
Example 71 with Authentication

use of org.springframework.security.core.Authentication in project spring-security by spring-projects.

Class AclImplementationSecurityCheckTests, method testSecurityCheckWithMultipleACEs.

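@Test
public void testSecurityCheckWithMultipleACEs() throws Exception {
    // The principal holds ROLE_GENERAL only. With the strategy below that role satisfies
    // CHANGE_GENERAL, so CHANGE_AUDITING / CHANGE_OWNERSHIP can only be obtained through ACEs.
    Authentication auth = new TestingAuthenticationToken("user", "password", "ROLE_GENERAL");
    auth.setAuthenticated(true);
    SecurityContextHolder.getContext().setAuthentication(auth);
    // Long.valueOf instead of the deprecated Long(long) constructor; matches the sibling tests.
    ObjectIdentity identity = new ObjectIdentityImpl(TARGET_CLASS, Long.valueOf(100));
    // Authorization strategy will require a different role for each kind of change
    AclAuthorizationStrategy aclAuthorizationStrategy = new AclAuthorizationStrategyImpl(new SimpleGrantedAuthority("ROLE_OWNERSHIP"), new SimpleGrantedAuthority("ROLE_AUDITING"), new SimpleGrantedAuthority("ROLE_GENERAL"));
    // First ACL: a single ACE that names the principal for ADMINISTRATION but DENIES it
    MutableAcl aclFirstDeny = new AclImpl(identity, Long.valueOf(1), aclAuthorizationStrategy, new ConsoleAuditLogger());
    aclFirstDeny.insertAce(0, BasePermission.ADMINISTRATION, new PrincipalSid(auth), false);
    // CHANGE_GENERAL passes on the role alone, the ACEs are never consulted
    aclAuthorizationStrategy.securityCheck(aclFirstDeny, AclAuthorizationStrategy.CHANGE_GENERAL);
    // CHANGE_AUDITING and CHANGE_OWNERSHIP have no matching role and the only ACE denies,
    // so both must be refused
    try {
        aclAuthorizationStrategy.securityCheck(aclFirstDeny, AclAuthorizationStrategy.CHANGE_AUDITING);
        fail("It should have thrown AccessDeniedException");
    } catch (AccessDeniedException expected) {
    }
    try {
        aclAuthorizationStrategy.securityCheck(aclFirstDeny, AclAuthorizationStrategy.CHANGE_OWNERSHIP);
        fail("It should have thrown AccessDeniedException");
    } catch (AccessDeniedException expected) {
    }
    // Append a granting ACE AFTER the deny ACE: the earlier deny entry still decides,
    // so CHANGE_AUDITING remains refused (ACE order matters)
    aclFirstDeny.insertAce(1, BasePermission.ADMINISTRATION, new PrincipalSid(auth), true);
    try {
        aclAuthorizationStrategy.securityCheck(aclFirstDeny, AclAuthorizationStrategy.CHANGE_AUDITING);
        fail("It should have thrown AccessDeniedException");
    } catch (AccessDeniedException expected) {
    }
    // Second ACL: the granting ADMINISTRATION ACE comes first
    MutableAcl aclFirstAllow = new AclImpl(identity, Long.valueOf(1), aclAuthorizationStrategy, new ConsoleAuditLogger());
    aclFirstAllow.insertAce(0, BasePermission.ADMINISTRATION, new PrincipalSid(auth), true);
    // CHANGE_AUDITING passes through the granting ACE
    aclAuthorizationStrategy.securityCheck(aclFirstAllow, AclAuthorizationStrategy.CHANGE_AUDITING);
    // A deny ACE appended after the grant does not override it
    aclFirstAllow.insertAce(1, BasePermission.ADMINISTRATION, new PrincipalSid(auth), false);
    try {
        aclAuthorizationStrategy.securityCheck(aclFirstAllow, AclAuthorizationStrategy.CHANGE_AUDITING);
    } catch (AccessDeniedException notExpected) {
        fail("It shouldn't have thrown AccessDeniedException");
    }
    // Third ACL: no ACE at all. There is nothing to evaluate for CHANGE_AUDITING, which
    // surfaces as NotFoundException rather than AccessDeniedException
    MutableAcl aclNoACE = new AclImpl(identity, Long.valueOf(1), aclAuthorizationStrategy, new ConsoleAuditLogger());
    try {
        aclAuthorizationStrategy.securityCheck(aclNoACE, AclAuthorizationStrategy.CHANGE_AUDITING);
        fail("It should have thrown NotFoundException");
    } catch (NotFoundException expected) {
    }
    // CHANGE_GENERAL is still granted on the role alone, without touching the (empty) ACEs
    try {
        aclAuthorizationStrategy.securityCheck(aclNoACE, AclAuthorizationStrategy.CHANGE_GENERAL);
    } catch (NotFoundException expected) {
        fail("It shouldn't have thrown NotFoundException");
    }
}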

Example 72 with Authentication

use of org.springframework.security.core.Authentication in project spring-security by spring-projects.

Class AclImplementationSecurityCheckTests, method testSecurityCheckPrincipalOwner.

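@Test
public void testSecurityCheckPrincipalOwner() throws Exception {
    // The principal holds ROLE_ONE, which matches none of the roles the strategy requires,
    // so every decision in this test rests on ACL ownership alone.
    Authentication auth = new TestingAuthenticationToken("user", "password", "ROLE_ONE");
    auth.setAuthenticated(true);
    SecurityContextHolder.getContext().setAuthentication(auth);
    ObjectIdentity identity = new ObjectIdentityImpl(TARGET_CLASS, 100);
    AclAuthorizationStrategy aclAuthorizationStrategy = new AclAuthorizationStrategyImpl(new SimpleGrantedAuthority("ROLE_OWNERSHIP"), new SimpleGrantedAuthority("ROLE_AUDITING"), new SimpleGrantedAuthority("ROLE_GENERAL"));
    // An ACL without ACEs whose owner is the current principal
    Acl acl = new AclImpl(identity, 1, aclAuthorizationStrategy, new DefaultPermissionGrantingStrategy(new ConsoleAuditLogger()), null, null, false, new PrincipalSid(auth));
    // Ownership authorizes CHANGE_GENERAL
    try {
        aclAuthorizationStrategy.securityCheck(acl, AclAuthorizationStrategy.CHANGE_GENERAL);
    } catch (AccessDeniedException notExpected) {
        fail("It shouldn't have thrown AccessDeniedException");
    }
    // Ownership does not cover CHANGE_AUDITING. The check falls through to the ACEs, and
    // since the ACL has none the lookup reports NotFoundException (not AccessDeniedException).
    // The failure message names the exception the catch clause actually expects.
    try {
        aclAuthorizationStrategy.securityCheck(acl, AclAuthorizationStrategy.CHANGE_AUDITING);
        fail("It should have thrown NotFoundException");
    } catch (NotFoundException expected) {
    }
    // Ownership authorizes CHANGE_OWNERSHIP
    try {
        aclAuthorizationStrategy.securityCheck(acl, AclAuthorizationStrategy.CHANGE_OWNERSHIP);
    } catch (AccessDeniedException notExpected) {
        fail("It shouldn't have thrown AccessDeniedException");
    }
}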

Example 73 with Authentication

use of org.springframework.security.core.Authentication in project spring-security by spring-projects.

Class AclImplementationSecurityCheckTests, method testSecurityCheckWithInheritableACEs.

@Test
public void testSecurityCheckWithInheritableACEs() throws Exception {
    // Principal carrying ROLE_GENERAL only
    Authentication user = new TestingAuthenticationToken("user", "password", "ROLE_GENERAL");
    user.setAuthenticated(true);
    SecurityContextHolder.getContext().setAuthentication(user);
    ObjectIdentity oid = new ObjectIdentityImpl(TARGET_CLASS, 100);
    // Each kind of change is tied to its own role
    AclAuthorizationStrategy strategy = new AclAuthorizationStrategyImpl(new SimpleGrantedAuthority("ROLE_ONE"), new SimpleGrantedAuthority("ROLE_TWO"), new SimpleGrantedAuthority("ROLE_GENERAL"));
    // Parent ACL carries a granting ADMINISTRATION ACE for the principal
    MutableAcl parent = new AclImpl(oid, 1, strategy, new ConsoleAuditLogger());
    parent.insertAce(0, BasePermission.ADMINISTRATION, new PrincipalSid(user), true);
    // Child ACL starts out with no ACEs and no parent
    MutableAcl child = new AclImpl(oid, 2, strategy, new ConsoleAuditLogger());
    // Unlinked child: there is nothing to evaluate for CHANGE_OWNERSHIP
    try {
        strategy.securityCheck(child, AclAuthorizationStrategy.CHANGE_OWNERSHIP);
        fail("It should have thrown NotFoundException");
    } catch (NotFoundException expected) {
    }
    // Link the child to its parent with inheritance switched on and re-check CHANGE_OWNERSHIP
    child.setParent(parent);
    child.setEntriesInheriting(true);
    try {
        strategy.securityCheck(child, AclAuthorizationStrategy.CHANGE_OWNERSHIP);
    } catch (NotFoundException expected) {
        fail("It shouldn't have thrown NotFoundException");
    }
    // Now a three-level chain: the granting ACE sits on a root ACL, the middle
    // parent is a fresh, empty ACL that inherits from the root
    MutableAcl root = new AclImpl(oid, 1, strategy, new ConsoleAuditLogger());
    root.insertAce(0, BasePermission.ADMINISTRATION, new PrincipalSid(user), true);
    parent = new AclImpl(oid, 1, strategy, new ConsoleAuditLogger());
    parent.setEntriesInheriting(true);
    parent.setParent(root);
    child.setParent(parent);
    try {
        strategy.securityCheck(child, AclAuthorizationStrategy.CHANGE_OWNERSHIP);
    } catch (NotFoundException expected) {
        fail("It shouldn't have thrown NotFoundException");
    }
}

Example 74 with Authentication

use of org.springframework.security.core.Authentication in project spring-security by spring-projects.

Class EhCacheBasedAclCacheTests, method putInCacheAclWithParent.

@Test
public void putInCacheAclWithParent() throws Exception {
    // Authenticated principal so that AclImpl construction and parent linking pass the strategy's checks
    Authentication user = new TestingAuthenticationToken("user", "password", "ROLE_GENERAL");
    user.setAuthenticated(true);
    SecurityContextHolder.getContext().setAuthentication(user);
    ObjectIdentity parentOid = new ObjectIdentityImpl(TARGET_CLASS, Long.valueOf(2));
    AclAuthorizationStrategy strategy = new AclAuthorizationStrategyImpl(new SimpleGrantedAuthority("ROLE_OWNERSHIP"), new SimpleGrantedAuthority("ROLE_AUDITING"), new SimpleGrantedAuthority("ROLE_GENERAL"));
    MutableAcl parent = new AclImpl(parentOid, Long.valueOf(2), strategy, new ConsoleAuditLogger());
    acl.setParent(parent);
    myCache.putInCache(acl);
    // Two puts per ACL (one keyed by object identity, one by id), parent first, then the child
    verify(cache, times(4)).put(element.capture());
    List<Element> puts = element.getAllValues();
    Element parentByOid = puts.get(0);
    Element parentById = puts.get(1);
    Element childByOid = puts.get(2);
    Element childById = puts.get(3);
    assertThat(parentByOid.getKey()).isEqualTo(parent.getObjectIdentity());
    assertThat(parentByOid.getObjectValue()).isEqualTo(parent);
    assertThat(parentById.getKey()).isEqualTo(parent.getId());
    assertThat(parentById.getObjectValue()).isEqualTo(parent);
    assertThat(childByOid.getKey()).isEqualTo(acl.getObjectIdentity());
    assertThat(childByOid.getObjectValue()).isEqualTo(acl);
    assertThat(childById.getKey()).isEqualTo(acl.getId());
    assertThat(childById.getObjectValue()).isEqualTo(acl);
}

Example 75 with Authentication

use of org.springframework.security.core.Authentication in project spring-security by spring-projects.

Class AclAuthorizationStrategyImpl, method securityCheck.

// ~ Methods
// ========================================================================================================
/**
 * Verifies that the principal in the current {@code SecurityContext} may apply a change of
 * kind {@code changeType} to {@code acl}; returns normally when allowed and throws otherwise.
 * <p>
 * The decision is made in a fixed order and the first matching step wins:
 * <ol>
 * <li>an authenticated principal is mandatory;</li>
 * <li>the ACL owner may perform CHANGE_GENERAL and CHANGE_OWNERSHIP outright (owner status
 *     alone never covers CHANGE_AUDITING);</li>
 * <li>holding the authority configured for that change type grants it;</li>
 * <li>otherwise the ACL's own ACEs must grant ADMINISTRATION to one of the principal's SIDs.</li>
 * </ol>
 *
 * @param acl the ACL the change is to be applied to
 * @param changeType one of {@code CHANGE_AUDITING}, {@code CHANGE_GENERAL}, {@code CHANGE_OWNERSHIP}
 * @throws AccessDeniedException if no authenticated principal is present, or none of the
 *         steps above grants the change
 * @throws IllegalArgumentException if {@code changeType} is not one of the known values
 *         (raised after the owner shortcut, so an owner with an unknown change type still fails here)
 */
public void securityCheck(Acl acl, int changeType) {
    // Step 1: an authenticated principal is required before anything is looked at
    Authentication authentication = null;
    if (SecurityContextHolder.getContext() != null) {
        authentication = SecurityContextHolder.getContext().getAuthentication();
    }
    if (authentication == null || !authentication.isAuthenticated()) {
        throw new AccessDeniedException("Authenticated principal required to operate with ACLs");
    }
    // Step 2: ownership shortcut, only for the two change types an owner is trusted with
    boolean ownerMayChange = (changeType == CHANGE_GENERAL) || (changeType == CHANGE_OWNERSHIP);
    Sid currentUser = createCurrentUser(authentication);
    if (ownerMayChange && currentUser.equals(acl.getOwner())) {
        return;
    }
    // Step 3: the administrative authority configured for this change type
    if (changeType != CHANGE_AUDITING && changeType != CHANGE_GENERAL && changeType != CHANGE_OWNERSHIP) {
        throw new IllegalArgumentException("Unknown change type");
    }
    GrantedAuthority requiredAuthority = (changeType == CHANGE_AUDITING) ? this.gaModifyAuditing
            : (changeType == CHANGE_GENERAL) ? this.gaGeneralChanges
            : this.gaTakeOwnership;
    Set<String> heldAuthorities = AuthorityUtils.authorityListToSet(authentication.getAuthorities());
    if (heldAuthorities.contains(requiredAuthority.getAuthority())) {
        return;
    }
    // Step 4: ADMINISTRATION granted by the ACL's own entries for any of the principal's SIDs.
    // The final argument (administrative mode) is false, so this evaluation is audited like any
    // other. Note that isGranted may itself throw NotFoundException when no ACE applies,
    // which the tests on this page rely on - callers see that instead of AccessDeniedException.
    List<Sid> sids = sidRetrievalStrategy.getSids(authentication);
    if (acl.isGranted(Arrays.asList(BasePermission.ADMINISTRATION), sids, false)) {
        return;
    }
    throw new AccessDeniedException("Principal does not have required ACL permissions to perform requested operation");
}
