Search in sources :

Example 11 with AccessDeniedException

use of org.springframework.security.access.AccessDeniedException in project dhis2-core by dhis2.

the class LogicalOrAccessDecisionManager method decide.

// -------------------------------------------------------------------------
// Interface implementation
// -------------------------------------------------------------------------
@Override
public void decide(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes) throws AccessDeniedException, InsufficientAuthenticationException {
    AccessDeniedException ade = null;
    InsufficientAuthenticationException iae = null;
    for (AccessDecisionManager accessDecisionManager : accessDecisionManagers) {
        if (accessDecisionManager.supports(object.getClass())) {
            try {
                accessDecisionManager.decide(authentication, object, configAttributes);
                LOG.debug("ACCESS GRANTED [" + object.toString() + "]");
                return;
            } catch (AccessDeniedException e) {
                ade = e;
            } catch (InsufficientAuthenticationException e) {
                iae = e;
            }
        }
    }
    LOG.debug("ACCESS DENIED [" + object.toString() + "]");
    if (ade != null) {
        throw ade;
    }
    if (iae != null) {
        throw iae;
    }
}
Also used : AccessDeniedException(org.springframework.security.access.AccessDeniedException) AccessDecisionManager(org.springframework.security.access.AccessDecisionManager) InsufficientAuthenticationException(org.springframework.security.authentication.InsufficientAuthenticationException)

Example 12 with AccessDeniedException

use of org.springframework.security.access.AccessDeniedException in project dhis2-core by dhis2.

the class SharingController method setSharing.

@RequestMapping(method = { RequestMethod.POST, RequestMethod.PUT }, consumes = MediaType.APPLICATION_JSON_VALUE)
public void setSharing(@RequestParam String type, @RequestParam String id, HttpServletResponse response, HttpServletRequest request) throws IOException, WebMessageException {
    Class<? extends IdentifiableObject> sharingClass = aclService.classForType(type);
    if (sharingClass == null || !aclService.isShareable(sharingClass)) {
        throw new WebMessageException(WebMessageUtils.conflict("Type " + type + " is not supported."));
    }
    BaseIdentifiableObject object = (BaseIdentifiableObject) manager.get(sharingClass, id);
    if (object == null) {
        throw new WebMessageException(WebMessageUtils.notFound("Object of type " + type + " with ID " + id + " was not found."));
    }
    User user = currentUserService.getCurrentUser();
    if (!aclService.canManage(user, object)) {
        throw new AccessDeniedException("You do not have manage access to this object.");
    }
    Sharing sharing = renderService.fromJson(request.getInputStream(), Sharing.class);
    if (!AccessStringHelper.isValid(sharing.getObject().getPublicAccess())) {
        throw new WebMessageException(WebMessageUtils.conflict("Invalid public access string: " + sharing.getObject().getPublicAccess()));
    }
    if (aclService.canMakeExternal(user, object.getClass())) {
        object.setExternalAccess(sharing.getObject().hasExternalAccess());
    }
    if (aclService.canMakePublic(user, object.getClass())) {
        object.setPublicAccess(sharing.getObject().getPublicAccess());
    }
    if (object.getUser() == null) {
        object.setUser(user);
    }
    Iterator<UserGroupAccess> userGroupAccessIterator = object.getUserGroupAccesses().iterator();
    while (userGroupAccessIterator.hasNext()) {
        UserGroupAccess userGroupAccess = userGroupAccessIterator.next();
        userGroupAccessIterator.remove();
        userGroupAccessService.deleteUserGroupAccess(userGroupAccess);
    }
    for (SharingUserGroupAccess sharingUserGroupAccess : sharing.getObject().getUserGroupAccesses()) {
        UserGroupAccess userGroupAccess = new UserGroupAccess();
        if (!AccessStringHelper.isValid(sharingUserGroupAccess.getAccess())) {
            throw new WebMessageException(WebMessageUtils.conflict("Invalid user group access string: " + sharingUserGroupAccess.getAccess()));
        }
        userGroupAccess.setAccess(sharingUserGroupAccess.getAccess());
        UserGroup userGroup = manager.get(UserGroup.class, sharingUserGroupAccess.getId());
        if (userGroup != null) {
            userGroupAccess.setUserGroup(userGroup);
            userGroupAccessService.addUserGroupAccess(userGroupAccess);
            object.getUserGroupAccesses().add(userGroupAccess);
        }
    }
    Iterator<UserAccess> userAccessIterator = object.getUserAccesses().iterator();
    while (userAccessIterator.hasNext()) {
        UserAccess userAccess = userAccessIterator.next();
        userAccessIterator.remove();
        userAccessService.deleteUserAccess(userAccess);
    }
    for (SharingUserAccess sharingUserAccess : sharing.getObject().getUserAccesses()) {
        UserAccess userAccess = new UserAccess();
        if (!AccessStringHelper.isValid(sharingUserAccess.getAccess())) {
            throw new WebMessageException(WebMessageUtils.conflict("Invalid user access string: " + sharingUserAccess.getAccess()));
        }
        userAccess.setAccess(sharingUserAccess.getAccess());
        User sharingUser = manager.get(User.class, sharingUserAccess.getId());
        if (sharingUser != null) {
            userAccess.setUser(sharingUser);
            userAccessService.addUserAccess(userAccess);
            object.getUserAccesses().add(userAccess);
        }
    }
    manager.updateNoAcl(object);
    log.info(sharingToString(object));
    webMessageService.send(WebMessageUtils.ok("Access control set"), response, request);
}
Also used : AccessDeniedException(org.springframework.security.access.AccessDeniedException) User(org.hisp.dhis.user.User) WebMessageException(org.hisp.dhis.dxf2.webmessage.WebMessageException) SharingUserAccess(org.hisp.dhis.webapi.webdomain.sharing.SharingUserAccess) UserAccess(org.hisp.dhis.user.UserAccess) SharingUserGroupAccess(org.hisp.dhis.webapi.webdomain.sharing.SharingUserGroupAccess) UserGroup(org.hisp.dhis.user.UserGroup) BaseIdentifiableObject(org.hisp.dhis.common.BaseIdentifiableObject) Sharing(org.hisp.dhis.webapi.webdomain.sharing.Sharing) SharingUserAccess(org.hisp.dhis.webapi.webdomain.sharing.SharingUserAccess) SharingUserGroupAccess(org.hisp.dhis.webapi.webdomain.sharing.SharingUserGroupAccess) UserGroupAccess(org.hisp.dhis.user.UserGroupAccess) RequestMapping(org.springframework.web.bind.annotation.RequestMapping)

Example 13 with AccessDeniedException

use of org.springframework.security.access.AccessDeniedException in project dhis2-core by dhis2.

the class SharingController method getSharing.

// -------------------------------------------------------------------------
// Resources
// -------------------------------------------------------------------------
@RequestMapping(method = RequestMethod.GET, produces = MediaType.APPLICATION_JSON_VALUE)
public void getSharing(@RequestParam String type, @RequestParam String id, HttpServletResponse response) throws IOException, WebMessageException {
    if (!aclService.isShareable(type)) {
        throw new WebMessageException(WebMessageUtils.conflict("Type " + type + " is not supported."));
    }
    Class<? extends IdentifiableObject> klass = aclService.classForType(type);
    IdentifiableObject object = manager.get(klass, id);
    if (object == null) {
        throw new WebMessageException(WebMessageUtils.notFound("Object of type " + type + " with ID " + id + " was not found."));
    }
    User user = currentUserService.getCurrentUser();
    if (!aclService.canRead(user, object)) {
        throw new AccessDeniedException("You do not have manage access to this object.");
    }
    Sharing sharing = new Sharing();
    sharing.getMeta().setAllowPublicAccess(aclService.canMakePublic(user, object.getClass()));
    sharing.getMeta().setAllowExternalAccess(aclService.canMakeExternal(user, object.getClass()));
    sharing.getObject().setId(object.getUid());
    sharing.getObject().setName(object.getDisplayName());
    sharing.getObject().setDisplayName(object.getDisplayName());
    sharing.getObject().setExternalAccess(object.getExternalAccess());
    if (object.getPublicAccess() == null) {
        String access;
        if (aclService.canMakePublic(user, klass)) {
            access = AccessStringHelper.newInstance().enable(AccessStringHelper.Permission.READ).enable(AccessStringHelper.Permission.WRITE).build();
        } else {
            access = AccessStringHelper.newInstance().build();
        }
        sharing.getObject().setPublicAccess(access);
    } else {
        sharing.getObject().setPublicAccess(object.getPublicAccess());
    }
    if (object.getUser() != null) {
        sharing.getObject().getUser().setId(object.getUser().getUid());
        sharing.getObject().getUser().setName(object.getUser().getDisplayName());
    }
    for (UserGroupAccess userGroupAccess : object.getUserGroupAccesses()) {
        SharingUserGroupAccess sharingUserGroupAccess = new SharingUserGroupAccess();
        sharingUserGroupAccess.setId(userGroupAccess.getUserGroup().getUid());
        sharingUserGroupAccess.setName(userGroupAccess.getUserGroup().getDisplayName());
        sharingUserGroupAccess.setDisplayName(userGroupAccess.getUserGroup().getDisplayName());
        sharingUserGroupAccess.setAccess(userGroupAccess.getAccess());
        sharing.getObject().getUserGroupAccesses().add(sharingUserGroupAccess);
    }
    for (UserAccess userAccess : object.getUserAccesses()) {
        SharingUserAccess sharingUserAccess = new SharingUserAccess();
        sharingUserAccess.setId(userAccess.getUser().getUid());
        sharingUserAccess.setName(userAccess.getUser().getDisplayName());
        sharingUserAccess.setDisplayName(userAccess.getUser().getDisplayName());
        sharingUserAccess.setAccess(userAccess.getAccess());
        sharing.getObject().getUserAccesses().add(sharingUserAccess);
    }
    sharing.getObject().getUserGroupAccesses().sort(SharingUserGroupAccessNameComparator.INSTANCE);
    response.setContentType(MediaType.APPLICATION_JSON_UTF8_VALUE);
    renderService.toJson(response.getOutputStream(), sharing);
}
Also used : AccessDeniedException(org.springframework.security.access.AccessDeniedException) User(org.hisp.dhis.user.User) WebMessageException(org.hisp.dhis.dxf2.webmessage.WebMessageException) Sharing(org.hisp.dhis.webapi.webdomain.sharing.Sharing) SharingUserAccess(org.hisp.dhis.webapi.webdomain.sharing.SharingUserAccess) UserAccess(org.hisp.dhis.user.UserAccess) SharingUserGroupAccess(org.hisp.dhis.webapi.webdomain.sharing.SharingUserGroupAccess) SharingUserAccess(org.hisp.dhis.webapi.webdomain.sharing.SharingUserAccess) IdentifiableObject(org.hisp.dhis.common.IdentifiableObject) BaseIdentifiableObject(org.hisp.dhis.common.BaseIdentifiableObject) SharingUserGroupAccess(org.hisp.dhis.webapi.webdomain.sharing.SharingUserGroupAccess) UserGroupAccess(org.hisp.dhis.user.UserGroupAccess) RequestMapping(org.springframework.web.bind.annotation.RequestMapping)

Example 14 with AccessDeniedException

use of org.springframework.security.access.AccessDeniedException in project summerb by skarpushin.

the class RestExceptionTranslator method determineFailureResult.

private DtoBase determineFailureResult(Exception ex, HttpServletRequest request, HttpServletResponse response) {
    // first see if it is FVE
    FieldValidationException fve = ExceptionUtils.findExceptionOfType(ex, FieldValidationException.class);
    if (fve != null) {
        response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
        return fve.getErrorDescriptionObject();
    }
    boolean translateAuthErrors = Boolean.TRUE.equals(Boolean.valueOf(request.getHeader(X_TRANSLATE_AUTHORIZATION_ERRORS)));
    GenericServerErrorResult ret = null;
    if (translateAuthErrors) {
        ret = new GenericServerErrorResult(exceptionTranslator.buildUserMessage(ex, LocaleContextHolder.getLocale()), new ExceptionInfo(ex));
    }
    NotAuthorizedException naex = ExceptionUtils.findExceptionOfType(ex, NotAuthorizedException.class);
    if (naex != null) {
        response.setStatus(HttpServletResponse.SC_FORBIDDEN);
        return ret != null ? ret : naex.getResult();
    }
    AuthenticationException ae = ExceptionUtils.findExceptionOfType(ex, AuthenticationException.class);
    if (ae != null) {
        // NOTE: See how we did that in AuthenticationFailureHandlerImpl...
        // Looks like we need to augment our custom RestLoginFilter so it
        // will put username to request
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        return ret != null ? ret : new NotAuthorizedResult("(username not resolved)", SecurityMessageCodes.AUTH_FATAL);
    }
    AccessDeniedException ade = ExceptionUtils.findExceptionOfType(ex, AccessDeniedException.class);
    if (ade != null) {
        if (authenticationTrustResolver.isAnonymous(SecurityContextHolder.getContext().getAuthentication())) {
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            return ret != null ? ret : new NotAuthorizedResult(getCurrentUser(null), SecurityMessageCodes.LOGIN_REQUIRED);
        }
        response.setStatus(HttpServletResponse.SC_FORBIDDEN);
        return ret != null ? ret : new NotAuthorizedResult(getCurrentUser(null), SecurityMessageCodes.ACCESS_DENIED);
    }
    CurrentUserNotFoundException cunfe = ExceptionUtils.findExceptionOfType(ex, CurrentUserNotFoundException.class);
    if (cunfe != null) {
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        return ret != null ? ret : new NotAuthorizedResult(getCurrentUser(null), SecurityMessageCodes.LOGIN_REQUIRED);
    }
    // TODO: Do we really need to send whole stack trace to client ??? I think we
    // should do it only during development
    response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
    return new GenericServerErrorResult(exceptionTranslator.buildUserMessage(ex, LocaleContextHolder.getLocale()), new ExceptionInfo(ex));
}
Also used : FieldValidationException(org.summerb.approaches.validation.FieldValidationException) AccessDeniedException(org.springframework.security.access.AccessDeniedException) AuthenticationException(org.springframework.security.core.AuthenticationException) NotAuthorizedResult(org.summerb.approaches.security.api.dto.NotAuthorizedResult) CurrentUserNotFoundException(org.summerb.approaches.security.api.CurrentUserNotFoundException) NotAuthorizedException(org.summerb.approaches.security.api.exceptions.NotAuthorizedException) GenericServerErrorResult(org.summerb.utils.exceptions.dto.GenericServerErrorResult) ExceptionInfo(org.summerb.utils.exceptions.dto.ExceptionInfo)

Example 15 with AccessDeniedException

use of org.springframework.security.access.AccessDeniedException in project jhipster-registry by jhipster.

the class ExceptionTranslatorTest method processAccessDeniedExceptionTest.

@Test
public void processAccessDeniedExceptionTest() throws Exception {
    // These lines will throw the wanted exception
    SecurityContext securityContext = Mockito.mock(SecurityContext.class);
    Mockito.when(securityContext.getAuthentication()).thenThrow(new AccessDeniedException(null));
    SecurityContextHolder.setContext(securityContext);
    MvcResult res = mock.perform(get("/api/account")).andExpect(status().isForbidden()).andReturn();
    assertThat(res.getResolvedException(), instanceOf(AccessDeniedException.class));
}
Also used : AccessDeniedException(org.springframework.security.access.AccessDeniedException) SecurityContext(org.springframework.security.core.context.SecurityContext) MvcResult(org.springframework.test.web.servlet.MvcResult) Test(org.junit.Test)

Aggregations

AccessDeniedException (org.springframework.security.access.AccessDeniedException)186 Test (org.junit.Test)33 Test (org.junit.jupiter.api.Test)20 Authentication (org.springframework.security.core.Authentication)18 TestingAuthenticationToken (org.springframework.security.authentication.TestingAuthenticationToken)17 ArrayList (java.util.ArrayList)15 ApplicationUser (org.finra.herd.model.dto.ApplicationUser)14 SecurityUserWrapper (org.finra.herd.model.dto.SecurityUserWrapper)14 RequestMapping (org.springframework.web.bind.annotation.RequestMapping)14 AbstractServiceTest (org.finra.herd.service.AbstractServiceTest)13 Method (java.lang.reflect.Method)12 JoinPoint (org.aspectj.lang.JoinPoint)11 MethodSignature (org.aspectj.lang.reflect.MethodSignature)11 SecurityContext (org.springframework.security.core.context.SecurityContext)11 NamespaceAuthorization (org.finra.herd.model.api.xml.NamespaceAuthorization)10 Credential (com.sequenceiq.cloudbreak.domain.Credential)8 HttpServletRequest (jakarta.servlet.http.HttpServletRequest)8 HttpServletResponse (jakarta.servlet.http.HttpServletResponse)8 WebMessageException (org.hisp.dhis.dxf2.webmessage.WebMessageException)7 Interpretation (org.hisp.dhis.interpretation.Interpretation)7