Module org.eclipse.jetty.security
Package org.eclipse.jetty.security

Class ConstraintSecurityHandler

  • All Implemented Interfaces:
    Authenticator.AuthConfiguration, ConstraintAware, org.eclipse.jetty.server.Handler, org.eclipse.jetty.server.HandlerContainer, org.eclipse.jetty.util.component.Container, org.eclipse.jetty.util.component.Destroyable, org.eclipse.jetty.util.component.Dumpable, org.eclipse.jetty.util.component.LifeCycle
    public class ConstraintSecurityHandler
extends SecurityHandler
implements ConstraintAware
    ConstraintSecurityHandler

    Handler to enforce SecurityConstraints. This implementation is servlet spec 3.1 compliant and pre-computes the constraint combinations for runtime efficiency.

    • Nested Class Summary

      • Nested classes/interfaces inherited from class org.eclipse.jetty.server.handler.AbstractHandler

        org.eclipse.jetty.server.handler.AbstractHandler.ErrorDispatchHandler

      • Nested classes/interfaces inherited from class org.eclipse.jetty.util.component.AbstractLifeCycle

        org.eclipse.jetty.util.component.AbstractLifeCycle.AbstractLifeCycleListener, org.eclipse.jetty.util.component.AbstractLifeCycle.StopException

      • Nested classes/interfaces inherited from interface org.eclipse.jetty.util.component.Container

        org.eclipse.jetty.util.component.Container.InheritedListener, org.eclipse.jetty.util.component.Container.Listener

      • Nested classes/interfaces inherited from interface org.eclipse.jetty.util.component.LifeCycle

        org.eclipse.jetty.util.component.LifeCycle.Listener

    • Field Summary

      • Fields inherited from class org.eclipse.jetty.server.handler.HandlerWrapper

        _handler

      • Fields inherited from class org.eclipse.jetty.util.component.AbstractLifeCycle

        FAILED, STARTED, STARTING, STOPPED, STOPPING

      • Fields inherited from interface org.eclipse.jetty.util.component.Dumpable

        KEY

    • Constructor Detail

      • ConstraintSecurityHandler

        public ConstraintSecurityHandler()

    • Method Detail

      • createConstraint

        public static org.eclipse.jetty.util.security.Constraint createConstraint()

      • createConstraint

        public static org.eclipse.jetty.util.security.Constraint createConstraint​(org.eclipse.jetty.util.security.Constraint constraint)

      • createConstraint

        public static org.eclipse.jetty.util.security.Constraint createConstraint​(java.lang.String name,
                                                                          boolean authenticate,
                                                                          java.lang.String[] roles,
                                                                          int dataConstraint)
        Create a security constraint
        Parameters:
        name - the name of the constraint
        authenticate - true to authenticate
        roles - list of roles
        dataConstraint - the data constraint
        Returns:
        the constraint

      • createConstraint

        public static org.eclipse.jetty.util.security.Constraint createConstraint​(java.lang.String name,
                                                                          javax.servlet.HttpConstraintElement element)
        Create a Constraint
        Parameters:
        name - the name
        element - the http constraint element
        Returns:
        the created constraint

      • createConstraint

        public static org.eclipse.jetty.util.security.Constraint createConstraint​(java.lang.String name,
                                                                          java.lang.String[] rolesAllowed,
                                                                          javax.servlet.annotation.ServletSecurity.EmptyRoleSemantic permitOrDeny,
                                                                          javax.servlet.annotation.ServletSecurity.TransportGuarantee transport)
        Create Constraint
        Parameters:
        name - the name
        rolesAllowed - the list of allowed roles
        permitOrDeny - the permission semantic
        transport - the transport guarantee
        Returns:
        the created constraint

      • getConstraintMappingsForPath

        public static java.util.List<ConstraintMapping> getConstraintMappingsForPath​(java.lang.String pathSpec,
                                                                             java.util.List<ConstraintMapping> constraintMappings)

      • removeConstraintMappingsForPath

        public static java.util.List<ConstraintMapping> removeConstraintMappingsForPath​(java.lang.String pathSpec,
                                                                                java.util.List<ConstraintMapping> constraintMappings)
        Take out of the constraint mappings those that match the given path.
        Parameters:
        pathSpec - the path spec
        constraintMappings - a new list minus the matching constraints
        Returns:
        the list of constraint mappings

      • createConstraintsWithMappingsForPath

        public static java.util.List<ConstraintMapping> createConstraintsWithMappingsForPath​(java.lang.String name,
                                                                                     java.lang.String pathSpec,
                                                                                     javax.servlet.ServletSecurityElement securityElement)
        Generate Constraints and ContraintMappings for the given url pattern and ServletSecurityElement
        Parameters:
        name - the name
        pathSpec - the path spec
        securityElement - the servlet security element
        Returns:
        the list of constraint mappings

      • getRoles

        public java.util.Set<java.lang.String> getRoles()
        Specified by:
        getRoles in interface ConstraintAware

      • setConstraintMappings

        public void setConstraintMappings​(java.util.List<ConstraintMapping> constraintMappings)
        Process the constraints following the combining rules in Servlet 3.0 EA spec section 13.7.1 Note that much of the logic is in the RoleInfo class.
        Parameters:
        constraintMappings - The constraintMappings to set, from which the set of known roles is determined.

      • setConstraintMappings

        public void setConstraintMappings​(ConstraintMapping[] constraintMappings)
        Process the constraints following the combining rules in Servlet 3.0 EA spec section 13.7.1 Note that much of the logic is in the RoleInfo class.
        Parameters:
        constraintMappings - The constraintMappings to set as array, from which the set of known roles is determined. Needed to retain API compatibility for 7.x

      • setConstraintMappings

        public void setConstraintMappings​(java.util.List<ConstraintMapping> constraintMappings,
                                  java.util.Set<java.lang.String> roles)
        Process the constraints following the combining rules in Servlet 3.0 EA spec section 13.7.1 Note that much of the logic is in the RoleInfo class.
        Specified by:
        setConstraintMappings in interface ConstraintAware
        Parameters:
        constraintMappings - The constraintMappings to set.
        roles - The known roles (or null to determine them from the mappings)

      • addConstraintMapping

        public void addConstraintMapping​(ConstraintMapping mapping)
        Description copied from interface: ConstraintAware
        Add a Constraint Mapping. May be called for running webapplication as an annotated servlet is instantiated.
        Specified by:
        addConstraintMapping in interface ConstraintAware
        Parameters:
        mapping - the mapping

      • addRole

        public void addRole​(java.lang.String role)
        Description copied from interface: ConstraintAware
        Add a Role definition. May be called on running webapplication as an annotated servlet is instantiated.
        Specified by:
        addRole in interface ConstraintAware
        Parameters:
        role - the role

      • doStart

        protected void doStart()
                throws java.lang.Exception
        Overrides:
        doStart in class SecurityHandler
        Throws:
        java.lang.Exception

      • doStop

        protected void doStop()
               throws java.lang.Exception
        Overrides:
        doStop in class SecurityHandler
        Throws:
        java.lang.Exception

      • processConstraintMapping

        protected void processConstraintMapping​(ConstraintMapping mapping)
        Create and combine the constraint with the existing processed constraints.
        Parameters:
        mapping - the constraint mapping

      • processConstraintMappingWithMethodOmissions

        protected void processConstraintMappingWithMethodOmissions​(ConstraintMapping mapping,
                                                           java.util.Map<java.lang.String,​RoleInfo> mappings)
        Constraints that name method omissions are dealt with differently. We create an entry in the mappings with key "<method>.omission". This entry is only ever combined with other omissions for the same method to produce a consolidated RoleInfo. Then, when we wish to find the relevant constraints for a given Request (in prepareConstraintInfo()), we consult 3 types of entries in the mappings: an entry that names the method of the Request specifically, an entry that names constraints that apply to all methods, entries of the form <method>.omission, where the method of the Request is not named in the omission.
        Parameters:
        mapping - the constraint mapping
        mappings - the mappings of roles

      • configureRoleInfo

        protected void configureRoleInfo​(RoleInfo ri,
                                 ConstraintMapping mapping)
        Initialize or update the RoleInfo from the constraint
        Parameters:
        ri - the role info
        mapping - the constraint mapping

      • prepareConstraintInfo

        protected RoleInfo prepareConstraintInfo​(java.lang.String pathInContext,
                                         org.eclipse.jetty.server.Request request)
        Find constraints that apply to the given path. In order to do this, we consult 3 different types of information stored in the mappings for each path - each mapping represents a merged set of user data constraints, roles etc -:
        1. A mapping of an exact method name
        2. A mapping with key * that matches every method name
        3. Mappings with keys of the form "<method>.<method>.<method>.omission" that indicates it will match every method name EXCEPT those given
        Specified by:
        prepareConstraintInfo in class SecurityHandler
        See Also:
        SecurityHandler.prepareConstraintInfo(java.lang.String, org.eclipse.jetty.server.Request)

      • checkUserDataPermissions

        protected boolean checkUserDataPermissions​(java.lang.String pathInContext,
                                           org.eclipse.jetty.server.Request request,
                                           org.eclipse.jetty.server.Response response,
                                           RoleInfo roleInfo)
                                    throws java.io.IOException
        Specified by:
        checkUserDataPermissions in class SecurityHandler
        Throws:
        java.io.IOException

      • isAuthMandatory

        protected boolean isAuthMandatory​(org.eclipse.jetty.server.Request baseRequest,
                                  org.eclipse.jetty.server.Response baseResponse,
                                  java.lang.Object constraintInfo)
        Specified by:
        isAuthMandatory in class SecurityHandler

      • checkWebResourcePermissions

        protected boolean checkWebResourcePermissions​(java.lang.String pathInContext,
                                              org.eclipse.jetty.server.Request request,
                                              org.eclipse.jetty.server.Response response,
                                              java.lang.Object constraintInfo,
                                              org.eclipse.jetty.server.UserIdentity userIdentity)
                                       throws java.io.IOException
        Specified by:
        checkWebResourcePermissions in class SecurityHandler
        Throws:
        java.io.IOException

      • dump

        public void dump​(java.lang.Appendable out,
                 java.lang.String indent)
          throws java.io.IOException
        Specified by:
        dump in interface org.eclipse.jetty.util.component.Dumpable
        Overrides:
        dump in class org.eclipse.jetty.util.component.ContainerLifeCycle
        Throws:
        java.io.IOException

      • setDenyUncoveredHttpMethods

        public void setDenyUncoveredHttpMethods​(boolean deny)
        Description copied from interface: ConstraintAware
        See Servlet Spec 31, sec 13.8.4, pg 145 When true, requests with http methods not explicitly covered either by inclusion or omissions in constraints, will have access denied.
        Specified by:
        setDenyUncoveredHttpMethods in interface ConstraintAware
        Parameters:
        deny - true for denied method access

      • checkPathsWithUncoveredHttpMethods

        public boolean checkPathsWithUncoveredHttpMethods()
        Servlet spec 3.1 pg. 147.
        Specified by:
        checkPathsWithUncoveredHttpMethods in interface ConstraintAware
        Returns:
        true if urls with uncovered http methods

      • getPathsWithUncoveredHttpMethods

        public java.util.Set<java.lang.String> getPathsWithUncoveredHttpMethods()
        Servlet spec 3.1 pg. 147. The container must check all the combined security constraint information and log any methods that are not protected and the urls at which they are not protected
        Returns:
        list of paths for which there are uncovered methods

      • omissionsExist

        protected boolean omissionsExist​(java.lang.String path,
                                 java.util.Map<java.lang.String,​RoleInfo> methodMappings)
        Check if any http method omissions exist in the list of method to auth info mappings.
        Parameters:
        path - the path
        methodMappings - the method mappings
        Returns:
        true if omission exist

      • getOmittedMethods

        protected java.util.Set<java.lang.String> getOmittedMethods​(java.lang.String omission)
        Given a string of the form <method>.<method>.omission split out the individual method names.
        Parameters:
        omission - the method
        Returns:
        the list of strings