Use of javax.servlet.HttpMethodConstraintElement in project tomcat by apache.
The class SecurityConstraint, method createConstraints.
/**
 * Converts a {@link ServletSecurityElement} into the equivalent set of
 * {@link SecurityConstraint}s for a single URL pattern.
 * <p>
 * One constraint is produced per {@link HttpMethodConstraintElement}
 * (restricted to that HTTP method), plus one constraint built from the
 * element itself that covers every other method; the explicitly listed
 * method names are recorded as omitted methods on that catch-all
 * constraint. The catch-all is skipped when {@code createConstraint}
 * returns {@code null} for it.
 *
 * @param element    The element to be converted
 * @param urlPattern The url pattern that the element should be applied to
 * @return The (possibly zero length) array of constraints that are the
 *             equivalent to the input. The order of the array is
 *             unspecified because the constraints are collected in a
 *             {@link HashSet}.
 */
public static SecurityConstraint[] createConstraints(ServletSecurityElement element, String urlPattern) {
    Set<SecurityConstraint> constraints = new HashSet<>();

    // One constraint per explicitly listed HTTP method
    for (HttpMethodConstraintElement methodElement : element.getHttpMethodConstraints()) {
        SecurityConstraint perMethod = createConstraint(methodElement, urlPattern, true);
        // There will always be a single collection, so index 0 is safe
        SecurityCollection perMethodCollection = perMethod.findCollections()[0];
        perMethodCollection.addMethod(methodElement.getMethodName());
        constraints.add(perMethod);
    }

    // Catch-all constraint for every method not listed above
    SecurityConstraint remainder = createConstraint(element, urlPattern, false);
    if (remainder != null) {
        // There will always be a single collection
        SecurityCollection remainderCollection = remainder.findCollections()[0];
        // Exclude the explicitly constrained methods so the catch-all does not
        // override the stricter/looser per-method rules above
        for (String methodName : element.getMethodNames()) {
            remainderCollection.addOmittedMethod(methodName);
        }
        constraints.add(remainder);
    }

    return constraints.toArray(new SecurityConstraint[0]);
}
Use of javax.servlet.HttpMethodConstraintElement in project tomcat by apache.
The class TestSecurityConstraint, method testCreateConstraints.
/**
 * Uses the examples in SRV.13.4 as the basis for these tests.
 * <p>
 * Each example builds a {@link ServletSecurityElement} the way the
 * corresponding annotation would and checks that
 * {@link SecurityConstraint#createConstraints} yields constraints with the
 * expected auth-constraint flag, roles, methods / omitted methods and
 * transport guarantee. Because the result order is not defined, the
 * per-method examples identify each constraint by its method name rather
 * than by its array index.
 */
@Test
public void testCreateConstraints() {
    Set<HttpMethodConstraintElement> methodConstraints = new HashSet<>();
    ServletSecurityElement element;
    SecurityConstraint[] result;

    // Example 13-1
    // @ServletSecurity
    element = new ServletSecurityElement();
    result = SecurityConstraint.createConstraints(element, URL_PATTERN);
    assertEquals(0, result.length);

    // Example 13-2
    // @ServletSecurity(
    //     @HttpConstraint(
    //         transportGuarantee = TransportGuarantee.CONFIDENTIAL))
    element = new ServletSecurityElement(
            new HttpConstraintElement(ServletSecurity.TransportGuarantee.CONFIDENTIAL));
    result = SecurityConstraint.createConstraints(element, URL_PATTERN);
    assertEquals(1, result.length);
    SecurityConstraint confidentialOnly = result[0];
    assertFalse(confidentialOnly.getAuthConstraint());
    assertTrue(confidentialOnly.findCollections()[0].findPattern(URL_PATTERN));
    assertEquals(0, confidentialOnly.findCollections()[0].findMethods().length);
    assertEquals(ServletSecurity.TransportGuarantee.CONFIDENTIAL.name(),
            confidentialOnly.getUserConstraint());

    // Example 13-3
    // @ServletSecurity(@HttpConstraint(EmptyRoleSemantic.DENY))
    element = new ServletSecurityElement(new HttpConstraintElement(EmptyRoleSemantic.DENY));
    result = SecurityConstraint.createConstraints(element, URL_PATTERN);
    assertEquals(1, result.length);
    SecurityConstraint denyAll = result[0];
    assertTrue(denyAll.getAuthConstraint());
    assertTrue(denyAll.findCollections()[0].findPattern(URL_PATTERN));
    assertEquals(0, denyAll.findCollections()[0].findMethods().length);
    assertEquals(ServletSecurity.TransportGuarantee.NONE.name(), denyAll.getUserConstraint());

    // Example 13-4
    // @ServletSecurity(@HttpConstraint(rolesAllowed = "R1"))
    element = new ServletSecurityElement(
            new HttpConstraintElement(ServletSecurity.TransportGuarantee.NONE, ROLE1));
    result = SecurityConstraint.createConstraints(element, URL_PATTERN);
    assertEquals(1, result.length);
    SecurityConstraint roleOnly = result[0];
    assertTrue(roleOnly.getAuthConstraint());
    assertEquals(1, roleOnly.findAuthRoles().length);
    assertTrue(roleOnly.findAuthRole(ROLE1));
    assertTrue(roleOnly.findCollections()[0].findPattern(URL_PATTERN));
    assertEquals(0, roleOnly.findCollections()[0].findMethods().length);
    assertEquals(ServletSecurity.TransportGuarantee.NONE.name(), roleOnly.getUserConstraint());

    // Example 13-5
    // @ServletSecurity((httpMethodConstraints = {
    //     @HttpMethodConstraint(value = "GET", rolesAllowed = "R1"),
    //     @HttpMethodConstraint(value = "POST", rolesAllowed = "R1",
    //         transportGuarantee = TransportGuarantee.CONFIDENTIAL)
    // })
    methodConstraints.clear();
    methodConstraints.add(new HttpMethodConstraintElement("GET",
            new HttpConstraintElement(ServletSecurity.TransportGuarantee.NONE, ROLE1)));
    methodConstraints.add(new HttpMethodConstraintElement("POST",
            new HttpConstraintElement(ServletSecurity.TransportGuarantee.CONFIDENTIAL, ROLE1)));
    element = new ServletSecurityElement(methodConstraints);
    result = SecurityConstraint.createConstraints(element, URL_PATTERN);
    assertEquals(2, result.length);
    for (SecurityConstraint sc : result) {
        assertTrue(sc.getAuthConstraint());
        assertEquals(1, sc.findAuthRoles().length);
        assertTrue(sc.findAuthRole(ROLE1));
        assertTrue(sc.findCollections()[0].findPattern(URL_PATTERN));
        assertEquals(1, sc.findCollections()[0].findMethods().length);
        // The constraint is identified by its single method, not its index
        String method = sc.findCollections()[0].findMethods()[0];
        if ("GET".equals(method)) {
            assertEquals(ServletSecurity.TransportGuarantee.NONE.name(), sc.getUserConstraint());
        } else if ("POST".equals(method)) {
            assertEquals(ServletSecurity.TransportGuarantee.CONFIDENTIAL.name(),
                    sc.getUserConstraint());
        } else {
            fail("Unexpected method :[" + method + "]");
        }
    }

    // Example 13-6
    // @ServletSecurity(value = @HttpConstraint(rolesAllowed = "R1"),
    //     httpMethodConstraints = @HttpMethodConstraint("GET"))
    methodConstraints.clear();
    methodConstraints.add(new HttpMethodConstraintElement("GET"));
    element = new ServletSecurityElement(
            new HttpConstraintElement(ServletSecurity.TransportGuarantee.NONE, ROLE1),
            methodConstraints);
    result = SecurityConstraint.createConstraints(element, URL_PATTERN);
    assertEquals(2, result.length);
    for (SecurityConstraint sc : result) {
        assertTrue(sc.findCollections()[0].findPattern(URL_PATTERN));
        String[] methods = sc.findCollections()[0].findMethods();
        if (methods.length == 1) {
            // The GET-specific constraint: unrestricted
            assertEquals("GET", methods[0]);
            assertFalse(sc.getAuthConstraint());
        } else if (sc.findCollections()[0].findOmittedMethods().length == 1) {
            // The catch-all for every method except GET: requires R1
            assertEquals("GET", sc.findCollections()[0].findOmittedMethods()[0]);
            assertTrue(sc.getAuthConstraint());
            assertEquals(1, sc.findAuthRoles().length);
            assertEquals(ROLE1, sc.findAuthRoles()[0]);
        } else {
            fail("Unexpected number of methods defined");
        }
        assertEquals(ServletSecurity.TransportGuarantee.NONE.name(), sc.getUserConstraint());
    }

    // Example 13-7
    // @ServletSecurity(value = @HttpConstraint(rolesAllowed = "R1"),
    //     httpMethodConstraints = @HttpMethodConstraint(value="TRACE",
    //         emptyRoleSemantic = EmptyRoleSemantic.DENY))
    methodConstraints.clear();
    methodConstraints.add(new HttpMethodConstraintElement("TRACE",
            new HttpConstraintElement(EmptyRoleSemantic.DENY)));
    element = new ServletSecurityElement(
            new HttpConstraintElement(ServletSecurity.TransportGuarantee.NONE, ROLE1),
            methodConstraints);
    result = SecurityConstraint.createConstraints(element, URL_PATTERN);
    assertEquals(2, result.length);
    for (SecurityConstraint sc : result) {
        assertTrue(sc.findCollections()[0].findPattern(URL_PATTERN));
        String[] methods = sc.findCollections()[0].findMethods();
        if (methods.length == 1) {
            // The TRACE-specific constraint: denied to everyone (auth constraint, no roles)
            assertEquals("TRACE", methods[0]);
            assertTrue(sc.getAuthConstraint());
            assertEquals(0, sc.findAuthRoles().length);
        } else if (sc.findCollections()[0].findOmittedMethods().length == 1) {
            // The catch-all for every method except TRACE: requires R1
            assertEquals("TRACE", sc.findCollections()[0].findOmittedMethods()[0]);
            assertTrue(sc.getAuthConstraint());
            assertEquals(1, sc.findAuthRoles().length);
            assertEquals(ROLE1, sc.findAuthRoles()[0]);
        } else {
            fail("Unexpected number of methods defined");
        }
        assertEquals(ServletSecurity.TransportGuarantee.NONE.name(), sc.getUserConstraint());
    }

    // Example 13-8 is the same as 13-4
    // Example 13-9 is the same as 13-7
}
Use of javax.servlet.HttpMethodConstraintElement in project undertow by undertow-io.
The class ServletRegistrationImpl, method setServletSecurity.
/**
 * Applies the given {@link ServletSecurityElement} to this servlet, replacing any
 * previously registered {@code ServletSecurityInfo}.
 * <p>
 * Before the new security info is installed, the servlet's URL mappings are compared
 * with the URL patterns already covered by the deployment's security constraints; the
 * mappings that are already covered are returned so the caller can see which of them
 * were previously constrained. Throws the {@code UndertowMessages}
 * "argument cannot be null" exception if {@code constraint} is {@code null}.
 *
 * @param constraint the security element to apply; must not be {@code null}
 * @return the subset of this servlet's mappings that are already covered by an
 *         existing security constraint of the deployment (possibly empty)
 */
@Override
public Set<String> setServletSecurity(final ServletSecurityElement constraint) {
    if (constraint == null) {
        throw UndertowMessages.MESSAGES.argumentCannotBeNull("constraint");
    }

    // Collect every URL pattern already covered by a deployment-level security constraint.
    // This is not super efficient, but it does not really matter.
    final DeploymentInfo deploymentInfo = deployment.getDeploymentInfo();
    final Set<String> coveredPatterns = new HashSet<>();
    for (SecurityConstraint existing : deploymentInfo.getSecurityConstraints()) {
        for (WebResourceCollection resources : existing.getWebResourceCollections()) {
            coveredPatterns.addAll(resources.getUrlPatterns());
        }
    }

    // The servlet's own mappings that overlap with those patterns are reported back.
    final Set<String> overlapping = new HashSet<>(servletInfo.getMappings());
    overlapping.retainAll(coveredPatterns);

    // Install the new security info; it replaces whatever was registered before.
    // NOTE(review): the overlapping mappings are only reported here, not excluded —
    // confirm that deployment-descriptor constraints take precedence when the
    // deployment is built.
    final TransportGuaranteeType defaultGuarantee =
            constraint.getTransportGuarantee() == CONFIDENTIAL
                    ? TransportGuaranteeType.CONFIDENTIAL
                    : TransportGuaranteeType.NONE;
    final ServletSecurityInfo info = new ServletSecurityInfo();
    servletInfo.setServletSecurityInfo(info);
    info.setTransportGuaranteeType(defaultGuarantee)
            .setEmptyRoleSemantic(emptyRoleSemantic(constraint.getEmptyRoleSemantic()))
            .addRolesAllowed(constraint.getRolesAllowed());

    // Per-method overrides are mapped one-to-one onto HttpMethodSecurityInfo entries.
    for (final HttpMethodConstraintElement methodConstraint : constraint.getHttpMethodConstraints()) {
        final TransportGuaranteeType methodGuarantee =
                methodConstraint.getTransportGuarantee() == CONFIDENTIAL
                        ? TransportGuaranteeType.CONFIDENTIAL
                        : TransportGuaranteeType.NONE;
        info.addHttpMethodSecurityInfo(new HttpMethodSecurityInfo()
                .setTransportGuaranteeType(methodGuarantee)
                .setMethod(methodConstraint.getMethodName())
                .setEmptyRoleSemantic(emptyRoleSemantic(methodConstraint.getEmptyRoleSemantic()))
                .addRolesAllowed(methodConstraint.getRolesAllowed()));
    }

    return overlapping;
}