
the class ContextConfig method configureStop.

/**
 * Process a "stop" event for this Context.
 * <p>
 * Strips the Context of the web-application configuration that was
 * installed on it: child containers, security constraints, error pages,
 * filter definitions and mappings, MIME mappings, context parameters,
 * security roles, servlet mappings, welcome files and wrapper
 * lifecycle/listener entries. The antiLocking copy of the docBase (if
 * any) is deleted and the initializer scanning maps are cleared so that
 * the Context can be configured again from scratch.
 * <p>
 * Application parameters, EJB references, environments, resource
 * environment references, resource links and resources are intentionally
 * not removed here (the upstream removal code for them is commented out).
 */
protected synchronized void configureStop() {
    if (log.isDebugEnabled()) {
        log.debug(sm.getString("contextConfig.stop"));
    }

    // Child containers
    for (Container child : context.findChildren()) {
        context.removeChild(child);
    }

    // NOTE: application parameters are deliberately left in place
    // (removal code commented out upstream).

    // Security constraints
    for (SecurityConstraint constraint : context.findConstraints()) {
        context.removeConstraint(constraint);
    }

    // NOTE: EJB references and environments are deliberately left in
    // place (removal code commented out upstream).

    // Error pages
    for (ErrorPage errorPage : context.findErrorPages()) {
        context.removeErrorPage(errorPage);
    }

    // Filter definitions
    for (FilterDef filterDef : context.findFilterDefs()) {
        context.removeFilterDef(filterDef);
    }

    // Filter mappings
    for (FilterMap filterMap : context.findFilterMaps()) {
        context.removeFilterMap(filterMap);
    }

    // NOTE: local EJB references are deliberately left in place
    // (removal code commented out upstream).

    // MIME mappings (removed by the key returned from findMimeMappings)
    for (String mimeKey : context.findMimeMappings()) {
        context.removeMimeMapping(mimeKey);
    }

    // Context parameters (removed by name)
    for (String parameterName : context.findParameters()) {
        context.removeParameter(parameterName);
    }

    // NOTE: resource env refs, resource links and resources are
    // deliberately left in place (removal code commented out upstream).

    // Security roles
    for (String role : context.findSecurityRoles()) {
        context.removeSecurityRole(role);
    }

    // Servlet mappings (removed by the key returned from findServletMappings)
    for (String servletMapping : context.findServletMappings()) {
        context.removeServletMapping(servletMapping);
    }

    // FIXME : Removing status pages

    // Welcome files
    for (String welcomeFile : context.findWelcomeFiles()) {
        context.removeWelcomeFile(welcomeFile);
    }

    // Wrapper lifecycles
    for (String wrapperLifecycle : context.findWrapperLifecycles()) {
        context.removeWrapperLifecycle(wrapperLifecycle);
    }

    // Wrapper listeners
    for (String wrapperListener : context.findWrapperListeners()) {
        context.removeWrapperListener(wrapperListener);
    }

    // Remove (partially) folders and files created by antiLocking.
    // Failure is expected in this case, hence no logging of it.
    if (antiLockingDocBase != null) {
        ExpandWar.delete(antiLockingDocBase, false);
    }

    // Reset the initializer scanning state so a restart rescans
    initializerClassMap.clear();
    typeInitializerMap.clear();

    ok = true;
}

the class ContextConfig method validateSecurityRoles.

/**
 * Validate the usage of security role names in the web application
 * deployment descriptor. If any problems are found, issue warning
 * messages (for backwards compatibility) and add the missing roles.
 * (To make these problems fatal instead, simply set the <code>ok</code>
 * instance variable to <code>false</code> as well).
 * <p>
 * Three sources of role names are checked against the roles declared on
 * the Context: the auth roles of every security constraint (the special
 * "*" role is exempt), the run-as role of every Wrapper, and the role
 * that each of a Wrapper's security references links to. Any name that
 * is not already a declared security role is logged and declared.
 */
protected void validateSecurityRoles() {
    // Role names used in <security-constraint> elements
    for (SecurityConstraint constraint : context.findConstraints()) {
        for (String role : constraint.findAuthRoles()) {
            if ("*".equals(role) || context.findSecurityRole(role)) {
                continue;
            }
            log.warn(sm.getString("contextConfig.role.auth", role));
            context.addSecurityRole(role);
        }
    }

    // Role names used in <servlet> elements: run-as and role references
    for (Container child : context.findChildren()) {
        Wrapper wrapper = (Wrapper) child;

        String runAs = wrapper.getRunAs();
        if (runAs != null && !context.findSecurityRole(runAs)) {
            log.warn(sm.getString("contextConfig.role.runas", runAs));
            context.addSecurityRole(runAs);
        }

        for (String referenceName : wrapper.findSecurityReferences()) {
            String linkedRole = wrapper.findSecurityReference(referenceName);
            if (linkedRole != null && !context.findSecurityRole(linkedRole)) {
                log.warn(sm.getString("contextConfig.role.link", linkedRole));
                context.addSecurityRole(linkedRole);
            }
        }
    }
}

the class ContextConfig method authenticatorConfig.

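/**
 * Set up an Authenticator automatically if required, and one has not
 * already been configured.
 * <p>
 * Nothing is done when annotations are ignored, the Context has no
 * security constraints and pre-emptive authentication is off. Otherwise
 * a missing login configuration is replaced with {@code DUMMY_LOGIN_CONFIG}
 * so that constraints (including those from {@code @ServletSecurity}) can
 * still be enforced. The authenticator Valve class is then resolved by
 * auth-method, first from {@code customAuthenticators} and then from the
 * {@code authenticators} properties, instantiated reflectively and added
 * to the Context's pipeline.
 * <p>
 * Each of the following failures is logged and sets {@code ok} to
 * {@code false}: no Realm on the Context, no authenticator properties
 * loaded, no mapping for the auth-method, or the Valve class could not
 * be instantiated.
 */
protected void authenticatorConfig() {
    LoginConfig loginConfig = context.getLoginConfig();
    SecurityConstraint[] constraints = context.findConstraints();
    boolean noConstraints = constraints == null || constraints.length == 0;
    if (context.getIgnoreAnnotations() && noConstraints && !context.getPreemptiveAuthentication()) {
        // Nothing is protected and nothing can add protection later
        return;
    }
    if (loginConfig == null) {
        // Not metadata-complete or security constraints present, need
        // an authenticator to support @ServletSecurity annotations
        // and/or constraints
        loginConfig = DUMMY_LOGIN_CONFIG;
        context.setLoginConfig(loginConfig);
    }

    // Has an authenticator been configured already?
    if (context.getAuthenticator() != null) {
        return;
    }

    // Has a Realm been configured for us to authenticate against?
    if (context.getRealm() == null) {
        log.error(sm.getString("contextConfig.missingRealm"));
        ok = false;
        return;
    }

    String authMethod = loginConfig.getAuthMethod();

    /*
     * First check to see if there is a custom mapping for the login
     * method. If so, use it. Otherwise, check if there is a mapping in
     * org/apache/catalina/startup/Authenticators.properties. In both
     * cases the application only supplies the lookup key (its
     * auth-method); the Valve class name itself comes from server-side
     * configuration.
     */
    Valve authenticator = null;
    if (customAuthenticators != null) {
        authenticator = (Valve) customAuthenticators.get(authMethod);
    }

    if (authenticator == null) {
        if (authenticators == null) {
            log.error(sm.getString("contextConfig.authenticatorResources"));
            ok = false;
            return;
        }

        // Identify the class name of the Valve we should configure
        String authenticatorName = authenticators.getProperty(authMethod);
        if (authenticatorName == null) {
            log.error(sm.getString("contextConfig.authenticatorMissing", authMethod));
            ok = false;
            return;
        }

        // Instantiate and install an Authenticator of the requested class.
        // getConstructor().newInstance() replaces the deprecated
        // Class.newInstance(), which rethrew checked exceptions from the
        // constructor without declaring them; a constructor failure now
        // arrives wrapped in InvocationTargetException and is handled by
        // the catch below like any other instantiation failure.
        try {
            Class<?> authenticatorClass = Class.forName(authenticatorName);
            authenticator = (Valve) authenticatorClass.getConstructor().newInstance();
        } catch (Throwable t) {
            ExceptionUtils.handleThrowable(t);
            log.error(sm.getString("contextConfig.authenticatorInstantiate", authenticatorName), t);
            ok = false;
        }
    }

    if (authenticator != null) {
        Pipeline pipeline = context.getPipeline();
        if (pipeline != null) {
            pipeline.addValve(authenticator);
            if (log.isDebugEnabled()) {
                log.debug(sm.getString("contextConfig.authenticatorConfigured", authMethod));
            }
        }
    }
}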

the class ContextMBean method findConstraints.

/**
 * Return the security constraints for this web application.
 * If there are none, a zero-length array is returned.
 * <p>
 * Each element is the {@code toString()} form of the corresponding
 * {@link SecurityConstraint} held by the managed Context, in the order
 * the Context returns them.
 * @return a string array with a representation of each
 *  security constraint
 * @throws MBeanException propagated from the managed resource access
 */
public String[] findConstraints() throws MBeanException {
    Context managedContext = doGetManagedResource();
    SecurityConstraint[] constraints = managedContext.findConstraints();
    String[] rendered = new String[constraints.length];
    int position = 0;
    for (SecurityConstraint constraint : constraints) {
        rendered[position++] = constraint.toString();
    }
    return rendered;
}

the class TestRealmBase method testHttpConstraint.

/*
 * This test case covers the special case in section 13.4.1 of the Servlet
 * 3.1 specification for {@link javax.servlet.annotation.HttpConstraint}.
 *
 * The @ServletSecurity annotation on TesterServletSecurity01 is expanded
 * into constraints for "/*" and combined with a hand-built constraint that
 * restricts DELETE to ROLE1. Each HTTP method is then checked against four
 * principals: anonymous, a user in ROLE1, a user in ROLE2 and an
 * authenticated user with no roles at all.
 */
@Test
public void testHttpConstraint() throws IOException {
    // Expand the annotation on the test servlet into constraints for "/*"
    ServletSecurity annotation =
            TesterServletSecurity01.class.getAnnotation(ServletSecurity.class);
    ServletSecurityElement securityElement = new ServletSecurityElement(annotation);
    SecurityConstraint[] annotationConstraints =
            SecurityConstraint.createConstraints(securityElement, "/*");

    // Hand-built constraint: DELETE on any path requires ROLE1
    SecurityConstraint deleteConstraint = new SecurityConstraint();
    deleteConstraint.addAuthRole(ROLE1);
    SecurityCollection deleteCollection = new SecurityCollection();
    deleteCollection.addMethod("DELETE");
    deleteCollection.addPatternDecoded("/*");
    deleteConstraint.addCollection(deleteCollection);

    TesterMapRealm mapRealm = new TesterMapRealm();

    // Mock request/response whose Context declares both roles
    TesterRequest request = new TesterRequest();
    Response response = new TesterResponse();
    Context context = request.getContext();
    context.addSecurityRole(ROLE1);
    context.addSecurityRole(ROLE2);
    request.getMappingData().context = context;

    // Principals: ROLE1 only, ROLE2 only, authenticated but no roles
    List<String> rolesOfUser1 = new ArrayList<>();
    rolesOfUser1.add(ROLE1);
    GenericPrincipal user1 = new GenericPrincipal(USER1, PWD, rolesOfUser1);
    List<String> rolesOfUser2 = new ArrayList<>();
    rolesOfUser2.add(ROLE2);
    GenericPrincipal user2 = new GenericPrincipal(USER2, PWD, rolesOfUser2);
    List<String> rolesOfUser99 = new ArrayList<>();
    GenericPrincipal user99 = new GenericPrincipal(USER99, PWD, rolesOfUser99);

    // Install all constraints on the Context
    for (SecurityConstraint constraint : annotationConstraints) {
        context.addConstraint(constraint);
    }
    context.addConstraint(deleteConstraint);

    // Expected outcomes are given per principal in this order
    GenericPrincipal[] principals = { null, user1, user2, user99 };

    // GET is unconstrained: everyone, including anonymous, gets through
    assertAccessByPrincipal(mapRealm, request, response, context, "GET", principals,
            true, true, true, true);
    // POST requires role1, which only user1 has
    assertAccessByPrincipal(mapRealm, request, response, context, "POST", principals,
            false, true, false, false);
    // PUT requires an application role (role1 or role2): user1 or user2
    assertAccessByPrincipal(mapRealm, request, response, context, "PUT", principals,
            false, true, true, false);
    // TRACE requires any authenticated user, roles irrelevant
    assertAccessByPrincipal(mapRealm, request, response, context, "TRACE", principals,
            false, true, true, true);
    // DELETE is covered by the hand-built constraint: role1, so user1 only
    assertAccessByPrincipal(mapRealm, request, response, context, "DELETE", principals,
            false, true, false, false);
}

/**
 * Sets the request method, resolves the constraints applicable to it and
 * asserts, for each principal in turn ({@code null} meaning an anonymous
 * request), whether the realm grants resource permission.
 *
 * @param realm      the realm under test
 * @param request    mock request; its method and user principal are mutated
 * @param response   mock response passed through to the realm
 * @param context    the Context holding the constraints
 * @param method     HTTP method to test
 * @param principals principals to try, in the same order as {@code expected}
 * @param expected   expected permission result for each principal
 * @throws IOException propagated from the realm
 */
private static void assertAccessByPrincipal(TesterMapRealm realm, TesterRequest request,
        Response response, Context context, String method, GenericPrincipal[] principals,
        boolean... expected) throws IOException {
    request.setMethod(method);
    SecurityConstraint[] applicable = realm.findSecurityConstraints(request, context);
    for (int i = 0; i < principals.length; i++) {
        request.setUserPrincipal(principals[i]);
        boolean granted = realm.hasResourcePermission(request, response, applicable, null);
        Assert.assertEquals(method + " for principal index " + i, expected[i], granted);
    }
}