• Home
• org.springframework.security
• spring-security-web
• 5.1.2.RELEASE
• source code
• ExpressionBasedFilterInvocationSecurityMetadataSource.java

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

org.springframework.security.web.access.expression.ExpressionBasedFilterInvocationSecurityMetadataSource Maven / Gradle / Ivy

/*
 * Copyright 2002-2018 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.springframework.security.web.access.expression;

import java.util.ArrayList;
import java.util.Collection;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

import org.springframework.expression.ExpressionParser;
import org.springframework.expression.ParseException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.expression.SecurityExpressionHandler;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.DefaultFilterInvocationSecurityMetadataSource;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.security.web.util.matcher.RequestVariablesExtractor;
import org.springframework.util.Assert;

/**
 * Expression-based {@code FilterInvocationSecurityMetadataSource}.
 *
 * @author Luke Taylor
 * @since 3.0
 */
public final class ExpressionBasedFilterInvocationSecurityMetadataSource
		extends DefaultFilterInvocationSecurityMetadataSource {
	private final static Log logger = LogFactory
			.getLog(ExpressionBasedFilterInvocationSecurityMetadataSource.class);

	public ExpressionBasedFilterInvocationSecurityMetadataSource(
			LinkedHashMap> requestMap,
			SecurityExpressionHandler expressionHandler) {
		super(processMap(requestMap, expressionHandler.getExpressionParser()));
		Assert.notNull(expressionHandler,
				"A non-null SecurityExpressionHandler is required");
	}

	private static LinkedHashMap> processMap(
			LinkedHashMap> requestMap,
			ExpressionParser parser) {
		Assert.notNull(parser, "SecurityExpressionHandler returned a null parser object");

		LinkedHashMap> requestToExpressionAttributesMap = new LinkedHashMap>(
				requestMap);

		for (Map.Entry> entry : requestMap
				.entrySet()) {
			RequestMatcher request = entry.getKey();
			Assert.isTrue(entry.getValue().size() == 1,
					() -> "Expected a single expression attribute for " + request);
			ArrayList attributes = new ArrayList<>(1);
			String expression = entry.getValue().toArray(new ConfigAttribute[1])[0]
					.getAttribute();
			logger.debug("Adding web access control expression '" + expression + "', for "
					+ request);

			AbstractVariableEvaluationContextPostProcessor postProcessor = createPostProcessor(
					request);
			try {
				attributes.add(new WebExpressionConfigAttribute(
						parser.parseExpression(expression), postProcessor));
			}
			catch (ParseException e) {
				throw new IllegalArgumentException(
						"Failed to parse expression '" + expression + "'");
			}

			requestToExpressionAttributesMap.put(request, attributes);
		}

		return requestToExpressionAttributesMap;
	}

	private static AbstractVariableEvaluationContextPostProcessor createPostProcessor(
			Object request) {
		if (request instanceof RequestVariablesExtractor) {
			return new RequestVariablesExtractorEvaluationContextPostProcessor(
					(RequestVariablesExtractor) request);
		}
		return null;
	}

	static class AntPathMatcherEvaluationContextPostProcessor
			extends AbstractVariableEvaluationContextPostProcessor {
		private final AntPathRequestMatcher matcher;

		public AntPathMatcherEvaluationContextPostProcessor(
				AntPathRequestMatcher matcher) {
			this.matcher = matcher;
		}

		@Override
		Map extractVariables(HttpServletRequest request) {
			return this.matcher.extractUriTemplateVariables(request);
		}
	}

	static class RequestVariablesExtractorEvaluationContextPostProcessor
			extends AbstractVariableEvaluationContextPostProcessor {
		private final RequestVariablesExtractor matcher;

		public RequestVariablesExtractorEvaluationContextPostProcessor(
				RequestVariablesExtractor matcher) {
			this.matcher = matcher;
		}

		@Override
		Map extractVariables(HttpServletRequest request) {
			return this.matcher.extractUriTemplateVariables(request);
		}
	}

}