Use annotations for resource access control

3 files changed, 13 insertions, 6 deletions

diff --git a/src/org/traccar/api/SecurityRequestFilter.java b/src/org/traccar/api/SecurityRequestFilter.java
index 3563cbf77..782ca7de5 100644
--- a/src/org/traccar/api/SecurityRequestFilter.java
+++ b/src/org/traccar/api/SecurityRequestFilter.java
@@ -16,17 +16,18 @@
 package org.traccar.api;
 
 import org.traccar.Context;
-import org.traccar.api.resource.ServerResource;
 import org.traccar.api.resource.SessionResource;
 import org.traccar.model.User;
 
+import java.lang.reflect.Method;
 import java.nio.charset.Charset;
 import java.sql.SQLException;
+import javax.annotation.security.PermitAll;
 import javax.servlet.http.HttpServletRequest;
-import javax.ws.rs.Path;
 import javax.ws.rs.WebApplicationException;
 import javax.ws.rs.container.ContainerRequestContext;
 import javax.ws.rs.container.ContainerRequestFilter;
+import javax.ws.rs.container.ResourceInfo;
 import javax.ws.rs.core.Response;
 import javax.ws.rs.core.SecurityContext;
 import javax.xml.bind.DatatypeConverter;
@@ -49,12 +50,13 @@ public class SecurityRequestFilter implements ContainerRequestFilter {
     @javax.ws.rs.core.Context
     private HttpServletRequest req;
 
+    @javax.ws.rs.core.Context
+    private ResourceInfo resourceInfo;
+
     @Override
     public void filter(ContainerRequestContext requestContext) {
-        String path = requestContext.getUriInfo().getPath();
-        String serverPath = ServerResource.class.getAnnotation(Path.class).value();
-        String sessionPath = SessionResource.class.getAnnotation(Path.class).value();
-        if (serverPath.equals(path) || sessionPath.equals(path)) {
+        Method method = resourceInfo.getResourceMethod();
+        if (method.isAnnotationPresent(PermitAll.class)) {
             return;
         }
 
diff --git a/src/org/traccar/api/resource/ServerResource.java b/src/org/traccar/api/resource/ServerResource.java
index fc04ee248..ffe6745f4 100644
--- a/src/org/traccar/api/resource/ServerResource.java
+++ b/src/org/traccar/api/resource/ServerResource.java
@@ -20,6 +20,7 @@ import org.traccar.api.BaseResource;
 import org.traccar.model.Server;
 import org.traccar.model.User;
 
+import javax.annotation.security.PermitAll;
 import javax.servlet.http.HttpServletRequest;
 import javax.ws.rs.Consumes;
 import javax.ws.rs.FormParam;
@@ -37,6 +38,7 @@ import java.sql.SQLException;
 @Consumes(MediaType.APPLICATION_JSON)
 public class ServerResource extends BaseResource {
 
+    @PermitAll
     @GET
     public Server get() {
         try {
diff --git a/src/org/traccar/api/resource/SessionResource.java b/src/org/traccar/api/resource/SessionResource.java
index 347beb9a3..53e29802c 100644
--- a/src/org/traccar/api/resource/SessionResource.java
+++ b/src/org/traccar/api/resource/SessionResource.java
@@ -19,6 +19,7 @@ import org.traccar.Context;
 import org.traccar.api.BaseResource;
 import org.traccar.model.User;
 
+import javax.annotation.security.PermitAll;
 import javax.servlet.http.HttpServletRequest;
 import javax.ws.rs.Consumes;
 import javax.ws.rs.DELETE;
@@ -43,6 +44,7 @@ public class SessionResource extends BaseResource {
     @javax.ws.rs.core.Context
     private HttpServletRequest req;
 
+    @PermitAll
     @GET
     public User get() {
         try {
@@ -57,6 +59,7 @@ public class SessionResource extends BaseResource {
         }
     }
 
+    @PermitAll
     @POST
     public User add(@FormParam("email") String email, @FormParam("password") String password) {
         try {