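/**
 * Create a Source object based on information in the incoming request.
 * <p>
 * Requests whose Authorization header carries the {@code OAuth} scheme cannot be audited yet:
 * when client parameters are optional no Source is produced (auditing is skipped), otherwise
 * {@link NotImplementedException} is thrown. Every other request (no auth, basic auth, anything
 * else) is described from plain HTTP headers; those header values are supplied by the client and
 * are not validated here.
 *
 * @param theServletRequest
 *            the incoming request
 * @return a Source object with the identifier, type, and site specified, or {@code null} when an
 *         OAuth request needs no auditing because client params are optional
 * @throws NotImplementedException
 *             if the authorization type is OAuth and client params are not optional
 */
protected Source getSourceElement(HttpServletRequest theServletRequest) throws NotImplementedException {
	// Read the header once instead of once for the null check and again for the scheme test.
	String authorization = theServletRequest.getHeader(Constants.HEADER_AUTHORIZATION);
	if (isOAuthScheme(authorization)) {
		if (myClientParamsOptional) {
			return null; // no auditing required
		}
		// TODO: get application info from token
		throw new NotImplementedException("OAuth auditing not yet implemented.");
	}

	// no auth or basic auth or anything else, use HTTP headers for audit info.
	// The application-name header is client-supplied and may be absent; a null value is stored as-is.
	String appId = theServletRequest.getHeader(UserInfoInterceptor.HEADER_APPLICATION_NAME);
	Source source = new Source();
	source.setIdentifier(appId);
	source.setType(getAccessType(theServletRequest));
	source.setSite(getSiteId(theServletRequest));
	return source;
}

/**
 * Tells whether an Authorization header value starts with the OAuth scheme name.
 * <p>
 * RFC 7235 auth-scheme tokens are case-insensitive, so {@code oauth ...} and {@code OAUTH ...}
 * are classified the same way as {@code OAuth ...}; a case-sensitive prefix test would let such
 * requests fall through to the header-based audit path.
 *
 * @param theAuthorizationHeader
 *            the raw Authorization header value, possibly {@code null}
 * @return {@code true} if the value is non-null and begins with "OAuth" ignoring case
 */
private static boolean isOAuthScheme(String theAuthorizationHeader) {
	return theAuthorizationHeader != null
			&& theAuthorizationHeader.regionMatches(true, 0, "OAuth", 0, "OAuth".length());
}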
log.info("Auditing resource: " + theResponseObject + " from request: " + theRequestDetails); SecurityEvent auditEvent = new SecurityEvent(); auditEvent.setEvent(getEventInfo(theRequestDetails)); Participant participant = getParticipant(theServletRequest); if (participant == null) { log.debug("No participant to audit"); auditEvent.setParticipant(participants); byte[] query = getQueryFromRequestDetails(theRequestDetails); SecurityEventObjectLifecycleEnum lifecycle = mapResourceTypeToSecurityLifecycle(theRequestDetails.getRestOperationType()); ObjectElement auditableObject = getObjectElement((IResource) theResponseObject, lifecycle, query); if (auditableObject == null) { log.debug("No auditable resources to audit"); auditableObjects.add(auditableObject); auditEvent.setObject(auditableObjects); auditEvent.setSource(getSourceElement(theServletRequest)); log.debug("Auditing one resource."); store(auditEvent); return true; } catch (Exception e) {
/**
 * Generates the Event segment of the SecurityEvent based on the incoming request details.
 * <p>
 * The outcome is always {@link SecurityEventOutcomeEnum#SUCCESS}: only the successful return of
 * PHI is audited, because a failing request throws before any resource is returned to be audited.
 *
 * @param theRequestDetails
 *            the RequestDetails of the incoming request
 * @return an Event populated with the action, date, and outcome
 */
protected Event getEventInfo(RequestDetails theRequestDetails) {
	Date auditedAt = new Date();
	Event event = new Event();
	event.setOutcome(SecurityEventOutcomeEnum.SUCCESS);
	event.setDateTimeWithMillisPrecision(auditedAt);
	// the REST operation (read, search, ...) determines the audit action
	event.setAction(mapResourceTypeToSecurityEventAction(theRequestDetails.getRestOperationType()));
	return event;
}
List<ObjectDetail> details = new ArrayList<SecurityEvent.ObjectDetail>(); for (Entry<String, String> entry : detailMap.entrySet()) { ObjectDetail detail = makeObjectDetail(entry.getKey(), entry.getValue()); details.add(detail);
log.info("Auditing bundle: " + theResponseObject + " from request " + theRequestDetails); SecurityEvent auditEvent = new SecurityEvent(); auditEvent.setEvent(getEventInfo(theRequestDetails)); Participant participant = getParticipant(theServletRequest); if (participant == null) { log.debug("No participant to audit"); auditEvent.setParticipant(participants); SecurityEventObjectLifecycleEnum lifecycle = mapResourceTypeToSecurityLifecycle(theRequestDetails.getRestOperationType()); byte[] query = getQueryFromRequestDetails(theRequestDetails); List<ObjectElement> auditableObjects = new ArrayList<SecurityEvent.ObjectElement>(); for (BundleEntry entry : theResponseObject.getEntries()) { IResource resource = entry.getResource(); ObjectElement auditableObject = getObjectElement(resource, lifecycle, query); if (auditableObject != null) auditableObjects.add(auditableObject); auditEvent.setSource(getSourceElement(theServletRequest)); store(auditEvent); return true; // success } catch (Exception e) {