GitHub-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Use AuthoritiesAuthorizationManager in Jsr250AuthorizationManager 

Closes gh-12782
pull/13418/head
kandaguru17 3 years ago committed by Josh Cummings
parent
208fb62db9
commit
fa2bc745f7
2 changed files with 82 additions and 8 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 34
      core/src/main/java/org/springframework/security/authorization/method/Jsr250AuthorizationManager.java
  2. 56
      core/src/test/java/org/springframework/security/authorization/method/Jsr250AuthorizationManagerTests.java

34
core/src/main/java/org/springframework/security/authorization/method/Jsr250AuthorizationManager.java
Unescape View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2021 the original author or authors. * Copyright 2002-2023 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -18,6 +18,7 @@ package org.springframework.security.authorization.method;
import java.lang.annotation.Annotation; import java.lang.annotation.Annotation;
import java.lang.reflect.Method; import java.lang.reflect.Method;
import java.util.Collection;
import java.util.HashSet; import java.util.HashSet;
import java.util.Set; import java.util.Set;
import java.util.function.Supplier; import java.util.function.Supplier;
@ -30,7 +31,7 @@ import org.aopalliance.intercept.MethodInvocation;
import org.springframework.aop.support.AopUtils; import org.springframework.aop.support.AopUtils;
import org.springframework.core.annotation.AnnotationConfigurationException; import org.springframework.core.annotation.AnnotationConfigurationException;
import org.springframework.lang.NonNull; import org.springframework.lang.NonNull;
import org.springframework.security.authorization.AuthorityAuthorizationManager; import org.springframework.security.authorization.AuthoritiesAuthorizationManager;
import org.springframework.security.authorization.AuthorizationDecision; import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager; import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.core.Authentication; import org.springframework.security.core.Authentication;
@ -57,8 +58,23 @@ public final class Jsr250AuthorizationManager implements AuthorizationManager<Me
private final Jsr250AuthorizationManagerRegistry registry = new Jsr250AuthorizationManagerRegistry(); private final Jsr250AuthorizationManagerRegistry registry = new Jsr250AuthorizationManagerRegistry();
private AuthorizationManager<Collection<String>> authoritiesAuthorizationManager = new AuthoritiesAuthorizationManager();
private String rolePrefix = "ROLE_"; private String rolePrefix = "ROLE_";
/**
* Sets an {@link AuthorizationManager} that accepts a collection of authority
* strings.
* @param authoritiesAuthorizationManager the {@link AuthorizationManager} that
* accepts a collection of authority strings to use
* @since 6.1
*/
public void setAuthoritiesAuthorizationManager(
AuthorizationManager<Collection<String>> authoritiesAuthorizationManager) {
Assert.notNull(authoritiesAuthorizationManager, "authoritiesAuthorizationManager cannot be null");
this.authoritiesAuthorizationManager = authoritiesAuthorizationManager;
}
/** /**
* Sets the role prefix. Defaults to "ROLE_". * Sets the role prefix. Defaults to "ROLE_".
* @param rolePrefix the role prefix to use * @param rolePrefix the role prefix to use
@ -95,10 +111,8 @@ public final class Jsr250AuthorizationManager implements AuthorizationManager<Me
if (annotation instanceof PermitAll) { if (annotation instanceof PermitAll) {
return (a, o) -> new AuthorizationDecision(true); return (a, o) -> new AuthorizationDecision(true);
} }
if (annotation instanceof RolesAllowed) { if (annotation instanceof RolesAllowed rolesAllowed) {
RolesAllowed rolesAllowed = (RolesAllowed) annotation; return (a, o) -> Jsr250AuthorizationManager.this.authoritiesAuthorizationManager.check(a, getAllowedRolesWithPrefix(rolesAllowed));
return AuthorityAuthorizationManager.hasAnyRole(Jsr250AuthorizationManager.this.rolePrefix,
rolesAllowed.value());
} }
return NULL_MANAGER; return NULL_MANAGER;
} }
@ -145,6 +159,14 @@ public final class Jsr250AuthorizationManager implements AuthorizationManager<Me
return annotations.iterator().next(); return annotations.iterator().next();
} }
private Set<String> getAllowedRolesWithPrefix(RolesAllowed rolesAllowed) {
Set<String> roles = new HashSet<>();
for (int i = 0; i < rolesAllowed.value().length; i++) {
roles.add(Jsr250AuthorizationManager.this.rolePrefix + rolesAllowed.value()[i]);
}
return roles;
}
} }
} }

56
core/src/test/java/org/springframework/security/authorization/method/Jsr250AuthorizationManagerTests.java
Unescape View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2021 the original author or authors. * Copyright 2002-2023 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -18,6 +18,8 @@ package org.springframework.security.authorization.method;
import java.lang.annotation.Retention; import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy; import java.lang.annotation.RetentionPolicy;
import java.util.Collection;
import java.util.Set;
import java.util.function.Supplier; import java.util.function.Supplier;
import jakarta.annotation.security.DenyAll; import jakarta.annotation.security.DenyAll;
@ -30,11 +32,14 @@ import org.springframework.security.access.intercept.method.MockMethodInvocation
import org.springframework.security.authentication.TestAuthentication; import org.springframework.security.authentication.TestAuthentication;
import org.springframework.security.authentication.TestingAuthenticationToken; import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.authorization.AuthorizationDecision; import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.core.Authentication; import org.springframework.security.core.Authentication;
import static org.assertj.core.api.Assertions.assertThat; import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatExceptionOfType; import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException; import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.verify;
/** /**
* Tests for {@link Jsr250AuthorizationManager}. * Tests for {@link Jsr250AuthorizationManager}.
@ -63,6 +68,27 @@ public class Jsr250AuthorizationManagerTests {
assertThat(manager).extracting("rolePrefix").isEqualTo("CUSTOM_"); assertThat(manager).extracting("rolePrefix").isEqualTo("CUSTOM_");
} }
@Test
public void setAuthoritiesAuthorizationManagerWhenNullThenException() {
Jsr250AuthorizationManager manager = new Jsr250AuthorizationManager();
assertThatIllegalArgumentException().isThrownBy(() -> manager.setAuthoritiesAuthorizationManager(null))
.withMessage("authoritiesAuthorizationManager cannot be null");
}
@Test
public void setAuthoritiesAuthorizationManagerWhenNotNullThenVerifyUsage() throws Exception {
AuthorizationManager<Collection<String>> authoritiesAuthorizationManager = mock(AuthorizationManager.class);
Jsr250AuthorizationManager manager = new Jsr250AuthorizationManager();
manager.setAuthoritiesAuthorizationManager(authoritiesAuthorizationManager);
MockMethodInvocation methodInvocation = new MockMethodInvocation(new ClassLevelAnnotations(),
ClassLevelAnnotations.class, "rolesAllowedAdmin");
Supplier<Authentication> authentication = () -> new TestingAuthenticationToken("user", "password",
"ROLE_ADMIN");
AuthorizationDecision decision = manager.check(authentication, methodInvocation);
assertThat(decision).isNull();
verify(authoritiesAuthorizationManager).check(authentication, Set.of("ROLE_ADMIN"));
}
@Test @Test
public void checkDoSomethingWhenNoJsr250AnnotationsThenNullDecision() throws Exception { public void checkDoSomethingWhenNoJsr250AnnotationsThenNullDecision() throws Exception {
MockMethodInvocation methodInvocation = new MockMethodInvocation(new TestClass(), TestClass.class, MockMethodInvocation methodInvocation = new MockMethodInvocation(new TestClass(), TestClass.class,
@ -123,7 +149,7 @@ public class Jsr250AuthorizationManagerTests {
} }
@Test @Test
public void checkMultipleAnnotationsWhenInvokedThenAnnotationConfigurationException() throws Exception { public void checkMultipleMethodAnnotationsWhenInvokedThenAnnotationConfigurationException() throws Exception {
Supplier<Authentication> authentication = () -> new TestingAuthenticationToken("user", "password", Supplier<Authentication> authentication = () -> new TestingAuthenticationToken("user", "password",
"ROLE_ANONYMOUS"); "ROLE_ANONYMOUS");
MockMethodInvocation methodInvocation = new MockMethodInvocation(new TestClass(), TestClass.class, MockMethodInvocation methodInvocation = new MockMethodInvocation(new TestClass(), TestClass.class,
@ -133,6 +159,16 @@ public class Jsr250AuthorizationManagerTests {
.isThrownBy(() -> manager.check(authentication, methodInvocation)); .isThrownBy(() -> manager.check(authentication, methodInvocation));
} }
@Test
public void checkMultipleClassAnnotationsWhenInvokedThenAnnotationConfigurationException() throws Exception {
Supplier<Authentication> authentication = () -> new TestingAuthenticationToken("user", "password", "ROLE_USER");
MockMethodInvocation methodInvocation = new MockMethodInvocation(new ClassLevelIllegalAnnotations(),
ClassLevelIllegalAnnotations.class, "inheritedAnnotations");
Jsr250AuthorizationManager manager = new Jsr250AuthorizationManager();
assertThatExceptionOfType(AnnotationConfigurationException.class)
.isThrownBy(() -> manager.check(authentication, methodInvocation));
}
@Test @Test
public void checkRequiresAdminWhenClassAnnotationsThenMethodAnnotationsTakePrecedence() throws Exception { public void checkRequiresAdminWhenClassAnnotationsThenMethodAnnotationsTakePrecedence() throws Exception {
Supplier<Authentication> authentication = () -> new TestingAuthenticationToken("user", "password", "ROLE_USER"); Supplier<Authentication> authentication = () -> new TestingAuthenticationToken("user", "password", "ROLE_USER");
@ -247,6 +283,15 @@ public class Jsr250AuthorizationManagerTests {
} }
@MyIllegalRolesAllowed
public static class ClassLevelIllegalAnnotations {
public void inheritedAnnotations() {
}
}
public interface InterfaceAnnotationsOne { public interface InterfaceAnnotationsOne {
@RolesAllowed("ADMIN") @RolesAllowed("ADMIN")
@ -274,4 +319,11 @@ public class Jsr250AuthorizationManagerTests {
} }
@DenyAll
@RolesAllowed("USER")
@Retention(RetentionPolicy.RUNTIME)
public @interface MyIllegalRolesAllowed {
}
} }

Write Preview
Loading…
Cancel
Save