
Example 1 with HttpConstraint

use of javax.servlet.annotation.HttpConstraint in project jetty.project by eclipse.

From class TestSecurityAnnotationConversions, method testMethodAnnotation2:

@Test
public void testMethodAnnotation2() throws Exception {
    // Method2Servlet (defined elsewhere in this file) is expected to carry a class-level
    // @HttpConstraint(CONFIDENTIAL, rolesAllowed = {tom, dick, harry}) together with an
    // @HttpMethodConstraint for GET that permits all but still requires CONFIDENTIAL transport.
    //
    // Expected conversion:
    //  - one role-protected, CONFIDENTIAL mapping per path spec with GET omitted, and
    //  - one permit-all mapping per path spec scoped to GET that still demands CONFIDENTIAL.
    // The second point is the security-relevant one: a method constraint only keeps the
    // transport guarantee if it states it explicitly (compare testMethodAnnotation, where the
    // method constraint's default TransportGuarantee.NONE drops it for GET).
    WebAppContext wac = makeWebAppContext(Method2Servlet.class.getCanonicalName(), "method2Servlet", new String[] { "/foo/*", "*.foo" });

    Constraint rolesOverTls = new Constraint();
    rolesOverTls.setAuthenticate(true);
    rolesOverTls.setRoles(new String[] { "tom", "dick", "harry" });
    rolesOverTls.setDataConstraint(Constraint.DC_CONFIDENTIAL);

    Constraint permitAllOverTls = new Constraint();
    permitAllOverTls.setDataConstraint(Constraint.DC_CONFIDENTIAL);

    // Same order as the handler is expected to emit: role mappings first, then the GET mappings.
    String[] pathSpecs = { "/foo/*", "*.foo" };
    ConstraintMapping[] expected = new ConstraintMapping[4];
    int next = 0;
    for (String spec : pathSpecs) {
        ConstraintMapping roleMapping = new ConstraintMapping();
        roleMapping.setConstraint(rolesOverTls);
        roleMapping.setPathSpec(spec);
        roleMapping.setMethodOmissions(new String[] { "GET" });
        expected[next++] = roleMapping;
    }
    for (String spec : pathSpecs) {
        ConstraintMapping getMapping = new ConstraintMapping();
        getMapping.setConstraint(permitAllOverTls);
        getMapping.setPathSpec(spec);
        getMapping.setMethod("GET");
        expected[next++] = getMapping;
    }

    AnnotationIntrospector introspector = new AnnotationIntrospector();
    introspector.registerHandler(new ServletSecurityAnnotationHandler(wac));
    introspector.introspect(Method2Servlet.class);

    ConstraintAware securityHandler = (ConstraintAware) wac.getSecurityHandler();
    compareResults(expected, securityHandler.getConstraintMappings());
}
Also used : WebAppContext(org.eclipse.jetty.webapp.WebAppContext) ConstraintMapping(org.eclipse.jetty.security.ConstraintMapping) HttpConstraint(javax.servlet.annotation.HttpConstraint) HttpMethodConstraint(javax.servlet.annotation.HttpMethodConstraint) Constraint(org.eclipse.jetty.util.security.Constraint) Test(org.junit.Test)

Example 2 with HttpConstraint

use of javax.servlet.annotation.HttpConstraint in project jetty.project by eclipse.

From class TestSecurityAnnotationConversions, method testDenyAllOnClass:

@Test
public void testDenyAllOnClass() throws Exception {
    // DenyServlet (defined elsewhere in this file) is expected to carry a class-level
    // @HttpConstraint(value = EmptyRoleSemantic.DENY).
    //
    // Expected conversion: one mapping per servlet path spec whose Constraint requires
    // authentication but grants no roles, with no transport requirement (DC_NONE).
    // NOTE(review): Jetty presumably treats authenticate=true with an empty role set as
    // "forbidden to everyone" — confirm against Constraint.isForbidden() rather than
    // inferring it from this test alone.
    WebAppContext wac = makeWebAppContext(DenyServlet.class.getCanonicalName(), "denyServlet", new String[] { "/foo/*", "*.foo" });

    Constraint denyAll = new Constraint();
    denyAll.setAuthenticate(true);
    denyAll.setDataConstraint(Constraint.DC_NONE);

    String[] pathSpecs = { "/foo/*", "*.foo" };
    ConstraintMapping[] expected = new ConstraintMapping[pathSpecs.length];
    for (int i = 0; i < pathSpecs.length; i++) {
        ConstraintMapping mapping = new ConstraintMapping();
        mapping.setConstraint(denyAll);
        mapping.setPathSpec(pathSpecs[i]);
        expected[i] = mapping;
    }

    AnnotationIntrospector introspector = new AnnotationIntrospector();
    introspector.registerHandler(new ServletSecurityAnnotationHandler(wac));
    introspector.introspect(DenyServlet.class);

    compareResults(expected, ((ConstraintAware) wac.getSecurityHandler()).getConstraintMappings());
}
Also used : WebAppContext(org.eclipse.jetty.webapp.WebAppContext) ConstraintMapping(org.eclipse.jetty.security.ConstraintMapping) HttpConstraint(javax.servlet.annotation.HttpConstraint) HttpMethodConstraint(javax.servlet.annotation.HttpMethodConstraint) Constraint(org.eclipse.jetty.util.security.Constraint) Test(org.junit.Test)

Example 3 with HttpConstraint

use of javax.servlet.annotation.HttpConstraint in project Payara by payara.

From class ServletSecurityHandler, method processAnnotation:

/**
 * Translates a {@code @ServletSecurity} annotation into deployment-descriptor style
 * security constraints for the annotated servlet.
 *
 * <p>Only URL patterns not already covered by a security constraint (as reported by
 * {@code getUrlPatternsWithoutSecurityConstraint}) are touched; presumably this is how
 * an explicit {@code <security-constraint>} in web.xml takes precedence over the annotation.
 *
 * <p>Security-relevant behaviour: when the top-level {@code @HttpConstraint} is the default
 * and one or more {@code @HttpMethodConstraint}s are present, no top-level constraint is
 * created at all, so every HTTP method that is not explicitly listed stays unprotected. That
 * case is only reported at FINER level.
 *
 * @param ainfo       the annotation occurrence being processed (must target an HttpServlet subclass)
 * @param webCompDesc descriptor of the annotated web component
 * @return a failed result if the class is not an HttpServlet or a method constraint names no
 *         HTTP method; otherwise the default processed result
 * @throws AnnotationProcessorException propagated from the processing framework
 */
private HandlerProcessingResult processAnnotation(AnnotationInfo ainfo, WebComponentDescriptor webCompDesc) throws AnnotationProcessorException {
    Class<?> webCompClass = (Class<?>) ainfo.getAnnotatedElement();
    if (!HttpServlet.class.isAssignableFrom(webCompClass)) {
        log(Level.SEVERE, ainfo, localStrings.getLocalString("web.deployment.annotation.handlers.needtoextend", "The Class {0} having annotation {1} need to be a derived class of {2}.", new Object[] { webCompClass.getName(), SecurityConstraint.class.getName(), HttpServlet.class.getName() }));
        return getDefaultFailedResult();
    }

    Set<String> urlPatterns = getUrlPatternsWithoutSecurityConstraint(webCompDesc);
    if (urlPatterns.isEmpty()) {
        // Every pattern of this servlet already has a constraint; the annotation adds nothing.
        return getDefaultProcessedResult();
    }

    WebBundleDescriptor webBundleDesc = webCompDesc.getWebBundleDescriptor();
    ServletSecurity servletSecurityAn = (ServletSecurity) ainfo.getAnnotation();
    HttpMethodConstraint[] methodConstraints = servletSecurityAn.httpMethodConstraints();

    // One constraint per @HttpMethodConstraint, scoped to that single HTTP method.
    // Note that a failure part-way through leaves the constraints already created in place.
    for (HttpMethodConstraint methodConstraint : methodConstraints) {
        String httpMethod = methodConstraint.value();
        if (httpMethod == null || httpMethod.isEmpty()) {
            return getDefaultFailedResult();
        }
        createSecurityConstraint(webBundleDesc, urlPatterns, methodConstraint.rolesAllowed(), methodConstraint.emptyRoleSemantic(), methodConstraint.transportGuarantee(), httpMethod);
    }

    HttpConstraint httpConstraint = servletSecurityAn.value();
    boolean topLevelIsDefault = isDefaultHttpConstraint(httpConstraint);

    if (topLevelIsDefault && methodConstraints.length > 0) {
        // Default top-level constraint plus method constraints: the methods that were not
        // listed remain unprotected. Only traced, not warned — an easy way to expose e.g.
        // POST/PUT/DELETE unintentionally, so worth checking when reviewing annotated servlets.
        if (logger.isLoggable(Level.FINER)) {
            StringBuilder listedMethods = new StringBuilder();
            for (HttpMethodConstraint methodConstraint : methodConstraints) {
                listedMethods.append(" ").append(methodConstraint.value());
            }
            for (String pattern : urlPatterns) {
                logger.finer("Pattern: " + pattern + " assumes default unprotected configuration for all methods except:" + listedMethods);
            }
        }
        return getDefaultProcessedResult();
    }

    // Top-level constraint for all remaining methods; the methods that already received
    // their own constraint above are excluded via explicit omissions.
    SecurityConstraint topLevelConstraint = createSecurityConstraint(webBundleDesc, urlPatterns, httpConstraint.rolesAllowed(), httpConstraint.value(), httpConstraint.transportGuarantee(), null);
    // Relies on createSecurityConstraint producing exactly one WebResourceCollection.
    WebResourceCollection resourceCollection = topLevelConstraint.getWebResourceCollections().iterator().next();
    for (HttpMethodConstraint methodConstraint : methodConstraints) {
        resourceCollection.addHttpMethodOmission(methodConstraint.value());
    }
    return getDefaultProcessedResult();
}
Also used : HttpConstraint(javax.servlet.annotation.HttpConstraint) HttpMethodConstraint(javax.servlet.annotation.HttpMethodConstraint) WebResourceCollection(com.sun.enterprise.deployment.web.WebResourceCollection) HttpServlet(javax.servlet.http.HttpServlet) ServletSecurity(javax.servlet.annotation.ServletSecurity) SecurityConstraint(com.sun.enterprise.deployment.web.SecurityConstraint) WebBundleDescriptor(com.sun.enterprise.deployment.WebBundleDescriptor)

Example 4 with HttpConstraint

use of javax.servlet.annotation.HttpConstraint in project jetty.project by eclipse.

From class TestSecurityAnnotationConversions, method testMethodAnnotation:

@Test
public void testMethodAnnotation() throws Exception {
    // Method1Servlet (defined elsewhere in this file) is expected to carry a class-level
    // @HttpConstraint(CONFIDENTIAL, rolesAllowed = {tom, dick, harry}) together with an
    // @HttpMethodConstraint for GET that permits all and leaves transportGuarantee at its
    // default of TransportGuarantee.NONE.
    //
    // Expected conversion:
    //  - one role-protected, CONFIDENTIAL mapping per path spec with GET omitted, and
    //  - one permit-all mapping per path spec scoped to GET with DC_NONE.
    // The DC_NONE is deliberate and security-relevant: the class-level CONFIDENTIAL guarantee
    // is NOT inherited by the method constraint, so adding a permit-all GET constraint also
    // silently drops the transport requirement for GET unless it is restated on the method
    // constraint (see testMethodAnnotation2 for that variant).
    WebAppContext wac = makeWebAppContext(Method1Servlet.class.getCanonicalName(), "method1Servlet", new String[] { "/foo/*", "*.foo" });

    AnnotationIntrospector introspector = new AnnotationIntrospector();
    ServletSecurityAnnotationHandler handler = new ServletSecurityAnnotationHandler(wac);
    introspector.registerHandler(handler);

    Constraint rolesOverTls = new Constraint();
    rolesOverTls.setAuthenticate(true);
    rolesOverTls.setRoles(new String[] { "tom", "dick", "harry" });
    rolesOverTls.setDataConstraint(Constraint.DC_CONFIDENTIAL);

    Constraint permitAllPlain = new Constraint();
    permitAllPlain.setDataConstraint(Constraint.DC_NONE);

    // Same order as the handler is expected to emit: role mappings first, then the GET mappings.
    String[] pathSpecs = { "/foo/*", "*.foo" };
    ConstraintMapping[] expected = new ConstraintMapping[4];
    int next = 0;
    for (String spec : pathSpecs) {
        ConstraintMapping roleMapping = new ConstraintMapping();
        roleMapping.setConstraint(rolesOverTls);
        roleMapping.setPathSpec(spec);
        roleMapping.setMethodOmissions(new String[] { "GET" });
        expected[next++] = roleMapping;
    }
    for (String spec : pathSpecs) {
        ConstraintMapping getMapping = new ConstraintMapping();
        getMapping.setConstraint(permitAllPlain);
        getMapping.setPathSpec(spec);
        getMapping.setMethod("GET");
        expected[next++] = getMapping;
    }

    introspector.introspect(Method1Servlet.class);

    ConstraintAware securityHandler = (ConstraintAware) wac.getSecurityHandler();
    compareResults(expected, securityHandler.getConstraintMappings());
}
Also used : WebAppContext(org.eclipse.jetty.webapp.WebAppContext) ConstraintMapping(org.eclipse.jetty.security.ConstraintMapping) HttpConstraint(javax.servlet.annotation.HttpConstraint) HttpMethodConstraint(javax.servlet.annotation.HttpMethodConstraint) Constraint(org.eclipse.jetty.util.security.Constraint) Test(org.junit.Test)
