/** Creates the voter under test around the advice fixture shared by the tests. */
@Before
public void setUp() {
	voter = new PreInvocationAuthorizationAdviceVoter(authorizationAdvice);
}
/**
 * Votes on a secured method invocation by delegating to the pre-invocation advice.
 *
 * <p>Only the {@code PreInvocationAttribute} found among {@code attributes} is
 * evaluated. When there is none, the voter abstains instead of denying, leaving the
 * outcome to the other voters of the enclosing access decision manager (and to its
 * policy for an all-abstain result).
 *
 * @param authentication the caller whose access is being decided
 * @param method the invocation being secured
 * @param attributes the configuration attributes attached to the secured method
 * @return {@code ACCESS_ABSTAIN} when no pre-invocation attribute is present, otherwise
 * {@code ACCESS_GRANTED} or {@code ACCESS_DENIED} according to the advice's verdict
 */
public int vote(Authentication authentication, MethodInvocation method,
		Collection<ConfigAttribute> attributes) {
	PreInvocationAttribute preInvocation = findPreInvocationAttribute(attributes);
	// No expression-based metadata (pre-filter / pre-authorize) on this method:
	// abstain so the remaining voters can still decide.
	if (preInvocation == null) {
		return ACCESS_ABSTAIN;
	}
	if (preAdvice.before(authentication, method, preInvocation)) {
		return ACCESS_GRANTED;
	}
	return ACCESS_DENIED;
}
/** The voter must accept the AspectJ adapter type as a secured object. */
@Test
public void supportsMethodInvocationAdapter() {
	boolean supported = voter.supports(MethodInvocationAdapter.class);
	assertThat(supported).isTrue();
}
}
/** A {@code hasRole} expression naming a role the principal lacks yields a deny vote. */
@Test
public void hasRoleExpressionDeniesUserWithoutRole() throws Exception {
	PreInvocationExpressionAttribute requiresMissingRole = new PreInvocationExpressionAttribute(null, null,
			"hasRole('joedoesnt')");
	List<ConfigAttribute> attributes = new ArrayList<>(1);
	attributes.add(requiresMissingRole);
	MethodInvocation invocation = new SimpleMethodInvocation(new TargetImpl(), methodTakingAnArray());
	int decision = am.vote(joe, invocation, attributes);
	assertThat(decision).isEqualTo(AccessDecisionVoter.ACCESS_DENIED);
}
/** A static rule referenced through SpEL's {@code T(...)} type operator is evaluated against the argument. */
@Test
public void ruleDefinedInAClassMethodIsApplied() throws Exception {
	MethodInvocation invocation = new SimpleMethodInvocation(new TargetImpl(), methodTakingAString(), "joe");
	PreInvocationExpressionAttribute staticRule = new PreInvocationExpressionAttribute(null, null,
			"T(org.springframework.security.access.expression.method.SecurityRules).isJoe(#argument)");
	int decision = am.vote(joe, invocation, createAttributes(staticRule));
	assertThat(decision).isEqualTo(AccessDecisionVoter.ACCESS_GRANTED);
}
if (prePostEnabled()) { decisionVoters .add(new PreInvocationAuthorizationAdviceVoter(expressionAdvice));
/**
 * Votes on a secured method invocation by delegating to the pre-invocation advice.
 *
 * <p>Only the {@code PreInvocationAttribute} found among {@code attributes} is
 * evaluated. When there is none, the voter abstains instead of denying, leaving the
 * outcome to the other voters of the enclosing access decision manager (and to its
 * policy for an all-abstain result).
 *
 * @param authentication the caller whose access is being decided
 * @param method the invocation being secured
 * @param attributes the configuration attributes attached to the secured method
 * @return {@code ACCESS_ABSTAIN} when no pre-invocation attribute is present, otherwise
 * {@code ACCESS_GRANTED} or {@code ACCESS_DENIED} according to the advice's verdict
 */
public int vote(Authentication authentication, MethodInvocation method,
		Collection<ConfigAttribute> attributes) {
	PreInvocationAttribute preInvocation = findPreInvocationAttribute(attributes);
	// No expression-based metadata (pre-filter / pre-authorize) on this method:
	// abstain so the remaining voters can still decide.
	if (preInvocation == null) {
		return ACCESS_ABSTAIN;
	}
	if (preAdvice.before(authentication, method, preInvocation)) {
		return ACCESS_GRANTED;
	}
	return ACCESS_DENIED;
}
/** A {@code hasRole} expression naming a role the principal holds yields a grant vote. */
@Test
public void hasRoleExpressionAllowsUserWithRole() throws Exception {
	MethodInvocation invocation = new SimpleMethodInvocation(new TargetImpl(), methodTakingAnArray());
	PreInvocationExpressionAttribute requiresHeldRole = new PreInvocationExpressionAttribute(null, null,
			"hasRole('blah')");
	int decision = am.vote(joe, invocation, createAttributes(requiresHeldRole));
	assertThat(decision).isEqualTo(AccessDecisionVoter.ACCESS_GRANTED);
}
/** The voter must accept Spring AOP's {@code ProxyMethodInvocation} as a secured object. */
@Test
public void supportsProxyMethodInvocation() {
	boolean supported = voter.supports(ProxyMethodInvocation.class);
	assertThat(supported).isTrue();
}
/**
 * Wires an {@link AspectJMethodSecurityInterceptor} into the shared
 * {@link AnnotationSecurityAspect}, using an {@link AffirmativeBased} manager built
 * from a {@link RoleVoter} and an expression-based pre-invocation voter, the
 * {@code @Secured}-annotation metadata source and the mocked authentication manager.
 */
@Before
public final void setUp() throws Exception {
	MockitoAnnotations.initMocks(this);
	List<AccessDecisionVoter<? extends Object>> voters = Arrays.<AccessDecisionVoter<? extends Object>>asList(
			new RoleVoter(),
			new PreInvocationAuthorizationAdviceVoter(new ExpressionBasedPreInvocationAdvice()));
	adm = new AffirmativeBased(voters);

	interceptor = new AspectJMethodSecurityInterceptor();
	interceptor.setAccessDecisionManager(adm);
	interceptor.setAuthenticationManager(authman);
	interceptor.setSecurityMetadataSource(new SecuredAnnotationSecurityMetadataSource());

	// The aspect is a singleton; point it at the interceptor configured above.
	AnnotationSecurityAspect.aspectOf().setSecurityInterceptor(interceptor);
}
/**
 * Votes on a secured method invocation by delegating to the pre-invocation advice.
 *
 * <p>Only the {@code PreInvocationAttribute} found among {@code attributes} is
 * evaluated. When there is none, the voter abstains instead of denying, leaving the
 * outcome to the other voters of the enclosing access decision manager (and to its
 * policy for an all-abstain result).
 *
 * @param authentication the caller whose access is being decided
 * @param method the invocation being secured
 * @param attributes the configuration attributes attached to the secured method
 * @return {@code ACCESS_ABSTAIN} when no pre-invocation attribute is present, otherwise
 * {@code ACCESS_GRANTED} or {@code ACCESS_DENIED} according to the advice's verdict
 */
public int vote(Authentication authentication, MethodInvocation method,
		Collection<ConfigAttribute> attributes) {
	PreInvocationAttribute preInvocation = findPreInvocationAttribute(attributes);
	// No expression-based metadata (pre-filter / pre-authorize) on this method:
	// abstain so the remaining voters can still decide.
	if (preInvocation == null) {
		return ACCESS_ABSTAIN;
	}
	if (preAdvice.before(authentication, method, preInvocation)) {
		return ACCESS_GRANTED;
	}
	return ACCESS_DENIED;
}
/** Method arguments and the {@code principal} variable are both available to the expression. */
@Test
public void matchingArgAgainstAuthenticationNameIsSuccessful() throws Exception {
	MethodInvocation invocation = new SimpleMethodInvocation(new TargetImpl(), methodTakingAString(), "joe");
	PreInvocationExpressionAttribute argumentMatchesPrincipal = new PreInvocationExpressionAttribute(null, null,
			"(#argument == principal) and (principal == 'joe')");
	int decision = am.vote(joe, invocation, createAttributes(argumentMatchesPrincipal));
	assertThat(decision).isEqualTo(AccessDecisionVoter.ACCESS_GRANTED);
}
/** The voter must accept a plain AOP Alliance {@code MethodInvocation} as a secured object. */
@Test
public void supportsMethodInvocation() {
	boolean supported = voter.supports(MethodInvocation.class);
	assertThat(supported).isTrue();
}
/**
 * Allows subclasses to provide a custom {@link AccessDecisionManager}. The default is
 * an {@link AffirmativeBased} manager whose voters are, in order:
 *
 * <ul>
 * <li>{@link PreInvocationAuthorizationAdviceVoter} (only when pre/post annotations are enabled)</li>
 * <li>{@link Jsr250Voter} (only when JSR-250 annotations are enabled)</li>
 * <li>{@link RoleVoter}</li>
 * <li>{@link AuthenticatedVoter}</li>
 * </ul>
 *
 * @return the {@link AccessDecisionManager} to use
 */
protected AccessDecisionManager accessDecisionManager() {
	// The pre-invocation advice evaluates @PreAuthorize/@PreFilter expressions with the
	// same handler the rest of the configuration exposes.
	ExpressionBasedPreInvocationAdvice preInvocationAdvice = new ExpressionBasedPreInvocationAdvice();
	preInvocationAdvice.setExpressionHandler(getExpressionHandler());

	List<AccessDecisionVoter<? extends Object>> voters = new ArrayList<AccessDecisionVoter<? extends Object>>();
	// Annotation-model-specific voters are registered first; the pre-invocation voter
	// abstains when a method carries no pre-invocation attribute.
	if (prePostEnabled()) {
		voters.add(new PreInvocationAuthorizationAdviceVoter(preInvocationAdvice));
	}
	if (jsr250Enabled()) {
		voters.add(new Jsr250Voter());
	}
	voters.add(new RoleVoter());
	voters.add(new AuthenticatedVoter());
	return new AffirmativeBased(voters);
}
/**
 * Votes on a secured method invocation by delegating to the pre-invocation advice.
 *
 * <p>Only the {@code PreInvocationAttribute} found among {@code attributes} is
 * evaluated. When there is none, the voter abstains instead of denying, leaving the
 * outcome to the other voters of the enclosing access decision manager (and to its
 * policy for an all-abstain result).
 *
 * @param authentication the caller whose access is being decided
 * @param method the invocation being secured
 * @param attributes the configuration attributes attached to the secured method
 * @return {@code ACCESS_ABSTAIN} when no pre-invocation attribute is present, otherwise
 * {@code ACCESS_GRANTED} or {@code ACCESS_DENIED} according to the advice's verdict
 */
public int vote(Authentication authentication, MethodInvocation method,
		Collection<ConfigAttribute> attributes) {
	PreInvocationAttribute preInvocation = findPreInvocationAttribute(attributes);
	// No expression-based metadata (pre-filter / pre-authorize) on this method:
	// abstain so the remaining voters can still decide.
	if (preInvocation == null) {
		return ACCESS_ABSTAIN;
	}
	if (preAdvice.before(authentication, method, preInvocation)) {
		return ACCESS_GRANTED;
	}
	return ACCESS_DENIED;
}
/**
 * With only a filter expression configured (no pre-authorize expression), the vote is a
 * grant, while the filter is still applied to the named argument before the vote returns.
 */
@Test
public void accessIsGrantedIfNoPreAuthorizeAttributeIsUsed() throws Exception {
	Collection arg = createCollectionArg("joe", "bob", "sam");
	MethodInvocation invocation = new SimpleMethodInvocation(new TargetImpl(), methodTakingACollection(), arg);
	PreInvocationExpressionAttribute filterOnly = new PreInvocationExpressionAttribute("(filterObject == 'jim')",
			"collection", null);

	int decision = am.vote(joe, invocation, createAttributes(filterOnly));

	assertThat(decision).isEqualTo(AccessDecisionVoter.ACCESS_GRANTED);
	// The filter expression matches no element, so every entry has been removed.
	assertThat(arg).isEmpty();
}
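/**
 * Allows subclasses to provide a custom {@link AccessDecisionManager}. The default is a {@link AffirmativeBased}
 * with the following voters, registered in this order:
 *
 * <ul>
 * <li>{@link PreInvocationAuthorizationAdviceVoter}</li>
 * <li>{@link RoleVoter}</li>
 * <li>{@link AuthenticatedVoter}</li>
 * </ul>
 *
 * @return the {@link AccessDecisionManager} to use
 */
@SuppressWarnings("rawtypes")
protected AccessDecisionManager accessDecisionManager() {
	// NOTE(review): the raw AccessDecisionVoter element type is kept because the
	// AffirmativeBased constructor's parameterization is not visible here — confirm
	// before tightening to AccessDecisionVoter<?>.
	List<AccessDecisionVoter> decisionVoters = new ArrayList<AccessDecisionVoter>();
	// The pre-invocation advice shares the expression handler exposed by this configuration.
	ExpressionBasedPreInvocationAdvice expressionAdvice = new ExpressionBasedPreInvocationAdvice();
	expressionAdvice.setExpressionHandler(getExpressionHandler());
	decisionVoters.add(new PreInvocationAuthorizationAdviceVoter(expressionAdvice));
	decisionVoters.add(new RoleVoter());
	decisionVoters.add(new AuthenticatedVoter());
	return new AffirmativeBased(decisionVoters);
}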
/** The filter expression removes non-matching elements from the named collection argument in place. */
@Test
public void collectionPreFilteringIsSuccessful() throws Exception {
	List arg = createCollectionArg("joe", "bob", "sam");
	MethodInvocation invocation = new SimpleMethodInvocation(new TargetImpl(), methodTakingACollection(), arg);
	PreInvocationExpressionAttribute keepJoeAndSam = new PreInvocationExpressionAttribute(
			"(filterObject == 'joe' or filterObject == 'sam')", "collection", "permitAll");

	am.vote(joe, invocation, createAttributes(keepJoeAndSam));

	assertThat(arg).containsExactly("joe", "sam");
}
/**
 * Allows subclasses to provide a custom {@link AccessDecisionManager}. The default is
 * an {@link AffirmativeBased} manager whose voters are, in order:
 *
 * <ul>
 * <li>{@link PreInvocationAuthorizationAdviceVoter} (only when pre/post annotations are enabled)</li>
 * <li>{@link Jsr250Voter} (only when JSR-250 annotations are enabled)</li>
 * <li>{@link RoleVoter}</li>
 * <li>{@link AuthenticatedVoter}</li>
 * </ul>
 *
 * @return the {@link AccessDecisionManager} to use
 */
protected AccessDecisionManager accessDecisionManager() {
	// The pre-invocation advice evaluates @PreAuthorize/@PreFilter expressions with the
	// same handler the rest of the configuration exposes.
	ExpressionBasedPreInvocationAdvice preInvocationAdvice = new ExpressionBasedPreInvocationAdvice();
	preInvocationAdvice.setExpressionHandler(getExpressionHandler());

	List<AccessDecisionVoter<? extends Object>> voters = new ArrayList<AccessDecisionVoter<? extends Object>>();
	// Annotation-model-specific voters are registered first; the pre-invocation voter
	// abstains when a method carries no pre-invocation attribute.
	if (prePostEnabled()) {
		voters.add(new PreInvocationAuthorizationAdviceVoter(preInvocationAdvice));
	}
	if (jsr250Enabled()) {
		voters.add(new Jsr250Voter());
	}
	voters.add(new RoleVoter());
	voters.add(new AuthenticatedVoter());
	return new AffirmativeBased(voters);
}
/** A filter target that resolves to {@code null} is a configuration error and must be rejected, not silently skipped. */
@Test(expected = IllegalArgumentException.class)
public void nullNamedFilterTargetIsRejected() throws Exception {
	Object[] nullArgument = new Object[] { null };
	MethodInvocation invocation = new SimpleMethodInvocation(new TargetImpl(), methodTakingACollection(),
			nullArgument);
	PreInvocationExpressionAttribute filterOnNullTarget = new PreInvocationExpressionAttribute(
			"(filterObject == 'joe')", "collection", null);
	am.vote(joe, invocation, createAttributes(filterOnNullTarget));
}