org.springframework.security.access.prepost.PostAuthorize Java Examples

The following examples show how to use org.springframework.security.access.prepost.PostAuthorize. Each example is taken from the project and source file named above it.
Example #1
Source File: CustomPermissionAllowedMethodSecurityMetadataSource.java    From tutorials with MIT License
@Override
protected Collection<ConfigAttribute> findAttributes(Method method, Class<?> targetClass) {
    Annotation[] annotations = AnnotationUtils.getAnnotations(method);
    List<ConfigAttribute> attributes = new ArrayList<>();

    // if the class is annotated as @Controller we should by default deny access to every method
    if (AnnotationUtils.findAnnotation(targetClass, Controller.class) != null) {
        attributes.add(DENY_ALL_ATTRIBUTE);
    }

    if (annotations != null) {
        for (Annotation a : annotations) {
            // but not if the method has at least a PreAuthorize or PostAuthorize annotation
            if (a instanceof PreAuthorize || a instanceof PostAuthorize) {
                return null;
            }
        }
    }
    return attributes;
}
 
Example #2
Source File: DataPointController.java    From omh-dsu-ri with Apache License 2.0
/**
 * Reads a data point.
 *
 * @param id the identifier of the data point to read
 * @return a matching data point, if found
 */
// TODO can identifiers be relative, e.g. to a namespace?
// TODO confirm if HEAD handling needs anything additional
// only allow clients with read scope to read a data point
@PreAuthorize("#oauth2.clientHasRole('" + CLIENT_ROLE + "') and #oauth2.hasScope('" + DATA_POINT_READ_SCOPE + "')")
// ensure that the returned data point belongs to the user associated with the access token
@PostAuthorize("returnObject.body == null || returnObject.body.header.userId == principal.username")
@RequestMapping(value = "/dataPoints/{id}", method = {HEAD, GET}, produces = APPLICATION_JSON_VALUE)
public
@ResponseBody
ResponseEntity<DataPoint> readDataPoint(@PathVariable String id) {

    Optional<DataPoint> dataPoint = dataPointService.findOne(id);

    if (!dataPoint.isPresent()) {
        return new ResponseEntity<>(NOT_FOUND);
    }

    // FIXME test @PostAuthorize
    return new ResponseEntity<>(dataPoint.get(), OK);
}
 
Example #3
Source File: ApplicationsController.java    From front50 with Apache License 2.0
@PostAuthorize("hasPermission(#applicationName, 'APPLICATION', 'READ')")
@ApiOperation(value = "", notes = "Fetch a single application by name")
@RequestMapping(method = RequestMethod.GET, value = "/{applicationName:.+}")
public Application get(@PathVariable final String applicationName) {
  Application app = applicationDAO.findByName(applicationName.toUpperCase());

  try {
    Application.Permission perm =
        applicationPermissionDAO.map(it -> it.findById(app.getName())).orElse(null);
    if (perm != null && perm.getPermissions().isRestricted()) {
      app.details().put("permissions", perm.getPermissions());
    } else {
      app.details().remove("permissions");
    }
  } catch (NotFoundException nfe) {
    // ignored.
  }

  return app;
}
 
Example #4
Source File: NotificationController.java    From front50 with Apache License 2.0
@PostAuthorize("hasPermission(#name, 'APPLICATION', 'READ')")
@RequestMapping(value = "{type}/{name}", method = RequestMethod.GET)
public Notification listByApplication(
    @PathVariable(value = "type") String type, @PathVariable(value = "name") String name) {
  HierarchicalLevel level = getLevel(type);
  final Notification notification = notificationDAO.get(level, name);

  if (level.equals(HierarchicalLevel.APPLICATION)) {
    final Object global = getGlobal();

    NotificationDAO.NOTIFICATION_FORMATS.forEach(
        it -> {
          if (UntypedUtils.hasProperty(global, it)) {
            if (!UntypedUtils.hasProperty(notification, it)) {
              UntypedUtils.setProperty(notification, it, new ArrayList<>());
            }

            ((List) UntypedUtils.getProperty(notification, it))
                .addAll((List) UntypedUtils.getProperty(global, it));
          }
        });
  }

  return notification;
}
 
Example #5
Source File: DashboardRepository.java    From SMSC with Apache License 2.0
@Override
@EntityGraph(attributePaths = {"dashboardBoxes"})
@PostAuthorize("hasRole('POWER_ADMIN_USER') or hasAuthority('DASHBOARD_READ')")
Dashboard findOne(Predicate predicate);
 
Example #6
Source File: DashboardBoxRepository.java    From SMSC with Apache License 2.0
@Override
@EntityGraph(attributePaths = {"dashboardBoxType", "width", "height"})
@PostAuthorize("hasRole('POWER_ADMIN_USER') or hasAuthority('DASHBOARD_BOX_READ')")
DashboardBox findOne(Predicate predicate);
 
Example #7
Source File: ProjectController.java    From AbacSpringSecurity with MIT License
@RequestMapping(value = "/{id}", method = RequestMethod.GET, produces = {"application/json"})
@ResponseStatus(HttpStatus.OK)
@PostAuthorize("hasPermission(returnObject,'PROJECTS_VIEW')")
public Project getProject(@PathVariable Integer id) {
	logger.info("[getProject({})] started ...", id);
	Project result = projectsService.getProject(id);
	logger.info("[getProject({})] done, result: {}", id, result);
	return result;
}
 
Example #8
Source File: SnapshotsController.java    From front50 with Apache License 2.0
@PostAuthorize("hasPermission(returnObject.application, 'APPLICATION', 'READ')")
@RequestMapping(value = "/{id:.+}/{timestamp:.+}", method = RequestMethod.GET)
public Snapshot getVersionByTimestamp(
    @PathVariable String id,
    @PathVariable String timestamp,
    @RequestParam(value = "limit", defaultValue = "20") int limit) {
  final Long creationTime = Long.parseLong(timestamp);
  return snapshotDAO.history(id, limit).stream()
      .filter(it -> Objects.equals(it.getTimestamp(), creationTime))
      .findFirst()
      .orElseThrow(() -> new NotFoundException("Snapshot not found"));
}
 
Example #9
Source File: UserController.java    From digag-server with Apache License 2.0
@ApiOperation(value="获取用户", notes="根据url的id来获取用户详细信息")
@ApiImplicitParam(name = "id", value = "用户ID", required = true, dataType = "String", paramType = "path")
@PostAuthorize("returnObject.username == principal.username or hasRole('ROLE_ADMIN')")
@RequestMapping(value = "/{id}", method = RequestMethod.GET)
public User getUser(@PathVariable String id) {
    return repository.findOne(id);
}
 
Example #10
Source File: DashboardBoxTypeRepository.java    From SMSC with Apache License 2.0
@EntityGraph(attributePaths = {"kind", "type"})
@PostAuthorize("hasRole('POWER_ADMIN_USER') or hasAuthority('DASHBOARD_BOX_TYPE_READ')")
DashboardBoxType findByName(@Param("name") String name);
 
Example #11
Source File: RoleRepository.java    From SMSC with Apache License 2.0
@Override
@PostAuthorize("hasRole('POWER_ADMIN_USER') or hasAuthority('ADMIN_USER_ROLE_READ')")
Role findOne(Long id);
 
Example #12
Source File: SnapshotsController.java    From front50 with Apache License 2.0
@PostAuthorize("hasPermission(returnObject.application, 'APPLICATION', 'READ')")
@RequestMapping(value = "/{id:.+}", method = RequestMethod.GET)
public Snapshot getCurrent(@PathVariable String id) {
  return snapshotDAO.findById(id);
}
 
Example #13
Source File: DeliveryController.java    From front50 with Apache License 2.0
@PostAuthorize("hasPermission(returnObject.application, 'APPLICATION', 'READ')")
@ApiOperation(value = "", notes = "Get a delivery config by id")
@RequestMapping(method = RequestMethod.GET, value = "deliveries/{id}")
Delivery getConfigById(@PathVariable String id) {
  return deliveryRepository.findById(id);
}
 
Example #14
Source File: WidgetService.java    From attic-rave with Apache License 2.0
@PostAuthorize("hasPermission(returnObject, 'read')")
WidgetComment getWidgetComment(String widgetId, String id);
 
Example #15
Source File: UserRoleService.java    From tutorials with MIT License
@PostAuthorize("#username == authentication.principal.username")
public String getMyRoles2(String username) {
    SecurityContext securityContext = SecurityContextHolder.getContext();
    return securityContext.getAuthentication().getAuthorities().stream()
            .map(auth -> auth.getAuthority())
            .collect(Collectors.joining(","));
}
 
Example #16
Source File: UserRoleService.java    From tutorials with MIT License
@PostAuthorize("returnObject.username == authentication.principal.nickName")
public CustomUser loadUserDetail(String username) {
    return userRoleRepository.loadUserByUserName(username);
}
 
Example #17
Source File: UserRoleService.java    From tutorials with MIT License
@PreAuthorize("#username == authentication.principal.username")
@PostAuthorize("returnObject.username == authentication.principal.nickName")
public CustomUser securedLoadUserDetail(String username) {
    return userRoleRepository.loadUserByUserName(username);
}
 
Example #18
Source File: PipelineController.java    From front50 with Apache License 2.0
@PreAuthorize("@fiatPermissionEvaluator.storeWholePermission()")
@PostAuthorize("hasPermission(returnObject.application, 'APPLICATION', 'READ')")
@RequestMapping(value = "{id:.+}/get", method = RequestMethod.GET)
public Pipeline get(@PathVariable String id) {
  return pipelineDAO.findById(id);
}
 
Example #19
Source File: GroupRepository.java    From SMSC with Apache License 2.0
@Override
@EntityGraph(attributePaths = {"authorities"})
@PostAuthorize("hasRole('POWER_ADMIN_USER') or hasAuthority('GROUP_READ')")
Group findOne(Predicate predicate);
 
Example #20
Source File: UserRepository.java    From SMSC with Apache License 2.0
@Override
@EntityGraph(attributePaths = {"dashboards", "roles", "authorities", "groups", "salutation"})
@PostAuthorize("hasRole('POWER_ADMIN_USER') or (hasRole('ADMIN_USER') and hasAuthority('ADMIN_USER_READ'))")
User findOne(Predicate predicate);
 
Example #21
Source File: UserRepository.java    From SMSC with Apache License 2.0
@Override
@EntityGraph(attributePaths = {"dashboards", "roles", "authorities", "groups", "salutation"})
@PostAuthorize("hasRole('POWER_ADMIN_USER') or (hasRole('ADMIN_USER') and hasAuthority('ADMIN_USER_READ'))")
User findOne(Long id);
 
Example #22
Source File: AuthorityRepository.java    From SMSC with Apache License 2.0
@Override
@PostAuthorize("hasRole('POWER_ADMIN_USER') or hasAuthority('AUTHORITY_READ')")
Authority findOne(Predicate predicate);
 
Example #23
Source File: AuthorityRepository.java    From SMSC with Apache License 2.0
@PostAuthorize("hasRole('POWER_ADMIN_USER') or hasAuthority('AUTHORITY_READ')")
Authority findByName(@Param("name") String name);
 
Example #24
Source File: AuthorityRepository.java    From SMSC with Apache License 2.0
@Override
@PostAuthorize("hasRole('POWER_ADMIN_USER') or hasAuthority('AUTHORITY_READ')")
Authority findOne(Long id);
 
Example #25
Source File: UserRepository.java    From SMSC with Apache License 2.0
@Override
@EntityGraph(attributePaths = {"customer"})
@PostAuthorize("hasRole('POWER_ADMIN_USER') or (hasRole('ADMIN_USER') and hasAuthority('CUSTOMER_USER_READ'))")
User findOne(Predicate predicate);
 
Example #26
Source File: RoleRepository.java    From SMSC with Apache License 2.0
@Override
@PostAuthorize("hasRole('POWER_ADMIN_USER') or hasAuthority('ADMIN_USER_ROLE_READ')")
Role findOne(Predicate predicate);
 
Example #27
Source File: GroupRepository.java    From SMSC with Apache License 2.0
@Override
@EntityGraph(attributePaths = {"authorities"})
@PostAuthorize("hasRole('POWER_ADMIN_USER') or hasAuthority('GROUP_READ')")
Group findOne(Long id);
 
Example #28
Source File: GroupRepository.java    From SMSC with Apache License 2.0
@EntityGraph(attributePaths = {"authorities"})
@PostAuthorize("hasRole('POWER_ADMIN_USER') or hasAuthority('GROUP_READ')")
Group findByName(@Param("name") String name);
 
Example #29
Source File: RoleRepository.java    From SMSC with Apache License 2.0
@PostAuthorize("hasRole('POWER_ADMIN_USER') or hasAuthority('ADMIN_USER_ROLE_READ')")
Role findByName(@Param("name") String name);
 
Example #30
Source File: LeaveRequestService.java    From spring-security-samples with MIT License
@PostAuthorize("returnObject.orElse(null)?.employee == authentication.name or hasRole('HR')")
public Optional<LeaveRequest> retrieve(UUID id) {
	return repo.findById(id);
}