001/*
002 * (C) Copyright 2016 Nuxeo (http://nuxeo.com/) and others.
003 *
004 * Licensed under the Apache License, Version 2.0 (the "License");
005 * you may not use this file except in compliance with the License.
006 * You may obtain a copy of the License at
007 *
008 *     http://www.apache.org/licenses/LICENSE-2.0
009 *
010 * Unless required by applicable law or agreed to in writing, software
011 * distributed under the License is distributed on an "AS IS" BASIS,
012 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
013 * See the License for the specific language governing permissions and
014 * limitations under the License.
015 *
016 * Contributors:
017 *     Gabriel Barata <gbarata@nuxeo.com>
018 */
019package org.nuxeo.ecm.restapi.server.jaxrs;
020
021import static org.nuxeo.ecm.platform.oauth2.Constants.TOKEN_SERVICE;
022import static org.nuxeo.ecm.platform.oauth2.tokens.NuxeoOAuth2Token.SCHEMA;
023
024import java.io.IOException;
025import java.io.Serializable;
026import java.util.HashMap;
027import java.util.List;
028import java.util.Map;
029import java.util.Objects;
030import java.util.stream.Collectors;
031
032import javax.servlet.http.HttpServletRequest;
033import javax.ws.rs.Consumes;
034import javax.ws.rs.DELETE;
035import javax.ws.rs.GET;
036import javax.ws.rs.POST;
037import javax.ws.rs.PUT;
038import javax.ws.rs.Path;
039import javax.ws.rs.PathParam;
040import javax.ws.rs.Produces;
041import javax.ws.rs.QueryParam;
042import javax.ws.rs.core.Context;
043import javax.ws.rs.core.MediaType;
044import javax.ws.rs.core.Response;
045import javax.ws.rs.core.Response.Status;
046import javax.ws.rs.core.Response.StatusType;
047
048import org.nuxeo.ecm.core.api.DocumentModel;
049import org.nuxeo.ecm.core.api.NuxeoException;
050import org.nuxeo.ecm.core.api.NuxeoPrincipal;
051import org.nuxeo.ecm.directory.Session;
052import org.nuxeo.ecm.directory.api.DirectoryService;
053import org.nuxeo.ecm.platform.oauth2.clients.OAuth2Client;
054import org.nuxeo.ecm.platform.oauth2.clients.OAuth2ClientService;
055import org.nuxeo.ecm.platform.oauth2.enums.NuxeoOAuth2TokenType;
056import org.nuxeo.ecm.platform.oauth2.providers.AbstractOAuth2UserEmailProvider;
057import org.nuxeo.ecm.platform.oauth2.providers.NuxeoOAuth2ServiceProvider;
058import org.nuxeo.ecm.platform.oauth2.providers.OAuth2ServiceProvider;
059import org.nuxeo.ecm.platform.oauth2.providers.OAuth2ServiceProviderRegistry;
060import org.nuxeo.ecm.platform.oauth2.tokens.NuxeoOAuth2Token;
061import org.nuxeo.ecm.platform.oauth2.tokens.OAuth2TokenService;
062import org.nuxeo.ecm.platform.oauth2.tokens.OAuth2TokenServiceImpl;
063import org.nuxeo.ecm.platform.oauth2.tokens.OAuth2TokenStore;
064import org.nuxeo.ecm.webengine.model.WebObject;
065import org.nuxeo.ecm.webengine.model.exceptions.WebResourceNotFoundException;
066import org.nuxeo.ecm.webengine.model.exceptions.WebSecurityException;
067import org.nuxeo.ecm.webengine.model.impl.AbstractResource;
068import org.nuxeo.ecm.webengine.model.impl.ResourceTypeImpl;
069import org.nuxeo.runtime.api.Framework;
070
071import com.fasterxml.jackson.databind.ObjectMapper;
072import com.google.api.client.auth.oauth2.Credential;
073
074/**
075 * Endpoint to retrieve OAuth2 authentication data
076 *
077 * @since 8.4
078 */
079@WebObject(type = "oauth2")
080public class OAuth2Object extends AbstractResource<ResourceTypeImpl> {
081
082    protected static final String ACCESS_DENIED_MESSAGE = "You do not have permissions to perform this operation.";
083
084    /**
085     * @deprecated since 11.1. Use {@link OAuth2TokenServiceImpl#TOKEN_DIR} instead.
086     */
087    @Deprecated(since = "11.1", forRemoval = true)
088    public static final String TOKEN_DIR = OAuth2TokenServiceImpl.TOKEN_DIR;
089
090    /**
091     * Lists all oauth2 service providers.
092     *
093     * @since 9.2
094     */
095    @GET
096    @Path("provider")
097    public List<NuxeoOAuth2ServiceProvider> getProviders(@Context HttpServletRequest request) {
098        return getProviders();
099    }
100
101    /**
102     * Retrieves oauth2 data for a given provider.
103     */
104    @GET
105    @Path("provider/{providerId}")
106    public Response getProvider(@PathParam("providerId") String providerId, @Context HttpServletRequest request) {
107        return Response.ok(getProvider(providerId)).build();
108    }
109
110    /**
111     * Creates a new OAuth2 service provider.
112     *
113     * @since 9.2
114     */
115    @POST
116    @Path("provider")
117    @Consumes(MediaType.APPLICATION_JSON)
118    public Response addProvider(@Context HttpServletRequest request, NuxeoOAuth2ServiceProvider provider) {
119        checkPermission();
120        Framework.doPrivileged(() -> {
121            OAuth2ServiceProviderRegistry registry = Framework.getService(OAuth2ServiceProviderRegistry.class);
122            registry.addProvider(provider.getServiceName(), provider.getDescription(), provider.getTokenServerURL(),
123                    provider.getAuthorizationServerURL(), provider.getUserAuthorizationURL(), provider.getClientId(),
124                    provider.getClientSecret(), provider.getScopes(), provider.isEnabled());
125        });
126        return Response.ok(getProvider(provider.getServiceName())).build();
127    }
128
129    /**
130     * Updates an OAuth2 service provider.
131     *
132     * @since 9.2
133     */
134    @PUT
135    @Path("provider/{providerId}")
136    @Consumes(MediaType.APPLICATION_JSON)
137    public Response updateProvider(@PathParam("providerId") String providerId, @Context HttpServletRequest request,
138            NuxeoOAuth2ServiceProvider provider) {
139        checkPermission();
140        getProvider(providerId);
141        Framework.doPrivileged(() -> {
142            OAuth2ServiceProviderRegistry registry = Framework.getService(OAuth2ServiceProviderRegistry.class);
143            registry.updateProvider(providerId, provider);
144        });
145        return Response.ok(getProvider(provider.getServiceName())).build();
146    }
147
148    /**
149     * Deletes an OAuth2 service provider.
150     *
151     * @since 9.2
152     */
153    @DELETE
154    @Path("provider/{providerId}")
155    public Response deleteProvider(@PathParam("providerId") String providerId, @Context HttpServletRequest request) {
156        checkPermission();
157        getProvider(providerId);
158        Framework.doPrivileged(() -> {
159            OAuth2ServiceProviderRegistry registry = Framework.getService(OAuth2ServiceProviderRegistry.class);
160            registry.deleteProvider(providerId);
161        });
162        return Response.noContent().build();
163    }
164
165    /**
166     * Retrieves a valid access token for a given provider and the current user. If expired, the token will be
167     * refreshed.
168     */
169    @GET
170    @Path("provider/{providerId}/token")
171    public Response getToken(@PathParam("providerId") String providerId, @Context HttpServletRequest request)
172            throws IOException {
173
174        NuxeoOAuth2ServiceProvider provider = getProvider(providerId);
175
176        String username = request.getUserPrincipal().getName();
177        NuxeoOAuth2Token token = getToken(provider, username);
178        if (token == null) {
179            return Response.status(Status.NOT_FOUND).build();
180        }
181        Credential credential = getCredential(provider, token);
182
183        if (credential == null) {
184            return Response.status(Status.NOT_FOUND).build();
185        }
186        Long expiresInSeconds = credential.getExpiresInSeconds();
187        if (expiresInSeconds != null && expiresInSeconds <= 0) {
188            credential.refreshToken();
189        }
190        Map<String, Object> result = new HashMap<>();
191        result.put("token", credential.getAccessToken());
192        return buildResponse(Status.OK, result);
193    }
194
195    /**
196     * Retrieves all OAuth2 tokens.
197     *
198     * @since 9.2
199     */
200    @GET
201    @Path("token")
202    public List<NuxeoOAuth2Token> getTokens(@Context HttpServletRequest request) {
203        return Framework.getService(OAuth2TokenService.class).getTokens(getPrincipal());
204    }
205
206    /**
207     * Retrieves all oAuth2 tokens by {@link NuxeoOAuth2TokenType}.
208     *
209     * @param type, the value of {@code NuxeoOAuth2TokenType}
210     * @return if <code>type</code> is {@link NuxeoOAuth2TokenType#AS_PROVIDER}, then we retrieve tokens that are
211     *         provided by Nuxeo, otherwise those used by Nuxeo to connect to others applications
212     * @since 11.1
213     */
214    @GET
215    @Path("token/{type}")
216    public List<NuxeoOAuth2Token> getTokens(@PathParam("type") NuxeoOAuth2TokenType type) {
217        return Framework.getService(OAuth2TokenService.class).getTokens(type, getPrincipal());
218    }
219
220    /**
221     * Search all oAuth2 tokens that match the query.
222     *
223     * @param query the query to match
224     * @since 11.1
225     */
226    @GET
227    @Path("token/search")
228    public List<NuxeoOAuth2Token> searchTokens(@QueryParam("q") String query) {
229        return Framework.getService(OAuth2TokenService.class).search(query, getPrincipal());
230    }
231
232    /**
233     * Retrieves an OAuth2 provider token.
234     *
235     * @since 10.2
236     */
237    @GET
238    @Path("token/provider/{providerId}/user/{nxuser}")
239    public Response getProviderToken(@PathParam("providerId") String providerId, @PathParam("nxuser") String nxuser,
240            @Context HttpServletRequest request) {
241        checkPermission(nxuser);
242        NuxeoOAuth2ServiceProvider provider = getProvider(providerId);
243        return Response.ok(getToken(provider, nxuser)).build();
244    }
245
246    /**
247     * Retrieves an OAuth2 Token.
248     *
249     * @since 9.2
250     * @deprecated since 10.2 Use {@link #getProviderToken(String, String, HttpServletRequest)} instead.
251     */
252    @Deprecated
253    @GET
254    @Path("token/{providerId}/{nxuser}")
255    public Response getToken(@PathParam("providerId") String providerId, @PathParam("nxuser") String nxuser,
256            @Context HttpServletRequest request) {
257        return getProviderToken(providerId, nxuser, request);
258    }
259
260    /**
261     * Updates an OAuth2 provider token.
262     *
263     * @since 10.2
264     */
265    @PUT
266    @Path("token/provider/{providerId}/user/{nxuser}")
267    @Consumes(MediaType.APPLICATION_JSON)
268    public Response updateProviderToken(@PathParam("providerId") String providerId, @PathParam("nxuser") String nxuser,
269            @Context HttpServletRequest request, NuxeoOAuth2Token token) {
270        checkPermission(nxuser);
271        NuxeoOAuth2ServiceProvider provider = getProvider(providerId);
272        return Response.ok(updateToken(provider, nxuser, token)).build();
273    }
274
275    /**
276     * Updates an OAuth2 Token.
277     *
278     * @since 9.2
279     * @deprecated since 10.2 Use {@link #updateProviderToken(String, String, HttpServletRequest, NuxeoOAuth2Token)}
280     *             instead.
281     */
282    @Deprecated
283    @PUT
284    @Path("token/{providerId}/{nxuser}")
285    @Consumes(MediaType.APPLICATION_JSON)
286    public Response updateToken(@PathParam("providerId") String providerId, @PathParam("nxuser") String nxuser,
287            @Context HttpServletRequest request, NuxeoOAuth2Token token) {
288        return updateProviderToken(providerId, nxuser, request, token);
289    }
290
291    /**
292     * Deletes an OAuth2 provider token.
293     *
294     * @since 10.2
295     */
296    @DELETE
297    @Path("token/provider/{providerId}/user/{nxuser}")
298    public Response deleteProviderToken(@PathParam("providerId") String providerId, @PathParam("nxuser") String nxuser,
299            @Context HttpServletRequest request) {
300        checkPermission(nxuser);
301        NuxeoOAuth2ServiceProvider provider = getProvider(providerId);
302        deleteToken(getTokenDoc(provider, nxuser));
303        return Response.noContent().build();
304    }
305
306    /**
307     * Deletes an OAuth2 Token.
308     *
309     * @since 9.2
310     * @deprecated since 10.2 Use {@link #deleteProviderToken(String, String, HttpServletRequest)} instead.
311     */
312    @Deprecated
313    @DELETE
314    @Path("token/{providerId}/{nxuser}")
315    public Response deleteToken(@PathParam("providerId") String providerId, @PathParam("nxuser") String nxuser,
316            @Context HttpServletRequest request) {
317        return deleteProviderToken(providerId, nxuser, request);
318    }
319
320    /**
321     * Retrieves all oauth2 provider tokens for the current user.
322     *
323     * @since 10.2
324     */
325    @GET
326    @Path("token/provider")
327    public List<NuxeoOAuth2Token> getProviderUserTokens(@Context HttpServletRequest request) {
328        checkNotAnonymousUser();
329        return Framework.getService(OAuth2TokenService.class)
330                        .getTokens(request.getUserPrincipal().getName(), NuxeoOAuth2TokenType.AS_CLIENT);
331    }
332
333    /**
334     * Retrieves all oauth2 client tokens for the current user.
335     *
336     * @since 10.2
337     */
338    @GET
339    @Path("token/client")
340    public List<NuxeoOAuth2Token> getClientUserTokens(@Context HttpServletRequest request) {
341        checkNotAnonymousUser();
342        return Framework.getService(OAuth2TokenService.class)
343                        .getTokens(request.getUserPrincipal().getName(), NuxeoOAuth2TokenType.AS_PROVIDER);
344    }
345
346    /**
347     * Retrieves a oauth2 client token.
348     *
349     * @since 10.2
350     */
351    @GET
352    @Path("token/client/{clientId}/user/{nxuser}")
353    public Response getClientToken(@PathParam("clientId") String clientId, @PathParam("nxuser") String nxuser,
354            @Context HttpServletRequest request) {
355        checkPermission(nxuser);
356        OAuth2Client client = getClient(clientId);
357        return Response.ok(getToken(client, nxuser)).build();
358    }
359
360    /**
361     * Updates an OAuth2 client token.
362     *
363     * @since 10.2
364     */
365    @PUT
366    @Path("token/client/{clientId}/user/{nxuser}")
367    @Consumes(MediaType.APPLICATION_JSON)
368    public Response updateClientToken(@PathParam("clientId") String clientId, @PathParam("nxuser") String nxuser,
369            @Context HttpServletRequest request, NuxeoOAuth2Token token) {
370        checkPermission(nxuser);
371        OAuth2Client client = getClient(clientId);
372        return Response.ok(updateToken(client, nxuser, token)).build();
373    }
374
375    /**
376     * Deletes a oauth2 client token.
377     *
378     * @since 10.2
379     */
380    @DELETE
381    @Path("token/client/{clientId}/user/{nxuser}")
382    public Response deleteClientToken(@PathParam("clientId") String clientId, @PathParam("nxuser") String nxuser,
383            @Context HttpServletRequest request) {
384        checkPermission(nxuser);
385        OAuth2Client client = getClient(clientId);
386        deleteToken(getTokenDoc(client, nxuser));
387        return Response.noContent().build();
388    }
389
390    /**
391     * Retrieves oauth2 clients.
392     *
393     * @since 10.2
394     */
395    @GET
396    @Path("client")
397    public List<OAuth2Client> getClients(@Context HttpServletRequest request) {
398        return Framework.getService(OAuth2ClientService.class).getClients();
399    }
400
401    /**
402     * Retrieves a oauth2 client.
403     *
404     * @since 10.2
405     */
406    @GET
407    @Path("client/{clientId}")
408    public Response getClient(@PathParam("clientId") String clientId, @Context HttpServletRequest request) {
409        OAuth2Client client = getClient(clientId);
410        return Response.ok(client).build();
411    }
412
413    /**
414     * Creates a new oauth2 client.
415     *
416     * @param client the oAuth2Client to create
417     * @return the {@link Response}
418     * @since 11.1
419     */
420    @POST
421    @Path("client")
422    @Consumes(MediaType.APPLICATION_JSON)
423    @Produces(MediaType.APPLICATION_JSON)
424    public Response createClient(OAuth2Client client) {
425        OAuth2Client oAuth2Client = Framework.getService(OAuth2ClientService.class).create(client, getPrincipal());
426        return Response.status(Status.CREATED).entity(oAuth2Client).build();
427    }
428
429    /**
430     * Updates the oauth2 client.
431     *
432     * @param clientId the oAuth2 client id to update
433     * @param client the oAuth2Client to update
434     * @return the {@link Response}
435     * @since 11.1
436     */
437    @PUT
438    @Path("client/{clientId}")
439    @Consumes(MediaType.APPLICATION_JSON)
440    @Produces(MediaType.APPLICATION_JSON)
441    public Response updateClient(@PathParam("clientId") String clientId, OAuth2Client client) {
442        OAuth2Client oAuth2Client = Framework.getService(OAuth2ClientService.class)
443                                             .update(clientId, client, getPrincipal());
444        return Response.ok(oAuth2Client).build();
445    }
446
447    /**
448     * Deletes the oauth2 client.
449     *
450     * @param clientId the oAuth2 client id to delete
451     * @return the {@link Response}
452     * @since 11.1
453     */
454    @DELETE
455    @Path("client/{clientId}")
456    public Response deleteClient(@PathParam("clientId") String clientId) {
457        Framework.getService(OAuth2ClientService.class).delete(clientId, getPrincipal());
458        return Response.noContent().build();
459    }
460
461    protected List<NuxeoOAuth2ServiceProvider> getProviders() {
462        OAuth2ServiceProviderRegistry registry = Framework.getService(OAuth2ServiceProviderRegistry.class);
463        return registry.getProviders()
464                       .stream()
465                       .filter(NuxeoOAuth2ServiceProvider.class::isInstance)
466                       .map(provider -> (NuxeoOAuth2ServiceProvider) provider)
467                       .collect(Collectors.toList());
468    }
469
470    protected NuxeoOAuth2ServiceProvider getProvider(String providerId) {
471        OAuth2ServiceProvider provider = Framework.getService(OAuth2ServiceProviderRegistry.class)
472                                                  .getProvider(providerId);
473        if (provider == null || !(provider instanceof NuxeoOAuth2ServiceProvider)) {
474            throw new WebResourceNotFoundException("Invalid provider: " + providerId);
475        }
476        return (NuxeoOAuth2ServiceProvider) provider;
477    }
478
479    /**
480     * @deprecated since 11.1. Use {@link OAuth2TokenService#getTokens(NuxeoPrincipal)} instead.
481     */
482    @Deprecated(since = "11.1", forRemoval = true)
483    protected List<NuxeoOAuth2Token> getTokens() {
484        return Framework.getService(OAuth2TokenService.class).getTokens(getPrincipal());
485    }
486
487    /**
488     * @deprecated since 11.1. Use {@link OAuth2TokenService#getTokens(String)} instead.
489     */
490    @Deprecated(since = "11.1", forRemoval = true)
491    protected List<NuxeoOAuth2Token> getTokens(String nxuser) {
492        return Framework.getService(OAuth2TokenService.class).getTokens(nxuser);
493    }
494
495    protected OAuth2Client getClient(String clientId) {
496        OAuth2Client client = Framework.getService(OAuth2ClientService.class).getClient(clientId);
497        if (client == null) {
498            throw new WebResourceNotFoundException("Invalid client: " + clientId);
499        }
500        return client;
501    }
502
503    protected DocumentModel getTokenDoc(NuxeoOAuth2ServiceProvider provider, String nxuser) {
504        Map<String, Serializable> filter = new HashMap<>();
505        filter.put("serviceName", provider.getServiceName());
506        filter.put(NuxeoOAuth2Token.KEY_NUXEO_LOGIN, nxuser);
507        List<DocumentModel> tokens = Framework.doPrivileged(() -> {
508            List<DocumentModel> entries = provider.getCredentialDataStore().query(filter);
509            return entries.stream().filter(Objects::nonNull).collect(Collectors.toList());
510        });
511        if (tokens.size() > 1) {
512            throw new NuxeoException("Found multiple " + provider.getId() + " accounts for " + nxuser);
513        } else if (tokens.isEmpty()) {
514            throw new WebResourceNotFoundException("No token found for provider: " + provider.getServiceName());
515        } else {
516            return tokens.get(0);
517        }
518    }
519
520    protected DocumentModel getTokenDoc(OAuth2Client client, String nxuser) {
521        Map<String, Serializable> filter = new HashMap<>();
522        filter.put("clientId", client.getId());
523        filter.put(NuxeoOAuth2Token.KEY_NUXEO_LOGIN, nxuser);
524        OAuth2TokenStore tokenStore = new OAuth2TokenStore(TOKEN_SERVICE);
525        List<DocumentModel> tokens = tokenStore.query(filter)
526                                               .stream()
527                                               .filter(Objects::nonNull)
528                                               .collect(Collectors.toList());
529        if (tokens.size() > 1) {
530            throw new NuxeoException("Found multiple " + client.getId() + " accounts for " + nxuser);
531        } else if (tokens.size() == 0) {
532            throw new WebResourceNotFoundException("No token found for client: " + client.getId());
533        } else {
534            return tokens.get(0);
535        }
536    }
537
538    protected NuxeoOAuth2Token getToken(NuxeoOAuth2ServiceProvider provider, String nxuser) {
539        return new NuxeoOAuth2Token(getTokenDoc(provider, nxuser));
540    }
541
542    protected NuxeoOAuth2Token getToken(OAuth2Client client, String nxuser) {
543        return new NuxeoOAuth2Token(getTokenDoc(client, nxuser));
544    }
545
546    protected NuxeoOAuth2Token updateToken(NuxeoOAuth2ServiceProvider provider, String nxuser, NuxeoOAuth2Token token) {
547        updateTokenDoc(token, getTokenDoc(provider, nxuser));
548        return getToken(provider, nxuser);
549    }
550
551    protected NuxeoOAuth2Token updateToken(OAuth2Client client, String nxuser, NuxeoOAuth2Token token) {
552        updateTokenDoc(token, getTokenDoc(client, nxuser));
553        return getToken(client, nxuser);
554    }
555
556    protected void updateTokenDoc(NuxeoOAuth2Token token, DocumentModel entry) {
557        entry.setProperty(SCHEMA, "serviceName", token.getServiceName());
558        entry.setProperty(SCHEMA, "nuxeoLogin", token.getNuxeoLogin());
559        entry.setProperty(SCHEMA, "clientId", token.getClientId());
560        entry.setProperty(SCHEMA, "isShared", token.isShared());
561        entry.setProperty(SCHEMA, "sharedWith", token.getSharedWith());
562        entry.setProperty(SCHEMA, "serviceLogin", token.getServiceLogin());
563        entry.setProperty(SCHEMA, "creationDate", token.getCreationDate());
564        Framework.doPrivileged(() -> {
565            DirectoryService ds = Framework.getService(DirectoryService.class);
566            try (Session session = ds.open(OAuth2TokenServiceImpl.TOKEN_DIR)) {
567                session.updateEntry(entry);
568            }
569        });
570    }
571
572    protected void deleteToken(DocumentModel token) {
573        Framework.doPrivileged(() -> {
574            DirectoryService ds = Framework.getService(DirectoryService.class);
575            try (Session session = ds.open(OAuth2TokenServiceImpl.TOKEN_DIR)) {
576                session.deleteEntry(token);
577            }
578        });
579    }
580
581    protected Credential getCredential(NuxeoOAuth2ServiceProvider provider, NuxeoOAuth2Token token) {
582        return provider.loadCredential((provider instanceof AbstractOAuth2UserEmailProvider) ? token.getServiceLogin()
583                : token.getNuxeoLogin());
584    }
585
586    protected Response buildResponse(StatusType status, Object obj) throws IOException {
587        ObjectMapper mapper = new ObjectMapper();
588        String message = mapper.writeValueAsString(obj);
589
590        return Response.status(status)
591                       .header("Content-Length", message.getBytes("UTF-8").length)
592                       .type(MediaType.APPLICATION_JSON + "; charset=UTF-8")
593                       .entity(message)
594                       .build();
595    }
596
597    protected void checkPermission() {
598        if (!getPrincipal().isAdministrator()) {
599            throw new WebSecurityException(ACCESS_DENIED_MESSAGE);
600        }
601    }
602
603    protected void checkPermission(String nxuser) {
604        NuxeoPrincipal principal = getPrincipal();
605        if (principal.isAdministrator()) {
606            return;
607        }
608        if (!nxuser.equals(principal.getName())) {
609            throw new WebSecurityException(ACCESS_DENIED_MESSAGE);
610        }
611    }
612
613    protected void checkNotAnonymousUser() {
614        if (getPrincipal().isAnonymous()) {
615            throw new WebSecurityException(ACCESS_DENIED_MESSAGE);
616        }
617    }
618
619    protected NuxeoPrincipal getPrincipal() {
620        return getContext().getCoreSession().getPrincipal();
621    }
622
623}