
Example 1 with SingleConstraintMatch

use of io.undertow.servlet.api.SingleConstraintMatch in project undertow by undertow-io.

Class ServletSecurityConstraintHandler, method handleRequest: collects the security constraints that apply to the request path and method.

@Override
public void handleRequest(final HttpServerExchange exchange) throws Exception {
    // Look up the constraints that apply to this relative path + HTTP method.
    final String relativePath = exchange.getRelativePath();
    final String method = exchange.getRequestMethod().toString();
    final SecurityPathMatch match = securityPathMatches.getSecurityInfo(relativePath, method);

    final ServletRequestContext ctx = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);

    // Constraints accumulate on the request context: the list is appended to, never
    // replaced, so anything recorded earlier in the chain is not dropped here.
    List<SingleConstraintMatch> required = ctx.getRequiredConstrains();
    if (required == null) {
        required = new ArrayList<>();
        ctx.setRequiredConstrains(required);
    }
    required.add(match.getMergedConstraint());

    // The transport guarantee only ratchets upwards: a value is only written when none is
    // recorded yet or the new one orders higher. This relies on the enum's declaration
    // order running from weakest to strongest guarantee (compareTo on enums is ordinal order).
    final TransportGuaranteeType current = ctx.getTransportGuarenteeType();
    final TransportGuaranteeType wanted = match.getTransportGuaranteeType();
    if (current == null || current.compareTo(wanted) < 0) {
        ctx.setTransportGuarenteeType(wanted);
    }

    UndertowLogger.SECURITY_LOGGER.debugf("Security constraints for request %s are %s", exchange.getRequestURI(), required);
    next.handleRequest(exchange);
}
Also used : SingleConstraintMatch(io.undertow.servlet.api.SingleConstraintMatch) TransportGuaranteeType(io.undertow.servlet.api.TransportGuaranteeType) ArrayList(java.util.ArrayList) ServletRequestContext(io.undertow.servlet.handlers.ServletRequestContext)

Example 2 with SingleConstraintMatch

use of io.undertow.servlet.api.SingleConstraintMatch in project undertow by undertow-io.

Class ServletSecurityRoleHandler, method handleRequest: enforces the collected role constraints and answers 403 when they are not met.

@Override
public void handleRequest(final HttpServerExchange exchange) throws Exception {
    final ServletRequestContext ctx = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
    final ServletRequest request = ctx.getServletRequest();

    // Role constraints are enforced for client-originated requests only. Any other dispatcher
    // type (forward, include, ...) passes straight through to the next handler, so a servlet
    // that forwards to a protected path is trusted to have done its own checks.
    if (request.getDispatcherType() != DispatcherType.REQUEST) {
        next.handleRequest(exchange);
        return;
    }

    final List<SingleConstraintMatch> constraints = ctx.getRequiredConstrains();
    final SecurityContext securityContext = exchange.getSecurityContext();
    // The authenticated account may be absent for an anonymous caller; the authorization
    // manager is expected to treat that as "no roles" rather than as an error.
    final boolean authorized = authorizationManager.canAccessResource(
            constraints,
            securityContext.getAuthenticatedAccount(),
            ctx.getCurrentServlet().getManagedServlet().getServletInfo(),
            ctx.getOriginalRequest(),
            ctx.getDeployment());

    if (!authorized) {
        // Deny with 403 and stop the chain; the response is committed by sendError.
        final HttpServletResponse response = (HttpServletResponse) ctx.getServletResponse();
        response.sendError(StatusCodes.FORBIDDEN);
        return;
    }
    next.handleRequest(exchange);
}
Also used : ServletRequest(javax.servlet.ServletRequest) SingleConstraintMatch(io.undertow.servlet.api.SingleConstraintMatch) SecurityContext(io.undertow.security.api.SecurityContext) ServletRequestContext(io.undertow.servlet.handlers.ServletRequestContext) HttpServletResponse(javax.servlet.http.HttpServletResponse)

Example 3 with SingleConstraintMatch

use of io.undertow.servlet.api.SingleConstraintMatch in project undertow by undertow-io.

Class DefaultAuthorizationManager, method canAccessResource: decides whether the account satisfies every matched constraint.

/**
 * Decides whether {@code account} may access a resource guarded by {@code constraints}.
 * <p>
 * Every matched constraint must be satisfied; the first unsatisfied one denies access.
 * With no constraints at all the resource is unprotected and access is granted.
 * {@code servletInfo} and {@code request} are accepted for the interface but not consulted here.
 *
 * @param constraints constraints matched for the request path/method, may be null or empty
 * @param account     the authenticated account, or null for an anonymous caller
 * @param servletInfo target servlet (unused in this implementation)
 * @param request     original request (unused in this implementation)
 * @param deployment  deployment whose declared roles and principal-to-role mapping are consulted
 * @return true if access is permitted
 */
@Override
public boolean canAccessResource(List<SingleConstraintMatch> constraints, Account account, ServletInfo servletInfo, HttpServletRequest request, Deployment deployment) {
    if (constraints == null || constraints.isEmpty()) {
        return true;
    }
    for (final SingleConstraintMatch constraint : constraints) {
        if (!satisfies(constraint, account, deployment)) {
            return false;
        }
    }
    return true;
}

/**
 * Checks a single constraint against the account.
 * <p>
 * Order of the rules matters:
 * <ol>
 *   <li>An empty role set with any semantic other than DENY needs no role check at all.</li>
 *   <li>Otherwise an anonymous caller (null account) can never satisfy the constraint; this
 *       also covers the empty-role-set + DENY case, which no account can satisfy.</li>
 *   <li>The {@code **} wildcard role matches any authenticated account, unless the deployment
 *       itself declares a real role named {@code **}.</li>
 *   <li>Finally any one required role must be held, either via the deployment's
 *       principal-to-roles mapping or directly on the account.</li>
 * </ol>
 */
private static boolean satisfies(final SingleConstraintMatch constraint, final Account account, final Deployment deployment) {
    final Set<String> requiredRoles = constraint.getRequiredRoles();
    if (requiredRoles.isEmpty() && constraint.getEmptyRoleSemantic() != SecurityInfo.EmptyRoleSemantic.DENY) {
        return true;
    }
    if (account == null) {
        return false;
    }
    if (requiredRoles.contains("**") && !deployment.getDeploymentInfo().getSecurityRoles().contains("**")) {
        return true;
    }
    final Set<String> mappedRoles = deployment.getDeploymentInfo().getPrincipalVersusRolesMap().get(account.getPrincipal().getName());
    for (final String role : requiredRoles) {
        if (mappedRoles != null && mappedRoles.contains(role)) {
            return true;
        }
        if (account.getRoles().contains(role)) {
            return true;
        }
    }
    return false;
}
Also used : SingleConstraintMatch(io.undertow.servlet.api.SingleConstraintMatch) Set(java.util.Set)

Example 4 with SingleConstraintMatch

use of io.undertow.servlet.api.SingleConstraintMatch in project undertow by undertow-io.

Class ServletAuthenticationConstraintHandler, method isAuthenticationRequired: decides from the collected constraints whether the request must be authenticated.

/**
 * Reports whether this request must be authenticated before it can proceed.
 * <p>
 * Note that a {@code false} result does not grant access: an empty role set with DENY
 * semantic makes this method return {@code false} because no authentication could ever
 * satisfy it, and the request is expected to be rejected by the role check later in the chain.
 */
@Override
protected boolean isAuthenticationRequired(final HttpServerExchange exchange) {
    // The form-login action URL always requires authentication, regardless of constraints.
    if (exchange.getRelativePath().endsWith(ServletFormAuthenticationMechanism.DEFAULT_POST_LOCATION)) {
        return true;
    }

    // NOTE(review): iterated without a null check, so this assumes the constraint-collecting
    // handler earlier in the chain has already initialised the list - confirm the chain order.
    final List<SingleConstraintMatch> matched = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY).getRequiredConstrains();

    boolean required = false;
    // Keep walking even once 'required' is set: an empty role set with DENY semantic
    // overrides everything else and short-circuits the whole decision.
    for (final SingleConstraintMatch match : matched) {
        final boolean rolesListed = !match.getRequiredRoles().isEmpty();
        final EmptyRoleSemantic semantic = match.getEmptyRoleSemantic();
        if (!rolesListed && semantic == EmptyRoleSemantic.DENY) {
            return false;
        }
        if (rolesListed || semantic == EmptyRoleSemantic.AUTHENTICATE) {
            required = true;
        }
    }

    if (required) {
        UndertowLogger.SECURITY_LOGGER.debugf("Authenticating required for request %s", exchange);
    }
    return required;
}
Also used : SingleConstraintMatch(io.undertow.servlet.api.SingleConstraintMatch)

Example 5 with SingleConstraintMatch

use of io.undertow.servlet.api.SingleConstraintMatch in project undertow by undertow-io.

Class SecurityPathMatches, method handleMatch: merges the path-level, per-method and excluded-method constraints into the runtime match.

/**
 * Folds the constraints declared for a matched path into {@code currentMatch} for the given
 * HTTP method, in three passes: constraints that apply to every method, constraints declared
 * for exactly this method, and "all methods except ..." constraints that do not exclude it.
 * {@code currentMatch.uncovered} is cleared whenever a constraint is found that actually
 * covers the method.
 */
private void handleMatch(final String method, final PathSecurityInformation exact, RuntimeMatch currentMatch) {
    // Pass 1: constraints that apply to the path regardless of method. A role-less
    // constraint with a semantic other than DENY is recorded but does not count as
    // covering the method.
    for (final SecurityInformation info : exact.defaultRequiredRoles) {
        applyConstraint(currentMatch, info);
        if (info.emptyRoleSemantic == SecurityInfo.EmptyRoleSemantic.DENY || !info.roles.isEmpty()) {
            currentMatch.uncovered = false;
        }
    }

    // Pass 2: constraints declared for exactly this method; their presence alone covers it.
    final List<SecurityInformation> forMethod = exact.perMethodRequiredRoles.get(method);
    if (forMethod != null) {
        currentMatch.uncovered = false;
        for (final SecurityInformation info : forMethod) {
            applyConstraint(currentMatch, info);
        }
    }

    // Pass 3: constraints declared for every method except a listed few; applies (and
    // covers) when this method is not in the excluded list.
    for (final ExcludedMethodRoles excluded : exact.excludedMethodRoles) {
        if (excluded.methods.contains(method)) {
            continue;
        }
        currentMatch.uncovered = false;
        applyConstraint(currentMatch, excluded.securityInformation);
    }
}

/** Records one constraint on the match: raises the transport guarantee and appends the role constraint. */
private void applyConstraint(final RuntimeMatch currentMatch, final SecurityInformation info) {
    transport(currentMatch, info.transportGuaranteeType);
    currentMatch.constraints.add(new SingleConstraintMatch(info.emptyRoleSemantic, info.roles));
}
Also used : SingleConstraintMatch(io.undertow.servlet.api.SingleConstraintMatch)

Aggregations

SingleConstraintMatch (io.undertow.servlet.api.SingleConstraintMatch)5 ServletRequestContext (io.undertow.servlet.handlers.ServletRequestContext)2 SecurityContext (io.undertow.security.api.SecurityContext)1 TransportGuaranteeType (io.undertow.servlet.api.TransportGuaranteeType)1 ArrayList (java.util.ArrayList)1 Set (java.util.Set)1 ServletRequest (javax.servlet.ServletRequest)1 HttpServletResponse (javax.servlet.http.HttpServletResponse)1