
package gov.va.oneconsult.seoc.api.filter;


import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Iterator;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import com.fasterxml.jackson.core.Version;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.module.SimpleModule;

import gov.va.oneconsult.seoc.api.exceptions.BusinessException;
import gov.va.oneconsult.seoc.api.serializer.StringSerializer;
import gov.va.oneconsult.seoc.api.util.Constants;


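/**
 * Servlet filter that gates non-public API requests on a shared {@code Client-Key} header.
 *
 * <p>Requests that {@link #isExternalURL(String, String)} classifies as external (a URI under one
 * of {@code Constants.swaggerUrls}, any {@code OPTIONS} request, or a {@code GET} to a URI listed
 * in {@code Constants.externalUrls}) pass straight through. Every other request must carry a
 * {@code Client-Key} header equal to the key this filter was constructed with: a missing header is
 * rejected with HTTP 400, a mismatching one with HTTP 403.
 *
 * <p>The key comparison is constant-time so that response latency does not depend on how many
 * leading bytes of a presented key match the configured one. The presented key is never logged.
 */
public class ApiAuthenticationFilter implements Filter {
    private static final Logger logger = LoggerFactory.getLogger(ApiAuthenticationFilter.class);

    /** Shared secret that every non-external request must present in the Client-Key header. */
    private final String seocClientKey;

    // Jackson mapper with the project's StringSerializer registered. Nothing in this class reads
    // it; it is kept because it was part of the original filter (presumably used elsewhere -
    // verify before removing).
    private static final ObjectMapper mapper = new ObjectMapper();
    private static final SimpleModule module =
            new SimpleModule("Serializer", new Version(1, 0, 0, null, null, null));

    static {
        module.addSerializer(String.class, new StringSerializer());
        mapper.registerModule(module);
    }

    /**
     * Creates the filter.
     *
     * @param seocClientKey the expected Client-Key value; when {@code null}, no presented key can
     *     match and every non-external request carrying a header is rejected with 403
     */
    public ApiAuthenticationFilter(String seocClientKey) {
        this.seocClientKey = seocClientKey;
    }

    /**
     * Enforces the Client-Key check for non-external requests and forwards the rest of the chain.
     *
     * @param request the incoming request; cast to {@link HttpServletRequest}
     * @param response the response; cast to {@link HttpServletResponse} only when an error is sent
     * @param chain the remaining filter chain, invoked when the request is external or the key is valid
     * @throws IOException if writing the error response fails
     * @throws ServletException propagated from the rest of the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws BusinessException, IOException, ServletException {
        logger.info(
                "ApiAuthentication filter check to determine allowed urls based on the value of the Client-Key in the header.");

        HttpServletRequest httpRequest = (HttpServletRequest) request;
        // NOTE(review): getRequestURI() returns the raw, un-normalized path. The prefix and
        // equality matching in isExternalURL relies on the container having collapsed "." and
        // ".." segments before this filter runs - confirm for the deployed container.
        String url = httpRequest.getRequestURI();
        String method = httpRequest.getMethod();

        if (!isExternalURL(url, method)) {
            String reqClientKey = httpRequest.getHeader(Constants.CLIENT_KEY);

            if (reqClientKey == null) {
                reject(response, HttpServletResponse.SC_BAD_REQUEST,
                        "Client-Key header is missing in the request");
                return;
            }

            if (!isValidClientKey(reqClientKey)) {
                reject(response, HttpServletResponse.SC_FORBIDDEN,
                        "Access denied. Invalid Client-Key");
                return;
            }
        }

        chain.doFilter(request, response);
    }

    /** Logs the rejection reason (never the presented key) and sends it as an HTTP error status. */
    private static void reject(ServletResponse response, int status, String reason)
            throws IOException {
        logger.info(reason);
        ((HttpServletResponse) response).sendError(status, reason);
    }

    /**
     * Compares the presented key with the configured key in constant time.
     *
     * <p>{@link MessageDigest#isEqual} does not stop at the first differing byte, so the time taken
     * does not reveal how much of the presented key was correct (only a length mismatch is
     * observable, as with any such comparison).
     *
     * @param presented the value of the Client-Key header
     * @return {@code true} only when both keys are non-null and byte-for-byte equal as UTF-8
     */
    private boolean isValidClientKey(String presented) {
        if (presented == null || seocClientKey == null) {
            return false;
        }
        return MessageDigest.isEqual(
                presented.getBytes(StandardCharsets.UTF_8),
                seocClientKey.getBytes(StandardCharsets.UTF_8));
    }

    /** Logs that the filter is being initialized; no configuration is read from {@code filterConfig}. */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        logger.info("Initializing Authentication Filter :{}", this);
    }

    /** Logs (at WARN, as originally) that the filter is being taken down; nothing is released. */
    @Override
    public void destroy() {
        logger.warn("Destructing Authentication Filter :{}", this);
    }

    /**
     * Determines whether the current request targets a public URL that needs no Client-Key.
     *
     * <p>A request is external when the URI starts with any entry of {@code Constants.swaggerUrls},
     * when the method is {@code OPTIONS} (presumably to let CORS preflight through), or when the
     * method is {@code GET} and the URI is listed verbatim in {@code Constants.externalUrls}.
     *
     * @param url the request URI
     * @param method the HTTP method
     * @return {@code true} if the URL is external and skips validation; {@code false} otherwise,
     *     including when either argument is {@code null} (fail closed rather than throw)
     */
    public boolean isExternalURL(String url, String method) {
        if (url == null || method == null) {
            return false;
        }

        for (String swaggerUrl : Constants.swaggerUrls) {
            if (url.startsWith(swaggerUrl)) {
                return true;
            }
        }

        if ("OPTIONS".equalsIgnoreCase(method)) {
            return true;
        }

        return "GET".equalsIgnoreCase(method) && Constants.externalUrls.contains(url);
    }
}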