use of org.springframework.security.access.PermissionEvaluator in project spring-security by spring-projects.
the class GlobalMethodSecurityConfiguration method afterSingletonsInstantiated.
/**
 * Completes method-security wiring once all singleton beans have been created.
 *
 * <p>Initializes the method security interceptor, then copies each optional
 * collaborator found in the context (permission evaluator, role hierarchy,
 * trust resolver, role-prefix defaults) onto the default expression handler,
 * and finally runs the handler through the object post-processor.
 *
 * @throws RuntimeException wrapping any exception raised while initializing
 *         the method security interceptor
 */
@Override
public void afterSingletonsInstantiated() {
    try {
        initializeMethodSecurityInterceptor();
    }
    catch (Exception cause) {
        // Rethrow unchecked but keep the original exception attached as the cause.
        throw new RuntimeException(cause);
    }

    // Each collaborator is optional: the setter is only called when a bean was
    // resolved, otherwise the handler keeps whatever it was constructed with.
    // NOTE(review): getSingleBeanOrNull is not shown here. If it also returns
    // null when several beans of the type exist, an ambiguous context silently
    // leaves the handler's built-in permission evaluator in place - confirm.
    PermissionEvaluator evaluator = getSingleBeanOrNull(PermissionEvaluator.class);
    if (evaluator != null) {
        this.defaultMethodExpressionHandler.setPermissionEvaluator(evaluator);
    }

    RoleHierarchy hierarchy = getSingleBeanOrNull(RoleHierarchy.class);
    if (hierarchy != null) {
        this.defaultMethodExpressionHandler.setRoleHierarchy(hierarchy);
    }

    AuthenticationTrustResolver resolver = getSingleBeanOrNull(AuthenticationTrustResolver.class);
    if (resolver != null) {
        this.defaultMethodExpressionHandler.setTrustResolver(resolver);
    }

    GrantedAuthorityDefaults authorityDefaults = getSingleBeanOrNull(GrantedAuthorityDefaults.class);
    if (authorityDefaults != null) {
        // Only the role prefix is taken from the defaults bean.
        String rolePrefix = authorityDefaults.getRolePrefix();
        this.defaultMethodExpressionHandler.setDefaultRolePrefix(rolePrefix);
    }

    // Post-processing comes last so it sees the fully configured handler; the
    // field is replaced with whatever instance the post-processor returns.
    this.defaultMethodExpressionHandler = this.objectPostProcessor
            .postProcess(this.defaultMethodExpressionHandler);
}
use of org.springframework.security.access.PermissionEvaluator in project spring-security by spring-projects.
the class MiscHttpConfigTests method getWhenUsingCustomExpressionHandlerThenAuthorizesAccordingly.
/**
 * Checks that a request is rejected with 403 when the PermissionEvaluator
 * from the "ExpressionHandler" XML configuration denies the permission, and
 * that the evaluator was actually consulted for the decision.
 */
@Test
public void getWhenUsingCustomExpressionHandlerThenAuthorizesAccordingly() throws Exception {
    this.spring.configLocations(xml("ExpressionHandler")).autowire();

    // The bean is stubbed with given(...), so the XML config (not shown here)
    // is presumably registering a Mockito mock - confirm against the config.
    PermissionEvaluator evaluator = this.spring.getContext().getBean(PermissionEvaluator.class);
    given(evaluator.hasPermission(any(Authentication.class), any(Object.class), any(Object.class)))
            .willReturn(false);

    // A denied permission must surface as 403 Forbidden.
    // @formatter:off
    this.mvc.perform(get("/").with(userCredentials()))
            .andExpect(status().isForbidden());
    // @formatter:on

    // Proves the 403 came from the custom evaluator and not from another rule.
    verify(evaluator).hasPermission(any(Authentication.class), any(Object.class), any(Object.class));
}
use of org.springframework.security.access.PermissionEvaluator in project spring-security by spring-projects.
the class GlobalMethodSecurityConfigurationTests method globalMethodSecurityConfigurationAutowiresPermissionEvaluator.
/**
 * Checks that the PermissionEvaluator bean in the context is the one the
 * method-security configuration consults: the secured service call succeeds
 * while the evaluator grants the permission and fails once it denies it.
 */
@Test
@WithMockUser
public void globalMethodSecurityConfigurationAutowiresPermissionEvaluator() {
    this.spring.register(AutowirePermissionEvaluatorConfig.class).autowire();

    PermissionEvaluator evaluator = this.spring.getContext().getBean(PermissionEvaluator.class);
    // Consecutive answers: the first check is granted, the second is denied.
    given(evaluator.hasPermission(any(), eq("something"), eq("read")))
            .willReturn(true, false);

    // First call: permission granted, so no exception is expected.
    this.service.hasPermission("something");

    // Second call: permission denied, so access must be refused.
    assertThatExceptionOfType(AccessDeniedException.class)
            .isThrownBy(() -> this.service.hasPermission("something"));
}
use of org.springframework.security.access.PermissionEvaluator in project spring-security by spring-projects.
the class MethodSecurityExpressionRootTests method hasPermissionOnDomainObjectWorksWithIntegerExpressions.
/**
 * Checks that hasPermission(...) expressions accept integer permission
 * literals, in hex and decimal form, and that the expression result is
 * exactly what the PermissionEvaluator returned.
 */
@Test
public void hasPermissionOnDomainObjectWorksWithIntegerExpressions() {
    Object domainObject = new Object();
    this.ctx.setVariable("domainObject", domainObject);

    PermissionEvaluator evaluator = mock(PermissionEvaluator.class);
    this.root.setPermissionEvaluator(evaluator);
    // Any Integer permission on this domain object matches the stub; the
    // answers are handed out in order: true, true, false.
    given(evaluator.hasPermission(eq(this.user), eq(domainObject), any(Integer.class)))
            .willReturn(true, true, false);

    // Hex literal: first stubbed answer (true).
    Expression hexLiteral = this.parser.parseExpression("hasPermission(#domainObject, 0xA)");
    assertThat(ExpressionUtils.evaluateAsBoolean(hexLiteral, this.ctx)).isTrue();

    // Decimal literal: second stubbed answer (true).
    Expression decimalLiteral = this.parser.parseExpression("hasPermission(#domainObject, 10)");
    assertThat(ExpressionUtils.evaluateAsBoolean(decimalLiteral, this.ctx)).isTrue();

    // Third stubbed answer (false): a denial from the evaluator must come
    // back as false and not be turned into a grant.
    Expression deniedLiteral = this.parser.parseExpression("hasPermission(#domainObject, 0xFF)");
    assertThat(ExpressionUtils.evaluateAsBoolean(deniedLiteral, this.ctx)).isFalse();
}
use of org.springframework.security.access.PermissionEvaluator in project spring-security by spring-projects.
the class MethodSecurityExpressionRootTests method hasPermissionWorksWithThisObject.
/**
 * Checks that {@code this} inside a hasPermission(...) expression refers to
 * the object registered through setThis, and that a property of that object
 * ({@code this.x}) can be passed as the permission target as well.
 */
@Test
public void hasPermissionWorksWithThisObject() {
    // Anonymous target exposing a single property, x, with the value "x".
    Object target = new Object() {
        public String getX() {
            return "x";
        }
    };
    this.root.setThis(target);

    Integer permission = 2;
    PermissionEvaluator evaluator = mock(PermissionEvaluator.class);
    this.root.setPermissionEvaluator(evaluator);
    // Checks against the target itself: granted once, then denied.
    given(evaluator.hasPermission(this.user, target, permission)).willReturn(true, false);
    // Checks against the value of the target's x property: granted.
    given(evaluator.hasPermission(this.user, "x", permission)).willReturn(true);

    // First evaluation against the target: granted.
    Expression onTarget = this.parser.parseExpression("hasPermission(this, 2)");
    assertThat(ExpressionUtils.evaluateAsBoolean(onTarget, this.ctx)).isTrue();

    // Same expression parsed again: the evaluator now denies, and the
    // expression must report that denial.
    Expression onTargetAgain = this.parser.parseExpression("hasPermission(this, 2)");
    assertThat(ExpressionUtils.evaluateAsBoolean(onTargetAgain, this.ctx)).isFalse();

    // The property value "x" is the permission target here, not the object.
    Expression onProperty = this.parser.parseExpression("hasPermission(this.x, 2)");
    assertThat(ExpressionUtils.evaluateAsBoolean(onProperty, this.ctx)).isTrue();
}