Use of org.springframework.security.access.ConfigAttribute in project spring-security-oauth by spring-projects.
The class ScopeVoter, method vote.
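/**
 * Votes on whether the granted OAuth2 scopes of the calling client satisfy the
 * scope attributes configured for the secured object.
 *
 * <p>Abstains for anything that is not an {@code OAuth2Authentication}. A
 * {@code denyAccess} attribute short-circuits to a denial before any scope is
 * looked at. Otherwise every attribute this voter supports is compared
 * case-insensitively against {@code scopePrefix + scope} for each granted scope;
 * the first match grants access. A supported attribute that no granted scope
 * satisfies yields a denial, which is raised immediately as an
 * {@link AccessDeniedException} wrapping an {@link InsufficientScopeException}
 * when {@code throwException} is set.
 *
 * @param authentication the caller's authentication
 * @param object the secured object (not consulted)
 * @param attributes the configuration attributes of the secured object
 * @return {@code ACCESS_GRANTED}, {@code ACCESS_DENIED} or {@code ACCESS_ABSTAIN}
 * @throws AccessDeniedException if a supported scope attribute is unmet and
 * {@code throwException} is {@code true}
 */
public int vote(Authentication authentication, Object object, Collection<ConfigAttribute> attributes) {
    if (!(authentication instanceof OAuth2Authentication)) {
        return ACCESS_ABSTAIN;
    }
    for (ConfigAttribute attribute : attributes) {
        // An explicit deny attribute wins regardless of the scopes the client holds.
        if (denyAccess.equals(attribute.getAttribute())) {
            return ACCESS_DENIED;
        }
    }
    OAuth2Request clientAuthentication = ((OAuth2Authentication) authentication).getOAuth2Request();
    int result = ACCESS_ABSTAIN;
    for (ConfigAttribute attribute : attributes) {
        if (!this.supports(attribute)) {
            continue;
        }
        // A supported attribute that no scope satisfies is a denial, never an abstention.
        result = ACCESS_DENIED;
        String required = attribute.getAttribute();
        Set<String> scopes = clientAuthentication.getScope();
        for (String scope : scopes) {
            // equalsIgnoreCase is locale-independent. The previous toUpperCase() pair used the
            // default locale, under which e.g. tr_TR maps "files" and "FILES" to different strings
            // and a correctly scoped client would be denied.
            if (required.equalsIgnoreCase(scopePrefix + scope)) {
                return ACCESS_GRANTED;
            }
        }
        if (throwException) {
            // NOTE(review): substring assumes supports(attribute) guarantees the scopePrefix is present — confirm
            InsufficientScopeException failure = new InsufficientScopeException("Insufficient scope for this resource", Collections.singleton(required.substring(scopePrefix.length())));
            throw new AccessDeniedException(failure.getMessage(), failure);
        }
    }
    return result;
}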
Use of org.springframework.security.access.ConfigAttribute in project spring-security by spring-projects.
The class MethodSecurityMetadataSourceBeanDefinitionParser, method parseInternal.
/**
 * Builds a {@code MapBasedMethodSecurityMetadataSource} bean definition from the
 * {@code Elements.PROTECT} children of {@code elt}.
 *
 * <p>For each child, the comma-separated {@code ATT_ACCESS} attribute is turned into
 * a list of {@link ConfigAttribute}s keyed by the child's {@code ATT_METHOD}
 * attribute. Insertion order is preserved, and a later child naming the same
 * method replaces the earlier entry.
 *
 * @param elt the parent element holding the protected-method children
 * @param pc the parser context (not consulted)
 * @return the bean definition, with the method-to-attributes map as its single
 * generic constructor argument
 */
public AbstractBeanDefinition parseInternal(Element elt, ParserContext pc) {
    Map<String, List<ConfigAttribute>> methodToAttributes = new LinkedHashMap<String, List<ConfigAttribute>>();
    for (Element protectElement : DomUtils.getChildElementsByTagName(elt, Elements.PROTECT)) {
        String accessSpec = protectElement.getAttribute(ATT_ACCESS);
        List<ConfigAttribute> configAttributes = SecurityConfig.createList(StringUtils.commaDelimitedListToStringArray(accessSpec));
        methodToAttributes.put(protectElement.getAttribute(ATT_METHOD), configAttributes);
    }
    RootBeanDefinition definition = new RootBeanDefinition(MapBasedMethodSecurityMetadataSource.class);
    definition.getConstructorArgumentValues().addGenericArgumentValue(methodToAttributes);
    return definition;
}
Use of org.springframework.security.access.ConfigAttribute in project spring-security by spring-projects.
The class ExpressionBasedMessageSecurityMetadataSourceFactory, method createExpressionMessageMetadataSource.
/**
 * Builds a {@link MessageSecurityMetadataSource} whose {@link MessageMatcher}s are
 * each bound to a Spring Expression. Entries are consulted in the map's iteration
 * order and only the first matching entry applies.
 *
 * For example:
 *
 * <pre>
 * LinkedHashMap<MessageMatcher<?>,String> matcherToExpression = new LinkedHashMap<MessageMatcher<?>,String>();
 * matcherToExpression.put(new SimDestinationMessageMatcher("/public/**"), "permitAll");
 * matcherToExpression.put(new SimDestinationMessageMatcher("/admin/**"), "hasRole('ROLE_ADMIN')");
 * matcherToExpression.put(new SimDestinationMessageMatcher("/**"), "authenticated");
 *
 * MessageSecurityMetadataSource metadataSource = createExpressionMessageMetadataSource(matcherToExpression);
 * </pre>
 *
 * <p>
 * A destination of "/public/hello" matches both "/public/**" and "/**", but only
 * "/public/**" is used because it was inserted first; the destination is therefore
 * mapped to "permitAll".
 * </p>
 *
 * <p>
 * For a complete listing of expressions see {@link MessageSecurityExpressionRoot}
 * </p>
 *
 * @param matcherToExpression an ordered mapping of {@link MessageMatcher} to expression
 * Strings, each parsed with the parser obtained from {@code handler}
 * @param handler the {@link SecurityExpressionHandler} whose expression parser is used
 * @return the {@link MessageSecurityMetadataSource} to use. Cannot be null.
 */
public static MessageSecurityMetadataSource createExpressionMessageMetadataSource(LinkedHashMap<MessageMatcher<?>, String> matcherToExpression, SecurityExpressionHandler<Message<Object>> handler) {
    LinkedHashMap<MessageMatcher<?>, Collection<ConfigAttribute>> matcherToAttributes = new LinkedHashMap<MessageMatcher<?>, Collection<ConfigAttribute>>();
    // Iterating the key set keeps the caller's insertion order, which is the match precedence.
    for (MessageMatcher<?> matcher : matcherToExpression.keySet()) {
        Expression parsed = handler.getExpressionParser().parseExpression(matcherToExpression.get(matcher));
        matcherToAttributes.put(matcher, Arrays.<ConfigAttribute>asList(new MessageExpressionConfigAttribute(parsed)));
    }
    return new DefaultMessageSecurityMetadataSource(matcherToAttributes);
}
Use of org.springframework.security.access.ConfigAttribute in project spring-security by spring-projects.
The class ExpressionBasedMessageSecurityMetadataSourceFactoryTests, method createExpressionMessageMetadataSourceMatchSecond.
@Test
public void createExpressionMessageMetadataSourceMatchSecond() {
    // matcher2 is stubbed to accept the message; the attribute selected for it is expected
    // to be an expression attribute that evaluates to false against rootObject.
    when(matcher2.matches(message)).thenReturn(true);
    Collection<ConfigAttribute> attributes = source.getAttributes(message);
    assertThat(attributes).hasSize(1);
    ConfigAttribute selected = attributes.iterator().next();
    assertThat(selected).isInstanceOf(MessageExpressionConfigAttribute.class);
    MessageExpressionConfigAttribute expressionAttribute = (MessageExpressionConfigAttribute) selected;
    assertThat(expressionAttribute.getAuthorizeExpression().getValue(rootObject)).isEqualTo(false);
}
Use of org.springframework.security.access.ConfigAttribute in project spring-security by spring-projects.
The class AclEntryVoter, method vote.
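/**
 * Votes on a method invocation by consulting the ACL of the domain object it targets.
 *
 * <p>Only the first attribute this voter supports is evaluated. The outcome is
 * {@code ACCESS_ABSTAIN} when no attribute is supported or no domain object can be
 * located; {@code ACCESS_DENIED} when no ACL exists for the object and the caller's
 * SIDs, or the ACL does not grant {@code requirePermission}; {@code ACCESS_GRANTED}
 * otherwise. Every {@link NotFoundException} from the ACL service or the ACL itself
 * is treated as a denial, so the voter fails closed.
 *
 * @param authentication the caller, whose SIDs are resolved via {@code sidRetrievalStrategy}
 * @param object the invocation from which the domain object is obtained
 * @param attributes the configuration attributes of the invocation
 * @return the vote
 * @throws AuthorizationServiceException if {@code internalMethod} is configured but
 * cannot be resolved or invoked on the domain object
 */
public int vote(Authentication authentication, MethodInvocation object, Collection<ConfigAttribute> attributes) {
    for (ConfigAttribute attr : attributes) {
        if (!this.supports(attr)) {
            continue;
        }
        // Need to make an access decision on this invocation
        // Attempt to locate the domain object instance to process
        Object domainObject = getDomainObjectInstance(object);
        // If domain object is null, vote to abstain
        if (domainObject == null) {
            if (logger.isDebugEnabled()) {
                logger.debug("Voting to abstain - domainObject is null");
            }
            return ACCESS_ABSTAIN;
        }
        // Evaluate if we are required to use an inner domain object
        if (StringUtils.hasText(internalMethod)) {
            domainObject = invokeInternalMethod(domainObject);
        }
        // Obtain the OID applicable to the domain object
        ObjectIdentity objectIdentity = objectIdentityRetrievalStrategy.getObjectIdentity(domainObject);
        // Obtain the SIDs applicable to the principal
        List<Sid> sids = sidRetrievalStrategy.getSids(authentication);
        try {
            // Lookup only ACLs for SIDs we're interested in
            Acl acl = aclService.readAclById(objectIdentity, sids);
            // Third argument is administrativeMode; false means a missing ACE is reported
            // as NotFoundException, which the catch below turns into a denial.
            if (acl.isGranted(requirePermission, sids, false)) {
                if (logger.isDebugEnabled()) {
                    logger.debug("Voting to grant access");
                }
                return ACCESS_GRANTED;
            }
            if (logger.isDebugEnabled()) {
                logger.debug("Voting to deny access - ACLs returned, but insufficient permissions for this principal");
            }
            return ACCESS_DENIED;
        } catch (NotFoundException nfe) {
            // Both a missing ACL and a missing ACE end up here: deny rather than abstain.
            if (logger.isDebugEnabled()) {
                logger.debug("Voting to deny access - no ACLs apply for this principal");
            }
            return ACCESS_DENIED;
        }
    }
    // No configuration attribute matched, so abstain
    return ACCESS_ABSTAIN;
}

/**
 * Invokes the configured no-argument {@code internalMethod} on {@code domainObject}
 * and returns its result, which becomes the object whose ACL is checked.
 *
 * @param domainObject the outer domain object
 * @return the value returned by {@code internalMethod}
 * @throws AuthorizationServiceException if the method is missing or cannot be invoked;
 * the reflective exception is attached as the cause
 */
private Object invokeInternalMethod(Object domainObject) {
    try {
        Method method = domainObject.getClass().getMethod(internalMethod);
        return method.invoke(domainObject);
    } catch (NoSuchMethodException nsme) {
        throw new AuthorizationServiceException("Object of class '" + domainObject.getClass() + "' does not provide the requested internalMethod: " + internalMethod, nsme);
    } catch (IllegalAccessException iae) {
        logger.debug("IllegalAccessException", iae);
        throw new AuthorizationServiceException("Problem invoking internalMethod: " + internalMethod + " for object: " + domainObject, iae);
    } catch (InvocationTargetException ite) {
        logger.debug("InvocationTargetException", ite);
        throw new AuthorizationServiceException("Problem invoking internalMethod: " + internalMethod + " for object: " + domainObject, ite);
    }
}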