
Example 1 with ErrorViewAwareAccessDeniedException

Use of org.apache.deltaspike.security.api.authorization.ErrorViewAwareAccessDeniedException in project deltaspike by apache.

The class SecurityAwareViewHandler, method createView.

/**
 * Creates the requested view through the wrapped handler and, when the security module is
 * active, checks whether access to it is allowed before returning it.
 * <p>
 * The access check runs with the freshly created view temporarily installed as the current
 * view root, so that voters using the JSF API see the requested view-id. The original view
 * root (and a copy of its view map, if it had one) is restored in the {@code finally} block
 * regardless of whether the check passed, failed or threw.
 * <p>
 * When access is denied via an {@link ErrorViewAwareAccessDeniedException}, the violation is
 * handled (with navigation only if the error view is configured for REDIRECT and the JSF
 * module config allows it, otherwise without navigation), the exception is broadcast, and
 * either the configured error view is created and returned instead of the requested one, or
 * the exception is re-thrown when no error-view descriptor could be resolved.
 *
 * @param context current faces context
 * @param viewId  id of the view to create
 * @return the requested view, or the configured error view if access was denied
 * @throws ErrorViewAwareAccessDeniedException if access is denied and no error view is available
 */
@Override
public UIViewRoot createView(FacesContext context, String viewId) {
    UIViewRoot result = this.wrapped.createView(context, viewId);
    // nothing to check unless this handler is active ...
    if (!this.activated) {
        return result;
    }
    // ... and the security module is available (resolved lazily on first use;
    // assumes lazyInit() assigns securityModuleActivated, otherwise the unboxing below would NPE - TODO confirm)
    if (this.securityModuleActivated == null) {
        lazyInit();
    }
    if (!this.securityModuleActivated) {
        return result;
    }
    // snapshot the original view root and a copy of its view map so both can be restored after the check
    UIViewRoot originalViewRoot = context.getViewRoot();
    Map<String, Object> viewMap = null;
    if (originalViewRoot != null) {
        Map<String, Object> originalViewMap = originalViewRoot.getViewMap(false);
        if (originalViewMap != null && !originalViewMap.isEmpty()) {
            viewMap = new HashMap<String, Object>();
            viewMap.putAll(originalViewMap);
        }
    }
    //workaround for PreDestroyViewMapEvent which would be caused by the security check (re-enabled in finally)
    deactivatePreDestroyViewMapEvent(context);
    //we have to use it as current view if an AccessDecisionVoter uses the JSF API to check access to the view-id
    context.setViewRoot(result);
    try {
        ViewRootAccessHandler viewRootAccessHandler = BeanProvider.getContextualReference(ViewRootAccessHandler.class);
        viewRootAccessHandler.checkAccessTo(result);
    } catch (ErrorViewAwareAccessDeniedException accessDeniedException) {
        ViewConfigResolver viewConfigResolver = BeanProvider.getContextualReference(ViewConfigResolver.class);
        ViewConfigDescriptor errorViewDescriptor = viewConfigResolver.getViewConfigDescriptor(accessDeniedException.getErrorView());
        try {
            // navigate only for REDIRECT error views and only if the module config asks for it;
            // NOTE(review): assumes the descriptor carries at least one @View entry - iterator().next() would fail otherwise, confirm
            if (errorViewDescriptor != null && View.NavigationMode.REDIRECT == errorViewDescriptor.getMetaData(View.class).iterator().next().navigation() && /*always available*/
            BeanProvider.getContextualReference(JsfModuleConfig.class).isAlwaysUseNavigationHandlerOnSecurityViolation()) {
                SecurityUtils.tryToHandleSecurityViolation(accessDeniedException);
            } else {
                SecurityUtils.handleSecurityViolationWithoutNavigation(accessDeniedException);
            }
        } finally {
            // observers are notified even if the handling above throws
            broadcastAccessDeniedException(accessDeniedException);
        }
        if (errorViewDescriptor != null) {
            // the denied view is never handed back; the error view replaces it
            return this.wrapped.createView(context, errorViewDescriptor.getViewId());
        } else {
            //stay on the previous page (including the error message)
            if (!context.isPostback() && context.getViewRoot() != null) {
                context.getViewRoot().setViewId(null);
            }
        }
        //security exception without error-view
        throw accessDeniedException;
    } finally {
        activatePreDestroyViewMapEvent(context);
        // undo the temporary setViewRoot(result) from above and restore the saved view map
        if (originalViewRoot != null) {
            context.setViewRoot(originalViewRoot);
            if (viewMap != null) {
                originalViewRoot.getViewMap().putAll(viewMap);
            }
        }
    }
    return result;
}

Example 2 with ErrorViewAwareAccessDeniedException

Use of org.apache.deltaspike.security.api.authorization.ErrorViewAwareAccessDeniedException in project deltaspike by apache.

The class BridgeExceptionHandlerWrapper, method processAccessDeniedException.

/**
 * Handles an access-denied exception without navigation, wrapping a plain
 * {@code AccessDeniedException} into an {@link ErrorViewAwareAccessDeniedException}
 * targeting {@link DefaultErrorView} first so that both cases reach the same handler.
 *
 * @param throwable the exception to process; presumably always an {@code AccessDeniedException}
 *                  (the cast below is unchecked - verify against the caller)
 */
private void processAccessDeniedException(Throwable throwable) {
    boolean alreadyErrorViewAware = throwable instanceof ErrorViewAwareAccessDeniedException;
    if (!alreadyErrorViewAware) {
        AccessDeniedException plainException = (AccessDeniedException) throwable;
        ErrorViewAwareAccessDeniedException wrappedException =
            new ErrorViewAwareAccessDeniedException(plainException.getViolations(), DefaultErrorView.class);
        SecurityUtils.handleSecurityViolationWithoutNavigation(wrappedException);
        return;
    }
    SecurityUtils.handleSecurityViolationWithoutNavigation((AccessDeniedException) throwable);
}

Example 3 with ErrorViewAwareAccessDeniedException

Use of org.apache.deltaspike.security.api.authorization.ErrorViewAwareAccessDeniedException in project deltaspike by apache.

The class SecurityUtils, method invokeVoters.

/**
 * Runs the {@link Secured} voters configured for a view-config descriptor and records the
 * outcome in the voter context.
 * <p>
 * Does nothing when the descriptor is {@code null} or carries no {@code @Secured} meta-data.
 * Otherwise the view-config class and every non-{@code @Secured} annotation are exposed to the
 * voters as context meta-data, the state is set to {@code VOTE_IN_PROGRESS} for the duration
 * of the vote, and the final state ({@code VIOLATION_FOUND} or {@code NO_VIOLATION_FOUND}) is
 * written back in the {@code finally} block even if the vote itself throws.
 *
 * @param accessDecisionVoterContext context that receives meta-data, state and violations
 * @param viewConfigDescriptor       descriptor of the view to check, may be {@code null}
 * @throws ErrorViewAwareAccessDeniedException if at least one voter reported a violation; the
 *         error view is taken from the first {@code @Secured} annotation
 */
public static void invokeVoters(EditableAccessDecisionVoterContext accessDecisionVoterContext, ConfigDescriptor<?> viewConfigDescriptor) {
    if (viewConfigDescriptor == null) {
        return;
    }
    List<Secured> securedAnnotations = viewConfigDescriptor.getMetaData(Secured.class);
    if (securedAnnotations.isEmpty()) {
        // view is not protected - nothing to vote on
        return;
    }

    // expose the view-config class and all other meta-data to the voters
    accessDecisionVoterContext.addMetaData(ViewConfig.class.getName(), viewConfigDescriptor.getConfigClass());
    for (Annotation metaData : viewConfigDescriptor.getMetaData()) {
        Class<? extends Annotation> annotationType = metaData.annotationType();
        if (Secured.class.equals(annotationType)) {
            continue;
        }
        accessDecisionVoterContext.addMetaData(annotationType.getName(), metaData);
    }

    Secured.Descriptor securedDescriptor =
        viewConfigDescriptor.getExecutableCallbackDescriptor(Secured.class, Secured.Descriptor.class);

    AccessDecisionState finalState = AccessDecisionState.VOTE_IN_PROGRESS;
    try {
        accessDecisionVoterContext.setState(AccessDecisionState.VOTE_IN_PROGRESS);
        List<Set<SecurityViolation>> voterResults = securedDescriptor.execute(accessDecisionVoterContext);
        Set<SecurityViolation> violations = createViolationResult(voterResults);
        if (violations.isEmpty()) {
            // finally block below records NO_VIOLATION_FOUND
            return;
        }
        finalState = AccessDecisionState.VIOLATION_FOUND;
        for (SecurityViolation violation : violations) {
            accessDecisionVoterContext.addViolation(violation);
        }
        Class<? extends ViewConfig> errorView = securedAnnotations.iterator().next().errorView();
        throw new ErrorViewAwareAccessDeniedException(violations, errorView);
    } finally {
        // a vote that ended without a recorded violation (including one that threw) counts as clean
        if (AccessDecisionState.VOTE_IN_PROGRESS.equals(finalState)) {
            finalState = AccessDecisionState.NO_VIOLATION_FOUND;
        }
        accessDecisionVoterContext.setState(finalState);
    }
}

Example 4 with ErrorViewAwareAccessDeniedException

Use of org.apache.deltaspike.security.api.authorization.ErrorViewAwareAccessDeniedException in project deltaspike by apache.

The class SecurityUtils, method tryToHandleSecurityViolation.

/**
 * Resolves the error view for a security violation and hands the violation to
 * {@code processApplicationSecurityException}.
 * <p>
 * The error view is taken from the exception itself unless it is absent or the
 * {@link DefaultErrorView} placeholder, in which case the default error-view config is looked
 * up via {@link ViewConfigResolver}. When no error view can be resolved and navigation is
 * allowed, the exception is re-thrown instead of being processed.
 *
 * @param runtimeException the exception to inspect
 * @param allowNavigation  whether navigating to the error view is permitted
 * @throws RuntimeException the given exception, unchanged, if it does not carry an
 *         {@link ErrorViewAwareAccessDeniedException}
 * @throws ErrorViewAwareAccessDeniedException if navigation is allowed but no error view exists
 */
private static void tryToHandleSecurityViolation(RuntimeException runtimeException, boolean allowNavigation) {
    ErrorViewAwareAccessDeniedException securityException = extractException(runtimeException);
    if (securityException == null) {
        // not a security violation at all - propagate untouched
        throw runtimeException;
    }

    Class<? extends ViewConfig> targetErrorView = securityException.getErrorView();
    // DefaultErrorView is only a marker; compared by name, so a re-loaded class still matches
    boolean isPlaceholder = targetErrorView == null
        || DefaultErrorView.class.getName().equals(targetErrorView.getName());
    if (isPlaceholder) {
        targetErrorView = null;
        ViewConfigResolver viewConfigResolver = BeanProvider.getContextualReference(ViewConfigResolver.class);
        ViewConfigDescriptor defaultErrorDescriptor = viewConfigResolver.getDefaultErrorViewConfigDescriptor();
        if (defaultErrorDescriptor != null) {
            targetErrorView = defaultErrorDescriptor.getConfigClass();
        }
    }

    if (targetErrorView == null && allowNavigation) {
        // nowhere to navigate to - let the caller deal with the violation
        throw securityException;
    }
    processApplicationSecurityException(securityException, targetErrorView, allowNavigation);
}
