use of won.node.springsecurity.userdetails.WebIdUserDetails in project webofneeds by researchstudio-sat.
the class DefaultWoNAccessDecisionVoter method vote.
@Override
public int vote(final Authentication authentication, final Object object, final Collection collection) {
StopWatch stopWatch = new StopWatch();
stopWatch.start();
if (!(authentication instanceof PreAuthenticatedAuthenticationToken)) {
return ACCESS_ABSTAIN;
}
Object principal = authentication.getPrincipal();
if (!(principal instanceof WebIdUserDetails)) {
return ACCESS_ABSTAIN;
}
WebIdUserDetails userDetails = (WebIdUserDetails) principal;
if (!(object instanceof FilterInvocation)) {
return ACCESS_ABSTAIN;
}
String webId = userDetails.getUsername();
String resource = ((FilterInvocation) object).getRequest().getRequestURL().toString();
if (authentication.getAuthorities().stream().map(GrantedAuthority::getAuthority).filter(r -> "ROLE_WEBID".equals(r)).findAny().isPresent()) {
// perform our hard coded access control checks
List<String> webIDs = new ArrayList<>(1);
webIDs.add(webId);
if (defaultAccessControlRules.isAccessPermitted(resource, webIDs)) {
stopWatch.stop();
logger.debug("access control check took " + stopWatch.getLastTaskTimeMillis() + " millis");
return ACCESS_GRANTED;
}
return ACCESS_DENIED;
}
return ACCESS_DENIED;
}
use of won.node.springsecurity.userdetails.WebIdUserDetails in project webofneeds by researchstudio-sat.
the class UserDetailsService method handleClientCertificate.
private UserDetails handleClientCertificate(Certificate certificate, String principal) {
List<GrantedAuthority> authorities = new ArrayList<>(3);
authorities.add(new SimpleGrantedAuthority("ROLE_CLIENT_CERTIFICATE"));
logger.debug("checking if principal '" + principal + "' is a webId");
URI webID = toUriIfPossible(principal);
if (webID != null) {
// principal is an URI, try to verify:
try {
if (webIDVerificationAgent.verify(certificate.getPublicKey(), webID)) {
authorities.add(new SimpleGrantedAuthority("ROLE_WEBID"));
logger.debug("webId '" + principal + "' successfully verified - ROLE_WEBID granted");
return new WebIdUserDetails(webID, authorities);
} else {
logger.debug("could not verify webId '" + principal + "'. ROLE_WEBID not granted");
}
} catch (Exception e) {
logger.debug("could not verify webId '" + principal + "' because of an error during verification. ROLE_WEBID " + "not granted. Cause is logged", e);
}
}
// certificate
return new ClientCertificateUserDetails(principal, authorities);
}
use of won.node.springsecurity.userdetails.WebIdUserDetails in project webofneeds by researchstudio-sat.
the class WonAclAccessDecisionVoter method vote.
@Override
@Transactional
public int vote(final Authentication authentication, final FilterInvocation filterInvocation, final Collection<ConfigAttribute> configAttributes) {
StopWatch stopWatch = new StopWatch();
stopWatch.start();
if (configAttributes.stream().map(Object::toString).anyMatch(x -> x.equals("permitAll"))) {
// check ACLs
return ACCESS_GRANTED;
}
String webId = null;
AuthToken authToken = null;
if (authentication instanceof PreAuthenticatedAuthenticationToken) {
Object principal = authentication.getPrincipal();
if (principal instanceof WebIdUserDetails) {
WebIdUserDetails userDetails = (WebIdUserDetails) principal;
// check if the WebId was verified successfully, otherwise treat as anonymous
if (authentication.getAuthorities().stream().map(GrantedAuthority::getAuthority).filter(r -> "ROLE_WEBID".equals(r)).findAny().isPresent()) {
// if the webid was not verified, use none
webId = userDetails.getUsername();
}
}
} else if (authentication instanceof WonAclTokenAuthentication) {
authToken = (AuthToken) ((WonAclTokenAuthentication) authentication).getDetails();
}
if (webId != null && webId.equals(cryptographyService.getDefaultPrivateKeyAlias())) {
// if the WoN node itself is the requestor, bypass all checks and allow
if (logger.isDebugEnabled()) {
logger.debug("Requestor is WonNode itself, authenticated by its WebID. Bypassing any ACL checks");
}
WonAclRequestHelper.setWonAclEvaluationContext(filterInvocation.getRequest(), WonAclEvalContext.allowAll());
return ACCESS_GRANTED;
}
String resource = filterInvocation.getRequest().getRequestURL().toString();
URI resourceUri = null;
try {
resourceUri = uriService.toResourceURIIfPossible(new URI(resource));
} catch (URISyntaxException e) {
logger.debug("Cannot process ACL for resource {}", resource);
return ACCESS_DENIED;
}
if (logger.isDebugEnabled()) {
logger.debug("Processing WoN ACL for request to resource {}", resourceUri);
}
int result = ACCESS_DENIED;
// perform our hard coded access control checks
// prepare the legacy implementation in case the target atom(s) have no acl
// graph
final List<String> webids = webId != null ? List.of(webId) : Collections.emptyList();
Supplier<Integer> legacyImpl = () -> {
if (defaultAccessControlRules.isAccessPermitted(resource, webids)) {
return ACCESS_GRANTED;
}
return ACCESS_DENIED;
};
if (WonMessageUriHelper.isLocalMessageURI(resourceUri, uriService.getMessageResourceURIPrefix())) {
// handle request for message
result = voteForMessageRequest(webId, authToken, resourceUri, filterInvocation, legacyImpl);
} else {
// handle other requests
result = voteForNonMessageRequest(webId, authToken, resourceUri, filterInvocation, legacyImpl);
}
stopWatch.stop();
if (logger.isDebugEnabled()) {
logger.debug("access control check for {} with webid {}, token {} took {} millis, result: {} ", new Object[] { resourceUri, webId, authToken == null ? "(no token)" : "present", stopWatch.getLastTaskTimeMillis(), (result == ACCESS_GRANTED ? "granted" : (result == ACCESS_DENIED ? "denied" : (result == ACCESS_ABSTAIN ? "abstain" : result))) });
}
return result;
}
Aggregations