Servlet Security Context for webhook

wwnjj13 · July 8, 2021, 5:28pm

I am working to implement some webhooks. I understand how to use Servlets to handle the requests. I got it working using the following code (I got it from another thread on the forum, I don’t remember who to credit though):

String trustedClientPassword = AppBeans.get(Configuration.class).getConfig(WebAuthConfig.class).getTrustedClientPassword();
UserSession systemSession = AppBeans.get(TrustedClientService.class).getSystemSession(trustedClientPassword);
SecurityContext securityContext = new SecurityContext(systemSession);
SecurityContext previousSecurityContext = AppContext.getSecurityContext();
AppContext.setSecurityContext(securityContext);

However, I would like someway to have finer security controls. For example, if I have events coming in from Stripe vs events coming in from Mailgun, I’d like to apply different permissions depending if it comes from one or the other, really just to add that extra layer of security. I am unclear how to implement this. Any help would be appreciated.

albudarov · July 9, 2021, 6:21pm

Hi,
To login as some particular user on the web client layer, you need to do the following:

    @Inject
    private TrustedClientService trustedClientService;
    @Inject
    private AuthenticationService authenticationService;
    @Inject
    private WebAuthConfig webAuthConfig;

TrustedClientCredentials creds = new TrustedClientCredentials("web-service-user", webAuthConfig.getTrustedClientPassword(), Locale.ENGLISH);
userSession = authenticationService.login(creds).getSession();
AppContext.setSecurityContext(new SecurityContext(userSession));

userSession can be saved between requests.

It will contain permissions given to the “web-service-user” user.