use of org.glassfish.web.deployment.descriptor.SecurityConstraintImpl in project Payara by payara.
the class WebResourceHTTPMethod method check.
/**
* The http-method element contains the name of web resource collection's HTTP
* method
*
* @param descriptor the Web deployment descriptor
* @return <code>Result</code> the results for this assertion
*/
public Result check(WebBundleDescriptor descriptor) {
    // Verifier assertion for <http-method>: every method name listed in a web
    // resource collection of a security constraint must be one of the eight
    // names compared below. The comparison is case-sensitive, so "get" or an
    // extension method such as "PATCH" is reported as an error.
    //
    // NOTE(review): this is a spelling check only. A constraint that lists
    // http-methods applies to those methods alone, so a PASSED result says
    // nothing about whether requests using the remaining methods are covered.
    // Coverage has to be reviewed separately (http-method-omission or
    // deny-uncovered-http-methods in the descriptor).
    Result result = getInitializedResult();
    ComponentNameConstructor compName = getVerifierContext().getComponentNameConstructor();

    // No security constraints at all: the assertion does not apply.
    if (!descriptor.getSecurityConstraints().hasMoreElements()) {
        result.addNaDetails(smh.getLocalString("tests.componentNameConstructor", "For [ {0} ]", new Object[] { compName.toString() }));
        result.notApplicable(smh.getLocalString(getClass().getName() + ".notApplicable", "There are no http-method elements within the web archive [ {0} ]", new Object[] { descriptor.getName() }));
        return result;
    }

    boolean sawInvalidMethod = false;
    int constraintsSeen = 0;
    int constraintsWithoutCollections = 0;
    int collectionsSeen = 0;
    int collectionsWithoutMethods = 0;

    Enumeration constraints = descriptor.getSecurityConstraints();
    while (constraints.hasMoreElements()) {
        constraintsSeen++;
        SecurityConstraintImpl constraint = (SecurityConstraintImpl) constraints.nextElement();

        // A constraint without any web resource collection has nothing to check.
        if (constraint.getWebResourceCollections().isEmpty()) {
            result.addNaDetails(smh.getLocalString("tests.componentNameConstructor", "For [ {0} ]", new Object[] { compName.toString() }));
            result.notApplicable(smh.getLocalString(getClass().getName() + ".notApplicable2", "There are no web web resource collections in the web security constraint within [ {0} ]", new Object[] { descriptor.getName() }));
            constraintsWithoutCollections++;
            continue;
        }

        for (WebResourceCollection collection : constraint.getWebResourceCollections()) {
            collectionsSeen++;

            // A collection that lists no methods is recorded as not applicable.
            if (collection.getHttpMethods().isEmpty()) {
                result.addNaDetails(smh.getLocalString("tests.componentNameConstructor", "For [ {0} ]", new Object[] { compName.toString() }));
                result.notApplicable(smh.getLocalString(getClass().getName() + ".notApplicable1", "There are no web http-methods in the web resource collection [ {0} ] within [ {1} ]", new Object[] { collection.getName(), descriptor.getName() }));
                collectionsWithoutMethods++;
                continue;
            }

            for (String method : collection.getHttpMethods()) {
                boolean recognised = method.equals("OPTIONS")
                        || method.equals("GET")
                        || method.equals("HEAD")
                        || method.equals("POST")
                        || method.equals("PUT")
                        || method.equals("DELETE")
                        || method.equals("TRACE")
                        || method.equals("CONNECT");

                if (!recognised) {
                    // One unrecognised name is enough to fail the whole assertion.
                    sawInvalidMethod = true;
                    result.addErrorDetails(smh.getLocalString("tests.componentNameConstructor", "For [ {0} ]", new Object[] { compName.toString() }));
                    result.addErrorDetails(smh.getLocalString(getClass().getName() + ".failed", "Error: http-method [ {0} ] is not valid HTTP method name within web resource collection [ {1} ] in web application [ {2} ]", new Object[] { method, collection.getName(), descriptor.getName() }));
                    continue;
                }

                result.addGoodDetails(smh.getLocalString("tests.componentNameConstructor", "For [ {0} ]", new Object[] { compName.toString() }));
                result.addGoodDetails(smh.getLocalString(getClass().getName() + ".passed", "http-method [ {0} ] is valid HTTP method name within web resource collection [ {1} ] in web application [ {2} ]", new Object[] { method, collection.getName(), descriptor.getName() }));
            }
        }
    }

    // Failure wins; otherwise the result is not applicable when every constraint
    // lacked collections or every collection lacked methods.
    if (sawInvalidMethod) {
        result.setStatus(Result.FAILED);
    } else if ((constraintsWithoutCollections == constraintsSeen) || (collectionsWithoutMethods == collectionsSeen)) {
        result.setStatus(Result.NOT_APPLICABLE);
    } else {
        result.setStatus(Result.PASSED);
    }
    return result;
}
use of org.glassfish.web.deployment.descriptor.SecurityConstraintImpl in project Payara by payara.
the class WebResourceName method check.
/**
* The web-resource-name element contains the name of this web resource
* collection
*
* @param descriptor the Web deployment descriptor
* @return <code>Result</code> the results for this assertion
*/
public Result check(WebBundleDescriptor descriptor) {
    // Verifier assertion for <web-resource-name>: each web resource collection
    // in a security constraint must carry a non-empty name. Only the length of
    // the name is tested; uniqueness and content are not examined.
    Result result = getInitializedResult();
    ComponentNameConstructor compName = getVerifierContext().getComponentNameConstructor();

    // No security constraints at all: the assertion does not apply.
    if (!descriptor.getSecurityConstraints().hasMoreElements()) {
        result.addNaDetails(smh.getLocalString("tests.componentNameConstructor", "For [ {0} ]", new Object[] { compName.toString() }));
        result.notApplicable(smh.getLocalString(getClass().getName() + ".notApplicable", "There are no web-resource-name elements within the web archive [ {0} ]", new Object[] { descriptor.getName() }));
        return result;
    }

    boolean sawBlankName = false;
    int constraintsSeen = 0;
    int constraintsWithoutCollections = 0;

    Enumeration constraints = descriptor.getSecurityConstraints();
    while (constraints.hasMoreElements()) {
        constraintsSeen++;
        SecurityConstraintImpl constraint = (SecurityConstraintImpl) constraints.nextElement();

        // A constraint without any web resource collection has no name to check.
        if (constraint.getWebResourceCollections().isEmpty()) {
            result.addNaDetails(smh.getLocalString("tests.componentNameConstructor", "For [ {0} ]", new Object[] { compName.toString() }));
            result.notApplicable(smh.getLocalString(getClass().getName() + ".notApplicable2", "There are no web web resource collections in the web security constraint within [ {0} ]", new Object[] { descriptor.getName() }));
            constraintsWithoutCollections++;
            continue;
        }

        for (WebResourceCollection collection : constraint.getWebResourceCollections()) {
            String collectionName = collection.getName();

            if (collectionName.length() == 0) {
                // A blank name fails the whole assertion.
                sawBlankName = true;
                result.addErrorDetails(smh.getLocalString("tests.componentNameConstructor", "For [ {0} ]", new Object[] { compName.toString() }));
                result.addErrorDetails(smh.getLocalString(getClass().getName() + ".failed", "Error: web-resource-name [ {0} ] does not contain the name of this web resource collection within web application [ {1} ]", new Object[] { collectionName, descriptor.getName() }));
                continue;
            }

            result.addGoodDetails(smh.getLocalString("tests.componentNameConstructor", "For [ {0} ]", new Object[] { compName.toString() }));
            result.addGoodDetails(smh.getLocalString(getClass().getName() + ".passed", "web-resource-name [ {0} ] contains the name of this web resource collection within web application [ {1} ]", new Object[] { collectionName, descriptor.getName() }));
        }
    }

    // Failure wins; otherwise not applicable when no constraint had a collection.
    if (sawBlankName) {
        result.setStatus(Result.FAILED);
    } else if (constraintsWithoutCollections == constraintsSeen) {
        result.setStatus(Result.NOT_APPLICABLE);
    } else {
        result.setStatus(Result.PASSED);
    }
    return result;
}
use of org.glassfish.web.deployment.descriptor.SecurityConstraintImpl in project Payara by payara.
the class DynamicWebServletRegistrationImpl method setSecurityConfig.
/**
 * Applies a programmatically supplied security configuration to this web module.
 *
 * <p>The method stores the configuration, copies its login configuration and
 * security constraints into deployment-descriptor objects on
 * {@code getWebBundleDescriptor()}, removes pipeline valves that match the
 * {@code instanceof} test below, and re-initializes the realm when it is a
 * {@code RealmInitializer}. A {@code null} argument returns immediately and
 * leaves the current configuration in place.
 *
 * @param config the security configuration to apply; ignored when {@code null}
 */
@Override
public void setSecurityConfig(SecurityConfig config) {
    if (config == null) {
        return;
    }
    this.config = config;
    LoginConfig lc = config.getLoginConfig();
    if (lc != null) {
        LoginConfiguration loginConf = new LoginConfigurationImpl();
        // assumes lc.getAuthMethod() is non-null; a null value would throw here — TODO confirm
        loginConf.setAuthenticationMethod(lc.getAuthMethod().name());
        loginConf.setRealmName(lc.getRealmName());
        FormLoginConfig form = lc.getFormLoginConfig();
        if (form != null) {
            loginConf.setFormErrorPage(form.getFormErrorPage());
            loginConf.setFormLoginPage(form.getFormLoginPage());
        }
        // The same login configuration is installed on this module (wrapped in a
        // decorator) and on the web bundle descriptor.
        LoginConfigDecorator decorator = new LoginConfigDecorator(loginConf);
        setLoginConfig(decorator);
        getWebBundleDescriptor().setLoginConfiguration(loginConf);
    }
    // assumes getSecurityConstraints() and getWebResourceCollection() never return
    // null; neither is null-checked, unlike the http-method lists below — TODO confirm
    Set<org.glassfish.embeddable.web.config.SecurityConstraint> securityConstraints = config.getSecurityConstraints();
    for (org.glassfish.embeddable.web.config.SecurityConstraint sc : securityConstraints) {
        com.sun.enterprise.deployment.web.SecurityConstraint securityConstraint = new SecurityConstraintImpl();
        Set<org.glassfish.embeddable.web.config.WebResourceCollection> wrcs = sc.getWebResourceCollection();
        for (org.glassfish.embeddable.web.config.WebResourceCollection wrc : wrcs) {
            WebResourceCollectionImpl webResourceColl = new WebResourceCollectionImpl();
            // The collection's name is stored as the display name of the descriptor object.
            webResourceColl.setDisplayName(wrc.getName());
            for (String urlPattern : wrc.getUrlPatterns()) {
                webResourceColl.addUrlPattern(urlPattern);
            }
            securityConstraint.addWebResourceCollection(webResourceColl);
            AuthorizationConstraintImpl ac = null;
            if (sc.getAuthConstraint() != null && sc.getAuthConstraint().length > 0) {
                ac = new AuthorizationConstraintImpl();
                for (String roleName : sc.getAuthConstraint()) {
                    // Each role is registered on the descriptor and on the constraint.
                    Role role = new Role(roleName);
                    getWebBundleDescriptor().addRole(role);
                    ac.addSecurityRole(roleName);
                }
            } else {
                // DENY
                // A null or empty role array still installs an authorization
                // constraint, one with no roles. Per the marker above this is meant
                // to deny access, so a constraint supplied without roles does not
                // leave its URL patterns open.
                ac = new AuthorizationConstraintImpl();
            }
            securityConstraint.setAuthorizationConstraint(ac);
            UserDataConstraint udc = new UserDataConstraintImpl();
            // Only CONFIDENTIAL is carried over; every other value, including null,
            // becomes NONE_TRANSPORT.
            // NOTE(review): if TransportGuarantee defines an integrity-only level it
            // is downgraded to no transport guarantee here — confirm this is intended.
            udc.setTransportGuarantee(((sc.getDataConstraint() == TransportGuarantee.CONFIDENTIAL) ? UserDataConstraint.CONFIDENTIAL_TRANSPORT : UserDataConstraint.NONE_TRANSPORT));
            securityConstraint.setUserDataConstraint(udc);
            if (wrc.getHttpMethods() != null) {
                for (String httpMethod : wrc.getHttpMethods()) {
                    webResourceColl.addHttpMethod(httpMethod);
                }
            }
            if (wrc.getHttpMethodOmissions() != null) {
                for (String httpMethod : wrc.getHttpMethodOmissions()) {
                    webResourceColl.addHttpMethodOmission(httpMethod);
                }
            }
            // NOTE(review): the two calls below sit inside the per-collection loop.
            // The same constraint object is therefore handed to the descriptor once
            // per collection, and a constraint with no collections is never added.
            // Whether repeated registration creates duplicates depends on code not
            // shown here — confirm.
            getWebBundleDescriptor().addSecurityConstraint(securityConstraint);
            TomcatDeploymentConfig.configureSecurityConstraint(this, getWebBundleDescriptor());
        }
    }
    if (pipeline != null) {
        // NOTE(review): both tests below name java.net.Authenticator, the JDK class
        // for network authentication callbacks, rather than a container authenticator
        // type. This looks unintended. If no valve extends that JDK class, nothing is
        // removed and authenticator valves installed earlier stay in the pipeline
        // after the login configuration changes — confirm against the valve types in use.
        GlassFishValve basic = pipeline.getBasic();
        if ((basic != null) && (basic instanceof java.net.Authenticator)) {
            removeValve(basic);
        }
        GlassFishValve[] valves = pipeline.getValves();
        for (GlassFishValve valve : valves) {
            if (valve instanceof java.net.Authenticator) {
                removeValve(valve);
            }
        }
    }
    // Re-initialize the realm against the updated descriptor, then set it again on
    // this module. A realm that is not a RealmInitializer is left untouched.
    if (realm != null && realm instanceof RealmInitializer) {
        // assumes parent is a VirtualServer; the cast is unchecked — TODO confirm
        ((RealmInitializer) realm).initializeRealm(this.getWebBundleDescriptor(), false, ((VirtualServer) parent).getAuthRealmName());
        ((RealmInitializer) realm).setVirtualServer(getParent());
        ((RealmInitializer) realm).updateWebSecurityManager();
        setRealm(realm);
    }
}
use of org.glassfish.web.deployment.descriptor.SecurityConstraintImpl in project Payara by payara.
the class WebSecurityRoleName method check.
/**
* The Web role-name element contains the name of a security role.
*
* @param descriptor the Web deployment descriptor
*
* @return <code>Result</code> the results for this assertion
*/
public Result check(WebBundleDescriptor descriptor) {
    // Verifier assertion for <role-name> inside an authorization constraint:
    // every role listed must have a non-empty name. The test looks at the
    // length of the name only; it does not check that the role is declared
    // anywhere else in the descriptor.
    //
    // NOTE(review): an authorization constraint that lists no roles is counted
    // as "not applicable" here, not as a finding. Reviewers who rely on this
    // report should check such constraints by hand, since an empty role list
    // changes who may reach the protected resources.
    Result result = getInitializedResult();
    ComponentNameConstructor compName = getVerifierContext().getComponentNameConstructor();

    // No security constraints at all: the assertion does not apply.
    if (!descriptor.getSecurityConstraints().hasMoreElements()) {
        result.addNaDetails(smh.getLocalString("tests.componentNameConstructor", "For [ {0} ]", new Object[] { compName.toString() }));
        result.notApplicable(smh.getLocalString(getClass().getName() + ".notApplicable", "There are no role-name elements within the web archive [ {0} ]", new Object[] { descriptor.getName() }));
        return result;
    }

    boolean sawBlankRole = false;
    int constraintsSeen = 0;
    int constraintsWithoutAuth = 0;
    int authConstraintsSeen = 0;
    int authConstraintsWithoutRoles = 0;

    Enumeration constraints = descriptor.getSecurityConstraints();
    while (constraints.hasMoreElements()) {
        constraintsSeen++;
        SecurityConstraintImpl constraint = (SecurityConstraintImpl) constraints.nextElement();
        AuthorizationConstraintImpl authConstraint = (AuthorizationConstraintImpl) constraint.getAuthorizationConstraint();

        // Constraint without an authorization constraint: nothing to check.
        if (authConstraint == null) {
            result.addNaDetails(smh.getLocalString("tests.componentNameConstructor", "For [ {0} ]", new Object[] { compName.toString() }));
            result.notApplicable(smh.getLocalString(getClass().getName() + ".notApplicable2", "Not Applicable: There is no authorization constraint in this security constraint within [ {0} ]", new Object[] { descriptor.getName() }));
            constraintsWithoutAuth++;
            continue;
        }

        authConstraintsSeen++;

        // Authorization constraint without roles: recorded as not applicable.
        if (!authConstraint.getSecurityRoles().hasMoreElements()) {
            result.addNaDetails(smh.getLocalString("tests.componentNameConstructor", "For [ {0} ]", new Object[] { compName.toString() }));
            result.notApplicable(smh.getLocalString(getClass().getName() + ".notApplicable1", "Not Applicable: There are no security roles in this security constraint within [ {0} ]", new Object[] { descriptor.getName() }));
            authConstraintsWithoutRoles++;
            continue;
        }

        Enumeration roles = authConstraint.getSecurityRoles();
        while (roles.hasMoreElements()) {
            SecurityRoleDescriptor roleDescriptor = (SecurityRoleDescriptor) roles.nextElement();
            String roleName = roleDescriptor.getName();

            if (roleName.length() == 0) {
                // A blank role name fails the whole assertion.
                sawBlankRole = true;
                result.addErrorDetails(smh.getLocalString("tests.componentNameConstructor", "For [ {0} ]", new Object[] { compName.toString() }));
                result.addErrorDetails(smh.getLocalString(getClass().getName() + ".failed", "Error: The security role name [ {0} ] not found within web application [ {1} ]", new Object[] { roleName, descriptor.getName() }));
                continue;
            }

            result.addGoodDetails(smh.getLocalString("tests.componentNameConstructor", "For [ {0} ]", new Object[] { compName.toString() }));
            result.addGoodDetails(smh.getLocalString(getClass().getName() + ".passed", "The security role name [ {0} ] found within web application [ {1} ]", new Object[] { roleName, descriptor.getName() }));
        }
    }

    // Failure wins; otherwise not applicable when no constraint had an
    // authorization constraint or no authorization constraint had roles.
    if (sawBlankRole) {
        result.setStatus(Result.FAILED);
    } else if ((constraintsSeen == constraintsWithoutAuth) || (authConstraintsSeen == authConstraintsWithoutRoles)) {
        result.setStatus(Result.NOT_APPLICABLE);
    } else {
        result.setStatus(Result.PASSED);
    }
    return result;
}
use of org.glassfish.web.deployment.descriptor.SecurityConstraintImpl in project Payara by payara.
the class TransportGuarantee method check.
/**
* The transport-guarantee element specifies that the communication between
* client and server should be "NONE", "INTEGRAL", or "CONFIDENTIAL".
*
* @param descriptor the Web deployment descriptor
*
* @return <code>Result</code> the results for this assertion
*/
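public Result check(WebBundleDescriptor descriptor) {
    // Verifier assertion for <transport-guarantee>: the value of every user
    // data constraint must be exactly "NONE", "INTEGRAL" or "CONFIDENTIAL".
    //
    // Changes from the previous version:
    //  - the default pass/fail messages listed "SECURE", which this check
    //    rejects, and omitted "INTEGRAL", which it accepts; they now name the
    //    three values that are actually compared;
    //  - a null value is reported as a failure instead of raising a
    //    NullPointerException.
    //
    // NOTE(review): this is a syntax check. "NONE" is a valid value, so a
    // PASSED result does not mean that an encrypted transport is required for
    // the constrained resources.
    Result result = getInitializedResult();
    ComponentNameConstructor compName = getVerifierContext().getComponentNameConstructor();

    // No security constraints at all: the assertion does not apply.
    if (!descriptor.getSecurityConstraints().hasMoreElements()) {
        result.addNaDetails(smh.getLocalString("tests.componentNameConstructor", "For [ {0} ]", new Object[] { compName.toString() }));
        result.notApplicable(smh.getLocalString(getClass().getName() + ".notApplicable", "There are no transport-guarantee elements within the web archive [ {0} ]", new Object[] { descriptor.getName() }));
        return result;
    }

    boolean oneFailed = false;
    int na = 0;   // constraints without a user data constraint
    int noSc = 0; // security constraints seen

    // Walk the security constraints declared in this .war.
    for (Enumeration e = descriptor.getSecurityConstraints(); e.hasMoreElements(); ) {
        noSc++;
        SecurityConstraintImpl securityConstraintImpl = (SecurityConstraintImpl) e.nextElement();
        UserDataConstraintImpl userDataConstraint = (UserDataConstraintImpl) securityConstraintImpl.getUserDataConstraint();

        if (userDataConstraint == null) {
            result.addNaDetails(smh.getLocalString("tests.componentNameConstructor", "For [ {0} ]", new Object[] { compName.toString() }));
            result.addNaDetails(smh.getLocalString(getClass().getName() + ".notApplicable1", "There are no transport-guarantee elements within the web application [ {0} ]", new Object[] { descriptor.getName() }));
            na++;
            continue;
        }

        String transportGuarantee = userDataConstraint.getTransportGuarantee();
        // Literal-first comparison: null and the empty string simply fail the test.
        boolean valid = "NONE".equals(transportGuarantee)
                || "INTEGRAL".equals(transportGuarantee)
                || "CONFIDENTIAL".equals(transportGuarantee);

        if (valid) {
            result.addGoodDetails(smh.getLocalString("tests.componentNameConstructor", "For [ {0} ]", new Object[] { compName.toString() }));
            result.addGoodDetails(smh.getLocalString(getClass().getName() + ".passed", "transport-guarantee [ {0} ] specifies that the communication between client and server should be one of \"NONE\", \"INTEGRAL\", or \"CONFIDENTIAL\" within web application [ {1} ]", new Object[] { transportGuarantee, descriptor.getName() }));
        } else {
            oneFailed = true;
            result.addErrorDetails(smh.getLocalString("tests.componentNameConstructor", "For [ {0} ]", new Object[] { compName.toString() }));
            result.addErrorDetails(smh.getLocalString(getClass().getName() + ".failed", "Error: transport-guarantee [ {0} ] does not specify that the communication between client and server is one of \"NONE\", \"INTEGRAL\", or \"CONFIDENTIAL\" within web application [ {1} ]", new Object[] { transportGuarantee, descriptor.getName() }));
        }
    }

    // Failure wins; otherwise not applicable when no constraint carried a
    // user data constraint.
    if (oneFailed) {
        result.setStatus(Result.FAILED);
    } else if (na == noSc) {
        result.setStatus(Result.NOT_APPLICABLE);
    } else {
        result.setStatus(Result.PASSED);
    }
    return result;
}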