Class SearchNarrowingInterceptor

java.lang.Object
ca.uhn.fhir.rest.server.interceptor.auth.SearchNarrowingInterceptor

public class SearchNarrowingInterceptor extends Object
This interceptor can be used to automatically narrow the scope of searches, restricting them to specific compartments.

For example, this interceptor could be used to restrict a user to only viewing data belonging to Patient/123 (i.e. data in the Patient/123 compartment). In this case, a user performing a search for
http://baseurl/Observation?category=laboratory
would receive results as though they had requested
http://baseurl/Observation?subject=Patient/123&category=laboratory

Note that this interceptor should be used in combination with AuthorizationInterceptor if you are restricting results because of a security restriction. This interceptor is not intended to be a failsafe way of preventing users from seeing the wrong data (that is the purpose of AuthorizationInterceptor). It is simply intended as a convenience that lets users simplify their queries without receiving security errors for trying to access data they do not have access to.

  • Method Details

    • setNarrowConditionalUrls

      public void setNarrowConditionalUrls(boolean theNarrowConditionalUrls)
      If set to true (default is false), conditional URLs such as the If-None-Exist header used for Conditional Create operations will also be narrowed.
      Parameters:
      theNarrowConditionalUrls - Should we narrow conditional URLs in requests
      Since:
      7.2.0
    • setPostFilterLargeValueSetThreshold

      public void setPostFilterLargeValueSetThreshold(int thePostFilterLargeValueSetThreshold)
      Supplies a threshold over which any ValueSet-based rules will be applied by

      Note that this setting will have no effect if setValidationSupport(IValidationSupport) has not also been called in order to supply a validation support module for testing ValueSet membership.

      Parameters:
      thePostFilterLargeValueSetThreshold - The threshold
    • setValidationSupport

      public SearchNarrowingInterceptor setValidationSupport(ca.uhn.fhir.context.support.IValidationSupport theValidationSupport)
      Supplies a validation support module that will be used to apply the
      Since:
      6.0.0
    • hookIncomingRequestPostProcessed

      public void hookIncomingRequestPostProcessed(RequestDetails theRequestDetails, jakarta.servlet.http.HttpServletRequest theRequest, jakarta.servlet.http.HttpServletResponse theResponse) throws ca.uhn.fhir.rest.server.exceptions.AuthenticationException
      This method handles narrowing for FHIR search/create/update/patch operations.
      Throws:
      ca.uhn.fhir.rest.server.exceptions.AuthenticationException
    • hookIncomingRequestPreHandled

      public void hookIncomingRequestPreHandled(ServletRequestDetails theRequestDetails, jakarta.servlet.http.HttpServletRequest theRequest, jakarta.servlet.http.HttpServletResponse theResponse) throws ca.uhn.fhir.rest.server.exceptions.AuthenticationException
      This method narrows FHIR transaction operations (because this pointcut is called after the request body is parsed).
      Throws:
      ca.uhn.fhir.rest.server.exceptions.AuthenticationException
    • buildAuthorizedList

      protected AuthorizedList buildAuthorizedList(RequestDetails theRequestDetails)
      Subclasses should override this method to supply the set of compartments that the user making the request should actually have access to.

      Typically this is done by examining theRequestDetails to find out who the current user is and then building a list of Strings.

      Parameters:
      theRequestDetails - The individual request currently being applied
      Returns:
      The list of allowed compartments and instances that should be used for search narrowing. If this method returns null, no narrowing will be performed
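
The following is an added example, not code from the HAPI FHIR project: a buildAuthorizedList override paired with an AuthorizationInterceptor that enforces the same Patient compartment, as the class description recommends. The request attribute name, the wrapper class names and the assumption that an upstream authentication step sets that attribute are hypothetical; the R4 IdType is used for illustration.

```java
import ca.uhn.fhir.rest.api.server.RequestDetails;
import ca.uhn.fhir.rest.server.exceptions.AuthenticationException;
import ca.uhn.fhir.rest.server.interceptor.auth.AuthorizationInterceptor;
import ca.uhn.fhir.rest.server.interceptor.auth.AuthorizedList;
import ca.uhn.fhir.rest.server.interceptor.auth.IAuthRule;
import ca.uhn.fhir.rest.server.interceptor.auth.RuleBuilder;
import ca.uhn.fhir.rest.server.interceptor.auth.SearchNarrowingInterceptor;
import java.util.List;
import org.hl7.fhir.r4.model.IdType;

public class PatientScopedInterceptors {

    // Assumption: an upstream authentication step has validated the caller and stored
    // the patient they may see (e.g. "Patient/123") under this hypothetical attribute.
    static final String PATIENT_ATTR = "example.authenticatedPatientId";

    static String requirePatientId(RequestDetails theRequestDetails) {
        Object value = theRequestDetails.getAttribute(PATIENT_ATTR);
        if (!(value instanceof String) || !((String) value).matches("Patient/[A-Za-z0-9\\-.]{1,64}")) {
            // Fail closed. Returning null from buildAuthorizedList would disable
            // narrowing entirely, so a missing identity must never map to null.
            throw new AuthenticationException("No authenticated patient context");
        }
        return (String) value;
    }

    /** Convenience layer: rewrites searches so they stay inside the caller's compartment. */
    public static class Narrowing extends SearchNarrowingInterceptor {
        @Override
        protected AuthorizedList buildAuthorizedList(RequestDetails theRequestDetails) {
            return new AuthorizedList().addCompartment(requirePatientId(theRequestDetails));
        }
    }

    /** Enforcement layer: rejects any access outside that same compartment. */
    public static class Enforcement extends AuthorizationInterceptor {
        @Override
        public List<IAuthRule> buildRuleList(RequestDetails theRequestDetails) {
            IdType patient = new IdType(requirePatientId(theRequestDetails));
            return new RuleBuilder()
                .allow().read().allResources().inCompartment("Patient", patient).andThen()
                .denyAll()
                .build();
        }
    }
}
```

Both interceptors derive the compartment from the same helper, so the narrowed query and the authorization rules cannot drift apart; register both on the server.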