
Example 11 with SecurityConstraint

use of org.apache.tomcat.util.descriptor.web.SecurityConstraint in project tomee by apache.

Class CdiEventRealm, method findSecurityConstraints.

/**
 * Looks up the security constraints for {@code request}, letting CDI observers
 * contribute roles for the current request.
 *
 * <p>The parent realm's constraints are computed first. When a CDI bean manager is
 * available, a {@link FindSecurityConstraintsEvent} (servlet request + context path)
 * is fired. If any observer added roles, a single constraint is built from them: it
 * covers pattern {@code /*} but only the HTTP method of the current request, carries
 * the event's user constraint when one was set, and is returned <em>instead of</em>
 * the inherited constraints. Otherwise the parent's result is returned unchanged.
 *
 * @param request the request being authorised
 * @param context the web application context
 * @return the observer-derived constraint, or the parent's constraints when no bean
 *         manager is present or no observer contributed roles
 */
@Override
public SecurityConstraint[] findSecurityConstraints(final Request request, final Context context) {
    final SecurityConstraint[] inherited = super.findSecurityConstraints(request, context);
    if (beanManager() == null) {
        return inherited;
    }

    final FindSecurityConstraintsEvent event =
            new FindSecurityConstraintsEvent(request.getRequest(), context.getPath());
    beanManager().fireEvent(event);
    if (event.getRoles().isEmpty()) {
        return inherited;
    }

    // Observers contributed roles: scope the constraint to this request's method only.
    final SecurityCollection collection = new SecurityCollection();
    collection.addPattern("/*");
    collection.addMethod(request.getMethod());

    final SecurityConstraint constraint = new SecurityConstraint();
    constraint.addCollection(collection);
    if (event.getUserConstraint() != null) {
        constraint.setUserConstraint(event.getUserConstraint());
    }
    for (final String role : event.getRoles()) {
        constraint.addAuthRole(role);
    }
    return new SecurityConstraint[] { constraint };
}
Also used : FindSecurityConstraintsEvent(org.apache.tomee.catalina.realm.event.FindSecurityConstraintsEvent) SecurityConstraint(org.apache.tomcat.util.descriptor.web.SecurityConstraint) SecurityCollection(org.apache.tomcat.util.descriptor.web.SecurityCollection)

Example 12 with SecurityConstraint

use of org.apache.tomcat.util.descriptor.web.SecurityConstraint in project tomee by apache.

Class ConfigurationTest, method autoConfig.

/**
 * Loads a complete configuration from properties and verifies that every section is
 * picked up: ports, directory, boolean flags, users and roles, the JAAS realm, the
 * login config, and the single security constraint (auth constraint on role
 * {@code **} for the {@code api} collection on {@code /api/*}).
 */
@Test
public void autoConfig() {
    final Configuration configuration = new Configuration();
    configuration.loadFromProperties(new PropertiesBuilder()
            .p("http", "1234")
            .p("stop", "1235")
            .p("host", "here")
            .p("dir", "target/dirtmp")
            .p("quickSession", "false")
            .p("webResourceCached", "false")
            .p("withEjbRemote", "true")
            .p("deployOpenEjbApp", "true")
            .p("users.u1", "p1")
            .p("users.u2", "p2")
            .p("roles.admin", "u1,u2")
            .p("roles.simple", "u1")
            .p("realm", "org.apache.catalina.realm.JAASRealm")
            .p("realm.appName", "app")
            .p("realm.configFile", "configuration.jaas")
            .p("login", "")
            .p("login.realmName", "app")
            .p("login.authMethod", "BASIC")
            .p("securityConstraint", "")
            .p("securityConstraint.authConstraint", "true")
            .p("securityConstraint.authRole", "**")
            .p("securityConstraint.collection", "api:/api/*")
            .build());

    // ports, directory and flags
    assertEquals(1234, configuration.getHttpPort());
    assertEquals(1235, configuration.getStopPort());
    assertEquals("target/dirtmp", configuration.getDir());
    assertFalse(configuration.isQuickSession());
    assertTrue(configuration.isWithEjbRemote());
    assertTrue(configuration.isDeployOpenEjbApp());

    // users and roles
    final HashMap<String, String> expectedUsers = new HashMap<>();
    expectedUsers.put("u1", "p1");
    expectedUsers.put("u2", "p2");
    assertEquals(expectedUsers, configuration.getUsers());

    final HashMap<String, String> expectedRoles = new HashMap<>();
    expectedRoles.put("admin", "u1,u2");
    expectedRoles.put("simple", "u1");
    assertEquals(expectedRoles, configuration.getRoles());

    // realm
    assertNotNull(configuration.getRealm());
    assertTrue(configuration.getRealm() instanceof JAASRealm);
    final JAASRealm jaasRealm = (JAASRealm) configuration.getRealm();
    assertEquals("app", jaasRealm.getAppName());
    assertEquals("configuration.jaas", jaasRealm.getConfigFile());

    // login config
    assertNotNull(configuration.getLoginConfig());
    final LoginConfig login = configuration.getLoginConfig().build();
    assertEquals("app", login.getRealmName());
    assertEquals("BASIC", login.getAuthMethod());

    // security constraint
    final Collection<SecurityConstaintBuilder> constraintBuilders = configuration.getSecurityConstraints();
    assertNotNull(constraintBuilders);
    assertEquals(1, constraintBuilders.size());
    final SecurityConstraint apiConstraint = constraintBuilders.iterator().next().build();
    assertTrue(apiConstraint.getAuthConstraint());
    assertTrue(apiConstraint.getAuthenticatedUsers());
    assertEquals("/api/*", apiConstraint.findCollection("api").findPatterns()[0]);
}
Also used : JAASRealm(org.apache.catalina.realm.JAASRealm) LoginConfig(org.apache.tomcat.util.descriptor.web.LoginConfig) PropertiesBuilder(org.apache.openejb.testng.PropertiesBuilder) SecurityConstraint(org.apache.tomcat.util.descriptor.web.SecurityConstraint) Test(org.junit.Test)

Example 13 with SecurityConstraint

use of org.apache.tomcat.util.descriptor.web.SecurityConstraint in project fru-paqx-parent by dellemc-symphony.

Class ContextConfig, method servletContainer.

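/**
 * Embedded Tomcat factory that (1) requires {@code CONFIDENTIAL} transport on every
 * path, so plain HTTP on 8080 is redirected to HTTPS on 18443, and (2) Base64-decodes
 * the keystore password read from {@code application.properties} before Tomcat's
 * SSL configuration sees it.
 *
 * <p>HTTP therefore keeps working for the CLI, but responses from FRU are always
 * served over HTTPS regardless of the protocol/port the CLI used.
 *
 * <p>NOTE(review): the only transformation visible here is a Base64 decode, which is
 * an encoding and not encryption; if the stored value is meant to be encrypted, the
 * decryption step would have to live elsewhere — confirm.
 *
 * @return the configured embedded container factory
 */
@Bean
public EmbeddedServletContainerFactory servletContainer() {
    final TomcatEmbeddedServletContainerFactory tomcat = new TomcatEmbeddedServletContainerFactory() {

        /** Adds a constraint requiring a confidential (TLS) transport for every URL pattern. */
        @Override
        protected void postProcessContext(final Context context) {
            final SecurityCollection allPaths = new SecurityCollection();
            allPaths.addPattern("/*");
            final SecurityConstraint httpsOnly = new SecurityConstraint();
            httpsOnly.setUserConstraint("CONFIDENTIAL");
            httpsOnly.addCollection(allPaths);
            context.addConstraint(httpsOnly);
        }

        /**
         * Replaces the Base64-encoded keystore password with its decoded form, then
         * delegates to the standard SSL configuration. The password value is never
         * written to the log; a {@code null} password is passed through untouched.
         *
         * @param protocol the HTTP/1.1 JSSE protocol being configured
         * @param ssl the SSL settings taken from {@code application.properties}
         */
        @Override
        protected void configureSsl(final AbstractHttp11JsseProtocol<?> protocol, final Ssl ssl) {
            final String encoded = ssl.getKeyStorePassword();
            if (encoded != null) {
                if (LOG.isDebugEnabled()) {
                    // Log the event, not the value: the keystore password is a secret.
                    LOG.debug("ContextConfig: servletContainer: decoding Base64 keystore password");
                }
                final byte[] decodedBytes = Base64.getDecoder().decode(encoded);
                // Explicit charset: new String(byte[]) alone depends on the platform default.
                ssl.setKeyStorePassword(new String(decodedBytes, java.nio.charset.StandardCharsets.UTF_8));
            }
            super.configureSsl(protocol, ssl);
        }
    };

    // Plain-HTTP connector whose only purpose is to redirect to the HTTPS connector.
    tomcat.addAdditionalTomcatConnectors(initiateHttpConnector());

    // Custom realm so the transport-guarantee redirect uses 307 rather than the default 302.
    // With 302 a redirected POST is turned into a GET and its body is dropped (e.g. using curl);
    // 307 (RFC 2616) keeps the original method, so GET stays GET and POST stays POST.
    tomcat.addContextCustomizers((TomcatContextCustomizer) context -> {
        final RealmBase realm = new CombinedRealm();
        realm.setTransportGuaranteeRedirectStatus(307);
        context.setRealm(realm);
    });
    return tomcat;
}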
Also used : Context(org.apache.catalina.Context) CombinedRealm(org.apache.catalina.realm.CombinedRealm) Logger(org.slf4j.Logger) TomcatContextCustomizer(org.springframework.boot.context.embedded.tomcat.TomcatContextCustomizer) SecurityCollection(org.apache.tomcat.util.descriptor.web.SecurityCollection) LoggerFactory(org.slf4j.LoggerFactory) Connector(org.apache.catalina.connector.Connector) Context(org.apache.catalina.Context) EmbeddedServletContainerFactory(org.springframework.boot.context.embedded.EmbeddedServletContainerFactory) RealmBase(org.apache.catalina.realm.RealmBase) Configuration(org.springframework.context.annotation.Configuration) Ssl(org.springframework.boot.context.embedded.Ssl) TomcatEmbeddedServletContainerFactory(org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory) Base64(java.util.Base64) ConsumerContextConfig(com.dell.cpsd.service.common.client.context.ConsumerContextConfig) AbstractHttp11JsseProtocol(org.apache.coyote.http11.AbstractHttp11JsseProtocol) SecurityConstraint(org.apache.tomcat.util.descriptor.web.SecurityConstraint) Bean(org.springframework.context.annotation.Bean) AbstractHttp11JsseProtocol(org.apache.coyote.http11.AbstractHttp11JsseProtocol) CombinedRealm(org.apache.catalina.realm.CombinedRealm) TomcatEmbeddedServletContainerFactory(org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory) RealmBase(org.apache.catalina.realm.RealmBase) Ssl(org.springframework.boot.context.embedded.Ssl) SecurityConstraint(org.apache.tomcat.util.descriptor.web.SecurityConstraint) SecurityCollection(org.apache.tomcat.util.descriptor.web.SecurityCollection) Bean(org.springframework.context.annotation.Bean)

Example 14 with SecurityConstraint

use of org.apache.tomcat.util.descriptor.web.SecurityConstraint in project tomee by apache.

Class TomcatWsRegistry, method createNewContext.

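/**
 * Builds a standalone Tomcat context for a JAX-WS endpoint and, when an auth method
 * is requested, wires a login config, default security constraints and the matching
 * authenticator valve into it.
 *
 * <p>When {@code authMethod} is neither {@code null} nor {@code NONE} the following is
 * installed:
 * <ul>
 *   <li>a {@link LoginConfig} with the upper-cased auth method and {@code realmName};</li>
 *   <li>one constraint per role listed (comma-separated) in the system property
 *       {@code TOMEE_JAXWS_SECURITY_ROLE_PREFIX + name} (default {@code "default"}),
 *       each covering GET and POST on {@code /*} with auth role {@code *},
 *       {@code authConstraint = true} and {@code transportGuarantee} as user
 *       constraint; every role is also registered on the context;</li>
 *   <li>the authenticator valve for the method, followed by an {@link OpenEJBValve}.</li>
 * </ul>
 * {@code NONE} is deliberately left unconfigured (see the inline comment).
 *
 * @param classLoader        parent class loader of the context
 * @param authMethod         {@code BASIC}, {@code DIGEST}, {@code CLIENT-CERT}, {@code NONE}
 *                           or {@code null}; matched case-insensitively
 * @param transportGuarantee user constraint for the generated constraints; may be {@code null}
 * @param realmName          realm name placed in the login config
 * @param name               context name; also used as the path, prefixed with {@code /}
 *                           when missing, {@code /} when {@code null}
 * @return the configured context
 * @throws IllegalArgumentException if {@code authMethod} is not one of the supported values
 */
private static Context createNewContext(final ClassLoader classLoader, String authMethod, String transportGuarantee, final String realmName, final String name) {
    String path = name;
    if (path == null) {
        path = "/";
    }
    if (!path.startsWith("/")) {
        path = "/" + path;
    }
    final StandardContext context = new IgnoredStandardContext();
    context.setPath(path);
    context.setDocBase("");
    context.setParentClassLoader(classLoader);
    context.setDelegate(true);
    context.setName(name);
    ((TomcatWebAppBuilder) SystemInstance.get().getComponent(WebAppBuilder.class)).initJ2EEInfo(context);

    // Configure security. Locale.ROOT keeps the upper-casing independent of the JVM's
    // default locale (a Turkish default would turn "basic" into "BASİC" and never match).
    if (authMethod != null) {
        authMethod = authMethod.toUpperCase(java.util.Locale.ROOT);
    }
    if (transportGuarantee != null) {
        transportGuarantee = transportGuarantee.toUpperCase(java.util.Locale.ROOT);
    }
    if (authMethod == null || "NONE".equals(authMethod)) {
        // NOPMD
        // ignore none for now as the NonLoginAuthenticator seems to be completely hosed
        return context;
    }

    final boolean basic = "BASIC".equals(authMethod);
    final boolean digest = "DIGEST".equals(authMethod);
    final boolean clientCert = "CLIENT-CERT".equals(authMethod);
    if (!basic && !digest && !clientCert) {
        throw new IllegalArgumentException("Invalid authMethod: " + authMethod);
    }

    // Setup a login configuration
    final LoginConfig loginConfig = new LoginConfig();
    loginConfig.setAuthMethod(authMethod);
    loginConfig.setRealmName(realmName);
    context.setLoginConfig(loginConfig);

    // Setup a default Security Constraint: each configured role gets GET+POST on /*,
    // an auth constraint with role "*" (in Tomcat, any role declared on the context)
    // and the requested transport guarantee.
    final String securityRole = SystemInstance.get().getProperty(TOMEE_JAXWS_SECURITY_ROLE_PREFIX + name, "default");
    for (final String role : securityRole.split(",")) {
        final SecurityCollection collection = new SecurityCollection();
        collection.addMethod("GET");
        collection.addMethod("POST");
        collection.addPattern("/*");
        collection.setName(role);
        final SecurityConstraint sc = new SecurityConstraint();
        sc.addAuthRole("*");
        sc.addCollection(collection);
        sc.setAuthConstraint(true);
        sc.setUserConstraint(transportGuarantee);
        context.addConstraint(sc);
        context.addSecurityRole(role);
    }

    // Set the proper authenticator. (A NONE branch used to sit here but could never be
    // reached, since NONE returns early above; it has been removed.)
    if (basic) {
        context.addValve(new BasicAuthenticator());
    } else if (digest) {
        context.addValve(new DigestAuthenticator());
    } else {
        context.addValve(new SSLAuthenticator());
    }
    context.getPipeline().addValve(new OpenEJBValve());
    return context;
}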
Also used : TomcatWebAppBuilder(org.apache.tomee.catalina.TomcatWebAppBuilder) NonLoginAuthenticator(org.apache.catalina.authenticator.NonLoginAuthenticator) TomcatWebAppBuilder(org.apache.tomee.catalina.TomcatWebAppBuilder) WebAppBuilder(org.apache.openejb.assembler.classic.WebAppBuilder) SecurityConstraint(org.apache.tomcat.util.descriptor.web.SecurityConstraint) IgnoredStandardContext(org.apache.tomee.catalina.IgnoredStandardContext) SSLAuthenticator(org.apache.catalina.authenticator.SSLAuthenticator) BasicAuthenticator(org.apache.catalina.authenticator.BasicAuthenticator) OpenEJBValve(org.apache.tomee.catalina.OpenEJBValve) DigestAuthenticator(org.apache.catalina.authenticator.DigestAuthenticator) IgnoredStandardContext(org.apache.tomee.catalina.IgnoredStandardContext) StandardContext(org.apache.catalina.core.StandardContext) LoginConfig(org.apache.tomcat.util.descriptor.web.LoginConfig) SecurityCollection(org.apache.tomcat.util.descriptor.web.SecurityCollection)

Example 15 with SecurityConstraint

use of org.apache.tomcat.util.descriptor.web.SecurityConstraint in project tomee by apache.

Class CdiEventRealmTest, method find.

/**
 * The realm must return exactly one constraint for a mocked request/context: it
 * carries a {@code CONFIDENTIAL} user constraint, two auth roles and a single
 * collection matching {@code /*}. The roles and user constraint are presumably
 * supplied by a CDI observer elsewhere in this test class — not visible here.
 */
@Test
public void find() {
    final CdiEventRealm realm = new CdiEventRealm();
    final SecurityConstraint[] found = realm.findSecurityConstraints(mock(Request.class), mock(Context.class));
    assertEquals(1, found.length);

    final SecurityConstraint constraint = found[0];
    assertEquals("CONFIDENTIAL", constraint.getUserConstraint());
    assertEquals(2, constraint.findAuthRoles().length);

    final SecurityCollection[] collections = constraint.findCollections();
    assertEquals(1, collections.length);
    assertTrue(collections[0].findPattern("/*"));
}
Also used : GSSContext(org.ietf.jgss.GSSContext) Context(org.apache.catalina.Context) CdiEventRealm(org.apache.tomee.catalina.realm.CdiEventRealm) Request(org.apache.catalina.connector.Request) SecurityConstraint(org.apache.tomcat.util.descriptor.web.SecurityConstraint) SecurityCollection(org.apache.tomcat.util.descriptor.web.SecurityCollection) Test(org.junit.Test)
