Example 56 with ConfigAttribute

Use of org.springframework.security.access.ConfigAttribute in project spring-security by spring-projects.

The class AbstractSecurityInterceptor, method beforeInvocation.

protected InterceptorStatusToken beforeInvocation(Object object) {
    Assert.notNull(object, "Object was null");
    final boolean debug = logger.isDebugEnabled();
    // Fail fast if this interceptor was wired for a different secure object type
    if (!getSecureObjectClass().isAssignableFrom(object.getClass())) {
        throw new IllegalArgumentException("Security invocation attempted for object "
                + object.getClass().getName()
                + " but AbstractSecurityInterceptor only configured to support secure objects of type: "
                + getSecureObjectClass());
    }
    Collection<ConfigAttribute> attributes = this.obtainSecurityMetadataSource().getAttributes(object);
    // No attributes means the secure object is public; with rejectPublicInvocations=true that is a hard failure
    if (attributes == null || attributes.isEmpty()) {
        if (rejectPublicInvocations) {
            throw new IllegalArgumentException("Secure object invocation " + object
                    + " was denied as public invocations are not allowed via this interceptor. "
                    + "This indicates a configuration error because the "
                    + "rejectPublicInvocations property is set to 'true'");
        }
        if (debug) {
            logger.debug("Public object - authentication not attempted");
        }
        publishEvent(new PublicInvocationEvent(object));
        // no further work post-invocation
        return null;
    }
    if (debug) {
        logger.debug("Secure object: " + object + "; Attributes: " + attributes);
    }
    // Fail closed: an empty SecurityContext is reported as missing credentials (credentialsNotFound publishes an event and throws)
    if (SecurityContextHolder.getContext().getAuthentication() == null) {
        credentialsNotFound(messages.getMessage("AbstractSecurityInterceptor.authenticationNotFound", "An Authentication object was not found in the SecurityContext"), object, attributes);
    }
    // Re-authenticate unless the token is already authenticated and alwaysReauthenticate is off
    Authentication authenticated = authenticateIfRequired();
    // Attempt authorization; a denial is published as an event before the exception propagates
    try {
        this.accessDecisionManager.decide(authenticated, object, attributes);
    } catch (AccessDeniedException accessDeniedException) {
        publishEvent(new AuthorizationFailureEvent(object, attributes, authenticated, accessDeniedException));
        throw accessDeniedException;
    }
    if (debug) {
        logger.debug("Authorization successful");
    }
    if (publishAuthorizationSuccess) {
        publishEvent(new AuthorizedEvent(object, attributes, authenticated));
    }
    // Attempt to run as a different user
    Authentication runAs = this.runAsManager.buildRunAs(authenticated, object, attributes);
    if (runAs == null) {
        if (debug) {
            logger.debug("RunAsManager did not change Authentication object");
        }
        // no further work post-invocation
        return new InterceptorStatusToken(SecurityContextHolder.getContext(), false, attributes, object);
    } else {
        if (debug) {
            logger.debug("Switching to RunAs Authentication: " + runAs);
        }
        // Install a fresh context holding the RunAs token; the original context travels in the token so it can be restored after the invocation
        SecurityContext origCtx = SecurityContextHolder.getContext();
        SecurityContextHolder.setContext(SecurityContextHolder.createEmptyContext());
        SecurityContextHolder.getContext().setAuthentication(runAs);
        // need to revert to token.Authenticated post-invocation
        return new InterceptorStatusToken(origCtx, true, attributes, object);
    }
}
Also used: AccessDeniedException (org.springframework.security.access.AccessDeniedException), PublicInvocationEvent (org.springframework.security.access.event.PublicInvocationEvent), ConfigAttribute (org.springframework.security.access.ConfigAttribute), Authentication (org.springframework.security.core.Authentication), AuthorizedEvent (org.springframework.security.access.event.AuthorizedEvent), SecurityContext (org.springframework.security.core.context.SecurityContext), AuthorizationFailureEvent (org.springframework.security.access.event.AuthorizationFailureEvent)

Example 57 with ConfigAttribute

Use of org.springframework.security.access.ConfigAttribute in project spring-security by spring-projects.

The class RoleVoter, method vote.

public int vote(Authentication authentication, Object object, Collection<ConfigAttribute> attributes) {
    if (authentication == null) {
        return ACCESS_DENIED;
    }
    // Abstain unless at least one attribute is one this voter understands (by default, those with the ROLE_ prefix)
    int result = ACCESS_ABSTAIN;
    Collection<? extends GrantedAuthority> authorities = extractAuthorities(authentication);
    for (ConfigAttribute attribute : attributes) {
        if (this.supports(attribute)) {
            // A supported attribute was found: the answer is now DENIED unless a matching authority turns up
            result = ACCESS_DENIED;
            // Attempt to find a matching granted authority
            for (GrantedAuthority authority : authorities) {
                if (attribute.getAttribute().equals(authority.getAuthority())) {
                    return ACCESS_GRANTED;
                }
            }
        }
    }
    return result;
}
Also used: ConfigAttribute (org.springframework.security.access.ConfigAttribute), GrantedAuthority (org.springframework.security.core.GrantedAuthority)

Example 58 with ConfigAttribute

Use of org.springframework.security.access.ConfigAttribute in project spring-security by spring-projects.

The class MethodExpressionVoterTests, method hasRoleExpressionDeniesUserWithoutRole.

@Test
public void hasRoleExpressionDeniesUserWithoutRole() throws Exception {
    List<ConfigAttribute> cad = new ArrayList<ConfigAttribute>(1);
    cad.add(new PreInvocationExpressionAttribute(null, null, "hasRole('joedoesnt')"));
    MethodInvocation mi = new SimpleMethodInvocation(new TargetImpl(), methodTakingAnArray());
    assertThat(am.vote(joe, mi, cad)).isEqualTo(AccessDecisionVoter.ACCESS_DENIED);
}
Also used: ConfigAttribute (org.springframework.security.access.ConfigAttribute), PreInvocationExpressionAttribute (org.springframework.security.access.expression.method.PreInvocationExpressionAttribute), SimpleMethodInvocation (org.springframework.security.util.SimpleMethodInvocation), ArrayList (java.util.ArrayList), MethodInvocation (org.aopalliance.intercept.MethodInvocation), Test (org.junit.Test)

Example 59 with ConfigAttribute

Use of org.springframework.security.access.ConfigAttribute in project spring-security by spring-projects.

The class Jsr250MethodSecurityMetadataSourceTests, method classLevelAnnotationsImpactMemberLevel.

@Test
public void classLevelAnnotationsImpactMemberLevel() throws Exception {
    Child target = new Child();
    MockMethodInvocation mi = new MockMethodInvocation(target, target.getClass(), "defaults");
    Collection<ConfigAttribute> accessAttributes = this.mds.getAttributes(mi);
    assertThat(accessAttributes).hasSize(1);
    assertThat(accessAttributes.toArray()[0].toString()).isEqualTo("ROLE_DERIVED");
}
Also used: ConfigAttribute (org.springframework.security.access.ConfigAttribute), MockMethodInvocation (org.springframework.security.access.intercept.method.MockMethodInvocation), Test (org.junit.Test)

Example 60 with ConfigAttribute

Use of org.springframework.security.access.ConfigAttribute in project spring-security by spring-projects.

The class Jsr250MethodSecurityMetadataSourceTests, method interfacesNeverContributeAnnotationsClassLevel.

@Test
public void interfacesNeverContributeAnnotationsClassLevel() throws Exception {
    Parent target = new Parent();
    MockMethodInvocation mi = new MockMethodInvocation(target, target.getClass(), "notOverriden");
    Collection<ConfigAttribute> accessAttributes = this.mds.getAttributes(mi);
    assertThat(accessAttributes).isEmpty();
}
Also used: ConfigAttribute (org.springframework.security.access.ConfigAttribute), MockMethodInvocation (org.springframework.security.access.intercept.method.MockMethodInvocation), Test (org.junit.Test)

Aggregations

ConfigAttribute (org.springframework.security.access.ConfigAttribute): 88
Test (org.junit.Test): 54
SecurityConfig (org.springframework.security.access.SecurityConfig): 21
FilterInvocation (org.springframework.security.web.FilterInvocation): 15
AccessDeniedException (org.springframework.security.access.AccessDeniedException): 13
MockMethodInvocation (org.springframework.security.access.intercept.method.MockMethodInvocation): 12
TestingAuthenticationToken (org.springframework.security.authentication.TestingAuthenticationToken): 10
ArrayList (java.util.ArrayList): 9
LinkedHashMap (java.util.LinkedHashMap): 8
Authentication (org.springframework.security.core.Authentication): 8
OAuth2Authentication (org.springframework.security.oauth2.provider.OAuth2Authentication): 8
Collection (java.util.Collection): 6
OAuth2Request (org.springframework.security.oauth2.provider.OAuth2Request): 6
Method (java.lang.reflect.Method): 5
List (java.util.List): 5
MethodInvocation (org.aopalliance.intercept.MethodInvocation): 5
GrantedAuthority (org.springframework.security.core.GrantedAuthority): 5
RequestMatcher (org.springframework.security.web.util.matcher.RequestMatcher): 5
AuthorizationFailureEvent (org.springframework.security.access.event.AuthorizationFailureEvent): 4
SimpleMethodInvocation (org.springframework.security.util.SimpleMethodInvocation): 4