Example 6 with SecurityConstraint
use of org.apache.catalina.deploy.SecurityConstraint in project Payara by payara.
the class StandardContext method addConstraint.
/**
* Add a security constraint to the set for this web application.
*/
@Override
public void addConstraint(SecurityConstraint constraint) {
// Validate the proposed constraint
SecurityCollection[] collections = constraint.findCollections();
for (SecurityCollection collection : collections) {
String[] patterns = collection.findPatterns();
for (int j = 0; j < patterns.length; j++) {
patterns[j] = adjustURLPattern(patterns[j]);
if (!validateURLPattern(patterns[j])) {
String msg = MessageFormat.format(rb.getString(LogFacade.SECURITY_CONSTRAINT_PATTERN_EXCEPTION), patterns[j]);
throw new IllegalArgumentException(msg);
}
}
}
// Add this constraint to the set for our web application
constraints.add(constraint);
}
Also used :
SecurityConstraint(org.apache.catalina.deploy.SecurityConstraint)
SecurityCollection(org.apache.catalina.deploy.SecurityCollection)
Example 7 with SecurityConstraint
use of org.apache.catalina.deploy.SecurityConstraint in project Payara by payara.
the class RealmBase method hasUserDataPermission.
/**
* Checks if the given request URI and method are the target of any
* user-data-constraint with a transport-guarantee of CONFIDENTIAL,
* and whether any such constraint is already satisfied.
*
* If <tt>uri</tt> and <tt>method</tt> are null, then the URI and method
* of the given <tt>request</tt> are checked.
*
* If a user-data-constraint exists that is not satisfied, then the
* given <tt>request</tt> will be redirected to HTTPS.
*
* @param request the request that may be redirected
* @param response the response that may be redirected
* @param constraints the security constraints to check against
* @param uri the request URI (minus the context path) to check
* @param method the request method to check
*
* @return true if the request URI and method are not the target of any
* unsatisfied user-data-constraint with a transport-guarantee of
* CONFIDENTIAL, and false if they are (in which case the given request
* will have been redirected to HTTPS)
*/
public boolean hasUserDataPermission(HttpRequest request, HttpResponse response, SecurityConstraint[] constraints, String uri, String method) throws IOException {
// Is there a relevant user data constraint?
if (constraints == null || constraints.length == 0) {
if (log.isLoggable(Level.FINE))
log.log(Level.FINE, " No applicable security constraint defined");
return (true);
}
for (int i = 0; i < constraints.length; i++) {
SecurityConstraint constraint = constraints[i];
String userConstraint = constraint.getUserConstraint();
if (userConstraint == null) {
if (log.isLoggable(Level.FINE))
log.log(Level.FINE, " No applicable user data constraint defined");
return (true);
}
if (userConstraint.equals(Constants.NONE_TRANSPORT)) {
if (log.isLoggable(Level.FINE))
log.log(Level.FINE, " User data constraint has no restrictions");
return (true);
}
}
// Validate the request against the user data constraint
if (request.getRequest().isSecure()) {
if (log.isLoggable(Level.FINE))
log.log(Level.FINE, " User data constraint already satisfied");
return (true);
}
// Initialize variables we need to determine the appropriate action
HttpServletRequest hrequest = (HttpServletRequest) request.getRequest();
HttpServletResponse hresponse = (HttpServletResponse) response.getResponse();
int redirectPort = request.getConnector().getRedirectPort();
// Is redirecting disabled?
if (redirectPort <= 0) {
if (log.isLoggable(Level.FINE))
log.log(Level.FINE, " SSL redirect is disabled");
/* S1AS 4878272
hresponse.sendError
response.sendError
(HttpServletResponse.SC_FORBIDDEN,
hrequest.getRequestURI());
*/
// BEGIN S1AS 4878272
hresponse.sendError(HttpServletResponse.SC_FORBIDDEN);
response.setDetailMessage(hrequest.getRequestURI());
// END S1AS 4878272
return (false);
}
// Redirect to the corresponding SSL port
StringBuilder file = new StringBuilder();
String protocol = "https";
String host = hrequest.getServerName();
// Protocol
file.append(protocol).append("://").append(host);
// Host with port
if (redirectPort != 443) {
file.append(":").append(redirectPort);
}
// URI
file.append(hrequest.getRequestURI());
String requestedSessionId = hrequest.getRequestedSessionId();
if ((requestedSessionId != null) && hrequest.isRequestedSessionIdFromURL()) {
String sessionParameterName = ((request.getContext() != null) ? request.getContext().getSessionParameterName() : Globals.SESSION_PARAMETER_NAME);
file.append(";" + sessionParameterName + "=");
file.append(requestedSessionId);
}
String queryString = hrequest.getQueryString();
if (queryString != null) {
file.append('?');
file.append(queryString);
}
if (log.isLoggable(Level.FINE))
log.log(Level.FINE, "Redirecting to " + file.toString());
hresponse.sendRedirect(file.toString());
return (false);
}
Also used :
HttpServletRequest(javax.servlet.http.HttpServletRequest)
HttpServletResponse(javax.servlet.http.HttpServletResponse)
SecurityConstraint(org.apache.catalina.deploy.SecurityConstraint)
SecurityConstraint(org.apache.catalina.deploy.SecurityConstraint)
Example 8 with SecurityConstraint
use of org.apache.catalina.deploy.SecurityConstraint in project Payara by payara.
the class RealmBase method hasResourcePermission.
/**
* Perform access control based on the specified authorization constraint.
* Return <code>true</code> if this constraint is satisfied and processing
* should continue, or <code>false</code> otherwise.
*
* @param request Request we are processing
* @param response Response we are creating
* @param constraints Security constraint we are enforcing
* @param context The Context to which client of this class is attached.
*
* @exception IOException if an input/output error occurs
*/
public boolean hasResourcePermission(HttpRequest request, HttpResponse response, SecurityConstraint[] constraints, Context context) throws IOException {
if (constraints == null || constraints.length == 0)
return (true);
// Which user principal have we already authenticated?
Principal principal = ((HttpServletRequest) request.getRequest()).getUserPrincipal();
for (int i = 0; i < constraints.length; i++) {
SecurityConstraint constraint = constraints[i];
String[] roles = constraint.findAuthRoles();
if (roles == null)
roles = new String[0];
if (constraint.getAllRoles())
return (true);
if (log.isLoggable(Level.FINE))
log.log(Level.FINE, " Checking roles " + principal);
if (roles.length == 0) {
if (constraint.getAuthConstraint()) {
// BEGIN S1AS 4878272
((HttpServletResponse) response.getResponse()).sendError(HttpServletResponse.SC_FORBIDDEN);
response.setDetailMessage(rb.getString(LogFacade.ACCESS_RESOURCE_DENIED));
if (log.isLoggable(Level.FINE))
log.log(Level.FINE, "No roles ");
// No listed roles means no access at all
return (false);
} else {
if (log.isLoggable(Level.FINE)) {
log.log(Level.FINE, "Passing all access");
}
return (true);
}
} else if (principal == null) {
if (log.isLoggable(Level.FINE))
log.log(Level.FINE, " No user authenticated, cannot grant access");
// BEGIN S1AS 4878272
((HttpServletResponse) response.getResponse()).sendError(HttpServletResponse.SC_FORBIDDEN);
response.setDetailMessage(rb.getString(LogFacade.CONFIG_ERROR_NOT_AUTHENTICATED));
// END S1AS 4878272
return (false);
}
for (int j = 0; j < roles.length; j++) {
if (hasRole(principal, roles[j])) {
if (log.isLoggable(Level.FINE))
log.log(Level.FINE, "Role found: " + roles[j]);
return (true);
} else {
if (log.isLoggable(Level.FINE))
log.log(Level.FINE, "No role found: " + roles[j]);
}
}
}
// Return a "Forbidden" message denying access to this resource
/* S1AS 4878272
((HttpServletResponse) response.getResponse()).sendError
*/
// BEGIN S1AS 4878272
((HttpServletResponse) response.getResponse()).sendError(HttpServletResponse.SC_FORBIDDEN);
response.setDetailMessage(rb.getString(LogFacade.ACCESS_RESOURCE_DENIED));
// END S1AS 4878272
return (false);
}
Also used :
HttpServletRequest(javax.servlet.http.HttpServletRequest)
HttpServletResponse(javax.servlet.http.HttpServletResponse)
Principal(java.security.Principal)
SecurityConstraint(org.apache.catalina.deploy.SecurityConstraint)
SecurityConstraint(org.apache.catalina.deploy.SecurityConstraint)
Example 9 with SecurityConstraint
use of org.apache.catalina.deploy.SecurityConstraint in project Payara by payara.
the class RealmBase method findSecurityConstraints.
/**
* Gets the security constraints configured by the given context
* for the given request URI and method.
*
* @param uri the request URI (minus the context Path)
* @param method the request method
* @param context the context
*
* @return the security constraints configured by the given context
* for the given request URI and method, or null
*/
public SecurityConstraint[] findSecurityConstraints(String uri, String method, Context context) {
ArrayList<SecurityConstraint> results = null;
// Are there any defined security constraints?
if (!context.hasConstraints()) {
if (log.isLoggable(Level.FINE))
log.log(Level.FINE, " No applicable constraints defined");
return (null);
}
// START SJSWS 6324431
String origUri = uri;
boolean caseSensitiveMapping = ((StandardContext) context).isCaseSensitiveMapping();
if (uri != null && !caseSensitiveMapping) {
uri = uri.toLowerCase(Locale.ENGLISH);
}
// END SJSWS 6324431
boolean found = false;
List<SecurityConstraint> constraints = context.getConstraints();
Iterator<SecurityConstraint> i = constraints.iterator();
while (i.hasNext()) {
SecurityConstraint constraint = i.next();
SecurityCollection[] collection = constraint.findCollections();
// See Bugzilla 30624
if (collection == null) {
continue;
}
if (log.isLoggable(Level.FINEST)) {
/* SJSWS 6324431
log.trace(" Checking constraint '" + constraints[i] +
"' against " + method + " " + uri + " --> " +
constraints[i].included(uri, method));
*/
// START SJSWS 6324431
String msg = "Checking constraint '" + constraint + "' against " + method + " " + origUri + " --> " + constraint.included(uri, method, caseSensitiveMapping);
log.log(Level.FINEST, msg);
// END SJSWS 6324431
}
// START SJSWS 6324431
if (log.isLoggable(Level.FINE) && constraint.included(uri, method, caseSensitiveMapping)) {
log.log(Level.FINE, " Matched constraint '" + constraint + "' against " + method + " " + origUri);
}
for (int j = 0; j < collection.length; j++) {
String[] patterns = collection[j].findPatterns();
// See Bugzilla 30624
if (patterns == null) {
continue;
}
for (int k = 0; k < patterns.length; k++) {
/* SJSWS 6324431
if(uri.equals(patterns[k])) {
*/
// START SJSWS 6324431
String pattern = caseSensitiveMapping ? patterns[k] : patterns[k].toLowerCase(Locale.ENGLISH);
if (uri != null && uri.equals(pattern)) {
// END SJSWS 6324431
found = true;
if (collection[j].findMethod(method)) {
if (results == null) {
results = new ArrayList<SecurityConstraint>();
}
results.add(constraint);
}
}
}
}
}
if (found) {
return resultsToArray(results);
}
int longest = -1;
i = constraints.iterator();
while (i.hasNext()) {
SecurityConstraint constraint = i.next();
SecurityCollection[] collection = constraint.findCollections();
// See Bugzilla 30624
if (collection == null) {
continue;
}
if (log.isLoggable(Level.FINEST)) {
/* SJSWS 6324431
log.trace(" Checking constraint '" + constraints[i] +
"' against " + method + " " + uri + " --> " +
constraints[i].included(uri, method));
*/
// START SJSWS 6324431
String msg = " Checking constraint '" + constraint + "' against " + method + " " + origUri + " --> " + constraint.included(uri, method, caseSensitiveMapping);
log.log(Level.FINE, msg);
// END SJSWS 6324431
}
// START SJSWS 6324431
if (log.isLoggable(Level.FINE) && constraint.included(uri, method, caseSensitiveMapping)) {
log.log(Level.FINE, " Matched constraint '" + constraint + "' against " + method + " " + origUri);
}
for (int j = 0; j < collection.length; j++) {
String[] patterns = collection[j].findPatterns();
// See Bugzilla 30624
if (patterns == null) {
continue;
}
boolean matched = false;
int length = -1;
for (int k = 0; k < patterns.length; k++) {
/* SJSWS 6324431
String pattern = patterns[k];
*/
// START SJSWS 6324431
String pattern = caseSensitiveMapping ? patterns[k] : patterns[k].toLowerCase(Locale.ENGLISH);
// END SJSWS 6324431
if (pattern.startsWith("/") && pattern.endsWith("/*") && pattern.length() >= longest) {
if (pattern.length() == 2) {
matched = true;
length = pattern.length();
} else if (uri != null && (pattern.regionMatches(0, uri, 0, pattern.length() - 1) || (pattern.length() - 2 == uri.length() && pattern.regionMatches(0, uri, 0, pattern.length() - 2)))) {
matched = true;
length = pattern.length();
}
}
}
if (matched) {
found = true;
if (length > longest) {
if (results != null) {
results.clear();
}
longest = length;
}
if (collection[j].findMethod(method)) {
if (results == null) {
results = new ArrayList<SecurityConstraint>();
}
results.add(constraint);
}
}
}
}
if (found) {
return resultsToArray(results);
}
i = constraints.iterator();
while (i.hasNext()) {
SecurityConstraint constraint = i.next();
SecurityCollection[] collection = constraint.findCollections();
// See Bugzilla 30624
if (collection == null) {
continue;
}
if (log.isLoggable(Level.FINEST)) {
/* SJSWS 6324431
log.trace(" Checking constraint '" + constraints[i] +
"' against " + method + " " + uri + " --> " +
constraints[i].included(uri, method));
*/
// START SJSWS 6324431
String msg = " Checking constraint '" + constraint + "' against " + method + " " + origUri + " --> " + constraint.included(uri, method, caseSensitiveMapping);
log.log(Level.FINEST, msg);
// END SJSWS 6324431
}
// START SJSWS 6324431
if (log.isLoggable(Level.FINE) && constraint.included(uri, method, caseSensitiveMapping)) {
log.log(Level.FINE, " Matched constraint '" + constraint + "' against " + method + " " + origUri);
}
// END SJSWS 6324431
boolean matched = false;
int pos = -1;
for (int j = 0; j < collection.length; j++) {
String[] patterns = collection[j].findPatterns();
// See Bugzilla 30624
if (patterns == null) {
continue;
}
for (int k = 0; k < patterns.length && !matched; k++) {
/* SJSWS 6324431
String pattern = patterns[k];
*/
// START SJSWS 6324431
String pattern = caseSensitiveMapping ? patterns[k] : patterns[k].toLowerCase(Locale.ENGLISH);
// END SJSWS 6324431
if (uri != null && pattern.startsWith("*.")) {
int slash = uri.lastIndexOf("/");
int dot = uri.lastIndexOf(".");
if (slash >= 0 && dot > slash && dot != uri.length() - 1 && uri.length() - dot == pattern.length() - 1) {
if (pattern.regionMatches(1, uri, dot, uri.length() - dot)) {
matched = true;
pos = j;
}
}
}
}
}
if (matched) {
found = true;
if (collection[pos].findMethod(method)) {
if (results == null) {
results = new ArrayList<SecurityConstraint>();
}
results.add(constraint);
}
}
}
if (found) {
return resultsToArray(results);
}
i = constraints.iterator();
while (i.hasNext()) {
SecurityConstraint constraint = i.next();
SecurityCollection[] collection = constraint.findCollections();
// See Bugzilla 30624
if (collection == null) {
continue;
}
if (log.isLoggable(Level.FINEST)) {
/* SJSWS 6324431
log.trace(" Checking constraint '" + constraints[i] +
"' against " + method + " " + uri + " --> " +
constraints[i].included(uri, method));
*/
// START SJSWS 6324431
String msg = " Checking constraint '" + constraint + "' against " + method + " " + origUri + " --> " + constraint.included(uri, method, caseSensitiveMapping);
log.log(Level.FINEST, msg);
// END SJSWS 6324431
}
// START SJSWS 6324431
if (log.isLoggable(Level.FINE) && constraint.included(uri, method, caseSensitiveMapping)) {
log.log(Level.FINE, " Matched constraint '" + constraint + "' against " + method + " " + origUri);
}
for (int j = 0; j < collection.length; j++) {
String[] patterns = collection[j].findPatterns();
// See Bugzilla 30624
if (patterns == null) {
continue;
}
boolean matched = false;
for (int k = 0; k < patterns.length && !matched; k++) {
/* SJSWS 6324431
String pattern = patterns[k];
*/
// START SJSWS 6324431
String pattern = caseSensitiveMapping ? patterns[k] : patterns[k].toLowerCase(Locale.ENGLISH);
// END SJSWS 6324431
if (pattern.equals("/")) {
matched = true;
}
}
if (matched) {
if (results == null) {
results = new ArrayList<SecurityConstraint>();
}
results.add(constraint);
}
}
}
if (results == null) {
// No applicable security constraint was found
if (log.isLoggable(Level.FINE))
log.log(Level.FINE, " No applicable constraint located");
}
return resultsToArray(results);
}
Also used :
StandardContext(org.apache.catalina.core.StandardContext)
SecurityConstraint(org.apache.catalina.deploy.SecurityConstraint)
SecurityConstraint(org.apache.catalina.deploy.SecurityConstraint)
SecurityCollection(org.apache.catalina.deploy.SecurityCollection)
Example 10 with SecurityConstraint
use of org.apache.catalina.deploy.SecurityConstraint in project Payara by payara.
the class ContextConfig method validateSecurityRoles.
/**
* Validate the usage of security role names in the web application
* deployment descriptor. If any problems are found, issue warning
* messages (for backwards compatibility) and add the missing roles.
* (To make these problems fatal instead, simply set the <code>ok</code>
* instance variable to <code>false</code> as well).
*/
protected void validateSecurityRoles() {
// Check role names used in <security-constraint> elements
Iterator<SecurityConstraint> iter = context.getConstraints().iterator();
while (iter.hasNext()) {
for (String role : iter.next().findAuthRoles()) {
if (!"*".equals(role) && !context.hasSecurityRole(role)) {
if (log.isLoggable(Level.INFO)) {
log.log(Level.INFO, LogFacade.SECURITY_ROLE_NAME_USED_IN_AUTH_WITHOUT_DEFINITION, new Object[] { role, context.getName() });
}
context.addSecurityRole(role);
}
}
}
// Check role names used in <servlet> elements
Container[] wrappers = context.findChildren();
for (int i = 0; i < wrappers.length; i++) {
Wrapper wrapper = (Wrapper) wrappers[i];
String runAs = wrapper.getRunAs();
if ((runAs != null) && !context.hasSecurityRole(runAs)) {
if (log.isLoggable(Level.INFO)) {
log.log(Level.INFO, LogFacade.SECURITY_ROLE_NAME_USED_IN_RUNAS_WITHOUT_DEFINITION, new Object[] { runAs, context.getName() });
}
context.addSecurityRole(runAs);
}
String[] names = wrapper.findSecurityReferences();
for (int j = 0; j < names.length; j++) {
String link = wrapper.findSecurityReference(names[j]);
if ((link != null) && !context.hasSecurityRole(link)) {
if (log.isLoggable(Level.INFO)) {
log.log(Level.INFO, LogFacade.SECURITY_ROLE_NAME_USED_IN_LINK_WITHOUT_DEFINITION, new Object[] { link, context.getName() });
}
context.addSecurityRole(link);
}
}
}
}
Also used :
SecurityConstraint(org.apache.catalina.deploy.SecurityConstraint)
SecurityConstraint(org.apache.catalina.deploy.SecurityConstraint)
Aggregations
SecurityConstraint (org.apache.catalina.deploy.SecurityConstraint)10
HttpServletRequest (javax.servlet.http.HttpServletRequest)4
HttpServletResponse (javax.servlet.http.HttpServletResponse)4
Principal (java.security.Principal)2
RequestDispatcher (javax.servlet.RequestDispatcher)2
ServletContext (javax.servlet.ServletContext)2
Realm (org.apache.catalina.Realm)2
LoginConfig (org.apache.catalina.deploy.LoginConfig)2
SecurityCollection (org.apache.catalina.deploy.SecurityCollection)2
WebSecurityManager (com.sun.enterprise.security.web.integration.WebSecurityManager)1
IOException (java.io.IOException)1
ServletException (javax.servlet.ServletException)1
StandardContext (org.apache.catalina.core.StandardContext)1
GlassFishValve (org.glassfish.web.valve.GlassFishValve)1
