Example 1 with SecurityConstraint
use of org.apache.catalina.deploy.SecurityConstraint in project Payara by payara.
the class AuthenticatorBase method invoke.
// --------------------------------------------------------- Public Methods
/**
* Enforce the security restrictions in the web application deployment
* descriptor of our associated Context.
*
* @param request Request to be processed
* @param response Response to be processed
*
* @exception IOException if an input/output error occurs
* @exception ServletException if thrown by a processing element
*/
@Override
public int invoke(Request request, Response response) throws IOException, ServletException {
// START GlassFish 247
if (!context.getAvailable()) {
try {
((HttpServletResponse) response.getResponse()).sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE);
} catch (IllegalStateException e) {
;
} catch (IOException e) {
;
}
return END_PIPELINE;
}
// END GlassFish 247
/* GlassFish 6386229
// If this is not an HTTP request, do nothing
if (!(request instanceof HttpRequest) ||
!(response instanceof HttpResponse)) {
return INVOKE_NEXT;
}
if (!(request.getRequest() instanceof HttpServletRequest) ||
!(response.getResponse() instanceof HttpServletResponse)) {
return INVOKE_NEXT;
}
*/
HttpRequest hrequest = (HttpRequest) request;
HttpResponse hresponse = (HttpResponse) response;
if (log.isLoggable(Level.FINE)) {
String msg = "Security checking request " + ((HttpServletRequest) request.getRequest()).getMethod() + " " + ((HttpServletRequest) request.getRequest()).getRequestURI();
log.log(Level.FINE, msg);
}
LoginConfig config = this.context.getLoginConfig();
// Have we got a cached authenticated Principal to record?
if (cache) {
Principal principal = ((HttpServletRequest) request.getRequest()).getUserPrincipal();
if (principal == null) {
Session session = getSession(hrequest);
if (session != null) {
principal = session.getPrincipal();
if (principal != null) {
if (log.isLoggable(Level.FINE)) {
String msg = "We have cached auth type " + session.getAuthType() + " for principal " + session.getPrincipal();
log.log(Level.FINE, msg);
}
hrequest.setAuthType(session.getAuthType());
hrequest.setUserPrincipal(principal);
}
}
}
}
Realm realm = this.context.getRealm();
// Is this request URI subject to a security constraint?
SecurityConstraint[] constraints = realm.findSecurityConstraints(hrequest, this.context);
if ((constraints == null)) /* &&
(!Constants.FORM_METHOD.equals(config.getAuthMethod())) */
{
if (log.isLoggable(Level.FINE))
log.log(Level.FINE, " Not subject to any constraint");
return processSecurityCheck(hrequest, hresponse, config);
}
if (log.isLoggable(Level.FINE))
log.log(Level.FINE, " Calling hasUserDataPermission()");
if (!realm.hasUserDataPermission(hrequest, hresponse, constraints)) {
if (log.isLoggable(Level.FINE))
log.log(Level.FINE, " Failed hasUserDataPermission() test");
// HTTP status code, so we do not have to do anything special
return END_PIPELINE;
}
// START SJSAS 6202703
/*
for(int i=0; i < constraints.length; i++) {
// Authenticate based upon the specified login configuration
if (constraints[i].getAuthConstraint()) {
if (log.isDebugEnabled())
log.debug(" Calling authenticate()");
if (!authenticate(hrequest, hresponse, config)) {
if (log.isDebugEnabled())
log.debug(" Failed authenticate() test");
//ASSERT: Authenticator already set the appropriate
//HTTP status code, so we do not have to do anything special
return END_PIPELINE;
} else {
break;
}
}
}
*/
// END SJSAS 6202703
// START SJSAS 6202703
int preAuthenticateCheckResult = realm.preAuthenticateCheck(hrequest, hresponse, constraints, disableProxyCaching, securePagesWithPragma, (sso != null));
if (preAuthenticateCheckResult == Realm.AUTHENTICATE_NOT_NEEDED) {
return processSecurityCheck(hrequest, hresponse, config);
} else if (preAuthenticateCheckResult == Realm.AUTHENTICATE_NEEDED) {
if (log.isLoggable(Level.FINE)) {
log.log(Level.FINE, " Calling authenticate()");
}
boolean authenticateResult = realm.invokeAuthenticateDelegate(hrequest, hresponse, context, this, false);
if (!authenticateResult) {
if (log.isLoggable(Level.FINE)) {
log.log(Level.FINE, " Failed authenticate() test");
}
return END_PIPELINE;
}
} else if (preAuthenticateCheckResult == Realm.AUTHENTICATED_NOT_AUTHORIZED) {
return END_PIPELINE;
}
if (log.isLoggable(Level.FINE)) {
log.log(Level.FINE, " Calling accessControl()");
}
if (!realm.hasResourcePermission(hrequest, hresponse, constraints, this.context)) {
if (log.isLoggable(Level.FINE)) {
log.log(Level.FINE, " Failed accessControl() test");
}
// START IASRI 4823322
Auditor[] auditors = this.context.getAuditors();
if (auditors != null) {
for (int j = 0; j < auditors.length; j++) {
auditors[j].webInvocation(hrequest, false);
}
}
/*
* ASSERT: AccessControl method has already set the
* appropriate HTTP status code, so we do not have to do
* anything special
*/
return END_PIPELINE;
}
// START IASRI 4823322
Auditor[] auditors = this.context.getAuditors();
if (auditors != null) {
boolean success = true;
for (int j = 0; j < auditors.length; j++) {
try {
auditors[j].webInvocation(hrequest, true);
} catch (Exception e) {
success = false;
}
}
if (!success) {
// fail authorization if auditor blew up
return END_PIPELINE;
}
}
// Any and all specified constraints have been satisfied
if (log.isLoggable(Level.FINE))
log.log(Level.FINE, "Successfully passed all security constraints");
return INVOKE_NEXT;
}
Also used :
HttpServletResponse(javax.servlet.http.HttpServletResponse)
IOException(java.io.IOException)
SecurityConstraint(org.apache.catalina.deploy.SecurityConstraint)
SecurityConstraint(org.apache.catalina.deploy.SecurityConstraint)
ServletException(javax.servlet.ServletException)
IOException(java.io.IOException)
HttpServletRequest(javax.servlet.http.HttpServletRequest)
LoginConfig(org.apache.catalina.deploy.LoginConfig)
Principal(java.security.Principal)
Example 2 with SecurityConstraint
use of org.apache.catalina.deploy.SecurityConstraint in project Payara by payara.
the class ContextConfig method authenticatorConfig.
/**
* Set up an Authenticator automatically if required, and one has not
* already been configured.
*/
protected synchronized void authenticatorConfig() throws LifecycleException {
// Does this Context require an Authenticator?
/* START IASRI 4856062
// This constraints check is relocated to happen after
// setRealmName(). This allows apps which have no constraints
// and no authenticator to still have a realm name set in
// their RealmAdapater. This is only relevant in the case where
// the core ACLs are doing all access control AND the servlet
// wishes to call isUserInRole AND the application does have
// security-role-mapping elements in sun-web.xml. This is probably
// not an interesting scenario. But might as well allow it to
// work, maybe it is of some use.
SecurityConstraint constraints[] = context.findConstraints();
if ((constraints == null) || (constraints.length == 0))
return;
*/
LoginConfig loginConfig = context.getLoginConfig();
if (loginConfig == null) {
loginConfig = new LoginConfig("NONE", null, null, null);
context.setLoginConfig(loginConfig);
}
// Has an authenticator been configured already?
if (context instanceof Authenticator)
return;
if (context instanceof ContainerBase) {
Pipeline pipeline = ((ContainerBase) context).getPipeline();
if (pipeline != null) {
GlassFishValve basic = pipeline.getBasic();
if ((basic != null) && (basic instanceof Authenticator))
return;
GlassFishValve[] valves = pipeline.getValves();
for (int i = 0; i < valves.length; i++) {
if (valves[i] instanceof Authenticator)
return;
}
}
} else {
// Cannot install a Valve even if it would be needed
return;
}
// Has a Realm been configured for us to authenticate against?
/* START IASRI 4856062
if (context.getRealm() == null) {
*/
// BEGIN IASRI 4856062
Realm rlm = context.getRealm();
if (rlm == null) {
// END IASRI 4856062
throw new LifecycleException(rb.getString(LogFacade.NO_REALM_BEEN_CONFIGURED_EXCEPTION));
}
// BEGIN IASRI 4856062
// If a realm is available set its name in the Realm(Adapter)
rlm.setRealmName(loginConfig.getRealmName(), loginConfig.getAuthMethod());
if (!context.hasConstraints()) {
return;
}
// END IASRI 4856062
/*
* First check to see if there is a custom mapping for the login
* method. If so, use it. Otherwise, check if there is a mapping in
* org/apache/catalina/startup/Authenticators.properties.
*/
GlassFishValve authenticator = null;
if (customAuthenticators != null) {
/* PWC 6392537
authenticator = (Valve)
customAuthenticators.get(loginConfig.getAuthMethod());
*/
// START PWC 6392537
String loginMethod = loginConfig.getAuthMethod();
if (loginMethod != null && customAuthenticators.containsKey(loginMethod)) {
authenticator = getGlassFishValveAuthenticator(loginMethod);
if (authenticator == null) {
String msg = MessageFormat.format(rb.getString(LogFacade.CANNOT_CONFIG_AUTHENTICATOR_EXCEPTION), loginMethod);
throw new LifecycleException(msg);
}
}
// END PWC 6392537
}
if (authenticator == null) {
// Identify the class name of the Valve we should configure
String authenticatorName = null;
// BEGIN RIMOD 4808402
// If login-config is given but auth-method is null, use NONE
// so that NonLoginAuthenticator is picked
String authMethod = loginConfig.getAuthMethod();
if (authMethod == null) {
authMethod = "NONE";
}
authenticatorName = authenticators.getProperty(authMethod);
if (authenticatorName == null) {
String msg = MessageFormat.format(rb.getString(LogFacade.CANNOT_CONFIG_AUTHENTICATOR_EXCEPTION), loginConfig.getAuthMethod());
throw new LifecycleException(msg);
}
// Instantiate and install an Authenticator of the requested class
try {
Class authenticatorClass = Class.forName(authenticatorName);
authenticator = (GlassFishValve) authenticatorClass.newInstance();
} catch (Throwable t) {
String msg = MessageFormat.format(rb.getString(LogFacade.CANNOT_INSTANTIATE_AUTHENTICATOR_EXCEPTION), authenticatorName);
throw new LifecycleException(msg, t);
}
}
if (authenticator != null && context instanceof ContainerBase) {
Pipeline pipeline = ((ContainerBase) context).getPipeline();
if (pipeline != null) {
((ContainerBase) context).addValve(authenticator);
if (log.isLoggable(Level.FINE)) {
log.log(Level.FINE, LogFacade.CONFIGURED_AUTHENTICATOR_FINE, loginConfig.getAuthMethod());
}
}
}
}
Also used :
LoginConfig(org.apache.catalina.deploy.LoginConfig)
SecurityConstraint(org.apache.catalina.deploy.SecurityConstraint)
GlassFishValve(org.glassfish.web.valve.GlassFishValve)
Example 3 with SecurityConstraint
use of org.apache.catalina.deploy.SecurityConstraint in project Payara by payara.
the class RealmAdapter method hasUserDataPermission.
/**
* Checks if the given request URI and method are the target of any user-data-constraint with a transport-guarantee of
* CONFIDENTIAL, and whether any such constraint is already satisfied.
*
* If <tt>uri</tt> and <tt>method</tt> are null, then the URI and method of the given <tt>request</tt> are checked.
*
* If a user-data-constraint exists that is not satisfied, then the given <tt>request</tt> will be redirected to HTTPS.
*
* @param request the request that may be redirected
* @param response the response that may be redirected
* @param constraints the security constraints to check against
* @param uri the request URI (minus the context path) to check
* @param method the request method to check
*
* @return true if the request URI and method are not the target of any unsatisfied user-data-constraint with a
* transport-guarantee of CONFIDENTIAL, and false if they are (in which case the given request will have been redirected
* to HTTPS)
*/
@Override
public boolean hasUserDataPermission(HttpRequest request, HttpResponse response, SecurityConstraint[] constraints, String uri, String method) throws IOException {
HttpServletRequest httpServletRequest = (HttpServletRequest) request;
if (httpServletRequest.getServletPath() == null) {
request.setServletPath(getResourceName(httpServletRequest.getRequestURI(), httpServletRequest.getContextPath()));
}
if (logger.isLoggable(FINE)) {
logger.fine("[Web-Security][ hasUserDataPermission ] Principal: " + httpServletRequest.getUserPrincipal() + " ContextPath: " + httpServletRequest.getContextPath());
}
if (request.getRequest().isSecure()) {
if (logger.isLoggable(FINE)) {
logger.fine("[Web-Security] request.getRequest().isSecure(): " + request.getRequest().isSecure());
}
return true;
}
WebSecurityManager securityManager = getWebSecurityManager(true);
if (securityManager == null) {
return false;
}
int isGranted = 0;
try {
isGranted = securityManager.hasUserDataPermission(httpServletRequest, uri, method);
} catch (IllegalArgumentException e) {
// End the request after getting IllegalArgumentException while checking user data permission
logger.log(WARNING, resourceBundle.getString("realmAdapter.badRequestWithId"), e);
((HttpServletResponse) response.getResponse()).sendError(SC_BAD_REQUEST, resourceBundle.getString("realmAdapter.badRequest"));
return false;
}
// so the grand will succeed.
if (isGranted == -1) {
if (logger.isLoggable(FINE)) {
logger.fine("[Web-Security] redirecting using SSL");
}
return redirect(request, response);
}
if (isGranted == 0) {
((HttpServletResponse) response.getResponse()).sendError(SC_FORBIDDEN, resourceBundle.getString("realmBase.forbidden"));
return false;
}
return true;
}
Also used :
HttpServletRequest(javax.servlet.http.HttpServletRequest)
WebSecurityManager(com.sun.enterprise.security.web.integration.WebSecurityManager)
HttpServletResponse(javax.servlet.http.HttpServletResponse)
SecurityConstraint(org.apache.catalina.deploy.SecurityConstraint)
Example 4 with SecurityConstraint
use of org.apache.catalina.deploy.SecurityConstraint in project Payara by payara.
the class FormAuthenticator method forwardToLoginPage.
/**
* Called to forward to the login page. may redirect current request to HTTPS
*
* @param request HttpRequest we are processing
* @param response HttpResponse we are creating
* @param config Login configuration describing how authentication
* should be performed
*/
protected void forwardToLoginPage(HttpRequest request, HttpResponse response, LoginConfig config) {
if (isChangeSessionIdOnAuthentication() && getSession(request, false) != null) {
request.changeSessionId();
}
ServletContext sc = context.getServletContext();
try {
String loginPage = config.getLoginPage();
if (!request.getRequest().isSecure()) {
Realm realm = context.getRealm();
if (realm != null) {
SecurityConstraint[] secConstraints = realm.findSecurityConstraints(loginPage, "GET", context);
if (secConstraints != null && !realm.hasUserDataPermission(request, response, secConstraints, loginPage, "GET")) {
/*
* Note that hasUserDataPermission will have already
* issued a redirect to HTTPS unless redirects
* have been disabled, in which case it will have
* called sendError(FORBIDDEN)
*/
return;
}
}
}
RequestDispatcher disp = sc.getRequestDispatcher(loginPage);
disp.forward(request.getRequest(), response.getResponse());
// NOTE: is finishResponse necessary or is it unnecessary after forward
response.finishResponse();
} catch (Throwable t) {
log.log(Level.WARNING, LogFacade.UNEXPECTED_ERROR_FORWARDING_TO_LOGIN_PAGE, t);
}
}
Also used :
ServletContext(javax.servlet.ServletContext)
Realm(org.apache.catalina.Realm)
SecurityConstraint(org.apache.catalina.deploy.SecurityConstraint)
RequestDispatcher(javax.servlet.RequestDispatcher)
Example 5 with SecurityConstraint
use of org.apache.catalina.deploy.SecurityConstraint in project Payara by payara.
the class FormAuthenticator method forwardToErrorPage.
/**
* Called to forward to the error page. may redirect current request to HTTPS
*
* @param request HttpRequest we are processing
* @param response HttpResponse we are creating
* @param config Login configuration describing how authentication
* should be performed
*/
protected void forwardToErrorPage(HttpRequest request, HttpResponse response, LoginConfig config) {
ServletContext sc = context.getServletContext();
try {
String errorPage = config.getErrorPage();
if (!request.getRequest().isSecure()) {
Realm realm = context.getRealm();
if (realm != null) {
SecurityConstraint[] secConstraints = realm.findSecurityConstraints(errorPage, "GET", context);
if (secConstraints != null && !realm.hasUserDataPermission(request, response, secConstraints, errorPage, "GET")) {
/*
* Note that hasUserDataPermission will have already
* issued a redirect to HTTPS unless redirects
* have been disabled, in which case it will have
* called sendError(FORBIDDEN).
*/
return;
}
}
}
RequestDispatcher disp = sc.getRequestDispatcher(errorPage);
disp.forward(request.getRequest(), response.getResponse());
} catch (Throwable t) {
log.log(Level.WARNING, LogFacade.UNEXPECTED_ERROR_FORWARDING_TO_LOGIN_PAGE, t);
}
}
Also used :
ServletContext(javax.servlet.ServletContext)
Realm(org.apache.catalina.Realm)
SecurityConstraint(org.apache.catalina.deploy.SecurityConstraint)
RequestDispatcher(javax.servlet.RequestDispatcher)
Aggregations
SecurityConstraint (org.apache.catalina.deploy.SecurityConstraint)10
HttpServletRequest (javax.servlet.http.HttpServletRequest)4
HttpServletResponse (javax.servlet.http.HttpServletResponse)4
Principal (java.security.Principal)2
RequestDispatcher (javax.servlet.RequestDispatcher)2
ServletContext (javax.servlet.ServletContext)2
Realm (org.apache.catalina.Realm)2
LoginConfig (org.apache.catalina.deploy.LoginConfig)2
SecurityCollection (org.apache.catalina.deploy.SecurityCollection)2
WebSecurityManager (com.sun.enterprise.security.web.integration.WebSecurityManager)1
IOException (java.io.IOException)1
ServletException (javax.servlet.ServletException)1
StandardContext (org.apache.catalina.core.StandardContext)1
GlassFishValve (org.glassfish.web.valve.GlassFishValve)1
