Search in sources :

Example 1 with PreInvocationAuthorizationAdviceVoter

use of org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter in project spring-security by spring-projects.

the class PrePostSecured method setUp.

@Before
public final void setUp() throws Exception {
    MockitoAnnotations.initMocks(this);
    interceptor = new AspectJMethodSecurityInterceptor();
    AccessDecisionVoter[] voters = new AccessDecisionVoter[] { new RoleVoter(), new PreInvocationAuthorizationAdviceVoter(new ExpressionBasedPreInvocationAdvice()) };
    adm = new AffirmativeBased(Arrays.<AccessDecisionVoter<? extends Object>>asList(voters));
    interceptor.setAccessDecisionManager(adm);
    interceptor.setAuthenticationManager(authman);
    interceptor.setSecurityMetadataSource(new SecuredAnnotationSecurityMetadataSource());
    AnnotationSecurityAspect secAspect = AnnotationSecurityAspect.aspectOf();
    secAspect.setSecurityInterceptor(interceptor);
}
Also used : SecuredAnnotationSecurityMetadataSource(org.springframework.security.access.annotation.SecuredAnnotationSecurityMetadataSource) AspectJMethodSecurityInterceptor(org.springframework.security.access.intercept.aspectj.AspectJMethodSecurityInterceptor) AffirmativeBased(org.springframework.security.access.vote.AffirmativeBased) RoleVoter(org.springframework.security.access.vote.RoleVoter) AccessDecisionVoter(org.springframework.security.access.AccessDecisionVoter) ExpressionBasedPreInvocationAdvice(org.springframework.security.access.expression.method.ExpressionBasedPreInvocationAdvice) PreInvocationAuthorizationAdviceVoter(org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter) Before(org.junit.Before)

Example 2 with PreInvocationAuthorizationAdviceVoter

use of org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter in project spring-security by spring-projects.

the class AnnotationSecurityAspectTests method setUp.

@BeforeEach
public final void setUp() {
    MockitoAnnotations.initMocks(this);
    this.interceptor = new AspectJMethodSecurityInterceptor();
    AccessDecisionVoter[] voters = new AccessDecisionVoter[] { new RoleVoter(), new PreInvocationAuthorizationAdviceVoter(new ExpressionBasedPreInvocationAdvice()) };
    this.adm = new AffirmativeBased(Arrays.<AccessDecisionVoter<? extends Object>>asList(voters));
    this.interceptor.setAccessDecisionManager(this.adm);
    this.interceptor.setAuthenticationManager(this.authman);
    this.interceptor.setSecurityMetadataSource(new SecuredAnnotationSecurityMetadataSource());
    AnnotationSecurityAspect secAspect = AnnotationSecurityAspect.aspectOf();
    secAspect.setSecurityInterceptor(this.interceptor);
}
Also used : SecuredAnnotationSecurityMetadataSource(org.springframework.security.access.annotation.SecuredAnnotationSecurityMetadataSource) AspectJMethodSecurityInterceptor(org.springframework.security.access.intercept.aspectj.AspectJMethodSecurityInterceptor) AffirmativeBased(org.springframework.security.access.vote.AffirmativeBased) RoleVoter(org.springframework.security.access.vote.RoleVoter) AccessDecisionVoter(org.springframework.security.access.AccessDecisionVoter) ExpressionBasedPreInvocationAdvice(org.springframework.security.access.expression.method.ExpressionBasedPreInvocationAdvice) PreInvocationAuthorizationAdviceVoter(org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter) BeforeEach(org.junit.jupiter.api.BeforeEach)

Example 3 with PreInvocationAuthorizationAdviceVoter

use of org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter in project spring-security by spring-projects.

the class GlobalMethodSecurityConfiguration method accessDecisionManager.

/**
 * Allows subclasses to provide a custom {@link AccessDecisionManager}. The default is
 * a {@link AffirmativeBased} with the following voters:
 *
 * <ul>
 * <li>{@link PreInvocationAuthorizationAdviceVoter}</li>
 * <li>{@link RoleVoter}</li>
 * <li>{@link AuthenticatedVoter}</li>
 * </ul>
 * @return the {@link AccessDecisionManager} to use
 */
protected AccessDecisionManager accessDecisionManager() {
    List<AccessDecisionVoter<?>> decisionVoters = new ArrayList<>();
    if (prePostEnabled()) {
        ExpressionBasedPreInvocationAdvice expressionAdvice = new ExpressionBasedPreInvocationAdvice();
        expressionAdvice.setExpressionHandler(getExpressionHandler());
        decisionVoters.add(new PreInvocationAuthorizationAdviceVoter(expressionAdvice));
    }
    if (jsr250Enabled()) {
        decisionVoters.add(new Jsr250Voter());
    }
    RoleVoter roleVoter = new RoleVoter();
    GrantedAuthorityDefaults grantedAuthorityDefaults = getSingleBeanOrNull(GrantedAuthorityDefaults.class);
    if (grantedAuthorityDefaults != null) {
        roleVoter.setRolePrefix(grantedAuthorityDefaults.getRolePrefix());
    }
    decisionVoters.add(roleVoter);
    decisionVoters.add(new AuthenticatedVoter());
    return new AffirmativeBased(decisionVoters);
}
Also used : AuthenticatedVoter(org.springframework.security.access.vote.AuthenticatedVoter) Jsr250Voter(org.springframework.security.access.annotation.Jsr250Voter) GrantedAuthorityDefaults(org.springframework.security.config.core.GrantedAuthorityDefaults) AffirmativeBased(org.springframework.security.access.vote.AffirmativeBased) ArrayList(java.util.ArrayList) RoleVoter(org.springframework.security.access.vote.RoleVoter) AccessDecisionVoter(org.springframework.security.access.AccessDecisionVoter) ExpressionBasedPreInvocationAdvice(org.springframework.security.access.expression.method.ExpressionBasedPreInvocationAdvice) PreInvocationAuthorizationAdviceVoter(org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter)

Example 4 with PreInvocationAuthorizationAdviceVoter

use of org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter in project spring-security by spring-projects.

the class GlobalMethodSecurityBeanDefinitionParserTests method expressionVoterAndAfterInvocationProviderUseSameExpressionHandlerInstance.

// Expression configuration tests
@SuppressWarnings("unchecked")
@Test
public void expressionVoterAndAfterInvocationProviderUseSameExpressionHandlerInstance() throws Exception {
    setContext("<global-method-security pre-post-annotations='enabled'/>" + ConfigTestUtils.AUTH_PROVIDER_XML);
    AffirmativeBased adm = (AffirmativeBased) this.appContext.getBeansOfType(AffirmativeBased.class).values().toArray()[0];
    List voters = (List) FieldUtils.getFieldValue(adm, "decisionVoters");
    PreInvocationAuthorizationAdviceVoter mev = (PreInvocationAuthorizationAdviceVoter) voters.get(0);
    MethodSecurityMetadataSourceAdvisor msi = (MethodSecurityMetadataSourceAdvisor) this.appContext.getBeansOfType(MethodSecurityMetadataSourceAdvisor.class).values().toArray()[0];
    AfterInvocationProviderManager pm = (AfterInvocationProviderManager) ((MethodSecurityInterceptor) msi.getAdvice()).getAfterInvocationManager();
    PostInvocationAdviceProvider aip = (PostInvocationAdviceProvider) pm.getProviders().get(0);
    assertThat(FieldUtils.getFieldValue(mev, "preAdvice.expressionHandler")).isSameAs(FieldUtils.getFieldValue(aip, "postAdvice.expressionHandler"));
}
Also used : PostInvocationAdviceProvider(org.springframework.security.access.prepost.PostInvocationAdviceProvider) MethodSecurityMetadataSourceAdvisor(org.springframework.security.access.intercept.aopalliance.MethodSecurityMetadataSourceAdvisor) AfterInvocationProviderManager(org.springframework.security.access.intercept.AfterInvocationProviderManager) AffirmativeBased(org.springframework.security.access.vote.AffirmativeBased) ArrayList(java.util.ArrayList) List(java.util.List) PreInvocationAuthorizationAdviceVoter(org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter) Test(org.junit.jupiter.api.Test)

Aggregations

PreInvocationAuthorizationAdviceVoter (org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter)4 AffirmativeBased (org.springframework.security.access.vote.AffirmativeBased)4 AccessDecisionVoter (org.springframework.security.access.AccessDecisionVoter)3 ExpressionBasedPreInvocationAdvice (org.springframework.security.access.expression.method.ExpressionBasedPreInvocationAdvice)3 RoleVoter (org.springframework.security.access.vote.RoleVoter)3 ArrayList (java.util.ArrayList)2 SecuredAnnotationSecurityMetadataSource (org.springframework.security.access.annotation.SecuredAnnotationSecurityMetadataSource)2 AspectJMethodSecurityInterceptor (org.springframework.security.access.intercept.aspectj.AspectJMethodSecurityInterceptor)2 List (java.util.List)1 Before (org.junit.Before)1 BeforeEach (org.junit.jupiter.api.BeforeEach)1 Test (org.junit.jupiter.api.Test)1 Jsr250Voter (org.springframework.security.access.annotation.Jsr250Voter)1 AfterInvocationProviderManager (org.springframework.security.access.intercept.AfterInvocationProviderManager)1 MethodSecurityMetadataSourceAdvisor (org.springframework.security.access.intercept.aopalliance.MethodSecurityMetadataSourceAdvisor)1 PostInvocationAdviceProvider (org.springframework.security.access.prepost.PostInvocationAdviceProvider)1 AuthenticatedVoter (org.springframework.security.access.vote.AuthenticatedVoter)1 GrantedAuthorityDefaults (org.springframework.security.config.core.GrantedAuthorityDefaults)1