Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-03-01 10:59:16 +00:00
Code Issues Packages Projects Releases Wiki Activity

Use AuthoritiesAuthorizationManager in Jsr250AuthorizationManager

Browse Source 
Closes gh-12782
This commit is contained in:
kandaguru17 2023-05-25 16:21:51 +12:00 committed by Josh Cummings
parent 208fb62db9
commit fa2bc745f7
2 changed files with 82 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
core/src/main/java/org/springframework/security/authorization/method/Jsr250AuthorizationManager.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2021 the original author or authors. * Copyright 2002-2023 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -18,6 +18,7 @@ package org.springframework.security.authorization.method;
import java.lang.annotation.Annotation; import java.lang.annotation.Annotation;
import java.lang.reflect.Method; import java.lang.reflect.Method;
import java.util.Collection;
import java.util.HashSet; import java.util.HashSet;
import java.util.Set; import java.util.Set;
import java.util.function.Supplier; import java.util.function.Supplier;
@ -30,7 +31,7 @@ import org.aopalliance.intercept.MethodInvocation;
import org.springframework.aop.support.AopUtils; import org.springframework.aop.support.AopUtils;
import org.springframework.core.annotation.AnnotationConfigurationException; import org.springframework.core.annotation.AnnotationConfigurationException;
import org.springframework.lang.NonNull; import org.springframework.lang.NonNull;
import org.springframework.security.authorization.AuthorityAuthorizationManager; import org.springframework.security.authorization.AuthoritiesAuthorizationManager;
import org.springframework.security.authorization.AuthorizationDecision; import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager; import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.core.Authentication; import org.springframework.security.core.Authentication;
@ -57,8 +58,23 @@ public final class Jsr250AuthorizationManager implements AuthorizationManager<Me
private final Jsr250AuthorizationManagerRegistry registry = new Jsr250AuthorizationManagerRegistry(); private final Jsr250AuthorizationManagerRegistry registry = new Jsr250AuthorizationManagerRegistry();
private AuthorizationManager<Collection<String>> authoritiesAuthorizationManager = new AuthoritiesAuthorizationManager();
private String rolePrefix = "ROLE_"; private String rolePrefix = "ROLE_";
/**
* Sets an {@link AuthorizationManager} that accepts a collection of authority
* strings.
* @param authoritiesAuthorizationManager the {@link AuthorizationManager} that
* accepts a collection of authority strings to use
* @since 6.1
*/
public void setAuthoritiesAuthorizationManager(
AuthorizationManager<Collection<String>> authoritiesAuthorizationManager) {
Assert.notNull(authoritiesAuthorizationManager, "authoritiesAuthorizationManager cannot be null");
this.authoritiesAuthorizationManager = authoritiesAuthorizationManager;
}
/** /**
* Sets the role prefix. Defaults to "ROLE_". * Sets the role prefix. Defaults to "ROLE_".
* @param rolePrefix the role prefix to use * @param rolePrefix the role prefix to use
@ -95,10 +111,8 @@ public final class Jsr250AuthorizationManager implements AuthorizationManager<Me
if (annotation instanceof PermitAll) { if (annotation instanceof PermitAll) {
return (a, o) -> new AuthorizationDecision(true); return (a, o) -> new AuthorizationDecision(true);
} }
if (annotation instanceof RolesAllowed) { if (annotation instanceof RolesAllowed rolesAllowed) {
RolesAllowed rolesAllowed = (RolesAllowed) annotation; return (a, o) -> Jsr250AuthorizationManager.this.authoritiesAuthorizationManager.check(a, getAllowedRolesWithPrefix(rolesAllowed));
return AuthorityAuthorizationManager.hasAnyRole(Jsr250AuthorizationManager.this.rolePrefix,
rolesAllowed.value());
} }
return NULL_MANAGER; return NULL_MANAGER;
} }
@ -145,6 +159,14 @@ public final class Jsr250AuthorizationManager implements AuthorizationManager<Me
return annotations.iterator().next(); return annotations.iterator().next();
} }
private Set<String> getAllowedRolesWithPrefix(RolesAllowed rolesAllowed) {
Set<String> roles = new HashSet<>();
for (int i = 0; i < rolesAllowed.value().length; i++) {
roles.add(Jsr250AuthorizationManager.this.rolePrefix + rolesAllowed.value()[i]);
}
return roles;
}
} }
} }

56
core/src/test/java/org/springframework/security/authorization/method/Jsr250AuthorizationManagerTests.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2021 the original author or authors. * Copyright 2002-2023 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -18,6 +18,8 @@ package org.springframework.security.authorization.method;
import java.lang.annotation.Retention; import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy; import java.lang.annotation.RetentionPolicy;
import java.util.Collection;
import java.util.Set;
import java.util.function.Supplier; import java.util.function.Supplier;
import jakarta.annotation.security.DenyAll; import jakarta.annotation.security.DenyAll;
@ -30,11 +32,14 @@ import org.springframework.security.access.intercept.method.MockMethodInvocation
import org.springframework.security.authentication.TestAuthentication; import org.springframework.security.authentication.TestAuthentication;
import org.springframework.security.authentication.TestingAuthenticationToken; import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.authorization.AuthorizationDecision; import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.core.Authentication; import org.springframework.security.core.Authentication;
import static org.assertj.core.api.Assertions.assertThat; import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatExceptionOfType; import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException; import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.verify;
/** /**
* Tests for {@link Jsr250AuthorizationManager}. * Tests for {@link Jsr250AuthorizationManager}.
@ -63,6 +68,27 @@ public class Jsr250AuthorizationManagerTests {
assertThat(manager).extracting("rolePrefix").isEqualTo("CUSTOM_"); assertThat(manager).extracting("rolePrefix").isEqualTo("CUSTOM_");
} }
@Test
public void setAuthoritiesAuthorizationManagerWhenNullThenException() {
Jsr250AuthorizationManager manager = new Jsr250AuthorizationManager();
assertThatIllegalArgumentException().isThrownBy(() -> manager.setAuthoritiesAuthorizationManager(null))
.withMessage("authoritiesAuthorizationManager cannot be null");
}
@Test
public void setAuthoritiesAuthorizationManagerWhenNotNullThenVerifyUsage() throws Exception {
AuthorizationManager<Collection<String>> authoritiesAuthorizationManager = mock(AuthorizationManager.class);
Jsr250AuthorizationManager manager = new Jsr250AuthorizationManager();
manager.setAuthoritiesAuthorizationManager(authoritiesAuthorizationManager);
MockMethodInvocation methodInvocation = new MockMethodInvocation(new ClassLevelAnnotations(),
ClassLevelAnnotations.class, "rolesAllowedAdmin");
Supplier<Authentication> authentication = () -> new TestingAuthenticationToken("user", "password",
"ROLE_ADMIN");
AuthorizationDecision decision = manager.check(authentication, methodInvocation);
assertThat(decision).isNull();
verify(authoritiesAuthorizationManager).check(authentication, Set.of("ROLE_ADMIN"));
}
@Test @Test
public void checkDoSomethingWhenNoJsr250AnnotationsThenNullDecision() throws Exception { public void checkDoSomethingWhenNoJsr250AnnotationsThenNullDecision() throws Exception {
MockMethodInvocation methodInvocation = new MockMethodInvocation(new TestClass(), TestClass.class, MockMethodInvocation methodInvocation = new MockMethodInvocation(new TestClass(), TestClass.class,
@ -123,7 +149,7 @@ public class Jsr250AuthorizationManagerTests {
} }
@Test @Test
public void checkMultipleAnnotationsWhenInvokedThenAnnotationConfigurationException() throws Exception { public void checkMultipleMethodAnnotationsWhenInvokedThenAnnotationConfigurationException() throws Exception {
Supplier<Authentication> authentication = () -> new TestingAuthenticationToken("user", "password", Supplier<Authentication> authentication = () -> new TestingAuthenticationToken("user", "password",
"ROLE_ANONYMOUS"); "ROLE_ANONYMOUS");
MockMethodInvocation methodInvocation = new MockMethodInvocation(new TestClass(), TestClass.class, MockMethodInvocation methodInvocation = new MockMethodInvocation(new TestClass(), TestClass.class,
@ -133,6 +159,16 @@ public class Jsr250AuthorizationManagerTests {
.isThrownBy(() -> manager.check(authentication, methodInvocation)); .isThrownBy(() -> manager.check(authentication, methodInvocation));
} }
@Test
public void checkMultipleClassAnnotationsWhenInvokedThenAnnotationConfigurationException() throws Exception {
Supplier<Authentication> authentication = () -> new TestingAuthenticationToken("user", "password", "ROLE_USER");
MockMethodInvocation methodInvocation = new MockMethodInvocation(new ClassLevelIllegalAnnotations(),
ClassLevelIllegalAnnotations.class, "inheritedAnnotations");
Jsr250AuthorizationManager manager = new Jsr250AuthorizationManager();
assertThatExceptionOfType(AnnotationConfigurationException.class)
.isThrownBy(() -> manager.check(authentication, methodInvocation));
}
@Test @Test
public void checkRequiresAdminWhenClassAnnotationsThenMethodAnnotationsTakePrecedence() throws Exception { public void checkRequiresAdminWhenClassAnnotationsThenMethodAnnotationsTakePrecedence() throws Exception {
Supplier<Authentication> authentication = () -> new TestingAuthenticationToken("user", "password", "ROLE_USER"); Supplier<Authentication> authentication = () -> new TestingAuthenticationToken("user", "password", "ROLE_USER");
@ -247,6 +283,15 @@ public class Jsr250AuthorizationManagerTests {
} }
@MyIllegalRolesAllowed
public static class ClassLevelIllegalAnnotations {
public void inheritedAnnotations() {
}
}
public interface InterfaceAnnotationsOne { public interface InterfaceAnnotationsOne {
@RolesAllowed("ADMIN") @RolesAllowed("ADMIN")
@ -274,4 +319,11 @@ public class Jsr250AuthorizationManagerTests {
} }
@DenyAll
@RolesAllowed("USER")
@Retention(RetentionPolicy.RUNTIME)
public @interface MyIllegalRolesAllowed {
}
} }