summaryrefslogtreecommitdiff
path: root/src/main/java/dev/dnpm/security/FormBasedSecurityAspects.java
diff options
context:
space:
mode:
Diffstat (limited to 'src/main/java/dev/dnpm/security/FormBasedSecurityAspects.java')
-rw-r--r--src/main/java/dev/dnpm/security/FormBasedSecurityAspects.java51
1 files changed, 51 insertions, 0 deletions
diff --git a/src/main/java/dev/dnpm/security/FormBasedSecurityAspects.java b/src/main/java/dev/dnpm/security/FormBasedSecurityAspects.java
new file mode 100644
index 0000000..eb80d47
--- /dev/null
+++ b/src/main/java/dev/dnpm/security/FormBasedSecurityAspects.java
@@ -0,0 +1,51 @@
+package dev.dnpm.security;
+
+import de.itc.onkostar.api.Procedure;
+import org.aspectj.lang.JoinPoint;
+import org.aspectj.lang.annotation.AfterReturning;
+import org.aspectj.lang.annotation.Aspect;
+import org.aspectj.lang.annotation.Before;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.security.core.context.SecurityContextHolder;
+
+import java.util.Arrays;
+
+// TODO Disabled for now - check bytecode reported incompatibility for older OS installations
+//@Component
+@Aspect
+public class FormBasedSecurityAspects {
+
+ private final Logger logger = LoggerFactory.getLogger(this.getClass());
+
+ private final FormBasedPermissionEvaluator permissionEvaluator;
+
+ public FormBasedSecurityAspects(
+ final FormBasedPermissionEvaluator permissionEvaluator
+ ) {
+ this.permissionEvaluator = permissionEvaluator;
+ }
+
+ @AfterReturning(value = "@annotation(dev.dnpm.security.FormSecuredResult)", returning = "procedure")
+ public void afterProcedureFormBased(Procedure procedure) {
+ if (
+ null != procedure
+ && ! permissionEvaluator.hasPermission(SecurityContextHolder.getContext().getAuthentication(), procedure, PermissionType.READ_WRITE)
+ ) {
+ logger.warn("Rückgabe von Prozedur blockiert: {}", procedure.getId());
+ throw new IllegalSecuredObjectAccessException();
+ }
+ }
+
+ @Before(value = "@annotation(dev.dnpm.security.FormSecured)")
+ public void beforeProcedureFormBased(JoinPoint jp) {
+ Arrays.stream(jp.getArgs())
+ .filter(arg -> arg instanceof Procedure)
+ .forEach(procedure -> {
+ if (! permissionEvaluator.hasPermission(SecurityContextHolder.getContext().getAuthentication(), procedure, PermissionType.READ_WRITE)) {
+ logger.warn("Zugriff auf Prozedur blockiert: {}", ((Procedure)procedure).getId());
+ throw new IllegalSecuredObjectAccessException();
+ }
+ });
+ }
+}
generated by cgit v1.2.3 (git 2.25.1) at 2026-06-01 02:37:07 +0000