|
|
|
@ -19,9 +19,8 @@ package org.springframework.security.config.annotation.web.configurers; |
|
|
|
import java.io.IOException; |
|
|
|
import java.io.IOException; |
|
|
|
import java.util.Collection; |
|
|
|
import java.util.Collection; |
|
|
|
import java.util.LinkedHashMap; |
|
|
|
import java.util.LinkedHashMap; |
|
|
|
|
|
|
|
import java.util.List; |
|
|
|
import java.util.Map; |
|
|
|
import java.util.Map; |
|
|
|
import java.util.function.Function; |
|
|
|
|
|
|
|
import java.util.stream.Collectors; |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
import jakarta.servlet.ServletException; |
|
|
|
import jakarta.servlet.ServletException; |
|
|
|
import jakarta.servlet.http.HttpServletRequest; |
|
|
|
import jakarta.servlet.http.HttpServletRequest; |
|
|
|
@ -35,29 +34,22 @@ import org.springframework.security.authorization.AuthorizationDeniedException; |
|
|
|
import org.springframework.security.config.Customizer; |
|
|
|
import org.springframework.security.config.Customizer; |
|
|
|
import org.springframework.security.config.annotation.web.HttpSecurityBuilder; |
|
|
|
import org.springframework.security.config.annotation.web.HttpSecurityBuilder; |
|
|
|
import org.springframework.security.config.annotation.web.builders.HttpSecurity; |
|
|
|
import org.springframework.security.config.annotation.web.builders.HttpSecurity; |
|
|
|
import org.springframework.security.core.Authentication; |
|
|
|
|
|
|
|
import org.springframework.security.core.AuthenticationException; |
|
|
|
import org.springframework.security.core.AuthenticationException; |
|
|
|
import org.springframework.security.core.GrantedAuthority; |
|
|
|
import org.springframework.security.core.GrantedAuthority; |
|
|
|
import org.springframework.security.core.context.SecurityContextHolder; |
|
|
|
|
|
|
|
import org.springframework.security.core.context.SecurityContextHolderStrategy; |
|
|
|
|
|
|
|
import org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationEntryPoint; |
|
|
|
|
|
|
|
import org.springframework.security.web.AuthenticationEntryPoint; |
|
|
|
import org.springframework.security.web.AuthenticationEntryPoint; |
|
|
|
import org.springframework.security.web.FormPostRedirectStrategy; |
|
|
|
|
|
|
|
import org.springframework.security.web.RedirectStrategy; |
|
|
|
|
|
|
|
import org.springframework.security.web.access.AccessDeniedHandler; |
|
|
|
import org.springframework.security.web.access.AccessDeniedHandler; |
|
|
|
import org.springframework.security.web.access.AccessDeniedHandlerImpl; |
|
|
|
import org.springframework.security.web.access.AccessDeniedHandlerImpl; |
|
|
|
import org.springframework.security.web.access.ExceptionTranslationFilter; |
|
|
|
import org.springframework.security.web.access.ExceptionTranslationFilter; |
|
|
|
import org.springframework.security.web.access.RequestMatcherDelegatingAccessDeniedHandler; |
|
|
|
import org.springframework.security.web.access.RequestMatcherDelegatingAccessDeniedHandler; |
|
|
|
import org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint; |
|
|
|
import org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint; |
|
|
|
import org.springframework.security.web.authentication.Http403ForbiddenEntryPoint; |
|
|
|
import org.springframework.security.web.authentication.Http403ForbiddenEntryPoint; |
|
|
|
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint; |
|
|
|
|
|
|
|
import org.springframework.security.web.authentication.ott.GenerateOneTimeTokenFilter; |
|
|
|
|
|
|
|
import org.springframework.security.web.csrf.CsrfToken; |
|
|
|
|
|
|
|
import org.springframework.security.web.savedrequest.HttpSessionRequestCache; |
|
|
|
import org.springframework.security.web.savedrequest.HttpSessionRequestCache; |
|
|
|
|
|
|
|
import org.springframework.security.web.savedrequest.NullRequestCache; |
|
|
|
import org.springframework.security.web.savedrequest.RequestCache; |
|
|
|
import org.springframework.security.web.savedrequest.RequestCache; |
|
|
|
|
|
|
|
import org.springframework.security.web.util.ThrowableAnalyzer; |
|
|
|
|
|
|
|
import org.springframework.security.web.util.matcher.AnyRequestMatcher; |
|
|
|
import org.springframework.security.web.util.matcher.RequestMatcher; |
|
|
|
import org.springframework.security.web.util.matcher.RequestMatcher; |
|
|
|
import org.springframework.util.Assert; |
|
|
|
import org.springframework.util.Assert; |
|
|
|
import org.springframework.web.util.UriComponentsBuilder; |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/** |
|
|
|
/** |
|
|
|
* Adds exception handling for Spring Security related exceptions to an application. All |
|
|
|
* Adds exception handling for Spring Security related exceptions to an application. All |
|
|
|
@ -102,6 +94,8 @@ public final class ExceptionHandlingConfigurer<H extends HttpSecurityBuilder<H>> |
|
|
|
|
|
|
|
|
|
|
|
private LinkedHashMap<RequestMatcher, AccessDeniedHandler> defaultDeniedHandlerMappings = new LinkedHashMap<>(); |
|
|
|
private LinkedHashMap<RequestMatcher, AccessDeniedHandler> defaultDeniedHandlerMappings = new LinkedHashMap<>(); |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
private Map<String, LinkedHashMap<RequestMatcher, AuthenticationEntryPoint>> entryPoints = new LinkedHashMap<>(); |
|
|
|
|
|
|
|
|
|
|
|
/** |
|
|
|
/** |
|
|
|
* Creates a new instance |
|
|
|
* Creates a new instance |
|
|
|
* @see HttpSecurity#exceptionHandling(Customizer) |
|
|
|
* @see HttpSecurity#exceptionHandling(Customizer) |
|
|
|
@ -195,6 +189,26 @@ public final class ExceptionHandlingConfigurer<H extends HttpSecurityBuilder<H>> |
|
|
|
return this; |
|
|
|
return this; |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
public ExceptionHandlingConfigurer<H> defaultAuthenticationEntryPointFor(AuthenticationEntryPoint entryPoint, |
|
|
|
|
|
|
|
RequestMatcher preferredMatcher, String authority) { |
|
|
|
|
|
|
|
this.defaultEntryPointMappings.put(preferredMatcher, entryPoint); |
|
|
|
|
|
|
|
LinkedHashMap<RequestMatcher, AuthenticationEntryPoint> byMatcher = this.entryPoints.get(authority); |
|
|
|
|
|
|
|
if (byMatcher == null) { |
|
|
|
|
|
|
|
byMatcher = new LinkedHashMap<>(); |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
byMatcher.put(preferredMatcher, entryPoint); |
|
|
|
|
|
|
|
this.entryPoints.put(authority, byMatcher); |
|
|
|
|
|
|
|
return this; |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
public ExceptionHandlingConfigurer<H> defaultAuthenticationEntryPointFor(AuthenticationEntryPoint entryPoint, |
|
|
|
|
|
|
|
String authority) { |
|
|
|
|
|
|
|
LinkedHashMap<RequestMatcher, AuthenticationEntryPoint> byMatcher = new LinkedHashMap<>(); |
|
|
|
|
|
|
|
byMatcher.put(AnyRequestMatcher.INSTANCE, entryPoint); |
|
|
|
|
|
|
|
this.entryPoints.put(authority, byMatcher); |
|
|
|
|
|
|
|
return this; |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
/** |
|
|
|
/** |
|
|
|
* Gets any explicitly configured {@link AuthenticationEntryPoint} |
|
|
|
* Gets any explicitly configured {@link AuthenticationEntryPoint} |
|
|
|
* @return |
|
|
|
* @return |
|
|
|
@ -254,21 +268,60 @@ public final class ExceptionHandlingConfigurer<H extends HttpSecurityBuilder<H>> |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
private AccessDeniedHandler createDefaultDeniedHandler(H http) { |
|
|
|
private AccessDeniedHandler createDefaultDeniedHandler(H http) { |
|
|
|
|
|
|
|
AccessDeniedHandler defaults = createDefaultAccessDeniedHandler(http); |
|
|
|
|
|
|
|
if (this.entryPoints.isEmpty()) { |
|
|
|
|
|
|
|
return defaults; |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
Map<String, AccessDeniedHandler> deniedHandlers = new LinkedHashMap<>(); |
|
|
|
|
|
|
|
for (Map.Entry<String, LinkedHashMap<RequestMatcher, AuthenticationEntryPoint>> entry : this.entryPoints |
|
|
|
|
|
|
|
.entrySet()) { |
|
|
|
|
|
|
|
AuthenticationEntryPoint entryPoint = entryPointFrom(entry.getValue()); |
|
|
|
|
|
|
|
AuthenticationEntryPointAccessDeniedHandlerAdapter deniedHandler = new AuthenticationEntryPointAccessDeniedHandlerAdapter( |
|
|
|
|
|
|
|
entryPoint); |
|
|
|
|
|
|
|
RequestCache requestCache = http.getSharedObject(RequestCache.class); |
|
|
|
|
|
|
|
if (requestCache != null) { |
|
|
|
|
|
|
|
deniedHandler.setRequestCache(requestCache); |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
deniedHandlers.put(entry.getKey(), deniedHandler); |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
return new AuthenticationFactorDelegatingAccessDeniedHandler(deniedHandlers, defaults); |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
private AccessDeniedHandler createDefaultAccessDeniedHandler(H http) { |
|
|
|
if (this.defaultDeniedHandlerMappings.isEmpty()) { |
|
|
|
if (this.defaultDeniedHandlerMappings.isEmpty()) { |
|
|
|
return new AuthenticationFactorDelegatingAccessDeniedHandler(); |
|
|
|
return new AccessDeniedHandlerImpl(); |
|
|
|
} |
|
|
|
} |
|
|
|
if (this.defaultDeniedHandlerMappings.size() == 1) { |
|
|
|
if (this.defaultDeniedHandlerMappings.size() == 1) { |
|
|
|
return this.defaultDeniedHandlerMappings.values().iterator().next(); |
|
|
|
return this.defaultDeniedHandlerMappings.values().iterator().next(); |
|
|
|
} |
|
|
|
} |
|
|
|
return new RequestMatcherDelegatingAccessDeniedHandler(this.defaultDeniedHandlerMappings, |
|
|
|
return new RequestMatcherDelegatingAccessDeniedHandler(this.defaultDeniedHandlerMappings, |
|
|
|
new AuthenticationFactorDelegatingAccessDeniedHandler()); |
|
|
|
new AccessDeniedHandlerImpl()); |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
private AuthenticationEntryPoint createDefaultEntryPoint(H http) { |
|
|
|
private AuthenticationEntryPoint createDefaultEntryPoint(H http) { |
|
|
|
if (this.defaultEntryPoint == null) { |
|
|
|
AuthenticationEntryPoint defaults = entryPointFrom(this.defaultEntryPointMappings); |
|
|
|
|
|
|
|
if (this.entryPoints.isEmpty()) { |
|
|
|
|
|
|
|
return defaults; |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
Map<String, AuthenticationEntryPoint> entryPoints = new LinkedHashMap<>(); |
|
|
|
|
|
|
|
for (Map.Entry<String, LinkedHashMap<RequestMatcher, AuthenticationEntryPoint>> entry : this.entryPoints |
|
|
|
|
|
|
|
.entrySet()) { |
|
|
|
|
|
|
|
entryPoints.put(entry.getKey(), entryPointFrom(entry.getValue())); |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
return new AuthenticationFactorDelegatingAuthenticationEntryPoint(entryPoints, defaults); |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
private AuthenticationEntryPoint entryPointFrom( |
|
|
|
|
|
|
|
LinkedHashMap<RequestMatcher, AuthenticationEntryPoint> entryPoints) { |
|
|
|
|
|
|
|
if (entryPoints.isEmpty()) { |
|
|
|
return new Http403ForbiddenEntryPoint(); |
|
|
|
return new Http403ForbiddenEntryPoint(); |
|
|
|
} |
|
|
|
} |
|
|
|
return this.defaultEntryPoint.build(); |
|
|
|
if (entryPoints.size() == 1) { |
|
|
|
|
|
|
|
return entryPoints.values().iterator().next(); |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
DelegatingAuthenticationEntryPoint entryPoint = new DelegatingAuthenticationEntryPoint(entryPoints); |
|
|
|
|
|
|
|
entryPoint.setDefaultEntryPoint(entryPoints.values().iterator().next()); |
|
|
|
|
|
|
|
return entryPoint; |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
/** |
|
|
|
/** |
|
|
|
@ -287,94 +340,126 @@ public final class ExceptionHandlingConfigurer<H extends HttpSecurityBuilder<H>> |
|
|
|
return new HttpSessionRequestCache(); |
|
|
|
return new HttpSessionRequestCache(); |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
private static final class AuthenticationFactorDelegatingAccessDeniedHandler implements AccessDeniedHandler { |
|
|
|
private static final class AuthenticationFactorDelegatingAuthenticationEntryPoint |
|
|
|
|
|
|
|
implements AuthenticationEntryPoint { |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
private final ThrowableAnalyzer throwableAnalyzer = new ThrowableAnalyzer(); |
|
|
|
|
|
|
|
|
|
|
|
private final Map<String, AuthenticationEntryPoint> entryPoints = Map.of("FACTOR_PASSWORD", |
|
|
|
private final Map<String, AuthenticationEntryPoint> entryPoints; |
|
|
|
new LoginUrlAuthenticationEntryPoint("/login"), "FACTOR_AUTHORIZATION_CODE", |
|
|
|
|
|
|
|
new LoginUrlAuthenticationEntryPoint("/login"), "FACTOR_SAML_RESPONSE", |
|
|
|
|
|
|
|
new LoginUrlAuthenticationEntryPoint("/login"), "FACTOR_WEBAUTHN", |
|
|
|
|
|
|
|
new LoginUrlAuthenticationEntryPoint("/login"), "FACTOR_BEARER", |
|
|
|
|
|
|
|
new BearerTokenAuthenticationEntryPoint(), "FACTOR_OTT", |
|
|
|
|
|
|
|
new PostAuthenticationEntryPoint(GenerateOneTimeTokenFilter.DEFAULT_GENERATE_URL + "?username={u}", |
|
|
|
|
|
|
|
Map.of("u", Authentication::getName))); |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
private final AccessDeniedHandler defaults = new AccessDeniedHandlerImpl(); |
|
|
|
private final AuthenticationEntryPoint defaults; |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
private AuthenticationFactorDelegatingAuthenticationEntryPoint( |
|
|
|
|
|
|
|
Map<String, AuthenticationEntryPoint> entryPoints, AuthenticationEntryPoint defaults) { |
|
|
|
|
|
|
|
this.entryPoints = new LinkedHashMap<>(entryPoints); |
|
|
|
|
|
|
|
this.defaults = defaults; |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
@Override |
|
|
|
@Override |
|
|
|
public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException ex) |
|
|
|
public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException ex) |
|
|
|
throws IOException, ServletException { |
|
|
|
throws IOException, ServletException { |
|
|
|
Collection<String> needed = authorizationRequest(ex); |
|
|
|
Collection<GrantedAuthority> authorization = authorizationRequest(ex); |
|
|
|
if (needed == null) { |
|
|
|
entryPoint(authorization).commence(request, response, ex); |
|
|
|
this.defaults.handle(request, response, ex); |
|
|
|
} |
|
|
|
return; |
|
|
|
|
|
|
|
|
|
|
|
private AuthenticationEntryPoint entryPoint(Collection<GrantedAuthority> authorities) { |
|
|
|
|
|
|
|
if (authorities == null) { |
|
|
|
|
|
|
|
return this.defaults; |
|
|
|
} |
|
|
|
} |
|
|
|
for (String authority : needed) { |
|
|
|
for (GrantedAuthority needed : authorities) { |
|
|
|
AuthenticationEntryPoint entryPoint = this.entryPoints.get(authority); |
|
|
|
AuthenticationEntryPoint entryPoint = this.entryPoints.get(needed.getAuthority()); |
|
|
|
if (entryPoint != null) { |
|
|
|
if (entryPoint != null) { |
|
|
|
AuthenticationException insufficient = new InsufficientAuthenticationException(ex.getMessage(), ex); |
|
|
|
return entryPoint; |
|
|
|
entryPoint.commence(request, response, insufficient); |
|
|
|
|
|
|
|
return; |
|
|
|
|
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
this.defaults.handle(request, response, ex); |
|
|
|
return this.defaults; |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
private Collection<String> authorizationRequest(AccessDeniedException access) { |
|
|
|
private Collection<GrantedAuthority> authorizationRequest(Exception ex) { |
|
|
|
if (!(access instanceof AuthorizationDeniedException denied)) { |
|
|
|
Throwable[] chain = this.throwableAnalyzer.determineCauseChain(ex); |
|
|
|
return null; |
|
|
|
AuthorizationDeniedException denied = (AuthorizationDeniedException) this.throwableAnalyzer |
|
|
|
|
|
|
|
.getFirstThrowableOfType(AuthorizationDeniedException.class, chain); |
|
|
|
|
|
|
|
if (denied == null) { |
|
|
|
|
|
|
|
return List.of(); |
|
|
|
} |
|
|
|
} |
|
|
|
if (!(denied.getAuthorizationResult() instanceof AuthorityAuthorizationDecision decision)) { |
|
|
|
if (!(denied.getAuthorizationResult() instanceof AuthorityAuthorizationDecision authorization)) { |
|
|
|
return null; |
|
|
|
return List.of(); |
|
|
|
} |
|
|
|
} |
|
|
|
return decision.getAuthorities().stream().map(GrantedAuthority::getAuthority).toList(); |
|
|
|
return authorization.getAuthorities(); |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
private static final class PostAuthenticationEntryPoint implements AuthenticationEntryPoint { |
|
|
|
private static final class AuthenticationEntryPointAccessDeniedHandlerAdapter implements AccessDeniedHandler { |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
private final AuthenticationEntryPoint entryPoint; |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
private RequestCache requestCache = new NullRequestCache(); |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
private AuthenticationEntryPointAccessDeniedHandlerAdapter(AuthenticationEntryPoint entryPoint) { |
|
|
|
|
|
|
|
this.entryPoint = entryPoint; |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
void setRequestCache(RequestCache requestCache) { |
|
|
|
|
|
|
|
Assert.notNull(requestCache, "requestCache cannot be null"); |
|
|
|
|
|
|
|
this.requestCache = requestCache; |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@Override |
|
|
|
|
|
|
|
public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException denied) |
|
|
|
|
|
|
|
throws IOException, ServletException { |
|
|
|
|
|
|
|
AuthenticationException ex = new InsufficientAuthenticationException("access denied", denied); |
|
|
|
|
|
|
|
this.requestCache.saveRequest(request, response); |
|
|
|
|
|
|
|
this.entryPoint.commence(request, response, ex); |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
private final String entryPointUri; |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
private static final class AuthenticationFactorDelegatingAccessDeniedHandler implements AccessDeniedHandler { |
|
|
|
|
|
|
|
|
|
|
|
private final Map<String, Function<Authentication, String>> params; |
|
|
|
private final ThrowableAnalyzer throwableAnalyzer = new ThrowableAnalyzer(); |
|
|
|
|
|
|
|
|
|
|
|
private SecurityContextHolderStrategy securityContextHolderStrategy = SecurityContextHolder |
|
|
|
private final Map<String, AccessDeniedHandler> deniedHandlers; |
|
|
|
.getContextHolderStrategy(); |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
private RedirectStrategy redirectStrategy = new FormPostRedirectStrategy(); |
|
|
|
private final AccessDeniedHandler defaults; |
|
|
|
|
|
|
|
|
|
|
|
private PostAuthenticationEntryPoint(String entryPointUri, |
|
|
|
private AuthenticationFactorDelegatingAccessDeniedHandler(Map<String, AccessDeniedHandler> deniedHandlers, |
|
|
|
Map<String, Function<Authentication, String>> params) { |
|
|
|
AccessDeniedHandler defaults) { |
|
|
|
this.entryPointUri = entryPointUri; |
|
|
|
this.deniedHandlers = new LinkedHashMap<>(deniedHandlers); |
|
|
|
this.params = params; |
|
|
|
this.defaults = defaults; |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
@Override |
|
|
|
@Override |
|
|
|
public void commence(HttpServletRequest request, HttpServletResponse response, |
|
|
|
public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException ex) |
|
|
|
AuthenticationException authException) throws IOException, ServletException { |
|
|
|
throws IOException, ServletException { |
|
|
|
Authentication authentication = getAuthentication(authException); |
|
|
|
Collection<GrantedAuthority> authorization = authorizationRequest(ex); |
|
|
|
Assert.notNull(authentication, "could not find authentication in order to perform post"); |
|
|
|
deniedHandler(authorization).handle(request, response, ex); |
|
|
|
Map<String, String> params = this.params.entrySet() |
|
|
|
} |
|
|
|
.stream() |
|
|
|
|
|
|
|
.collect(Collectors.toMap(Map.Entry::getKey, (entry) -> entry.getValue().apply(authentication))); |
|
|
|
private AccessDeniedHandler deniedHandler(Collection<GrantedAuthority> authorities) { |
|
|
|
UriComponentsBuilder builder = UriComponentsBuilder.fromUriString(this.entryPointUri); |
|
|
|
if (authorities == null) { |
|
|
|
CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName()); |
|
|
|
return this.defaults; |
|
|
|
if (csrf != null) { |
|
|
|
} |
|
|
|
builder.queryParam(csrf.getParameterName(), csrf.getToken()); |
|
|
|
for (GrantedAuthority needed : authorities) { |
|
|
|
|
|
|
|
AccessDeniedHandler deniedHandler = this.deniedHandlers.get(needed.getAuthority()); |
|
|
|
|
|
|
|
if (deniedHandler != null) { |
|
|
|
|
|
|
|
return deniedHandler; |
|
|
|
|
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
String entryPointUrl = builder.build(false).expand(params).toUriString(); |
|
|
|
return this.defaults; |
|
|
|
this.redirectStrategy.sendRedirect(request, response, entryPointUrl); |
|
|
|
|
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
private Authentication getAuthentication(AuthenticationException authException) { |
|
|
|
private Collection<GrantedAuthority> authorizationRequest(Exception ex) { |
|
|
|
Authentication authentication = authException.getAuthenticationRequest(); |
|
|
|
Throwable[] chain = this.throwableAnalyzer.determineCauseChain(ex); |
|
|
|
if (authentication != null && authentication.isAuthenticated()) { |
|
|
|
AuthorizationDeniedException denied = (AuthorizationDeniedException) this.throwableAnalyzer |
|
|
|
return authentication; |
|
|
|
.getFirstThrowableOfType(AuthorizationDeniedException.class, chain); |
|
|
|
|
|
|
|
if (denied == null) { |
|
|
|
|
|
|
|
return List.of(); |
|
|
|
} |
|
|
|
} |
|
|
|
authentication = this.securityContextHolderStrategy.getContext().getAuthentication(); |
|
|
|
if (!(denied.getAuthorizationResult() instanceof AuthorityAuthorizationDecision authorization)) { |
|
|
|
if (authentication != null && authentication.isAuthenticated()) { |
|
|
|
return List.of(); |
|
|
|
return authentication; |
|
|
|
|
|
|
|
} |
|
|
|
} |
|
|
|
return null; |
|
|
|
return authorization.getAuthorities(); |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
} |
|
|
|
} |
|
|
|
|
Josh Cummings
4 months ago