multiprofile for authorizer

pac4j-core/src/main/java/org/pac4j/core/authorization/authorizer/AbstractRequireAllAuthorizer.java

@@ -12,7 +12,7 @@
 public abstract class AbstractRequireAllAuthorizer<E extends Object, U extends UserProfile> extends AbstractRequireElementAuthorizer<E, U> {
 
     @Override
-    public boolean isAuthorized(final WebContext context, final U profile) {
+    protected boolean isProfileAuthorized(final WebContext context, final U profile) {
         if (elements == null || elements.isEmpty()) {
             return true;
         }

pac4j-core/src/main/java/org/pac4j/core/authorization/authorizer/AbstractRequireAnyAuthorizer.java

@@ -12,7 +12,7 @@
 public abstract class AbstractRequireAnyAuthorizer<E extends Object, U extends UserProfile> extends AbstractRequireElementAuthorizer<E, U> {
 
     @Override
-    public boolean isAuthorized(final WebContext context, final U profile) {
+    protected boolean isProfileAuthorized(final WebContext context, final U profile) {
         if (elements == null || elements.isEmpty()) {
             return true;
         }

pac4j-core/src/main/java/org/pac4j/core/authorization/authorizer/AbstractRequireElementAuthorizer.java

@@ -14,7 +14,7 @@
  * @author Jerome Leleu
  * @since 1.8.1
  */
-public abstract class AbstractRequireElementAuthorizer<E extends Object, U extends UserProfile> implements Authorizer<U> {
+public abstract class AbstractRequireElementAuthorizer<E extends Object, U extends UserProfile> extends SingleProfileAuthorizer<U> {
 
     protected Set<E> elements;
 

pac4j-core/src/main/java/org/pac4j/core/authorization/authorizer/Authorizer.java

@@ -3,6 +3,8 @@
 import org.pac4j.core.context.WebContext;
 import org.pac4j.core.profile.UserProfile;
 
+import java.util.List;
+
 /**
  * Checks if an access is authorized.
  *
@@ -12,11 +14,11 @@
 public interface Authorizer<U extends UserProfile> {
 
     /**
-     * Checks if the user profile is authorized for the current web context.
+     * Checks if the user profiles and / or the current web context are authorized.
      *
      * @param context the web context
-     * @param profile the user profile
+     * @param profiles the user profiles
      * @return if the access is authorized
      */
-    boolean isAuthorized(WebContext context, U profile);
+    boolean isAuthorized(WebContext context, List<U> profiles);
 }

pac4j-core/src/main/java/org/pac4j/core/authorization/authorizer/CacheControlHeader.java

@@ -3,6 +3,8 @@
 import org.pac4j.core.context.WebContext;
 import org.pac4j.core.profile.UserProfile;
 
+import java.util.List;
+
 /**
  * Cache control header.
  *
@@ -12,7 +14,7 @@
 public class CacheControlHeader implements Authorizer<UserProfile> {
 
     @Override
-    public boolean isAuthorized(final WebContext context, final UserProfile profile) {
+    public boolean isAuthorized(final WebContext context, final List<UserProfile> profiles) {
         final String url = context.getFullRequestURL().toLowerCase();
         if (!url.endsWith(".css")
                 && !url.endsWith(".js")

pac4j-core/src/main/java/org/pac4j/core/authorization/authorizer/SingleProfileAuthorizer.java

@@ -0,0 +1,27 @@
+package org.pac4j.core.authorization.authorizer;
+
+import org.pac4j.core.context.WebContext;
+import org.pac4j.core.profile.UserProfile;
+
+import java.util.List;
+
+/**
+ * Authorizer which is valid if one of the profile is authorized.
+ *
+ * @author Jerome Leleu
+ * @since 1.9.0
+ */
+public abstract class SingleProfileAuthorizer<U extends UserProfile> implements Authorizer<U> {
+
+    @Override
+    public boolean isAuthorized(final WebContext context, final List<U> profiles) {
+        for (final U profile : profiles) {
+            if (isProfileAuthorized(context, profile)) {
+                return true;
+            }
+        }
+        return false;
+    }
+
+    protected abstract boolean isProfileAuthorized(final WebContext context, final U profile);
+}

pac4j-core/src/main/java/org/pac4j/core/authorization/authorizer/StrictTransportSecurityHeader.java

@@ -4,6 +4,8 @@
 import org.pac4j.core.context.WebContext;
 import org.pac4j.core.profile.UserProfile;
 
+import java.util.List;
+
 /**
  * Strict transport security header.
  *
@@ -26,7 +28,7 @@ public StrictTransportSecurityHeader(final int maxAge) {
     }
 
     @Override
-    public boolean isAuthorized(final WebContext context, final UserProfile profile) {
+    public boolean isAuthorized(final WebContext context, final List<UserProfile> profiles) {
         if (ContextHelper.isHttpsOrSecure(context)) {
             context.setResponseHeader("Strict-Transport-Security", "max-age=" + maxAge + " ; includeSubDomains");
         }

pac4j-core/src/main/java/org/pac4j/core/authorization/authorizer/XContentTypeOptionsHeader.java

@@ -3,6 +3,8 @@
 import org.pac4j.core.context.WebContext;
 import org.pac4j.core.profile.UserProfile;
 
+import java.util.List;
+
 /**
  * XContent type options header.
  *
@@ -12,7 +14,7 @@
 public class XContentTypeOptionsHeader implements Authorizer<UserProfile> {
 
     @Override
-    public boolean isAuthorized(final WebContext context, final UserProfile profile) {
+    public boolean isAuthorized(final WebContext context, final List<UserProfile> profiles) {
         context.setResponseHeader("X-Content-Type-Options", "nosniff");
         return true;
     }

pac4j-core/src/main/java/org/pac4j/core/authorization/authorizer/XFrameOptionsHeader.java

@@ -3,6 +3,8 @@
 import org.pac4j.core.context.WebContext;
 import org.pac4j.core.profile.UserProfile;
 
+import java.util.List;
+
 /**
  * XFrame options header.
  *
@@ -12,7 +14,7 @@
 public class XFrameOptionsHeader implements Authorizer<UserProfile> {
 
     @Override
-    public boolean isAuthorized(final WebContext context, final UserProfile profile) {
+    public boolean isAuthorized(final WebContext context, final List<UserProfile> profiles) {
         context.setResponseHeader("X-Frame-Options", "DENY");
         return true;
     }

pac4j-core/src/main/java/org/pac4j/core/authorization/authorizer/XSSProtectionHeader.java

@@ -3,6 +3,8 @@
 import org.pac4j.core.context.WebContext;
 import org.pac4j.core.profile.UserProfile;
 
+import java.util.List;
+
 /**
  * XSS protection header.
  *
@@ -12,7 +14,7 @@
 public class XSSProtectionHeader implements Authorizer<UserProfile> {
 
     @Override
-    public boolean isAuthorized(final WebContext context, final UserProfile profile) {
+    public boolean isAuthorized(final WebContext context, final List<UserProfile> profiles) {
         context.setResponseHeader("X-XSS-Protection", "1; mode=block");
         return true;
     }

pac4j-core/src/main/java/org/pac4j/core/authorization/authorizer/csrf/CsrfAuthorizer.java

@@ -7,6 +7,8 @@
 import org.pac4j.core.profile.UserProfile;
 import org.pac4j.core.util.CommonHelper;
 
+import java.util.List;
+
 /**
  * Authorizer that checks CSRF tokens.
  *
@@ -35,7 +37,7 @@ public CsrfAuthorizer(final String parameterName, final String headerName, final
     }
 
     @Override
-    public boolean isAuthorized(final WebContext context, final U profile) {
+    public boolean isAuthorized(final WebContext context, final List<U> profiles) {
         final boolean checkRequest = !onlyCheckPostRequest || (onlyCheckPostRequest && ContextHelper.isPost(context));
         if (checkRequest) {
             final String parameterToken = context.getRequestParameter(parameterName);

pac4j-core/src/main/java/org/pac4j/core/authorization/authorizer/csrf/CsrfTokenGeneratorAuthorizer.java

@@ -7,6 +7,8 @@
 import org.pac4j.core.profile.UserProfile;
 import org.pac4j.core.util.CommonHelper;
 
+import java.util.List;
+
 /**
  * Authorizer which creates a new CSRF token and adds it as a request attribute and as a cookie (AngularJS).
  *
@@ -22,7 +24,7 @@ public CsrfTokenGeneratorAuthorizer(final CsrfTokenGenerator csrfTokenGenerator)
     }
 
     @Override
-    public boolean isAuthorized(final WebContext context, final UserProfile profile) {
+    public boolean isAuthorized(final WebContext context, final List<UserProfile> profiles) {
         CommonHelper.assertNotNull("csrfTokenGenerator", csrfTokenGenerator);
         final String token = csrfTokenGenerator.get(context);
         context.setRequestAttribute(Pac4jConstants.CSRF_TOKEN, token);

pac4j-core/src/main/java/org/pac4j/core/authorization/checker/AuthorizationChecker.java

@@ -15,7 +15,7 @@
  */
 public interface AuthorizationChecker {
 
-    boolean isAuthorized(WebContext context, UserProfile profile, String authorizerNames, Map<String, Authorizer> authorizersMap);
+    boolean isAuthorized(WebContext context, List<UserProfile> profiles, String authorizerNames, Map<String, Authorizer> authorizersMap);
 
-    boolean isAuthorized(WebContext context, UserProfile profile, List<Authorizer> authorizers);
+    boolean isAuthorized(WebContext context, List<UserProfile> profiles, List<Authorizer> authorizers);
 }

pac4j-core/src/main/java/org/pac4j/core/authorization/checker/DefaultAuthorizationChecker.java

@@ -31,7 +31,7 @@ public class DefaultAuthorizationChecker implements AuthorizationChecker {
     final static CsrfTokenGeneratorAuthorizer CSRF_TOKEN_GENERATOR_AUTHORIZER = new CsrfTokenGeneratorAuthorizer(new DefaultCsrfTokenGenerator());
 
     @Override
-    public boolean isAuthorized(final WebContext context, final UserProfile profile, final String authorizerNames, final Map<String, Authorizer> authorizersMap) {
+    public boolean isAuthorized(final WebContext context, final List<UserProfile> profiles, final String authorizerNames, final Map<String, Authorizer> authorizersMap) {
         final List<Authorizer> authorizers = new ArrayList<>();
         // if we have an authorizer name (which may be a list of authorizer names)
         if (CommonHelper.isNotBlank(authorizerNames)) {
@@ -78,17 +78,17 @@ public boolean isAuthorized(final WebContext context, final UserProfile profile,
                 }
             }
         }
-        return isAuthorized(context, profile, authorizers);
+        return isAuthorized(context, profiles, authorizers);
     }
 
     @Override
-    public boolean isAuthorized(final WebContext context, final UserProfile profile, final List<Authorizer> authorizers) {
-        // authorizations check comes after authentication and profile must not be null
-        CommonHelper.assertNotNull("profile", profile);
+    public boolean isAuthorized(final WebContext context, final List<UserProfile> profiles, final List<Authorizer> authorizers) {
+        // authorizations check comes after authentication and profile must not be null nor empty
+        CommonHelper.assertTrue(profiles != null && profiles.size() > 0, "profiles must not be null or empty");
         if (authorizers != null && !authorizers.isEmpty()) {
             // check authorizations using authorizers: all must be satisfied
             for (Authorizer authorizer : authorizers) {
-                if (!authorizer.isAuthorized(context, profile)) {
+                if (!authorizer.isAuthorized(context, profiles)) {
                     return false;
                 }
             }

pac4j-core/src/main/java/org/pac4j/core/profile/ProfileManager.java

@@ -60,7 +60,7 @@ private LinkedHashMap<String, UserProfile> retrieveAll(final boolean readFromSes
         if (objSession != null && objSession instanceof LinkedHashMap) {
             profiles = (LinkedHashMap<String, UserProfile>) objSession;
         }
-        if (profiles == null && readFromSession) {
+        if ((profiles == null || profiles.size() == 0) && readFromSession) {
             final Object objRequest = this.context.getSessionAttribute(Pac4jConstants.USER_PROFILES);
             if (objRequest != null && objRequest instanceof LinkedHashMap) {
                 profiles = (LinkedHashMap<String, UserProfile>) objRequest;
@@ -86,16 +86,19 @@ public void remove(final boolean removeFromSession) {
     }
 
     /**
-     * Save the given user profile (replace the current one if multi profile is not supported, add it otherwise).
+     * Save the given user profile (replace the current one if multi profiles are not supported, add it otherwise).
      *
      * @param saveInSession if the user profile must be saved in session
      * @param profile a given user profile
-     * @param multiProfile whether multi profile is supported
+     * @param multiProfile whether multiple profiles are supported
      */
     public void save(final boolean saveInSession, final UserProfile profile, final boolean multiProfile) {
         final LinkedHashMap<String, UserProfile> profiles;
 
-        final String clientName = profile.getClientName();
+        String clientName = profile.getClientName();
+        if (clientName == null) {
+            clientName = "DEFAULT";
+        }
         if (multiProfile) {
             profiles = retrieveAll(saveInSession);
             profiles.remove(clientName);

pac4j-core/src/test/java/org/pac4j/core/authorization/authorizer/CheckHttpMethodAuthorizerTests.java

@@ -1,8 +1,13 @@
 package org.pac4j.core.authorization.authorizer;
 
+import org.junit.Before;
 import org.junit.Test;
 import org.pac4j.core.context.MockWebContext;
 import org.pac4j.core.profile.CommonProfile;
+import org.pac4j.core.profile.UserProfile;
+
+import java.util.ArrayList;
+import java.util.List;
 
 import static org.junit.Assert.*;
 
@@ -16,15 +21,23 @@
  */
 public final class CheckHttpMethodAuthorizerTests {
 
+    private List<UserProfile> profiles;
+
+    @Before
+    public void setUp() {
+        profiles = new ArrayList<>();
+        profiles.add(new CommonProfile());
+    }
+
     @Test
     public void testGoodHttpMethod() {
         final CheckHttpMethodAuthorizer authorizer = new CheckHttpMethodAuthorizer(HTTP_METHOD.GET, HTTP_METHOD.POST);
-        assertTrue(authorizer.isAuthorized(MockWebContext.create().setRequestMethod("GET"), new CommonProfile()));
+        assertTrue(authorizer.isAuthorized(MockWebContext.create().setRequestMethod("GET"), profiles));
     }
 
     @Test
     public void testBadHttpMethod() {
         final CheckHttpMethodAuthorizer authorizer = new CheckHttpMethodAuthorizer(HTTP_METHOD.PUT);
-        assertFalse(authorizer.isAuthorized(MockWebContext.create().setRequestMethod("DELETE"), new CommonProfile()));
+        assertFalse(authorizer.isAuthorized(MockWebContext.create().setRequestMethod("DELETE"), profiles));
     }
 }

pac4j-core/src/test/java/org/pac4j/core/authorization/authorizer/CheckProfileTypeAuthorizerTests.java

@@ -2,6 +2,10 @@
 
 import org.junit.Test;
 import org.pac4j.core.profile.CommonProfile;
+import org.pac4j.core.profile.UserProfile;
+
+import java.util.ArrayList;
+import java.util.List;
 
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertTrue;
@@ -22,12 +26,16 @@ class FakeProfile2 extends CommonProfile {
     @Test
     public void testGoodProfile() {
         final CheckProfileTypeAuthorizer authorizer = new CheckProfileTypeAuthorizer(FakeProfile1.class, FakeProfile2.class);
-        assertTrue(authorizer.isAuthorized(null, new FakeProfile1()));
+        final List<UserProfile> profiles = new ArrayList<>();
+        profiles.add(new FakeProfile1());
+        assertTrue(authorizer.isAuthorized(null, profiles));
     }
 
     @Test
     public void testBadProfileType() {
         final CheckProfileTypeAuthorizer authorizer = new CheckProfileTypeAuthorizer(FakeProfile1.class);
-        assertFalse(authorizer.isAuthorized(null, new FakeProfile2()));
+        final List<UserProfile> profiles = new ArrayList<>();
+        profiles.add(new FakeProfile2());
+        assertFalse(authorizer.isAuthorized(null, profiles));
     }
 }