Example 46 with AccessControlException

Use of java.security.AccessControlException in project jetbrick-template-1x by subchen.

Class SecurityManagerTestCase, method pkgAccess.

@Test
public void pkgAccess() throws Exception {
    try {
        JetTemplate template = engine.createTemplate("${new HashMap()}");
        UnsafeCharArrayWriter out = new UnsafeCharArrayWriter();
        template.render(new JetContext(), out);
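    } catch (AccessControlException e) {
        // Expected outcome: rendering the template was denied
        return;
    }
    // No exception means the template rendered, so the test fails
    Assert.fail();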
}
Also used: UnsafeCharArrayWriter (jetbrick.template.utils.UnsafeCharArrayWriter), AccessControlException (java.security.AccessControlException), Test (org.junit.Test)

Example 47 with AccessControlException

Use of java.security.AccessControlException in project jetbrick-template-1x by subchen.

Class SecurityManagerTestCase, method fieldAccess.

@Test
public void fieldAccess() throws Exception {
    try {
        JetTemplate template = engine.createTemplate("${@Integer.MAX_VALUE}");
        UnsafeCharArrayWriter out = new UnsafeCharArrayWriter();
        template.render(new JetContext(), out);
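    } catch (AccessControlException e) {
        // Expected outcome: rendering the template was denied
        return;
    }
    // No exception means the template rendered, so the test fails
    Assert.fail();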
}
Also used: UnsafeCharArrayWriter (jetbrick.template.utils.UnsafeCharArrayWriter), AccessControlException (java.security.AccessControlException), Test (org.junit.Test)

Example 48 with AccessControlException

Use of java.security.AccessControlException in project ORCID-Source by ORCID.

Class MemberV2ApiServiceDelegator_GeneralTest, method testSearchByQueryBadScope.

@Test(expected = AccessControlException.class)
public void testSearchByQueryBadScope() {
    OrcidSecurityManager orcidSecurityManager = Mockito.mock(OrcidSecurityManagerImpl.class);
    Mockito.doThrow(new AccessControlException("some problem with scope")).when(orcidSecurityManager).checkScopes(Mockito.any(ScopePathType.class));
    MemberV2ApiServiceDelegatorImpl delegator = new MemberV2ApiServiceDelegatorImpl();
    ReflectionTestUtils.setField(delegator, "orcidSecurityManager", orcidSecurityManager);
    delegator.searchByQuery(new HashMap<>());
}
Also used: ScopePathType (org.orcid.jaxb.model.message.ScopePathType), MemberV2ApiServiceDelegatorImpl (org.orcid.api.memberV2.server.delegator.impl.MemberV2ApiServiceDelegatorImpl), OrcidSecurityManager (org.orcid.core.manager.OrcidSecurityManager), AccessControlException (java.security.AccessControlException), OrcidAccessControlException (org.orcid.core.exception.OrcidAccessControlException), DBUnitTest (org.orcid.test.DBUnitTest), Test (org.junit.Test)

Example 49 with AccessControlException

Use of java.security.AccessControlException in project ORCID-Source by ORCID.

Class DefaultPermissionChecker, method getVisibilitiesForOauth2Authentication.

private Set<Visibility> getVisibilitiesForOauth2Authentication(OAuth2Authentication oAuth2Authentication, OrcidMessage orcidMessage, ScopePathType requiredScope) {
    Set<Visibility> visibilities = new HashSet<Visibility>();
    visibilities.add(Visibility.PUBLIC);
    String orcid = orcidMessage.getOrcidProfile().getOrcidIdentifier().getPath();
    try {
        checkScopes(oAuth2Authentication, requiredScope);
    } catch (AccessControlException e) {
        // Scope check failed: effectively means that the user can only see the public data
        return visibilities;
    }
    // we can allow for access of protected data
    if (!oAuth2Authentication.isClientOnly() && oAuth2Authentication.getPrincipal() != null && ProfileEntity.class.isAssignableFrom(oAuth2Authentication.getPrincipal().getClass())) {
        ProfileEntity principal = (ProfileEntity) oAuth2Authentication.getPrincipal();
        visibilities.add(Visibility.REGISTERED_ONLY);
        if (principal != null && principal.getId().equals(orcid)) {
            Set<String> requestedScopes = oAuth2Authentication.getOAuth2Request().getScope();
            for (String scope : requestedScopes) {
                if (ScopePathType.hasStringScope(scope, requiredScope)) {
                    visibilities.add(Visibility.LIMITED);
                    break;
                }
            }
        }
    // This is a client credential authenticated client. If the profile
    // was created using this client and it
    // hasn't been claimed, it's theirs to read
    } else if (oAuth2Authentication.isClientOnly()) {
        OAuth2Request authorizationRequest = oAuth2Authentication.getOAuth2Request();
        String clientId = authorizationRequest.getClientId();
        String sponsorOrcid = getSponsorOrcid(orcidMessage);
        if (StringUtils.isNotBlank(sponsorOrcid) && clientId.equals(sponsorOrcid) && !orcidMessage.getOrcidProfile().getOrcidHistory().isClaimed()) {
            visibilities.add(Visibility.LIMITED);
            visibilities.add(Visibility.PRIVATE);
        }
    }
    return visibilities;
}
Also used: OAuth2Request (org.springframework.security.oauth2.provider.OAuth2Request), AccessControlException (java.security.AccessControlException), Visibility (org.orcid.jaxb.model.message.Visibility), ProfileEntity (org.orcid.persistence.jpa.entities.ProfileEntity), HashSet (java.util.HashSet)

Example 50 with AccessControlException

Use of java.security.AccessControlException in project ORCID-Source by ORCID.

Class DefaultPermissionChecker, method performClientChecks.

private void performClientChecks(OAuth2Authentication oAuth2Authentication, ScopePathType requiredScope, OrcidMessage orcidMessage, String orcid) {
    OAuth2Request authorizationRequest = oAuth2Authentication.getOAuth2Request();
    // as an update
    if (orcidMessage != null && orcidMessage.getOrcidProfile() != null && StringUtils.isNotBlank(orcid)) {
        OrcidIdentifier orcidOb = orcidMessage.getOrcidProfile().getOrcidIdentifier();
        String messageOrcid = orcidOb != null ? orcidOb.getPath() : orcid;
        if (StringUtils.isNotBlank(messageOrcid) && !orcid.equals(messageOrcid)) {
            throw new IllegalArgumentException("The ORCID in the body and the URI do NOT match. Body ORCID: " + messageOrcid + " URI ORCID: " + orcid + " do NOT match.");
        }
        profileEntityCacheManager.retrieve(messageOrcid);
        if (!profileEntityManager.existsAndNotClaimedAndBelongsTo(messageOrcid, authorizationRequest.getClientId())) {
            throw new AccessControlException("You cannot update this profile as it has been claimed, or you are not the owner.");
        }
    }
}
Also used: OAuth2Request (org.springframework.security.oauth2.provider.OAuth2Request), OrcidIdentifier (org.orcid.jaxb.model.message.OrcidIdentifier), AccessControlException (java.security.AccessControlException)

Aggregations

AccessControlException (java.security.AccessControlException): 62
IOException (java.io.IOException): 23
Test (org.junit.Test): 12
UserGroupInformation (org.apache.hadoop.security.UserGroupInformation): 9
ApplicationId (org.apache.hadoop.yarn.api.records.ApplicationId): 8
YarnException (org.apache.hadoop.yarn.exceptions.YarnException): 7
File (java.io.File): 6
InputStream (java.io.InputStream): 6
Permission (java.security.Permission): 6
ApplicationNotFoundException (org.apache.hadoop.yarn.exceptions.ApplicationNotFoundException): 5
UndeclaredThrowableException (java.lang.reflect.UndeclaredThrowableException): 4
HashSet (java.util.HashSet): 4
RMApp (org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMApp): 4
FileNotFoundException (java.io.FileNotFoundException): 3
ArrayList (java.util.ArrayList): 3
UnsafeCharArrayWriter (jetbrick.template.utils.UnsafeCharArrayWriter): 3
FileSystem (org.apache.hadoop.fs.FileSystem): 3
BufferedInputStream (java.io.BufferedInputStream): 2
ByteArrayInputStream (java.io.ByteArrayInputStream): 2
FileInputStream (java.io.FileInputStream): 2