use of org.springframework.security.access.ConfigAttribute in project spring-security by spring-projects.
the class InterceptorStatusTokenTests method testOperation.
@Test
public void testOperation() {
    // Fixture: one config attribute, a bare method invocation and an empty security context.
    List<ConfigAttribute> configAttributes = SecurityConfig.createList("FOO");
    MethodInvocation invocation = new SimpleMethodInvocation();
    SecurityContext emptyContext = SecurityContextHolder.createEmptyContext();

    // The boolean argument is the flag read back through isContextHolderRefreshRequired().
    InterceptorStatusToken statusToken =
            new InterceptorStatusToken(emptyContext, true, configAttributes, invocation);

    // Every accessor must return what the constructor was given. The security context is
    // compared by identity (isSameAs), so the token has to hold the very instance passed in.
    assertThat(statusToken.isContextHolderRefreshRequired()).isTrue();
    assertThat(statusToken.getAttributes()).isEqualTo(configAttributes);
    assertThat(statusToken.getSecureObject()).isEqualTo(invocation);
    assertThat(statusToken.getSecurityContext()).isSameAs(emptyContext);
}
use of org.springframework.security.access.ConfigAttribute in project spring-security by spring-projects.
the class DelegatingMethodSecurityMetadataSourceTests method returnsDelegateAttributes.
@Test
public void returnsDelegateAttributes() throws Exception {
    Method toStringMethod = String.class.getMethod("toString");
    ConfigAttribute attribute = mock(ConfigAttribute.class);
    List expectedAttributes = Arrays.asList(attribute);

    // A single delegate, stubbed to answer only for String.toString().
    MethodSecurityMetadataSource delegateSource = mock(MethodSecurityMetadataSource.class);
    when(delegateSource.getAttributes(toStringMethod, String.class)).thenReturn(expectedAttributes);

    List delegates = new ArrayList();
    delegates.add(delegateSource);
    mds = new DelegatingMethodSecurityMetadataSource(delegates);

    // The delegating source exposes the list it was built with (same instance) and
    // reports no attributes from getAllConfigAttributes().
    assertThat(mds.getMethodSecurityMetadataSources()).isSameAs(delegates);
    assertThat(mds.getAllConfigAttributes().isEmpty()).isTrue();

    // First lookup for toString() returns the delegate's own collection instance.
    MethodInvocation toStringInvocation = new SimpleMethodInvocation("", toStringMethod);
    assertThat(mds.getAttributes(toStringInvocation)).isSameAs(expectedAttributes);
    // Second lookup exercises the cached case and must return the same instance again.
    assertThat(mds.getAttributes(toStringInvocation)).isSameAs(expectedAttributes);

    // A method the delegate was not stubbed for yields no attributes.
    Method lengthMethod = String.class.getMethod("length");
    assertThat(mds.getAttributes(new SimpleMethodInvocation(null, lengthMethod))).isEmpty();
}
use of org.springframework.security.access.ConfigAttribute in project spring-security by spring-projects.
the class AbstractAccessDecisionManagerTests method testDelegatesSupportsRequests.
@Test
public void testDelegatesSupportsRequests() throws Exception {
    // Decision manager backed by two voters; the voter implementations are not shown here.
    List voters = new Vector();
    voters.add(new DenyVoter());
    voters.add(new DenyAgainVoter());
    MockDecisionManagerImpl decisionManager = new MockDecisionManagerImpl(voters);

    // An attribute the manager is expected to report as supported ...
    ConfigAttribute supportedAttribute = new SecurityConfig("DENY_AGAIN_FOR_SURE");
    assertThat(decisionManager.supports(supportedAttribute)).isTrue();

    // ... and one it is expected to report as unsupported.
    ConfigAttribute unsupportedAttribute = new SecurityConfig("WE_DONT_SUPPORT_THIS");
    assertThat(decisionManager.supports(unsupportedAttribute)).isFalse();
}
use of org.springframework.security.access.ConfigAttribute in project spring-security by spring-projects.
the class DefaultWebInvocationPrivilegeEvaluator method isAllowed.
/**
 * Determines whether the user represented by the supplied {@code Authentication}
 * object is allowed to invoke the supplied URI with the given HTTP method.
 * <p>
 * The decision is taken in this order:
 * <ol>
 * <li>If the security metadata source returns {@code null} attributes for the request,
 * the result is {@code true} unless the interceptor is configured to reject public
 * invocations. This is decided before {@code authentication} is examined, so it also
 * applies when {@code authentication} is {@code null}.</li>
 * <li>If attributes exist and {@code authentication} is {@code null}, the result is
 * {@code false}.</li>
 * <li>Otherwise the interceptor's access decision manager is consulted; an
 * {@code AccessDeniedException} is reported as {@code false}.</li>
 * </ol>
 * <p>
 * Note the default implementation of {@code FilterInvocationSecurityMetadataSource}
 * disregards the {@code contextPath} when evaluating which secure object metadata
 * applies to a given request URI, so generally the {@code contextPath} is unimportant
 * unless you are using a custom {@code FilterInvocationSecurityMetadataSource}.
 *
 * @param contextPath the context path (may be null, in which case a default value
 * will be used).
 * @param uri the URI excluding the context path (must not be null)
 * @param method the HTTP method (or null, for any method)
 * @param authentication the {@code Authentication} instance whose authorities should
 * be used in evaluating whether access should be granted.
 * @return true if access is allowed, false if denied
 * @throws IllegalArgumentException if {@code uri} is null (raised by {@code Assert.notNull})
 */
public boolean isAllowed(String contextPath, String uri, String method, Authentication authentication) {
    Assert.notNull(uri, "uri parameter is required");

    FilterInvocation invocation = new FilterInvocation(contextPath, uri, method);
    Collection<ConfigAttribute> configAttributes =
            securityInterceptor.obtainSecurityMetadataSource().getAttributes(invocation);

    // No metadata for this request: it counts as a public invocation, so the answer depends
    // only on the interceptor's rejectPublicInvocations setting, not on who is asking.
    // NOTE(review): only null is treated as "public" here; an empty collection falls through
    // to the decision manager. Confirm the metadata source returns null for unmapped requests.
    if (configAttributes == null) {
        return !securityInterceptor.isRejectPublicInvocations();
    }

    // The request is secured but there is no principal to evaluate, so deny.
    if (authentication == null) {
        return false;
    }

    try {
        // decide() signals denial by throwing; returning normally means access is granted.
        securityInterceptor.getAccessDecisionManager().decide(authentication, invocation, configAttributes);
        return true;
    } catch (AccessDeniedException unauthorized) {
        // Only AccessDeniedException is mapped to "denied"; any other exception thrown by
        // decide() propagates to the caller.
        if (logger.isDebugEnabled()) {
            // NOTE(review): this writes Authentication.toString() to the debug log; confirm the
            // Authentication implementations in use do not include credentials in toString().
            logger.debug(invocation + " denied for " + authentication, unauthorized);
        }
        return false;
    }
}
use of org.springframework.security.access.ConfigAttribute in project spring-security-oauth by spring-projects.
the class OAuthConsumerProcessingFilter method getAccessTokenDependencies.
/**
 * Collects the access token dependencies for the given request: the set of
 * {@link ProtectedResourceDetails#getId() resource ids} for which an OAuth access token
 * is required.
 * <p>
 * The ids are the string form ({@code getAttribute()}) of every config attribute that the
 * object definition source returns for the request. When no object definition source is
 * configured, or it returns {@code null} for the request, the result is empty.
 *
 * @param request The request.
 * @param response The response
 * @param filterChain The filter chain
 * @return The access token dependencies (could be empty), in sorted order.
 */
protected Set<String> getAccessTokenDependencies(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) {
    Set<String> resourceIds = new TreeSet<String>();

    // Without a configured definition source no request has token dependencies.
    if (getObjectDefinitionSource() == null) {
        return resourceIds;
    }

    FilterInvocation invocation = new FilterInvocation(request, response, filterChain);
    Collection<ConfigAttribute> attributes = getObjectDefinitionSource().getAttributes(invocation);
    if (attributes == null) {
        // The source has nothing mapped for this request.
        return resourceIds;
    }

    for (ConfigAttribute attribute : attributes) {
        // NOTE(review): TreeSet rejects null elements, so a ConfigAttribute whose
        // getAttribute() returns null would raise NullPointerException here. Confirm the
        // definition source only supplies attributes with a string form.
        resourceIds.add(attribute.getAttribute());
    }
    return resourceIds;
}