
Example 1 with HttpMethodConstraintElement

use of javax.servlet.HttpMethodConstraintElement in project jetty.project by eclipse.

the class ConstraintSecurityHandler method createConstraintsWithMappingsForPath.

/* ------------------------------------------------------------ */
/**
 * Generate Constraints and ConstraintMappings for the given url pattern and ServletSecurityElement.
 * <p>
 * The returned list holds, in order: an optional default mapping (only when the element's
 * own constraint differs from the all-defaults case), followed by one mapping per
 * {@link HttpMethodConstraintElement}. Every named method is recorded as a method omission
 * on the default mapping, so that method is governed solely by its own mapping.
 * <p>
 * Security note: when the default constraint carries only default values, no default
 * mapping is produced, so HTTP methods that are not named by a method constraint get
 * no mapping from this call at all.
 *
 * @param name the name handed to {@code createConstraint} for every generated constraint
 * @param pathSpec the path spec set on every generated mapping
 * @param securityElement the servlet security element
 * @return the list of constraint mappings
 */
public static List<ConstraintMapping> createConstraintsWithMappingsForPath(String name, String pathSpec, ServletSecurityElement securityElement) {
    List<ConstraintMapping> result = new ArrayList<ConstraintMapping>();

    // The default case (ie not overridden by specific HttpMethodConstraints) is only
    // materialised when it is something other than PERMIT / no roles / no transport guarantee.
    // See Servlet Spec 3.1 pg 129.
    boolean hasNonDefaultConstraint = securityElement.getEmptyRoleSemantic() != EmptyRoleSemantic.PERMIT
        || securityElement.getRolesAllowed().length != 0
        || securityElement.getTransportGuarantee() != TransportGuarantee.NONE;

    ConstraintMapping defaultMapping = null;
    if (hasNonDefaultConstraint) {
        Constraint defaultConstraint = ConstraintSecurityHandler.createConstraint(name, securityElement);
        defaultMapping = new ConstraintMapping();
        defaultMapping.setPathSpec(pathSpec);
        defaultMapping.setConstraint(defaultConstraint);
        result.add(defaultMapping);
    }

    Collection<HttpMethodConstraintElement> perMethodElements = securityElement.getHttpMethodConstraints();
    if (perMethodElements == null) {
        // Nothing method-specific: the default mapping (if any) stands alone, with no omissions.
        return result;
    }

    // See Spec 13.4.1.2 p127: every method that has its own constraint is omitted from the default one.
    List<String> namedMethods = new ArrayList<String>();
    for (HttpMethodConstraintElement element : perMethodElements) {
        // Captures the <auth-constraint> and <user-data-constraint> supplied for this method.
        Constraint methodConstraint = ConstraintSecurityHandler.createConstraint(name, element);
        ConstraintMapping methodMapping = new ConstraintMapping();
        methodMapping.setConstraint(methodConstraint);
        methodMapping.setPathSpec(pathSpec);

        String methodName = element.getMethodName();
        if (methodName != null) {
            methodMapping.setMethod(methodName);
            namedMethods.add(methodName);
        }
        result.add(methodMapping);
    }

    // Omissions can only be attached when a default mapping was actually created above.
    if (defaultMapping != null && !namedMethods.isEmpty()) {
        defaultMapping.setMethodOmissions(namedMethods.toArray(new String[0]));
    }
    return result;
}
Also used : Constraint(org.eclipse.jetty.util.security.Constraint) ArrayList(java.util.ArrayList) CopyOnWriteArrayList(java.util.concurrent.CopyOnWriteArrayList) HttpMethodConstraintElement(javax.servlet.HttpMethodConstraintElement)

Example 2 with HttpMethodConstraintElement

use of javax.servlet.HttpMethodConstraintElement in project jetty.project by eclipse.

the class ConstraintTest method testSecurityElementExample13_7.

/**
 * Equivalent of Servlet Spec 3.1 pg 132, sec 13.4.1.1, Example 13-7:
 * <pre>{@code
 * @ServletSecurity(value = @HttpConstraint(rolesAllowed = "R1"),
 *                  httpMethodConstraints = @HttpMethodConstraint(value = "TRACE",
 *                  emptyRoleSemantic = EmptyRoleSemantic.DENY))
 * }</pre>
 * All methods except TRACE require role R1; TRACE is denied to everyone.
 *
 * @throws Exception if test fails
 */
@Test
public void testSecurityElementExample13_7() throws Exception {
    HttpConstraintElement denyAll = new HttpConstraintElement(EmptyRoleSemantic.DENY);
    List<HttpMethodConstraintElement> perMethod = new ArrayList<HttpMethodConstraintElement>();
    perMethod.add(new HttpMethodConstraintElement("TRACE", denyAll));
    HttpConstraintElement requireR1 = new HttpConstraintElement(TransportGuarantee.NONE, "R1");
    ServletSecurityElement element = new ServletSecurityElement(requireR1, perMethod);

    List<ConstraintMapping> mappings = ConstraintSecurityHandler.createConstraintsWithMappingsForPath("foo", "/foo/*", element);

    Assert.assertFalse(mappings.isEmpty());
    Assert.assertEquals(2, mappings.size());

    // First mapping: the default R1 constraint, with TRACE carved out as an omission.
    ConstraintMapping defaultMapping = mappings.get(0);
    Assert.assertNotNull(defaultMapping.getMethodOmissions());
    Assert.assertEquals("TRACE", defaultMapping.getMethodOmissions()[0]);
    Assert.assertTrue(defaultMapping.getConstraint().getAuthenticate());
    Assert.assertEquals("R1", defaultMapping.getConstraint().getRoles()[0]);

    // Second mapping: TRACE only, no transport guarantee (0), and forbidden outright.
    ConstraintMapping traceMapping = mappings.get(1);
    Assert.assertEquals("TRACE", traceMapping.getMethod());
    Assert.assertNull(traceMapping.getMethodOmissions());
    Assert.assertEquals(0, traceMapping.getConstraint().getDataConstraint());
    Assert.assertTrue(traceMapping.getConstraint().isForbidden());
}
Also used : ArrayList(java.util.ArrayList) HttpConstraintElement(javax.servlet.HttpConstraintElement) HttpMethodConstraintElement(javax.servlet.HttpMethodConstraintElement) ServletSecurityElement(javax.servlet.ServletSecurityElement) Test(org.junit.Test)

Example 3 with HttpMethodConstraintElement

use of javax.servlet.HttpMethodConstraintElement in project jetty.project by eclipse.

the class ConstraintTest method testSecurityElementExample13_6.

/**
 * Equivalent of Servlet Spec 3.1 pg 132, sec 13.4.1.1, Example 13-6:
 * <pre>{@code
 * @ServletSecurity(value = @HttpConstraint(rolesAllowed = "R1"),
 *                  httpMethodConstraints = @HttpMethodConstraint("GET"))
 * }</pre>
 * All methods except GET require role R1; GET itself carries no auth constraint.
 *
 * @throws Exception if test fails
 */
@Test
public void testSecurityElementExample13_6() throws Exception {
    List<HttpMethodConstraintElement> perMethod = new ArrayList<HttpMethodConstraintElement>();
    perMethod.add(new HttpMethodConstraintElement("GET"));
    HttpConstraintElement requireR1 = new HttpConstraintElement(TransportGuarantee.NONE, "R1");
    ServletSecurityElement element = new ServletSecurityElement(requireR1, perMethod);

    List<ConstraintMapping> mappings = ConstraintSecurityHandler.createConstraintsWithMappingsForPath("foo", "/foo/*", element);

    Assert.assertFalse(mappings.isEmpty());
    Assert.assertEquals(2, mappings.size());

    // First mapping: the default R1 constraint, with GET listed as an omission.
    ConstraintMapping defaultMapping = mappings.get(0);
    Assert.assertNotNull(defaultMapping.getMethodOmissions());
    Assert.assertEquals("GET", defaultMapping.getMethodOmissions()[0]);
    Assert.assertTrue(defaultMapping.getConstraint().getAuthenticate());
    Assert.assertEquals("R1", defaultMapping.getConstraint().getRoles()[0]);

    // Second mapping: GET only, no transport guarantee (0) and no authentication required,
    // i.e. GET on this path is open to unauthenticated callers.
    ConstraintMapping getMapping = mappings.get(1);
    Assert.assertEquals("GET", getMapping.getMethod());
    Assert.assertNull(getMapping.getMethodOmissions());
    Assert.assertEquals(0, getMapping.getConstraint().getDataConstraint());
    Assert.assertFalse(getMapping.getConstraint().getAuthenticate());
}
Also used : ArrayList(java.util.ArrayList) HttpConstraintElement(javax.servlet.HttpConstraintElement) HttpMethodConstraintElement(javax.servlet.HttpMethodConstraintElement) ServletSecurityElement(javax.servlet.ServletSecurityElement) Test(org.junit.Test)

Example 4 with HttpMethodConstraintElement

use of javax.servlet.HttpMethodConstraintElement in project jetty.project by eclipse.

the class ConstraintTest method testSecurityElementExample13_5.

/**
 * Equivalent of Servlet Spec 3.1 pg 132, sec 13.4.1.1, Example 13-5:
 * <pre>{@code
 * @ServletSecurity(httpMethodConstraints = {
 *     @HttpMethodConstraint(value = "GET", rolesAllowed = "R1"),
 *     @HttpMethodConstraint(value = "POST", rolesAllowed = "R1",
 *         transportGuarantee = TransportGuarantee.CONFIDENTIAL)})
 * }</pre>
 * No default HttpConstraint is supplied, so no catch-all mapping is generated: only GET
 * and POST are constrained, and any other HTTP method on the path is not covered by the
 * mappings checked here.
 *
 * @throws Exception if test fails
 */
@Test
public void testSecurityElementExample13_5() throws Exception {
    HttpConstraintElement r1Plain = new HttpConstraintElement(TransportGuarantee.NONE, "R1");
    HttpConstraintElement r1Confidential = new HttpConstraintElement(TransportGuarantee.CONFIDENTIAL, "R1");
    List<HttpMethodConstraintElement> perMethod = new ArrayList<HttpMethodConstraintElement>();
    perMethod.add(new HttpMethodConstraintElement("GET", r1Plain));
    perMethod.add(new HttpMethodConstraintElement("POST", r1Confidential));
    ServletSecurityElement element = new ServletSecurityElement(perMethod);

    List<ConstraintMapping> mappings = ConstraintSecurityHandler.createConstraintsWithMappingsForPath("foo", "/foo/*", element);

    Assert.assertFalse(mappings.isEmpty());
    // Exactly two mappings: one per named method, no default mapping.
    Assert.assertEquals(2, mappings.size());

    // GET: role R1, no transport guarantee (0), and no omissions because there is no default mapping.
    ConstraintMapping getMapping = mappings.get(0);
    Assert.assertEquals("GET", getMapping.getMethod());
    Assert.assertEquals("R1", getMapping.getConstraint().getRoles()[0]);
    Assert.assertNull(getMapping.getMethodOmissions());
    Assert.assertEquals(0, getMapping.getConstraint().getDataConstraint());

    // POST: role R1 and the data-constraint value (2) produced for TransportGuarantee.CONFIDENTIAL.
    ConstraintMapping postMapping = mappings.get(1);
    Assert.assertEquals("POST", postMapping.getMethod());
    Assert.assertEquals("R1", postMapping.getConstraint().getRoles()[0]);
    Assert.assertEquals(2, postMapping.getConstraint().getDataConstraint());
    Assert.assertNull(postMapping.getMethodOmissions());
}
Also used : ArrayList(java.util.ArrayList) HttpConstraintElement(javax.servlet.HttpConstraintElement) HttpMethodConstraintElement(javax.servlet.HttpMethodConstraintElement) ServletSecurityElement(javax.servlet.ServletSecurityElement) Test(org.junit.Test)

Example 5 with HttpMethodConstraintElement

use of javax.servlet.HttpMethodConstraintElement in project blade by biezhi.

the class ConstraintSecurityHandler method createConstraintsWithMappingsForPath.

/* ------------------------------------------------------------ */
/**
 * Generate Constraints and ConstraintMappings for the given url pattern and ServletSecurityElement.
 * <p>
 * Output order: the default mapping first (present only when the element's own constraint
 * is not the all-defaults case), then one mapping for each {@link HttpMethodConstraintElement}.
 * Method names that have their own mapping are set as method omissions on the default
 * mapping, which leaves each of those methods to its dedicated constraint.
 * <p>
 * Security note: if the default constraint has only default values, the default mapping
 * is skipped, and HTTP methods without a method constraint receive no mapping from
 * this call.
 *
 * @param name the name forwarded to {@code createConstraint} for each constraint built
 * @param pathSpec the path spec applied to each mapping
 * @param securityElement the servlet security element
 * @return the list of constraint mappings
 */
public static List<ConstraintMapping> createConstraintsWithMappingsForPath(String name, String pathSpec, ServletSecurityElement securityElement) {
    List<ConstraintMapping> built = new ArrayList<ConstraintMapping>();

    // Default case (ie if not overridden by specific HttpMethodConstraints). It is left out
    // entirely when it contains all default values; see Servlet Spec 3.1 pg 129.
    boolean allDefaults = securityElement.getEmptyRoleSemantic() == EmptyRoleSemantic.PERMIT
        && securityElement.getRolesAllowed().length == 0
        && securityElement.getTransportGuarantee() == TransportGuarantee.NONE;

    ConstraintMapping fallbackMapping = null;
    if (!allDefaults) {
        Constraint fallbackConstraint = ConstraintSecurityHandler.createConstraint(name, securityElement);
        fallbackMapping = new ConstraintMapping();
        fallbackMapping.setPathSpec(pathSpec);
        fallbackMapping.setConstraint(fallbackConstraint);
        built.add(fallbackMapping);
    }

    // See Spec 13.4.1.2 p127: collect each method name that gets its own constraint.
    List<String> omittedMethods = new ArrayList<String>();
    Collection<HttpMethodConstraintElement> methodElements = securityElement.getHttpMethodConstraints();
    if (methodElements != null) {
        for (HttpMethodConstraintElement methodElement : methodElements) {
            // Constraint holding the <auth-constraint> and <user-data-constraint> for this method.
            Constraint perMethodConstraint = ConstraintSecurityHandler.createConstraint(name, methodElement);
            ConstraintMapping perMethodMapping = new ConstraintMapping();
            perMethodMapping.setConstraint(perMethodConstraint);
            perMethodMapping.setPathSpec(pathSpec);

            String httpMethod = methodElement.getMethodName();
            if (httpMethod != null) {
                perMethodMapping.setMethod(httpMethod);
                omittedMethods.add(httpMethod);
            }
            built.add(perMethodMapping);
        }
    }

    // Only a default mapping that was actually created can carry the omissions.
    boolean attachOmissions = fallbackMapping != null && !omittedMethods.isEmpty();
    if (attachOmissions) {
        fallbackMapping.setMethodOmissions(omittedMethods.toArray(new String[0]));
    }
    return built;
}
Also used : Constraint(org.eclipse.jetty.util.security.Constraint) ArrayList(java.util.ArrayList) CopyOnWriteArrayList(java.util.concurrent.CopyOnWriteArrayList) HttpMethodConstraintElement(javax.servlet.HttpMethodConstraintElement)
