Use of javax.servlet.annotation.HttpConstraint in project jetty.project by eclipse: class TestSecurityAnnotationConversions, method testMethodAnnotation2.
@Test
public void testMethodAnnotation2() throws Exception {
    // Scenario: a @ServletSecurity whose class-level @HttpConstraint demands
    // CONFIDENTIAL transport plus membership in one of a set of roles, and a
    // @HttpMethodConstraint for GET that permits everyone but still demands
    // CONFIDENTIAL transport. The conversion must keep GET exempt from the
    // role check without dropping the transport guarantee on GET.
    String[] pathSpecs = { "/foo/*", "*.foo" };
    WebAppContext wac = makeWebAppContext(Method2Servlet.class.getCanonicalName(), "method2Servlet", pathSpecs);
    ServletSecurityAnnotationHandler handler = new ServletSecurityAnnotationHandler(wac);
    AnnotationIntrospector introspector = new AnnotationIntrospector();
    introspector.registerHandler(handler);

    // Class-level constraint: authenticated as tom, dick or harry, over confidential transport.
    Constraint classConstraint = new Constraint();
    classConstraint.setAuthenticate(true);
    classConstraint.setRoles(new String[] { "tom", "dick", "harry" });
    classConstraint.setDataConstraint(Constraint.DC_CONFIDENTIAL);

    // GET-only constraint: no authentication (permit all), but confidential
    // transport is still required.
    Constraint getConstraint = new Constraint();
    getConstraint.setDataConstraint(Constraint.DC_CONFIDENTIAL);

    // Expected mappings, in this order: for each path spec the class constraint
    // with GET omitted (so it governs every other method), then for each path
    // spec the GET-only mapping. Any method other than GET therefore still hits
    // the role + CONFIDENTIAL check.
    ConstraintMapping[] expected = new ConstraintMapping[2 * pathSpecs.length];
    int next = 0;
    for (String spec : pathSpecs) {
        ConstraintMapping mapping = new ConstraintMapping();
        mapping.setConstraint(classConstraint);
        mapping.setPathSpec(spec);
        mapping.setMethodOmissions(new String[] { "GET" });
        expected[next++] = mapping;
    }
    for (String spec : pathSpecs) {
        ConstraintMapping mapping = new ConstraintMapping();
        mapping.setConstraint(getConstraint);
        mapping.setPathSpec(spec);
        mapping.setMethod("GET");
        expected[next++] = mapping;
    }

    introspector.introspect(Method2Servlet.class);
    compareResults(expected, ((ConstraintAware) wac.getSecurityHandler()).getConstraintMappings());
}
Use of javax.servlet.annotation.HttpConstraint in project jetty.project by eclipse: class TestSecurityAnnotationConversions, method testDenyAllOnClass.
@Test
public void testDenyAllOnClass() throws Exception {
    // Scenario: one servlet carrying @HttpConstraint(value = EmptyRoleSemantic.DENY)
    // and no method-level constraints. Every request to every mapped path,
    // whatever the HTTP method, must be refused.
    String[] pathSpecs = { "/foo/*", "*.foo" };
    WebAppContext wac = makeWebAppContext(DenyServlet.class.getCanonicalName(), "denyServlet", pathSpecs);
    AnnotationIntrospector introspector = new AnnotationIntrospector();
    introspector.registerHandler(new ServletSecurityAnnotationHandler(wac));

    // Jetty's encoding of "deny all": authentication required but no roles
    // named, so no principal can satisfy the constraint. No transport
    // guarantee is attached (DC_NONE).
    Constraint denyAll = new Constraint();
    denyAll.setAuthenticate(true);
    denyAll.setDataConstraint(Constraint.DC_NONE);

    // Exactly one mapping per servlet path spec, with neither a method
    // restriction nor a method omission, so the denial covers all methods.
    ConstraintMapping[] expected = new ConstraintMapping[pathSpecs.length];
    for (int i = 0; i < pathSpecs.length; i++) {
        expected[i] = new ConstraintMapping();
        expected[i].setConstraint(denyAll);
        expected[i].setPathSpec(pathSpecs[i]);
    }

    introspector.introspect(DenyServlet.class);
    compareResults(expected, ((ConstraintAware) wac.getSecurityHandler()).getConstraintMappings());
}
Use of javax.servlet.annotation.HttpConstraint in project Payara by payara: class ServletSecurityHandler, method processAnnotation.
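private HandlerProcessingResult processAnnotation(AnnotationInfo ainfo, WebComponentDescriptor webCompDesc) throws AnnotationProcessorException {
    // Translates the @ServletSecurity annotation on a servlet class into
    // SecurityConstraint entries on the web bundle descriptor, for those of the
    // servlet's URL patterns that are not already constrained (presumably
    // patterns constrained by the deployment descriptor are skipped, so web.xml
    // wins - verify in getUrlPatternsWithoutSecurityConstraint).
    //
    // Returns the default failed result when the annotated class is not an
    // HttpServlet or when a @HttpMethodConstraint names an empty method;
    // otherwise the default processed result.
    Class<?> webCompClass = (Class<?>) ainfo.getAnnotatedElement();
    if (!HttpServlet.class.isAssignableFrom(webCompClass)) {
        // NOTE(review): {1} is filled with SecurityConstraint's name although the
        // annotation being processed is @ServletSecurity - confirm that is intended.
        log(Level.SEVERE, ainfo, localStrings.getLocalString("web.deployment.annotation.handlers.needtoextend", "The Class {0} having annotation {1} need to be a derived class of {2}.", new Object[] { webCompClass.getName(), SecurityConstraint.class.getName(), HttpServlet.class.getName() }));
        return getDefaultFailedResult();
    }
    Set<String> urlPatterns = getUrlPatternsWithoutSecurityConstraint(webCompDesc);
    if (urlPatterns.isEmpty()) {
        // Nothing left to constrain: every pattern is already covered elsewhere.
        return getDefaultProcessedResult();
    }
    WebBundleDescriptor webBundleDesc = webCompDesc.getWebBundleDescriptor();
    ServletSecurity servletSecurityAn = (ServletSecurity) ainfo.getAnnotation();
    HttpMethodConstraint[] httpMethodConstraints = servletSecurityAn.httpMethodConstraints();

    // Validate every method constraint before touching the descriptor, so an
    // invalid annotation fails without leaving a partial set of constraints
    // behind. (An annotation member cannot be null; the check is kept for safety.)
    for (HttpMethodConstraint httpMethodConstraint : httpMethodConstraints) {
        String httpMethod = httpMethodConstraint.value();
        if (httpMethod == null || httpMethod.isEmpty()) {
            return getDefaultFailedResult();
        }
    }
    // One SecurityConstraint per @HttpMethodConstraint, scoped to that method only.
    for (HttpMethodConstraint httpMethodConstraint : httpMethodConstraints) {
        createSecurityConstraint(webBundleDesc, urlPatterns, httpMethodConstraint.rolesAllowed(), httpMethodConstraint.emptyRoleSemantic(), httpMethodConstraint.transportGuarantee(), httpMethodConstraint.value());
    }

    HttpConstraint httpConstraint = servletSecurityAn.value();
    boolean isDefault = isDefaultHttpConstraint(httpConstraint);
    if (isDefault && httpMethodConstraints.length > 0) {
        // A default class-level @HttpConstraint combined with method constraints
        // creates NO top-level constraint: every method not listed in a
        // @HttpMethodConstraint stays unprotected (no auth, no transport
        // guarantee). This is only surfaced at FINER level.
        if (logger.isLoggable(Level.FINER)) {
            StringBuilder methodString = new StringBuilder();
            for (HttpMethodConstraint httpMethodConstraint : httpMethodConstraints) {
                methodString.append(' ').append(httpMethodConstraint.value());
            }
            for (String pattern : urlPatterns) {
                logger.finer("Pattern: " + pattern + " assumes default unprotected configuration for all methods except:" + methodString);
            }
        }
    }
    if (!isDefault || httpMethodConstraints.length == 0) {
        // Top-level constraint for the class-level @HttpConstraint, covering every
        // method that does not carry its own @HttpMethodConstraint.
        SecurityConstraint securityConstraint = createSecurityConstraint(webBundleDesc, urlPatterns, httpConstraint.rolesAllowed(), httpConstraint.value(), httpConstraint.transportGuarantee(), null);
        // createSecurityConstraint is relied on to produce exactly one collection.
        WebResourceCollection webResColl = securityConstraint.getWebResourceCollections().iterator().next();
        for (HttpMethodConstraint httpMethodConstraint : httpMethodConstraints) {
            // Omit the per-method verbs so each is governed solely by its own constraint.
            webResColl.addHttpMethodOmission(httpMethodConstraint.value());
        }
    }
    return getDefaultProcessedResult();
}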
Use of javax.servlet.annotation.HttpConstraint in project jetty.project by eclipse: class TestSecurityAnnotationConversions, method testMethodAnnotation.
@Test
public void testMethodAnnotation() throws Exception {
    // Scenario: a @ServletSecurity whose class-level @HttpConstraint requires
    // CONFIDENTIAL transport plus one of a set of roles, and a
    // @HttpMethodConstraint for GET that permits everyone with
    // TransportGuarantee.NONE (the annotation default).
    //
    // Security point encoded by the expectations below: the GET constraint does
    // NOT inherit the class-level CONFIDENTIAL guarantee. GET is omitted from
    // the class-level mapping and gets its own mapping with DC_NONE, so GET on
    // these paths is reachable unauthenticated over plain transport. All other
    // methods remain behind the role + CONFIDENTIAL mapping.
    String[] pathSpecs = { "/foo/*", "*.foo" };
    WebAppContext wac = makeWebAppContext(Method1Servlet.class.getCanonicalName(), "method1Servlet", pathSpecs);

    // Class-level constraint: authenticated as tom, dick or harry, over confidential transport.
    Constraint classConstraint = new Constraint();
    classConstraint.setAuthenticate(true);
    classConstraint.setRoles(new String[] { "tom", "dick", "harry" });
    classConstraint.setDataConstraint(Constraint.DC_CONFIDENTIAL);

    // GET-only constraint: permit all, no transport guarantee.
    Constraint getConstraint = new Constraint();
    getConstraint.setDataConstraint(Constraint.DC_NONE);

    // Order matters for compareResults: the class-level mappings (GET omitted)
    // for each path spec first, then the GET-only mappings for each path spec.
    int specCount = pathSpecs.length;
    ConstraintMapping[] expected = new ConstraintMapping[2 * specCount];
    for (int i = 0; i < specCount; i++) {
        ConstraintMapping allButGet = new ConstraintMapping();
        allButGet.setConstraint(classConstraint);
        allButGet.setPathSpec(pathSpecs[i]);
        allButGet.setMethodOmissions(new String[] { "GET" });
        expected[i] = allButGet;

        ConstraintMapping getOnly = new ConstraintMapping();
        getOnly.setConstraint(getConstraint);
        getOnly.setPathSpec(pathSpecs[i]);
        getOnly.setMethod("GET");
        expected[specCount + i] = getOnly;
    }

    AnnotationIntrospector introspector = new AnnotationIntrospector();
    introspector.registerHandler(new ServletSecurityAnnotationHandler(wac));
    introspector.introspect(Method1Servlet.class);
    compareResults(expected, ((ConstraintAware) wac.getSecurityHandler()).getConstraintMappings());
}