Package io.goobi.viewer.model.security

Class AccessConditionUtils

java.lang.Object
io.goobi.viewer.model.security.AccessConditionUtils
public final class AccessConditionUtils extends Object
Utility class providing methods to evaluate access conditions and licence restrictions for records, images, and metadata.

  • Method Details

    • checkAccess

      public static AccessPermission checkAccess(HttpSession session, String action, String pi, String contentFileName, String ipAddress, boolean isThumbnail) throws IndexUnreachableException, DAOException
      checkAccess.
      Parameters:
      session - HTTP session for caching permission results
      action - access action type (e.g. "image", "text", "pdf")
      pi - persistent identifier of the record
      contentFileName - name of the content file being accessed
      ipAddress - client IP address
      isThumbnail - true if the request is for a thumbnail image
      Returns:
      AccessPermission
      Throws:
      IndexUnreachableException - if any.
      DAOException - if any.

    • checkAccess

      public static AccessPermission checkAccess(HttpSession session, String action, String pi, String contentFileName, String ipAddress, boolean isThumbnail, User user) throws IndexUnreachableException, DAOException
      checkAccess.
      Parameters:
      session - HTTP session for caching permission results
      action - access action type (e.g. "image", "text", "pdf")
      pi - persistent identifier of the record
      contentFileName - name of the content file being accessed
      ipAddress - client IP address
      isThumbnail - true if the request is for a thumbnail image
      user - the User requesting access. If null, it is fetched from the jsfContext if one exists
      Returns:
      AccessPermission
      Throws:
      IndexUnreachableException - if any.
      DAOException - if any.

    • retrieveUserFromContext

      public static User retrieveUserFromContext(HttpSession session)
      Central method to retrieve user from a HttpSession.
      Parameters:
      session - The session in which the user data is stored
      Returns:
      The user logged into the given session. May be null if no user is logged in

    • fetchPagePermissions

      public static PagePermissions fetchPagePermissions(String pi, HttpServletRequest request)
      Fetches and pre-evaluates access permissions for all pages of a record in a single batch Solr query, avoiding O(n) per-page Solr queries during IIIF manifest generation.

      Steps:

      1. One Solr query: +PI_TOPSTRUCT:pi +DOCTYPE:PAGE (fields: ORDER, ACCESSCONDITION)
      2. One DAO call: getRecordLicenseTypes()
      3. One user + IP resolution from request
      4. In-memory evaluation of VIEW_IMAGES, VIEW_THUMBNAILS, ZOOM_IMAGES, DOWNLOAD_IMAGES, VIEW_FULLTEXT, DOWNLOAD_PAGE_PDF per page
      Parameters:
      pi - persistent identifier of the record
      request - HTTP servlet request for user and client IP resolution; may be null
      Returns:
      populated PagePermissions; PagePermissions.EMPTY when pi is blank, when no pages are found, or when a Solr/DAO error occurs (logged at WARN)

    • fetchAccessibleFileNames

      public static List<String> fetchAccessibleFileNames(String pi, String filenameField, String privilegeType, HttpServletRequest request)
      Fetches the list of filenames accessible to the current user for a given record and Solr filename field, using a single batch Solr query. Permissions are evaluated in memory — no further Solr queries are issued per file.

      Steps:

      1. One Solr query: +PI_TOPSTRUCT:pi +DOCTYPE:PAGE +filenameField:[* TO *]
      2. One DAO call: getRecordLicenseTypes()
      3. One user + IP resolution from request
      4. In-memory evaluation of privilegeType per page document

      Only bare filenames are returned (e.g. 00000001.xml), not full Solr paths (e.g. alto/PI/00000001.xml). Results are ordered by page ORDER.

      Parameters:
      pi - persistent identifier of the record; blank input returns an empty list immediately
      filenameField - Solr field to query, e.g. SolrConstants.FILENAME_ALTO
      privilegeType - privilege to check, e.g. IPrivilegeHolder.PRIV_VIEW_FULLTEXT
      request - HTTP servlet request for user and IP resolution; null = anonymous
      Returns:
      ordered list of accessible bare filenames; empty list on any error (fail-safe)

    • checkAccessPermissionByIdentifierAndPageOrder

      public static AccessPermission checkAccessPermissionByIdentifierAndPageOrder(PhysicalElement page, String privilegeName, HttpServletRequest request) throws IndexUnreachableException, DAOException
      Checks whether the client may access an image (by PI + file name).
      Parameters:
      page - physical page element whose access conditions are checked
      privilegeName - access privilege name to verify
      request - Calling HttpServiceRequest.
      Returns:
      AccessPermission
      Throws:
      IndexUnreachableException - if any.
      DAOException - if any.

    • checkAccessPermissionByIdentifierAndPageOrder

      public static AccessPermission checkAccessPermissionByIdentifierAndPageOrder(String pi, Integer pageOrder, String privilegeName, HttpServletRequest request) throws IndexUnreachableException, DAOException
      Checks whether the client may access an image (by PI + file name).
      Parameters:
      pi - identifier of the record
      pageOrder - order property of the page
      privilegeName - access privilege name to verify
      request - Calling HttpServiceRequest.
      Returns:
      AccessPermission
      Throws:
      IndexUnreachableException - if any.
      DAOException - if any.

    • checkAccessPermissionByIdentifierAndLogId

      public static AccessPermission checkAccessPermissionByIdentifierAndLogId(String identifier, String logId, String privilegeName, HttpServletRequest request) throws IndexUnreachableException, DAOException, RecordNotFoundException
      Checks whether the current users has the given access permissions to the element with the given identifier and LOGID.
      Parameters:
      identifier - The PI to check.
      logId - The LOGID to check (optional).
      privilegeName - Particular privilege for which to check the permission.
      request - HTTP servlet request providing session and IP address
      Returns:
      AccessPermission
      Throws:
      IndexUnreachableException - if any.
      DAOException - if any.
      RecordNotFoundException

    • checkAccessPermissionBySolrDoc

      public static AccessPermission checkAccessPermissionBySolrDoc(org.apache.solr.common.SolrDocument doc, String originalQuery, String privilegeName, HttpServletRequest request) throws IndexUnreachableException, DAOException
      Parameters:
      doc - Solr document whose access conditions are checked
      originalQuery - original Solr query used to retrieve the document
      privilegeName - access privilege name to verify
      request - HTTP servlet request providing session and IP address
      Returns:
      AccessPermission
      Throws:
      IndexUnreachableException
      DAOException

    • checkAccessPermissionByIdentiferForAllLogids

      public static Map<String,AccessPermission> checkAccessPermissionByIdentiferForAllLogids(String identifier, String privilegeName, HttpServletRequest request) throws IndexUnreachableException, DAOException
      Checks whether the current users has the given access permissions each element of the record with the given identifier.
      Parameters:
      identifier - persistent identifier of the record
      privilegeName - access privilege name to verify
      request - HTTP servlet request providing session and IP address
      Returns:
      Map with true/false for each LOGID
      Throws:
      IndexUnreachableException - if any.
      DAOException - if any.

    • checkContentFileAccessPermission

      public static AccessPermission checkContentFileAccessPermission(String identifier, HttpServletRequest request) throws IndexUnreachableException, DAOException
      Checks if the record with the given identifier should allow access to the given request.
      Parameters:
      identifier - The PI of the work to check
      request - The HttpRequest which may provide a HttpSession to store the access map
      Returns:
      AccessPermission
      Throws:
      IndexUnreachableException - if any.
      DAOException - if any.

    • checkAccessPermissionByImageUrn

      public static AccessPermission checkAccessPermissionByImageUrn(String imageUrn, String privilegeName, HttpServletRequest request) throws IndexUnreachableException, DAOException
      Checks whether the client may access an image (by image URN).
      Parameters:
      imageUrn - Image URN.
      privilegeName - access privilege name to verify
      request - Calling HttpServiceRequest.
      Returns:
      AccessPermission
      Throws:
      IndexUnreachableException - if any.
      DAOException - if any.

    • checkAccessPermission

      public static AccessPermission checkAccessPermission(Set<String> requiredAccessConditions, String privilegeName, String query, HttpServletRequest request) throws IndexUnreachableException, PresentationException, DAOException
      checkAccessPermission.
      Parameters:
      requiredAccessConditions - set of access condition names to satisfy
      privilegeName - access privilege name to verify
      query - Solr query describing the resource in question
      request - HTTP servlet request providing session and IP address
      Returns:
      AccessPermission
      Throws:
      IndexUnreachableException - if any.
      PresentationException - if any.
      DAOException - if any.

    • checkAccessPermissionForImage

      public static AccessPermission checkAccessPermissionForImage(HttpSession session, String pi, String contentFileName, String ipAddress) throws IndexUnreachableException, DAOException
      Checks access permission for the given image and puts the permission status into the corresponding session map.
      Parameters:
      session - HTTP session for caching permission results
      pi - persistent identifier of the record
      contentFileName - name of the image file to check
      ipAddress - client IP address
      Returns:
      AccessPermission
      Throws:
      IndexUnreachableException - if any.
      DAOException - if any.

    • checkAccessPermissionForImage

      public static AccessPermission checkAccessPermissionForImage(HttpSession session, String pi, String contentFileName, String ipAddress, User user) throws IndexUnreachableException, DAOException
      Checks access permission for the given image and puts the permission status into the corresponding session map.
      Parameters:
      session - HTTP session for caching permission results
      pi - persistent identifier of the record
      contentFileName - name of the image file to check
      ipAddress - client IP address
      user - the user requesting permission. If null, it is fetchted from the jsf context if it exists
      Returns:
      AccessPermission
      Throws:
      IndexUnreachableException - if any.
      DAOException - if any.

    • checkAccessPermissionForThumbnail

      public static AccessPermission checkAccessPermissionForThumbnail(HttpSession session, String pi, String contentFileName, String ipAddress) throws IndexUnreachableException, DAOException
      Checks access permission for the given thumbnail and puts the permission status into the corresponding session map.
      Parameters:
      session - HTTP session for caching permission results
      pi - persistent identifier of the record
      contentFileName - name of the thumbnail file to check
      ipAddress - client IP address
      Returns:
      AccessPermission
      Throws:
      IndexUnreachableException - if any.
      DAOException - if any.

    • checkAccessPermissionForThumbnail

      public static AccessPermission checkAccessPermissionForThumbnail(HttpSession session, String pi, String contentFileName, String ipAddress, User user) throws IndexUnreachableException, DAOException
      Checks access permission for the given thumbnail and puts the permission status into the corresponding session map.
      Parameters:
      session - HTTP session for caching permission results
      pi - persistent identifier of the record
      contentFileName - name of the thumbnail file to check
      ipAddress - client IP address
      user - the user requesting permission. If null, it is fetchted from the jsf context if it exists
      Returns:
      AccessPermission
      Throws:
      IndexUnreachableException - if any.
      DAOException - if any.

    • checkAccessPermissionForPagePdf

      public static AccessPermission checkAccessPermissionForPagePdf(HttpServletRequest request, PhysicalElement page) throws IndexUnreachableException, DAOException
      Checks access permission for the given image and puts the permission status into the corresponding session map.
      Parameters:
      request - HTTP servlet request providing session and IP address
      page - physical page element to check PDF download permission for
      Returns:
      AccessPermission
      Throws:
      IndexUnreachableException - if any.
      DAOException - if any.

    • checkAccessPermissionByIdentifierAndFilePathWithSessionMap

      public static AccessPermission checkAccessPermissionByIdentifierAndFilePathWithSessionMap(HttpServletRequest request, String filePath, String privilegeType) throws IndexUnreachableException, DAOException
      checkAccessPermissionByIdentifierAndFilePathWithSessionMap.
      Parameters:
      request - HTTP servlet request providing session and IP address
      filePath - FILENAME_ALTO or FILENAME_FULLTEXT value
      privilegeType - access privilege type to verify
      Returns:
      AccessPermission
      Throws:
      IndexUnreachableException - if any.
      DAOException - if any.

    • checkAccessPermissionByIdentifierAndFilePathWithSessionMap

      public static AccessPermission checkAccessPermissionByIdentifierAndFilePathWithSessionMap(HttpServletRequest request, String filePath, String privilegeType, User user) throws IndexUnreachableException, DAOException
      checkAccessPermissionByIdentifierAndFilePathWithSessionMap.
      Parameters:
      request - HTTP servlet request providing session and IP address
      filePath - FILENAME_ALTO or FILENAME_FULLTEXT value
      privilegeType - access privilege type to verify
      user - the user requesting permission. If null, it is fetchted from the jsf context if it exists
      Returns:
      AccessPermission
      Throws:
      IndexUnreachableException - if any.
      DAOException - if any.

    • checkAccessPermissionByIdentifierAndFileNameWithSessionMap

      public static AccessPermission checkAccessPermissionByIdentifierAndFileNameWithSessionMap(HttpSession session, String pi, String contentFileName, String privilegeType, String ipAddress) throws IndexUnreachableException, DAOException
      Checks access permission of the given privilege type for the given image and puts the permission status into the corresponding session map.
      Parameters:
      session - HTTP session for caching permission results
      pi - persistent identifier of the record
      contentFileName - name of the content file to check
      privilegeType - access privilege type to verify
      ipAddress - client IP address
      Returns:
      AccessPermission
      Throws:
      IndexUnreachableException - if any.
      DAOException - if any.

    • checkAccessPermissionByIdentifierAndFileNameWithSessionMap

      public static AccessPermission checkAccessPermissionByIdentifierAndFileNameWithSessionMap(HttpSession session, String pi, String contentFileName, String privilegeType, String ipAddress, User user) throws IndexUnreachableException, DAOException
      Checks access permission of the given privilege type for the given image and puts the permission status into the corresponding session map.
      Parameters:
      session - HTTP session for caching permission results
      pi - persistent identifier of the record
      contentFileName - name of the content file to check
      privilegeType - access privilege type to verify
      ipAddress - client IP address
      user - the User requesting access. May be null in which case the the method will attempt to retrieve the user from the UserBean, given an existing jsfContext
      Returns:
      AccessPermission
      Throws:
      IndexUnreachableException - if any.
      DAOException - if any.

    • checkAccessPermissionForCmsPage

      public static AccessPermission checkAccessPermissionForCmsPage(HttpServletRequest request, CMSPage page) throws DAOException, IndexUnreachableException, PresentationException
      Parameters:
      request - HTTP servlet request providing session and IP address
      page - CMSPage to check
      Returns:
      AccessPermission
      Throws:
      DAOException
      IndexUnreachableException
      PresentationException

    • checkAccessPermission

      public static AccessPermission checkAccessPermission(List<LicenseType> allLicenseTypes, Set<String> requiredAccessConditions, String privilegeName, User user, String remoteAddress, Optional<ClientApplication> client, String query) throws IndexUnreachableException, PresentationException, DAOException
      Base method for checking access permissions of various types.
      Parameters:
      allLicenseTypes - all configured license types to evaluate
      requiredAccessConditions - Set of access condition names to satisfy (one suffices).
      privilegeName - The particular privilege to check.
      user - Logged in user.
      remoteAddress - client IP address string
      client - optional client application making the request
      query - Solr query describing the resource in question.
      Returns:
      AccessPermission
      Throws:
      IndexUnreachableException - if any.
      PresentationException - if any.
      DAOException - if any.

    • isFreeOpenAccess

      public static boolean isFreeOpenAccess(Set<String> requiredAccessConditions, Collection<LicenseType> allLicenseTypes) throws DAOException
      Check whether the requiredAccessConditions consist only of the OPENACCESS condition and OPENACCESS is not contained in allLicenseTypes. In this and only this case can we safely assume that everything is permitted. If OPENACCESS is in the database then it likely contains some access restrictions which need to be checked
      Parameters:
      requiredAccessConditions - set of access condition names from the Solr document
      allLicenseTypes - all license types relevant for access. If null, the DAO is checked if it contains the OPENACCESS condition
      Returns:
      true if we can savely assume that we have entirely open access
      Throws:
      DAOException - if any.

    • getPdfDownloadQuotaForRecord

      public static int getPdfDownloadQuotaForRecord(String pi) throws PresentationException, IndexUnreachableException, DAOException, RecordNotFoundException
      Parameters:
      pi - persistent identifier of the record
      Returns:
      Number of allowed downloads for given pi; 100 of no value set
      Throws:
      PresentationException
      IndexUnreachableException
      DAOException
      RecordNotFoundException

    • isConcurrentViewsLimitEnabledForAnyAccessCondition

      public static boolean isConcurrentViewsLimitEnabledForAnyAccessCondition(List<String> accessConditions) throws DAOException
      Parameters:
      accessConditions - list of access condition strings to check
      Returns:
      true if any license type for the given list of access conditions has concurrent views limit enabled; false otherwise
      Throws:
      DAOException

    • isPrivilegeGrantedForDoc

      public static boolean isPrivilegeGrantedForDoc(org.apache.solr.common.SolrDocument doc, String privilegeName, HttpServletRequest request)
      Parameters:
      doc - The document containing access condition metadata
      privilegeName - The privilege to check
      request - The request trying to access the resource
      Returns:
      true if granted; false otherwise

    • getApplyingLicenses

      public static List<License> getApplyingLicenses(Optional<User> user, String ipAddress, LicenseType type, IDAO dao) throws DAOException
      List all licenses ("rights") that the given user and ipAddress is entitled to, either because they are directly given to the user, a group the user belongs to or to the given ipAddress, whether or not the given user exists.
      Parameters:
      user - optional logged-in user to match against licenses
      ipAddress - client IP address used for IP range matching
      type - license type to query licenses for
      dao - DAO instance used to retrieve licenses and IP ranges
      Returns:
      List
      Throws:
      DAOException

    • isHasDownloadTicket

      public static boolean isHasDownloadTicket(String pi, HttpSession session)
      Parameters:
      pi - Record identifier
      session - HttpSession that contains permission attributes
      Returns:
      true if given session contains permission for pi; false otherwise

    • addDownloadTicketToSession

      public static boolean addDownloadTicketToSession(String pi, HttpSession session)

    • getSessionPermission

      public static Object getSessionPermission(String attributeName, HttpSession session)
      Parameters:
      attributeName - session attribute key for the permission entry
      session - HTTP session to look up the attribute in
      Returns:
      Object found in session; null otherwise

    • addSessionPermission

      public static boolean addSessionPermission(String attributeName, Object attributeValue, HttpSession session)
      Parameters:
      attributeName - session attribute key under which the value is stored
      attributeValue - permission value to store in the session
      session - HTTP session to store the attribute in
      Returns:
      true if successful; false otherwise

    • clearSessionPermissions

      public static int clearSessionPermissions(HttpSession session)
      Removes privileges saved in the user session.
      Parameters:
      session - HTTP session whose permission attributes are cleared
      Returns:
      Number of removed session attributes

    • getAccessPermission

      public static AccessPermission getAccessPermission(String pi, String fileName, String privilegeName) throws IndexUnreachableException, DAOException
      Parameters:
      pi - persistent identifier of the record
      fileName - content file name to check access for
      privilegeName - access privilege name to verify
      Returns:
      AccessPermission
      Throws:
      DAOException
      IndexUnreachableException

    • getAccessPermission

      public static AccessPermission getAccessPermission(String pi, String fileName, String privilegeName, User user) throws IndexUnreachableException, DAOException
      Parameters:
      pi - persistent identifier of the record
      fileName - content file name to check access for
      privilegeName - access privilege name to verify
      user - The user requesting access. If null it is retrieved from the jsfContext if available
      Returns:
      AccessPermission
      Throws:
      DAOException
      IndexUnreachableException