Use of org.springframework.security.access.ConfigAttribute in project spring-security-oauth by spring-projects.
The class ScopeVoterTests, method testAccessDeniedIfWrongScopesPresent.

@Test
public void testAccessDeniedIfWrongScopesPresent() throws Exception {
    OAuth2Request clientAuthentication = RequestTokenFactory.createOAuth2Request("foo", false, Collections.singleton("read"));
    Authentication userAuthentication = null;
    OAuth2Authentication oAuth2Authentication = new OAuth2Authentication(clientAuthentication, userAuthentication);
    voter.setThrowException(false);
    assertEquals(AccessDecisionVoter.ACCESS_DENIED,
            voter.vote(oAuth2Authentication, null,
                    Collections.<ConfigAttribute>singleton(new SecurityConfig("SCOPE_WRITE"))));
}

Use of org.springframework.security.access.ConfigAttribute in project spring-security-oauth by spring-projects.
The class ClientScopeVoter, method vote.

public int vote(Authentication authentication, Object object, Collection<ConfigAttribute> attributes) {
    int result = ACCESS_ABSTAIN;
    // Abstain for anything that is not an OAuth2 authentication.
    if (!(authentication instanceof OAuth2Authentication)) {
        return result;
    }
    OAuth2Authentication oauth2Authentication = (OAuth2Authentication) authentication;
    OAuth2Request clientAuthentication = oauth2Authentication.getOAuth2Request();
    ClientDetails client = clientDetailsService.loadClientByClientId(clientAuthentication.getClientId());
    Set<String> scopes = clientAuthentication.getScope();
    // For client-only tokens, optionally treat the client's authorities as its scopes.
    if (oauth2Authentication.isClientOnly() && clientAuthoritiesAreScopes) {
        scopes = AuthorityUtils.authorityListToSet(clientAuthentication.getAuthorities());
    }
    for (ConfigAttribute attribute : attributes) {
        if (this.supports(attribute)) {
            result = ACCESS_GRANTED;
            // Deny if the request carries any scope that is not registered for the client.
            for (String scope : scopes) {
                if (!client.getScope().contains(scope)) {
                    result = ACCESS_DENIED;
                    break;
                }
            }
            if (result == ACCESS_DENIED && throwException) {
                InsufficientScopeException failure = new InsufficientScopeException("Insufficient scope for this resource", client.getScope());
                throw new AccessDeniedException(failure.getMessage(), failure);
            }
            // The decision is made on the first supported attribute.
            return result;
        }
    }
    return result;
}

Use of org.springframework.security.access.ConfigAttribute in project midpoint by Evolveum.
The class AbstractModelIntegrationTest, method createConfigAttributes.

protected Collection<ConfigAttribute> createConfigAttributes(String action) {
    Collection<ConfigAttribute> attrs = new ArrayList<ConfigAttribute>();
    attrs.add(new SecurityConfig(action));
    return attrs;
}

Use of org.springframework.security.access.ConfigAttribute in project spring-boot by spring-projects.
The class AuthorizationAuditListenerTests, method testAuthenticationCredentialsNotFound.

@Test
public void testAuthenticationCredentialsNotFound() {
    AuditApplicationEvent event = handleAuthorizationEvent(
            new AuthenticationCredentialsNotFoundEvent(this,
                    Collections.<ConfigAttribute>singletonList(new SecurityConfig("USER")),
                    new AuthenticationCredentialsNotFoundException("Bad user")));
    assertThat(event.getAuditEvent().getType()).isEqualTo(AuthenticationAuditListener.AUTHENTICATION_FAILURE);
}

Use of org.springframework.security.access.ConfigAttribute in project spring-boot by spring-projects.
The class AuthorizationAuditListenerTests, method testAuthorizationFailure.

@Test
public void testAuthorizationFailure() {
    AuditApplicationEvent event = handleAuthorizationEvent(
            new AuthorizationFailureEvent(this,
                    Collections.<ConfigAttribute>singletonList(new SecurityConfig("USER")),
                    new UsernamePasswordAuthenticationToken("user", "password"),
                    new AccessDeniedException("Bad user")));
    assertThat(event.getAuditEvent().getType()).isEqualTo(AuthorizationAuditListener.AUTHORIZATION_FAILURE);
}