use of org.springframework.security.web.FilterInvocation in project spring-security by spring-projects.
the class FilterSecurityMetadataSourceBeanDefinitionParserTests method createFilterInvocation.
/**
 * Builds a {@link FilterInvocation} around a mock request whose servlet path and
 * HTTP method are taken from the arguments.
 *
 * @param path value stored as the servlet path of the mock request
 * @param method HTTP method stored on the mock request
 * @return an invocation wrapping the mock request, a mock response and a mock chain
 */
private FilterInvocation createFilterInvocation(String path, String method) {
    MockHttpServletRequest mockRequest = new MockHttpServletRequest();
    mockRequest.setMethod(method);
    mockRequest.setServletPath(path);
    // The request URI is explicitly cleared, so the servlet path is the only path
    // set on the request. Presumably this makes the metadata lookup under test
    // depend on servletPath alone; confirm against the callers.
    mockRequest.setRequestURI(null);

    MockHttpServletResponse mockResponse = new MockHttpServletResponse();
    MockFilterChain mockChain = new MockFilterChain();
    return new FilterInvocation(mockRequest, mockResponse, mockChain);
}
use of org.springframework.security.web.FilterInvocation in project spring-security-oauth by spring-projects.
the class OAuth2WebSecurityExpressionHandlerTests method testScopes.
/**
 * A client-only OAuth2 authentication (no user authentication) whose request
 * carries the scope "read" must satisfy {@code #oauth2.hasAnyScope('read')}.
 */
@Test
public void testScopes() throws Exception {
    // Client "foo" with the single scope "read"; the user part is deliberately null.
    OAuth2Request clientRequest = RequestTokenFactory.createOAuth2Request("foo", false, Collections.singleton("read"));
    Authentication noUser = null;
    OAuth2Authentication clientOnly = new OAuth2Authentication(clientRequest, noUser);

    FilterInvocation invocation = new FilterInvocation("/foo", "GET");
    Expression scopeCheck = handler.getExpressionParser().parseExpression("#oauth2.hasAnyScope('read')");

    // The expression is evaluated in the context the handler builds for this invocation.
    Object verdict = scopeCheck.getValue(handler.createEvaluationContext(clientOnly, invocation));
    assertTrue((Boolean) verdict);
}
use of org.springframework.security.web.FilterInvocation in project spring-security-oauth by spring-projects.
the class OAuth2WebSecurityExpressionHandlerTests method testOauthClient.
/**
 * A client-only OAuth2 authentication whose authorities were copied from client
 * details holding ROLE_CLIENT must satisfy
 * {@code #oauth2.clientHasAnyRole('ROLE_CLIENT')}.
 */
@Test
public void testOauthClient() throws Exception {
    AuthorizationRequest authorizationRequest = new AuthorizationRequest("foo", Collections.singleton("read"));
    // Resource ids and authorities are taken from the client details, not from the request itself.
    BaseClientDetails clientDetails = new BaseClientDetails("foo", "", "", "client_credentials", "ROLE_CLIENT");
    authorizationRequest.setResourceIdsAndAuthoritiesFromClientDetails(clientDetails);

    OAuth2Request clientRequest = RequestTokenFactory.createOAuth2Request(
            authorizationRequest.getRequestParameters(),
            authorizationRequest.getClientId(),
            authorizationRequest.getAuthorities(),
            authorizationRequest.isApproved(),
            authorizationRequest.getScope(),
            authorizationRequest.getResourceIds(),
            authorizationRequest.getRedirectUri(),
            authorizationRequest.getResponseTypes(),
            authorizationRequest.getExtensions());

    // No user authentication: only the client's own authorities are available.
    Authentication noUser = null;
    OAuth2Authentication clientOnly = new OAuth2Authentication(clientRequest, noUser);

    FilterInvocation invocation = new FilterInvocation("/foo", "GET");
    Expression roleCheck = handler.getExpressionParser().parseExpression("#oauth2.clientHasAnyRole('ROLE_CLIENT')");

    Object verdict = roleCheck.getValue(handler.createEvaluationContext(clientOnly, invocation));
    assertTrue((Boolean) verdict);
}
use of org.springframework.security.web.FilterInvocation in project spring-security by spring-projects.
the class DefaultWebInvocationPrivilegeEvaluator method isAllowed.
/**
* Determines whether the user represented by the supplied <tt>Authentication</tt>
* object is allowed to invoke the supplied URI, with the given HTTP method.
* <p>
* Note the default implementation of <tt>FilterInvocationSecurityMetadataSource</tt>
* disregards the <code>contextPath</code> when evaluating which secure object
* metadata applies to a given request URI, so generally the <code>contextPath</code>
* is unimportant unless you are using a custom
* <code>FilterInvocationSecurityMetadataSource</code>.
*
* @param uri the URI excluding the context path
* @param contextPath the context path (may be null, in which case a default value
* will be used).
* @param method the HTTP method (or null, for any method)
* @param authentication the <tt>Authentication</tt> instance whose authorities should
* be used in evaluating whether access should be granted.
* @return true if access is allowed, false if denied
*/
public boolean isAllowed(String contextPath, String uri, String method, Authentication authentication) {
    Assert.notNull(uri, "uri parameter is required");

    // Synthetic invocation used only to look up metadata and to ask for a decision;
    // no real request is dispatched.
    FilterInvocation invocation = new FilterInvocation(contextPath, uri, method);
    Collection<ConfigAttribute> attributes = securityInterceptor.obtainSecurityMetadataSource()
            .getAttributes(invocation);

    // Only a null result counts as "no metadata" (a public invocation). The answer then
    // depends solely on rejectPublicInvocations, and the authentication is not consulted.
    // A non-null but empty collection falls through to the decision manager below.
    if (attributes == null) {
        return !securityInterceptor.isRejectPublicInvocations();
    }

    // Secured resource with no authentication supplied: deny.
    if (authentication == null) {
        return false;
    }

    try {
        securityInterceptor.getAccessDecisionManager().decide(authentication, invocation, attributes);
        return true;
    } catch (AccessDeniedException unauthorized) {
        // Only AccessDeniedException is mapped to "denied"; any other exception thrown
        // by decide() propagates to the caller.
        if (logger.isDebugEnabled()) {
            // NOTE(review): the message embeds authentication.toString(); confirm that the
            // Authentication implementations in use do not render credentials there.
            logger.debug(invocation.toString() + " denied for " + authentication.toString(), unauthorized);
        }
        return false;
    }
}
use of org.springframework.security.web.FilterInvocation in project spring-security by spring-projects.
the class FilterInvocationTests method testRejectsNullServletResponse.
/**
 * Constructing a {@link FilterInvocation} with a null servlet response is expected
 * to fail with {@link IllegalArgumentException}.
 */
@Test(expected = IllegalArgumentException.class)
public void testRejectsNullServletResponse() {
    FilterChain chain = mock(FilterChain.class);
    MockHttpServletRequest request = new MockHttpServletRequest(null, null);
    // Request and chain are both non-null; the null response is the argument under test.
    new FilterInvocation(request, null, chain);
}