Search in sources :

Example 36 with SecurityConstraint

use of org.apache.tomcat.util.descriptor.web.SecurityConstraint in project tomcat by apache.

the class ContextMBean method findConstraints.

/**
 * Return the security constraints for this web application.
 * If there are none, a zero-length array is returned.
 * @return a string array with a representation of each
 *  security constraint
 * @throws MBeanException propagated from the managed resource access
 */
public String[] findConstraints() throws MBeanException {
    Context context = doGetManagedResource();
    SecurityConstraint[] constraints = context.findConstraints();
    String[] stringConstraints = new String[constraints.length];
    for (int counter = 0; counter < constraints.length; counter++) {
        stringConstraints[counter] = constraints[counter].toString();
    }
    return stringConstraints;
}
Also used : Context(org.apache.catalina.Context) SecurityConstraint(org.apache.tomcat.util.descriptor.web.SecurityConstraint) SecurityConstraint(org.apache.tomcat.util.descriptor.web.SecurityConstraint)

Example 37 with SecurityConstraint

use of org.apache.tomcat.util.descriptor.web.SecurityConstraint in project tomcat by apache.

the class TestRealmBase method doRoleTest.

private void doRoleTest(List<String> userRoles, List<String> constraintOneRoles, List<String> constraintTwoRoles, List<String> applicationRoles, boolean expected) throws IOException {
    TesterMapRealm mapRealm = new TesterMapRealm();
    // Configure the security constraints for the resource
    SecurityConstraint constraintOne = new SecurityConstraint();
    if (constraintOneRoles != null) {
        constraintOne.setAuthConstraint(true);
        for (String constraintRole : constraintOneRoles) {
            constraintOne.addAuthRole(constraintRole);
            if (applicationRoles.contains(SecurityConstraint.ROLE_ALL_AUTHENTICATED_USERS)) {
                constraintOne.treatAllAuthenticatedUsersAsApplicationRole();
            }
        }
    }
    SecurityConstraint constraintTwo = new SecurityConstraint();
    if (constraintTwoRoles != null) {
        constraintTwo.setAuthConstraint(true);
        for (String constraintRole : constraintTwoRoles) {
            constraintTwo.addAuthRole(constraintRole);
            if (applicationRoles.contains(SecurityConstraint.ROLE_ALL_AUTHENTICATED_USERS)) {
                constraintTwo.treatAllAuthenticatedUsersAsApplicationRole();
            }
        }
    }
    SecurityConstraint[] constraints = new SecurityConstraint[] { constraintOne, constraintTwo };
    // Set up the mock request and response
    Request request = new Request(null);
    Response response = new TesterResponse();
    Context context = new TesterContext();
    for (String applicationRole : applicationRoles) {
        context.addSecurityRole(applicationRole);
    }
    request.getMappingData().context = context;
    // Configure the users in the Realm
    if (userRoles != null) {
        GenericPrincipal gp = new GenericPrincipal(USER1, userRoles);
        request.setUserPrincipal(gp);
    }
    // Check if user meets constraints
    boolean result = mapRealm.hasResourcePermission(request, response, constraints, null);
    Assert.assertEquals(Boolean.valueOf(expected), Boolean.valueOf(result));
}
Also used : TesterResponse(org.apache.tomcat.unittest.TesterResponse) Response(org.apache.catalina.connector.Response) Context(org.apache.catalina.Context) TesterContext(org.apache.tomcat.unittest.TesterContext) TesterMapRealm(org.apache.catalina.startup.TesterMapRealm) Request(org.apache.catalina.connector.Request) TesterRequest(org.apache.tomcat.unittest.TesterRequest) TesterResponse(org.apache.tomcat.unittest.TesterResponse) TesterContext(org.apache.tomcat.unittest.TesterContext) SecurityConstraint(org.apache.tomcat.util.descriptor.web.SecurityConstraint)

Example 38 with SecurityConstraint

use of org.apache.tomcat.util.descriptor.web.SecurityConstraint in project tomcat by apache.

the class TestRealmBase method testHttpConstraint.

/*
     * This test case covers the special case in section 13.4.1 of the Servlet
     * 3.1 specification for {@link jakarta.servlet.annotation.HttpConstraint}.
     */
@Test
public void testHttpConstraint() throws IOException {
    // Get the annotation from the test case
    Class<TesterServletSecurity01> clazz = TesterServletSecurity01.class;
    ServletSecurity servletSecurity = clazz.getAnnotation(ServletSecurity.class);
    // Convert the annotation into constraints
    ServletSecurityElement servletSecurityElement = new ServletSecurityElement(servletSecurity);
    SecurityConstraint[] constraints = SecurityConstraint.createConstraints(servletSecurityElement, "/*");
    // Create a separate constraint that covers DELETE
    SecurityConstraint deleteConstraint = new SecurityConstraint();
    deleteConstraint.addAuthRole(ROLE1);
    SecurityCollection deleteCollection = new SecurityCollection();
    deleteCollection.addMethod("DELETE");
    deleteCollection.addPatternDecoded("/*");
    deleteConstraint.addCollection(deleteCollection);
    TesterMapRealm mapRealm = new TesterMapRealm();
    // Set up the mock request and response
    TesterRequest request = new TesterRequest();
    Response response = new TesterResponse();
    Context context = request.getContext();
    context.addSecurityRole(ROLE1);
    context.addSecurityRole(ROLE2);
    request.getMappingData().context = context;
    // Create the principals
    List<String> userRoles1 = new ArrayList<>();
    userRoles1.add(ROLE1);
    GenericPrincipal gp1 = new GenericPrincipal(USER1, userRoles1);
    List<String> userRoles2 = new ArrayList<>();
    userRoles2.add(ROLE2);
    GenericPrincipal gp2 = new GenericPrincipal(USER2, userRoles2);
    List<String> userRoles99 = new ArrayList<>();
    GenericPrincipal gp99 = new GenericPrincipal(USER99, userRoles99);
    // Add the constraints to the context
    for (SecurityConstraint constraint : constraints) {
        context.addConstraint(constraint);
    }
    context.addConstraint(deleteConstraint);
    // All users should be able to perform a GET
    request.setMethod("GET");
    SecurityConstraint[] constraintsGet = mapRealm.findSecurityConstraints(request, context);
    request.setUserPrincipal(null);
    Assert.assertTrue(mapRealm.hasResourcePermission(request, response, constraintsGet, null));
    request.setUserPrincipal(gp1);
    Assert.assertTrue(mapRealm.hasResourcePermission(request, response, constraintsGet, null));
    request.setUserPrincipal(gp2);
    Assert.assertTrue(mapRealm.hasResourcePermission(request, response, constraintsGet, null));
    request.setUserPrincipal(gp99);
    Assert.assertTrue(mapRealm.hasResourcePermission(request, response, constraintsGet, null));
    // Only user1 should be able to perform a POST as only that user has
    // role1.
    request.setMethod("POST");
    SecurityConstraint[] constraintsPost = mapRealm.findSecurityConstraints(request, context);
    request.setUserPrincipal(null);
    Assert.assertFalse(mapRealm.hasResourcePermission(request, response, constraintsPost, null));
    request.setUserPrincipal(gp1);
    Assert.assertTrue(mapRealm.hasResourcePermission(request, response, constraintsPost, null));
    request.setUserPrincipal(gp2);
    Assert.assertFalse(mapRealm.hasResourcePermission(request, response, constraintsPost, null));
    request.setUserPrincipal(gp99);
    Assert.assertFalse(mapRealm.hasResourcePermission(request, response, constraintsPost, null));
    // Only users with application roles (role1 or role2 so user1 or user2)
    // should be able to perform a PUT.
    request.setMethod("PUT");
    SecurityConstraint[] constraintsPut = mapRealm.findSecurityConstraints(request, context);
    request.setUserPrincipal(null);
    Assert.assertFalse(mapRealm.hasResourcePermission(request, response, constraintsPut, null));
    request.setUserPrincipal(gp1);
    Assert.assertTrue(mapRealm.hasResourcePermission(request, response, constraintsPut, null));
    request.setUserPrincipal(gp2);
    Assert.assertTrue(mapRealm.hasResourcePermission(request, response, constraintsPut, null));
    request.setUserPrincipal(gp99);
    Assert.assertFalse(mapRealm.hasResourcePermission(request, response, constraintsPut, null));
    // Any authenticated user should be able to perform a TRACE.
    request.setMethod("TRACE");
    SecurityConstraint[] constraintsTrace = mapRealm.findSecurityConstraints(request, context);
    request.setUserPrincipal(null);
    Assert.assertFalse(mapRealm.hasResourcePermission(request, response, constraintsTrace, null));
    request.setUserPrincipal(gp1);
    Assert.assertTrue(mapRealm.hasResourcePermission(request, response, constraintsTrace, null));
    request.setUserPrincipal(gp2);
    Assert.assertTrue(mapRealm.hasResourcePermission(request, response, constraintsTrace, null));
    request.setUserPrincipal(gp99);
    Assert.assertTrue(mapRealm.hasResourcePermission(request, response, constraintsTrace, null));
    // Only user1 should be able to perform a DELETE as only that user has
    // role1.
    request.setMethod("DELETE");
    SecurityConstraint[] constraintsDelete = mapRealm.findSecurityConstraints(request, context);
    request.setUserPrincipal(null);
    Assert.assertFalse(mapRealm.hasResourcePermission(request, response, constraintsDelete, null));
    request.setUserPrincipal(gp1);
    Assert.assertTrue(mapRealm.hasResourcePermission(request, response, constraintsDelete, null));
    request.setUserPrincipal(gp2);
    Assert.assertFalse(mapRealm.hasResourcePermission(request, response, constraintsDelete, null));
    request.setUserPrincipal(gp99);
    Assert.assertFalse(mapRealm.hasResourcePermission(request, response, constraintsDelete, null));
}
Also used : Context(org.apache.catalina.Context) TesterContext(org.apache.tomcat.unittest.TesterContext) ServletSecurity(jakarta.servlet.annotation.ServletSecurity) ArrayList(java.util.ArrayList) TesterResponse(org.apache.tomcat.unittest.TesterResponse) ServletSecurityElement(jakarta.servlet.ServletSecurityElement) SecurityConstraint(org.apache.tomcat.util.descriptor.web.SecurityConstraint) TesterResponse(org.apache.tomcat.unittest.TesterResponse) Response(org.apache.catalina.connector.Response) TesterMapRealm(org.apache.catalina.startup.TesterMapRealm) TesterRequest(org.apache.tomcat.unittest.TesterRequest) SecurityCollection(org.apache.tomcat.util.descriptor.web.SecurityCollection) Test(org.junit.Test)

Aggregations

SecurityConstraint (org.apache.tomcat.util.descriptor.web.SecurityConstraint)38 SecurityCollection (org.apache.tomcat.util.descriptor.web.SecurityCollection)28 Context (org.apache.catalina.Context)18 LoginConfig (org.apache.tomcat.util.descriptor.web.LoginConfig)17 Tomcat (org.apache.catalina.startup.Tomcat)8 Test (org.junit.Test)7 TesterServlet (org.apache.catalina.startup.TesterServlet)6 TesterMapRealm (org.apache.catalina.startup.TesterMapRealm)5 ArrayList (java.util.ArrayList)4 AuthenticatorBase (org.apache.catalina.authenticator.AuthenticatorBase)3 BasicAuthenticator (org.apache.catalina.authenticator.BasicAuthenticator)3 SSLAuthenticator (org.apache.catalina.authenticator.SSLAuthenticator)3 StandardContext (org.apache.catalina.core.StandardContext)3 DefaultServlet (org.apache.catalina.servlets.DefaultServlet)3 FilterDef (org.apache.tomcat.util.descriptor.web.FilterDef)3 FilterMap (org.apache.tomcat.util.descriptor.web.FilterMap)3 TomcatEmbeddedServletContainerFactory (org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory)3 ClientEndpointConfig (jakarta.websocket.ClientEndpointConfig)2 File (java.io.File)2 Principal (java.security.Principal)2