/**
 * Evaluates one EL policy statement against the request and records the outcome.
 *
 * <p>The statement is evaluated as a {@code boolean}. A {@code false} result, and any
 * exception thrown while creating or evaluating the expression, are both recorded on the
 * collector as fatal, so evaluation fails closed.
 *
 * <p>The expression sees the configured custom functions plus the variables
 * {@code user}/{@code subject} (the request subject, or {@code ANONYMOUS}), {@code service}
 * (the service subject, or {@code ANONYMOUS}), {@code env}, {@code object} (may be
 * {@code null}) and {@code request}.
 *
 * <p>NOTE(review): the statement has full EL access to the request and target object, so it
 * must originate from trusted configuration, not from the caller — confirm the source.
 *
 * @param policyStatement EL expression expected to yield a boolean
 * @param collector       receives a fatal entry when the statement denies or fails
 * @param request         the request being authorized
 */
@Override
public void executePolicy(String policyStatement, Errors.Collector collector, ProviderRequest request) {
    StandardELContext elContext = new StandardELContext(ef);
    elContext.addELResolver(ATTRIBUTE_RESOLVER);

    // Register the configured custom functions under their prefix and local name.
    FunctionMapper functionMapper = elContext.getFunctionMapper();
    customMethods.forEach(fn -> {
        functionMapper.mapFunction(fn.prefix, fn.localName, fn.method);
    });

    // Bind the request into named EL variables; a missing subject is treated as ANONYMOUS.
    VariableMapper variableMapper = elContext.getVariableMapper();
    Subject user = request.subject().orElse(SecurityContext.ANONYMOUS);
    variable(variableMapper, "user", user, Subject.class);
    variable(variableMapper, "subject", user, Subject.class);
    Subject service = request.service().orElse(SecurityContext.ANONYMOUS);
    variable(variableMapper, "service", service, Subject.class);
    variable(variableMapper, "env", request.env(), SecurityEnvironment.class);
    variable(variableMapper, "object", request.getObject().orElse(null), Object.class);
    variable(variableMapper, "request", request, ProviderRequest.class);

    try {
        ValueExpression expression = ef.createValueExpression(elContext, policyStatement, boolean.class);
        boolean permitted = (boolean) expression.getValue(elContext);
        if (permitted) {
            return;
        }
        collector.fatal(this, "Policy statement \"" + policyStatement + "\" evaluated to false");
    } catch (Exception e) {
        // Fail closed: an expression that cannot be evaluated denies access. The exception
        // message is surfaced via the collector; the stack trace only at FINEST.
        collector.fatal(this, "Policy statement \"" + policyStatement + "\" evaluated to an exception "
                + e.getClass().getName() + " with message: " + e.getMessage());
        LOGGER.log(Level.FINEST, e, () -> "Statement " + policyStatement + " evaluation failed");
    }
}
/**
 * Validates the request against the configured role requirements.
 *
 * <p>{@code denyAll} wins over everything else and is recorded as fatal; {@code permitAll}
 * short-circuits with no checks. Otherwise the user subject is checked against the allowed
 * user roles and the service subject against the allowed service roles, each contributing
 * its own findings to the collector.
 *
 * @param config    the role configuration for the protected resource
 * @param collector receives fatal entries for denied access
 * @param request   the request being authorized
 */
@Override
public void validate(RoleConfig config, Errors.Collector collector, ProviderRequest request) {
    if (config.denyAll()) {
        // Explicit deny takes precedence over permitAll and any role lists.
        collector.fatal(this, "Access denied by DenyAll.");
    } else if (!config.permitAll()) {
        validate(config.userRolesAllowed(), collector, request.subject(), SubjectType.USER);
        validate(config.serviceRolesAllowed(), collector, request.service(), SubjectType.SERVICE);
    }
}
/**
 * Validates the request against the configured role lists.
 *
 * <p>The user subject is checked against the allowed user roles and the service subject
 * against the allowed service roles; each check records its own findings on the collector.
 * This variant has no {@code denyAll}/{@code permitAll} handling, so every request goes
 * through both role checks.
 *
 * @param config    the role configuration for the protected resource
 * @param collector receives fatal entries for denied access
 * @param request   the request being authorized
 */
@Override
public void validate(RoleConfig config, Errors.Collector collector, ProviderRequest request) {
    validate(config.userRolesAllowed(), collector, request.subject(), SubjectType.USER);
    validate(config.serviceRolesAllowed(), collector, request.service(), SubjectType.SERVICE);
}
/**
 * Evaluates one EL policy statement against the request and records the outcome.
 *
 * <p>The statement is evaluated as a {@code boolean}. A {@code false} result, and any
 * exception thrown while creating or evaluating the expression, are both recorded on the
 * collector as fatal, so evaluation fails closed.
 *
 * <p>The expression sees the configured custom functions plus the variables
 * {@code user}/{@code subject} (the request subject, or {@code ANONYMOUS}), {@code service}
 * (the service subject, or {@code ANONYMOUS}), {@code env}, {@code object} (may be
 * {@code null}) and {@code request}.
 *
 * <p>NOTE(review): the statement has full EL access to the request and target object, so it
 * must originate from trusted configuration, not from the caller — confirm the source.
 *
 * @param policyStatement EL expression expected to yield a boolean
 * @param collector       receives a fatal entry when the statement denies or fails
 * @param request         the request being authorized
 */
@Override
public void executePolicy(String policyStatement, Errors.Collector collector, ProviderRequest request) {
    StandardELContext elContext = new StandardELContext(ef);
    elContext.addELResolver(ATTRIBUTE_RESOLVER);

    // Register the configured custom functions under their prefix and local name.
    FunctionMapper functionMapper = elContext.getFunctionMapper();
    customMethods.forEach(fn -> {
        functionMapper.mapFunction(fn.prefix, fn.localName, fn.method);
    });

    // Bind the request into named EL variables; a missing subject is treated as ANONYMOUS.
    VariableMapper variableMapper = elContext.getVariableMapper();
    Subject user = request.subject().orElse(SecurityContext.ANONYMOUS);
    variable(variableMapper, "user", user, Subject.class);
    variable(variableMapper, "subject", user, Subject.class);
    Subject service = request.service().orElse(SecurityContext.ANONYMOUS);
    variable(variableMapper, "service", service, Subject.class);
    variable(variableMapper, "env", request.env(), SecurityEnvironment.class);
    variable(variableMapper, "object", request.getObject().orElse(null), Object.class);
    variable(variableMapper, "request", request, ProviderRequest.class);

    try {
        ValueExpression expression = ef.createValueExpression(elContext, policyStatement, boolean.class);
        boolean permitted = (boolean) expression.getValue(elContext);
        if (permitted) {
            return;
        }
        collector.fatal(this, "Policy statement \"" + policyStatement + "\" evaluated to false");
    } catch (Exception e) {
        // Fail closed: an expression that cannot be evaluated denies access. The exception
        // message is surfaced via the collector; the stack trace only at FINEST.
        collector.fatal(this, "Policy statement \"" + policyStatement + "\" evaluated to an exception "
                + e.getClass().getName() + " with message: " + e.getMessage());
        LOGGER.log(Level.FINEST, e, () -> "Statement " + policyStatement + " evaluation failed");
    }
}