org.eclipse.jetty.security.ConstraintMapping Java Examples

protected ConstraintSecurityHandler configureCommonAuthentication(String constraintName,
    String[] allowedRoles, Authenticator authenticator, String realm,
    LoginService loginService) {

  Constraint constraint = new Constraint();
  constraint.setName(constraintName);
  constraint.setRoles(allowedRoles);
  // This is telling Jetty to not allow unauthenticated requests through (very important!)
  constraint.setAuthenticate(true);

  ConstraintMapping cm = new ConstraintMapping();
  cm.setConstraint(constraint);
  cm.setPathSpec("/*");

  ConstraintSecurityHandler sh = new ConstraintSecurityHandler();
  sh.setAuthenticator(authenticator);
  sh.setLoginService(loginService);
  sh.setConstraintMappings(new ConstraintMapping[]{cm});
  sh.setRealmName(realm);

  return sh;
}
 

@Override
protected SecurityHandler buildSecurityHandler()
{
    if( constraintServices != null )
    {
        ConstraintSecurityHandler securityHandler = new ConstraintSecurityHandler();
        for( ConstraintService eachConstraintService : constraintServices )
        {
            ConstraintMapping csMapping = eachConstraintService.buildConstraintMapping();
            if( csMapping != null )
            {
                securityHandler.addConstraintMapping( csMapping );
            }
        }
        if( !securityHandler.getConstraintMappings().isEmpty() )
        {
            return securityHandler;
        }
    }
    return super.buildSecurityHandler();
}
 

private void addServlet(final Servlet servlet, final String path, WebPermission... permissions) {
  servletContextHandler.addServlet(new ServletHolder(servlet), path);
  if (permissions != null && permissions.length > 0) {
    for (WebPermission p : permissions) {
      Constraint constraint = getConstraintForPermission(p);
      ConstraintMapping mapping = new ConstraintMapping();
      mapping.setPathSpec(servletContextHandler.getContextPath() + path);
      mapping.setConstraint(constraint);
      if (p.hasMethod()) {
        mapping.setMethod(p.getMethod().name());
      }
      constraintMappings.add(mapping);
    }
  }

  LOGGER.info("Servlet added on path {}", path);
}
 

@Test
public void shouldCreateUnsecuredPathConstraints() {
  // Given:
  config = restConfigWith(ImmutableMap.of(
      RestConfig.AUTHENTICATION_SKIP_PATHS, "/path/1,/path/2"));

  // When:
  final List<ConstraintMapping> mappings = AuthUtil.createUnsecuredConstraints(config);

  // Then:
  assertThat(mappings.size(), is(2));
  assertThat(mappings.get(0).getMethod(), is("*"));
  assertThat(mappings.get(0).getPathSpec(), is("/path/1"));
  assertThat(mappings.get(0).getConstraint().getAuthenticate(), is(false));
  assertThat(mappings.get(1).getMethod(), is("*"));
  assertThat(mappings.get(1).getPathSpec(), is("/path/2"));
  assertThat(mappings.get(1).getConstraint().getAuthenticate(), is(false));
}
 

@Produces
@Named("securityHandler")
public static ConstraintSecurityHandler createSecurityHandler() {
    Constraint constraint = new Constraint("BASIC", "customer");
    constraint.setAuthenticate(true);

    ConstraintMapping mapping = new ConstraintMapping();
    mapping.setConstraint(constraint);
    mapping.setPathSpec("/*");

    ConstraintSecurityHandler handler = new ConstraintSecurityHandler();
    handler.addConstraintMapping(mapping);
    handler.setAuthenticator(new BasicAuthenticator());
    handler.setLoginService(new HashLoginService("RiderAutoParts", "src/main/resources/users.properties"));

    return handler;
}
 

@Test
public void testSetUnsecurePathConstraintsWithUnSecure() {
  final Map<String, Object> config = ImmutableMap.of(
      RestConfig.AUTHENTICATION_SKIP_PATHS, "/path/1,/path/2");

  ConstraintSecurityHandler securityHandler = new TestApp(config).createBasicSecurityHandler();

  final List<ConstraintMapping> mappings = securityHandler.getConstraintMappings();
  assertThat(mappings.size(), is(3));
  assertThat(mappings.get(0).getPathSpec(), is("/*"));
  assertThat(mappings.get(0).getConstraint().getAuthenticate(), is(true));
  assertThat(mappings.get(1).getPathSpec(), is("/path/1"));
  assertThat(mappings.get(1).getConstraint().getAuthenticate(), is(false));
  assertThat(mappings.get(2).getPathSpec(), is("/path/2"));
  assertThat(mappings.get(2).getConstraint().getAuthenticate(), is(false));
}
 

/**
 * Add constraints to a Jetty Context to disallow undesirable Http methods.
 * @param ctxHandler The context to modify
 * @param allowOptionsMethod if true then OPTIONS method will not be set in constraint mapping
 */
public static void constrainHttpMethods(ServletContextHandler ctxHandler,
    boolean allowOptionsMethod) {
  Constraint c = new Constraint();
  c.setAuthenticate(true);

  ConstraintMapping cmt = new ConstraintMapping();
  cmt.setConstraint(c);
  cmt.setMethod("TRACE");
  cmt.setPathSpec("/*");

  ConstraintSecurityHandler securityHandler = new ConstraintSecurityHandler();

  if (!allowOptionsMethod) {
    ConstraintMapping cmo = new ConstraintMapping();
    cmo.setConstraint(c);
    cmo.setMethod("OPTIONS");
    cmo.setPathSpec("/*");
    securityHandler.setConstraintMappings(new ConstraintMapping[] { cmt, cmo });
  } else {
    securityHandler.setConstraintMappings(new ConstraintMapping[] { cmt });
  }

  ctxHandler.setSecurityHandler(securityHandler);
}
 

private void addBasicAuth(Server server) {
    
    ConstraintSecurityHandler security = new ConstraintSecurityHandler();
    security.setAuthenticator(new BasicAuthenticator());

    Constraint constraint = new Constraint();
    constraint.setAuthenticate(true);
    constraint.setRoles(ROLES);
    ConstraintMapping mapping = new ConstraintMapping();
    mapping.setPathSpec("/*");
    mapping.setConstraint(constraint);
    security.setConstraintMappings(Collections.singletonList(mapping));

    HashLoginService loginService = new HashLoginService();
    loginService.setUserStore(buildUserStore());
    server.addBean(loginService);
    security.setLoginService(loginService);

    security.setHandler(server.getHandler());
    server.setHandler(security);
}
 

public InMemoryIdentityManager() {
	loginService = new HashLoginService();
	loginService.setName(realm);

	securityHandler = new ConstraintSecurityHandler();
	securityHandler.setAuthenticator(new BasicAuthenticator());
	securityHandler.setRealmName(realm);
	securityHandler.setLoginService(loginService);

	Constraint constraint = new Constraint();
	constraint.setName(Constraint.__BASIC_AUTH);
	//		constraint.setRoles(new String[] { "getRole", "postRole", "allRole" });
	constraint.setRoles(new String[]{Constraint.ANY_AUTH, "getRole", "postRole", "allRole"});
	constraint.setAuthenticate(true);

	ConstraintMapping cm = new ConstraintMapping();
	cm.setConstraint(constraint);
	cm.setPathSpec("/*");
	securityHandler.addConstraintMapping(cm);
}
 

@Override
public void accept(final ServletContextHandler context) {
  final List<String> roles = config.getList(RestConfig.AUTHENTICATION_ROLES_CONFIG);
  final Constraint constraint = new Constraint();
  constraint.setAuthenticate(true);
  constraint.setRoles(roles.toArray(new String[0]));

  final ConstraintMapping constraintMapping = new ConstraintMapping();
  constraintMapping.setConstraint(constraint);
  constraintMapping.setMethod("*");
  constraintMapping.setPathSpec("/*");

  final ConstraintSecurityHandler securityHandler = new ConstraintSecurityHandler();
  securityHandler.addConstraintMapping(constraintMapping);
  securityHandler.setAuthenticator(new BasicAuthenticator());
  securityHandler.setLoginService(new TestLoginService());
  securityHandler.setRealmName("TestRealm");

 context.setSecurityHandler(securityHandler);
}
 

/**
 * Build a secure or unsecure constraint using standard RestConfig for a path.
 *
 * @param restConfig the rest app's config.
 * @param authenticate authentication flag.
 * @param pathSpec path for constraint.
 * @return the constraint mapping.
 */
private static ConstraintMapping createConstraint(
    final RestConfig restConfig,
    final boolean authenticate,
    final String pathSpec
) {
  final Constraint constraint = new Constraint();
  constraint.setAuthenticate(authenticate);
  if (authenticate) {
    final List<String> roles = restConfig.getList(RestConfig.AUTHENTICATION_ROLES_CONFIG);
    constraint.setRoles(roles.toArray(new String[0]));
  }

  final ConstraintMapping mapping = new ConstraintMapping();
  mapping.setConstraint(constraint);
  mapping.setMethod("*");
  if (authenticate && AuthUtil.isCorsEnabled(restConfig)) {
    mapping.setMethodOmissions(new String[]{"OPTIONS"});
  }
  mapping.setPathSpec(pathSpec);
  return mapping;
}
 

protected void addConstraintMapping(WebContainer service, ConstraintMapping constraintMapping) {
    Constraint constraint = constraintMapping.getConstraint();
    String[] roles = constraint.getRoles();
    // name property is unavailable on constraint object :/

    String name = "Constraint-" + new SecureRandom().nextInt(Integer.MAX_VALUE);

    int dataConstraint = constraint.getDataConstraint();
    String dataConstraintStr;
    switch (dataConstraint) {
        case Constraint.DC_UNSET: dataConstraintStr = null; break;
        case Constraint.DC_NONE: dataConstraintStr = "NONE"; break;
        case Constraint.DC_CONFIDENTIAL: dataConstraintStr = "CONFIDENTIAL"; break;
        case Constraint.DC_INTEGRAL: dataConstraintStr = "INTEGRAL"; break;
        default:
            log.warnv("Unknown data constraint: " + dataConstraint);
            dataConstraintStr = "CONFIDENTIAL";
    }
    List<String> rolesList = Arrays.asList(roles);

    log.debug("Adding security constraint name=" + name + ", url=" + constraintMapping.getPathSpec() + ", dataConstraint=" + dataConstraintStr + ", canAuthenticate="
    + constraint.getAuthenticate() + ", roles=" + rolesList);
    service.registerConstraintMapping(name, constraintMapping.getPathSpec(), null, dataConstraintStr, constraint.getAuthenticate(), rolesList, httpContext);
}
 

private static SecurityHandler basicAuth(String username, String password, String realm) {
    HashLoginService loginService = new HashLoginService();
    loginService.putUser(username, Credential.getCredential(password), new String[]{"user"});
    loginService.setName(realm);

    Constraint constraint = new Constraint();
    constraint.setName(Constraint.__DIGEST_AUTH);
    constraint.setRoles(new String[]{"user"});
    constraint.setAuthenticate(true);

    ConstraintMapping constraintMapping = new ConstraintMapping();
    constraintMapping.setConstraint(constraint);
    constraintMapping.setPathSpec("/*");

    ConstraintSecurityHandler csh = new ConstraintSecurityHandler();
    csh.setAuthenticator(new BasicAuthenticator());
    csh.setRealmName("realm");
    csh.addConstraintMapping(constraintMapping);
    csh.setLoginService(loginService);
    return csh;
}
 

protected void addConstraintMapping(WebContainer service, ConstraintMapping constraintMapping) {
    Constraint constraint = constraintMapping.getConstraint();
    String[] roles = constraint.getRoles();
    // name property is unavailable on constraint object :/

    String name = "Constraint-" + new SecureRandom().nextInt(Integer.MAX_VALUE);

    int dataConstraint = constraint.getDataConstraint();
    String dataConstraintStr;
    switch (dataConstraint) {
        case Constraint.DC_UNSET: dataConstraintStr = null; break;
        case Constraint.DC_NONE: dataConstraintStr = "NONE"; break;
        case Constraint.DC_CONFIDENTIAL: dataConstraintStr = "CONFIDENTIAL"; break;
        case Constraint.DC_INTEGRAL: dataConstraintStr = "INTEGRAL"; break;
        default:
            log.warnv("Unknown data constraint: " + dataConstraint);
            dataConstraintStr = "CONFIDENTIAL";
    }
    List<String> rolesList = Arrays.asList(roles);

    log.debug("Adding security constraint name=" + name + ", url=" + constraintMapping.getPathSpec() + ", dataConstraint=" + dataConstraintStr + ", canAuthenticate="
    + constraint.getAuthenticate() + ", roles=" + rolesList);
    service.registerConstraintMapping(name, constraintMapping.getPathSpec(), null, dataConstraintStr, constraint.getAuthenticate(), rolesList, httpContext);
}
 

@Test
public void shouldCreateGlobalConstraintWithOptionsOmittedForCor() {
  // Given:
  config = restConfigWith(ImmutableMap.of(
      RestConfig.ACCESS_CONTROL_ALLOW_ORIGIN_CONFIG, "something"));

  // When:
  final ConstraintMapping mapping = AuthUtil.createGlobalAuthConstraint(config);

  // Then:
  assertThat(mapping.getMethodOmissions(), is(new String[]{"OPTIONS"}));
}
 

@Test
public void shouldCreateGlobalConstraintWithNoMethodsOmittedForNonCor() {
  // Given:
  config = restConfigWith(ImmutableMap.of(
      RestConfig.ACCESS_CONTROL_ALLOW_ORIGIN_CONFIG, ""));

  // When:
  final ConstraintMapping mapping = AuthUtil.createGlobalAuthConstraint(config);

  // Then:
  assertThat(mapping.getMethodOmissions(), is(nullValue()));
}
 

/**
 * Build constraints for any unsecured paths defined in standard RestConfig.
 *
 * @param restConfig the rest app's config.
 * @return the list of constraint mappings.
 */
public static List<ConstraintMapping> createUnsecuredConstraints(final RestConfig restConfig) {
  final List<String> unsecuredPaths = restConfig.getList(RestConfig.AUTHENTICATION_SKIP_PATHS);

  return unsecuredPaths.stream()
      .map(p -> createConstraint(restConfig, false, p))
      .collect(Collectors.toList());
}
 

@Test
public void shouldCreateGlobalConstraintToCoverAllMethods() {
  // When:
  final ConstraintMapping mapping = AuthUtil.createGlobalAuthConstraint(config);

  // Then:
  assertThat(mapping.getMethod(), is("*"));
}
 

@Test
public void shouldCreateGlobalConstraintToCoverAllPaths() {
  // When:
  final ConstraintMapping mapping = AuthUtil.createGlobalAuthConstraint(config);

  // Then:
  assertThat(mapping.getPathSpec(), is("/*"));
}
 

@Override
protected void run() {
    server = new Server(PORT);

    HashLoginService loginService = new HashLoginService();
    loginService.setName("My Realm");
    UserStore userStore = new UserStore();
    String[] roles = new String[] {"user"};
    userStore.addUser(USER, Credential.getCredential(PWD), roles);
    loginService.setUserStore(userStore);

    Constraint constraint = new Constraint();
    constraint.setName(Constraint.__DIGEST_AUTH);
    constraint.setRoles(roles);
    constraint.setAuthenticate(true);

    ConstraintMapping cm = new ConstraintMapping();
    cm.setConstraint(constraint);
    cm.setPathSpec("/*");

    ConstraintSecurityHandler csh = new ConstraintSecurityHandler();
    csh.setAuthenticator(new DigestAuthenticator());
    csh.addConstraintMapping(cm);
    csh.setLoginService(loginService);

    ServletContextHandler context = new ServletContextHandler(ServletContextHandler.SESSIONS);
    context.setSecurityHandler(csh);
    context.setContextPath("/");
    server.setHandler(context);
    context.addServlet(new ServletHolder(new TestServlet()), "/*");

    try {
        server.start();
    } catch (Exception e) {
        throw new RuntimeException(e);
    }
}
 

@Test
public void shouldCreateGlobalConstraintWithAuthRequired() {
  // When:
  final ConstraintMapping mapping = AuthUtil.createGlobalAuthConstraint(config);

  // Then:
  assertThat(mapping.getConstraint().getAuthenticate(), is(true));
}
 

@Test
public void shouldDefaultToCreatingGlobalConstraintWithAnyRole() {
  // When:
  final ConstraintMapping mapping = AuthUtil.createGlobalAuthConstraint(config);

  // Then:
  assertThat(mapping.getConstraint().isAnyRole(), is(true));
  assertThat(mapping.getConstraint().isAnyAuth(), is(false));
  assertThat(mapping.getConstraint().getRoles(), is(new String[]{"*"}));
}
 

@Test
public void shouldCreateGlobalConstraintWithRoles() {
  // Given:
  config = restConfigWith(ImmutableMap.of(
      RestConfig.AUTHENTICATION_ROLES_CONFIG, " r1 , r2 "));

  // When:
  final ConstraintMapping mapping = AuthUtil.createGlobalAuthConstraint(config);

  // Then:
  assertThat(mapping.getConstraint().isAnyRole(), is(false));
  assertThat(mapping.getConstraint().getRoles(), is(new String[]{"r1","r2"}));
}
 

@Test
public void shouldCreateGlobalConstraintWithNoRoles() {
  // Given:
  config = restConfigWith(ImmutableMap.of(
      RestConfig.AUTHENTICATION_ROLES_CONFIG, "*"));

  // When:
  final ConstraintMapping mapping = AuthUtil.createGlobalAuthConstraint(config);

  // Then:
  assertThat(mapping.getConstraint().isAnyRole(), is(true));
  assertThat(mapping.getConstraint().getRoles(), is(new String[]{"*"}));
}
 

@Test
public void shouldCreateNoUnsecuredPathConstraints() {
  // Given:
  config = restConfigWith(ImmutableMap.of(
      RestConfig.AUTHENTICATION_SKIP_PATHS, ""));

  // When:
  final List<ConstraintMapping> mappings = AuthUtil.createUnsecuredConstraints(config);

  // Then:
  assertThat(mappings.size(), is(0));
}
 

@Test
public void shouldCreateUnsecuredPathConstraint() {
  // Given:
  config = restConfigWith(ImmutableMap.of());

  // When:
  final ConstraintMapping mappings =
      AuthUtil.createUnsecuredConstraint(config, "/path/*");

  // Then:
  assertThat(mappings.getMethod(), is("*"));
  assertThat(mappings.getPathSpec(), is("/path/*"));
  assertThat(mappings.getConstraint().getAuthenticate(), is(false));
}
 

@Test
public void shouldCreateSecuredPathConstraint() {
  // Given:
  config = restConfigWith(ImmutableMap.of());

  // When:
  final ConstraintMapping mappings =
      AuthUtil.createSecuredConstraint(config, "/path/*");

  // Then:
  assertThat(mappings.getMethod(), is("*"));
  assertThat(mappings.getPathSpec(), is("/path/*"));
  assertThat(mappings.getConstraint().getAuthenticate(), is(true));
}
 

public static void main(String args[]) throws Exception {
	org.eclipse.jetty.server.Server adminServer = new org.eclipse.jetty.server.Server();
	ServerConnector connector = new ServerConnector(adminServer);
	connector.setPort(8083);
	adminServer.setConnectors(new Connector[]{ connector });
	
	Constraint constraint = new Constraint();
	constraint.setName(Constraint.__BASIC_AUTH);
	constraint.setRoles(new String[] {"admin_role"});
	constraint.setAuthenticate(true);
	
	ConstraintMapping cm = new ConstraintMapping();
	cm.setConstraint(constraint);
	cm.setPathSpec("/*");
	
	HashLoginService loginService = new HashLoginService("Please enter Chipster Admin username and password");
	loginService.update("chipster", 
			new Password("chipster"), 
			new String[] {"admin_role"});
	
	ConstraintSecurityHandler sh = new ConstraintSecurityHandler();
	sh.setLoginService(loginService);
	sh.addConstraintMapping(cm);
	
	WebAppContext context = new WebAppContext();
	File war = new File("../chipster/dist/admin-web.war");
	//File war = new File("webapps/admin-web.war");
	context.setWar(war.getAbsolutePath());
	System.out.println(war.getAbsolutePath());
       context.setContextPath("/");
			
       context.setHandler(sh);
	HandlerCollection handlers = new HandlerCollection();
	handlers.setHandlers(new Handler[] {context, new DefaultHandler()});
			
	adminServer.setHandler(handlers);
       adminServer.start();
}
 

@Override
public boolean addConstraintMapping(HttpContext httpContext, WebContainer service, Object cm) {
    if (cm instanceof ConstraintMapping) {
        ConstraintMapping constraintMapping = (ConstraintMapping) cm;
        Constraint constraint = constraintMapping.getConstraint();
        String[] roles = constraint.getRoles();
        // name property is unavailable on constraint object :/

        String name = "Constraint-" + new SecureRandom().nextInt(Integer.MAX_VALUE);

        int dataConstraint = constraint.getDataConstraint();
        String dataConstraintStr;
        switch (dataConstraint) {
            case Constraint.DC_UNSET:
                dataConstraintStr = null;
                break;
            case Constraint.DC_NONE:
                dataConstraintStr = "NONE";
                break;
            case Constraint.DC_CONFIDENTIAL:
                dataConstraintStr = "CONFIDENTIAL";
                break;
            case Constraint.DC_INTEGRAL:
                dataConstraintStr = "INTEGRAL";
                break;
            default:
                log.warnv("Unknown data constraint: " + dataConstraint);
                dataConstraintStr = "CONFIDENTIAL";
        }
        List<String> rolesList = Arrays.asList(roles);

        log.debug("Adding security constraint name=" + name + ", url=" + constraintMapping.getPathSpec() + ", dataConstraint=" + dataConstraintStr + ", canAuthenticate="
                + constraint.getAuthenticate() + ", roles=" + rolesList);
        service.registerConstraintMapping(name, constraintMapping.getPathSpec(), null, dataConstraintStr, constraint.getAuthenticate(), rolesList, httpContext);
        return true;
    }
    return false;
}
 

public boolean addConstraintMapping(HttpContext httpContext, WebContainer service, Object cm) {
    if (cm instanceof ConstraintMapping) {
        ConstraintMapping constraintMapping = (ConstraintMapping) cm;
        Constraint constraint = constraintMapping.getConstraint();
        String[] roles = constraint.getRoles();
        // name property is unavailable on constraint object :/

        String name = "Constraint-" + new SecureRandom().nextInt(Integer.MAX_VALUE);

        int dataConstraint = constraint.getDataConstraint();
        String dataConstraintStr;
        switch (dataConstraint) {
            case Constraint.DC_UNSET:
                dataConstraintStr = null;
                break;
            case Constraint.DC_NONE:
                dataConstraintStr = "NONE";
                break;
            case Constraint.DC_CONFIDENTIAL:
                dataConstraintStr = "CONFIDENTIAL";
                break;
            case Constraint.DC_INTEGRAL:
                dataConstraintStr = "INTEGRAL";
                break;
            default:
                log.warnv("Unknown data constraint: " + dataConstraint);
                dataConstraintStr = "CONFIDENTIAL";
        }
        List<String> rolesList = Arrays.asList(roles);

        log.debug("Adding security constraint name=" + name + ", url=" + constraintMapping.getPathSpec() + ", dataConstraint=" + dataConstraintStr + ", canAuthenticate="
                + constraint.getAuthenticate() + ", roles=" + rolesList);
        service.registerConstraintMapping(name, constraintMapping.getPathSpec(), null, dataConstraintStr, constraint.getAuthenticate(), rolesList, httpContext);
        return true;
    }
    return false;
}