
Authentication checks in Native Modules

The delivered libraries contain several helper methods for performing additional authentication and authorization checks in custom code. The following methods are available on the AOM object (accessible through the model or via <modulename>.AOM):

/**
* Checks the credentials given in the request. This method returns false if the request was not sent by a customer
* or organization, or if the credentials did not match.
*
* @param r the request to check
* @return true, if the credentials in request are correct and the requestor was an organization or customer
*/
public boolean checkAccountRequestCredentials( final Request r );
 
/**
* Checks the credentials given in the request. This method will return false if the request was not from a user or
* the credentials did not match
*
* @param r the request to check
* @return true, if the credentials in request are correct and the requestor was a user
*/
public boolean checkUserRequestCredentials( final Request r );
 
/**
* Checks the credentials given in the request. This method will return the authenticated user or null if
* the credentials did not match
*
* @param r the request to check
* @return authenticated user or null if the credentials did not match
*/
public IModel<?> checkUserRequestCredentialsAndReturn( final Request r );
 
/**
* Checks the API key given in the request. This method returns true only if the API key in the request equals the API key of the current system.
*
* @param r the request to check
* @return true, if the apikey in request is equal to the apikey for the current system
*/
public boolean checkRequestApikey( final Request r );
 
/**
* Returns the roles of the requesting customer for the requested app and system.
* If the requester is not a customer or no app is given, it will return an empty array.
* It will also return an empty array, if the request credentials are invalid.
*
* @param r the request
* @return the roles of the requesting customer for the requested app and system.
*/
public Set<CustomerRole> getRequesterAppRoles( final Request r );
 
/**
* Checks whether the requesting user is a member of a custom ACL role that has CREATE/READ/WRITE rights for the class. The
* right-type is derived from the HTTP request method (CREATE, READ, UPDATE, DELETE).<br/>
* <b>The username gets taken from the Basic authentication header in the request.</b><br/>
* <br/>
* <b>Alternative methods:</b><br/>
* Use {@link #checkRoles(IModel, Request)} when accessing an object that might have additional object-specific
* roles.<br/>
* Use {@link #checkRoles(String, String, String, Operation, com.apiomat.nativemodule.Request)} for a method you can
* use when not using Basic authentication and when you want to check the roles for another right-type.<br/>
* <br/>
* <b>Caution:</b> Don't use this method within a dynamic role check
* ({@link IModelHooksCommon#isUserInRoles(DynamicRoleWrapper, Request)}), which would end up in an endless
* loop!<br/>
* If you need to check the roles of a user within
* {@link IModelHooksCommon#isUserInRoles(DynamicRoleWrapper, Request)} you can add Basics$Role to the MetaModel's
* roleClassesMap instead.<br/>
*
* @param moduleName name of the module the class belongs to
* @param modelName name of the model class to check the rights for
* @param request the request to check; the username is taken from its Basic authentication header
* @return TRUE if the requesting user has access, FALSE otherwise
*/
public boolean checkRoles( final String moduleName, final String modelName,
final com.apiomat.nativemodule.Request request );
 
/**
* Checks whether the requesting user is a member of a custom ACL role that has CREATE/READ/WRITE rights for the class. The
* right-type is determined by the given operation parameter.<br/>
* <b>Instead of the username from the request, the given member ID is searched in the roles' member list.</b><br/>
* <br/>
* <b>Alternative methods:</b><br/>
* Use {@link #checkRoles(IModel, String, Operation, Request)} when accessing an object that might have additional
* object-specific roles.<br/>
* <br/>
* <b>Caution:</b> Don't use this method within a dynamic role check
* ({@link IModelHooksCommon#isUserInRoles(DynamicRoleWrapper, Request)}), which would end up in an endless
* loop!<br/>
* If you need to check the roles of a user within
* {@link IModelHooksCommon#isUserInRoles(DynamicRoleWrapper, Request)} you can add Basics$Role to the MetaModel's
* roleClassesMap instead.<br/>
*
* @param moduleName name of the module the class belongs to
* @param modelName name of the model class to check the rights for
* @param memberId The custom member ID to check for in the roles' member list
* @param op Operation type to check the role for
* @param request the request to check
* @return TRUE if the requesting user has access, FALSE otherwise
*/
public boolean checkRoles( final String moduleName, final String modelName, final String memberId,
final Operation op, final com.apiomat.nativemodule.Request request );
 
/**
* Checks whether the requesting user is a member of a custom ACL role that has CREATE/READ/WRITE rights for the
* class/object. The right-type is determined by the HTTP request method (CREATE, READ, UPDATE, DELETE).<br/>
* <b>The username gets taken from the Basic authentication header in the request.</b><br/>
* <br/>
* <b>Alternative methods:</b><br/>
* Use {@link #checkRoles(com.apiomat.nativemodule.IModel, String, Operation, com.apiomat.nativemodule.Request)} for
* a method you can use when not using Basic authentication and when you want to check the roles for another
* right-type.<br/>
* <br/>
* <b>Caution:</b> Don't use this method within a dynamic role check
* ({@link IModelHooksCommon#isUserInRoles(DynamicRoleWrapper, Request)}), which would end up in an endless
* loop!<br/>
* If you need to check the roles of a user within
* {@link IModelHooksCommon#isUserInRoles(DynamicRoleWrapper, Request)} you can add Basics$Role to the MetaModel's
* roleClassesMap instead.<br/>
*
* @param obj the object to check access for (its object-specific roles are taken into account)
* @param request the request to check; the username is taken from its Basic authentication header
* @return TRUE if the requesting user has access, FALSE otherwise
*/
public boolean checkRoles( final com.apiomat.nativemodule.IModel<?> obj,
final com.apiomat.nativemodule.Request request );
 
/**
* Checks whether the requesting user is a member of a custom ACL role that has CREATE/READ/WRITE rights for the
* class/object. The right-type is determined by the given operation parameter.<br/>
* <b>Instead of the username from the request, the given member ID is searched in the roles' member list.</b><br/>
* <br/>
* <b>Caution:</b> Don't use this method within a dynamic role check
* ({@link IModelHooksCommon#isUserInRoles(DynamicRoleWrapper, Request)}), which would end up in an endless
* loop!<br/>
* If you need to check the roles of a user within
* {@link IModelHooksCommon#isUserInRoles(DynamicRoleWrapper, Request)} you can add Basics$Role to the MetaModel's
* roleClassesMap instead.<br/>
*
* @param obj the object to check access for (its object-specific roles are taken into account)
* @param memberId The custom member ID to check for in the roles' member list.
* @param op Operation type to check the role for
* @param request the request to check
* @return TRUE if the requesting user has access, FALSE otherwise
*/
public boolean checkRoles( final com.apiomat.nativemodule.IModel<?> obj, final String memberId, final Operation op,
final com.apiomat.nativemodule.Request request );

The model itself has another method which checks access to that model for the user of the current request. If access is denied, an exception is thrown, so the calling code does not need to evaluate a return value:

model.verifyRequest( httpVerb, request )

Furthermore, the request object contains information about the username, password, token and API key. Most of these values can be fetched using self-explanatory getter methods. To check whether the requester is an organization or a customer (as opposed to an app user), the following method can be used:

boolean request.getIsAccountRequest()

If the request was sent from an organization or a customer, the attribute accountName contains the respective value:

String request.getAccountName()
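The following class is an added example, not code from ApiOmat or the page, that combines the AOM helper methods listed above with the request getters just described in one access guard for a hypothetical model "Task" in a hypothetical module "DemoModule" (so DemoModule.AOM stands for <modulename>.AOM). The package of the Operation type and the existence of an Operation.CREATE constant are assumptions; everything else uses only the signatures shown on this page.

```java
package com.apiomat.nativemodule.demomodule; // hypothetical package; use your own module's

import java.util.Set;

import com.apiomat.nativemodule.IModel;
import com.apiomat.nativemodule.Operation; // package assumed; the page names only the simple type
import com.apiomat.nativemodule.Request;

/**
 * Access guard for a hypothetical model "Task" in a hypothetical module "DemoModule".
 * Meant to be called from the module's generated hook methods; not part of ApiOmat itself.
 */
public final class TaskAccessGuard
{
    private static final String MODULE_NAME = "DemoModule";
    private static final String MODEL_NAME = "Task";

    /** Outcome of a check, so the caller can log the precise reason for a denial. */
    public enum Decision
    {
        WRONG_APIKEY, NOT_AUTHENTICATED, NO_ROLE, ALLOWED
    }

    private TaskAccessGuard()
    {
    }

    /**
     * App-user path: may the requesting user create a Task?
     * Checks run from the most general to the most specific: system API key, then the
     * user's credentials, then ACL role membership. This order also avoids a role
     * lookup on behalf of a request that never authenticated.
     *
     * @param r the incoming request
     * @param memberId the ID under which the user is listed in the roles' member lists
     */
    public static Decision checkCreate( final Request r, final String memberId )
    {
        // A matching API key only proves the caller knows the system's key; it says
        // nothing about who the user is, so it never replaces the credential check.
        if ( !DemoModule.AOM.checkRequestApikey( r ) )
        {
            return Decision.WRONG_APIKEY;
        }
        final IModel<?> user = DemoModule.AOM.checkUserRequestCredentialsAndReturn( r );
        if ( user == null )
        {
            return Decision.NOT_AUTHENTICATED;
        }
        // Explicit right-type instead of deriving it from the HTTP verb, so the guard
        // gives the same answer no matter which hook calls it. Operation.CREATE is
        // assumed to be the enum constant for the CREATE right-type.
        final boolean inRole = DemoModule.AOM.checkRoles( MODULE_NAME, MODEL_NAME, memberId,
            Operation.CREATE, r );
        return inRole ? Decision.ALLOWED : Decision.NO_ROLE;
    }

    /**
     * Object-level variant for an existing Task: the object may carry object-specific
     * roles, so the IModel overload is used instead of the class-level one. The
     * right-type is taken from the HTTP method of the request.
     */
    public static boolean mayAccess( final IModel<?> task, final Request r )
    {
        return DemoModule.AOM.checkRoles( task, r );
    }

    /**
     * Customer/organization path (dashboard or backend tooling rather than an app user):
     * the request must be an account request with valid credentials AND the customer
     * must hold at least one role for the requested app. getRequesterAppRoles already
     * returns an empty set for bad credentials; the explicit credential check only
     * keeps the two failure reasons apart.
     */
    public static boolean isCustomerWithAppRole( final Request r )
    {
        if ( !r.getIsAccountRequest() || !DemoModule.AOM.checkAccountRequestCredentials( r ) )
        {
            return false;
        }
        final Set<?> roles = DemoModule.AOM.getRequesterAppRoles( r );
        return !roles.isEmpty();
    }

    /**
     * Audit label for the requester: the account name for customer/organization requests,
     * a neutral marker otherwise. Passwords, tokens and API keys are never written to logs.
     */
    public static String requesterForAudit( final Request r )
    {
        return r.getIsAccountRequest() ? "account:" + r.getAccountName() : "user-or-anonymous";
    }
}
```

When the fail-closed behaviour of an exception is acceptable, model.verifyRequest( httpVerb, request ) from the section above is the shorter alternative to checkCreate; the guard is useful when the hook needs to know why a request was denied, or when the right-type must not depend on the HTTP verb.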