--- /dev/null
+package com.prueba.authorization.persistence.dao;
+
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import javax.sql.DataSource;
+
+import com.prueba.core.context.integration.database.impl.DataBaseAccessImpl;
+import com.prueba.core.context.web.application.ApplicationWebContext;
+
+public class AuthorizationDao {
+ public static final String URL_PATTERN = "URL_PATTERN";
+ public static final String HTTP_METHOD = "HTTP_METHOD";
+
+ public List<Map<String, String>> findURLsByUserName(String userName) {
+ final DataSource dataSource = ApplicationWebContext.getInstance().getDataSource();
+ final DataBaseAccessImpl dataBaseAccess = new DataBaseAccessImpl(dataSource);
+
+ return dataBaseAccess.executeQuery(""
+ + "SELECT APP_RES.URL_PATTERN, APP_RES.HTTP_METHOD FROM APPLICATION_ROLE APP_ROLE "
+ + "INNER JOIN APPLICATION_RESOURCE_APPLICATION_ROLE APP_RES_APP_ROLE ON APP_ROLE.CODE = APP_RES_APP_ROLE.APPLICATION_ROLE_CODE "
+ + "INNER JOIN APPLICATION_RESOURCE APP_RES ON APP_RES.URL_PATTERN = APP_RES_APP_ROLE.APPLICATION_RESOURCE_URL_PATTERN "
+ + "INNER JOIN ACCOUNT ACC ON ACC.APPLICATION_ROLE_CODE = APP_ROLE.CODE "
+ + "WHERE ACC.CODE = ? ",
+ answer ->
+ {
+ final List<Map<String, String>> result = new ArrayList<>();
+ while (answer.next()) {
+ final Map<String, String> row = new HashMap<>();
+ String urlPatternValue = answer.getString(URL_PATTERN);
+ String httpMethodValue = answer.getString(HTTP_METHOD);
+ row.put(URL_PATTERN, urlPatternValue);
+ row.put(HTTP_METHOD, httpMethodValue);
+ result.add(row);
+ }
+
+ return result;
+ },
+ preparedStatement -> {
+ preparedStatement.setString(1, userName);
+ });
+ }
+}
+
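Review bot: `findURLsByUserName` has no Javadoc, and its contract is only discoverable by reading the query and the row mapper; a caller cannot tell from the signature that `userName` is bound to `ACCOUNT.CODE` or which keys each returned map carries. I would add a Javadoc along the lines of `/** Returns one map per resource granted to the account whose CODE equals {@code userName}; each map holds the {@link #URL_PATTERN} and {@link #HTTP_METHOD} column values (possibly null). Returns an empty list when the account has no resources. */`. The constants `URL_PATTERN` and `HTTP_METHOD` serve both as JDBC column labels and as map keys, which is worth a one-line comment so nobody renames one without the other. As a point of style, the multi-line concatenated query starting with `""` on line 22 would read better as a `private static final String` constant, and `DataBaseAccessImpl` being constructed on every call is presumably intended to match the rest of the project, but worth confirming.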
--- /dev/null
+package com.prueba.authorization.services.impl;
+
+import java.util.List;
+import java.util.Map;
+
+import com.prueba.authorization.persistence.dao.AuthorizationDao;
+
+public class AuthorizationServicesImpl {
+
+ public boolean isAuthorized(String httpMethod, String url, String userName) {
+ final AuthorizationDao dao = new AuthorizationDao();
+
+ final List<Map<String, String>> urls = dao.findURLsByUserName(userName);
+
+ return urls.stream().anyMatch(urlMap ->
+ {
+ String urlPatternValue = urlMap.get(AuthorizationDao.URL_PATTERN);
+ String httpMethodValue = urlMap.get(AuthorizationDao.HTTP_METHOD);
+
+ return urlPatternValue.equals(url) && httpMethodValue.equals(httpMethod);
+ });
+
+ }
+}
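Review bot: The match in `isAuthorized` is a literal `equals` on the stored pattern, so patterns with placeholders such as the seeded `/app/api/{username}` rows can never match a real request and those endpoints are always denied; the result is fail-closed, but the feature does not work for them, and the caller in `PagesHandler` passes `getRequestURI().toString()`, so any query string also defeats the comparison. If the project intends template-style patterns this needs a real matcher (for example `Pattern`-based or segment-wise comparison on the request path only); if only exact paths are intended, the seed data should not contain placeholders. Independently, a null `URL_PATTERN` or `HTTP_METHOD` column value throws `NullPointerException` inside the stream; reversing the receivers is null-safe given non-null arguments: `return url.equals(urlPatternValue) && httpMethod.equals(httpMethodValue);`. A short Javadoc stating that both comparisons are exact and case-sensitive would make the current behaviour explicit.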
import org.slf4j.LoggerFactory;
import com.prueba.core.context.integration.database.DataBaseAccess;
-import com.prueba.core.context.integration.datasource.impl.DoDataSourceContext;
public class DataBaseAccessImpl implements DataBaseAccess {
private static final Logger LOGGER = LoggerFactory.getLogger(DataBaseAccessImpl.class);
import java.io.IOException;
import java.net.URI;
+import com.prueba.authorization.services.impl.AuthorizationServicesImpl;
import com.prueba.core.context.security.persistence.SessionInfo;
import com.prueba.core.context.security.persistence.Sessions;
import com.prueba.resources.controllers.PagesController;
private static final String SERVER_ADDRESS = "http://localhost:8080";
private final PagesController pagesController = new PagesController();
+ private final AuthorizationServicesImpl authorizationService = new AuthorizationServicesImpl();
private final HttpHandler sessionHandler;
public PagesHandler(HttpHandler sessionHandler) {
final SessionInfo sessionInfo = SessionHandler.getLocalSession();
if (Sessions.getInstance().isValidSession(httpExchange)) {
- pagesController.handle(httpExchange);
+ if(authorizationService.isAuthorized(httpExchange.getRequestMethod(),
+ httpExchange.getRequestURI().toString(), sessionInfo.getUsername())) {
+
+ pagesController.handle(httpExchange);
+
+ } else {
+ httpExchange.sendResponseHeaders(403, 0);
+ }
Sessions.getInstance().refreshSession(sessionInfo.getUUID(), sessionInfo.getUsername());
} else {
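Review bot: The 403 branch calls `httpExchange.sendResponseHeaders(403, 0)` but never writes or closes the response body; with `com.sun.net.httpserver`, a response length of 0 selects chunked encoding, so the client receives headers and then waits for a body that never arrives. For an empty body use a length of -1 and close the exchange: `httpExchange.sendResponseHeaders(403, -1);` followed by `httpExchange.close();`. The authorization check is also fed `getRequestURI().toString()`, which includes any query string, so an otherwise-allowed URL is denied as soon as a parameter is appended; comparing on `getRequestURI().getPath()` is presumably what was intended, but confirm against how `AuthorizationServicesImpl.isAuthorized` is meant to match. The enclosing `handle` method starts and ends outside this hunk.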
('/app/pages/page_1.html', 'GET', 'ROLE_APP_PAGE_1'),
('/app/pages/page_2.html', 'GET', 'ROLE_APP_PAGE_2'),
('/app/pages/page_3.html', 'GET', 'ROLE_APP_PAGE_3'),
+('/app/pages/page_1.html', 'GET', 'ROLE_APP_ADMIN'),
+('/app/pages/page_2.html', 'GET', 'ROLE_APP_ADMIN'),
+('/app/pages/page_3.html', 'GET', 'ROLE_APP_ADMIN'),
('/app/api/{username}', 'GET', 'ROLE_APP_PAGE_1'),
('/app/api/{username}', 'GET', 'ROLE_APP_PAGE_2'),
('/app/api/{username}', 'GET', 'ROLE_APP_PAGE_3'),
INSERT INTO ACCOUNT (CODE, NAME, SURNAME, PASSWORD, APPLICATION_ROLE_CODE) values
('GUMARTIN', 'Gustavo', 'Martin Morcuende', 'lame', 'ROLE_APP_ADMIN'),
-('USER1', 'Gustavo', 'Martin Morcuende', 'god', 'ROLE_APP_PAG_1'),
-('USER2', 'Gustavo', 'Martin Morcuende', 'root', 'ROLE_APP_PAG_2');
+('USER1', 'Gustavo', 'Martin Morcuende', 'god', 'ROLE_APP_PAGE_1'),
+('USER2', 'Gustavo', 'Martin Morcuende', 'root', 'ROLE_APP_PAGE_2');