
Example 1 with ClaimBean

use of org.apache.cxf.rt.security.claims.ClaimBean in project cxf by apache.

From the class ClaimsAuthorizingInterceptorTest, method testUserInRoleAndClaims:

/**
 * Positive path: a caller holding the "admin" role and a SAML claim with format "a",
 * name "b" and value "c" passes both the role interceptor and the claims interceptor.
 * Negative path: the role interceptor rejects a caller holding only the "user" role.
 *
 * NOTE(review): the denial asserted below goes through the role interceptor only; the
 * claims interceptor is never driven with a non-matching claim, so a regression in
 * ClaimsAuthorizingInterceptor.authorize() that let mismatched values through would
 * not be caught by this test.
 */
@Test
public void testUserInRoleAndClaims() throws Exception {
    SecureAnnotationsInterceptor roleInterceptor = new SecureAnnotationsInterceptor();
    roleInterceptor.setAnnotationClassName(SecureRole.class.getName());
    roleInterceptor.setSecuredObject(new TestService2());

    Message message = prepareMessage(TestService2.class, "test",
        createDefaultClaim("admin"), createClaim("a", "b", "c"));
    roleInterceptor.handleMessage(message);

    SAMLClaim requiredClaim = new SAMLClaim();
    requiredClaim.setNameFormat("a");
    requiredClaim.setName("b");
    requiredClaim.addValue("c");
    // The mode passed here is null. authorize() only denies a missing claim when the
    // mode equals STRICT, so (unless ClaimBean substitutes a default) a caller without
    // this claim at all would be skipped rather than rejected.
    ClaimsAuthorizingInterceptor claimsInterceptor = new ClaimsAuthorizingInterceptor();
    claimsInterceptor.setClaims(Collections.singletonMap("test",
        Collections.singletonList(new ClaimBean(requiredClaim, "a", null, false))));
    claimsInterceptor.handleMessage(message);

    try {
        roleInterceptor.handleMessage(
            prepareMessage(TestService2.class, "test", createDefaultClaim("user")));
        fail("AccessDeniedException expected");
    } catch (AccessDeniedException expected) {
        // denial is the expected outcome for the "user" role
    }
}

Example 2 with ClaimBean

use of org.apache.cxf.rt.security.claims.ClaimBean in project cxf by apache.

From the class ClaimsAuthorizingInterceptor, method getClaims:

/**
 * Converts the {@code @Claims} / {@code @Claim} annotations found on a class or method
 * into the {@link ClaimBean} requirements that {@code authorize} later enforces.
 *
 * @param claimsAnn the container annotation, or {@code null}; when present it takes
 *                  precedence and {@code claimAnn} is ignored
 * @param claimAnn  a single annotation, or {@code null}
 * @return one bean per annotation, in declaration order; an empty (mutable) list when
 *         both arguments are {@code null}
 */
private List<ClaimBean> getClaims(Claims claimsAnn, Claim claimAnn) {
    if (claimsAnn == null && claimAnn == null) {
        return new ArrayList<>();
    }
    final List<Claim> declared = claimsAnn != null
        ? Arrays.asList(claimsAnn.value())
        : Collections.singletonList(claimAnn);
    final List<ClaimBean> beans = new ArrayList<>(declared.size());
    for (Claim ann : declared) {
        // Substitute a configured alias for the annotation's name / format, if one exists.
        final String rawName = ann.name();
        final String claimName = nameAliases.containsKey(rawName) ? nameAliases.get(rawName) : rawName;
        final String rawFormat = ann.format();
        final String claimFormat = formatAliases.containsKey(rawFormat) ? formatAliases.get(rawFormat) : rawFormat;

        final org.apache.cxf.rt.security.claims.Claim required = new org.apache.cxf.rt.security.claims.Claim();
        required.setClaimType(claimName);
        for (String acceptedValue : ann.value()) {
            required.addValue(acceptedValue);
        }
        // mode (whether a missing claim denies) and matchAll (whether every required value
        // must be present) are taken verbatim from the annotation; authorize() reads both.
        beans.add(new ClaimBean(required, claimFormat, ann.mode(), ann.matchAll()));
    }
    return beans;
}

Example 3 with ClaimBean

use of org.apache.cxf.rt.security.claims.ClaimBean in project cxf by apache.

From the class ClaimsAuthorizingInterceptor, method findClaims:

/**
 * Scans {@code cls} for claim requirements and records them in {@code claims}, keyed by
 * method name. Class-level annotations apply to every public method unless
 * {@code isClaimOverridden} says the method declares its own version of that claim.
 *
 * <p>Security notes grounded in this code:
 * <ul>
 *   <li>The key is the simple method name, so overloaded methods collide and the last
 *       one returned by {@code getMethods()} (unspecified order) wins for all overloads.</li>
 *   <li>Every public method not in {@code SKIP_METHODS} gets an entry, even an empty one;
 *       {@code authorize} treats an empty list as "no requirement", i.e. such a method is
 *       not protected by this interceptor.</li>
 *   <li>The superclass and then the interfaces are only consulted if the class itself
 *       yielded no entries at all.</li>
 * </ul>
 *
 * @param cls the class to scan; {@code null} and {@code Object} end the recursion
 */
protected void findClaims(Class<?> cls) {
    if (cls == null || Object.class.equals(cls)) {
        return;
    }
    final List<ClaimBean> classLevel = getClaims(cls.getAnnotation(Claims.class), cls.getAnnotation(Claim.class));
    for (Method method : cls.getMethods()) {
        final String methodName = method.getName();
        if (SKIP_METHODS.contains(methodName)) {
            continue;
        }
        final List<ClaimBean> methodLevel = getClaims(method.getAnnotation(Claims.class), method.getAnnotation(Claim.class));
        // Method-level claims first, then any class-level claim the method did not override.
        final List<ClaimBean> effective = new ArrayList<>(methodLevel);
        for (ClaimBean inherited : classLevel) {
            if (!isClaimOverridden(inherited, methodLevel)) {
                effective.add(inherited);
            }
        }
        claims.put(methodName, effective);
    }
    if (claims.isEmpty()) {
        findClaims(cls.getSuperclass());
    }
    if (claims.isEmpty()) {
        for (Class<?> iface : cls.getInterfaces()) {
            findClaims(iface);
        }
    }
}

Example 4 with ClaimBean

use of org.apache.cxf.rt.security.claims.ClaimBean in project cxf by apache.

From the class ClaimsAuthorizingInterceptor, method authorize:

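/**
 * Decides whether the caller represented by {@code sc} satisfies every claim requirement
 * recorded for {@code method} (by {@code findClaims} or {@code setClaims}).
 *
 * <p>For each required {@link ClaimBean}:
 * <ul>
 *   <li>the first presented claim of the same type is selected: for a {@link SAMLClaim}
 *       both its name and name-format must equal the bean's claim type and claim format,
 *       otherwise only the claim type is compared. Any further presented claims of that
 *       type are ignored.</li>
 *   <li>no such claim: deny when the bean's mode is {@code STRICT}; any other mode,
 *       including {@code null}, skips the requirement.</li>
 *   <li>{@code matchAll}: the presented values must contain every required value;</li>
 *   <li>in all cases at least one presented value must be among the required values, so
 *       a bean with no required values can never be satisfied once its claim is found.</li>
 * </ul>
 * An empty requirement list authorizes unconditionally.
 *
 * @param sc     security context carrying the caller's claims
 * @param method the invoked service method; requirements are looked up by its simple name,
 *               so overloaded methods share one requirement list
 * @return {@code true} if all requirements hold, {@code false} to deny
 */
protected boolean authorize(ClaimsSecurityContext sc, Method method) {
    List<ClaimBean> list = claims.get(method.getName());
    if (list == null) {
        // Nothing was recorded for this method (never scanned or configured): deny
        // explicitly instead of failing with a NullPointerException below.
        return false;
    }
    org.apache.cxf.rt.security.claims.ClaimCollection actualClaims = sc.getClaims();
    for (ClaimBean claimBean : list) {
        org.apache.cxf.rt.security.claims.Claim required = claimBean.getClaim();
        org.apache.cxf.rt.security.claims.Claim matchingClaim = null;
        for (org.apache.cxf.rt.security.claims.Claim cl : actualClaims) {
            if (cl instanceof SAMLClaim) {
                // A SAML claim is identified by name + name-format; both must match what's configured
                SAMLClaim saml = (SAMLClaim) cl;
                if (saml.getName().equals(required.getClaimType())
                    && saml.getNameFormat().equals(claimBean.getClaimFormat())) {
                    matchingClaim = cl;
                    break;
                }
            } else if (cl.getClaimType().equals(required.getClaimType())) {
                matchingClaim = cl;
                break;
            }
        }
        if (matchingClaim == null) {
            if (claimBean.getClaimMode() == ClaimMode.STRICT) {
                return false;
            }
            // Any non-STRICT mode (including an unset/null one) makes the claim optional.
            continue;
        }
        List<Object> claimValues = required.getValues();
        List<Object> matchingClaimValues = matchingClaim.getValues();
        if (claimBean.isMatchAll() && !matchingClaimValues.containsAll(claimValues)) {
            return false;
        }
        // Even with matchAll, the presented claim must carry at least one required value.
        boolean matched = false;
        for (Object value : matchingClaimValues) {
            if (claimValues.contains(value)) {
                matched = true;
                break;
            }
        }
        if (!matched) {
            return false;
        }
    }
    return true;
}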
