Add Support SingleResultAuthorizationManager
Closes gh-16590 Signed-off-by: Max Batischev <mblancer@mail.ru>
This commit is contained in:
Max Batischev
committed by
Josh Cummings
Josh Cummings
parent
29f1ea50b6
commit
58a665e5aa
+69
@@ -0,0 +1,69 @@
|
||||
/*
|
||||
* Copyright 2002-2025 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.security.authorization;
|
||||
|
||||
import java.util.function.Supplier;
|
||||
|
||||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.util.Assert;
|
||||
|
||||
/**
|
||||
* An {@link AuthorizationManager} which creates permit-all and deny-all
|
||||
* {@link AuthorizationManager} instances.
|
||||
*
|
||||
* @author Max Batischev
|
||||
* @since 6.5
|
||||
*/
|
||||
public final class SingleResultAuthorizationManager<C> implements AuthorizationManager<C> {
|
||||
|
||||
private static final SingleResultAuthorizationManager<?> DENY_MANAGER = new SingleResultAuthorizationManager<>(
|
||||
new AuthorizationDecision(false));
|
||||
|
||||
private static final SingleResultAuthorizationManager<?> PERMIT_MANAGER = new SingleResultAuthorizationManager<>(
|
||||
new AuthorizationDecision(true));
|
||||
|
||||
private final AuthorizationResult result;
|
||||
|
||||
public SingleResultAuthorizationManager(AuthorizationResult result) {
|
||||
Assert.notNull(result, "result cannot be null");
|
||||
this.result = result;
|
||||
}
|
||||
|
||||
@Override
|
||||
public AuthorizationDecision check(Supplier<Authentication> authentication, C object) {
|
||||
if (!(this.result instanceof AuthorizationDecision)) {
|
||||
throw new IllegalArgumentException("result should be AuthorizationDecision");
|
||||
}
|
||||
return (AuthorizationDecision) this.result;
|
||||
}
|
||||
|
||||
@Override
|
||||
public AuthorizationResult authorize(Supplier<Authentication> authentication, C object) {
|
||||
return this.result;
|
||||
}
|
||||
|
||||
@SuppressWarnings("unchecked")
|
||||
public static <C> SingleResultAuthorizationManager<C> denyAll() {
|
||||
return (SingleResultAuthorizationManager<C>) DENY_MANAGER;
|
||||
}
|
||||
|
||||
@SuppressWarnings("unchecked")
|
||||
public static <C> SingleResultAuthorizationManager<C> permitAll() {
|
||||
return (SingleResultAuthorizationManager<C>) PERMIT_MANAGER;
|
||||
}
|
||||
|
||||
}
|
||||
+4
-3
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2024 the original author or authors.
|
||||
* Copyright 2002-2025 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -34,6 +34,7 @@ import org.springframework.security.authorization.AuthoritiesAuthorizationManage
|
||||
import org.springframework.security.authorization.AuthorizationDecision;
|
||||
import org.springframework.security.authorization.AuthorizationManager;
|
||||
import org.springframework.security.authorization.AuthorizationResult;
|
||||
import org.springframework.security.authorization.SingleResultAuthorizationManager;
|
||||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.core.annotation.SecurityAnnotationScanner;
|
||||
import org.springframework.security.core.annotation.SecurityAnnotationScanners;
|
||||
@@ -106,10 +107,10 @@ public final class Jsr250AuthorizationManager implements AuthorizationManager<Me
|
||||
AuthorizationManager<MethodInvocation> resolveManager(Method method, Class<?> targetClass) {
|
||||
Annotation annotation = findJsr250Annotation(method, targetClass);
|
||||
if (annotation instanceof DenyAll) {
|
||||
return (a, o) -> new AuthorizationDecision(false);
|
||||
return SingleResultAuthorizationManager.denyAll();
|
||||
}
|
||||
if (annotation instanceof PermitAll) {
|
||||
return (a, o) -> new AuthorizationDecision(true);
|
||||
return SingleResultAuthorizationManager.permitAll();
|
||||
}
|
||||
if (annotation instanceof RolesAllowed rolesAllowed) {
|
||||
return (AuthorizationManagerCheckAdapter<MethodInvocation>) (a,
|
||||
|
||||
+3
-7
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2020 the original author or authors.
|
||||
* Copyright 2002-2025 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -33,12 +33,10 @@ public class AuthorizationManagerTests {
|
||||
|
||||
@Test
|
||||
public void verifyWhenCheckReturnedGrantedDecisionThenPasses() {
|
||||
AuthorizationManager<Object> manager = (a, o) -> new AuthorizationDecision(true);
|
||||
|
||||
Authentication authentication = new TestingAuthenticationToken("user", "password", "ROLE_1", "ROLE_2");
|
||||
Object object = new Object();
|
||||
|
||||
manager.verify(() -> authentication, object);
|
||||
SingleResultAuthorizationManager.permitAll().verify(() -> authentication, object);
|
||||
}
|
||||
|
||||
@Test
|
||||
@@ -53,13 +51,11 @@ public class AuthorizationManagerTests {
|
||||
|
||||
@Test
|
||||
public void verifyWhenCheckReturnedDeniedDecisionThenAccessDeniedException() {
|
||||
AuthorizationManager<Object> manager = (a, o) -> new AuthorizationDecision(false);
|
||||
|
||||
Authentication authentication = new TestingAuthenticationToken("user", "password", "ROLE_1", "ROLE_2");
|
||||
Object object = new Object();
|
||||
|
||||
assertThatExceptionOfType(AccessDeniedException.class)
|
||||
.isThrownBy(() -> manager.verify(() -> authentication, object))
|
||||
.isThrownBy(() -> SingleResultAuthorizationManager.denyAll().verify(() -> authentication, object))
|
||||
.withMessage("Access Denied");
|
||||
}
|
||||
|
||||
|
||||
+6
-6
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2023 the original author or authors.
|
||||
* Copyright 2002-2025 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -29,8 +29,8 @@ class AuthorizationManagersTests {
|
||||
|
||||
@Test
|
||||
void checkAnyOfWhenOneGrantedThenGrantedDecision() {
|
||||
AuthorizationManager<?> composed = AuthorizationManagers.anyOf((a, o) -> new AuthorizationDecision(false),
|
||||
(a, o) -> new AuthorizationDecision(true));
|
||||
AuthorizationManager<?> composed = AuthorizationManagers.anyOf(SingleResultAuthorizationManager.permitAll(),
|
||||
SingleResultAuthorizationManager.permitAll());
|
||||
AuthorizationDecision decision = composed.check(null, null);
|
||||
assertThat(decision).isNotNull();
|
||||
assertThat(decision.isGranted()).isTrue();
|
||||
@@ -118,8 +118,8 @@ class AuthorizationManagersTests {
|
||||
|
||||
@Test
|
||||
void checkAllOfWhenAllGrantedThenGrantedDecision() {
|
||||
AuthorizationManager<?> composed = AuthorizationManagers.allOf((a, o) -> new AuthorizationDecision(true),
|
||||
(a, o) -> new AuthorizationDecision(true));
|
||||
AuthorizationManager<?> composed = AuthorizationManagers.allOf(SingleResultAuthorizationManager.permitAll(),
|
||||
SingleResultAuthorizationManager.permitAll());
|
||||
AuthorizationDecision decision = composed.check(null, null);
|
||||
assertThat(decision).isNotNull();
|
||||
assertThat(decision.isGranted()).isTrue();
|
||||
@@ -158,7 +158,7 @@ class AuthorizationManagersTests {
|
||||
void checkAllOfWithAllAbstainDefaultDecisionWhenOneDeniedThenDeniedDecision() {
|
||||
AuthorizationDecision allAbstainDefaultDecision = new AuthorizationDecision(true);
|
||||
AuthorizationManager<?> composed = AuthorizationManagers.allOf(allAbstainDefaultDecision,
|
||||
(a, o) -> new AuthorizationDecision(true), (a, o) -> new AuthorizationDecision(false));
|
||||
SingleResultAuthorizationManager.permitAll(), SingleResultAuthorizationManager.denyAll());
|
||||
AuthorizationDecision decision = composed.check(null, null);
|
||||
assertThat(decision).isNotNull();
|
||||
assertThat(decision.isGranted()).isFalse();
|
||||
|
||||
+77
@@ -0,0 +1,77 @@
|
||||
/*
|
||||
* Copyright 2002-2025 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.security.authorization;
|
||||
|
||||
import org.junit.jupiter.api.Test;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
|
||||
|
||||
/**
|
||||
* Tests for {@link SingleResultAuthorizationManager}.
|
||||
*
|
||||
* @author Max Batischev
|
||||
*/
|
||||
public class SingleResultAuthorizationManagerTests {
|
||||
|
||||
private SingleResultAuthorizationManager<?> manager;
|
||||
|
||||
@Test
|
||||
void authorizeWhenManagerWithGrantedAuthorizationResultIsCreatedThenAuthorizes() {
|
||||
this.manager = new SingleResultAuthorizationManager<>(new AuthorizationDecision(true));
|
||||
|
||||
AuthorizationResult result = this.manager.authorize(null, null);
|
||||
|
||||
assertThat(result.isGranted()).isTrue();
|
||||
}
|
||||
|
||||
@Test
|
||||
void checkWhenManagerWithGrantedDecisionIsCreatedThenAuthorizes() {
|
||||
this.manager = new SingleResultAuthorizationManager<>(new AuthorizationDecision(true));
|
||||
|
||||
AuthorizationResult result = this.manager.check(null, null);
|
||||
|
||||
assertThat(result.isGranted()).isTrue();
|
||||
}
|
||||
|
||||
@Test
|
||||
void checkWhenManagerWithGrantedCustomAuthorizationResultIsCreatedThenFails() {
|
||||
this.manager = new SingleResultAuthorizationManager<>((AuthorizationResult) () -> true);
|
||||
|
||||
assertThatIllegalArgumentException().isThrownBy(() -> this.manager.check(null, null));
|
||||
}
|
||||
|
||||
@Test
|
||||
void authorizeWhenPermitManagerUsesThenAuthorize() {
|
||||
AuthorizationResult result = SingleResultAuthorizationManager.permitAll().authorize(null, null);
|
||||
|
||||
assertThat(result.isGranted()).isTrue();
|
||||
}
|
||||
|
||||
@Test
|
||||
void authorizeWhenDenyManagerUsesThenDeny() {
|
||||
AuthorizationResult result = SingleResultAuthorizationManager.denyAll().authorize(null, null);
|
||||
|
||||
assertThat(result.isGranted()).isFalse();
|
||||
}
|
||||
|
||||
@Test
|
||||
void constructWhenNullResultIsPresentThenFails() {
|
||||
assertThatIllegalArgumentException().isThrownBy(() -> new SingleResultAuthorizationManager<>(null));
|
||||
}
|
||||
|
||||
}
|
||||
Reference in New Issue
Block a user