.
21   *
22   * @author Guy Rixon
23   */
24  public class AuthorizationHandler extends BasicHandler {
25    
26    private static Logger log = Logger.getLogger(AuthorizationHandler.class);
27    
28    /*** Creates a new instance of AuthorizationHandler */
29    public AuthorizationHandler() {
30      super();
31    }
32    
33    /***
34     * Handles a request message.
35     * Gets name of the web-service operation and calls the
36     * authorization check.
37     */
38    public void invoke(MessageContext msgContext) throws AxisFault {
39      
40      // Find out which web-service operation has been called.
41      // This allows the authorization to discrimination between operations.
42      OperationDesc operation = msgContext.getOperation();
43      if (operation == null) {
44        log.info("Axis cannot tell the web-service operation.");
45      }
46      else {
47        this.checkAuthorization(operation);
48      }
49    }
50    
51    /***
52     * Checks authorization for an operation based on a signed request.
53     * The authenticated identity of the caller is available from the security
54     * facade (assuming that this code is used in the intended environment -
55     * see the Javadoc comments for the class). Throws an Axis fault if 
56     * authorization is denied.
57     *
58     * The 'init' and 'execute' operations are authorized for any authenticated
59     * caller. The other operations are authorized for any caller, whether or
60     * not authenticated.
61     */
62    protected void checkAuthorization(OperationDesc operation) throws AxisFault {
63      String name = operation.getName();
64      if ("init".equals(name) || "execute".equals(name)) {
65        AxisServiceSecurityGuard guard 
66            = AxisServiceSecurityGuard.getInstanceFromContext();
67        Principal x500 = guard.getX500Principal();
68        if (x500 != null) {
69          log.info(x500.getName() + " is authorized to use operation '" + name + "'.");
70        }
71        else {
72          String message = "A request for operation '" + name +
73                           "' was rejected because the caller was not authenticated.";
74          log.info(message);
75          throw new AxisFault(message);
76        }
77      }
78      else {
79        log.info("Authorization is not required for operation '" + name + "'.");
80      }
81    }
82    
83  }