Example 6 with AccessDecisionVoter

Use of org.springframework.security.access.AccessDecisionVoter in project spring-security by spring-projects.

Class AbstractSecurityWebSocketMessageBrokerConfigurer, method inboundChannelSecurity.

@Bean
public ChannelSecurityInterceptor inboundChannelSecurity() {
    ChannelSecurityInterceptor channelSecurityInterceptor = new ChannelSecurityInterceptor(inboundMessageSecurityMetadataSource());
    MessageExpressionVoter<Object> voter = new MessageExpressionVoter<Object>();
    voter.setExpressionHandler(getMessageExpressionHandler());
    List<AccessDecisionVoter<? extends Object>> voters = new ArrayList<AccessDecisionVoter<? extends Object>>();
    voters.add(voter);
    // AffirmativeBased grants access as soon as any one voter returns ACCESS_GRANTED.
    AffirmativeBased manager = new AffirmativeBased(voters);
    channelSecurityInterceptor.setAccessDecisionManager(manager);
    return channelSecurityInterceptor;
}
Also used : MessageExpressionVoter(org.springframework.security.messaging.access.expression.MessageExpressionVoter) AffirmativeBased(org.springframework.security.access.vote.AffirmativeBased) ArrayList(java.util.ArrayList) AccessDecisionVoter(org.springframework.security.access.AccessDecisionVoter) ChannelSecurityInterceptor(org.springframework.security.messaging.access.intercept.ChannelSecurityInterceptor) Bean(org.springframework.context.annotation.Bean)

Example 7 with AccessDecisionVoter

Use of org.springframework.security.access.AccessDecisionVoter in project spring-security by spring-projects.

Class GlobalMethodSecurityConfiguration, method accessDecisionManager.

/**
 * Allows subclasses to provide a custom {@link AccessDecisionManager}. The default is
 * a {@link AffirmativeBased} with the following voters:
 *
 * <ul>
 * <li>{@link PreInvocationAuthorizationAdviceVoter} (only when prePostEnabled() is true)</li>
 * <li>{@link Jsr250Voter} (only when jsr250Enabled() is true)</li>
 * <li>{@link RoleVoter}</li>
 * <li>{@link AuthenticatedVoter}</li>
 * </ul>
 *
 * @return the {@link AccessDecisionManager} to use
 */
protected AccessDecisionManager accessDecisionManager() {
    List<AccessDecisionVoter<? extends Object>> decisionVoters = new ArrayList<AccessDecisionVoter<? extends Object>>();
    ExpressionBasedPreInvocationAdvice expressionAdvice = new ExpressionBasedPreInvocationAdvice();
    expressionAdvice.setExpressionHandler(getExpressionHandler());
    if (prePostEnabled()) {
        decisionVoters.add(new PreInvocationAuthorizationAdviceVoter(expressionAdvice));
    }
    if (jsr250Enabled()) {
        decisionVoters.add(new Jsr250Voter());
    }
    decisionVoters.add(new RoleVoter());
    decisionVoters.add(new AuthenticatedVoter());
    return new AffirmativeBased(decisionVoters);
}
Also used : AuthenticatedVoter(org.springframework.security.access.vote.AuthenticatedVoter) Jsr250Voter(org.springframework.security.access.annotation.Jsr250Voter) AffirmativeBased(org.springframework.security.access.vote.AffirmativeBased) ArrayList(java.util.ArrayList) RoleVoter(org.springframework.security.access.vote.RoleVoter) AccessDecisionVoter(org.springframework.security.access.AccessDecisionVoter) ExpressionBasedPreInvocationAdvice(org.springframework.security.access.expression.method.ExpressionBasedPreInvocationAdvice) PreInvocationAuthorizationAdviceVoter(org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter)

Example 8 with AccessDecisionVoter

Use of org.springframework.security.access.AccessDecisionVoter in project spring-security by spring-projects.

Class ConsensusBased, method decide.

// ~ Methods
// ========================================================================================================
/**
 * This concrete implementation simply polls all configured
 * {@link AccessDecisionVoter}s and upon completion determines the consensus of
 * granted against denied responses.
 * <p>
 * If there were an equal number of grant and deny votes, the decision will be based
 * on the {@link #isAllowIfEqualGrantedDeniedDecisions()} property (defaults to true).
 * <p>
 * If every <code>AccessDecisionVoter</code> abstained from voting, the decision will
 * be based on the {@link #isAllowIfAllAbstainDecisions()} property (defaults to
 * false).
 *
 * @param authentication the caller invoking the method
 * @param object the secured object
 * @param configAttributes the configuration attributes associated with the method
 * being invoked
 *
 * @throws AccessDeniedException if access is denied
 */
public void decide(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes) throws AccessDeniedException {
    int grant = 0;
    int deny = 0;
    int abstain = 0;
    for (AccessDecisionVoter voter : getDecisionVoters()) {
        int result = voter.vote(authentication, object, configAttributes);
        if (logger.isDebugEnabled()) {
            logger.debug("Voter: " + voter + ", returned: " + result);
        }
        switch(result) {
            case AccessDecisionVoter.ACCESS_GRANTED:
                grant++;
                break;
            case AccessDecisionVoter.ACCESS_DENIED:
                deny++;
                break;
            default:
                abstain++;
                break;
        }
    }
    if (grant > deny) {
        return;
    }
    if (deny > grant) {
        throw new AccessDeniedException(messages.getMessage("AbstractAccessDecisionManager.accessDenied", "Access is denied"));
    }
    if ((grant == deny) && (grant != 0)) {
        if (this.allowIfEqualGrantedDeniedDecisions) {
            return;
        } else {
            throw new AccessDeniedException(messages.getMessage("AbstractAccessDecisionManager.accessDenied", "Access is denied"));
        }
    }
    // To get this far, every AccessDecisionVoter abstained
    checkAllowIfAllAbstainDecisions();
}
Also used : AccessDeniedException(org.springframework.security.access.AccessDeniedException) AccessDecisionVoter(org.springframework.security.access.AccessDecisionVoter)