use of org.eclipse.jetty.util.security.Constraint in project jetty.project by eclipse.
the class DataConstraintsTest method testConfidential.
@Test
public void testConfidential() throws Exception {
    // A constraint that requires no authentication but carries a CONFIDENTIAL
    // data constraint: requests under /confid/* must arrive on a secure connector.
    Constraint confidential = new Constraint();
    confidential.setName("confid");
    confidential.setAuthenticate(false);
    confidential.setDataConstraint(Constraint.DC_CONFIDENTIAL);

    ConstraintMapping confidMapping = new ConstraintMapping();
    confidMapping.setConstraint(confidential);
    confidMapping.setPathSpec("/confid/*");

    _security.setConstraintMappings(Arrays.asList(confidMapping));
    _server.start();

    // An unconstrained path is simply not found (no redirect is involved).
    String response = _connector.getResponses("GET /ctx/some/thing HTTP/1.0\r\n\r\n");
    Assert.assertThat(response, Matchers.containsString("HTTP/1.1 404 Not Found"));

    // The constrained path over the plain connector is redirected (302) to the
    // confidential scheme/port configured for this test.
    response = _connector.getResponses("GET /ctx/confid/info HTTP/1.0\r\n\r\n");
    Assert.assertThat(response, Matchers.containsString("HTTP/1.1 302 Found"));
    Assert.assertThat(response, Matchers.containsString("Location: BWTP://"));
    Assert.assertThat(response, Matchers.containsString(":9999"));

    // The same path over _connectorS (presumably the secure connector) satisfies the
    // data constraint, so the request falls through to an ordinary 404.
    response = _connectorS.getResponses("GET /ctx/confid/info HTTP/1.0\r\n\r\n");
    Assert.assertThat(response, Matchers.containsString("HTTP/1.1 404 Not Found"));
}
use of org.eclipse.jetty.util.security.Constraint in project jetty.project by eclipse.
the class QuickStartDescriptorGenerator method generateQuickStartWebXml.
/**
 * Perform the generation of the xml file.
 * <p>
 * Walks the configured {@code _webApp} (context params, listeners, filters, servlets,
 * security configuration, session/cookie configuration, error pages, mime mappings,
 * jsp-config and lifecycle callbacks) and writes an equivalent {@code web-app} descriptor
 * to {@code stream}, finishing with {@code _extraXML} written verbatim.
 *
 * @param stream the stream to generate the quickstart-web.xml to
 * @throws IOException if unable to generate the quickstart-web.xml
 * @throws FileNotFoundException if unable to find the file
 * @throws IllegalStateException if no webapp is set or {@code stream} is null
 * @throws IllegalArgumentException if the webapp has no base resource
 */
public void generateQuickStartWebXml(OutputStream stream) throws FileNotFoundException, IOException {
if (_webApp == null)
throw new IllegalStateException("No webapp for quickstart generation");
if (stream == null)
throw new IllegalStateException("No output for quickstart generation");
// Return value discarded; presumably this forces the origin map to be populated
// before origin(md, ...) is queried below — TODO confirm.
_webApp.getMetaData().getOrigins();
if (_webApp.getBaseResource() == null)
throw new IllegalArgumentException("No base resource for " + this);
LOG.info("Quickstart generating");
// Every value below is written through XmlAppendable, which is assumed to XML-escape
// text and attribute content; several values originate from deployment
// configuration, so confirm that escaping before trusting the output as well-formed.
XmlAppendable out = new XmlAppendable(stream, "UTF-8");
MetaData md = _webApp.getMetaData();
Map<String, String> webappAttr = new HashMap<>();
webappAttr.put("xmlns", "http://xmlns.jcp.org/xml/ns/javaee");
webappAttr.put("xmlns:xsi", "http://www.w3.org/2001/XMLSchema-instance");
webappAttr.put("xsi:schemaLocation", "http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd");
// metadata-complete="true": the generated descriptor is authoritative, so a container
// deploying it does not need to scan annotations again.
webappAttr.put("metadata-complete", "true");
webappAttr.put("version", "3.1");
out.openTag("web-app", webappAttr);
if (_webApp.getDisplayName() != null)
out.tag("display-name", _webApp.getDisplayName());
// Set some special context parameters
// The location of the war file on disk
AttributeNormalizer normalizer = new AttributeNormalizer(_webApp.getBaseResource());
// The library order
addContextParamFromAttribute(out, ServletContext.ORDERED_LIBS);
//the servlet container initializers
addContextParamFromAttribute(out, AnnotationConfiguration.CONTAINER_INITIALIZERS);
//the tlds discovered (paths are normalized relative to the base resource)
addContextParamFromAttribute(out, MetaInfConfiguration.METAINF_TLDS, normalizer);
//the META-INF/resources discovered (paths are normalized relative to the base resource)
addContextParamFromAttribute(out, MetaInfConfiguration.METAINF_RESOURCES, normalizer);
//add the name of the origin attribute, if it is being used
if (_generateOrigin) {
out.openTag("context-param").tag("param-name", ORIGIN).tag("param-value", _originAttribute).closeTag();
}
// init params
for (String p : _webApp.getInitParams().keySet()) out.openTag("context-param", origin(md, "context-param." + p)).tag("param-name", p).tag("param-value", _webApp.getInitParameter(p)).closeTag();
// listeners are identified by canonical class name
if (_webApp.getEventListeners() != null)
for (EventListener e : _webApp.getEventListeners()) out.openTag("listener", origin(md, e.getClass().getCanonicalName() + ".listener")).tag("listener-class", e.getClass().getCanonicalName()).closeTag();
ServletHandler servlets = _webApp.getServletHandler();
if (servlets.getFilters() != null) {
for (FilterHolder holder : servlets.getFilters()) outholder(out, md, holder);
}
if (servlets.getFilterMappings() != null) {
for (FilterMapping mapping : servlets.getFilterMappings()) {
out.openTag("filter-mapping");
out.tag("filter-name", mapping.getFilterName());
if (mapping.getPathSpecs() != null)
for (String s : mapping.getPathSpecs()) out.tag("url-pattern", s);
if (mapping.getServletNames() != null)
for (String n : mapping.getServletNames()) out.tag("servlet-name", n);
// dispatcher elements are only written when the mapping is not the default
// set; each applicable DispatcherType is listed explicitly
if (!mapping.isDefaultDispatches()) {
if (mapping.appliesTo(DispatcherType.REQUEST))
out.tag("dispatcher", "REQUEST");
if (mapping.appliesTo(DispatcherType.ASYNC))
out.tag("dispatcher", "ASYNC");
if (mapping.appliesTo(DispatcherType.ERROR))
out.tag("dispatcher", "ERROR");
if (mapping.appliesTo(DispatcherType.FORWARD))
out.tag("dispatcher", "FORWARD");
if (mapping.appliesTo(DispatcherType.INCLUDE))
out.tag("dispatcher", "INCLUDE");
}
out.closeTag();
}
}
if (servlets.getServlets() != null) {
for (ServletHolder holder : servlets.getServlets()) outholder(out, md, holder);
}
if (servlets.getServletMappings() != null) {
for (ServletMapping mapping : servlets.getServletMappings()) {
out.openTag("servlet-mapping", origin(md, mapping.getServletName() + ".servlet.mappings"));
out.tag("servlet-name", mapping.getServletName());
if (mapping.getPathSpecs() != null)
for (String s : mapping.getPathSpecs()) out.tag("url-pattern", s);
out.closeTag();
}
}
// Security elements
// login-config is emitted only when a realm name or an auth method is configured.
SecurityHandler security = _webApp.getSecurityHandler();
if (security != null && (security.getRealmName() != null || security.getAuthMethod() != null)) {
out.openTag("login-config");
if (security.getAuthMethod() != null)
out.tag("auth-method", origin(md, "auth-method"), security.getAuthMethod());
if (security.getRealmName() != null)
out.tag("realm-name", origin(md, "realm-name"), security.getRealmName());
// FORM auth: the login/error pages are taken from the security handler's init
// parameters and written as-is (they may be null if not configured — no null check here).
if (Constraint.__FORM_AUTH.equalsIgnoreCase(security.getAuthMethod())) {
out.openTag("form-login-config");
out.tag("form-login-page", origin(md, "form-login-page"), security.getInitParameter(FormAuthenticator.__FORM_LOGIN_PAGE));
out.tag("form-error-page", origin(md, "form-error-page"), security.getInitParameter(FormAuthenticator.__FORM_ERROR_PAGE));
out.closeTag();
}
out.closeTag();
}
// Roles and constraint mappings are only available from a ConstraintAware handler.
// Unlike the servlet collections above, getRoles()/getConstraintMappings() are
// iterated without a null check — presumably they are never null; verify.
if (security instanceof ConstraintAware) {
ConstraintAware ca = (ConstraintAware) security;
for (String r : ca.getRoles()) out.openTag("security-role").tag("role-name", r).closeTag();
for (ConstraintMapping m : ca.getConstraintMappings()) {
out.openTag("security-constraint");
out.openTag("web-resource-collection");
{
if (m.getConstraint().getName() != null)
out.tag("web-resource-name", m.getConstraint().getName());
if (m.getPathSpec() != null)
out.tag("url-pattern", origin(md, "constraint.url." + m.getPathSpec()), m.getPathSpec());
if (m.getMethod() != null)
out.tag("http-method", m.getMethod());
if (m.getMethodOmissions() != null)
for (String o : m.getMethodOmissions()) out.tag("http-method-omission", o);
out.closeTag();
}
// authenticate=true with roles -> <auth-constraint> listing them;
// authenticate=true with no roles -> empty <auth-constraint/> (no role can
// satisfy it); authenticate=false -> no auth-constraint element at all.
if (m.getConstraint().getAuthenticate()) {
String[] roles = m.getConstraint().getRoles();
if (roles != null && roles.length > 0) {
out.openTag("auth-constraint");
if (m.getConstraint().getRoles() != null)
for (String r : m.getConstraint().getRoles()) out.tag("role-name", r);
out.closeTag();
} else
out.tag("auth-constraint");
}
// Only the three known DC_* values produce a user-data-constraint element;
// any other value is silently dropped, leaving the transport guarantee unspecified
// in the descriptor (the deploying container would then presumably treat it as NONE).
switch(m.getConstraint().getDataConstraint()) {
case Constraint.DC_NONE:
out.openTag("user-data-constraint").tag("transport-guarantee", "NONE").closeTag();
break;
case Constraint.DC_INTEGRAL:
out.openTag("user-data-constraint").tag("transport-guarantee", "INTEGRAL").closeTag();
break;
case Constraint.DC_CONFIDENTIAL:
out.openTag("user-data-constraint").tag("transport-guarantee", "CONFIDENTIAL").closeTag();
break;
default:
break;
}
out.closeTag();
}
}
if (_webApp.getWelcomeFiles() != null) {
out.openTag("welcome-file-list");
for (String welcomeFile : _webApp.getWelcomeFiles()) {
out.tag("welcome-file", welcomeFile);
}
out.closeTag();
}
Map<String, String> localeEncodings = _webApp.getLocaleEncodings();
if (localeEncodings != null && !localeEncodings.isEmpty()) {
out.openTag("locale-encoding-mapping-list");
for (Map.Entry<String, String> entry : localeEncodings.entrySet()) {
out.openTag("locale-encoding-mapping", origin(md, "locale-encoding." + entry.getKey()));
out.tag("locale", entry.getKey());
out.tag("encoding", entry.getValue());
out.closeTag();
}
out.closeTag();
}
//session-config
if (_webApp.getSessionHandler() != null) {
out.openTag("session-config");
// session-timeout is expressed in minutes; the handler's interval is in seconds.
// NOTE(review): integer division truncates any sub-minute interval (1..59s) to "0",
// which a container reads as "no timeout" — confirm this is intended.
int maxInactiveSec = _webApp.getSessionHandler().getMaxInactiveInterval();
out.tag("session-timeout", (maxInactiveSec == 0 ? "0" : Integer.toString(maxInactiveSec / 60)));
//cookie-config
SessionCookieConfig cookieConfig = _webApp.getSessionHandler().getSessionCookieConfig();
if (cookieConfig != null) {
out.openTag("cookie-config");
if (cookieConfig.getName() != null)
out.tag("name", origin(md, "cookie-config.name"), cookieConfig.getName());
if (cookieConfig.getDomain() != null)
out.tag("domain", origin(md, "cookie-config.domain"), cookieConfig.getDomain());
if (cookieConfig.getPath() != null)
out.tag("path", origin(md, "cookie-config.path"), cookieConfig.getPath());
if (cookieConfig.getComment() != null)
out.tag("comment", origin(md, "cookie-config.comment"), cookieConfig.getComment());
// http-only, secure and max-age are always written explicitly (true or false),
// so the effective cookie flags survive the round trip rather than falling back
// to container defaults.
out.tag("http-only", origin(md, "cookie-config.http-only"), Boolean.toString(cookieConfig.isHttpOnly()));
out.tag("secure", origin(md, "cookie-config.secure"), Boolean.toString(cookieConfig.isSecure()));
out.tag("max-age", origin(md, "cookie-config.max-age"), Integer.toString(cookieConfig.getMaxAge()));
out.closeTag();
}
// tracking-modes
Set<SessionTrackingMode> modes = _webApp.getSessionHandler().getEffectiveSessionTrackingModes();
if (modes != null) {
for (SessionTrackingMode mode : modes) out.tag("tracking-mode", mode.toString());
}
out.closeTag();
}
//error-pages
// NOTE(review): unchecked cast — a webapp configured with an error handler that is
// not an ErrorPageErrorHandler will fail here with ClassCastException.
Map<String, String> errorPages = ((ErrorPageErrorHandler) _webApp.getErrorHandler()).getErrorPages();
if (errorPages != null) {
for (Map.Entry<String, String> entry : errorPages.entrySet()) {
out.openTag("error-page", origin(md, "error." + entry.getKey()));
//a global or default error page has no code or exception
if (!ErrorPageErrorHandler.GLOBAL_ERROR_PAGE.equals(entry.getKey())) {
// a three-digit key is a status code; anything else is an exception class name
if (entry.getKey().matches("\\d{3}"))
out.tag("error-code", entry.getKey());
else
out.tag("exception-type", entry.getKey());
}
out.tag("location", entry.getValue());
out.closeTag();
}
}
//mime-types
MimeTypes mimeTypes = _webApp.getMimeTypes();
if (mimeTypes != null) {
for (Map.Entry<String, String> entry : mimeTypes.getMimeMap().entrySet()) {
out.openTag("mime-mapping");
out.tag("extension", origin(md, "extension." + entry.getKey()), entry.getKey());
out.tag("mime-type", entry.getValue());
out.closeTag();
}
}
//jsp-config
JspConfig jspConfig = (JspConfig) _webApp.getServletContext().getJspConfigDescriptor();
if (jspConfig != null) {
out.openTag("jsp-config");
Collection<TaglibDescriptor> tlds = jspConfig.getTaglibs();
if (tlds != null && !tlds.isEmpty()) {
for (TaglibDescriptor tld : tlds) {
out.openTag("taglib");
out.tag("taglib-uri", tld.getTaglibURI());
out.tag("taglib-location", tld.getTaglibLocation());
out.closeTag();
}
}
Collection<JspPropertyGroupDescriptor> jspPropertyGroups = jspConfig.getJspPropertyGroups();
if (jspPropertyGroups != null && !jspPropertyGroups.isEmpty()) {
for (JspPropertyGroupDescriptor jspPropertyGroup : jspPropertyGroups) {
out.openTag("jsp-property-group");
// 'strings' is reused below for the prelude and coda collections
Collection<String> strings = jspPropertyGroup.getUrlPatterns();
if (strings != null && !strings.isEmpty()) {
for (String urlPattern : strings) out.tag("url-pattern", urlPattern);
}
// each optional descriptor property is written only when present
if (jspPropertyGroup.getElIgnored() != null)
out.tag("el-ignored", jspPropertyGroup.getElIgnored());
if (jspPropertyGroup.getPageEncoding() != null)
out.tag("page-encoding", jspPropertyGroup.getPageEncoding());
if (jspPropertyGroup.getScriptingInvalid() != null)
out.tag("scripting-invalid", jspPropertyGroup.getScriptingInvalid());
if (jspPropertyGroup.getIsXml() != null)
out.tag("is-xml", jspPropertyGroup.getIsXml());
if (jspPropertyGroup.getDeferredSyntaxAllowedAsLiteral() != null)
out.tag("deferred-syntax-allowed-as-literal", jspPropertyGroup.getDeferredSyntaxAllowedAsLiteral());
if (jspPropertyGroup.getTrimDirectiveWhitespaces() != null)
out.tag("trim-directive-whitespaces", jspPropertyGroup.getTrimDirectiveWhitespaces());
if (jspPropertyGroup.getDefaultContentType() != null)
out.tag("default-content-type", jspPropertyGroup.getDefaultContentType());
if (jspPropertyGroup.getBuffer() != null)
out.tag("buffer", jspPropertyGroup.getBuffer());
if (jspPropertyGroup.getErrorOnUndeclaredNamespace() != null)
out.tag("error-on-undeclared-namespace", jspPropertyGroup.getErrorOnUndeclaredNamespace());
strings = jspPropertyGroup.getIncludePreludes();
if (strings != null && !strings.isEmpty()) {
for (String prelude : strings) out.tag("include-prelude", prelude);
}
strings = jspPropertyGroup.getIncludeCodas();
if (strings != null && !strings.isEmpty()) {
for (String coda : strings) out.tag("include-coda", coda);
}
out.closeTag();
}
}
out.closeTag();
}
//lifecycle: post-construct, pre-destroy
LifeCycleCallbackCollection lifecycles = ((LifeCycleCallbackCollection) _webApp.getAttribute(LifeCycleCallbackCollection.LIFECYCLE_CALLBACK_COLLECTION));
if (lifecycles != null) {
Collection<LifeCycleCallback> tmp = lifecycles.getPostConstructCallbacks();
for (LifeCycleCallback c : tmp) {
out.openTag("post-construct");
out.tag("lifecycle-callback-class", c.getTargetClassName());
out.tag("lifecycle-callback-method", c.getMethodName());
out.closeTag();
}
tmp = lifecycles.getPreDestroyCallbacks();
for (LifeCycleCallback c : tmp) {
out.openTag("pre-destroy");
out.tag("lifecycle-callback-class", c.getTargetClassName());
out.tag("lifecycle-callback-method", c.getMethodName());
out.closeTag();
}
}
// _extraXML is written as a literal (presumably unescaped), so it must already be
// well-formed XML that belongs inside <web-app>.
out.literal(_extraXML);
out.closeTag();
}
use of org.eclipse.jetty.util.security.Constraint in project jetty.project by eclipse.
the class ConstraintSecurityHandler method createConstraint.
/* ------------------------------------------------------------ */
/**
 * Create a security constraint from its individual parts.
 *
 * @param name the name of the constraint; ignored when {@code null}
 *             (the constraint keeps whatever name {@link #createConstraint()} gave it)
 * @param authenticate true to require authentication
 * @param roles list of roles (passed through unchanged, may be {@code null})
 * @param dataConstraint the data constraint, one of the {@code Constraint.DC_*} values
 * @return the constraint
 */
public static Constraint createConstraint(String name, boolean authenticate, String[] roles, int dataConstraint) {
    Constraint result = createConstraint();
    if (name != null) {
        result.setName(name);
    }
    result.setAuthenticate(authenticate);
    result.setRoles(roles);
    result.setDataConstraint(dataConstraint);
    return result;
}
use of org.eclipse.jetty.util.security.Constraint in project jetty.project by eclipse.
the class ConstraintSecurityHandler method createConstraint.
/* ------------------------------------------------------------ */
/**
 * Create a Constraint from annotation-style security metadata.
 * <p>
 * The name is suffixed with {@code -RolesAllowed}, {@code -Deny} or {@code -Permit}
 * according to which branch applied.
 *
 * @param name the base name
 * @param rolesAllowed the list of allowed roles; {@code null} or empty means "no roles"
 * @param permitOrDeny the permission semantic used when no roles are given
 * @param transport the transport guarantee; only {@code CONFIDENTIAL} is mapped to a
 *                  data constraint, anything else becomes {@code DC_NONE}
 * @return the created constraint
 */
public static Constraint createConstraint(String name, String[] rolesAllowed, EmptyRoleSemantic permitOrDeny, TransportGuarantee transport) {
    Constraint constraint = createConstraint();
    boolean hasRoles = rolesAllowed != null && rolesAllowed.length > 0;
    if (hasRoles) {
        //Equivalent to <auth-constraint> with list of <security-role-name>s
        constraint.setAuthenticate(true);
        constraint.setRoles(rolesAllowed);
        constraint.setName(name + "-RolesAllowed");
    } else if (permitOrDeny.equals(EmptyRoleSemantic.DENY)) {
        //Equivalent to <auth-constraint> with no roles: authenticated, but no role satisfies it
        constraint.setName(name + "-Deny");
        constraint.setAuthenticate(true);
    } else {
        //Equivalent to no <auth-constraint>: no authentication required
        constraint.setName(name + "-Permit");
        constraint.setAuthenticate(false);
    }
    //Equivalent to //<user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
    boolean confidential = transport.equals(TransportGuarantee.CONFIDENTIAL);
    constraint.setDataConstraint(confidential ? Constraint.DC_CONFIDENTIAL : Constraint.DC_NONE);
    return constraint;
}
use of org.eclipse.jetty.util.security.Constraint in project h2o-3 by h2oai.
the class JettyHTTPD method createServer.
/**
 * Installs the connector, optionally wraps the H2O handlers in a
 * {@link ConstraintSecurityHandler} (when -hash_login, -ldap_login or
 * -kerberos_login is set), and starts the server.
 *
 * @param connector the single connector the server listens on
 * @throws Exception if the server fails to start
 */
protected void createServer(Connector connector) throws Exception {
    _server.setConnectors(new Connector[] { connector });

    boolean authEnabled = H2O.ARGS.hash_login || H2O.ARGS.ldap_login || H2O.ARGS.kerberos_login;
    if (!authEnabled) {
        registerHandlers(_server);
        _server.start();
        return;
    }

    // REFER TO http://www.eclipse.org/jetty/documentation/9.1.4.v20140401/embedded-examples.html#embedded-secured-hello-handler
    if (H2O.ARGS.login_conf == null) {
        Log.err("Must specify -login_conf argument");
        H2O.exit(1);
    }

    LoginService loginService;
    if (H2O.ARGS.hash_login) {
        Log.info("Configuring HashLoginService");
        loginService = new HashLoginService("H2O", H2O.ARGS.login_conf);
    } else if (H2O.ARGS.ldap_login) {
        Log.info("Configuring JAASLoginService (with LDAP)");
        System.setProperty("java.security.auth.login.config", H2O.ARGS.login_conf);
        loginService = new JAASLoginService("ldaploginmodule");
    } else if (H2O.ARGS.kerberos_login) {
        Log.info("Configuring JAASLoginService (with Kerberos)");
        System.setProperty("java.security.auth.login.config", H2O.ARGS.login_conf);
        loginService = new JAASLoginService("krb5loginmodule");
    } else {
        throw H2O.fail();
    }
    loginService.setIdentityService(new DefaultIdentityService());
    _server.addBean(loginService);

    // One constraint covering every path: any authenticated user is let in, regardless
    // of role. Roles are deliberately ignored; only the user name matters.
    Constraint constraint = new Constraint();
    constraint.setName("auth");
    constraint.setAuthenticate(true);
    // Jetty 8 and prior need security.setStrict(false) together with ANY_ROLE.
    // Jetty 9 and later use a different servlet spec, where ANY_AUTH gives the same
    // behavior as ANY_ROLE did previously (this took low-level debugging to find, so it
    // is documented here); Jetty 9 does not require setStrict(false):
    //   constraint.setRoles(new String[]{Constraint.ANY_AUTH});
    constraint.setRoles(new String[] { Constraint.ANY_ROLE });
    // NOTE(review): no data constraint is set on this constraint, so it does not by
    // itself require TLS; the Basic credentials are only protected in transit if the
    // supplied connector is TLS-enabled.

    // Lock down all API calls
    ConstraintMapping mapping = new ConstraintMapping();
    mapping.setPathSpec("/*");
    mapping.setConstraint(constraint);

    // Security handler sits first in the chain; authenticated requests fall through to H2O.
    ConstraintSecurityHandler security = new ConstraintSecurityHandler();
    security.setStrict(false);
    security.setConstraintMappings(Collections.singletonList(mapping));
    // Authentication / Authorization
    security.setAuthenticator(new BasicAuthenticator());
    security.setLoginService(loginService);

    registerHandlers(security);
    _server.setHandler(security);
    _server.start();
}