
Example 6 with ServletSecurityElement

Use of javax.servlet.ServletSecurityElement in project tomcat by apache.

The class StandardWrapper, method processServletSecurityAnnotation.

/**
 * Registers the {@code @ServletSecurity} constraints declared on {@code clazz}
 * with the parent {@link Context}.
 * <p>
 * The "scan required" flag is cleared unconditionally at the start; running
 * this more than once is harmless, so no synchronisation is used. When the
 * context is configured to ignore annotations nothing is registered, i.e. the
 * access constraints declared on the servlet class are not applied and the
 * servlet's protection has to be configured by other means.
 *
 * @param clazz the servlet class whose {@code @ServletSecurity} annotation,
 *              if present, is turned into a {@link ServletSecurityElement}
 */
private void processServletSecurityAnnotation(Class<?> clazz) {
    // Calling this twice isn't harmful so no syncs
    servletSecurityAnnotationScanRequired = false;

    Context ctxt = (Context) getParent();
    if (ctxt.getIgnoreAnnotations()) {
        // Annotation processing is disabled for this context: nothing to register.
        return;
    }

    ServletSecurity secAnnotation = clazz.getAnnotation(ServletSecurity.class);
    if (secAnnotation == null) {
        // No @ServletSecurity visible on the class -> no constraints to register.
        return;
    }

    ApplicationServletRegistration registration = new ApplicationServletRegistration(this, ctxt);
    ctxt.addServletSecurity(registration, new ServletSecurityElement(secAnnotation));
}

Example 7 with ServletSecurityElement

Use of javax.servlet.ServletSecurityElement in project tomcat by apache.

The class TestSecurityConstraint, method testCreateConstraints.

/**
 * Uses the examples in SRV.13.4 as the basis for these tests
 * <p>
 * Each example builds the {@link ServletSecurityElement} the quoted annotation
 * would produce and checks the {@link SecurityConstraint}s that
 * {@code SecurityConstraint.createConstraints} derives for {@code URL_PATTERN}:
 * whether an auth constraint is present, which roles it names, which HTTP
 * methods are listed or omitted, and the transport guarantee.
 */
@Test
public void testCreateConstraints() {
    ServletSecurityElement securityElement;
    SecurityConstraint[] constraints;
    Set<HttpMethodConstraintElement> methodConstraints = new HashSet<>();

    // Example 13-1
    // @ServletSecurity
    securityElement = new ServletSecurityElement();
    constraints = SecurityConstraint.createConstraints(securityElement, URL_PATTERN);
    // A bare annotation produces no constraint at all
    assertEquals(0, constraints.length);

    // Example 13-2
    // @ServletSecurity(
    //     @HttpConstraint(
    //         transportGuarantee = TransportGuarantee.CONFIDENTIAL))
    securityElement = new ServletSecurityElement(
            new HttpConstraintElement(ServletSecurity.TransportGuarantee.CONFIDENTIAL));
    constraints = SecurityConstraint.createConstraints(securityElement, URL_PATTERN);
    assertEquals(1, constraints.length);
    // Transport-only: no auth constraint, just the CONFIDENTIAL guarantee
    assertFalse(constraints[0].getAuthConstraint());
    assertPatternWithoutMethods(constraints[0]);
    assertEquals(ServletSecurity.TransportGuarantee.CONFIDENTIAL.name(), constraints[0].getUserConstraint());

    // Example 13-3
    // @ServletSecurity(@HttpConstraint(EmptyRoleSemantic.DENY))
    securityElement = new ServletSecurityElement(new HttpConstraintElement(EmptyRoleSemantic.DENY));
    constraints = SecurityConstraint.createConstraints(securityElement, URL_PATTERN);
    assertEquals(1, constraints.length);
    // DENY: an auth constraint is present even though no role is named
    assertTrue(constraints[0].getAuthConstraint());
    assertPatternWithoutMethods(constraints[0]);
    assertEquals(ServletSecurity.TransportGuarantee.NONE.name(), constraints[0].getUserConstraint());

    // Example 13-4
    // @ServletSecurity(@HttpConstraint(rolesAllowed = "R1"))
    securityElement = new ServletSecurityElement(
            new HttpConstraintElement(ServletSecurity.TransportGuarantee.NONE, ROLE1));
    constraints = SecurityConstraint.createConstraints(securityElement, URL_PATTERN);
    assertEquals(1, constraints.length);
    assertTrue(constraints[0].getAuthConstraint());
    assertEquals(1, constraints[0].findAuthRoles().length);
    assertTrue(constraints[0].findAuthRole(ROLE1));
    assertPatternWithoutMethods(constraints[0]);
    assertEquals(ServletSecurity.TransportGuarantee.NONE.name(), constraints[0].getUserConstraint());

    // Example 13-5
    // @ServletSecurity((httpMethodConstraints = {
    //     @HttpMethodConstraint(value = "GET", rolesAllowed = "R1"),
    //     @HttpMethodConstraint(value = "POST", rolesAllowed = "R1",
    //     transportGuarantee = TransportGuarantee.CONFIDENTIAL)
    // })
    methodConstraints.clear();
    methodConstraints.add(new HttpMethodConstraintElement("GET",
            new HttpConstraintElement(ServletSecurity.TransportGuarantee.NONE, ROLE1)));
    methodConstraints.add(new HttpMethodConstraintElement("POST",
            new HttpConstraintElement(ServletSecurity.TransportGuarantee.CONFIDENTIAL, ROLE1)));
    securityElement = new ServletSecurityElement(methodConstraints);
    constraints = SecurityConstraint.createConstraints(securityElement, URL_PATTERN);
    assertEquals(2, constraints.length);
    // One constraint per method; both require R1, only POST demands CONFIDENTIAL
    for (SecurityConstraint constraint : constraints) {
        assertTrue(constraint.getAuthConstraint());
        assertEquals(1, constraint.findAuthRoles().length);
        assertTrue(constraint.findAuthRole(ROLE1));
        assertTrue(constraint.findCollections()[0].findPattern(URL_PATTERN));
        String[] methods = constraint.findCollections()[0].findMethods();
        assertEquals(1, methods.length);
        String method = methods[0];
        if ("GET".equals(method)) {
            assertEquals(ServletSecurity.TransportGuarantee.NONE.name(), constraint.getUserConstraint());
        } else if ("POST".equals(method)) {
            assertEquals(ServletSecurity.TransportGuarantee.CONFIDENTIAL.name(), constraint.getUserConstraint());
        } else {
            fail("Unexpected method :[" + method + "]");
        }
    }

    // Example 13-6
    // @ServletSecurity(value = @HttpConstraint(rolesAllowed = "R1"),
    //     httpMethodConstraints = @HttpMethodConstraint("GET"))
    methodConstraints.clear();
    methodConstraints.add(new HttpMethodConstraintElement("GET"));
    securityElement = new ServletSecurityElement(
            new HttpConstraintElement(ServletSecurity.TransportGuarantee.NONE, ROLE1), methodConstraints);
    constraints = SecurityConstraint.createConstraints(securityElement, URL_PATTERN);
    assertEquals(2, constraints.length);
    // GET is open to everyone; every other method ("GET" omitted) requires R1
    for (SecurityConstraint constraint : constraints) {
        assertTrue(constraint.findCollections()[0].findPattern(URL_PATTERN));
        String[] methods = constraint.findCollections()[0].findMethods();
        String[] omitted = constraint.findCollections()[0].findOmittedMethods();
        if (methods.length == 1) {
            assertEquals("GET", methods[0]);
            assertFalse(constraint.getAuthConstraint());
        } else if (omitted.length == 1) {
            assertEquals("GET", omitted[0]);
            assertTrue(constraint.getAuthConstraint());
            assertEquals(1, constraint.findAuthRoles().length);
            assertEquals(ROLE1, constraint.findAuthRoles()[0]);
        } else {
            fail("Unexpected number of methods defined");
        }
        assertEquals(ServletSecurity.TransportGuarantee.NONE.name(), constraint.getUserConstraint());
    }

    // Example 13-7
    // @ServletSecurity(value = @HttpConstraint(rolesAllowed = "R1"),
    //     httpMethodConstraints = @HttpMethodConstraint(value="TRACE",
    //         emptyRoleSemantic = EmptyRoleSemantic.DENY))
    methodConstraints.clear();
    methodConstraints.add(new HttpMethodConstraintElement("TRACE",
            new HttpConstraintElement(EmptyRoleSemantic.DENY)));
    securityElement = new ServletSecurityElement(
            new HttpConstraintElement(ServletSecurity.TransportGuarantee.NONE, ROLE1), methodConstraints);
    constraints = SecurityConstraint.createConstraints(securityElement, URL_PATTERN);
    assertEquals(2, constraints.length);
    // TRACE is denied outright (auth constraint with no roles); everything else requires R1
    for (SecurityConstraint constraint : constraints) {
        assertTrue(constraint.findCollections()[0].findPattern(URL_PATTERN));
        String[] methods = constraint.findCollections()[0].findMethods();
        String[] omitted = constraint.findCollections()[0].findOmittedMethods();
        if (methods.length == 1) {
            assertEquals("TRACE", methods[0]);
            assertTrue(constraint.getAuthConstraint());
            assertEquals(0, constraint.findAuthRoles().length);
        } else if (omitted.length == 1) {
            assertEquals("TRACE", omitted[0]);
            assertTrue(constraint.getAuthConstraint());
            assertEquals(1, constraint.findAuthRoles().length);
            assertEquals(ROLE1, constraint.findAuthRoles()[0]);
        } else {
            fail("Unexpected number of methods defined");
        }
        assertEquals(ServletSecurity.TransportGuarantee.NONE.name(), constraint.getUserConstraint());
    }

    // Example 13-8 is the same as 13-4
    // Example 13-9 is the same as 13-7
}

/**
 * Asserts that the constraint's first collection covers {@code URL_PATTERN}
 * and lists no HTTP methods explicitly.
 *
 * @param constraint the constraint under test
 */
private void assertPatternWithoutMethods(SecurityConstraint constraint) {
    assertTrue(constraint.findCollections()[0].findPattern(URL_PATTERN));
    assertEquals(0, constraint.findCollections()[0].findMethods().length);
}

Example 8 with ServletSecurityElement

Use of javax.servlet.ServletSecurityElement in project jetty.project by eclipse.

The class ServletSecurityAnnotationHandler, method doHandle.

/**
 * Turns the {@code @ServletSecurity} annotation on {@code clazz} into
 * {@link ConstraintMapping}s for every url pattern the servlet is mapped to
 * and registers them with the context's {@link ConstraintAware} security
 * handler. Constraints that already exist for any of those patterns (e.g.
 * from web.xml) take precedence: the annotation is then ignored entirely and
 * a warning is logged. Nothing happens when the security handler is not
 * {@link ConstraintAware} or the class carries no annotation.
 *
 * @param clazz the servlet class being introspected
 * @see org.eclipse.jetty.annotations.AnnotationIntrospector.IntrospectableAnnotationHandler#handle(java.lang.Class)
 */
public void doHandle(Class clazz) {
    if (!(_context.getSecurityHandler() instanceof ConstraintAware)) {
        LOG.warn("SecurityHandler not ConstraintAware, skipping security annotation processing");
        return;
    }
    ConstraintAware securityHandler = (ConstraintAware) _context.getSecurityHandler();

    ServletSecurity annotation = (ServletSecurity) clazz.getAnnotation(ServletSecurity.class);
    if (annotation == null) {
        return;
    }

    // Descriptor-defined constraints win over the annotation: if any url pattern
    // of this servlet is already constrained, the whole annotation is skipped.
    // NOTE(review): mappings are looked up by getCanonicalName() while the
    // constraints below are keyed by getName(); the two differ for nested
    // classes - confirm the lookup key matches how servlets were registered.
    List<ServletMapping> servletMappings = getServletMappings(clazz.getCanonicalName());
    if (constraintsExist(servletMappings, securityHandler.getConstraintMappings())) {
        LOG.warn("Constraints already defined for " + clazz.getName() + ", skipping ServletSecurity annotation");
        return;
    }

    // Collect the annotation-derived mappings in a fresh list, one batch per mapped url
    List<ConstraintMapping> annotationMappings = new ArrayList<ConstraintMapping>();
    ServletSecurityElement securityElement = new ServletSecurityElement(annotation);
    for (ServletMapping servletMapping : servletMappings) {
        for (String url : servletMapping.getPathSpecs()) {
            // Record that this url's constraint originates from the annotation on clazz
            _context.getMetaData().setOrigin("constraint.url." + url, annotation, clazz);
            annotationMappings.addAll(ConstraintSecurityHandler.createConstraintsWithMappingsForPath(clazz.getName(), url, securityElement));
        }
    }

    for (ConstraintMapping constraintMapping : annotationMappings) {
        securityHandler.addConstraintMapping(constraintMapping);
    }
    // Servlet Spec 3.1 requires paths with uncovered http methods to be reported
    securityHandler.checkPathsWithUncoveredHttpMethods();
}

Example 9 with ServletSecurityElement

Use of javax.servlet.ServletSecurityElement in project jetty.project by eclipse.

The class TestListener, method contextInitialized.

/**
 * Records the callback and exercises programmatic registration: two servlets
 * whose security is set through {@link ServletSecurityElement}, and a filter
 * that is either added here or, when web.xml already declares it, looked up.
 *
 * @param sce the event carrying the {@code ServletContext} to configure
 */
@Override
public void contextInitialized(ServletContextEvent sce) {
    _called.put("contextInitialized", new Throwable());

    // Programmatic security: only the "admin" role may reach /rego/*, over any transport
    ServletRegistration.Dynamic rego = sce.getServletContext().addServlet("RegoTest", RegTest.class.getName());
    rego.addMapping("/rego/*");
    HttpConstraintElement adminOnly = new HttpConstraintElement(
            ServletSecurity.EmptyRoleSemantic.PERMIT,
            ServletSecurity.TransportGuarantee.NONE,
            new String[] { "admin" });
    // setServletSecurity returns the url patterns that were already constrained
    // elsewhere and therefore left as they were; the value is not checked here.
    Set<String> untouched = rego.setServletSecurity(new ServletSecurityElement(adminOnly, null));

    // Second servlet: a constraint from web.xml is expected to win over the
    // programmatic one, so its pattern should come back in the returned set.
    ServletRegistration.Dynamic rego2 = sce.getServletContext().addServlet("RegoTest2", RegTest.class.getName());
    rego2.addMapping("/rego2/*");
    untouched = rego2.setServletSecurity(new ServletSecurityElement(adminOnly, null));

    /* For servlet 3.0 */
    FilterRegistration registration = sce.getServletContext().addFilter("TestFilter", TestFilter.class.getName());
    if (registration == null) {
        // addFilter yields null when the filter is already defined in web.xml;
        // fall back to that existing registration.
        registration = sce.getServletContext().getFilterRegistration("TestFilter");
    } else {
        ((FilterRegistration.Dynamic) registration).setAsyncSupported(true);
    }
    registration.setInitParameter("remote", "false");
    registration.addMappingForUrlPatterns(
            EnumSet.of(DispatcherType.ERROR, DispatcherType.ASYNC, DispatcherType.FORWARD, DispatcherType.INCLUDE, DispatcherType.REQUEST),
            true,
            new String[] { "/*" });
}

Example 10 with ServletSecurityElement

Use of javax.servlet.ServletSecurityElement in project jetty.project by eclipse.

The class ConstraintTest, method testSecurityElementExample13_1.

/**
 * Equivalent of Servlet Spec 3.1 pg 132, sec 13.4.1.1, Example 13-1
 * &#064;ServletSecurity
 * <p>
 * A bare annotation carries neither an HTTP constraint nor per-method
 * constraints, so no constraint mappings are expected for the path.
 * @throws Exception if test fails
 */
@Test
public void testSecurityElementExample13_1() throws Exception {
    // Default-constructed element == empty @ServletSecurity
    List<ConstraintMapping> mappings = ConstraintSecurityHandler.createConstraintsWithMappingsForPath(
            "foo", "/foo/*", new ServletSecurityElement());
    Assert.assertTrue(mappings.isEmpty());
}
