Example 1 with AuthorizationFailureEvent

use of org.springframework.security.access.event.AuthorizationFailureEvent in project spring-boot by spring-projects.

the class AuthorizationAuditListenerTests method testAuthorizationFailure.

@Test
public void testAuthorizationFailure() {
    // Secure object is the test itself; the username/password token was denied the required "USER" attribute.
    AuditApplicationEvent event = handleAuthorizationEvent(new AuthorizationFailureEvent(this,
            Collections.<ConfigAttribute>singletonList(new SecurityConfig("USER")),
            new UsernamePasswordAuthenticationToken("user", "password"),
            new AccessDeniedException("Bad user")));
    // The listener must map the Spring Security event onto the AUTHORIZATION_FAILURE audit type.
    assertThat(event.getAuditEvent().getType()).isEqualTo(AuthorizationAuditListener.AUTHORIZATION_FAILURE);
}
Also used : AccessDeniedException (org.springframework.security.access.AccessDeniedException), ConfigAttribute (org.springframework.security.access.ConfigAttribute), SecurityConfig (org.springframework.security.access.SecurityConfig), AuditApplicationEvent (org.springframework.boot.actuate.audit.listener.AuditApplicationEvent), UsernamePasswordAuthenticationToken (org.springframework.security.authentication.UsernamePasswordAuthenticationToken), AuthorizationFailureEvent (org.springframework.security.access.event.AuthorizationFailureEvent), Test (org.junit.Test)

Example 2 with AuthorizationFailureEvent

use of org.springframework.security.access.event.AuthorizationFailureEvent in project camel by apache.

the class SpringSecurityAuthorizationPolicy method beforeProcess.

protected void beforeProcess(Exchange exchange) throws Exception {
    List<ConfigAttribute> attributes = accessPolicy.getConfigAttributes();
    try {
        // The Authentication is carried on the incoming message, not in SecurityContextHolder.
        Authentication authToken = getAuthentication(exchange.getIn());
        if (authToken == null) {
            CamelAuthorizationException authorizationException = new CamelAuthorizationException("Cannot find the Authentication instance.", exchange);
            throw authorizationException;
        }
        Authentication authenticated = authenticateIfRequired(authToken);
        // Attempt authorization with the exchange as the secure object
        try {
            this.accessDecisionManager.decide(authenticated, exchange, attributes);
        } catch (AccessDeniedException accessDeniedException) {
            exchange.getIn().setHeader(Exchange.AUTHENTICATION_FAILURE_POLICY_ID, getId());
            // Publish the failure before rethrowing so listeners see it even though the
            // outer catch below wraps the exception in a CamelAuthorizationException.
            AuthorizationFailureEvent event = new AuthorizationFailureEvent(exchange, attributes, authenticated, accessDeniedException);
            publishEvent(event);
            throw accessDeniedException;
        }
        publishEvent(new AuthorizedEvent(exchange, attributes, authenticated));
    } catch (RuntimeException exception) {
        // Any failure (missing token, authentication error, access denied) surfaces to the route as one exception type.
        exchange.getIn().setHeader(Exchange.AUTHENTICATION_FAILURE_POLICY_ID, getId());
        CamelAuthorizationException authorizationException = new CamelAuthorizationException("Cannot access the processor which has been protected.", exchange, exception);
        throw authorizationException;
    }
}
Also used : CamelAuthorizationException (org.apache.camel.CamelAuthorizationException), AccessDeniedException (org.springframework.security.access.AccessDeniedException), ConfigAttribute (org.springframework.security.access.ConfigAttribute), Authentication (org.springframework.security.core.Authentication), AuthorizedEvent (org.springframework.security.access.event.AuthorizedEvent), AuthorizationFailureEvent (org.springframework.security.access.event.AuthorizationFailureEvent)

Example 3 with AuthorizationFailureEvent

use of org.springframework.security.access.event.AuthorizationFailureEvent in project spring-security by spring-projects.

the class AuthorizationFailureEventTests method gettersReturnCtorSuppliedData.

@Test
public void gettersReturnCtorSuppliedData() throws Exception {
    // attributes, foo (an Authentication) and exception are fixtures created by the enclosing test class.
    AuthorizationFailureEvent event = new AuthorizationFailureEvent(new Object(), attributes, foo, exception);
    // The event stores the constructor arguments by reference, without copying or wrapping them.
    assertThat(event.getConfigAttributes()).isSameAs(attributes);
    assertThat(event.getAccessDeniedException()).isSameAs(exception);
    assertThat(event.getAuthentication()).isSameAs(foo);
}
Also used : AuthorizationFailureEvent (org.springframework.security.access.event.AuthorizationFailureEvent), Test (org.junit.Test)

Example 4 with AuthorizationFailureEvent

use of org.springframework.security.access.event.AuthorizationFailureEvent in project spring-security by spring-projects.

the class AbstractSecurityInterceptor method beforeInvocation.

protected InterceptorStatusToken beforeInvocation(Object object) {
    Assert.notNull(object, "Object was null");
    final boolean debug = logger.isDebugEnabled();
    if (!getSecureObjectClass().isAssignableFrom(object.getClass())) {
        throw new IllegalArgumentException("Security invocation attempted for object " + object.getClass().getName() + " but AbstractSecurityInterceptor only configured to support secure objects of type: " + getSecureObjectClass());
    }
    Collection<ConfigAttribute> attributes = this.obtainSecurityMetadataSource().getAttributes(object);
    if (attributes == null || attributes.isEmpty()) {
        // No attributes means a public invocation: no authentication or authorization is performed
        // unless rejectPublicInvocations is set, which treats the missing metadata as a misconfiguration.
        if (rejectPublicInvocations) {
            throw new IllegalArgumentException("Secure object invocation " + object + " was denied as public invocations are not allowed via this interceptor. " + "This indicates a configuration error because the " + "rejectPublicInvocations property is set to 'true'");
        }
        if (debug) {
            logger.debug("Public object - authentication not attempted");
        }
        publishEvent(new PublicInvocationEvent(object));
        // no further work post-invocation
        return null;
    }
    if (debug) {
        logger.debug("Secure object: " + object + "; Attributes: " + attributes);
    }
    // An absent Authentication is an authentication failure, not an authorization failure:
    // credentialsNotFound() throws rather than returning, so no AuthorizationFailureEvent is published here.
    if (SecurityContextHolder.getContext().getAuthentication() == null) {
        credentialsNotFound(messages.getMessage("AbstractSecurityInterceptor.authenticationNotFound", "An Authentication object was not found in the SecurityContext"), object, attributes);
    }
    Authentication authenticated = authenticateIfRequired();
    // Attempt authorization
    try {
        this.accessDecisionManager.decide(authenticated, object, attributes);
    } catch (AccessDeniedException accessDeniedException) {
        // Failure is always published; success is published only when publishAuthorizationSuccess is enabled.
        publishEvent(new AuthorizationFailureEvent(object, attributes, authenticated, accessDeniedException));
        throw accessDeniedException;
    }
    if (debug) {
        logger.debug("Authorization successful");
    }
    if (publishAuthorizationSuccess) {
        publishEvent(new AuthorizedEvent(object, attributes, authenticated));
    }
    // Attempt to run as a different user
    Authentication runAs = this.runAsManager.buildRunAs(authenticated, object, attributes);
    if (runAs == null) {
        if (debug) {
            logger.debug("RunAsManager did not change Authentication object");
        }
        // no further work post-invocation
        return new InterceptorStatusToken(SecurityContextHolder.getContext(), false, attributes, object);
    } else {
        if (debug) {
            logger.debug("Switching to RunAs Authentication: " + runAs);
        }
        // Swap in a fresh context holding the RunAs token; the original context is kept in the
        // status token so afterInvocation() can restore it.
        SecurityContext origCtx = SecurityContextHolder.getContext();
        SecurityContextHolder.setContext(SecurityContextHolder.createEmptyContext());
        SecurityContextHolder.getContext().setAuthentication(runAs);
        // need to revert to token.Authenticated post-invocation
        return new InterceptorStatusToken(origCtx, true, attributes, object);
    }
}
Also used : AccessDeniedException (org.springframework.security.access.AccessDeniedException), PublicInvocationEvent (org.springframework.security.access.event.PublicInvocationEvent), ConfigAttribute (org.springframework.security.access.ConfigAttribute), Authentication (org.springframework.security.core.Authentication), AuthorizedEvent (org.springframework.security.access.event.AuthorizedEvent), SecurityContext (org.springframework.security.core.context.SecurityContext), AuthorizationFailureEvent (org.springframework.security.access.event.AuthorizationFailureEvent)

Example 5 with AuthorizationFailureEvent

use of org.springframework.security.access.event.AuthorizationFailureEvent in project spring-boot by spring-projects.

the class AuthorizationAuditListenerTests method testDetailsAreIncludedInAuditEvent.

@Test
public void testDetailsAreIncludedInAuditEvent() throws Exception {
    Object details = new Object();
    UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken("user", "password");
    // Details (typically remote address and session id for web requests) ride along on the Authentication.
    authentication.setDetails(details);
    AuditApplicationEvent event = handleAuthorizationEvent(new AuthorizationFailureEvent(this,
            Collections.<ConfigAttribute>singletonList(new SecurityConfig("USER")),
            authentication,
            new AccessDeniedException("Bad user")));
    assertThat(event.getAuditEvent().getType()).isEqualTo(AuthorizationAuditListener.AUTHORIZATION_FAILURE);
    // The audit listener must copy the details into the audit event's data map under the "details" key.
    assertThat(event.getAuditEvent().getData()).containsEntry("details", details);
}
Also used : AccessDeniedException (org.springframework.security.access.AccessDeniedException), ConfigAttribute (org.springframework.security.access.ConfigAttribute), SecurityConfig (org.springframework.security.access.SecurityConfig), AuditApplicationEvent (org.springframework.boot.actuate.audit.listener.AuditApplicationEvent), UsernamePasswordAuthenticationToken (org.springframework.security.authentication.UsernamePasswordAuthenticationToken), AuthorizationFailureEvent (org.springframework.security.access.event.AuthorizationFailureEvent), Test (org.junit.Test)
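The usages above show the event being published (Examples 2 and 4) and being asserted on in listener tests (Examples 1, 3 and 5), but not a consumer. The listener below is an added example, not code from Spring Security, Spring Boot or Camel: it flattens an AuthorizationFailureEvent into an audit record using only the event's own getters (getAuthentication, getConfigAttributes, getAccessDeniedException, getSource) and keeps a per-principal sliding-window count so that a burst of denials, the usual signature of privilege probing, can be flagged. The class name DenialAuditListener, the threshold and window parameters, and the System.out sink are assumptions; a real deployment would forward the record to its log pipeline or an actuator AuditEventRepository.

```java
import java.time.Clock;
import java.time.Instant;
import java.util.ArrayDeque;
import java.util.Collection;
import java.util.Deque;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.stream.Collectors;

import org.springframework.context.ApplicationListener;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.event.AuthorizationFailureEvent;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

/**
 * Hypothetical consumer of AuthorizationFailureEvent (added example, not part of any
 * of the projects listed on this page). Spring dispatches only events assignable to
 * the generic parameter, so AuthorizedEvent and PublicInvocationEvent never reach it.
 */
public class DenialAuditListener implements ApplicationListener<AuthorizationFailureEvent> {

    private final int threshold;          // denials per principal that count as a burst (assumed tuning knob)
    private final long windowSeconds;     // length of the sliding window (assumed tuning knob)
    private final Clock clock;            // injectable so the window logic is testable
    private final Map<String, Deque<Instant>> recentDenials = new ConcurrentHashMap<>();

    public DenialAuditListener(int threshold, long windowSeconds, Clock clock) {
        this.threshold = threshold;
        this.windowSeconds = windowSeconds;
        this.clock = clock;
    }

    @Override
    public void onApplicationEvent(AuthorizationFailureEvent event) {
        Map<String, Object> record = toAuditRecord(event);
        boolean burst = recordDenial((String) record.get("principal"));
        record.put("burst", burst);
        // Assumed sink: replace with the application's structured logger or audit repository.
        System.out.println(record);
    }

    /** Flattens the event into a map of plain values suitable for a log line or SIEM field set. */
    static Map<String, Object> toAuditRecord(AuthorizationFailureEvent event) {
        Authentication auth = event.getAuthentication();
        Map<String, Object> data = new LinkedHashMap<>();
        data.put("type", "AUTHORIZATION_FAILURE");
        data.put("principal", auth == null ? "<anonymous>" : auth.getName());
        data.put("authorities", auth == null ? "" : auth.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .collect(Collectors.joining(",")));
        // What the secure object demanded; mirrors what Example 4 passes to decide().
        data.put("requiredAttributes", attributesOf(event.getConfigAttributes()));
        // getSource() is the secure object itself (MethodInvocation, FilterInvocation, Camel Exchange, ...).
        data.put("secureObject", String.valueOf(event.getSource()));
        data.put("reason", event.getAccessDeniedException().getMessage());
        if (auth != null && auth.getDetails() != null) {
            // Same field Example 5 expects to find in the audit data ("details").
            data.put("details", auth.getDetails());
        }
        return data;
    }

    private static String attributesOf(Collection<ConfigAttribute> attributes) {
        if (attributes == null) {
            return "";
        }
        // getAttribute() is null for expression-based attributes, so fall back to toString() for those.
        return attributes.stream()
                .map(a -> a.getAttribute() != null ? a.getAttribute() : String.valueOf(a))
                .collect(Collectors.joining(","));
    }

    /** Sliding-window counter per principal; returns true once the threshold is reached inside the window. */
    boolean recordDenial(String principal) {
        Instant now = clock.instant();
        Instant cutoff = now.minusSeconds(windowSeconds);
        Deque<Instant> hits = recentDenials.computeIfAbsent(principal, p -> new ArrayDeque<>());
        synchronized (hits) {
            hits.addLast(now);
            while (!hits.isEmpty() && hits.peekFirst().isBefore(cutoff)) {
                hits.pollFirst();
            }
            return hits.size() >= threshold;
        }
    }
}
```

Register it as an ordinary bean (for instance `new DenialAuditListener(5, 60, Clock.systemUTC())`) and the ApplicationEventPublisher used by AbstractSecurityInterceptor in Example 4 or by the Camel policy in Example 2 will deliver every denial to it. Two practical points: the listener runs synchronously on the thread that was denied, so keep it cheap and never let it throw, otherwise the original AccessDeniedException is replaced by the listener's exception; and the `secureObject` string can be verbose or carry request data, so trim it before shipping to a log store. Newer Spring Security releases have moved to AuthorizationDeniedEvent in org.springframework.security.authorization.event, and the same flattening applies there with its own getters.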

Aggregations (usages of each type across the indexed examples)

AuthorizationFailureEvent (org.springframework.security.access.event.AuthorizationFailureEvent): 6
AccessDeniedException (org.springframework.security.access.AccessDeniedException): 4
ConfigAttribute (org.springframework.security.access.ConfigAttribute): 4
Test (org.junit.Test): 3
AuthorizedEvent (org.springframework.security.access.event.AuthorizedEvent): 3
AuditApplicationEvent (org.springframework.boot.actuate.audit.listener.AuditApplicationEvent): 2
SecurityConfig (org.springframework.security.access.SecurityConfig): 2
UsernamePasswordAuthenticationToken (org.springframework.security.authentication.UsernamePasswordAuthenticationToken): 2
Authentication (org.springframework.security.core.Authentication): 2
Date (java.util.Date): 1
CamelAuthorizationException (org.apache.camel.CamelAuthorizationException): 1
EventBuilder (org.opennms.netmgt.model.events.EventBuilder): 1
PublicInvocationEvent (org.springframework.security.access.event.PublicInvocationEvent): 1
AbstractAuthenticationFailureEvent (org.springframework.security.authentication.event.AbstractAuthenticationFailureEvent): 1
AuthenticationSuccessEvent (org.springframework.security.authentication.event.AuthenticationSuccessEvent): 1
InteractiveAuthenticationSuccessEvent (org.springframework.security.authentication.event.InteractiveAuthenticationSuccessEvent): 1
SecurityContext (org.springframework.security.core.context.SecurityContext): 1
ServletRequestHandledEvent (org.springframework.web.context.support.ServletRequestHandledEvent): 1