use of jakarta.annotation.security.PermitAll in project helidon by oracle.
the class RoleValidator method fromAnnotations.
@Override
public RoleConfig fromAnnotations(EndpointConfig endpointConfig) {
RoleConfig.Builder builder = RoleConfig.builder();
for (SecurityLevel securityLevel : endpointConfig.securityLevels()) {
for (EndpointConfig.AnnotationScope scope : EndpointConfig.AnnotationScope.values()) {
// Order of the annotations matters because of annotation handling.
List<Annotation> annotations = new ArrayList<>();
for (Class<? extends Annotation> annotation : supportedAnnotations()) {
annotations.addAll(securityLevel.filterAnnotations(annotation, scope));
}
List<String> roles = new ArrayList<>();
List<String> serviceRoles = new ArrayList<>();
for (Annotation annotation : annotations) {
if (annotation instanceof RolesAllowed) {
// these are user roles by default
roles.addAll(Arrays.asList(((RolesAllowed) annotation).value()));
builder.permitAll(false);
builder.denyAll(false);
} else if (annotation instanceof Roles) {
// these are configured
Roles r = (Roles) annotation;
if (r.subjectType() == SubjectType.USER) {
roles.addAll(Arrays.asList(r.value()));
} else {
serviceRoles.addAll(Arrays.asList(r.value()));
}
builder.permitAll(false);
builder.denyAll(false);
} else if (annotation instanceof PermitAll) {
builder.permitAll(true);
builder.denyAll(false);
} else if (annotation instanceof DenyAll) {
builder.permitAll(false);
builder.denyAll(true);
}
}
if (!roles.isEmpty()) {
builder.clearRoles().addRoles(roles);
}
if (!serviceRoles.isEmpty()) {
builder.clearServiceRoles().addServiceRoles(serviceRoles);
}
}
}
return builder.build();
}
use of jakarta.annotation.security.PermitAll in project spring-security by spring-projects.
the class Jsr250MethodSecurityMetadataSource method processAnnotations.
private List<ConfigAttribute> processAnnotations(Annotation[] annotations) {
if (annotations == null || annotations.length == 0) {
return null;
}
List<ConfigAttribute> attributes = new ArrayList<>();
for (Annotation annotation : annotations) {
if (annotation instanceof DenyAll) {
attributes.add(Jsr250SecurityConfig.DENY_ALL_ATTRIBUTE);
return attributes;
}
if (annotation instanceof PermitAll) {
attributes.add(Jsr250SecurityConfig.PERMIT_ALL_ATTRIBUTE);
return attributes;
}
if (annotation instanceof RolesAllowed) {
RolesAllowed ra = (RolesAllowed) annotation;
for (String allowed : ra.value()) {
String defaultedAllowed = getRoleWithDefaultPrefix(allowed);
attributes.add(new Jsr250SecurityConfig(defaultedAllowed));
}
return attributes;
}
}
return null;
}
use of jakarta.annotation.security.PermitAll in project resteasy by resteasy.
the class RoleBasedSecurityFeature method configure.
@SuppressWarnings(value = "unchecked")
@Override
public void configure(ResourceInfo resourceInfo, FeatureContext configurable) {
@SuppressWarnings("rawtypes") final Class declaring = resourceInfo.getResourceClass();
final Method method = resourceInfo.getResourceMethod();
if (declaring == null || method == null)
return;
String[] rolesAllowed = null;
boolean denyAll;
boolean permitAll;
RolesAllowed allowed = (RolesAllowed) declaring.getAnnotation(RolesAllowed.class);
RolesAllowed methodAllowed = method.getAnnotation(RolesAllowed.class);
if (methodAllowed != null)
allowed = methodAllowed;
if (allowed != null) {
rolesAllowed = allowed.value();
}
denyAll = (declaring.isAnnotationPresent(DenyAll.class) && method.isAnnotationPresent(RolesAllowed.class) == false && method.isAnnotationPresent(PermitAll.class) == false) || method.isAnnotationPresent(DenyAll.class);
permitAll = (declaring.isAnnotationPresent(PermitAll.class) == true && method.isAnnotationPresent(RolesAllowed.class) == false && method.isAnnotationPresent(DenyAll.class) == false) || method.isAnnotationPresent(PermitAll.class);
if (rolesAllowed != null || denyAll || permitAll) {
RoleBasedSecurityFilter filter = new RoleBasedSecurityFilter(rolesAllowed, denyAll, permitAll);
configurable.register(filter);
}
}
use of jakarta.annotation.security.PermitAll in project helidon by oracle.
the class RoleValidatorTest method testDenyAllAndPermitAll.
@Test
void testDenyAllAndPermitAll() {
RoleValidator validator = RoleValidator.create();
PermitAll permitAll = mock(PermitAll.class);
DenyAll denyAll = mock(DenyAll.class);
SecurityLevel appSecurityLevel = mock(SecurityLevel.class);
SecurityLevel classSecurityLevel = mock(SecurityLevel.class);
List<SecurityLevel> securityLevels = new ArrayList<>();
securityLevels.add(appSecurityLevel);
securityLevels.add(classSecurityLevel);
EndpointConfig ep = mock(EndpointConfig.class);
when(ep.securityLevels()).thenReturn(securityLevels);
when(classSecurityLevel.filterAnnotations(DenyAll.class, EndpointConfig.AnnotationScope.CLASS)).thenReturn(List.of(denyAll));
when(classSecurityLevel.filterAnnotations(PermitAll.class, EndpointConfig.AnnotationScope.METHOD)).thenReturn(List.of(permitAll));
RoleValidator.RoleConfig rConfig = validator.fromAnnotations(ep);
Errors.Collector collector = Errors.collector();
ProviderRequest request = mock(ProviderRequest.class);
when(request.subject()).thenReturn(Optional.of(Subject.builder().principal(Principal.create("myAdmin")).addGrant(Role.create("user")).build()));
when(request.service()).thenReturn(Optional.empty());
validator.validate(rConfig, collector, request);
collector.collect().checkValid();
}
use of jakarta.annotation.security.PermitAll in project helidon by oracle.
the class RoleValidatorTest method testAllAccessAnnotationsOnTheSameLevel.
@Test
void testAllAccessAnnotationsOnTheSameLevel() {
RoleValidator validator = RoleValidator.create();
PermitAll permitAll = mock(PermitAll.class);
DenyAll denyAll = mock(DenyAll.class);
RolesAllowed rolesAllowed = mock(RolesAllowed.class);
String[] roleArray = new String[] { "admin" };
when(rolesAllowed.value()).thenReturn(roleArray);
SecurityLevel appSecurityLevel = mock(SecurityLevel.class);
SecurityLevel classSecurityLevel = mock(SecurityLevel.class);
List<SecurityLevel> securityLevels = new ArrayList<>();
securityLevels.add(appSecurityLevel);
securityLevels.add(classSecurityLevel);
EndpointConfig ep = mock(EndpointConfig.class);
when(ep.securityLevels()).thenReturn(securityLevels);
when(classSecurityLevel.filterAnnotations(PermitAll.class, EndpointConfig.AnnotationScope.METHOD)).thenReturn(List.of(permitAll));
when(classSecurityLevel.filterAnnotations(DenyAll.class, EndpointConfig.AnnotationScope.METHOD)).thenReturn(List.of(denyAll));
when(classSecurityLevel.filterAnnotations(RolesAllowed.class, EndpointConfig.AnnotationScope.METHOD)).thenReturn(List.of(rolesAllowed));
RoleValidator.RoleConfig rConfig = validator.fromAnnotations(ep);
Errors.Collector collector = Errors.collector();
ProviderRequest request = mock(ProviderRequest.class);
when(request.subject()).thenReturn(Optional.of(Subject.builder().principal(Principal.create("myAdmin")).addGrant(Role.create("admin")).build()));
when(request.service()).thenReturn(Optional.empty());
validator.validate(rConfig, collector, request);
if (collector.collect().isValid()) {
fail("DenyAll is set on this method, this should have failed");
}
}
Aggregations