BAEL-3495 Code for Deny of Missing Pre/PostAuthorize annotation

- Moved classes around so that the scans do not collide
- Make sure the LiveTest actually stops when done
- Removed some useless gitignore / README parts.
This commit is contained in:
Martin van Wingerden
2019-12-19 18:58:07 +01:00
parent 93b79e272d
commit 03a34d5cf6
20 changed files with 182 additions and 54 deletions
@@ -12,9 +12,6 @@ import org.springframework.web.filter.DelegatingFilterProxy;
import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;
@SpringBootApplication
@EnableJpaRepositories("com.baeldung.repository")
@ComponentScan("com.baeldung")
@EntityScan("com.baeldung.entity")
public class App extends SpringBootServletInitializer {
public static void main(String[] args) {
SpringApplication.run(App.class, args);
@@ -31,19 +28,16 @@ public class App extends SpringBootServletInitializer {
@Override
protected Class<?>[] getRootConfigClasses() {
// TODO Auto-generated method stub
return null;
}
@Override
protected Class<?>[] getServletConfigClasses() {
// TODO Auto-generated method stub
return null;
}
@Override
protected String[] getServletMappings() {
// TODO Auto-generated method stub
return null;
}
}
@@ -1,4 +1,4 @@
package com.baeldung.auditing;
package com.baeldung.app.auditing;
import org.springframework.boot.actuate.audit.AuditEvent;
import org.springframework.boot.actuate.security.AbstractAuthorizationAuditListener;
@@ -1,4 +1,4 @@
package com.baeldung.auditing;
package com.baeldung.app.auditing;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -1,11 +1,11 @@
package com.baeldung.config;
package com.baeldung.app.config;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.CommandLineRunner;
import org.springframework.stereotype.Component;
import com.baeldung.entity.Task;
import com.baeldung.repository.TaskRepository;
import com.baeldung.app.entity.Task;
import com.baeldung.app.repository.TaskRepository;
@Component
public class DatabaseLoader implements CommandLineRunner {
@@ -1,4 +1,4 @@
package com.baeldung.config;
package com.baeldung.app.config;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
@@ -1,4 +1,4 @@
package com.baeldung.controller;
package com.baeldung.app.controller;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.ResponseEntity;
@@ -7,8 +7,8 @@ import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import com.baeldung.entity.Task;
import com.baeldung.service.TaskService;
import com.baeldung.app.entity.Task;
import com.baeldung.app.service.TaskService;
@Controller
@RequestMapping("api/tasks")
@@ -1,4 +1,4 @@
package com.baeldung.entity;
package com.baeldung.app.entity;
import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
@@ -1,4 +1,4 @@
package com.baeldung.filter;
package com.baeldung.app.filter;
import java.io.IOException;
@@ -1,8 +1,8 @@
package com.baeldung.repository;
package com.baeldung.app.repository;
import org.springframework.data.repository.CrudRepository;
import com.baeldung.entity.Task;
import com.baeldung.app.entity.Task;
public interface TaskRepository extends CrudRepository<Task, Long> {
@@ -1,12 +1,12 @@
package com.baeldung.service;
package com.baeldung.app.service;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreFilter;
import org.springframework.stereotype.Service;
import com.baeldung.entity.Task;
import com.baeldung.repository.TaskRepository;
import com.baeldung.app.entity.Task;
import com.baeldung.app.repository.TaskRepository;
@Service
public class TaskService {
@@ -0,0 +1,49 @@
package com.baeldung.denyonmissing;
import static org.springframework.security.access.annotation.Jsr250SecurityConfig.DENY_ALL_ATTRIBUTE;
import java.lang.annotation.Annotation;
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import org.springframework.core.annotation.AnnotationUtils;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.method.AbstractFallbackMethodSecurityMetadataSource;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Controller;
public class CustomPermissionAllowedMethodSecurityMetadataSource extends AbstractFallbackMethodSecurityMetadataSource {
@Override
protected Collection<ConfigAttribute> findAttributes(Class<?> clazz) {
return null;
}
@Override
protected Collection<ConfigAttribute> findAttributes(Method method, Class<?> targetClass) {
Annotation[] annotations = AnnotationUtils.getAnnotations(method);
List<ConfigAttribute> attributes = new ArrayList<>();
// if the class is annotated as @Controller we should by default deny access to every method
if (AnnotationUtils.findAnnotation(targetClass, Controller.class) != null) {
attributes.add(DENY_ALL_ATTRIBUTE);
}
if (annotations != null) {
for (Annotation a : annotations) {
// but not if the method has at least a PreAuthorize or PostAuthorize annotation
if (a instanceof PreAuthorize || a instanceof PostAuthorize) {
return null;
}
}
}
return attributes;
}
@Override
public Collection<ConfigAttribute> getAllConfigAttributes() {
return null;
}
}
@@ -0,0 +1,11 @@
package com.baeldung.denyonmissing;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
@SpringBootApplication
public class DenyApplication {
public static void main(String[] args) {
SpringApplication.run(DenyApplication.class, args);
}
}
@@ -0,0 +1,29 @@
package com.baeldung.denyonmissing;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.method.MethodSecurityMetadataSource;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class DenyMethodSecurityConfig extends GlobalMethodSecurityConfiguration {
@Override
protected MethodSecurityMetadataSource customMethodSecurityMetadataSource() {
return new CustomPermissionAllowedMethodSecurityMetadataSource();
}
@Bean
public UserDetailsService userDetailsService() {
return new InMemoryUserDetailsManager(
User.withUsername("user").password("{noop}password").roles("USER").build(),
User.withUsername("guest").password("{noop}password").roles().build()
);
}
}
@@ -0,0 +1,19 @@
package com.baeldung.denyonmissing;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
@RestController
public class DenyOnMissingController {
@GetMapping(path = "hello")
@PreAuthorize("hasRole('USER')")
public String hello() {
return "Hello world!";
}
@GetMapping(path = "bye")
public String bye() {
return "Bye bye world!";
}
}