Revert "Add AuthorizationManager to Messaging"
This reverts commit 77a6e014a9.
This commit is contained in:
Josh Cummings
+1
-4
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2022 the original author or authors.
|
||||
* Copyright 2002-2019 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -27,10 +27,7 @@ import org.springframework.expression.EvaluationContext;
|
||||
*
|
||||
* @author Daniel Bustamante Ospina
|
||||
* @since 5.2
|
||||
* @deprecated Since {@link MessageExpressionVoter} is deprecated, there is no more need
|
||||
* for this class
|
||||
*/
|
||||
@Deprecated
|
||||
interface EvaluationContextPostProcessor<I> {
|
||||
|
||||
/**
|
||||
|
||||
+1
-5
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2022 the original author or authors.
|
||||
* Copyright 2002-2019 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -35,11 +35,7 @@ import org.springframework.security.messaging.util.matcher.MessageMatcher;
|
||||
*
|
||||
* @author Rob Winch
|
||||
* @since 4.0
|
||||
* @deprecated Use
|
||||
* {@link org.springframework.security.messaging.access.intercept.MessageMatcherDelegatingAuthorizationManager}
|
||||
* instead
|
||||
*/
|
||||
@Deprecated
|
||||
public final class ExpressionBasedMessageSecurityMetadataSourceFactory {
|
||||
|
||||
private ExpressionBasedMessageSecurityMetadataSourceFactory() {
|
||||
|
||||
+1
-5
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2022 the original author or authors.
|
||||
* Copyright 2002-2019 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -32,11 +32,7 @@ import org.springframework.util.Assert;
|
||||
* @author Rob Winch
|
||||
* @author Daniel Bustamante Ospina
|
||||
* @since 4.0
|
||||
* @deprecated Use
|
||||
* {@link org.springframework.security.messaging.access.intercept.MessageMatcherDelegatingAuthorizationManager}
|
||||
* instead
|
||||
*/
|
||||
@Deprecated
|
||||
@SuppressWarnings("serial")
|
||||
class MessageExpressionConfigAttribute implements ConfigAttribute, EvaluationContextPostProcessor<Message<?>> {
|
||||
|
||||
|
||||
+1
-5
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2022 the original author or authors.
|
||||
* Copyright 2002-2019 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -37,11 +37,7 @@ import org.springframework.util.Assert;
|
||||
* @author Rob Winch
|
||||
* @author Daniel Bustamante Ospina
|
||||
* @since 4.0
|
||||
* @deprecated Use
|
||||
* {@link org.springframework.security.messaging.access.intercept.MessageMatcherDelegatingAuthorizationManager}
|
||||
* instead
|
||||
*/
|
||||
@Deprecated
|
||||
public class MessageExpressionVoter<T> implements AccessDecisionVoter<Message<T>> {
|
||||
|
||||
private SecurityExpressionHandler<Message<T>> expressionHandler = new DefaultMessageSecurityExpressionHandler<>();
|
||||
|
||||
-95
@@ -1,95 +0,0 @@
|
||||
/*
|
||||
* Copyright 2002-2022 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.security.messaging.access.intercept;
|
||||
|
||||
import java.util.function.Supplier;
|
||||
|
||||
import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
|
||||
import org.springframework.core.log.LogMessage;
|
||||
import org.springframework.messaging.Message;
|
||||
import org.springframework.messaging.MessageChannel;
|
||||
import org.springframework.messaging.support.ChannelInterceptor;
|
||||
import org.springframework.security.access.AccessDeniedException;
|
||||
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
|
||||
import org.springframework.security.authorization.AuthorizationDecision;
|
||||
import org.springframework.security.authorization.AuthorizationEventPublisher;
|
||||
import org.springframework.security.authorization.AuthorizationManager;
|
||||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.core.context.SecurityContextHolder;
|
||||
import org.springframework.util.Assert;
|
||||
|
||||
/**
|
||||
* Authorizes {@link Message} resources using the provided {@link AuthorizationManager}
|
||||
*
|
||||
* @author Josh Cummings
|
||||
* @since 5.7
|
||||
*/
|
||||
public final class AuthorizationChannelInterceptor implements ChannelInterceptor {
|
||||
|
||||
static final Supplier<Authentication> AUTHENTICATION_SUPPLIER = () -> {
|
||||
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
|
||||
if (authentication == null) {
|
||||
throw new AuthenticationCredentialsNotFoundException(
|
||||
"An Authentication object was not found in the SecurityContext");
|
||||
}
|
||||
return authentication;
|
||||
};
|
||||
|
||||
private final Log logger = LogFactory.getLog(this.getClass());
|
||||
|
||||
private final AuthorizationManager<Message<?>> preSendAuthorizationManager;
|
||||
|
||||
private AuthorizationEventPublisher eventPublisher;
|
||||
|
||||
/**
|
||||
* Creates a new instance
|
||||
* @param preSendAuthorizationManager the {@link AuthorizationManager} to use. Cannot
|
||||
* be null.
|
||||
*
|
||||
*/
|
||||
public AuthorizationChannelInterceptor(AuthorizationManager<Message<?>> preSendAuthorizationManager) {
|
||||
Assert.notNull(preSendAuthorizationManager, "preSendAuthorizationManager cannot be null");
|
||||
this.preSendAuthorizationManager = preSendAuthorizationManager;
|
||||
}
|
||||
|
||||
@Override
|
||||
public Message<?> preSend(Message<?> message, MessageChannel channel) {
|
||||
this.logger.debug(LogMessage.of(() -> "Authorizing message send"));
|
||||
AuthorizationDecision decision = this.preSendAuthorizationManager.check(AUTHENTICATION_SUPPLIER, message);
|
||||
this.eventPublisher.publishAuthorizationEvent(AUTHENTICATION_SUPPLIER, message, decision);
|
||||
if (decision == null || !decision.isGranted()) { // default deny
|
||||
this.logger.debug(LogMessage.of(() -> "Failed to authorize message with authorization manager "
|
||||
+ this.preSendAuthorizationManager + " and decision " + decision));
|
||||
throw new AccessDeniedException("Access Denied");
|
||||
}
|
||||
this.logger.debug(LogMessage.of(() -> "Authorized message send"));
|
||||
return message;
|
||||
}
|
||||
|
||||
/**
|
||||
* Use this {@link AuthorizationEventPublisher} to publish the
|
||||
* {@link AuthorizationManager} result.
|
||||
* @param eventPublisher
|
||||
*/
|
||||
public void setAuthorizationEventPublisher(AuthorizationEventPublisher eventPublisher) {
|
||||
Assert.notNull(eventPublisher, "eventPublisher cannot be null");
|
||||
this.eventPublisher = eventPublisher;
|
||||
}
|
||||
|
||||
}
|
||||
+1
-3
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2022 the original author or authors.
|
||||
* Copyright 2002-2016 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -36,9 +36,7 @@ import org.springframework.util.Assert;
|
||||
*
|
||||
* @author Rob Winch
|
||||
* @since 4.0
|
||||
* @deprecated Use {@link AuthorizationChannelInterceptor} instead
|
||||
*/
|
||||
@Deprecated
|
||||
public final class ChannelSecurityInterceptor extends AbstractSecurityInterceptor implements ChannelInterceptor {
|
||||
|
||||
private static final ThreadLocal<InterceptorStatusToken> tokenHolder = new ThreadLocal<>();
|
||||
|
||||
+1
-3
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2022 the original author or authors.
|
||||
* Copyright 2002-2016 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -40,9 +40,7 @@ import org.springframework.security.messaging.util.matcher.MessageMatcher;
|
||||
* @since 4.0
|
||||
* @see ChannelSecurityInterceptor
|
||||
* @see ExpressionBasedMessageSecurityMetadataSourceFactory
|
||||
* @deprecated Use {@link MessageMatcherDelegatingAuthorizationManager} instead
|
||||
*/
|
||||
@Deprecated
|
||||
public final class DefaultMessageSecurityMetadataSource implements MessageSecurityMetadataSource {
|
||||
|
||||
private final Map<MessageMatcher<?>, Collection<ConfigAttribute>> messageMap;
|
||||
|
||||
-75
@@ -1,75 +0,0 @@
|
||||
/*
|
||||
* Copyright 2002-2022 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.security.messaging.access.intercept;
|
||||
|
||||
import java.util.Collections;
|
||||
import java.util.Map;
|
||||
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
|
||||
import org.springframework.messaging.Message;
|
||||
|
||||
/**
|
||||
* An {@link Message} authorization context.
|
||||
*
|
||||
* @author Josh Cummings
|
||||
* @since 5.7
|
||||
*/
|
||||
public final class MessageAuthorizationContext<T> {
|
||||
|
||||
private final Message<T> message;
|
||||
|
||||
private final Map<String, String> variables;
|
||||
|
||||
/**
|
||||
* Creates an instance.
|
||||
* @param message the {@link HttpServletRequest} to use
|
||||
*/
|
||||
public MessageAuthorizationContext(Message<T> message) {
|
||||
this(message, Collections.emptyMap());
|
||||
}
|
||||
|
||||
/**
|
||||
* Creates an instance.
|
||||
* @param message the {@link HttpServletRequest} to use
|
||||
* @param variables a map containing key-value pairs representing extracted variable
|
||||
* names and variable values
|
||||
*/
|
||||
public MessageAuthorizationContext(Message<T> message, Map<String, String> variables) {
|
||||
this.message = message;
|
||||
this.variables = variables;
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the {@link HttpServletRequest}.
|
||||
* @return the {@link HttpServletRequest} to use
|
||||
*/
|
||||
public Message<T> getMessage() {
|
||||
return this.message;
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the extracted variable values where the key is the variable name and the
|
||||
* value is the variable value.
|
||||
* @return a map containing key-value pairs representing extracted variable names and
|
||||
* variable values
|
||||
*/
|
||||
public Map<String, String> getVariables() {
|
||||
return this.variables;
|
||||
}
|
||||
|
||||
}
|
||||
-136
@@ -1,136 +0,0 @@
|
||||
/*
|
||||
* Copyright 2002-2022 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.security.messaging.access.intercept;
|
||||
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
import java.util.function.Supplier;
|
||||
|
||||
import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
|
||||
import org.springframework.core.log.LogMessage;
|
||||
import org.springframework.messaging.Message;
|
||||
import org.springframework.security.authorization.AuthorizationDecision;
|
||||
import org.springframework.security.authorization.AuthorizationManager;
|
||||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.messaging.util.matcher.MessageMatcher;
|
||||
import org.springframework.security.messaging.util.matcher.MessageMatcherEntry;
|
||||
import org.springframework.security.messaging.util.matcher.SimpDestinationMessageMatcher;
|
||||
import org.springframework.util.Assert;
|
||||
|
||||
/**
|
||||
* An {@link AuthorizationManager} which delegates to a specific
|
||||
* {@link AuthorizationManager} based on a {@link MessageMatcher} evaluation.
|
||||
*
|
||||
* @author Josh Cummings
|
||||
* @since 5.7
|
||||
*/
|
||||
public final class MessageMatcherDelegatingAuthorizationManager implements AuthorizationManager<Message<?>> {
|
||||
|
||||
private final Log logger = LogFactory.getLog(getClass());
|
||||
|
||||
private final List<MessageMatcherEntry<AuthorizationManager<MessageAuthorizationContext<?>>>> mappings;
|
||||
|
||||
private MessageMatcherDelegatingAuthorizationManager(
|
||||
List<MessageMatcherEntry<AuthorizationManager<MessageAuthorizationContext<?>>>> mappings) {
|
||||
Assert.notEmpty(mappings, "mappings cannot be empty");
|
||||
this.mappings = mappings;
|
||||
}
|
||||
|
||||
/**
|
||||
* Delegates to a specific {@link AuthorizationManager} based on a
|
||||
* {@link MessageMatcher} evaluation.
|
||||
* @param authentication the {@link Supplier} of the {@link Authentication} to check
|
||||
* @param message the {@link Message} to check
|
||||
* @return an {@link AuthorizationDecision}. If there is no {@link MessageMatcher}
|
||||
* matching the message, or the {@link AuthorizationManager} could not decide, then
|
||||
* null is returned
|
||||
*/
|
||||
@Override
|
||||
public AuthorizationDecision check(Supplier<Authentication> authentication, Message<?> message) {
|
||||
if (this.logger.isTraceEnabled()) {
|
||||
this.logger.trace(LogMessage.format("Authorizing message"));
|
||||
}
|
||||
for (MessageMatcherEntry<AuthorizationManager<MessageAuthorizationContext<?>>> mapping : this.mappings) {
|
||||
MessageMatcher<?> matcher = mapping.getMessageMatcher();
|
||||
MessageAuthorizationContext<?> authorizationContext = authorizationContext(matcher, message);
|
||||
if (authorizationContext != null) {
|
||||
AuthorizationManager<MessageAuthorizationContext<?>> manager = mapping.getEntry();
|
||||
if (this.logger.isTraceEnabled()) {
|
||||
this.logger.trace(LogMessage.format("Checking authorization on message using %s", manager));
|
||||
}
|
||||
return manager.check(authentication, authorizationContext);
|
||||
}
|
||||
}
|
||||
this.logger.trace("Abstaining since did not find matching MessageMatcher");
|
||||
return null;
|
||||
}
|
||||
|
||||
private MessageAuthorizationContext<?> authorizationContext(MessageMatcher<?> matcher, Message<?> message) {
|
||||
if (!matcher.matches((Message) message)) {
|
||||
return null;
|
||||
}
|
||||
if (matcher instanceof SimpDestinationMessageMatcher) {
|
||||
SimpDestinationMessageMatcher simp = (SimpDestinationMessageMatcher) matcher;
|
||||
return new MessageAuthorizationContext<>(message, simp.extractPathVariables(message));
|
||||
}
|
||||
return new MessageAuthorizationContext<>(message);
|
||||
}
|
||||
|
||||
/**
|
||||
* Creates a builder for {@link MessageMatcherDelegatingAuthorizationManager}.
|
||||
* @return the new {@link MessageMatcherDelegatingAuthorizationManager.Builder}
|
||||
* instance
|
||||
*/
|
||||
public static Builder builder() {
|
||||
return new Builder();
|
||||
}
|
||||
|
||||
/**
|
||||
* A builder for {@link MessageMatcherDelegatingAuthorizationManager}.
|
||||
*/
|
||||
public static final class Builder {
|
||||
|
||||
private final List<MessageMatcherEntry<AuthorizationManager<MessageAuthorizationContext<?>>>> mappings = new ArrayList<>();
|
||||
|
||||
/**
|
||||
* Maps a {@link MessageMatcher} to an {@link AuthorizationManager}.
|
||||
* @param matcher the {@link MessageMatcher} to use
|
||||
* @param manager the {@link AuthorizationManager} to use
|
||||
* @return the {@link MessageMatcherDelegatingAuthorizationManager.Builder} for
|
||||
* further customizations
|
||||
*/
|
||||
public MessageMatcherDelegatingAuthorizationManager.Builder add(MessageMatcher<?> matcher,
|
||||
AuthorizationManager<MessageAuthorizationContext<?>> manager) {
|
||||
Assert.notNull(matcher, "matcher cannot be null");
|
||||
Assert.notNull(manager, "manager cannot be null");
|
||||
this.mappings.add(new MessageMatcherEntry<>(matcher, manager));
|
||||
return this;
|
||||
}
|
||||
|
||||
/**
|
||||
* Creates a {@link MessageMatcherDelegatingAuthorizationManager} instance.
|
||||
* @return the {@link MessageMatcherDelegatingAuthorizationManager} instance
|
||||
*/
|
||||
public MessageMatcherDelegatingAuthorizationManager build() {
|
||||
return new MessageMatcherDelegatingAuthorizationManager(this.mappings);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
+1
-3
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2022 the original author or authors.
|
||||
* Copyright 2002-2016 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -26,9 +26,7 @@ import org.springframework.security.access.SecurityMetadataSource;
|
||||
* @since 4.0
|
||||
* @see ChannelSecurityInterceptor
|
||||
* @see DefaultMessageSecurityMetadataSource
|
||||
* @deprecated Use {@link MessageMatcherDelegatingAuthorizationManager} instead
|
||||
*/
|
||||
@Deprecated
|
||||
public interface MessageSecurityMetadataSource extends SecurityMetadataSource {
|
||||
|
||||
}
|
||||
|
||||
-44
@@ -1,44 +0,0 @@
|
||||
/*
|
||||
* Copyright 2002-2022 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.security.messaging.util.matcher;
|
||||
|
||||
/**
|
||||
* A rich object for associating a {@link MessageMatcher} to another object.
|
||||
*
|
||||
* @author Josh Cummings
|
||||
* @since 5.7
|
||||
*/
|
||||
public class MessageMatcherEntry<T> {
|
||||
|
||||
private final MessageMatcher<?> messageMatcher;
|
||||
|
||||
private final T entry;
|
||||
|
||||
public MessageMatcherEntry(MessageMatcher requestMatcher, T entry) {
|
||||
this.messageMatcher = requestMatcher;
|
||||
this.entry = entry;
|
||||
}
|
||||
|
||||
public MessageMatcher<?> getMessageMatcher() {
|
||||
return this.messageMatcher;
|
||||
}
|
||||
|
||||
public T getEntry() {
|
||||
return this.entry;
|
||||
}
|
||||
|
||||
}
|
||||
Reference in New Issue
Block a user