Package org.dspace.app.rest.security

package org.dspace.app.rest.security

DSpace-specific concepts and behaviors to support Spring Security. These may be used by Spring EL expressions in Spring Security annotations.

hasPermission terms are evaluated by DSpacePermissionEvaluator, an implementation of Spring's PermissionEvaluator. It tests access to specific model objects (Item, EPerson etc.) using those objects' policies. It is injected with a collection of RestPermissionEvaluatorPlugins which do the work.

hasAuthority terms are implemented by GrantedAuthority implementations such as EPersonRestAuthenticationProvider. These test for authorization properties of the session itself, such as membership in the site administrators group.

*PermissionEvaluatorPlugin classes test permission for specific types of objects. They implement RestPermissionEvaluatorPlugin.

Other classes TBD:

• *Filter
• *Configuration

Related Packages

Package	Description
org.dspace.app.rest
org.dspace.app.rest.security.jwt

Class	Description
AdminRestPermissionEvaluatorPlugin	Administrators are always allowed to perform any action on any DSpace object.
AnonymousAdditionalAuthorizationFilter	This is a Filter class that'll fetch special groups from the AuthenticationService and set these in the current DSpace Context.
AuthorizeServicePermissionEvaluatorPlugin	DSpaceObjectPermissionEvaluatorPlugin will check permissions based on the DSpace AuthorizeService.
BitstreamMetadataReadPermissionEvaluatorPlugin	Used by BitstreamRestRepository.findOne(Context, UUID) to get metadata of private bitstreams even though user can't access actual file
ClaimedTaskRestPermissionEvaluatorPlugin	An authenticated user is allowed to interact with a claimed task only if they own it claim.
CustomLogoutHandler	Custom logout handler to support stateless sessions
DSpace401AuthenticationEntryPoint	Spring security authentication entry point to return a 401 response for unauthorized requests This class is used in the WebSecurityConfiguration class.
DSpaceAuthentication	Custom Authentication for use with DSpace
DSpaceCsrfAuthenticationStrategy	Custom SessionAuthenticationStrategy to be used alongside DSpaceCsrfTokenRepository.
DSpaceCsrfTokenRepository	This is a custom Spring Security CsrfTokenRepository which supports *cross-domain* CSRF protection (allowing the client and backend to be on different domains).
DSpaceObjectAdminPermissionEvaluatorPlugin	RestPermissionEvaluatorPlugin class that evaluate admin permission against a generic DSpace Object.
DSpacePermissionEvaluator	DSpace permission evaluator.
DSpaceRestPermission	Enum that lists all available "permissions" an authenticated user can have on a specific REST endpoint.
EPersonRestAuthenticationProvider	This class is responsible for authenticating a user via REST.
EPersonRestPermissionEvaluatorPlugin	An authenticated user is allowed to view, update or delete their own data.
ExtractorOfAInprogressSubmissionInformations	Methods of this class are used on PreAuthorize annotations to convert input parameters.
GroupRestPermissionEvaluatorPlugin	An authenticated user is allowed to view information on all the groups they are a member of (READ permission).
MethodSecurityConfig	This EnableMethodSecurity configuration enables Spring Security annotation checks on all methods (e.g.
OidcLoginFilter	This class will filter OpenID Connect (OIDC) requests and try and authenticate them.
OrcidHistorySendToOrcidRestPermissionEvaluatorPlugin	Permission evaluator plugin that check if the current user can perform an ORCID synchronization.
OrcidLoginFilter	This class will filter ORCID requests and try and authenticate them.
OrcidQueueAndHistoryRestPermissionEvaluatorPlugin	Class that evaluate DELETE and READ permissions
OrcidQueueSearchRestPermissionEvaluatorPlugin	Permission evaluator plugin that check if the current user can search for ORCID queue records by owner.
PoolTaskRestPermissionEvaluatorPlugin	An authenticated user is allowed to interact with a pool task only if it is in their list.
ProcessRestPermissionEvaluatorPlugin	This class will handle calls made to Process endpoints.
QAEventRestPermissionEvaluatorPlugin	This class will handle Permissions for the QAEventRest object and its calls
QASourceRestPermissionEvaluatorPlugin	This class will handle Permissions for the QASourceRest object and QATopic
ReadAuthorizationPermissionEvaluatorPlugin	RestPermissionEvaluatorPlugin class that evaluate READ permissions for an Authorization
ResearcherProfileRestPermissionEvaluatorPlugin	An authenticated user is allowed to view, update or delete their own data.
ResourcePolicyAdminPermissionEvalutatorPlugin	RestPermissionEvaluatorPlugin class that evaluate ADMIN permissions over a Resource Policy
ResourcePolicyRestPermissionEvaluatorPlugin	RestPermissionEvaluatorPlugin class that evaluate READ, WRITE and DELETE permissions over a ResourcePolicy.
RestAuthenticationService	Interface for a service that can provide authentication for the REST API
RestObjectPermissionEvaluatorPlugin	Abstract RestPermissionEvaluatorPlugin class that contains utility methods to evaluate permissions for a Rest Object.
RestPermissionEvaluatorPlugin	Interface to define a permission evaluator plugin.
SamlLoginFilter	A filter that examines requests to see if the user has been authenticated via SAML.
ShibbolethLoginFilter	This class will filter Shibboleth requests to see if the user has been authenticated via Shibboleth.
StatelessAuthenticationFilter	Custom Spring authentication filter for Stateless authentication, intercepts requests to check for valid authentication.
StatelessLoginFilter	This class will filter /api/authn/login requests to try and authenticate them.
SubmissionCCLicenseRestEvaluatorPlugin
SubmissionCCLicenseUrlRestPermissionEvaluatorPlugin	This class will handle calls made to SubmissionCCLicenseUrlRest endpoints.
SubscriptionRestPermissionEvaluatorPlugin	RestPermissionEvaluatorPlugin class that evaluate READ, WRITE and DELETE permissions over a Subscription
SuggestionRestPermissionEvaluatorPlugin	An authenticated user is allowed to view a suggestion related to a Target object that he owns (as defined by "dspace.object.owner" metadata field) See RestPermissionEvaluatorPlugin for the inherited contract.
SuggestionTargetRestPermissionEvaluatorPlugin	An authenticated user is allowed to view a suggestion summary (SuggestionTarget) related to a Target object that they own (as defined by "dspace.object.owner" metadata field) See RestPermissionEvaluatorPlugin for the inherited contract.
TemplateItemRestPermissionEvaluatorPlugin	RestObjectPermissionEvaluatorPlugin class that evaluate WRITE and DELETE permission over a TemplateItem
UsageReportRestPermissionEvaluatorPlugin	This class will handle Permissions for the UsageReportRest object and its calls
VersionHistoryRestPermissionEvaluatorPlugin	This class acts as a PermissionEvaluator to decide whether a given request to a Versioning endpoint is allowed to pass through or not
VersioningSecurityBean	Methods of this class are used on PreAuthorize annotations to check security on versioning endpoint
VersionRestPatchPermissionEvaluatorPlugin	This class evaluate ADMIN permissions to patch operation over a Version.
VersionRestPermissionEvaluatorPlugin	This class acts as a PermissionEvaluator to decide whether a given request to a Versioning endpoint is allowed to pass through or not.
WebSecurityConfiguration	Spring Security configuration for DSpace Server Webapp
WebSecurityExpressionEvaluator	This class will contain the logic to allow us to evaluate an expression given through a String.
WorkflowRestPermissionEvaluatorPlugin	An authenticated user is allowed to interact with workflow item only if they belong to a task that they own or could claim.
WorkspaceItemRestPermissionEvaluatorPlugin	RestPermissionEvaluatorPlugin class that evaluate READ, WRITE and DELETE permissions over a WorkspaceItem.