use of io.vertigo.persona.security.UserSession in project vertigo by KleeGroup.
the class AuthorizationManagerImpl method getUserPermissionsOpt.
/**
 * Returns the authorizations attached to the current user session.
 * The {@link UserAuthorizations} object is lazily created on first access and cached
 * as a session attribute under {@code USER_SESSION_ACL_KEY}, so later calls within
 * the same session see the same (mutable) instance.
 *
 * NOTE(review): nothing in this method evicts the cached object once the user's
 * rights change — confirm how re-authorization / logout refreshes it.
 *
 * @return the current user's authorizations, or {@link Optional#empty()} when no user
 *         session is bound to the security manager (no session means nothing is granted)
 */
private Optional<UserAuthorizations> getUserPermissionsOpt() {
    // No bound session: no authorization at all.
    return securityManager.getCurrentUserSession().map(this::authorizationsOf);
}

/** Reads the cached authorizations of {@code session}, creating and storing an empty set when absent. */
private UserAuthorizations authorizationsOf(final UserSession session) {
    final UserAuthorizations cached = session.getAttribute(USER_SESSION_ACL_KEY);
    if (cached != null) {
        return cached;
    }
    final UserAuthorizations fresh = new UserAuthorizations();
    session.putAttribute(USER_SESSION_ACL_KEY, fresh);
    return fresh;
}
use of io.vertigo.persona.security.UserSession in project vertigo by KleeGroup.
the class SessionWebServiceHandlerPlugin method handle.
/**
 * {@inheritDoc}
 * <p>
 * Binds the caller's {@link UserSession} to the security manager for the duration of the
 * downstream handler chain and unbinds it afterwards, whatever the outcome.
 * <p>
 * When a {@link VSecurityException} escapes the chain and the HTTP session was created by
 * this very request, the session is invalidated and the failure is surfaced as a
 * {@link SessionException} ("Session has expired"); on a pre-existing session the
 * original security exception propagates unchanged.
 * <p>
 * NOTE(review): {@code request.session(true)} allocates a server-side session for every
 * request, authenticated or not, and nothing here rotates the session id once the user
 * authenticates — confirm the login path does, to rule out session fixation.
 *
 * @throws SessionException when a brand-new HTTP session is rejected by the secured handlers
 */
@Override
public Object handle(final Request request, final Response response, final WebServiceCallContext routeContext, final HandlerChain chain) throws SessionException {
    // Create the HTTP session if the request does not carry one yet.
    final Session httpSession = request.session(true);
    final UserSession userSession = obtainUserSession(httpSession);
    try {
        // Make the user session visible to the security manager while the chain runs.
        securityManager.startCurrentUserSession(userSession);
        return chain.handle(request, response, routeContext);
    } catch (final VSecurityException securityException) {
        if (!httpSession.isNew()) {
            throw securityException;
        }
        // A session created by this request and immediately misused is dropped, so a stream of
        // bad requests does not keep server-side sessions alive (light DoS protection).
        httpSession.invalidate();
        // To the client, a rejected freshly created session is reported as an expired one.
        throw (SessionException) new SessionException("Session has expired").initCause(securityException);
    } finally {
        // Always unbind, even when the chain or the binding itself failed.
        securityManager.stopCurrentUserSession();
    }
}
use of io.vertigo.persona.security.UserSession in project vertigo by KleeGroup.
the class SessionWebServiceHandlerPlugin method obtainUserSession.
// ==========================================================================
// ======================= USER SESSION MANAGEMENT ==========================
// ==========================================================================
/**
 * Returns the {@link UserSession} stored in the given HTTP session, creating one through
 * the security manager and storing it under {@code USER_SESSION} when none is present yet.
 * <p>
 * NOTE(review): the check-then-store is not atomic; two concurrent first requests on the
 * same HTTP session could each create a user session, the last writer winning — confirm
 * that this is acceptable for the session container in use.
 *
 * @param session the HTTP session to read from and, if needed, populate
 * @return the user session bound to that HTTP session
 */
private UserSession obtainUserSession(final Session session) {
    final UserSession existing = session.attribute(USER_SESSION);
    if (existing != null) {
        return existing;
    }
    // First request on this HTTP session: allocate a new user session and cache it.
    final UserSession created = securityManager.createUserSession();
    session.attribute(USER_SESSION, created);
    return created;
}
use of io.vertigo.persona.security.UserSession in project vertigo by KleeGroup.
the class AuthenticationManagerTest method testLoginFail.
/**
 * A login with unknown credentials must not yield an account, and the user session that
 * remains bound afterwards must not be flagged as authenticated.
 */
@Test
public void testLoginFail() {
    final AuthenticationToken badCredentials = new UsernamePasswordAuthenticationToken("badUserName", "badPassword");
    final Optional<Account> account = authenticationManager.login(badCredentials);
    Assert.assertFalse("Shouldn't found any account with a bad login", account.isPresent());
    // The failed attempt must leave the session in place but unauthenticated.
    final Optional<UserSession> currentSession = securityManager.getCurrentUserSession();
    Assert.assertTrue("No UserSession", currentSession.isPresent());
    final UserSession session = currentSession.get();
    Assert.assertFalse("Badly authenticated", session.isAuthenticated());
}
use of io.vertigo.persona.security.UserSession in project vertigo by KleeGroup.
the class VSecurityManagerTest method testSecuritySqlOnEntity.
/**
 * Checks that the READ authorization on {@code Record}, combined with the session's
 * security keys, is rendered to the expected SQL predicate with bound parameters
 * (read -> MONTANT<=${montantMax} or UTI_ID_OWNER=${utiId}).
 * The values are asserted separately from the SQL text: the predicate carries
 * placeholders ({@code #AMOUNT_0#}, {@code #UTI_ID_OWNER_1#}), not inlined literals.
 */
@Test
public void testSecuritySqlOnEntity() {
    // Sample records for the cases the predicate is meant to reject: too expensive,
    // owned by another user, or both. They are never passed to the assertions below.
    final Record tooExpensive = createRecord();
    tooExpensive.setAmount(10000d);
    final Record ownedByOther = createRecord();
    ownedByOther.setUtiIdOwner(2000L);
    final Record ownedByOtherAndTooExpensive = createRecord();
    ownedByOtherAndTooExpensive.setUtiIdOwner(2000L);
    ownedByOtherAndTooExpensive.setAmount(10000d);

    final Authorization readAuthorization = getAuthorization(RecordAuthorizations.ATZ_RECORD$READ);
    final UserSession session = securityManager.<TestUserSession>createUserSession();
    try {
        securityManager.startCurrentUserSession(session);
        // Grant READ together with the security keys the predicate is parameterized on.
        final UserAuthorizations authorizations = authorizationManager.obtainUserAuthorizations();
        authorizations.withSecurityKeys("utiId", DEFAULT_UTI_ID);
        authorizations.withSecurityKeys("typId", DEFAULT_TYPE_ID);
        authorizations.withSecurityKeys("montantMax", DEFAULT_MONTANT_MAX);
        authorizations.addAuthorization(readAuthorization);
        Assert.assertTrue(authorizationManager.hasAuthorization(RecordAuthorizations.ATZ_RECORD$READ));

        final SqlDialect dialect = new PostgreSqlDataBase().getSqlDialect();
        final Tuple2<String, CriteriaCtx> rendered = authorizationManager.getCriteriaSecurity(Record.class, RecordOperations.READ).toSql(dialect);
        // read -> MONTANT<=${montantMax} or UTI_ID_OWNER=${utiId}
        Assert.assertEquals("( AMOUNT <= #AMOUNT_0# OR UTI_ID_OWNER = #UTI_ID_OWNER_1# ) ", rendered.getVal1());
        final CriteriaCtx boundValues = rendered.getVal2();
        Assert.assertEquals(100.0, boundValues.getAttributeValue("AMOUNT_0"));
        Assert.assertEquals(1000L, boundValues.getAttributeValue("UTI_ID_OWNER_1"));
    } finally {
        securityManager.stopCurrentUserSession();
    }
}