. . .

Authentication checks in Native Modules

The delivered libraries contain several helper methods which make it possible to do additional authentication and authorization in custom code. The following methods are available in the AOM object (accessible through the model or <modulename>.AOM):

/**
* Checks the credentials given in the request. This method will return false if the request was not from a customer
* or organization or the credentials did not match
*
* @param r the request to check
* @return true, if the credentials in request are correct and the requestor was an organization or customer
*/
public boolean checkAccountRequestCredentials( final Request r );
 
/**
* Checks the credentials given in the request. This method will return false if the request was not from a user or
* the credentials did not match
*
* @param r the request to check
* @return true, if the credentials in request are correct and the requestor was a user
*/
public boolean checkUserRequestCredentials( final Request r );
 
/**
* Checks the credentials given in the request. This method will return the authenticated user or null if
* the credentials did not match
*
* @param r the request to check
* @return authenticated user or null if the credentials did not match
*/
public IModel<?> checkUserRequestCredentialsAndReturn( final Request r );
 
/**
* Checks the apiKey given in the request. This method will return true if the apikey is equal.
*
* @param r the request to check
* @return true, if the apikey in request is equal to the apikey for the current system
*/
public boolean checkRequestApikey( final Request r );
 
/**
* Returns the roles of the requesting customer for the requested app and system.
* If the requester is not a customer or no app is given, it will return an empty array.
* It will also return an empty array, if the request credentials are invalid.
*
* @param r the request
* @return the roles of the requesting customer for the requested app and system.
*/
public Set<CustomerRole> getRequesterAppRoles( final Request r );
 
 
/**
* Check if the requesting user is member of a custom ACL role that has CREATE/READ/WRITE rights for the class. The
* right-type is determined by the HTTP request method (CREATE, READ, UPDATE, DELETE).<br/>
* The username gets taken from the Basic auth header in the request.<br/>
* <br/>
* Use {@link #checkRoles(IModel, Request)} when accessing an object that might have additional object-specific
* roles.<br/>
* Use {@link #checkRoles(String, String, String, Operation, com.apiomat.nativemodule.Request)} for a method you can
* use when not using Basic auth and when you want to check the roles for another right-type.
*
* @param moduleName name of the module that defines the class
* @param modelName name of the class (model) to check access for
* @param request the request whose Basic auth header identifies the user
* @return TRUE if the requesting user has access, FALSE otherwise
*/
public boolean checkRoles( final String moduleName, final String modelName,
    final com.apiomat.nativemodule.Request request );
 
/**
* Check if the requesting user is member of a custom ACL role that has CREATE/READ/WRITE rights for the class. The
* right-type is determined by the given operation parameter.<br/>
* Instead of the username from the request, the given member ID is searched in the roles' member list.<br/>
* <br/>
* Use {@link #checkRoles(IModel, String, Operation, Request)} when accessing an object that might have additional
* object-specific roles.
*
* @param moduleName name of the module that defines the class
* @param modelName name of the class (model) to check access for
* @param memberId The custom member ID to check for in the roles' member list
* @param op Operation type to check the role for
* @param request the request (its HTTP method is not used; op decides the right-type)
* @return TRUE if the requesting user has access, FALSE otherwise
*/
public boolean checkRoles( final String moduleName, final String modelName, final String memberId,
    final Operation op, final com.apiomat.nativemodule.Request request );
 
/**
* Check if the requesting user is member of a custom ACL role that has CREATE/READ/WRITE rights for the
* class/object. The right-type is determined by the HTTP request method (CREATE, READ, UPDATE, DELETE).<br/>
* The username gets taken from the Basic auth header in the request.<br/>
* <br/>
* Use {@link #checkRoles(com.apiomat.nativemodule.IModel, String, Operation, com.apiomat.nativemodule.Request)} for
* a method you can use when not using Basic auth and when you want to check the roles for another right-type.
*
* @param obj the object (model instance) to check access for, including its object-specific roles
* @param request the request whose Basic auth header identifies the user
* @return TRUE if the requesting user has access, FALSE otherwise
*/
public boolean checkRoles( final com.apiomat.nativemodule.IModel<?> obj,
    final com.apiomat.nativemodule.Request request );
 
/**
* Check if the requesting user is member of a custom ACL role that has CREATE/READ/WRITE rights for the
* class/object. The right-type is determined by the given operation parameter.<br/>
* Instead of the username from the request, the given member ID is searched in the roles' member list.
*
* @param obj the object (model instance) to check access for, including its object-specific roles
* @param memberId The custom member ID to check for in the roles' member list.
* @param op Operation type to check the role for
* @param request the request (its HTTP method is not used; op decides the right-type)
* @return TRUE if the requesting user has access, FALSE otherwise
*/
public boolean checkRoles( final com.apiomat.nativemodule.IModel<?> obj, final String memberId, final Operation op,
    final com.apiomat.nativemodule.Request request );

The model itself has another method which checks access to that model for the current request user. If access is denied, an exception will be thrown.

model.verifyRequest( httpVerb, request )

Furthermore, the request object contains information about the username, password, token or API key. Most of these values can be fetched using the self-explanatory getter methods. To check whether a requester is an organization or a customer, the following method can be used:

boolean request.getIsAccountRequest()

If the request was sent from an organization or a customer, the attribute accountName contains the respective value:

String request.getAccountName()
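The following is an added example, not code from the ApiOmat documentation, that combines the AOM helpers and the request getters described above into one deny-by-default guard a Native Module can call before touching an object. It assumes the class name InvoiceAccessGuard and the module name MyModule (standing in for <modulename>) are hypothetical; only the AOM and Request methods listed on this page are taken as given.

```java
import com.apiomat.nativemodule.IModel;
import com.apiomat.nativemodule.Request;

/**
 * Added example: layered authentication/authorization for a Native Module.
 * Every check must pass; any failure denies access (deny by default).
 */
public class InvoiceAccessGuard
{
    // Assumed: MyModule.AOM is the <modulename>.AOM object described above
    private final MyModule.AOM aom;

    public InvoiceAccessGuard( final MyModule.AOM aom )
    {
        this.aom = aom;
    }

    /**
     * @param invoice the object the request wants to access (hypothetical model)
     * @param request the incoming request
     * @return TRUE only if the API key, the credentials and the ACL roles all check out
     */
    public boolean isAuthorized( final IModel<?> invoice, final Request request )
    {
        // 1. The API key must belong to this system, otherwise the request is not
        //    from one of our apps and no further information should be trusted.
        if ( !this.aom.checkRequestApikey( request ) )
        {
            return false;
        }

        // 2. Organization/customer requests carry no app user: credentials must
        //    match and the customer needs at least one role in the requested app
        //    (getRequesterAppRoles is also empty when the credentials are invalid).
        if ( request.getIsAccountRequest() )
        {
            return this.aom.checkAccountRequestCredentials( request )
                && !this.aom.getRequesterAppRoles( request ).isEmpty();
        }

        // 3. App user request: Basic auth credentials must match AND a custom ACL
        //    role must grant the right implied by the HTTP method (CREATE/READ/
        //    UPDATE/DELETE) on this specific object, object-specific roles included.
        return this.aom.checkUserRequestCredentials( request )
            && this.aom.checkRoles( invoice, request );
    }

    /** Identity to record in an audit log: the account name for org/customer requests. */
    public String requesterLabel( final Request request )
    {
        return request.getIsAccountRequest() ? "account:" + request.getAccountName() : "user";
    }
}
```

Calling `isAuthorized` before the hook's own logic gives the same deny-on-failure behaviour as `model.verifyRequest( httpVerb, request )`, but with a boolean result instead of an exception, so the module can log `requesterLabel( request )` on every denial.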