
Example 6 with HttpMethodConstraintElement

use of javax.servlet.HttpMethodConstraintElement in project tomcat by apache.

Class SecurityConstraint, method createConstraints.

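/**
 * Convert a {@link ServletSecurityElement} to an array of
 * {@link SecurityConstraint}(s).
 * <p>
 * One constraint is created for every HTTP method that the element
 * constrains explicitly, and one further constraint covers all the other
 * methods. That last constraint lists the explicitly constrained methods as
 * omitted methods, so the per-method constraints and the catch-all never
 * overlap.
 *
 * @param element       The element to be converted
 * @param urlPattern    The url pattern that the element should be applied
 *                      to
 * @return              The (possibly zero length) array of constraints that
 *                      are the equivalent to the input
 */
public static SecurityConstraint[] createConstraints(ServletSecurityElement element, String urlPattern) {
    Set<SecurityConstraint> result = new HashSet<>();

    // One constraint per explicitly constrained HTTP method
    for (HttpMethodConstraintElement methodElement : element.getHttpMethodConstraints()) {
        SecurityConstraint constraint = createConstraint(methodElement, urlPattern, true);
        // There will always be a single collection for a per-method element
        SecurityCollection collection = constraint.findCollections()[0];
        collection.addMethod(methodElement.getMethodName());
        result.add(constraint);
    }

    // One constraint for all the remaining methods; createConstraint() may
    // return null for this case, hence the check
    SecurityConstraint catchAll = createConstraint(element, urlPattern, false);
    if (catchAll != null) {
        // There will always be a single collection
        SecurityCollection collection = catchAll.findCollections()[0];
        // The explicitly constrained methods are excluded here so that they
        // are governed only by their own constraint created above
        for (String constrainedMethod : element.getMethodNames()) {
            collection.addOmittedMethod(constrainedMethod);
        }
        result.add(catchAll);
    }

    return result.toArray(new SecurityConstraint[result.size()]);
}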

Example 7 with HttpMethodConstraintElement

use of javax.servlet.HttpMethodConstraintElement in project tomcat by apache.

Class TestSecurityConstraint, method testCreateConstraints.

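/**
 * Uses the examples in SRV.13.4 as the basis for these tests.
 * <p>
 * Where an example yields two constraints, the test records which variant
 * each constraint represents (explicit method vs. omitted method) and
 * asserts afterwards that both variants were produced, so that a duplicated
 * or missing constraint cannot pass unnoticed.
 */
@Test
public void testCreateConstraints() {
    ServletSecurityElement element;
    SecurityConstraint[] result;
    Set<HttpMethodConstraintElement> hmces = new HashSet<>();

    // Example 13-1
    // @ServletSecurity
    element = new ServletSecurityElement();
    result = SecurityConstraint.createConstraints(element, URL_PATTERN);
    assertEquals(0, result.length);

    // Example 13-2
    // @ServletSecurity(
    //     @HttpConstraint(
    //         transportGuarantee = TransportGuarantee.CONFIDENTIAL))
    element = new ServletSecurityElement(new HttpConstraintElement(ServletSecurity.TransportGuarantee.CONFIDENTIAL));
    result = SecurityConstraint.createConstraints(element, URL_PATTERN);
    assertEquals(1, result.length);
    assertFalse(result[0].getAuthConstraint());
    assertTrue(result[0].findCollections()[0].findPattern(URL_PATTERN));
    assertEquals(0, result[0].findCollections()[0].findMethods().length);
    assertEquals(ServletSecurity.TransportGuarantee.CONFIDENTIAL.name(), result[0].getUserConstraint());

    // Example 13-3
    // @ServletSecurity(@HttpConstraint(EmptyRoleSemantic.DENY))
    element = new ServletSecurityElement(new HttpConstraintElement(EmptyRoleSemantic.DENY));
    result = SecurityConstraint.createConstraints(element, URL_PATTERN);
    assertEquals(1, result.length);
    assertTrue(result[0].getAuthConstraint());
    assertTrue(result[0].findCollections()[0].findPattern(URL_PATTERN));
    assertEquals(0, result[0].findCollections()[0].findMethods().length);
    assertEquals(ServletSecurity.TransportGuarantee.NONE.name(), result[0].getUserConstraint());

    // Example 13-4
    // @ServletSecurity(@HttpConstraint(rolesAllowed = "R1"))
    element = new ServletSecurityElement(new HttpConstraintElement(ServletSecurity.TransportGuarantee.NONE, ROLE1));
    result = SecurityConstraint.createConstraints(element, URL_PATTERN);
    assertEquals(1, result.length);
    assertTrue(result[0].getAuthConstraint());
    assertEquals(1, result[0].findAuthRoles().length);
    assertTrue(result[0].findAuthRole(ROLE1));
    assertTrue(result[0].findCollections()[0].findPattern(URL_PATTERN));
    assertEquals(0, result[0].findCollections()[0].findMethods().length);
    assertEquals(ServletSecurity.TransportGuarantee.NONE.name(), result[0].getUserConstraint());

    // Example 13-5
    // @ServletSecurity((httpMethodConstraints = {
    //     @HttpMethodConstraint(value = "GET", rolesAllowed = "R1"),
    //     @HttpMethodConstraint(value = "POST", rolesAllowed = "R1",
    //     transportGuarantee = TransportGuarantee.CONFIDENTIAL)
    // })
    hmces.clear();
    hmces.add(new HttpMethodConstraintElement("GET", new HttpConstraintElement(ServletSecurity.TransportGuarantee.NONE, ROLE1)));
    hmces.add(new HttpMethodConstraintElement("POST", new HttpConstraintElement(ServletSecurity.TransportGuarantee.CONFIDENTIAL, ROLE1)));
    element = new ServletSecurityElement(hmces);
    result = SecurityConstraint.createConstraints(element, URL_PATTERN);
    assertEquals(2, result.length);
    // Each method must be covered by exactly one of the two constraints
    Set<String> seenMethods = new HashSet<>();
    for (SecurityConstraint sc : result) {
        assertTrue(sc.getAuthConstraint());
        assertEquals(1, sc.findAuthRoles().length);
        assertTrue(sc.findAuthRole(ROLE1));
        assertTrue(sc.findCollections()[0].findPattern(URL_PATTERN));
        assertEquals(1, sc.findCollections()[0].findMethods().length);
        String method = sc.findCollections()[0].findMethods()[0];
        if ("GET".equals(method)) {
            assertEquals(ServletSecurity.TransportGuarantee.NONE.name(), sc.getUserConstraint());
        } else if ("POST".equals(method)) {
            assertEquals(ServletSecurity.TransportGuarantee.CONFIDENTIAL.name(), sc.getUserConstraint());
        } else {
            fail("Unexpected method :[" + method + "]");
        }
        assertTrue("Duplicate constraint for method [" + method + "]", seenMethods.add(method));
    }
    assertTrue("No constraint for GET", seenMethods.contains("GET"));
    assertTrue("No constraint for POST", seenMethods.contains("POST"));

    // Example 13-6
    // @ServletSecurity(value = @HttpConstraint(rolesAllowed = "R1"),
    //     httpMethodConstraints = @HttpMethodConstraint("GET"))
    hmces.clear();
    hmces.add(new HttpMethodConstraintElement("GET"));
    element = new ServletSecurityElement(new HttpConstraintElement(ServletSecurity.TransportGuarantee.NONE, ROLE1), hmces);
    result = SecurityConstraint.createConstraints(element, URL_PATTERN);
    assertEquals(2, result.length);
    // Expect one constraint for GET and one for every other method
    boolean sawGetConstraint = false;
    boolean sawOtherMethodsConstraint = false;
    for (SecurityConstraint sc : result) {
        assertTrue(sc.findCollections()[0].findPattern(URL_PATTERN));
        if (sc.findCollections()[0].findMethods().length == 1) {
            assertEquals("GET", sc.findCollections()[0].findMethods()[0]);
            assertFalse(sc.getAuthConstraint());
            sawGetConstraint = true;
        } else if (sc.findCollections()[0].findOmittedMethods().length == 1) {
            assertEquals("GET", sc.findCollections()[0].findOmittedMethods()[0]);
            assertTrue(sc.getAuthConstraint());
            assertEquals(1, sc.findAuthRoles().length);
            assertEquals(ROLE1, sc.findAuthRoles()[0]);
            sawOtherMethodsConstraint = true;
        } else {
            fail("Unexpected number of methods defined");
        }
        assertEquals(ServletSecurity.TransportGuarantee.NONE.name(), sc.getUserConstraint());
    }
    assertTrue("No constraint for GET", sawGetConstraint);
    assertTrue("No constraint for the methods other than GET", sawOtherMethodsConstraint);

    // Example 13-7
    // @ServletSecurity(value = @HttpConstraint(rolesAllowed = "R1"),
    //     httpMethodConstraints = @HttpMethodConstraint(value="TRACE",
    //         emptyRoleSemantic = EmptyRoleSemantic.DENY))
    hmces.clear();
    hmces.add(new HttpMethodConstraintElement("TRACE", new HttpConstraintElement(EmptyRoleSemantic.DENY)));
    element = new ServletSecurityElement(new HttpConstraintElement(ServletSecurity.TransportGuarantee.NONE, ROLE1), hmces);
    result = SecurityConstraint.createConstraints(element, URL_PATTERN);
    assertEquals(2, result.length);
    // Expect one constraint for TRACE and one for every other method
    boolean sawTraceConstraint = false;
    boolean sawNonTraceConstraint = false;
    for (SecurityConstraint sc : result) {
        assertTrue(sc.findCollections()[0].findPattern(URL_PATTERN));
        if (sc.findCollections()[0].findMethods().length == 1) {
            assertEquals("TRACE", sc.findCollections()[0].findMethods()[0]);
            assertTrue(sc.getAuthConstraint());
            assertEquals(0, sc.findAuthRoles().length);
            sawTraceConstraint = true;
        } else if (sc.findCollections()[0].findOmittedMethods().length == 1) {
            assertEquals("TRACE", sc.findCollections()[0].findOmittedMethods()[0]);
            assertTrue(sc.getAuthConstraint());
            assertEquals(1, sc.findAuthRoles().length);
            assertEquals(ROLE1, sc.findAuthRoles()[0]);
            sawNonTraceConstraint = true;
        } else {
            fail("Unexpected number of methods defined");
        }
        assertEquals(ServletSecurity.TransportGuarantee.NONE.name(), sc.getUserConstraint());
    }
    assertTrue("No constraint for TRACE", sawTraceConstraint);
    assertTrue("No constraint for the methods other than TRACE", sawNonTraceConstraint);

    // Example 13-8 is the same as 13-4
    // Example 13-9 is the same as 13-7
}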

Example 8 with HttpMethodConstraintElement

use of javax.servlet.HttpMethodConstraintElement in project undertow by undertow-io.

Class ServletRegistrationImpl, method setServletSecurity.

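/**
 * Translates the given {@link ServletSecurityElement} into a
 * {@link ServletSecurityInfo} and attaches it to this servlet.
 * <p>
 * The info object is fully populated before it is attached, so that a
 * failure while translating the element cannot leave the servlet registered
 * with a partially populated policy.
 *
 * @param constraint the security element to apply; must not be null
 * @return the URL patterns of this servlet's mappings that are already
 *         listed by a security constraint of the deployment
 * @throws IllegalArgumentException if {@code constraint} is null
 */
@Override
public Set<String> setServletSecurity(final ServletSecurityElement constraint) {
    if (constraint == null) {
        throw UndertowMessages.MESSAGES.argumentCannotBeNull("constraint");
    }
    final Set<String> alreadyConstrained = findAlreadyConstrainedMappings();

    final ServletSecurityInfo info = new ServletSecurityInfo();
    final boolean confidential = constraint.getTransportGuarantee() == CONFIDENTIAL;
    info.setTransportGuaranteeType(confidential ? TransportGuaranteeType.CONFIDENTIAL : TransportGuaranteeType.NONE)
            .setEmptyRoleSemantic(emptyRoleSemantic(constraint.getEmptyRoleSemantic()))
            .addRolesAllowed(constraint.getRolesAllowed());
    for (final HttpMethodConstraintElement methodConstraint : constraint.getHttpMethodConstraints()) {
        final boolean methodConfidential = methodConstraint.getTransportGuarantee() == CONFIDENTIAL;
        info.addHttpMethodSecurityInfo(new HttpMethodSecurityInfo()
                .setTransportGuaranteeType(methodConfidential ? TransportGuaranteeType.CONFIDENTIAL : TransportGuaranteeType.NONE)
                .setMethod(methodConstraint.getMethodName())
                .setEmptyRoleSemantic(emptyRoleSemantic(methodConstraint.getEmptyRoleSemantic()))
                .addRolesAllowed(methodConstraint.getRolesAllowed()));
    }
    // Attach only once the policy is complete (see class comment above)
    servletInfo.setServletSecurityInfo(info);
    return alreadyConstrained;
}

/**
 * Collects those of this servlet's mappings that already appear as a URL
 * pattern in one of the deployment's security constraints.
 *
 * @return the matching URL patterns (possibly empty, never null)
 */
private Set<String> findAlreadyConstrainedMappings() {
    final DeploymentInfo deploymentInfo = deployment.getDeploymentInfo();
    //this is not super efficient, but it does not really matter
    final Set<String> urlPatterns = new HashSet<>();
    for (SecurityConstraint sc : deploymentInfo.getSecurityConstraints()) {
        for (WebResourceCollection webResources : sc.getWebResourceCollections()) {
            urlPatterns.addAll(webResources.getUrlPatterns());
        }
    }
    final Set<String> ret = new HashSet<>();
    for (String url : servletInfo.getMappings()) {
        if (urlPatterns.contains(url)) {
            ret.add(url);
        }
    }
    return ret;
}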
