Example 31 with SecurityConstraint

Use of org.apache.tomcat.util.descriptor.web.SecurityConstraint in project tomcat by apache.

The class TestRealmBase, method doRoleTest.

private void doRoleTest(List<String> userRoles, List<String> constraintOneRoles, List<String> constraintTwoRoles, List<String> applicationRoles, boolean expected) throws IOException {
    TesterMapRealm mapRealm = new TesterMapRealm();
    // Configure the security constraints for the resource
    SecurityConstraint constraintOne = new SecurityConstraint();
    if (constraintOneRoles != null) {
        constraintOne.setAuthConstraint(true);
        for (String constraintRole : constraintOneRoles) {
            constraintOne.addAuthRole(constraintRole);
            if (applicationRoles.contains(SecurityConstraint.ROLE_ALL_AUTHENTICATED_USERS)) {
                constraintOne.treatAllAuthenticatedUsersAsApplicationRole();
            }
        }
    }
    SecurityConstraint constraintTwo = new SecurityConstraint();
    if (constraintTwoRoles != null) {
        constraintTwo.setAuthConstraint(true);
        for (String constraintRole : constraintTwoRoles) {
            constraintTwo.addAuthRole(constraintRole);
            if (applicationRoles.contains(SecurityConstraint.ROLE_ALL_AUTHENTICATED_USERS)) {
                constraintTwo.treatAllAuthenticatedUsersAsApplicationRole();
            }
        }
    }
    SecurityConstraint[] constraints = new SecurityConstraint[] { constraintOne, constraintTwo };
    // Set up the mock request and response
    Request request = new Request(null);
    Response response = new TesterResponse();
    Context context = new TesterContext();
    for (String applicationRole : applicationRoles) {
        context.addSecurityRole(applicationRole);
    }
    request.getMappingData().context = context;
    // Configure the users in the Realm
    if (userRoles != null) {
        GenericPrincipal gp = new GenericPrincipal(USER1, PWD, userRoles);
        request.setUserPrincipal(gp);
    }
    // Check if user meets constraints
    boolean result = mapRealm.hasResourcePermission(request, response, constraints, null);
    Assert.assertEquals(Boolean.valueOf(expected), Boolean.valueOf(result));
}
Also used: TesterResponse(org.apache.tomcat.unittest.TesterResponse), Response(org.apache.catalina.connector.Response), Context(org.apache.catalina.Context), TesterContext(org.apache.tomcat.unittest.TesterContext), TesterMapRealm(org.apache.catalina.startup.TesterMapRealm), Request(org.apache.catalina.connector.Request), TesterRequest(org.apache.tomcat.unittest.TesterRequest), SecurityConstraint(org.apache.tomcat.util.descriptor.web.SecurityConstraint)

Example 32 with SecurityConstraint

Use of org.apache.tomcat.util.descriptor.web.SecurityConstraint in project tomcat by apache.

The class TestRestCsrfPreventionFilter2, method setUpApplication.

private void setUpApplication() throws Exception {
    // Create the test context with a short session timeout
    context = tomcat.addContext(CONTEXT_PATH_LOGIN, System.getProperty("java.io.tmpdir"));
    context.setSessionTimeout(SHORT_SESSION_TIMEOUT_MINS);
    // Map the test servlet to the protected URI
    Tomcat.addServlet(context, SERVLET_NAME, new TesterServlet());
    context.addServletMappingDecoded(URI_PROTECTED, SERVLET_NAME);
    // Register RestCsrfPreventionFilter, passing REMOVE_CUSTOMER and ADD_CUSTOMER
    // as a comma-separated init parameter
    FilterDef filterDef = new FilterDef();
    filterDef.setFilterName(FILTER_NAME);
    filterDef.setFilterClass(RestCsrfPreventionFilter.class.getCanonicalName());
    filterDef.addInitParameter(FILTER_INIT_PARAM, REMOVE_CUSTOMER + "," + ADD_CUSTOMER);
    context.addFilterDef(filterDef);
    // Apply the filter to URI_CSRF_PROTECTED
    FilterMap filterMap = new FilterMap();
    filterMap.setFilterName(FILTER_NAME);
    filterMap.addURLPatternDecoded(URI_CSRF_PROTECTED);
    context.addFilterMap(filterMap);
    // Require ROLE for requests matching URI_PROTECTED
    SecurityCollection collection = new SecurityCollection();
    collection.addPatternDecoded(URI_PROTECTED);
    SecurityConstraint sc = new SecurityConstraint();
    sc.addAuthRole(ROLE);
    sc.addCollection(collection);
    context.addConstraint(sc);
    // Set the login method and add the BASIC authenticator valve to the pipeline
    LoginConfig lc = new LoginConfig();
    lc.setAuthMethod(METHOD);
    context.setLoginConfig(lc);
    AuthenticatorBase basicAuthenticator = new BasicAuthenticator();
    context.getPipeline().addValve(basicAuthenticator);
}
Also used: AuthenticatorBase(org.apache.catalina.authenticator.AuthenticatorBase), FilterDef(org.apache.tomcat.util.descriptor.web.FilterDef), BasicAuthenticator(org.apache.catalina.authenticator.BasicAuthenticator), LoginConfig(org.apache.tomcat.util.descriptor.web.LoginConfig), FilterMap(org.apache.tomcat.util.descriptor.web.FilterMap), SecurityConstraint(org.apache.tomcat.util.descriptor.web.SecurityConstraint), SecurityCollection(org.apache.tomcat.util.descriptor.web.SecurityCollection)

Example 33 with SecurityConstraint

Use of org.apache.tomcat.util.descriptor.web.SecurityConstraint in project cas by apereo.

The class CasEmbeddedContainerTomcatConfiguration, method configureBasicAuthn.

private void configureBasicAuthn(final TomcatEmbeddedServletContainerFactory tomcat) {
    final CasEmbeddedApacheTomcatBasicAuthenticationProperties basic = casProperties.getServer().getBasicAuthn();
    // Only applies when basic authentication is enabled in the CAS server properties
    if (basic.isEnabled()) {
        tomcat.addContextCustomizers(ctx -> {
            // Use HTTP BASIC authentication for the context
            final LoginConfig config = new LoginConfig();
            config.setAuthMethod("BASIC");
            ctx.setLoginConfig(config);
            // Declare the configured security roles on the context
            basic.getSecurityRoles().forEach(ctx::addSecurityRole);
            // One constraint per auth role, each covering all configured URL patterns
            basic.getAuthRoles().forEach(r -> {
                final SecurityConstraint constraint = new SecurityConstraint();
                constraint.addAuthRole(r);
                final SecurityCollection collection = new SecurityCollection();
                basic.getPatterns().forEach(collection::addPattern);
                constraint.addCollection(collection);
                ctx.addConstraint(constraint);
            });
        });
        // Install the authenticator valve that enforces BASIC authentication
        tomcat.addContextValves(new BasicAuthenticator());
    }
}
Also used: BasicAuthenticator(org.apache.catalina.authenticator.BasicAuthenticator), LoginConfig(org.apache.tomcat.util.descriptor.web.LoginConfig), CasEmbeddedApacheTomcatBasicAuthenticationProperties(org.apereo.cas.configuration.model.core.web.tomcat.CasEmbeddedApacheTomcatBasicAuthenticationProperties), SecurityConstraint(org.apache.tomcat.util.descriptor.web.SecurityConstraint), SecurityCollection(org.apache.tomcat.util.descriptor.web.SecurityCollection)

Aggregations

SecurityConstraint (org.apache.tomcat.util.descriptor.web.SecurityConstraint): 33
SecurityCollection (org.apache.tomcat.util.descriptor.web.SecurityCollection): 22
LoginConfig (org.apache.tomcat.util.descriptor.web.LoginConfig): 14
Context (org.apache.catalina.Context): 12
TesterServlet (org.apache.catalina.startup.TesterServlet): 5
BasicAuthenticator (org.apache.catalina.authenticator.BasicAuthenticator): 4
TesterMapRealm (org.apache.catalina.startup.TesterMapRealm): 4
Tomcat (org.apache.catalina.startup.Tomcat): 4
Test (org.junit.Test): 4
ArrayList (java.util.ArrayList): 3
Wrapper (org.apache.catalina.Wrapper): 3
SSLAuthenticator (org.apache.catalina.authenticator.SSLAuthenticator): 3
StandardContext (org.apache.catalina.core.StandardContext): 3
Principal (java.security.Principal): 2
Container (org.apache.catalina.Container): 2
DigestAuthenticator (org.apache.catalina.authenticator.DigestAuthenticator): 2
NonLoginAuthenticator (org.apache.catalina.authenticator.NonLoginAuthenticator): 2
Request (org.apache.catalina.connector.Request): 2
Response (org.apache.catalina.connector.Response): 2
TesterServletEncodeUrl (org.apache.catalina.startup.TesterServletEncodeUrl): 2