3

I am trying to read the user id of the user that is calling my OData service.

In my web.xml the OData servlet is a protected area

<servlet>
    <servlet-name>EJODataServlet</servlet-name>
    <servlet-class>org.apache.cxf.jaxrs.servlet.CXFNonSpringJaxrsServlet</servlet-class>
    <init-param>
        <param-name>javax.ws.rs.Application</param-name>
        <param-value>org.apache.olingo.odata2.core.rest.app.ODataApplication</param-value>
    </init-param>
    <init-param>
        <param-name>org.apache.olingo.odata2.service.factory</param-name>
        <param-value>com.wombling.odata.service.EJServiceFactory</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>EJODataServlet</servlet-name>
    <url-pattern>/EJOData.svc/*</url-pattern>
</servlet-mapping>
<login-config>
    <auth-method>FORM</auth-method>
</login-config>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Protected Area</web-resource-name>
        <url-pattern>/a/*</url-pattern>
        <url-pattern>/index.html</url-pattern>
        <url-pattern>*.html</url-pattern>
        <url-pattern>/EJOData.svc/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>extension_user</role-name>
    </auth-constraint>
</security-constraint>

When I create the factory to serve the response to a query:

public class EJServiceFactory extends ODataServiceFactory {

@Override
public ODataService createService(ODataContext ctx) throws ODataException {
    return RuntimeDelegate
            .createODataSingleProcessorService(
                    new AnnotationEdmProvider(
                            "com.wombling.odata.models"),
                    new EJODataProcessor("admin")); //TODO this should not be hardcoded
}

}

I cannot see any way that I can get from the ODataContext the user that has passed authentication. If I were to be using basic auth - then I could just get the header, but I'm not using basic auth, but OAuth2 bearer tokens (created by a SAML assertion).

I'd expect the ODataContext provide me access to the request user id, but no luck. Is there some other means that I can use? Or do I need to force the calling application to insert the user id in the request headers (doesn't seem ideal to me!)

wombling - Chris Paine
  • 1,651
  • 1
  • 18
  • 17

1 Answers1

1

To retrieve the request object via the ODataContext object is a little bit tricky. Try this:

HttpServletRequest r = (HttpServletRequest) ctx.getParameter(ODataContext.HTTP_SERVLET_REQUEST_OBJECT);

ctx is your instance of the ODataContext class. From the request object you get all what you need.

user3655248
  • 26
  • 1
  • That was not obvious! but thank you it worked! - I added `String userId = r.getRemoteUser();` and now I can check whether the user is supposed to see the data! – wombling - Chris Paine May 20 '14 at 11:31