Example 6 with AccessDeniedException

Use of org.apache.cxf.interceptor.security.AccessDeniedException in project cxf by apache.

The class SecurityOutFaultInterceptor, method handleMessage.

public void handleMessage(Message message) throws Fault {
    // The out-fault chain carries the Fault that aborted the in chain; inspect its cause.
    Fault fault = (Fault) message.getContent(Exception.class);
    Throwable ex = fault.getCause();
    if (!(ex instanceof SecurityException)) {
        throw new RuntimeException("Security Exception is expected");
    }
    HttpServletResponse response = (HttpServletResponse) message.getExchange().getInMessage().get(AbstractHTTPDestination.HTTP_RESPONSE);
    // AccessDeniedException (authenticated but not authorized) maps to 403 Forbidden;
    // any other SecurityException (authentication failure) maps to 401 Unauthorized.
    int status = ex instanceof AccessDeniedException ? 403 : 401;
    response.setStatus(status);
    try {
        // The exception message is written verbatim as the response body.
        response.getOutputStream().write(ex.getMessage().getBytes());
        response.getOutputStream().flush();
    } catch (IOException iex) {
        // ignore
    }
    // Stop further out-fault interceptors from processing this message.
    message.getInterceptorChain().abort();
}
Also used: AccessDeniedException(org.apache.cxf.interceptor.security.AccessDeniedException) HttpServletResponse(javax.servlet.http.HttpServletResponse) Fault(org.apache.cxf.interceptor.Fault) IOException(java.io.IOException)

Example 7 with AccessDeniedException

Use of org.apache.cxf.interceptor.security.AccessDeniedException in project ddf by codice.

The class CrlInterceptor, method handleMessage.

@Override
public void handleMessage(Message message) throws Fault {
    HttpServletRequest request = (HttpServletRequest) message.get(AbstractHTTPDestination.HTTP_REQUEST);
    // Client certificate chain presented during TLS mutual authentication, as exposed by the servlet container
    // (null when no client certificate was presented).
    X509Certificate[] certs = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
    // Reject the request if any certificate in the chain appears on a configured CRL.
    if (!crlChecker.passesCrlCheck(certs)) {
        throw new AccessDeniedException("Cannot complete request, certificate was revoked by CRL.");
    }
}
Also used: HttpServletRequest(javax.servlet.http.HttpServletRequest) AccessDeniedException(org.apache.cxf.interceptor.security.AccessDeniedException) X509Certificate(java.security.cert.X509Certificate)

Example 8 with AccessDeniedException

Use of org.apache.cxf.interceptor.security.AccessDeniedException in project cxf by apache.

The class ClaimsAuthorizingInterceptorTest, method testUserInRoleAndClaims.

@Test
public void testUserInRoleAndClaims() throws Exception {
    // Role-based check driven by @SecureRole annotations on TestService2.
    SecureAnnotationsInterceptor in = new SecureAnnotationsInterceptor();
    in.setAnnotationClassName(SecureRole.class.getName());
    in.setSecuredObject(new TestService2());
    Message m = prepareMessage(TestService2.class, "test", createDefaultClaim("admin"), createClaim("a", "b", "c"));
    in.handleMessage(m);
    // Claims-based check: method "test" additionally requires claim (nameFormat "a", name "b") with value "c".
    ClaimsAuthorizingInterceptor in2 = new ClaimsAuthorizingInterceptor();
    org.apache.cxf.rt.security.saml.claims.SAMLClaim claim = new org.apache.cxf.rt.security.saml.claims.SAMLClaim();
    claim.setNameFormat("a");
    claim.setName("b");
    claim.addValue("c");
    in2.setClaims(Collections.singletonMap("test", Collections.singletonList(new ClaimBean(claim))));
    in2.handleMessage(m);
    // A caller holding only the "user" role must be denied by the role check.
    try {
        in.handleMessage(prepareMessage(TestService2.class, "test", createDefaultClaim("user")));
        fail("AccessDeniedException expected");
    } catch (AccessDeniedException ex) {
        // expected
    }
}
Also used: SAMLClaim(org.apache.cxf.rt.security.saml.claims.SAMLClaim) Assert(org.junit.Assert) AccessDeniedException(org.apache.cxf.interceptor.security.AccessDeniedException) Message(org.apache.cxf.message.Message) ClaimBean(org.apache.cxf.rt.security.saml.claims.ClaimBean) SecureAnnotationsInterceptor(org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor) Test(org.junit.Test)

Example 9 with AccessDeniedException

Use of org.apache.cxf.interceptor.security.AccessDeniedException in project cxf by apache.

The class ClaimsAuthorizingInterceptor, method handleMessage.

public void handleMessage(Message message) throws Fault {
    // Fail closed: without a claims-capable security context nothing can be authorized.
    SecurityContext sc = message.get(SecurityContext.class);
    if (!(sc instanceof ClaimsSecurityContext)) {
        throw new AccessDeniedException("Security Context is unavailable or unrecognized");
    }
    // Likewise deny when the target service method cannot be resolved.
    Method method = MessageUtils.getTargetMethod(message).orElseThrow(() -> new AccessDeniedException("Method is not available : Unauthorized"));
    if (authorize((ClaimsSecurityContext) sc, method)) {
        return;
    }
    throw new AccessDeniedException("Unauthorized");
}
Also used: AccessDeniedException(org.apache.cxf.interceptor.security.AccessDeniedException) ClaimsSecurityContext(org.apache.cxf.rt.security.claims.ClaimsSecurityContext) SecurityContext(org.apache.cxf.security.SecurityContext) Method(java.lang.reflect.Method)

Example 10 with AccessDeniedException

Use of org.apache.cxf.interceptor.security.AccessDeniedException in project cxf by apache.

The class ClaimsAuthorizingInterceptorTest, method testNonSAMLClaimDefaultNameAndFormat.

@Test
public void testNonSAMLClaimDefaultNameAndFormat() throws Exception {
    // Caller holds roles "admin" and "user" plus an authentication-method claim.
    org.apache.cxf.rt.security.claims.Claim claim1 = new org.apache.cxf.rt.security.claims.Claim();
    claim1.setClaimType("role");
    claim1.setValues(Arrays.asList("admin", "user"));
    org.apache.cxf.rt.security.claims.Claim claim2 = new org.apache.cxf.rt.security.claims.Claim();
    claim2.setClaimType("http://authentication");
    claim2.setValues(Arrays.asList("password"));
    Message m = prepareMessage(TestService.class, "claimWithSpecificName", "role", claim1, claim2);
    interceptor.handleMessage(m);
    // Dropping the "admin" value from the role claim must make the same call fail.
    try {
        claim1.setValues(Arrays.asList("user"));
        m = prepareMessage(TestService.class, "claimWithSpecificName", "role", claim1, claim2);
        interceptor.handleMessage(m);
        fail("AccessDeniedException expected");
    } catch (AccessDeniedException ex) {
        // expected
    }
}
Also used: AccessDeniedException(org.apache.cxf.interceptor.security.AccessDeniedException) Message(org.apache.cxf.message.Message) Claim(org.apache.cxf.security.claims.authorization.Claim) SAMLClaim(org.apache.cxf.rt.security.claims.SAMLClaim) Test(org.junit.Test)

Aggregations (class, fully qualified name, number of examples using it)

AccessDeniedException (org.apache.cxf.interceptor.security.AccessDeniedException) 12
SecurityContext (org.apache.cxf.security.SecurityContext) 4
Method (java.lang.reflect.Method) 3
Message (org.apache.cxf.message.Message) 3
Test (org.junit.Test) 3
IOException (java.io.IOException) 2
Principal (java.security.Principal) 2
ArrayList (java.util.ArrayList) 2
Fault (org.apache.cxf.interceptor.Fault) 2
SecureAnnotationsInterceptor (org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor) 2
SAMLClaim (org.apache.cxf.rt.security.claims.SAMLClaim) 2
LoginSecurityContext (org.apache.cxf.security.LoginSecurityContext) 2
HttpRequest (com.google.api.client.http.HttpRequest) 1
Subject (ddf.security.Subject) 1
SecurityAssertion (ddf.security.assertion.SecurityAssertion) 1
CollectionPermission (ddf.security.permission.CollectionPermission) 1
KeyValueCollectionPermissionImpl (ddf.security.permission.impl.KeyValueCollectionPermissionImpl) 1
SecurityServiceException (ddf.security.service.SecurityServiceException) 1
InputStream (java.io.InputStream) 1
X509Certificate (java.security.cert.X509Certificate) 1