List of usage examples for org.springframework.security.access AuthorizationServiceException AuthorizationServiceException
public AuthorizationServiceException(String msg)
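Constructs an AuthorizationServiceException with the specified message. The exception signals that an authorization request could not be processed because of a system problem, as opposed to an ordinary access denial. From source file: net.projectmonkey.spring.acl.util.reflect.MethodUtil.java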
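/**
 * Looks up a public method on {@code clazz} by name and parameter types.
 *
 * @param clazz the class to search
 * @param internalMethod the name of the method to look up
 * @param argTypes the parameter types of the method, in declaration order
 * @return the matching public method
 * @throws AuthorizationServiceException if {@code clazz} does not provide such a method
 */
public static Method getMethod(final Class<?> clazz, final String internalMethod, final Class<?>... argTypes) {
    try {
        return clazz.getMethod(internalMethod, argTypes);
    } catch (NoSuchMethodException nsme) {
        // Chain the reflective failure so the stack trace still shows which lookup failed;
        // the message alone does not include the argument types that were requested.
        throw new AuthorizationServiceException(
                "Object of class '" + clazz + "' does not provide the requested method: " + internalMethod, nsme);
    }
}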
From source file:net.projectmonkey.spring.acl.hbase.repository.AclRecord.java
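/**
 * Rebuilds an ACL identifier from its stored byte form.
 *
 * <p>The identifier class is resolved from {@code idTypeBytes}. A {@code byte[]} identifier is
 * returned as-is; any other class is decoded through {@code converter}, which must be declared
 * for exactly that class.
 *
 * @param idBytes the stored identifier bytes
 * @param idTypeBytes the stored bytes from which the identifier class is resolved
 * @param converter the converter used for non-{@code byte[]} identifiers; may be null
 * @return the decoded identifier, never null
 * @throws AuthorizationServiceException if the resolved class is not {@link Serializable}, no
 *         suitable converter is configured, the converter fails, or the result is null
 */
private Serializable createId(final byte[] idBytes, final byte[] idTypeBytes,
        final AclIdentifierConverter<?> converter) {
    // NOTE(review): resolveClass is not visible here. If it loads a class by a name read from
    // storage, confirm it only accepts the identifier types this repository expects.
    final Class<?> idClass = resolveClass(idTypeBytes);
    if (!Serializable.class.isAssignableFrom(idClass)) {
        throw new AuthorizationServiceException(idClass + " does not implement Serializable");
    }

    Serializable identifier;
    if (byte[].class.equals(idClass)) {
        identifier = idBytes;
    } else if (converter != null) {
        verifyConverterType(converter, idClass);
        try {
            identifier = converter.fromByteArray(idBytes);
        } catch (Exception e) {
            // Converters are pluggable, so any failure is wrapped with its cause preserved.
            throw new AuthorizationServiceException(
                    "An exception occurred instantiating " + idClass + " from id bytes", e);
        }
    } else {
        throw new AuthorizationServiceException("No converter configured for identifier class " + idClass);
    }

    if (identifier == null) {
        // Concatenating a byte[] prints only its type and identity hash, so render the
        // content explicitly to make the message usable for diagnosis.
        throw new AuthorizationServiceException("Null identifier returned for byte[] "
                + java.util.Arrays.toString(idBytes) + " and converter " + converter);
    }
    return identifier;
}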
From source file:it.reply.orchestrator.service.security.UserInfoIntrospectingTokenService.java
/**
 * Loads the user info record that belongs to an access token.
 *
 * <p>A {@code PendingOIDCAuthenticationToken} is assembled from the principal, the token's
 * issuer, the server configuration looked up for that issuer and the raw token string, and is
 * handed to {@code userInfoFetcher}.
 *
 * @param authentication the authentication whose principal names the user
 * @param jwtToken the parsed access token
 * @return the fetched user info, never null
 * @throws ParseException declared by the original signature; the throwing call is not visible here
 * @throws AuthorizationServiceException if the fetcher returns no user info
 */
private UserInfo getUserInfo(OAuth2Authentication authentication, JWT jwtToken) throws ParseException {
    final String tokenValue = jwtToken.getParsedString();
    // NOTE(review): the issuer is read from the token itself; confirm getServerConfiguration
    // only resolves issuers that are trusted by configuration.
    final String tokenIssuer = getIssuer(jwtToken);
    final ServerConfiguration issuerConfig = getServerConfiguration(tokenIssuer);
    final String principalName = authentication.getPrincipal().toString();

    final UserInfo fetched = userInfoFetcher.loadUserInfo(
            new PendingOIDCAuthenticationToken(principalName, tokenIssuer, issuerConfig, null, tokenValue, null));
    if (fetched != null) {
        return fetched;
    }
    // The message is deliberately generic: no token or issuer detail is included.
    throw new AuthorizationServiceException("Error retrieving user info");
}
From source file:net.projectmonkey.spring.acl.hbase.repository.AclRecord.java
/**
 * Ensures that a converter is declared for exactly the given identifier class.
 *
 * <p>The converter's type is taken from the first generic type argument that
 * {@code GenericTypeResolver} reports for {@code AclIdentifierConverter}; it must equal
 * {@code idClass}, so a converter declared for a supertype or subtype is rejected as well.
 *
 * @param converter the converter to check
 * @param idClass the identifier class the converter is about to decode
 * @throws AuthorizationServiceException if the converter's declared type differs from {@code idClass}
 */
private void verifyConverterType(final AclIdentifierConverter<?> converter, final Class<?> idClass) {
    final Class<?> handledType =
            GenericTypeResolver.getFirstGenericTypeFrom(converter, AclIdentifierConverter.class);
    if (idClass.equals(handledType)) {
        return;
    }
    throw new AuthorizationServiceException("Converter " + converter + " is not appropriate for " + idClass);
}
From source file:org.cloudifysource.rest.security.CustomPermissionEvaluator.java
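/**
 * Checks if the current user should be granted the requested permission on the target object.
 *
 * @param authDetails The CloudifyAuthorizationDetails object of the current user
 * @param targetDomainObject The target object the user is attempting to access; must be a String of
 *        authorization groups, or null, which is treated as an empty string
 * @param permission The permission requested on the target object (e.g. view, deploy); must be a
 *        non-blank String
 * @return boolean value - true if permission is granted, false otherwise.
 * @throws AuthorizationServiceException if the permission is missing, of the wrong type or not a
 *         supported name, or if the target object is not a String
 */
public boolean hasPermission(final CloudifyAuthorizationDetails authDetails, final Object targetDomainObject,
        final Object permission) {
    // NOTE(review): a blank SPRING_SECURITY_PROFILE grants every request, so an unset profile
    // behaves like the non-secure one, and contains() is a substring match. Confirm that this
    // fail-open default is intended.
    if (StringUtils.isBlank(SPRING_SECURITY_PROFILE)
            || SPRING_SECURITY_PROFILE.contains(CloudifyConstants.SPRING_PROFILE_NON_SECURE)) {
        // security is off
        return true;
    }

    if (logger.isLoggable(Level.FINE)) {
        logger.fine("Starting \"hasPermission\" for user: " + authDetails.getUsername());
        if (authDetails.getRoles() == null) {
            logger.fine("with roles: null,");
        } else {
            logger.fine("with roles: " + collectionToDelimitedString(authDetails.getRoles(), ","));
        }
        if (authDetails.getAuthGroups() == null) {
            logger.fine("and with authGroups: null");
        } else {
            logger.fine(
                    "and with authGroups: " + collectionToDelimitedString(authDetails.getAuthGroups(), ","));
        }
        // Plain concatenation renders null as "null". Calling toString() here used to throw a
        // NullPointerException before the validation below could run, so the outcome of the
        // check depended on the log level.
        logger.fine("requested permission: " + permission);
        logger.fine("on target authGroups: " + targetDomainObject);
    }

    if (permission != null && !(permission instanceof String)) {
        throw new AuthorizationServiceException("Failed to verify permissions, invalid permission object type: "
                + permission.getClass().getName());
    }

    final String permissionName = (String) permission;
    if (StringUtils.isBlank(permissionName)) {
        throw new AuthorizationServiceException("Failed to verify permissions, missing permission name");
    }

    if (!permissionName.equalsIgnoreCase(PERMISSION_TO_VIEW)
            && !permissionName.equalsIgnoreCase(PERMISSION_TO_DEPLOY)) {
        throw new AuthorizationServiceException("Unsupported permission name: " + permissionName
                + ". valid permission names are: " + PERMISSION_TO_VIEW + ", " + PERMISSION_TO_DEPLOY);
    }

    if (targetDomainObject != null && !(targetDomainObject instanceof String)) {
        throw new AuthorizationServiceException(
                "Failed to verify permissions, invalid authorization groups object" + " type: "
                        + targetDomainObject.getClass().getName());
    }

    // A null target is evaluated as an empty authorization-group string.
    final String targetAuthGroups = targetDomainObject == null ? "" : ((String) targetDomainObject).trim();

    // Both the role check and the authorization-group check must pass.
    return hasRequiredRoles(authDetails, permissionName)
            && hasAuthGroupAccess(authDetails, targetAuthGroups, permissionName);
}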
From source file:org.cloudifysource.security.CustomPermissionEvaluator.java
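/**
 * Checks if the current user should be granted the requested permission on the target object.
 *
 * @param authDetails The CloudifyAuthorizationDetails object of the current user
 * @param targetDomainObject The target object the user is attempting to access; must be a String of
 *        authorization groups, or null, which is treated as an empty string
 * @param permission The permission requested on the target object (e.g. view, deploy)
 * @return boolean value - true if permission is granted, false otherwise.
 * @throws IllegalArgumentException if {@code authDetails} or {@code permission} is null
 * @throws AuthorizationServiceException if the permission is of the wrong type, blank or not a
 *         supported name, or if the target object is not a String
 */
public boolean hasPermission(final CloudifyAuthorizationDetails authDetails, final Object targetDomainObject,
        final Object permission) throws IllegalArgumentException {
    // NOTE(review): a blank SPRING_SECURITY_PROFILE grants every request, so an unset profile
    // behaves like the non-secure one, and contains() is a substring match. Confirm that this
    // fail-open default is intended.
    if (StringUtils.isBlank(SPRING_SECURITY_PROFILE)
            || SPRING_SECURITY_PROFILE.contains(SecurityConstants.SPRING_PROFILE_NON_SECURE)) {
        // security is off
        return true;
    }

    if (authDetails == null) {
        throw new IllegalArgumentException("Null is not a valid value for CloudifyAuthorizationDetails");
    }
    if (permission == null) {
        throw new IllegalArgumentException("Null is not a valid value for permission");
    }

    if (logger.isLoggable(Level.FINE)) {
        logger.fine("Starting \"hasPermission\" for user: " + authDetails.getUsername());
        if (authDetails.getRoles() == null) {
            logger.fine("with roles: null,");
        } else {
            logger.fine("with roles: " + collectionToDelimitedString(authDetails.getRoles(), ","));
        }
        if (authDetails.getAuthGroups() == null) {
            logger.fine("and with authGroups: null");
        } else {
            logger.fine(
                    "and with authGroups: " + collectionToDelimitedString(authDetails.getAuthGroups(), ","));
        }
        logger.fine("requested permission: " + permission.toString());
        // The parentheses matter: without them '+' binds tighter than '==', the null test is
        // applied to the concatenated string (never null), and a null target throws a
        // NullPointerException whenever FINE logging is enabled.
        logger.fine("on target authGroups: "
                + (targetDomainObject == null ? "" : targetDomainObject.toString()));
    }

    if (!(permission instanceof String)) {
        throw new AuthorizationServiceException("Failed to verify permissions, invalid permission object type: "
                + permission.getClass().getName());
    }

    final String permissionName = (String) permission;
    if (StringUtils.isBlank(permissionName)) {
        throw new AuthorizationServiceException("Failed to verify permissions, missing permission name");
    }

    if (!permissionName.equalsIgnoreCase(PERMISSION_TO_VIEW)
            && !permissionName.equalsIgnoreCase(PERMISSION_TO_DEPLOY)) {
        throw new AuthorizationServiceException("Unsupported permission name: " + permissionName
                + ". valid permission names are: " + PERMISSION_TO_VIEW + ", " + PERMISSION_TO_DEPLOY);
    }

    if (targetDomainObject != null && !(targetDomainObject instanceof String)) {
        throw new AuthorizationServiceException(
                "Failed to verify permissions, invalid authorization groups object" + " type: "
                        + targetDomainObject.getClass().getName());
    }

    // A null target is evaluated as an empty authorization-group string.
    final String targetAuthGroups = targetDomainObject == null ? "" : ((String) targetDomainObject).trim();

    // Both the role check and the authorization-group check must pass.
    return hasRequiredRoles(authDetails, permissionName)
            && hasAuthGroupAccess(authDetails, targetAuthGroups, permissionName);
}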
From source file:org.springframework.security.acls.AclEntryVoter.java
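/**
 * Votes on a method invocation by checking the ACL of the domain object it carries.
 *
 * <p>Only the first supported configuration attribute is acted upon. The domain object is taken
 * from the invocation and, when {@code internalMethod} is set, replaced by the result of calling
 * that no-argument method on it. The vote is then derived from the ACL read for the principal's
 * SIDs.
 *
 * @param authentication the caller whose SIDs are checked
 * @param object the method invocation being secured
 * @param attributes the configuration attributes attached to the invocation
 * @return {@code ACCESS_GRANTED} if the required permission is granted, {@code ACCESS_DENIED} if
 *         no ACL applies or the permission is insufficient, {@code ACCESS_ABSTAIN} if no attribute
 *         is supported or no domain object is found
 * @throws AuthorizationServiceException if {@code internalMethod} cannot be found or invoked
 */
public int vote(Authentication authentication, MethodInvocation object, Collection<ConfigAttribute> attributes) {
    for (ConfigAttribute attr : attributes) {
        if (!this.supports(attr)) {
            continue;
        }

        // Need to make an access decision on this invocation
        // Attempt to locate the domain object instance to process
        Object domainObject = getDomainObjectInstance(object);

        // If domain object is null, vote to abstain
        if (domainObject == null) {
            if (logger.isDebugEnabled()) {
                logger.debug("Voting to abstain - domainObject is null");
            }
            return ACCESS_ABSTAIN;
        }

        // Evaluate if we are required to use an inner domain object
        if (StringUtils.hasText(internalMethod)) {
            // NOTE(review): the messages below embed domainObject's toString(); confirm they are
            // not surfaced to callers if domain objects can carry sensitive fields.
            try {
                Class<?> clazz = domainObject.getClass();
                Method method = clazz.getMethod(internalMethod);
                domainObject = method.invoke(domainObject);
            } catch (NoSuchMethodException nsme) {
                // The cause is chained on every path so the failure can be diagnosed without
                // debug logging being enabled.
                throw new AuthorizationServiceException("Object of class '" + domainObject.getClass()
                        + "' does not provide the requested internalMethod: " + internalMethod, nsme);
            } catch (IllegalAccessException iae) {
                logger.debug("IllegalAccessException", iae);
                throw new AuthorizationServiceException(
                        "Problem invoking internalMethod: " + internalMethod + " for object: " + domainObject,
                        iae);
            } catch (InvocationTargetException ite) {
                logger.debug("InvocationTargetException", ite);
                throw new AuthorizationServiceException(
                        "Problem invoking internalMethod: " + internalMethod + " for object: " + domainObject,
                        ite);
            }
        }

        // Obtain the OID applicable to the domain object
        ObjectIdentity objectIdentity = objectIdentityRetrievalStrategy.getObjectIdentity(domainObject);

        // Obtain the SIDs applicable to the principal
        List<Sid> sids = sidRetrievalStrategy.getSids(authentication);

        Acl acl;
        try {
            // Lookup only ACLs for SIDs we're interested in
            acl = aclService.readAclById(objectIdentity, sids);
        } catch (NotFoundException nfe) {
            // A missing ACL is a deny, not an abstain.
            if (logger.isDebugEnabled()) {
                logger.debug("Voting to deny access - no ACLs apply for this principal");
            }
            return ACCESS_DENIED;
        }

        try {
            if (acl.isGranted(requirePermission, sids, false)) {
                if (logger.isDebugEnabled()) {
                    logger.debug("Voting to grant access");
                }
                return ACCESS_GRANTED;
            }
            if (logger.isDebugEnabled()) {
                logger.debug(
                        "Voting to deny access - ACLs returned, but insufficient permissions for this principal");
            }
            return ACCESS_DENIED;
        } catch (NotFoundException nfe) {
            if (logger.isDebugEnabled()) {
                logger.debug("Voting to deny access - no ACLs apply for this principal");
            }
            return ACCESS_DENIED;
        }
    }

    // No configuration attribute matched, so abstain
    return ACCESS_ABSTAIN;
}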
From source file:org.springframework.security.acls.afterinvocation.AclEntryAfterInvocationCollectionFilteringProvider.java
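/**
 * Removes from a returned collection or array every element the principal may not access.
 *
 * <p>Only the first supported configuration attribute is acted upon. Elements that are null or
 * not instances of the configured domain object class are left in place without a permission
 * check.
 *
 * @param authentication the caller whose permissions are checked
 * @param object the secured object (not used here)
 * @param config the configuration attributes attached to the invocation
 * @param returnedObject the value returned by the secured invocation; a Collection, an object
 *        array or null
 * @return the filtered collection or array, null if {@code returnedObject} is null, or
 *         {@code returnedObject} unchanged if no attribute is supported
 * @throws AuthorizationServiceException if {@code returnedObject} is neither a Collection nor an
 *         object array
 */
@SuppressWarnings("unchecked")
public Object decide(Authentication authentication, Object object, Collection<ConfigAttribute> config,
        Object returnedObject) throws AccessDeniedException {
    if (returnedObject == null) {
        logger.debug("Return object is null, skipping");
        return null;
    }

    for (ConfigAttribute attr : config) {
        if (!this.supports(attr)) {
            continue;
        }

        // Need to process the Collection for this invocation
        Filterer filterer;
        if (returnedObject instanceof Collection) {
            filterer = new CollectionFilterer((Collection) returnedObject);
        } else if (returnedObject instanceof Object[]) {
            // instanceof Object[] rather than isArray(): a primitive array such as int[] is an
            // array but cannot be cast to Object[], so it now takes the documented error path
            // below instead of failing with a ClassCastException.
            filterer = new ArrayFilterer((Object[]) returnedObject);
        } else {
            throw new AuthorizationServiceException("A Collection or an array (or null) was required as the "
                    + "returnedObject, but the returnedObject was: " + returnedObject);
        }

        // Locate unauthorised Collection elements
        for (Object domainObject : filterer) {
            // Ignore nulls or entries which aren't instances of the configured domain
            // object class
            if (domainObject == null
                    || !getProcessDomainObjectClass().isAssignableFrom(domainObject.getClass())) {
                continue;
            }

            if (!hasPermission(authentication, domainObject)) {
                filterer.remove(domainObject);

                if (logger.isDebugEnabled()) {
                    logger.debug("Principal is NOT authorised for element: " + domainObject);
                }
            }
        }

        return filterer.getFilteredObject();
    }

    return returnedObject;
}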
From source file:ubic.gemma.security.authorization.acl.AclAfterInvocationMapFilteringProvider.java
/**
 * Filters a returned map so that only entries the principal may access remain.
 *
 * <p>Only the first supported configuration attribute is acted upon. An entry is marked for
 * removal when its key is a {@code Securable} the principal lacks permission on, or when its
 * value is. Null keys are never marked for removal.
 *
 * @param authentication the caller whose permissions are checked
 * @param object the secured object (not used here)
 * @param config the configuration attributes attached to the invocation
 * @param returnedObject the value returned by the secured invocation; a Map or null
 * @return the filtered map, null if {@code returnedObject} is null, or {@code returnedObject}
 *         unchanged if no attribute is supported
 * @throws AuthorizationServiceException if {@code returnedObject} is not a Map
 */
@Override
@SuppressWarnings("unchecked")
public Object decide(Authentication authentication, Object object, Collection<ConfigAttribute> config,
        Object returnedObject) throws AccessDeniedException {
    for (final ConfigAttribute attr : config) {
        if (!this.supports(attr)) {
            continue;
        }

        // Need to process the Collection for this invocation
        if (returnedObject == null) {
            if (logger.isDebugEnabled()) {
                logger.debug("Return object is null, skipping");
            }
            return null;
        }

        if (!(returnedObject instanceof Map)) {
            throw new AuthorizationServiceException(
                    "A Map was required as the " + "returnedObject, but the returnedObject was: " + returnedObject);
        }
        final Map<? extends Object, Object> map = (Map<? extends Object, Object>) returnedObject;
        final Filterer<Object> filterer = new MapFilterer<Object>((Map<Object, Object>) map);

        // Locate unauthorised entries
        final Iterator<Object> entries = filterer.iterator();
        while (entries.hasNext()) {
            final Object key = entries.next();
            if (key == null) {
                continue;
            }

            // A key that is not Securable is acceptable; a Securable key needs explicit permission.
            boolean allowed = !(key instanceof Securable) || hasPermission(authentication, key);

            // The value is checked as well, and it is checked even when the key was already refused.
            final Object value = map.get(key);
            if (value instanceof Securable) {
                allowed = hasPermission(authentication, value) && allowed;
            }

            if (!allowed) {
                filterer.remove(key);
                if (logger.isDebugEnabled()) {
                    logger.debug("Principal is NOT authorised for element: " + key);
                }
            }
        }

        return filterer.getFilteredObject();
    }

    return returnedObject;
}
From source file:ubic.gemma.security.authorization.acl.AclAfterInvocationMapValueFilteringProvider.java
/**
 * Filters a returned map, dropping the elements the principal may not access.
 *
 * <p>Only the first supported configuration attribute is acted upon. Every element produced by
 * the filterer's iterator is kept unless it is a {@code Securable} the principal lacks
 * permission on.
 *
 * @param authentication the caller whose permissions are checked
 * @param object the secured object (not used here)
 * @param config the configuration attributes attached to the invocation
 * @param returnedObject the value returned by the secured invocation; a Map or null
 * @return the filtered map, null if {@code returnedObject} is null, or {@code returnedObject}
 *         unchanged if no attribute is supported
 * @throws AuthorizationServiceException if {@code returnedObject} is not a Map
 */
@Override
@SuppressWarnings("unchecked")
public Object decide(Authentication authentication, Object object, Collection<ConfigAttribute> config,
        Object returnedObject) throws AccessDeniedException {
    for (final ConfigAttribute attr : config) {
        if (!this.supports(attr)) {
            continue;
        }

        // Need to process the Collection for this invocation
        if (returnedObject == null) {
            if (logger.isDebugEnabled()) {
                logger.debug("Return object is null, skipping");
            }
            return null;
        }

        if (!(returnedObject instanceof Map)) {
            throw new AuthorizationServiceException(
                    "A Map was required as the " + "returnedObject, but the returnedObject was: " + returnedObject);
        }
        final Map<? extends Object, Object> map = (Map<? extends Object, Object>) returnedObject;
        // NOTE(review): the "from source file" label names a map-value filtering provider, but
        // what MapFilterer's iterator yields (keys or values) is not visible here; confirm that
        // the elements checked below are the ones meant to be secured.
        final Filterer<Object> filterer = new MapFilterer<Object>((Map<Object, Object>) map);

        // Locate unauthorised elements
        final Iterator<Object> elements = filterer.iterator();
        while (elements.hasNext()) {
            final Object candidate = elements.next();

            // Null and non-Securable elements pass without a permission check.
            final boolean allowed = !(candidate instanceof Securable) || hasPermission(authentication, candidate);
            if (allowed) {
                continue;
            }

            filterer.remove(candidate);
            if (logger.isDebugEnabled()) {
                logger.debug("Principal is NOT authorised for element: " + candidate);
            }
        }

        return filterer.getFilteredObject();
    }

    return returnedObject;
}