1   package org.springframework.security.oauth.provider.expression;
2   
3   import java.util.List;
4   import java.util.Set;
5   
6   import org.aopalliance.intercept.MethodInvocation;
7   import org.springframework.core.convert.TypeDescriptor;
8   import org.springframework.expression.AccessException;
9   import org.springframework.expression.EvaluationContext;
10  import org.springframework.expression.MethodExecutor;
11  import org.springframework.expression.MethodResolver;
12  import org.springframework.expression.TypedValue;
13  import org.springframework.expression.spel.support.StandardEvaluationContext;
14  import org.springframework.security.access.expression.SecurityExpressionRoot;
15  import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
16  import org.springframework.security.core.Authentication;
17  import org.springframework.security.core.GrantedAuthority;
18  import org.springframework.security.core.authority.AuthorityUtils;
19  import org.springframework.security.oauth.provider.OAuthAuthenticationDetails;
20  
/**
 * Method-security expression handler that exposes OAuth consumer checks to SpEL.
 *
 * <p>On top of the standard evaluation context it registers a {@link MethodResolver}
 * that answers three additional expression methods when the target is a
 * {@link SecurityExpressionRoot}:
 * <ul>
 * <li>{@code oauthConsumerHasRole(...)} / {@code oauthConsumerHasAnyRole(...)} &mdash; true when the
 * current authentication carries {@link OAuthAuthenticationDetails} and at least one of the named
 * authorities is granted to the consumer;</li>
 * <li>{@code denyOAuthConsumer()} &mdash; true when the authentication does <em>not</em> carry
 * {@link OAuthAuthenticationDetails}.</li>
 * </ul>
 *
 * <p>Role names are compared verbatim against the consumer's granted authority strings; no role
 * prefix is added, so callers must spell the authority exactly as it was granted. Any
 * authentication without OAuth consumer details fails the role checks (closed by default).
 *
 * @author Ryan Heaton
 * @author Dave Syer
 */
public class OAuthMethodSecurityExpressionHandler extends DefaultMethodSecurityExpressionHandler {

	/**
	 * Builds the standard context and registers the OAuth-aware method resolver on it.
	 *
	 * @param auth the authentication being evaluated
	 * @param mi the secured method invocation
	 * @return the context from the superclass, with {@link OAuthMethodResolver} added
	 */
	@Override
	public StandardEvaluationContext createEvaluationContextInternal(Authentication auth, MethodInvocation mi) {
		StandardEvaluationContext context = super.createEvaluationContextInternal(auth, mi);
		MethodResolver oauthResolver = new OAuthMethodResolver();
		context.addMethodResolver(oauthResolver);
		return context;
	}

	/**
	 * Tests whether the OAuth consumer behind the current authentication holds any of the given roles.
	 *
	 * <p>Matching is an exact string comparison against the consumer's granted authorities; no
	 * prefix is applied.
	 *
	 * @param root the expression root supplying the authentication
	 * @param roles authority names to look for
	 * @return true if the authentication carries {@link OAuthAuthenticationDetails} and at least one
	 * role is among the consumer's authorities; false otherwise, including when the consumer has no
	 * authority list at all
	 */
	public static boolean consumerHasAnyRole(SecurityExpressionRoot root, String... roles) {
		Object details = root.getAuthentication().getDetails();
		if (!(details instanceof OAuthAuthenticationDetails)) {
			// Not an OAuth consumer authentication: nothing to match, deny.
			return false;
		}
		// NOTE(review): assumes getConsumerDetails() is never null here — confirm against OAuthAuthenticationDetails
		List<GrantedAuthority> granted = ((OAuthAuthenticationDetails) details).getConsumerDetails().getAuthorities();
		if (granted == null) {
			return false;
		}
		Set<String> grantedNames = AuthorityUtils.authorityListToSet(granted);
		for (String candidate : roles) {
			if (grantedNames.contains(candidate)) {
				return true;
			}
		}
		return false;
	}

	/**
	 * Tests whether the current authentication was established for an OAuth consumer.
	 *
	 * @param root the expression root supplying the authentication
	 * @return true if the authentication's details are {@link OAuthAuthenticationDetails}
	 */
	public static boolean isOAuthConsumerAuth(SecurityExpressionRoot root) {
		Object details = root.getAuthentication().getDetails();
		return details instanceof OAuthAuthenticationDetails;
	}

	/**
	 * Resolves the OAuth expression method names to their executors.
	 *
	 * <p>Only targets that are a {@link SecurityExpressionRoot} are handled; for any other target or
	 * an unknown name the resolver returns null so the remaining resolvers get a chance.
	 */
	private static class OAuthMethodResolver implements MethodResolver {
		public MethodExecutor resolve(EvaluationContext context, Object targetObject, String name,
				List<TypeDescriptor> argumentTypes) throws AccessException {
			if (!(targetObject instanceof SecurityExpressionRoot)) {
				return null;
			}
			boolean roleCheck = "oauthConsumerHasRole".equals(name) || "oauthConsumerHasAnyRole".equals(name);
			if (roleCheck) {
				return new OAuthClientRoleExecutor();
			}
			if ("denyOAuthConsumer".equals(name)) {
				return new DenyOAuthClientRoleExecutor();
			}
			return null;
		}

	}

	/**
	 * Executor behind {@code oauthConsumerHasRole} / {@code oauthConsumerHasAnyRole}.
	 *
	 * <p>Every argument is converted with {@link String#valueOf(Object)} and passed to
	 * {@link #consumerHasAnyRole(SecurityExpressionRoot, String...)}. The cast of the target is
	 * safe because {@link OAuthMethodResolver} only hands out this executor for a
	 * {@link SecurityExpressionRoot}.
	 */
	private static class OAuthClientRoleExecutor implements MethodExecutor {
		public TypedValue execute(EvaluationContext context, Object target, Object... arguments) throws AccessException {
			int count = arguments.length;
			String[] roleNames = new String[count];
			int pos = 0;
			for (Object argument : arguments) {
				roleNames[pos] = String.valueOf(argument);
				pos++;
			}
			SecurityExpressionRoot root = (SecurityExpressionRoot) target;
			boolean granted = consumerHasAnyRole(root, roleNames);
			return new TypedValue(granted);
		}
	}

	/**
	 * Executor behind {@code denyOAuthConsumer}: yields the negation of
	 * {@link #isOAuthConsumerAuth(SecurityExpressionRoot)}. Arguments are ignored.
	 */
	private static class DenyOAuthClientRoleExecutor implements MethodExecutor {
		public TypedValue execute(EvaluationContext context, Object target, Object... arguments) throws AccessException {
			SecurityExpressionRoot root = (SecurityExpressionRoot) target;
			boolean notConsumer = !isOAuthConsumerAuth(root);
			return new TypedValue(notConsumer);
		}
	}
}
92  }