001/* 002 * (C) Copyright 2016 Nuxeo (http://nuxeo.com/) and others. 003 * 004 * Licensed under the Apache License, Version 2.0 (the "License"); 005 * you may not use this file except in compliance with the License. 006 * You may obtain a copy of the License at 007 * 008 * http://www.apache.org/licenses/LICENSE-2.0 009 * 010 * Unless required by applicable law or agreed to in writing, software 011 * distributed under the License is distributed on an "AS IS" BASIS, 012 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 013 * See the License for the specific language governing permissions and 014 * limitations under the License. 015 * 016 * Contributors: 017 * Gabriel Barata <gbarata@nuxeo.com> 018 */ 019package org.nuxeo.ecm.restapi.server.jaxrs; 020 021import static org.nuxeo.ecm.platform.oauth2.Constants.TOKEN_SERVICE; 022import static org.nuxeo.ecm.platform.oauth2.tokens.NuxeoOAuth2Token.SCHEMA; 023 024import java.io.IOException; 025import java.io.Serializable; 026import java.util.HashMap; 027import java.util.List; 028import java.util.Map; 029import java.util.Objects; 030import java.util.stream.Collectors; 031 032import javax.servlet.http.HttpServletRequest; 033import javax.ws.rs.Consumes; 034import javax.ws.rs.DELETE; 035import javax.ws.rs.GET; 036import javax.ws.rs.POST; 037import javax.ws.rs.PUT; 038import javax.ws.rs.Path; 039import javax.ws.rs.PathParam; 040import javax.ws.rs.Produces; 041import javax.ws.rs.QueryParam; 042import javax.ws.rs.core.Context; 043import javax.ws.rs.core.MediaType; 044import javax.ws.rs.core.Response; 045import javax.ws.rs.core.Response.Status; 046import javax.ws.rs.core.Response.StatusType; 047 048import org.nuxeo.ecm.core.api.DocumentModel; 049import org.nuxeo.ecm.core.api.NuxeoException; 050import org.nuxeo.ecm.core.api.NuxeoPrincipal; 051import org.nuxeo.ecm.directory.Session; 052import org.nuxeo.ecm.directory.api.DirectoryService; 053import org.nuxeo.ecm.platform.oauth2.clients.OAuth2Client; 054import org.nuxeo.ecm.platform.oauth2.clients.OAuth2ClientService; 055import org.nuxeo.ecm.platform.oauth2.enums.NuxeoOAuth2TokenType; 056import org.nuxeo.ecm.platform.oauth2.providers.AbstractOAuth2UserEmailProvider; 057import org.nuxeo.ecm.platform.oauth2.providers.NuxeoOAuth2ServiceProvider; 058import org.nuxeo.ecm.platform.oauth2.providers.OAuth2ServiceProvider; 059import org.nuxeo.ecm.platform.oauth2.providers.OAuth2ServiceProviderRegistry; 060import org.nuxeo.ecm.platform.oauth2.tokens.NuxeoOAuth2Token; 061import org.nuxeo.ecm.platform.oauth2.tokens.OAuth2TokenService; 062import org.nuxeo.ecm.platform.oauth2.tokens.OAuth2TokenServiceImpl; 063import org.nuxeo.ecm.platform.oauth2.tokens.OAuth2TokenStore; 064import org.nuxeo.ecm.webengine.model.WebObject; 065import org.nuxeo.ecm.webengine.model.exceptions.WebResourceNotFoundException; 066import org.nuxeo.ecm.webengine.model.exceptions.WebSecurityException; 067import org.nuxeo.ecm.webengine.model.impl.AbstractResource; 068import org.nuxeo.ecm.webengine.model.impl.ResourceTypeImpl; 069import org.nuxeo.runtime.api.Framework; 070 071import com.fasterxml.jackson.databind.ObjectMapper; 072import com.google.api.client.auth.oauth2.Credential; 073 074/** 075 * Endpoint to retrieve OAuth2 authentication data 076 * 077 * @since 8.4 078 */ 079@WebObject(type = "oauth2") 080public class OAuth2Object extends AbstractResource<ResourceTypeImpl> { 081 082 protected static final String ACCESS_DENIED_MESSAGE = "You do not have permissions to perform this operation."; 083 084 /** 085 * @deprecated since 11.1. Use {@link OAuth2TokenServiceImpl#TOKEN_DIR} instead. 086 */ 087 @Deprecated(since = "11.1", forRemoval = true) 088 public static final String TOKEN_DIR = OAuth2TokenServiceImpl.TOKEN_DIR; 089 090 /** 091 * Lists all oauth2 service providers. 092 * 093 * @since 9.2 094 */ 095 @GET 096 @Path("provider") 097 public List<NuxeoOAuth2ServiceProvider> getProviders(@Context HttpServletRequest request) { 098 return getProviders(); 099 } 100 101 /** 102 * Retrieves oauth2 data for a given provider. 103 */ 104 @GET 105 @Path("provider/{providerId}") 106 public Response getProvider(@PathParam("providerId") String providerId, @Context HttpServletRequest request) { 107 return Response.ok(getProvider(providerId)).build(); 108 } 109 110 /** 111 * Creates a new OAuth2 service provider. 112 * 113 * @since 9.2 114 */ 115 @POST 116 @Path("provider") 117 @Consumes(MediaType.APPLICATION_JSON) 118 public Response addProvider(@Context HttpServletRequest request, NuxeoOAuth2ServiceProvider provider) { 119 checkPermission(); 120 Framework.doPrivileged(() -> { 121 OAuth2ServiceProviderRegistry registry = Framework.getService(OAuth2ServiceProviderRegistry.class); 122 registry.addProvider(provider.getServiceName(), provider.getDescription(), provider.getTokenServerURL(), 123 provider.getAuthorizationServerURL(), provider.getUserAuthorizationURL(), provider.getClientId(), 124 provider.getClientSecret(), provider.getScopes(), provider.isEnabled()); 125 }); 126 return Response.ok(getProvider(provider.getServiceName())).build(); 127 } 128 129 /** 130 * Updates an OAuth2 service provider. 131 * 132 * @since 9.2 133 */ 134 @PUT 135 @Path("provider/{providerId}") 136 @Consumes(MediaType.APPLICATION_JSON) 137 public Response updateProvider(@PathParam("providerId") String providerId, @Context HttpServletRequest request, 138 NuxeoOAuth2ServiceProvider provider) { 139 checkPermission(); 140 getProvider(providerId); 141 Framework.doPrivileged(() -> { 142 OAuth2ServiceProviderRegistry registry = Framework.getService(OAuth2ServiceProviderRegistry.class); 143 registry.updateProvider(providerId, provider); 144 }); 145 return Response.ok(getProvider(provider.getServiceName())).build(); 146 } 147 148 /** 149 * Deletes an OAuth2 service provider. 150 * 151 * @since 9.2 152 */ 153 @DELETE 154 @Path("provider/{providerId}") 155 public Response deleteProvider(@PathParam("providerId") String providerId, @Context HttpServletRequest request) { 156 checkPermission(); 157 getProvider(providerId); 158 Framework.doPrivileged(() -> { 159 OAuth2ServiceProviderRegistry registry = Framework.getService(OAuth2ServiceProviderRegistry.class); 160 registry.deleteProvider(providerId); 161 }); 162 return Response.noContent().build(); 163 } 164 165 /** 166 * Retrieves a valid access token for a given provider and the current user. If expired, the token will be 167 * refreshed. 168 */ 169 @GET 170 @Path("provider/{providerId}/token") 171 public Response getToken(@PathParam("providerId") String providerId, @Context HttpServletRequest request) 172 throws IOException { 173 174 NuxeoOAuth2ServiceProvider provider = getProvider(providerId); 175 176 String username = request.getUserPrincipal().getName(); 177 NuxeoOAuth2Token token = getToken(provider, username); 178 if (token == null) { 179 return Response.status(Status.NOT_FOUND).build(); 180 } 181 Credential credential = getCredential(provider, token); 182 183 if (credential == null) { 184 return Response.status(Status.NOT_FOUND).build(); 185 } 186 Long expiresInSeconds = credential.getExpiresInSeconds(); 187 if (expiresInSeconds != null && expiresInSeconds <= 0) { 188 credential.refreshToken(); 189 } 190 Map<String, Object> result = new HashMap<>(); 191 result.put("token", credential.getAccessToken()); 192 return buildResponse(Status.OK, result); 193 } 194 195 /** 196 * Retrieves all OAuth2 tokens. 197 * 198 * @since 9.2 199 */ 200 @GET 201 @Path("token") 202 public List<NuxeoOAuth2Token> getTokens(@Context HttpServletRequest request) { 203 return Framework.getService(OAuth2TokenService.class).getTokens(getPrincipal()); 204 } 205 206 /** 207 * Retrieves all oAuth2 tokens by {@link NuxeoOAuth2TokenType}. 208 * 209 * @param type, the value of {@code NuxeoOAuth2TokenType} 210 * @return if <code>type</code> is {@link NuxeoOAuth2TokenType#AS_PROVIDER}, then we retrieve tokens that are 211 * provided by Nuxeo, otherwise those used by Nuxeo to connect to others applications 212 * @since 11.1 213 */ 214 @GET 215 @Path("token/{type}") 216 public List<NuxeoOAuth2Token> getTokens(@PathParam("type") NuxeoOAuth2TokenType type) { 217 return Framework.getService(OAuth2TokenService.class).getTokens(type, getPrincipal()); 218 } 219 220 /** 221 * Search all oAuth2 tokens that match the query. 222 * 223 * @param query the query to match 224 * @since 11.1 225 */ 226 @GET 227 @Path("token/search") 228 public List<NuxeoOAuth2Token> searchTokens(@QueryParam("q") String query) { 229 return Framework.getService(OAuth2TokenService.class).search(query, getPrincipal()); 230 } 231 232 /** 233 * Retrieves an OAuth2 provider token. 234 * 235 * @since 10.2 236 */ 237 @GET 238 @Path("token/provider/{providerId}/user/{nxuser}") 239 public Response getProviderToken(@PathParam("providerId") String providerId, @PathParam("nxuser") String nxuser, 240 @Context HttpServletRequest request) { 241 checkPermission(nxuser); 242 NuxeoOAuth2ServiceProvider provider = getProvider(providerId); 243 return Response.ok(getToken(provider, nxuser)).build(); 244 } 245 246 /** 247 * Retrieves an OAuth2 Token. 248 * 249 * @since 9.2 250 * @deprecated since 10.2 Use {@link #getProviderToken(String, String, HttpServletRequest)} instead. 251 */ 252 @Deprecated 253 @GET 254 @Path("token/{providerId}/{nxuser}") 255 public Response getToken(@PathParam("providerId") String providerId, @PathParam("nxuser") String nxuser, 256 @Context HttpServletRequest request) { 257 return getProviderToken(providerId, nxuser, request); 258 } 259 260 /** 261 * Updates an OAuth2 provider token. 262 * 263 * @since 10.2 264 */ 265 @PUT 266 @Path("token/provider/{providerId}/user/{nxuser}") 267 @Consumes(MediaType.APPLICATION_JSON) 268 public Response updateProviderToken(@PathParam("providerId") String providerId, @PathParam("nxuser") String nxuser, 269 @Context HttpServletRequest request, NuxeoOAuth2Token token) { 270 checkPermission(nxuser); 271 NuxeoOAuth2ServiceProvider provider = getProvider(providerId); 272 return Response.ok(updateToken(provider, nxuser, token)).build(); 273 } 274 275 /** 276 * Updates an OAuth2 Token. 277 * 278 * @since 9.2 279 * @deprecated since 10.2 Use {@link #updateProviderToken(String, String, HttpServletRequest, NuxeoOAuth2Token)} 280 * instead. 281 */ 282 @Deprecated 283 @PUT 284 @Path("token/{providerId}/{nxuser}") 285 @Consumes(MediaType.APPLICATION_JSON) 286 public Response updateToken(@PathParam("providerId") String providerId, @PathParam("nxuser") String nxuser, 287 @Context HttpServletRequest request, NuxeoOAuth2Token token) { 288 return updateProviderToken(providerId, nxuser, request, token); 289 } 290 291 /** 292 * Deletes an OAuth2 provider token. 293 * 294 * @since 10.2 295 */ 296 @DELETE 297 @Path("token/provider/{providerId}/user/{nxuser}") 298 public Response deleteProviderToken(@PathParam("providerId") String providerId, @PathParam("nxuser") String nxuser, 299 @Context HttpServletRequest request) { 300 checkPermission(nxuser); 301 NuxeoOAuth2ServiceProvider provider = getProvider(providerId); 302 deleteToken(getTokenDoc(provider, nxuser)); 303 return Response.noContent().build(); 304 } 305 306 /** 307 * Deletes an OAuth2 Token. 308 * 309 * @since 9.2 310 * @deprecated since 10.2 Use {@link #deleteProviderToken(String, String, HttpServletRequest)} instead. 311 */ 312 @Deprecated 313 @DELETE 314 @Path("token/{providerId}/{nxuser}") 315 public Response deleteToken(@PathParam("providerId") String providerId, @PathParam("nxuser") String nxuser, 316 @Context HttpServletRequest request) { 317 return deleteProviderToken(providerId, nxuser, request); 318 } 319 320 /** 321 * Retrieves all oauth2 provider tokens for the current user. 322 * 323 * @since 10.2 324 */ 325 @GET 326 @Path("token/provider") 327 public List<NuxeoOAuth2Token> getProviderUserTokens(@Context HttpServletRequest request) { 328 checkNotAnonymousUser(); 329 return Framework.getService(OAuth2TokenService.class) 330 .getTokens(request.getUserPrincipal().getName(), NuxeoOAuth2TokenType.AS_CLIENT); 331 } 332 333 /** 334 * Retrieves all oauth2 client tokens for the current user. 335 * 336 * @since 10.2 337 */ 338 @GET 339 @Path("token/client") 340 public List<NuxeoOAuth2Token> getClientUserTokens(@Context HttpServletRequest request) { 341 checkNotAnonymousUser(); 342 return Framework.getService(OAuth2TokenService.class) 343 .getTokens(request.getUserPrincipal().getName(), NuxeoOAuth2TokenType.AS_PROVIDER); 344 } 345 346 /** 347 * Retrieves a oauth2 client token. 348 * 349 * @since 10.2 350 */ 351 @GET 352 @Path("token/client/{clientId}/user/{nxuser}") 353 public Response getClientToken(@PathParam("clientId") String clientId, @PathParam("nxuser") String nxuser, 354 @Context HttpServletRequest request) { 355 checkPermission(nxuser); 356 OAuth2Client client = getClient(clientId); 357 return Response.ok(getToken(client, nxuser)).build(); 358 } 359 360 /** 361 * Updates an OAuth2 client token. 362 * 363 * @since 10.2 364 */ 365 @PUT 366 @Path("token/client/{clientId}/user/{nxuser}") 367 @Consumes(MediaType.APPLICATION_JSON) 368 public Response updateClientToken(@PathParam("clientId") String clientId, @PathParam("nxuser") String nxuser, 369 @Context HttpServletRequest request, NuxeoOAuth2Token token) { 370 checkPermission(nxuser); 371 OAuth2Client client = getClient(clientId); 372 return Response.ok(updateToken(client, nxuser, token)).build(); 373 } 374 375 /** 376 * Deletes a oauth2 client token. 377 * 378 * @since 10.2 379 */ 380 @DELETE 381 @Path("token/client/{clientId}/user/{nxuser}") 382 public Response deleteClientToken(@PathParam("clientId") String clientId, @PathParam("nxuser") String nxuser, 383 @Context HttpServletRequest request) { 384 checkPermission(nxuser); 385 OAuth2Client client = getClient(clientId); 386 deleteToken(getTokenDoc(client, nxuser)); 387 return Response.noContent().build(); 388 } 389 390 /** 391 * Retrieves oauth2 clients. 392 * 393 * @since 10.2 394 */ 395 @GET 396 @Path("client") 397 public List<OAuth2Client> getClients(@Context HttpServletRequest request) { 398 return Framework.getService(OAuth2ClientService.class).getClients(); 399 } 400 401 /** 402 * Retrieves a oauth2 client. 403 * 404 * @since 10.2 405 */ 406 @GET 407 @Path("client/{clientId}") 408 public Response getClient(@PathParam("clientId") String clientId, @Context HttpServletRequest request) { 409 OAuth2Client client = getClient(clientId); 410 return Response.ok(client).build(); 411 } 412 413 /** 414 * Creates a new oauth2 client. 415 * 416 * @param client the oAuth2Client to create 417 * @return the {@link Response} 418 * @since 11.1 419 */ 420 @POST 421 @Path("client") 422 @Consumes(MediaType.APPLICATION_JSON) 423 @Produces(MediaType.APPLICATION_JSON) 424 public Response createClient(OAuth2Client client) { 425 OAuth2Client oAuth2Client = Framework.getService(OAuth2ClientService.class).create(client, getPrincipal()); 426 return Response.status(Status.CREATED).entity(oAuth2Client).build(); 427 } 428 429 /** 430 * Updates the oauth2 client. 431 * 432 * @param clientId the oAuth2 client id to update 433 * @param client the oAuth2Client to update 434 * @return the {@link Response} 435 * @since 11.1 436 */ 437 @PUT 438 @Path("client/{clientId}") 439 @Consumes(MediaType.APPLICATION_JSON) 440 @Produces(MediaType.APPLICATION_JSON) 441 public Response updateClient(@PathParam("clientId") String clientId, OAuth2Client client) { 442 OAuth2Client oAuth2Client = Framework.getService(OAuth2ClientService.class) 443 .update(clientId, client, getPrincipal()); 444 return Response.ok(oAuth2Client).build(); 445 } 446 447 /** 448 * Deletes the oauth2 client. 449 * 450 * @param clientId the oAuth2 client id to delete 451 * @return the {@link Response} 452 * @since 11.1 453 */ 454 @DELETE 455 @Path("client/{clientId}") 456 public Response deleteClient(@PathParam("clientId") String clientId) { 457 Framework.getService(OAuth2ClientService.class).delete(clientId, getPrincipal()); 458 return Response.noContent().build(); 459 } 460 461 protected List<NuxeoOAuth2ServiceProvider> getProviders() { 462 OAuth2ServiceProviderRegistry registry = Framework.getService(OAuth2ServiceProviderRegistry.class); 463 return registry.getProviders() 464 .stream() 465 .filter(NuxeoOAuth2ServiceProvider.class::isInstance) 466 .map(provider -> (NuxeoOAuth2ServiceProvider) provider) 467 .collect(Collectors.toList()); 468 } 469 470 protected NuxeoOAuth2ServiceProvider getProvider(String providerId) { 471 OAuth2ServiceProvider provider = Framework.getService(OAuth2ServiceProviderRegistry.class) 472 .getProvider(providerId); 473 if (provider == null || !(provider instanceof NuxeoOAuth2ServiceProvider)) { 474 throw new WebResourceNotFoundException("Invalid provider: " + providerId); 475 } 476 return (NuxeoOAuth2ServiceProvider) provider; 477 } 478 479 /** 480 * @deprecated since 11.1. Use {@link OAuth2TokenService#getTokens(NuxeoPrincipal)} instead. 481 */ 482 @Deprecated(since = "11.1", forRemoval = true) 483 protected List<NuxeoOAuth2Token> getTokens() { 484 return Framework.getService(OAuth2TokenService.class).getTokens(getPrincipal()); 485 } 486 487 /** 488 * @deprecated since 11.1. Use {@link OAuth2TokenService#getTokens(String)} instead. 489 */ 490 @Deprecated(since = "11.1", forRemoval = true) 491 protected List<NuxeoOAuth2Token> getTokens(String nxuser) { 492 return Framework.getService(OAuth2TokenService.class).getTokens(nxuser); 493 } 494 495 protected OAuth2Client getClient(String clientId) { 496 OAuth2Client client = Framework.getService(OAuth2ClientService.class).getClient(clientId); 497 if (client == null) { 498 throw new WebResourceNotFoundException("Invalid client: " + clientId); 499 } 500 return client; 501 } 502 503 protected DocumentModel getTokenDoc(NuxeoOAuth2ServiceProvider provider, String nxuser) { 504 Map<String, Serializable> filter = new HashMap<>(); 505 filter.put("serviceName", provider.getServiceName()); 506 filter.put(NuxeoOAuth2Token.KEY_NUXEO_LOGIN, nxuser); 507 List<DocumentModel> tokens = Framework.doPrivileged(() -> { 508 List<DocumentModel> entries = provider.getCredentialDataStore().query(filter); 509 return entries.stream().filter(Objects::nonNull).collect(Collectors.toList()); 510 }); 511 if (tokens.size() > 1) { 512 throw new NuxeoException("Found multiple " + provider.getId() + " accounts for " + nxuser); 513 } else if (tokens.isEmpty()) { 514 throw new WebResourceNotFoundException("No token found for provider: " + provider.getServiceName()); 515 } else { 516 return tokens.get(0); 517 } 518 } 519 520 protected DocumentModel getTokenDoc(OAuth2Client client, String nxuser) { 521 Map<String, Serializable> filter = new HashMap<>(); 522 filter.put("clientId", client.getId()); 523 filter.put(NuxeoOAuth2Token.KEY_NUXEO_LOGIN, nxuser); 524 OAuth2TokenStore tokenStore = new OAuth2TokenStore(TOKEN_SERVICE); 525 List<DocumentModel> tokens = tokenStore.query(filter) 526 .stream() 527 .filter(Objects::nonNull) 528 .collect(Collectors.toList()); 529 if (tokens.size() > 1) { 530 throw new NuxeoException("Found multiple " + client.getId() + " accounts for " + nxuser); 531 } else if (tokens.size() == 0) { 532 throw new WebResourceNotFoundException("No token found for client: " + client.getId()); 533 } else { 534 return tokens.get(0); 535 } 536 } 537 538 protected NuxeoOAuth2Token getToken(NuxeoOAuth2ServiceProvider provider, String nxuser) { 539 return new NuxeoOAuth2Token(getTokenDoc(provider, nxuser)); 540 } 541 542 protected NuxeoOAuth2Token getToken(OAuth2Client client, String nxuser) { 543 return new NuxeoOAuth2Token(getTokenDoc(client, nxuser)); 544 } 545 546 protected NuxeoOAuth2Token updateToken(NuxeoOAuth2ServiceProvider provider, String nxuser, NuxeoOAuth2Token token) { 547 updateTokenDoc(token, getTokenDoc(provider, nxuser)); 548 return getToken(provider, nxuser); 549 } 550 551 protected NuxeoOAuth2Token updateToken(OAuth2Client client, String nxuser, NuxeoOAuth2Token token) { 552 updateTokenDoc(token, getTokenDoc(client, nxuser)); 553 return getToken(client, nxuser); 554 } 555 556 protected void updateTokenDoc(NuxeoOAuth2Token token, DocumentModel entry) { 557 entry.setProperty(SCHEMA, "serviceName", token.getServiceName()); 558 entry.setProperty(SCHEMA, "nuxeoLogin", token.getNuxeoLogin()); 559 entry.setProperty(SCHEMA, "clientId", token.getClientId()); 560 entry.setProperty(SCHEMA, "isShared", token.isShared()); 561 entry.setProperty(SCHEMA, "sharedWith", token.getSharedWith()); 562 entry.setProperty(SCHEMA, "serviceLogin", token.getServiceLogin()); 563 entry.setProperty(SCHEMA, "creationDate", token.getCreationDate()); 564 Framework.doPrivileged(() -> { 565 DirectoryService ds = Framework.getService(DirectoryService.class); 566 try (Session session = ds.open(OAuth2TokenServiceImpl.TOKEN_DIR)) { 567 session.updateEntry(entry); 568 } 569 }); 570 } 571 572 protected void deleteToken(DocumentModel token) { 573 Framework.doPrivileged(() -> { 574 DirectoryService ds = Framework.getService(DirectoryService.class); 575 try (Session session = ds.open(OAuth2TokenServiceImpl.TOKEN_DIR)) { 576 session.deleteEntry(token); 577 } 578 }); 579 } 580 581 protected Credential getCredential(NuxeoOAuth2ServiceProvider provider, NuxeoOAuth2Token token) { 582 return provider.loadCredential((provider instanceof AbstractOAuth2UserEmailProvider) ? token.getServiceLogin() 583 : token.getNuxeoLogin()); 584 } 585 586 protected Response buildResponse(StatusType status, Object obj) throws IOException { 587 ObjectMapper mapper = new ObjectMapper(); 588 String message = mapper.writeValueAsString(obj); 589 590 return Response.status(status) 591 .header("Content-Length", message.getBytes("UTF-8").length) 592 .type(MediaType.APPLICATION_JSON + "; charset=UTF-8") 593 .entity(message) 594 .build(); 595 } 596 597 protected void checkPermission() { 598 if (!getPrincipal().isAdministrator()) { 599 throw new WebSecurityException(ACCESS_DENIED_MESSAGE); 600 } 601 } 602 603 protected void checkPermission(String nxuser) { 604 NuxeoPrincipal principal = getPrincipal(); 605 if (principal.isAdministrator()) { 606 return; 607 } 608 if (!nxuser.equals(principal.getName())) { 609 throw new WebSecurityException(ACCESS_DENIED_MESSAGE); 610 } 611 } 612 613 protected void checkNotAnonymousUser() { 614 if (getPrincipal().isAnonymous()) { 615 throw new WebSecurityException(ACCESS_DENIED_MESSAGE); 616 } 617 } 618 619 protected NuxeoPrincipal getPrincipal() { 620 return getContext().getCoreSession().getPrincipal(); 621 } 622 623}