
Example 1 with RolesAllowed

Use of jakarta.annotation.security.RolesAllowed in project minijax by minijax.

From the class MinijaxApplication, method checkSecurity.

/**
 * Enforces the resource method's declarative security annotation, if any.
 *
 * <p>{@code @PermitAll} (or no annotation at all) lets the request through.
 * {@code @DenyAll} always rejects with 403. {@code @RolesAllowed} rejects an
 * unauthenticated caller (no security context or no principal) with 401 and an
 * authenticated caller holding none of the listed roles with 403. Any other
 * annotation type falls through without a check.
 *
 * @param context the request being dispatched
 * @throws NotAuthorizedException when roles are required but no principal is present
 * @throws ForbiddenException when access is denied outright or no required role matches
 */
private void checkSecurity(final MinijaxRequestContext context) {
    final Annotation annotation = context.getResourceMethod().getSecurityAnnotation();
    if (annotation == null) {
        return;
    }
    final Class<?> type = annotation.annotationType();
    if (type == PermitAll.class) {
        return;
    }
    if (type == DenyAll.class) {
        throw new ForbiddenException();
    }
    if (type != RolesAllowed.class) {
        // Not one of the three jakarta.annotation.security annotations handled here.
        return;
    }
    // Authentication is checked before authorization so the status codes stay distinct:
    // 401 for "who are you?", 403 for "you may not".
    final SecurityContext security = context.getSecurityContext();
    if (security == null || security.getUserPrincipal() == null) {
        throw new NotAuthorizedException(Response.status(Status.UNAUTHORIZED).build());
    }
    // The caller needs any one of the listed roles, not all of them.
    for (final String role : ((RolesAllowed) annotation).value()) {
        if (security.isUserInRole(role)) {
            return;
        }
    }
    throw new ForbiddenException();
}

Example 2 with RolesAllowed

Use of jakarta.annotation.security.RolesAllowed in project resteasy by resteasy.

From the class EJBConstraintChecker, method checkInternal.

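/**
 * Checks the {@code @RolesAllowed} constraint on a method against the current
 * request's {@link SecurityContext}.
 *
 * <p>A method without {@code @RolesAllowed} is unconstrained and passes. Otherwise
 * the caller must hold at least one of the listed roles. When no
 * {@link SecurityContext} is available in the request context there is no caller
 * identity to evaluate, so the check fails closed and returns {@code false}
 * instead of throwing a {@link NullPointerException}.
 *
 * @param method the resource method being invoked
 * @return {@code true} when the method is unconstrained or the caller holds a listed role
 */
private boolean checkInternal(Method method) {
    // From now on we can use this class since it's there. I (Stef Epardaud) don't think we need to
    // remove the reference here and use reflection.
    RolesAllowed rolesAllowed = method.getAnnotation(RolesAllowed.class);
    if (rolesAllowed == null) {
        return true;
    }
    SecurityContext context = ResteasyContext.getContextData(SecurityContext.class);
    if (context == null) {
        // No security context: deny rather than dereference null.
        return false;
    }
    for (String role : rolesAllowed.value()) {
        if (context.isUserInRole(role)) {
            return true;
        }
    }
    return false;
}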

Example 3 with RolesAllowed

Use of jakarta.annotation.security.RolesAllowed in project helidon by oracle.

From the class RoleValidator, method fromAnnotations.

/**
 * Builds the role configuration for an endpoint from its security annotations.
 *
 * <p>Every security level and every annotation scope is visited. Within one scope
 * the supported annotations are collected in {@code supportedAnnotations()} order
 * and applied one after another, so a later annotation overrides the
 * permit-all / deny-all flags set by an earlier one, while the roles named by all
 * {@code @RolesAllowed} and {@code @Roles} annotations of that scope are accumulated.
 * A scope that contributes any user roles (or service roles) replaces the roles
 * (or service roles) gathered so far, so later scopes and levels win over earlier ones.
 *
 * @param endpointConfig the annotated endpoint
 * @return the resulting role configuration
 */
@Override
public RoleConfig fromAnnotations(EndpointConfig endpointConfig) {
    RoleConfig.Builder builder = RoleConfig.builder();
    for (SecurityLevel level : endpointConfig.securityLevels()) {
        for (EndpointConfig.AnnotationScope scope : EndpointConfig.AnnotationScope.values()) {
            // Annotations are applied in supportedAnnotations() order; that order matters.
            List<Annotation> found = new ArrayList<>();
            for (Class<? extends Annotation> type : supportedAnnotations()) {
                found.addAll(level.filterAnnotations(type, scope));
            }
            List<String> userRoles = new ArrayList<>();
            List<String> serviceRoles = new ArrayList<>();
            for (Annotation annotation : found) {
                applyAnnotation(builder, annotation, userRoles, serviceRoles);
            }
            if (!userRoles.isEmpty()) {
                builder.clearRoles().addRoles(userRoles);
            }
            if (!serviceRoles.isEmpty()) {
                builder.clearServiceRoles().addServiceRoles(serviceRoles);
            }
        }
    }
    return builder.build();
}

/**
 * Applies a single security annotation to the builder and collects the roles it names.
 * Annotation types other than the four handled here are ignored.
 *
 * @param builder      target configuration builder (permit-all / deny-all flags are updated)
 * @param annotation   the annotation to apply
 * @param userRoles    receives roles that apply to the user subject
 * @param serviceRoles receives roles that apply to the service subject
 */
private void applyAnnotation(RoleConfig.Builder builder,
                             Annotation annotation,
                             List<String> userRoles,
                             List<String> serviceRoles) {
    if (annotation instanceof RolesAllowed) {
        // @RolesAllowed always names user roles
        userRoles.addAll(Arrays.asList(((RolesAllowed) annotation).value()));
        builder.permitAll(false);
        builder.denyAll(false);
    } else if (annotation instanceof Roles) {
        // @Roles carries its own subject type
        Roles roles = (Roles) annotation;
        List<String> target = roles.subjectType() == SubjectType.USER ? userRoles : serviceRoles;
        target.addAll(Arrays.asList(roles.value()));
        builder.permitAll(false);
        builder.denyAll(false);
    } else if (annotation instanceof PermitAll) {
        builder.permitAll(true);
        builder.denyAll(false);
    } else if (annotation instanceof DenyAll) {
        builder.permitAll(false);
        builder.denyAll(true);
    }
}

Example 4 with RolesAllowed

Use of jakarta.annotation.security.RolesAllowed in project helidon by oracle.

From the class RoleValidatorTest, method testDenyAllAndRoles.

/**
 * A method-level {@code @RolesAllowed("admin")} must win over a class-level
 * {@code @DenyAll}: a subject granted the {@code admin} role validates without errors.
 */
@Test
void testDenyAllAndRoles() {
    RoleValidator validator = RoleValidator.create();

    // Class scope denies everyone; method scope allows "admin".
    DenyAll classDenyAll = mock(DenyAll.class);
    RolesAllowed methodRoles = mock(RolesAllowed.class);
    when(methodRoles.value()).thenReturn(new String[] { "admin" });

    SecurityLevel applicationLevel = mock(SecurityLevel.class);
    SecurityLevel classLevel = mock(SecurityLevel.class);
    when(classLevel.filterAnnotations(DenyAll.class, EndpointConfig.AnnotationScope.CLASS))
            .thenReturn(List.of(classDenyAll));
    when(classLevel.filterAnnotations(RolesAllowed.class, EndpointConfig.AnnotationScope.METHOD))
            .thenReturn(List.of(methodRoles));

    List<SecurityLevel> levels = new ArrayList<>(List.of(applicationLevel, classLevel));
    EndpointConfig endpoint = mock(EndpointConfig.class);
    when(endpoint.securityLevels()).thenReturn(levels);

    RoleValidator.RoleConfig config = validator.fromAnnotations(endpoint);

    // Subject "myAdmin" holds the admin role; there is no service identity.
    Subject admin = Subject.builder()
            .principal(Principal.create("myAdmin"))
            .addGrant(Role.create("admin"))
            .build();
    ProviderRequest request = mock(ProviderRequest.class);
    when(request.subject()).thenReturn(Optional.of(admin));
    when(request.service()).thenReturn(Optional.empty());

    Errors.Collector collector = Errors.collector();
    validator.validate(config, collector, request);
    collector.collect().checkValid();
}

Example 5 with RolesAllowed

Use of jakarta.annotation.security.RolesAllowed in project helidon by oracle.

From the class RoleValidatorTest, method testRolesAllowedPermit.

/**
 * A subject granted the {@code admin} role passes a method-level
 * {@code @RolesAllowed("admin")} check without errors.
 */
@Test
void testRolesAllowedPermit() {
    RoleValidator validator = RoleValidator.create();

    // Only a method-scope @RolesAllowed("admin") is declared.
    RolesAllowed methodRoles = mock(RolesAllowed.class);
    when(methodRoles.value()).thenReturn(new String[] { "admin" });

    SecurityLevel applicationLevel = mock(SecurityLevel.class);
    SecurityLevel classLevel = mock(SecurityLevel.class);
    when(classLevel.filterAnnotations(RolesAllowed.class, EndpointConfig.AnnotationScope.METHOD))
            .thenReturn(List.of(methodRoles));

    List<SecurityLevel> levels = new ArrayList<>(List.of(applicationLevel, classLevel));
    EndpointConfig endpoint = mock(EndpointConfig.class);
    when(endpoint.securityLevels()).thenReturn(levels);

    RoleValidator.RoleConfig config = validator.fromAnnotations(endpoint);

    // Subject "myAdmin" holds the admin role; there is no service identity.
    Subject admin = Subject.builder()
            .principal(Principal.create("myAdmin"))
            .addGrant(Role.create("admin"))
            .build();
    ProviderRequest request = mock(ProviderRequest.class);
    when(request.subject()).thenReturn(Optional.of(admin));
    when(request.service()).thenReturn(Optional.empty());

    Errors.Collector collector = Errors.collector();
    validator.validate(config, collector, request);
    collector.collect().checkValid();
}
