Search in sources :

Example 1 with PermitAll

use of jakarta.annotation.security.PermitAll in project helidon by oracle.

the class RoleValidator method fromAnnotations.

@Override
public RoleConfig fromAnnotations(EndpointConfig endpointConfig) {
    RoleConfig.Builder builder = RoleConfig.builder();
    for (SecurityLevel securityLevel : endpointConfig.securityLevels()) {
        for (EndpointConfig.AnnotationScope scope : EndpointConfig.AnnotationScope.values()) {
            // Order of the annotations matters because of annotation handling.
            List<Annotation> annotations = new ArrayList<>();
            for (Class<? extends Annotation> annotation : supportedAnnotations()) {
                annotations.addAll(securityLevel.filterAnnotations(annotation, scope));
            }
            List<String> roles = new ArrayList<>();
            List<String> serviceRoles = new ArrayList<>();
            for (Annotation annotation : annotations) {
                if (annotation instanceof RolesAllowed) {
                    // these are user roles by default
                    roles.addAll(Arrays.asList(((RolesAllowed) annotation).value()));
                    builder.permitAll(false);
                    builder.denyAll(false);
                } else if (annotation instanceof Roles) {
                    // these are configured
                    Roles r = (Roles) annotation;
                    if (r.subjectType() == SubjectType.USER) {
                        roles.addAll(Arrays.asList(r.value()));
                    } else {
                        serviceRoles.addAll(Arrays.asList(r.value()));
                    }
                    builder.permitAll(false);
                    builder.denyAll(false);
                } else if (annotation instanceof PermitAll) {
                    builder.permitAll(true);
                    builder.denyAll(false);
                } else if (annotation instanceof DenyAll) {
                    builder.permitAll(false);
                    builder.denyAll(true);
                }
            }
            if (!roles.isEmpty()) {
                builder.clearRoles().addRoles(roles);
            }
            if (!serviceRoles.isEmpty()) {
                builder.clearServiceRoles().addServiceRoles(serviceRoles);
            }
        }
    }
    return builder.build();
}
Also used : ArrayList(java.util.ArrayList) AbacAnnotation(io.helidon.security.providers.abac.AbacAnnotation) Annotation(java.lang.annotation.Annotation) RolesAllowed(jakarta.annotation.security.RolesAllowed) DenyAll(jakarta.annotation.security.DenyAll) SecurityLevel(io.helidon.security.SecurityLevel) PermitAll(jakarta.annotation.security.PermitAll) EndpointConfig(io.helidon.security.EndpointConfig)

Example 2 with PermitAll

use of jakarta.annotation.security.PermitAll in project spring-security by spring-projects.

the class Jsr250MethodSecurityMetadataSource method processAnnotations.

private List<ConfigAttribute> processAnnotations(Annotation[] annotations) {
    if (annotations == null || annotations.length == 0) {
        return null;
    }
    List<ConfigAttribute> attributes = new ArrayList<>();
    for (Annotation annotation : annotations) {
        if (annotation instanceof DenyAll) {
            attributes.add(Jsr250SecurityConfig.DENY_ALL_ATTRIBUTE);
            return attributes;
        }
        if (annotation instanceof PermitAll) {
            attributes.add(Jsr250SecurityConfig.PERMIT_ALL_ATTRIBUTE);
            return attributes;
        }
        if (annotation instanceof RolesAllowed) {
            RolesAllowed ra = (RolesAllowed) annotation;
            for (String allowed : ra.value()) {
                String defaultedAllowed = getRoleWithDefaultPrefix(allowed);
                attributes.add(new Jsr250SecurityConfig(defaultedAllowed));
            }
            return attributes;
        }
    }
    return null;
}
Also used : DenyAll(jakarta.annotation.security.DenyAll) RolesAllowed(jakarta.annotation.security.RolesAllowed) ConfigAttribute(org.springframework.security.access.ConfigAttribute) ArrayList(java.util.ArrayList) PermitAll(jakarta.annotation.security.PermitAll) Annotation(java.lang.annotation.Annotation)

Example 3 with PermitAll

use of jakarta.annotation.security.PermitAll in project resteasy by resteasy.

the class RoleBasedSecurityFeature method configure.

@SuppressWarnings(value = "unchecked")
@Override
public void configure(ResourceInfo resourceInfo, FeatureContext configurable) {
    @SuppressWarnings("rawtypes") final Class declaring = resourceInfo.getResourceClass();
    final Method method = resourceInfo.getResourceMethod();
    if (declaring == null || method == null)
        return;
    String[] rolesAllowed = null;
    boolean denyAll;
    boolean permitAll;
    RolesAllowed allowed = (RolesAllowed) declaring.getAnnotation(RolesAllowed.class);
    RolesAllowed methodAllowed = method.getAnnotation(RolesAllowed.class);
    if (methodAllowed != null)
        allowed = methodAllowed;
    if (allowed != null) {
        rolesAllowed = allowed.value();
    }
    denyAll = (declaring.isAnnotationPresent(DenyAll.class) && method.isAnnotationPresent(RolesAllowed.class) == false && method.isAnnotationPresent(PermitAll.class) == false) || method.isAnnotationPresent(DenyAll.class);
    permitAll = (declaring.isAnnotationPresent(PermitAll.class) == true && method.isAnnotationPresent(RolesAllowed.class) == false && method.isAnnotationPresent(DenyAll.class) == false) || method.isAnnotationPresent(PermitAll.class);
    if (rolesAllowed != null || denyAll || permitAll) {
        RoleBasedSecurityFilter filter = new RoleBasedSecurityFilter(rolesAllowed, denyAll, permitAll);
        configurable.register(filter);
    }
}
Also used : RolesAllowed(jakarta.annotation.security.RolesAllowed) DenyAll(jakarta.annotation.security.DenyAll) Method(java.lang.reflect.Method) PermitAll(jakarta.annotation.security.PermitAll)

Example 4 with PermitAll

use of jakarta.annotation.security.PermitAll in project helidon by oracle.

the class RoleValidatorTest method testDenyAllAndPermitAll.

@Test
void testDenyAllAndPermitAll() {
    RoleValidator validator = RoleValidator.create();
    PermitAll permitAll = mock(PermitAll.class);
    DenyAll denyAll = mock(DenyAll.class);
    SecurityLevel appSecurityLevel = mock(SecurityLevel.class);
    SecurityLevel classSecurityLevel = mock(SecurityLevel.class);
    List<SecurityLevel> securityLevels = new ArrayList<>();
    securityLevels.add(appSecurityLevel);
    securityLevels.add(classSecurityLevel);
    EndpointConfig ep = mock(EndpointConfig.class);
    when(ep.securityLevels()).thenReturn(securityLevels);
    when(classSecurityLevel.filterAnnotations(DenyAll.class, EndpointConfig.AnnotationScope.CLASS)).thenReturn(List.of(denyAll));
    when(classSecurityLevel.filterAnnotations(PermitAll.class, EndpointConfig.AnnotationScope.METHOD)).thenReturn(List.of(permitAll));
    RoleValidator.RoleConfig rConfig = validator.fromAnnotations(ep);
    Errors.Collector collector = Errors.collector();
    ProviderRequest request = mock(ProviderRequest.class);
    when(request.subject()).thenReturn(Optional.of(Subject.builder().principal(Principal.create("myAdmin")).addGrant(Role.create("user")).build()));
    when(request.service()).thenReturn(Optional.empty());
    validator.validate(rConfig, collector, request);
    collector.collect().checkValid();
}
Also used : Errors(io.helidon.common.Errors) DenyAll(jakarta.annotation.security.DenyAll) SecurityLevel(io.helidon.security.SecurityLevel) ArrayList(java.util.ArrayList) PermitAll(jakarta.annotation.security.PermitAll) EndpointConfig(io.helidon.security.EndpointConfig) ProviderRequest(io.helidon.security.ProviderRequest) Test(org.junit.jupiter.api.Test)

Example 5 with PermitAll

use of jakarta.annotation.security.PermitAll in project helidon by oracle.

the class RoleValidatorTest method testAllAccessAnnotationsOnTheSameLevel.

@Test
void testAllAccessAnnotationsOnTheSameLevel() {
    RoleValidator validator = RoleValidator.create();
    PermitAll permitAll = mock(PermitAll.class);
    DenyAll denyAll = mock(DenyAll.class);
    RolesAllowed rolesAllowed = mock(RolesAllowed.class);
    String[] roleArray = new String[] { "admin" };
    when(rolesAllowed.value()).thenReturn(roleArray);
    SecurityLevel appSecurityLevel = mock(SecurityLevel.class);
    SecurityLevel classSecurityLevel = mock(SecurityLevel.class);
    List<SecurityLevel> securityLevels = new ArrayList<>();
    securityLevels.add(appSecurityLevel);
    securityLevels.add(classSecurityLevel);
    EndpointConfig ep = mock(EndpointConfig.class);
    when(ep.securityLevels()).thenReturn(securityLevels);
    when(classSecurityLevel.filterAnnotations(PermitAll.class, EndpointConfig.AnnotationScope.METHOD)).thenReturn(List.of(permitAll));
    when(classSecurityLevel.filterAnnotations(DenyAll.class, EndpointConfig.AnnotationScope.METHOD)).thenReturn(List.of(denyAll));
    when(classSecurityLevel.filterAnnotations(RolesAllowed.class, EndpointConfig.AnnotationScope.METHOD)).thenReturn(List.of(rolesAllowed));
    RoleValidator.RoleConfig rConfig = validator.fromAnnotations(ep);
    Errors.Collector collector = Errors.collector();
    ProviderRequest request = mock(ProviderRequest.class);
    when(request.subject()).thenReturn(Optional.of(Subject.builder().principal(Principal.create("myAdmin")).addGrant(Role.create("admin")).build()));
    when(request.service()).thenReturn(Optional.empty());
    validator.validate(rConfig, collector, request);
    if (collector.collect().isValid()) {
        fail("DenyAll is set on this method, this should have failed");
    }
}
Also used : ArrayList(java.util.ArrayList) ProviderRequest(io.helidon.security.ProviderRequest) Errors(io.helidon.common.Errors) DenyAll(jakarta.annotation.security.DenyAll) RolesAllowed(jakarta.annotation.security.RolesAllowed) SecurityLevel(io.helidon.security.SecurityLevel) PermitAll(jakarta.annotation.security.PermitAll) EndpointConfig(io.helidon.security.EndpointConfig) Test(org.junit.jupiter.api.Test)

Aggregations

PermitAll (jakarta.annotation.security.PermitAll)7 DenyAll (jakarta.annotation.security.DenyAll)6 ArrayList (java.util.ArrayList)6 EndpointConfig (io.helidon.security.EndpointConfig)5 SecurityLevel (io.helidon.security.SecurityLevel)5 RolesAllowed (jakarta.annotation.security.RolesAllowed)5 Errors (io.helidon.common.Errors)4 ProviderRequest (io.helidon.security.ProviderRequest)4 Test (org.junit.jupiter.api.Test)4 Annotation (java.lang.annotation.Annotation)2 AbacAnnotation (io.helidon.security.providers.abac.AbacAnnotation)1 Method (java.lang.reflect.Method)1 ConfigAttribute (org.springframework.security.access.ConfigAttribute)1