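/**
 * Replaces the interceptor's security metadata source with one built from {@code resourceMap}
 * (Ant-style URL pattern -> comma-delimited attribute string such as {@code "ROLE_A,ROLE_B"}).
 *
 * <p>Entries are registered in {@code resourceMap}'s iteration order, and
 * {@link DefaultFilterInvocationSecurityMetadataSource} answers with the attributes of the
 * first pattern that matches a request. Callers must therefore supply an order-preserving map
 * with the most specific patterns first; a catch-all such as {@code /**} listed early shadows
 * every pattern after it. A request matching no entry receives no attributes, which — unless the
 * interceptor is configured to reject public invocations — means it is not subject to an access
 * decision at all, so an empty map effectively switches URL authorisation off.
 *
 * @param filterSecurityInterceptor the interceptor to reconfigure, never {@code null}
 * @param resourceMap URL pattern -> attribute string, never {@code null}
 * @throws IllegalArgumentException if either argument is {@code null}
 */
public void execute(FilterSecurityInterceptor filterSecurityInterceptor, Map<String, String> resourceMap) {
    Assert.notNull(filterSecurityInterceptor);
    Assert.notNull(resourceMap);
    logger.info("refresh url resource");
    LinkedHashMap<RequestMatcher, Collection<ConfigAttribute>> requestMap =
            new LinkedHashMap<RequestMatcher, Collection<ConfigAttribute>>();
    for (Map.Entry<String, String> entry : resourceMap.entrySet()) {
        // One ConfigAttribute per comma-separated token of the value.
        requestMap.put(new AntPathRequestMatcher(entry.getKey()),
                SecurityConfig.createListFromCommaDelimitedString(entry.getValue()));
    }
    FilterInvocationSecurityMetadataSource source = new DefaultFilterInvocationSecurityMetadataSource(requestMap);
    filterSecurityInterceptor.setSecurityMetadataSource(source);
}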
/**
 * Passing something other than a filter invocation to {@code getAttributes} must be rejected.
 * Spring 3.2 surfaces this as a ClassCastException (Spring 3.0.3 used IllegalArgumentException).
 */
@Test
public void testgetAttributesFilter() throws Exception {
    // NOTE(review): raw LinkedHashMap — the delegate's key type differs across Spring Security
    // versions; confirm the version in use before parameterising it.
    DefaultFilterInvocationSecurityMetadataSource delegate =
            new DefaultFilterInvocationSecurityMetadataSource(new LinkedHashMap());
    CibetFilterInvocationSecurityMetadataSource metadataSource =
            new CibetFilterInvocationSecurityMetadataSource(delegate);

    ClassCastException rejected = null;
    try {
        metadataSource.getAttributes("nixi");
    } catch (ClassCastException e) {
        rejected = e;
    }
    if (rejected == null) {
        Assert.fail();
    }
    log.info(rejected.getMessage());
}
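/**
 * Merges the URL rules held in {@code requestMap} (presumably populated by {@link #buildRequestMap()})
 * with the rules already configured on {@code filterSecurityInterceptor} and installs the result as
 * a new {@link DefaultFilterInvocationSecurityMetadataSource}.
 *
 * <p>Order is security-relevant: the metadata source answers with the first matching entry, and
 * {@code putAll} appends keys that are not yet present, so the freshly built rules take precedence
 * over the interceptor's existing rules, while an existing entry whose matcher is equal to a freshly
 * built one replaces that entry's attributes in place.
 *
 * <p>The existing rules are read reflectively from the private {@code requestMap} field of the
 * current metadata source, which couples this class to Spring Security internals; a change of
 * field name or metadata-source type breaks the merge.
 *
 * @throws IllegalArgumentException if {@code filterSecurityInterceptor} is {@code null}
 * @throws ClassCastException if the interceptor's current metadata source is not a
 *         {@code DefaultFilterInvocationSecurityMetadataSource}
 */
@Override
@SuppressWarnings("unchecked")
public void buildSecurityMetadataSource() {
    Assert.notNull(filterSecurityInterceptor);
    this.buildRequestMap();
    DefaultFilterInvocationSecurityMetadataSource originMetadata =
            (DefaultFilterInvocationSecurityMetadataSource) filterSecurityInterceptor.getSecurityMetadataSource();
    // ExpressionBasedFilterInvocationSecurityMetadataSource was considered here but not used:
    // that built-in implementation does not support mapping one URL to several expressions.
    Map<RequestMatcher, Collection<ConfigAttribute>> originRequestMap =
            (Map<RequestMatcher, Collection<ConfigAttribute>>) ReflectUtils.getFieldValue(originMetadata, "requestMap", false);
    if (originRequestMap != null && !originRequestMap.isEmpty()) {
        this.requestMap.putAll(originRequestMap);
    }
    DefaultFilterInvocationSecurityMetadataSource merged =
            new DefaultFilterInvocationSecurityMetadataSource(this.requestMap);
    this.filterSecurityInterceptor.setSecurityMetadataSource(merged);
}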
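/**
 * Builds the {@code fsi} bean: the interceptor that authorises requests by URL pattern.
 *
 * <p>Rules are evaluated in insertion order and the first matching pattern wins, so the specific
 * {@code /adm/restartvm.ajax} rule is registered before the {@code /adm/**} catch-all. Registered
 * the other way round, the restart rule could never be reached and {@code ROLE_POWERUSERPLUS}
 * would be denied that URL despite being listed for it. The final {@code /**} entry keeps every
 * remaining URL behind at least {@code ROLE_PROBEUSER}.
 *
 * @return the configured filter security interceptor
 */
@Bean(name = "fsi")
public FilterSecurityInterceptor getFilterSecurityInterceptor() {
    FilterSecurityInterceptor interceptor = new FilterSecurityInterceptor();
    interceptor.setAuthenticationManager(getProviderManager());
    interceptor.setAccessDecisionManager(getAffirmativeBased());

    LinkedHashMap<RequestMatcher, Collection<ConfigAttribute>> requestMap = new LinkedHashMap<>();
    // Most specific first: /adm/** would otherwise shadow this entry.
    requestMap.put(new AntPathRequestMatcher("/adm/restartvm.ajax"),
            SecurityConfig.createListFromCommaDelimitedString("ROLE_POWERUSERPLUS,ROLE_MANAGER,ROLE_MANAGER-GUI"));
    requestMap.put(new AntPathRequestMatcher("/adm/**"),
            SecurityConfig.createListFromCommaDelimitedString("ROLE_MANAGER,ROLE_MANAGER-GUI"));
    requestMap.put(new AntPathRequestMatcher("/sql/**"),
            SecurityConfig.createListFromCommaDelimitedString("ROLE_POWERUSERPLUS,ROLE_MANAGER,ROLE_MANAGER-GUI"));
    requestMap.put(new AntPathRequestMatcher("/app/**"),
            SecurityConfig.createListFromCommaDelimitedString("ROLE_POWERUSER,ROLE_POWERUSERPLUS,ROLE_MANAGER,ROLE_MANAGER-GUI"));
    requestMap.put(new AntPathRequestMatcher("/**"),
            SecurityConfig.createListFromCommaDelimitedString("ROLE_PROBEUSER,ROLE_POWERUSER,ROLE_POWERUSERPLUS,ROLE_MANAGER,ROLE_MANAGER-GUI"));
    interceptor.setSecurityMetadataSource(new DefaultFilterInvocationSecurityMetadataSource(requestMap));
    return interceptor;
}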
/**
 * Appends a {@link ChannelProcessingFilter} that applies one channel attribute to every request:
 * {@code ANY_CHANNEL} for {@link Protocol#HTTP}, {@code REQUIRES_SECURE_CHANNEL} for
 * {@link Protocol#HTTPS}. Any other protocol value registers an empty attribute list, which
 * presumably leaves the channel decision manager with nothing to enforce — confirm if the enum
 * ever grows; a {@code null} protocol fails with a NullPointerException at the switch.
 *
 * @param filters the filter chain under construction; the new filter is appended to it
 * @param protocol the channel requirement to enforce
 */
private void addSecureChannel(List<Filter> filters, Protocol protocol) {
    String channelAttribute;
    switch (protocol) {
        case HTTP:
            channelAttribute = "ANY_CHANNEL";
            break;
        case HTTPS:
            channelAttribute = "REQUIRES_SECURE_CHANNEL";
            break;
        default:
            channelAttribute = null;
    }

    Collection<ConfigAttribute> configAtts = new ArrayList<>();
    if (channelAttribute != null) {
        configAtts.add(new SecurityConfig(channelAttribute));
    }
    LinkedHashMap<RequestMatcher, Collection<ConfigAttribute>> requestMap = new LinkedHashMap<>();
    requestMap.put(AnyRequestMatcher.INSTANCE, configAtts);

    ChannelProcessingFilter channelProcessingFilter = new ChannelProcessingFilter();
    channelProcessingFilter.setChannelDecisionManager(channelDecisionManager);
    channelProcessingFilter.setSecurityMetadataSource(new DefaultFilterInvocationSecurityMetadataSource(requestMap));
    filters.add(channelProcessingFilter);
}
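/**
 * Re-reads the URL -> attributes table from {@code urlSourceFetcher} and installs it on
 * {@code filterSecurityInterceptor}.
 *
 * <p>Does nothing, and logs why, while either collaborator is unset or the fetcher returns no
 * table: the interceptor then keeps the rules it currently enforces. Installing an empty rule set
 * instead would leave requests without attributes, which — unless the interceptor rejects public
 * invocations — means no access decision is made for them.
 *
 * <p>Patterns are registered in the fetched map's iteration order and the metadata source answers
 * with the first match, so the fetcher must return an order-preserving map with specific patterns
 * ahead of catch-alls such as {@code /**}.
 */
public void refresh() {
    if (filterSecurityInterceptor == null || urlSourceFetcher == null) {
        logger.info("filterSecurityInterceptor : {}, urlSourceFetcher : {}", filterSecurityInterceptor, urlSourceFetcher);
        return;
    }
    logger.info("execute refresh");
    Map<String, String> resourceMap = urlSourceFetcher.getSource(null);
    if (resourceMap == null) {
        // Formerly a NullPointerException here; keep the current rules rather than clearing them.
        logger.warn("urlSourceFetcher returned no resource map; keeping the current security metadata source");
        return;
    }
    LinkedHashMap<RequestMatcher, Collection<ConfigAttribute>> requestMap =
            new LinkedHashMap<RequestMatcher, Collection<ConfigAttribute>>();
    for (Map.Entry<String, String> entry : resourceMap.entrySet()) {
        // One ConfigAttribute per comma-separated token of the value.
        requestMap.put(new AntPathRequestMatcher(entry.getKey()),
                SecurityConfig.createListFromCommaDelimitedString(entry.getValue()));
    }
    FilterInvocationSecurityMetadataSource source = new DefaultFilterInvocationSecurityMetadataSource(requestMap);
    filterSecurityInterceptor.setSecurityMetadataSource(source);
}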
/** An access-rule expression set on the invocation yields exactly one expression-based attribute. */
@Test
public void testgetCibetAttributesExpression() throws Exception {
    // NOTE(review): raw LinkedHashMap — the delegate's key type differs across Spring Security
    // versions; confirm the version in use before parameterising it.
    DefaultFilterInvocationSecurityMetadataSource delegate =
            new DefaultFilterInvocationSecurityMetadataSource(new LinkedHashMap());
    CibetFilterInvocationSecurityMetadataSource metadataSource =
            new CibetFilterInvocationSecurityMetadataSource(delegate);

    CibetFilterInvocation invocation = new CibetFilterInvocation(req, resp, chain);
    invocation.setAccessRuleExpression("hasRole('Walter')");

    Collection<ConfigAttribute> attributes = metadataSource.getAttributes(invocation);
    Assert.assertEquals(1, attributes.size());
    ConfigAttribute only = attributes.iterator().next();
    Assert.assertTrue(only instanceof CibetWebExpressionConfigAttribute);
}
/** A plain access rule set on the invocation yields exactly one {@link SecurityConfig} attribute. */
@Test
public void testgetCibetAttributes() throws Exception {
    // NOTE(review): raw LinkedHashMap — the delegate's key type differs across Spring Security
    // versions; confirm the version in use before parameterising it.
    DefaultFilterInvocationSecurityMetadataSource delegate =
            new DefaultFilterInvocationSecurityMetadataSource(new LinkedHashMap());
    CibetFilterInvocationSecurityMetadataSource metadataSource =
            new CibetFilterInvocationSecurityMetadataSource(delegate);

    CibetFilterInvocation invocation = new CibetFilterInvocation(req, resp, chain);
    invocation.setAccessRule("ROLE_VIEH");

    Collection<ConfigAttribute> attributes = metadataSource.getAttributes(invocation);
    Assert.assertEquals(1, attributes.size());
    ConfigAttribute only = attributes.iterator().next();
    Assert.assertTrue(only instanceof SecurityConfig);
}
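/**
 * Appends a {@link FilterSecurityInterceptor} enforcing {@code securityRule} to {@code filters}.
 *
 * <p>With neither permission nor user access configured, the rule only requires a fully
 * authenticated user ({@code IS_AUTHENTICATED_FULLY}, decided by an {@link AuthenticatedVoter}).
 * Otherwise every permission becomes one attribute and every user entry one
 * {@code USER_ACCESS_PREFIX}-prefixed attribute. The decision manager is {@link AffirmativeBased},
 * so a single granting voter admits the request: matching any one listed permission or user entry
 * is sufficient.
 *
 * @param filters the filter chain under construction; the interceptor is appended to it
 * @param securityRule the URL rule to enforce; its pattern is applied by {@code buildRequestMap}
 */
private void addFilterSecurityInterceptor(List<Filter> filters, MotechURLSecurityRule securityRule) {
    // DefaultFilterInvocationSecurityMetadataSource requires a LinkedHashMap (insertion order is the
    // evaluation order); declaring it as such removes the unchecked cast the constructor call needed.
    LinkedHashMap<RequestMatcher, Collection<ConfigAttribute>> requestMap = new LinkedHashMap<>();
    List<AccessDecisionVoter> voters = new ArrayList<>();
    Collection<ConfigAttribute> configAtts = new ArrayList<>();

    boolean noPermissionAccess = CollectionUtils.isEmpty(securityRule.getPermissionAccess());
    boolean noUserAccess = CollectionUtils.isEmpty(securityRule.getUserAccess());
    if (noPermissionAccess && noUserAccess) {
        configAtts.add(new SecurityConfig("IS_AUTHENTICATED_FULLY"));
        voters.add(new AuthenticatedVoter());
    } else {
        if (!noPermissionAccess) {
            for (String permission : securityRule.getPermissionAccess()) {
                configAtts.add(new SecurityConfig(permission));
            }
        }
        if (!noUserAccess) {
            for (String userAccess : securityRule.getUserAccess()) {
                configAtts.add(new SecurityConfig(SecurityConfigConstants.USER_ACCESS_PREFIX + userAccess));
            }
        }
    }
    buildRequestMap(requestMap, configAtts, securityRule);

    FilterSecurityInterceptor interceptor = new FilterSecurityInterceptor();
    interceptor.setSecurityMetadataSource(new DefaultFilterInvocationSecurityMetadataSource(requestMap));

    RoleVoter roleVoter = new RoleVoter();
    roleVoter.setRolePrefix(SecurityConfigConstants.ROLE_ACCESS_PREFIX);
    voters.add(roleVoter);
    voters.add(new MotechAccessVoter());
    interceptor.setAccessDecisionManager(new AffirmativeBased(voters));
    interceptor.setAuthenticationManager(authenticationManager);
    filters.add(interceptor);
}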
/**
 * Constructs a new metadata source from the current {@code buildRequestMap()} result on each
 * invocation and logs that a rebuild took place.
 *
 * @return a freshly built {@link DefaultFilterInvocationSecurityMetadataSource}
 */
@Override
public FilterInvocationSecurityMetadataSource getObject() {
    logger.info("###### DefaultFilterInvocationSecurityMetadataSource has changed. ######");
    FilterInvocationSecurityMetadataSource rebuilt =
            new DefaultFilterInvocationSecurityMetadataSource(buildRequestMap());
    return rebuilt;
}
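/**
 * Builds the bean definition of a {@link DefaultFilterInvocationSecurityMetadataSource} from the
 * {@code <url>} children of {@code element}, or returns {@code null} when there are none.
 *
 * <p>Each {@code <url>} contributes a matcher built from its {@code pattern} and optional
 * {@code httpMethod} attributes, keyed to the comma-delimited attribute list in {@code resources};
 * a {@code <url>} without {@code resources} is ignored. A {@code resources} value of {@code none}
 * maps the pattern to an empty attribute list, i.e. the URL carries no access constraint from this
 * source (whether such a request is then admitted depends on the interceptor's public-invocation
 * setting). Entries are kept in document order and the resulting source answers with the first
 * matching pattern, so specific patterns must precede broad ones. A duplicate pattern is reported
 * and its earlier attributes overwritten, including when the later value is {@code none}.
 *
 * @param element the element holding the {@code <url>} children; its {@code path-type} attribute
 *        selects the {@link MatcherType} (default {@code ant})
 * @param pc parser context used for problem reporting and source tracking
 * @return the metadata-source bean definition, or {@code null} if no {@code <url>} child exists
 * @throws IllegalArgumentException if {@code path-type} names no {@link MatcherType}
 */
public static BeanDefinition createSecurityMetadataSource(Element element, ParserContext pc) {
    List<Element> filterPatterns = DomUtils.getChildElementsByTagName(element, "url");
    if (filterPatterns.isEmpty()) {
        return null;
    }
    // TODO : add support for lowercase-comparisons
    String patternType = element.getAttribute("path-type");
    if (!StringUtils.hasText(patternType)) {
        patternType = "ant";
    }
    MatcherType matcherType = MatcherType.valueOf(patternType);
    ManagedMap<BeanDefinition, BeanDefinition> invocationDefinitionMap = new ManagedMap<BeanDefinition, BeanDefinition>();
    for (Element filterPattern : filterPatterns) {
        String path = filterPattern.getAttribute("pattern");
        if (!StringUtils.hasText(path)) {
            pc.getReaderContext().error("pattern attribute cannot be empty or null", filterPattern);
            // Whether error() throws depends on the configured problem reporter; never register a
            // matcher for an empty pattern when it merely records the problem.
            continue;
        }
        String method = filterPattern.getAttribute("httpMethod");
        if (!StringUtils.hasText(method)) {
            method = null;
        }
        String access = filterPattern.getAttribute("resources");
        if (!StringUtils.hasText(access)) {
            continue;
        }
        BeanDefinition matcher = matcherType.createMatcher(path, method);
        // Warn for every overwrite, not only for non-"none" values: a later "none" silently
        // removing an earlier constraint is exactly the case a reader of the log needs to see.
        if (invocationDefinitionMap.containsKey(matcher)) {
            pc.getReaderContext().warning("Duplicate URL defined: " + path + ". The original attribute values will be overwritten", pc.extractSource(filterPattern));
        }
        if (access.equals("none")) {
            invocationDefinitionMap.put(matcher,
                    BeanDefinitionBuilder.rootBeanDefinition(Collections.class).setFactoryMethod("emptyList").getBeanDefinition());
        } else {
            BeanDefinitionBuilder attributeBuilder = BeanDefinitionBuilder.rootBeanDefinition(SecurityConfig.class);
            attributeBuilder.addConstructorArgValue(access);
            attributeBuilder.setFactoryMethod("createListFromCommaDelimitedString");
            invocationDefinitionMap.put(matcher, attributeBuilder.getBeanDefinition());
        }
    }
    BeanDefinitionBuilder fidsBuilder = BeanDefinitionBuilder.rootBeanDefinition(DefaultFilterInvocationSecurityMetadataSource.class);
    fidsBuilder.addConstructorArgValue(invocationDefinitionMap);
    fidsBuilder.getRawBeanDefinition().setSource(pc.extractSource(element));
    return fidsBuilder.getBeanDefinition();
}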
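/**
 * Builds the bean definition of a {@link DefaultFilterInvocationSecurityMetadataSource} from the
 * {@code <url>} children of {@code element}, or returns {@code null} when there are none.
 *
 * <p>Each {@code <url>} contributes a matcher built from its {@code pattern} and optional
 * {@code httpMethod} attributes, keyed to the comma-delimited attribute list in {@code resources};
 * a {@code <url>} without {@code resources} is ignored. A {@code resources} value of {@code none}
 * maps the pattern to an empty attribute list, i.e. the URL carries no access constraint from this
 * source (whether such a request is then admitted depends on the interceptor's public-invocation
 * setting). Entries are kept in document order and the resulting source answers with the first
 * matching pattern, so specific patterns must precede broad ones. A duplicate pattern is reported
 * and its earlier attributes overwritten, including when the later value is {@code none}.
 *
 * @param element the element holding the {@code <url>} children; its {@code path-type} attribute
 *        selects the {@link MatcherType} (default {@code ant})
 * @param pc parser context used for problem reporting and source tracking
 * @return the metadata-source bean definition, or {@code null} if no {@code <url>} child exists
 * @throws IllegalArgumentException if {@code path-type} names no {@link MatcherType}
 */
public static BeanDefinition createSecurityMetadataSource(Element element, ParserContext pc) {
    List<Element> filterPatterns = DomUtils.getChildElementsByTagName(element, "url");
    if (filterPatterns.isEmpty()) {
        return null;
    }
    String patternType = element.getAttribute("path-type");
    if (!StringUtils.hasText(patternType)) {
        patternType = "ant";
    }
    MatcherType matcherType = MatcherType.valueOf(patternType);
    ManagedMap<BeanDefinition, BeanDefinition> invocationDefinitionMap = new ManagedMap<BeanDefinition, BeanDefinition>();
    for (Element filterPattern : filterPatterns) {
        registerUrlPattern(filterPattern, matcherType, invocationDefinitionMap, pc);
    }
    BeanDefinitionBuilder fidsBuilder = BeanDefinitionBuilder.rootBeanDefinition(DefaultFilterInvocationSecurityMetadataSource.class);
    fidsBuilder.addConstructorArgValue(invocationDefinitionMap);
    fidsBuilder.getRawBeanDefinition().setSource(pc.extractSource(element));
    return fidsBuilder.getBeanDefinition();
}

/**
 * Adds one {@code <url>} element to {@code invocationDefinitionMap} as matcher bean -> attribute-list bean.
 * An empty {@code pattern} is reported and the element skipped; an element without {@code resources}
 * is ignored; a duplicate matcher is reported before its entry is overwritten.
 */
private static void registerUrlPattern(Element filterPattern, MatcherType matcherType,
        ManagedMap<BeanDefinition, BeanDefinition> invocationDefinitionMap, ParserContext pc) {
    String path = filterPattern.getAttribute("pattern");
    if (!StringUtils.hasText(path)) {
        pc.getReaderContext().error("pattern attribute cannot be empty or null", filterPattern);
        // Whether error() throws depends on the configured problem reporter; never register a
        // matcher for an empty pattern when it merely records the problem.
        return;
    }
    String method = filterPattern.getAttribute("httpMethod");
    if (!StringUtils.hasText(method)) {
        method = null;
    }
    String access = filterPattern.getAttribute("resources");
    if (!StringUtils.hasText(access)) {
        return;
    }
    BeanDefinition matcher = matcherType.createMatcher(path, method);
    // Warn for every overwrite, including a later "none" that removes an earlier constraint.
    if (invocationDefinitionMap.containsKey(matcher)) {
        pc.getReaderContext().warning("Duplicate URL defined: " + path + ". The original attribute values will be overwritten", pc.extractSource(filterPattern));
    }
    invocationDefinitionMap.put(matcher, attributeListDefinition(access));
}

/**
 * Bean definition of the attribute list for one URL: an empty list for {@code none}, otherwise the
 * {@link SecurityConfig} list produced from the comma-delimited {@code access} string.
 */
private static BeanDefinition attributeListDefinition(String access) {
    if (access.equals("none")) {
        return BeanDefinitionBuilder.rootBeanDefinition(Collections.class).setFactoryMethod("emptyList").getBeanDefinition();
    }
    BeanDefinitionBuilder attributeBuilder = BeanDefinitionBuilder.rootBeanDefinition(SecurityConfig.class);
    attributeBuilder.addConstructorArgValue(access);
    attributeBuilder.setFactoryMethod("createListFromCommaDelimitedString");
    return attributeBuilder.getBeanDefinition();
}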