
updated taglibs and other isAllGranted-type logic to include inferred…

… roles based on role hierarchy
1 parent 55015d0 commit 33799f6c4e27d3af88b74902537a46fa3496888f @burtbeckwith burtbeckwith committed May 5, 2010
@@ -35,7 +35,7 @@
import javax.servlet.http.HttpServletRequest;
import org.codehaus.groovy.grails.commons.ApplicationHolder;
-import org.springframework.context.ApplicationContext;
+import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.GrantedAuthorityImpl;
@@ -192,8 +192,8 @@ private SpringSecurityUtils() {
* @return <code>true</code> if the user is authenticated and has all the roles
*/
public static boolean ifAllGranted(final String roles) {
- Collection<GrantedAuthority> granted = getPrincipalAuthorities();
- return granted.containsAll(parseAuthoritiesString(roles));
+ Collection<GrantedAuthority> inferred = findInferredAuthorities(getPrincipalAuthorities());
+ return inferred.containsAll(parseAuthoritiesString(roles));
}
/**
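Review bot: The Javadoc above `ifAllGranted` still reads as if only directly granted roles are checked, but the result now comes from `findInferredAuthorities(...)`, which is the hierarchy-expanded set. The same gap applies to the `ifNotGranted` and `ifAnyGranted` hunks below. It matters most for `ifNotGranted`: a user holding a senior role now counts as having every junior role it implies, so a check that used to return true for that user now returns false. I would add a sentence to each Javadoc such as `Roles implied by the configured role hierarchy are treated as granted.` The Javadoc blocks start outside these hunks.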
@@ -202,8 +202,8 @@ public static boolean ifAllGranted(final String roles) {
* @return <code>true</code> if the user is authenticated and has none the roles
*/
public static boolean ifNotGranted(final String roles) {
- Collection<GrantedAuthority> granted = getPrincipalAuthorities();
- Set<String> grantedCopy = retainAll(granted, parseAuthoritiesString(roles));
+ Collection<GrantedAuthority> inferred = findInferredAuthorities(getPrincipalAuthorities());
+ Set<String> grantedCopy = retainAll(inferred, parseAuthoritiesString(roles));
return grantedCopy.isEmpty();
}
@@ -213,8 +213,8 @@ public static boolean ifNotGranted(final String roles) {
* @return <code>true</code> if the user is authenticated and has any the roles
*/
public static boolean ifAnyGranted(final String roles) {
- Collection<GrantedAuthority> granted = getPrincipalAuthorities();
- Set<String> grantedCopy = retainAll(granted, parseAuthoritiesString(roles));
+ Collection<GrantedAuthority> inferred = findInferredAuthorities(getPrincipalAuthorities());
+ Set<String> grantedCopy = retainAll(inferred, parseAuthoritiesString(roles));
return !grantedCopy.isEmpty();
}
@@ -349,7 +349,6 @@ public static void clientRegisterFilter(final String beanName, final SecurityFil
* @param order the position (see {@link SecurityFilterPosition})
*/
public static void clientRegisterFilter(final String beanName, final int order) {
- ApplicationContext ctx = ApplicationHolder.getApplication().getMainContext();
Filter oldFilter = CONFIGURED_ORDERED_FILTERS.get(order);
if (oldFilter != null) {
@@ -358,8 +357,9 @@ public static void clientRegisterFilter(final String beanName, final int order)
"' is already registered in that position");
}
- CONFIGURED_ORDERED_FILTERS.put(order, (Filter)ctx.getBean(beanName));
- FilterChainProxy filterChain = (FilterChainProxy)ctx.getBean("springSecurityFilterChain");
+ Filter filter = getBean(beanName);
+ CONFIGURED_ORDERED_FILTERS.put(order, filter);
+ FilterChainProxy filterChain = getBean("springSecurityFilterChain");
filterChain.setFilterChainMap(Collections.singletonMap(
filterChain.getMatcher().getUniversalMatchPattern(),
new ArrayList<Filter>(CONFIGURED_ORDERED_FILTERS.values())));
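Review bot: `CONFIGURED_ORDERED_FILTERS.put(order, filter)` runs before the `springSecurityFilterChain` lookup, so if that second `getBean` call throws, the map keeps an entry for a filter that was never installed in the chain. A retry at the same position would then presumably be rejected by the "already registered" check. Resolving both beans before mutating the map avoids the partial state: move `FilterChainProxy filterChain = getBean("springSecurityFilterChain");` above the `put`. The method begins in the previous hunk and may continue past this one.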
@@ -430,4 +430,19 @@ private static ConfigObject mergeConfig(final ConfigObject currentConfig, final
}
return config;
}
+
+ private static Collection<GrantedAuthority> findInferredAuthorities(
+ final Collection<GrantedAuthority> granted) {
+ RoleHierarchy roleHierarchy = getBean("roleHierarchy");
+ Collection<GrantedAuthority> reachable = roleHierarchy.getReachableGrantedAuthorities(granted);
+ if (reachable == null) {
+ return Collections.emptyList();
+ }
+ return reachable;
+ }
+
+ @SuppressWarnings("unchecked")
+ private static <T> T getBean(final String name) {
+ return (T)ApplicationHolder.getApplication().getMainContext().getBean(name);
+ }
}
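Review bot: `findInferredAuthorities` makes every `ifAllGranted`/`ifNotGranted`/`ifAnyGranted` call depend on a bean named `roleHierarchy` being resolvable through `ApplicationHolder`. The unchecked `(T)` cast in `getBean` also means a bean of the wrong type surfaces as a `ClassCastException` at the assignment rather than at the lookup. The typed overload, `getMainContext().getBean("roleHierarchy", RoleHierarchy.class)`, would report a mis-wired bean by name and type. Neither helper is documented. A short Javadoc on `findInferredAuthorities` should say that it returns an empty collection when the hierarchy returns null, and that it throws if the application context or the bean is unavailable, so the failure mode of these authorization checks is explicit.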
@@ -14,9 +14,14 @@
*/
package org.codehaus.groovy.grails.plugins.springsecurity
+import org.codehaus.groovy.grails.commons.ApplicationHolder as AH
import org.codehaus.groovy.grails.commons.ConfigurationHolder as CH
+import org.codehaus.groovy.grails.commons.DefaultGrailsApplication
+import org.springframework.context.ApplicationContext
import org.springframework.mock.web.MockHttpServletRequest
+import org.springframework.security.access.hierarchicalroles.RoleHierarchy
+import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl
import org.springframework.security.core.GrantedAuthority
import org.springframework.security.core.authority.GrantedAuthorityImpl
import org.springframework.security.web.PortResolverImpl
@@ -167,32 +172,74 @@ class SpringSecurityUtilsTests extends GroovyTestCase {
}
void testIfAllGranted() {
+ initRoleHierarchy ''
SecurityTestUtils.authenticate(['ROLE_1', 'ROLE_2'])
+
assertTrue SpringSecurityUtils.ifAllGranted('ROLE_1')
assertTrue SpringSecurityUtils.ifAllGranted('ROLE_2')
assertTrue SpringSecurityUtils.ifAllGranted('ROLE_1,ROLE_2')
assertFalse SpringSecurityUtils.ifAllGranted('ROLE_1,ROLE_2,ROLE_3')
assertFalse SpringSecurityUtils.ifAllGranted('ROLE_3')
}
+ void testIfAllGranted_UsingHierarchy() {
+ initRoleHierarchy 'ROLE_3 > ROLE_2 \n ROLE_2 > ROLE_1'
+ SecurityTestUtils.authenticate(['ROLE_3'])
+
+ assertTrue SpringSecurityUtils.ifAllGranted('ROLE_1')
+ assertTrue SpringSecurityUtils.ifAllGranted('ROLE_2')
+ assertTrue SpringSecurityUtils.ifAllGranted('ROLE_1,ROLE_2')
+ assertTrue SpringSecurityUtils.ifAllGranted('ROLE_1,ROLE_2,ROLE_3')
+ assertTrue SpringSecurityUtils.ifAllGranted('ROLE_3')
+ assertFalse SpringSecurityUtils.ifAllGranted('ROLE_4')
+ }
+
void testIfNotGranted() {
+ initRoleHierarchy ''
SecurityTestUtils.authenticate(['ROLE_1', 'ROLE_2'])
+
assertFalse SpringSecurityUtils.ifNotGranted('ROLE_1')
assertFalse SpringSecurityUtils.ifNotGranted('ROLE_2')
assertFalse SpringSecurityUtils.ifNotGranted('ROLE_1,ROLE_2')
assertFalse SpringSecurityUtils.ifNotGranted('ROLE_1,ROLE_2,ROLE_3')
assertTrue SpringSecurityUtils.ifNotGranted('ROLE_3')
}
+ void testIfNotGranted_UsingHierarchy() {
+ initRoleHierarchy 'ROLE_3 > ROLE_2 \n ROLE_2 > ROLE_1'
+ SecurityTestUtils.authenticate(['ROLE_3'])
+
+ assertFalse SpringSecurityUtils.ifNotGranted('ROLE_1')
+ assertFalse SpringSecurityUtils.ifNotGranted('ROLE_2')
+ assertFalse SpringSecurityUtils.ifNotGranted('ROLE_1,ROLE_2')
+ assertFalse SpringSecurityUtils.ifNotGranted('ROLE_1,ROLE_2,ROLE_3')
+ assertFalse SpringSecurityUtils.ifNotGranted('ROLE_3')
+ assertTrue SpringSecurityUtils.ifNotGranted('ROLE_4')
+ }
+
void testIfAnyGranted() {
+ initRoleHierarchy ''
SecurityTestUtils.authenticate(['ROLE_1', 'ROLE_2'])
+
assertTrue SpringSecurityUtils.ifAnyGranted('ROLE_1')
assertTrue SpringSecurityUtils.ifAnyGranted('ROLE_2')
assertTrue SpringSecurityUtils.ifAnyGranted('ROLE_1,ROLE_2')
assertTrue SpringSecurityUtils.ifAnyGranted('ROLE_1,ROLE_2,ROLE_3')
assertFalse SpringSecurityUtils.ifAnyGranted('ROLE_3')
}
+ void testIfAnyGranted_UsingHierarchy() {
+ initRoleHierarchy 'ROLE_3 > ROLE_2 \n ROLE_2 > ROLE_1'
+ SecurityTestUtils.authenticate(['ROLE_3'])
+
+ assertTrue SpringSecurityUtils.ifAnyGranted('ROLE_1')
+ assertTrue SpringSecurityUtils.ifAnyGranted('ROLE_2')
+ assertTrue SpringSecurityUtils.ifAnyGranted('ROLE_1,ROLE_2')
+ assertTrue SpringSecurityUtils.ifAnyGranted('ROLE_1,ROLE_2,ROLE_3')
+ assertTrue SpringSecurityUtils.ifAnyGranted('ROLE_3')
+ assertFalse SpringSecurityUtils.ifAnyGranted('ROLE_4')
+ }
+
void testPrivateConstructor() {
SecurityTestUtils.testPrivateConstructor SpringSecurityUtils
}
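Review bot: None of the new `_UsingHierarchy` tests reaches the `reachable == null` branch added in `findInferredAuthorities`, because every case authenticates with at least one role. A case that authenticates with no roles (for example `SecurityTestUtils.authenticate([])`, if that helper accepts an empty list) would cover it. It should assert that `ifAllGranted('ROLE_1')` and `ifAnyGranted('ROLE_1')` are false and that `ifNotGranted('ROLE_1')` is true. That pins the deny-by-default result for a principal without authorities.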
@@ -205,6 +252,12 @@ class SpringSecurityUtilsTests extends GroovyTestCase {
assertTrue c1.containsAll(c2)
}
+ private void initRoleHierarchy(String hierarchy) {
+ def roleHierarchy = new RoleHierarchyImpl(hierarchy: hierarchy)
+ def ctx = [getBean: { String name -> roleHierarchy }] as ApplicationContext
+ AH.application = new DefaultGrailsApplication(mainContext: ctx)
+ }
+
/**
* {@inheritDoc}
* @see junit.framework.TestCase#tearDown()
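Review bot: The stubbed context in `initRoleHierarchy` returns the hierarchy for any bean name, so these tests would still pass if the production code looked up a misspelled or different bean. Making the closure name-sensitive ties the tests to the `roleHierarchy` lookup: `def ctx = [getBean: { String name -> assert name == 'roleHierarchy'; roleHierarchy }] as ApplicationContext`.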
@@ -215,6 +268,7 @@ class SpringSecurityUtilsTests extends GroovyTestCase {
SecurityTestUtils.logout()
CH.config = null
SpringSecurityUtils.securityConfig = null
+ AH.application = null
}
}
