Search in sources :

Example 16 with SecurityConstraint

use of org.apache.tomcat.util.descriptor.web.SecurityConstraint in project tomee by apache.

the class TomcatHessianRegistry method createNewContext.

private static Context createNewContext(final ClassLoader classLoader, final String rAuthMethod, final String rTransportGuarantee, final String realmName, final String name) {
    String path = name;
    if (path == null) {
        path = "/";
    }
    if (!path.startsWith("/")) {
        path = "/" + path;
    }
    final StandardContext context = new IgnoredStandardContext();
    context.setPath(path);
    context.setDocBase("");
    context.setParentClassLoader(classLoader);
    context.setDelegate(true);
    context.setName(name);
    TomcatWebAppBuilder.class.cast(SystemInstance.get().getComponent(WebAppBuilder.class)).initJ2EEInfo(context);
    // Configure security
    String authMethod = rAuthMethod;
    if (authMethod != null) {
        authMethod = authMethod.toUpperCase();
    }
    String transportGuarantee = rTransportGuarantee;
    if (transportGuarantee != null) {
        transportGuarantee = transportGuarantee.toUpperCase();
    }
    if (authMethod != null & !"NONE".equals(authMethod)) {
        if ("BASIC".equals(authMethod) || "DIGEST".equals(authMethod) || "CLIENT-CERT".equals(authMethod)) {
            // Setup a login configuration
            final LoginConfig loginConfig = new LoginConfig();
            loginConfig.setAuthMethod(authMethod);
            loginConfig.setRealmName(realmName);
            context.setLoginConfig(loginConfig);
            // Setup a default Security Constraint
            final String securityRole = SystemInstance.get().getProperty(TOMEE_HESSIAN_SECURITY_ROLE_PREFIX + name, "default");
            for (final String role : securityRole.split(",")) {
                final SecurityCollection collection = new SecurityCollection();
                collection.addMethod("GET");
                collection.addMethod("POST");
                collection.addPattern("/*");
                collection.setName(role);
                final SecurityConstraint sc = new SecurityConstraint();
                sc.addAuthRole("*");
                sc.addCollection(collection);
                sc.setAuthConstraint(true);
                sc.setUserConstraint(transportGuarantee);
                context.addConstraint(sc);
                context.addSecurityRole(role);
            }
        }
        // Set the proper authenticator
        switch(authMethod) {
            case "BASIC":
                context.addValve(new BasicAuthenticator());
                break;
            case "DIGEST":
                context.addValve(new DigestAuthenticator());
                break;
            case "CLIENT-CERT":
                context.addValve(new SSLAuthenticator());
                break;
            case "NONE":
                context.addValve(new NonLoginAuthenticator());
                break;
        }
        context.getPipeline().addValve(new OpenEJBValve());
    } else {
        throw new IllegalArgumentException("Invalid authMethod: " + authMethod);
    }
    return context;
}
Also used : TomcatWebAppBuilder(org.apache.tomee.catalina.TomcatWebAppBuilder) NonLoginAuthenticator(org.apache.catalina.authenticator.NonLoginAuthenticator) SecurityConstraint(org.apache.tomcat.util.descriptor.web.SecurityConstraint) IgnoredStandardContext(org.apache.tomee.catalina.IgnoredStandardContext) SSLAuthenticator(org.apache.catalina.authenticator.SSLAuthenticator) BasicAuthenticator(org.apache.catalina.authenticator.BasicAuthenticator) OpenEJBValve(org.apache.tomee.catalina.OpenEJBValve) DigestAuthenticator(org.apache.catalina.authenticator.DigestAuthenticator) IgnoredStandardContext(org.apache.tomee.catalina.IgnoredStandardContext) StandardContext(org.apache.catalina.core.StandardContext) LoginConfig(org.apache.tomcat.util.descriptor.web.LoginConfig) SecurityCollection(org.apache.tomcat.util.descriptor.web.SecurityCollection)

Example 17 with SecurityConstraint

use of org.apache.tomcat.util.descriptor.web.SecurityConstraint in project tomcat by apache.

the class StandardContext method addServletSecurity.

@Override
public Set<String> addServletSecurity(ServletRegistration.Dynamic registration, ServletSecurityElement servletSecurityElement) {
    Set<String> conflicts = new HashSet<>();
    Collection<String> urlPatterns = registration.getMappings();
    for (String urlPattern : urlPatterns) {
        boolean foundConflict = false;
        SecurityConstraint[] securityConstraints = findConstraints();
        for (SecurityConstraint securityConstraint : securityConstraints) {
            SecurityCollection[] collections = securityConstraint.findCollections();
            for (SecurityCollection collection : collections) {
                if (collection.findPattern(urlPattern)) {
                    // not. It is not permitted to have a mixture
                    if (collection.isFromDescriptor()) {
                        // Skip this pattern
                        foundConflict = true;
                        conflicts.add(urlPattern);
                        break;
                    } else {
                        // Need to overwrite constraint for this pattern
                        collection.removePattern(urlPattern);
                        // If the collection is now empty, remove it
                        if (collection.findPatterns().length == 0) {
                            securityConstraint.removeCollection(collection);
                        }
                    }
                }
            }
            // If the constraint now has no collections - remove it
            if (securityConstraint.findCollections().length == 0) {
                removeConstraint(securityConstraint);
            }
            // once a conflict has been found
            if (foundConflict) {
                break;
            }
        }
        // If the pattern did not conflict, add the new constraint(s).
        if (!foundConflict) {
            SecurityConstraint[] newSecurityConstraints = SecurityConstraint.createConstraints(servletSecurityElement, urlPattern);
            for (SecurityConstraint securityConstraint : newSecurityConstraints) {
                addConstraint(securityConstraint);
            }
            checkConstraintsForUncoveredMethods(newSecurityConstraints);
        }
    }
    return conflicts;
}
Also used : SecurityConstraint(org.apache.tomcat.util.descriptor.web.SecurityConstraint) HashSet(java.util.HashSet) SecurityCollection(org.apache.tomcat.util.descriptor.web.SecurityCollection)

Example 18 with SecurityConstraint

use of org.apache.tomcat.util.descriptor.web.SecurityConstraint in project tomcat by apache.

the class StandardContext method addConstraint.

/**
     * Add a security constraint to the set for this web application.
     *
     * @param constraint the new security constraint
     */
@Override
public void addConstraint(SecurityConstraint constraint) {
    // Validate the proposed constraint
    SecurityCollection[] collections = constraint.findCollections();
    for (int i = 0; i < collections.length; i++) {
        String[] patterns = collections[i].findPatterns();
        for (int j = 0; j < patterns.length; j++) {
            patterns[j] = adjustURLPattern(patterns[j]);
            if (!validateURLPattern(patterns[j]))
                throw new IllegalArgumentException(sm.getString("standardContext.securityConstraint.pattern", patterns[j]));
        }
        if (collections[i].findMethods().length > 0 && collections[i].findOmittedMethods().length > 0) {
            throw new IllegalArgumentException(sm.getString("standardContext.securityConstraint.mixHttpMethod"));
        }
    }
    // Add this constraint to the set for our web application
    synchronized (constraintsLock) {
        SecurityConstraint[] results = new SecurityConstraint[constraints.length + 1];
        for (int i = 0; i < constraints.length; i++) results[i] = constraints[i];
        results[constraints.length] = constraint;
        constraints = results;
    }
}
Also used : SecurityConstraint(org.apache.tomcat.util.descriptor.web.SecurityConstraint) SecurityConstraint(org.apache.tomcat.util.descriptor.web.SecurityConstraint) SecurityCollection(org.apache.tomcat.util.descriptor.web.SecurityCollection)

Example 19 with SecurityConstraint

use of org.apache.tomcat.util.descriptor.web.SecurityConstraint in project tomcat by apache.

the class StandardContext method removeConstraint.

/**
     * Remove the specified security constraint from this web application.
     *
     * @param constraint Constraint to be removed
     */
@Override
public void removeConstraint(SecurityConstraint constraint) {
    synchronized (constraintsLock) {
        // Make sure this constraint is currently present
        int n = -1;
        for (int i = 0; i < constraints.length; i++) {
            if (constraints[i].equals(constraint)) {
                n = i;
                break;
            }
        }
        if (n < 0)
            return;
        // Remove the specified constraint
        int j = 0;
        SecurityConstraint[] results = new SecurityConstraint[constraints.length - 1];
        for (int i = 0; i < constraints.length; i++) {
            if (i != n)
                results[j++] = constraints[i];
        }
        constraints = results;
    }
    // Inform interested listeners
    fireContainerEvent("removeConstraint", constraint);
}
Also used : SecurityConstraint(org.apache.tomcat.util.descriptor.web.SecurityConstraint) SecurityConstraint(org.apache.tomcat.util.descriptor.web.SecurityConstraint)

Example 20 with SecurityConstraint

use of org.apache.tomcat.util.descriptor.web.SecurityConstraint in project tomcat by apache.

the class TestNonLoginAndBasicAuthenticator method setUpNonLogin.

private void setUpNonLogin() throws Exception {
    // Must have a real docBase for webapps - just use temp
    nonloginContext = tomcat.addContext(CONTEXT_PATH_NOLOGIN, System.getProperty("java.io.tmpdir"));
    // Add protected servlet to the context
    Tomcat.addServlet(nonloginContext, "TesterServlet1", new TesterServlet());
    nonloginContext.addServletMappingDecoded(URI_PROTECTED, "TesterServlet1");
    SecurityCollection collection1 = new SecurityCollection();
    collection1.addPatternDecoded(URI_PROTECTED);
    SecurityConstraint sc1 = new SecurityConstraint();
    sc1.addAuthRole(ROLE);
    sc1.addCollection(collection1);
    nonloginContext.addConstraint(sc1);
    // Add unprotected servlet to the context
    Tomcat.addServlet(nonloginContext, "TesterServlet2", new TesterServlet());
    nonloginContext.addServletMappingDecoded(URI_PUBLIC, "TesterServlet2");
    SecurityCollection collection2 = new SecurityCollection();
    collection2.addPatternDecoded(URI_PUBLIC);
    SecurityConstraint sc2 = new SecurityConstraint();
    // do not add a role - which signals access permitted without one
    sc2.addCollection(collection2);
    nonloginContext.addConstraint(sc2);
    // Configure the authenticator and inherit the Realm from Engine
    LoginConfig lc = new LoginConfig();
    lc.setAuthMethod("NONE");
    nonloginContext.setLoginConfig(lc);
    AuthenticatorBase nonloginAuthenticator = new NonLoginAuthenticator();
    nonloginContext.getPipeline().addValve(nonloginAuthenticator);
}
Also used : LoginConfig(org.apache.tomcat.util.descriptor.web.LoginConfig) TesterServlet(org.apache.catalina.startup.TesterServlet) SecurityConstraint(org.apache.tomcat.util.descriptor.web.SecurityConstraint) SecurityCollection(org.apache.tomcat.util.descriptor.web.SecurityCollection)

Aggregations

SecurityConstraint (org.apache.tomcat.util.descriptor.web.SecurityConstraint)33 SecurityCollection (org.apache.tomcat.util.descriptor.web.SecurityCollection)22 LoginConfig (org.apache.tomcat.util.descriptor.web.LoginConfig)14 Context (org.apache.catalina.Context)12 TesterServlet (org.apache.catalina.startup.TesterServlet)5 BasicAuthenticator (org.apache.catalina.authenticator.BasicAuthenticator)4 TesterMapRealm (org.apache.catalina.startup.TesterMapRealm)4 Tomcat (org.apache.catalina.startup.Tomcat)4 Test (org.junit.Test)4 ArrayList (java.util.ArrayList)3 Wrapper (org.apache.catalina.Wrapper)3 SSLAuthenticator (org.apache.catalina.authenticator.SSLAuthenticator)3 StandardContext (org.apache.catalina.core.StandardContext)3 Principal (java.security.Principal)2 Container (org.apache.catalina.Container)2 DigestAuthenticator (org.apache.catalina.authenticator.DigestAuthenticator)2 NonLoginAuthenticator (org.apache.catalina.authenticator.NonLoginAuthenticator)2 Request (org.apache.catalina.connector.Request)2 Response (org.apache.catalina.connector.Response)2 TesterServletEncodeUrl (org.apache.catalina.startup.TesterServletEncodeUrl)2