Package com.inductiveautomation.ignition.gateway.web.session

Class WebUiSession.WebUiSessionAccessControl

java.lang.Object

com.inductiveautomation.ignition.gateway.dataroutes.AbstractAccessControlStrategy

com.inductiveautomation.ignition.gateway.dataroutes.AbstractGatewayAccessControlStrategy

com.inductiveautomation.ignition.gateway.web.session.WebUiSession.WebUiSessionAccessControl

All Implemented Interfaces:

AccessControlStrategy

Direct Known Subclasses:

WebUiSession.CsrfWebUiSessionAccessControl

Enclosing interface:

WebUiSession

public static class WebUiSession.WebUiSessionAccessControl
extends AbstractGatewayAccessControlStrategy

An AbstractGatewayAccessControlStrategy where auth context such as user information and granted security levels are derived from Web UI session cookies.

Note: by default, this strategy can only be mounted with Routes which use a safe HTTP method such as GET, HEAD, or OPTIONS. This strategy does not offer CSRF protections. Use the WebUiSession.CsrfWebUiSessionAccessControl strategy if you need to protect a Route which uses an unsafe HTTP method so that you can get CSRF protections.

Field Summary

Fields inherited from class com.inductiveautomation.ignition.gateway.dataroutes.AbstractGatewayAccessControlStrategy

permissionType

Fields inherited from class com.inductiveautomation.ignition.gateway.dataroutes.AbstractAccessControlStrategy

EMPTY_SECURITY_LEVELS

Fields inherited from interface com.inductiveautomation.ignition.gateway.dataroutes.AccessControlStrategy

OPEN_ROUTE

Constructor Summary

Constructors

Constructor	Description
WebUiSessionAccessControl(PermissionType permissionType)

Method Summary

Modifier and Type	Method	Description
static Optional<String>	getActor(RequestContext request)	If the request is authenticated with a web ui session, this will return the username of the associated WebAuthUser
protected com.google.common.collect.ImmutableCollection<SecurityLevelConfig>	getSecurityLevels(RequestContext request)
static Optional<WebAuthUser>	getWebAuthUser(RequestContext request)
void	validate(RouteMounterContext routeMounterContext)	Only safe HTTP methods are allowed by default since it is usually the intention that unsafe HTTP methods are used for state changing operations and this strategy does not offer any CSRF protections

Methods inherited from class com.inductiveautomation.ignition.gateway.dataroutes.AbstractGatewayAccessControlStrategy

getRequiredPermissions, toString

Methods inherited from class com.inductiveautomation.ignition.gateway.dataroutes.AbstractAccessControlStrategy

canAccess

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Methods inherited from interface com.inductiveautomation.ignition.gateway.dataroutes.AccessControlStrategy

getWwwAuthenticateHeader

Constructor Details

WebUiSessionAccessControl

public WebUiSessionAccessControl(PermissionType permissionType)

Method Details

getSecurityLevels

protected com.google.common.collect.ImmutableCollection<SecurityLevelConfig> getSecurityLevels(RequestContext request)

Specified by:

getSecurityLevels in class AbstractAccessControlStrategy

Returns:

The security levels associated with the request.

getActor

public static Optional<String> getActor(RequestContext request)

If the request is authenticated with a web ui session, this will return the username of the associated WebAuthUser

getWebAuthUser

public static Optional<WebAuthUser> getWebAuthUser(RequestContext request)

validate

public void validate(RouteMounterContext routeMounterContext)
              throws RouteMounterValidationException

Only safe HTTP methods are allowed by default since it is usually the intention that unsafe HTTP methods are used for state changing operations and this strategy does not offer any CSRF protections

Parameters:

routeMounterContext - the RouteMounterContext to validate

Throws:

RouteMounterValidationException - if validation fails