
Example 16 with UserSession

use of io.vertigo.persona.security.UserSession in project vertigo by KleeGroup.

the class VSecurityManagerTest method testAuthorized.

/**
 * Global authorizations that were added to the current user's authorizations are
 * reported by {@code hasAuthorization}; one that was never added (ATZ_ADMAPP) is not.
 */
@Test
public void testAuthorized() {
    final Authorization userAdminAtz = getAuthorization(GlobalAuthorizations.ATZ_ADMUSR);
    final Authorization profileAdminAtz = getAuthorization(GlobalAuthorizations.ATZ_ADMPRO);
    final UserSession session = securityManager.<TestUserSession>createUserSession();
    try {
        // bind the session to the current thread; obtainUserAuthorizations() presumably resolves against it
        securityManager.startCurrentUserSession(session);
        authorizationManager.obtainUserAuthorizations()
                .withSecurityKeys("utiId", DEFAULT_UTI_ID)
                .withSecurityKeys("typId", DEFAULT_TYPE_ID)
                .withSecurityKeys("montantMax", DEFAULT_MONTANT_MAX)
                .addAuthorization(userAdminAtz)
                .addAuthorization(profileAdminAtz);
        // the two granted authorizations are visible ...
        Assert.assertTrue(authorizationManager.hasAuthorization(GlobalAuthorizations.ATZ_ADMUSR));
        Assert.assertTrue(authorizationManager.hasAuthorization(GlobalAuthorizations.ATZ_ADMPRO));
        // ... the one that was never granted is not
        Assert.assertFalse(authorizationManager.hasAuthorization(GlobalAuthorizations.ATZ_ADMAPP));
    } finally {
        // always unbind, otherwise the session would leak into the next test run on this thread
        securityManager.stopCurrentUserSession();
    }
}

Example 17 with UserSession

use of io.vertigo.persona.security.UserSession in project vertigo by KleeGroup.

the class VSecurityManagerTest method testAuthorizedOnEntityEnumAxes.

/**
 * Entity-level checks with the record WRITE authorization granted.
 * READ is refused only when the record belongs to another user AND exceeds the amount
 * limit; WRITE is additionally refused once the record is archived (ETA_CD "ARC").
 */
@Test
public void testAuthorizedOnEntityEnumAxes() {
    // createRecord() is assumed to yield a record owned by DEFAULT_UTI_ID, within the
    // amount limit and not archived — the assertions below rely on that; verify against createRecord()
    final Record ownRecord = createRecord();
    // same owner, amount above the limit
    final Record ownExpensiveRecord = createRecord();
    ownExpensiveRecord.setAmount(10000d);
    // another owner, amount within the limit
    final Record foreignRecord = createRecord();
    foreignRecord.setUtiIdOwner(2000L);
    // another owner AND amount above the limit: matches no axis of either rule
    final Record foreignExpensiveRecord = createRecord();
    foreignExpensiveRecord.setUtiIdOwner(2000L);
    foreignExpensiveRecord.setAmount(10000d);
    // own record that has been archived
    final Record archivedRecord = createRecord();
    archivedRecord.setEtaCd("ARC");
    final Authorization writeAtz = getAuthorization(RecordAuthorizations.ATZ_RECORD$WRITE);
    final UserSession session = securityManager.<TestUserSession>createUserSession();
    try {
        securityManager.startCurrentUserSession(session);
        authorizationManager.obtainUserAuthorizations()
                .withSecurityKeys("utiId", DEFAULT_UTI_ID)
                .withSecurityKeys("typId", DEFAULT_TYPE_ID)
                .withSecurityKeys("montantMax", DEFAULT_MONTANT_MAX)
                .addAuthorization(writeAtz);
        // this checks the WRITE authorization (the original local was misleadingly named canReadRecord)
        final boolean hasWriteAtz = authorizationManager.hasAuthorization(RecordAuthorizations.ATZ_RECORD$WRITE);
        Assert.assertTrue(hasWriteAtz);
        // read -> MONTANT<=${montantMax} or UTI_ID_OWNER=${utiId}
        Assert.assertTrue(authorizationManager.isAuthorized(ownRecord, RecordOperations.READ));
        Assert.assertTrue(authorizationManager.isAuthorized(ownExpensiveRecord, RecordOperations.READ));
        Assert.assertTrue(authorizationManager.isAuthorized(foreignRecord, RecordOperations.READ));
        Assert.assertFalse(authorizationManager.isAuthorized(foreignExpensiveRecord, RecordOperations.READ));
        Assert.assertTrue(authorizationManager.isAuthorized(archivedRecord, RecordOperations.READ));
        // write -> (UTI_ID_OWNER=${utiId} and ETA_CD<ARC) or (TYP_ID=${typId} and MONTANT<=${montantMax} and ETA_CD<ARC)
        Assert.assertTrue(authorizationManager.isAuthorized(ownRecord, RecordOperations.WRITE));
        Assert.assertTrue(authorizationManager.isAuthorized(ownExpensiveRecord, RecordOperations.WRITE));
        Assert.assertTrue(authorizationManager.isAuthorized(foreignRecord, RecordOperations.WRITE));
        Assert.assertFalse(authorizationManager.isAuthorized(foreignExpensiveRecord, RecordOperations.WRITE));
        Assert.assertFalse(authorizationManager.isAuthorized(archivedRecord, RecordOperations.WRITE));
    } finally {
        // always unbind the thread-local session
        securityManager.stopCurrentUserSession();
    }
}

Example 18 with UserSession

use of io.vertigo.persona.security.UserSession in project vertigo by KleeGroup.

the class VSecurityManagerTest method testPredicateOnEntity.

/**
 * The security criteria for READ on {@code Record}, converted to a {@code Predicate},
 * accept every record except one that both belongs to another user and exceeds the
 * amount limit.
 */
@Test
public void testPredicateOnEntity() {
    // createRecord() is assumed to yield a record owned by DEFAULT_UTI_ID and within the
    // amount limit — verify against createRecord()
    final Record ownRecord = createRecord();
    // same owner, amount above the limit
    final Record ownExpensiveRecord = createRecord();
    ownExpensiveRecord.setAmount(10000d);
    // another owner, amount within the limit
    final Record foreignRecord = createRecord();
    foreignRecord.setUtiIdOwner(2000L);
    // another owner AND amount above the limit: matches neither side of the read rule
    final Record foreignExpensiveRecord = createRecord();
    foreignExpensiveRecord.setUtiIdOwner(2000L);
    foreignExpensiveRecord.setAmount(10000d);
    final Authorization readAtz = getAuthorization(RecordAuthorizations.ATZ_RECORD$READ);
    final UserSession session = securityManager.<TestUserSession>createUserSession();
    try {
        securityManager.startCurrentUserSession(session);
        authorizationManager.obtainUserAuthorizations()
                .withSecurityKeys("utiId", DEFAULT_UTI_ID)
                .withSecurityKeys("typId", DEFAULT_TYPE_ID)
                .withSecurityKeys("montantMax", DEFAULT_MONTANT_MAX)
                .addAuthorization(readAtz);
        final boolean hasReadAtz = authorizationManager.hasAuthorization(RecordAuthorizations.ATZ_RECORD$READ);
        Assert.assertTrue(hasReadAtz);
        // same rule as the in-memory isAuthorized check, but expressed as a reusable predicate
        final Predicate<Record> canRead = authorizationManager
                .getCriteriaSecurity(Record.class, RecordOperations.READ)
                .toPredicate();
        // read -> MONTANT<=${montantMax} or UTI_ID_OWNER=${utiId}
        Assert.assertTrue(canRead.test(ownRecord));
        Assert.assertTrue(canRead.test(ownExpensiveRecord));
        Assert.assertTrue(canRead.test(foreignRecord));
        Assert.assertFalse(canRead.test(foreignExpensiveRecord));
    } finally {
        // always unbind the thread-local session
        securityManager.stopCurrentUserSession();
    }
}

Example 19 with UserSession

use of io.vertigo.persona.security.UserSession in project vertigo by KleeGroup.

the class AccountManagerTest method testLogin.

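/**
 * Starts and stops a user session built from a minimal anonymous {@code UserSession}
 * (no locale). The login assertions are still commented out, so for now this only
 * checks that the session lifecycle itself does not throw.
 */
@Test
public void testLogin() {
    final UserSession anonymousSession = new UserSession() {

        private static final long serialVersionUID = 1L;

        @Override
        public Locale getLocale() {
            // this test session carries no locale
            return null;
        }
    };
    try {
        securityManager.startCurrentUserSession(anonymousSession);
        // TODO: the login assertions are still disabled upstream:
        // identityManager.login(accountURI1);
        // Assert.assertEquals(accountURI1, identityManager.getLoggedAccount());
    } finally {
        // stop in a finally block, like the other tests, so a failure here cannot leave the
        // thread-local session bound and leak it into later tests run on the same thread
        securityManager.stopCurrentUserSession();
    }
}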

Example 20 with UserSession

use of io.vertigo.persona.security.UserSession in project vertigo by KleeGroup.

the class SecurityFilter method doSecurityFilter.

/**
 * Core of the filter: binds the caller's {@code UserSession} to the current thread for the
 * duration of the request, then either rejects the request with HTTP 403 or lets it
 * continue down the chain.
 * <p>
 * Decision order: (1) an address that needs authentication is refused when the user is
 * not authenticated; (2) otherwise, when {@code checkRequestAccess} is on and the address
 * needs authentication, the request itself is checked with
 * {@code securityManager.isAuthorized("HttpServletRequest", httpRequest, "OP_READ")};
 * (3) otherwise the chain runs. Addresses that do not need authentication therefore get
 * no access check at all in this method.
 *
 * @param needsAuthentification whether the requested address requires an authenticated user
 * @param httpRequest the incoming request; its HTTP session is consulted and the user session is bound to it
 * @param httpResponse the response; on rejection a 403 is sent via {@code sendError}
 * @param chain the filter chain, invoked only when the request is accepted
 * @throws IOException propagated from {@code sendError} or from the chain
 * @throws ServletException from the chain, or wrapping a {@code SessionException} when
 *         authentication is required, the user is not authenticated and the request
 *         carried no HTTP session at all
 */
private void doSecurityFilter(final boolean needsAuthentification, final HttpServletRequest httpRequest, final HttpServletResponse httpResponse, final FilterChain chain) throws IOException, ServletException {
    // Captured BEFORE obtainUserSession(): presumably that call may create the HTTP session,
    // which would otherwise hide that the request arrived without one — confirm in obtainUserSession
    final boolean hasSession = httpRequest.getSession(false) != null;
    // Fetch the user's session
    final UserSession user = obtainUserSession(httpRequest);
    try {
        // Bind the user session to the current thread (ThreadLocal)
        securityManager.startCurrentUserSession(user);
        // 1. Persist the UserSession in the HTTP session.
        bindUser(httpRequest, user);
        // 2. Check that the user is authenticated when the requested address requires it
        if (needsAuthentification && !user.isAuthenticated()) {
            /*
				 * Rejects the request (403) - and also throws when no HTTP session existed at all,
				 * which is treated as an expired session.
				 */
            httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
            // the request must not continue
            if (!hasSession) {
                // By default the session is considered to have expired.
                // NOTE(review): sendError() above has already committed the 403 before this
                // exception is thrown; the container's error handling for the ServletException
                // cannot change the committed response — confirm this is the intended outcome.
                throw new ServletException(new SessionException("Session expirée"));
            }
        } else if (checkRequestAccess && needsAuthentification && !securityManager.isAuthorized("HttpServletRequest", httpRequest, "OP_READ")) {
            // NOTE(review): the operation is the constant "OP_READ" whatever the HTTP method —
            // confirm that state-changing requests (POST/PUT/DELETE) are meant to be governed
            // by the read rule.
            httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
        } else {
            chain.doFilter(httpRequest, httpResponse);
        }
    } finally {
        // Remove the user from the ThreadLocal (it is already stored in the HTTP session)
        securityManager.stopCurrentUserSession();
    }
}
