Package org.eclipse.jetty.security

Class ConstraintSecurityHandler

java.lang.Object

org.eclipse.jetty.util.component.AbstractLifeCycle

org.eclipse.jetty.util.component.ContainerLifeCycle

org.eclipse.jetty.server.handler.AbstractHandler

org.eclipse.jetty.server.handler.AbstractHandlerContainer

org.eclipse.jetty.server.handler.HandlerWrapper

org.eclipse.jetty.security.SecurityHandler

org.eclipse.jetty.security.ConstraintSecurityHandler

All Implemented Interfaces:

Authenticator.AuthConfiguration, ConstraintAware, Handler, HandlerContainer, Container, Destroyable, Dumpable, Dumpable.DumpableContainer, LifeCycle

public class ConstraintSecurityHandler
extends SecurityHandler
implements ConstraintAware

ConstraintSecurityHandler

Handler to enforce SecurityConstraints. This implementation is servlet spec 3.1 compliant and pre-computes the constraint combinations for runtime efficiency.

Nested Class Summary

Nested classes/interfaces inherited from class org.eclipse.jetty.security.SecurityHandler

SecurityHandler.NotChecked

Nested classes/interfaces inherited from class org.eclipse.jetty.server.handler.AbstractHandler

AbstractHandler.ErrorDispatchHandler

Nested classes/interfaces inherited from class org.eclipse.jetty.util.component.AbstractLifeCycle

AbstractLifeCycle.AbstractLifeCycleListener, AbstractLifeCycle.StopException

Nested classes/interfaces inherited from interface org.eclipse.jetty.util.component.Container

Container.InheritedListener, Container.Listener

Nested classes/interfaces inherited from interface org.eclipse.jetty.util.component.Dumpable

Dumpable.DumpableContainer

Nested classes/interfaces inherited from interface org.eclipse.jetty.util.component.LifeCycle

LifeCycle.Listener

Field Summary

Fields inherited from class org.eclipse.jetty.security.SecurityHandler

__NO_USER, __NOBODY

Fields inherited from class org.eclipse.jetty.server.handler.HandlerWrapper

_handler

Fields inherited from class org.eclipse.jetty.util.component.AbstractLifeCycle

FAILED, STARTED, STARTING, STOPPED, STOPPING

Fields inherited from interface org.eclipse.jetty.util.component.Dumpable

KEY

Constructor Summary

Constructors

Constructor	Description
ConstraintSecurityHandler()

Method Summary

Modifier and Type	Method	Description
void	addConstraintMapping(ConstraintMapping mapping)	Add a Constraint Mapping.
void	addRole(String role)	Add a Role definition.
protected PathSpec	asPathSpec(ConstraintMapping mapping)
boolean	checkPathsWithUncoveredHttpMethods()	Servlet spec 3.1 pg.
protected boolean	checkUserDataPermissions(String pathInContext, Request request, Response response, RoleInfo roleInfo)
protected boolean	checkWebResourcePermissions(String pathInContext, Request request, Response response, Object constraintInfo, UserIdentity userIdentity)
protected void	configureRoleInfo(RoleInfo ri, ConstraintMapping mapping)	Initialize or update the RoleInfo from the constraint
static Constraint	createConstraint()
static Constraint	createConstraint(String name, boolean authenticate, String[] roles, int dataConstraint)	Create a security constraint
static Constraint	createConstraint(String name, String[] rolesAllowed, javax.servlet.annotation.ServletSecurity.EmptyRoleSemantic permitOrDeny, javax.servlet.annotation.ServletSecurity.TransportGuarantee transport)	Create Constraint
static Constraint	createConstraint(String name, javax.servlet.HttpConstraintElement element)	Create a Constraint
static Constraint	createConstraint(Constraint constraint)
static List<ConstraintMapping>	createConstraintsWithMappingsForPath(String name, String pathSpec, javax.servlet.ServletSecurityElement securityElement)	Generate Constraints and ContraintMappings for the given url pattern and ServletSecurityElement
protected void	doStart()	Starts the managed lifecycle beans in the order they were added.
protected void	doStop()	Stops the managed lifecycle beans in the reverse order they were added.
void	dump(Appendable out, String indent)	Dump this object (and children) into an Appendable using the provided indent after any new lines.
List<ConstraintMapping>	getConstraintMappings()
static List<ConstraintMapping>	getConstraintMappingsForPath(String pathSpec, List<ConstraintMapping> constraintMappings)
protected Set<String>	getOmittedMethods(String omission)	Given a string of the form <method>.<method>.omission split out the individual method names.
Set<String>	getPathsWithUncoveredHttpMethods()	Servlet spec 3.1 pg.
Set<String>	getRoles()
protected boolean	isAuthMandatory(Request baseRequest, Response baseResponse, Object constraintInfo)
boolean	isDenyUncoveredHttpMethods()
protected boolean	omissionsExist(String path, Map<String,RoleInfo> methodMappings)	Check if any http method omissions exist in the list of method to auth info mappings.
protected RoleInfo	prepareConstraintInfo(String pathInContext, Request request)	Find constraints that apply to the given path.
protected void	processConstraintMapping(ConstraintMapping mapping)	Create and combine the constraint with the existing processed constraints.
protected void	processConstraintMappingWithMethodOmissions(ConstraintMapping mapping, Map<String,RoleInfo> mappings)	Constraints that name method omissions are dealt with differently.
static List<ConstraintMapping>	removeConstraintMappingsForPath(String pathSpec, List<ConstraintMapping> constraintMappings)	Take out of the constraint mappings those that match the given path.
void	setConstraintMappings(List<ConstraintMapping> constraintMappings)	Process the constraints following the combining rules in Servlet 3.0 EA spec section 13.7.1 Note that much of the logic is in the RoleInfo class.
void	setConstraintMappings(List<ConstraintMapping> constraintMappings, Set<String> roles)	Process the constraints following the combining rules in Servlet 3.0 EA spec section 13.7.1 Note that much of the logic is in the RoleInfo class.
void	setConstraintMappings(ConstraintMapping[] constraintMappings)	Process the constraints following the combining rules in Servlet 3.0 EA spec section 13.7.1 Note that much of the logic is in the RoleInfo class.
void	setDenyUncoveredHttpMethods(boolean deny)	See Servlet Spec 31, sec 13.8.4, pg 145 When true, requests with http methods not explicitly covered either by inclusion or omissions in constraints, will have access denied.
void	setRoles(Set<String> roles)	Set the known roles.

Methods inherited from class org.eclipse.jetty.security.SecurityHandler

checkSecurity, findIdentityService, findLoginService, getAuthenticator, getAuthenticatorFactory, getAuthMethod, getCurrentSecurityHandler, getIdentityService, getInitParameter, getInitParameterNames, getKnownAuthenticatorFactories, getLoginService, getRealmName, getSessionMaxInactiveIntervalOnAuthentication, handle, isCheckWelcomeFiles, isSessionRenewedOnAuthentication, logout, setAuthenticator, setAuthenticatorFactory, setAuthMethod, setCheckWelcomeFiles, setIdentityService, setInitParameter, setLoginService, setRealmName, setSessionMaxInactiveIntervalOnAuthentication, setSessionRenewedOnAuthentication

Methods inherited from class org.eclipse.jetty.server.handler.HandlerWrapper

destroy, expandChildren, getHandler, getHandlers, insertHandler, setHandler

Methods inherited from class org.eclipse.jetty.server.handler.AbstractHandlerContainer

expandHandler, findContainerOf, getChildHandlerByClass, getChildHandlers, getChildHandlersByClass, setServer

Methods inherited from class org.eclipse.jetty.server.handler.AbstractHandler

doError, getServer

Methods inherited from class org.eclipse.jetty.util.component.ContainerLifeCycle

addBean, addBean, addEventListener, addManaged, contains, dump, dump, dumpObjects, dumpStdErr, getBean, getBeans, getBeans, getContainedBeans, getContainedBeans, isAuto, isManaged, isUnmanaged, manage, removeBean, removeBeans, removeEventListener, setBeans, start, stop, unmanage, updateBean, updateBean, updateBeans, updateBeans

Methods inherited from class org.eclipse.jetty.util.component.AbstractLifeCycle

getEventListeners, getState, getState, isFailed, isRunning, isStarted, isStarting, isStopped, isStopping, setEventListeners, start, stop, toString

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Methods inherited from interface org.eclipse.jetty.util.component.Container

getCachedBeans, getEventListeners

Methods inherited from interface org.eclipse.jetty.util.component.Dumpable

dumpSelf

Methods inherited from interface org.eclipse.jetty.util.component.Dumpable.DumpableContainer

isDumpable

Methods inherited from interface org.eclipse.jetty.util.component.LifeCycle

addEventListener, isFailed, isRunning, isStarted, isStarting, isStopped, isStopping, removeEventListener, start, stop

Constructor Details

ConstraintSecurityHandler

public ConstraintSecurityHandler()

Method Details

createConstraint

public static Constraint createConstraint()

createConstraint

public static Constraint createConstraint(Constraint constraint)

createConstraint

public static Constraint createConstraint(String name,
 boolean authenticate,
 String[] roles,
 int dataConstraint)

Create a security constraint

Parameters:

name - the name of the constraint

authenticate - true to authenticate

roles - list of roles

dataConstraint - the data constraint

Returns:

the constraint

createConstraint

public static Constraint createConstraint(String name,
 javax.servlet.HttpConstraintElement element)

Create a Constraint

Parameters:

name - the name

element - the http constraint element

Returns:

the created constraint

createConstraint

public static Constraint createConstraint(String name,
 String[] rolesAllowed,
 javax.servlet.annotation.ServletSecurity.EmptyRoleSemantic permitOrDeny,
 javax.servlet.annotation.ServletSecurity.TransportGuarantee transport)

Create Constraint

Parameters:

name - the name

rolesAllowed - the list of allowed roles

permitOrDeny - the permission semantic

transport - the transport guarantee

Returns:

the created constraint

getConstraintMappingsForPath

public static List<ConstraintMapping> getConstraintMappingsForPath(String pathSpec,
 List<ConstraintMapping> constraintMappings)

removeConstraintMappingsForPath

public static List<ConstraintMapping> removeConstraintMappingsForPath(String pathSpec,
 List<ConstraintMapping> constraintMappings)

Take out of the constraint mappings those that match the given path.

Parameters:

pathSpec - the path spec

constraintMappings - a new list minus the matching constraints

Returns:

the list of constraint mappings

createConstraintsWithMappingsForPath

public static List<ConstraintMapping> createConstraintsWithMappingsForPath(String name,
 String pathSpec,
 javax.servlet.ServletSecurityElement securityElement)

Generate Constraints and ContraintMappings for the given url pattern and ServletSecurityElement

Parameters:

name - the name

pathSpec - the path spec

securityElement - the servlet security element

Returns:

the list of constraint mappings

getConstraintMappings

public List<ConstraintMapping> getConstraintMappings()

Specified by:

getConstraintMappings in interface ConstraintAware

getRoles

public Set<String> getRoles()

Specified by:

getRoles in interface ConstraintAware

setConstraintMappings

public void setConstraintMappings(List<ConstraintMapping> constraintMappings)

Process the constraints following the combining rules in Servlet 3.0 EA spec section 13.7.1 Note that much of the logic is in the RoleInfo class.

Parameters:

constraintMappings - The constraintMappings to set, from which the set of known roles is determined.

setConstraintMappings

public void setConstraintMappings(ConstraintMapping[] constraintMappings)

Process the constraints following the combining rules in Servlet 3.0 EA spec section 13.7.1 Note that much of the logic is in the RoleInfo class.

Parameters:

constraintMappings - The constraintMappings to set as array, from which the set of known roles is determined. Needed to retain API compatibility for 7.x

setConstraintMappings

public void setConstraintMappings(List<ConstraintMapping> constraintMappings,
 Set<String> roles)

Process the constraints following the combining rules in Servlet 3.0 EA spec section 13.7.1 Note that much of the logic is in the RoleInfo class.

Specified by:

setConstraintMappings in interface ConstraintAware

Parameters:

constraintMappings - The constraintMappings to set.

roles - The known roles (or null to determine them from the mappings)

setRoles

public void setRoles(Set<String> roles)

Set the known roles. This may be overridden by a subsequent call to setConstraintMappings(ConstraintMapping[]) or setConstraintMappings(List, Set).

Parameters:

roles - The known roles (or null to determine them from the mappings)

addConstraintMapping

public void addConstraintMapping(ConstraintMapping mapping)

Description copied from interface: ConstraintAware

Add a Constraint Mapping. May be called for running webapplication as an annotated servlet is instantiated.

Specified by:

addConstraintMapping in interface ConstraintAware

Parameters:

mapping - the mapping

addRole

public void addRole(String role)

Description copied from interface: ConstraintAware

Add a Role definition. May be called on running webapplication as an annotated servlet is instantiated.

Specified by:

addRole in interface ConstraintAware

Parameters:

role - the role

doStart

protected void doStart()
                throws Exception

Description copied from class: ContainerLifeCycle

Starts the managed lifecycle beans in the order they were added.

Overrides:

doStart in class SecurityHandler

Throws:

Exception - If there was a problem starting. Will cause a transition to FAILED state

doStop

protected void doStop()
               throws Exception

Description copied from class: ContainerLifeCycle

Stops the managed lifecycle beans in the reverse order they were added.

Overrides:

doStop in class SecurityHandler

Throws:

Exception - If there was a problem stopping. Will cause a transition to FAILED state

processConstraintMapping

protected void processConstraintMapping(ConstraintMapping mapping)

Create and combine the constraint with the existing processed constraints.

Parameters:

mapping - the constraint mapping

asPathSpec

protected PathSpec asPathSpec(ConstraintMapping mapping)

processConstraintMappingWithMethodOmissions

protected void processConstraintMappingWithMethodOmissions(ConstraintMapping mapping,
 Map<String,RoleInfo> mappings)

Constraints that name method omissions are dealt with differently. We create an entry in the mappings with key "<method>.omission". This entry is only ever combined with other omissions for the same method to produce a consolidated RoleInfo. Then, when we wish to find the relevant constraints for a given Request (in prepareConstraintInfo()), we consult 3 types of entries in the mappings: an entry that names the method of the Request specifically, an entry that names constraints that apply to all methods, entries of the form <method>.omission, where the method of the Request is not named in the omission.

Parameters:

mapping - the constraint mapping

mappings - the mappings of roles

configureRoleInfo

protected void configureRoleInfo(RoleInfo ri,
 ConstraintMapping mapping)

Initialize or update the RoleInfo from the constraint

Parameters:

ri - the role info

mapping - the constraint mapping

prepareConstraintInfo

protected RoleInfo prepareConstraintInfo(String pathInContext,
 Request request)

Find constraints that apply to the given path. In order to do this, we consult 3 different types of information stored in the mappings for each path - each mapping represents a merged set of user data constraints, roles etc -:

1. A mapping of an exact method name
2. A mapping with key * that matches every method name
3. Mappings with keys of the form "<method>.<method>.<method>.omission" that indicates it will match every method name EXCEPT those given

Specified by:

prepareConstraintInfo in class SecurityHandler

See Also:

• SecurityHandler.prepareConstraintInfo(java.lang.String, org.eclipse.jetty.server.Request)

checkUserDataPermissions

protected boolean checkUserDataPermissions(String pathInContext,
 Request request,
 Response response,
 RoleInfo roleInfo)
                                    throws IOException

Specified by:

checkUserDataPermissions in class SecurityHandler

Throws:

IOException

isAuthMandatory

protected boolean isAuthMandatory(Request baseRequest,
 Response baseResponse,
 Object constraintInfo)

Specified by:

isAuthMandatory in class SecurityHandler

checkWebResourcePermissions

protected boolean checkWebResourcePermissions(String pathInContext,
 Request request,
 Response response,
 Object constraintInfo,
 UserIdentity userIdentity)
                                       throws IOException

Specified by:

checkWebResourcePermissions in class SecurityHandler

Throws:

IOException

dump

public void dump(Appendable out,
 String indent)
          throws IOException

Description copied from interface: Dumpable

Dump this object (and children) into an Appendable using the provided indent after any new lines. The indent should not be applied to the first object dumped.

Specified by:

dump in interface Dumpable

Overrides:

dump in class ContainerLifeCycle

Parameters:

out - The appendable to dump to

indent - The indent to apply after any new lines.

Throws:

IOException - if unable to write to Appendable

setDenyUncoveredHttpMethods

public void setDenyUncoveredHttpMethods(boolean deny)

Description copied from interface: ConstraintAware

See Servlet Spec 31, sec 13.8.4, pg 145 When true, requests with http methods not explicitly covered either by inclusion or omissions in constraints, will have access denied.

Specified by:

setDenyUncoveredHttpMethods in interface ConstraintAware

Parameters:

deny - true for denied method access

isDenyUncoveredHttpMethods

public boolean isDenyUncoveredHttpMethods()

Specified by:

isDenyUncoveredHttpMethods in interface ConstraintAware

checkPathsWithUncoveredHttpMethods

public boolean checkPathsWithUncoveredHttpMethods()

Servlet spec 3.1 pg. 147.

Specified by:

checkPathsWithUncoveredHttpMethods in interface ConstraintAware

Returns:

true if urls with uncovered http methods

getPathsWithUncoveredHttpMethods

public Set<String> getPathsWithUncoveredHttpMethods()

Servlet spec 3.1 pg. 147. The container must check all the combined security constraint information and log any methods that are not protected and the urls at which they are not protected

Returns:

list of paths for which there are uncovered methods

omissionsExist

protected boolean omissionsExist(String path,
 Map<String,RoleInfo> methodMappings)

Check if any http method omissions exist in the list of method to auth info mappings.

Parameters:

path - the path

methodMappings - the method mappings

Returns:

true if omission exist

getOmittedMethods

protected Set<String> getOmittedMethods(String omission)

Given a string of the form <method>.<method>.omission split out the individual method names.

Parameters:

omission - the method

Returns:

the list of strings