Example 6 with Constraint
use of org.eclipse.jetty.util.security.Constraint in project jetty.project by eclipse.
the class ConstraintSecurityHandler method processConstraintMappingWithMethodOmissions.
/* ------------------------------------------------------------ */
/** Constraints that name method omissions are dealt with differently.
* We create an entry in the mappings with key "<method>.omission". This entry
* is only ever combined with other omissions for the same method to produce a
* consolidated RoleInfo. Then, when we wish to find the relevant constraints for
* a given Request (in prepareConstraintInfo()), we consult 3 types of entries in
* the mappings: an entry that names the method of the Request specifically, an
* entry that names constraints that apply to all methods, entries of the form
* <method>.omission, where the method of the Request is not named in the omission.
* @param mapping the constraint mapping
* @param mappings the mappings of roles
*/
protected void processConstraintMappingWithMethodOmissions(ConstraintMapping mapping, Map<String, RoleInfo> mappings) {
String[] omissions = mapping.getMethodOmissions();
StringBuilder sb = new StringBuilder();
for (int i = 0; i < omissions.length; i++) {
if (i > 0)
sb.append(".");
sb.append(omissions[i]);
}
sb.append(OMISSION_SUFFIX);
RoleInfo ri = new RoleInfo();
mappings.put(sb.toString(), ri);
configureRoleInfo(ri, mapping);
}
Also used :
Constraint(org.eclipse.jetty.util.security.Constraint)
Example 7 with Constraint
use of org.eclipse.jetty.util.security.Constraint in project jetty.project by eclipse.
the class ConstraintSecurityHandler method configureRoleInfo.
/* ------------------------------------------------------------ */
/**
* Initialize or update the RoleInfo from the constraint
* @param ri the role info
* @param mapping the constraint mapping
*/
protected void configureRoleInfo(RoleInfo ri, ConstraintMapping mapping) {
Constraint constraint = mapping.getConstraint();
boolean forbidden = constraint.isForbidden();
ri.setForbidden(forbidden);
//set up the data constraint (NOTE: must be done after setForbidden, as it nulls out the data constraint
//which we need in order to do combining of omissions in prepareConstraintInfo
UserDataConstraint userDataConstraint = UserDataConstraint.get(mapping.getConstraint().getDataConstraint());
ri.setUserDataConstraint(userDataConstraint);
//if forbidden, no point setting up roles
if (!ri.isForbidden()) {
//add in the roles
boolean checked = mapping.getConstraint().getAuthenticate();
ri.setChecked(checked);
if (ri.isChecked()) {
if (mapping.getConstraint().isAnyRole()) {
// * means matches any defined role
for (String role : _roles) ri.addRole(role);
ri.setAnyRole(true);
} else if (mapping.getConstraint().isAnyAuth()) {
//being authenticated is sufficient, not necessary to check roles
ri.setAnyAuth(true);
} else {
//user must be in one of the named roles
String[] newRoles = mapping.getConstraint().getRoles();
for (String role : newRoles) {
//check role has been defined
if (!_roles.contains(role))
throw new IllegalArgumentException("Attempt to use undeclared role: " + role + ", known roles: " + _roles);
ri.addRole(role);
}
}
}
}
}
Also used :
Constraint(org.eclipse.jetty.util.security.Constraint)
Example 8 with Constraint
use of org.eclipse.jetty.util.security.Constraint in project jetty.project by eclipse.
the class ConstraintSecurityHandler method createConstraintsWithMappingsForPath.
/* ------------------------------------------------------------ */
/**
* Generate Constraints and ContraintMappings for the given url pattern and ServletSecurityElement
*
* @param name the name
* @param pathSpec the path spec
* @param securityElement the servlet security element
* @return the list of constraint mappings
*/
public static List<ConstraintMapping> createConstraintsWithMappingsForPath(String name, String pathSpec, ServletSecurityElement securityElement) {
List<ConstraintMapping> mappings = new ArrayList<ConstraintMapping>();
//Create a constraint that will describe the default case (ie if not overridden by specific HttpMethodConstraints)
Constraint httpConstraint = null;
ConstraintMapping httpConstraintMapping = null;
if (securityElement.getEmptyRoleSemantic() != EmptyRoleSemantic.PERMIT || securityElement.getRolesAllowed().length != 0 || securityElement.getTransportGuarantee() != TransportGuarantee.NONE) {
httpConstraint = ConstraintSecurityHandler.createConstraint(name, securityElement);
//Create a mapping for the pathSpec for the default case
httpConstraintMapping = new ConstraintMapping();
httpConstraintMapping.setPathSpec(pathSpec);
httpConstraintMapping.setConstraint(httpConstraint);
mappings.add(httpConstraintMapping);
}
//See Spec 13.4.1.2 p127
List<String> methodOmissions = new ArrayList<String>();
//make constraint mappings for this url for each of the HttpMethodConstraintElements
Collection<HttpMethodConstraintElement> methodConstraintElements = securityElement.getHttpMethodConstraints();
if (methodConstraintElements != null) {
for (HttpMethodConstraintElement methodConstraintElement : methodConstraintElements) {
//Make a Constraint that captures the <auth-constraint> and <user-data-constraint> elements supplied for the HttpMethodConstraintElement
Constraint methodConstraint = ConstraintSecurityHandler.createConstraint(name, methodConstraintElement);
ConstraintMapping mapping = new ConstraintMapping();
mapping.setConstraint(methodConstraint);
mapping.setPathSpec(pathSpec);
if (methodConstraintElement.getMethodName() != null) {
mapping.setMethod(methodConstraintElement.getMethodName());
//See spec 13.4.1.2 p127 - add an omission for every method name to the default constraint
methodOmissions.add(methodConstraintElement.getMethodName());
}
mappings.add(mapping);
}
}
//UNLESS the default constraint contains all default values. In that case, we won't add it. See Servlet Spec 3.1 pg 129
if (methodOmissions.size() > 0 && httpConstraintMapping != null)
httpConstraintMapping.setMethodOmissions(methodOmissions.toArray(new String[methodOmissions.size()]));
return mappings;
}
Also used :
Constraint(org.eclipse.jetty.util.security.Constraint)
ArrayList(java.util.ArrayList)
CopyOnWriteArrayList(java.util.concurrent.CopyOnWriteArrayList)
HttpMethodConstraintElement(javax.servlet.HttpMethodConstraintElement)
Example 9 with Constraint
use of org.eclipse.jetty.util.security.Constraint in project jetty.project by eclipse.
the class SpecExampleConstraintTest method setupSecurity.
@Before
public void setupSecurity() {
_security = new ConstraintSecurityHandler();
_session.setHandler(_security);
RequestHandler _handler = new RequestHandler();
_security.setHandler(_handler);
/*
<security-constraint>
<web-resource-collection>
<web-resource-name>precluded methods</web-resource-name>
<url-pattern>/*</url-pattern>
<url-pattern>/acme/wholesale/*</url-pattern>
<url-pattern>/acme/retail/*</url-pattern>
<http-method-exception>GET</http-method-exception>
<http-method-exception>POST</http-method-exception>
</web-resource-collection>
<auth-constraint/>
</security-constraint>
*/
Constraint constraint0 = new Constraint();
constraint0.setAuthenticate(true);
constraint0.setName("precluded methods");
ConstraintMapping mapping0 = new ConstraintMapping();
mapping0.setPathSpec("/*");
mapping0.setConstraint(constraint0);
mapping0.setMethodOmissions(new String[] { "GET", "POST" });
ConstraintMapping mapping1 = new ConstraintMapping();
mapping1.setPathSpec("/acme/wholesale/*");
mapping1.setConstraint(constraint0);
mapping1.setMethodOmissions(new String[] { "GET", "POST" });
ConstraintMapping mapping2 = new ConstraintMapping();
mapping2.setPathSpec("/acme/retail/*");
mapping2.setConstraint(constraint0);
mapping2.setMethodOmissions(new String[] { "GET", "POST" });
/*
<security-constraint>
<web-resource-collection>
<web-resource-name>wholesale</web-resource-name>
<url-pattern>/acme/wholesale/*</url-pattern>
<http-method>GET</http-method>
<http-method>PUT</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>SALESCLERK</role-name>
</auth-constraint>
</security-constraint>
*/
Constraint constraint1 = new Constraint();
constraint1.setAuthenticate(true);
constraint1.setName("wholesale");
constraint1.setRoles(new String[] { "SALESCLERK" });
ConstraintMapping mapping3 = new ConstraintMapping();
mapping3.setPathSpec("/acme/wholesale/*");
mapping3.setConstraint(constraint1);
mapping3.setMethod("GET");
ConstraintMapping mapping4 = new ConstraintMapping();
mapping4.setPathSpec("/acme/wholesale/*");
mapping4.setConstraint(constraint1);
mapping4.setMethod("PUT");
/*
<security-constraint>
<web-resource-collection>
<web-resource-name>wholesale 2</web-resource-name>
<url-pattern>/acme/wholesale/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>CONTRACTOR</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
*/
Constraint constraint2 = new Constraint();
constraint2.setAuthenticate(true);
constraint2.setName("wholesale 2");
constraint2.setRoles(new String[] { "CONTRACTOR" });
constraint2.setDataConstraint(Constraint.DC_CONFIDENTIAL);
ConstraintMapping mapping5 = new ConstraintMapping();
mapping5.setPathSpec("/acme/wholesale/*");
mapping5.setMethod("GET");
mapping5.setConstraint(constraint2);
ConstraintMapping mapping6 = new ConstraintMapping();
mapping6.setPathSpec("/acme/wholesale/*");
mapping6.setMethod("POST");
mapping6.setConstraint(constraint2);
/*
<security-constraint>
<web-resource-collection>
<web-resource-name>retail</web-resource-name>
<url-pattern>/acme/retail/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>CONTRACTOR</role-name>
<role-name>HOMEOWNER</role-name>
</auth-constraint>
</security-constraint>
*/
Constraint constraint4 = new Constraint();
constraint4.setName("retail");
constraint4.setAuthenticate(true);
constraint4.setRoles(new String[] { "CONTRACTOR", "HOMEOWNER" });
ConstraintMapping mapping7 = new ConstraintMapping();
mapping7.setPathSpec("/acme/retail/*");
mapping7.setMethod("GET");
mapping7.setConstraint(constraint4);
ConstraintMapping mapping8 = new ConstraintMapping();
mapping8.setPathSpec("/acme/retail/*");
mapping8.setMethod("POST");
mapping8.setConstraint(constraint4);
Set<String> knownRoles = new HashSet<String>();
knownRoles.add("CONTRACTOR");
knownRoles.add("HOMEOWNER");
knownRoles.add("SALESCLERK");
_security.setConstraintMappings(Arrays.asList(new ConstraintMapping[] { mapping0, mapping1, mapping2, mapping3, mapping4, mapping5, mapping6, mapping7, mapping8 }), knownRoles);
}
Also used :
Constraint(org.eclipse.jetty.util.security.Constraint)
HashSet(java.util.HashSet)
Before(org.junit.Before)
Example 10 with Constraint
use of org.eclipse.jetty.util.security.Constraint in project jetty.project by eclipse.
the class ConstraintTest method testUncoveredHttpMethodDetection.
@Test
public void testUncoveredHttpMethodDetection() throws Exception {
//Test no methods named
Constraint constraint1 = new Constraint();
constraint1.setAuthenticate(true);
constraint1.setName("** constraint");
//No methods named, no uncovered methods
constraint1.setRoles(new String[] { Constraint.ANY_AUTH, "user" });
ConstraintMapping mapping1 = new ConstraintMapping();
mapping1.setPathSpec("/starstar/*");
mapping1.setConstraint(constraint1);
_security.setConstraintMappings(Collections.singletonList(mapping1));
_security.setAuthenticator(new BasicAuthenticator());
_server.start();
Set<String> uncoveredPaths = _security.getPathsWithUncoveredHttpMethods();
//no uncovered methods
Assert.assertTrue(uncoveredPaths.isEmpty());
//Test only an explicitly named method, no omissions to cover other methods
Constraint constraint2 = new Constraint();
constraint2.setAuthenticate(true);
constraint2.setName("user constraint");
constraint2.setRoles(new String[] { "user" });
ConstraintMapping mapping2 = new ConstraintMapping();
mapping2.setPathSpec("/user/*");
mapping2.setMethod("GET");
mapping2.setConstraint(constraint2);
_security.addConstraintMapping(mapping2);
uncoveredPaths = _security.getPathsWithUncoveredHttpMethods();
Assert.assertNotNull(uncoveredPaths);
Assert.assertEquals(1, uncoveredPaths.size());
Assert.assertTrue(uncoveredPaths.contains("/user/*"));
//Test an explicitly named method with a http-method-omission to cover all other methods
Constraint constraint2a = new Constraint();
constraint2a.setAuthenticate(true);
constraint2a.setName("forbid constraint");
ConstraintMapping mapping2a = new ConstraintMapping();
mapping2a.setPathSpec("/user/*");
mapping2a.setMethodOmissions(new String[] { "GET" });
mapping2a.setConstraint(constraint2a);
_security.addConstraintMapping(mapping2a);
uncoveredPaths = _security.getPathsWithUncoveredHttpMethods();
Assert.assertNotNull(uncoveredPaths);
Assert.assertEquals(0, uncoveredPaths.size());
//Test a http-method-omission only
Constraint constraint3 = new Constraint();
constraint3.setAuthenticate(true);
constraint3.setName("omit constraint");
ConstraintMapping mapping3 = new ConstraintMapping();
mapping3.setPathSpec("/omit/*");
mapping3.setMethodOmissions(new String[] { "GET", "POST" });
mapping3.setConstraint(constraint3);
_security.addConstraintMapping(mapping3);
uncoveredPaths = _security.getPathsWithUncoveredHttpMethods();
Assert.assertNotNull(uncoveredPaths);
Assert.assertTrue(uncoveredPaths.contains("/omit/*"));
_security.setDenyUncoveredHttpMethods(true);
uncoveredPaths = _security.getPathsWithUncoveredHttpMethods();
Assert.assertNotNull(uncoveredPaths);
Assert.assertEquals(0, uncoveredPaths.size());
}
Also used :
BasicAuthenticator(org.eclipse.jetty.security.authentication.BasicAuthenticator)
Constraint(org.eclipse.jetty.util.security.Constraint)
Test(org.junit.Test)
Aggregations
Constraint (org.eclipse.jetty.util.security.Constraint)78
ConstraintMapping (org.eclipse.jetty.security.ConstraintMapping)46
ConstraintSecurityHandler (org.eclipse.jetty.security.ConstraintSecurityHandler)34
BasicAuthenticator (org.eclipse.jetty.security.authentication.BasicAuthenticator)27
HashLoginService (org.eclipse.jetty.security.HashLoginService)20
Test (org.junit.Test)15
Server (org.eclipse.jetty.server.Server)13
ArrayList (java.util.ArrayList)9
WebAppContext (org.eclipse.jetty.webapp.WebAppContext)8
Password (org.eclipse.jetty.util.security.Password)7
HashSet (java.util.HashSet)6
File (java.io.File)5
IOException (java.io.IOException)5
ResourceHandler (org.eclipse.jetty.server.handler.ResourceHandler)5
LoginService (org.eclipse.jetty.security.LoginService)4
ServerConnector (org.eclipse.jetty.server.ServerConnector)4
ContextHandler (org.eclipse.jetty.server.handler.ContextHandler)4
HandlerList (org.eclipse.jetty.server.handler.HandlerList)4
ServletContextHandler (org.eclipse.jetty.servlet.ServletContextHandler)4
ServletHolder (org.eclipse.jetty.servlet.ServletHolder)4
