
Example 1 with Constraint

use of org.eclipse.jetty.util.security.Constraint in project jetty.project by eclipse.

the class TestSecurityAnnotationConversions method testMethodAnnotation2.

/**
 * Checks how a {@code ServletSecurity} annotation with both a class-level constraint and a
 * GET-specific constraint is converted into Jetty constraint mappings.
 *
 * <p>The expected result is two mappings per servlet path spec: a role-restricted one that
 * omits GET, and a GET-only one that carries just the transport requirement. The GET mapping
 * sets no authenticate flag and no roles, so the only protection expected on GET is
 * {@code DC_CONFIDENTIAL}.
 */
@Test
public void testMethodAnnotation2() throws Exception {
    // Method2Servlet: HttpConstraint of CONFIDENTIAL with defined roles, plus an
    // HttpMethodConstraint for GET that permits all but still requires CONFIDENTIAL.
    WebAppContext context = makeWebAppContext(Method2Servlet.class.getCanonicalName(), "method2Servlet", new String[] { "/foo/*", "*.foo" });
    AnnotationIntrospector annotationIntrospector = new AnnotationIntrospector();
    annotationIntrospector.registerHandler(new ServletSecurityAnnotationHandler(context));

    // Expected for every method other than GET: authenticated, limited to the listed roles,
    // with a data constraint of DC_CONFIDENTIAL.
    Constraint rolesConstraint = new Constraint();
    rolesConstraint.setAuthenticate(true);
    rolesConstraint.setRoles(new String[] { "tom", "dick", "harry" });
    rolesConstraint.setDataConstraint(Constraint.DC_CONFIDENTIAL);

    // Expected for GET: no roles and no authentication, only DC_CONFIDENTIAL.
    Constraint getConstraint = new Constraint();
    getConstraint.setDataConstraint(Constraint.DC_CONFIDENTIAL);

    // Slots [0..1] hold the role mappings (GET omitted), slots [2..3] the GET mappings,
    // each in path-spec order.
    String[] specs = { "/foo/*", "*.foo" };
    ConstraintMapping[] expected = new ConstraintMapping[2 * specs.length];
    for (int k = 0; k < specs.length; k++) {
        ConstraintMapping allButGet = new ConstraintMapping();
        allButGet.setConstraint(rolesConstraint);
        allButGet.setPathSpec(specs[k]);
        allButGet.setMethodOmissions(new String[] { "GET" });
        expected[k] = allButGet;

        ConstraintMapping getOnly = new ConstraintMapping();
        getOnly.setConstraint(getConstraint);
        getOnly.setPathSpec(specs[k]);
        getOnly.setMethod("GET");
        expected[specs.length + k] = getOnly;
    }

    annotationIntrospector.introspect(Method2Servlet.class);
    ConstraintAware securityHandler = (ConstraintAware) context.getSecurityHandler();
    compareResults(expected, securityHandler.getConstraintMappings());
}
Also used : WebAppContext(org.eclipse.jetty.webapp.WebAppContext) ConstraintMapping(org.eclipse.jetty.security.ConstraintMapping) HttpConstraint(javax.servlet.annotation.HttpConstraint) HttpMethodConstraint(javax.servlet.annotation.HttpMethodConstraint) Constraint(org.eclipse.jetty.util.security.Constraint) Test(org.junit.Test)

Example 2 with Constraint

use of org.eclipse.jetty.util.security.Constraint in project jetty.project by eclipse.

the class TestSecurityAnnotationConversions method testDenyAllOnClass.

/**
 * Checks the conversion of a class-level {@code @HttpConstraint} whose value is
 * {@code EmptyRoleSemantic.DENY}.
 *
 * <p>The expected constraint requires authentication but names no roles, with a data
 * constraint of {@code DC_NONE}; that is the form this test expects a deny-all rule to take.
 * One mapping is expected per servlet path spec, with no method restriction.
 */
@Test
public void testDenyAllOnClass() throws Exception {
    WebAppContext context = makeWebAppContext(DenyServlet.class.getCanonicalName(), "denyServlet", new String[] { "/foo/*", "*.foo" });

    // Assume one servlet was found carrying @HttpConstraint(value = EmptyRoleSemantic.DENY).
    ServletSecurityAnnotationHandler securityAnnotationHandler = new ServletSecurityAnnotationHandler(context);
    AnnotationIntrospector annotationIntrospector = new AnnotationIntrospector();
    annotationIntrospector.registerHandler(securityAnnotationHandler);

    // Authentication demanded, no role granted, no transport requirement.
    Constraint denyAll = new Constraint();
    denyAll.setAuthenticate(true);
    denyAll.setDataConstraint(Constraint.DC_NONE);

    // One ConstraintMapping per ServletMapping pathSpec, in path-spec order.
    String[] specs = { "/foo/*", "*.foo" };
    ConstraintMapping[] expected = new ConstraintMapping[specs.length];
    for (int k = 0; k < specs.length; k++) {
        ConstraintMapping mapping = new ConstraintMapping();
        mapping.setConstraint(denyAll);
        mapping.setPathSpec(specs[k]);
        expected[k] = mapping;
    }

    annotationIntrospector.introspect(DenyServlet.class);
    ConstraintAware securityHandler = (ConstraintAware) context.getSecurityHandler();
    compareResults(expected, securityHandler.getConstraintMappings());
}
Also used : WebAppContext(org.eclipse.jetty.webapp.WebAppContext) ConstraintMapping(org.eclipse.jetty.security.ConstraintMapping) HttpConstraint(javax.servlet.annotation.HttpConstraint) HttpMethodConstraint(javax.servlet.annotation.HttpMethodConstraint) Constraint(org.eclipse.jetty.util.security.Constraint) Test(org.junit.Test)

Example 3 with Constraint

use of org.eclipse.jetty.util.security.Constraint in project jetty.project by eclipse.

the class TestSecurityAnnotationConversions method testRolesAllowedWithTransportGuarantee.

/**
 * Checks the conversion of a servlet annotation that names roles and a transport guarantee.
 *
 * <p>The expected constraint requires authentication, is limited to the listed roles, and has
 * a data constraint of {@code DC_CONFIDENTIAL}. One mapping is expected per servlet path spec,
 * with no method restriction.
 */
@Test
public void testRolesAllowedWithTransportGuarantee() throws Exception {
    // Assume one servlet was found whose annotation defines roles and a TransportGuarantee.
    WebAppContext context = makeWebAppContext(RolesServlet.class.getCanonicalName(), "rolesServlet", new String[] { "/foo/*", "*.foo" });
    ServletSecurityAnnotationHandler securityAnnotationHandler = new ServletSecurityAnnotationHandler(context);
    AnnotationIntrospector annotationIntrospector = new AnnotationIntrospector();
    annotationIntrospector.registerHandler(securityAnnotationHandler);

    // Role check and transport requirement are both expected on the same constraint.
    Constraint rolesOverConfidential = new Constraint();
    rolesOverConfidential.setAuthenticate(true);
    rolesOverConfidential.setRoles(new String[] { "tom", "dick", "harry" });
    rolesOverConfidential.setDataConstraint(Constraint.DC_CONFIDENTIAL);

    // One ConstraintMapping per ServletMapping, in path-spec order.
    String[] specs = { "/foo/*", "*.foo" };
    ConstraintMapping[] expected = new ConstraintMapping[specs.length];
    for (int k = 0; k < specs.length; k++) {
        ConstraintMapping mapping = new ConstraintMapping();
        mapping.setConstraint(rolesOverConfidential);
        mapping.setPathSpec(specs[k]);
        expected[k] = mapping;
    }

    annotationIntrospector.introspect(RolesServlet.class);
    ConstraintAware securityHandler = (ConstraintAware) context.getSecurityHandler();
    compareResults(expected, securityHandler.getConstraintMappings());
}
Also used : WebAppContext(org.eclipse.jetty.webapp.WebAppContext) ConstraintMapping(org.eclipse.jetty.security.ConstraintMapping) HttpConstraint(javax.servlet.annotation.HttpConstraint) HttpMethodConstraint(javax.servlet.annotation.HttpMethodConstraint) Constraint(org.eclipse.jetty.util.security.Constraint) Test(org.junit.Test)

Example 4 with Constraint

use of org.eclipse.jetty.util.security.Constraint in project jetty.project by eclipse.

the class HttpClientAuthenticationTest method start.

/**
 * Starts a test server whose {@code /secure} path requires authentication.
 *
 * <p>Only the exact path spec {@code /secure} is mapped to the constraint; nothing in this
 * method constrains any other path. The role {@code "**"} admits any authenticated user, so
 * this fixture exercises authentication only, not role-based authorization.
 *
 * @param authenticator the server-side authenticator installed on the security handler
 * @param handler the handler wrapped by the security handler
 * @throws Exception if the server cannot be set up or started
 */
private void start(Authenticator authenticator, Handler handler) throws Exception {
    server = new Server();

    // Users and credentials come from the realm.properties test resource.
    String realmPath = MavenTestingUtils.getTestResourceFile("realm.properties").getAbsolutePath();
    LoginService realmLogin = new HashLoginService(realm, realmPath);
    server.addBean(realmLogin);

    ConstraintSecurityHandler security = new ConstraintSecurityHandler();

    // Authentication is required; "**" allows any authenticated user.
    Constraint anyAuthenticatedUser = new Constraint();
    anyAuthenticatedUser.setAuthenticate(true);
    anyAuthenticatedUser.setRoles(new String[] { "**" });

    ConstraintMapping secureMapping = new ConstraintMapping();
    secureMapping.setPathSpec("/secure");
    secureMapping.setConstraint(anyAuthenticatedUser);

    security.addConstraintMapping(secureMapping);
    security.setAuthenticator(authenticator);
    security.setLoginService(realmLogin);
    security.setHandler(handler);

    start(security);
}
Also used : HashLoginService(org.eclipse.jetty.security.HashLoginService) ConstraintMapping(org.eclipse.jetty.security.ConstraintMapping) Server(org.eclipse.jetty.server.Server) Constraint(org.eclipse.jetty.util.security.Constraint) ConstraintSecurityHandler(org.eclipse.jetty.security.ConstraintSecurityHandler) File(java.io.File) HashLoginService(org.eclipse.jetty.security.HashLoginService) LoginService(org.eclipse.jetty.security.LoginService)

Example 5 with Constraint

use of org.eclipse.jetty.util.security.Constraint in project jetty.project by eclipse.

the class Runner method configure.

/**
 * Configure a jetty instance and deploy the webapps presented as args.
 *
 * <p>The arguments are scanned twice. The first pass handles only {@code --lib}, {@code --jar}
 * and {@code --classes}, so that the classloader is initialized before anything is logged. The
 * second pass handles the remaining options and treats every argument that is not a recognized
 * option as a context to deploy (a context XML file, otherwise a webapp).
 *
 * <p>The server, its handler tree and its connector are built once, when the first context
 * argument is reached. {@code --port}, {@code --host}, {@code --config} and {@code --stats} are
 * read at that moment, so they only take effect when they precede the first context argument.
 * {@code --path} applies to the next context only and is then reset.
 *
 * <p>Security-relevant behaviour visible in this method:
 * <ul>
 * <li>{@code --stats unsecure} publishes the statistics servlet at {@code /stats} with no
 * security handler at all; any other value is used as the properties file of a realm and the
 * context is restricted to the {@code admin} role with Basic authentication.</li>
 * <li>Files named by {@code --config} and context {@code .xml} arguments are applied through
 * {@code XmlConfiguration}; they configure the server itself and must come from a trusted
 * source.</li>
 * <li>The stop key is taken from the command line.</li>
 * </ul>
 *
 * <p>Option values are read with {@code args[++i]} without a bounds check, so an option given
 * as the last argument without its value fails with an {@code ArrayIndexOutOfBoundsException},
 * and a non-numeric port fails with a {@code NumberFormatException}.
 *
 * @param args the command line arguments
 * @throws Exception if unable to configure
 */
public void configure(String[] args) throws Exception {
    // handle classpath bits first so we can initialize the log mechanism.
    for (int i = 0; i < args.length; i++) {
        if ("--lib".equals(args[i])) {
            try (Resource lib = Resource.newResource(args[++i])) {
                // NOTE(review): the line after each usage(...) call assumes usage does not
                // return (presumably it exits) — confirm.
                if (!lib.exists() || !lib.isDirectory())
                    usage("No such lib directory " + lib);
                _classpath.addJars(lib);
            }
        } else if ("--jar".equals(args[i])) {
            try (Resource jar = Resource.newResource(args[++i])) {
                if (!jar.exists() || jar.isDirectory())
                    usage("No such jar " + jar);
                _classpath.addPath(jar);
            }
        } else if ("--classes".equals(args[i])) {
            try (Resource classes = Resource.newResource(args[++i])) {
                if (!classes.exists() || !classes.isDirectory())
                    usage("No such classes directory " + classes);
                _classpath.addPath(classes);
            }
        } else if (args[i].startsWith("--"))
            // any other option: skip its value too; this treats every "--" option as taking
            // exactly one value
            i++;
    }
    initClassLoader();
    LOG.info("Runner");
    LOG.debug("Runner classpath {}", _classpath);
    // defaults for the second pass; each may be overridden by an option below
    String contextPath = __defaultContextPath;
    boolean contextPathSet = false;
    int port = __defaultPort;
    String host = null;
    int stopPort = 0;
    String stopKey = null;
    boolean runnerServerInitialized = false;
    for (int i = 0; i < args.length; i++) {
        switch(args[i]) {
            case "--port":
                port = Integer.parseInt(args[++i]);
                break;
            case "--host":
                host = args[++i];
                break;
            case "--stop-port":
                stopPort = Integer.parseInt(args[++i]);
                break;
            case "--stop-key":
                // NOTE(review): the key is supplied as a command-line argument, so it is only
                // as private as the process's argument list.
                stopKey = args[++i];
                break;
            case "--log":
                _logFile = args[++i];
                break;
            case "--out":
                String outFile = args[++i];
                // The stream is deliberately left open: it replaces System.err and System.out
                // for the rest of the process.
                PrintStream out = new PrintStream(new RolloverFileOutputStream(outFile, true, -1));
                LOG.info("Redirecting stderr/stdout to " + outFile);
                System.setErr(out);
                System.setOut(out);
                break;
            case "--path":
                contextPath = args[++i];
                contextPathSet = true;
                break;
            case "--config":
                if (_configFiles == null)
                    _configFiles = new ArrayList<>();
                _configFiles.add(args[++i]);
                break;
            case "--lib":
                //already handled in the first pass: skip the value
                ++i;
                break;
            case "--jar":
                //already handled in the first pass: skip the value
                ++i;
                break;
            case "--classes":
                //already handled in the first pass: skip the value
                ++i;
                break;
            case "--stats":
                _enableStats = true;
                _statsPropFile = args[++i];
                // The literal value "unsecure" (any case) clears the realm file, which later
                // leaves the /stats context without a security handler.
                _statsPropFile = ("unsecure".equalsIgnoreCase(_statsPropFile) ? null : _statsPropFile);
                break;
            default:
                // Anything that is not a recognized option is a context to deploy. The first
                // such argument also triggers the one-time server setup below.
                if (// log handlers not registered, server maybe not created, etc
                !runnerServerInitialized) {
                    if (// server not initialized yet
                    _server == null) {
                        // build the server
                        _server = new Server();
                    }
                    //apply jetty config files if there are any
                    // NOTE(review): these files are applied directly to the server object, so
                    // they are as privileged as the code itself; only pass trusted files.
                    if (_configFiles != null) {
                        for (String cfg : _configFiles) {
                            try (Resource resource = Resource.newResource(cfg)) {
                                XmlConfiguration xmlConfiguration = new XmlConfiguration(resource.getURL());
                                xmlConfiguration.configure(_server);
                            }
                        }
                    }
                    //check that everything got configured, and if not, make the handlers
                    HandlerCollection handlers = (HandlerCollection) _server.getChildHandlerByClass(HandlerCollection.class);
                    if (handlers == null) {
                        handlers = new HandlerCollection();
                        _server.setHandler(handlers);
                    }
                    //check if contexts already configured
                    _contexts = (ContextHandlerCollection) handlers.getChildHandlerByClass(ContextHandlerCollection.class);
                    if (_contexts == null) {
                        _contexts = new ContextHandlerCollection();
                        prependHandler(_contexts, handlers);
                    }
                    if (_enableStats) {
                        //if no stats handler already configured
                        if (handlers.getChildHandlerByClass(StatisticsHandler.class) == null) {
                            // wrap the current top-level handler so every request is counted
                            StatisticsHandler statsHandler = new StatisticsHandler();
                            Handler oldHandler = _server.getHandler();
                            statsHandler.setHandler(oldHandler);
                            _server.setHandler(statsHandler);
                            // expose the statistics servlet under the /stats context
                            ServletContextHandler statsContext = new ServletContextHandler(_contexts, "/stats");
                            statsContext.addServlet(new ServletHolder(new StatisticsServlet()), "/");
                            statsContext.setSessionHandler(new SessionHandler());
                            // Only when a realm file was given is /stats protected: every path
                            // ("/*") requires an authenticated user in the "admin" role.
                            // With "--stats unsecure" this block is skipped and /stats is open.
                            if (_statsPropFile != null) {
                                // NOTE(review): the realm file holds the admin credentials;
                                // presumably it should be readable only by the server account.
                                HashLoginService loginService = new HashLoginService("StatsRealm", _statsPropFile);
                                Constraint constraint = new Constraint();
                                constraint.setName("Admin Only");
                                constraint.setRoles(new String[] { "admin" });
                                constraint.setAuthenticate(true);
                                // No data constraint is set here, so this constraint does not
                                // itself require a confidential transport for the Basic
                                // credentials; that depends on the connector configuration.
                                ConstraintMapping cm = new ConstraintMapping();
                                cm.setConstraint(constraint);
                                cm.setPathSpec("/*");
                                ConstraintSecurityHandler securityHandler = new ConstraintSecurityHandler();
                                securityHandler.setLoginService(loginService);
                                securityHandler.setConstraintMappings(Collections.singletonList(cm));
                                securityHandler.setAuthenticator(new BasicAuthenticator());
                                statsContext.setSecurityHandler(securityHandler);
                            }
                        }
                    }
                    //ensure a DefaultHandler is present
                    if (handlers.getChildHandlerByClass(DefaultHandler.class) == null) {
                        handlers.addHandler(new DefaultHandler());
                    }
                    //ensure a log handler is present
                    _logHandler = (RequestLogHandler) handlers.getChildHandlerByClass(RequestLogHandler.class);
                    if (_logHandler == null) {
                        _logHandler = new RequestLogHandler();
                        handlers.addHandler(_logHandler);
                    }
                    //check a connector is configured to listen on
                    Connector[] connectors = _server.getConnectors();
                    if (connectors == null || connectors.length == 0) {
                        // No connector came from the config files: create one on the requested
                        // port. The host is only set when --host was given.
                        // NOTE(review): presumably an unset host means listening on all
                        // interfaces — confirm, and pass --host to restrict the bind address.
                        ServerConnector connector = new ServerConnector(_server);
                        connector.setPort(port);
                        if (host != null)
                            connector.setHost(host);
                        _server.addConnector(connector);
                        if (_enableStats)
                            connector.addBean(new ConnectionStatistics());
                    } else {
                        // connectors supplied by the config files: --port and --host are not
                        // applied to them
                        if (_enableStats) {
                            for (Connector connector : connectors) {
                                ((AbstractConnector) connector).addBean(new ConnectionStatistics());
                            }
                        }
                    }
                    runnerServerInitialized = true;
                }
                // Create a context
                try (Resource ctx = Resource.newResource(args[i])) {
                    if (!ctx.exists())
                        usage("Context '" + ctx + "' does not exist");
                    // a context path given with --path is normalized to start with "/"
                    if (contextPathSet && !(contextPath.startsWith("/")))
                        contextPath = "/" + contextPath;
                    // Configure the context
                    if (!ctx.isDirectory() && ctx.toString().toLowerCase(Locale.ENGLISH).endsWith(".xml")) {
                        // It is a context config file
                        // NOTE(review): the file is given a reference to the server under the
                        // id "Server" and its result is installed as a handler, so it must be
                        // trusted input.
                        XmlConfiguration xmlConfiguration = new XmlConfiguration(ctx.getURL());
                        xmlConfiguration.getIdMap().put("Server", _server);
                        ContextHandler handler = (ContextHandler) xmlConfiguration.configure();
                        if (contextPathSet)
                            handler.setContextPath(contextPath);
                        _contexts.addHandler(handler);
                        // make sure the runner's own container jar pattern is part of whatever
                        // pattern the context file configured
                        String containerIncludeJarPattern = (String) handler.getAttribute(WebInfConfiguration.CONTAINER_JAR_PATTERN);
                        if (containerIncludeJarPattern == null)
                            containerIncludeJarPattern = __containerIncludeJarPattern;
                        else {
                            if (!containerIncludeJarPattern.contains(__containerIncludeJarPattern)) {
                                containerIncludeJarPattern = containerIncludeJarPattern + (StringUtil.isBlank(containerIncludeJarPattern) ? "" : "|") + __containerIncludeJarPattern;
                            }
                        }
                        handler.setAttribute(WebInfConfiguration.CONTAINER_JAR_PATTERN, containerIncludeJarPattern);
                        //check the configurations, if not explicitly set up, then configure all of them
                        if (handler instanceof WebAppContext) {
                            WebAppContext wac = (WebAppContext) handler;
                            if (wac.getConfigurationClasses() == null || wac.getConfigurationClasses().length == 0)
                                wac.setConfigurationClasses(__plusConfigurationClasses);
                        }
                    } else {
                        // assume it is a WAR file
                        WebAppContext webapp = new WebAppContext(_contexts, ctx.toString(), contextPath);
                        webapp.setConfigurationClasses(__plusConfigurationClasses);
                        webapp.setAttribute(WebInfConfiguration.CONTAINER_JAR_PATTERN, __containerIncludeJarPattern);
                    }
                }
                //reset: --path applies to a single context only
                contextPathSet = false;
                contextPath = __defaultContextPath;
                break;
        }
    }
    // the server is only created when at least one context argument was seen
    if (_server == null)
        usage("No Contexts defined");
    _server.setStopAtShutdown(true);
    // Encode which of the two stop options were given: bit 0 = --stop-port, bit 1 = --stop-key.
    // The shutdown monitor is only configured when both are present.
    switch((stopPort > 0 ? 1 : 0) + (stopKey != null ? 2 : 0)) {
        case 1:
            usage("Must specify --stop-key when --stop-port is specified");
            break;
        case 2:
            usage("Must specify --stop-port when --stop-key is specified");
            break;
        case 3:
            ShutdownMonitor monitor = ShutdownMonitor.getInstance();
            monitor.setPort(stopPort);
            monitor.setKey(stopKey);
            // the monitor is told to exit the whole VM, not just stop the server
            monitor.setExitVm(true);
            break;
    }
    // request logging is only enabled when --log named a file
    if (_logFile != null) {
        NCSARequestLog requestLog = new NCSARequestLog(_logFile);
        requestLog.setExtended(false);
        _logHandler.setRequestLog(requestLog);
    }
}
Also used : SessionHandler(org.eclipse.jetty.server.session.SessionHandler) AbstractConnector(org.eclipse.jetty.server.AbstractConnector) ServerConnector(org.eclipse.jetty.server.ServerConnector) Connector(org.eclipse.jetty.server.Connector) ShutdownMonitor(org.eclipse.jetty.server.ShutdownMonitor) Server(org.eclipse.jetty.server.Server) ConnectionStatistics(org.eclipse.jetty.io.ConnectionStatistics) Constraint(org.eclipse.jetty.util.security.Constraint) ServletHolder(org.eclipse.jetty.servlet.ServletHolder) ArrayList(java.util.ArrayList) ContextHandlerCollection(org.eclipse.jetty.server.handler.ContextHandlerCollection) RolloverFileOutputStream(org.eclipse.jetty.util.RolloverFileOutputStream) XmlConfiguration(org.eclipse.jetty.xml.XmlConfiguration) ServerConnector(org.eclipse.jetty.server.ServerConnector) ServletContextHandler(org.eclipse.jetty.servlet.ServletContextHandler) ContextHandler(org.eclipse.jetty.server.handler.ContextHandler) WebAppContext(org.eclipse.jetty.webapp.WebAppContext) HashLoginService(org.eclipse.jetty.security.HashLoginService) BasicAuthenticator(org.eclipse.jetty.security.authentication.BasicAuthenticator) RequestLogHandler(org.eclipse.jetty.server.handler.RequestLogHandler) ConstraintSecurityHandler(org.eclipse.jetty.security.ConstraintSecurityHandler) NCSARequestLog(org.eclipse.jetty.server.NCSARequestLog) ContextHandlerCollection(org.eclipse.jetty.server.handler.ContextHandlerCollection) HandlerCollection(org.eclipse.jetty.server.handler.HandlerCollection) PrintStream(java.io.PrintStream) ConstraintMapping(org.eclipse.jetty.security.ConstraintMapping) Resource(org.eclipse.jetty.util.resource.Resource) ServletContextHandler(org.eclipse.jetty.servlet.ServletContextHandler) Handler(org.eclipse.jetty.server.Handler) DefaultHandler(org.eclipse.jetty.server.handler.DefaultHandler) ConstraintSecurityHandler(org.eclipse.jetty.security.ConstraintSecurityHandler) StatisticsHandler(org.eclipse.jetty.server.handler.StatisticsHandler) 
ContextHandler(org.eclipse.jetty.server.handler.ContextHandler) SessionHandler(org.eclipse.jetty.server.session.SessionHandler) RequestLogHandler(org.eclipse.jetty.server.handler.RequestLogHandler) Constraint(org.eclipse.jetty.util.security.Constraint) DefaultHandler(org.eclipse.jetty.server.handler.DefaultHandler) StatisticsServlet(org.eclipse.jetty.servlet.StatisticsServlet) StatisticsHandler(org.eclipse.jetty.server.handler.StatisticsHandler) ServletContextHandler(org.eclipse.jetty.servlet.ServletContextHandler) AbstractConnector(org.eclipse.jetty.server.AbstractConnector)

Aggregations

Constraint (org.eclipse.jetty.util.security.Constraint)78 ConstraintMapping (org.eclipse.jetty.security.ConstraintMapping)46 ConstraintSecurityHandler (org.eclipse.jetty.security.ConstraintSecurityHandler)34 BasicAuthenticator (org.eclipse.jetty.security.authentication.BasicAuthenticator)27 HashLoginService (org.eclipse.jetty.security.HashLoginService)20 Test (org.junit.Test)15 Server (org.eclipse.jetty.server.Server)13 ArrayList (java.util.ArrayList)9 WebAppContext (org.eclipse.jetty.webapp.WebAppContext)8 Password (org.eclipse.jetty.util.security.Password)7 HashSet (java.util.HashSet)6 File (java.io.File)5 IOException (java.io.IOException)5 ResourceHandler (org.eclipse.jetty.server.handler.ResourceHandler)5 LoginService (org.eclipse.jetty.security.LoginService)4 ServerConnector (org.eclipse.jetty.server.ServerConnector)4 ContextHandler (org.eclipse.jetty.server.handler.ContextHandler)4 HandlerList (org.eclipse.jetty.server.handler.HandlerList)4 ServletContextHandler (org.eclipse.jetty.servlet.ServletContextHandler)4 ServletHolder (org.eclipse.jetty.servlet.ServletHolder)4