diff --git a/security/src/main/java/org/genesys/blocks/security/SecurityContextUtil.java b/security/src/main/java/org/genesys/blocks/security/SecurityContextUtil.java
index ebbfd1b8596b94899eb027b0db8e2ef9fabe43e2..d8d4289f314a095de84ec198240eb5ce3ec578f3 100644
--- a/security/src/main/java/org/genesys/blocks/security/SecurityContextUtil.java
+++ b/security/src/main/java/org/genesys/blocks/security/SecurityContextUtil.java
@@ -18,9 +18,14 @@ package org.genesys.blocks.security;
 
 import org.genesys.blocks.security.model.AclSid;
 import org.genesys.blocks.security.model.BasicUser;
+import org.genesys.blocks.util.CurrentApplicationContext;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.springframework.beans.BeansException;
+import org.springframework.context.ApplicationContext;
+import org.springframework.security.access.PermissionEvaluator;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.userdetails.UserDetails;
 
@@ -32,6 +37,23 @@ public class SecurityContextUtil {
 /** The Constant LOG. */
 public static final Logger LOG = LoggerFactory.getLogger(SecurityContextUtil.class);
 
+ /** The permission evaluator. */
+ private static PermissionEvaluator permissionEvaluator;
+
+ // Context initialization
+ static {
+ ApplicationContext context = CurrentApplicationContext.getContext();
+ if (context != null) {
+ try {
+ permissionEvaluator = context.getBean(PermissionEvaluator.class);
+ } catch (BeansException e) {
+ LOG.warn("Could not find PermissionEvaluator instance in your context");
+ }
+ } else {
+ LOG.warn("You should initialize a bean instance of org.genesys.blocks.util.CurrentApplicationContext in your context");
+ }
+ }
+
 /**
 * Gets the username.
 *
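Review bot: The PermissionEvaluator is looked up exactly once, in the static initializer, so if SecurityContextUtil is loaded before CurrentApplicationContext has a context (getContext() returning null), permissionEvaluator stays null for the life of the JVM and every later hasPermission call fails closed after only a single warning emitted at class-load time. A lazy lookup on first use, or a setter CurrentApplicationContext can invoke once the context is ready, would make the outcome independent of class-load order; whether the application guarantees that order is not visible from this diff. The catch of BeansException also drops the exception object, so the log shows only the fixed message; `LOG.warn("Could not find PermissionEvaluator instance in your context", e);` keeps the cause. The Javadoc on the field should state that a null value means all permission checks are denied, e.g. `/** The permission evaluator; null when not resolvable, in which case hasPermission always returns false. */`.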
@@ -90,4 +112,43 @@ public class SecurityContextUtil {
 return null;
 }
+
+ /**
+ * Checks for role.
+ *
+ * @param role the role
+ * @return true, if successful
+ */
+ public static boolean hasRole(String role) {
+ final Authentication auth = SecurityContextHolder.getContext().getAuthentication();
+ if (auth != null) {
+ for (GrantedAuthority authority : auth.getAuthorities()) {
+ if (authority.getAuthority().equals("ROLE_" + role)) {
+ return true;
+ }
+ }
+ }
+ return false;
+ }
+
+ /**
+ * Checks for permission.
+ *
+ * @param targetDomainObject the target domain object
+ * @param permission the permission
+ * @return true, if successful
+ */
+ public static boolean hasPermission(Object targetDomainObject, Object permission) {
+ if (permissionEvaluator == null) {
+ LOG.warn("permissionEvaluator not available. No permissions.");
+ return false;
+ }
+
+ final Authentication auth = SecurityContextHolder.getContext().getAuthentication();
+ if (auth != null) {
+ return permissionEvaluator.hasPermission(auth, targetDomainObject, permission);
+ } else {
+ return false;
+ }
+ }
 
 }
diff --git a/security/src/main/java/org/genesys/blocks/security/serialization/CurrentPermissionsWriter.java b/security/src/main/java/org/genesys/blocks/security/serialization/CurrentPermissionsWriter.java
index 2f25c9ee67919395816600e1e70b44bfca06e354..1363fc5cb2f863e41f082b90da8b0ae4df847f7d 100644
--- a/security/src/main/java/org/genesys/blocks/security/serialization/CurrentPermissionsWriter.java
+++ b/security/src/main/java/org/genesys/blocks/security/serialization/CurrentPermissionsWriter.java
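Review bot: In hasRole, `authority.getAuthority().equals("ROLE_" + role)` dereferences the authority string, and the GrantedAuthority contract allows getAuthority() to return null for an authority that cannot be expressed as a String, so a single such authority aborts the loop with a NullPointerException instead of being skipped; the reversed comparison `if (("ROLE_" + role).equals(authority.getAuthority())) {` is null-safe, and computing the prefixed name once above the loop avoids rebuilding it per authority. The hard-coded `ROLE_` prefix means callers must pass the bare role name (the other file in this diff calls `hasRole("ADMINISTRATOR")`), which the Javadoc should say: `@param role the role name without the ROLE_ prefix`. In hasPermission, the null-evaluator branch logs a warning on every call, a log-flooding risk when a serializer asks for five permissions per bean in a list; a single warning at initialization plus a debug-level message here would be quieter without weakening the fail-closed `return false`. Both `@return true, if successful` lines say nothing about the false case and should state that false is also returned when there is no Authentication or no evaluator.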
@@ -15,6 +15,14 @@
 */
 package org.genesys.blocks.security.serialization;
 
+import org.genesys.blocks.security.SecurityContextUtil;
+import org.genesys.blocks.security.model.AclAwareModel;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.security.acls.domain.BasePermission;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+
 import com.fasterxml.jackson.core.JsonGenerator;
 import com.fasterxml.jackson.databind.JavaType;
 import com.fasterxml.jackson.databind.SerializerProvider;
@@ -24,19 +32,6 @@ import com.fasterxml.jackson.databind.introspect.BeanPropertyDefinition;
 import com.fasterxml.jackson.databind.ser.VirtualBeanPropertyWriter;
 import com.fasterxml.jackson.databind.util.Annotations;
 
-import java.util.concurrent.atomic.AtomicBoolean;
-
-import org.genesys.blocks.security.model.AclAwareModel;
-import org.genesys.blocks.util.CurrentApplicationContext;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.beans.BeansException;
-import org.springframework.context.ApplicationContext;
-import org.springframework.security.access.PermissionEvaluator;
-import org.springframework.security.acls.domain.BasePermission;
-import org.springframework.security.core.Authentication;
-import org.springframework.security.core.context.SecurityContextHolder;
-
 /**
 * The CurrentPermissionsWriter is applied to {@link AclAwareModel} and it
 * instructs Jackson to to include {@link Permissions} for current SID for every
@@ -64,26 +59,10 @@ public class CurrentPermissionsWriter extends VirtualBeanPropertyWriter {
 /** The Constant serialVersionUID. */
 private static final long serialVersionUID = 1L;
 
- /** The permission evaluator. */
- private static PermissionEvaluator permissionEvaluator;
 
 private static final Permissions NO_PERMISSIONS = new Permissions().grantNone();
 private static final Permissions ALL_PERMISSIONS = new Permissions().grantAll();
 
- // Context initialization
- static {
- ApplicationContext context = CurrentApplicationContext.getContext();
- if (context != null) {
- try {
- permissionEvaluator = context.getBean(PermissionEvaluator.class);
- } catch (BeansException e) {
- LOG.warn("Could not find PermissionEvaluator instance in your context");
- }
- } else {
- LOG.warn("You should initialize a bean instance of org.genesys.blocks.util.CurrentApplicationContext in your context");
- }
- }
-
 /**
 * Instantiates a new current permissions writer.
 */
@@ -116,32 +95,22 @@ public class CurrentPermissionsWriter extends VirtualBeanPropertyWriter {
 if (authentication == null) {
 return NO_PERMISSIONS;
 }
- AtomicBoolean isAdmin = new AtomicBoolean(false);
- authentication.getAuthorities().forEach(authority -> {
- // We don't have a Role.ADMINSITRATOR defined so we use a String comparison.
- if ("ROLE_ADMINISTRATOR".equals(authority.getAuthority())) {
- isAdmin.set(true);
- }
- });
- if (isAdmin.get()) {
+
+ if (SecurityContextUtil.hasRole("ADMINISTRATOR")) {
 return ALL_PERMISSIONS;
 }
- if (permissionEvaluator != null) {
- if (authentication != null) {
- Permissions perms = new Permissions();
- try {
- perms.create = permissionEvaluator.hasPermission(authentication, bean, BasePermission.CREATE);
- perms.read = permissionEvaluator.hasPermission(authentication, bean, BasePermission.READ);
- perms.write = permissionEvaluator.hasPermission(authentication, bean, BasePermission.WRITE);
- perms.delete = permissionEvaluator.hasPermission(authentication, bean, BasePermission.DELETE);
- perms.manage = permissionEvaluator.hasPermission(authentication, bean, BasePermission.ADMINISTRATION);
- } catch (Throwable e) {
- LOG.warn("Could not read current permissions {}", e.getMessage());
- }
- return perms;
- }
+
+ Permissions perms = new Permissions();
+ try {
+ perms.create = SecurityContextUtil.hasPermission(bean, BasePermission.CREATE);
+ perms.read = SecurityContextUtil.hasPermission(bean, BasePermission.READ);
+ perms.write = SecurityContextUtil.hasPermission(bean, BasePermission.WRITE);
+ perms.delete = SecurityContextUtil.hasPermission(bean, BasePermission.DELETE);
+ perms.manage = SecurityContextUtil.hasPermission(bean, BasePermission.ADMINISTRATION);
+ } catch (Throwable e) {
+ LOG.warn("Could not read current permissions {}", e.getMessage());
 }
- return null;
+ return perms;
 }
 
 /*
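Review bot: The five SecurityContextUtil.hasPermission calls each re-read the Authentication from SecurityContextHolder even though `authentication` was already fetched and null-checked a few lines above, and when no evaluator is available each call returns false after logging its own warning, so one serialized bean now yields five warnings where the old code emitted none; for a list of beans that is a log-flooding risk. The result is still fail-closed (all flags false), which is the right default, but the number of lookups and warnings should be one per bean, which needs a way to ask SecurityContextUtil once whether the evaluator exists, not something this hunk can add on its own. `catch (Throwable e)` with `e.getMessage()` also swallows Errors and loses the stack trace; `} catch (RuntimeException e) { LOG.warn("Could not read current permissions", e); }` is the narrower form, with the message unchanged only if the `{}` placeholder is dropped. The enclosing method begins outside the hunk.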