org.apache.cxf.interceptor.security.AccessDeniedException Java Examples

Example #1
Source File: AuthorizationHandler.java    From geofence with GNU General Public License v2.0 6 votes vote down vote up
/**
 * Authorizes the current invocation against the message's {@link SecurityContext}.
 *
 * <p>Returns normally when {@code authorize} accepts the target method, and also
 * when the message carries no SecurityContext at all. NOTE(review): that second
 * case is fail-open (the request proceeds without an authorization decision);
 * confirm an upstream interceptor always populates the context before relying on
 * this handler as the sole gate.
 *
 * @param message the inbound CXF message
 * @throws AccessDeniedException if the target method is not authorized for the
 *         current security context (or cannot be resolved by {@code getTargetMethod})
 */
public void handleMessage(Message message) throws Fault
{
    SecurityContext securityContext = message.get(SecurityContext.class);
    if (securityContext != null)
    {
        Method target = getTargetMethod(message);
        if (!authorize(securityContext, target))
        {
            throw new AccessDeniedException("Unauthorized");
        }
    }
}
 
Example #2
Source File: ClaimsAuthorizingInterceptorTest.java    From cxf with Apache License 2.0 6 votes vote down vote up
/**
 * Checks the "multipleClaims" operation: two claim sets that each satisfy every
 * required claim are authorized, while a set carrying an unaccepted
 * authentication value ("unsecuretransport") is denied.
 */
@Test
public void testMultipleClaims() throws Exception {
    // Both combinations satisfy the configured claims.
    doTestClaims("multipleClaims",
            createDefaultClaim("admin"),
            createClaim("http://authentication", "http://claims", "smartcard"),
            createClaim("http://location", "http://claims", "UK"));
    doTestClaims("multipleClaims",
            createDefaultClaim("admin"),
            createClaim("http://authentication", "http://claims", "password"),
            createClaim("http://location", "http://claims", "USA"));

    // An unaccepted authentication value must be refused.
    try {
        doTestClaims("multipleClaims",
                createDefaultClaim("admin"),
                createClaim("http://authentication", "http://claims", "unsecuretransport"),
                createClaim("http://location", "http://claims", "UK"));
    } catch (AccessDeniedException expected) {
        return;
    }
    fail("AccessDeniedException expected");
}
 
Example #3
Source File: ClaimsAuthorizingInterceptorTest.java    From cxf with Apache License 2.0 6 votes vote down vote up
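/**
 * Checks the "claimMatchAll" operation, which requires every listed role value
 * to be present: "admin" and "manager" together are authorized, while either
 * value on its own is denied.
 *
 * <p>The two denied cases are verified independently: when they share one
 * try block the second call is never reached, because the first is expected
 * to throw, so the "manager"-only case would go untested.
 */
@Test
public void testClaimMatchAll() throws Exception {
    doTestClaims("claimMatchAll",
            createDefaultClaim("admin", "manager"),
            createClaim("http://authentication", "http://claims", "password"));

    // "admin" alone must be denied.
    try {
        doTestClaims("claimMatchAll",
                createDefaultClaim("admin"),
                createClaim("http://authentication", "http://claims", "password"));
        fail("AccessDeniedException expected for admin-only claim");
    } catch (AccessDeniedException ex) {
        // expected
    }

    // "manager" alone must be denied as well.
    try {
        doTestClaims("claimMatchAll",
                createDefaultClaim("manager"),
                createClaim("http://authentication", "http://claims", "password"));
        fail("AccessDeniedException expected for manager-only claim");
    } catch (AccessDeniedException ex) {
        // expected
    }
}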
 
Example #4
Source File: ClaimsAuthorizingInterceptorTest.java    From cxf with Apache License 2.0 6 votes vote down vote up
/**
 * Checks a plain (non-SAML) CXF {@code Claim} against the "claimWithSpecificName"
 * operation: a "role" claim holding "admin" and "user" is authorized, while the
 * same claim reduced to "user" only is denied.
 */
@Test
public void testNonSAMLClaimDefaultNameAndFormat() throws Exception {
    org.apache.cxf.rt.security.claims.Claim roleClaim =
            new org.apache.cxf.rt.security.claims.Claim();
    roleClaim.setClaimType("role");
    roleClaim.setValues(Arrays.asList("admin", "user"));

    org.apache.cxf.rt.security.claims.Claim authClaim =
            new org.apache.cxf.rt.security.claims.Claim();
    authClaim.setClaimType("http://authentication");
    authClaim.setValues(Arrays.asList("password"));

    // Authorized: the role claim carries the required value.
    Message authorized = prepareMessage(TestService.class, "claimWithSpecificName",
            "role", roleClaim, authClaim);
    interceptor.handleMessage(authorized);

    // Denied: the same claim object now carries only "user".
    try {
        roleClaim.setValues(Arrays.asList("user"));
        Message denied = prepareMessage(TestService.class, "claimWithSpecificName",
                "role", roleClaim, authClaim);
        interceptor.handleMessage(denied);
    } catch (AccessDeniedException expected) {
        return;
    }
    fail("AccessDeniedException expected");
}
 
Example #5
Source File: SecurityOutFaultInterceptor.java    From cxf with Apache License 2.0 6 votes vote down vote up
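/**
 * Turns a security failure raised on the in-chain into an HTTP error response.
 *
 * <p>The fault's cause must be a {@link SecurityException}: an
 * {@link AccessDeniedException} maps to 403, any other SecurityException to 401.
 * The exception message is written as the response body (UTF-8), and the
 * interceptor chain is aborted so no further fault processing runs.
 *
 * @param message the outbound fault message; its {@code Exception} content is the Fault
 * @throws RuntimeException if the fault's cause is not a SecurityException
 */
public void handleMessage(Message message) throws Fault {
    Fault fault = (Fault)message.getContent(Exception.class);
    Throwable ex = fault.getCause();
    if (!(ex instanceof SecurityException)) {
        throw new RuntimeException("Security Exception is expected");
    }

    HttpServletResponse response = (HttpServletResponse)message.getExchange().getInMessage()
        .get(AbstractHTTPDestination.HTTP_RESPONSE);
    int status = ex instanceof AccessDeniedException ? 403 : 401;
    response.setStatus(status);

    // getMessage() may be null; send an empty body rather than fail with an NPE.
    // NOTE(review): the body echoes the exception text to the client, so the
    // throwing side should keep these messages generic (no internal detail).
    String body = ex.getMessage() == null ? "" : ex.getMessage();
    try {
        java.io.OutputStream out = response.getOutputStream();
        // Explicit charset: the no-arg getBytes() depends on the platform default.
        out.write(body.getBytes(java.nio.charset.StandardCharsets.UTF_8));
        out.flush();
    } catch (IOException ignored) {
        // Best effort: the status is already set and the chain is aborted below
        // regardless of whether the body could be written.
    }

    message.getInterceptorChain().abort();
}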
 
Example #6
Source File: NetworkAddressValidatingInterceptor.java    From sakai with Educational Community License v2.0 6 votes vote down vote up
/**
 * Resolves the Java method the inbound message is addressed to.
 *
 * <p>SOAP invocations carry a {@link BindingOperationInfo} on the exchange, which
 * is mapped through the service's {@link MethodDispatcher}; JAX-RS invocations
 * expose the selected method under the "org.apache.cxf.resource.method" message
 * property. For JAX-RS sub-resources only the root resource method is visible
 * here, as the lookup is not repeated for the sub-resource.
 *
 * @param m the inbound message
 * @return the target method
 * @throws AccessDeniedException if no target method can be determined; the
 *         request is refused rather than passed through unchecked
 */
protected Method getTargetMethod(Message m) {
    BindingOperationInfo operation = m.getExchange().get(BindingOperationInfo.class);
    if (operation == null) {
        // JAX-RS: the resource method selected for this request lives on the message
        Method resourceMethod = (Method) m.get("org.apache.cxf.resource.method");
        if (resourceMethod == null) {
            throw new AccessDeniedException("Method is not available : Unauthorized");
        }
        return resourceMethod;
    }
    // SOAP: map the binding operation through the service's dispatcher
    Object dispatcher = m.getExchange().get(Service.class).get(MethodDispatcher.class.getName());
    return ((MethodDispatcher) dispatcher).getMethod(operation);
}
 
Example #7
Source File: StratosAuthorizingHandler.java    From attic-stratos with Apache License 2.0 6 votes vote down vote up
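/**
 * Returns the Java method targeted by the current invocation.
 *
 * <p>For SOAP invocations the method is derived from the exchange's
 * {@link BindingOperationInfo} through the service's {@link MethodDispatcher};
 * for JAX-RS invocations it is read from the "org.apache.cxf.resource.method"
 * message property, which is set by
 * {@link org.apache.cxf.jaxrs.interceptor.JAXRSInInterceptor}.
 *
 * @param message incoming message
 * @return the resolved target method
 * @throws AccessDeniedException if the target method cannot be resolved; the
 *         invocation is refused (fail closed) rather than allowed to proceed
 */
protected Method getTargetMethod(Message message) {
    BindingOperationInfo bop = message.getExchange().get(BindingOperationInfo.class);
    if (bop != null) {
        // A missing Service or MethodDispatcher previously surfaced as an NPE
        // (i.e. a generic fault); treat it as "method not available" instead.
        Service service = message.getExchange().get(Service.class);
        MethodDispatcher md = service == null
                ? null
                : (MethodDispatcher) service.get(MethodDispatcher.class.getName());
        if (md != null) {
            return md.getMethod(bop);
        }
    }
    Method method = (Method) message.get("org.apache.cxf.resource.method");
    if (method != null) {
        return method;
    }
    log.error("The requested resource is not found. Please check the resource path etc..");
    throw new AccessDeniedException("Method is not available : Unauthorized");
}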
 
Example #8
Source File: AuthorizationHandler.java    From geofence with GNU General Public License v2.0 6 votes vote down vote up
/**
 * Resolves the Java method the inbound message is addressed to: via the
 * exchange's {@link BindingOperationInfo} and the service's
 * {@link MethodDispatcher} for SOAP, or via the "org.apache.cxf.resource.method"
 * message property for JAX-RS.
 *
 * @param m the inbound message
 * @return the target method
 * @throws AccessDeniedException if neither lookup yields a method; the request
 *         is refused rather than passed through without an authorization check
 */
protected Method getTargetMethod(Message m)
{
    BindingOperationInfo operation = m.getExchange().get(BindingOperationInfo.class);
    if (operation == null)
    {
        // JAX-RS path: the selected resource method is stored on the message
        Method resourceMethod = (Method) m.get("org.apache.cxf.resource.method");
        if (resourceMethod != null)
        {
            return resourceMethod;
        }
        throw new AccessDeniedException("Method is not available : Unauthorized");
    }

    // SOAP path: map the binding operation through the service's dispatcher
    Object dispatcher = m.getExchange().get(Service.class).get(MethodDispatcher.class.getName());
    return ((MethodDispatcher) dispatcher).getMethod(operation);
}
 
Example #9
Source File: NetworkAddressValidatingInterceptor.java    From sakai with Educational Community License v2.0 6 votes vote down vote up
/**
 * Looks up the Java method this message will invoke.
 *
 * <p>The SOAP path maps the exchange's {@link BindingOperationInfo} through the
 * service's {@link MethodDispatcher}; the JAX-RS path reads the selected method
 * from the "org.apache.cxf.resource.method" message property. JAX-RS
 * sub-resources are not covered: only the root resource method is recorded there.
 *
 * @param m the inbound message
 * @return the target method
 * @throws AccessDeniedException if no target method can be determined
 */
protected Method getTargetMethod(Message m) {
    BindingOperationInfo operation = m.getExchange().get(BindingOperationInfo.class);
    if (operation != null) {
        // SOAP
        MethodDispatcher dispatcher = (MethodDispatcher) m.getExchange()
                .get(Service.class)
                .get(MethodDispatcher.class.getName());
        return dispatcher.getMethod(operation);
    }

    // JAX-RS (root resource method only)
    Method resourceMethod = (Method) m.get("org.apache.cxf.resource.method");
    if (resourceMethod == null) {
        // Fail closed: an unresolvable target is refused, not let through.
        throw new AccessDeniedException("Method is not available : Unauthorized");
    }
    return resourceMethod;
}
 
Example #10
Source File: ClaimsAuthorizingInterceptor.java    From cxf with Apache License 2.0 5 votes vote down vote up
/**
 * Authorizes the current invocation using the claims in the message's
 * {@link ClaimsSecurityContext}.
 *
 * <p>Every failure path throws: a missing or non-claims security context, an
 * unresolvable target method, and a negative {@code authorize} result all result
 * in {@link AccessDeniedException}, so the interceptor never lets a request
 * through without a positive decision.
 *
 * @param message the inbound CXF message
 * @throws AccessDeniedException if the context is unavailable, the target method
 *         cannot be resolved, or the claims do not authorize the method
 */
public void handleMessage(Message message) throws Fault {
    SecurityContext securityContext = message.get(SecurityContext.class);
    if (!(securityContext instanceof ClaimsSecurityContext)) {
        throw new AccessDeniedException("Security Context is unavailable or unrecognized");
    }
    ClaimsSecurityContext claimsContext = (ClaimsSecurityContext) securityContext;

    Method target = MessageUtils.getTargetMethod(message)
            .orElseThrow(() -> new AccessDeniedException("Method is not available : Unauthorized"));

    if (!authorize(claimsContext, target)) {
        throw new AccessDeniedException("Unauthorized");
    }
}
 
Example #11
Source File: ClaimsAuthorizingInterceptorTest.java    From cxf with Apache License 2.0 5 votes vote down vote up
/**
 * Checks the "claimWithDefaultNameAndFormat" operation: a default role claim
 * holding "admin" and "user" is authorized, while "user" alone is denied.
 */
@Test
public void testClaimDefaultNameAndFormat() throws Exception {
    doTestClaims("claimWithDefaultNameAndFormat",
            createDefaultClaim("admin", "user"),
            createClaim("http://authentication", "http://claims", "password"));

    // Without the "admin" value the same request must be refused.
    try {
        doTestClaims("claimWithDefaultNameAndFormat",
                createDefaultClaim("user"),
                createClaim("http://authentication", "http://claims", "password"));
    } catch (AccessDeniedException expected) {
        return;
    }
    fail("AccessDeniedException expected");
}
 
Example #12
Source File: StratosAuthorizingHandler.java    From attic-stratos with Apache License 2.0 5 votes vote down vote up
/**
 * Returns the Java method targeted by the current invocation.
 *
 * <p>For SOAP invocations the method is derived from the exchange's
 * {@link BindingOperationInfo} through the service's {@link MethodDispatcher};
 * for JAX-RS invocations it is read from the "org.apache.cxf.resource.method"
 * message property, set by {@link org.apache.cxf.jaxrs.interceptor.JAXRSInInterceptor}.
 *
 * @param message incoming message
 * @return the resolved target method
 * @throws AccessDeniedException if no target method can be resolved; the
 *         failure is logged and the invocation refused
 */
protected Method getTargetMethod(Message message) {
    BindingOperationInfo operation = message.getExchange().get(BindingOperationInfo.class);
    if (operation == null) {
        // JAX-RS path
        Method resourceMethod = (Method) message.get("org.apache.cxf.resource.method");
        if (resourceMethod != null) {
            return resourceMethod;
        }
        log.error("The requested resource is not found. Please check the resource path, etc");
        throw new AccessDeniedException("Method is not available: Unauthorized");
    }

    // SOAP path
    MethodDispatcher dispatcher = (MethodDispatcher) message.getExchange()
            .get(Service.class)
            .get(MethodDispatcher.class.getName());
    return dispatcher.getMethod(operation);
}
 
Example #13
Source File: ClaimsAuthorizingInterceptorTest.java    From cxf with Apache License 2.0 5 votes vote down vote up
/**
 * Checks that the "claimWithDefaultNameAndFormat" operation is denied when the
 * required authentication claim is absent, even though the role claim matches.
 */
@Test
public void testMissingExpectedClaim() throws Exception {
    // Authorized with both the role and the authentication claim present.
    doTestClaims("claimWithDefaultNameAndFormat",
            createDefaultClaim("admin"),
            createClaim("http://authentication", "http://claims", "password"));

    // Denied once the authentication claim is left out.
    try {
        doTestClaims("claimWithDefaultNameAndFormat", createDefaultClaim("admin"));
    } catch (AccessDeniedException expected) {
        return;
    }
    fail("AccessDeniedException expected");
}
 
Example #14
Source File: ClaimsAuthorizingInterceptorTest.java    From cxf with Apache License 2.0 5 votes vote down vote up
/**
 * Checks the "claimWithSpecificNameAndFormat" operation: a role claim under the
 * specific name "http://cxf/roles" is authorized, while the same values carried
 * by a default-named claim are denied.
 */
@Test
public void testClaimSpecificNameAndFormat() throws Exception {
    doTestClaims("claimWithSpecificNameAndFormat",
            createClaim("http://cxf/roles", "http://claims", "admin", "user"),
            createClaim("http://authentication", "http://claims", "password"));

    // Same values, wrong claim name: must be refused.
    try {
        doTestClaims("claimWithSpecificNameAndFormat",
                createDefaultClaim("admin", "user"),
                createClaim("http://authentication", "http://claims", "password"));
    } catch (AccessDeniedException expected) {
        return;
    }
    fail("AccessDeniedException expected");
}
 
Example #15
Source File: ClaimsAuthorizingInterceptorTest.java    From cxf with Apache License 2.0 5 votes vote down vote up
/**
 * Checks the "claimLaxMode" operation: the "password" authentication claim and
 * an empty claim set are both authorized, while "smartcard" is denied.
 */
@Test
public void testClaimLaxMode() throws Exception {
    doTestClaims("claimLaxMode",
            createClaim("http://authentication", "http://claims", "password"));
    // Lax mode: no claims at all is still accepted.
    doTestClaims("claimLaxMode");

    // A claim with a value that is not accepted is still refused.
    try {
        doTestClaims("claimLaxMode",
                createClaim("http://authentication", "http://claims", "smartcard"));
    } catch (AccessDeniedException expected) {
        return;
    }
    fail("AccessDeniedException expected");
}
 
Example #16
Source File: ClaimsAuthorizingInterceptorTest.java    From cxf with Apache License 2.0 5 votes vote down vote up
/**
 * Runs a role-based interceptor and a claims-based interceptor over the same
 * message: an "admin" principal with claim ("a", "b", "c") passes both, while a
 * "user"-only principal is denied by the role check.
 */
@Test
public void testUserInRoleAndClaims() throws Exception {
    SecureAnnotationsInterceptor roleInterceptor = new SecureAnnotationsInterceptor();
    roleInterceptor.setAnnotationClassName(SecureRole.class.getName());
    roleInterceptor.setSecuredObject(new TestService2());

    Message authorized = prepareMessage(TestService2.class, "test",
            createDefaultClaim("admin"),
            createClaim("a", "b", "c"));

    // Role check passes for "admin".
    roleInterceptor.handleMessage(authorized);

    // Claims check on the same message: requires claim format "a", name "b", value "c".
    SAMLClaim requiredClaim = new SAMLClaim();
    requiredClaim.setNameFormat("a");
    requiredClaim.setName("b");
    requiredClaim.addValue("c");
    ClaimsAuthorizingInterceptor claimsInterceptor = new ClaimsAuthorizingInterceptor();
    claimsInterceptor.setClaims(Collections.singletonMap("test",
            Collections.singletonList(new ClaimBean(requiredClaim, "a", null, false))));
    claimsInterceptor.handleMessage(authorized);

    // A "user"-only principal must fail the role check.
    try {
        roleInterceptor.handleMessage(prepareMessage(TestService2.class, "test",
                createDefaultClaim("user")));
    } catch (AccessDeniedException expected) {
        return;
    }
    fail("AccessDeniedException expected");
}
 
Example #17
Source File: ClaimsAuthorizingFilter.java    From cxf with Apache License 2.0 5 votes vote down vote up
/**
 * Runs the claims-authorizing interceptor against the current JAX-RS message and
 * aborts the request with 403 Forbidden if it denies access.
 *
 * <p>The 403 response carries no entity, so the denial reason is not exposed
 * to the client.
 *
 * @param context the request context to abort on denial
 */
@Override
public void filter(ContainerRequestContext context) {
    Message current = JAXRSUtils.getCurrentMessage();
    try {
        interceptor.handleMessage(current);
    } catch (AccessDeniedException denied) {
        Response forbidden = Response.status(Response.Status.FORBIDDEN).build();
        context.abortWith(forbidden);
    }
}
 
Example #18
Source File: SimpleAuthorizingFilter.java    From cxf with Apache License 2.0 5 votes vote down vote up
/**
 * Delegates the authorization decision to the configured interceptor and aborts
 * the request with 403 Forbidden (no entity) when access is denied.
 *
 * @param context the request context to abort on denial
 */
@Override
public void filter(ContainerRequestContext context) {
    Message current = JAXRSUtils.getCurrentMessage();
    try {
        interceptor.handleMessage(current);
    } catch (AccessDeniedException denied) {
        Response forbidden = Response.status(Response.Status.FORBIDDEN).build();
        context.abortWith(forbidden);
    }
}
 
Example #19
Source File: AbstractXACMLAuthorizingInterceptor.java    From cxf with Apache License 2.0 5 votes vote down vote up
/**
 * Authorizes the current invocation through the XACML-backed {@code authorize}
 * hook, using the principal and role names from the message's
 * {@link LoginSecurityContext}.
 *
 * <p>Fail-closed: the request proceeds only when {@code authorize} returns true.
 * A non-login security context, a negative decision, and any exception thrown by
 * {@code authorize} all end in {@link AccessDeniedException}; the details are
 * logged at FINE level only, and the exception carries a fixed message.
 *
 * <p>The user's own principal name is excluded from the role list passed to
 * {@code authorize}.
 *
 * @param message the inbound CXF message
 * @throws AccessDeniedException if the request is not authorized
 */
public void handleMessage(Message message) throws Fault {
    SecurityContext sc = message.get(SecurityContext.class);

    if (!(sc instanceof LoginSecurityContext)) {
        LOG.log(
            Level.FINE,
            "The SecurityContext was not an instance of LoginSecurityContext. No authorization "
            + "is possible as a result"
        );
        throw new AccessDeniedException("Unauthorized");
    }

    Principal principal = sc.getUserPrincipal();
    String principalName = principal == null ? null : principal.getName();

    // Collect role names, skipping nulls and the principal's own name.
    List<String> roles = new ArrayList<>();
    Set<Principal> principalRoles = ((LoginSecurityContext) sc).getUserRoles();
    if (principalRoles != null) {
        for (Principal role : principalRoles) {
            String roleName = role == null ? null : role.getName();
            if (roleName != null && !roleName.equals(principalName)) {
                roles.add(roleName);
            }
        }
    }

    boolean authorized;
    try {
        authorized = authorize(principal, roles, message);
    } catch (Exception e) {
        // Any failure inside the decision point is treated as a denial.
        LOG.log(Level.FINE, "Unauthorized: " + e.getMessage(), e);
        throw new AccessDeniedException("Unauthorized");
    }
    if (!authorized) {
        throw new AccessDeniedException("Unauthorized");
    }
}
 
Example #20
Source File: StratosAuthorizingHandler.java    From product-private-paas with Apache License 2.0 5 votes vote down vote up
/**
 * Returns the Java method targeted by the current invocation.
 *
 * <p>For SOAP invocations the method is derived from the exchange's
 * {@link BindingOperationInfo} through the service's {@link MethodDispatcher};
 * for JAX-RS invocations it is read from the "org.apache.cxf.resource.method"
 * message property, set by {@link org.apache.cxf.jaxrs.interceptor.JAXRSInInterceptor}.
 *
 * @param message incoming message
 * @return the resolved target method
 * @throws AccessDeniedException if no target method can be resolved; the
 *         failure is logged and the invocation refused
 */
protected Method getTargetMethod(Message message) {
    BindingOperationInfo operation = message.getExchange().get(BindingOperationInfo.class);
    if (operation == null) {
        // JAX-RS path
        Method resourceMethod = (Method) message.get("org.apache.cxf.resource.method");
        if (resourceMethod != null) {
            return resourceMethod;
        }
        log.error("The requested resource is not found. Please check the resource path etc..");
        throw new AccessDeniedException("Method is not available : Unauthorized");
    }

    // SOAP path
    MethodDispatcher dispatcher = (MethodDispatcher) message.getExchange()
            .get(Service.class)
            .get(MethodDispatcher.class.getName());
    return dispatcher.getMethod(operation);
}
 
Example #21
Source File: FedizExceptionMapper.java    From cxf-fediz with Apache License 2.0 4 votes vote down vote up
/**
 * Maps an {@link AccessDeniedException} to a bare 403 Forbidden response.
 *
 * <p>The response has no entity, so the exception message is not echoed to the client.
 *
 * @param exception the denial raised during authorization
 * @return a 403 response with no body
 */
public Response toResponse(AccessDeniedException exception) {
    Response.Status forbidden = Response.Status.FORBIDDEN;
    return Response.status(forbidden).build();
}