SecurityInterceptor.java 3.95 KB
package etunicorn;

import etunicorn.controller.BaseController;
import etunicorn.entity.Permission;
import etunicorn.entity.Session;
import etunicorn.repository.PermissionRepository;
import etunicorn.service.SessionService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.transaction.annotation.Transactional;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

/**
 * etunicorn-server
 * Copyright © 2017 Le Club Info Polytech Lille
 * Tous droits réservés
 */
public class SecurityInterceptor extends HandlerInterceptorAdapter {
    @Autowired
    SessionService sessionService;
    @Autowired
    PermissionRepository permissionRepository;

    public SecurityInterceptor() {
        super();
    }

    private void responseEntityToServletResponse(ResponseEntity responseEntity, HttpServletResponse response) throws IOException {
        HttpHeaders httpHeaders = responseEntity.getHeaders();
        for (String header : httpHeaders.keySet()) {
            for (String headerValue : httpHeaders.get(header)) {
                response.setHeader(header, headerValue);
            }
        }
        response.getWriter().write(responseEntity.getBody().toString());
    }

    @Override
    @Transactional
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
        Session session = sessionService.getSession(request);

        HandlerMethod method = (HandlerMethod) handler;
        RestrictedTo annotation = method.getMethodAnnotation(RestrictedTo.class);

        if (annotation != null) {
            Permission requiredPermission = permissionRepository.findByNom(annotation.value());

            if (annotation.authentifie()) {
                BaseController baseController = new BaseController();
                baseController.setRequest(request);

                if (requiredPermission == null) {
                    response.setStatus(HttpStatus.NOT_IMPLEMENTED.value());

                    ResponseEntity responseEntity = baseController.generateError(HttpStatus.NOT_IMPLEMENTED);
                    responseEntityToServletResponse(responseEntity, response);
                    return false;
                }

                if (session == null) {
                    ResponseEntity responseEntity = baseController.generateError(HttpStatus.UNAUTHORIZED);
                    responseEntityToServletResponse(responseEntity, response);
                    return false;
                } else {
                    if (!session.hasPermission(requiredPermission)) {
                        ResponseEntity responseEntity = baseController.generateError(HttpStatus.FORBIDDEN);
                        responseEntityToServletResponse(responseEntity, response);
                        return false;
                    }
                }
            }
        }
        return super.preHandle(request, response, handler);
    }

    @Override
    public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) throws Exception {
        super.postHandle(request, response, handler, modelAndView);
    }

    @Override
    public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) throws Exception {
        super.afterCompletion(request, response, handler, ex);
    }

    @Override
    public void afterConcurrentHandlingStarted(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
        super.afterConcurrentHandlingStarted(request, response, handler);
    }
}