1   /*
2    * Copyright (c) MuleSoft, Inc.  All rights reserved.  http://www.mulesoft.com
3    * The software in this package is published under the terms of the CPAL v1.0
4    * license, a copy of which has been included with this distribution in the
5    * LICENSE.txt file.
6    */
7   package org.mule.module.spring.security;
8   
9   import org.mule.api.MuleEvent;
10  import org.mule.api.lifecycle.InitialisationException;
11  import org.mule.api.security.Authentication;
12  import org.mule.api.security.CryptoFailureException;
13  import org.mule.api.security.EncryptionStrategyNotFoundException;
14  import org.mule.api.security.NotPermittedException;
15  import org.mule.api.security.SecurityException;
16  import org.mule.api.security.SecurityProviderNotFoundException;
17  import org.mule.api.security.UnauthorisedException;
18  import org.mule.api.security.UnknownAuthenticationTypeException;
19  import org.mule.config.i18n.CoreMessages;
20  import org.mule.module.spring.security.i18n.SpringSecurityMessages;
21  import org.mule.security.AbstractSecurityFilter;
22  
23  import java.text.MessageFormat;
24  import java.util.Collection;
25  import java.util.HashSet;
26  
27  import edu.emory.mathcs.backport.java.util.Arrays;
28  
29  import org.apache.commons.logging.Log;
30  import org.apache.commons.logging.LogFactory;
31  import org.springframework.security.core.GrantedAuthority;
32  
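/**
 * Authorizes user access based on the required authorities for a user.
 * <p>
 * An event is permitted when the authenticated principal holds at least one of the
 * configured required authorities. Every other outcome is a denial: no authentication on
 * the session, an authentication that is not a {@link SpringAuthenticationAdapter}, a
 * principal without authorities, or an empty set of required authorities.
 */
public class AuthorizationFilter extends AbstractSecurityFilter
{
    protected final Log logger = LogFactory.getLog(getClass());

    // Authority names of which the principal must hold at least one. Never null: the
    // setter replaces a null argument with an empty set, which denies every principal.
    private Collection<String> requiredAuthorities = new HashSet<String>();

    /**
     * Checks that the principal attached to the event's session holds at least one of the
     * required authorities, and returns normally only in that case.
     *
     * @param event the event whose session security context carries the authentication
     * @throws UnauthorisedException if the session has no authentication, or the
     *             authentication is not a {@link SpringAuthenticationAdapter}
     * @throws NotPermittedException if the principal holds none of the required
     *             authorities (including when no required authorities are configured)
     */
    public void doFilter(MuleEvent event)
        throws SecurityException, UnknownAuthenticationTypeException, CryptoFailureException,
        SecurityProviderNotFoundException, EncryptionStrategyNotFoundException, InitialisationException
    {
        Authentication auth = event.getSession().getSecurityContext().getAuthentication();
        if (auth == null)
        {
            throw new UnauthorisedException(CoreMessages.authNoCredentials());
        }

        // Authorities can only be read from the Spring adapter; any other authentication
        // type is rejected rather than treated as "no authorities required".
        if (!(auth instanceof SpringAuthenticationAdapter))
        {
            throw new UnauthorisedException(SpringSecurityMessages.springAuthenticationRequired());
        }

        SpringAuthenticationAdapter springAuth = (SpringAuthenticationAdapter) auth;

        String principalName = springAuth.getName();
        GrantedAuthority[] authorities = springAuth.getAuthorities();

        // Deny by default; the flag is raised only on an explicit match below.
        boolean authorized = false;
        if (authorities != null)
        {
            if (logger.isDebugEnabled())
            {
                logger.debug("Found authorities '" + Arrays.toString(authorities) + "' for principal '"
                             + principalName + "'.");
            }

            for (GrantedAuthority authority : authorities)
            {
                // A missing authority, or one without a string form, must never match:
                // otherwise a null entry in the required collection would grant access.
                String authorityName = (authority == null) ? null : authority.getAuthority();
                if (authorityName != null && requiredAuthorities.contains(authorityName))
                {
                    authorized = true;
                    break; // one matching authority is sufficient
                }
            }
        }

        if (!authorized)
        {
            // NOTE(review): the principal name and authority strings are written to the log
            // unescaped. If they can carry caller-controlled characters such as line breaks,
            // neutralise them here or in the log layout - confirm against the authentication
            // provider in use.
            logger.info(MessageFormat.format("Could not find required authorities for {0}. Required authorities: {1}. Authorities found: {2}.", 
                principalName, Arrays.toString(requiredAuthorities.toArray()), Arrays.toString(authorities)));
            throw new NotPermittedException(SpringSecurityMessages.noGrantedAuthority(principalName));
        }
    }

    /**
     * Returns the authorities of which a principal must hold at least one.
     * <p>
     * This is the live collection used by {@link #doFilter(MuleEvent)}, not a copy, so
     * changes made through the returned reference alter the authorization decision.
     *
     * @return the required authority names, never {@code null}
     */
    public Collection<String> getRequiredAuthorities()
    {
        return requiredAuthorities;
    }

    /**
     * Sets the authorities of which a principal must hold at least one.
     * <p>
     * The collection is stored by reference, so later changes by the caller remain visible
     * to the filter. A {@code null} argument is stored as an empty set, which makes the
     * filter deny every principal instead of failing with a
     * {@link NullPointerException} while an event is being filtered.
     *
     * @param requiredAuthorities the required authority names, or {@code null} for none
     */
    public void setRequiredAuthorities(Collection<String> requiredAuthorities)
    {
        this.requiredAuthorities = (requiredAuthorities != null)
            ? requiredAuthorities
            : new HashSet<String>();
    }
}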
98  }