Example 1 with SecurityViolation

Use of org.apache.deltaspike.security.api.authorization.SecurityViolation in project deltaspike by apache.

Class SecuredAnnotationAuthorizer, method invokeVoters:

/**
 * Helper for invoking the given {@link AccessDecisionVoter}s
 *
 * @param invocationContext    current invocation-context (might be null in case of secured views)
 * @param accessDecisionVoters current access-decision-voters
 */
private void invokeVoters(InvocationContext invocationContext, List<Class<? extends AccessDecisionVoter>> accessDecisionVoters) {
    if (accessDecisionVoters.isEmpty()) {
        return;
    }
    AccessDecisionState voterState = AccessDecisionState.VOTE_IN_PROGRESS;
    try {
        if (voterContext instanceof EditableAccessDecisionVoterContext) {
            ((EditableAccessDecisionVoterContext) voterContext).setState(voterState);
            ((EditableAccessDecisionVoterContext) voterContext).setSource(invocationContext);
        }
        Set<SecurityViolation> violations;
        AccessDecisionVoter voter;
        for (Class<? extends AccessDecisionVoter> voterClass : accessDecisionVoters) {
            // resolve the voter as a CDI contextual reference (optional=false: a missing bean is an error)
            voter = BeanProvider.getContextualReference(voterClass, false);
            violations = voter.checkPermission(voterContext);
            if (violations != null && !violations.isEmpty()) {
                // record every violation in the context before access is denied
                if (voterContext instanceof EditableAccessDecisionVoterContext) {
                    voterState = AccessDecisionState.VIOLATION_FOUND;
                    for (SecurityViolation securityViolation : violations) {
                        ((EditableAccessDecisionVoterContext) voterContext).addViolation(securityViolation);
                    }
                }
                // the first voter that reports violations hands an AccessDeniedException to the broadcaster
                this.exceptionBroadcaster.broadcastAccessDeniedException(new AccessDeniedException(violations));
            }
        }
    } finally {
        if (voterContext instanceof EditableAccessDecisionVoterContext) {
            if (AccessDecisionState.VOTE_IN_PROGRESS.equals(voterState)) {
                voterState = AccessDecisionState.NO_VIOLATION_FOUND;
            }
            ((EditableAccessDecisionVoterContext) voterContext).setState(voterState);
        }
    }
}
Also used : AccessDeniedException(org.apache.deltaspike.security.api.authorization.AccessDeniedException) AccessDecisionState(org.apache.deltaspike.security.api.authorization.AccessDecisionState) AccessDecisionVoter(org.apache.deltaspike.security.api.authorization.AccessDecisionVoter) SecurityViolation(org.apache.deltaspike.security.api.authorization.SecurityViolation) EditableAccessDecisionVoterContext(org.apache.deltaspike.security.spi.authorization.EditableAccessDecisionVoterContext)

Example 2 with SecurityViolation

Class Authorizer, method authorize:

void authorize(final InvocationContext ic, final Object returnValue, BeanManager beanManager) throws IllegalAccessException, IllegalArgumentException {
    if (boundAuthorizerBean == null) {
        lazyInitTargetBean(beanManager);
    }
    final CreationalContext<?> creationalContext = beanManager.createCreationalContext(boundAuthorizerBean);
    Object reference = beanManager.getReference(boundAuthorizerBean, boundAuthorizerMethod.getJavaMember().getDeclaringClass(), creationalContext);
    Object result = boundAuthorizerMethodProxy.invoke(reference, creationalContext, new SecurityParameterValueRedefiner(creationalContext, ic, returnValue));
    if (Boolean.FALSE.equals(result)) {
        Set<SecurityViolation> violations = new HashSet<SecurityViolation>();
        violations.add(new SecurityViolation() {

            private static final long serialVersionUID = 2358753444038521129L;

            @Override
            public String getReason() {
                return "Authorization check failed";
            }
        });
        throw new AccessDeniedException(violations);
    }
}
Also used : AccessDeniedException(org.apache.deltaspike.security.api.authorization.AccessDeniedException) SecurityViolation(org.apache.deltaspike.security.api.authorization.SecurityViolation) SecurityParameterValueRedefiner(org.apache.deltaspike.security.impl.authorization.SecurityParameterValueRedefiner) HashSet(java.util.HashSet)

Example 3 with SecurityViolation

Class SecurityUtils, method invokeVoters:

public static void invokeVoters(EditableAccessDecisionVoterContext accessDecisionVoterContext, ConfigDescriptor<?> viewConfigDescriptor) {
    if (viewConfigDescriptor == null) {
        return;
    }
    List<Secured> securedMetaData = viewConfigDescriptor.getMetaData(Secured.class);
    if (securedMetaData.isEmpty()) {
        return;
    }
    accessDecisionVoterContext.addMetaData(ViewConfig.class.getName(), viewConfigDescriptor.getConfigClass());
    for (Annotation viewMetaData : viewConfigDescriptor.getMetaData()) {
        if (!viewMetaData.annotationType().equals(Secured.class)) {
            accessDecisionVoterContext.addMetaData(viewMetaData.annotationType().getName(), viewMetaData);
        }
    }
    Secured.Descriptor securedDescriptor = viewConfigDescriptor.getExecutableCallbackDescriptor(Secured.class, Secured.Descriptor.class);
    AccessDecisionState voterState = AccessDecisionState.VOTE_IN_PROGRESS;
    try {
        accessDecisionVoterContext.setState(voterState);
        List<Set<SecurityViolation>> violations = securedDescriptor.execute(accessDecisionVoterContext);
        Set<SecurityViolation> allViolations = createViolationResult(violations);
        if (!allViolations.isEmpty()) {
            voterState = AccessDecisionState.VIOLATION_FOUND;
            for (SecurityViolation violation : allViolations) {
                accessDecisionVoterContext.addViolation(violation);
            }
            Class<? extends ViewConfig> errorView = securedMetaData.iterator().next().errorView();
            throw new ErrorViewAwareAccessDeniedException(allViolations, errorView);
        }
    } finally {
        if (AccessDecisionState.VOTE_IN_PROGRESS.equals(voterState)) {
            voterState = AccessDecisionState.NO_VIOLATION_FOUND;
        }
        accessDecisionVoterContext.setState(voterState);
    }
}
Also used : Set(java.util.Set) HashSet(java.util.HashSet) Secured(org.apache.deltaspike.security.api.authorization.Secured) ErrorViewAwareAccessDeniedException(org.apache.deltaspike.security.api.authorization.ErrorViewAwareAccessDeniedException) ViewConfig(org.apache.deltaspike.core.api.config.view.ViewConfig) AccessDecisionState(org.apache.deltaspike.security.api.authorization.AccessDecisionState) SecurityViolation(org.apache.deltaspike.security.api.authorization.SecurityViolation) Annotation(java.lang.annotation.Annotation)

Example 4 with SecurityViolation

Class DenyAllAccessDecisionVoter, method checkPermission:

@Override
public Set<SecurityViolation> checkPermission(AccessDecisionVoterContext accessDecisionVoterContext) {
    Set<SecurityViolation> violations = new HashSet<SecurityViolation>();
    violations.add(new SecurityViolation() {

        @Override
        public String getReason() {
            return "This is a deny all AccessDecisionVoter";
        }
    });
    return violations;
}
Also used : SecurityViolation(org.apache.deltaspike.security.api.authorization.SecurityViolation) HashSet(java.util.HashSet)

Example 5 with SecurityViolation

Class LoggedInAccessDecisionVoter, method checkPermission:

@Override
protected void checkPermission(AccessDecisionVoterContext context, Set<SecurityViolation> violations) {
    // a logged-in user produces no violations; anyone else is denied
    if (!loginController.isLoggedIn()) {
        violations.add(new SecurityViolation() {

            @Override
            public String getReason() {
                return "User must be logged in to access this resource";
            }
        });
        // remember the requested page
        deniedPage = viewConfigResolver.getViewConfigDescriptor(FacesContext.getCurrentInstance().getViewRoot().getViewId()).getConfigClass();
    }
}
Also used : SecurityViolation(org.apache.deltaspike.security.api.authorization.SecurityViolation)
