/**
 * Builds a fully wired {@link FilterSecurityInterceptor} for the given builder.
 *
 * @param http the builder to use; passed to {@code getAccessDecisionManager(http)}
 * @param metadataSource the {@link FilterInvocationSecurityMetadataSource} to use
 * @param authenticationManager the {@link AuthenticationManager} to use
 * @return the initialised {@link FilterSecurityInterceptor}
 * @throws Exception if {@code getAccessDecisionManager(http)} or
 * {@code afterPropertiesSet()} fails
 */
private FilterSecurityInterceptor createFilterSecurityInterceptor(H http,
        FilterInvocationSecurityMetadataSource metadataSource,
        AuthenticationManager authenticationManager) throws Exception {
    FilterSecurityInterceptor interceptor = new FilterSecurityInterceptor();
    interceptor.setSecurityMetadataSource(metadataSource);
    interceptor.setAccessDecisionManager(getAccessDecisionManager(http));
    interceptor.setAuthenticationManager(authenticationManager);
    // The instance is created with "new" rather than by the container, so the
    // initialisation callback has to be invoked by hand before it is returned.
    interceptor.afterPropertiesSet();
    return interceptor;
}
}
/**
 * Switches on publication of authorization-success events for the interceptor.
 *
 * @param fsi the interceptor being post-processed
 * @return the same instance, with {@code publishAuthorizationSuccess} set to {@code true}
 */
public <O extends FilterSecurityInterceptor> O postProcess(
        O fsi) {
    // Granted requests are then reported as events too, which helps auditing but
    // means one extra event for every authorized request.
    fsi.setPublishAuthorizationSuccess(true);
    return fsi;
}
});
/**
 * Creates the {@link FilterInvocationSecurityMetadataSource} to use. The
 * implementation is a {@link DefaultFilterInvocationSecurityMetadataSource} built
 * from the request map that {@code REGISTRY} produces.
 *
 * @param http the builder to use (not read by this implementation)
 * @return the metadata source backed by {@code REGISTRY.createRequestMap()}
 */
@Override
FilterInvocationSecurityMetadataSource createMetadataSource(H http) {
    FilterInvocationSecurityMetadataSource source =
            new DefaultFilterInvocationSecurityMetadataSource(REGISTRY.createRequestMap());
    return source;
}
/**
 * Builds the {@link FilterSecurityInterceptor} bean ({@code "fsi"}) together with its
 * URL-pattern-to-role rules.
 *
 * @return the filter security interceptor
 */
@Bean(name = "fsi")
public FilterSecurityInterceptor getFilterSecurityInterceptor() {
    FilterSecurityInterceptor fsi = new FilterSecurityInterceptor();
    fsi.setAuthenticationManager(getProviderManager());
    fsi.setAccessDecisionManager(getAffirmativeBased());

    // Insertion order is part of the policy: DefaultFilterInvocationSecurityMetadataSource
    // walks the map in order and applies the first matcher that fits the request.
    LinkedHashMap<RequestMatcher, Collection<ConfigAttribute>> rules = new LinkedHashMap<>();
    rules.put(new AntPathRequestMatcher("/adm/**"),
            SecurityConfig.createListFromCommaDelimitedString("ROLE_MANAGER,ROLE_MANAGER-GUI"));
    // NOTE(review): this path is already matched by the "/adm/**" entry above, so the
    // ROLE_POWERUSERPLUS grant below never takes effect. The result is the stricter of
    // the two rules, so nothing is exposed, but the entry is dead as written. Confirm
    // the intended policy before moving it ahead of the wildcard.
    rules.put(new AntPathRequestMatcher("/adm/restartvm.ajax"),
            SecurityConfig.createListFromCommaDelimitedString(
                    "ROLE_POWERUSERPLUS,ROLE_MANAGER,ROLE_MANAGER-GUI"));
    rules.put(new AntPathRequestMatcher("/sql/**"),
            SecurityConfig.createListFromCommaDelimitedString(
                    "ROLE_POWERUSERPLUS,ROLE_MANAGER,ROLE_MANAGER-GUI"));
    rules.put(new AntPathRequestMatcher("/app/**"),
            SecurityConfig.createListFromCommaDelimitedString(
                    "ROLE_POWERUSER,ROLE_POWERUSERPLUS,ROLE_MANAGER,ROLE_MANAGER-GUI"));
    // Catch-all kept last: every URL not matched above still requires one of these roles.
    rules.put(new AntPathRequestMatcher("/**"),
            SecurityConfig.createListFromCommaDelimitedString(
                    "ROLE_PROBEUSER,ROLE_POWERUSER,ROLE_POWERUSERPLUS,ROLE_MANAGER,ROLE_MANAGER-GUI"));

    fsi.setSecurityMetadataSource(new DefaultFilterInvocationSecurityMetadataSource(rules));
    return fsi;
}
/**
 * Assembles the fixture: one filter chain that matches any request and holds an
 * anonymous filter, an exception translation filter and the interceptor under test,
 * plus a validator whose logger is swapped for the test's own.
 */
@Before
public void setUp() throws Exception {
    fsi = new FilterSecurityInterceptor();
    fsi.setAccessDecisionManager(accessDecisionManager);
    fsi.setSecurityMetadataSource(metadataSource);

    AnonymousAuthenticationFilter anonymousFilter = new AnonymousAuthenticationFilter("anonymous");
    ExceptionTranslationFilter translationFilter = new ExceptionTranslationFilter(
            new LoginUrlAuthenticationEntryPoint("/login"));
    fcp = new FilterChainProxy(new DefaultSecurityFilterChain(
            AnyRequestMatcher.INSTANCE, anonymousFilter, translationFilter, fsi));

    validator = new DefaultFilterChainValidator();
    // The validator's private "logger" field is replaced reflectively with the test's logger.
    ReflectionTestUtils.setField(validator, "logger", logger);
}
FilterInvocationSecurityMetadataSource fids = fsi.getSecurityMetadataSource(); Collection<ConfigAttribute> attributes = fids.getAttributes(loginRequest); if (fsi.isRejectPublicInvocations()) { logger.warn("FilterSecurityInterceptor is configured to reject public invocations." + " Your login page may not be accessible."); anonPF.getPrincipal(), anonPF.getAuthorities()); try { fsi.getAccessDecisionManager().decide(token, loginRequest, attributes);
/**
 * Checks that validating the chain queries a custom (mocked) metadata source for
 * attributes.
 */
@Test
public void validateCustomMetadataSource() {
    FilterInvocationSecurityMetadataSource mockedSource =
            mock(FilterInvocationSecurityMetadataSource.class);
    fsi.setSecurityMetadataSource(mockedSource);

    validator.validate(fcp);

    // Only the interaction is checked, not which request was looked up.
    verify(mockedSource).getAttributes(any());
}
}
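/**
 * Loads the access token dependencies for the given request. This will be a set of
 * {@link ProtectedResourceDetails#getId() resource ids} for which an OAuth access token
 * is required.
 *
 * <p>Attributes whose {@link ConfigAttribute#getAttribute()} is {@code null} (an attribute
 * that has no string form) are skipped, because they cannot name a resource id and the
 * sorted result set does not accept {@code null}.
 *
 * @param request The request.
 * @param response The response
 * @param filterChain The filter chain
 * @return The access token dependencies (could be empty, never {@code null}).
 */
protected Set<String> getAccessTokenDependencies(HttpServletRequest request,
        HttpServletResponse response, FilterChain filterChain) {
    Set<String> deps = new TreeSet<String>();
    if (getObjectDefinitionSource() == null) {
        // No metadata source configured: nothing can be looked up for this request.
        return deps;
    }

    FilterInvocation invocation = new FilterInvocation(request, response, filterChain);
    Collection<ConfigAttribute> attributes = getObjectDefinitionSource().getAttributes(invocation);
    if (attributes == null) {
        return deps;
    }

    for (ConfigAttribute attribute : attributes) {
        String resourceId = attribute.getAttribute();
        // TreeSet.add(null) throws NullPointerException under natural ordering, which
        // would fail the whole request for an attribute that names no resource anyway.
        if (resourceId != null) {
            deps.add(resourceId);
        }
    }
    return deps;
}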
/**
 * Runs the parent initialisation, then registers a post-build action that records the
 * concrete class of the metadata source used by the shared
 * {@link FilterSecurityInterceptor}.
 */
@Override
public void init(final WebSecurity web) throws Exception {
    super.init(web);
    final HttpSecurity httpSecurity = this.getHttp();
    // Deferred until after the build: the shared interceptor is read only when the action runs.
    web.postBuildAction(() -> DisableUseExpressionsConfig.this.filterInvocationSecurityMetadataSourceType =
            httpSecurity.getSharedObject(FilterSecurityInterceptor.class)
                    .getSecurityMetadataSource()
                    .getClass());
}
}
/**
 * Creates the {@link FilterSecurityInterceptor}, applies the optional once-per-request
 * setting and post-processing, then registers it as a filter and as a shared object.
 *
 * @param http the builder being configured
 * @throws Exception if creating the interceptor fails
 */
@Override
public void configure(H http) throws Exception {
    FilterInvocationSecurityMetadataSource source = createMetadataSource(http);
    if (source == null) {
        // Without a metadata source no interceptor is created, so this configurer adds
        // no URL authorization filter to the chain.
        return;
    }

    AuthenticationManager authenticationManager = http.getSharedObject(AuthenticationManager.class);
    FilterSecurityInterceptor interceptor =
            createFilterSecurityInterceptor(http, source, authenticationManager);
    // Leave the interceptor's own default in place unless a value was configured.
    if (filterSecurityInterceptorOncePerRequest != null) {
        interceptor.setObserveOncePerRequest(filterSecurityInterceptorOncePerRequest);
    }

    FilterSecurityInterceptor processed = postProcess(interceptor);
    http.addFilter(processed);
    http.setSharedObject(FilterSecurityInterceptor.class, processed);
}
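/**
 * Checks that {@code ${...}} placeholders in {@code intercept-url} pattern and access
 * attributes are resolved from system properties.
 *
 * <p>System properties are JVM-wide, so the two values set here are put back to their
 * previous state afterwards and cannot leak into other tests.
 */
@Test
public void interceptUrlsSupportPropertyPlaceholders() {
    String previousUrl = System.getProperty("secure.url");
    String previousRole = System.getProperty("secure.role");
    System.setProperty("secure.url", "/secure");
    System.setProperty("secure.role", "ROLE_A");
    try {
        setContext(
                "<b:bean class='org.springframework.beans.factory.config.PropertyPlaceholderConfigurer'/>"
                        + "<filter-security-metadata-source id='fids' use-expressions='false'>"
                        + " <intercept-url pattern='${secure.url}' access='${secure.role}'/>"
                        + "</filter-security-metadata-source>");
        DefaultFilterInvocationSecurityMetadataSource fids =
                (DefaultFilterInvocationSecurityMetadataSource) this.appContext.getBean("fids");
        Collection<ConfigAttribute> cad = fids.getAttributes(createFilterInvocation("/secure", "GET"));
        assertThat(cad).containsExactly(new SecurityConfig("ROLE_A"));
    }
    finally {
        // Restore whatever was there before, even when an assertion above fails.
        if (previousUrl == null) {
            System.clearProperty("secure.url");
        }
        else {
            System.setProperty("secure.url", previousUrl);
        }
        if (previousRole == null) {
            System.clearProperty("secure.role");
        }
        else {
            System.setProperty("secure.role", previousRole);
        }
    }
}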
/**
 * Loads the "OncePerRequest" XML configuration and checks that the resulting
 * {@link FilterSecurityInterceptor} has {@code observeOncePerRequest} turned off.
 */
@Test
public void configureWhenOncePerRequestIsFalseThenFilterSecurityInterceptorExercisedForForwards() {
    this.spring.configLocations(xml("OncePerRequest")).autowire();

    FilterSecurityInterceptor interceptor = getFilter(FilterSecurityInterceptor.class);

    // Only the flag is asserted here; no forward is dispatched by this test.
    assertThat(interceptor.isObserveOncePerRequest()).isFalse();
}
FilterSecurityInterceptor filter = new FilterSecurityInterceptor(); filter.setAuthenticationManager(getSecurityManager().authenticationManager()); accessDecisionManager.setAllowIfAllAbstainDecisions( siConfig.isAllowIfAllAbstainDecisions()); filter.setAccessDecisionManager(accessDecisionManager); filter.setSecurityMetadataSource( (FilterInvocationSecurityMetadataSource) GeoServerExtensions.bean(siConfig.getSecurityMetadataSource())); try { filter.afterPropertiesSet(); } catch (Exception e) { throw new RuntimeException(e);
/**
 * Wires the channel decision manager and the request-map-backed metadata source into
 * the channel filter, post-processes both, and adds the filter to the builder.
 *
 * @param http the builder being configured
 * @throws Exception declared by the overridden method
 */
@Override
public void configure(H http) throws Exception {
    ChannelDecisionManagerImpl rawDecisionManager = new ChannelDecisionManagerImpl();
    rawDecisionManager.setChannelProcessors(getChannelProcessors(http));
    // Post-processing may hand back a different instance, so its result is what gets wired in.
    ChannelDecisionManagerImpl decisionManager = postProcess(rawDecisionManager);
    channelFilter.setChannelDecisionManager(decisionManager);

    channelFilter.setSecurityMetadataSource(
            new DefaultFilterInvocationSecurityMetadataSource(requestMap));

    channelFilter = postProcess(channelFilter);
    http.addFilter(channelFilter);
}
/**
 * Runs the parent initialisation, then registers a post-build action that records the
 * concrete class of the metadata source used by the shared
 * {@link FilterSecurityInterceptor}.
 */
@Override
public void init(final WebSecurity web) throws Exception {
    super.init(web);
    final HttpSecurity httpSecurity = this.getHttp();
    // Deferred until after the build: the shared interceptor is read only when the action runs.
    web.postBuildAction(() -> UseExpressionsConfig.this.filterInvocationSecurityMetadataSourceType =
            httpSecurity.getSharedObject(FilterSecurityInterceptor.class)
                    .getSecurityMetadataSource()
                    .getClass());
}
}
/**
 * Creates the {@link FilterSecurityInterceptor}, applies the optional once-per-request
 * setting and post-processing, then registers it as a filter and as a shared object.
 *
 * @param http the builder being configured
 * @throws Exception if creating the interceptor fails
 */
@Override
public void configure(H http) throws Exception {
    FilterInvocationSecurityMetadataSource source = createMetadataSource(http);
    if (source == null) {
        // Without a metadata source no interceptor is created, so this configurer adds
        // no URL authorization filter to the chain.
        return;
    }

    AuthenticationManager authenticationManager = http.getSharedObject(AuthenticationManager.class);
    FilterSecurityInterceptor interceptor =
            createFilterSecurityInterceptor(http, source, authenticationManager);
    // Leave the interceptor's own default in place unless a value was configured.
    if (filterSecurityInterceptorOncePerRequest != null) {
        interceptor.setObserveOncePerRequest(filterSecurityInterceptorOncePerRequest);
    }

    FilterSecurityInterceptor processed = postProcess(interceptor);
    http.addFilter(processed);
    http.setSharedObject(FilterSecurityInterceptor.class, processed);
}
/**
 * Parses a metadata source with a single catch-all {@code intercept-url} and checks that
 * an arbitrary GET request resolves to {@code ROLE_A}.
 */
@Test
public void parsingMinimalConfigurationIsSuccessful() {
    String config = "<filter-security-metadata-source id='fids' use-expressions='false'>"
            + " <intercept-url pattern='/**' access='ROLE_A'/>"
            + "</filter-security-metadata-source>";
    setContext(config);

    DefaultFilterInvocationSecurityMetadataSource source =
            (DefaultFilterInvocationSecurityMetadataSource) this.appContext.getBean("fids");
    Collection<ConfigAttribute> resolved =
            source.getAttributes(createFilterInvocation("/anything", "GET"));

    assertThat(resolved).contains(new SecurityConfig("ROLE_A"));
}
/**
 * Builds a fully wired {@link FilterSecurityInterceptor} for the given builder.
 *
 * @param http the builder to use; passed to {@code getAccessDecisionManager(http)}
 * @param metadataSource the {@link FilterInvocationSecurityMetadataSource} to use
 * @param authenticationManager the {@link AuthenticationManager} to use
 * @return the initialised {@link FilterSecurityInterceptor}
 * @throws Exception if {@code getAccessDecisionManager(http)} or
 * {@code afterPropertiesSet()} fails
 */
private FilterSecurityInterceptor createFilterSecurityInterceptor(H http,
        FilterInvocationSecurityMetadataSource metadataSource,
        AuthenticationManager authenticationManager) throws Exception {
    FilterSecurityInterceptor interceptor = new FilterSecurityInterceptor();
    interceptor.setSecurityMetadataSource(metadataSource);
    interceptor.setAccessDecisionManager(getAccessDecisionManager(http));
    interceptor.setAuthenticationManager(authenticationManager);
    // The instance is created with "new" rather than by the container, so the
    // initialisation callback has to be invoked by hand before it is returned.
    interceptor.afterPropertiesSet();
    return interceptor;
}
}
/**
 * Creates the {@link FilterInvocationSecurityMetadataSource} to use. The
 * implementation is a {@link DefaultFilterInvocationSecurityMetadataSource} built
 * from the request map that {@code REGISTRY} produces.
 *
 * @param http the builder to use (not read by this implementation)
 * @return the metadata source backed by {@code REGISTRY.createRequestMap()}
 */
@Override
FilterInvocationSecurityMetadataSource createMetadataSource(H http) {
    FilterInvocationSecurityMetadataSource source =
            new DefaultFilterInvocationSecurityMetadataSource(REGISTRY.createRequestMap());
    return source;
}
/**
 * Wires the channel decision manager and the request-map-backed metadata source into
 * the channel filter, post-processes both, and adds the filter to the builder.
 *
 * @param http the builder being configured
 * @throws Exception declared by the overridden method
 */
@Override
public void configure(H http) throws Exception {
    ChannelDecisionManagerImpl rawDecisionManager = new ChannelDecisionManagerImpl();
    rawDecisionManager.setChannelProcessors(getChannelProcessors(http));
    // Post-processing may hand back a different instance, so its result is what gets wired in.
    ChannelDecisionManagerImpl decisionManager = postProcess(rawDecisionManager);
    channelFilter.setChannelDecisionManager(decisionManager);

    channelFilter.setSecurityMetadataSource(
            new DefaultFilterInvocationSecurityMetadataSource(requestMap));

    channelFilter = postProcess(channelFilter);
    http.addFilter(channelFilter);
}