Search in sources :

Example 1 with SecurityDefinitionException

use of org.apache.deltaspike.security.api.authorization.SecurityDefinitionException in project deltaspike by apache.

the class SecurityExtension method validateBindings.

public void validateBindings(@Observes AfterBeanDiscovery event, BeanManager beanManager) {
    if (!isActivated) {
        return;
    }
    SecurityMetaDataStorage metaDataStorage = getMetaDataStorage();
    SecurityExtension parentExtension = ParentExtensionStorage.getParentExtension(this);
    if (parentExtension != null) {
        // also add the authorizers from the parent extension
        Set<Authorizer> parentAuthorizers = parentExtension.getMetaDataStorage().getAuthorizers();
        for (Authorizer parentAuthorizer : parentAuthorizers) {
            metaDataStorage.addAuthorizer(parentAuthorizer);
        }
    }
    metaDataStorage.registerSecuredMethods();
    for (final AnnotatedMethod<?> method : metaDataStorage.getSecuredMethods()) {
        // Here we simply want to validate that each method that is annotated with
        // one or more security bindings has a valid authorizer for each binding
        Class<?> targetClass = method.getDeclaringType().getJavaClass();
        Method targetMethod = method.getJavaMember();
        for (final Annotation annotation : SecurityUtils.getSecurityBindingTypes(targetClass, targetMethod)) {
            boolean found = false;
            Set<AuthorizationParameter> authorizationParameters = new HashSet<AuthorizationParameter>();
            for (AnnotatedParameter<?> parameter : (List<AnnotatedParameter<?>>) (List<?>) method.getParameters()) {
                Set<Annotation> securityParameterBindings = null;
                for (Annotation a : parameter.getAnnotations()) {
                    if (SecurityUtils.isMetaAnnotatedWithSecurityParameterBinding(a)) {
                        if (securityParameterBindings == null) {
                            securityParameterBindings = new HashSet<Annotation>();
                        }
                        securityParameterBindings.add(a);
                    }
                }
                if (securityParameterBindings != null) {
                    AuthorizationParameter authorizationParameter = new AuthorizationParameter(parameter.getBaseType(), securityParameterBindings);
                    authorizationParameters.add(authorizationParameter);
                }
            }
            // Validate the authorizer
            for (Authorizer auth : metaDataStorage.getAuthorizers()) {
                if (auth.matchesBindings(annotation, authorizationParameters, targetMethod.getReturnType())) {
                    found = true;
                    break;
                }
            }
            if (!found) {
                event.addDefinitionError(new SecurityDefinitionException("Secured type " + method.getDeclaringType().getJavaClass().getName() + " has no matching authorizer method for security binding @" + annotation.annotationType().getName()));
            }
        }
        for (final Annotation annotation : method.getAnnotations()) {
            if (SecurityUtils.isMetaAnnotatedWithSecurityBindingType(annotation)) {
                metaDataStorage.registerSecuredMethod(targetClass, targetMethod);
                break;
            }
        }
    }
    // Clear securedTypes, we don't require it any more
    metaDataStorage.resetSecuredMethods();
}
Also used : Method(java.lang.reflect.Method) AnnotatedMethod(javax.enterprise.inject.spi.AnnotatedMethod) Annotation(java.lang.annotation.Annotation) SecurityDefinitionException(org.apache.deltaspike.security.api.authorization.SecurityDefinitionException) List(java.util.List) HashSet(java.util.HashSet)

Example 2 with SecurityDefinitionException

use of org.apache.deltaspike.security.api.authorization.SecurityDefinitionException in project deltaspike by apache.

the class SecurityExtension method registerAuthorizer.

/**
     * Registers the specified authorizer method (i.e. a method annotated with
     * the @Secures annotation)
     *
     * @throws SecurityDefinitionException
     */
private void registerAuthorizer(AnnotatedMethod<?> annotatedMethod) {
    if (!annotatedMethod.getJavaMember().getReturnType().equals(Boolean.class) && !annotatedMethod.getJavaMember().getReturnType().equals(Boolean.TYPE)) {
        throw new SecurityDefinitionException("Invalid authorizer method [" + annotatedMethod.getJavaMember().getDeclaringClass().getName() + "." + annotatedMethod.getJavaMember().getName() + "] - does not return a boolean.");
    }
    // Locate the binding type
    Annotation binding = null;
    for (Annotation annotation : annotatedMethod.getAnnotations()) {
        if (SecurityUtils.isMetaAnnotatedWithSecurityBindingType(annotation)) {
            if (binding != null) {
                throw new SecurityDefinitionException("Invalid authorizer method [" + annotatedMethod.getJavaMember().getDeclaringClass().getName() + "." + annotatedMethod.getJavaMember().getName() + "] - declares multiple security binding types");
            }
            binding = annotation;
        }
    }
    Authorizer authorizer = new Authorizer(binding, annotatedMethod);
    getMetaDataStorage().addAuthorizer(authorizer);
}
Also used : SecurityDefinitionException(org.apache.deltaspike.security.api.authorization.SecurityDefinitionException) Annotation(java.lang.annotation.Annotation)

Example 3 with SecurityDefinitionException

use of org.apache.deltaspike.security.api.authorization.SecurityDefinitionException in project deltaspike by apache.

the class SecurityMetaDataStorage method registerSecuredMethod.

synchronized <T> void registerSecuredMethod(Class<T> targetClass, Method targetMethod) {
    ensureInitializedAuthorizersForClass(targetClass);
    if (!containsMethodAuthorizers(targetClass, targetMethod)) {
        Set<AuthorizationParameter> parameterBindings = new HashSet<AuthorizationParameter>();
        Class<?>[] parameterTypes = targetMethod.getParameterTypes();
        Annotation[][] parameterAnnotations = targetMethod.getParameterAnnotations();
        for (int i = 0; i < parameterTypes.length; i++) {
            Set<Annotation> securityBindings = null;
            for (final Annotation parameterAnnotation : parameterAnnotations[i]) {
                if (SecurityUtils.isMetaAnnotatedWithSecurityParameterBinding(parameterAnnotation)) {
                    if (securityBindings == null) {
                        securityBindings = new HashSet<Annotation>();
                    }
                    securityBindings.add(parameterAnnotation);
                }
            }
            if (securityBindings != null) {
                parameterBindings.add(new AuthorizationParameter(parameterTypes[i], securityBindings));
            }
        }
        Set<Authorizer> authorizerStack = new HashSet<Authorizer>();
        for (Annotation binding : SecurityUtils.getSecurityBindingTypes(targetClass, targetMethod)) {
            boolean found = false;
            // For each security binding, find a valid authorizer
            for (Authorizer authorizer : authorizers) {
                if (authorizer.matchesBindings(binding, parameterBindings, targetMethod.getReturnType())) {
                    if (found) {
                        StringBuilder sb = new StringBuilder();
                        sb.append("Matching authorizer methods found: [");
                        sb.append(authorizer.getBoundAuthorizerMethod().getDeclaringClass().getName());
                        sb.append(".");
                        sb.append(authorizer.getBoundAuthorizerMethod().getName());
                        sb.append("]");
                        for (Authorizer a : authorizerStack) {
                            if (a.matchesBindings(binding, parameterBindings, targetMethod.getReturnType())) {
                                sb.append(", [");
                                sb.append(a.getBoundAuthorizerMethod().getDeclaringClass().getName());
                                sb.append(".");
                                sb.append(a.getBoundAuthorizerMethod().getName());
                                sb.append("]");
                            }
                        }
                        throw new SecurityDefinitionException("Ambiguous authorizers found for security binding type [@" + binding.annotationType().getName() + "] on method [" + targetMethod.getDeclaringClass().getName() + "." + targetMethod.getName() + "]. " + sb.toString());
                    }
                    authorizerStack.add(authorizer);
                    found = true;
                }
            }
            if (!found) {
                throw new SecurityDefinitionException("No matching authorizer found for security binding type [@" + binding.annotationType().getName() + "] on method [" + targetMethod.getDeclaringClass().getName() + "." + targetMethod.getName() + "].");
            }
        }
        addMethodAuthorizer(targetClass, targetMethod, authorizerStack);
    }
}
Also used : Annotation(java.lang.annotation.Annotation) SecurityDefinitionException(org.apache.deltaspike.security.api.authorization.SecurityDefinitionException) HashSet(java.util.HashSet)

Aggregations

Annotation (java.lang.annotation.Annotation)3 SecurityDefinitionException (org.apache.deltaspike.security.api.authorization.SecurityDefinitionException)3 HashSet (java.util.HashSet)2 Method (java.lang.reflect.Method)1 List (java.util.List)1 AnnotatedMethod (javax.enterprise.inject.spi.AnnotatedMethod)1