1 package org.springframework.security.oauth.provider.expression;
2
3 import java.util.List;
4 import java.util.Set;
5
6 import org.aopalliance.intercept.MethodInvocation;
7 import org.springframework.core.convert.TypeDescriptor;
8 import org.springframework.expression.AccessException;
9 import org.springframework.expression.EvaluationContext;
10 import org.springframework.expression.MethodExecutor;
11 import org.springframework.expression.MethodResolver;
12 import org.springframework.expression.TypedValue;
13 import org.springframework.expression.spel.support.StandardEvaluationContext;
14 import org.springframework.security.access.expression.SecurityExpressionRoot;
15 import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
16 import org.springframework.security.core.Authentication;
17 import org.springframework.security.core.GrantedAuthority;
18 import org.springframework.security.core.authority.AuthorityUtils;
19 import org.springframework.security.oauth.provider.OAuthAuthenticationDetails;
20
21
22
23
24
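/**
 * Method security expression handler that adds OAuth consumer checks to the SpEL vocabulary
 * available in method security expressions.
 *
 * <p>Three expression methods are resolved when the expression target is a
 * {@link SecurityExpressionRoot}:
 * <ul>
 * <li>{@code oauthConsumerHasRole(...)} and {@code oauthConsumerHasAnyRole(...)}: {@code true} when
 * the OAuth consumer behind the current authentication holds at least one of the given authority
 * names. Both names are bound to the same executor, so {@code oauthConsumerHasRole('A', 'B')} is an
 * any-of check, not an all-of check.</li>
 * <li>{@code denyOAuthConsumer()}: {@code true} when the current authentication is <em>not</em> an
 * OAuth consumer authentication (its details are not {@link OAuthAuthenticationDetails}).</li>
 * </ul>
 *
 * <p>The role checks fail closed: a missing authentication, missing OAuth details, missing consumer
 * details or a missing authority list all yield {@code false} rather than throwing.
 */
public class OAuthMethodSecurityExpressionHandler extends DefaultMethodSecurityExpressionHandler {

    /**
     * Builds the evaluation context via the superclass and registers the OAuth method resolver so
     * the expression methods documented on this class become available.
     *
     * @param auth the current authentication
     * @param mi   the method invocation being secured
     * @return the superclass context with {@link OAuthMethodResolver} added
     */
    @Override
    public StandardEvaluationContext createEvaluationContextInternal(Authentication auth, MethodInvocation mi) {
        StandardEvaluationContext ec = super.createEvaluationContextInternal(auth, mi);
        ec.addMethodResolver(new OAuthMethodResolver());
        return ec;
    }

    /**
     * Returns whether the OAuth consumer behind the current authentication holds at least one of the
     * given authorities. Matching is an exact, case-sensitive comparison of authority names.
     *
     * @param root  the expression root carrying the current {@link Authentication}
     * @param roles authority names to test; {@code null} or empty yields {@code false}
     * @return {@code true} if the authentication carries {@link OAuthAuthenticationDetails} whose
     *         consumer has any of {@code roles}; {@code false} otherwise, including when there is no
     *         authentication, no OAuth details, no consumer details or no authority list
     */
    public static boolean consumerHasAnyRole(SecurityExpressionRoot root, String... roles) {
        if (roles == null || roles.length == 0) {
            return false;
        }
        OAuthAuthenticationDetails details = oauthDetails(root);
        if (details == null) {
            return false;
        }
        // NOTE(review): the consumer details are assumed to be populated by the OAuth provider
        // filter that built the details object; guarded anyway so a malformed details object denies
        // rather than throws.
        if (details.getConsumerDetails() == null) {
            return false;
        }
        List<GrantedAuthority> consumerAuthorities = details.getConsumerDetails().getAuthorities();
        if (consumerAuthorities == null) {
            return false;
        }
        Set<String> granted = AuthorityUtils.authorityListToSet(consumerAuthorities);
        for (String role : roles) {
            if (granted.contains(role)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Returns whether the current authentication is an OAuth consumer authentication, i.e. its
     * details object is an {@link OAuthAuthenticationDetails}.
     *
     * @param root the expression root carrying the current {@link Authentication}
     * @return {@code true} for an OAuth consumer authentication; {@code false} otherwise, including
     *         when there is no authentication
     */
    public static boolean isOAuthConsumerAuth(SecurityExpressionRoot root) {
        return oauthDetails(root) != null;
    }

    /**
     * Extracts the OAuth details from the root's authentication.
     *
     * @param root the expression root
     * @return the {@link OAuthAuthenticationDetails}, or {@code null} when there is no authentication
     *         or its details are of another type
     */
    private static OAuthAuthenticationDetails oauthDetails(SecurityExpressionRoot root) {
        Authentication authentication = root.getAuthentication();
        if (authentication == null) {
            return null;
        }
        Object details = authentication.getDetails();
        if (details instanceof OAuthAuthenticationDetails) {
            return (OAuthAuthenticationDetails) details;
        }
        return null;
    }

    /**
     * Resolves the OAuth expression method names to their executors. Only the method name and the
     * target type are inspected; {@code argumentTypes} is not checked, so no arity validation happens
     * here (the executors tolerate any argument count).
     */
    private static class OAuthMethodResolver implements MethodResolver {
        public MethodExecutor resolve(EvaluationContext context, Object targetObject, String name,
                List<TypeDescriptor> argumentTypes) throws AccessException {
            if (!(targetObject instanceof SecurityExpressionRoot)) {
                return null;
            }
            if ("oauthConsumerHasRole".equals(name) || "oauthConsumerHasAnyRole".equals(name)) {
                return new OAuthClientRoleExecutor();
            }
            if ("denyOAuthConsumer".equals(name)) {
                return new DenyOAuthClientRoleExecutor();
            }
            // Not one of ours; let the remaining resolvers (e.g. reflection) handle it.
            return null;
        }
    }

    /**
     * Executor for {@code oauthConsumerHasRole} / {@code oauthConsumerHasAnyRole}: every argument is
     * converted with {@link String#valueOf(Object)} (a {@code null} argument becomes the literal
     * {@code "null"}) and passed to {@link #consumerHasAnyRole(SecurityExpressionRoot, String...)}.
     */
    private static class OAuthClientRoleExecutor implements MethodExecutor {
        public TypedValue execute(EvaluationContext context, Object target, Object... arguments) throws AccessException {
            Object[] args = arguments == null ? new Object[0] : arguments;
            String[] roles = new String[args.length];
            for (int i = 0; i < args.length; i++) {
                roles[i] = String.valueOf(args[i]);
            }
            // The resolver only hands out this executor for SecurityExpressionRoot targets.
            return new TypedValue(consumerHasAnyRole((SecurityExpressionRoot) target, roles));
        }
    }

    /**
     * Executor for {@code denyOAuthConsumer}: ignores its arguments and returns the negation of
     * {@link #isOAuthConsumerAuth(SecurityExpressionRoot)}.
     */
    private static class DenyOAuthClientRoleExecutor implements MethodExecutor {
        public TypedValue execute(EvaluationContext context, Object target, Object... arguments) throws AccessException {
            // The resolver only hands out this executor for SecurityExpressionRoot targets.
            return new TypedValue(!isOAuthConsumerAuth((SecurityExpressionRoot) target));
        }
    }
}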