
Example 1 with DenyAll

use of jakarta.annotation.security.DenyAll in project helidon by oracle.

From the class RoleValidator, method fromAnnotations.

/**
 * Builds the role configuration of an endpoint from its JSR-250 / Helidon role annotations.
 * <p>
 * Every security level and every annotation scope is visited in turn. Within one scope the
 * annotations are processed in {@code supportedAnnotations()} order and the last recognised
 * annotation determines the permit-all / deny-all flags (a later {@code @DenyAll} therefore
 * overrides an earlier {@code @PermitAll} and vice versa). Roles collected in a scope replace
 * the roles collected before it, so precedence between scopes follows the iteration order of
 * {@code AnnotationScope.values()} (expected to run from application to method level — verify
 * against the enum).
 *
 * @param endpointConfig configuration of the endpoint whose annotations are examined
 * @return the resulting role configuration
 */
@Override
public RoleConfig fromAnnotations(EndpointConfig endpointConfig) {
    RoleConfig.Builder builder = RoleConfig.builder();
    for (SecurityLevel level : endpointConfig.securityLevels()) {
        for (EndpointConfig.AnnotationScope scope : EndpointConfig.AnnotationScope.values()) {
            // Collect in supportedAnnotations() order: a later annotation overrides the
            // permit/deny flags set by an earlier one, so this order is significant.
            List<Annotation> found = new ArrayList<>();
            for (Class<? extends Annotation> type : supportedAnnotations()) {
                found.addAll(level.filterAnnotations(type, scope));
            }
            List<String> userRoles = new ArrayList<>();
            List<String> serviceRoles = new ArrayList<>();
            for (Annotation candidate : found) {
                boolean permit = false;
                boolean deny = false;
                if (candidate instanceof PermitAll) {
                    permit = true;
                } else if (candidate instanceof DenyAll) {
                    deny = true;
                } else if (candidate instanceof RolesAllowed) {
                    // JSR-250 roles are user roles
                    userRoles.addAll(Arrays.asList(((RolesAllowed) candidate).value()));
                } else if (candidate instanceof Roles) {
                    // Helidon annotation: the subject type selects user vs. service roles
                    Roles configured = (Roles) candidate;
                    List<String> target = configured.subjectType() == SubjectType.USER
                            ? userRoles
                            : serviceRoles;
                    target.addAll(Arrays.asList(configured.value()));
                } else {
                    // not a role annotation: leaves the flags untouched
                    continue;
                }
                builder.permitAll(permit);
                builder.denyAll(deny);
            }
            // Roles found in this scope replace whatever an earlier scope contributed.
            if (!userRoles.isEmpty()) {
                builder.clearRoles().addRoles(userRoles);
            }
            if (!serviceRoles.isEmpty()) {
                builder.clearServiceRoles().addServiceRoles(serviceRoles);
            }
        }
    }
    return builder.build();
}

Example 2 with DenyAll

use of jakarta.annotation.security.DenyAll in project helidon by oracle.

From the class RoleValidatorTest, method testDenyAllAndRoles.

/**
 * A class-level {@code @DenyAll} combined with a method-level {@code @RolesAllowed("admin")}
 * must let a subject holding the "admin" role through: the method-level roles take precedence
 * over the class-level deny.
 */
@Test
void testDenyAllAndRoles() {
    RoleValidator validator = RoleValidator.create();

    DenyAll classDenyAll = mock(DenyAll.class);
    RolesAllowed methodRolesAllowed = mock(RolesAllowed.class);
    when(methodRolesAllowed.value()).thenReturn(new String[] {"admin"});

    // The application level is left unstubbed (no annotations); the class level carries both.
    SecurityLevel applicationLevel = mock(SecurityLevel.class);
    SecurityLevel classLevel = mock(SecurityLevel.class);
    when(classLevel.filterAnnotations(DenyAll.class, EndpointConfig.AnnotationScope.CLASS))
            .thenReturn(List.of(classDenyAll));
    when(classLevel.filterAnnotations(RolesAllowed.class, EndpointConfig.AnnotationScope.METHOD))
            .thenReturn(List.of(methodRolesAllowed));

    EndpointConfig endpoint = mock(EndpointConfig.class);
    when(endpoint.securityLevels()).thenReturn(List.of(applicationLevel, classLevel));

    RoleValidator.RoleConfig config = validator.fromAnnotations(endpoint);

    Subject admin = Subject.builder()
            .principal(Principal.create("myAdmin"))
            .addGrant(Role.create("admin"))
            .build();
    ProviderRequest request = mock(ProviderRequest.class);
    when(request.subject()).thenReturn(Optional.of(admin));
    when(request.service()).thenReturn(Optional.empty());

    Errors.Collector collector = Errors.collector();
    validator.validate(config, collector, request);
    // checkValid() throws when the collector holds an error, i.e. when access was denied
    collector.collect().checkValid();
}

Example 3 with DenyAll

use of jakarta.annotation.security.DenyAll in project spring-security by spring-projects.

From the class Jsr250MethodSecurityMetadataSource, method processAnnotations.

/**
 * Translates the JSR-250 annotations of one element into config attributes.
 * <p>
 * The first recognised annotation in {@code annotations} wins: {@code @DenyAll} and
 * {@code @PermitAll} yield a single marker attribute, {@code @RolesAllowed} one attribute per
 * (prefix-defaulted) role. NOTE(review): when an element carries more than one of these
 * annotations the outcome depends on the order of the array handed in, which is the caller's
 * (reflection) order — a fail-closed policy would have to look for {@code @DenyAll} explicitly.
 *
 * @param annotations annotations declared on a method or class, may be {@code null}
 * @return the attributes, or {@code null} when none of the annotations is a JSR-250 one
 */
private List<ConfigAttribute> processAnnotations(Annotation[] annotations) {
    if (annotations == null || annotations.length == 0) {
        return null;
    }
    List<ConfigAttribute> result = new ArrayList<>();
    for (Annotation candidate : annotations) {
        if (candidate instanceof DenyAll) {
            result.add(Jsr250SecurityConfig.DENY_ALL_ATTRIBUTE);
            return result;
        }
        if (candidate instanceof PermitAll) {
            result.add(Jsr250SecurityConfig.PERMIT_ALL_ATTRIBUTE);
            return result;
        }
        if (candidate instanceof RolesAllowed) {
            // every declared role becomes its own attribute, with the role prefix applied
            for (String role : ((RolesAllowed) candidate).value()) {
                result.add(new Jsr250SecurityConfig(getRoleWithDefaultPrefix(role)));
            }
            return result;
        }
    }
    return null;
}

Example 4 with DenyAll

use of jakarta.annotation.security.DenyAll in project resteasy by resteasy.

From the class RoleBasedSecurityFeature, method configure.

/**
 * Registers a {@link RoleBasedSecurityFilter} for the resource method when the class or the
 * method carries a JSR-250 role annotation.
 * <p>
 * A method-level {@code @RolesAllowed} replaces the class-level one. A class-level
 * {@code @DenyAll} (or {@code @PermitAll}) applies only when the method carries neither of the
 * other two annotations; a method-level {@code @DenyAll}/{@code @PermitAll} always applies.
 * Both flags can end up {@code true} when a method carries both annotations; which one the
 * filter honours is decided in {@code RoleBasedSecurityFilter}. Nothing is registered when no
 * annotation is found, so such a resource is not protected by this feature.
 *
 * @param resourceInfo the resource class and method being configured
 * @param configurable the context the filter is registered with
 */
@Override
public void configure(ResourceInfo resourceInfo, FeatureContext configurable) {
    final Class<?> resourceClass = resourceInfo.getResourceClass();
    final Method resourceMethod = resourceInfo.getResourceMethod();
    if (resourceClass == null || resourceMethod == null) {
        return;
    }

    // Method-level @RolesAllowed overrides the class-level one.
    RolesAllowed effective = resourceMethod.getAnnotation(RolesAllowed.class);
    if (effective == null) {
        effective = resourceClass.getAnnotation(RolesAllowed.class);
    }
    final String[] rolesAllowed = effective == null ? null : effective.value();

    final boolean methodHasRoles = resourceMethod.isAnnotationPresent(RolesAllowed.class);
    final boolean methodHasPermit = resourceMethod.isAnnotationPresent(PermitAll.class);
    final boolean methodHasDeny = resourceMethod.isAnnotationPresent(DenyAll.class);

    // A class-level deny/permit is inherited unless the method states one of the other two.
    final boolean denyAll = methodHasDeny
            || (resourceClass.isAnnotationPresent(DenyAll.class) && !methodHasRoles && !methodHasPermit);
    final boolean permitAll = methodHasPermit
            || (resourceClass.isAnnotationPresent(PermitAll.class) && !methodHasRoles && !methodHasDeny);

    if (rolesAllowed == null && !denyAll && !permitAll) {
        return;
    }
    configurable.register(new RoleBasedSecurityFilter(rolesAllowed, denyAll, permitAll));
}

Example 5 with DenyAll

use of jakarta.annotation.security.DenyAll in project helidon by oracle.

From the class RoleValidatorTest, method testDenyAllAndPermitAll.

/**
 * A class-level {@code @DenyAll} combined with a method-level {@code @PermitAll} must let any
 * subject through: the method-level permit takes precedence over the class-level deny.
 */
@Test
void testDenyAllAndPermitAll() {
    RoleValidator validator = RoleValidator.create();

    PermitAll methodPermitAll = mock(PermitAll.class);
    DenyAll classDenyAll = mock(DenyAll.class);

    // The application level is left unstubbed (no annotations); the class level carries both.
    SecurityLevel applicationLevel = mock(SecurityLevel.class);
    SecurityLevel classLevel = mock(SecurityLevel.class);
    when(classLevel.filterAnnotations(DenyAll.class, EndpointConfig.AnnotationScope.CLASS))
            .thenReturn(List.of(classDenyAll));
    when(classLevel.filterAnnotations(PermitAll.class, EndpointConfig.AnnotationScope.METHOD))
            .thenReturn(List.of(methodPermitAll));

    EndpointConfig endpoint = mock(EndpointConfig.class);
    when(endpoint.securityLevels()).thenReturn(List.of(applicationLevel, classLevel));

    RoleValidator.RoleConfig config = validator.fromAnnotations(endpoint);

    // A subject with only the "user" role (no admin) — it must still pass under permit-all.
    Subject plainUser = Subject.builder()
            .principal(Principal.create("myAdmin"))
            .addGrant(Role.create("user"))
            .build();
    ProviderRequest request = mock(ProviderRequest.class);
    when(request.subject()).thenReturn(Optional.of(plainUser));
    when(request.service()).thenReturn(Optional.empty());

    Errors.Collector collector = Errors.collector();
    validator.validate(config, collector, request);
    // checkValid() throws when the collector holds an error, i.e. when access was denied
    collector.collect().checkValid();
}
