Example 6 with RolesAllowed

Use of jakarta.annotation.security.RolesAllowed in project spring-security by spring-projects.

The class Jsr250MethodSecurityMetadataSource, method processAnnotations.

private List<ConfigAttribute> processAnnotations(Annotation[] annotations) {
    if (annotations == null || annotations.length == 0) {
        return null;
    }
    List<ConfigAttribute> attributes = new ArrayList<>();
    // The first JSR-250 annotation encountered wins; any later ones are ignored.
    for (Annotation annotation : annotations) {
        if (annotation instanceof DenyAll) {
            attributes.add(Jsr250SecurityConfig.DENY_ALL_ATTRIBUTE);
            return attributes;
        }
        if (annotation instanceof PermitAll) {
            attributes.add(Jsr250SecurityConfig.PERMIT_ALL_ATTRIBUTE);
            return attributes;
        }
        if (annotation instanceof RolesAllowed) {
            RolesAllowed ra = (RolesAllowed) annotation;
            // Each listed role becomes one attribute, with the configured
            // role prefix (by default "ROLE_") applied when it is missing.
            for (String allowed : ra.value()) {
                String defaultedAllowed = getRoleWithDefaultPrefix(allowed);
                attributes.add(new Jsr250SecurityConfig(defaultedAllowed));
            }
            return attributes;
        }
    }
    // No JSR-250 annotation present: this source contributes no attributes.
    return null;
}
Also used: DenyAll (jakarta.annotation.security.DenyAll), RolesAllowed (jakarta.annotation.security.RolesAllowed), ConfigAttribute (org.springframework.security.access.ConfigAttribute), ArrayList (java.util.ArrayList), PermitAll (jakarta.annotation.security.PermitAll), Annotation (java.lang.annotation.Annotation)

Example 7 with RolesAllowed

Use of jakarta.annotation.security.RolesAllowed in project org.openntf.xsp.jakartaee by OpenNTF.

The class RolesAllowedFilter, method isAllowed.

private boolean isAllowed(ContainerRequestContext requestContext) {
    Method method = resourceInfo.getResourceMethod();
    Class<?> clazz = resourceInfo.getResourceClass();
    // Method-level @PermitAll and @DenyAll take precedence over any role list.
    if (method.isAnnotationPresent(PermitAll.class)) {
        return true;
    }
    if (method.isAnnotationPresent(DenyAll.class)) {
        return false;
    }
    // A method-level @RolesAllowed overrides the class-level one. Note that
    // class-level @PermitAll / @DenyAll are not consulted by this filter.
    RolesAllowed roles = method.getAnnotation(RolesAllowed.class);
    if (roles == null) {
        roles = clazz.getAnnotation(RolesAllowed.class);
    }
    if (roles != null) {
        SecurityContext sec = requestContext.getSecurityContext();
        // Membership in any one of the listed roles is sufficient.
        for (String role : roles.value()) {
            if (sec.isUserInRole(role)) {
                return true;
            }
        }
        return false;
    }
    // No security annotation on method or class: the request is allowed through.
    return true;
}
Also used: RolesAllowed (jakarta.annotation.security.RolesAllowed), SecurityContext (jakarta.ws.rs.core.SecurityContext), Method (java.lang.reflect.Method)

Example 8 with RolesAllowed

Use of jakarta.annotation.security.RolesAllowed in project resteasy by resteasy.

The class RoleBasedSecurityFeature, method configure.

@SuppressWarnings(value = "unchecked")
@Override
public void configure(ResourceInfo resourceInfo, FeatureContext configurable) {
    @SuppressWarnings("rawtypes")
    final Class declaring = resourceInfo.getResourceClass();
    final Method method = resourceInfo.getResourceMethod();
    if (declaring == null || method == null)
        return;
    String[] rolesAllowed = null;
    boolean denyAll;
    boolean permitAll;
    // The class-level @RolesAllowed applies unless the method declares its own.
    RolesAllowed allowed = (RolesAllowed) declaring.getAnnotation(RolesAllowed.class);
    RolesAllowed methodAllowed = method.getAnnotation(RolesAllowed.class);
    if (methodAllowed != null)
        allowed = methodAllowed;
    if (allowed != null) {
        rolesAllowed = allowed.value();
    }
    // A class-level @DenyAll counts unless the method carries its own @RolesAllowed
    // or @PermitAll; a method-level @DenyAll always counts.
    denyAll = (declaring.isAnnotationPresent(DenyAll.class)
            && !method.isAnnotationPresent(RolesAllowed.class)
            && !method.isAnnotationPresent(PermitAll.class))
            || method.isAnnotationPresent(DenyAll.class);
    // The same rule applies to @PermitAll.
    permitAll = (declaring.isAnnotationPresent(PermitAll.class)
            && !method.isAnnotationPresent(RolesAllowed.class)
            && !method.isAnnotationPresent(DenyAll.class))
            || method.isAnnotationPresent(PermitAll.class);
    // Register the filter only for resource methods that carry at least one of the three annotations.
    if (rolesAllowed != null || denyAll || permitAll) {
        RoleBasedSecurityFilter filter = new RoleBasedSecurityFilter(rolesAllowed, denyAll, permitAll);
        configurable.register(filter);
    }
}
Also used: RolesAllowed (jakarta.annotation.security.RolesAllowed), DenyAll (jakarta.annotation.security.DenyAll), Method (java.lang.reflect.Method), PermitAll (jakarta.annotation.security.PermitAll)

Example 9 with RolesAllowed

Use of jakarta.annotation.security.RolesAllowed in project helidon by oracle.

The class AbacProviderTest, method testMissingRoleValidator.

@Test
public void testMissingRoleValidator() {
    // A provider without a role validator registered.
    AbacProvider provider = AbacProvider.create();
    // this must be implicitly considered an attribute annotation
    RolesAllowed attrib = Mockito.mock(RolesAllowed.class);
    doReturn(RolesAllowed.class).when(attrib).annotationType();
    SecurityLevel level = SecurityLevel.create("mock")
            .withClassAnnotations(Map.of(RolesAllowed.class, List.of(attrib)))
            .build();
    EndpointConfig ec = EndpointConfig.builder().securityLevels(List.of(level)).build();
    ProviderRequest request = Mockito.mock(ProviderRequest.class);
    when(request.endpointConfig()).thenReturn(ec);
    AuthorizationResponse response = provider.syncAuthorize(request);
    // An annotation that no validator can enforce must fail closed, with a description saying why.
    assertThat(response.status(), is(SecurityResponse.SecurityStatus.FAILURE));
    assertThat(response.description(), not(Optional.empty()));
    response.description().ifPresent(desc ->
            assertThat(desc, containsString("RolesAllowed attribute annotation is not supported")));
}
Also used: RolesAllowed (jakarta.annotation.security.RolesAllowed), SecurityLevel (io.helidon.security.SecurityLevel), EndpointConfig (io.helidon.security.EndpointConfig), ProviderRequest (io.helidon.security.ProviderRequest), AuthorizationResponse (io.helidon.security.AuthorizationResponse), Test (org.junit.jupiter.api.Test)

Example 10 with RolesAllowed

Use of jakarta.annotation.security.RolesAllowed in project helidon by oracle.

The class RoleValidatorTest, method testRolesAllowedDeny.

@Test
void testRolesAllowedDeny() {
    RoleValidator validator = RoleValidator.create();
    // Mock a method-level @RolesAllowed({"admin"}) on the class security level.
    RolesAllowed annot = mock(RolesAllowed.class);
    String[] roleArray = new String[] { "admin" };
    when(annot.value()).thenReturn(roleArray);
    SecurityLevel appSecurityLevel = mock(SecurityLevel.class);
    SecurityLevel classSecurityLevel = mock(SecurityLevel.class);
    List<SecurityLevel> securityLevels = new ArrayList<>();
    securityLevels.add(appSecurityLevel);
    securityLevels.add(classSecurityLevel);
    EndpointConfig ep = mock(EndpointConfig.class);
    when(ep.securityLevels()).thenReturn(securityLevels);
    when(classSecurityLevel.filterAnnotations(RolesAllowed.class, EndpointConfig.AnnotationScope.METHOD))
            .thenReturn(List.of(annot));
    RoleValidator.RoleConfig rConfig = validator.fromAnnotations(ep);
    Errors.Collector collector = Errors.collector();
    // The subject holds only the "user" role, so the "admin" requirement must not be satisfied.
    ProviderRequest request = mock(ProviderRequest.class);
    when(request.subject()).thenReturn(Optional.of(Subject.builder()
            .principal(Principal.create("myAdmin"))
            .addGrant(Role.create("user"))
            .build()));
    when(request.service()).thenReturn(Optional.empty());
    validator.validate(rConfig, collector, request);
    if (collector.collect().isValid()) {
        fail("User is not in admin role, should have failed");
    }
}
Also used: Errors (io.helidon.common.Errors), RolesAllowed (jakarta.annotation.security.RolesAllowed), SecurityLevel (io.helidon.security.SecurityLevel), ArrayList (java.util.ArrayList), EndpointConfig (io.helidon.security.EndpointConfig), ProviderRequest (io.helidon.security.ProviderRequest), Test (org.junit.jupiter.api.Test)

Aggregations (number of examples using each type)

RolesAllowed (jakarta.annotation.security.RolesAllowed): 12
EndpointConfig (io.helidon.security.EndpointConfig): 7
SecurityLevel (io.helidon.security.SecurityLevel): 7
ArrayList (java.util.ArrayList): 7
ProviderRequest (io.helidon.security.ProviderRequest): 6
DenyAll (jakarta.annotation.security.DenyAll): 6
Test (org.junit.jupiter.api.Test): 6
Errors (io.helidon.common.Errors): 5
PermitAll (jakarta.annotation.security.PermitAll): 5
SecurityContext (jakarta.ws.rs.core.SecurityContext): 3
Annotation (java.lang.annotation.Annotation): 3
Method (java.lang.reflect.Method): 2
AuthorizationResponse (io.helidon.security.AuthorizationResponse): 1
AbacAnnotation (io.helidon.security.providers.abac.AbacAnnotation): 1
ForbiddenException (jakarta.ws.rs.ForbiddenException): 1
NotAuthorizedException (jakarta.ws.rs.NotAuthorizedException): 1
ConfigAttribute (org.springframework.security.access.ConfigAttribute): 1