org.eclipse.jetty.annotations.ServletSecurityAnnotationHandler Maven / Gradle / Ivy
//
// ========================================================================
// Copyright (c) 1995-2013 Mort Bay Consulting Pty. Ltd.
// ------------------------------------------------------------------------
// All rights reserved. This program and the accompanying materials
// are made available under the terms of the Eclipse Public License v1.0
// and Apache License v2.0 which accompanies this distribution.
//
// The Eclipse Public License is available at
// http://www.eclipse.org/legal/epl-v10.html
//
// The Apache License v2.0 is available at
// http://www.opensource.org/licenses/apache2.0.php
//
// You may elect to redistribute this code under either of these licenses.
// ========================================================================
//
package org.eclipse.jetty.annotations;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.ServletSecurityElement;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.EmptyRoleSemantic;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import org.eclipse.jetty.annotations.AnnotationIntrospector.AbstractIntrospectableAnnotationHandler;
import org.eclipse.jetty.security.ConstraintAware;
import org.eclipse.jetty.security.ConstraintMapping;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.servlet.ServletHolder;
import org.eclipse.jetty.servlet.ServletMapping;
import org.eclipse.jetty.util.log.Log;
import org.eclipse.jetty.util.log.Logger;
import org.eclipse.jetty.util.security.Constraint;
import org.eclipse.jetty.webapp.Origin;
import org.eclipse.jetty.webapp.WebAppContext;
/**
* ServletSecurityAnnotationHandler
*
* Inspect a class to see if it has an @ServletSecurity annotation on it,
* setting up the s.
*
* A servlet can be defined in:
*
* - web.xml
*
- web-fragment.xml
*
- @WebServlet annotation discovered
*
- ServletContext.createServlet
*
*
* The ServletSecurity annotation for a servlet should only be processed
* iff metadata-complete == false.
*/
public class ServletSecurityAnnotationHandler extends AbstractIntrospectableAnnotationHandler
{
private static final Logger LOG = Log.getLogger(ServletSecurityAnnotationHandler.class);
private WebAppContext _context;
public ServletSecurityAnnotationHandler(WebAppContext wac)
{
super(false);
_context = wac;
}
/**
* @see org.eclipse.jetty.annotations.AnnotationIntrospector.IntrospectableAnnotationHandler#handle(java.lang.Class)
*/
public void doHandle(Class clazz)
{
if (!(_context.getSecurityHandler() instanceof ConstraintAware))
{
LOG.warn("SecurityHandler not ConstraintAware, skipping security annotation processing");
return;
}
ServletSecurity servletSecurity = (ServletSecurity)clazz.getAnnotation(ServletSecurity.class);
if (servletSecurity == null)
return;
//If there are already constraints defined (ie from web.xml) that match any
//of the url patterns defined for this servlet, then skip the security annotation.
List servletMappings = getServletMappings(clazz.getCanonicalName());
List constraintMappings = ((ConstraintAware)_context.getSecurityHandler()).getConstraintMappings();
if (constraintsExist(servletMappings, constraintMappings))
{
LOG.warn("Constraints already defined for "+clazz.getName()+", skipping ServletSecurity annotation");
return;
}
//Make a fresh list
constraintMappings = new ArrayList();
ServletSecurityElement securityElement = new ServletSecurityElement(servletSecurity);
for (ServletMapping sm : servletMappings)
{
for (String url : sm.getPathSpecs())
{
_context.getMetaData().setOrigin("constraint.url."+url, Origin.Annotation);
constraintMappings.addAll(ConstraintSecurityHandler.createConstraintsWithMappingsForPath(clazz.getName(), url, securityElement));
}
}
//set up the security constraints produced by the annotation
ConstraintAware securityHandler = (ConstraintAware)_context.getSecurityHandler();
for (ConstraintMapping m:constraintMappings)
securityHandler.addConstraintMapping(m);
}
/**
* Make a jetty Constraint object, which represents the and
* elements, based on the security annotation.
* @param servlet
* @param rolesAllowed
* @param permitOrDeny
* @param transport
* @return
*/
protected Constraint makeConstraint (Class servlet, String[] rolesAllowed, EmptyRoleSemantic permitOrDeny, TransportGuarantee transport)
{
return ConstraintSecurityHandler.createConstraint(servlet.getName(), rolesAllowed, permitOrDeny, transport);
}
/**
* Get the ServletMappings for the servlet's class.
* @param className
* @return
*/
protected List getServletMappings(String className)
{
List results = new ArrayList();
ServletMapping[] mappings = _context.getServletHandler().getServletMappings();
for (ServletMapping mapping : mappings)
{
//Check the name of the servlet that this mapping applies to, and then find the ServletHolder for it to find it's class
ServletHolder holder = _context.getServletHandler().getServlet(mapping.getServletName());
if (holder.getClassName() != null && holder.getClassName().equals(className))
results.add(mapping);
}
return results;
}
/**
* Check if there are already elements defined that match the url-patterns for
* the servlet.
* @param servletMappings
* @return
*/
protected boolean constraintsExist (List servletMappings, List constraintMappings)
{
boolean exists = false;
//Check to see if the path spec on each constraint mapping matches a pathSpec in the servlet mappings.
//If it does, then we should ignore the security annotations.
for (ServletMapping mapping : servletMappings)
{
//Get its url mappings
String[] pathSpecs = mapping.getPathSpecs();
if (pathSpecs == null)
continue;
//Check through the constraints to see if there are any whose pathSpecs (url mappings)
//match the servlet. If so, then we already have constraints defined for this servlet,
//and we will not be processing the annotation (ie web.xml or programmatic override).
for (int i=0; constraintMappings != null && i < constraintMappings.size() && !exists; i++)
{
for (int j=0; j < pathSpecs.length; j++)
{
//TODO decide if we need to check the origin
if (pathSpecs[j].equals(constraintMappings.get(i).getPathSpec()))
{
exists = true;
break;
}
}
}
}
return exists;
}
}