Skip to content

Add hooks to specify access controls to various service endpoints #135

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
ryanrdoherty merged 6 commits into from
Feb 11, 2026
Merged

Add hooks to specify access controls to various service endpoints #135

Changes from 4 commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
7cc100c
Change superclass API to enable easy configuring of endpoint access r…
ryanrdoherty Feb 11, 2026
bca824e
Merge branch 'master' into hide-jbrowse
Feb 11, 2026
16a91d7
Slight exception handling change
ryanrdoherty Feb 11, 2026
42bd210
Merge branch 'hide-jbrowse' of github.com:VEuPathDB/WDK into hide-jbr…
ryanrdoherty Feb 11, 2026
4cab27e
Clearer comments on new methods
ryanrdoherty Feb 11, 2026
47daab7
Fix logic for guests
ryanrdoherty Feb 11, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
56 changes: 44 additions & 12 deletions Service/src/main/java/org/gusdb/wdk/service/filter/CheckLoginFilter.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@
import javax.inject.Provider;
import javax.servlet.ServletContext;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.ForbiddenException;
import javax.ws.rs.NotAuthorizedException;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
Expand Down Expand Up @@ -57,9 +58,29 @@ public class CheckLoginFilter implements ContainerRequestFilter, ContainerRespon
@Inject
protected Provider<Request> _grizzlyRequest;

/*************** The following three methods control the default behavior for WDK endpoints ************/

// override and add paths to this list if no authentication is required AND'
// no guest user should be created for this request
protected boolean isPathToSkip(String path) {
// skip user check for prometheus metrics requests
return SystemService.PROMETHEUS_ENDPOINT_PATH.equals(path);
}

// override and add paths to this list if valid token is required (no guest will be created)
protected boolean isValidTokenRequired(String path) {
return false;
}

// authentication is required AND
// if token is absent or expired, create new guest to use for this request
protected boolean isGuestUserAllowed(String path) {
return true;
}

@Override
public void filter(ContainerRequestContext requestContext) throws IOException {
// skip endpoints which do not require a user; prevents guests from being unnecessarily created
// skip endpoints which do not require auth nor a guest user; prevents guests from being unnecessarily created
String requestPath = requestContext.getUriInfo().getPath();
if (isPathToSkip(requestPath)) return;

Expand All @@ -72,16 +93,32 @@ public void filter(ContainerRequestContext requestContext) throws IOException {

try {
if (rawToken == null) {
// no credentials submitted; automatically create a guest to use on this request
useNewGuest(factory, request, requestContext, requestPath);
// no credentials submitted; check requirements of this path
if (isValidTokenRequired(requestPath)) {
LOG.warn("Did not received bearer token as required for path:" + requestPath);
throw new NotAuthorizedException(Response.status(Status.UNAUTHORIZED).build());
}
// if allowed, automatically create a guest to use on this request
if (isGuestUserAllowed(requestPath)) {
useNewGuest(factory, request, requestContext, requestPath);
return;
}
// no authentication provided, and guests are disallowed
throw new NotAuthorizedException(Response.status(Status.UNAUTHORIZED).build());
}
else {
try {
// validate submitted token
ValidatedToken token = factory.validateBearerToken(rawToken);
User user = factory.convertToUser(token);
setRequestAttributes(request, token, user);
LOG.info("Validated successfully. Request will be processed for user " + user.getUserId());
if (isGuestUserAllowed(requestPath)) {
setRequestAttributes(request, token, user);
LOG.info("Validated successfully. Request will be processed for user " + user.getUserId());
}
else {
// valid guest token submitted, but guests disallowed for this path
throw new ForbiddenException();
}
}
catch (ExpiredTokenException e) {
// token is expired; use guest token for now which should inspire them to log back in
Expand All @@ -94,10 +131,10 @@ public void filter(ContainerRequestContext requestContext) throws IOException {
}
}
}
catch (Exception e) {
catch (WdkModelException | RuntimeException e) {
// any other exception is fatal, but log first
LOG.error("Unable to authenticate with Authorization header " + rawToken, e);
throw e instanceof RuntimeException ? (RuntimeException)e : new WdkRuntimeException(e);
throw e instanceof WdkModelException ? new WdkRuntimeException(e) : (RuntimeException)e;
}
}

Expand Down Expand Up @@ -131,11 +168,6 @@ private String findRawBearerToken(RequestData request, ContainerRequestContext r
return cookie == null ? null : cookie.getValue();
}

protected boolean isPathToSkip(String path) {
// skip user check for prometheus metrics requests
return SystemService.PROMETHEUS_ENDPOINT_PATH.equals(path);
}

@Override
public void filter(ContainerRequestContext requestContext, ContainerResponseContext responseContext)
throws IOException {
Expand Down