Package org.eclipse.jetty.security
Class ConstraintSecurityHandler
java.lang.Object
org.eclipse.jetty.util.component.AbstractLifeCycle
org.eclipse.jetty.util.component.ContainerLifeCycle
org.eclipse.jetty.server.handler.AbstractHandler
org.eclipse.jetty.server.handler.AbstractHandlerContainer
org.eclipse.jetty.server.handler.HandlerWrapper
org.eclipse.jetty.security.SecurityHandler
org.eclipse.jetty.security.ConstraintSecurityHandler
- All Implemented Interfaces:
Authenticator.AuthConfiguration
,ConstraintAware
,Handler
,HandlerContainer
,Container
,Destroyable
,Dumpable
,Dumpable.DumpableContainer
,LifeCycle
ConstraintSecurityHandler
Handler to enforce SecurityConstraints. This implementation is servlet spec 3.1 compliant and pre-computes the constraint combinations for runtime efficiency.
-
Nested Class Summary
Nested classes/interfaces inherited from class org.eclipse.jetty.security.SecurityHandler
SecurityHandler.NotChecked
Nested classes/interfaces inherited from class org.eclipse.jetty.server.handler.AbstractHandler
AbstractHandler.ErrorDispatchHandler
Nested classes/interfaces inherited from class org.eclipse.jetty.util.component.AbstractLifeCycle
AbstractLifeCycle.AbstractLifeCycleListener, AbstractLifeCycle.StopException
Nested classes/interfaces inherited from interface org.eclipse.jetty.util.component.Container
Container.InheritedListener, Container.Listener
Nested classes/interfaces inherited from interface org.eclipse.jetty.util.component.Dumpable
Dumpable.DumpableContainer
Nested classes/interfaces inherited from interface org.eclipse.jetty.util.component.LifeCycle
LifeCycle.Listener
-
Field Summary
Fields inherited from class org.eclipse.jetty.security.SecurityHandler
__NO_USER, __NOBODY
Fields inherited from class org.eclipse.jetty.server.handler.HandlerWrapper
_handler
-
Constructor Summary
-
Method Summary
Modifier and TypeMethodDescriptionvoid
addConstraintMapping
(ConstraintMapping mapping) Add a Constraint Mapping.void
Add a Role definition.protected PathSpec
asPathSpec
(ConstraintMapping mapping) boolean
Servlet spec 3.1 pg.protected boolean
checkUserDataPermissions
(String pathInContext, Request request, Response response, RoleInfo roleInfo) protected boolean
checkWebResourcePermissions
(String pathInContext, Request request, Response response, Object constraintInfo, UserIdentity userIdentity) protected void
configureRoleInfo
(RoleInfo ri, ConstraintMapping mapping) Initialize or update the RoleInfo from the constraintstatic Constraint
static Constraint
createConstraint
(String name, boolean authenticate, String[] roles, int dataConstraint) Create a security constraintstatic Constraint
createConstraint
(String name, jakarta.servlet.HttpConstraintElement element) Create a Constraintstatic Constraint
createConstraint
(String name, String[] rolesAllowed, jakarta.servlet.annotation.ServletSecurity.EmptyRoleSemantic permitOrDeny, jakarta.servlet.annotation.ServletSecurity.TransportGuarantee transport) Create Constraintstatic Constraint
createConstraint
(Constraint constraint) static List<ConstraintMapping>
createConstraintsWithMappingsForPath
(String name, String pathSpec, jakarta.servlet.ServletSecurityElement securityElement) Generate Constraints and ContraintMappings for the given url pattern and ServletSecurityElementprotected void
doStart()
Starts the managed lifecycle beans in the order they were added.protected void
doStop()
Stops the managed lifecycle beans in the reverse order they were added.void
dump
(Appendable out, String indent) Dump this object (and children) into an Appendable using the provided indent after any new lines.static List<ConstraintMapping>
getConstraintMappingsForPath
(String pathSpec, List<ConstraintMapping> constraintMappings) getOmittedMethods
(String omission) Given a string of the form<method>.<method>.omission
split out the individual method names.Servlet spec 3.1 pg.getRoles()
protected boolean
isAuthMandatory
(Request baseRequest, Response baseResponse, Object constraintInfo) boolean
protected boolean
omissionsExist
(String path, Map<String, RoleInfo> methodMappings) Check if any http method omissions exist in the list of method to auth info mappings.protected RoleInfo
prepareConstraintInfo
(String pathInContext, Request request) Find constraints that apply to the given path.protected void
Create and combine the constraint with the existing processed constraints.protected void
processConstraintMappingWithMethodOmissions
(ConstraintMapping mapping, Map<String, RoleInfo> mappings) Constraints that name method omissions are dealt with differently.static List<ConstraintMapping>
removeConstraintMappingsForPath
(String pathSpec, List<ConstraintMapping> constraintMappings) Take out of the constraint mappings those that match the given path.void
setConstraintMappings
(List<ConstraintMapping> constraintMappings) Process the constraints following the combining rules in Servlet 3.0 EA spec section 13.7.1 Note that much of the logic is in the RoleInfo class.void
setConstraintMappings
(List<ConstraintMapping> constraintMappings, Set<String> roles) Process the constraints following the combining rules in Servlet 3.0 EA spec section 13.7.1 Note that much of the logic is in the RoleInfo class.void
setConstraintMappings
(ConstraintMapping[] constraintMappings) Process the constraints following the combining rules in Servlet 3.0 EA spec section 13.7.1 Note that much of the logic is in the RoleInfo class.void
setDenyUncoveredHttpMethods
(boolean deny) See Servlet Spec 31, sec 13.8.4, pg 145 When true, requests with http methods not explicitly covered either by inclusion or omissions in constraints, will have access denied.void
Set the known roles.Methods inherited from class org.eclipse.jetty.security.SecurityHandler
checkSecurity, findIdentityService, findLoginService, getAuthenticator, getAuthenticatorFactory, getAuthMethod, getCurrentSecurityHandler, getIdentityService, getInitParameter, getInitParameterNames, getKnownAuthenticatorFactories, getLoginService, getRealmName, getSessionMaxInactiveIntervalOnAuthentication, handle, isCheckWelcomeFiles, isSessionRenewedOnAuthentication, logout, setAuthenticator, setAuthenticatorFactory, setAuthMethod, setCheckWelcomeFiles, setIdentityService, setInitParameter, setLoginService, setRealmName, setSessionMaxInactiveIntervalOnAuthentication, setSessionRenewedOnAuthentication
Methods inherited from class org.eclipse.jetty.server.handler.HandlerWrapper
destroy, expandChildren, getHandler, getHandlers, insertHandler, setHandler
Methods inherited from class org.eclipse.jetty.server.handler.AbstractHandlerContainer
expandHandler, findContainerOf, getChildHandlerByClass, getChildHandlers, getChildHandlersByClass, setServer
Methods inherited from class org.eclipse.jetty.server.handler.AbstractHandler
doError, getServer
Methods inherited from class org.eclipse.jetty.util.component.ContainerLifeCycle
addBean, addBean, addEventListener, addManaged, contains, dump, dump, dumpObjects, dumpStdErr, getBean, getBeans, getBeans, getContainedBeans, getContainedBeans, isAuto, isManaged, isUnmanaged, manage, removeBean, removeBeans, removeEventListener, setBeans, start, stop, unmanage, updateBean, updateBean, updateBeans, updateBeans
Methods inherited from class org.eclipse.jetty.util.component.AbstractLifeCycle
getEventListeners, getState, getState, isFailed, isRunning, isStarted, isStarting, isStopped, isStopping, setEventListeners, start, stop, toString
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait
Methods inherited from interface org.eclipse.jetty.util.component.Container
getCachedBeans, getEventListeners
Methods inherited from interface org.eclipse.jetty.util.component.Dumpable.DumpableContainer
isDumpable
Methods inherited from interface org.eclipse.jetty.util.component.LifeCycle
addEventListener, isFailed, isRunning, isStarted, isStarting, isStopped, isStopping, removeEventListener, start, stop
-
Constructor Details
-
ConstraintSecurityHandler
public ConstraintSecurityHandler()
-
-
Method Details
-
createConstraint
-
createConstraint
-
createConstraint
public static Constraint createConstraint(String name, boolean authenticate, String[] roles, int dataConstraint) Create a security constraint- Parameters:
name
- the name of the constraintauthenticate
- true to authenticateroles
- list of rolesdataConstraint
- the data constraint- Returns:
- the constraint
-
createConstraint
public static Constraint createConstraint(String name, jakarta.servlet.HttpConstraintElement element) Create a Constraint- Parameters:
name
- the nameelement
- the http constraint element- Returns:
- the created constraint
-
createConstraint
public static Constraint createConstraint(String name, String[] rolesAllowed, jakarta.servlet.annotation.ServletSecurity.EmptyRoleSemantic permitOrDeny, jakarta.servlet.annotation.ServletSecurity.TransportGuarantee transport) Create Constraint- Parameters:
name
- the namerolesAllowed
- the list of allowed rolespermitOrDeny
- the permission semantictransport
- the transport guarantee- Returns:
- the created constraint
-
getConstraintMappingsForPath
public static List<ConstraintMapping> getConstraintMappingsForPath(String pathSpec, List<ConstraintMapping> constraintMappings) -
removeConstraintMappingsForPath
public static List<ConstraintMapping> removeConstraintMappingsForPath(String pathSpec, List<ConstraintMapping> constraintMappings) Take out of the constraint mappings those that match the given path.- Parameters:
pathSpec
- the path specconstraintMappings
- a new list minus the matching constraints- Returns:
- the list of constraint mappings
-
createConstraintsWithMappingsForPath
public static List<ConstraintMapping> createConstraintsWithMappingsForPath(String name, String pathSpec, jakarta.servlet.ServletSecurityElement securityElement) Generate Constraints and ContraintMappings for the given url pattern and ServletSecurityElement- Parameters:
name
- the namepathSpec
- the path specsecurityElement
- the servlet security element- Returns:
- the list of constraint mappings
-
getConstraintMappings
- Specified by:
getConstraintMappings
in interfaceConstraintAware
-
getRoles
- Specified by:
getRoles
in interfaceConstraintAware
-
setConstraintMappings
Process the constraints following the combining rules in Servlet 3.0 EA spec section 13.7.1 Note that much of the logic is in the RoleInfo class.- Parameters:
constraintMappings
- The constraintMappings to set, from which the set of known roles is determined.
-
setConstraintMappings
Process the constraints following the combining rules in Servlet 3.0 EA spec section 13.7.1 Note that much of the logic is in the RoleInfo class.- Parameters:
constraintMappings
- The constraintMappings to set as array, from which the set of known roles is determined. Needed to retain API compatibility for 7.x
-
setConstraintMappings
Process the constraints following the combining rules in Servlet 3.0 EA spec section 13.7.1 Note that much of the logic is in the RoleInfo class.- Specified by:
setConstraintMappings
in interfaceConstraintAware
- Parameters:
constraintMappings
- The constraintMappings to set.roles
- The known roles (or null to determine them from the mappings)
-
setRoles
Set the known roles. This may be overridden by a subsequent call tosetConstraintMappings(ConstraintMapping[])
orsetConstraintMappings(List, Set)
.- Parameters:
roles
- The known roles (or null to determine them from the mappings)
-
addConstraintMapping
Description copied from interface:ConstraintAware
Add a Constraint Mapping. May be called for running webapplication as an annotated servlet is instantiated.- Specified by:
addConstraintMapping
in interfaceConstraintAware
- Parameters:
mapping
- the mapping
-
addRole
Description copied from interface:ConstraintAware
Add a Role definition. May be called on running webapplication as an annotated servlet is instantiated.- Specified by:
addRole
in interfaceConstraintAware
- Parameters:
role
- the role
-
doStart
Description copied from class:ContainerLifeCycle
Starts the managed lifecycle beans in the order they were added.- Overrides:
doStart
in classSecurityHandler
- Throws:
AbstractLifeCycle.StopException
- If thrown, the lifecycle will immediately be stopped.Exception
- If there was a problem starting. Will cause a transition to FAILED state
-
doStop
Description copied from class:ContainerLifeCycle
Stops the managed lifecycle beans in the reverse order they were added.- Overrides:
doStop
in classSecurityHandler
- Throws:
Exception
- If there was a problem stopping. Will cause a transition to FAILED state
-
processConstraintMapping
Create and combine the constraint with the existing processed constraints.- Parameters:
mapping
- the constraint mapping
-
asPathSpec
-
processConstraintMappingWithMethodOmissions
protected void processConstraintMappingWithMethodOmissions(ConstraintMapping mapping, Map<String, RoleInfo> mappings) Constraints that name method omissions are dealt with differently. We create an entry in the mappings with key "<method>.omission". This entry is only ever combined with other omissions for the same method to produce a consolidated RoleInfo. Then, when we wish to find the relevant constraints for a given Request (in prepareConstraintInfo()), we consult 3 types of entries in the mappings: an entry that names the method of the Request specifically, an entry that names constraints that apply to all methods, entries of the form <method>.omission, where the method of the Request is not named in the omission.- Parameters:
mapping
- the constraint mappingmappings
- the mappings of roles
-
configureRoleInfo
Initialize or update the RoleInfo from the constraint- Parameters:
ri
- the role infomapping
- the constraint mapping
-
prepareConstraintInfo
Find constraints that apply to the given path. In order to do this, we consult 3 different types of information stored in the mappings for each path - each mapping represents a merged set of user data constraints, roles etc -:- A mapping of an exact method name
- A mapping with key * that matches every method name
- Mappings with keys of the form "<method>.<method>.<method>.omission" that indicates it will match every method name EXCEPT those given
- Specified by:
prepareConstraintInfo
in classSecurityHandler
- See Also:
-
checkUserDataPermissions
protected boolean checkUserDataPermissions(String pathInContext, Request request, Response response, RoleInfo roleInfo) throws IOException - Specified by:
checkUserDataPermissions
in classSecurityHandler
- Throws:
IOException
-
isAuthMandatory
protected boolean isAuthMandatory(Request baseRequest, Response baseResponse, Object constraintInfo) - Specified by:
isAuthMandatory
in classSecurityHandler
-
checkWebResourcePermissions
protected boolean checkWebResourcePermissions(String pathInContext, Request request, Response response, Object constraintInfo, UserIdentity userIdentity) throws IOException - Specified by:
checkWebResourcePermissions
in classSecurityHandler
- Throws:
IOException
-
dump
Description copied from interface:Dumpable
Dump this object (and children) into an Appendable using the provided indent after any new lines. The indent should not be applied to the first object dumped.- Specified by:
dump
in interfaceDumpable
- Overrides:
dump
in classContainerLifeCycle
- Parameters:
out
- The appendable to dump toindent
- The indent to apply after any new lines.- Throws:
IOException
- if unable to write to Appendable
-
setDenyUncoveredHttpMethods
public void setDenyUncoveredHttpMethods(boolean deny) Description copied from interface:ConstraintAware
See Servlet Spec 31, sec 13.8.4, pg 145 When true, requests with http methods not explicitly covered either by inclusion or omissions in constraints, will have access denied.- Specified by:
setDenyUncoveredHttpMethods
in interfaceConstraintAware
- Parameters:
deny
- true for denied method access
-
isDenyUncoveredHttpMethods
public boolean isDenyUncoveredHttpMethods()- Specified by:
isDenyUncoveredHttpMethods
in interfaceConstraintAware
-
checkPathsWithUncoveredHttpMethods
public boolean checkPathsWithUncoveredHttpMethods()Servlet spec 3.1 pg. 147.- Specified by:
checkPathsWithUncoveredHttpMethods
in interfaceConstraintAware
- Returns:
- true if urls with uncovered http methods
-
getPathsWithUncoveredHttpMethods
Servlet spec 3.1 pg. 147. The container must check all the combined security constraint information and log any methods that are not protected and the urls at which they are not protected- Returns:
- list of paths for which there are uncovered methods
-
omissionsExist
Check if any http method omissions exist in the list of method to auth info mappings.- Parameters:
path
- the pathmethodMappings
- the method mappings- Returns:
- true if omission exist
-
getOmittedMethods
Given a string of the form<method>.<method>.omission
split out the individual method names.- Parameters:
omission
- the method- Returns:
- the list of strings
-