
Example 26 with ConstraintMapping

use of org.eclipse.jetty.security.ConstraintMapping in project elastic-core-maven by OrdinaryDude.

the class API method disableHttpMethods.

/**
 * Blocks every HTTP method listed in {@code DISABLED_HTTP_METHODS} on the given
 * security handler, then adds one catch-all mapping so that all remaining methods
 * on every path are explicitly covered by a constraint.
 *
 * <p>Only a {@link ConstraintSecurityHandler} can carry constraint mappings; any
 * other handler is left untouched.
 *
 * @param securityHandler the handler to configure; ignored when it is not a
 *                        {@code ConstraintSecurityHandler}
 */
private static void disableHttpMethods(SecurityHandler securityHandler) {
    if (!(securityHandler instanceof ConstraintSecurityHandler)) {
        return;
    }
    ConstraintSecurityHandler handler = (ConstraintSecurityHandler) securityHandler;
    // One blocking mapping per disabled method (helper defined elsewhere in this class).
    for (String disabled : DISABLED_HTTP_METHODS) {
        disableHttpMethod(handler, disabled);
    }
    // Catch-all mapping on "/" that omits the disabled methods. The constraint only gets a
    // name here, so it presumably imposes no roles or authentication — verify against the
    // Constraint defaults of the Jetty version in use.
    Constraint allowRest = new Constraint();
    allowRest.setName("Enable everything but TRACE");
    ConstraintMapping allowRestMapping = new ConstraintMapping();
    allowRestMapping.setConstraint(allowRest);
    allowRestMapping.setMethodOmissions(DISABLED_HTTP_METHODS);
    allowRestMapping.setPathSpec("/");
    handler.addConstraintMapping(allowRestMapping);
}

Example 27 with ConstraintMapping

use of org.eclipse.jetty.security.ConstraintMapping in project jetty.project by eclipse.

the class TestSecurityAnnotationConversions method compareResults.

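/**
 * Asserts that {@code actualMappings} is exactly the set of {@code expectedMappings}.
 *
 * <p>Beyond the size check, every actual mapping must be paired with a distinct
 * expected mapping that has the same path spec and the same (possibly null)
 * method; the paired constraints must then agree on authenticate flag, data
 * constraint, method omissions and roles. Each expected mapping can be claimed
 * only once, so two duplicate actual mappings cannot both satisfy the same
 * expectation while another expected mapping silently goes unmatched.
 *
 * @param expectedMappings the mappings the annotation conversion should produce
 * @param actualMappings   the mappings it did produce; must not be null
 */
private void compareResults(ConstraintMapping[] expectedMappings, List<ConstraintMapping> actualMappings) {
    assertNotNull(actualMappings);
    assertEquals(expectedMappings.length, actualMappings.size());
    // Tracks which expected mappings have already been paired, so matching is one-to-one.
    boolean[] claimed = new boolean[expectedMappings.length];
    for (ConstraintMapping am : actualMappings) {
        int paired = -1;
        for (int i = 0; i < expectedMappings.length && paired < 0; i++) {
            if (!claimed[i] && sameTarget(expectedMappings[i], am)) {
                paired = i;
            }
        }
        if (paired < 0) {
            fail("No expected ConstraintMapping matching method:" + am.getMethod() + " pathSpec: " + am.getPathSpec());
        } else {
            claimed[paired] = true;
            assertSameConstraint(expectedMappings[paired], am);
        }
    }
}

/** True when both mappings target the same path spec and the same (possibly null) method. */
private static boolean sameTarget(ConstraintMapping em, ConstraintMapping am) {
    if (!em.getPathSpec().equals(am.getPathSpec())) {
        return false;
    }
    if (em.getMethod() == null) {
        return am.getMethod() == null;
    }
    return em.getMethod().equals(am.getMethod());
}

/**
 * Asserts that the constraint details of {@code am} match those of {@code em}.
 * Method omissions and roles are compared element-wise in order, as in the original check.
 */
private static void assertSameConstraint(ConstraintMapping em, ConstraintMapping am) {
    assertEquals(em.getConstraint().getAuthenticate(), am.getConstraint().getAuthenticate());
    assertEquals(em.getConstraint().getDataConstraint(), am.getConstraint().getDataConstraint());
    if (em.getMethodOmissions() == null) {
        assertNull(am.getMethodOmissions());
    } else {
        assertTrue(Arrays.equals(am.getMethodOmissions(), em.getMethodOmissions()));
    }
    if (em.getConstraint().getRoles() == null) {
        assertNull(am.getConstraint().getRoles());
    } else {
        assertTrue(Arrays.equals(em.getConstraint().getRoles(), am.getConstraint().getRoles()));
    }
}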

Example 28 with ConstraintMapping

use of org.eclipse.jetty.security.ConstraintMapping in project jetty.project by eclipse.

the class TestSecurityAnnotationConversions method testPermitAll.

/**
 * A servlet whose security annotation permits everything must produce no
 * constraint mappings at all (Servlet Spec 3.1 pg 129), regardless of how many
 * url patterns it is mapped to.
 */
@Test
public void testPermitAll() throws Exception {
    // Expected outcome: an empty list. Otherwise there would be one mapping per ServletMapping pathSpec.
    ConstraintMapping[] expectedMappings = new ConstraintMapping[] {};
    // One servlet carrying a @ServletSecurity annotation (the PermitServlet fixture), mapped to two patterns.
    WebAppContext wac = makeWebAppContext(PermitServlet.class.getCanonicalName(), "permitServlet", new String[] { "/foo/*", "*.foo" });
    AnnotationIntrospector introspector = new AnnotationIntrospector();
    introspector.registerHandler(new ServletSecurityAnnotationHandler(wac));
    introspector.introspect(PermitServlet.class);
    compareResults(expectedMappings, ((ConstraintAware) wac.getSecurityHandler()).getConstraintMappings());
}

Example 29 with ConstraintMapping

use of org.eclipse.jetty.security.ConstraintMapping in project jetty.project by eclipse.

the class TestSecurityAnnotationConversions method testMethodAnnotation.

/**
 * A class-level {@code @ServletSecurity} with an {@code HttpConstraint} of
 * TransportGuarantee.CONFIDENTIAL plus a roles list, combined with an
 * {@code HttpMethodConstraint} for GET that permits all with TransportGuarantee.NONE,
 * must yield two mappings per url pattern: the class constraint with GET omitted,
 * and a GET-only mapping carrying the method-level constraint.
 */
@Test
public void testMethodAnnotation() throws Exception {
    String[] pathSpecs = { "/foo/*", "*.foo" };
    WebAppContext wac = makeWebAppContext(Method1Servlet.class.getCanonicalName(), "method1Servlet", pathSpecs);

    // Class-level expectation: authenticated, the three RolesAllowed roles, DC_CONFIDENTIAL.
    Constraint classConstraint = new Constraint();
    classConstraint.setAuthenticate(true);
    classConstraint.setRoles(new String[] { "tom", "dick", "harry" });
    classConstraint.setDataConstraint(Constraint.DC_CONFIDENTIAL);

    // Method-level expectation for doGet: no authentication, and the data constraint
    // is DC_NONE (the GET HttpMethodConstraint overrides the class-level guarantee).
    Constraint getConstraint = new Constraint();
    getConstraint.setDataConstraint(Constraint.DC_NONE);

    // Order matters only for readability: first the class-level mappings for each
    // pathSpec (GET omitted), then the GET-only mappings for each pathSpec.
    ConstraintMapping[] expectedMappings = new ConstraintMapping[2 * pathSpecs.length];
    for (int i = 0; i < pathSpecs.length; i++) {
        ConstraintMapping classLevel = new ConstraintMapping();
        classLevel.setConstraint(classConstraint);
        classLevel.setPathSpec(pathSpecs[i]);
        classLevel.setMethodOmissions(new String[] { "GET" });
        expectedMappings[i] = classLevel;

        ConstraintMapping getOnly = new ConstraintMapping();
        getOnly.setConstraint(getConstraint);
        getOnly.setPathSpec(pathSpecs[i]);
        getOnly.setMethod("GET");
        expectedMappings[pathSpecs.length + i] = getOnly;
    }

    AnnotationIntrospector introspector = new AnnotationIntrospector();
    introspector.registerHandler(new ServletSecurityAnnotationHandler(wac));
    introspector.introspect(Method1Servlet.class);
    compareResults(expectedMappings, ((ConstraintAware) wac.getSecurityHandler()).getConstraintMappings());
}

Example 30 with ConstraintMapping

use of org.eclipse.jetty.security.ConstraintMapping in project jetty.project by eclipse.

the class ServletSecurityAnnotationHandler method doHandle.

/**
 * Converts the {@link ServletSecurity} annotation on {@code clazz}, if any, into
 * constraint mappings on the context's security handler.
 *
 * <p>Processing is skipped with a warning when the security handler is not
 * {@link ConstraintAware}, or when constraints matching any of this servlet's
 * url patterns already exist (for example from web.xml) — explicit deployment
 * descriptor constraints take precedence over the annotation. Classes without
 * the annotation are ignored silently. After the generated mappings are added,
 * paths with uncovered HTTP methods are reported as Servlet Spec 3.1 requires.
 *
 * @param clazz the servlet class whose annotation is to be processed
 * @see org.eclipse.jetty.annotations.AnnotationIntrospector.IntrospectableAnnotationHandler#handle(java.lang.Class)
 */
public void doHandle(Class clazz) {
    if (!(_context.getSecurityHandler() instanceof ConstraintAware)) {
        LOG.warn("SecurityHandler not ConstraintAware, skipping security annotation processing");
        return;
    }
    ConstraintAware securityHandler = (ConstraintAware) _context.getSecurityHandler();

    ServletSecurity servletSecurity = (ServletSecurity) clazz.getAnnotation(ServletSecurity.class);
    if (servletSecurity == null) {
        return;
    }

    // Existing constraints (e.g. from web.xml) that cover any of this servlet's
    // url patterns win: leave them alone and ignore the annotation.
    List<ServletMapping> servletMappings = getServletMappings(clazz.getCanonicalName());
    if (constraintsExist(servletMappings, securityHandler.getConstraintMappings())) {
        LOG.warn("Constraints already defined for " + clazz.getName() + ", skipping ServletSecurity annotation");
        return;
    }

    // Build the mappings the annotation implies, one batch per url pattern,
    // recording the annotation on clazz as the origin of each url's constraint.
    ServletSecurityElement securityElement = new ServletSecurityElement(servletSecurity);
    List<ConstraintMapping> generated = new ArrayList<ConstraintMapping>();
    for (ServletMapping servletMapping : servletMappings) {
        for (String url : servletMapping.getPathSpecs()) {
            _context.getMetaData().setOrigin("constraint.url." + url, servletSecurity, clazz);
            generated.addAll(ConstraintSecurityHandler.createConstraintsWithMappingsForPath(clazz.getName(), url, securityElement));
        }
    }

    for (ConstraintMapping mapping : generated) {
        securityHandler.addConstraintMapping(mapping);
    }
    // Servlet Spec 3.1 requires paths with uncovered http methods to be reported.
    securityHandler.checkPathsWithUncoveredHttpMethods();
}
