Class AuthzPolicyEnforcementPersistenceInterceptor

  • All Implemented Interfaces:
    FHIRPersistenceInterceptor

    public class AuthzPolicyEnforcementPersistenceInterceptor
    extends java.lang.Object
    implements FHIRPersistenceInterceptor
    A persistence interceptor that enforces authorization policy based on a JWT access token with SMART-on-FHIR scopes.

    SMART App Launch: Scopes and Launch Context defines the following pattern for the OAuth 2.0 scopes expected in the JWT:

     ( 'patient' | 'user' ) '/' ( fhir-resource | '*' ) '.' ( 'read' | 'write' | '*' )

    SMART Backend Services extends that to include an additional context type for 'system'.

    This interceptor supports both flavors.

    Before and after each interaction, as appropriate, the Authorization header is checked for a scope that permits the requested interaction. If the scope that permits the interaction is of context type 'patient' then the interceptor looks for a patient_id claim in the access token.

    1. For search interactions targeting resource types that can be in a patient compartment, the search is automatically scoped to the Patient compartment(s) of the id(s) in the patient_id claim.
    2. For any interaction that returns resources, if the resource type can be in a patient compartment then the interceptor ensures that it is in the compartment of the id(s) passed in the patient_id claim.
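
The scope pattern and the "find a scope that permits the interaction" step described above, as an added Java example; it is not this class's implementation. The names SmartScopeExample, Scope, parse and permittingContexts are hypothetical, the resource-type pattern `[A-Za-z]+` is an assumed stand-in for `fhir-resource`, the scope claim is constructed sample input, and records require Java 16 or later.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added illustration of SMART scope matching; not the interceptor's own code.
public class SmartScopeExample {
    // Grammar from the class description, plus the 'system' context type
    // added by SMART Backend Services. [A-Za-z]+ is an assumed stand-in
    // for the "fhir-resource" production.
    private static final Pattern SCOPE =
        Pattern.compile("(patient|user|system)/([A-Za-z]+|\\*)\\.(read|write|\\*)");

    record Scope(String context, String resourceType, String permission) {
        // A wildcard on either side of the '.' matches any value.
        boolean permits(String type, String needed) {
            return (resourceType.equals("*") || resourceType.equals(type))
                && (permission.equals("*") || permission.equals(needed));
        }
    }

    // Parse a space-delimited OAuth 2.0 scope claim. Entries that do not match
    // the grammar (openid, malformed permissions) grant nothing and are skipped.
    static List<Scope> parse(String scopeClaim) {
        List<Scope> scopes = new ArrayList<>();
        for (String s : scopeClaim.trim().split("\\s+")) {
            Matcher m = SCOPE.matcher(s);
            if (m.matches()) scopes.add(new Scope(m.group(1), m.group(2), m.group(3)));
        }
        return scopes;
    }

    // Context types of every scope that permits the interaction. An empty set
    // means deny; "patient" in the result means the patient_id claim has to be
    // consulted before the request is allowed to touch compartment resources.
    static Set<String> permittingContexts(List<Scope> scopes, String type, String needed) {
        Set<String> contexts = new TreeSet<>();
        for (Scope s : scopes) if (s.permits(type, needed)) contexts.add(s.context());
        return contexts;
    }

    public static void main(String[] args) {
        // Constructed scope claim: one patient scope, one user scope, two non-matching entries.
        List<Scope> scopes = parse("openid patient/Observation.read user/Practitioner.* patient/*.bogus");
        System.out.println("Observation read:   " + permittingContexts(scopes, "Observation", "read"));
        System.out.println("Observation write:  " + permittingContexts(scopes, "Observation", "write"));
        System.out.println("Practitioner write: " + permittingContexts(scopes, "Practitioner", "write"));
    }
}
```
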
    • Method Summary

      Modifier and Type Method Description
      void afterHistory​(FHIRPersistenceEvent event)
      This method is called during the processing of a 'history' REST API invocation, immediately after the resource's history has been read by the persistence layer.
      void afterInvoke​(FHIROperationContext context)
      This method is called during the invocation of a 'custom operation', immediately after the operation logic is executed.
      void afterRead​(FHIRPersistenceEvent event)
      This method is called during the processing of a 'read' REST API invocation, immediately after the resource has been read by the persistence layer.
      void afterSearch​(FHIRPersistenceEvent event)
      This method is called during the processing of a 'search' REST API invocation, immediately after the search has been performed by the persistence layer.
      void afterVread​(FHIRPersistenceEvent event)
      This method is called during the processing of a 'vread' REST API invocation, immediately after the resource has been read by the persistence layer.
      void beforeCreate​(FHIRPersistenceEvent event)
      This method is called during the processing of a 'create' REST API invocation, immediately before the new resource is stored by the persistence layer.
      void beforeDelete​(FHIRPersistenceEvent event)
      This method is called during the processing of a 'delete' REST API invocation, immediately before the resource is deleted by the persistence layer.
      void beforeHistory​(FHIRPersistenceEvent event)
      This method is called during the processing of a 'history' REST API invocation, immediately before the resource's history is read by the persistence layer.
      void beforeInvoke​(FHIROperationContext context)
      This method is called during the invocation of a 'custom operation', immediately before the operation logic is executed.
      void beforePatch​(FHIRPersistenceEvent event)
      This method is called during the processing of a 'patch' REST API invocation, immediately before the updated resource is stored by the persistence layer.
      void beforeRead​(FHIRPersistenceEvent event)
      This method is called during the processing of a 'read' REST API invocation, immediately before the resource is read by the persistence layer.
      void beforeSearch​(FHIRPersistenceEvent event)
      This method ensures the search is either for a resource type that is not a member of the patient compartment, or is a valid patient-compartment resource search that is scoped to the patient context from the access token.
      void beforeUpdate​(FHIRPersistenceEvent event)
      This method is called during the processing of an 'update' REST API invocation, immediately before the updated resource is stored by the persistence layer.
      void beforeVread​(FHIRPersistenceEvent event)
      This method is called during the processing of a 'vread' (versioned read) REST API invocation, immediately before the resource is read by the persistence layer.
      • Methods inherited from class java.lang.Object

        clone, equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait