mirror of
https://github.com/spring-projects/spring-security.git
synced 2025-03-01 10:59:16 +00:00
Use AuthoritiesAuthorizationManager in Jsr250AuthorizationManager
Closes gh-12782
This commit is contained in:
kandaguru17
Josh Cummings
parent
208fb62db9
commit
fa2bc745f7
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2021 the original author or authors.
|
||||
* Copyright 2002-2023 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@ -18,6 +18,7 @@ package org.springframework.security.authorization.method;
|
||||
|
||||
import java.lang.annotation.Annotation;
|
||||
import java.lang.reflect.Method;
|
||||
import java.util.Collection;
|
||||
import java.util.HashSet;
|
||||
import java.util.Set;
|
||||
import java.util.function.Supplier;
|
||||
@ -30,7 +31,7 @@ import org.aopalliance.intercept.MethodInvocation;
|
||||
import org.springframework.aop.support.AopUtils;
|
||||
import org.springframework.core.annotation.AnnotationConfigurationException;
|
||||
import org.springframework.lang.NonNull;
|
||||
import org.springframework.security.authorization.AuthorityAuthorizationManager;
|
||||
import org.springframework.security.authorization.AuthoritiesAuthorizationManager;
|
||||
import org.springframework.security.authorization.AuthorizationDecision;
|
||||
import org.springframework.security.authorization.AuthorizationManager;
|
||||
import org.springframework.security.core.Authentication;
|
||||
@ -57,8 +58,23 @@ public final class Jsr250AuthorizationManager implements AuthorizationManager<Me
|
||||
|
||||
private final Jsr250AuthorizationManagerRegistry registry = new Jsr250AuthorizationManagerRegistry();
|
||||
|
||||
private AuthorizationManager<Collection<String>> authoritiesAuthorizationManager = new AuthoritiesAuthorizationManager();
|
||||
|
||||
private String rolePrefix = "ROLE_";
|
||||
|
||||
/**
|
||||
* Sets an {@link AuthorizationManager} that accepts a collection of authority
|
||||
* strings.
|
||||
* @param authoritiesAuthorizationManager the {@link AuthorizationManager} that
|
||||
* accepts a collection of authority strings to use
|
||||
* @since 6.1
|
||||
*/
|
||||
public void setAuthoritiesAuthorizationManager(
|
||||
AuthorizationManager<Collection<String>> authoritiesAuthorizationManager) {
|
||||
Assert.notNull(authoritiesAuthorizationManager, "authoritiesAuthorizationManager cannot be null");
|
||||
this.authoritiesAuthorizationManager = authoritiesAuthorizationManager;
|
||||
}
|
||||
|
||||
/**
|
||||
* Sets the role prefix. Defaults to "ROLE_".
|
||||
* @param rolePrefix the role prefix to use
|
||||
@ -95,10 +111,8 @@ public final class Jsr250AuthorizationManager implements AuthorizationManager<Me
|
||||
if (annotation instanceof PermitAll) {
|
||||
return (a, o) -> new AuthorizationDecision(true);
|
||||
}
|
||||
if (annotation instanceof RolesAllowed) {
|
||||
RolesAllowed rolesAllowed = (RolesAllowed) annotation;
|
||||
return AuthorityAuthorizationManager.hasAnyRole(Jsr250AuthorizationManager.this.rolePrefix,
|
||||
rolesAllowed.value());
|
||||
if (annotation instanceof RolesAllowed rolesAllowed) {
|
||||
return (a, o) -> Jsr250AuthorizationManager.this.authoritiesAuthorizationManager.check(a, getAllowedRolesWithPrefix(rolesAllowed));
|
||||
}
|
||||
return NULL_MANAGER;
|
||||
}
|
||||
@ -145,6 +159,14 @@ public final class Jsr250AuthorizationManager implements AuthorizationManager<Me
|
||||
return annotations.iterator().next();
|
||||
}
|
||||
|
||||
private Set<String> getAllowedRolesWithPrefix(RolesAllowed rolesAllowed) {
|
||||
Set<String> roles = new HashSet<>();
|
||||
for (int i = 0; i < rolesAllowed.value().length; i++) {
|
||||
roles.add(Jsr250AuthorizationManager.this.rolePrefix + rolesAllowed.value()[i]);
|
||||
}
|
||||
return roles;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2021 the original author or authors.
|
||||
* Copyright 2002-2023 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@ -18,6 +18,8 @@ package org.springframework.security.authorization.method;
|
||||
|
||||
import java.lang.annotation.Retention;
|
||||
import java.lang.annotation.RetentionPolicy;
|
||||
import java.util.Collection;
|
||||
import java.util.Set;
|
||||
import java.util.function.Supplier;
|
||||
|
||||
import jakarta.annotation.security.DenyAll;
|
||||
@ -30,11 +32,14 @@ import org.springframework.security.access.intercept.method.MockMethodInvocation
|
||||
import org.springframework.security.authentication.TestAuthentication;
|
||||
import org.springframework.security.authentication.TestingAuthenticationToken;
|
||||
import org.springframework.security.authorization.AuthorizationDecision;
|
||||
import org.springframework.security.authorization.AuthorizationManager;
|
||||
import org.springframework.security.core.Authentication;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
|
||||
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
|
||||
import static org.mockito.Mockito.mock;
|
||||
import static org.mockito.Mockito.verify;
|
||||
|
||||
/**
|
||||
* Tests for {@link Jsr250AuthorizationManager}.
|
||||
@ -63,6 +68,27 @@ public class Jsr250AuthorizationManagerTests {
|
||||
assertThat(manager).extracting("rolePrefix").isEqualTo("CUSTOM_");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void setAuthoritiesAuthorizationManagerWhenNullThenException() {
|
||||
Jsr250AuthorizationManager manager = new Jsr250AuthorizationManager();
|
||||
assertThatIllegalArgumentException().isThrownBy(() -> manager.setAuthoritiesAuthorizationManager(null))
|
||||
.withMessage("authoritiesAuthorizationManager cannot be null");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void setAuthoritiesAuthorizationManagerWhenNotNullThenVerifyUsage() throws Exception {
|
||||
AuthorizationManager<Collection<String>> authoritiesAuthorizationManager = mock(AuthorizationManager.class);
|
||||
Jsr250AuthorizationManager manager = new Jsr250AuthorizationManager();
|
||||
manager.setAuthoritiesAuthorizationManager(authoritiesAuthorizationManager);
|
||||
MockMethodInvocation methodInvocation = new MockMethodInvocation(new ClassLevelAnnotations(),
|
||||
ClassLevelAnnotations.class, "rolesAllowedAdmin");
|
||||
Supplier<Authentication> authentication = () -> new TestingAuthenticationToken("user", "password",
|
||||
"ROLE_ADMIN");
|
||||
AuthorizationDecision decision = manager.check(authentication, methodInvocation);
|
||||
assertThat(decision).isNull();
|
||||
verify(authoritiesAuthorizationManager).check(authentication, Set.of("ROLE_ADMIN"));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void checkDoSomethingWhenNoJsr250AnnotationsThenNullDecision() throws Exception {
|
||||
MockMethodInvocation methodInvocation = new MockMethodInvocation(new TestClass(), TestClass.class,
|
||||
@ -123,7 +149,7 @@ public class Jsr250AuthorizationManagerTests {
|
||||
}
|
||||
|
||||
@Test
|
||||
public void checkMultipleAnnotationsWhenInvokedThenAnnotationConfigurationException() throws Exception {
|
||||
public void checkMultipleMethodAnnotationsWhenInvokedThenAnnotationConfigurationException() throws Exception {
|
||||
Supplier<Authentication> authentication = () -> new TestingAuthenticationToken("user", "password",
|
||||
"ROLE_ANONYMOUS");
|
||||
MockMethodInvocation methodInvocation = new MockMethodInvocation(new TestClass(), TestClass.class,
|
||||
@ -133,6 +159,16 @@ public class Jsr250AuthorizationManagerTests {
|
||||
.isThrownBy(() -> manager.check(authentication, methodInvocation));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void checkMultipleClassAnnotationsWhenInvokedThenAnnotationConfigurationException() throws Exception {
|
||||
Supplier<Authentication> authentication = () -> new TestingAuthenticationToken("user", "password", "ROLE_USER");
|
||||
MockMethodInvocation methodInvocation = new MockMethodInvocation(new ClassLevelIllegalAnnotations(),
|
||||
ClassLevelIllegalAnnotations.class, "inheritedAnnotations");
|
||||
Jsr250AuthorizationManager manager = new Jsr250AuthorizationManager();
|
||||
assertThatExceptionOfType(AnnotationConfigurationException.class)
|
||||
.isThrownBy(() -> manager.check(authentication, methodInvocation));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void checkRequiresAdminWhenClassAnnotationsThenMethodAnnotationsTakePrecedence() throws Exception {
|
||||
Supplier<Authentication> authentication = () -> new TestingAuthenticationToken("user", "password", "ROLE_USER");
|
||||
@ -247,6 +283,15 @@ public class Jsr250AuthorizationManagerTests {
|
||||
|
||||
}
|
||||
|
||||
@MyIllegalRolesAllowed
|
||||
public static class ClassLevelIllegalAnnotations {
|
||||
|
||||
public void inheritedAnnotations() {
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
public interface InterfaceAnnotationsOne {
|
||||
|
||||
@RolesAllowed("ADMIN")
|
||||
@ -274,4 +319,11 @@ public class Jsr250AuthorizationManagerTests {
|
||||
|
||||
}
|
||||
|
||||
@DenyAll
|
||||
@RolesAllowed("USER")
|
||||
@Retention(RetentionPolicy.RUNTIME)
|
||||
public @interface MyIllegalRolesAllowed {
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user