Use of org.springframework.security.access.AccessDeniedException in project dhis2-core by dhis2.
The class LogicalOrAccessDecisionManager, method decide.
// -------------------------------------------------------------------------
// Interface implementation
// -------------------------------------------------------------------------
@Override
public void decide(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes) throws AccessDeniedException, InsufficientAuthenticationException {
    // Logical OR over the configured delegates: every manager that supports the secured
    // object's class is asked in turn, and the first one that returns normally grants access.
    // Denials are remembered so the caller still gets a meaningful exception when no delegate
    // grants; an AccessDeniedException wins over an InsufficientAuthenticationException no
    // matter which delegate raised it or in which order.
    AccessDeniedException lastDenied = null;
    InsufficientAuthenticationException lastInsufficient = null;

    for (AccessDecisionManager delegate : accessDecisionManagers) {
        if (!delegate.supports(object.getClass())) {
            continue;
        }
        try {
            delegate.decide(authentication, object, configAttributes);
            LOG.debug("ACCESS GRANTED [" + object.toString() + "]");
            return; // one grant is enough
        } catch (AccessDeniedException denied) {
            lastDenied = denied;
        } catch (InsufficientAuthenticationException insufficient) {
            lastInsufficient = insufficient;
        }
    }

    LOG.debug("ACCESS DENIED [" + object.toString() + "]");
    if (lastDenied != null) {
        throw lastDenied;
    }
    if (lastInsufficient != null) {
        throw lastInsufficient;
    }
    // NOTE(review): reaching this point means no delegate supported the object's class (or the
    // delegate list is empty). The method then returns normally, i.e. access is granted, even
    // though the log line above reports "ACCESS DENIED". Confirm this fail-open default is
    // intended for every secured-object type routed through this manager.
}
Use of org.springframework.security.access.AccessDeniedException in project dhis2-core by dhis2.
The class SharingController, method setSharing.
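@RequestMapping(method = { RequestMethod.POST, RequestMethod.PUT }, consumes = MediaType.APPLICATION_JSON_VALUE)
public void setSharing(@RequestParam String type, @RequestParam String id, HttpServletResponse response, HttpServletRequest request) throws IOException, WebMessageException {
    /*
     * Replaces the sharing settings (public/external access, user and user-group accesses) of one
     * identifiable object with the settings posted in the request body.
     *
     * type     - object type name, resolved through aclService; must be shareable
     * id       - identifier of the object to update
     * response - target of the "Access control set" web message
     * request  - carries the JSON Sharing payload in its body
     *
     * Throws WebMessageException (conflict) for an unsupported type, a missing payload or a
     * malformed access string, WebMessageException (not found) for an unknown object, and
     * AccessDeniedException when the current user may not manage the object.
     */
    Class<? extends IdentifiableObject> sharingClass = aclService.classForType(type);
    if (sharingClass == null || !aclService.isShareable(sharingClass)) {
        throw new WebMessageException(WebMessageUtils.conflict("Type " + type + " is not supported."));
    }

    BaseIdentifiableObject object = (BaseIdentifiableObject) manager.get(sharingClass, id);
    if (object == null) {
        throw new WebMessageException(WebMessageUtils.notFound("Object of type " + type + " with ID " + id + " was not found."));
    }

    User user = currentUserService.getCurrentUser();
    if (!aclService.canManage(user, object)) {
        throw new AccessDeniedException("You do not have manage access to this object.");
    }

    Sharing sharing = renderService.fromJson(request.getInputStream(), Sharing.class);
    if (sharing == null || sharing.getObject() == null) {
        // A body without an "object" member would otherwise surface as a NullPointerException.
        throw new WebMessageException(WebMessageUtils.conflict("Sharing object is missing from the request body."));
    }

    // Validate every incoming access string before touching persistent state, so that a bad
    // entry late in the list cannot leave the object with its previous accesses already deleted
    // and only part of the new ones added.
    validateAccessStrings(sharing);

    // Public and external access may only be changed by users allowed to do so; otherwise the
    // posted values are silently ignored and the stored values are kept.
    if (aclService.canMakeExternal(user, object.getClass())) {
        object.setExternalAccess(sharing.getObject().hasExternalAccess());
    }
    if (aclService.canMakePublic(user, object.getClass())) {
        object.setPublicAccess(sharing.getObject().getPublicAccess());
    }
    if (object.getUser() == null) {
        object.setUser(user);
    }

    replaceUserGroupAccesses(object, sharing);
    replaceUserAccesses(object, sharing);

    manager.updateNoAcl(object);
    log.info(sharingToString(object));
    webMessageService.send(WebMessageUtils.ok("Access control set"), response, request);
}

/** Rejects the payload if the public access string or any user / user-group access string is malformed. */
private static void validateAccessStrings(Sharing sharing) throws WebMessageException {
    String publicAccess = sharing.getObject().getPublicAccess();
    if (!AccessStringHelper.isValid(publicAccess)) {
        throw new WebMessageException(WebMessageUtils.conflict("Invalid public access string: " + publicAccess));
    }
    for (SharingUserGroupAccess groupAccess : sharing.getObject().getUserGroupAccesses()) {
        if (!AccessStringHelper.isValid(groupAccess.getAccess())) {
            throw new WebMessageException(WebMessageUtils.conflict("Invalid user group access string: " + groupAccess.getAccess()));
        }
    }
    for (SharingUserAccess userAccess : sharing.getObject().getUserAccesses()) {
        if (!AccessStringHelper.isValid(userAccess.getAccess())) {
            throw new WebMessageException(WebMessageUtils.conflict("Invalid user access string: " + userAccess.getAccess()));
        }
    }
}

/** Deletes the object's current user-group accesses and stores the requested ones; unknown group ids are skipped. */
private void replaceUserGroupAccesses(BaseIdentifiableObject object, Sharing sharing) {
    Iterator<UserGroupAccess> existing = object.getUserGroupAccesses().iterator();
    while (existing.hasNext()) {
        UserGroupAccess userGroupAccess = existing.next();
        existing.remove();
        userGroupAccessService.deleteUserGroupAccess(userGroupAccess);
    }
    for (SharingUserGroupAccess requested : sharing.getObject().getUserGroupAccesses()) {
        UserGroup userGroup = manager.get(UserGroup.class, requested.getId());
        if (userGroup == null) {
            continue; // ignored without feedback, as the original did
        }
        UserGroupAccess userGroupAccess = new UserGroupAccess();
        userGroupAccess.setAccess(requested.getAccess());
        userGroupAccess.setUserGroup(userGroup);
        userGroupAccessService.addUserGroupAccess(userGroupAccess);
        object.getUserGroupAccesses().add(userGroupAccess);
    }
}

/** Deletes the object's current user accesses and stores the requested ones; unknown user ids are skipped. */
private void replaceUserAccesses(BaseIdentifiableObject object, Sharing sharing) {
    Iterator<UserAccess> existing = object.getUserAccesses().iterator();
    while (existing.hasNext()) {
        UserAccess userAccess = existing.next();
        existing.remove();
        userAccessService.deleteUserAccess(userAccess);
    }
    for (SharingUserAccess requested : sharing.getObject().getUserAccesses()) {
        User sharingUser = manager.get(User.class, requested.getId());
        if (sharingUser == null) {
            continue; // ignored without feedback, as the original did
        }
        UserAccess userAccess = new UserAccess();
        userAccess.setAccess(requested.getAccess());
        userAccess.setUser(sharingUser);
        userAccessService.addUserAccess(userAccess);
        object.getUserAccesses().add(userAccess);
    }
}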
Use of org.springframework.security.access.AccessDeniedException in project dhis2-core by dhis2.
The class SharingController, method getSharing.
// -------------------------------------------------------------------------
// Resources
// -------------------------------------------------------------------------
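@RequestMapping(method = RequestMethod.GET, produces = MediaType.APPLICATION_JSON_VALUE)
public void getSharing(@RequestParam String type, @RequestParam String id, HttpServletResponse response) throws IOException, WebMessageException {
    /*
     * Renders the sharing settings of one identifiable object as JSON.
     *
     * type     - object type name, resolved through aclService; must be shareable
     * id       - identifier of the object to describe
     * response - receives the JSON Sharing document
     *
     * Throws WebMessageException (conflict) for an unsupported type, WebMessageException
     * (not found) for an unknown object, and AccessDeniedException when the current user
     * may not read the object.
     */
    if (!aclService.isShareable(type)) {
        throw new WebMessageException(WebMessageUtils.conflict("Type " + type + " is not supported."));
    }

    Class<? extends IdentifiableObject> klass = aclService.classForType(type);
    // Same guard as setSharing: an unresolvable type name must not reach manager.get() as null.
    if (klass == null) {
        throw new WebMessageException(WebMessageUtils.conflict("Type " + type + " is not supported."));
    }

    IdentifiableObject object = manager.get(klass, id);
    if (object == null) {
        throw new WebMessageException(WebMessageUtils.notFound("Object of type " + type + " with ID " + id + " was not found."));
    }

    User user = currentUserService.getCurrentUser();
    if (!aclService.canRead(user, object)) {
        // Read access is all this endpoint requires, so the message says so.
        throw new AccessDeniedException("You do not have read access to this object.");
    }

    Sharing sharing = new Sharing();
    sharing.getMeta().setAllowPublicAccess(aclService.canMakePublic(user, object.getClass()));
    sharing.getMeta().setAllowExternalAccess(aclService.canMakeExternal(user, object.getClass()));

    sharing.getObject().setId(object.getUid());
    sharing.getObject().setName(object.getDisplayName());
    sharing.getObject().setDisplayName(object.getDisplayName());
    sharing.getObject().setExternalAccess(object.getExternalAccess());
    // An object with no stored public access is presented with a computed default.
    sharing.getObject().setPublicAccess(object.getPublicAccess() != null ? object.getPublicAccess() : defaultPublicAccess(user, klass));

    if (object.getUser() != null) {
        sharing.getObject().getUser().setId(object.getUser().getUid());
        sharing.getObject().getUser().setName(object.getUser().getDisplayName());
    }

    // NOTE(review): getUserGroup() / getUser() of the stored accesses are dereferenced without a
    // null check (unchanged from the original); an access row whose principal is missing would
    // surface as an unhandled NullPointerException.
    for (UserGroupAccess userGroupAccess : object.getUserGroupAccesses()) {
        sharing.getObject().getUserGroupAccesses().add(toSharingUserGroupAccess(userGroupAccess));
    }
    for (UserAccess userAccess : object.getUserAccesses()) {
        sharing.getObject().getUserAccesses().add(toSharingUserAccess(userAccess));
    }
    sharing.getObject().getUserGroupAccesses().sort(SharingUserGroupAccessNameComparator.INSTANCE);

    response.setContentType(MediaType.APPLICATION_JSON_UTF8_VALUE);
    renderService.toJson(response.getOutputStream(), sharing);
}

/** Public access shown when none is stored: read+write if the user may make the type public, otherwise none. */
private String defaultPublicAccess(User user, Class<? extends IdentifiableObject> klass) {
    if (aclService.canMakePublic(user, klass)) {
        return AccessStringHelper.newInstance().enable(AccessStringHelper.Permission.READ).enable(AccessStringHelper.Permission.WRITE).build();
    }
    return AccessStringHelper.newInstance().build();
}

/** Copies one stored user-group access into its JSON representation. */
private static SharingUserGroupAccess toSharingUserGroupAccess(UserGroupAccess userGroupAccess) {
    SharingUserGroupAccess dto = new SharingUserGroupAccess();
    dto.setId(userGroupAccess.getUserGroup().getUid());
    dto.setName(userGroupAccess.getUserGroup().getDisplayName());
    dto.setDisplayName(userGroupAccess.getUserGroup().getDisplayName());
    dto.setAccess(userGroupAccess.getAccess());
    return dto;
}

/** Copies one stored user access into its JSON representation. */
private static SharingUserAccess toSharingUserAccess(UserAccess userAccess) {
    SharingUserAccess dto = new SharingUserAccess();
    dto.setId(userAccess.getUser().getUid());
    dto.setName(userAccess.getUser().getDisplayName());
    dto.setDisplayName(userAccess.getUser().getDisplayName());
    dto.setAccess(userAccess.getAccess());
    return dto;
}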
Use of org.springframework.security.access.AccessDeniedException in project summerb by skarpushin.
The class RestExceptionTranslator, method determineFailureResult.
private DtoBase determineFailureResult(Exception ex, HttpServletRequest request, HttpServletResponse response) {
    // Maps a failed request's exception chain to an HTTP status (set on the response) and the
    // DTO returned to the client. Exception types are probed in a fixed order; the first match
    // decides. Anything unrecognised ends up as a 500 with a generic error result.

    // Field validation failures carry their own description object.
    FieldValidationException fieldError = ExceptionUtils.findExceptionOfType(ex, FieldValidationException.class);
    if (fieldError != null) {
        response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
        return fieldError.getErrorDescriptionObject();
    }

    // When the client sets the X_TRANSLATE_AUTHORIZATION_ERRORS header to "true", each of the
    // authorization-related outcomes below answers with a translated generic result instead of
    // its dedicated NotAuthorizedResult. The status code is unaffected.
    // NOTE(review): that generic result embeds an ExceptionInfo built from the exception and the
    // switch is driven solely by a request header; confirm ExceptionInfo exposes nothing a caller
    // should not see (the TODO at the end of this method raises the same concern for the 500 path).
    GenericServerErrorResult translated = null;
    if (Boolean.parseBoolean(request.getHeader(X_TRANSLATE_AUTHORIZATION_ERRORS))) {
        translated = new GenericServerErrorResult(exceptionTranslator.buildUserMessage(ex, LocaleContextHolder.getLocale()), new ExceptionInfo(ex));
    }

    NotAuthorizedException notAuthorized = ExceptionUtils.findExceptionOfType(ex, NotAuthorizedException.class);
    if (notAuthorized != null) {
        response.setStatus(HttpServletResponse.SC_FORBIDDEN);
        return translated != null ? translated : notAuthorized.getResult();
    }

    AuthenticationException authFailure = ExceptionUtils.findExceptionOfType(ex, AuthenticationException.class);
    if (authFailure != null) {
        // NOTE: See how we did that in AuthenticationFailureHandlerImpl...
        // Looks like we need to augment our custom RestLoginFilter so it
        // will put username to request
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        return translated != null ? translated : new NotAuthorizedResult("(username not resolved)", SecurityMessageCodes.AUTH_FATAL);
    }

    AccessDeniedException accessDenied = ExceptionUtils.findExceptionOfType(ex, AccessDeniedException.class);
    if (accessDenied != null) {
        // An anonymous caller is told to log in (401); an authenticated one is refused (403).
        boolean anonymous = authenticationTrustResolver.isAnonymous(SecurityContextHolder.getContext().getAuthentication());
        if (anonymous) {
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            return translated != null ? translated : new NotAuthorizedResult(getCurrentUser(null), SecurityMessageCodes.LOGIN_REQUIRED);
        }
        response.setStatus(HttpServletResponse.SC_FORBIDDEN);
        return translated != null ? translated : new NotAuthorizedResult(getCurrentUser(null), SecurityMessageCodes.ACCESS_DENIED);
    }

    CurrentUserNotFoundException noCurrentUser = ExceptionUtils.findExceptionOfType(ex, CurrentUserNotFoundException.class);
    if (noCurrentUser != null) {
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        return translated != null ? translated : new NotAuthorizedResult(getCurrentUser(null), SecurityMessageCodes.LOGIN_REQUIRED);
    }

    // TODO: Do we really need to send whole stack trace to client ??? I think we
    // should do it only during development
    response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
    return new GenericServerErrorResult(exceptionTranslator.buildUserMessage(ex, LocaleContextHolder.getLocale()), new ExceptionInfo(ex));
}
Use of org.springframework.security.access.AccessDeniedException in project jhipster-registry by jhipster.
The class ExceptionTranslatorTest, method processAccessDeniedExceptionTest.
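@Test
public void processAccessDeniedExceptionTest() throws Exception {
    // Verifies that an AccessDeniedException raised while the security context is consulted is
    // translated into a 403 and remains visible as the resolved exception of the request.

    // Install a security context that throws as soon as anything asks for the authentication.
    SecurityContext securityContext = Mockito.mock(SecurityContext.class);
    Mockito.when(securityContext.getAuthentication()).thenThrow(new AccessDeniedException(null));
    SecurityContextHolder.setContext(securityContext);
    try {
        MvcResult res = mock.perform(get("/api/account")).andExpect(status().isForbidden()).andReturn();
        assertThat(res.getResolvedException(), instanceOf(AccessDeniedException.class));
    } finally {
        // Always restore a clean holder: the throwing context is stored in a thread-local and
        // would otherwise leak into whatever test runs next on this thread.
        SecurityContextHolder.clearContext();
    }
}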