org.granite.spring.security.SpringSecurity3Service Maven / Gradle / Ivy
The newest version!
/**
* GRANITE DATA SERVICES
* Copyright (C) 2006-2014 GRANITE DATA SERVICES S.A.S.
*
* This file is part of the Granite Data Services Platform.
*
* Granite Data Services is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* Granite Data Services is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser
* General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
* USA, or see params) {
log.debug("Configuring with parameters %s: ", params);
if (params.containsKey("authentication-manager-bean-name"))
authenticationExtension.setAuthenticationManagerBeanName(params.get("authentication-manager-bean-name"));
if (Boolean.TRUE.toString().equals(params.get("allow-anonymous-access")))
allowAnonymousAccess = true;
}
public Principal login(Object credentials, String charset) {
List decodedCredentials = Arrays.asList(decodeBase64Credentials(credentials, charset));
if (!(GraniteContext.getCurrentInstance() instanceof HttpGraniteContext)) {
log.debug("Login from non HTTP granite context ignored");
return null;
}
HttpGraniteContext graniteContext = (HttpGraniteContext)GraniteContext.getCurrentInstance();
HttpServletRequest httpRequest = graniteContext.getRequest();
boolean springFilterNotApplied = graniteContext.getRequest().getAttribute(FILTER_APPLIED) == null;
ApplicationContext appContext = applicationContext != null ? applicationContext
: WebApplicationContextUtils.getWebApplicationContext(graniteContext.getServletContext());
if (appContext == null)
throw new IllegalStateException("No application context defined for Spring security service");
authenticationExtension.setApplicationContext(appContext);
String user = decodedCredentials.get(0);
String password = decodedCredentials.get(1);
if (passwordEncoder != null)
password = passwordEncoder.encodePassword(password, null);
Authentication auth = authenticationExtension.buildAuthentication(user, password);
Principal principal = null;
AuthenticationManager authenticationManager = authenticationExtension.selectAuthenticationManager(auth);
try {
Authentication authentication = authenticationManager.authenticate(auth);
if (authentication != null && !authenticationTrustResolver.isAnonymous(authentication)) {
try {
sessionAuthenticationStrategy.onAuthentication(authentication, httpRequest, graniteContext.getResponse());
}
catch (SessionAuthenticationException e) {
log.debug(e, "SessionAuthenticationStrategy rejected the authentication object");
SecurityContextHolder.clearContext();
handleAuthenticationExceptions(e);
return null;
}
}
log.debug("Define authentication and save to repo: %s", authentication != null ? authentication.getName() : "none");
HttpRequestResponseHolder holder = new HttpRequestResponseHolder(graniteContext.getRequest(), graniteContext.getResponse());
SecurityContext securityContext = securityContextRepository.loadContext(holder);
securityContext.setAuthentication(authentication);
SecurityContextHolder.setContext(securityContext);
principal = authentication;
graniteContext.setPrincipal(principal);
try {
securityContextRepository.saveContext(securityContext, (HttpServletRequest)getRequest.invoke(holder), (HttpServletResponse)getResponse.invoke(holder));
}
catch (Exception e) {
log.error(e, "Could not save context after authentication");
}
if (eventPublisher != null)
eventPublisher.publishEvent(new AuthenticationSuccessEvent(authentication));
endLogin(credentials, charset);
}
catch (AuthenticationException e) {
handleAuthenticationExceptions(e);
}
finally {
// Should not cleanup when authentication managed by the Spring filter
if (springFilterNotApplied) {
log.debug("Clear authentication after login");
SecurityContextHolder.clearContext();
}
}
log.debug("User %s logged in", user);
return principal;
}
protected void handleAuthenticationExceptions(AuthenticationException e) {
if (e instanceof BadCredentialsException || e instanceof UsernameNotFoundException)
throw SecurityServiceException.newInvalidCredentialsException(e.getMessage());
throw SecurityServiceException.newAuthenticationFailedException(e.getMessage());
}
public Object authorize(AbstractSecurityContext context) throws Exception {
log.debug("Authorize %s on destination %s (secured: %b)", context, context.getDestination().getId(), context.getDestination().isSecured());
startAuthorization(context);
ServletGraniteContext graniteContext = (ServletGraniteContext)GraniteContext.getCurrentInstance();
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
HttpRequestResponseHolder holder = null;
boolean springFilterNotApplied = graniteContext.getRequest().getAttribute(FILTER_APPLIED) == null;
boolean reentrant = graniteContext.getRequest().getAttribute(SECURITY_SERVICE_APPLIED) != null;
// Manage security context here only if the Spring security filter has not already been applied and if we are not reentrant
try {
if (springFilterNotApplied && !reentrant) {
holder = new HttpRequestResponseHolder(graniteContext.getRequest(), graniteContext.getResponse());
SecurityContext contextBeforeChainExecution = securityContextRepository.loadContext(holder);
SecurityContextHolder.setContext(contextBeforeChainExecution);
graniteContext.getRequest().setAttribute(SECURITY_SERVICE_APPLIED, true);
if (isAuthenticated(authentication)) {
log.debug("Thread was already authenticated: %s", authentication.getName());
contextBeforeChainExecution.setAuthentication(authentication);
}
else {
authentication = contextBeforeChainExecution.getAuthentication();
log.debug("Restore authentication from repository: %s", authentication != null ? authentication.getName() : "none");
}
graniteContext.setPrincipal(authentication);
}
if (context.getDestination().isSecured()) {
if (!isAuthenticated(authentication) || (!allowAnonymousAccess && authentication instanceof AnonymousAuthenticationToken)) {
log.debug("User not authenticated!");
throw SecurityServiceException.newNotLoggedInException("User not logged in");
}
if (!userCanAccessService(context, authentication)) {
log.debug("Access denied for user %s", authentication != null ? authentication.getName() : "not authenticated");
throw SecurityServiceException.newAccessDeniedException("User not in required role");
}
}
Object returnedObject = securityInterceptor != null
? securityInterceptor.invoke(context)
: endAuthorization(context);
return returnedObject;
}
catch (SecurityServiceException e) {
throw e;
}
catch (AccessDeniedException e) {
throw SecurityServiceException.newAccessDeniedException(e.getMessage());
}
catch (InvocationTargetException e) {
handleAuthorizationExceptions(e);
throw e;
}
finally {
if (springFilterNotApplied && !reentrant) {
SecurityContext contextAfterChainExecution = SecurityContextHolder.getContext();
log.debug("Clear authentication and save to repo: %s", contextAfterChainExecution.getAuthentication() != null ? contextAfterChainExecution.getAuthentication().getName() : "none");
SecurityContextHolder.clearContext();
try {
securityContextRepository.saveContext(contextAfterChainExecution, (HttpServletRequest)getRequest.invoke(holder), (HttpServletResponse)getResponse.invoke(holder));
}
catch (Exception e) {
log.error(e, "Could not extract wrapped context from holder");
}
graniteContext.getRequest().removeAttribute(SECURITY_SERVICE_APPLIED);
}
}
}
@Override
public boolean acceptsContext() {
return GraniteContext.getCurrentInstance() instanceof ServletGraniteContext;
}
public void logout() {
ServletGraniteContext graniteContext = (ServletGraniteContext)GraniteContext.getCurrentInstance();
boolean springFilterNotApplied = graniteContext.getRequest().getAttribute(FILTER_APPLIED) == null;
HttpSession session = graniteContext.getSession(false);
try {
if (session != null && securityContextRepository.containsContext(graniteContext.getRequest())) {
authenticationExtension.endSession(session);
session.invalidate();
}
}
catch (IllegalStateException e) {
// Session already invalid
}
if (springFilterNotApplied)
SecurityContextHolder.clearContext();
}
protected boolean isUserInRole(Authentication authentication, String role) {
for (GrantedAuthority ga : authentication.getAuthorities()) {
if (ga.getAuthority().matches(role))
return true;
}
return false;
}
protected boolean isAuthenticated(Authentication authentication) {
return authentication != null && authentication.isAuthenticated();
}
protected boolean userCanAccessService(AbstractSecurityContext context, Authentication authentication) {
log.debug("Is authenticated as: %s", authentication.getName());
for (String role : context.getDestination().getRoles()) {
if (isUserInRole(authentication, role)) {
log.debug("Allowed access to %s in role %s", authentication.getName(), role);
return true;
}
log.debug("Access denied for %s not in role %s", authentication.getName(), role);
}
return false;
}
protected void handleAuthorizationExceptions(InvocationTargetException e) {
for (Throwable t = e; t != null; t = t.getCause()) {
// Don't create a dependency to javax.ejb in SecurityService...
if (t instanceof SecurityException ||
t instanceof AccessDeniedException ||
"javax.ejb.EJBAccessException".equals(t.getClass().getName())) {
throw SecurityServiceException.newAccessDeniedException(t.getMessage());
}
else if (t instanceof AuthenticationException) {
throw SecurityServiceException.newNotLoggedInException(t.getMessage());
}
}
}
public static class DefaultAuthenticationExtension implements AuthenticationExtension {
private ApplicationContext applicationContext = null;
private AuthenticationManager authenticationManager = null;
private String authenticationManagerBeanName = null;
public void setApplicationContext(ApplicationContext applicationContext) {
this.applicationContext = applicationContext;
}
public void setAuthenticationManager(AuthenticationManager authenticationManager) {
this.authenticationManager = authenticationManager;
}
public void setAuthenticationManagerBeanName(String authenticationManagerBeanName) {
this.authenticationManagerBeanName = authenticationManagerBeanName;
}
@Override
public Authentication buildAuthentication(String user, String password) {
return new UsernamePasswordAuthenticationToken(user, password);
}
@Override
public AuthenticationManager selectAuthenticationManager(Authentication authentication) {
if (this.authenticationManager != null)
return this.authenticationManager;
Map authManagers = BeanFactoryUtils.beansOfTypeIncludingAncestors(applicationContext, AuthenticationManager.class);
if (authenticationManagerBeanName != null) {
AuthenticationManager authenticationManager = authManagers.get(authenticationManagerBeanName);
if (authenticationManager == null) {
log.error("AuthenticationManager bean not found " + authenticationManagerBeanName);
throw SecurityServiceException.newAuthenticationFailedException("Authentication failed");
}
return authenticationManager;
}
else if (authManagers.size() > 1) {
log.error("More than one AuthenticationManager beans found, specify which one to use in Spring config © 2015 - 2025 Weber Informatics LLC | Privacy Policy