Package org.linuxforhealth.fhir.smart
Class AuthzPolicyEnforcementPersistenceInterceptor
java.lang.Object
    org.linuxforhealth.fhir.smart.AuthzPolicyEnforcementPersistenceInterceptor

All Implemented Interfaces:
    FHIRPersistenceInterceptor
public class AuthzPolicyEnforcementPersistenceInterceptor extends java.lang.Object implements FHIRPersistenceInterceptor
A persistence interceptor that enforces authorization policy based on a JWT access token with SMART-on-FHIR scopes.

SMART App Launch: Scopes and Launch Context defines the following pattern for the OAuth 2.0 scopes expected in the JWT:

    ( 'patient' | 'user' ) '/' ( fhir-resource | '*' ) '.' ( 'read' | 'write' | '*' )

SMART Backend Services extends that to include an additional context type for 'system'. This interceptor supports both flavors.

Before and after each interaction, as appropriate, the Authorization header is checked for a scope that permits the requested interaction. If the scope that permits the interaction is of context type 'patient', then the interceptor looks for a patient_id claim in the access token.
- For search interactions targeting resource types that can be in a patient compartment, the search is automatically scoped to the Patient compartment(s) of the id(s) in the patient_id claim.
- For any interaction that returns resources, if the resource type can be in a patient compartment then the interceptor ensures that the returned resource is in the compartment of the id(s) passed in the patient_id claim.
Constructor Summary
AuthzPolicyEnforcementPersistenceInterceptor()
Method Summary
Modifier and Type  Method  Description
void  afterHistory(FHIRPersistenceEvent event)
      This method is called during the processing of a 'history' REST API invocation, immediately after the resource's history has been read by the persistence layer.
void  afterInvoke(FHIROperationContext context)
      This method is called during the invocation of a 'custom operation', immediately after the operation logic is executed.
void  afterRead(FHIRPersistenceEvent event)
      This method is called during the processing of a 'read' REST API invocation, immediately after the resource has been read by the persistence layer.
void  afterSearch(FHIRPersistenceEvent event)
      This method is called during the processing of a 'search' REST API invocation, immediately after the search has been performed by the persistence layer.
void  afterVread(FHIRPersistenceEvent event)
      This method is called during the processing of a 'vread' REST API invocation, immediately after the resource has been read by the persistence layer.
void  beforeCreate(FHIRPersistenceEvent event)
      This method is called during the processing of a 'create' REST API invocation, immediately before the new resource is stored by the persistence layer.
void  beforeDelete(FHIRPersistenceEvent event)
      This method is called during the processing of a 'delete' REST API invocation, immediately before the resource is deleted by the persistence layer.
void  beforeHistory(FHIRPersistenceEvent event)
      This method is called during the processing of a 'history' REST API invocation, immediately before the resource's history is read by the persistence layer.
void  beforeInvoke(FHIROperationContext context)
      This method is called during the invocation of a 'custom operation', immediately before the operation logic is executed.
void  beforePatch(FHIRPersistenceEvent event)
      This method is called during the processing of a 'patch' REST API invocation, immediately before the updated resource is stored by the persistence layer.
void  beforeRead(FHIRPersistenceEvent event)
      This method is called during the processing of a 'read' REST API invocation, immediately before the resource is read by the persistence layer.
void  beforeSearch(FHIRPersistenceEvent event)
      This method ensures the search is either for a resource type that is not a member of the patient compartment, or is a valid patient-compartment resource search that is scoped to the patient context from the access token.
void  beforeUpdate(FHIRPersistenceEvent event)
      This method is called during the processing of an 'update' REST API invocation, immediately before the updated resource is stored by the persistence layer.
void  beforeVread(FHIRPersistenceEvent event)
      This method is called during the processing of a 'vread' (versioned read) REST API invocation, immediately before the resource is read by the persistence layer.
Methods inherited from class java.lang.Object
clone, equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.linuxforhealth.fhir.server.spi.interceptor.FHIRPersistenceInterceptor
afterCreate, afterDelete, afterPatch, afterUpdate
Method Detail

beforeInvoke
public void beforeInvoke(FHIROperationContext context) throws FHIRPersistenceInterceptorException
Description copied from interface: FHIRPersistenceInterceptor
This method is called during the invocation of a 'custom operation', immediately before the operation logic is executed.
Specified by:
    beforeInvoke in interface FHIRPersistenceInterceptor
Throws:
    FHIRPersistenceInterceptorException
afterInvoke
public void afterInvoke(FHIROperationContext context) throws FHIRPersistenceInterceptorException
Description copied from interface: FHIRPersistenceInterceptor
This method is called during the invocation of a 'custom operation', immediately after the operation logic is executed.
Specified by:
    afterInvoke in interface FHIRPersistenceInterceptor
Throws:
    FHIRPersistenceInterceptorException
beforeRead
public void beforeRead(FHIRPersistenceEvent event) throws FHIRPersistenceInterceptorException
Description copied from interface: FHIRPersistenceInterceptor
This method is called during the processing of a 'read' REST API invocation, immediately before the resource is read by the persistence layer.
Specified by:
    beforeRead in interface FHIRPersistenceInterceptor
Parameters:
    event - information about the 'read' event
Throws:
    FHIRPersistenceInterceptorException
beforeVread
public void beforeVread(FHIRPersistenceEvent event) throws FHIRPersistenceInterceptorException
Description copied from interface: FHIRPersistenceInterceptor
This method is called during the processing of a 'vread' (versioned read) REST API invocation, immediately before the resource is read by the persistence layer.
Specified by:
    beforeVread in interface FHIRPersistenceInterceptor
Parameters:
    event - information about the 'vread' event
Throws:
    FHIRPersistenceInterceptorException
beforeHistory
public void beforeHistory(FHIRPersistenceEvent event) throws FHIRPersistenceInterceptorException
Description copied from interface: FHIRPersistenceInterceptor
This method is called during the processing of a 'history' REST API invocation, immediately before the resource's history is read by the persistence layer.
Specified by:
    beforeHistory in interface FHIRPersistenceInterceptor
Parameters:
    event - information about the 'history' event
Throws:
    FHIRPersistenceInterceptorException
beforeSearch
public void beforeSearch(FHIRPersistenceEvent event) throws FHIRPersistenceInterceptorException
This method ensures the search is either for a resource type that is not a member of the patient compartment, or is a valid patient-compartment resource search that is scoped to the patient context from the access token.
Specified by:
    beforeSearch in interface FHIRPersistenceInterceptor
Parameters:
    event - information about the 'search' event
Throws:
    FHIRPersistenceInterceptorException
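The following is an added example, not code from the LinuxForHealth FHIR project: a minimal, self-contained Java model of the two checks described in the class description and in beforeSearch, namely matching a requested interaction against the SMART scope grammar (with the 'system' context from SMART Backend Services) and, for a 'patient' scope, restricting patient-compartment searches and reads to the id(s) in the patient_id claim. Everything not stated on this page is an assumption and is labelled as such in the code: the mapping of REST interactions to 'read' and 'write', the sample set of patient-compartment resource types, the patient_id claim modelled as a list of ids, fail-closed handling of a 'patient' scope whose token carries no patient_id claim, and all class, record and method names (SmartScopeCheckExample, Token, authorize, inPatientCompartment).

```java
import java.util.List;
import java.util.Optional;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added example; not LinuxForHealth FHIR project code. Assumptions are marked below. */
public class SmartScopeCheckExample {

    // Scope grammar from the class description, plus the 'system' context from SMART Backend Services.
    private static final Pattern SCOPE =
        Pattern.compile("^(patient|user|system)/([A-Za-z]+|\\*)\\.(read|write|\\*)$");

    // Assumption: which REST interactions need 'read' and which need 'write' permission.
    private static final Set<String> READ_INTERACTIONS = Set.of("read", "vread", "history", "search");
    private static final Set<String> WRITE_INTERACTIONS = Set.of("create", "update", "patch", "delete");

    // Constructed sample of resource types that can be in a Patient compartment
    // (a real server derives this from the FHIR CompartmentDefinition for Patient).
    private static final Set<String> PATIENT_COMPARTMENT_TYPES =
        Set.of("Patient", "Observation", "Condition", "Encounter");

    /** One parsed scope: context ('patient' | 'user' | 'system'), resource type or '*', permission. */
    record Scope(String context, String resourceType, String permission) {
        static Optional<Scope> parse(String raw) {
            Matcher m = SCOPE.matcher(raw);
            return m.matches() ? Optional.of(new Scope(m.group(1), m.group(2), m.group(3)))
                               : Optional.empty();
        }

        /** True if this scope grants the interaction on the resource type. */
        boolean permits(String type, String interaction) {
            boolean typeOk = resourceType.equals("*") || resourceType.equals(type);
            String needed = READ_INTERACTIONS.contains(interaction) ? "read"
                          : WRITE_INTERACTIONS.contains(interaction) ? "write" : null;
            return typeOk && needed != null && (permission.equals("*") || permission.equals(needed));
        }
    }

    /** Stand-in for the claims read from the JWT. Assumption: patient_id is modelled as a list of ids. */
    record Token(List<String> scopes, List<String> patientIds) {}

    /** Outcome: denied, or allowed with the Patient ids the interaction must be confined to (empty = unrestricted). */
    record Decision(boolean allowed, List<String> compartmentPatientIds, String reason) {}

    /** Scope check performed 'before' an interaction; for searches it also yields the compartment restriction. */
    static Decision authorize(Token token, String resourceType, String interaction) {
        for (String raw : token.scopes()) {
            Optional<Scope> parsed = Scope.parse(raw);
            if (parsed.isEmpty()) continue;            // malformed scopes never grant anything
            Scope scope = parsed.get();
            if (!scope.permits(resourceType, interaction)) continue;

            if (!scope.context().equals("patient")) {
                return new Decision(true, List.of(), "permitted by " + raw);
            }
            // 'patient' context: the patient_id claim is required. Assumption: fail closed if it is absent.
            if (token.patientIds() == null || token.patientIds().isEmpty()) {
                return new Decision(false, List.of(), "patient scope but no patient_id claim");
            }
            // Only compartment-capable types are confined; other types pass through unchanged.
            List<String> ids = PATIENT_COMPARTMENT_TYPES.contains(resourceType)
                ? List.copyOf(token.patientIds()) : List.of();
            return new Decision(true, ids, "permitted by " + raw);
        }
        return new Decision(false, List.of(), "no scope permits " + interaction + " on " + resourceType);
    }

    /** 'After' check for returned resources: a compartment resource must belong to one of the token's patients. */
    static boolean inPatientCompartment(Token token, String resourceType, String subjectPatientId) {
        if (!PATIENT_COMPARTMENT_TYPES.contains(resourceType)) return true;
        return token.patientIds() != null && token.patientIds().contains(subjectPatientId);
    }

    public static void main(String[] args) {
        // Constructed token: one patient-context scope, one user-context scope, patient_id "123".
        Token t = new Token(List.of("patient/Observation.read", "user/Organization.*"), List.of("123"));
        System.out.println(authorize(t, "Observation", "search"));    // allowed, confined to [123]
        System.out.println(authorize(t, "Observation", "create"));    // denied: scope is read-only
        System.out.println(authorize(t, "Organization", "search"));   // allowed, no compartment restriction
        System.out.println(authorize(t, "Condition", "read"));        // denied: no matching scope
        System.out.println(inPatientCompartment(t, "Observation", "999")); // false: wrong patient
        System.out.println(inPatientCompartment(t, "Observation", "123")); // true
    }
}
```

The two halves mirror the interceptor's before/after split: authorize is the check that would run in a before* method and, for a search, produces the compartment restriction the search must be rewritten to; inPatientCompartment is the check an after* method applies to every resource coming back from the persistence layer, so that a read by id of a resource outside the token's Patient compartment is rejected even though the scope itself matched.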
beforeCreate
public void beforeCreate(FHIRPersistenceEvent event) throws FHIRPersistenceInterceptorException
Description copied from interface: FHIRPersistenceInterceptor
This method is called during the processing of a 'create' REST API invocation, immediately before the new resource is stored by the persistence layer.
Specified by:
    beforeCreate in interface FHIRPersistenceInterceptor
Parameters:
    event - information about the 'create' event
Throws:
    FHIRPersistenceInterceptorException
beforeDelete
public void beforeDelete(FHIRPersistenceEvent event) throws FHIRPersistenceInterceptorException
Description copied from interface: FHIRPersistenceInterceptor
This method is called during the processing of a 'delete' REST API invocation, immediately before the resource is deleted by the persistence layer.
Specified by:
    beforeDelete in interface FHIRPersistenceInterceptor
Parameters:
    event - information about the 'delete' event
Throws:
    FHIRPersistenceInterceptorException
beforeUpdate
public void beforeUpdate(FHIRPersistenceEvent event) throws FHIRPersistenceInterceptorException
Description copied from interface: FHIRPersistenceInterceptor
This method is called during the processing of an 'update' REST API invocation, immediately before the updated resource is stored by the persistence layer.
Specified by:
    beforeUpdate in interface FHIRPersistenceInterceptor
Parameters:
    event - information about the 'update' event
Throws:
    FHIRPersistenceInterceptorException
beforePatch
public void beforePatch(FHIRPersistenceEvent event) throws FHIRPersistenceInterceptorException
Description copied from interface: FHIRPersistenceInterceptor
This method is called during the processing of a 'patch' REST API invocation, immediately before the updated resource is stored by the persistence layer.
Specified by:
    beforePatch in interface FHIRPersistenceInterceptor
Parameters:
    event - information about the 'patch' event
Throws:
    FHIRPersistenceInterceptorException
afterRead
public void afterRead(FHIRPersistenceEvent event) throws FHIRPersistenceInterceptorException
Description copied from interface: FHIRPersistenceInterceptor
This method is called during the processing of a 'read' REST API invocation, immediately after the resource has been read by the persistence layer.
Specified by:
    afterRead in interface FHIRPersistenceInterceptor
Parameters:
    event - information about the 'read' event
Throws:
    FHIRPersistenceInterceptorException
afterVread
public void afterVread(FHIRPersistenceEvent event) throws FHIRPersistenceInterceptorException
Description copied from interface: FHIRPersistenceInterceptor
This method is called during the processing of a 'vread' REST API invocation, immediately after the resource has been read by the persistence layer.
Specified by:
    afterVread in interface FHIRPersistenceInterceptor
Parameters:
    event - information about the 'vread' event
Throws:
    FHIRPersistenceInterceptorException
afterHistory
public void afterHistory(FHIRPersistenceEvent event) throws FHIRPersistenceInterceptorException
Description copied from interface: FHIRPersistenceInterceptor
This method is called during the processing of a 'history' REST API invocation, immediately after the resource's history has been read by the persistence layer.
Specified by:
    afterHistory in interface FHIRPersistenceInterceptor
Parameters:
    event - information about the 'history' event
Throws:
    FHIRPersistenceInterceptorException
afterSearch
public void afterSearch(FHIRPersistenceEvent event) throws FHIRPersistenceInterceptorException
Description copied from interface: FHIRPersistenceInterceptor
This method is called during the processing of a 'search' REST API invocation, immediately after the search has been performed by the persistence layer.
Specified by:
    afterSearch in interface FHIRPersistenceInterceptor
Parameters:
    event - information about the 'search' event
Throws:
    FHIRPersistenceInterceptorException