use of org.apache.tomcat.util.descriptor.web.SecurityConstraint in project tomee by apache.
the class TomcatHessianRegistry method createNewContext.
private static Context createNewContext(final ClassLoader classLoader, final String rAuthMethod, final String rTransportGuarantee, final String realmName, final String name) {
String path = name;
if (path == null) {
path = "/";
}
if (!path.startsWith("/")) {
path = "/" + path;
}
final StandardContext context = new IgnoredStandardContext();
context.setPath(path);
context.setDocBase("");
context.setParentClassLoader(classLoader);
context.setDelegate(true);
context.setName(name);
TomcatWebAppBuilder.class.cast(SystemInstance.get().getComponent(WebAppBuilder.class)).initJ2EEInfo(context);
// Configure security
String authMethod = rAuthMethod;
if (authMethod != null) {
authMethod = authMethod.toUpperCase();
}
String transportGuarantee = rTransportGuarantee;
if (transportGuarantee != null) {
transportGuarantee = transportGuarantee.toUpperCase();
}
if (authMethod != null & !"NONE".equals(authMethod)) {
if ("BASIC".equals(authMethod) || "DIGEST".equals(authMethod) || "CLIENT-CERT".equals(authMethod)) {
// Setup a login configuration
final LoginConfig loginConfig = new LoginConfig();
loginConfig.setAuthMethod(authMethod);
loginConfig.setRealmName(realmName);
context.setLoginConfig(loginConfig);
// Setup a default Security Constraint
final String securityRole = SystemInstance.get().getProperty(TOMEE_HESSIAN_SECURITY_ROLE_PREFIX + name, "default");
for (final String role : securityRole.split(",")) {
final SecurityCollection collection = new SecurityCollection();
collection.addMethod("GET");
collection.addMethod("POST");
collection.addPattern("/*");
collection.setName(role);
final SecurityConstraint sc = new SecurityConstraint();
sc.addAuthRole("*");
sc.addCollection(collection);
sc.setAuthConstraint(true);
sc.setUserConstraint(transportGuarantee);
context.addConstraint(sc);
context.addSecurityRole(role);
}
}
// Set the proper authenticator
switch(authMethod) {
case "BASIC":
context.addValve(new BasicAuthenticator());
break;
case "DIGEST":
context.addValve(new DigestAuthenticator());
break;
case "CLIENT-CERT":
context.addValve(new SSLAuthenticator());
break;
case "NONE":
context.addValve(new NonLoginAuthenticator());
break;
}
context.getPipeline().addValve(new OpenEJBValve());
} else {
throw new IllegalArgumentException("Invalid authMethod: " + authMethod);
}
return context;
}
use of org.apache.tomcat.util.descriptor.web.SecurityConstraint in project tomcat by apache.
the class StandardContext method addServletSecurity.
@Override
public Set<String> addServletSecurity(ServletRegistration.Dynamic registration, ServletSecurityElement servletSecurityElement) {
Set<String> conflicts = new HashSet<>();
Collection<String> urlPatterns = registration.getMappings();
for (String urlPattern : urlPatterns) {
boolean foundConflict = false;
SecurityConstraint[] securityConstraints = findConstraints();
for (SecurityConstraint securityConstraint : securityConstraints) {
SecurityCollection[] collections = securityConstraint.findCollections();
for (SecurityCollection collection : collections) {
if (collection.findPattern(urlPattern)) {
// not. It is not permitted to have a mixture
if (collection.isFromDescriptor()) {
// Skip this pattern
foundConflict = true;
conflicts.add(urlPattern);
break;
} else {
// Need to overwrite constraint for this pattern
collection.removePattern(urlPattern);
// If the collection is now empty, remove it
if (collection.findPatterns().length == 0) {
securityConstraint.removeCollection(collection);
}
}
}
}
// If the constraint now has no collections - remove it
if (securityConstraint.findCollections().length == 0) {
removeConstraint(securityConstraint);
}
// once a conflict has been found
if (foundConflict) {
break;
}
}
// If the pattern did not conflict, add the new constraint(s).
if (!foundConflict) {
SecurityConstraint[] newSecurityConstraints = SecurityConstraint.createConstraints(servletSecurityElement, urlPattern);
for (SecurityConstraint securityConstraint : newSecurityConstraints) {
addConstraint(securityConstraint);
}
checkConstraintsForUncoveredMethods(newSecurityConstraints);
}
}
return conflicts;
}
use of org.apache.tomcat.util.descriptor.web.SecurityConstraint in project tomcat by apache.
the class StandardContext method addConstraint.
/**
* Add a security constraint to the set for this web application.
*
* @param constraint the new security constraint
*/
@Override
public void addConstraint(SecurityConstraint constraint) {
// Validate the proposed constraint
SecurityCollection[] collections = constraint.findCollections();
for (int i = 0; i < collections.length; i++) {
String[] patterns = collections[i].findPatterns();
for (int j = 0; j < patterns.length; j++) {
patterns[j] = adjustURLPattern(patterns[j]);
if (!validateURLPattern(patterns[j]))
throw new IllegalArgumentException(sm.getString("standardContext.securityConstraint.pattern", patterns[j]));
}
if (collections[i].findMethods().length > 0 && collections[i].findOmittedMethods().length > 0) {
throw new IllegalArgumentException(sm.getString("standardContext.securityConstraint.mixHttpMethod"));
}
}
// Add this constraint to the set for our web application
synchronized (constraintsLock) {
SecurityConstraint[] results = new SecurityConstraint[constraints.length + 1];
for (int i = 0; i < constraints.length; i++) results[i] = constraints[i];
results[constraints.length] = constraint;
constraints = results;
}
}
use of org.apache.tomcat.util.descriptor.web.SecurityConstraint in project tomcat by apache.
the class StandardContext method removeConstraint.
/**
* Remove the specified security constraint from this web application.
*
* @param constraint Constraint to be removed
*/
@Override
public void removeConstraint(SecurityConstraint constraint) {
synchronized (constraintsLock) {
// Make sure this constraint is currently present
int n = -1;
for (int i = 0; i < constraints.length; i++) {
if (constraints[i].equals(constraint)) {
n = i;
break;
}
}
if (n < 0)
return;
// Remove the specified constraint
int j = 0;
SecurityConstraint[] results = new SecurityConstraint[constraints.length - 1];
for (int i = 0; i < constraints.length; i++) {
if (i != n)
results[j++] = constraints[i];
}
constraints = results;
}
// Inform interested listeners
fireContainerEvent("removeConstraint", constraint);
}
use of org.apache.tomcat.util.descriptor.web.SecurityConstraint in project tomcat by apache.
the class TestNonLoginAndBasicAuthenticator method setUpNonLogin.
private void setUpNonLogin() throws Exception {
// Must have a real docBase for webapps - just use temp
nonloginContext = tomcat.addContext(CONTEXT_PATH_NOLOGIN, System.getProperty("java.io.tmpdir"));
// Add protected servlet to the context
Tomcat.addServlet(nonloginContext, "TesterServlet1", new TesterServlet());
nonloginContext.addServletMappingDecoded(URI_PROTECTED, "TesterServlet1");
SecurityCollection collection1 = new SecurityCollection();
collection1.addPatternDecoded(URI_PROTECTED);
SecurityConstraint sc1 = new SecurityConstraint();
sc1.addAuthRole(ROLE);
sc1.addCollection(collection1);
nonloginContext.addConstraint(sc1);
// Add unprotected servlet to the context
Tomcat.addServlet(nonloginContext, "TesterServlet2", new TesterServlet());
nonloginContext.addServletMappingDecoded(URI_PUBLIC, "TesterServlet2");
SecurityCollection collection2 = new SecurityCollection();
collection2.addPatternDecoded(URI_PUBLIC);
SecurityConstraint sc2 = new SecurityConstraint();
// do not add a role - which signals access permitted without one
sc2.addCollection(collection2);
nonloginContext.addConstraint(sc2);
// Configure the authenticator and inherit the Realm from Engine
LoginConfig lc = new LoginConfig();
lc.setAuthMethod("NONE");
nonloginContext.setLoginConfig(lc);
AuthenticatorBase nonloginAuthenticator = new NonLoginAuthenticator();
nonloginContext.getPipeline().addValve(nonloginAuthenticator);
}
Aggregations