/**
 * Exposes a method-security metadata source backed by a single delegate, a
 * {@link PrePostAnnotationSecurityMetadataSource}.
 *
 * <p>No other metadata source is added to the delegate list here, so only what
 * that one source reads contributes security attributes through this bean.
 *
 * @return a delegating source wrapping the single pre/post annotation source
 */
@Bean
public DelegatingMethodSecurityMetadataSource methodMetadataSource() {
    // NOTE(review): the expression handler is created here rather than injected;
    // if the application customises a handler elsewhere, confirm that this
    // separate, unconfigured instance is intended.
    DefaultMethodSecurityExpressionHandler expressionHandler =
            new DefaultMethodSecurityExpressionHandler();
    ExpressionBasedAnnotationAttributeFactory factory =
            new ExpressionBasedAnnotationAttributeFactory(expressionHandler);
    return new DelegatingMethodSecurityMetadataSource(
            Arrays.asList(new PrePostAnnotationSecurityMetadataSource(factory)));
}
// Resolve each of the four expression annotations with its own lookup for the
// same method / target-class pair, so one being present says nothing about the others.
// NOTE(review): what findAnnotation returns when nothing is found, and how the
// missing cases are handled, lies outside this excerpt.
PreFilter preFilter = findAnnotation(method, targetClass, PreFilter.class);
PreAuthorize preAuthorize = findAnnotation(method, targetClass, PreAuthorize.class);
PostFilter postFilter = findAnnotation(method, targetClass, PostFilter.class);
PostAuthorize postAuthorize = findAnnotation(method, targetClass, PostAuthorize.class);
/**
 * Checks that the metadata source reports exactly one attribute for the
 * {@code annotatedAtClassLevel} fixture (defined outside this excerpt).
 */
@Test
public void customAnnotationAtClassLevelIsDetected() throws Exception {
    ConfigAttribute[] resolved =
            mds.getAttributes(annotatedAtClassLevel).toArray(new ConfigAttribute[0]);
    // Zero attributes would mean the invocation carries no security metadata at all.
    assertThat(resolved).hasSize(1);
}
// Append a pre/post annotation metadata source, built from attributeFactory,
// to the list of sources being assembled.
sources.add(new PrePostAnnotationSecurityMetadataSource(attributeFactory));
// Four separate lookups, one per expression annotation type, all against the
// same method and target class.
// NOTE(review): the code that combines the results is not part of this excerpt;
// confirm how an absent annotation is treated there.
PreFilter preFilter = findAnnotation(method, targetClass, PreFilter.class);
PreAuthorize preAuthorize = findAnnotation(method, targetClass, PreAuthorize.class);
PostFilter postFilter = findAnnotation(method, targetClass, PostFilter.class);
PostAuthorize postAuthorize = findAnnotation(method, targetClass, PostAuthorize.class);
/**
 * Checks that the metadata source reports exactly one attribute for the
 * {@code annotatedAtInterfaceLevel} fixture (defined outside this excerpt).
 */
@Test
public void customAnnotationAtInterfaceLevelIsDetected() throws Exception {
    ConfigAttribute[] resolved =
            mds.getAttributes(annotatedAtInterfaceLevel).toArray(new ConfigAttribute[0]);
    // A missed interface-level annotation would show up here as an empty result.
    assertThat(resolved).hasSize(1);
}
/**
 * Configures the interceptor for expression-based annotations: a pre/post
 * annotation metadata source, the access decision manager {@code adm}, and an
 * after-invocation manager holding one post-invocation advice provider.
 *
 * <p>The same expression handler instance backs both the attribute factory and
 * the post-invocation advice.
 */
private void configureForElAnnotations() {
    DefaultMethodSecurityExpressionHandler handler =
            new DefaultMethodSecurityExpressionHandler();

    ExpressionBasedAnnotationAttributeFactory attributeFactory =
            new ExpressionBasedAnnotationAttributeFactory(handler);
    interceptor.setSecurityMetadataSource(
            new PrePostAnnotationSecurityMetadataSource(attributeFactory));
    interceptor.setAccessDecisionManager(adm);

    // Post-invocation checks run through their own manager; it is set on the
    // interceptor only after its provider list has been populated.
    AfterInvocationProviderManager afterInvocation = new AfterInvocationProviderManager();
    afterInvocation.setProviders(Arrays.asList(
            new PostInvocationAdviceProvider(new ExpressionBasedPostInvocationAdvice(handler))));
    interceptor.setAfterInvocationManager(afterInvocation);
}
} // closes the enclosing class, whose header is outside this excerpt
// Look up @PreFilter, @PreAuthorize, @PostFilter and @PostAuthorize one by one
// for the given method and target class.
// NOTE(review): each lookup is independent, so the annotations that end up
// applying need not all come from the same declaration; confirm against
// findAnnotation, which is not shown here.
PreFilter preFilter = findAnnotation(method, targetClass, PreFilter.class);
PreAuthorize preAuthorize = findAnnotation(method, targetClass, PreAuthorize.class);
PostFilter postFilter = findAnnotation(method, targetClass, PostFilter.class);
PostAuthorize postAuthorize = findAnnotation(method, targetClass, PostAuthorize.class);
/**
 * Checks that the metadata source reports exactly one attribute for the
 * {@code annotatedAtMethodLevel} fixture (defined outside this excerpt).
 */
@Test
public void customAnnotationAtMethodLevelIsDetected() throws Exception {
    ConfigAttribute[] resolved =
            mds.getAttributes(annotatedAtMethodLevel).toArray(new ConfigAttribute[0]);
    // Exactly one attribute: the annotation was found and was not duplicated.
    assertThat(resolved).hasSize(1);
}
/**
 * Creates the delegating metadata source for method security with one delegate,
 * a {@link PrePostAnnotationSecurityMetadataSource}.
 *
 * <p>The delegate list is fixed at that single entry; enabling any further
 * annotation style means adding its metadata source to the list.
 *
 * @return the delegating source containing only the pre/post annotation source
 */
@Bean
public DelegatingMethodSecurityMetadataSource methodMetadataSource() {
    // NOTE(review): a new, unconfigured expression handler is used; confirm it
    // matches the handler that evaluates the expressions at invocation time.
    DefaultMethodSecurityExpressionHandler expressionHandler =
            new DefaultMethodSecurityExpressionHandler();
    ExpressionBasedAnnotationAttributeFactory factory =
            new ExpressionBasedAnnotationAttributeFactory(expressionHandler);
    return new DelegatingMethodSecurityMetadataSource(
            Arrays.asList(new PrePostAnnotationSecurityMetadataSource(factory)));
}
// One findAnnotation call per expression annotation type, all for the same
// method and target class.
// NOTE(review): the handling of the four results follows outside this excerpt.
PreFilter preFilter = findAnnotation(method, targetClass, PreFilter.class);
PreAuthorize preAuthorize = findAnnotation(method, targetClass, PreAuthorize.class);
PostFilter postFilter = findAnnotation(method, targetClass, PostFilter.class);
PostAuthorize postAuthorize = findAnnotation(method, targetClass, PostAuthorize.class);
/**
 * Checks that the {@code voidImpl2} fixture yields one pre-invocation attribute
 * carrying both an authorize expression and a pre-filter expression.
 */
@Test
public void mixedClassAndMethodPreAnnotationsAreBothIncluded() {
    ConfigAttribute[] resolved =
            mds.getAttributes(voidImpl2).toArray(new ConfigAttribute[0]);

    // Both annotations fold into a single pre-invocation attribute.
    assertThat(resolved).hasSize(1);
    assertThat(resolved[0] instanceof PreInvocationExpressionAttribute).isTrue();

    PreInvocationExpressionAttribute preAttribute =
            (PreInvocationExpressionAttribute) resolved[0];
    assertThat(preAttribute.getAuthorizeExpression().getExpressionString())
            .isEqualTo("someExpression");
    assertThat(preAttribute.getFilterExpression()).isNotNull();
    assertThat(preAttribute.getFilterExpression().getExpressionString())
            .isEqualTo("somePreFilterExpression");
}
// Add the pre/post annotation metadata source to the sources list; its
// attributes are produced through attributeFactory.
sources.add(new PrePostAnnotationSecurityMetadataSource(attributeFactory));
/**
 * Checks the attribute produced for the {@code voidImpl3} fixture: one
 * pre-invocation attribute whose authorize expression is {@code permitAll} and
 * whose filter expression is {@code somePreFilterExpression}.
 *
 * <p>The {@code permitAll} authorize expression means the pre-filter alone does
 * not restrict who may call the method; it only filters the argument.
 */
@Test
public void methodWithPreFilterOnlyIsAllowed() {
    ConfigAttribute[] resolved =
            mds.getAttributes(voidImpl3).toArray(new ConfigAttribute[0]);

    assertThat(resolved).hasSize(1);
    assertThat(resolved[0] instanceof PreInvocationExpressionAttribute).isTrue();

    PreInvocationExpressionAttribute preAttribute =
            (PreInvocationExpressionAttribute) resolved[0];
    // The authorize expression is pinned to "permitAll" for this fixture.
    assertThat(preAttribute.getAuthorizeExpression().getExpressionString())
            .isEqualTo("permitAll");
    assertThat(preAttribute.getFilterExpression()).isNotNull();
    assertThat(preAttribute.getFilterExpression().getExpressionString())
            .isEqualTo("somePreFilterExpression");
}
/**
 * Declares the method-security metadata source bean as a delegating source with
 * exactly one delegate, a {@link PrePostAnnotationSecurityMetadataSource}.
 *
 * @return the delegating source containing only the pre/post annotation source
 */
@Bean
public DelegatingMethodSecurityMetadataSource methodMetadataSource() {
    // NOTE(review): the handler is instantiated locally with no further setup;
    // confirm that no customised handler is expected to be shared with this bean.
    DefaultMethodSecurityExpressionHandler expressionHandler =
            new DefaultMethodSecurityExpressionHandler();
    ExpressionBasedAnnotationAttributeFactory factory =
            new ExpressionBasedAnnotationAttributeFactory(expressionHandler);
    // Only this one source is registered with the delegating source.
    return new DelegatingMethodSecurityMetadataSource(
            Arrays.asList(new PrePostAnnotationSecurityMetadataSource(factory)));
}
/**
 * Checks the attributes produced for the {@code listImpl1} fixture: a
 * pre-invocation attribute followed by a post-invocation attribute.
 *
 * <p>The pre-invocation authorize expression is {@code permitAll}, so the
 * post-filter trims the returned data but does not gate the call itself.
 */
@Test
public void methodWithPostFilterOnlyIsAllowed() {
    ConfigAttribute[] resolved =
            mds.getAttributes(listImpl1).toArray(new ConfigAttribute[0]);

    // Order matters to the assertions: pre-invocation first, post-invocation second.
    assertThat(resolved).hasSize(2);
    assertThat(resolved[0] instanceof PreInvocationExpressionAttribute).isTrue();
    assertThat(resolved[1] instanceof PostInvocationExpressionAttribute).isTrue();

    PreInvocationExpressionAttribute preAttribute =
            (PreInvocationExpressionAttribute) resolved[0];
    PostInvocationExpressionAttribute postAttribute =
            (PostInvocationExpressionAttribute) resolved[1];
    assertThat(preAttribute.getAuthorizeExpression().getExpressionString())
            .isEqualTo("permitAll");
    assertThat(postAttribute.getFilterExpression()).isNotNull();
    assertThat(postAttribute.getFilterExpression().getExpressionString())
            .isEqualTo("somePostFilterExpression");
}
/**
 * Provides the default {@link MethodSecurityMetadataSource}. It assembles a
 * {@link DelegatingMethodSecurityMetadataSource} from
 * {@link #customMethodSecurityMetadataSource()} (when it returns non-null) and
 * from the annotation styles switched on through
 * {@link EnableGlobalMethodSecurity}.
 *
 * <p>Delegates are added in a fixed order: custom source, pre/post annotations,
 * {@code @Secured}, JSR-250.
 *
 * @return a {@link DelegatingMethodSecurityMetadataSource} over the collected
 *         sources
 */
@Bean
public MethodSecurityMetadataSource methodSecurityMetadataSource() {
    List<MethodSecurityMetadataSource> delegates =
            new ArrayList<MethodSecurityMetadataSource>();
    ExpressionBasedAnnotationAttributeFactory expressionAttributes =
            new ExpressionBasedAnnotationAttributeFactory(methodExpressionHandler());

    // NOTE(review): the custom source goes first; if the delegating source stops
    // at the first delegate that returns attributes, a custom source can shadow
    // the annotation-based rules for the same method. Confirm the lookup order.
    MethodSecurityMetadataSource custom = customMethodSecurityMetadataSource();
    if (custom != null) {
        delegates.add(custom);
    }
    if (prePostEnabled()) {
        delegates.add(new PrePostAnnotationSecurityMetadataSource(expressionAttributes));
    }
    if (securedEnabled()) {
        delegates.add(new SecuredAnnotationSecurityMetadataSource());
    }
    if (jsr250Enabled()) {
        delegates.add(new Jsr250MethodSecurityMetadataSource());
    }

    // NOTE(review): with no custom source and every flag off the list is empty,
    // and no method would carry security attributes. Confirm that this
    // configuration is rejected somewhere.
    return new DelegatingMethodSecurityMetadataSource(delegates);
}
/**
 * Checks that the {@code notherListImpl1} fixture yields one pre-invocation
 * attribute whose authorize and filter expressions are both the
 * interface-declared ones.
 */
@Test
public void interfaceAttributesAreIncluded() {
    ConfigAttribute[] resolved =
            mds.getAttributes(notherListImpl1).toArray(new ConfigAttribute[0]);

    assertThat(resolved).hasSize(1);
    assertThat(resolved[0] instanceof PreInvocationExpressionAttribute).isTrue();

    PreInvocationExpressionAttribute preAttribute =
            (PreInvocationExpressionAttribute) resolved[0];
    assertThat(preAttribute.getFilterExpression()).isNotNull();
    assertThat(preAttribute.getAuthorizeExpression()).isNotNull();
    // Both expression strings carry the "interface" prefix used by the fixture.
    assertThat(preAttribute.getAuthorizeExpression().getExpressionString())
            .isEqualTo("interfaceMethodAuthzExpression");
    assertThat(preAttribute.getFilterExpression().getExpressionString())
            .isEqualTo("interfacePreFilterExpression");
}
// Register a pre/post annotation metadata source, constructed with
// attributeFactory, as one more entry in sources.
sources.add(new PrePostAnnotationSecurityMetadataSource(attributeFactory));
/**
 * Checks the attribute produced for the {@code notherListImpl2} fixture.
 *
 * <p>The assertions pin a mixed result: the pre-filter expression is the
 * class-declared one, while the authorize expression is still the
 * interface-declared one.
 */
@Test
public void classAttributesTakesPrecedeceOverInterfaceAttributes() {
    ConfigAttribute[] resolved =
            mds.getAttributes(notherListImpl2).toArray(new ConfigAttribute[0]);

    assertThat(resolved).hasSize(1);
    assertThat(resolved[0] instanceof PreInvocationExpressionAttribute).isTrue();

    PreInvocationExpressionAttribute preAttribute =
            (PreInvocationExpressionAttribute) resolved[0];
    assertThat(preAttribute.getFilterExpression()).isNotNull();
    assertThat(preAttribute.getAuthorizeExpression()).isNotNull();
    // NOTE(review): presumably the class fixture overrides only the filter
    // annotation, so the authorization rule is inherited from the interface.
    // Confirm against the fixture, which is outside this excerpt.
    assertThat(preAttribute.getAuthorizeExpression().getExpressionString())
            .isEqualTo("interfaceMethodAuthzExpression");
    assertThat(preAttribute.getFilterExpression().getExpressionString())
            .isEqualTo("classMethodPreFilterExpression");
}