SEC-1443: Modify Jsr250Voter to handle multiple "RolesAllowed" roles.
It now votes to abstain if there are no Jsr250 attributes present. If any are found, it will either deny or grant access. For multiple "RoleAllowed" attributes, access will be granted if any user authority matches or denied if no match is found.
This commit is contained in:
Luke Taylor
parent
d5df53f1db
commit
e60108ca8c
|
|
@ -37,6 +37,9 @@ public class Jsr250Voter implements AccessDecisionVoter {
|
|||
|
||||
/**
|
||||
* Votes according to JSR 250.
|
||||
* <p>
|
||||
* If no JSR-250 attributes are found, it will abstain, otherwise it will grant or deny access
|
||||
* based on the attributes that are found.
|
||||
*
|
||||
* @param authentication The authentication object.
|
||||
* @param object The access object.
|
||||
|
|
@ -44,6 +47,8 @@ public class Jsr250Voter implements AccessDecisionVoter {
|
|||
* @return The vote.
|
||||
*/
|
||||
public int vote(Authentication authentication, Object object, Collection<ConfigAttribute> definition) {
|
||||
boolean jsr250AttributeFound = false;
|
||||
|
||||
for (ConfigAttribute attribute : definition) {
|
||||
if (Jsr250SecurityConfig.PERMIT_ALL_ATTRIBUTE.equals(attribute)) {
|
||||
return ACCESS_GRANTED;
|
||||
|
|
@ -54,18 +59,17 @@ public class Jsr250Voter implements AccessDecisionVoter {
|
|||
}
|
||||
|
||||
if (supports(attribute)) {
|
||||
jsr250AttributeFound = true;
|
||||
// Attempt to find a matching granted authority
|
||||
for (GrantedAuthority authority : authentication.getAuthorities()) {
|
||||
if (attribute.getAttribute().equals(authority.getAuthority())) {
|
||||
return ACCESS_GRANTED;
|
||||
}
|
||||
}
|
||||
// No match - deny access
|
||||
return ACCESS_DENIED;
|
||||
}
|
||||
}
|
||||
|
||||
return ACCESS_ABSTAIN;
|
||||
return jsr250AttributeFound ? ACCESS_DENIED : ACCESS_ABSTAIN;
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -0,0 +1,44 @@
|
|||
package org.springframework.security.access.annotation;
|
||||
|
||||
import static org.junit.Assert.*;
|
||||
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
|
||||
import org.junit.Test;
|
||||
import org.springframework.security.access.AccessDecisionVoter;
|
||||
import org.springframework.security.access.ConfigAttribute;
|
||||
import org.springframework.security.access.SecurityConfig;
|
||||
import org.springframework.security.authentication.TestingAuthenticationToken;
|
||||
|
||||
/**
|
||||
*
|
||||
* @author Luke Taylor
|
||||
*/
|
||||
public class Jsr250VoterTests {
|
||||
|
||||
// SEC-1443
|
||||
@Test
|
||||
public void supportsMultipleRolesCorrectly() throws Exception {
|
||||
List<ConfigAttribute> attrs = new ArrayList<ConfigAttribute>();
|
||||
Jsr250Voter voter = new Jsr250Voter();
|
||||
|
||||
attrs.add(new Jsr250SecurityConfig("A"));
|
||||
attrs.add(new Jsr250SecurityConfig("B"));
|
||||
attrs.add(new Jsr250SecurityConfig("C"));
|
||||
|
||||
assertEquals(AccessDecisionVoter.ACCESS_GRANTED,
|
||||
voter.vote(new TestingAuthenticationToken("user", "pwd", "A"), new Object(), attrs));
|
||||
assertEquals(AccessDecisionVoter.ACCESS_GRANTED,
|
||||
voter.vote(new TestingAuthenticationToken("user", "pwd", "B"), new Object(), attrs));
|
||||
assertEquals(AccessDecisionVoter.ACCESS_GRANTED,
|
||||
voter.vote(new TestingAuthenticationToken("user", "pwd", "C"), new Object(), attrs));
|
||||
|
||||
assertEquals(AccessDecisionVoter.ACCESS_DENIED,
|
||||
voter.vote(new TestingAuthenticationToken("user", "pwd", "NONE"), new Object(), attrs));
|
||||
|
||||
assertEquals(AccessDecisionVoter.ACCESS_ABSTAIN,
|
||||
voter.vote(new TestingAuthenticationToken("user", "pwd", "A"), new Object(),
|
||||
SecurityConfig.createList("A","B","C")));
|
||||
}
|
||||
}
|
||||
Loading…
Reference in New Issue