Search in sources :

Example 11 with SimpleGrantedAuthority

use of org.springframework.security.core.authority.SimpleGrantedAuthority in project spring-security by spring-projects.

the class AclImplementationSecurityCheckTests method testSecurityCheckWithMultipleACEs.

@Test
public void testSecurityCheckWithMultipleACEs() throws Exception {
    // Create a simple authentication with ROLE_GENERAL
    Authentication auth = new TestingAuthenticationToken("user", "password", "ROLE_GENERAL");
    auth.setAuthenticated(true);
    SecurityContextHolder.getContext().setAuthentication(auth);
    ObjectIdentity identity = new ObjectIdentityImpl(TARGET_CLASS, new Long(100));
    // Authorization strategy will require a different role for each access
    AclAuthorizationStrategy aclAuthorizationStrategy = new AclAuthorizationStrategyImpl(new SimpleGrantedAuthority("ROLE_OWNERSHIP"), new SimpleGrantedAuthority("ROLE_AUDITING"), new SimpleGrantedAuthority("ROLE_GENERAL"));
    // Let's give the principal the ADMINISTRATION permission, without
    // granting access
    MutableAcl aclFirstDeny = new AclImpl(identity, new Long(1), aclAuthorizationStrategy, new ConsoleAuditLogger());
    aclFirstDeny.insertAce(0, BasePermission.ADMINISTRATION, new PrincipalSid(auth), false);
    // The CHANGE_GENERAL test should pass as the principal has ROLE_GENERAL
    aclAuthorizationStrategy.securityCheck(aclFirstDeny, AclAuthorizationStrategy.CHANGE_GENERAL);
    // nor granting access
    try {
        aclAuthorizationStrategy.securityCheck(aclFirstDeny, AclAuthorizationStrategy.CHANGE_AUDITING);
        fail("It should have thrown AccessDeniedException");
    } catch (AccessDeniedException expected) {
    }
    try {
        aclAuthorizationStrategy.securityCheck(aclFirstDeny, AclAuthorizationStrategy.CHANGE_OWNERSHIP);
        fail("It should have thrown AccessDeniedException");
    } catch (AccessDeniedException expected) {
    }
    // Add granting access to this principal
    aclFirstDeny.insertAce(1, BasePermission.ADMINISTRATION, new PrincipalSid(auth), true);
    // (false) will deny this access
    try {
        aclAuthorizationStrategy.securityCheck(aclFirstDeny, AclAuthorizationStrategy.CHANGE_AUDITING);
        fail("It should have thrown AccessDeniedException");
    } catch (AccessDeniedException expected) {
    }
    // Create another ACL and give the principal the ADMINISTRATION
    // permission, with granting access
    MutableAcl aclFirstAllow = new AclImpl(identity, new Long(1), aclAuthorizationStrategy, new ConsoleAuditLogger());
    aclFirstAllow.insertAce(0, BasePermission.ADMINISTRATION, new PrincipalSid(auth), true);
    // The CHANGE_AUDITING test should pass as there is one ACE with
    // granting access
    aclAuthorizationStrategy.securityCheck(aclFirstAllow, AclAuthorizationStrategy.CHANGE_AUDITING);
    // Add a deny ACE and test again for CHANGE_AUDITING
    aclFirstAllow.insertAce(1, BasePermission.ADMINISTRATION, new PrincipalSid(auth), false);
    try {
        aclAuthorizationStrategy.securityCheck(aclFirstAllow, AclAuthorizationStrategy.CHANGE_AUDITING);
    } catch (AccessDeniedException notExpected) {
        fail("It shouldn't have thrown AccessDeniedException");
    }
    // Create an ACL with no ACE
    MutableAcl aclNoACE = new AclImpl(identity, new Long(1), aclAuthorizationStrategy, new ConsoleAuditLogger());
    try {
        aclAuthorizationStrategy.securityCheck(aclNoACE, AclAuthorizationStrategy.CHANGE_AUDITING);
        fail("It should have thrown NotFoundException");
    } catch (NotFoundException expected) {
    }
    // and still grant access for CHANGE_GENERAL
    try {
        aclAuthorizationStrategy.securityCheck(aclNoACE, AclAuthorizationStrategy.CHANGE_GENERAL);
    } catch (NotFoundException expected) {
        fail("It shouldn't have thrown NotFoundException");
    }
}
Also used : AccessDeniedException(org.springframework.security.access.AccessDeniedException) NotFoundException(org.springframework.security.acls.model.NotFoundException) TestingAuthenticationToken(org.springframework.security.authentication.TestingAuthenticationToken) SimpleGrantedAuthority(org.springframework.security.core.authority.SimpleGrantedAuthority) ObjectIdentity(org.springframework.security.acls.model.ObjectIdentity) Authentication(org.springframework.security.core.Authentication) MutableAcl(org.springframework.security.acls.model.MutableAcl)

Example 12 with SimpleGrantedAuthority

use of org.springframework.security.core.authority.SimpleGrantedAuthority in project spring-security by spring-projects.

the class AclImplementationSecurityCheckTests method testSecurityCheckPrincipalOwner.

@Test
public void testSecurityCheckPrincipalOwner() throws Exception {
    Authentication auth = new TestingAuthenticationToken("user", "password", "ROLE_ONE");
    auth.setAuthenticated(true);
    SecurityContextHolder.getContext().setAuthentication(auth);
    ObjectIdentity identity = new ObjectIdentityImpl(TARGET_CLASS, 100);
    AclAuthorizationStrategy aclAuthorizationStrategy = new AclAuthorizationStrategyImpl(new SimpleGrantedAuthority("ROLE_OWNERSHIP"), new SimpleGrantedAuthority("ROLE_AUDITING"), new SimpleGrantedAuthority("ROLE_GENERAL"));
    Acl acl = new AclImpl(identity, 1, aclAuthorizationStrategy, new DefaultPermissionGrantingStrategy(new ConsoleAuditLogger()), null, null, false, new PrincipalSid(auth));
    try {
        aclAuthorizationStrategy.securityCheck(acl, AclAuthorizationStrategy.CHANGE_GENERAL);
    } catch (AccessDeniedException notExpected) {
        fail("It shouldn't have thrown AccessDeniedException");
    }
    try {
        aclAuthorizationStrategy.securityCheck(acl, AclAuthorizationStrategy.CHANGE_AUDITING);
        fail("It shouldn't have thrown AccessDeniedException");
    } catch (NotFoundException expected) {
    }
    try {
        aclAuthorizationStrategy.securityCheck(acl, AclAuthorizationStrategy.CHANGE_OWNERSHIP);
    } catch (AccessDeniedException notExpected) {
        fail("It shouldn't have thrown AccessDeniedException");
    }
}
Also used : AccessDeniedException(org.springframework.security.access.AccessDeniedException) NotFoundException(org.springframework.security.acls.model.NotFoundException) MutableAcl(org.springframework.security.acls.model.MutableAcl) Acl(org.springframework.security.acls.model.Acl) TestingAuthenticationToken(org.springframework.security.authentication.TestingAuthenticationToken) SimpleGrantedAuthority(org.springframework.security.core.authority.SimpleGrantedAuthority) ObjectIdentity(org.springframework.security.acls.model.ObjectIdentity) Authentication(org.springframework.security.core.Authentication)

Example 13 with SimpleGrantedAuthority

use of org.springframework.security.core.authority.SimpleGrantedAuthority in project spring-security by spring-projects.

the class AclImplementationSecurityCheckTests method testSecurityCheckWithInheritableACEs.

@Test
public void testSecurityCheckWithInheritableACEs() throws Exception {
    // Create a simple authentication with ROLE_GENERAL
    Authentication auth = new TestingAuthenticationToken("user", "password", "ROLE_GENERAL");
    auth.setAuthenticated(true);
    SecurityContextHolder.getContext().setAuthentication(auth);
    ObjectIdentity identity = new ObjectIdentityImpl(TARGET_CLASS, 100);
    // Authorization strategy will require a different role for each access
    AclAuthorizationStrategy aclAuthorizationStrategy = new AclAuthorizationStrategyImpl(new SimpleGrantedAuthority("ROLE_ONE"), new SimpleGrantedAuthority("ROLE_TWO"), new SimpleGrantedAuthority("ROLE_GENERAL"));
    // Let's give the principal an ADMINISTRATION permission, with granting
    // access
    MutableAcl parentAcl = new AclImpl(identity, 1, aclAuthorizationStrategy, new ConsoleAuditLogger());
    parentAcl.insertAce(0, BasePermission.ADMINISTRATION, new PrincipalSid(auth), true);
    MutableAcl childAcl = new AclImpl(identity, 2, aclAuthorizationStrategy, new ConsoleAuditLogger());
    // rights on CHANGE_OWNERSHIP
    try {
        aclAuthorizationStrategy.securityCheck(childAcl, AclAuthorizationStrategy.CHANGE_OWNERSHIP);
        fail("It should have thrown NotFoundException");
    } catch (NotFoundException expected) {
    }
    // Link the child with its parent and test again against the
    // CHANGE_OWNERSHIP right
    childAcl.setParent(parentAcl);
    childAcl.setEntriesInheriting(true);
    try {
        aclAuthorizationStrategy.securityCheck(childAcl, AclAuthorizationStrategy.CHANGE_OWNERSHIP);
    } catch (NotFoundException expected) {
        fail("It shouldn't have thrown NotFoundException");
    }
    // Create a root parent and link it to the middle parent
    MutableAcl rootParentAcl = new AclImpl(identity, 1, aclAuthorizationStrategy, new ConsoleAuditLogger());
    parentAcl = new AclImpl(identity, 1, aclAuthorizationStrategy, new ConsoleAuditLogger());
    rootParentAcl.insertAce(0, BasePermission.ADMINISTRATION, new PrincipalSid(auth), true);
    parentAcl.setEntriesInheriting(true);
    parentAcl.setParent(rootParentAcl);
    childAcl.setParent(parentAcl);
    try {
        aclAuthorizationStrategy.securityCheck(childAcl, AclAuthorizationStrategy.CHANGE_OWNERSHIP);
    } catch (NotFoundException expected) {
        fail("It shouldn't have thrown NotFoundException");
    }
}
Also used : SimpleGrantedAuthority(org.springframework.security.core.authority.SimpleGrantedAuthority) ObjectIdentity(org.springframework.security.acls.model.ObjectIdentity) Authentication(org.springframework.security.core.Authentication) NotFoundException(org.springframework.security.acls.model.NotFoundException) MutableAcl(org.springframework.security.acls.model.MutableAcl) TestingAuthenticationToken(org.springframework.security.authentication.TestingAuthenticationToken)

Example 14 with SimpleGrantedAuthority

use of org.springframework.security.core.authority.SimpleGrantedAuthority in project spring-security by spring-projects.

the class EhCacheBasedAclCacheTests method putInCacheAclWithParent.

@Test
public void putInCacheAclWithParent() throws Exception {
    Authentication auth = new TestingAuthenticationToken("user", "password", "ROLE_GENERAL");
    auth.setAuthenticated(true);
    SecurityContextHolder.getContext().setAuthentication(auth);
    ObjectIdentity identityParent = new ObjectIdentityImpl(TARGET_CLASS, Long.valueOf(2));
    AclAuthorizationStrategy aclAuthorizationStrategy = new AclAuthorizationStrategyImpl(new SimpleGrantedAuthority("ROLE_OWNERSHIP"), new SimpleGrantedAuthority("ROLE_AUDITING"), new SimpleGrantedAuthority("ROLE_GENERAL"));
    MutableAcl parentAcl = new AclImpl(identityParent, Long.valueOf(2), aclAuthorizationStrategy, new ConsoleAuditLogger());
    acl.setParent(parentAcl);
    myCache.putInCache(acl);
    verify(cache, times(4)).put(element.capture());
    List<Element> allValues = element.getAllValues();
    assertThat(allValues.get(0).getKey()).isEqualTo(parentAcl.getObjectIdentity());
    assertThat(allValues.get(0).getObjectValue()).isEqualTo(parentAcl);
    assertThat(allValues.get(1).getKey()).isEqualTo(parentAcl.getId());
    assertThat(allValues.get(1).getObjectValue()).isEqualTo(parentAcl);
    assertThat(allValues.get(2).getKey()).isEqualTo(acl.getObjectIdentity());
    assertThat(allValues.get(2).getObjectValue()).isEqualTo(acl);
    assertThat(allValues.get(3).getKey()).isEqualTo(acl.getId());
    assertThat(allValues.get(3).getObjectValue()).isEqualTo(acl);
}
Also used : SimpleGrantedAuthority(org.springframework.security.core.authority.SimpleGrantedAuthority) ObjectIdentity(org.springframework.security.acls.model.ObjectIdentity) Authentication(org.springframework.security.core.Authentication) Element(net.sf.ehcache.Element) MutableAcl(org.springframework.security.acls.model.MutableAcl) TestingAuthenticationToken(org.springframework.security.authentication.TestingAuthenticationToken) Test(org.junit.Test)

Example 15 with SimpleGrantedAuthority

use of org.springframework.security.core.authority.SimpleGrantedAuthority in project spring-security by spring-projects.

the class SidTests method testGrantedAuthoritySidHashCode.

@Test
public void testGrantedAuthoritySidHashCode() throws Exception {
    GrantedAuthority ga = new SimpleGrantedAuthority("ROLE_TEST");
    Sid gaSid = new GrantedAuthoritySid(ga);
    assertThat(gaSid.hashCode()).isEqualTo("ROLE_TEST".hashCode());
    assertThat(gaSid.hashCode()).isEqualTo(new GrantedAuthoritySid("ROLE_TEST").hashCode());
    assertThat(gaSid.hashCode()).isNotEqualTo(new GrantedAuthoritySid("ROLE_TEST_2").hashCode());
    assertThat(gaSid.hashCode()).isNotEqualTo(new GrantedAuthoritySid(new SimpleGrantedAuthority("ROLE_TEST_2")).hashCode());
}
Also used : SimpleGrantedAuthority(org.springframework.security.core.authority.SimpleGrantedAuthority) GrantedAuthoritySid(org.springframework.security.acls.domain.GrantedAuthoritySid) SimpleGrantedAuthority(org.springframework.security.core.authority.SimpleGrantedAuthority) GrantedAuthority(org.springframework.security.core.GrantedAuthority) Sid(org.springframework.security.acls.model.Sid) GrantedAuthoritySid(org.springframework.security.acls.domain.GrantedAuthoritySid) PrincipalSid(org.springframework.security.acls.domain.PrincipalSid) Test(org.junit.Test)

Aggregations

SimpleGrantedAuthority (org.springframework.security.core.authority.SimpleGrantedAuthority)96 GrantedAuthority (org.springframework.security.core.GrantedAuthority)56 Test (org.junit.Test)45 ArrayList (java.util.ArrayList)24 Authentication (org.springframework.security.core.Authentication)23 UsernamePasswordAuthenticationToken (org.springframework.security.authentication.UsernamePasswordAuthenticationToken)16 HashSet (java.util.HashSet)13 User (org.springframework.security.core.userdetails.User)11 ObjectIdentity (org.springframework.security.acls.model.ObjectIdentity)8 OAuth2Authentication (org.springframework.security.oauth2.provider.OAuth2Authentication)8 MutableAcl (org.springframework.security.acls.model.MutableAcl)7 TestingAuthenticationToken (org.springframework.security.authentication.TestingAuthenticationToken)7 AuthorizationRequest (org.springframework.security.oauth2.provider.AuthorizationRequest)7 Before (org.junit.Before)6 OrcidOAuth2Authentication (org.orcid.core.oauth.OrcidOAuth2Authentication)6 ScopePathType (org.orcid.jaxb.model.message.ScopePathType)6 AnonymousAuthenticationToken (org.springframework.security.authentication.AnonymousAuthenticationToken)6 DBUnitTest (org.orcid.test.DBUnitTest)5 UserDetails (org.springframework.security.core.userdetails.UserDetails)5 HashMap (java.util.HashMap)4