javax.servlet.ServletSecurityElement Java Examples

The following examples show how to use javax.servlet.ServletSecurityElement. You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example #1
Source File: StandardWrapper.java    From Tomcat7.0.67 with Apache License 2.0 6 votes vote down vote up
/**
 * Reads the {@link ServletSecurity} annotation declared on the given servlet
 * class and, when present, registers it with the parent context as a
 * security constraint for this wrapper.
 *
 * @param clazz the servlet class to inspect for {@code @ServletSecurity}
 */
private void processServletSecurityAnnotation(Class<?> clazz) {
    // Clear the flag up front; running the scan twice is harmless, so no
    // synchronisation is used.
    servletSecurityAnnotationScanRequired = false;

    Context parentContext = (Context) getParent();
    if (parentContext.getIgnoreAnnotations()) {
        // Annotation processing is disabled for this context, so a
        // @ServletSecurity on the class produces no constraint from here.
        return;
    }

    ServletSecurity declared = clazz.getAnnotation(ServletSecurity.class);
    if (declared == null) {
        return;
    }

    parentContext.addServletSecurity(
            new ApplicationServletRegistration(this, parentContext),
            new ServletSecurityElement(declared));
}
 
Example #2
Source File: ApplicationServletRegistration.java    From Tomcat7.0.67 with Apache License 2.0 6 votes vote down vote up
/**
 * Applies a programmatic security constraint to this servlet registration.
 *
 * @param constraint the constraint to apply; must not be {@code null}
 * @return whatever {@code context.addServletSecurity} returns for this
 *         registration
 * @throws IllegalArgumentException if {@code constraint} is {@code null}
 * @throws IllegalStateException if the context has left
 *         {@code STARTING_PREP}; constraints cannot be changed through this
 *         method after that point
 */
@Override
public Set<String> setServletSecurity(ServletSecurityElement constraint) {
    if (constraint == null) {
        String message = sm.getString(
                "applicationServletRegistration.setServletSecurity.iae",
                getName(), context.getName());
        throw new IllegalArgumentException(message);
    }

    // Only a context that is still being prepared may have constraints added.
    boolean configurable =
            context.getState().equals(LifecycleState.STARTING_PREP);
    if (!configurable) {
        String message = sm.getString(
                "applicationServletRegistration.setServletSecurity.ise",
                getName(), context.getName());
        throw new IllegalStateException(message);
    }

    return context.addServletSecurity(this, constraint);
}
 
Example #3
Source File: ApplicationServletRegistration.java    From Tomcat8-Source-Read with MIT License 6 votes vote down vote up
/**
 * Records the given constraint on this registration and hands it to the
 * context so it is applied to the servlet's mappings.
 *
 * @param constraint the constraint to apply; must not be {@code null}
 * @return whatever {@code context.addServletSecurity} returns for this
 *         registration
 * @throws IllegalArgumentException if {@code constraint} is {@code null}
 * @throws IllegalStateException if the context is no longer in
 *         {@code STARTING_PREP}
 */
@Override
public Set<String> setServletSecurity(ServletSecurityElement constraint) {
    if (constraint == null) {
        String message = sm.getString(
                "applicationServletRegistration.setServletSecurity.iae",
                getName(), context.getName());
        throw new IllegalArgumentException(message);
    }

    // Reject late changes: the field below is only written once both
    // checks have passed, so a rejected call leaves the old value intact.
    boolean configurable =
            context.getState().equals(LifecycleState.STARTING_PREP);
    if (!configurable) {
        String message = sm.getString(
                "applicationServletRegistration.setServletSecurity.ise",
                getName(), context.getName());
        throw new IllegalStateException(message);
    }

    this.constraint = constraint;
    return context.addServletSecurity(this, constraint);
}
 
Example #4
Source File: TestStandardContext.java    From Tomcat8-Source-Read with MIT License 6 votes vote down vote up
/**
 * Test initializer: registers a servlet at {@code /test} and constrains
 * only its POST method, deliberately leaving the other HTTP methods
 * uncovered.
 *
 * @param c   classes of interest to the initializer (unused here)
 * @param ctx the servlet context being started
 * @throws ServletException declared by the initializer contract
 */
@Override
public void onStartup(Set<Class<?>> c, ServletContext ctx)
        throws ServletException {
    // Register the test servlet and map it
    Servlet testServlet = new TesterServlet();
    ServletRegistration.Dynamic registration =
            ctx.addServlet("test", testServlet);
    registration.addMapping("/test");

    // Constrain POST only (role "tomcat", no transport guarantee). Every
    // other method on /test is uncovered by this constraint, which is the
    // condition this fixture exists to exercise. A real deployment would
    // normally close that gap, e.g. with deny-uncovered-http-methods.
    HttpConstraintElement postConstraint = new HttpConstraintElement(
            TransportGuarantee.NONE, "tomcat");
    Set<HttpMethodConstraintElement> methodConstraints = new HashSet<>();
    methodConstraints.add(
            new HttpMethodConstraintElement("POST", postConstraint));
    registration.setServletSecurity(
            new ServletSecurityElement(methodConstraints));
}
 
Example #5
Source File: AuthorizationPreInitializer.java    From piranha with BSD 3-Clause "New" or "Revised" License 6 votes vote down vote up
/**
 * Converts the servlet security elements stored on the servlet context
 * under {@code SECURITY_ELEMENTS} into security constraints.
 *
 * @param servletContext       the context holding the optional attribute
 * @param authorizationService not used by this method
 * @return the constraints built from every stored element, or {@code null}
 *         when the attribute is absent (callers must handle {@code null})
 * @throws ServletException declared by the method; not thrown by the code
 *         visible here
 */
public List<SecurityConstraint> getConstraintsFromSecurityElements(ServletContext servletContext, AuthorizationService authorizationService) throws ServletException {
    List<Entry<List<String>, ServletSecurityElement>> securityElements = getOptionalAttribute(servletContext, SECURITY_ELEMENTS);
    if (securityElements == null) {
        return null;
    }

    List<SecurityConstraint> collected = new ArrayList<>();
    for (Entry<List<String>, ServletSecurityElement> pair : securityElements) {
        // The entry key is passed on as a set; presumably these are the URL
        // patterns the element applies to. Confirm against the code that
        // stores the attribute.
        HashSet<String> keySet = new HashSet<>(pair.getKey());
        ServletSecurityElement element = pair.getValue();
        collected.addAll(ElementsToConstraintsTransformer.createConstraints(keySet, element));
    }
    return collected;
}
 
Example #6
Source File: ApplicationServletRegistration.java    From tomcatsrc with Apache License 2.0 6 votes vote down vote up
/**
 * Passes a programmatic security constraint for this servlet to the owning
 * context.
 *
 * @param constraint the security element to apply; {@code null} is rejected
 * @return the result of {@code context.addServletSecurity(this, constraint)}
 * @throws IllegalArgumentException when {@code constraint} is {@code null}
 * @throws IllegalStateException when the context state is anything other
 *         than {@code STARTING_PREP}
 */
@Override
public Set<String> setServletSecurity(ServletSecurityElement constraint) {
    // Guard 1: a missing constraint is a caller error.
    if (constraint == null) {
        final String iae = sm.getString(
                "applicationServletRegistration.setServletSecurity.iae",
                getName(), context.getName());
        throw new IllegalArgumentException(iae);
    }

    // Guard 2: the security configuration can only be changed while the
    // context is still in its preparation phase.
    if (!context.getState().equals(LifecycleState.STARTING_PREP)) {
        final String ise = sm.getString(
                "applicationServletRegistration.setServletSecurity.ise",
                getName(), context.getName());
        throw new IllegalStateException(ise);
    }

    Set<String> result = context.addServletSecurity(this, constraint);
    return result;
}
 
Example #7
Source File: LowTypedRealm.java    From tomee with Apache License 2.0 5 votes vote down vote up
/**
 * Obtains a map of {@link ServletSecurityElement}s through the reflective
 * {@code findSecurityConstraintsMethod} and converts each entry into
 * {@link SecurityConstraint}s.
 *
 * @param request the current request; its underlying request object is
 *                passed to the reflective call
 * @param context the context whose path is passed to the reflective call
 * @return all constraints created from the returned map, as an array
 */
@Override
public SecurityConstraint[] findSecurityConstraints(final Request request, final Context context) {
    // Unchecked cast: the shape of the reflective result is trusted here and
    // is not verified at runtime.
    final Map<String, ServletSecurityElement> elementsByKey = (Map<String, ServletSecurityElement>) invoke(findSecurityConstraintsMethod, request.getRequest(), context.getPath());

    final List<SecurityConstraint> collected = new ArrayList<SecurityConstraint>();
    for (final Map.Entry<String, ServletSecurityElement> pair : elementsByKey.entrySet()) {
        // The map key is handed to createConstraints as its second argument,
        // presumably the URL pattern. Confirm against the invoked method.
        final SecurityConstraint[] created = SecurityConstraint.createConstraints(pair.getValue(), pair.getKey());
        collected.addAll(Arrays.asList(created));
    }

    final SecurityConstraint[] result = new SecurityConstraint[collected.size()];
    return collected.toArray(result);
}
 
Example #8
Source File: TestStandardContext.java    From Tomcat7.0.67 with Apache License 2.0 5 votes vote down vote up
/**
 * Test initializer: registers {@code Bug50015Servlet} at {@code /bug50015}
 * and restricts it to the "tomcat" role through a programmatic constraint.
 *
 * @param c   classes of interest to the initializer (unused here)
 * @param ctx the servlet context being started
 * @throws ServletException declared by the initializer contract
 */
@Override
public void onStartup(Set<Class<?>> c, ServletContext ctx)
        throws ServletException {
    // Register the servlet and map it
    Servlet target = new Bug50015Servlet();
    ServletRegistration.Dynamic registration =
            ctx.addServlet("bug50015", target);
    registration.addMapping("/bug50015");

    // Role-only restriction: TransportGuarantee.NONE means this constraint
    // does not itself require TLS for the protected mapping.
    HttpConstraintElement roleConstraint = new HttpConstraintElement(
            TransportGuarantee.NONE, "tomcat");
    registration.setServletSecurity(
            new ServletSecurityElement(roleConstraint));
}
 
Example #9
Source File: WebAnnotationSet.java    From Tomcat8-Source-Read with MIT License 5 votes vote down vote up
/**
 * Processes the annotations of every servlet registered in the context:
 * class, field and method annotations, then {@code @RunAs} and
 * {@code @ServletSecurity}.
 *
 * @param context The context which will have its annotations processed
 */
protected static void loadApplicationServletAnnotations(Context context) {

    for (Container child : context.findChildren()) {
        // Only servlet wrappers carry a servlet class to inspect
        if (!(child instanceof Wrapper)) {
            continue;
        }

        Wrapper wrapper = (Wrapper) child;
        if (wrapper.getServletClass() == null) {
            continue;
        }

        Class<?> servletType =
                Introspection.loadClass(context, wrapper.getServletClass());
        if (servletType == null) {
            // Class could not be loaded: none of its annotations, including
            // @ServletSecurity, are applied for this wrapper.
            continue;
        }

        loadClassAnnotation(context, servletType);
        loadFieldsAnnotation(context, servletType);
        loadMethodsAnnotation(context, servletType);

        /* RunAs is valid on servlets only (JSR 250) and corresponds to the
         * run-as element of the deployment descriptor.
         */
        RunAs runAsAnnotation = servletType.getAnnotation(RunAs.class);
        if (runAsAnnotation != null) {
            wrapper.setRunAs(runAsAnnotation.value());
        }

        // Turn a declared @ServletSecurity into a constraint on the context
        ServletSecurity securityAnnotation =
                servletType.getAnnotation(ServletSecurity.class);
        if (securityAnnotation != null) {
            context.addServletSecurity(
                    new ApplicationServletRegistration(wrapper, context),
                    new ServletSecurityElement(securityAnnotation));
        }
    }
}
 
Example #10
Source File: ServletRegistrationImpl.java    From lams with GNU General Public License v2.0 5 votes vote down vote up
/**
 * Translates a {@link ServletSecurityElement} into Undertow's
 * {@code ServletSecurityInfo} and attaches it to this servlet.
 *
 * @param constraint the constraint to apply; must not be {@code null}
 * @return the servlet mappings that also appear as URL patterns in the
 *         deployment's existing security constraints
 */
@Override
public Set<String> setServletSecurity(final ServletSecurityElement constraint) {
    if (constraint == null) {
        throw UndertowMessages.MESSAGES.argumentCannotBeNull("constraint");
    }
    DeploymentInfo deploymentInfo = deployment.getDeploymentInfo();

    // Gather every URL pattern already named by a deployment-level
    // constraint (not efficient, but this only runs at registration time).
    final Set<String> alreadyConstrained = new HashSet<>();
    for (SecurityConstraint existing : deploymentInfo.getSecurityConstraints()) {
        for (WebResourceCollection collection : existing.getWebResourceCollections()) {
            alreadyConstrained.addAll(collection.getUrlPatterns());
        }
    }

    // Intersection of this servlet's mappings with those patterns
    final Set<String> overlapping = new HashSet<>(servletInfo.getMappings());
    overlapping.retainAll(alreadyConstrained);

    ServletSecurityInfo info = new ServletSecurityInfo();
    servletInfo.setServletSecurityInfo(info);

    // Anything other than CONFIDENTIAL is mapped to NONE
    final TransportGuaranteeType servletTransport =
            constraint.getTransportGuarantee() == CONFIDENTIAL
                    ? TransportGuaranteeType.CONFIDENTIAL
                    : TransportGuaranteeType.NONE;
    info.setTransportGuaranteeType(servletTransport)
            .setEmptyRoleSemantic(emptyRoleSemantic(constraint.getEmptyRoleSemantic()))
            .addRolesAllowed(constraint.getRolesAllowed());

    // Per-HTTP-method overrides
    for (final HttpMethodConstraintElement perMethod : constraint.getHttpMethodConstraints()) {
        info.addHttpMethodSecurityInfo(new HttpMethodSecurityInfo()
                .setTransportGuaranteeType(perMethod.getTransportGuarantee() == CONFIDENTIAL
                        ? TransportGuaranteeType.CONFIDENTIAL
                        : TransportGuaranteeType.NONE)
                .setMethod(perMethod.getMethodName())
                .setEmptyRoleSemantic(emptyRoleSemantic(perMethod.getEmptyRoleSemantic()))
                .addRolesAllowed(perMethod.getRolesAllowed()));
    }
    return overlapping;
}
 
Example #11
Source File: RpcWebInitializer.java    From Brutusin-RPC with Apache License 2.0 5 votes vote down vote up
/**
 * Creates the HTTP RPC servlet, registers it with the context under its
 * class name, and maps it to {@code <configured path>/http}.
 *
 * @param ctx the servlet context to register with
 * @return the servlet instance that was registered
 */
private RpcServlet registerRpcServlet(ServletContext ctx) {
    LOGGER.info("Starting HTTP RPC runtime");
    RpcServlet rpcServlet = new RpcServlet();
    ServletRegistration.Dynamic registration = ctx.addServlet(RpcServlet.class.getName(), rpcServlet);

    // NOTE(review): the no-arg HttpConstraintElement is the API's default
    // constraint (permit, no roles, no transport guarantee), so this call
    // adds no access restriction of its own. Confirm that authentication
    // and authorization for the endpoint are enforced elsewhere.
    HttpConstraintElement defaultConstraint = new HttpConstraintElement();
    registration.setServletSecurity(new ServletSecurityElement(defaultConstraint));

    registration.setLoadOnStartup(1);
    String mapping = RpcConfig.getInstance().getPath() + "/http";
    registration.addMapping(mapping);
    return rpcServlet;
}
 
Example #12
Source File: ServletRegistrationImpl.java    From quarkus-http with Apache License 2.0 5 votes vote down vote up
/**
 * Applies a programmatic security constraint to this servlet by converting
 * it into a {@code ServletSecurityInfo} stored on the servlet's info object.
 *
 * @param constraint the constraint to apply; {@code null} is rejected
 * @return those mappings of this servlet that are already listed as URL
 *         patterns in the deployment's security constraints
 */
@Override
public Set<String> setServletSecurity(final ServletSecurityElement constraint) {
    if (constraint == null) {
        throw UndertowMessages.MESSAGES.argumentCannotBeNull("constraint");
    }
    DeploymentInfo deploymentInfo = deployment.getDeploymentInfo();

    // Not efficient, which is acceptable for a registration-time call:
    // flatten all URL patterns of the deployment's existing constraints.
    final Set<String> declaredPatterns = new HashSet<>();
    for (SecurityConstraint declared : deploymentInfo.getSecurityConstraints()) {
        for (WebResourceCollection resources : declared.getWebResourceCollections()) {
            declaredPatterns.addAll(resources.getUrlPatterns());
        }
    }

    final Set<String> matchedMappings = new HashSet<>();
    for (String mapping : servletInfo.getMappings()) {
        if (!declaredPatterns.contains(mapping)) {
            continue;
        }
        matchedMappings.add(mapping);
    }

    ServletSecurityInfo securityInfo = new ServletSecurityInfo();
    servletInfo.setServletSecurityInfo(securityInfo);

    // Servlet-wide settings; only CONFIDENTIAL is carried over, every
    // other transport guarantee becomes NONE.
    securityInfo.setTransportGuaranteeType(constraint.getTransportGuarantee() == CONFIDENTIAL ? TransportGuaranteeType.CONFIDENTIAL : TransportGuaranteeType.NONE)
            .setEmptyRoleSemantic(emptyRoleSemantic(constraint.getEmptyRoleSemantic()))
            .addRolesAllowed(constraint.getRolesAllowed());

    // Method-specific settings
    for (final HttpMethodConstraintElement element : constraint.getHttpMethodConstraints()) {
        HttpMethodSecurityInfo methodInfo = new HttpMethodSecurityInfo()
                .setTransportGuaranteeType(element.getTransportGuarantee() == CONFIDENTIAL ? TransportGuaranteeType.CONFIDENTIAL : TransportGuaranteeType.NONE)
                .setMethod(element.getMethodName())
                .setEmptyRoleSemantic(emptyRoleSemantic(element.getEmptyRoleSemantic()))
                .addRolesAllowed(element.getRolesAllowed());
        securityInfo.addHttpMethodSecurityInfo(methodInfo);
    }
    return matchedMappings;
}
 
Example #13
Source File: TestStandardContext.java    From tomcatsrc with Apache License 2.0 5 votes vote down vote up
/**
 * Test initializer that registers {@code Bug50015Servlet} and protects its
 * mapping with a role constraint set through the programmatic API.
 *
 * @param c   classes of interest to the initializer (unused here)
 * @param ctx the servlet context being started
 * @throws ServletException declared by the initializer contract
 */
@Override
public void onStartup(Set<Class<?>> c, ServletContext ctx)
        throws ServletException {
    // Servlet registration and mapping
    Servlet servlet = new Bug50015Servlet();
    ServletRegistration.Dynamic dynamic = ctx.addServlet("bug50015", servlet);
    dynamic.addMapping("/bug50015");

    // Only callers in the "tomcat" role are allowed. The constraint asks
    // for no transport guarantee, so TLS is not required by it.
    HttpConstraintElement tomcatRoleOnly = new HttpConstraintElement(
            TransportGuarantee.NONE, "tomcat");
    ServletSecurityElement securityElement =
            new ServletSecurityElement(tomcatRoleOnly);
    dynamic.setServletSecurity(securityElement);
}
 
Example #14
Source File: TestStandardContext.java    From Tomcat8-Source-Read with MIT License 5 votes vote down vote up
/**
 * Test initializer that registers {@code TesterServlet} under the name
 * "bug50015" and limits its mapping to the "tomcat" role.
 *
 * @param c   classes of interest to the initializer (unused here)
 * @param ctx the servlet context being started
 * @throws ServletException declared by the initializer contract
 */
@Override
public void onStartup(Set<Class<?>> c, ServletContext ctx)
        throws ServletException {
    // Register the servlet, then map it
    Servlet servlet = new TesterServlet();
    ServletRegistration.Dynamic registration =
            ctx.addServlet("bug50015", servlet);
    registration.addMapping("/bug50015");

    // Access is limited to the "tomcat" role; TransportGuarantee.NONE
    // leaves the transport unconstrained.
    HttpConstraintElement roleConstraint = new HttpConstraintElement(
            TransportGuarantee.NONE, "tomcat");
    registration.setServletSecurity(
            new ServletSecurityElement(roleConstraint));
}
 
Example #15
Source File: MockServletRegistrationDynamic.java    From joinfaces with Apache License 2.0 4 votes vote down vote up
/**
 * Not implemented by this mock. Failing loudly keeps a test from assuming
 * that a security constraint was applied.
 *
 * @param constraint ignored
 * @return never returns normally
 * @throws UnsupportedOperationException always
 */
@Override
public Set<String> setServletSecurity(ServletSecurityElement constraint) {
	final String reason = NOT_SUPPORTED_YET;
	throw new UnsupportedOperationException(reason);
}
 
Example #16
Source File: MockServletRegistration.java    From spring4-understanding with Apache License 2.0 4 votes vote down vote up
/**
 * Mock implementation: the constraint is ignored and nothing is recorded.
 *
 * @param constraint ignored
 * @return always {@code null}, so callers must not iterate over the result
 */
@Override
public Set<String> setServletSecurity(ServletSecurityElement constraint) {
	return null;
}
 
Example #17
Source File: FailedContext.java    From tomcatsrc with Apache License 2.0 4 votes vote down vote up
/**
 * No-op: the supplied security element is not stored or applied.
 *
 * @param registration           ignored
 * @param servletSecurityElement ignored
 * @return always {@code null}
 */
@Override
public Set<String> addServletSecurity(
        ApplicationServletRegistration registration,
        ServletSecurityElement servletSecurityElement) {
    // Nothing is recorded for this registration.
    return null;
}
 
Example #18
Source File: TesterContext.java    From Tomcat7.0.67 with Apache License 2.0 4 votes vote down vote up
/**
 * Test stub: accepts the security element and discards it.
 *
 * @param registration           ignored
 * @param servletSecurityElement ignored
 * @return always {@code null}
 */
@Override
public Set<String> addServletSecurity(
        ApplicationServletRegistration registration,
        ServletSecurityElement servletSecurityElement) {
    return null;
}
 
Example #19
Source File: TesterContext.java    From tomcatsrc with Apache License 2.0 4 votes vote down vote up
/**
 * Stub used by tests: no constraint is stored or enforced by this method.
 *
 * @param registration           ignored
 * @param servletSecurityElement ignored
 * @return always {@code null}
 */
@Override
public Set<String> addServletSecurity(
        ApplicationServletRegistration registration,
        ServletSecurityElement servletSecurityElement) {
    return null;
}
 
Example #20
Source File: ServletManager.java    From iaf with Apache License 2.0 4 votes vote down vote up
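/**
 * Registers a servlet with the servlet context and applies its URL mapping,
 * load-on-startup order, security constraint and init parameters. Most
 * values can be overridden through {@code servlet.<servletName>.*}
 * application properties.
 *
 * @param servletName    registration name, also used as the property prefix
 * @param servletClass   the servlet instance to register
 * @param urlMapping     default URL mapping, used unless the
 *                       {@code urlMapping} property is set
 * @param roles          default roles allowed to access the servlet; may be
 *                       {@code null}
 * @param loadOnStartup  default load-on-startup value
 * @param initParameters init parameters to set; may be {@code null}
 */
public void registerServlet(String servletName, Servlet servletClass, String urlMapping, String[] roles, int loadOnStartup, Map<String, String> initParameters) {
	log.info("instantiating IbisInitializer servlet name ["+servletName+"] servletClass ["+servletClass+"] loadOnStartup ["+loadOnStartup+"]");
	getServletContext().log("instantiating IbisInitializer servlet ["+servletName+"]");


	AppConstants appConstants = AppConstants.getInstance();
	String propertyPrefix = "servlet."+servletName+".";

	if(!appConstants.getBoolean(propertyPrefix+"enabled", true))
		return;

	ServletRegistration.Dynamic serv = getServletContext().addServlet(servletName, servletClass);
	ServletSecurity.TransportGuarantee transportGuarantee = getTransportGuarantee(propertyPrefix+"transportGuarantee");

	// dtap.stage has a null default. Comparing from the constant side avoids
	// a NullPointerException when it is unset, and an unset stage then keeps
	// the caller's roles (the restrictive choice) instead of dropping them.
	String stage = appConstants.getString("dtap.stage", null);
	String[] rolesCopy = new String[0];
	if(roles != null && !"LOC".equalsIgnoreCase(stage))
		rolesCopy = roles;
	String roleNames = appConstants.getString(propertyPrefix+"securityroles", null);
	if(StringUtils.isNotEmpty(roleNames))
		rolesCopy = roleNames.split(",");
	declareRoles(rolesCopy);

	// NOTE(review): on stage LOC with no securityroles property, rolesCopy is
	// empty and the constraint names no roles, so the servlet carries no role
	// restriction. Make sure LOC can never be the effective stage of a
	// reachable deployment.
	HttpConstraintElement httpConstraintElement = new HttpConstraintElement(transportGuarantee, rolesCopy);
	ServletSecurityElement constraint = new ServletSecurityElement(httpConstraintElement);

	String urlMappingCopy = appConstants.getString(propertyPrefix+"urlMapping", urlMapping);
	if(!urlMappingCopy.startsWith("/") && !urlMappingCopy.startsWith("*")) {
		urlMappingCopy = "/"+urlMappingCopy;
	}
	serv.addMapping(urlMappingCopy);

	int loadOnStartupCopy = appConstants.getInt(propertyPrefix+"loadOnStartup", loadOnStartup);
	serv.setLoadOnStartup(loadOnStartupCopy);
	serv.setServletSecurity(constraint);

	if(initParameters != null && !initParameters.isEmpty()) {
		//Manually loop through the map as serv.setInitParameters will fail all parameters even if only 1 fails...
		for (Map.Entry<String, String> initParameter : initParameters.entrySet()) {
			String key = initParameter.getKey();
			String value = initParameter.getValue();
			if(!serv.setInitParameter(key, value)) {
				log("unable to set init-parameter ["+key+"] with value ["+value+"] for servlet ["+servletName+"]", Level.ERROR);
			}
		}
	}

	// Report the effective mapping and load order (after property overrides),
	// which is what was actually registered and constrained.
	if(log.isDebugEnabled()) log.debug("registered servlet ["+servletName+"] class ["+servletClass+"] url ["+urlMappingCopy+"] loadOnStartup ["+loadOnStartupCopy+"]");
}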
 
Example #21
Source File: FailedContext.java    From Tomcat7.0.67 with Apache License 2.0 4 votes vote down vote up
/**
 * Does nothing with the supplied security element.
 *
 * @param registration           ignored
 * @param servletSecurityElement ignored
 * @return always {@code null}
 */
@Override
public Set<String> addServletSecurity(
        ApplicationServletRegistration registration,
        ServletSecurityElement servletSecurityElement) {
    // No constraint is stored.
    return null;
}
 
Example #22
Source File: NettyServletRegistration.java    From Jinx with Apache License 2.0 4 votes vote down vote up
/**
 * Accepts a security constraint and discards it.
 *
 * NOTE(review): nothing in this method stores or enforces the constraint,
 * so a caller relying on setServletSecurity for access control gets none
 * from this registration. Confirm whether enforcement exists elsewhere.
 *
 * @param constraint ignored
 * @return always {@code null}
 */
@Override
public Set<String> setServletSecurity(ServletSecurityElement constraint) {
    return null;
}
 
Example #23
Source File: ServletRegistration.java    From spring-boot-protocol with Apache License 2.0 4 votes vote down vote up
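/**
 * Stores the given constraint on this registration and adds its HTTP
 * method names to the accumulated set.
 *
 * NOTE(review): the returned set holds HTTP method names and is the
 * internal mutable collection. The Servlet API describes the return value
 * of this method as the URL patterns already constrained by the deployment
 * descriptor. The existing return value is kept for compatibility.
 *
 * @param constraint the constraint to store; must not be {@code null}
 * @return the accumulated set of constrained HTTP method names
 * @throws IllegalArgumentException if {@code constraint} is {@code null}
 */
@Override
public Set<String> setServletSecurity(ServletSecurityElement constraint) {
    // Reject null before touching any state. Previously the field was
    // overwritten with null and the call then failed with an NPE, leaving
    // the registration without its earlier constraint.
    if (constraint == null) {
        throw new IllegalArgumentException("constraint must not be null");
    }
    this.servletSecurityElement = constraint;
    servletSecuritys.addAll(constraint.getMethodNames());
    return servletSecuritys;
}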
 
Example #24
Source File: ServletRegistration.java    From spring-boot-protocol with Apache License 2.0 4 votes vote down vote up
/**
 * Returns the security element stored in this registration's
 * {@code servletSecurityElement} field.
 *
 * @return the stored security element
 */
public ServletSecurityElement getServletSecurityElement() {
    return this.servletSecurityElement;
}
 
Example #25
Source File: MockServletRegistration.java    From java-technology-stack with MIT License 4 votes vote down vote up
/**
 * Mock: the constraint is neither stored nor applied.
 *
 * @param constraint ignored
 * @return always {@code null}
 */
@Override
public Set<String> setServletSecurity(ServletSecurityElement constraint) {
	return null;
}
 
Example #26
Source File: WebConfigurerTest.java    From flair-engine with Apache License 2.0 4 votes vote down vote up
/**
 * Test double: ignores the constraint, so this registration applies no
 * security constraint.
 *
 * @param constraint ignored
 * @return always {@code null}
 */
@Override
public Set<String> setServletSecurity(ServletSecurityElement constraint) {
    return null;
}
 
Example #27
Source File: MockServletRegistration.java    From spring-analysis-note with MIT License 4 votes vote down vote up
/**
 * Mock behaviour: the constraint argument is dropped without being recorded.
 *
 * @param constraint ignored
 * @return always {@code null}
 */
@Override
public Set<String> setServletSecurity(ServletSecurityElement constraint) {
	return null;
}
 
Example #28
Source File: TesterContext.java    From Tomcat8-Source-Read with MIT License 4 votes vote down vote up
/**
 * Test stub: the registration and security element are ignored.
 *
 * @param registration           ignored
 * @param servletSecurityElement ignored
 * @return always {@code null}
 */
@Override
public Set<String> addServletSecurity(Dynamic registration,
        ServletSecurityElement servletSecurityElement) {
    return null;
}
 
Example #29
Source File: ApplicationContext.java    From Tomcat8-Source-Read with MIT License 4 votes vote down vote up
/**
 * Registers a servlet with the context, by class name or by instance, and
 * applies a {@code @ServletSecurity} annotation found on its class as a
 * programmatic constraint.
 *
 * @param servletName  name of the servlet; must be non-null and non-empty
 * @param servletClass class name, used when {@code servlet} is {@code null}
 * @param servlet      servlet instance, or {@code null} to register by name
 * @param initParams   init parameters to add to the wrapper; may be
 *                     {@code null}
 * @return the new registration, or {@code null} when a complete,
 *         non-overridable registration with that name already exists
 * @throws IllegalArgumentException if {@code servletName} is null or empty
 * @throws IllegalStateException if the context is not in
 *         {@code STARTING_PREP}
 */
private ServletRegistration.Dynamic addServlet(String servletName, String servletClass,
        Servlet servlet, Map<String,String> initParams) throws IllegalStateException {

    if (servletName == null || servletName.equals("")) {
        throw new IllegalArgumentException(sm.getString(
                "applicationContext.invalidServletName", servletName));
    }

    // Servlets can only be added while the context is still being prepared
    if (!context.getState().equals(LifecycleState.STARTING_PREP)) {
        //TODO Spec breaking enhancement to ignore this restriction
        throw new IllegalStateException(
                sm.getString("applicationContext.addServlet.ise",
                        getContextPath()));
    }

    Wrapper wrapper = (Wrapper) context.findChild(servletName);

    // Assume a 'complete' ServletRegistration is one that has a class and
    // a name
    if (wrapper == null) {
        wrapper = context.createWrapper();
        wrapper.setName(servletName);
        context.addChild(wrapper);
    } else {
        if (wrapper.getName() != null &&
                wrapper.getServletClass() != null) {
            // An existing complete registration may be replaced once, and
            // only if it was marked overridable; otherwise it is left
            // untouched and the caller gets null.
            if (wrapper.isOverridable()) {
                wrapper.setOverridable(false);
            } else {
                return null;
            }
        }
    }

    ServletSecurity annotation = null;
    if (servlet == null) {
        wrapper.setServletClass(servletClass);
        Class<?> clazz = Introspection.loadClass(context, servletClass);
        if (clazz != null) {
            annotation = clazz.getAnnotation(ServletSecurity.class);
        }
    } else {
        wrapper.setServletClass(servlet.getClass().getName());
        wrapper.setServlet(servlet);
        // For a supplied instance the annotation is read only when the
        // context reports that it created the instance itself. Otherwise
        // @ServletSecurity on the instance's class is not applied here.
        if (context.wasCreatedDynamicServlet(servlet)) {
            annotation = servlet.getClass().getAnnotation(ServletSecurity.class);
        }
    }

    if (initParams != null) {
        for (Map.Entry<String, String> initParam: initParams.entrySet()) {
            wrapper.addInitParameter(initParam.getKey(), initParam.getValue());
        }
    }

    ServletRegistration.Dynamic registration =
            new ApplicationServletRegistration(wrapper, context);
    // Convert the annotation, if one was found, into a constraint on the
    // new registration
    if (annotation != null) {
        registration.setServletSecurity(new ServletSecurityElement(annotation));
    }
    return registration;
}
 
Example #30
Source File: FailedContext.java    From Tomcat8-Source-Read with MIT License 4 votes vote down vote up
/**
 * No-op implementation: the security element is not stored or applied.
 *
 * @param registration           ignored
 * @param servletSecurityElement ignored
 * @return always {@code null}
 */
@Override
public Set<String> addServletSecurity(
        ServletRegistration.Dynamic registration,
        ServletSecurityElement servletSecurityElement) {
    // The constraint is intentionally not recorded.
    return null;
}