Java源码示例 (Java source examples): org.apache.cxf.interceptor.security.AccessDeniedException — the exception CXF's authorizing interceptors throw to deny a request. The fault handlers and JAX-RS filters among the examples below map it to HTTP 403 (Forbidden); one handler distinguishes it from other SecurityExceptions, which it maps to 401.

示例1
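/**
 * Resolves the Java method the incoming request is going to invoke, so the caller can look
 * up the authorization constraints declared on it.
 *
 * <p>SOAP (JAX-WS) requests carry a {@link BindingOperationInfo} on the exchange, which is
 * mapped to a method through the service's {@link MethodDispatcher}. JAX-RS requests carry
 * the already-matched method under the {@code "org.apache.cxf.resource.method"} message
 * property; that lookup only sees the originally matched method, not a sub-resource method.
 *
 * <p>Every failure to resolve a method is reported as an {@link AccessDeniedException}
 * instead of a {@code NullPointerException} or a {@code null} return: an authorization
 * interceptor must fail closed, and a {@code null} method handed to the authorizer could
 * otherwise be mistaken for "no constraints declared".
 *
 * @param m the incoming message
 * @return the target method, never {@code null}
 * @throws AccessDeniedException if the method cannot be determined
 */
protected Method getTargetMethod(Message m) {
    // SOAP / JAX-WS path
    BindingOperationInfo bop = m.getExchange().get(BindingOperationInfo.class);
    if (bop != null) {
        Service service = m.getExchange().get(Service.class);
        MethodDispatcher md = null;
        if (service != null) {
            md = (MethodDispatcher) service.get(MethodDispatcher.class.getName());
        }
        Method dispatched = md == null ? null : md.getMethod(bop);
        if (dispatched != null) {
            return dispatched;
        }
        // Bound operation without a dispatchable method: deny rather than return null
        throw new AccessDeniedException("Method is not available : Unauthorized");
    }
    // JAX-RS path: the matched method was stored on the message. Only the original
    // method is visible here, not a sub-resource method.
    Method method = (Method) m.get("org.apache.cxf.resource.method");
    if (method != null) {
        return method;
    }
    throw new AccessDeniedException("Method is not available : Unauthorized");
}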
 
示例2
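/**
 * Authorizes the current request against its target method.
 *
 * <p>The request is allowed through only when a {@link SecurityContext} is present on the
 * message and {@code authorize} accepts it for the resolved method; everything else is
 * rejected with an {@link AccessDeniedException}.
 *
 * <p>This is a behavior change: previously a missing {@code SecurityContext} made the
 * interceptor return silently, so a request that reached it without an authenticated
 * context skipped authorization entirely. An authorizing interceptor must fail closed, so
 * that case now denies as well. Operations that are meant to be reachable anonymously
 * should be kept out of this interceptor rather than rely on the absence of a context.
 *
 * @param message the incoming message
 * @throws Fault declared by the interceptor contract
 * @throws AccessDeniedException when no security context is available, the target method
 *         cannot be resolved, or the caller is not authorized for it
 */
public void handleMessage(Message message) throws Fault
{
    SecurityContext sc = message.get(SecurityContext.class);
    if (sc == null)
    {
        // Fail closed: without an authenticated context no authorization decision is possible
        throw new AccessDeniedException("Unauthorized");
    }

    Method method = getTargetMethod(message);

    if (!authorize(sc, method))
    {
        throw new AccessDeniedException("Unauthorized");
    }
}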
 
示例3
/**
 * Looks up the method a request will invoke: through the service's {@link MethodDispatcher}
 * when a {@link BindingOperationInfo} is on the exchange (SOAP), otherwise through the
 * {@code "org.apache.cxf.resource.method"} property stored on the message (JAX-RS).
 *
 * @param m the incoming message
 * @return the resolved method; on the SOAP path this is whatever the dispatcher returns,
 *         which may be {@code null} if the operation has no mapped method
 * @throws AccessDeniedException if no JAX-RS method property is present
 */
protected Method getTargetMethod(Message m)
{
    BindingOperationInfo operation = m.getExchange().get(BindingOperationInfo.class);
    if (operation == null)
    {
        // JAX-RS: the matched resource method was stored on the message
        Object resourceMethod = m.get("org.apache.cxf.resource.method");
        if (resourceMethod == null)
        {
            throw new AccessDeniedException("Method is not available : Unauthorized");
        }
        return (Method) resourceMethod;
    }

    // SOAP: map the bound operation to its implementation method
    String dispatcherKey = MethodDispatcher.class.getName();
    MethodDispatcher dispatcher =
            (MethodDispatcher) m.getExchange().get(Service.class).get(dispatcherKey);
    return dispatcher.getMethod(operation);
}
 
示例4
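/**
 * Resolves the method the incoming request targets so its authorization constraints can be
 * checked. For SOAP requests the {@link BindingOperationInfo} on the exchange is mapped to a
 * method through the service's {@link MethodDispatcher}; for JAX-RS requests the matched
 * method has been stored on the message as the {@code "org.apache.cxf.resource.method"}
 * property by {@link org.apache.cxf.jaxrs.interceptor.JAXRSInInterceptor}.
 *
 * <p>Failing to resolve a method always results in an {@link AccessDeniedException}. A
 * missing service or dispatcher, or an operation with no mapped method, no longer surfaces
 * as a {@code NullPointerException} or a {@code null} return: a {@code null} method reaching
 * the authorizer would be easy to mistake for "no constraints declared".
 *
 * @param message incoming message
 * @return the target method, never {@code null}
 * @throws AccessDeniedException if no target method can be determined
 */
protected Method getTargetMethod(Message message) {
    BindingOperationInfo bop = message.getExchange().get(BindingOperationInfo.class);
    if (bop != null) {
        Service service = message.getExchange().get(Service.class);
        MethodDispatcher md = null;
        if (service != null) {
            md = (MethodDispatcher) service.get(MethodDispatcher.class.getName());
        }
        Method dispatched = md == null ? null : md.getMethod(bop);
        if (dispatched != null) {
            return dispatched;
        }
        // Deny instead of handing a null method to the caller
        log.error("The requested resource is not found. Please check the resource path etc..");
        throw new AccessDeniedException("Method is not available : Unauthorized");
    }
    Method method = (Method) message.get("org.apache.cxf.resource.method");
    if (method != null) {
        return method;
    }
    log.error("The requested resource is not found. Please check the resource path etc..");
    throw new AccessDeniedException("Method is not available : Unauthorized");
}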
 
示例5
/**
 * Finds the implementation method for the current request. A SOAP request is identified by
 * the {@link BindingOperationInfo} on the exchange and resolved through the service's
 * {@link MethodDispatcher}; a JAX-RS request carries the matched method in the
 * {@code "org.apache.cxf.resource.method"} property. The JAX-RS lookup only sees the method
 * that was originally matched, not a sub-resource method.
 *
 * @param m the incoming message
 * @return the target method; on the SOAP path this is the dispatcher's result as-is, which
 *         may be {@code null} when the operation has no mapped method
 * @throws AccessDeniedException if no JAX-RS method property is present
 */
protected Method getTargetMethod(Message m) {
    String resourceMethodKey = "org.apache.cxf.resource.method";
    BindingOperationInfo operation = m.getExchange().get(BindingOperationInfo.class);

    if (operation != null) {
        // SOAP: resolve through the dispatcher registered on the Service
        Service service = m.getExchange().get(Service.class);
        MethodDispatcher dispatcher =
                (MethodDispatcher) service.get(MethodDispatcher.class.getName());
        return dispatcher.getMethod(operation);
    }

    // JAX-RS: the matched method was stored on the message
    Object stored = m.get(resourceMethodKey);
    if (stored == null) {
        throw new AccessDeniedException("Method is not available : Unauthorized");
    }
    return (Method) stored;
}
 
示例6
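/**
 * Out-fault interceptor that converts a {@link SecurityException} raised earlier in the chain
 * into a bare HTTP error response and stops further processing.
 *
 * <p>{@link AccessDeniedException} (an authorization failure) is mapped to 403; any other
 * {@code SecurityException} is mapped to 401. Anything that is not a {@code SecurityException},
 * including a missing fault, is a programming error for this interceptor and is rethrown as
 * a {@link RuntimeException}.
 *
 * <p>The exception message is written as the response body, so only fixed, non-sensitive
 * messages (such as the {@code "Unauthorized"} strings used by the authorizing interceptors)
 * should reach this point; do not attach internal details to the exception. The body is
 * labelled {@code text/plain} and encoded as UTF-8 so a client cannot interpret it as HTML
 * and the bytes do not depend on the platform default charset. A {@code null} message is
 * written as an empty body instead of failing with a {@code NullPointerException}.
 *
 * @param message the out-fault message; its exception content is expected to be a
 *        {@link Fault} whose cause is a {@code SecurityException}
 * @throws Fault declared by the interceptor contract
 * @throws RuntimeException if the fault's cause is not a {@code SecurityException}
 */
public void handleMessage(Message message) throws Fault {
    Fault fault = (Fault) message.getContent(Exception.class);
    Throwable ex = fault == null ? null : fault.getCause();
    if (!(ex instanceof SecurityException)) {
        throw new RuntimeException("Security Exception is expected");
    }

    HttpServletResponse response = (HttpServletResponse) message.getExchange().getInMessage()
        .get(AbstractHTTPDestination.HTTP_RESPONSE);
    // AccessDeniedException is the authorization failure; any other SecurityException is
    // reported as "not authenticated".
    int status = ex instanceof AccessDeniedException ? 403 : 401;
    response.setStatus(status);
    response.setContentType("text/plain;charset=UTF-8");
    String body = ex.getMessage() == null ? "" : ex.getMessage();
    try {
        response.getOutputStream().write(body.getBytes("UTF-8"));
        response.getOutputStream().flush();
    } catch (IOException ignored) {
        // Best effort: the status is already set and a client that has gone away
        // cannot be told anything more.
    }

    message.getInterceptorChain().abort();
}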
 
示例7
/**
 * Non-SAML claims for {@code claimWithSpecificName}: a {@code role} claim holding
 * {@code admin} and {@code user} (plus a {@code password} authentication claim) is accepted,
 * and the same claim reduced to {@code user} alone is rejected with an
 * {@link AccessDeniedException}.
 */
@Test
public void testNonSAMLClaimDefaultNameAndFormat() throws Exception {
    org.apache.cxf.rt.security.claims.Claim roleClaim =
            new org.apache.cxf.rt.security.claims.Claim();
    roleClaim.setClaimType("role");
    roleClaim.setValues(Arrays.asList("admin", "user"));

    org.apache.cxf.rt.security.claims.Claim authClaim =
            new org.apache.cxf.rt.security.claims.Claim();
    authClaim.setClaimType("http://authentication");
    authClaim.setValues(Arrays.asList("password"));

    // admin + user: authorized
    interceptor.handleMessage(
            prepareMessage(TestService.class, "claimWithSpecificName", "role", roleClaim, authClaim));

    // user only: must be denied
    try {
        roleClaim.setValues(Arrays.asList("user"));
        interceptor.handleMessage(
                prepareMessage(TestService.class, "claimWithSpecificName", "role", roleClaim, authClaim));
        fail("AccessDeniedException expected");
    } catch (AccessDeniedException denied) {
        // expected
    }
}
 
示例8
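/**
 * {@code claimMatchAll} requires the default claim to carry all of its configured values:
 * {@code admin} together with {@code manager} is accepted, while {@code admin} alone and
 * {@code manager} alone are each rejected with an {@link AccessDeniedException}.
 *
 * <p>Each negative case gets its own try/catch. With both calls inside a single try block the
 * second one was never executed - the first {@code AccessDeniedException} jumped straight to
 * the catch - so the {@code manager}-only case was silently untested.
 */
@Test
public void testClaimMatchAll() throws Exception {
    doTestClaims("claimMatchAll",
            createDefaultClaim("admin", "manager"),
            createClaim("http://authentication", "http://claims", "password"));

    try {
        doTestClaims("claimMatchAll",
                createDefaultClaim("admin"),
                createClaim("http://authentication", "http://claims", "password"));
        fail("AccessDeniedException expected for 'admin' alone");
    } catch (AccessDeniedException ex) {
        // expected
    }

    try {
        doTestClaims("claimMatchAll",
                createDefaultClaim("manager"),
                createClaim("http://authentication", "http://claims", "password"));
        fail("AccessDeniedException expected for 'manager' alone");
    } catch (AccessDeniedException ex) {
        // expected
    }
}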
 
示例9
/**
 * {@code multipleClaims} accepts two different authentication/location combinations
 * ({@code smartcard}/{@code UK} and {@code password}/{@code USA}) for an {@code admin}
 * caller, and rejects {@code unsecuretransport}/{@code UK} with an
 * {@link AccessDeniedException}.
 */
@Test
public void testMultipleClaims() throws Exception {
    String operation = "multipleClaims";
    String authType = "http://authentication";
    String locationType = "http://location";
    String format = "http://claims";

    // Accepted combinations
    doTestClaims(operation,
                 createDefaultClaim("admin"),
                 createClaim(authType, format, "smartcard"),
                 createClaim(locationType, format, "UK"));
    doTestClaims(operation,
                 createDefaultClaim("admin"),
                 createClaim(authType, format, "password"),
                 createClaim(locationType, format, "USA"));

    // Rejected combination
    try {
        doTestClaims(operation,
                     createDefaultClaim("admin"),
                     createClaim(authType, format, "unsecuretransport"),
                     createClaim(locationType, format, "UK"));
        fail("AccessDeniedException expected");
    } catch (AccessDeniedException denied) {
        // expected
    }
}
 
示例10
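/**
 * Resolves the method the incoming request targets so its authorization constraints can be
 * checked. SOAP requests carry a {@link BindingOperationInfo} on the exchange, which is mapped
 * to a method through the service's {@link MethodDispatcher}; JAX-RS requests carry the
 * matched method as the {@code "org.apache.cxf.resource.method"} message property, set by
 * {@link org.apache.cxf.jaxrs.interceptor.JAXRSInInterceptor}.
 *
 * <p>Any failure to resolve a method results in an {@link AccessDeniedException}: a missing
 * service or dispatcher, or an operation with no mapped method, is denied rather than
 * surfacing as a {@code NullPointerException} or a {@code null} return that a caller could
 * mistake for "no constraints declared".
 *
 * @param message incoming message
 * @return the target method, never {@code null}
 * @throws AccessDeniedException if no target method can be determined
 */
protected Method getTargetMethod(Message message) {
    BindingOperationInfo bop = message.getExchange().get(BindingOperationInfo.class);
    if (bop != null) {
        Service service = message.getExchange().get(Service.class);
        MethodDispatcher md = null;
        if (service != null) {
            md = (MethodDispatcher) service.get(MethodDispatcher.class.getName());
        }
        Method dispatched = md == null ? null : md.getMethod(bop);
        if (dispatched != null) {
            return dispatched;
        }
        // Deny instead of handing a null method to the caller
        log.error("The requested resource is not found. Please check the resource path, etc");
        throw new AccessDeniedException("Method is not available: Unauthorized");
    }
    Method method = (Method) message.get("org.apache.cxf.resource.method");
    if (method != null) {
        return method;
    }
    log.error("The requested resource is not found. Please check the resource path, etc");
    throw new AccessDeniedException("Method is not available: Unauthorized");
}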
 
示例11
/**
 * Claims-based authorization entry point. Requires a {@link ClaimsSecurityContext} on the
 * message and a resolvable target method; anything else, and any negative {@code authorize}
 * decision, ends in an {@link AccessDeniedException} (fail closed).
 *
 * @param message the incoming message
 * @throws Fault declared by the interceptor contract
 * @throws AccessDeniedException if the security context is missing or not claims-based, the
 *         target method cannot be resolved, or the caller is not authorized
 */
public void handleMessage(Message message) throws Fault {
    SecurityContext securityContext = message.get(SecurityContext.class);
    if (!(securityContext instanceof ClaimsSecurityContext)) {
        throw new AccessDeniedException("Security Context is unavailable or unrecognized");
    }
    ClaimsSecurityContext claimsContext = (ClaimsSecurityContext) securityContext;

    Method target = MessageUtils.getTargetMethod(message)
            .orElseThrow(() -> new AccessDeniedException("Method is not available : Unauthorized"));

    boolean permitted = authorize(claimsContext, target);
    if (!permitted) {
        throw new AccessDeniedException("Unauthorized");
    }
}
 
示例12
/**
 * {@code claimWithDefaultNameAndFormat}: a default claim holding {@code admin} and
 * {@code user} (with a {@code password} authentication claim) is accepted; {@code user}
 * alone is rejected with an {@link AccessDeniedException}.
 */
@Test
public void testClaimDefaultNameAndFormat() throws Exception {
    String operation = "claimWithDefaultNameAndFormat";

    doTestClaims(operation,
                 createDefaultClaim("admin", "user"),
                 createClaim("http://authentication", "http://claims", "password"));

    boolean denied = false;
    try {
        doTestClaims(operation,
                     createDefaultClaim("user"),
                     createClaim("http://authentication", "http://claims", "password"));
    } catch (AccessDeniedException ex) {
        denied = true;
    }
    if (!denied) {
        fail("AccessDeniedException expected");
    }
}
 
示例13
/**
 * {@code claimWithDefaultNameAndFormat} needs the {@code http://authentication} claim as
 * well as the default claim: {@code admin} with a {@code password} authentication claim is
 * accepted, {@code admin} with no authentication claim at all is rejected with an
 * {@link AccessDeniedException}.
 */
@Test
public void testMissingExpectedClaim() throws Exception {
    String operation = "claimWithDefaultNameAndFormat";

    doTestClaims(operation,
            createDefaultClaim("admin"),
            createClaim("http://authentication", "http://claims", "password"));

    boolean denied = false;
    try {
        // Authentication claim omitted entirely
        doTestClaims(operation, createDefaultClaim("admin"));
    } catch (AccessDeniedException ex) {
        denied = true;
    }
    if (!denied) {
        fail("AccessDeniedException expected");
    }
}
 
示例14
/**
 * {@code claimWithSpecificNameAndFormat} only matches a claim named {@code http://cxf/roles}
 * in the {@code http://claims} format: that claim holding {@code admin} and {@code user} is
 * accepted, while the same values on the default claim are rejected with an
 * {@link AccessDeniedException}.
 */
@Test
public void testClaimSpecificNameAndFormat() throws Exception {
    String operation = "claimWithSpecificNameAndFormat";
    String format = "http://claims";

    doTestClaims(operation,
            createClaim("http://cxf/roles", format, "admin", "user"),
            createClaim("http://authentication", format, "password"));

    boolean denied = false;
    try {
        doTestClaims(operation,
                createDefaultClaim("admin", "user"),
                createClaim("http://authentication", format, "password"));
    } catch (AccessDeniedException ex) {
        denied = true;
    }
    if (!denied) {
        fail("AccessDeniedException expected");
    }
}
 
示例15
/**
 * {@code claimLaxMode}: an absent authentication claim and a {@code password} value are both
 * accepted, but a present claim with the wrong value ({@code smartcard}) is still rejected
 * with an {@link AccessDeniedException}.
 */
@Test
public void testClaimLaxMode() throws Exception {
    String operation = "claimLaxMode";
    String authType = "http://authentication";
    String format = "http://claims";

    doTestClaims(operation, createClaim(authType, format, "password"));
    doTestClaims(operation);

    boolean denied = false;
    try {
        doTestClaims(operation, createClaim(authType, format, "smartcard"));
    } catch (AccessDeniedException ex) {
        denied = true;
    }
    if (!denied) {
        fail("AccessDeniedException expected");
    }
}
 
示例16
/**
 * One message passes both a role-annotation check ({@link SecureAnnotationsInterceptor}
 * driven by {@link SecureRole}) and a claims check ({@link ClaimsAuthorizingInterceptor}
 * configured with claim {@code a}/{@code b}/{@code c} for operation {@code test}) when the
 * caller has the {@code admin} default claim plus that claim. A caller with only the
 * {@code user} default claim is rejected by the role check with an
 * {@link AccessDeniedException}.
 */
@Test
public void testUserInRoleAndClaims() throws Exception {
    SecureAnnotationsInterceptor roleInterceptor = new SecureAnnotationsInterceptor();
    roleInterceptor.setAnnotationClassName(SecureRole.class.getName());
    roleInterceptor.setSecuredObject(new TestService2());

    Message adminMessage = prepareMessage(TestService2.class, "test",
            createDefaultClaim("admin"),
            createClaim("a", "b", "c"));
    roleInterceptor.handleMessage(adminMessage);

    SAMLClaim requiredClaim = new SAMLClaim();
    requiredClaim.setNameFormat("a");
    requiredClaim.setName("b");
    requiredClaim.addValue("c");
    ClaimBean requiredBean = new ClaimBean(requiredClaim, "a", null, false);

    ClaimsAuthorizingInterceptor claimsInterceptor = new ClaimsAuthorizingInterceptor();
    claimsInterceptor.setClaims(
            Collections.singletonMap("test", Collections.singletonList(requiredBean)));
    claimsInterceptor.handleMessage(adminMessage);

    try {
        Message userMessage = prepareMessage(TestService2.class, "test",
                createDefaultClaim("user"));
        roleInterceptor.handleMessage(userMessage);
        fail("AccessDeniedException expected");
    } catch (AccessDeniedException denied) {
        // expected
    }
}
 
示例17
/**
 * JAX-RS request filter that runs the wrapped authorizing interceptor on the current message
 * and turns its {@link AccessDeniedException} into an empty {@code 403 Forbidden} response.
 * Any other exception the interceptor throws is left to propagate. The response carries no
 * body, so nothing about why the request was denied is revealed to the caller.
 *
 * @param context the request being filtered
 */
@Override
public void filter(ContainerRequestContext context) {
    Message current = JAXRSUtils.getCurrentMessage();
    boolean denied = false;
    try {
        interceptor.handleMessage(current);
    } catch (AccessDeniedException ex) {
        denied = true;
    }
    if (denied) {
        context.abortWith(Response.status(Response.Status.FORBIDDEN).build());
    }
}
 
示例18
/**
 * JAX-RS request filter delegating to the wrapped authorizing interceptor. An
 * {@link AccessDeniedException} aborts the request with an empty {@code 403 Forbidden}
 * response; other exceptions propagate unchanged.
 *
 * @param context the request being filtered
 */
@Override
public void filter(ContainerRequestContext context) {
    try {
        interceptor.handleMessage(JAXRSUtils.getCurrentMessage());
        return;
    } catch (AccessDeniedException denied) {
        // fall through to the 403 below; no body, so the reason is not echoed
    }
    Response forbidden = Response.status(Response.Status.FORBIDDEN).build();
    context.abortWith(forbidden);
}
 
示例19
/**
 * Role-based authorization. Requires a {@link LoginSecurityContext} on the message; the role
 * names passed to {@code authorize} are taken from the context's role principals, skipping
 * null entries and any entry whose name equals the user principal's own name (presumably to
 * drop the user principal when the login module lists it among the roles). A context of any
 * other type, an exception from {@code authorize}, or a negative decision all end in an
 * {@link AccessDeniedException}.
 *
 * @param message the incoming message
 * @throws Fault declared by the interceptor contract
 * @throws AccessDeniedException when the request is not authorized
 */
public void handleMessage(Message message) throws Fault {
    SecurityContext sc = message.get(SecurityContext.class);

    if (!(sc instanceof LoginSecurityContext)) {
        LOG.log(
            Level.FINE,
            "The SecurityContext was not an instance of LoginSecurityContext. No authorization "
            + "is possible as a result"
        );
        throw new AccessDeniedException("Unauthorized");
    }

    LoginSecurityContext loginContext = (LoginSecurityContext) sc;
    Principal user = loginContext.getUserPrincipal();
    String userName = user == null ? null : user.getName();

    List<String> roleNames = new ArrayList<>();
    Set<Principal> rolePrincipals = loginContext.getUserRoles();
    if (rolePrincipals != null) {
        for (Principal role : rolePrincipals) {
            String roleName = role == null ? null : role.getName();
            // The user principal itself is not a role
            if (roleName != null && !roleName.equals(userName)) {
                roleNames.add(roleName);
            }
        }
    }

    boolean permitted;
    try {
        permitted = authorize(user, roleNames, message);
    } catch (Exception e) {
        // Any failure inside the authorizer is treated as a denial
        LOG.log(Level.FINE, "Unauthorized: " + e.getMessage(), e);
        throw new AccessDeniedException("Unauthorized");
    }
    if (!permitted) {
        throw new AccessDeniedException("Unauthorized");
    }
}
 
示例20
/**
 * Finds the method the incoming request will invoke. SOAP requests are identified by a
 * {@link BindingOperationInfo} on the exchange and resolved through the service's
 * {@link MethodDispatcher}; JAX-RS requests carry the matched method in the
 * {@code "org.apache.cxf.resource.method"} property, set by
 * {@link org.apache.cxf.jaxrs.interceptor.JAXRSInInterceptor}.
 *
 * @param message incoming message
 * @return the target method; on the SOAP path this is the dispatcher's result as-is, which
 *         may be {@code null} when the operation has no mapped method
 * @throws AccessDeniedException if no JAX-RS method property is present
 */
protected Method getTargetMethod(Message message) {
    BindingOperationInfo operation = message.getExchange().get(BindingOperationInfo.class);

    if (operation != null) {
        // SOAP: resolve through the dispatcher registered on the Service
        Service service = message.getExchange().get(Service.class);
        MethodDispatcher dispatcher =
                (MethodDispatcher) service.get(MethodDispatcher.class.getName());
        return dispatcher.getMethod(operation);
    }

    // JAX-RS: the matched method was stored on the message
    Object stored = message.get("org.apache.cxf.resource.method");
    if (stored == null) {
        log.error("The requested resource is not found. Please check the resource path etc..");
        throw new AccessDeniedException("Method is not available : Unauthorized");
    }
    return (Method) stored;
}
 
示例21
/**
 * Maps {@link AccessDeniedException} to an empty {@code 403 Forbidden} response. The
 * exception's message is deliberately not sent to the client.
 *
 * @param exception the exception being mapped (not inspected)
 * @return a response with status 403 and no entity
 */
public Response toResponse(AccessDeniedException exception) {
    Response.ResponseBuilder forbidden = Response.status(Response.Status.FORBIDDEN);
    return forbidden.build();
}