/**
 * Returns whether the current user holds the given role.
 * <p>
 * Providers that natively support role based access should override this method. The default implementation
 * checks the subject for a {@link Role} grant of the requested name.
 * <p>
 * Defined to conform with the widely used role-based authorization concept that frameworks such as Servlet and
 * JAX-RS require.
 *
 * @param subject current subject
 * @param role role name
 * @return true if current user is in this role
 */
default boolean isUserInRole(Subject subject, String role) {
    java.util.Set<String> granted = Security.getRoles(subject);
    return granted.contains(role);
}
}
/**
 * Check whether the subject holds every one of the specified roles.
 * <p>
 * To check that the subject is in EITHER of the roles, combine calls with the or operator (e.g.
 * {@code inRole(user, "manager") || inRole(user, "admin")}).
 *
 * @param subject subject of a user or a service
 * @param roles roles the subject should be in
 * @return true if the subject is in all the specified roles (vacuously true for no roles)
 */
public static boolean inRoles(Subject subject, String... roles) {
    Set<String> granted = Security.getRoles(subject);
    boolean hasAll = true;
    // stop at the first role the subject lacks
    for (int i = 0; i < roles.length && hasAll; i++) {
        hasAll = granted.contains(roles[i]);
    }
    return hasAll;
}
/**
 * Builds, signs and attaches an outbound JWT for the given target.
 * <p>
 * The token carries every ABAC attribute of the principal as a payload claim, a {@code name} claim taken from the
 * {@code full_name} attribute (removed when absent), subject, preferred username, issuer, the target's own
 * customizations, the subject's roles as user groups and - unless the principal already has an {@code upn}
 * attribute - the user principal.
 *
 * @param ot outbound target (supplies the signing key id, builder customizations and the header handler)
 * @param subject subject whose identity is propagated
 * @return outbound response carrying the headers written by the target's outbound handler
 * @throws JwtException if no signing JWK is configured for the target's key id
 */
private OutboundSecurityResponse propagate(JwtOutboundTarget ot, Subject subject) {
    Jwk signingKey = signKeys.forKeyId(ot.jwkKid)
            .orElseThrow(() -> new JwtException("Signing JWK with kid: " + ot.jwkKid + " is not defined."));

    Principal caller = subject.principal();
    Jwt.Builder jwtBuilder = Jwt.builder();

    // NOTE(review): every ABAC attribute is copied into the outbound token; confirm none of them is
    // sensitive for the targets this token is sent to.
    caller.abacAttributeNames()
            .forEach(attributeName -> caller.abacAttribute(attributeName)
                    .ifPresent(value -> jwtBuilder.addPayloadClaim(attributeName, value)));

    // "name" mirrors the full_name attribute; drop any stale claim when the attribute is missing
    OptionalHelper.from(caller.abacAttribute("full_name"))
            .ifPresentOrElse(fullName -> jwtBuilder.addPayloadClaim("name", fullName),
                             () -> jwtBuilder.removePayloadClaim("name"));

    jwtBuilder.subject(caller.id())
            .preferredUsername(caller.getName())
            .issuer(issuer)
            .algorithm(signingKey.algorithm());

    // target-specific customizations are applied before the upn fallback below
    ot.update(jwtBuilder);

    // MP specific (presumably the MicroProfile JWT upn claim - confirm): only set when no upn attribute exists
    if (!caller.abacAttribute("upn").isPresent()) {
        jwtBuilder.userPrincipal(caller.getName());
    }

    Security.getRoles(subject)
            .forEach(jwtBuilder::addUserGroup);

    Jwt token = jwtBuilder.build();
    SignedJwt signedToken = SignedJwt.sign(token, signingKey);

    Map<String, List<String>> outboundHeaders = new HashMap<>();
    ot.outboundHandler.header(outboundHeaders, signedToken.tokenContent());

    return OutboundSecurityResponse.withHeaders(outboundHeaders);
}
/**
 * Check whether the subject holds every one of the specified roles.
 * <p>
 * To check that the subject is in EITHER of the roles, combine calls with the or operator (e.g.
 * {@code inRole(user, "manager") || inRole(user, "admin")}).
 *
 * @param subject subject of a user or a service
 * @param roles roles the subject should be in
 * @return true if the subject is in all the specified roles (vacuously true for no roles)
 */
public static boolean inRoles(Subject subject, String... roles) {
    Set<String> granted = Security.getRoles(subject);
    boolean hasAll = true;
    // stop at the first role the subject lacks
    for (int i = 0; i < roles.length && hasAll; i++) {
        hasAll = granted.contains(roles[i]);
    }
    return hasAll;
}
/**
 * Check whether the subject holds every one of the specified roles.
 * <p>
 * To check that the subject is in EITHER of the roles, combine calls with the or operator (e.g.
 * {@code inRole(user, "manager") || inRole(user, "admin")}).
 *
 * @param subject subject of a user or a service
 * @param roles roles the subject should be in
 * @return true if the subject is in all the specified roles (vacuously true for no roles)
 */
public static boolean inRoles(Subject subject, String... roles) {
    Set<String> granted = Security.getRoles(subject);
    boolean hasAll = true;
    // stop at the first role the subject lacks
    for (int i = 0; i < roles.length && hasAll; i++) {
        hasAll = granted.contains(roles[i]);
    }
    return hasAll;
}
/**
 * Builds, signs and attaches an outbound JWT for the given target.
 * <p>
 * The token carries every ABAC attribute of the principal as a payload claim, a {@code name} claim taken from the
 * {@code full_name} attribute (removed when absent), subject, preferred username, issuer, the target's own
 * customizations, the subject's roles as user groups and - unless the principal already has an {@code upn}
 * attribute - the user principal.
 *
 * @param ot outbound target (supplies the signing key id, builder customizations and the header handler)
 * @param subject subject whose identity is propagated
 * @return outbound response carrying the headers written by the target's outbound handler
 * @throws JwtException if no signing JWK is configured for the target's key id
 */
private OutboundSecurityResponse propagate(JwtOutboundTarget ot, Subject subject) {
    Jwk signingKey = signKeys.forKeyId(ot.jwkKid)
            .orElseThrow(() -> new JwtException("Signing JWK with kid: " + ot.jwkKid + " is not defined."));

    Principal caller = subject.principal();
    Jwt.Builder jwtBuilder = Jwt.builder();

    // NOTE(review): every ABAC attribute is copied into the outbound token; confirm none of them is
    // sensitive for the targets this token is sent to.
    caller.abacAttributeNames()
            .forEach(attributeName -> caller.abacAttribute(attributeName)
                    .ifPresent(value -> jwtBuilder.addPayloadClaim(attributeName, value)));

    // "name" mirrors the full_name attribute; drop any stale claim when the attribute is missing
    OptionalHelper.from(caller.abacAttribute("full_name"))
            .ifPresentOrElse(fullName -> jwtBuilder.addPayloadClaim("name", fullName),
                             () -> jwtBuilder.removePayloadClaim("name"));

    jwtBuilder.subject(caller.id())
            .preferredUsername(caller.getName())
            .issuer(issuer)
            .algorithm(signingKey.algorithm());

    // target-specific customizations are applied before the upn fallback below
    ot.update(jwtBuilder);

    // MP specific (presumably the MicroProfile JWT upn claim - confirm): only set when no upn attribute exists
    if (!caller.abacAttribute("upn").isPresent()) {
        jwtBuilder.userPrincipal(caller.getName());
    }

    Security.getRoles(subject)
            .forEach(jwtBuilder::addUserGroup);

    Jwt token = jwtBuilder.build();
    SignedJwt signedToken = SignedJwt.sign(token, signingKey);

    Map<String, List<String>> outboundHeaders = new HashMap<>();
    ot.outboundHandler.header(outboundHeaders, signedToken.tokenContent());

    return OutboundSecurityResponse.withHeaders(outboundHeaders);
}