authz/mcutout: implements a workaround for mcutout authZ: if async request...

   }

   public boolean isUserInGroup(String group)

   {

      for(String uGroup : userGroups)

			if(uGroup.equals(group)) return true;

      return false;

   }

   public String[] removeNotAuthorized(String[] pubdidArr)

   {

      LOGGER.finer("trace");

   List<String> pubdidList = new ArrayList<String>();

   String servletPath;

   String requestPath;

	// collect ID's in request to pubdidList

   public AuthZ(HttpServletRequest req) throws IOException, ServletException

   {

      LOGGER.fine("constructor");

      requestPath = req.getRequestURI();

      LOGGER.fine("Req.Path: " + requestPath);

      String[] pubdidArr = req.getParameterValues("ID");

      if(pubdidArr == null)

      {

         String pubdids = req.getParameter("pubdid");

         if(pubdids != null) pubdidArr = pubdids.split(";");

         LOGGER.fine("No ID found in request params");

      }

      if(pubdidArr != null)

      else

      {

         for(String pubdid : pubdidArr)

            if(pubdid.length() > 0) pubdidList.add(pubdid);

         LOGGER.finest("pubdids: " + String.join(" ", pubdidList));

         LOGGER.finest("Request IDs: " + String.join(" ", pubdidList));

      }

   }

   private String getValue(Part part) throws IOException

   {

      BufferedReader reader = new BufferedReader(new InputStreamReader(part.getInputStream(), "UTF-8"));

      StringBuilder value = new StringBuilder();

      char[] buffer = new char[1024];

      for (int length = 0; (length = reader.read(buffer)) > 0;)

      {

         value.append(buffer, 0, length);

      }

      return value.toString();

   }

   public boolean isAuthorized(HttpServletRequest req)

   {

      LOGGER.fine("isAuthorized");

      {

         throw new IllegalArgumentException("Authorization : UserPrincipal is not of expected type");

      }

      String[] pubdidArr = pubdidList.toArray(new String[pubdidList.size()]);

      String[] authorizedPubdids;

      authorizedPubdids = auth.removeNotAuthorized(pubdidArr);

		String[] authorizedPubdids = auth.removeNotAuthorized(pubdidArr);

		// none of above must result in null

      /* If multiplicity allowed (and in mcutout/merge):

       * if one or more of pubdids not-authorized -> all request not authorized

       * */

      /* NOTE for now soda/vlkb_cutout does not allow multiplicity --> only one pubdid allowed */

		LOGGER.finest("authorized vs original length: " + authorizedPubdids.length + " / " + pubdidArr.length);

      if((authorizedPubdids==null) || (pubdidArr==null))

      {

         LOGGER.warning("One of arrays null");

         return true;

      }

		if(requestPath.contains("async"))

			return auth.isUserInGroup("VLKB.AllPrivate");// FIXME workaround for mcutout request

		else

      {

         LOGGER.finest("authorized vs original length: "+authorizedPubdids.length + " / " + pubdidArr.length);

         return (authorizedPubdids.length == pubdidArr.length);

      }

			return (authorizedPubdids.length == pubdidArr.length); // SODA request

		/* NOTE: If multiplicity allowed like in mcutout/merge:

		 * if one or more of pubdids not-authorized -> all request not authorized

		 * SODA does not allow multiplicity, has only one ID */

	}

}

			if(authz.isAuthorized(req))

			{

				LOGGER.fine("Decision: Authorized, pass to servlet");

				chain.doFilter(request, response);

			}

			else

			{

				LOGGER.fine("Decision: Not Authorized, return FORBIDDEN");

				resp.setContentType("text/plain");

				// FIXME use VO errors vlkb-volib: implement Lib.doPermissionError()...

				resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Forbidden");