use of io.helidon.security.annotations.Audited in project helidon by oracle.
the class SecurityFilter method getMethodSecurity.
private SecurityDefinition getMethodSecurity(InvokedResource invokedResource, Method definitionMethod, ExtendedUriInfo uriInfo) {
// Check cache
// Jersey model 'definition method' is the method that contains JAX-RS/Jersey annotations. JAX-RS does not support
// merging annotations from a parent, so we don't have to look for annotations on corresponding methods of interfaces
// and abstract classes implemented by the definition method.
// Jersey model does not have a 'definition class', so we have to find it from a handler class
Class<?> obtainedClass = invokedResource.definitionClass().orElseThrow(() -> new SecurityException("Got definition method, cannot get definition class"));
Class<?> definitionClass = getRealClass(obtainedClass);
// Get the application for this request in case there's more than one
Application appInstance = serverRequest.context().get(Application.class).get();
// Create and cache security definition for application
Class<?> appRealClass = getRealClass(appInstance.getClass());
SecurityDefinition appClassSecurity = appClassSecurity(appRealClass);
if (definitionClass.getAnnotation(Path.class) == null) {
// this is a sub-resource
// I must locate the resource class and method that was invoked
PathVisitor visitor = new PathVisitor();
visitor.visit(uriInfo.getMatchedRuntimeResources());
Collections.reverse(visitor.list);
StringBuilder fullPathBuilder = new StringBuilder();
List<Method> methodsToProcess = new LinkedList<>();
for (Invocable m : visitor.list) {
// first the top most class (MpMainResource.sub())
// then the one under it (MpSubResource.sub())
// these methods are above our sub resource
Method parentDefMethod = m.getDefinitionMethod();
Class<?> parentClass = parentDefMethod.getDeclaringClass();
fullPathBuilder.append("/").append(parentClass.getName()).append(".").append(parentDefMethod.getName());
methodsToProcess.add(parentDefMethod);
}
fullPathBuilder.append("/").append(definitionClass.getName()).append(".").append(definitionMethod.getName());
methodsToProcess.add(definitionMethod);
String fullPath = fullPathBuilder.toString();
// now full path can be used as a cache
if (subResourceMethodSecurity(appRealClass).containsKey(fullPath)) {
return subResourceMethodSecurity(appRealClass).get(fullPath);
}
// now process each definition method and class
SecurityDefinition current = appClassSecurity;
for (Method method : methodsToProcess) {
Class<?> clazz = method.getDeclaringClass();
current = securityForClass(clazz, current);
Authenticated atn = method.getAnnotation(Authenticated.class);
Authorized atz = method.getAnnotation(Authorized.class);
Audited audited = method.getAnnotation(Audited.class);
SecurityDefinition methodDef = current.copyMe();
methodDef.add(atn);
methodDef.add(atz);
methodDef.add(audited);
SecurityLevel currentSecurityLevel = methodDef.getSecurityLevels().get(methodDef.getSecurityLevels().size() - 1);
Map<Class<? extends Annotation>, List<Annotation>> methodAnnotations = new HashMap<>();
addCustomAnnotations(methodAnnotations, method);
SecurityLevel newSecurityLevel = SecurityLevel.create(currentSecurityLevel).withMethodName(method.getName()).withMethodAnnotations(methodAnnotations).build();
methodDef.getSecurityLevels().set(methodDef.getSecurityLevels().size() - 1, newSecurityLevel);
for (AnnotationAnalyzer analyzer : analyzers) {
AnnotationAnalyzer.AnalyzerResponse analyzerResponse = analyzer.analyze(method, current.analyzerResponse(analyzer));
methodDef.analyzerResponse(analyzer, analyzerResponse);
}
current = methodDef;
}
subResourceMethodSecurity(appRealClass).put(fullPath, current);
return current;
}
if (resourceMethodSecurity(appRealClass).containsKey(definitionMethod)) {
return resourceMethodSecurity(appRealClass).get(definitionMethod);
}
SecurityDefinition resClassSecurity = resourceClassSecurity(appRealClass).computeIfAbsent(definitionClass, aClass -> securityForClass(definitionClass, appClassSecurity));
Authenticated atn = definitionMethod.getAnnotation(Authenticated.class);
Authorized atz = definitionMethod.getAnnotation(Authorized.class);
Audited audited = definitionMethod.getAnnotation(Audited.class);
SecurityDefinition methodDef = resClassSecurity.copyMe();
methodDef.add(atn);
methodDef.add(atz);
methodDef.add(audited);
int index = methodDef.getSecurityLevels().size() - 1;
SecurityLevel currentSecurityLevel = methodDef.getSecurityLevels().get(index);
Map<Class<? extends Annotation>, List<Annotation>> methodLevelAnnots = new HashMap<>();
addCustomAnnotations(methodLevelAnnots, definitionMethod);
methodDef.getSecurityLevels().set(index, SecurityLevel.create(currentSecurityLevel).withMethodName(definitionMethod.getName()).withMethodAnnotations(methodLevelAnnots).build());
resourceMethodSecurity(appRealClass).put(definitionMethod, methodDef);
for (AnnotationAnalyzer analyzer : analyzers) {
AnnotationAnalyzer.AnalyzerResponse analyzerResponse = analyzer.analyze(definitionMethod, resClassSecurity.analyzerResponse(analyzer));
methodDef.analyzerResponse(analyzer, analyzerResponse);
}
return methodDef;
}
use of io.helidon.security.annotations.Audited in project helidon by oracle.
the class SecurityFilter method securityForClass.
/**
* Creates security definition based on the annotations on a class and using a
* parent as a starting point. Obtains real class before processing to skip
* proxies.
*
* @param theClass class from which to create security definition
* @param parent base security definition or {@code null}
* @return security definition for the class
*/
private SecurityDefinition securityForClass(Class<?> theClass, SecurityDefinition parent) {
Class<?> realClass = getRealClass(theClass);
Authenticated atn = realClass.getAnnotation(Authenticated.class);
Authorized atz = realClass.getAnnotation(Authorized.class);
Audited audited = realClass.getAnnotation(Audited.class);
// as sometimes we may want to prevent calls to authorization provider unless
// explicitly invoked by developer
SecurityDefinition definition = ((null == parent) ? new SecurityDefinition(featureConfig().shouldAuthorizeAnnotatedOnly(), featureConfig().failOnFailureIfOptional()) : parent.copyMe());
definition.add(atn);
definition.add(atz);
definition.add(audited);
if (!featureConfig().shouldAuthenticateAnnotatedOnly()) {
definition.requiresAuthentication(true);
}
Map<Class<? extends Annotation>, List<Annotation>> customAnnotsMap = new HashMap<>();
addCustomAnnotations(customAnnotsMap, realClass);
SecurityLevel securityLevel = SecurityLevel.create(realClass.getName()).withClassAnnotations(customAnnotsMap).build();
definition.getSecurityLevels().add(securityLevel);
for (AnnotationAnalyzer analyzer : analyzers) {
AnnotationAnalyzer.AnalyzerResponse analyzerResponse;
if (null == parent) {
analyzerResponse = analyzer.analyze(realClass);
} else {
analyzerResponse = analyzer.analyze(realClass, parent.analyzerResponse(analyzer));
}
definition.analyzerResponse(analyzer, analyzerResponse);
}
return definition;
}
Aggregations