/**
 * Visits every field declared directly on the given class and hands each one
 * to {@code addAccessChecksFromAnno}, which may contribute entries to
 * {@code accessChecks}.
 *
 * @param c the class whose declared fields are inspected (inherited fields
 *          are not returned by {@code getDeclaredFields})
 * @param command the command instance the checks are being built for
 * @param accessChecks the list the per-field helper is given to add to
 * @param isTaggable passed through unchanged to the per-field helper
 * @return {@code true} if the helper reported {@code true} for at least one field
 * @throws IllegalArgumentException propagated from the per-field helper
 * @throws IllegalAccessException propagated from the per-field helper
 */
private boolean addAccessChecksFromFields(
        final Class<?> c,
        final AdminCommand command,
        final List<AccessCheckWork> accessChecks,
        final boolean isTaggable) throws IllegalArgumentException, IllegalAccessException {
    boolean anyFieldContributed = false;
    for (final Field declaredField : c.getDeclaredFields()) {
        // Call the helper unconditionally: every field must be processed even
        // after an earlier field has already reported an annotation.
        final boolean contributed =
                addAccessChecksFromAnno(declaredField, command, accessChecks, isTaggable);
        if (contributed) {
            anyFieldContributed = true;
        }
    }
    return anyFieldContributed;
}
/**
 * Builds the list of access-check work items that apply to a command.
 *
 * Checks are gathered from three sources, in this order: the command itself
 * when it acts as an AccessCheckProvider, explicit AccessRequired
 * annotations, and ReST endpoint annotations.
 *
 * Security note: a command that yields no checks from any source and is not
 * an AccessCheckProvider is not rejected; it receives a single
 * {@code UnguardedCommandAccessCheckWork}. What that check authorizes is
 * decided by that class, which is not visible here.
 *
 * @param command the command being authorized
 * @param subject the subject passed to the AccessCheckProvider step
 * @return the assembled work items
 * @throws NoSuchFieldException propagated from the annotation-processing helpers
 * @throws IllegalArgumentException propagated from the helpers
 * @throws IllegalAccessException propagated from the helpers
 */
private List<AccessCheckWork> assembleAccessCheckWork(
        final AdminCommand command,
        final Subject subject)
        throws NoSuchFieldException, IllegalArgumentException, IllegalAccessException {
    final boolean taggable = ADMSEC_AUTHZ_LOGGER.isLoggable(PROGRESS_LEVEL);
    final List<AccessCheckWork> work = new ArrayList<AccessCheckWork>();

    /*
     * The CRUD classes such as GenericCreateCommand implement
     * AccessRequired.AccessCheckProvider and supply their own AccessCheck
     * objects, so this first step covers the CRUD commands.
     */
    final boolean commandProvidesChecks =
            addChecksFromAccessCheckProvider(command, work, taggable, subject);
    addChecksFromExplicitAccessRequiredAnnos(command, work, taggable);
    addChecksFromReSTEndpoints(command, work, taggable);

    // Anything already collected, or a command that is itself a provider,
    // means no fallback is needed.
    if (commandProvidesChecks || !work.isEmpty()) {
        return work;
    }

    /*
     * No access requirements were specified and the command is not an
     * AccessCheckProvider: use a check from the "unguarded" part of the
     * resource tree.
     */
    work.add(new UnguardedCommandAccessCheckWork(command));
    return work;
}
/**
 * Returns the AccessCheck objects that apply to the specified command.
 *
 * The work items are assembled by {@code assembleAccessCheckWork} and each
 * one's {@code accessCheck()} is copied, in order, into a new collection.
 *
 * @param command the AdminCommand for which the AccessChecks are needed
 * @param subject the Subject resulting from successful authentication
 * @return the AccessChecks resulting from analyzing the command
 * @throws NoSuchFieldException propagated from assembling the work items
 * @throws IllegalArgumentException propagated from assembling the work items
 * @throws IllegalAccessException propagated from assembling the work items
 */
public Collection<? extends AccessCheck> getAccessChecks(final AdminCommand command,
        final Subject subject)
        throws NoSuchFieldException, IllegalArgumentException, IllegalAccessException {
    final Collection<AccessCheck> checks = new ArrayList<AccessCheck>();
    for (final AccessCheckWork item : assembleAccessCheckWork(command, subject)) {
        checks.add(item.accessCheck());
    }
    return checks;
}
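/**
 * Expands the tokens in an expression using values taken from the command.
 *
 * Each match of {@code TOKEN_PATTERN} names a token (capture group 1, or
 * group 2 when group 1 did not participate). If {@code findField} locates a
 * field for that token, the token is replaced by the value returned from
 * {@code resourceNameFromField}; otherwise the token text itself is used.
 *
 * The replacement is inserted literally. {@code Matcher.appendReplacement}
 * treats {@code $} and {@code \} in its replacement argument as
 * group-reference and escape syntax, so an unquoted field value containing
 * those characters would either raise an exception or splice captured text
 * into the result. Field values may originate from command parameters, and
 * the result appears to feed authorization decisions, so the value is quoted
 * before insertion.
 *
 * @param expr the expression containing zero or more tokens
 * @param command the command whose fields supply replacement values
 * @return the expression with every token replaced
 * @throws NoSuchFieldException propagated from the field lookup helpers
 * @throws IllegalArgumentException propagated from the field lookup helpers
 * @throws IllegalAccessException propagated from the field lookup helpers
 */
private String processTokens(final String expr, final AdminCommand command)
        throws NoSuchFieldException, IllegalArgumentException, IllegalAccessException {
    final Matcher m = TOKEN_PATTERN.matcher(expr);
    // StringBuffer is what Matcher.appendReplacement/appendTail accept on
    // every Java version.
    final StringBuffer translated = new StringBuffer();
    while (m.find()) {
        final String token = (m.group(1) != null ? m.group(1) : m.group(2));
        String replacementValue = token; // in case we can't find or process the field
        final Field f = findField(command, token);
        if (f != null) {
            // Made accessible before the value is read by resourceNameFromField;
            // presumably so non-public fields can be used - confirm against that helper.
            f.setAccessible(true);
            replacementValue = resourceNameFromField(f, command);
        }
        // Quote so '$' and '\' in the value are copied verbatim rather than
        // being interpreted as replacement syntax.
        m.appendReplacement(translated, Matcher.quoteReplacement(replacementValue));
    }
    m.appendTail(translated);
    return translated.toString();
}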
if ( ! commandSecurityChecker.authorize(context.getSubject(), env, command, context)) {
/**
 * Adds access checks declared through AccessRequired annotations on the
 * command's class lineage.
 *
 * For every class produced by {@code ClassLineageIterator}, three places are
 * examined: a single {@code AccessRequired} on the class, a repeated
 * {@code AccessRequired.List} on the class, and the class's declared fields.
 *
 * @param command the command whose class lineage is scanned
 * @param accessChecks the list the helpers are given to add to
 * @param isTaggable passed through unchanged to the helpers
 * @return {@code true} if any class carried either annotation or any field
 *         scan reported an annotation
 * @throws NoSuchFieldException propagated from the helpers
 * @throws IllegalArgumentException propagated from the helpers
 * @throws IllegalAccessException propagated from the helpers
 */
private boolean addChecksFromExplicitAccessRequiredAnnos(final AdminCommand command,
        final List<AccessCheckWork> accessChecks,
        final boolean isTaggable)
        throws NoSuchFieldException, IllegalArgumentException, IllegalAccessException {
    boolean sawAnnotation = false;
    final ClassLineageIterator lineage = new ClassLineageIterator(command.getClass());
    while (lineage.hasNext()) {
        final Class<?> type = lineage.next();

        final AccessRequired single = type.getAnnotation(AccessRequired.class);
        if (single != null) {
            sawAnnotation = true;
            addAccessChecksFromAnno(single, command, accessChecks, type, isTaggable);
        }

        final AccessRequired.List container = type.getAnnotation(AccessRequired.List.class);
        if (container != null) {
            // The container counts as an annotation even if it holds no entries.
            sawAnnotation = true;
            for (final AccessRequired repeated : container.value()) {
                addAccessChecksFromAnno(repeated, command, accessChecks, type, isTaggable);
            }
        }

        // Fields are always scanned, regardless of what the class-level
        // annotations already reported.
        if (addAccessChecksFromFields(type, command, accessChecks, isTaggable)) {
            sawAnnotation = true;
        }
    }
    return sawAnnotation;
}
// Collect every access check that applies to this command for this subject.
final List<AccessCheckWork> accessChecks = assembleAccessCheckWork(command, subject);
// Authorization decision. A subject matched by embeddedSystemAdministrator is
// accepted by the short-circuiting || without checkAccessRequired being
// evaluated; any other subject must pass checkAccessRequired against the
// assembled checks.
// NOTE(review): the bypass depends entirely on how
// embeddedSystemAdministrator.matches() identifies the subject - confirm that
// a caller cannot construct a matching Subject, and that skipped checks are
// still audited if auditing is required.
result = (embeddedSystemAdministrator.matches(subject)) || checkAccessRequired(subject, env, command, accessChecks);
/**
 * Adds access checks derived from ReST endpoint annotations on the command's
 * class lineage.
 *
 * For every class produced by {@code ClassLineageIterator}, a single
 * {@code RestEndpoint} annotation and each entry of a {@code RestEndpoints}
 * container annotation are handed to {@code addAccessChecksFromReSTEndpoint}.
 *
 * @param command the command whose class lineage is scanned
 * @param accessChecks the list the endpoint helper is given to add to
 * @param isTaggable passed through unchanged to the endpoint helper
 */
private void addChecksFromReSTEndpoints(final AdminCommand command,
        final List<AccessCheckWork> accessChecks,
        final boolean isTaggable) {
    final ClassLineageIterator lineage = new ClassLineageIterator(command.getClass());
    while (lineage.hasNext()) {
        final Class<?> type = lineage.next();

        final RestEndpoint singleEndpoint = type.getAnnotation(RestEndpoint.class);
        if (singleEndpoint != null) {
            addAccessChecksFromReSTEndpoint(singleEndpoint, accessChecks, isTaggable);
        }

        final RestEndpoints endpointGroup = type.getAnnotation(RestEndpoints.class);
        if (endpointGroup == null) {
            continue;
        }
        for (final RestEndpoint endpoint : endpointGroup.value()) {
            addAccessChecksFromReSTEndpoint(endpoint, accessChecks, isTaggable);
        }
    }
}
if ( ! commandSecurityChecker.authorize(context.getSubject(), env, command, context)) {