Example 81 with AccessDeniedException

Use of org.springframework.security.access.AccessDeniedException in project dhis2-core by dhis2.

The class SpringSecurityActionAccessResolver, method hasAccess.

// -------------------------------------------------------------------------
// ActionAccessResolver implementation
// -------------------------------------------------------------------------
@Override
public boolean hasAccess(String module, String name) {
    // ---------------------------------------------------------------------
    // Get ObjectDefinitionSource
    // ---------------------------------------------------------------------
    Configuration config = Dispatcher.getInstance().getConfigurationManager().getConfiguration();
    PackageConfig packageConfig = config.getPackageConfig(module);
    if (packageConfig == null) {
        throw new IllegalArgumentException("Module doesn't exist: '" + module + "'");
    }
    ActionConfig actionConfig = packageConfig.getActionConfigs().get(name);
    if (actionConfig == null) {
        throw new IllegalArgumentException("Module " + module + " doesn't have an action named: '" + name + "'");
    }
    SecurityMetadataSource securityMetadataSource = requiredAuthoritiesProvider.createSecurityMetadataSource(actionConfig);
    // ---------------------------------------------------------------------
    // Test access
    // ---------------------------------------------------------------------
    SecurityContext securityContext = SecurityContextHolder.getContext();
    Authentication authentication = securityContext.getAuthentication();
    try {
        if (securityMetadataSource.getAttributes(actionConfig) != null) {
            if (authentication == null || !authentication.isAuthenticated()) {
                return false;
            }
            accessDecisionManager.decide(authentication, actionConfig, securityMetadataSource.getAttributes(actionConfig));
        }
        log.debug("Access to [" + module + ", " + name + "]: TRUE");
        return true;
    } catch (AccessDeniedException e) {
        log.debug("Access to [" + module + ", " + name + "]: FALSE (access denied)");
        return false;
    } catch (InsufficientAuthenticationException e) {
        log.debug("Access to [" + module + ", " + name + "]: FALSE (insufficient authentication)");
        return false;
    }
}
Also used : ActionConfig(com.opensymphony.xwork2.config.entities.ActionConfig) AccessDeniedException(org.springframework.security.access.AccessDeniedException) Configuration(com.opensymphony.xwork2.config.Configuration) SecurityMetadataSource(org.springframework.security.access.SecurityMetadataSource) Authentication(org.springframework.security.core.Authentication) SecurityContext(org.springframework.security.core.context.SecurityContext) InsufficientAuthenticationException(org.springframework.security.authentication.InsufficientAuthenticationException) PackageConfig(com.opensymphony.xwork2.config.entities.PackageConfig)

Example 82 with AccessDeniedException

Use of org.springframework.security.access.AccessDeniedException in project dhis2-core by dhis2.

The class LogicalOrAccessDecisionManager, method decide.

// -------------------------------------------------------------------------
// Interface implementation
// -------------------------------------------------------------------------
@Override
public void decide(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes) throws AccessDeniedException, InsufficientAuthenticationException {
    AccessDeniedException ade = null;
    InsufficientAuthenticationException iae = null;
    for (AccessDecisionManager accessDecisionManager : accessDecisionManagers) {
        if (accessDecisionManager.supports(object.getClass())) {
            try {
                accessDecisionManager.decide(authentication, object, configAttributes);
                log.debug("ACCESS GRANTED [" + object.toString() + "]");
                return;
            } catch (AccessDeniedException e) {
                ade = e;
            } catch (InsufficientAuthenticationException e) {
                iae = e;
            }
        }
    }
    // Reached only when no manager granted access. The last denial is rethrown;
    // if no manager supported the object's class, nothing is thrown and the
    // call returns normally, which the caller interprets as access granted.
    log.debug("ACCESS DENIED [" + object.toString() + "]");
    if (ade != null) {
        throw ade;
    }
    if (iae != null) {
        throw iae;
    }
}
Also used : AccessDeniedException(org.springframework.security.access.AccessDeniedException) AccessDecisionManager(org.springframework.security.access.AccessDecisionManager) InsufficientAuthenticationException(org.springframework.security.authentication.InsufficientAuthenticationException)

Example 83 with AccessDeniedException

Use of org.springframework.security.access.AccessDeniedException in project engine by craftercms.

The class CrafterPageAccessManager, method checkAccess.

/**
 * Checks if the user has sufficient rights to access the specified page:
 *
 * <ol>
 *     <li>If the page doesn't contain any required role, no authentication is needed.</li>
 *     <li>If the page has the role "Anonymous", no authentication is needed.</li>
 *     <li>If the page has the role "Authenticated", just authentication is needed.</li>
 *     <li>If the page has any other roles, the user needs to have at least one of those roles.</li>
 * </ol>
 */
@RunIfSecurityEnabled
public void checkAccess(SiteItem page) {
    String pageUrl = page.getStoreUrl();
    Authentication auth = null;
    SecurityContext context = SecurityContextHolder.getContext();
    if (context != null && context.getAuthentication() != null) {
        auth = context.getAuthentication();
    }
    List<String> authorizedRoles = getAuthorizedRolesForPage(page);
    if (CollectionUtils.isNotEmpty(authorizedRoles) && !containsRole("anonymous", authorizedRoles)) {
        // If auth == null it is anonymous
        if (auth == null || auth instanceof AnonymousAuthenticationToken) {
            throw new AccessDeniedException("User is anonymous but page '" + pageUrl + "' requires authentication");
        }
        if (!containsRole("authenticated", authorizedRoles) && !hasAnyRole(auth, authorizedRoles)) {
            throw new AccessDeniedException("User '" + auth.getName() + "' is not authorized " + "to view page '" + pageUrl + "'");
        }
    }
}
Also used : AccessDeniedException(org.springframework.security.access.AccessDeniedException) Authentication(org.springframework.security.core.Authentication) SecurityContext(org.springframework.security.core.context.SecurityContext) AnonymousAuthenticationToken(org.springframework.security.authentication.AnonymousAuthenticationToken) RunIfSecurityEnabled(org.craftercms.security.annotations.RunIfSecurityEnabled)

Example 84 with AccessDeniedException

Use of org.springframework.security.access.AccessDeniedException in project ontrack by nemerosa.

The class StructureServiceImpl, method getProjectList.

@Override
public List<Project> getProjectList() {
    SecuritySettings securitySettings = securityService.getSecuritySettings();
    List<Project> list = structureRepository.getProjectList();
    if (securitySettings.isGrantProjectViewToAll() || securityService.isGlobalFunctionGranted(ProjectList.class)) {
        return list;
    } else if (securityService.isLogged()) {
        return list.stream().filter(p -> securityService.isProjectFunctionGranted(p.id(), ProjectView.class)).collect(Collectors.toList());
    } else {
        throw new AccessDeniedException("Authentication is required.");
    }
}
Also used : AccessDeniedException(org.springframework.security.access.AccessDeniedException) SecuritySettings(net.nemerosa.ontrack.model.settings.SecuritySettings)

Example 85 with AccessDeniedException

Use of org.springframework.security.access.AccessDeniedException in project ontrack by nemerosa.

The class PropertyServiceImpl, method editProperty.

private <T> Ack editProperty(ProjectEntity entity, PropertyType<T> propertyType, T value) {
    // Checks that the current user is allowed to edit this property on the entity
    if (!propertyType.canEdit(entity, securityService)) {
        throw new AccessDeniedException("Property is not opened for edition.");
    }
    // Gets the JSON for the storage
    JsonNode storage = propertyType.forStorage(value);
    // Search key
    String searchKey = propertyType.getSearchKey(value);
    // Stores the property
    propertyRepository.saveProperty(propertyType.getClass().getName(), entity.getProjectEntityType(), entity.getId(), storage, searchKey);
    // Property change event
    eventPostService.post(eventFactory.propertyChange(entity, propertyType));
    // Listener
    propertyType.onPropertyChanged(entity, value);
    // OK
    return Ack.OK;
}
Also used : AccessDeniedException(org.springframework.security.access.AccessDeniedException) JsonNode(com.fasterxml.jackson.databind.JsonNode)
