Internal db call bypassing Authorization interceptor in hapi fhir


Ajay shekar

Feb 22, 2021, 12:29:27 PM
to HAPI FHIR
Hello,

I am using Hapi-Fhir version 5.3.0-SNAPSHOT. 
If I have to create/edit/read a resource in the database during an extended operation or inside an interceptor, I use the DaoRegistry class.

E.g., for a search operation on the Patient resource, I make the call as below:
daoRegistry.getResourceDao(Patient.class).search(SearchParameterMap var1, RequestDetails var2);

But this goes through the Authorization interceptor and picks up the access context from the request details.

I wanted to know: is there any mechanism for an internal database call that doesn't go through Pointcuts, so that it will not hit the Authorization interceptor?

James Agnew

Feb 22, 2021, 4:26:04 PM
to Ajay shekar, HAPI FHIR
You could probably register your auth interceptor against the FHIR Server and not against the DAOs. There are actually 2 interceptor registries, the RestfulServer one and one that is created by Spring that gets autowired into the DAOs. Both of them get invoked so you can put the Auth Interceptor (or other interceptors) in either place, but internal API calls don't go through the server registry since there is no server for those calls.

Cheers,
James


Ajay shekar

Feb 23, 2021, 2:53:52 AM
to HAPI FHIR
Hi James,
I am registering the auth interceptor against the FHIR server.
How do I make an internal API call that bypasses the auth interceptor?

My problem is this:
I need some details from a resource before building rules in the auth interceptor. So I am trying to make one DB call in the auth interceptor before building rules.
But this sets up a loop, because at Pointcut.STORAGE_PRESHOW_RESOURCES it calls this.checkOutgoingResourceAndFailIfDeny(theRequestDetails, next, thePointcut);

which doesn't pass until the rules are built, but to build the rules I need some details from the DB.

To solve this I need an internal DB call which bypasses the auth interceptor/pointcuts.