Example 11 with AccessDeniedException

Use of org.apache.cxf.interceptor.security.AccessDeniedException in project cxf by apache.

The class ClaimsAuthorizingInterceptorTest, method testUserInRoleAndClaims.

```java
@Test
public void testUserInRoleAndClaims() throws Exception {
    // Role check: methods of TestService2 annotated with SecureRole require the named role
    SecureAnnotationsInterceptor in = new SecureAnnotationsInterceptor();
    in.setAnnotationClassName(SecureRole.class.getName());
    in.setSecuredObject(new TestService2());
    // The default claim carries the role ("admin"); the second claim is a/b with value c
    Message m = prepareMessage(TestService2.class, "test",
                               createDefaultClaim("admin"), createClaim("a", "b", "c"));
    in.handleMessage(m);

    // Claims check: operation "test" additionally requires claim a/b to hold value c
    ClaimsAuthorizingInterceptor in2 = new ClaimsAuthorizingInterceptor();
    SAMLClaim claim = new SAMLClaim();
    claim.setNameFormat("a");
    claim.setName("b");
    claim.addValue("c");
    in2.setClaims(Collections.singletonMap("test",
                  Collections.singletonList(new ClaimBean(claim, "a", null, false))));
    in2.handleMessage(m);

    // A subject presenting only the "user" role must be rejected by the role check
    try {
        in.handleMessage(prepareMessage(TestService2.class, "test", createDefaultClaim("user")));
        fail("AccessDeniedException expected");
    } catch (AccessDeniedException ex) {
        // expected
    }
}
```

Also used:
  org.apache.cxf.rt.security.claims.SAMLClaim
  org.apache.cxf.interceptor.security.AccessDeniedException
  org.apache.cxf.message.Message
  org.apache.cxf.rt.security.claims.ClaimBean
  org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor
  org.junit.Test

Example 12 with AccessDeniedException

Use of org.apache.cxf.interceptor.security.AccessDeniedException in project ddf by codice.

The class PEPAuthorizingInterceptor, method handleMessage.

```java
/**
 * Intercepts a message. Interceptors should NOT invoke handleMessage or handleFault on the next
 * interceptor - the interceptor chain will take care of this.
 *
 * @param message
 */
@Override
public void handleMessage(Message message) throws Fault {
    if (message != null) {
        // grab the SAML assertion associated with this Message from the
        // token store
        SecurityAssertion assertion = assertionRetriever.apply(message);
        boolean isPermitted = false;
        if ((assertion != null) && (assertion.getToken() != null)) {
            Subject user = null;
            CollectionPermission action = null;
            String actionURI = getActionUri(message);
            try {
                // resolve the subject for the token; a missing subject is a denial
                user = securityManager.getSubject(assertion.getToken());
                if (user == null) {
                    throw new AccessDeniedException(UNAUTH);
                }
                LOGGER.debug("Is user authenticated: {}", user.isAuthenticated());
                LOGGER.debug("Checking for permission");
                securityLogger.audit("Is Subject authenticated? " + user.isAuthenticated(), user);
                // fail closed when the requested action cannot be determined
                if (StringUtils.isEmpty(actionURI)) {
                    securityLogger.audit("Denying access to Subject for unknown action.", user);
                    throw new AccessDeniedException(UNAUTH);
                }
                action = new KeyValueCollectionPermissionImpl(actionURI);
                LOGGER.debug("Permission: {}", action);
                isPermitted = user.isPermitted(action);
                LOGGER.debug("Result of permission: {}", isPermitted);
                securityLogger.audit("Is Subject  permitted? " + isPermitted, user);
                // store the subject so the DDF framework can use it later
                ThreadContext.bind(user);
                message.put(SecurityConstants.SECURITY_TOKEN_KEY, user);
                LOGGER.debug("Added assertion information to message at key {}",
                             SecurityConstants.SECURITY_TOKEN_KEY);
            } catch (SecurityServiceException e) {
                // any failure while authenticating is treated as a denial, not as an error
                securityLogger.audit("Denying access : Caught exception when trying to authenticate user for service ["
                                     + actionURI + "]", e);
                throw new AccessDeniedException(UNAUTH);
            }
            // deny unless the subject holds a permission matching the action URI
            if (!isPermitted) {
                securityLogger.audit("Denying access to Subject for service: " + action.getAction(), user);
                throw new AccessDeniedException(UNAUTH);
            }
        } else {
            securityLogger.audit("Unable to retrieve the security assertion associated with the web service call.");
            throw new AccessDeniedException(UNAUTH);
        }
    } else {
        securityLogger.audit("Unable to retrieve the current message associated with the web service call.");
        throw new AccessDeniedException(UNAUTH);
    }
}
```

Also used:
  org.apache.cxf.interceptor.security.AccessDeniedException
  ddf.security.service.SecurityServiceException
  ddf.security.permission.impl.KeyValueCollectionPermissionImpl
  ddf.security.permission.CollectionPermission
  ddf.security.assertion.SecurityAssertion
  ddf.security.Subject

Aggregations

Classes used together with AccessDeniedException across the examples (number after each entry is the count of examples using it):

  AccessDeniedException (org.apache.cxf.interceptor.security.AccessDeniedException): 12
  SecurityContext (org.apache.cxf.security.SecurityContext): 4
  Method (java.lang.reflect.Method): 3
  Message (org.apache.cxf.message.Message): 3
  Test (org.junit.Test): 3
  IOException (java.io.IOException): 2
  Principal (java.security.Principal): 2
  ArrayList (java.util.ArrayList): 2
  Fault (org.apache.cxf.interceptor.Fault): 2
  SecureAnnotationsInterceptor (org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor): 2
  SAMLClaim (org.apache.cxf.rt.security.claims.SAMLClaim): 2
  LoginSecurityContext (org.apache.cxf.security.LoginSecurityContext): 2
  HttpRequest (com.google.api.client.http.HttpRequest): 1
  Subject (ddf.security.Subject): 1
  SecurityAssertion (ddf.security.assertion.SecurityAssertion): 1
  CollectionPermission (ddf.security.permission.CollectionPermission): 1
  KeyValueCollectionPermissionImpl (ddf.security.permission.impl.KeyValueCollectionPermissionImpl): 1
  SecurityServiceException (ddf.security.service.SecurityServiceException): 1
  InputStream (java.io.InputStream): 1
  X509Certificate (java.security.cert.X509Certificate): 1