Examples with FilterSecurityInterceptor org.springframework.security.web.access.intercept.FilterSecurityInterceptor used on opensource projects

Search in sources :

Example 6 with FilterSecurityInterceptor

use of org.springframework.security.web.access.intercept.FilterSecurityInterceptor in project spring-security by spring-projects.

the class DefaultWebInvocationPrivilegeEvaluatorTests method setUp.

@BeforeEach
public final void setUp() {
    this.interceptor = new FilterSecurityInterceptor();
    this.ods = mock(FilterInvocationSecurityMetadataSource.class);
    this.adm = mock(AccessDecisionManager.class);
    this.ram = mock(RunAsManager.class);
    this.interceptor.setAuthenticationManager(mock(AuthenticationManager.class));
    this.interceptor.setSecurityMetadataSource(this.ods);
    this.interceptor.setAccessDecisionManager(this.adm);
    this.interceptor.setRunAsManager(this.ram);
    this.interceptor.setApplicationEventPublisher(mock(ApplicationEventPublisher.class));
    SecurityContextHolder.clearContext();
}
Also used : AuthenticationManager(org.springframework.security.authentication.AuthenticationManager) AccessDecisionManager(org.springframework.security.access.AccessDecisionManager) RunAsManager(org.springframework.security.access.intercept.RunAsManager) FilterSecurityInterceptor(org.springframework.security.web.access.intercept.FilterSecurityInterceptor) ApplicationEventPublisher(org.springframework.context.ApplicationEventPublisher) FilterInvocationSecurityMetadataSource(org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource) BeforeEach(org.junit.jupiter.api.BeforeEach)

Example 7 with FilterSecurityInterceptor

use of org.springframework.security.web.access.intercept.FilterSecurityInterceptor in project spring-security by spring-projects.

the class UrlAuthorizationsTests method configureWhenNoAccessDecisionManagerThenDefaultsToAffirmativeBased.

@Test
public void configureWhenNoAccessDecisionManagerThenDefaultsToAffirmativeBased() {
    this.spring.register(NoSpecificAccessDecisionManagerConfig.class).autowire();
    FilterSecurityInterceptor interceptor = getFilter(FilterSecurityInterceptor.class);
    assertThat(interceptor).isNotNull();
    assertThat(interceptor).extracting("accessDecisionManager").isInstanceOf(AffirmativeBased.class);
}
Also used : FilterSecurityInterceptor(org.springframework.security.web.access.intercept.FilterSecurityInterceptor) Test(org.junit.jupiter.api.Test)

Example 8 with FilterSecurityInterceptor

use of org.springframework.security.web.access.intercept.FilterSecurityInterceptor in project spring-security by spring-projects.

the class DefaultFilterChainValidator method checkLoginPageIsntProtected.

/*
	 * Checks for the common error of having a login page URL protected by the security
	 * interceptor
	 */
private void checkLoginPageIsntProtected(FilterChainProxy fcp, List<Filter> filterStack) {
    ExceptionTranslationFilter etf = getFilter(ExceptionTranslationFilter.class, filterStack);
    if (etf == null || !(etf.getAuthenticationEntryPoint() instanceof LoginUrlAuthenticationEntryPoint)) {
        return;
    }
    String loginPage = ((LoginUrlAuthenticationEntryPoint) etf.getAuthenticationEntryPoint()).getLoginFormUrl();
    this.logger.info("Checking whether login URL '" + loginPage + "' is accessible with your configuration");
    FilterInvocation loginRequest = new FilterInvocation(loginPage, "POST");
    List<Filter> filters = null;
    try {
        filters = fcp.getFilters(loginPage);
    } catch (Exception ex) {
        // May happen legitimately if a filter-chain request matcher requires more
        // request data than that provided
        // by the dummy request used when creating the filter invocation.
        this.logger.info("Failed to obtain filter chain information for the login page. Unable to complete check.");
    }
    if (filters == null || filters.isEmpty()) {
        this.logger.debug("Filter chain is empty for the login page");
        return;
    }
    if (getFilter(DefaultLoginPageGeneratingFilter.class, filters) != null) {
        this.logger.debug("Default generated login page is in use");
        return;
    }
    FilterSecurityInterceptor fsi = getFilter(FilterSecurityInterceptor.class, filters);
    FilterInvocationSecurityMetadataSource fids = fsi.getSecurityMetadataSource();
    Collection<ConfigAttribute> attributes = fids.getAttributes(loginRequest);
    if (attributes == null) {
        this.logger.debug("No access attributes defined for login page URL");
        if (fsi.isRejectPublicInvocations()) {
            this.logger.warn("FilterSecurityInterceptor is configured to reject public invocations." + " Your login page may not be accessible.");
        }
        return;
    }
    AnonymousAuthenticationFilter anonPF = getFilter(AnonymousAuthenticationFilter.class, filters);
    if (anonPF == null) {
        this.logger.warn("The login page is being protected by the filter chain, but you don't appear to have" + " anonymous authentication enabled. This is almost certainly an error.");
        return;
    }
    // Simulate an anonymous access with the supplied attributes.
    AnonymousAuthenticationToken token = new AnonymousAuthenticationToken("key", anonPF.getPrincipal(), anonPF.getAuthorities());
    try {
        fsi.getAccessDecisionManager().decide(token, loginRequest, attributes);
    } catch (AccessDeniedException ex) {
        this.logger.warn("Anonymous access to the login page doesn't appear to be enabled. " + "This is almost certainly an error. Please check your configuration allows unauthenticated " + "access to the configured login page. (Simulated access was rejected: " + ex + ")");
    } catch (Exception ex) {
        // May happen legitimately if a filter-chain request matcher requires more
        // request data than that provided
        // by the dummy request used when creating the filter invocation. See SEC-1878
        this.logger.info("Unable to check access to the login page to determine if anonymous access is allowed. " + "This might be an error, but can happen under normal circumstances.", ex);
    }
}
Also used : DefaultLoginPageGeneratingFilter(org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter) AccessDeniedException(org.springframework.security.access.AccessDeniedException) ConfigAttribute(org.springframework.security.access.ConfigAttribute) FilterSecurityInterceptor(org.springframework.security.web.access.intercept.FilterSecurityInterceptor) ExceptionTranslationFilter(org.springframework.security.web.access.ExceptionTranslationFilter) AnonymousAuthenticationToken(org.springframework.security.authentication.AnonymousAuthenticationToken) LoginUrlAuthenticationEntryPoint(org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint) FilterInvocationSecurityMetadataSource(org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource) AccessDeniedException(org.springframework.security.access.AccessDeniedException) SecurityContextPersistenceFilter(org.springframework.security.web.context.SecurityContextPersistenceFilter) Filter(jakarta.servlet.Filter) DefaultLoginPageGeneratingFilter(org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter) SessionManagementFilter(org.springframework.security.web.session.SessionManagementFilter) JaasApiIntegrationFilter(org.springframework.security.web.jaasapi.JaasApiIntegrationFilter) AnonymousAuthenticationFilter(org.springframework.security.web.authentication.AnonymousAuthenticationFilter) BasicAuthenticationFilter(org.springframework.security.web.authentication.www.BasicAuthenticationFilter) SecurityContextHolderAwareRequestFilter(org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter) ExceptionTranslationFilter(org.springframework.security.web.access.ExceptionTranslationFilter) UsernamePasswordAuthenticationFilter(org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter) AnonymousAuthenticationFilter(org.springframework.security.web.authentication.AnonymousAuthenticationFilter) FilterInvocation(org.springframework.security.web.FilterInvocation)

Example 9 with FilterSecurityInterceptor

use of org.springframework.security.web.access.intercept.FilterSecurityInterceptor in project spring-security by spring-projects.

the class WebSecurityConfiguration method springSecurityFilterChain.

/**
 * Creates the Spring Security Filter Chain
 * @return the {@link Filter} that represents the security filter chain
 * @throws Exception
 */
@Bean(name = AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME)
public Filter springSecurityFilterChain() throws Exception {
    boolean hasConfigurers = this.webSecurityConfigurers != null && !this.webSecurityConfigurers.isEmpty();
    boolean hasFilterChain = !this.securityFilterChains.isEmpty();
    Assert.state(!(hasConfigurers && hasFilterChain), "Found WebSecurityConfigurerAdapter as well as SecurityFilterChain. Please select just one.");
    if (!hasConfigurers && !hasFilterChain) {
        WebSecurityConfigurerAdapter adapter = this.objectObjectPostProcessor.postProcess(new WebSecurityConfigurerAdapter() {
        });
        this.webSecurity.apply(adapter);
    }
    for (SecurityFilterChain securityFilterChain : this.securityFilterChains) {
        this.webSecurity.addSecurityFilterChainBuilder(() -> securityFilterChain);
        for (Filter filter : securityFilterChain.getFilters()) {
            if (filter instanceof FilterSecurityInterceptor) {
                this.webSecurity.securityInterceptor((FilterSecurityInterceptor) filter);
                break;
            }
        }
    }
    for (WebSecurityCustomizer customizer : this.webSecurityCustomizers) {
        customizer.customize(this.webSecurity);
    }
    return this.webSecurity.build();
}
Also used : SecurityFilterChain(org.springframework.security.web.SecurityFilterChain) Filter(jakarta.servlet.Filter) FilterSecurityInterceptor(org.springframework.security.web.access.intercept.FilterSecurityInterceptor) Bean(org.springframework.context.annotation.Bean)

Example 10 with FilterSecurityInterceptor

use of org.springframework.security.web.access.intercept.FilterSecurityInterceptor in project spring-security by spring-projects.

the class AbstractInterceptUrlConfigurer method configure.

@Override
public void configure(H http) throws Exception {
    FilterInvocationSecurityMetadataSource metadataSource = createMetadataSource(http);
    if (metadataSource == null) {
        return;
    }
    FilterSecurityInterceptor securityInterceptor = createFilterSecurityInterceptor(http, metadataSource, http.getSharedObject(AuthenticationManager.class));
    if (this.filterSecurityInterceptorOncePerRequest != null) {
        securityInterceptor.setObserveOncePerRequest(this.filterSecurityInterceptorOncePerRequest);
    }
    securityInterceptor = postProcess(securityInterceptor);
    http.addFilter(securityInterceptor);
    http.setSharedObject(FilterSecurityInterceptor.class, securityInterceptor);
}
Also used : AuthenticationManager(org.springframework.security.authentication.AuthenticationManager) FilterSecurityInterceptor(org.springframework.security.web.access.intercept.FilterSecurityInterceptor) FilterInvocationSecurityMetadataSource(org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource)

Aggregations

FilterSecurityInterceptor (org.springframework.security.web.access.intercept.FilterSecurityInterceptor)13 Test (org.junit.jupiter.api.Test)4 FilterInvocationSecurityMetadataSource (org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource)4 Filter (jakarta.servlet.Filter)3 ArrayList (java.util.ArrayList)2 BeforeEach (org.junit.jupiter.api.BeforeEach)2 AccessDecisionManager (org.springframework.security.access.AccessDecisionManager)2 ConfigAttribute (org.springframework.security.access.ConfigAttribute)2 AuthenticationManager (org.springframework.security.authentication.AuthenticationManager)2 TestingAuthenticationToken (org.springframework.security.authentication.TestingAuthenticationToken)2 ExceptionTranslationFilter (org.springframework.security.web.access.ExceptionTranslationFilter)2 AnonymousAuthenticationFilter (org.springframework.security.web.authentication.AnonymousAuthenticationFilter)2 LoginUrlAuthenticationEntryPoint (org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint)2 HttpServletRequest (jakarta.servlet.http.HttpServletRequest)1 Collection (java.util.Collection)1 LinkedHashMap (java.util.LinkedHashMap)1 MotechAccessVoter (org.motechproject.security.authentication.MotechAccessVoter)1 ApplicationEventPublisher (org.springframework.context.ApplicationEventPublisher)1 Bean (org.springframework.context.annotation.Bean)1 AccessDecisionVoter (org.springframework.security.access.AccessDecisionVoter)1
About Me
UseOf

Java Tutorials :

Simple Java RabbitMQ Example with Spring
Simple Springboot JPA Eclipeslink Example
Simple SpringBoot JPA Hibernate Example
Jackson JSON @JsonIgnore and @JsonIgnoreProperties Examples
Java Infinite recursion (StackOverflowError) Jackson solutions
Simple Java Jackson Serialize Objects to JSON and convert them back To Object
ElasticSearch 5 - Upload files using Java API in binary field Example
Java JAXB marshall unmarshall Examples from String and Stream
Java 8 forEach List and Map examples
ElasticSearch 5 Java API SearchRequestBuilder examples
Java ElasticSearch 5 examples with node index and mapping - running local
Convert String to int or Integer Java 8
Java 9 in action - JShell - Ubuntu
Java - removing invalid characters from a file name
Hello world!? or Hello Tutorial