Examples with SecurityCollection org.apache.tomcat.util.descriptor.web.SecurityCollection used on opensource projects

Example 11 with SecurityCollection

use of org.apache.tomcat.util.descriptor.web.SecurityCollection in project tomee by apache.

the class CdiEventRealmTest method find.

@Test
public void find() {
    final SecurityConstraint[] securityConstraints = new CdiEventRealm().findSecurityConstraints(mock(Request.class), mock(Context.class));
    assertEquals(1, securityConstraints.length);
    final SecurityConstraint c = securityConstraints[0];
    assertEquals("CONFIDENTIAL", c.getUserConstraint());
    assertEquals(2, c.findAuthRoles().length);
    assertEquals(1, c.findCollections().length);
    SecurityCollection sc = c.findCollections()[0];
    assertTrue(sc.findPattern("/*"));
}

Example 12 with SecurityCollection

use of org.apache.tomcat.util.descriptor.web.SecurityCollection in project tomee by apache.

the class TomcatHessianRegistry method createNewContext.

private static Context createNewContext(final ClassLoader classLoader, final String rAuthMethod, final String rTransportGuarantee, final String realmName, final String name) {
    String path = name;
    if (path == null) {
        path = "/";
    }
    if (!path.startsWith("/")) {
        path = "/" + path;
    }
    final StandardContext context = new IgnoredStandardContext();
    context.setPath(path);
    context.setDocBase("");
    context.setParentClassLoader(classLoader);
    context.setDelegate(true);
    context.setName(name);
    TomcatWebAppBuilder.class.cast(SystemInstance.get().getComponent(WebAppBuilder.class)).initJ2EEInfo(context);
    // Configure security
    String authMethod = rAuthMethod;
    if (authMethod != null) {
        authMethod = authMethod.toUpperCase();
    }
    String transportGuarantee = rTransportGuarantee;
    if (transportGuarantee != null) {
        transportGuarantee = transportGuarantee.toUpperCase();
    }
    if (authMethod != null & !"NONE".equals(authMethod)) {
        if ("BASIC".equals(authMethod) || "DIGEST".equals(authMethod) || "CLIENT-CERT".equals(authMethod)) {
            // Setup a login configuration
            final LoginConfig loginConfig = new LoginConfig();
            loginConfig.setAuthMethod(authMethod);
            loginConfig.setRealmName(realmName);
            context.setLoginConfig(loginConfig);
            // Setup a default Security Constraint
            final String securityRole = SystemInstance.get().getProperty(TOMEE_HESSIAN_SECURITY_ROLE_PREFIX + name, "default");
            for (final String role : securityRole.split(",")) {
                final SecurityCollection collection = new SecurityCollection();
                collection.addMethod("GET");
                collection.addMethod("POST");
                collection.addPattern("/*");
                collection.setName(role);
                final SecurityConstraint sc = new SecurityConstraint();
                sc.addAuthRole("*");
                sc.addCollection(collection);
                sc.setAuthConstraint(true);
                sc.setUserConstraint(transportGuarantee);
                context.addConstraint(sc);
                context.addSecurityRole(role);
            }
        }
        // Set the proper authenticator
        switch(authMethod) {
            case "BASIC":
                context.addValve(new BasicAuthenticator());
                break;
            case "DIGEST":
                context.addValve(new DigestAuthenticator());
                break;
            case "CLIENT-CERT":
                context.addValve(new SSLAuthenticator());
                break;
            case "NONE":
                context.addValve(new NonLoginAuthenticator());
                break;
        }
        context.getPipeline().addValve(new OpenEJBValve());
    } else {
        throw new IllegalArgumentException("Invalid authMethod: " + authMethod);
    }
    return context;
}

Example 13 with SecurityCollection

use of org.apache.tomcat.util.descriptor.web.SecurityCollection in project tomcat by apache.

the class StandardContext method addServletSecurity.

@Override
public Set<String> addServletSecurity(ServletRegistration.Dynamic registration, ServletSecurityElement servletSecurityElement) {
    Set<String> conflicts = new HashSet<>();
    Collection<String> urlPatterns = registration.getMappings();
    for (String urlPattern : urlPatterns) {
        boolean foundConflict = false;
        SecurityConstraint[] securityConstraints = findConstraints();
        for (SecurityConstraint securityConstraint : securityConstraints) {
            SecurityCollection[] collections = securityConstraint.findCollections();
            for (SecurityCollection collection : collections) {
                if (collection.findPattern(urlPattern)) {
                    // not. It is not permitted to have a mixture
                    if (collection.isFromDescriptor()) {
                        // Skip this pattern
                        foundConflict = true;
                        conflicts.add(urlPattern);
                        break;
                    } else {
                        // Need to overwrite constraint for this pattern
                        collection.removePattern(urlPattern);
                        // If the collection is now empty, remove it
                        if (collection.findPatterns().length == 0) {
                            securityConstraint.removeCollection(collection);
                        }
                    }
                }
            }
            // If the constraint now has no collections - remove it
            if (securityConstraint.findCollections().length == 0) {
                removeConstraint(securityConstraint);
            }
            // once a conflict has been found
            if (foundConflict) {
                break;
            }
        }
        // If the pattern did not conflict, add the new constraint(s).
        if (!foundConflict) {
            SecurityConstraint[] newSecurityConstraints = SecurityConstraint.createConstraints(servletSecurityElement, urlPattern);
            for (SecurityConstraint securityConstraint : newSecurityConstraints) {
                addConstraint(securityConstraint);
            }
            checkConstraintsForUncoveredMethods(newSecurityConstraints);
        }
    }
    return conflicts;
}

Example 14 with SecurityCollection

use of org.apache.tomcat.util.descriptor.web.SecurityCollection in project tomcat by apache.

the class StandardContext method addConstraint.

/**
     * Add a security constraint to the set for this web application.
     *
     * @param constraint the new security constraint
     */
@Override
public void addConstraint(SecurityConstraint constraint) {
    // Validate the proposed constraint
    SecurityCollection[] collections = constraint.findCollections();
    for (int i = 0; i < collections.length; i++) {
        String[] patterns = collections[i].findPatterns();
        for (int j = 0; j < patterns.length; j++) {
            patterns[j] = adjustURLPattern(patterns[j]);
            if (!validateURLPattern(patterns[j]))
                throw new IllegalArgumentException(sm.getString("standardContext.securityConstraint.pattern", patterns[j]));
        }
        if (collections[i].findMethods().length > 0 && collections[i].findOmittedMethods().length > 0) {
            throw new IllegalArgumentException(sm.getString("standardContext.securityConstraint.mixHttpMethod"));
        }
    }
    // Add this constraint to the set for our web application
    synchronized (constraintsLock) {
        SecurityConstraint[] results = new SecurityConstraint[constraints.length + 1];
        for (int i = 0; i < constraints.length; i++) results[i] = constraints[i];
        results[constraints.length] = constraint;
        constraints = results;
    }
}

Example 15 with SecurityCollection

use of org.apache.tomcat.util.descriptor.web.SecurityCollection in project tomcat by apache.

the class TestNonLoginAndBasicAuthenticator method setUpNonLogin.

private void setUpNonLogin() throws Exception {
    // Must have a real docBase for webapps - just use temp
    nonloginContext = tomcat.addContext(CONTEXT_PATH_NOLOGIN, System.getProperty("java.io.tmpdir"));
    // Add protected servlet to the context
    Tomcat.addServlet(nonloginContext, "TesterServlet1", new TesterServlet());
    nonloginContext.addServletMappingDecoded(URI_PROTECTED, "TesterServlet1");
    SecurityCollection collection1 = new SecurityCollection();
    collection1.addPatternDecoded(URI_PROTECTED);
    SecurityConstraint sc1 = new SecurityConstraint();
    sc1.addAuthRole(ROLE);
    sc1.addCollection(collection1);
    nonloginContext.addConstraint(sc1);
    // Add unprotected servlet to the context
    Tomcat.addServlet(nonloginContext, "TesterServlet2", new TesterServlet());
    nonloginContext.addServletMappingDecoded(URI_PUBLIC, "TesterServlet2");
    SecurityCollection collection2 = new SecurityCollection();
    collection2.addPatternDecoded(URI_PUBLIC);
    SecurityConstraint sc2 = new SecurityConstraint();
    // do not add a role - which signals access permitted without one
    sc2.addCollection(collection2);
    nonloginContext.addConstraint(sc2);
    // Configure the authenticator and inherit the Realm from Engine
    LoginConfig lc = new LoginConfig();
    lc.setAuthMethod("NONE");
    nonloginContext.setLoginConfig(lc);
    AuthenticatorBase nonloginAuthenticator = new NonLoginAuthenticator();
    nonloginContext.getPipeline().addValve(nonloginAuthenticator);
}