Example 1 with AccessDeniedException

Use of org.apache.deltaspike.security.api.authorization.AccessDeniedException in project deltaspike by apache.

Class SecuredAnnotationAuthorizer, method invokeVoters.

/**
 * Helper for invoking the given {@link AccessDecisionVoter}s
 *
 * @param invocationContext    current invocation-context (might be null in case of secured views)
 * @param accessDecisionVoters current access-decision-voters
 */
private void invokeVoters(InvocationContext invocationContext, List<Class<? extends AccessDecisionVoter>> accessDecisionVoters) {
    if (accessDecisionVoters.isEmpty()) {
        return;
    }
    AccessDecisionState voterState = AccessDecisionState.VOTE_IN_PROGRESS;
    try {
        if (voterContext instanceof EditableAccessDecisionVoterContext) {
            ((EditableAccessDecisionVoterContext) voterContext).setState(voterState);
            ((EditableAccessDecisionVoterContext) voterContext).setSource(invocationContext);
        }
        Set<SecurityViolation> violations;
        AccessDecisionVoter voter;
        for (Class<? extends AccessDecisionVoter> voterClass : accessDecisionVoters) {
            voter = BeanProvider.getContextualReference(voterClass, false);
            violations = voter.checkPermission(voterContext);
            if (violations != null && !violations.isEmpty()) {
                if (voterContext instanceof EditableAccessDecisionVoterContext) {
                    voterState = AccessDecisionState.VIOLATION_FOUND;
                    for (SecurityViolation securityViolation : violations) {
                        ((EditableAccessDecisionVoterContext) voterContext).addViolation(securityViolation);
                    }
                }
                this.exceptionBroadcaster.broadcastAccessDeniedException(new AccessDeniedException(violations));
            }
        }
    } finally {
        if (voterContext instanceof EditableAccessDecisionVoterContext) {
            if (AccessDecisionState.VOTE_IN_PROGRESS.equals(voterState)) {
                voterState = AccessDecisionState.NO_VIOLATION_FOUND;
            }
            ((EditableAccessDecisionVoterContext) voterContext).setState(voterState);
        }
    }
}
Also used : AccessDeniedException(org.apache.deltaspike.security.api.authorization.AccessDeniedException) AccessDecisionState(org.apache.deltaspike.security.api.authorization.AccessDecisionState) AccessDecisionVoter(org.apache.deltaspike.security.api.authorization.AccessDecisionVoter) SecurityViolation(org.apache.deltaspike.security.api.authorization.SecurityViolation) EditableAccessDecisionVoterContext(org.apache.deltaspike.security.spi.authorization.EditableAccessDecisionVoterContext)

Example 2 with AccessDeniedException

Use of org.apache.deltaspike.security.api.authorization.AccessDeniedException in project deltaspike by apache.

Class Authorizer, method authorize.

void authorize(final InvocationContext ic, final Object returnValue, BeanManager beanManager) throws IllegalAccessException, IllegalArgumentException {
    if (boundAuthorizerBean == null) {
        lazyInitTargetBean(beanManager);
    }
    final CreationalContext<?> creationalContext = beanManager.createCreationalContext(boundAuthorizerBean);
    Object reference = beanManager.getReference(boundAuthorizerBean, boundAuthorizerMethod.getJavaMember().getDeclaringClass(), creationalContext);
    Object result = boundAuthorizerMethodProxy.invoke(reference, creationalContext, new SecurityParameterValueRedefiner(creationalContext, ic, returnValue));
    if (Boolean.FALSE.equals(result)) {
        Set<SecurityViolation> violations = new HashSet<SecurityViolation>();
        violations.add(new SecurityViolation() {

            private static final long serialVersionUID = 2358753444038521129L;

            @Override
            public String getReason() {
                return "Authorization check failed";
            }
        });
        throw new AccessDeniedException(violations);
    }
}
Also used : AccessDeniedException(org.apache.deltaspike.security.api.authorization.AccessDeniedException) SecurityViolation(org.apache.deltaspike.security.api.authorization.SecurityViolation) SecurityParameterValueRedefiner(org.apache.deltaspike.security.impl.authorization.SecurityParameterValueRedefiner) HashSet(java.util.HashSet)

Example 3 with AccessDeniedException

Use of org.apache.deltaspike.security.api.authorization.AccessDeniedException in project deltaspike by apache.

Class BridgeExceptionHandlerWrapper, method processEvent.

@Override
public void processEvent(SystemEvent event) throws AbortProcessingException {
    // needed because #handle gets called too late in this case
    if (event instanceof ExceptionQueuedEvent) {
        ExceptionQueuedEvent exceptionQueuedEvent = (ExceptionQueuedEvent) event;
        FacesContext facesContext = exceptionQueuedEvent.getContext().getContext();
        if (facesContext.getCurrentPhaseId() == PhaseId.RENDER_RESPONSE && exceptionQueuedEvent.getContext().inBeforePhase()) {
            Throwable exception = getRootCause(exceptionQueuedEvent.getContext().getException());
            if (exception instanceof AccessDeniedException) {
                processAccessDeniedException(exception);
            } else {
                ExceptionToCatchEvent exceptionToCatchEvent = new ExceptionToCatchEvent(exception);
                exceptionToCatchEvent.setOptional(true);
                this.beanManager.fireEvent(exceptionToCatchEvent);
                if (exceptionToCatchEvent.isHandled()) {
                    return;
                }
            }
        }
    }
    super.processEvent(event);
}
Also used : ExceptionQueuedEvent(javax.faces.event.ExceptionQueuedEvent) FacesContext(javax.faces.context.FacesContext) ErrorViewAwareAccessDeniedException(org.apache.deltaspike.security.api.authorization.ErrorViewAwareAccessDeniedException) AccessDeniedException(org.apache.deltaspike.security.api.authorization.AccessDeniedException) ExceptionToCatchEvent(org.apache.deltaspike.core.api.exception.control.event.ExceptionToCatchEvent)

Example 4 with AccessDeniedException

Use of org.apache.deltaspike.security.api.authorization.AccessDeniedException in project deltaspike by apache.

Class BridgeExceptionHandlerWrapper, method handle.

@Override
public void handle() throws FacesException {
    FacesContext context = FacesContext.getCurrentInstance();
    if (context == null || context.getResponseComplete()) {
        return;
    }
    Iterable<ExceptionQueuedEvent> exceptionQueuedEvents = getUnhandledExceptionQueuedEvents();
    if (exceptionQueuedEvents != null && exceptionQueuedEvents.iterator() != null) {
        Iterator<ExceptionQueuedEvent> iterator = exceptionQueuedEvents.iterator();
        while (iterator.hasNext()) {
            Throwable throwable = iterator.next().getContext().getException();
            Throwable rootCause = getRootCause(throwable);
            if (rootCause instanceof AccessDeniedException) {
                processAccessDeniedException(rootCause);
                iterator.remove();
                continue;
            } else {
                ExceptionToCatchEvent event = new ExceptionToCatchEvent(rootCause, exceptionQualifier);
                event.setOptional(true);
                beanManager.fireEvent(event);
                if (event.isHandled()) {
                    iterator.remove();
                }
            }
            // a handle method might redirect and set responseComplete
            if (context.getResponseComplete()) {
                break;
            }
        }
    }
    super.handle();
}
Also used : FacesContext(javax.faces.context.FacesContext) ExceptionQueuedEvent(javax.faces.event.ExceptionQueuedEvent) ErrorViewAwareAccessDeniedException(org.apache.deltaspike.security.api.authorization.ErrorViewAwareAccessDeniedException) AccessDeniedException(org.apache.deltaspike.security.api.authorization.AccessDeniedException) ExceptionToCatchEvent(org.apache.deltaspike.core.api.exception.control.event.ExceptionToCatchEvent)

Aggregations

AccessDeniedException (org.apache.deltaspike.security.api.authorization.AccessDeniedException): 4
FacesContext (javax.faces.context.FacesContext): 2
ExceptionQueuedEvent (javax.faces.event.ExceptionQueuedEvent): 2
ExceptionToCatchEvent (org.apache.deltaspike.core.api.exception.control.event.ExceptionToCatchEvent): 2
ErrorViewAwareAccessDeniedException (org.apache.deltaspike.security.api.authorization.ErrorViewAwareAccessDeniedException): 2
SecurityViolation (org.apache.deltaspike.security.api.authorization.SecurityViolation): 2
HashSet (java.util.HashSet): 1
AccessDecisionState (org.apache.deltaspike.security.api.authorization.AccessDecisionState): 1
AccessDecisionVoter (org.apache.deltaspike.security.api.authorization.AccessDecisionVoter): 1
SecurityParameterValueRedefiner (org.apache.deltaspike.security.impl.authorization.SecurityParameterValueRedefiner): 1
EditableAccessDecisionVoterContext (org.apache.deltaspike.security.spi.authorization.EditableAccessDecisionVoterContext): 1