Examples with FilterInvocation org.springframework.security.web.FilterInvocation used on opensource projects

Example 16 with FilterInvocation

use of org.springframework.security.web.FilterInvocation in project spring-security by spring-projects.

the class DefaultFilterChainValidator method checkLoginPageIsntProtected.

/*
	 * Checks for the common error of having a login page URL protected by the security
	 * interceptor
	 */
private void checkLoginPageIsntProtected(FilterChainProxy fcp, List<Filter> filterStack) {
    ExceptionTranslationFilter etf = getFilter(ExceptionTranslationFilter.class, filterStack);
    if (etf == null || !(etf.getAuthenticationEntryPoint() instanceof LoginUrlAuthenticationEntryPoint)) {
        return;
    }
    String loginPage = ((LoginUrlAuthenticationEntryPoint) etf.getAuthenticationEntryPoint()).getLoginFormUrl();
    logger.info("Checking whether login URL '" + loginPage + "' is accessible with your configuration");
    FilterInvocation loginRequest = new FilterInvocation(loginPage, "POST");
    List<Filter> filters = null;
    try {
        filters = fcp.getFilters(loginPage);
    } catch (Exception e) {
        // May happen legitimately if a filter-chain request matcher requires more
        // request data than that provided
        // by the dummy request used when creating the filter invocation.
        logger.info("Failed to obtain filter chain information for the login page. Unable to complete check.");
    }
    if (filters == null || filters.isEmpty()) {
        logger.debug("Filter chain is empty for the login page");
        return;
    }
    if (getFilter(DefaultLoginPageGeneratingFilter.class, filters) != null) {
        logger.debug("Default generated login page is in use");
        return;
    }
    FilterSecurityInterceptor fsi = getFilter(FilterSecurityInterceptor.class, filters);
    FilterInvocationSecurityMetadataSource fids = fsi.getSecurityMetadataSource();
    Collection<ConfigAttribute> attributes = fids.getAttributes(loginRequest);
    if (attributes == null) {
        logger.debug("No access attributes defined for login page URL");
        if (fsi.isRejectPublicInvocations()) {
            logger.warn("FilterSecurityInterceptor is configured to reject public invocations." + " Your login page may not be accessible.");
        }
        return;
    }
    AnonymousAuthenticationFilter anonPF = getFilter(AnonymousAuthenticationFilter.class, filters);
    if (anonPF == null) {
        logger.warn("The login page is being protected by the filter chain, but you don't appear to have" + " anonymous authentication enabled. This is almost certainly an error.");
        return;
    }
    // Simulate an anonymous access with the supplied attributes.
    AnonymousAuthenticationToken token = new AnonymousAuthenticationToken("key", anonPF.getPrincipal(), anonPF.getAuthorities());
    try {
        fsi.getAccessDecisionManager().decide(token, loginRequest, attributes);
    } catch (AccessDeniedException e) {
        logger.warn("Anonymous access to the login page doesn't appear to be enabled. This is almost certainly " + "an error. Please check your configuration allows unauthenticated access to the configured " + "login page. (Simulated access was rejected: " + e + ")");
    } catch (Exception e) {
        // May happen legitimately if a filter-chain request matcher requires more
        // request data than that provided
        // by the dummy request used when creating the filter invocation. See SEC-1878
        logger.info("Unable to check access to the login page to determine if anonymous access is allowed. This might be an error, but can happen under normal circumstances.", e);
    }
}

Example 17 with FilterInvocation

use of org.springframework.security.web.FilterInvocation in project spring-security by spring-projects.

the class ChannelProcessingFilter method doFilter.

public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) res;
    FilterInvocation fi = new FilterInvocation(request, response, chain);
    Collection<ConfigAttribute> attr = this.securityMetadataSource.getAttributes(fi);
    if (attr != null) {
        if (this.logger.isDebugEnabled()) {
            this.logger.debug("Request: " + fi.toString() + "; ConfigAttributes: " + attr);
        }
        this.channelDecisionManager.decide(fi, attr);
        if (fi.getResponse().isCommitted()) {
            return;
        }
    }
    chain.doFilter(request, response);
}

Example 18 with FilterInvocation

use of org.springframework.security.web.FilterInvocation in project spring-security by spring-projects.

the class AbstractAuthorizeTag method authorizeUsingAccessExpression.

/**
	 * Make an authorization decision based on a Spring EL expression. See the
	 * "Expression-Based Access Control" chapter in Spring Security for details on what
	 * expressions can be used.
	 *
	 * @return the result of the authorization decision
	 * @throws IOException
	 */
public boolean authorizeUsingAccessExpression() throws IOException {
    if (SecurityContextHolder.getContext().getAuthentication() == null) {
        return false;
    }
    SecurityExpressionHandler<FilterInvocation> handler = getExpressionHandler();
    Expression accessExpression;
    try {
        accessExpression = handler.getExpressionParser().parseExpression(getAccess());
    } catch (ParseException e) {
        IOException ioException = new IOException();
        ioException.initCause(e);
        throw ioException;
    }
    return ExpressionUtils.evaluateAsBoolean(accessExpression, createExpressionEvaluationContext(handler));
}

Example 19 with FilterInvocation

use of org.springframework.security.web.FilterInvocation in project spring-security by spring-projects.

the class FilterInvocationTests method testRejectsNullServletRequest.

@Test(expected = IllegalArgumentException.class)
public void testRejectsNullServletRequest() {
    MockHttpServletResponse response = new MockHttpServletResponse();
    new FilterInvocation(null, response, mock(FilterChain.class));
}

Example 20 with FilterInvocation

use of org.springframework.security.web.FilterInvocation in project spring-security by spring-projects.

the class FilterInvocationTests method testGettersAndStringMethods.

// ~ Methods
// ========================================================================================================
@Test
public void testGettersAndStringMethods() {
    MockHttpServletRequest request = new MockHttpServletRequest(null, null);
    request.setServletPath("/HelloWorld");
    request.setPathInfo("/some/more/segments.html");
    request.setServerName("www.example.com");
    request.setScheme("http");
    request.setServerPort(80);
    request.setContextPath("/mycontext");
    request.setRequestURI("/mycontext/HelloWorld/some/more/segments.html");
    MockHttpServletResponse response = new MockHttpServletResponse();
    FilterChain chain = mock(FilterChain.class);
    FilterInvocation fi = new FilterInvocation(request, response, chain);
    assertThat(fi.getRequest()).isEqualTo(request);
    assertThat(fi.getHttpRequest()).isEqualTo(request);
    assertThat(fi.getResponse()).isEqualTo(response);
    assertThat(fi.getHttpResponse()).isEqualTo(response);
    assertThat(fi.getChain()).isEqualTo(chain);
    assertThat(fi.getRequestUrl()).isEqualTo("/HelloWorld/some/more/segments.html");
    assertThat(fi.toString()).isEqualTo("FilterInvocation: URL: /HelloWorld/some/more/segments.html");
    assertThat(fi.getFullRequestUrl()).isEqualTo("http://www.example.com/mycontext/HelloWorld/some/more/segments.html");
}