Example 1 with PermissionEvaluator

Use of org.springframework.security.access.PermissionEvaluator in project spring-security by spring-projects.

Class GlobalMethodSecurityConfiguration, method afterSingletonsInstantiated.

@Override
public void afterSingletonsInstantiated() {
    try {
        initializeMethodSecurityInterceptor();
    } catch (Exception ex) {
        throw new RuntimeException(ex);
    }
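    // Each collaborator below is optional: it is applied to the default expression
    // handler only when getSingleBeanOrNull returns a bean of that type. Without a
    // PermissionEvaluator bean the handler keeps its built-in default
    // (DenyAllPermissionEvaluator, which rejects every hasPermission() check).
    PermissionEvaluator permissionEvaluator = getSingleBeanOrNull(PermissionEvaluator.class);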
    if (permissionEvaluator != null) {
        this.defaultMethodExpressionHandler.setPermissionEvaluator(permissionEvaluator);
    }
    RoleHierarchy roleHierarchy = getSingleBeanOrNull(RoleHierarchy.class);
    if (roleHierarchy != null) {
        this.defaultMethodExpressionHandler.setRoleHierarchy(roleHierarchy);
    }
    AuthenticationTrustResolver trustResolver = getSingleBeanOrNull(AuthenticationTrustResolver.class);
    if (trustResolver != null) {
        this.defaultMethodExpressionHandler.setTrustResolver(trustResolver);
    }
    GrantedAuthorityDefaults grantedAuthorityDefaults = getSingleBeanOrNull(GrantedAuthorityDefaults.class);
    if (grantedAuthorityDefaults != null) {
        this.defaultMethodExpressionHandler.setDefaultRolePrefix(grantedAuthorityDefaults.getRolePrefix());
    }
    this.defaultMethodExpressionHandler = this.objectPostProcessor.postProcess(this.defaultMethodExpressionHandler);
}

Also used: PermissionEvaluator (org.springframework.security.access.PermissionEvaluator), GrantedAuthorityDefaults (org.springframework.security.config.core.GrantedAuthorityDefaults), RoleHierarchy (org.springframework.security.access.hierarchicalroles.RoleHierarchy), AuthenticationTrustResolver (org.springframework.security.authentication.AuthenticationTrustResolver), BeansException (org.springframework.beans.BeansException), NoSuchBeanDefinitionException (org.springframework.beans.factory.NoSuchBeanDefinitionException)

Example 2 with PermissionEvaluator

Use of org.springframework.security.access.PermissionEvaluator in project spring-security by spring-projects.

Class MiscHttpConfigTests, method getWhenUsingCustomExpressionHandlerThenAuthorizesAccordingly.

@Test
public void getWhenUsingCustomExpressionHandlerThenAuthorizesAccordingly() throws Exception {
    this.spring.configLocations(xml("ExpressionHandler")).autowire();
    PermissionEvaluator permissionEvaluator = this.spring.getContext().getBean(PermissionEvaluator.class);
    // Stub the evaluator to deny every check, so the request must be rejected with 403.
    given(permissionEvaluator.hasPermission(any(Authentication.class), any(Object.class), any(Object.class))).willReturn(false);
    // @formatter:off
    this.mvc.perform(get("/").with(userCredentials())).andExpect(status().isForbidden());
    // @formatter:on
    // Confirm the denial came from the evaluator being consulted.
    verify(permissionEvaluator).hasPermission(any(Authentication.class), any(Object.class), any(Object.class));
}

Also used: PermissionEvaluator (org.springframework.security.access.PermissionEvaluator), Authentication (org.springframework.security.core.Authentication), Test (org.junit.jupiter.api.Test)

Example 3 with PermissionEvaluator

Use of org.springframework.security.access.PermissionEvaluator in project spring-security by spring-projects.

Class GlobalMethodSecurityConfigurationTests, method globalMethodSecurityConfigurationAutowiresPermissionEvaluator.

@Test
@WithMockUser
public void globalMethodSecurityConfigurationAutowiresPermissionEvaluator() {
    this.spring.register(AutowirePermissionEvaluatorConfig.class).autowire();
    PermissionEvaluator permission = this.spring.getContext().getBean(PermissionEvaluator.class);
    // Consecutive stubbing: the first hasPermission check is granted, the second denied.
    given(permission.hasPermission(any(), eq("something"), eq("read"))).willReturn(true, false);
    this.service.hasPermission("something");
    // no exception
    assertThatExceptionOfType(AccessDeniedException.class).isThrownBy(() -> this.service.hasPermission("something"));
}

Also used: PermissionEvaluator (org.springframework.security.access.PermissionEvaluator), AccessDeniedException (org.springframework.security.access.AccessDeniedException), WithMockUser (org.springframework.security.test.context.support.WithMockUser), Test (org.junit.jupiter.api.Test)

Example 4 with PermissionEvaluator

Use of org.springframework.security.access.PermissionEvaluator in project spring-security by spring-projects.

Class MethodSecurityExpressionRootTests, method hasPermissionOnDomainObjectWorksWithIntegerExpressions.

@Test
public void hasPermissionOnDomainObjectWorksWithIntegerExpressions() {
    final Object dummyDomainObject = new Object();
    this.ctx.setVariable("domainObject", dummyDomainObject);
    final PermissionEvaluator pe = mock(PermissionEvaluator.class);
    this.root.setPermissionEvaluator(pe);
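    // The permission argument is matched by type only; the stubbed results
    // (true, true, false) follow call order, not the integer value passed.
    given(pe.hasPermission(eq(this.user), eq(dummyDomainObject), any(Integer.class))).willReturn(true, true, false);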
    Expression e = this.parser.parseExpression("hasPermission(#domainObject, 0xA)");
    // evaluator returns true
    assertThat(ExpressionUtils.evaluateAsBoolean(e, this.ctx)).isTrue();
    e = this.parser.parseExpression("hasPermission(#domainObject, 10)");
    // evaluator returns true
    assertThat(ExpressionUtils.evaluateAsBoolean(e, this.ctx)).isTrue();
    e = this.parser.parseExpression("hasPermission(#domainObject, 0xFF)");
    // evaluator returns false, make sure return value matches
    assertThat(ExpressionUtils.evaluateAsBoolean(e, this.ctx)).isFalse();
}

Also used: PermissionEvaluator (org.springframework.security.access.PermissionEvaluator), Expression (org.springframework.expression.Expression), Test (org.junit.jupiter.api.Test)

Example 5 with PermissionEvaluator

Use of org.springframework.security.access.PermissionEvaluator in project spring-security by spring-projects.

Class MethodSecurityExpressionRootTests, method hasPermissionWorksWithThisObject.

@Test
public void hasPermissionWorksWithThisObject() {
    Object targetObject = new Object() {

        public String getX() {
            return "x";
        }
    };
    this.root.setThis(targetObject);
    Integer i = 2;
    PermissionEvaluator pe = mock(PermissionEvaluator.class);
    this.root.setPermissionEvaluator(pe);
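    // Consecutive stubbing: the first check on targetObject is granted, the second denied.
    given(pe.hasPermission(this.user, targetObject, i)).willReturn(true, false);
    // "this.x" resolves to getX() on the target, so the evaluator receives the string "x".
    given(pe.hasPermission(this.user, "x", i)).willReturn(true);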
    Expression e = this.parser.parseExpression("hasPermission(this, 2)");
    assertThat(ExpressionUtils.evaluateAsBoolean(e, this.ctx)).isTrue();
    e = this.parser.parseExpression("hasPermission(this, 2)");
    assertThat(ExpressionUtils.evaluateAsBoolean(e, this.ctx)).isFalse();
    e = this.parser.parseExpression("hasPermission(this.x, 2)");
    assertThat(ExpressionUtils.evaluateAsBoolean(e, this.ctx)).isTrue();
}

Also used: PermissionEvaluator (org.springframework.security.access.PermissionEvaluator), Expression (org.springframework.expression.Expression), Test (org.junit.jupiter.api.Test)

Aggregations

PermissionEvaluator (org.springframework.security.access.PermissionEvaluator): 9
Test (org.junit.jupiter.api.Test): 6
Expression (org.springframework.expression.Expression): 2
RoleHierarchy (org.springframework.security.access.hierarchicalroles.RoleHierarchy): 2
AuthenticationTrustResolver (org.springframework.security.authentication.AuthenticationTrustResolver): 2
GrantedAuthorityDefaults (org.springframework.security.config.core.GrantedAuthorityDefaults): 2
Test (org.junit.Test): 1
BeansException (org.springframework.beans.BeansException): 1
NoSuchBeanDefinitionException (org.springframework.beans.factory.NoSuchBeanDefinitionException): 1
AnnotationConfigServletWebServerApplicationContext (org.springframework.boot.web.servlet.context.AnnotationConfigServletWebServerApplicationContext): 1
ApplicationContext (org.springframework.context.ApplicationContext): 1
AccessDeniedException (org.springframework.security.access.AccessDeniedException): 1
MethodSecurityExpressionHandler (org.springframework.security.access.expression.method.MethodSecurityExpressionHandler): 1
PreInvocationAuthorizationAdvice (org.springframework.security.access.prepost.PreInvocationAuthorizationAdvice): 1
Authentication (org.springframework.security.core.Authentication): 1
OAuth2MethodSecurityExpressionHandler (org.springframework.security.oauth2.provider.expression.OAuth2MethodSecurityExpressionHandler): 1
WithMockUser (org.springframework.security.test.context.support.WithMockUser): 1
DefaultWebSecurityExpressionHandler (org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler): 1