Package ca.uhn.fhir.rest.server.interceptor.auth

Class AuthorizationInterceptor

java.lang.Object

ca.uhn.fhir.rest.server.interceptor.auth.AuthorizationInterceptor

All Implemented Interfaces:

IRuleApplier

public class AuthorizationInterceptor
extends Object
implements IRuleApplier

This class is a base class for interceptors which can be used to inspect requests and responses to determine whether the calling user has permission to perform the given action.

See the HAPI FHIR Documentation on Server Security for information on how to use this interceptor.

See Also:

SearchNarrowingInterceptor

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static class	AuthorizationInterceptor.Verdict

Constructor Summary

Constructors

Constructor	Description
AuthorizationInterceptor()	Constructor
AuthorizationInterceptor(PolicyEnum theDefaultPolicy)	Constructor

Method Summary

Modifier and Type	Method	Description
AuthorizationInterceptor.Verdict	applyRulesAndReturnDecision(ca.uhn.fhir.rest.api.RestOperationTypeEnum theOperation, RequestDetails theRequestDetails, org.hl7.fhir.instance.model.api.IBaseResource theInputResource, org.hl7.fhir.instance.model.api.IIdType theInputResourceId, org.hl7.fhir.instance.model.api.IBaseResource theOutputResource, ca.uhn.fhir.interceptor.api.Pointcut thePointcut)
List<IAuthRule>	buildRuleList(RequestDetails theRequestDetails)	Subclasses should override this method to supply the set of rules to be applied to this individual request.
PolicyEnum	getDefaultPolicy()	The default policy if no rules have been found to apply.
Set<AuthorizationFlagsEnum>	getFlags()	This property configures any flags affecting how authorization is applied.
protected void	handleDeny(RequestDetails theRequestDetails, AuthorizationInterceptor.Verdict decision)	Handle an access control verdict of PolicyEnum.DENY.
protected void	handleDeny(AuthorizationInterceptor.Verdict decision)	This method should not be overridden.
void	hookCascadeDeleteForConflict(RequestDetails theRequestDetails, ca.uhn.fhir.interceptor.api.Pointcut thePointcut, org.hl7.fhir.instance.model.api.IBaseResource theResourceToDelete)
void	hookOutgoingResponse(RequestDetails theRequestDetails, org.hl7.fhir.instance.model.api.IBaseResource theResponseObject, ca.uhn.fhir.interceptor.api.Pointcut thePointcut)
void	hookPreShow(RequestDetails theRequestDetails, IPreResourceShowDetails theDetails, ca.uhn.fhir.interceptor.api.Pointcut thePointcut)
void	hookResourcePreCreate(RequestDetails theRequest, org.hl7.fhir.instance.model.api.IBaseResource theResource, ca.uhn.fhir.interceptor.api.Pointcut thePointcut)
void	hookResourcePreDelete(RequestDetails theRequest, org.hl7.fhir.instance.model.api.IBaseResource theResource, ca.uhn.fhir.interceptor.api.Pointcut thePointcut)
void	hookResourcePreUpdate(RequestDetails theRequest, org.hl7.fhir.instance.model.api.IBaseResource theOldResource, org.hl7.fhir.instance.model.api.IBaseResource theNewResource, ca.uhn.fhir.interceptor.api.Pointcut thePointcut)
void	incomingRequestPreHandled(RequestDetails theRequest, ca.uhn.fhir.interceptor.api.Pointcut thePointcut)
void	setDefaultPolicy(PolicyEnum theDefaultPolicy)	The default policy if no rules have been found to apply.
AuthorizationInterceptor	setFlags(AuthorizationFlagsEnum... theFlags)	This property configures any flags affecting how authorization is applied.
AuthorizationInterceptor	setFlags(Collection<AuthorizationFlagsEnum> theFlags)	This property configures any flags affecting how authorization is applied.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

AuthorizationInterceptor

public AuthorizationInterceptor()

Constructor

AuthorizationInterceptor

public AuthorizationInterceptor(PolicyEnum theDefaultPolicy)

Constructor

Parameters:

theDefaultPolicy - The default policy if no rules apply (must not be null)

Method Detail

applyRulesAndReturnDecision

public AuthorizationInterceptor.Verdict applyRulesAndReturnDecision(ca.uhn.fhir.rest.api.RestOperationTypeEnum theOperation,
                                                                    RequestDetails theRequestDetails,
                                                                    org.hl7.fhir.instance.model.api.IBaseResource theInputResource,
                                                                    org.hl7.fhir.instance.model.api.IIdType theInputResourceId,
                                                                    org.hl7.fhir.instance.model.api.IBaseResource theOutputResource,
                                                                    ca.uhn.fhir.interceptor.api.Pointcut thePointcut)

Specified by:

applyRulesAndReturnDecision in interface IRuleApplier

buildRuleList

public List<IAuthRule> buildRuleList(RequestDetails theRequestDetails)

Subclasses should override this method to supply the set of rules to be applied to this individual request.

Typically this is done by examining theRequestDetails to find out who the current user is and then using a RuleBuilder to create an appropriate rule chain.

Parameters:

theRequestDetails - The individual request currently being applied

getDefaultPolicy

public PolicyEnum getDefaultPolicy()

The default policy if no rules have been found to apply. Default value for this setting is PolicyEnum.DENY

setDefaultPolicy

public void setDefaultPolicy(PolicyEnum theDefaultPolicy)

The default policy if no rules have been found to apply. Default value for this setting is PolicyEnum.DENY

Parameters:

theDefaultPolicy - The policy (must not be null)

getFlags

public Set<AuthorizationFlagsEnum> getFlags()

This property configures any flags affecting how authorization is applied. By default no flags are applied.

See Also:

setFlags(Collection)

setFlags

public AuthorizationInterceptor setFlags(Collection<AuthorizationFlagsEnum> theFlags)

This property configures any flags affecting how authorization is applied. By default no flags are applied.

Parameters:

theFlags - The flags (must not be null)

See Also:

setFlags(AuthorizationFlagsEnum...)

setFlags

public AuthorizationInterceptor setFlags(AuthorizationFlagsEnum... theFlags)

This property configures any flags affecting how authorization is applied. By default no flags are applied.

Parameters:

theFlags - The flags (must not be null)

See Also:

setFlags(Collection)

handleDeny

protected void handleDeny(RequestDetails theRequestDetails,
                          AuthorizationInterceptor.Verdict decision)

Handle an access control verdict of PolicyEnum.DENY.

Subclasses may override to implement specific behaviour, but default is to throw ForbiddenOperationException (HTTP 403) with error message citing the rule name which trigered failure

Since:

HAPI FHIR 3.6.0

handleDeny

protected void handleDeny(AuthorizationInterceptor.Verdict decision)

This method should not be overridden. As of HAPI FHIR 3.6.0, you should override handleDeny(RequestDetails, Verdict) instead. This method will be removed in the future.

incomingRequestPreHandled

public void incomingRequestPreHandled(RequestDetails theRequest,
                                      ca.uhn.fhir.interceptor.api.Pointcut thePointcut)

hookPreShow

public void hookPreShow(RequestDetails theRequestDetails,
                        IPreResourceShowDetails theDetails,
                        ca.uhn.fhir.interceptor.api.Pointcut thePointcut)

hookOutgoingResponse

public void hookOutgoingResponse(RequestDetails theRequestDetails,
                                 org.hl7.fhir.instance.model.api.IBaseResource theResponseObject,
                                 ca.uhn.fhir.interceptor.api.Pointcut thePointcut)

hookCascadeDeleteForConflict

public void hookCascadeDeleteForConflict(RequestDetails theRequestDetails,
                                         ca.uhn.fhir.interceptor.api.Pointcut thePointcut,
                                         org.hl7.fhir.instance.model.api.IBaseResource theResourceToDelete)

hookResourcePreCreate

public void hookResourcePreCreate(RequestDetails theRequest,
                                  org.hl7.fhir.instance.model.api.IBaseResource theResource,
                                  ca.uhn.fhir.interceptor.api.Pointcut thePointcut)

hookResourcePreDelete

public void hookResourcePreDelete(RequestDetails theRequest,
                                  org.hl7.fhir.instance.model.api.IBaseResource theResource,
                                  ca.uhn.fhir.interceptor.api.Pointcut thePointcut)

hookResourcePreUpdate

public void hookResourcePreUpdate(RequestDetails theRequest,
                                  org.hl7.fhir.instance.model.api.IBaseResource theOldResource,
                                  org.hl7.fhir.instance.model.api.IBaseResource theNewResource,
                                  ca.uhn.fhir.interceptor.api.Pointcut thePointcut)