Package io.goobi.viewer.model.security
Class AccessConditionUtils
java.lang.Object
io.goobi.viewer.model.security.AccessConditionUtils
Utility class providing methods to evaluate access conditions and licence restrictions for records, images, and metadata.
-
Method Summary
| Modifier and Type | Method | Description |
|---|---|---|
| static boolean | addDownloadTicketToSession(String pi, HttpSession session) | |
| static boolean | addSessionPermission(String attributeName, Object attributeValue, HttpSession session) | |
| static AccessPermission | checkAccess(HttpSession session, String action, String pi, String contentFileName, String ipAddress, boolean isThumbnail) | checkAccess. |
| static AccessPermission | checkAccess(HttpSession session, String action, String pi, String contentFileName, String ipAddress, boolean isThumbnail, User user) | checkAccess. |
| static AccessPermission | checkAccessPermission(List<LicenseType> allLicenseTypes, Set<String> requiredAccessConditions, String privilegeName, User user, String remoteAddress, Optional<ClientApplication> client, String query) | Base method for checking access permissions of various types. |
| static AccessPermission | checkAccessPermission(Set<String> requiredAccessConditions, String privilegeName, String query, HttpServletRequest request) | checkAccessPermission. |
| static Map<String, AccessPermission> | checkAccessPermissionByIdentiferForAllLogids(String identifier, String privilegeName, HttpServletRequest request) | Checks whether the current user has the given access permissions for each element of the record with the given identifier. |
| static AccessPermission | checkAccessPermissionByIdentifierAndFileNameWithSessionMap(HttpSession session, String pi, String contentFileName, String privilegeType, String ipAddress) | Checks access permission of the given privilege type for the given image and puts the permission status into the corresponding session map. |
| static AccessPermission | checkAccessPermissionByIdentifierAndFileNameWithSessionMap(HttpSession session, String pi, String contentFileName, String privilegeType, String ipAddress, User user) | Checks access permission of the given privilege type for the given image and puts the permission status into the corresponding session map. |
| static AccessPermission | checkAccessPermissionByIdentifierAndFilePathWithSessionMap(HttpServletRequest request, String filePath, String privilegeType) | checkAccessPermissionByIdentifierAndFilePathWithSessionMap. |
| static AccessPermission | checkAccessPermissionByIdentifierAndFilePathWithSessionMap(HttpServletRequest request, String filePath, String privilegeType, User user) | checkAccessPermissionByIdentifierAndFilePathWithSessionMap. |
| static AccessPermission | checkAccessPermissionByIdentifierAndLogId(String identifier, String logId, String privilegeName, HttpServletRequest request) | Checks whether the current user has the given access permissions to the element with the given identifier and LOGID. |
| static AccessPermission | checkAccessPermissionByIdentifierAndPageOrder(PhysicalElement page, String privilegeName, HttpServletRequest request) | Checks whether the client may access an image (by PI + file name). |
| static AccessPermission | checkAccessPermissionByIdentifierAndPageOrder(String pi, Integer pageOrder, String privilegeName, HttpServletRequest request) | Checks whether the client may access an image (by PI + file name). |
| static AccessPermission | checkAccessPermissionByImageUrn(String imageUrn, String privilegeName, HttpServletRequest request) | Checks whether the client may access an image (by image URN). |
| static AccessPermission | checkAccessPermissionBySolrDoc(org.apache.solr.common.SolrDocument doc, String originalQuery, String privilegeName, HttpServletRequest request) | |
| static AccessPermission | checkAccessPermissionForCmsPage(HttpServletRequest request, CMSPage page) | |
| static AccessPermission | checkAccessPermissionForImage(HttpSession session, String pi, String contentFileName, String ipAddress) | Checks access permission for the given image and puts the permission status into the corresponding session map. |
| static AccessPermission | checkAccessPermissionForImage(HttpSession session, String pi, String contentFileName, String ipAddress, User user) | Checks access permission for the given image and puts the permission status into the corresponding session map. |
| static AccessPermission | checkAccessPermissionForPagePdf(HttpServletRequest request, PhysicalElement page) | Checks access permission for the given image and puts the permission status into the corresponding session map. |
| static AccessPermission | checkAccessPermissionForThumbnail(HttpSession session, String pi, String contentFileName, String ipAddress) | Checks access permission for the given thumbnail and puts the permission status into the corresponding session map. |
| static AccessPermission | checkAccessPermissionForThumbnail(HttpSession session, String pi, String contentFileName, String ipAddress, User user) | Checks access permission for the given thumbnail and puts the permission status into the corresponding session map. |
| static AccessPermission | checkContentFileAccessPermission(String identifier, HttpServletRequest request) | Checks if the record with the given identifier should allow access to the given request. |
| static int | clearSessionPermissions(HttpSession session) | Removes privileges saved in the user session. |
| static AccessPermission | getAccessPermission(String pi, String fileName, String privilegeName) | |
| static AccessPermission | getAccessPermission(String pi, String fileName, String privilegeName, User user) | |
| static List<License> | getApplyingLicenses(Optional<User> user, String ipAddress, LicenseType type, IDAO dao) | List all licenses ("rights") that the given user and ipAddress is entitled to, either because they are directly given to the user, a group the user belongs to or to the given ipAddress, whether or not the given user exists. |
| static int | getPdfDownloadQuotaForRecord(String pi) | |
| static Object | getSessionPermission(String attributeName, HttpSession session) | |
| static boolean | isConcurrentViewsLimitEnabledForAnyAccessCondition(List<String> accessConditions) | |
| static boolean | isFreeOpenAccess(Set<String> requiredAccessConditions, Collection<LicenseType> allLicenseTypes) | Check whether the requiredAccessConditions consist only of the OPENACCESS condition and OPENACCESS is not contained in allLicenseTypes. |
| static boolean | isHasDownloadTicket(String pi, HttpSession session) | |
| static boolean | isPrivilegeGrantedForDoc(org.apache.solr.common.SolrDocument doc, String privilegeName, HttpServletRequest request) | |
| static User | retrieveUserFromContext(HttpSession session) | Central method to retrieve user from a HttpSession. |
-
Method Details
-
checkAccess
public static AccessPermission checkAccess(HttpSession session, String action, String pi, String contentFileName, String ipAddress, boolean isThumbnail) throws IndexUnreachableException, DAOException
checkAccess.
- Parameters:
  session - HTTP session for caching permission results
  action - access action type (e.g. "image", "text", "pdf")
  pi - persistent identifier of the record
  contentFileName - name of the content file being accessed
  ipAddress - client IP address
  isThumbnail - true if the request is for a thumbnail image
- Returns:
  AccessPermission
- Throws:
  IndexUnreachableException - if any.
  DAOException - if any.
-
checkAccess
public static AccessPermission checkAccess(HttpSession session, String action, String pi, String contentFileName, String ipAddress, boolean isThumbnail, User user) throws IndexUnreachableException, DAOException
checkAccess.
- Parameters:
  session - HTTP session for caching permission results
  action - access action type (e.g. "image", "text", "pdf")
  pi - persistent identifier of the record
  contentFileName - name of the content file being accessed
  ipAddress - client IP address
  isThumbnail - true if the request is for a thumbnail image
  user - the User requesting access. If null, it is fetched from the jsfContext if one exists
- Returns:
  AccessPermission
- Throws:
  IndexUnreachableException - if any.
  DAOException - if any.
-
retrieveUserFromContext
Central method to retrieve user from a HttpSession.
- Parameters:
  session - The session in which the user data is stored
- Returns:
  The user logged into the given session. May be null if no user is logged in
-
checkAccessPermissionByIdentifierAndPageOrder
public static AccessPermission checkAccessPermissionByIdentifierAndPageOrder(PhysicalElement page, String privilegeName, HttpServletRequest request) throws IndexUnreachableException, DAOException
Checks whether the client may access an image (by PI + file name).
- Parameters:
  page - physical page element whose access conditions are checked
  privilegeName - access privilege name to verify
  request - Calling HttpServletRequest.
- Returns:
  AccessPermission
- Throws:
  IndexUnreachableException - if any.
  DAOException - if any.
-
checkAccessPermissionByIdentifierAndPageOrder
public static AccessPermission checkAccessPermissionByIdentifierAndPageOrder(String pi, Integer pageOrder, String privilegeName, HttpServletRequest request) throws IndexUnreachableException, DAOException
Checks whether the client may access an image (by PI + file name).
- Parameters:
  pi - identifier of the record
  pageOrder - order property of the page
  privilegeName - access privilege name to verify
  request - Calling HttpServletRequest.
- Returns:
  AccessPermission
- Throws:
  IndexUnreachableException - if any.
  DAOException - if any.
-
checkAccessPermissionByIdentifierAndLogId
public static AccessPermission checkAccessPermissionByIdentifierAndLogId(String identifier, String logId, String privilegeName, HttpServletRequest request) throws IndexUnreachableException, DAOException, RecordNotFoundException
Checks whether the current user has the given access permissions to the element with the given identifier and LOGID.
- Parameters:
  identifier - The PI to check.
  logId - The LOGID to check (optional).
  privilegeName - Particular privilege for which to check the permission.
  request - HTTP servlet request providing session and IP address
- Returns:
  AccessPermission
- Throws:
  IndexUnreachableException - if any.
  DAOException - if any.
  RecordNotFoundException
-
checkAccessPermissionBySolrDoc
public static AccessPermission checkAccessPermissionBySolrDoc(org.apache.solr.common.SolrDocument doc, String originalQuery, String privilegeName, HttpServletRequest request) throws IndexUnreachableException, DAOException
- Parameters:
  doc - Solr document whose access conditions are checked
  originalQuery - original Solr query used to retrieve the document
  privilegeName - access privilege name to verify
  request - HTTP servlet request providing session and IP address
- Returns:
  AccessPermission
- Throws:
  IndexUnreachableException
  DAOException
-
checkAccessPermissionByIdentiferForAllLogids
public static Map<String,AccessPermission> checkAccessPermissionByIdentiferForAllLogids(String identifier, String privilegeName, HttpServletRequest request) throws IndexUnreachableException, DAOException
Checks whether the current user has the given access permissions for each element of the record with the given identifier.
- Parameters:
  identifier - persistent identifier of the record
  privilegeName - access privilege name to verify
  request - HTTP servlet request providing session and IP address
- Returns:
  Map with true/false for each LOGID
- Throws:
  IndexUnreachableException - if any.
  DAOException - if any.
-
checkContentFileAccessPermission
public static AccessPermission checkContentFileAccessPermission(String identifier, HttpServletRequest request) throws IndexUnreachableException, DAOException
Checks if the record with the given identifier should allow access to the given request.
- Parameters:
  identifier - The PI of the work to check
  request - The HttpRequest which may provide a HttpSession to store the access map
- Returns:
  AccessPermission
- Throws:
  IndexUnreachableException - if any.
  DAOException - if any.
-
checkAccessPermissionByImageUrn
public static AccessPermission checkAccessPermissionByImageUrn(String imageUrn, String privilegeName, HttpServletRequest request) throws IndexUnreachableException, DAOException
Checks whether the client may access an image (by image URN).
- Parameters:
  imageUrn - Image URN.
  privilegeName - access privilege name to verify
  request - Calling HttpServletRequest.
- Returns:
  AccessPermission
- Throws:
  IndexUnreachableException - if any.
  DAOException - if any.
-
checkAccessPermission
public static AccessPermission checkAccessPermission(Set<String> requiredAccessConditions, String privilegeName, String query, HttpServletRequest request) throws IndexUnreachableException, PresentationException, DAOException
checkAccessPermission.
- Parameters:
  requiredAccessConditions - set of access condition names to satisfy
  privilegeName - access privilege name to verify
  query - Solr query describing the resource in question
  request - HTTP servlet request providing session and IP address
- Returns:
  AccessPermission
- Throws:
  IndexUnreachableException - if any.
  PresentationException - if any.
  DAOException - if any.
-
checkAccessPermissionForImage
public static AccessPermission checkAccessPermissionForImage(HttpSession session, String pi, String contentFileName, String ipAddress) throws IndexUnreachableException, DAOException
Checks access permission for the given image and puts the permission status into the corresponding session map.
- Parameters:
  session - HTTP session for caching permission results
  pi - persistent identifier of the record
  contentFileName - name of the image file to check
  ipAddress - client IP address
- Returns:
  AccessPermission
- Throws:
  IndexUnreachableException - if any.
  DAOException - if any.
-
checkAccessPermissionForImage
public static AccessPermission checkAccessPermissionForImage(HttpSession session, String pi, String contentFileName, String ipAddress, User user) throws IndexUnreachableException, DAOException
Checks access permission for the given image and puts the permission status into the corresponding session map.
- Parameters:
  session - HTTP session for caching permission results
  pi - persistent identifier of the record
  contentFileName - name of the image file to check
  ipAddress - client IP address
  user - the user requesting permission. If null, it is fetched from the jsf context if it exists
- Returns:
  AccessPermission
- Throws:
  IndexUnreachableException - if any.
  DAOException - if any.
-
checkAccessPermissionForThumbnail
public static AccessPermission checkAccessPermissionForThumbnail(HttpSession session, String pi, String contentFileName, String ipAddress) throws IndexUnreachableException, DAOException
Checks access permission for the given thumbnail and puts the permission status into the corresponding session map.
- Parameters:
  session - HTTP session for caching permission results
  pi - persistent identifier of the record
  contentFileName - name of the thumbnail file to check
  ipAddress - client IP address
- Returns:
  AccessPermission
- Throws:
  IndexUnreachableException - if any.
  DAOException - if any.
-
checkAccessPermissionForThumbnail
public static AccessPermission checkAccessPermissionForThumbnail(HttpSession session, String pi, String contentFileName, String ipAddress, User user) throws IndexUnreachableException, DAOException
Checks access permission for the given thumbnail and puts the permission status into the corresponding session map.
- Parameters:
  session - HTTP session for caching permission results
  pi - persistent identifier of the record
  contentFileName - name of the thumbnail file to check
  ipAddress - client IP address
  user - the user requesting permission. If null, it is fetched from the jsf context if it exists
- Returns:
  AccessPermission
- Throws:
  IndexUnreachableException - if any.
  DAOException - if any.
-
checkAccessPermissionForPagePdf
public static AccessPermission checkAccessPermissionForPagePdf(HttpServletRequest request, PhysicalElement page) throws IndexUnreachableException, DAOException
Checks access permission for the given image and puts the permission status into the corresponding session map.
- Parameters:
  request - HTTP servlet request providing session and IP address
  page - physical page element to check PDF download permission for
- Returns:
  AccessPermission
- Throws:
  IndexUnreachableException - if any.
  DAOException - if any.
-
checkAccessPermissionByIdentifierAndFilePathWithSessionMap
public static AccessPermission checkAccessPermissionByIdentifierAndFilePathWithSessionMap(HttpServletRequest request, String filePath, String privilegeType) throws IndexUnreachableException, DAOException
checkAccessPermissionByIdentifierAndFilePathWithSessionMap.
- Parameters:
  request - HTTP servlet request providing session and IP address
  filePath - FILENAME_ALTO or FILENAME_FULLTEXT value
  privilegeType - access privilege type to verify
- Returns:
  AccessPermission
- Throws:
  IndexUnreachableException - if any.
  DAOException - if any.
-
checkAccessPermissionByIdentifierAndFilePathWithSessionMap
public static AccessPermission checkAccessPermissionByIdentifierAndFilePathWithSessionMap(HttpServletRequest request, String filePath, String privilegeType, User user) throws IndexUnreachableException, DAOException
checkAccessPermissionByIdentifierAndFilePathWithSessionMap.
- Parameters:
  request - HTTP servlet request providing session and IP address
  filePath - FILENAME_ALTO or FILENAME_FULLTEXT value
  privilegeType - access privilege type to verify
  user - the user requesting permission. If null, it is fetched from the jsf context if it exists
- Returns:
  AccessPermission
- Throws:
  IndexUnreachableException - if any.
  DAOException - if any.
-
checkAccessPermissionByIdentifierAndFileNameWithSessionMap
public static AccessPermission checkAccessPermissionByIdentifierAndFileNameWithSessionMap(HttpSession session, String pi, String contentFileName, String privilegeType, String ipAddress) throws IndexUnreachableException, DAOException
Checks access permission of the given privilege type for the given image and puts the permission status into the corresponding session map.
- Parameters:
  session - HTTP session for caching permission results
  pi - persistent identifier of the record
  contentFileName - name of the content file to check
  privilegeType - access privilege type to verify
  ipAddress - client IP address
- Returns:
  AccessPermission
- Throws:
  IndexUnreachableException - if any.
  DAOException - if any.
-
checkAccessPermissionByIdentifierAndFileNameWithSessionMap
public static AccessPermission checkAccessPermissionByIdentifierAndFileNameWithSessionMap(HttpSession session, String pi, String contentFileName, String privilegeType, String ipAddress, User user) throws IndexUnreachableException, DAOException
Checks access permission of the given privilege type for the given image and puts the permission status into the corresponding session map.
- Parameters:
  session - HTTP session for caching permission results
  pi - persistent identifier of the record
  contentFileName - name of the content file to check
  privilegeType - access privilege type to verify
  ipAddress - client IP address
  user - the User requesting access. May be null, in which case the method will attempt to retrieve the user from the UserBean, given an existing jsfContext
- Returns:
  AccessPermission
- Throws:
  IndexUnreachableException - if any.
  DAOException - if any.
-
checkAccessPermissionForCmsPage
public static AccessPermission checkAccessPermissionForCmsPage(HttpServletRequest request, CMSPage page) throws DAOException, IndexUnreachableException, PresentationException
- Parameters:
  request - HTTP servlet request providing session and IP address
  page - CMSPage to check
- Returns:
  AccessPermission
- Throws:
  DAOException
  IndexUnreachableException
  PresentationException
-
checkAccessPermission
public static AccessPermission checkAccessPermission(List<LicenseType> allLicenseTypes, Set<String> requiredAccessConditions, String privilegeName, User user, String remoteAddress, Optional<ClientApplication> client, String query) throws IndexUnreachableException, PresentationException, DAOException
Base method for checking access permissions of various types.
- Parameters:
  allLicenseTypes - all configured license types to evaluate
  requiredAccessConditions - Set of access condition names to satisfy (one suffices).
  privilegeName - The particular privilege to check.
  user - Logged in user.
  remoteAddress - client IP address string
  client - optional client application making the request
  query - Solr query describing the resource in question.
- Returns:
  AccessPermission
- Throws:
  IndexUnreachableException - if any.
  PresentationException - if any.
  DAOException - if any.
-
isFreeOpenAccess
public static boolean isFreeOpenAccess(Set<String> requiredAccessConditions, Collection<LicenseType> allLicenseTypes) throws DAOException
Check whether the requiredAccessConditions consist only of the OPENACCESS condition and OPENACCESS is not contained in allLicenseTypes. In this and only this case can we safely assume that everything is permitted. If OPENACCESS is in the database then it likely contains some access restrictions which need to be checked.
- Parameters:
  requiredAccessConditions - set of access condition names from the Solr document
  allLicenseTypes - all license types relevant for access. If null, the DAO is checked if it contains the OPENACCESS condition
- Returns:
  true if we can safely assume that we have entirely open access
- Throws:
  DAOException - if any.
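The rule described for isFreeOpenAccess, as an added sketch that is not the Goobi viewer's own code. LicenseType here is a hypothetical stand-in record, the daoLookup supplier stands in for the DAO query used when allLicenseTypes is null, and treating a null or empty condition set as not open is an assumption of this sketch.

```java
import java.util.Collection;
import java.util.List;
import java.util.Set;
import java.util.function.Supplier;

// Added illustration (Java 16+ for records); not part of io.goobi.viewer.
public class FreeOpenAccessSketch {

    static final String OPENACCESS = "OPENACCESS";

    /** Hypothetical stand-in for the viewer's LicenseType; only the name matters here. */
    record LicenseType(String name) {}

    /**
     * Shortcut check: true only when the record requires exactly {OPENACCESS}
     * and no license type named OPENACCESS has been configured. Every other
     * case returns false, so the caller falls through to the full license check.
     */
    static boolean isFreeOpenAccess(Set<String> requiredAccessConditions,
            Collection<LicenseType> allLicenseTypes,
            Supplier<Collection<LicenseType>> daoLookup) {
        // Assumption: a null or empty set is treated as "not open" (fail closed).
        if (requiredAccessConditions == null
                || requiredAccessConditions.size() != 1
                || !requiredAccessConditions.contains(OPENACCESS)) {
            return false;
        }
        // Per the documented contract, a null list means "ask the DAO".
        Collection<LicenseType> types =
                allLicenseTypes != null ? allLicenseTypes : daoLookup.get();
        // A configured OPENACCESS license type may carry restrictions,
        // so its presence disables the shortcut.
        return types.stream().noneMatch(t -> OPENACCESS.equals(t.name()));
    }

    public static void main(String[] args) {
        // Constructed sample data.
        Supplier<Collection<LicenseType>> daoWithOpenAccess =
                () -> List.of(new LicenseType(OPENACCESS));
        Supplier<Collection<LicenseType>> emptyDao = () -> List.of();

        // Only OPENACCESS required, nothing configured: shortcut applies.
        System.out.println(isFreeOpenAccess(Set.of(OPENACCESS), List.of(), emptyDao));
        // OPENACCESS is configured as a license type: full check needed.
        System.out.println(isFreeOpenAccess(Set.of(OPENACCESS),
                List.of(new LicenseType(OPENACCESS)), emptyDao));
        // A second condition is present: full check needed.
        System.out.println(isFreeOpenAccess(
                Set.of(OPENACCESS, "restricted_collection"), List.of(), emptyDao));
        // Null list: the DAO stand-in is consulted and reports OPENACCESS.
        System.out.println(isFreeOpenAccess(Set.of(OPENACCESS), null, daoWithOpenAccess));
    }
}
```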
-
getPdfDownloadQuotaForRecord
public static int getPdfDownloadQuotaForRecord(String pi) throws PresentationException, IndexUnreachableException, DAOException, RecordNotFoundException
- Parameters:
  pi - persistent identifier of the record
- Returns:
  Number of allowed downloads for given pi; 100 if no value is set
- Throws:
  PresentationException
  IndexUnreachableException
  DAOException
  RecordNotFoundException
-
isConcurrentViewsLimitEnabledForAnyAccessCondition
public static boolean isConcurrentViewsLimitEnabledForAnyAccessCondition(List<String> accessConditions) throws DAOException
- Parameters:
  accessConditions - list of access condition strings to check
- Returns:
  true if any license type for the given list of access conditions has concurrent views limit enabled; false otherwise
- Throws:
  DAOException
-
isPrivilegeGrantedForDoc
public static boolean isPrivilegeGrantedForDoc(org.apache.solr.common.SolrDocument doc, String privilegeName, HttpServletRequest request)
- Parameters:
  doc - The document containing access condition metadata
  privilegeName - The privilege to check
  request - The request trying to access the resource
- Returns:
  true if granted; false otherwise
-
getApplyingLicenses
public static List<License> getApplyingLicenses(Optional<User> user, String ipAddress, LicenseType type, IDAO dao) throws DAOException
List all licenses ("rights") that the given user and ipAddress is entitled to, either because they are directly given to the user, a group the user belongs to or to the given ipAddress, whether or not the given user exists.
- Parameters:
  user - optional logged-in user to match against licenses
  ipAddress - client IP address used for IP range matching
  type - license type to query licenses for
  dao - DAO instance used to retrieve licenses and IP ranges
- Returns:
  List
- Throws:
  DAOException
-
isHasDownloadTicket
- Parameters:
  pi - Record identifier
  session - HttpSession that contains permission attributes
- Returns:
  true if given session contains permission for pi; false otherwise
-
addDownloadTicketToSession
-
getSessionPermission
- Parameters:
  attributeName - session attribute key for the permission entry
  session - HTTP session to look up the attribute in
- Returns:
  Object found in session; null otherwise
-
addSessionPermission
public static boolean addSessionPermission(String attributeName, Object attributeValue, HttpSession session)
- Parameters:
  attributeName - session attribute key under which the value is stored
  attributeValue - permission value to store in the session
  session - HTTP session to store the attribute in
- Returns:
  true if successful; false otherwise
-
clearSessionPermissions
Removes privileges saved in the user session.
- Parameters:
  session - HTTP session whose permission attributes are cleared
- Returns:
  Number of removed session attributes
-
getAccessPermission
public static AccessPermission getAccessPermission(String pi, String fileName, String privilegeName) throws IndexUnreachableException, DAOException
- Parameters:
  pi - persistent identifier of the record
  fileName - content file name to check access for
  privilegeName - access privilege name to verify
- Returns:
  AccessPermission
- Throws:
  DAOException
  IndexUnreachableException
-
getAccessPermission
public static AccessPermission getAccessPermission(String pi, String fileName, String privilegeName, User user) throws IndexUnreachableException, DAOException
- Parameters:
  pi - persistent identifier of the record
  fileName - content file name to check access for
  privilegeName - access privilege name to verify
  user - The user requesting access. If null, it is retrieved from the jsfContext if available
- Returns:
  AccessPermission
- Throws:
  DAOException
  IndexUnreachableException
-