Change superclass API to enable easy configuring of endpoint access rules

Author: ryanrdoherty

Service/src/main/java/org/gusdb/wdk/service/filter/CheckLoginFilter.java

@@ -7,6 +7,7 @@
 import javax.inject.Provider;
 import javax.servlet.ServletContext;
 import javax.servlet.http.HttpServletRequest;
+import javax.ws.rs.ForbiddenException;
 import javax.ws.rs.NotAuthorizedException;
 import javax.ws.rs.container.ContainerRequestContext;
 import javax.ws.rs.container.ContainerRequestFilter;
@@ -57,6 +58,26 @@ public class CheckLoginFilter implements ContainerRequestFilter, ContainerRespon
   @Inject
   protected Provider<Request> _grizzlyRequest;
 
+  /*************** The following methods control the default behavior for WDK endpoints ************/
+
+  // override and add paths to this list if no authentication is required AND'
+  //   no guest user should be created for this request
+  protected boolean isPathToSkip(String path) {
+    // skip user check for prometheus metrics requests
+    return SystemService.PROMETHEUS_ENDPOINT_PATH.equals(path);
+  }
+
+  // override and add paths to this list if valid token is required (no guest will be created)
+  protected boolean isValidTokenRequired(String path) {
+    return false;
+  }
+
+  // authentication is required AND
+  //   if token is absent or expired, create new guest to use for this request
+  protected boolean isGuestUserAllowed(String path) {
+    return true;
+  }
+
   @Override
   public void filter(ContainerRequestContext requestContext) throws IOException {
     // skip endpoints which do not require a user; prevents guests from being unnecessarily created
@@ -72,16 +93,32 @@ public void filter(ContainerRequestContext requestContext) throws IOException {
 
     try {
       if (rawToken == null) {
-        // no credentials submitted; automatically create a guest to use on this request
-        useNewGuest(factory, request, requestContext, requestPath);
+        // no credentials submitted; check requirements of this path
+        if (isValidTokenRequired(requestPath)) {
+          LOG.warn("Did not received bearer token as required for path:" + requestPath);
+          throw new NotAuthorizedException(Response.status(Status.UNAUTHORIZED).build());
+        }
+        // if allowed, automatically create a guest to use on this request
+        if (isGuestUserAllowed(requestPath)) {
+          useNewGuest(factory, request, requestContext, requestPath);
+          return;
+        }
+        // no authentication provided, and guests are disallowed
+        throw new NotAuthorizedException(Response.status(Status.UNAUTHORIZED).build());
       }
       else {
         try {
           // validate submitted token
           ValidatedToken token = factory.validateBearerToken(rawToken);
           User user = factory.convertToUser(token);
-          setRequestAttributes(request, token, user);
-          LOG.info("Validated successfully.  Request will be processed for user " + user.getUserId());
+          if (isGuestUserAllowed(requestPath)) {
+            setRequestAttributes(request, token, user);
+            LOG.info("Validated successfully.  Request will be processed for user " + user.getUserId());
+          }
+          else {
+            // valid guest token submitted, but guests disallowed for this path
+            throw new ForbiddenException();
+          }
         }
         catch (ExpiredTokenException e) {
           // token is expired; use guest token for now which should inspire them to log back in
@@ -131,11 +168,6 @@ private String findRawBearerToken(RequestData request, ContainerRequestContext r
     return cookie == null ? null : cookie.getValue();
   }
 
-  protected boolean isPathToSkip(String path) {
-    // skip user check for prometheus metrics requests
-    return SystemService.PROMETHEUS_ENDPOINT_PATH.equals(path);
-  }
-
   @Override
   public void filter(ContainerRequestContext requestContext, ContainerResponseContext responseContext)
       throws IOException {