/**
 * Returns the {@link WebInvocationPrivilegeEvaluator} in effect for this configuration.
 * <p>
 * An explicitly configured evaluator always wins; otherwise one is derived from the
 * configured {@code FilterSecurityInterceptor}, if any, so that privilege checks use the
 * same interceptor the filter chain enforces.
 *
 * @return the configured or derived evaluator, or {@code null} when neither an evaluator
 * nor a {@code FilterSecurityInterceptor} is available
 */
public WebInvocationPrivilegeEvaluator getPrivilegeEvaluator() {
	WebInvocationPrivilegeEvaluator evaluator = privilegeEvaluator;
	if (evaluator == null && filterSecurityInterceptor != null) {
		// Derive from the interceptor so the evaluator reflects the real authorization rules
		evaluator = new DefaultWebInvocationPrivilegeEvaluator(filterSecurityInterceptor);
	}
	return evaluator;
}
/**
 * Builds the fallback {@link AccessDeniedHandler} from the registered default mappings.
 * <p>
 * With no mappings a plain {@link AccessDeniedHandlerImpl} is used. A single mapping is
 * returned directly, so its request matcher is never evaluated. Several mappings are
 * wrapped in a {@link RequestMatcherDelegatingAccessDeniedHandler} that falls back to
 * {@link AccessDeniedHandlerImpl} when none of the matchers apply.
 *
 * @param http the {@link HttpSecurityBuilder} (not consulted here)
 * @return the handler to apply when no explicit handler was configured
 */
private AccessDeniedHandler createDefaultDeniedHandler(H http) {
	int mappingCount = this.defaultDeniedHandlerMappings.size();
	switch (mappingCount) {
	case 0:
		return new AccessDeniedHandlerImpl();
	case 1:
		// Sole mapping applies unconditionally: its request matcher is not checked
		return this.defaultDeniedHandlerMappings.values().iterator().next();
	default:
		return new RequestMatcherDelegatingAccessDeniedHandler(
				this.defaultDeniedHandlerMappings, new AccessDeniedHandlerImpl());
	}
}
/**
 * Configures access-denied handling to forward to a specific error page.
 * <p>
 * Equivalent to registering an {@link AccessDeniedHandlerImpl} whose error page is
 * {@code accessDeniedUrl} through
 * {@link #accessDeniedHandler(org.springframework.security.web.access.AccessDeniedHandler)}.
 *
 * @param accessDeniedUrl the URL of the access denied page (i.e. /errors/401)
 * @return the {@link ExceptionHandlingConfigurer} for further customization
 * @see AccessDeniedHandlerImpl
 */
public ExceptionHandlingConfigurer<H> accessDeniedPage(String accessDeniedUrl) {
	AccessDeniedHandlerImpl pageHandler = new AccessDeniedHandlerImpl();
	pageHandler.setErrorPage(accessDeniedUrl);
	return accessDeniedHandler(pageHandler);
}
/**
 * Builds a minimal filter chain (anonymous authentication, exception translation,
 * authorization) behind a {@link FilterChainProxy}, plus a
 * {@link DefaultFilterChainValidator} whose logger is swapped for the test's logger.
 *
 * @throws Exception if any collaborator fails to initialize
 */
@Before
public void setUp() throws Exception {
	fsi = new FilterSecurityInterceptor();
	fsi.setAccessDecisionManager(accessDecisionManager);
	fsi.setSecurityMetadataSource(metadataSource);

	ExceptionTranslationFilter translationFilter = new ExceptionTranslationFilter(
			new LoginUrlAuthenticationEntryPoint("/login"));
	AnonymousAuthenticationFilter anonymousFilter = new AnonymousAuthenticationFilter(
			"anonymous");

	// Chain order: anonymous -> exception translation -> authorization (fsi last)
	fcp = new FilterChainProxy(new DefaultSecurityFilterChain(AnyRequestMatcher.INSTANCE,
			anonymousFilter, translationFilter, fsi));

	validator = new DefaultFilterChainValidator();
	// The logger is injected reflectively; the test relies on the field being named "logger"
	ReflectionTestUtils.setField(validator, "logger", logger);
}
ExceptionTranslationFilter filter = new ExceptionTranslationFilter(ep, cache); AccessDeniedHandlerImpl accessDeniedHandler = new AccessDeniedHandlerImpl(); accessDeniedHandler.setErrorPage(authConfig.getAccessDeniedErrorPage()); else LOGGER.warning("Cannot find: " + authConfig.getAccessDeniedErrorPage()); filter.setAccessDeniedHandler(accessDeniedHandler); filter.afterPropertiesSet(); getNestedFilters().add(filter);
|| !(etf.getAuthenticationEntryPoint() instanceof LoginUrlAuthenticationEntryPoint)) { return; .getAuthenticationEntryPoint()).getLoginFormUrl(); logger.info("Checking whether login URL '" + loginPage + "' is accessible with your configuration"); FilterInvocationSecurityMetadataSource fids = fsi.getSecurityMetadataSource(); Collection<ConfigAttribute> attributes = fids.getAttributes(loginRequest); if (fsi.isRejectPublicInvocations()) { logger.warn("FilterSecurityInterceptor is configured to reject public invocations." + " Your login page may not be accessible."); anonPF.getPrincipal(), anonPF.getAuthorities()); try { fsi.getAccessDecisionManager().decide(token, loginRequest, attributes);
/**
 * Registers the {@link ExceptionTranslationFilter} that turns authentication and
 * access-denied exceptions into HTTP responses.
 * <p>
 * The filter is wired with the resolved {@link AuthenticationEntryPoint}, the request
 * cache and the resolved {@link AccessDeniedHandler}, then run through
 * {@code postProcess} before being added to {@code http}.
 *
 * @param http the {@link HttpSecurityBuilder} receiving the filter
 * @throws Exception if resolving the collaborators fails
 */
@Override
public void configure(H http) throws Exception {
	ExceptionTranslationFilter translationFilter = new ExceptionTranslationFilter(
			getAuthenticationEntryPoint(http), getRequestCache(http));
	translationFilter.setAccessDeniedHandler(getAccessDeniedHandler(http));
	// postProcess first so the instance added to the chain is the processed one
	http.addFilter(postProcess(translationFilter));
}
/**
 * Resolves the default {@link AccessDeniedHandler} for this builder.
 * <p>
 * Prefers the handler exposed by a registered {@link ExceptionHandlingConfigurer}; when no
 * such configurer is present, or it yields {@code null}, a fresh
 * {@link AccessDeniedHandlerImpl} is returned so callers never receive {@code null}.
 *
 * @param http the {@link HttpSecurityBuilder} to inspect
 * @return the resolved handler, never {@code null}
 */
@SuppressWarnings("unchecked")
private AccessDeniedHandler getDefaultAccessDeniedHandler(H http) {
	// The lookup by class token cannot carry H, hence the unchecked assignment
	ExceptionHandlingConfigurer<H> exceptionConfig = http
			.getConfigurer(ExceptionHandlingConfigurer.class);
	AccessDeniedHandler configured = (exceptionConfig == null) ? null
			: exceptionConfig.getAccessDeniedHandler();
	return (configured != null) ? configured : new AccessDeniedHandlerImpl();
}
/**
 * Exposes the exception translation filter as the {@code etf} bean.
 * <p>
 * The filter is built around {@code getHttp403ForbiddenEntryPoint()}; by that entry
 * point's name, unauthenticated requests are expected to be answered with 403 rather than
 * redirected to a login page.
 *
 * @return a new {@link ExceptionTranslationFilter}
 */
@Bean(name = "etf")
public ExceptionTranslationFilter getExceptionTranslationFilter() {
	return new ExceptionTranslationFilter(this.getHttp403ForbiddenEntryPoint());
}
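/**
 * Common failure handling for OAuth consumer errors.
 * <p>
 * The failure is stored in the session under {@code OAUTH_FAILURE_KEY} on a best-effort
 * basis (a failure to reach the session must not mask the original error), then either
 * delegated to the configured failure handler or rethrown. Note that the default logic
 * doesn't pass the failure through so as to not mess with the current authentication.
 *
 * @param request The request.
 * @param response The response.
 * @param failure The failure.
 * @throws ServletException in the case of an underlying Servlet API exception
 * @throws IOException in the case of general IO exceptions
 */
protected void fail(HttpServletRequest request, HttpServletResponse response,
		OAuthRequestFailedException failure) throws IOException, ServletException {
	try {
		// Best effort: expose the last failure to a subsequent request / error page.
		request.getSession().setAttribute(OAUTH_FAILURE_KEY, failure);
	}
	catch (Exception ignored) {
		// Session access can fail (e.g. the response is already committed). The original
		// failure is still handled below; record the cause so a missing attribute is
		// diagnosable instead of silently disappearing.
		if (LOG.isDebugEnabled()) {
			LOG.debug("Unable to store OAuth failure in the session", ignored);
		}
	}

	if (LOG.isDebugEnabled()) {
		LOG.debug(failure);
	}

	if (getOAuthFailureHandler() != null) {
		getOAuthFailureHandler().handle(request, response, failure);
	}
	else {
		throw failure;
	}
}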
/**
 * Creates the {@link AccessDeniedHandler} for this session-management configuration.
 * <p>
 * Without an {@link InvalidSessionStrategy} the handler from
 * {@link #getDefaultAccessDeniedHandler(HttpSecurityBuilder)} is returned unchanged.
 * Otherwise a {@link DelegatingAccessDeniedHandler} routes
 * {@link MissingCsrfTokenException} to an {@link InvalidSessionAccessDeniedHandler}
 * wrapping that strategy and every other {@link AccessDeniedException} to the default
 * handler.
 *
 * @param http the {@link HttpSecurityBuilder}
 * @return the {@link AccessDeniedHandler}
 */
private AccessDeniedHandler createAccessDeniedHandler(H http) {
	InvalidSessionStrategy sessionStrategy = getInvalidSessionStrategy(http);
	AccessDeniedHandler fallbackHandler = getDefaultAccessDeniedHandler(http);
	if (sessionStrategy == null) {
		return fallbackHandler;
	}
	// Only MissingCsrfTokenException is redirected to the invalid-session strategy
	// (presumably because a missing token usually follows session expiry); all other
	// AccessDeniedExceptions keep the default handling.
	LinkedHashMap<Class<? extends AccessDeniedException>, AccessDeniedHandler> byExceptionType =
			new LinkedHashMap<Class<? extends AccessDeniedException>, AccessDeniedHandler>();
	byExceptionType.put(MissingCsrfTokenException.class,
			new InvalidSessionAccessDeniedHandler(sessionStrategy));
	return new DelegatingAccessDeniedHandler(byExceptionType, fallbackHandler);
}
String failurePage = element.getAttribute("oauth-failure-page"); if (StringUtils.hasText(failurePage)) { AccessDeniedHandlerImpl failureHandler = new AccessDeniedHandlerImpl(); failureHandler.setErrorPage(failurePage); consumerContextFilterBean.addPropertyValue("OAuthFailureHandler", failureHandler);
/**
 * Adds the {@link ExceptionTranslationFilter} to the builder.
 * <p>
 * Collaborators are resolved from {@code http}: the entry point used to start
 * authentication, the request cache used to replay the original request, and the
 * {@link AccessDeniedHandler} used for authorization failures.
 *
 * @param http the {@link HttpSecurityBuilder} being configured
 * @throws Exception if any collaborator cannot be resolved
 */
@Override
public void configure(H http) throws Exception {
	AuthenticationEntryPoint entryPoint = getAuthenticationEntryPoint(http);
	RequestCache requestCache = getRequestCache(http);
	AccessDeniedHandler deniedHandler = getAccessDeniedHandler(http);

	ExceptionTranslationFilter filter = new ExceptionTranslationFilter(entryPoint, requestCache);
	filter.setAccessDeniedHandler(deniedHandler);
	// Register the post-processed instance, not the raw one
	ExceptionTranslationFilter processed = postProcess(filter);
	http.addFilter(processed);
}
/**
 * Denies every request and registers two default {@link AccessDeniedHandler} mappings:
 * the teapot handler for {@code /hello/**} and a plain {@link AccessDeniedHandlerImpl}
 * for any other request.
 *
 * @param http the {@link HttpSecurity} under test
 * @throws Exception if configuration fails
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
	AntPathRequestMatcher helloMatcher = new AntPathRequestMatcher("/hello/**");
	// @formatter:off
	http
		.authorizeRequests()
			.anyRequest().denyAll()
			.and()
		.exceptionHandling()
			// The specific /hello/** mapping is registered before the catch-all one
			.defaultAccessDeniedHandlerFor(this.teapotDeniedHandler, helloMatcher)
			.defaultAccessDeniedHandlerFor(new AccessDeniedHandlerImpl(), AnyRequestMatcher.INSTANCE);
	// @formatter:on
}
}
/**
 * Chooses the default {@link AccessDeniedHandler} based on how many matcher-to-handler
 * mappings were registered.
 * <p>
 * Zero mappings: a new {@link AccessDeniedHandlerImpl}. One mapping: that handler, used
 * unconditionally (its matcher is not consulted). More than one: a
 * {@link RequestMatcherDelegatingAccessDeniedHandler} over all mappings with
 * {@link AccessDeniedHandlerImpl} as the last resort.
 *
 * @param http the {@link HttpSecurityBuilder} (not used by this method)
 * @return the default {@link AccessDeniedHandler}
 */
private AccessDeniedHandler createDefaultDeniedHandler(H http) {
	AccessDeniedHandlerImpl lastResort = new AccessDeniedHandlerImpl();
	if (this.defaultDeniedHandlerMappings.isEmpty()) {
		return lastResort;
	}
	boolean singleMapping = this.defaultDeniedHandlerMappings.size() == 1;
	if (singleMapping) {
		// With one mapping the matcher is bypassed and the handler always applies
		return this.defaultDeniedHandlerMappings.values().iterator().next();
	}
	return new RequestMatcherDelegatingAccessDeniedHandler(
			this.defaultDeniedHandlerMappings, lastResort);
}
/**
 * Gets the {@link WebInvocationPrivilegeEvaluator} to be used.
 * <p>
 * Resolution order: the explicitly configured evaluator, then a
 * {@link DefaultWebInvocationPrivilegeEvaluator} built from the configured
 * {@code FilterSecurityInterceptor}. If neither is present, {@code null} is returned and
 * callers must handle that case.
 *
 * @return the {@link WebInvocationPrivilegeEvaluator} for further customizations, or
 * {@code null} when none can be determined
 */
public WebInvocationPrivilegeEvaluator getPrivilegeEvaluator() {
	if (privilegeEvaluator == null) {
		// No explicit evaluator: fall back to one derived from the interceptor, if any
		return (filterSecurityInterceptor != null)
				? new DefaultWebInvocationPrivilegeEvaluator(filterSecurityInterceptor)
				: null;
	}
	return privilegeEvaluator;
}
/**
 * Creates the {@link AccessDeniedHandler} from the result of
 * {@link #getDefaultAccessDeniedHandler(HttpSecurityBuilder)} and
 * {@link #getInvalidSessionStrategy(HttpSecurityBuilder)}.
 * <p>
 * If an {@link InvalidSessionStrategy} is configured, a
 * {@link DelegatingAccessDeniedHandler} sends {@link MissingCsrfTokenException} to an
 * {@link InvalidSessionAccessDeniedHandler} and everything else to the default handler.
 * Without a strategy the default handler is used as-is.
 *
 * @param http the {@link HttpSecurityBuilder}
 * @return the {@link AccessDeniedHandler}
 */
private AccessDeniedHandler createAccessDeniedHandler(H http) {
	InvalidSessionStrategy strategy = getInvalidSessionStrategy(http);
	AccessDeniedHandler defaultHandler = getDefaultAccessDeniedHandler(http);
	if (strategy != null) {
		InvalidSessionAccessDeniedHandler invalidSessionHandler =
				new InvalidSessionAccessDeniedHandler(strategy);
		LinkedHashMap<Class<? extends AccessDeniedException>, AccessDeniedHandler> routes =
				new LinkedHashMap<Class<? extends AccessDeniedException>, AccessDeniedHandler>();
		// Only the CSRF "missing token" case is mapped; other AccessDeniedExceptions
		// fall through to defaultHandler inside the delegating handler.
		routes.put(MissingCsrfTokenException.class, invalidSessionHandler);
		return new DelegatingAccessDeniedHandler(routes, defaultHandler);
	}
	return defaultHandler;
}
/**
 * Shortcut to specify the {@link AccessDeniedHandler} to be used is a specific error
 * page.
 * <p>
 * Builds an {@link AccessDeniedHandlerImpl} pointed at {@code accessDeniedUrl} and hands
 * it to
 * {@link #accessDeniedHandler(org.springframework.security.web.access.AccessDeniedHandler)}.
 *
 * @param accessDeniedUrl the URL to the access denied page (i.e. /errors/401)
 * @return the {@link ExceptionHandlingConfigurer} for further customization
 * @see AccessDeniedHandlerImpl
 */
public ExceptionHandlingConfigurer<H> accessDeniedPage(String accessDeniedUrl) {
	AccessDeniedHandlerImpl errorPageHandler = new AccessDeniedHandlerImpl();
	errorPageHandler.setErrorPage(accessDeniedUrl);
	ExceptionHandlingConfigurer<H> configurer = accessDeniedHandler(errorPageHandler);
	return configurer;
}
/**
 * Denies every request, registers a single default {@link AccessDeniedHandlerImpl}
 * mapping whose matcher never matches, and enables HTTP Basic plus JWT resource-server
 * support.
 * <p>
 * Whether the never-matching mapping is still applied depends on how the configurer
 * treats a sole default mapping; this setup exercises exactly that case.
 *
 * @param http the {@link HttpSecurity} under test
 * @throws Exception if configuration fails
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
	AccessDeniedHandlerImpl soleHandler = new AccessDeniedHandlerImpl();
	// @formatter:off
	http
		.authorizeRequests()
			.anyRequest().denyAll()
			.and()
		.exceptionHandling()
			// Matcher rejects every request on purpose
			.defaultAccessDeniedHandlerFor(soleHandler, request -> false)
			.and()
		.httpBasic()
			.and()
		.oauth2ResourceServer()
			.jwt();
	// @formatter:on
}
/**
 * Gets the default {@link AccessDeniedHandler} from the
 * {@link ExceptionHandlingConfigurer#getAccessDeniedHandler()} or creates a
 * {@link AccessDeniedHandlerImpl} if not available.
 * <p>
 * Two fallbacks are covered: no {@link ExceptionHandlingConfigurer} registered on the
 * builder, and a configurer that reports no handler.
 *
 * @param http the {@link HttpSecurityBuilder}
 * @return the {@link AccessDeniedHandler}, never {@code null}
 */
@SuppressWarnings("unchecked")
private AccessDeniedHandler getDefaultAccessDeniedHandler(H http) {
	ExceptionHandlingConfigurer<H> exceptionConfig = http
			.getConfigurer(ExceptionHandlingConfigurer.class);
	if (exceptionConfig == null) {
		return new AccessDeniedHandlerImpl();
	}
	AccessDeniedHandler fromConfigurer = exceptionConfig.getAccessDeniedHandler();
	if (fromConfigurer == null) {
		// Configurer present but no handler set: same default as the missing-configurer case
		return new AccessDeniedHandlerImpl();
	}
	return fromConfigurer;
}