9.3Search Narrowing Interceptor

 

HAPI FHIR 3.7.0 introduced a new interceptor, the SearchNarrowingInterceptor.

This interceptor is designed to be used in conjunction with AuthorizationInterceptor. It uses a similar strategy where a dynamic list is built up for each request, but the purpose of this interceptor is to modify client searches that are received (after HAPI FHIR received the HTTP request, but before the search is actually performed) to restrict the search to only search for specific resources or compartments that the user has access to.

This could be used, for example, to allow the user to perform a search for: http://baseurl/Observation?category=laboratory

...and then receive results as though they had requested: http://baseurl/Observation?subject=Patient/123&category=laboratory

An example of this interceptor follows:

public class MyPatientSearchNarrowingInterceptor extends SearchNarrowingInterceptor {

   /**
    * This method must be overridden to provide the list of compartments
    * and/or resources that the current user should have access to
    */
   @Override
   protected AuthorizedList buildAuthorizedList(RequestDetails theRequestDetails) {
      // Process authorization header - The following is a fake
      // implementation. Obviously we'd want something more real
      // for a production scenario.
      //
      // In this basic example we have two hardcoded bearer tokens,
      // one which is for a user that has access to one patient, and
      // another that has full access.
      String authHeader = theRequestDetails.getHeader("Authorization");
      if ("Bearer dfw98h38r".equals(authHeader)) {

         // This user will have access to two compartments
         return new AuthorizedList()
            .addCompartment("Patient/123")
            .addCompartment("Patient/456");

      } else if ("Bearer 39ff939jgg".equals(authHeader)) {

         // This user has access to everything
         return new AuthorizedList();

      } else {

         throw new AuthenticationException("Unknown bearer token");

      }

   }

}