Examples of RunAsManager

org.springframework.security.access.intercept.RunAsManager
Creates a new temporary {@link Authentication} object for the current secureobject invocation only.
This interface permits implementations to replace the Authentication object that applies to the current secure object invocation only. The {@link org.springframework.security.access.intercept.AbstractSecurityInterceptor} will replacethe Authentication object held in the {@link org.springframework.security.core.context.SecurityContext SecurityContext}for the duration of the secure object callback only, returning it to the original Authentication object when the callback ends.

This is provided so that systems with two layers of objects can be established. One layer is public facing and has normal secure methods with the granted authorities expected to be held by external callers. The other layer is private, and is only expected to be called by objects within the public facing layer. The objects in this private layer still need security (otherwise they would be public methods) and they also need security in such a manner that prevents them being called directly by external callers. The objects in the private layer would be configured to require granted authorities never granted to external callers. The RunAsManager interface provides a mechanism to elevate security in this manner.

It is expected implementations will provide a corresponding concrete Authentication and AuthenticationProvider so that the replacement Authentication object can be authenticated. Some form of security will need to be implemented to ensure the AuthenticationProvider only accepts Authentication objects created by an authorized concrete implementation of RunAsManager.
@author Ben Alex

Examples of org.springframework.security.access.intercept.RunAsManager

                .setAfterInvocationManager(afterInvocationManager());
        methodSecurityInterceptor
                .setAuthenticationManager(authenticationManager());
        methodSecurityInterceptor
                .setSecurityMetadataSource(methodSecurityMetadataSource());
        RunAsManager runAsManager = runAsManager();
        if (runAsManager != null) {
            methodSecurityInterceptor.setRunAsManager(runAsManager);
        }
        return methodSecurityInterceptor;
    }

View Full Code Here

Examples of org.springframework.security.access.intercept.RunAsManager

        SecurityContext ctx = SecurityContextHolder.getContext();
        Authentication token = new TestingAuthenticationToken("Test", "Password", "NOT_USED");
        token.setAuthenticated(true);
        ctx.setAuthentication(token);


        RunAsManager runAsManager = mock(RunAsManager.class);
        when(runAsManager.buildRunAs(eq(token), any(), anyCollection())).thenReturn(new RunAsUserToken("key", "someone", "creds", token.getAuthorities(), token.getClass()));
        interceptor.setRunAsManager(runAsManager);


        FilterInvocation fi = createinvocation();
        FilterChain chain = fi.getChain();

View Full Code Here

Examples of org.springframework.security.access.intercept.RunAsManager

    @SuppressWarnings("unchecked")
    public void invokeWithAspectJCallbackRunAsReplacementCleansAfterException() throws Exception {
        SecurityContext ctx = SecurityContextHolder.getContext();
        ctx.setAuthentication(token);
        token.setAuthenticated(true);
        final RunAsManager runAs = mock(RunAsManager.class);
        final RunAsUserToken runAsToken =
            new RunAsUserToken("key", "someone", "creds", token.getAuthorities(), TestingAuthenticationToken.class);
        interceptor.setRunAsManager(runAs);
        when(runAs.buildRunAs(eq(token), any(MethodInvocation.class), any(List.class))).thenReturn(runAsToken);
        when(aspectJCallback.proceedWithObject()).thenThrow(new RuntimeException());


        try {
            interceptor.invoke(joinPoint, aspectJCallback);
            fail("Expected Exception");

View Full Code Here

Examples of org.springframework.security.access.intercept.RunAsManager

    @SuppressWarnings("unchecked")
    public void invokeRunAsReplacementCleansAfterException() throws Throwable {
        SecurityContext ctx = SecurityContextHolder.getContext();
        ctx.setAuthentication(token);
        token.setAuthenticated(true);
        final RunAsManager runAs = mock(RunAsManager.class);
        final RunAsUserToken runAsToken =
            new RunAsUserToken("key", "someone", "creds", token.getAuthorities(), TestingAuthenticationToken.class);
        interceptor.setRunAsManager(runAs);
        when(runAs.buildRunAs(eq(token), any(MethodInvocation.class), any(List.class))).thenReturn(runAsToken);
        when(joinPoint.proceed()).thenThrow(new RuntimeException());


        try {
            interceptor.invoke(joinPoint);
            fail("Expected Exception");

View Full Code Here

Examples of org.springframework.security.access.intercept.RunAsManager

        advisedTarget = (ITargetObject) pf.getProxy();
    }


    @Test
    public void gettersReturnExpectedData() {
        RunAsManager runAs = mock(RunAsManager.class);
        AfterInvocationManager aim = mock(AfterInvocationManager.class);
        interceptor.setRunAsManager(runAs);
        interceptor.setAfterInvocationManager(aim);
        assertEquals(adm, interceptor.getAccessDecisionManager());
        assertEquals(runAs, interceptor.getRunAsManager());

View Full Code Here

Examples of org.springframework.security.access.intercept.RunAsManager

        interceptor.afterPropertiesSet();
    }


    @Test(expected=IllegalArgumentException.class)
    public void intitalizationRejectsRunAsManagerThatDoesNotSupportMethodInvocation() throws Exception {
        final RunAsManager ram = mock(RunAsManager.class);
        when(ram.supports(MethodInvocation.class)).thenReturn(false);
        interceptor.setRunAsManager(ram);
        interceptor.afterPropertiesSet();
    }

View Full Code Here

Examples of org.springframework.security.access.intercept.RunAsManager

    @Test
    public void runAsReplacementIsCorrectlySet() throws Exception {
        SecurityContext ctx = SecurityContextHolder.getContext();
        ctx.setAuthentication(token);
        token.setAuthenticated(true);
        final RunAsManager runAs = mock(RunAsManager.class);
        final RunAsUserToken runAsToken =
            new RunAsUserToken("key", "someone", "creds", token.getAuthorities(), TestingAuthenticationToken.class);
        interceptor.setRunAsManager(runAs);
        mdsReturnsUserRole();
        when(runAs.buildRunAs(eq(token), any(MethodInvocation.class), any(List.class))).thenReturn(runAsToken);


        String result = advisedTarget.makeUpperCase("hello");
        assertEquals("HELLO org.springframework.security.access.intercept.RunAsUserToken true", result);
        // Check we've changed back
        assertSame(ctx, SecurityContextHolder.getContext());

View Full Code Here

Examples of org.springframework.security.access.intercept.RunAsManager

        createTarget(true);
        when(realTarget.makeUpperCase(anyString())).thenThrow(new RuntimeException());
        SecurityContext ctx = SecurityContextHolder.getContext();
        ctx.setAuthentication(token);
        token.setAuthenticated(true);
        final RunAsManager runAs = mock(RunAsManager.class);
        final RunAsUserToken runAsToken =
            new RunAsUserToken("key", "someone", "creds", token.getAuthorities(), TestingAuthenticationToken.class);
        interceptor.setRunAsManager(runAs);
        mdsReturnsUserRole();
        when(runAs.buildRunAs(eq(token), any(MethodInvocation.class), any(List.class))).thenReturn(runAsToken);


        try {
            advisedTarget.makeUpperCase("hello");
            fail("Expected Exception");
        }catch(RuntimeException success) {}

View Full Code Here

Examples of org.springframework.security.access.intercept.RunAsManager

                .setAfterInvocationManager(afterInvocationManager());
        methodSecurityInterceptor
                .setAuthenticationManager(authenticationManager());
        methodSecurityInterceptor
                .setSecurityMetadataSource(methodSecurityMetadataSource());
        RunAsManager runAsManager = runAsManager();
        if (runAsManager != null) {
            methodSecurityInterceptor.setRunAsManager(runAsManager);
        }
        return methodSecurityInterceptor;
    }

View Full Code Here

TOP

All source code are property of their respective owners. Java is a trademark of Sun Microsystems, Inc and owned by ORACLE Inc. Contact coftware#gmail.com.