Example 1 with AccessDeniedHandler

Use of org.springframework.security.web.access.AccessDeniedHandler in project spring-security by spring-projects.

Class CsrfConfigurer, method createAccessDeniedHandler.

/**
 * Creates the {@link AccessDeniedHandler} from the result of
 * {@link #getDefaultAccessDeniedHandler(HttpSecurityBuilder)} and
 * {@link #getInvalidSessionStrategy(HttpSecurityBuilder)}. If
 * {@link #getInvalidSessionStrategy(HttpSecurityBuilder)} is non-null, then a
 * {@link DelegatingAccessDeniedHandler} is used in combination with
 * {@link InvalidSessionAccessDeniedHandler} and the
 * {@link #getDefaultAccessDeniedHandler(HttpSecurityBuilder)}. Otherwise, only
 * {@link #getDefaultAccessDeniedHandler(HttpSecurityBuilder)} is used.
 *
 * @param http the {@link HttpSecurityBuilder}
 * @return the {@link AccessDeniedHandler}
 */
private AccessDeniedHandler createAccessDeniedHandler(H http) {
    InvalidSessionStrategy invalidSessionStrategy = getInvalidSessionStrategy(http);
    AccessDeniedHandler defaultAccessDeniedHandler = getDefaultAccessDeniedHandler(http);
    if (invalidSessionStrategy == null) {
        return defaultAccessDeniedHandler;
    }
    InvalidSessionAccessDeniedHandler invalidSessionDeniedHandler = new InvalidSessionAccessDeniedHandler(invalidSessionStrategy);
    LinkedHashMap<Class<? extends AccessDeniedException>, AccessDeniedHandler> handlers = new LinkedHashMap<Class<? extends AccessDeniedException>, AccessDeniedHandler>();
    handlers.put(MissingCsrfTokenException.class, invalidSessionDeniedHandler);
    return new DelegatingAccessDeniedHandler(handlers, defaultAccessDeniedHandler);
}
Also used : AccessDeniedException(org.springframework.security.access.AccessDeniedException) InvalidSessionAccessDeniedHandler(org.springframework.security.web.session.InvalidSessionAccessDeniedHandler) DelegatingAccessDeniedHandler(org.springframework.security.web.access.DelegatingAccessDeniedHandler) AccessDeniedHandler(org.springframework.security.web.access.AccessDeniedHandler) InvalidSessionStrategy(org.springframework.security.web.session.InvalidSessionStrategy) LinkedHashMap(java.util.LinkedHashMap)

Example 2 with AccessDeniedHandler

Use of org.springframework.security.web.access.AccessDeniedHandler in project spring-security by spring-projects.

Class CsrfConfigurer, method getDefaultAccessDeniedHandler.

/**
 * Gets the default {@link AccessDeniedHandler} from the
 * {@link ExceptionHandlingConfigurer#getAccessDeniedHandler()} or create a
 * {@link AccessDeniedHandlerImpl} if not available.
 *
 * @param http the {@link HttpSecurityBuilder}
 * @return the {@link AccessDeniedHandler}
 */
@SuppressWarnings("unchecked")
private AccessDeniedHandler getDefaultAccessDeniedHandler(H http) {
    ExceptionHandlingConfigurer<H> exceptionConfig = http.getConfigurer(ExceptionHandlingConfigurer.class);
    AccessDeniedHandler handler = null;
    if (exceptionConfig != null) {
        handler = exceptionConfig.getAccessDeniedHandler();
    }
    if (handler == null) {
        handler = new AccessDeniedHandlerImpl();
    }
    return handler;
}
Also used : AccessDeniedHandlerImpl(org.springframework.security.web.access.AccessDeniedHandlerImpl) DelegatingAccessDeniedHandler(org.springframework.security.web.access.DelegatingAccessDeniedHandler) InvalidSessionAccessDeniedHandler(org.springframework.security.web.session.InvalidSessionAccessDeniedHandler) AccessDeniedHandler(org.springframework.security.web.access.AccessDeniedHandler)

Example 3 with AccessDeniedHandler

Use of org.springframework.security.web.access.AccessDeniedHandler in project spring-security by spring-projects.

Class CsrfConfigurer, method configure.

@SuppressWarnings("unchecked")
@Override
public void configure(H http) throws Exception {
    // Build the CSRF filter around the configured token repository.
    CsrfFilter filter = new CsrfFilter(this.csrfTokenRepository);
    // Restrict CSRF enforcement to the configured matcher, if one was set.
    RequestMatcher requireCsrfProtectionMatcher = getRequireCsrfProtectionMatcher();
    if (requireCsrfProtectionMatcher != null) {
        filter.setRequireCsrfProtectionMatcher(requireCsrfProtectionMatcher);
    }
    // Handler the filter invokes when the CSRF token is missing or invalid.
    AccessDeniedHandler accessDeniedHandler = createAccessDeniedHandler(http);
    if (accessDeniedHandler != null) {
        filter.setAccessDeniedHandler(accessDeniedHandler);
    }
    // Clear the stored CSRF token on logout.
    LogoutConfigurer<H> logoutConfigurer = http.getConfigurer(LogoutConfigurer.class);
    if (logoutConfigurer != null) {
        logoutConfigurer.addLogoutHandler(new CsrfLogoutHandler(this.csrfTokenRepository));
    }
    // Replace the CSRF token when a user authenticates.
    SessionManagementConfigurer<H> sessionConfigurer = http.getConfigurer(SessionManagementConfigurer.class);
    if (sessionConfigurer != null) {
        sessionConfigurer.addSessionAuthenticationStrategy(new CsrfAuthenticationStrategy(this.csrfTokenRepository));
    }
    // Apply object post-processing, then register the filter in the chain.
    filter = postProcess(filter);
    http.addFilter(filter);
}
Also used : AndRequestMatcher(org.springframework.security.web.util.matcher.AndRequestMatcher) NegatedRequestMatcher(org.springframework.security.web.util.matcher.NegatedRequestMatcher) RequestMatcher(org.springframework.security.web.util.matcher.RequestMatcher) OrRequestMatcher(org.springframework.security.web.util.matcher.OrRequestMatcher) MvcRequestMatcher(org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher) DelegatingAccessDeniedHandler(org.springframework.security.web.access.DelegatingAccessDeniedHandler) InvalidSessionAccessDeniedHandler(org.springframework.security.web.session.InvalidSessionAccessDeniedHandler) AccessDeniedHandler(org.springframework.security.web.access.AccessDeniedHandler) CsrfLogoutHandler(org.springframework.security.web.csrf.CsrfLogoutHandler) CsrfFilter(org.springframework.security.web.csrf.CsrfFilter) CsrfAuthenticationStrategy(org.springframework.security.web.csrf.CsrfAuthenticationStrategy)

Aggregations

AccessDeniedHandler (org.springframework.security.web.access.AccessDeniedHandler): 3
DelegatingAccessDeniedHandler (org.springframework.security.web.access.DelegatingAccessDeniedHandler): 3
InvalidSessionAccessDeniedHandler (org.springframework.security.web.session.InvalidSessionAccessDeniedHandler): 3
LinkedHashMap (java.util.LinkedHashMap): 1
AccessDeniedException (org.springframework.security.access.AccessDeniedException): 1
AccessDeniedHandlerImpl (org.springframework.security.web.access.AccessDeniedHandlerImpl): 1
CsrfAuthenticationStrategy (org.springframework.security.web.csrf.CsrfAuthenticationStrategy): 1
CsrfFilter (org.springframework.security.web.csrf.CsrfFilter): 1
CsrfLogoutHandler (org.springframework.security.web.csrf.CsrfLogoutHandler): 1
MvcRequestMatcher (org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher): 1
InvalidSessionStrategy (org.springframework.security.web.session.InvalidSessionStrategy): 1
AndRequestMatcher (org.springframework.security.web.util.matcher.AndRequestMatcher): 1
NegatedRequestMatcher (org.springframework.security.web.util.matcher.NegatedRequestMatcher): 1
OrRequestMatcher (org.springframework.security.web.util.matcher.OrRequestMatcher): 1
RequestMatcher (org.springframework.security.web.util.matcher.RequestMatcher): 1