use of org.springframework.security.web.util.matcher.RequestMatcher in project motech by motech.
the class SecurityRuleBuilder method addFilterSecurityInterceptor.
/**
 * Appends a {@link FilterSecurityInterceptor} enforcing the access requirements of the
 * given rule to {@code filters}.
 *
 * <p>A rule that lists neither permissions nor users falls back to requiring
 * {@code IS_AUTHENTICATED_FULLY}. Otherwise one attribute is created per permission and
 * one per user name (prefixed with {@code USER_ACCESS_PREFIX}).
 *
 * <p>Security note: the voters are combined with {@link AffirmativeBased}, so a single
 * granting voter is enough. The listed permissions and users are therefore alternatives,
 * not cumulative requirements.
 *
 * @param filters filter list the interceptor is appended to
 * @param securityRule rule supplying the pattern, methods, permissions and users
 */
private void addFilterSecurityInterceptor(List<Filter> filters, MotechURLSecurityRule securityRule) {
    Collection<ConfigAttribute> attributes = new ArrayList<>();
    List<AccessDecisionVoter> decisionVoters = new ArrayList<>();

    boolean hasPermissions = !CollectionUtils.isEmpty(securityRule.getPermissionAccess());
    boolean hasUsers = !CollectionUtils.isEmpty(securityRule.getUserAccess());

    if (hasPermissions) {
        for (String permission : securityRule.getPermissionAccess()) {
            attributes.add(new SecurityConfig(permission));
        }
    }
    if (hasUsers) {
        for (String userAccess : securityRule.getUserAccess()) {
            attributes.add(new SecurityConfig(SecurityConfigConstants.USER_ACCESS_PREFIX + userAccess));
        }
    }
    if (!hasPermissions && !hasUsers) {
        // No explicit restriction on the rule: still demand a full (non-anonymous,
        // non-remember-me) authentication rather than leaving the pattern open.
        attributes.add(new SecurityConfig("IS_AUTHENTICATED_FULLY"));
        decisionVoters.add(new AuthenticatedVoter());
    }

    // Declared as LinkedHashMap because the metadata source relies on insertion order
    // when it walks the matchers; this also avoids a downcast at the constructor call.
    LinkedHashMap<RequestMatcher, Collection<ConfigAttribute>> matcherToAttributes = new LinkedHashMap<>();
    buildRequestMap(matcherToAttributes, attributes, securityRule);

    FilterSecurityInterceptor interceptor = new FilterSecurityInterceptor();
    interceptor.setSecurityMetadataSource(new DefaultFilterInvocationSecurityMetadataSource(matcherToAttributes));

    RoleVoter roleVoter = new RoleVoter();
    roleVoter.setRolePrefix(SecurityConfigConstants.ROLE_ACCESS_PREFIX);
    decisionVoters.add(roleVoter);
    // NOTE(review): MotechAccessVoter is not visible here; presumably it evaluates the
    // USER_ACCESS_PREFIX attributes added above. Confirm against its implementation.
    decisionVoters.add(new MotechAccessVoter());

    interceptor.setAccessDecisionManager(new AffirmativeBased(decisionVoters));
    interceptor.setAuthenticationManager(authenticationManager);
    filters.add(interceptor);
}
use of org.springframework.security.web.util.matcher.RequestMatcher in project motech by motech.
the class SecurityRuleBuilder method buildSecurityChain.
/**
 * Builds the {@link SecurityFilterChain} for one security rule and one HTTP method. The
 * chain can be matched against an HttpServletRequest to decide whether it applies to
 * that request.
 *
 * <p>A match-all pattern yields {@link AnyRequestMatcher} regardless of {@code method}.
 * Any other pattern is matched with an {@link AntPathRequestMatcher}, restricted to
 * {@code method} unless it is {@code ANY}.
 *
 * <p>Security note: if the filters cannot be created, the error is only logged and the
 * chain is returned with an empty filter list. That is the same shape a rule produces
 * when {@code noSecurity} is true, so a failure here leaves the pattern without the
 * protection its rule asked for.
 *
 * @param securityRule rule that supplies the pattern and security settings
 * @param method HTTP method the chain is limited to, or {@code ANY} for every method
 * @return new filter chain with security rule, matcher and filters
 */
public synchronized SecurityFilterChain buildSecurityChain(MotechURLSecurityRule securityRule, HTTPMethod method) {
    LOGGER.info("Building security chain for rule: {} and method: {}", securityRule.getPattern(), method);

    validateRule(securityRule);
    String pattern = securityRule.getPattern();

    boolean matchesEverything = pattern.equals(SecurityConfigConstants.ANY_PATTERN)
            || "/**".equals(pattern)
            || "**".equals(pattern);

    RequestMatcher matcher;
    if (matchesEverything) {
        matcher = AnyRequestMatcher.INSTANCE;
    } else {
        matcher = (ANY == method)
                ? new AntPathRequestMatcher(pattern)
                : new AntPathRequestMatcher(pattern, method.name());
    }

    List<Filter> filters = new ArrayList<>();
    if (!noSecurity(securityRule)) {
        try {
            filters = addFilters(securityRule);
        } catch (ServletException e) {
            // NOTE(review): fails open. The chain below is still created, with no
            // filters, for a rule that requested security. Consider rethrowing (or
            // installing a deny-all chain) so that a construction failure blocks the
            // pattern instead of exposing it; at minimum alert on this log line.
            LOGGER.error("Cannot create {} in {} security rule.", SecurityContextHolderAwareRequestFilter.class, securityRule.getPattern(), e);
        }
    }

    LOGGER.info("Built security chain for rule: {} and method: {}", securityRule.getPattern(), method);
    return new MotechSecurityFilterChain(securityRule, matcher, filters);
}
use of org.springframework.security.web.util.matcher.RequestMatcher in project motech by motech.
the class SecurityRuleBuilder method buildRequestMap.
/**
 * Fills {@code requestMap} with one matcher per required HTTP method of the rule, each
 * mapped to the same {@code configAtts} collection instance.
 *
 * <p>When the rule's methods include {@code ANY}, every iteration produces a
 * method-agnostic matcher: {@link AnyRequestMatcher} for a match-all pattern, otherwise
 * an {@link AntPathRequestMatcher} with a {@code null} method. Without {@code ANY}, each
 * listed method gets its own method-specific matcher.
 *
 * <p>NOTE(review): requests whose method is not listed get no entry here. How the
 * interceptor treats requests without attributes depends on its configuration; confirm
 * that unlisted methods are not treated as public.
 *
 * @param requestMap map to populate; callers rely on its iteration order
 * @param configAtts attributes required for every matcher of this rule
 * @param securityRule rule supplying the pattern and required methods
 */
private void buildRequestMap(Map<RequestMatcher, Collection<ConfigAttribute>> requestMap, Collection<ConfigAttribute> configAtts, MotechURLSecurityRule securityRule) {
    String pattern = securityRule.getPattern();
    for (HTTPMethod method : securityRule.getMethodsRequired()) {
        boolean anyMethod = securityRule.getMethodsRequired().contains(ANY);

        RequestMatcher matcher;
        if (!anyMethod) {
            // Restrict the attributes to exactly this HTTP method.
            matcher = new AntPathRequestMatcher(pattern, method.name());
        } else if (pattern.equals(SecurityConfigConstants.ANY_PATTERN) || "/**".equals(pattern)) {
            matcher = AnyRequestMatcher.INSTANCE;
        } else {
            // A null method makes the matcher apply to every HTTP method.
            matcher = new AntPathRequestMatcher(pattern, null);
        }
        requestMap.put(matcher, configAtts);
    }
}
use of org.springframework.security.web.util.matcher.RequestMatcher in project motech by motech.
the class SecurityRuleBuilder method addSecureChannel.
/**
 * Appends a {@link ChannelProcessingFilter} that applies the rule's protocol requirement
 * to every request.
 *
 * <p>{@code HTTPS} maps to {@code REQUIRES_SECURE_CHANNEL}. {@code HTTP} maps to
 * {@code ANY_CHANNEL}, which accepts both secure and insecure requests rather than
 * forcing plain HTTP. Any other protocol value adds no attribute at all.
 *
 * <p>NOTE(review): with an empty attribute collection, enforcement is left entirely to
 * the configured {@code channelDecisionManager}. Presumably that means no channel
 * restriction; confirm this is intended for protocol values other than HTTP and HTTPS.
 *
 * @param filters filter list the channel filter is appended to
 * @param protocol protocol required by the security rule
 */
private void addSecureChannel(List<Filter> filters, Protocol protocol) {
    Collection<ConfigAttribute> channelAttributes = new ArrayList<>();
    switch (protocol) {
        case HTTPS:
            channelAttributes.add(new SecurityConfig("REQUIRES_SECURE_CHANNEL"));
            break;
        case HTTP:
            channelAttributes.add(new SecurityConfig("ANY_CHANNEL"));
            break;
        default:
            // No channel attribute for other protocol values.
            break;
    }

    // The channel requirement is not path-specific: it is registered for every request.
    LinkedHashMap<RequestMatcher, Collection<ConfigAttribute>> channelRequirements = new LinkedHashMap<>();
    channelRequirements.put(AnyRequestMatcher.INSTANCE, channelAttributes);

    ChannelProcessingFilter channelFilter = new ChannelProcessingFilter();
    channelFilter.setChannelDecisionManager(channelDecisionManager);
    channelFilter.setSecurityMetadataSource(new DefaultFilterInvocationSecurityMetadataSource(channelRequirements));
    filters.add(channelFilter);
}
use of org.springframework.security.web.util.matcher.RequestMatcher in project ma-core-public by infiniteautomation.
the class MangoSecurityConfiguration method createBrowserHtmlRequestMatcher.
/**
 * Creates the static matcher that recognises requests coming from a browser that wants
 * an HTML page.
 *
 * <p>A request matches when it does not carry {@code X-Requested-With: XMLHttpRequest}
 * and its negotiated media types include {@code text/html} or
 * {@code application/xhtml+xml}. The wildcard media type is ignored during negotiation.
 *
 * <p>Security note: both inputs are request headers chosen by the client.
 * NOTE(review): the callers are not visible here; the result should only steer how a
 * response is presented, never whether access is granted.
 *
 * @return matcher for browser HTML requests that are not XMLHttpRequest calls
 */
private static RequestMatcher createBrowserHtmlRequestMatcher() {
    // Requests flagged as XMLHttpRequest are excluded.
    RequestMatcher notXRequestedWith = new NegatedRequestMatcher(
            new RequestHeaderRequestMatcher("X-Requested-With", "XMLHttpRequest"));

    MediaTypeRequestMatcher mediaMatcher = new MediaTypeRequestMatcher(
            contentNegotiationStrategy(), MediaType.APPLICATION_XHTML_XML, MediaType.TEXT_HTML);
    // Ignore the wildcard type so that "Accept: */*" alone does not count as HTML.
    mediaMatcher.setIgnoredMediaTypes(Collections.singleton(MediaType.ALL));

    return new AndRequestMatcher(notXRequestedWith, mediaMatcher);
}