Examples with HttpMethodConstraintElement javax.servlet.HttpMethodConstraintElement used on opensource projects

Search in sources :

Example 6 with HttpMethodConstraintElement

use of javax.servlet.HttpMethodConstraintElement in project tomcat by apache.

the class SecurityConstraint method createConstraints.

/**
     * Convert a {@link ServletSecurityElement} to an array of
     * {@link SecurityConstraint}(s).
     *
     * @param element       The element to be converted
     * @param urlPattern    The url pattern that the element should be applied
     *                      to
     * @return              The (possibly zero length) array of constraints that
     *                      are the equivalent to the input
     */
public static SecurityConstraint[] createConstraints(ServletSecurityElement element, String urlPattern) {
    Set<SecurityConstraint> result = new HashSet<>();
    // Add the per method constraints
    Collection<HttpMethodConstraintElement> methods = element.getHttpMethodConstraints();
    Iterator<HttpMethodConstraintElement> methodIter = methods.iterator();
    while (methodIter.hasNext()) {
        HttpMethodConstraintElement methodElement = methodIter.next();
        SecurityConstraint constraint = createConstraint(methodElement, urlPattern, true);
        // There will always be a single collection
        SecurityCollection collection = constraint.findCollections()[0];
        collection.addMethod(methodElement.getMethodName());
        result.add(constraint);
    }
    // Add the constraint for all the other methods
    SecurityConstraint constraint = createConstraint(element, urlPattern, false);
    if (constraint != null) {
        // There will always be a single collection
        SecurityCollection collection = constraint.findCollections()[0];
        Iterator<String> ommittedMethod = element.getMethodNames().iterator();
        while (ommittedMethod.hasNext()) {
            collection.addOmittedMethod(ommittedMethod.next());
        }
        result.add(constraint);
    }
    return result.toArray(new SecurityConstraint[result.size()]);
}
Also used : HttpMethodConstraintElement(javax.servlet.HttpMethodConstraintElement) HashSet(java.util.HashSet)

Example 7 with HttpMethodConstraintElement

use of javax.servlet.HttpMethodConstraintElement in project tomcat by apache.

the class TestSecurityConstraint method testCreateConstraints.

/**
     * Uses the examples in SRV.13.4 as the basis for these tests
     */
@Test
public void testCreateConstraints() {
    ServletSecurityElement element;
    SecurityConstraint[] result;
    Set<HttpMethodConstraintElement> hmces = new HashSet<>();
    // Example 13-1
    // @ServletSecurity
    element = new ServletSecurityElement();
    result = SecurityConstraint.createConstraints(element, URL_PATTERN);
    assertEquals(0, result.length);
    // Example 13-2
    // @ServletSecurity(
    //     @HttpConstraint(
    //         transportGuarantee = TransportGuarantee.CONFIDENTIAL))
    element = new ServletSecurityElement(new HttpConstraintElement(ServletSecurity.TransportGuarantee.CONFIDENTIAL));
    result = SecurityConstraint.createConstraints(element, URL_PATTERN);
    assertEquals(1, result.length);
    assertFalse(result[0].getAuthConstraint());
    assertTrue(result[0].findCollections()[0].findPattern(URL_PATTERN));
    assertEquals(0, result[0].findCollections()[0].findMethods().length);
    assertEquals(ServletSecurity.TransportGuarantee.CONFIDENTIAL.name(), result[0].getUserConstraint());
    // Example 13-3
    // @ServletSecurity(@HttpConstraint(EmptyRoleSemantic.DENY))
    element = new ServletSecurityElement(new HttpConstraintElement(EmptyRoleSemantic.DENY));
    result = SecurityConstraint.createConstraints(element, URL_PATTERN);
    assertEquals(1, result.length);
    assertTrue(result[0].getAuthConstraint());
    assertTrue(result[0].findCollections()[0].findPattern(URL_PATTERN));
    assertEquals(0, result[0].findCollections()[0].findMethods().length);
    assertEquals(ServletSecurity.TransportGuarantee.NONE.name(), result[0].getUserConstraint());
    // Example 13-4
    // @ServletSecurity(@HttpConstraint(rolesAllowed = "R1"))
    element = new ServletSecurityElement(new HttpConstraintElement(ServletSecurity.TransportGuarantee.NONE, ROLE1));
    result = SecurityConstraint.createConstraints(element, URL_PATTERN);
    assertEquals(1, result.length);
    assertTrue(result[0].getAuthConstraint());
    assertEquals(1, result[0].findAuthRoles().length);
    assertTrue(result[0].findAuthRole(ROLE1));
    assertTrue(result[0].findCollections()[0].findPattern(URL_PATTERN));
    assertEquals(0, result[0].findCollections()[0].findMethods().length);
    assertEquals(ServletSecurity.TransportGuarantee.NONE.name(), result[0].getUserConstraint());
    // Example 13-5
    // @ServletSecurity((httpMethodConstraints = {
    //     @HttpMethodConstraint(value = "GET", rolesAllowed = "R1"),
    //     @HttpMethodConstraint(value = "POST", rolesAllowed = "R1",
    //     transportGuarantee = TransportGuarantee.CONFIDENTIAL)
    // })
    hmces.clear();
    hmces.add(new HttpMethodConstraintElement("GET", new HttpConstraintElement(ServletSecurity.TransportGuarantee.NONE, ROLE1)));
    hmces.add(new HttpMethodConstraintElement("POST", new HttpConstraintElement(ServletSecurity.TransportGuarantee.CONFIDENTIAL, ROLE1)));
    element = new ServletSecurityElement(hmces);
    result = SecurityConstraint.createConstraints(element, URL_PATTERN);
    assertEquals(2, result.length);
    for (int i = 0; i < 2; i++) {
        assertTrue(result[i].getAuthConstraint());
        assertEquals(1, result[i].findAuthRoles().length);
        assertTrue(result[i].findAuthRole(ROLE1));
        assertTrue(result[i].findCollections()[0].findPattern(URL_PATTERN));
        assertEquals(1, result[i].findCollections()[0].findMethods().length);
        String method = result[i].findCollections()[0].findMethods()[0];
        if ("GET".equals(method)) {
            assertEquals(ServletSecurity.TransportGuarantee.NONE.name(), result[i].getUserConstraint());
        } else if ("POST".equals(method)) {
            assertEquals(ServletSecurity.TransportGuarantee.CONFIDENTIAL.name(), result[i].getUserConstraint());
        } else {
            fail("Unexpected method :[" + method + "]");
        }
    }
    // Example 13-6
    // @ServletSecurity(value = @HttpConstraint(rolesAllowed = "R1"),
    //     httpMethodConstraints = @HttpMethodConstraint("GET"))
    hmces.clear();
    hmces.add(new HttpMethodConstraintElement("GET"));
    element = new ServletSecurityElement(new HttpConstraintElement(ServletSecurity.TransportGuarantee.NONE, ROLE1), hmces);
    result = SecurityConstraint.createConstraints(element, URL_PATTERN);
    assertEquals(2, result.length);
    for (int i = 0; i < 2; i++) {
        assertTrue(result[i].findCollections()[0].findPattern(URL_PATTERN));
        if (result[i].findCollections()[0].findMethods().length == 1) {
            assertEquals("GET", result[i].findCollections()[0].findMethods()[0]);
            assertFalse(result[i].getAuthConstraint());
        } else if (result[i].findCollections()[0].findOmittedMethods().length == 1) {
            assertEquals("GET", result[i].findCollections()[0].findOmittedMethods()[0]);
            assertTrue(result[i].getAuthConstraint());
            assertEquals(1, result[i].findAuthRoles().length);
            assertEquals(ROLE1, result[i].findAuthRoles()[0]);
        } else {
            fail("Unexpected number of methods defined");
        }
        assertEquals(ServletSecurity.TransportGuarantee.NONE.name(), result[i].getUserConstraint());
    }
    // Example 13-7
    // @ServletSecurity(value = @HttpConstraint(rolesAllowed = "R1"),
    //     httpMethodConstraints = @HttpMethodConstraint(value="TRACE",
    //         emptyRoleSemantic = EmptyRoleSemantic.DENY))
    hmces.clear();
    hmces.add(new HttpMethodConstraintElement("TRACE", new HttpConstraintElement(EmptyRoleSemantic.DENY)));
    element = new ServletSecurityElement(new HttpConstraintElement(ServletSecurity.TransportGuarantee.NONE, ROLE1), hmces);
    result = SecurityConstraint.createConstraints(element, URL_PATTERN);
    assertEquals(2, result.length);
    for (int i = 0; i < 2; i++) {
        assertTrue(result[i].findCollections()[0].findPattern(URL_PATTERN));
        if (result[i].findCollections()[0].findMethods().length == 1) {
            assertEquals("TRACE", result[i].findCollections()[0].findMethods()[0]);
            assertTrue(result[i].getAuthConstraint());
            assertEquals(0, result[i].findAuthRoles().length);
        } else if (result[i].findCollections()[0].findOmittedMethods().length == 1) {
            assertEquals("TRACE", result[i].findCollections()[0].findOmittedMethods()[0]);
            assertTrue(result[i].getAuthConstraint());
            assertEquals(1, result[i].findAuthRoles().length);
            assertEquals(ROLE1, result[i].findAuthRoles()[0]);
        } else {
            fail("Unexpected number of methods defined");
        }
        assertEquals(ServletSecurity.TransportGuarantee.NONE.name(), result[i].getUserConstraint());
    }
// Example 13-8 is the same as 13-4
// Example 13-9 is the same as 13-7
}
Also used : HttpConstraintElement(javax.servlet.HttpConstraintElement) ServletSecurityElement(javax.servlet.ServletSecurityElement) HttpMethodConstraintElement(javax.servlet.HttpMethodConstraintElement) HashSet(java.util.HashSet) Test(org.junit.Test)

Example 8 with HttpMethodConstraintElement

use of javax.servlet.HttpMethodConstraintElement in project undertow by undertow-io.

the class ServletRegistrationImpl method setServletSecurity.

@Override
public Set<String> setServletSecurity(final ServletSecurityElement constraint) {
    if (constraint == null) {
        throw UndertowMessages.MESSAGES.argumentCannotBeNull("constraint");
    }
    DeploymentInfo deploymentInfo = deployment.getDeploymentInfo();
    //this is not super efficient, but it does not really matter
    final Set<String> urlPatterns = new HashSet<>();
    for (SecurityConstraint sc : deploymentInfo.getSecurityConstraints()) {
        for (WebResourceCollection webResources : sc.getWebResourceCollections()) {
            urlPatterns.addAll(webResources.getUrlPatterns());
        }
    }
    final Set<String> ret = new HashSet<>();
    for (String url : servletInfo.getMappings()) {
        if (urlPatterns.contains(url)) {
            ret.add(url);
        }
    }
    ServletSecurityInfo info = new ServletSecurityInfo();
    servletInfo.setServletSecurityInfo(info);
    info.setTransportGuaranteeType(constraint.getTransportGuarantee() == CONFIDENTIAL ? TransportGuaranteeType.CONFIDENTIAL : TransportGuaranteeType.NONE).setEmptyRoleSemantic(emptyRoleSemantic(constraint.getEmptyRoleSemantic())).addRolesAllowed(constraint.getRolesAllowed());
    for (final HttpMethodConstraintElement methodConstraint : constraint.getHttpMethodConstraints()) {
        info.addHttpMethodSecurityInfo(new HttpMethodSecurityInfo().setTransportGuaranteeType(methodConstraint.getTransportGuarantee() == CONFIDENTIAL ? TransportGuaranteeType.CONFIDENTIAL : TransportGuaranteeType.NONE).setMethod(methodConstraint.getMethodName()).setEmptyRoleSemantic(emptyRoleSemantic(methodConstraint.getEmptyRoleSemantic())).addRolesAllowed(methodConstraint.getRolesAllowed()));
    }
    return ret;
}
Also used : WebResourceCollection(io.undertow.servlet.api.WebResourceCollection) ServletSecurityInfo(io.undertow.servlet.api.ServletSecurityInfo) DeploymentInfo(io.undertow.servlet.api.DeploymentInfo) HttpMethodConstraintElement(javax.servlet.HttpMethodConstraintElement) SecurityConstraint(io.undertow.servlet.api.SecurityConstraint) HashSet(java.util.HashSet) HttpMethodSecurityInfo(io.undertow.servlet.api.HttpMethodSecurityInfo)

Aggregations

HttpMethodConstraintElement (javax.servlet.HttpMethodConstraintElement)8 ArrayList (java.util.ArrayList)5 HttpConstraintElement (javax.servlet.HttpConstraintElement)4 ServletSecurityElement (javax.servlet.ServletSecurityElement)4 Test (org.junit.Test)4 HashSet (java.util.HashSet)3 CopyOnWriteArrayList (java.util.concurrent.CopyOnWriteArrayList)2 Constraint (org.eclipse.jetty.util.security.Constraint)2 DeploymentInfo (io.undertow.servlet.api.DeploymentInfo)1 HttpMethodSecurityInfo (io.undertow.servlet.api.HttpMethodSecurityInfo)1 SecurityConstraint (io.undertow.servlet.api.SecurityConstraint)1 ServletSecurityInfo (io.undertow.servlet.api.ServletSecurityInfo)1 WebResourceCollection (io.undertow.servlet.api.WebResourceCollection)1
About Me
UseOf

Java Tutorials :

Simple Java RabbitMQ Example with Spring
Simple Springboot JPA Eclipeslink Example
Simple SpringBoot JPA Hibernate Example
Jackson JSON @JsonIgnore and @JsonIgnoreProperties Examples
Java Infinite recursion (StackOverflowError) Jackson solutions
Simple Java Jackson Serialize Objects to JSON and convert them back To Object
ElasticSearch 5 - Upload files using Java API in binary field Example
Java JAXB marshall unmarshall Examples from String and Stream
Java 8 forEach List and Map examples
ElasticSearch 5 Java API SearchRequestBuilder examples
Java ElasticSearch 5 examples with node index and mapping - running local
Convert String to int or Integer Java 8
Java 9 in action - JShell - Ubuntu
Java - removing invalid characters from a file name
Hello world!? or Hello Tutorial