use of org.apache.cxf.rt.security.saml.claims.ClaimBean in project cxf by apache.
the class ClaimsAuthorizingInterceptor method authorize.
protected boolean authorize(SAMLSecurityContext sc, Method method) {
List<ClaimBean> list = claims.get(method.getName());
org.apache.cxf.rt.security.claims.ClaimCollection actualClaims = sc.getClaims();
for (ClaimBean claimBean : list) {
org.apache.cxf.rt.security.claims.Claim claim = claimBean.getClaim();
org.apache.cxf.rt.security.claims.Claim matchingClaim = null;
for (org.apache.cxf.rt.security.claims.Claim cl : actualClaims) {
if (cl instanceof SAMLClaim && ((SAMLClaim) cl).getName().equals(((SAMLClaim) claim).getName()) && ((SAMLClaim) cl).getNameFormat().equals(((SAMLClaim) claim).getNameFormat())) {
matchingClaim = cl;
break;
}
}
if (matchingClaim == null) {
if (claimBean.getClaimMode() == ClaimMode.STRICT) {
return false;
}
continue;
}
List<Object> claimValues = claim.getValues();
List<Object> matchingClaimValues = matchingClaim.getValues();
if (claimBean.isMatchAll() && !matchingClaimValues.containsAll(claimValues)) {
return false;
}
boolean matched = false;
for (Object value : matchingClaimValues) {
if (claimValues.contains(value)) {
matched = true;
break;
}
}
if (!matched) {
return false;
}
}
return true;
}
use of org.apache.cxf.rt.security.saml.claims.ClaimBean in project cxf by apache.
the class ClaimsAuthorizingInterceptor method getClaims.
private List<ClaimBean> getClaims(Claims claimsAnn, Claim claimAnn) {
List<ClaimBean> claimsList = new ArrayList<>();
List<Claim> annClaims = new ArrayList<>();
if (claimsAnn != null) {
annClaims.addAll(Arrays.asList(claimsAnn.value()));
} else if (claimAnn != null) {
annClaims.add(claimAnn);
}
for (Claim ann : annClaims) {
SAMLClaim claim = new SAMLClaim();
String claimName = ann.name();
if (nameAliases.containsKey(claimName)) {
claimName = nameAliases.get(claimName);
}
String claimFormat = ann.format();
if (formatAliases.containsKey(claimFormat)) {
claimFormat = formatAliases.get(claimFormat);
}
claim.setName(claimName);
claim.setNameFormat(claimFormat);
for (String value : ann.value()) {
claim.addValue(value);
}
claimsList.add(new ClaimBean(claim, ann.mode(), ann.matchAll()));
}
return claimsList;
}
use of org.apache.cxf.rt.security.saml.claims.ClaimBean in project cxf by apache.
the class ClaimsAuthorizingInterceptorTest method testUserInRoleAndClaims.
@Test
public void testUserInRoleAndClaims() throws Exception {
SecureAnnotationsInterceptor in = new SecureAnnotationsInterceptor();
in.setAnnotationClassName(SecureRole.class.getName());
in.setSecuredObject(new TestService2());
Message m = prepareMessage(TestService2.class, "test", createDefaultClaim("admin"), createClaim("a", "b", "c"));
in.handleMessage(m);
ClaimsAuthorizingInterceptor in2 = new ClaimsAuthorizingInterceptor();
org.apache.cxf.rt.security.saml.claims.SAMLClaim claim = new org.apache.cxf.rt.security.saml.claims.SAMLClaim();
claim.setNameFormat("a");
claim.setName("b");
claim.addValue("c");
in2.setClaims(Collections.singletonMap("test", Collections.singletonList(new ClaimBean(claim))));
in2.handleMessage(m);
try {
in.handleMessage(prepareMessage(TestService2.class, "test", createDefaultClaim("user")));
fail("AccessDeniedException expected");
} catch (AccessDeniedException ex) {
// expected
}
}
use of org.apache.cxf.rt.security.saml.claims.ClaimBean in project cxf by apache.
the class ClaimsAuthorizingInterceptor method findClaims.
protected void findClaims(Class<?> cls) {
if (cls == null || cls == Object.class) {
return;
}
List<ClaimBean> clsClaims = getClaims(cls.getAnnotation(Claims.class), cls.getAnnotation(Claim.class));
for (Method m : cls.getMethods()) {
if (SKIP_METHODS.contains(m.getName())) {
continue;
}
List<ClaimBean> methodClaims = getClaims(m.getAnnotation(Claims.class), m.getAnnotation(Claim.class));
List<ClaimBean> allClaims = new ArrayList<>(methodClaims);
for (ClaimBean bean : clsClaims) {
if (isClaimOverridden(bean, methodClaims)) {
continue;
}
allClaims.add(bean);
}
claims.put(m.getName(), allClaims);
}
if (!claims.isEmpty()) {
return;
}
findClaims(cls.getSuperclass());
if (!claims.isEmpty()) {
return;
}
for (Class<?> interfaceCls : cls.getInterfaces()) {
findClaims(interfaceCls);
}
}
Aggregations