Example 1 with ServletSecurity

use of javax.servlet.annotation.ServletSecurity in project Payara by payara.

the class ServletSecurityHandler method processAnnotation.

private HandlerProcessingResult processAnnotation(AnnotationInfo ainfo,
        WebComponentDescriptor webCompDesc) throws AnnotationProcessorException {
    Class webCompClass = (Class) ainfo.getAnnotatedElement();
    // @ServletSecurity is only honoured on a class that extends HttpServlet
    if (!HttpServlet.class.isAssignableFrom(webCompClass)) {
        log(Level.SEVERE, ainfo, localStrings.getLocalString(
                "web.deployment.annotation.handlers.needtoextend",
                "The Class {0} having annotation {1} need to be a derived class of {2}.",
                new Object[] { webCompClass.getName(), SecurityConstraint.class.getName(),
                        HttpServlet.class.getName() }));
        return getDefaultFailedResult();
    }
    Set<String> urlPatterns = getUrlPatternsWithoutSecurityConstraint(webCompDesc);
    if (urlPatterns.size() > 0) {
        WebBundleDescriptor webBundleDesc = webCompDesc.getWebBundleDescriptor();
        ServletSecurity servletSecurityAn = (ServletSecurity) ainfo.getAnnotation();
        HttpMethodConstraint[] httpMethodConstraints = servletSecurityAn.httpMethodConstraints();
        for (HttpMethodConstraint httpMethodConstraint : httpMethodConstraints) {
            String httpMethod = httpMethodConstraint.value();
            if (httpMethod == null || httpMethod.length() == 0) {
                return getDefaultFailedResult();
            }
            createSecurityConstraint(webBundleDesc, urlPatterns, httpMethodConstraint.rolesAllowed(), httpMethodConstraint.emptyRoleSemantic(), httpMethodConstraint.transportGuarantee(), httpMethod);
        }
        HttpConstraint httpConstraint = servletSecurityAn.value();
        boolean isDefault = isDefaultHttpConstraint(httpConstraint);
        if (isDefault && (httpMethodConstraints.length > 0)) {
            if (logger.isLoggable(Level.FINER)) {
                StringBuilder methodString = new StringBuilder();
                for (HttpMethodConstraint httpMethodConstraint : httpMethodConstraints) {
                    methodString.append(" ");
                    methodString.append(httpMethodConstraint.value());
                }
                for (String pattern : urlPatterns) {
                    logger.finer("Pattern: " + pattern + " assumes default unprotected configuration for all methods except:" + methodString);
                }
            }
        }
        if (!isDefault || (httpMethodConstraints.length == 0)) {
            // top-level constraint for every method not named in an HttpMethodConstraint
            SecurityConstraint securityConstraint = createSecurityConstraint(webBundleDesc, urlPatterns,
                    httpConstraint.rolesAllowed(), httpConstraint.value(),
                    httpConstraint.transportGuarantee(), null);
            // we know there is one WebResourceCollection there
            WebResourceCollection webResColl = securityConstraint.getWebResourceCollections().iterator().next();
            for (HttpMethodConstraint httpMethodConstraint : httpMethodConstraints) {
                // exclude constrained httpMethod from the top level constraint
                webResColl.addHttpMethodOmission(httpMethodConstraint.value());
            }
        }
    }
    return getDefaultProcessedResult();
}
Also used : HttpConstraint(javax.servlet.annotation.HttpConstraint) HttpMethodConstraint(javax.servlet.annotation.HttpMethodConstraint) WebResourceCollection(com.sun.enterprise.deployment.web.WebResourceCollection) HttpServlet(javax.servlet.http.HttpServlet) ServletSecurity(javax.servlet.annotation.ServletSecurity) SecurityConstraint(com.sun.enterprise.deployment.web.SecurityConstraint) WebBundleDescriptor(com.sun.enterprise.deployment.WebBundleDescriptor)

Example 2 with ServletSecurity

use of javax.servlet.annotation.ServletSecurity in project Payara by payara.

the class DynamicWebServletRegistrationImpl method postProcessAnnotations.

void postProcessAnnotations() {
    Class<? extends Servlet> clazz = wrapper.getServletClass();
    if (clazz == null) {
        return;
    }
    // Process RunAs
    if (wcd.getRunAsIdentity() == null) {
        String roleName = runAsRoleName;
        if (roleName == null && clazz.isAnnotationPresent(RunAs.class)) {
            RunAs runAs = clazz.getAnnotation(RunAs.class);
            roleName = runAs.value();
        }
        if (roleName != null) {
            super.setRunAsRole(roleName);
            wbd.addRole(new Role(roleName));
            RunAsIdentityDescriptor runAsDesc = new RunAsIdentityDescriptor();
            runAsDesc.setRoleName(roleName);
            wcd.setRunAsIdentity(runAsDesc);
        }
    }
    // Process ServletSecurity
    ServletSecurityElement ssElement = servletSecurityElement;
    if (servletSecurityElement == null && clazz.isAnnotationPresent(ServletSecurity.class)) {
        ServletSecurity servletSecurity = clazz.getAnnotation(ServletSecurity.class);
        ssElement = new ServletSecurityElement(servletSecurity);
    }
    if (ssElement != null) {
        webModule.processServletSecurityElement(ssElement, wbd, wcd);
    }
}
Also used : Role(org.glassfish.security.common.Role) RunAsIdentityDescriptor(com.sun.enterprise.deployment.RunAsIdentityDescriptor) ServletSecurity(javax.servlet.annotation.ServletSecurity) RunAs(javax.annotation.security.RunAs) ServletSecurityElement(javax.servlet.ServletSecurityElement)

Example 3 with ServletSecurity

use of javax.servlet.annotation.ServletSecurity in project tomcat by apache.

the class StandardWrapper method processServletSecurityAnnotation.

private void processServletSecurityAnnotation(Class<?> clazz) {
    // Calling this twice isn't harmful so no syncs
    servletSecurityAnnotationScanRequired = false;
    Context ctxt = (Context) getParent();
    if (ctxt.getIgnoreAnnotations()) {
        return;
    }
    ServletSecurity secAnnotation = clazz.getAnnotation(ServletSecurity.class);
    if (secAnnotation != null) {
        ctxt.addServletSecurity(new ApplicationServletRegistration(this, ctxt), new ServletSecurityElement(secAnnotation));
    }
}
Also used : Context(org.apache.catalina.Context) ServletContext(javax.servlet.ServletContext) ServletSecurity(javax.servlet.annotation.ServletSecurity) ServletSecurityElement(javax.servlet.ServletSecurityElement)

Example 4 with ServletSecurity

use of javax.servlet.annotation.ServletSecurity in project jetty.project by eclipse.

the class ServletSecurityAnnotationHandler method doHandle.

/**
 * @see org.eclipse.jetty.annotations.AnnotationIntrospector.IntrospectableAnnotationHandler#handle(java.lang.Class)
 */
public void doHandle(Class clazz) {
    if (!(_context.getSecurityHandler() instanceof ConstraintAware)) {
        LOG.warn("SecurityHandler not ConstraintAware, skipping security annotation processing");
        return;
    }
    ServletSecurity servletSecurity = (ServletSecurity) clazz.getAnnotation(ServletSecurity.class);
    if (servletSecurity == null)
        return;
    //If there are already constraints defined (ie from web.xml) that match any 
    //of the url patterns defined for this servlet, then skip the security annotation.
    List<ServletMapping> servletMappings = getServletMappings(clazz.getCanonicalName());
    List<ConstraintMapping> constraintMappings = ((ConstraintAware) _context.getSecurityHandler()).getConstraintMappings();
    if (constraintsExist(servletMappings, constraintMappings)) {
        LOG.warn("Constraints already defined for " + clazz.getName() + ", skipping ServletSecurity annotation");
        return;
    }
    //Make a fresh list
    constraintMappings = new ArrayList<ConstraintMapping>();
    ServletSecurityElement securityElement = new ServletSecurityElement(servletSecurity);
    for (ServletMapping sm : servletMappings) {
        for (String url : sm.getPathSpecs()) {
            _context.getMetaData().setOrigin("constraint.url." + url, servletSecurity, clazz);
            constraintMappings.addAll(ConstraintSecurityHandler.createConstraintsWithMappingsForPath(clazz.getName(), url, securityElement));
        }
    }
    //set up the security constraints produced by the annotation
    ConstraintAware securityHandler = (ConstraintAware) _context.getSecurityHandler();
    for (ConstraintMapping m : constraintMappings) securityHandler.addConstraintMapping(m);
    //Servlet Spec 3.1 requires paths with uncovered http methods to be reported
    securityHandler.checkPathsWithUncoveredHttpMethods();
}
Also used : ServletMapping(org.eclipse.jetty.servlet.ServletMapping) ConstraintMapping(org.eclipse.jetty.security.ConstraintMapping) ServletSecurity(javax.servlet.annotation.ServletSecurity) ConstraintAware(org.eclipse.jetty.security.ConstraintAware) ServletSecurityElement(javax.servlet.ServletSecurityElement)

Example 5 with ServletSecurity

use of javax.servlet.annotation.ServletSecurity in project tomcat70 by apache.

the class TestRealmBase method testHttpConstraint.

/**
 * This test case covers the special case in section 13.4.1 of the Servlet
 * 3.1 specification for {@link javax.servlet.annotation.HttpConstraint}.
 */
@Test
public void testHttpConstraint() throws IOException {
    // Get the annotation from the test case
    Class<TesterServletSecurity01> clazz = TesterServletSecurity01.class;
    ServletSecurity servletSecurity = clazz.getAnnotation(ServletSecurity.class);
    // Convert the annotation into constraints
    ServletSecurityElement servletSecurityElement = new ServletSecurityElement(servletSecurity);
    SecurityConstraint[] constraints = SecurityConstraint.createConstraints(servletSecurityElement, "/*");
    // Create a separate constraint that covers DELETE
    SecurityConstraint deleteConstraint = new SecurityConstraint();
    deleteConstraint.addAuthRole(ROLE1);
    SecurityCollection deleteCollection = new SecurityCollection();
    deleteCollection.addMethod("DELETE");
    deleteCollection.addPattern("/*");
    deleteConstraint.addCollection(deleteCollection);
    TesterMapRealm mapRealm = new TesterMapRealm();
    // Set up the mock request and response
    TesterRequest request = new TesterRequest();
    Response response = new TesterResponse();
    Context context = request.getContext();
    context.addSecurityRole(ROLE1);
    context.addSecurityRole(ROLE2);
    request.setContext(context);
    // Create the principals
    List<String> userRoles1 = new ArrayList<String>();
    userRoles1.add(ROLE1);
    GenericPrincipal gp1 = new GenericPrincipal(USER1, PWD, userRoles1);
    List<String> userRoles2 = new ArrayList<String>();
    userRoles2.add(ROLE2);
    GenericPrincipal gp2 = new GenericPrincipal(USER2, PWD, userRoles2);
    List<String> userRoles99 = new ArrayList<String>();
    GenericPrincipal gp99 = new GenericPrincipal(USER99, PWD, userRoles99);
    // Add the constraints to the context
    for (SecurityConstraint constraint : constraints) {
        context.addConstraint(constraint);
    }
    context.addConstraint(deleteConstraint);
    // All users should be able to perform a GET
    request.setMethod("GET");
    SecurityConstraint[] constraintsGet = mapRealm.findSecurityConstraints(request, context);
    request.setUserPrincipal(null);
    Assert.assertTrue(mapRealm.hasResourcePermission(request, response, constraintsGet, null));
    request.setUserPrincipal(gp1);
    Assert.assertTrue(mapRealm.hasResourcePermission(request, response, constraintsGet, null));
    request.setUserPrincipal(gp2);
    Assert.assertTrue(mapRealm.hasResourcePermission(request, response, constraintsGet, null));
    request.setUserPrincipal(gp99);
    Assert.assertTrue(mapRealm.hasResourcePermission(request, response, constraintsGet, null));
    // Only user1 should be able to perform a POST as only that user has
    // role1.
    request.setMethod("POST");
    SecurityConstraint[] constraintsPost = mapRealm.findSecurityConstraints(request, context);
    request.setUserPrincipal(null);
    Assert.assertFalse(mapRealm.hasResourcePermission(request, response, constraintsPost, null));
    request.setUserPrincipal(gp1);
    Assert.assertTrue(mapRealm.hasResourcePermission(request, response, constraintsPost, null));
    request.setUserPrincipal(gp2);
    Assert.assertFalse(mapRealm.hasResourcePermission(request, response, constraintsPost, null));
    request.setUserPrincipal(gp99);
    Assert.assertFalse(mapRealm.hasResourcePermission(request, response, constraintsPost, null));
    // Only users with application roles (role1 or role2 so user1 or user2)
    // should be able to perform a PUT.
    request.setMethod("PUT");
    SecurityConstraint[] constraintsPut = mapRealm.findSecurityConstraints(request, context);
    request.setUserPrincipal(null);
    Assert.assertFalse(mapRealm.hasResourcePermission(request, response, constraintsPut, null));
    request.setUserPrincipal(gp1);
    Assert.assertTrue(mapRealm.hasResourcePermission(request, response, constraintsPut, null));
    request.setUserPrincipal(gp2);
    Assert.assertTrue(mapRealm.hasResourcePermission(request, response, constraintsPut, null));
    request.setUserPrincipal(gp99);
    Assert.assertFalse(mapRealm.hasResourcePermission(request, response, constraintsPut, null));
    // Only user1 should be able to perform a DELETE as only that user has
    // role1.
    request.setMethod("DELETE");
    SecurityConstraint[] constraintsDelete = mapRealm.findSecurityConstraints(request, context);
    request.setUserPrincipal(null);
    Assert.assertFalse(mapRealm.hasResourcePermission(request, response, constraintsDelete, null));
    request.setUserPrincipal(gp1);
    Assert.assertTrue(mapRealm.hasResourcePermission(request, response, constraintsDelete, null));
    request.setUserPrincipal(gp2);
    Assert.assertFalse(mapRealm.hasResourcePermission(request, response, constraintsDelete, null));
    request.setUserPrincipal(gp99);
    Assert.assertFalse(mapRealm.hasResourcePermission(request, response, constraintsDelete, null));
}
Also used : Context(org.apache.catalina.Context) TesterContext(org.apache.tomcat.unittest.TesterContext) ServletSecurity(javax.servlet.annotation.ServletSecurity) ArrayList(java.util.ArrayList) TesterResponse(org.apache.tomcat.unittest.TesterResponse) ServletSecurityElement(javax.servlet.ServletSecurityElement) SecurityConstraint(org.apache.catalina.deploy.SecurityConstraint) TesterResponse(org.apache.tomcat.unittest.TesterResponse) Response(org.apache.catalina.connector.Response) TesterMapRealm(org.apache.catalina.startup.TesterMapRealm) TesterRequest(org.apache.tomcat.unittest.TesterRequest) SecurityCollection(org.apache.catalina.deploy.SecurityCollection) Test(org.junit.Test)
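Worked example, added here and not code from Payara, Tomcat or Jetty: a Python model of the rules the containers above implement. create_constraints follows the shape of Example 1 (and of the Tomcat createConstraints call used in Example 5): one constraint per @HttpMethodConstraint, then a catch-all with those methods omitted, which is skipped when the @HttpConstraint is all-default, the Servlet 3.1 section 13.4.1 special case. uncovered_methods reports what the checkPathsWithUncoveredHttpMethods call in Example 4 is there to flag, and is_authorized applies the section 13.8.1 combination rules (DENY wins, then an unrestricted constraint, then the union of named roles, with "*" meaning any application role and "**" any authenticated user). The LEAKY and STRICT annotations, the role names and the deny_uncovered flag (standing in for web.xml's <deny-uncovered-http-methods/>) are constructed for this example; the Tomcat tester servlet's real annotation is not on this page, so LEAKY is only built to reproduce the outcomes Example 5 asserts. Transport guarantees are carried but not enforced.

```python
"""Model (not container code) of how @ServletSecurity becomes security
constraints and how a request is authorised against them."""
from dataclasses import dataclass
from typing import Optional, Tuple

PERMIT, DENY = "PERMIT", "DENY"
HTTP_METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "PATCH")


@dataclass(frozen=True)
class HttpConstraint:                     # mirrors javax.servlet.annotation.HttpConstraint
    roles_allowed: Tuple[str, ...] = ()
    empty_role_semantic: str = PERMIT
    transport_guarantee: str = "NONE"

    def is_default(self) -> bool:
        return (not self.roles_allowed and self.empty_role_semantic == PERMIT
                and self.transport_guarantee == "NONE")


@dataclass(frozen=True)
class HttpMethodConstraint(HttpConstraint):   # mirrors HttpMethodConstraint
    method: str = ""


@dataclass(frozen=True)
class ServletSecurity:                    # mirrors the @ServletSecurity annotation
    value: HttpConstraint = HttpConstraint()
    http_method_constraints: Tuple[HttpMethodConstraint, ...] = ()


@dataclass(frozen=True)
class SecurityConstraint:
    """One <security-constraint> holding a single web-resource-collection."""
    pattern: str
    roles: Tuple[str, ...]
    auth_constraint: bool                 # True when roles are named or semantic is DENY
    methods: Tuple[str, ...] = ()         # <http-method>; empty means every method
    omissions: Tuple[str, ...] = ()       # <http-method-omission>

    def covers(self, method: str) -> bool:
        return method in self.methods if self.methods else method not in self.omissions


def _constraint(c: HttpConstraint, pattern, methods=(), omissions=()) -> SecurityConstraint:
    return SecurityConstraint(pattern, c.roles_allowed,
                              bool(c.roles_allowed) or c.empty_role_semantic == DENY,
                              methods, omissions)


def create_constraints(ann: ServletSecurity, pattern: str):
    out = []
    for mc in ann.http_method_constraints:
        if not mc.method:                 # Payara fails the deployment at this point
            raise ValueError("HttpMethodConstraint must name an HTTP method")
        out.append(_constraint(mc, pattern, methods=(mc.method,)))
    # Servlet 3.1 s.13.4.1: an all-default @HttpConstraint next to method
    # constraints means "no constraint at all" for the remaining methods.
    if not ann.value.is_default() or not ann.http_method_constraints:
        out.append(_constraint(ann.value, pattern,
                               omissions=tuple(mc.method for mc in ann.http_method_constraints)))
    return out


def uncovered_methods(constraints, pattern, methods=HTTP_METHODS):
    """Methods that no constraint at `pattern` covers (Jetty warns about these)."""
    at_pattern = [c for c in constraints if c.pattern == pattern]
    if not at_pattern:
        return ()
    return tuple(m for m in methods if not any(c.covers(m) for c in at_pattern))


def is_authorized(constraints, pattern, method, principal_roles: Optional[Tuple[str, ...]],
                  declared_roles, deny_uncovered=False) -> bool:
    """principal_roles is None for an unauthenticated request."""
    matched = [c for c in constraints if c.pattern == pattern and c.covers(method)]
    if not matched:
        # Nothing restricts this verb; <deny-uncovered-http-methods/> refuses it instead.
        return not (deny_uncovered and any(c.pattern == pattern for c in constraints))
    if any(c.auth_constraint and not c.roles for c in matched):
        return False                      # DENY overrides everything else (s.13.8.1)
    if any(not c.auth_constraint for c in matched):
        return True                       # an unrestricted constraint permits everyone
    if principal_roles is None:
        return False
    held = set(principal_roles)
    for c in matched:                     # union of the roles named or implied
        if "**" in c.roles:
            return True                   # any authenticated user
        if "*" in c.roles and held & set(declared_roles):
            return True                   # any role the application declares
        if held & set(c.roles):
            return True
    return False


# Constructed sample: POST needs role1, PUT any application role, default
# @HttpConstraint untouched, which leaves GET and every other verb open.
LEAKY = ServletSecurity(http_method_constraints=(
    HttpMethodConstraint(roles_allowed=("role1",), method="POST"),
    HttpMethodConstraint(roles_allowed=("*",), method="PUT")))
# Hardened: a non-default catch-all with EmptyRoleSemantic.DENY closes the gap.
STRICT = ServletSecurity(value=HttpConstraint(empty_role_semantic=DENY),
                         http_method_constraints=LEAKY.http_method_constraints)
DECLARED = ("role1", "role2")             # constructed <security-role> names
```

The practical point: with only per-method constraints and an untouched @HttpConstraint, every verb you did not name (GET, HEAD, PATCH, and whatever else the servlet dispatches) is uncovered and reachable without authentication, which is exactly the FINER log in Example 1 and the warning in Example 4. Either give value= a non-default constraint, as STRICT does, or enable deny-uncovered-http-methods in web.xml, which Servlet 3.1 added for this case.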

Aggregations

ServletSecurity (javax.servlet.annotation.ServletSecurity)7 ServletSecurityElement (javax.servlet.ServletSecurityElement)6 RunAs (javax.annotation.security.RunAs)2 Context (org.apache.catalina.Context)2 Wrapper (org.apache.catalina.Wrapper)2 RunAsIdentityDescriptor (com.sun.enterprise.deployment.RunAsIdentityDescriptor)1 WebBundleDescriptor (com.sun.enterprise.deployment.WebBundleDescriptor)1 SecurityConstraint (com.sun.enterprise.deployment.web.SecurityConstraint)1 WebResourceCollection (com.sun.enterprise.deployment.web.WebResourceCollection)1 ArrayList (java.util.ArrayList)1 ServletContext (javax.servlet.ServletContext)1 ServletRegistration (javax.servlet.ServletRegistration)1 HttpConstraint (javax.servlet.annotation.HttpConstraint)1 HttpMethodConstraint (javax.servlet.annotation.HttpMethodConstraint)1 HttpServlet (javax.servlet.http.HttpServlet)1 Container (org.apache.catalina.Container)1 Response (org.apache.catalina.connector.Response)1 ApplicationServletRegistration (org.apache.catalina.core.ApplicationServletRegistration)1 SecurityCollection (org.apache.catalina.deploy.SecurityCollection)1 SecurityConstraint (org.apache.catalina.deploy.SecurityConstraint)1