From f2dc5b014d68fa61bacd5f9928eedd0c4c882070 Mon Sep 17 00:00:00 2001 From: Paul-Christian Volkmer Date: Mon, 10 Apr 2023 14:56:15 +0200 Subject: Issue #24: Annotationen für formularbasierte Berechtigungsprüfung --- .../DNPM/security/FormBasedSecurityAspects.java | 51 +++++++++++++++ src/main/java/DNPM/security/FormSecured.java | 14 ++++ src/main/java/DNPM/security/FormSecuredResult.java | 14 ++++ .../security/PersonPoolBasedSecurityAspects.java | 74 ++++++++++++++++++++++ src/main/java/DNPM/security/SecurityAspects.java | 74 ---------------------- 5 files changed, 153 insertions(+), 74 deletions(-) create mode 100644 src/main/java/DNPM/security/FormBasedSecurityAspects.java create mode 100644 src/main/java/DNPM/security/FormSecured.java create mode 100644 src/main/java/DNPM/security/FormSecuredResult.java create mode 100644 src/main/java/DNPM/security/PersonPoolBasedSecurityAspects.java delete mode 100644 src/main/java/DNPM/security/SecurityAspects.java (limited to 'src/main/java/DNPM') diff --git a/src/main/java/DNPM/security/FormBasedSecurityAspects.java b/src/main/java/DNPM/security/FormBasedSecurityAspects.java new file mode 100644 index 0000000..3dea944 --- /dev/null +++ b/src/main/java/DNPM/security/FormBasedSecurityAspects.java @@ -0,0 +1,51 @@ +package DNPM.security; + +import de.itc.onkostar.api.Procedure; +import org.aspectj.lang.JoinPoint; +import org.aspectj.lang.annotation.AfterReturning; +import org.aspectj.lang.annotation.Aspect; +import org.aspectj.lang.annotation.Before; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.security.core.context.SecurityContextHolder; +import org.springframework.stereotype.Component; + +import java.util.Arrays; + +@Component +@Aspect +public class FormBasedSecurityAspects { + + private final Logger logger = LoggerFactory.getLogger(this.getClass()); + + private final FormBasedPermissionEvaluator permissionEvaluator; + + public FormBasedSecurityAspects( + final FormBasedPermissionEvaluator permissionEvaluator + ) { + this.permissionEvaluator = permissionEvaluator; + } + + @AfterReturning(value = "@annotation(FormSecuredResult)", returning = "procedure") + public void afterProcedureFormBased(Procedure procedure) { + if ( + null != procedure + && ! permissionEvaluator.hasPermission(SecurityContextHolder.getContext().getAuthentication(), procedure, PermissionType.READ_WRITE) + ) { + logger.warn("Rückgabe von Prozedur blockiert: {}", procedure.getId()); + throw new IllegalSecuredObjectAccessException(); + } + } + + @Before(value = "@annotation(FormSecured)") + public void beforeProcedureFormBased(JoinPoint jp) { + Arrays.stream(jp.getArgs()) + .filter(arg -> arg instanceof Procedure) + .forEach(procedure -> { + if (! permissionEvaluator.hasPermission(SecurityContextHolder.getContext().getAuthentication(), procedure, PermissionType.READ_WRITE)) { + logger.warn("Zugriff auf Prozedur blockiert: {}", ((Procedure)procedure).getId()); + throw new IllegalSecuredObjectAccessException(); + } + }); + } +} diff --git a/src/main/java/DNPM/security/FormSecured.java b/src/main/java/DNPM/security/FormSecured.java new file mode 100644 index 0000000..2e12667 --- /dev/null +++ b/src/main/java/DNPM/security/FormSecured.java @@ -0,0 +1,14 @@ +package DNPM.security; + +import java.lang.annotation.ElementType; +import java.lang.annotation.Retention; +import java.lang.annotation.RetentionPolicy; +import java.lang.annotation.Target; + +@Retention(RetentionPolicy.RUNTIME) +@Target(ElementType.METHOD) +public @interface FormSecured { + + PermissionType value() default PermissionType.READ_WRITE; + +} diff --git a/src/main/java/DNPM/security/FormSecuredResult.java b/src/main/java/DNPM/security/FormSecuredResult.java new file mode 100644 index 0000000..ccfbd24 --- /dev/null +++ b/src/main/java/DNPM/security/FormSecuredResult.java @@ -0,0 +1,14 @@ +package DNPM.security; + +import java.lang.annotation.ElementType; +import java.lang.annotation.Retention; +import java.lang.annotation.RetentionPolicy; +import java.lang.annotation.Target; + +@Retention(RetentionPolicy.RUNTIME) +@Target(ElementType.METHOD) +public @interface FormSecuredResult { + + PermissionType value() default PermissionType.READ_WRITE; + +} diff --git a/src/main/java/DNPM/security/PersonPoolBasedSecurityAspects.java b/src/main/java/DNPM/security/PersonPoolBasedSecurityAspects.java new file mode 100644 index 0000000..37c313f --- /dev/null +++ b/src/main/java/DNPM/security/PersonPoolBasedSecurityAspects.java @@ -0,0 +1,74 @@ +package DNPM.security; + +import de.itc.onkostar.api.Patient; +import de.itc.onkostar.api.Procedure; +import org.aspectj.lang.JoinPoint; +import org.aspectj.lang.annotation.AfterReturning; +import org.aspectj.lang.annotation.Aspect; +import org.aspectj.lang.annotation.Before; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.security.core.context.SecurityContextHolder; +import org.springframework.stereotype.Component; + +import java.util.Arrays; + +@Component +@Aspect +public class PersonPoolBasedSecurityAspects { + + private final Logger logger = LoggerFactory.getLogger(this.getClass()); + + private final PersonPoolBasedPermissionEvaluator permissionEvaluator; + + public PersonPoolBasedSecurityAspects(PersonPoolBasedPermissionEvaluator permissionEvaluator) { + this.permissionEvaluator = permissionEvaluator; + } + + @AfterReturning(value = "@annotation(PersonPoolSecuredResult) ", returning = "patient") + public void afterPatient(Patient patient) { + if ( + null != patient + && ! permissionEvaluator.hasPermission(SecurityContextHolder.getContext().getAuthentication(), patient, PermissionType.READ_WRITE) + ) { + logger.warn("Rückgabe von Patient blockiert: {}", patient.getId()); + throw new IllegalSecuredObjectAccessException(); + } + } + + @AfterReturning(value = "@annotation(PersonPoolSecuredResult)", returning = "procedure") + public void afterProcedure(Procedure procedure) { + if ( + null != procedure + && ! permissionEvaluator.hasPermission(SecurityContextHolder.getContext().getAuthentication(), procedure, PermissionType.READ_WRITE) + ) { + logger.warn("Rückgabe von Prozedur blockiert: {}", procedure.getId()); + throw new IllegalSecuredObjectAccessException(); + } + } + + @Before(value = "@annotation(PersonPoolSecured)") + public void beforePatient(JoinPoint jp) { + Arrays.stream(jp.getArgs()) + .filter(arg -> arg instanceof Patient) + .forEach(patient -> { + if (! permissionEvaluator.hasPermission(SecurityContextHolder.getContext().getAuthentication(), patient, PermissionType.READ_WRITE)) { + logger.warn("Zugriff auf Patient blockiert: {}", ((Patient)patient).getId()); + throw new IllegalSecuredObjectAccessException(); + } + }); + } + + @Before(value = "@annotation(PersonPoolSecured)") + public void beforeProcedure(JoinPoint jp) { + Arrays.stream(jp.getArgs()) + .filter(arg -> arg instanceof Procedure) + .forEach(procedure -> { + if (! permissionEvaluator.hasPermission(SecurityContextHolder.getContext().getAuthentication(), procedure, PermissionType.READ_WRITE)) { + logger.warn("Zugriff auf Prozedur blockiert: {}", ((Procedure)procedure).getId()); + throw new IllegalSecuredObjectAccessException(); + } + }); + } + +} diff --git a/src/main/java/DNPM/security/SecurityAspects.java b/src/main/java/DNPM/security/SecurityAspects.java deleted file mode 100644 index a1fcd3f..0000000 --- a/src/main/java/DNPM/security/SecurityAspects.java +++ /dev/null @@ -1,74 +0,0 @@ -package DNPM.security; - -import de.itc.onkostar.api.Patient; -import de.itc.onkostar.api.Procedure; -import org.aspectj.lang.JoinPoint; -import org.aspectj.lang.annotation.AfterReturning; -import org.aspectj.lang.annotation.Aspect; -import org.aspectj.lang.annotation.Before; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; -import org.springframework.security.core.context.SecurityContextHolder; -import org.springframework.stereotype.Component; - -import java.util.Arrays; - -@Component -@Aspect -public class SecurityAspects { - - private final Logger logger = LoggerFactory.getLogger(this.getClass()); - - private final PersonPoolBasedPermissionEvaluator permissionEvaluator; - - public SecurityAspects(PersonPoolBasedPermissionEvaluator permissionEvaluator) { - this.permissionEvaluator = permissionEvaluator; - } - - @AfterReturning(value = "@annotation(PersonPoolSecuredResult) ", returning = "patient") - public void afterPatient(Patient patient) { - if ( - null != patient - && ! permissionEvaluator.hasPermission(SecurityContextHolder.getContext().getAuthentication(), patient, PermissionType.READ_WRITE) - ) { - logger.warn("Rückgabe von Patient blockiert: {}", patient.getId()); - throw new IllegalSecuredObjectAccessException(); - } - } - - @AfterReturning(value = "@annotation(PersonPoolSecuredResult)", returning = "procedure") - public void afterProcedure(Procedure procedure) { - if ( - null != procedure - && ! permissionEvaluator.hasPermission(SecurityContextHolder.getContext().getAuthentication(), procedure, PermissionType.READ_WRITE) - ) { - logger.warn("Rückgabe von Prozedur blockiert: {}", procedure.getId()); - throw new IllegalSecuredObjectAccessException(); - } - } - - @Before(value = "@annotation(PersonPoolSecured)") - public void beforePatient(JoinPoint jp) { - Arrays.stream(jp.getArgs()) - .filter(arg -> arg instanceof Patient) - .forEach(patient -> { - if (! permissionEvaluator.hasPermission(SecurityContextHolder.getContext().getAuthentication(), patient, PermissionType.READ_WRITE)) { - logger.warn("Zugriff auf Patient blockiert: {}", ((Patient)patient).getId()); - throw new IllegalSecuredObjectAccessException(); - } - }); - } - - @Before(value = "@annotation(PersonPoolSecured)") - public void beforeProcedure(JoinPoint jp) { - Arrays.stream(jp.getArgs()) - .filter(arg -> arg instanceof Procedure) - .forEach(procedure -> { - if (! permissionEvaluator.hasPermission(SecurityContextHolder.getContext().getAuthentication(), procedure, PermissionType.READ_WRITE)) { - logger.warn("Zugriff auf Prozedur blockiert: {}", ((Procedure)procedure).getId()); - throw new IllegalSecuredObjectAccessException(); - } - }); - } - -} -- cgit v1.2.3