/**
 * Authorizes the call described by {@code context} against Spring Security and then runs it.
 * <p>
 * Two modes are visible here. When the request already went through Spring Security's filter
 * chain (the {@code FILTER_APPLIED} request attribute is set) the {@link SecurityContextHolder}
 * is used as found. Otherwise the context is loaded from the HTTP session, installed in the holder
 * for the duration of the call, and in the {@code finally} block the (possibly updated) context is
 * saved back and the holder is cleared so it does not outlive this call on the thread.
 *
 * @param context the pending call and its destination
 * @return the value produced by {@code securityInterceptor.invoke} when an interceptor is
 *         configured, otherwise by {@code endAuthorization}
 * @throws SecurityServiceException not-logged-in when the destination is secured and the caller
 *         is unauthenticated or anonymous; access-denied when the caller fails
 *         {@code userCanAccessService} or the invocation raises {@link AccessDeniedException}
 * @throws Exception an {@link InvocationTargetException} that
 *         {@code handleAuthorizationExceptions} does not translate is rethrown unchanged
 */
public Object authorize(AbstractSecurityContext context) throws Exception {
    log.debug("Authorize: %s", context);
    log.debug("Is %s secured? %b", context.getDestination().getId(), context.getDestination().isSecured());
    startAuthorization(context);

    HttpGraniteContext graniteContext = (HttpGraniteContext) GraniteContext.getCurrentInstance();
    Authentication authentication = SecurityContextHolder.getContext().getAuthentication();

    SecurityContext securityContextBefore = null;
    // 0 is the marker for "nothing was loaded from the session" (see the else branch below).
    int securityContextHashBefore = 0;
    if (graniteContext.getRequest().getAttribute(FILTER_APPLIED) == null) {
        // Not filtered by Spring Security on this request: restore the context ourselves.
        securityContextBefore = loadSecurityContextFromSession();
        if (securityContextBefore == null)
            securityContextBefore = SecurityContextHolder.getContext();
        else
            // Presumably lets saveSecurityContextInSession() detect whether the context changed
            // during the call — confirm against that helper.
            securityContextHashBefore = securityContextBefore.hashCode();
        SecurityContextHolder.setContext(securityContextBefore);
        // Re-read: the authentication fetched above came from the holder before it was replaced.
        authentication = securityContextBefore.getAuthentication();
    }

    if (context.getDestination().isSecured()) {
        // An AnonymousAuthenticationToken may report isAuthenticated() == true; it must still be
        // rejected for a secured destination.
        if (!isAuthenticated(authentication) || authentication instanceof AnonymousAuthenticationToken) {
            log.debug("Is not authenticated!");
            throw SecurityServiceException.newNotLoggedInException("User not logged in");
        }
        if (!userCanAccessService(context, authentication)) {
            log.debug("Access denied for: %s", authentication.getName());
            throw SecurityServiceException.newAccessDeniedException("User not in required role");
        }
    }

    try {
        Object returnedObject = securityInterceptor != null
                ? securityInterceptor.invoke(context)
                : endAuthorization(context);
        return returnedObject;
    } catch (AccessDeniedException e) {
        // Spring's own access-control failure, surfaced to the client as our access-denied error.
        throw SecurityServiceException.newAccessDeniedException(e.getMessage());
    } catch (InvocationTargetException e) {
        // Throws an access-denied SecurityServiceException when the cause chain holds an
        // access-control failure; otherwise falls through and the original exception propagates.
        handleAuthorizationExceptions(e);
        throw e;
    } finally {
        if (graniteContext.getRequest().getAttribute(FILTER_APPLIED) == null) {
            // Do this only when not already filtered by Spring Security
            SecurityContext securityContextAfter = SecurityContextHolder.getContext();
            // Clear before saving so the context never leaks past this call on the current thread,
            // whatever saveSecurityContextInSession() does.
            SecurityContextHolder.clearContext();
            saveSecurityContextInSession(securityContextAfter, securityContextHashBefore);
        }
    }
}
/**
 * Authorizes the call described by {@code context} against the Tomcat realm bound to the current
 * request, then runs it.
 * <p>
 * The authentication state kept on the Tomcat session (auth type and principal) is first
 * re-attached to the Tomcat request. For a secured destination the caller must have a principal
 * and hold at least one of the destination's roles according to the realm.
 *
 * @param context the pending call and its destination
 * @return the value produced by {@code endAuthorization}
 * @throws SecurityServiceException session-expired or not-logged-in when no principal is
 *         present; access-denied when none of the destination's roles is held, or when the
 *         invocation fails with a {@link SecurityException} or an EJB access exception anywhere
 *         in its cause chain
 * @throws Exception any other {@link InvocationTargetException} is rethrown unchanged
 */
public Object authorize(AbstractSecurityContext context) throws Exception {
    startAuthorization(context);

    HttpGraniteContext graniteContext = (HttpGraniteContext) GraniteManager.getCurrentInstance();
    HttpServletRequest httpRequest = graniteContext.getRequest();
    Request request = getRequest(httpRequest);
    Session session = request.getSessionInternal();
    // Carry the session's authentication state over to this request.
    request.setAuthType(session.getAuthType());
    request.setUserPrincipal(session.getPrincipal());

    if (context.getDestination().isSecured()) {
        Principal principal = getPrincipal(httpRequest);
        if (principal == null) {
            String requestedSessionId = httpRequest.getRequestedSessionId();
            if (requestedSessionId != null) {
                HttpSession httpSession = httpRequest.getSession(false);
                // NOTE(review): this reports "Session expired" when the requested id still
                // matches the live session and "not logged in" only when it differs; a
                // negated comparison looks intended — confirm before changing. Either branch
                // rejects the call, so only the reported reason is affected.
                boolean expired = httpSession == null || requestedSessionId.equals(httpSession.getId());
                if (expired)
                    throw SecurityServiceException.newSessionExpiredException("Session expired");
            }
            throw SecurityServiceException.newNotLoggedInException("User not logged in");
        }

        Realm realm = getRealm(httpRequest);
        boolean granted = false;
        for (String role : context.getDestination().getRoles()) {
            granted = realm.hasRole(principal, role);
            if (granted)
                break;
        }
        if (!granted)
            throw SecurityServiceException.newAccessDeniedException("User not in required role");
    }

    try {
        return endAuthorization(context);
    } catch (InvocationTargetException e) {
        Throwable cause = e;
        while (cause != null) {
            // Matched by class name to avoid a compile-time dependency on javax.ejb here.
            boolean ejbAccessFailure = "javax.ejb.EJBAccessException".equals(cause.getClass().getName());
            if (cause instanceof SecurityException || ejbAccessFailure)
                throw SecurityServiceException.newAccessDeniedException(cause.getMessage());
            cause = cause.getCause();
        }
        throw e;
    }
}
/**
 * Converts an access-control failure wrapped in {@code e} into an access-denied
 * {@code SecurityServiceException}.
 * <p>
 * The cause chain is walked from {@code e} itself downwards; the first {@link SecurityException},
 * {@link AccessDeniedException} or {@code javax.ejb.EJBAccessException} found is reported with
 * its message. If no such cause exists the method returns normally and the caller decides what
 * to do with {@code e}.
 *
 * @param e the exception thrown by the invoked service method
 * @throws SecurityServiceException when an access-control failure is found in the cause chain
 */
protected void handleAuthorizationExceptions(InvocationTargetException e) {
    Throwable cause = e;
    while (cause != null) {
        // Compared by class name so SecurityService does not depend on javax.ejb.
        boolean ejbAccessFailure = "javax.ejb.EJBAccessException".equals(cause.getClass().getName());
        boolean accessFailure = cause instanceof SecurityException
                || cause instanceof AccessDeniedException
                || ejbAccessFailure;
        if (accessFailure)
            throw SecurityServiceException.newAccessDeniedException(cause.getMessage());
        cause = cause.getCause();
    }
}
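/**
 * Authenticates Base64-encoded credentials against the realm bound to the current request and
 * binds the resulting principal to both the Tomcat request and its session.
 *
 * @param credentials the encoded credentials, decoded by {@code decodeBase64Credentials} into a
 *        user name and a password
 * @throws SecurityServiceException invalid-credentials when the payload does not decode to a
 *         user name and a password, or when the realm rejects them
 */
public void login(Object credentials) throws SecurityServiceException {
    String[] decoded = decodeBase64Credentials(credentials);
    // A malformed payload is reported as bad credentials rather than surfacing as an
    // ArrayIndexOutOfBoundsException (or a NullPointerException from setNote below).
    if (decoded == null || decoded.length < 2 || decoded[0] == null || decoded[1] == null)
        throw SecurityServiceException.newInvalidCredentialsException("Wrong username or password");
    String username = decoded[0];
    String password = decoded[1];

    HttpGraniteContext context = (HttpGraniteContext) GraniteManager.getCurrentInstance();
    HttpServletRequest httpRequest = context.getRequest();
    Realm realm = getRealm(httpRequest);
    Principal principal = realm.authenticate(username, password);
    // Same message for unknown user and wrong password, so the client cannot tell them apart.
    if (principal == null)
        throw SecurityServiceException.newInvalidCredentialsException("Wrong username or password");

    Request request = getRequest(httpRequest);
    request.setAuthType(AUTH_TYPE);
    request.setUserPrincipal(principal);
    Session session = request.getSessionInternal();
    session.setAuthType(AUTH_TYPE);
    session.setPrincipal(principal);
    // These notes keep the clear-text credentials on the container session; presumably they
    // back Tomcat's re-authentication after the session is reactivated — verify. Keep this in
    // mind wherever sessions are persisted or replicated.
    session.setNote(Constants.SESS_USERNAME_NOTE, username);
    session.setNote(Constants.SESS_PASSWORD_NOTE, password);
}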
/**
 * Maps a Spring Security {@link AuthenticationException} raised during login onto the
 * {@code SecurityServiceException} family; this method never returns normally.
 * <p>
 * {@link BadCredentialsException} and {@link UsernameNotFoundException} are deliberately folded
 * into a single invalid-credentials error; everything else becomes authentication-failed.
 * NOTE(review): the provider's message is passed through unchanged, so if a provider words
 * "unknown user" and "wrong password" differently the client can still distinguish them; a
 * fixed message would close that.
 *
 * @param e the exception thrown by the authentication manager
 * @throws SecurityServiceException always
 */
protected void handleAuthenticationExceptions(AuthenticationException e) {
    boolean credentialsRejected =
            e instanceof BadCredentialsException || e instanceof UsernameNotFoundException;
    String reason = e.getMessage();
    if (credentialsRejected)
        throw SecurityServiceException.newInvalidCredentialsException(reason);
    throw SecurityServiceException.newAuthenticationFailedException(reason);
}