Package ca.uhn.fhir.rest.server.interceptor.auth

Class AuthorizationInterceptor

java.lang.Object

ca.uhn.fhir.rest.server.interceptor.auth.AuthorizationInterceptor

All Implemented Interfaces:

IRuleApplier

public class AuthorizationInterceptor
extends Object
implements IRuleApplier

This class is a base class for interceptors which can be used to inspect requests and responses to determine whether the calling user has permission to perform the given action.

See the HAPI FHIR Documentation on Server Security for information on how to use this interceptor.

See Also:

• SearchNarrowingInterceptor

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static class	AuthorizationInterceptor.Verdict

Field Summary

Fields

Modifier and Type	Field	Description
static final String	REQUEST_ATTRIBUTE_BULK_DATA_EXPORT_OPTIONS
static final List<ca.uhn.fhir.rest.api.RestOperationTypeEnum>	REST_OPERATIONS_TO_EXCLUDE_SECURITY_FOR_OPERATION_OUTCOME

Constructor Summary

Constructors

Constructor	Description
AuthorizationInterceptor()	Constructor
AuthorizationInterceptor(PolicyEnum theDefaultPolicy)	Constructor

Method Summary

Modifier and Type	Method	Description
AuthorizationInterceptor.Verdict	applyRulesAndReturnDecision(ca.uhn.fhir.rest.api.RestOperationTypeEnum theOperation, RequestDetails theRequestDetails, org.hl7.fhir.instance.model.api.IBaseResource theInputResource, org.hl7.fhir.instance.model.api.IIdType theInputResourceId, org.hl7.fhir.instance.model.api.IBaseResource theOutputResource, ca.uhn.fhir.interceptor.api.Pointcut thePointcut)
List<IAuthRule>	buildRuleList(RequestDetails theRequestDetails)	Subclasses should override this method to supply the set of rules to be applied to this individual request.
PolicyEnum	getDefaultPolicy()	The default policy if no rules have been found to apply.
Set<AuthorizationFlagsEnum>	getFlags()	This property configures any flags affecting how authorization is applied.
IAuthorizationSearchParamMatcher	getSearchParamMatcher()
org.slf4j.Logger	getTroubleshootingLog()
ca.uhn.fhir.context.support.IValidationSupport	getValidationSupport()
protected void	handleDeny(RequestDetails theRequestDetails, AuthorizationInterceptor.Verdict decision)	Handle an access control verdict of PolicyEnum.DENY.
protected void	handleDeny(AuthorizationInterceptor.Verdict decision)	This method should not be overridden.
void	hookCascadeDeleteForConflict(RequestDetails theRequestDetails, ca.uhn.fhir.interceptor.api.Pointcut thePointcut, org.hl7.fhir.instance.model.api.IBaseResource theResourceToDelete)
void	hookDeleteExpunge(RequestDetails theRequestDetails, ca.uhn.fhir.interceptor.api.Pointcut thePointcut)
void	hookOutgoingResponse(RequestDetails theRequestDetails, org.hl7.fhir.instance.model.api.IBaseResource theResponseObject, ca.uhn.fhir.interceptor.api.Pointcut thePointcut)
void	hookPreShow(RequestDetails theRequestDetails, IPreResourceShowDetails theDetails, ca.uhn.fhir.interceptor.api.Pointcut thePointcut)
void	hookResourcePreCreate(RequestDetails theRequest, org.hl7.fhir.instance.model.api.IBaseResource theResource, ca.uhn.fhir.interceptor.api.Pointcut thePointcut)
void	hookResourcePreDelete(RequestDetails theRequest, org.hl7.fhir.instance.model.api.IBaseResource theResource, ca.uhn.fhir.interceptor.api.Pointcut thePointcut)
void	hookResourcePreUpdate(RequestDetails theRequest, org.hl7.fhir.instance.model.api.IBaseResource theOldResource, org.hl7.fhir.instance.model.api.IBaseResource theNewResource, ca.uhn.fhir.interceptor.api.Pointcut thePointcut)
void	incomingRequestPreHandled(RequestDetails theRequest, ca.uhn.fhir.interceptor.api.Pointcut thePointcut)
void	initiateBulkExport(RequestDetails theRequestDetails, BulkExportJobParameters theBulkExportOptions, ca.uhn.fhir.interceptor.api.Pointcut thePointcut)
void	setAuthorizationSearchParamMatcher(IAuthorizationSearchParamMatcher theAuthorizationSearchParamMatcher)	Sets a search parameter matcher for use in handling SMART v2 filter scopes
AuthorizationInterceptor	setDefaultPolicy(PolicyEnum theDefaultPolicy)	The default policy if no rules have been found to apply.
AuthorizationInterceptor	setFlags(AuthorizationFlagsEnum... theFlags)	This property configures any flags affecting how authorization is applied.
AuthorizationInterceptor	setFlags(Collection<AuthorizationFlagsEnum> theFlags)	This property configures any flags affecting how authorization is applied.
void	setTroubleshootingLog(org.slf4j.Logger theTroubleshootingLog)
AuthorizationInterceptor	setValidationSupport(ca.uhn.fhir.context.support.IValidationSupport theValidationSupport)	Sets a validation support module that will be used for terminology-based rules
protected static boolean	shouldExamineChildResources(org.hl7.fhir.instance.model.api.IBaseResource theResource, ca.uhn.fhir.context.FhirContext theFhirContext)	This method determines if the given Resource should have permissions applied to the resources inside or to the Resource itself.
static List<org.hl7.fhir.instance.model.api.IBaseResource>	toListOfResourcesAndExcludeContainer(org.hl7.fhir.instance.model.api.IBaseResource theResponseObject, ca.uhn.fhir.context.FhirContext fhirContext)
protected static List<org.hl7.fhir.instance.model.api.IBaseResource>	toListOfResourcesAndExcludeContainerUnlessStandalone(org.hl7.fhir.instance.model.api.IBaseResource theResponseObject, ca.uhn.fhir.context.FhirContext fhirContext, RequestDetails theRequestDetails)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details

REQUEST_ATTRIBUTE_BULK_DATA_EXPORT_OPTIONS

public static final String REQUEST_ATTRIBUTE_BULK_DATA_EXPORT_OPTIONS

REST_OPERATIONS_TO_EXCLUDE_SECURITY_FOR_OPERATION_OUTCOME

public static final List<ca.uhn.fhir.rest.api.RestOperationTypeEnum> REST_OPERATIONS_TO_EXCLUDE_SECURITY_FOR_OPERATION_OUTCOME

Constructor Details

AuthorizationInterceptor

public AuthorizationInterceptor()

Constructor

AuthorizationInterceptor

public AuthorizationInterceptor(PolicyEnum theDefaultPolicy)

Constructor

Parameters:

theDefaultPolicy - The default policy if no rules apply (must not be null)

Method Details

getTroubleshootingLog

@Nonnull
public org.slf4j.Logger getTroubleshootingLog()

Specified by:

getTroubleshootingLog in interface IRuleApplier

setTroubleshootingLog

public void setTroubleshootingLog(@Nonnull
 org.slf4j.Logger theTroubleshootingLog)

applyRulesAndReturnDecision

public AuthorizationInterceptor.Verdict applyRulesAndReturnDecision(ca.uhn.fhir.rest.api.RestOperationTypeEnum theOperation,
 RequestDetails theRequestDetails,
 org.hl7.fhir.instance.model.api.IBaseResource theInputResource,
 org.hl7.fhir.instance.model.api.IIdType theInputResourceId,
 org.hl7.fhir.instance.model.api.IBaseResource theOutputResource,
 ca.uhn.fhir.interceptor.api.Pointcut thePointcut)

Specified by:

applyRulesAndReturnDecision in interface IRuleApplier

getValidationSupport

@Nullable
public ca.uhn.fhir.context.support.IValidationSupport getValidationSupport()

Specified by:

getValidationSupport in interface IRuleApplier

Since:

6.0.0

setValidationSupport

public AuthorizationInterceptor setValidationSupport(ca.uhn.fhir.context.support.IValidationSupport theValidationSupport)

Sets a validation support module that will be used for terminology-based rules

Parameters:

theValidationSupport - The validation support. Null is also acceptable (this is the default), in which case the validation support module associated with the FhirContext will be used.

Since:

6.0.0

setAuthorizationSearchParamMatcher

public void setAuthorizationSearchParamMatcher(@Nullable
 IAuthorizationSearchParamMatcher theAuthorizationSearchParamMatcher)

Sets a search parameter matcher for use in handling SMART v2 filter scopes

Parameters:

theAuthorizationSearchParamMatcher - The search parameter matcher. Defaults to null.

getSearchParamMatcher

@Nullable
public IAuthorizationSearchParamMatcher getSearchParamMatcher()

Specified by:

getSearchParamMatcher in interface IRuleApplier

buildRuleList

public List<IAuthRule> buildRuleList(RequestDetails theRequestDetails)

Subclasses should override this method to supply the set of rules to be applied to this individual request.

Typically this is done by examining theRequestDetails to find out who the current user is and then using a RuleBuilder to create an appropriate rule chain.

Parameters:

theRequestDetails - The individual request currently being applied

getDefaultPolicy

public PolicyEnum getDefaultPolicy()

The default policy if no rules have been found to apply. Default value for this setting is PolicyEnum.DENY

setDefaultPolicy

public AuthorizationInterceptor setDefaultPolicy(PolicyEnum theDefaultPolicy)

The default policy if no rules have been found to apply. Default value for this setting is PolicyEnum.DENY

Parameters:

theDefaultPolicy - The policy (must not be null)

getFlags

public Set<AuthorizationFlagsEnum> getFlags()

This property configures any flags affecting how authorization is applied. By default no flags are applied.

See Also:

• setFlags(Collection)

setFlags

public AuthorizationInterceptor setFlags(Collection<AuthorizationFlagsEnum> theFlags)

This property configures any flags affecting how authorization is applied. By default no flags are applied.

Parameters:

theFlags - The flags (must not be null)

See Also:

• setFlags(AuthorizationFlagsEnum...)

setFlags

public AuthorizationInterceptor setFlags(AuthorizationFlagsEnum... theFlags)

This property configures any flags affecting how authorization is applied. By default no flags are applied.

Parameters:

theFlags - The flags (must not be null)

See Also:

• setFlags(Collection)

handleDeny

protected void handleDeny(RequestDetails theRequestDetails,
 AuthorizationInterceptor.Verdict decision)

Handle an access control verdict of PolicyEnum.DENY.

Subclasses may override to implement specific behaviour, but default is to throw ForbiddenOperationException (HTTP 403) with error message citing the rule name which trigered failure

Since:

HAPI FHIR 3.6.0

handleDeny

protected void handleDeny(AuthorizationInterceptor.Verdict decision)

This method should not be overridden. As of HAPI FHIR 3.6.0, you should override handleDeny(RequestDetails, Verdict) instead. This method will be removed in the future.

incomingRequestPreHandled

public void incomingRequestPreHandled(RequestDetails theRequest,
 ca.uhn.fhir.interceptor.api.Pointcut thePointcut)

hookPreShow

public void hookPreShow(RequestDetails theRequestDetails,
 IPreResourceShowDetails theDetails,
 ca.uhn.fhir.interceptor.api.Pointcut thePointcut)

hookOutgoingResponse

public void hookOutgoingResponse(RequestDetails theRequestDetails,
 org.hl7.fhir.instance.model.api.IBaseResource theResponseObject,
 ca.uhn.fhir.interceptor.api.Pointcut thePointcut)

hookCascadeDeleteForConflict

public void hookCascadeDeleteForConflict(RequestDetails theRequestDetails,
 ca.uhn.fhir.interceptor.api.Pointcut thePointcut,
 org.hl7.fhir.instance.model.api.IBaseResource theResourceToDelete)

hookDeleteExpunge

public void hookDeleteExpunge(RequestDetails theRequestDetails,
 ca.uhn.fhir.interceptor.api.Pointcut thePointcut)

initiateBulkExport

public void initiateBulkExport(RequestDetails theRequestDetails,
 BulkExportJobParameters theBulkExportOptions,
 ca.uhn.fhir.interceptor.api.Pointcut thePointcut)

hookResourcePreCreate

public void hookResourcePreCreate(RequestDetails theRequest,
 org.hl7.fhir.instance.model.api.IBaseResource theResource,
 ca.uhn.fhir.interceptor.api.Pointcut thePointcut)

hookResourcePreDelete

public void hookResourcePreDelete(RequestDetails theRequest,
 org.hl7.fhir.instance.model.api.IBaseResource theResource,
 ca.uhn.fhir.interceptor.api.Pointcut thePointcut)

hookResourcePreUpdate

public void hookResourcePreUpdate(RequestDetails theRequest,
 org.hl7.fhir.instance.model.api.IBaseResource theOldResource,
 org.hl7.fhir.instance.model.api.IBaseResource theNewResource,
 ca.uhn.fhir.interceptor.api.Pointcut thePointcut)

toListOfResourcesAndExcludeContainerUnlessStandalone

protected static List<org.hl7.fhir.instance.model.api.IBaseResource> toListOfResourcesAndExcludeContainerUnlessStandalone(org.hl7.fhir.instance.model.api.IBaseResource theResponseObject,
 ca.uhn.fhir.context.FhirContext fhirContext,
 RequestDetails theRequestDetails)

toListOfResourcesAndExcludeContainer

@Nonnull
public static List<org.hl7.fhir.instance.model.api.IBaseResource> toListOfResourcesAndExcludeContainer(org.hl7.fhir.instance.model.api.IBaseResource theResponseObject,
 ca.uhn.fhir.context.FhirContext fhirContext)

shouldExamineChildResources

protected static boolean shouldExamineChildResources(org.hl7.fhir.instance.model.api.IBaseResource theResource,
 ca.uhn.fhir.context.FhirContext theFhirContext)

This method determines if the given Resource should have permissions applied to the resources inside or to the Resource itself. For Parameters resources, we include child resources when checking the permissions. For Bundle resources, we only look at resources inside if the Bundle is of type document, collection, or message.