/**
 * Logs the denial and throws an {@link APIAuthenticationException} whose message names the
 * privileges the user was missing.
 *
 * @param user authenticated user
 * @param method acting method
 * @param attrs privilege names the user must have; joined with "," into the message argument
 */
private void throwUnauthorized(User user, Method method, Collection<String> attrs) {
    log.debug(USER_IS_NOT_AUTHORIZED_TO_ACCESS, user, method.getName());
    String required = StringUtils.join(attrs, ",");
    Object[] messageArgs = new Object[] { required };
    String message = Context.getMessageSourceService().getMessage("error.privilegesRequired", messageArgs, null);
    throw new APIAuthenticationException(message);
}
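/**
 * @see Daemon#runInNewDaemonThread(Runnable)
 */
@Test
public void runInNewDaemonThread_shouldThrowErrorIfCalledFromANonDaemonThread() {
    try {
        Daemon.runInNewDaemonThread(() -> {
            // do nothing
        });
        // Assert.fail is the idiom for "this line must not be reached"; the original spelled it
        // as assertTrue(message, false). Both raise AssertionError, which the catch below does not swallow.
        Assert.fail("Should not hit this line, since the previous needed to throw an exception");
    } catch (APIAuthenticationException ex) {
        Assert.assertEquals("Only daemon threads can spawn new daemon threads", ex.getMessage());
    }
}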
/**
 * Logs the denial and throws an {@link APIAuthenticationException} stating that authentication
 * is required.
 *
 * @param user authenticated user
 * @param method acting method
 */
private void throwUnauthorized(User user, Method method) {
    log.debug(USER_IS_NOT_AUTHORIZED_TO_ACCESS, user, method.getName());
    // The message key is reproduced exactly as spelled; it has to match the entry in the message bundle.
    String message = Context.getMessageSourceService().getMessage("error.aunthenticationRequired");
    throw new APIAuthenticationException(message);
}
} // closes the enclosing class, whose header lies outside this excerpt
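/**
 * Logs the denial and throws an {@link APIAuthenticationException} whose message names the
 * single privilege the user was missing.
 *
 * @param user authenticated user
 * @param method acting method
 * @param attr privilege name that the user must have (the Javadoc previously documented a
 *             non-existent {@code attrs} parameter)
 */
private void throwUnauthorized(User user, Method method, String attr) {
    log.debug(USER_IS_NOT_AUTHORIZED_TO_ACCESS, user, method.getName());
    throw new APIAuthenticationException(Context.getMessageSourceService().getMessage("error.privilegesRequired",
            new Object[] { attr }, null));
}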
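/**
 * Opens a connection to {@code url}, posts the encoded credentials and returns the response body.
 *
 * @param url remote resource to fetch
 * @param openmrsUsername username sent to the remote server
 * @param openmrsPassword password sent to the remote server
 * @return the response body stream; the caller is responsible for closing it
 * @throws MalformedURLException if the URL cannot be parsed (presumably raised by {@code createConnection})
 * @throws IOException on any transport failure, including non-2xx statuses not mapped below
 * @throws APIAuthenticationException if the remote server answers 401 Unauthorized
 * @throws APIException if the remote server answers 500 Internal Server Error
 */
protected static InputStream getResourceInputStream(String url, String openmrsUsername, String openmrsPassword)
        throws MalformedURLException, IOException, APIException {
    HttpURLConnection connection = createConnection(url);
    // try-with-resources closes the writer (and the request stream) even when write() or flush()
    // throws; the previous explicit close() was skipped on that path and leaked the stream.
    try (OutputStreamWriter out = new OutputStreamWriter(connection.getOutputStream(), StandardCharsets.UTF_8)) {
        out.write(encodeCredentials(openmrsUsername, openmrsPassword));
        out.flush();
    }
    // Read the status once; the value cannot change between the log line and the checks.
    int responseCode = connection.getResponseCode();
    // Only the status line is logged -- never the credentials that were just written.
    log.info("Http response message: {}, Code: {}", connection.getResponseMessage(), responseCode);
    if (responseCode == HttpURLConnection.HTTP_UNAUTHORIZED) {
        throw new APIAuthenticationException("Invalid username or password");
    }
    if (responseCode == HttpURLConnection.HTTP_INTERNAL_ERROR) {
        throw new APIException("error.occurred.on.remote.server", (Object[]) null);
    }
    // Other error statuses are not mapped here; HttpURLConnection#getInputStream typically raises
    // IOException for them.
    // NOTE(review): createConnection is not visible in this excerpt -- confirm it requires HTTPS,
    // since the credentials travel in the request body.
    return connection.getInputStream();
}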
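/**
 * Convenience check that the authenticated user holds every privilege being handed out through
 * the given role, so a user cannot grant privileges they do not have themselves.
 *
 * @param role role whose privileges are being handed out (the Javadoc previously documented a
 *             non-existent {@code new} parameter)
 * @throws APIAuthenticationException if the current user lacks any of the role's privileges
 */
private void checkPrivileges(Role role) {
    Collection<Privilege> privileges = role.getPrivileges();
    if (privileges == null) {
        // A role without a privilege collection has nothing to check.
        return;
    }
    for (Privilege p : privileges) {
        if (!Context.hasPrivilege(p.getPrivilege())) {
            throw new APIAuthenticationException("Privilege required: " + p);
        }
    }
}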
throw new APIAuthenticationException("Only daemon threads can spawn new daemon threads");
throw new APIAuthenticationException("You must be a superuser to assume another user's identity");
/**
 * Verifies that the current user is allowed to manage modules.
 *
 * @throws APIAuthenticationException if the user lacks {@code PrivilegeConstants.MANAGE_MODULES}
 */
public void checkPrivilege() throws APIAuthenticationException {
    boolean mayManageModules = Context.hasPrivilege(PrivilegeConstants.MANAGE_MODULES);
    if (mayManageModules) {
        return;
    }
    throw new APIAuthenticationException("Privilege required: " + PrivilegeConstants.MANAGE_MODULES);
}
} // closes the enclosing class, whose header lies outside this excerpt
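/**
 * Stores a piece of information for the currently authenticated user. The data is kept only in
 * memory: it disappears when a new module is loaded or the server is restarted.
 *
 * @param key identifying string for this information
 * @param value information to be stored
 * @throws APIAuthenticationException if no user is currently authenticated
 */
public static void setVolatileUserData(String key, Object value) {
    User u = Context.getAuthenticatedUser();
    if (u == null) {
        throw new APIAuthenticationException();
    }
    // computeIfAbsent replaces the get / null-check / put sequence; Map's default implementation
    // performs exactly those steps, so behaviour is unchanged whatever Map type volatileUserData is.
    Map<String, Object> myData = volatileUserData.computeIfAbsent(u, ignored -> new HashMap<>());
    myData.put(key, value);
}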
/**
 * Returns a piece of information previously stored for the currently authenticated user with
 * setVolatileUserData. The data is kept only in memory and disappears when a new module is
 * loaded or the server is restarted. TODO: This needs to be refactored/removed
 *
 * @param key identifying string for the information
 * @return the stored value, or {@code null} if nothing is stored under {@code key}
 * @throws APIAuthenticationException if no user is currently authenticated
 */
public static Object getVolatileUserData(String key) {
    User current = Context.getAuthenticatedUser();
    if (current == null) {
        throw new APIAuthenticationException();
    }
    Map<String, Object> data = volatileUserData.get(current);
    return data == null ? null : data.get(key);
}
/**
 * Changes the password of the currently authenticated user.
 *
 * @param body request object carrying {@code oldPassword} and {@code newPassword}
 * @throws APIAuthenticationException if no user is authenticated
 * @throws ValidationException if the user service rejects the change (e.g. wrong old password)
 */
@RequestMapping(method = RequestMethod.POST)
@ResponseStatus(HttpStatus.OK)
public void changeOwnPassword(@RequestBody Map<String, String> body) {
    String currentPassword = body.get("oldPassword");
    String replacementPassword = body.get("newPassword");
    boolean authenticated = Context.isAuthenticated();
    if (!authenticated) {
        throw new APIAuthenticationException("Must be authenticated to change your own password");
    }
    try {
        userService.changePassword(currentPassword, replacementPassword);
    } catch (APIException ex) {
        // The service raises APIException when the old password does not match; surface it as a
        // validation error. This method itself never logs either password.
        throw new ValidationException(ex.getMessage());
    }
}
/**
 * An authenticated caller that raises APIAuthenticationException is answered with 403 Forbidden.
 *
 * @verifies return forbidden if logged in
 * @see BaseRestController#apiAuthenticationExceptionHandler(Exception,
 *      javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
 */
@Test
public void apiAuthenticationExceptionHandler_shouldReturnForbiddenIfLoggedIn() throws Exception {
    APIAuthenticationException raised = new APIAuthenticationException();
    controller.apiAuthenticationExceptionHandler(raised, request, response);
    int status = response.getStatus();
    assertThat(status, is(HttpServletResponse.SC_FORBIDDEN));
}
/**
 * An unauthenticated caller that raises APIAuthenticationException is answered with
 * 401 Unauthorized.
 *
 * @verifies return unauthorized if not logged in
 * @see BaseRestController#apiAuthenticationExceptionHandler(Exception,
 *      javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
 */
@Test
public void apiAuthenticationExceptionHandler_shouldReturnUnauthorizedIfNotLoggedIn() throws Exception {
    // Drop the test fixture's session so the handler sees an anonymous caller.
    Context.logout();
    APIAuthenticationException raised = new APIAuthenticationException();
    controller.apiAuthenticationExceptionHandler(raised, request, response);
    int status = response.getStatus();
    assertThat(status, is(HttpServletResponse.SC_UNAUTHORIZED));
}