All Downloads are FREE. Search and download functionalities are using the official Maven repository.

org.eclipse.jetty.ee11.annotations.ServletSecurityAnnotationHandler Maven / Gradle / Ivy

//
// ========================================================================
// Copyright (c) 1995 Mort Bay Consulting Pty Ltd and others.
//
// This program and the accompanying materials are made available under the
// terms of the Eclipse Public License v. 2.0 which is available at
// https://www.eclipse.org/legal/epl-2.0, or the Apache License, Version 2.0
// which is available at https://www.apache.org/licenses/LICENSE-2.0.
//
// SPDX-License-Identifier: EPL-2.0 OR Apache-2.0
// ========================================================================
//

package org.eclipse.jetty.ee11.annotations;

import java.util.ArrayList;
import java.util.List;

import jakarta.servlet.ServletSecurityElement;
import jakarta.servlet.annotation.ServletSecurity;
import org.eclipse.jetty.ee11.annotations.AnnotationIntrospector.AbstractIntrospectableAnnotationHandler;
import org.eclipse.jetty.ee11.servlet.ServletHolder;
import org.eclipse.jetty.ee11.servlet.ServletMapping;
import org.eclipse.jetty.ee11.servlet.security.ConstraintAware;
import org.eclipse.jetty.ee11.servlet.security.ConstraintMapping;
import org.eclipse.jetty.ee11.servlet.security.ConstraintSecurityHandler;
import org.eclipse.jetty.ee11.webapp.WebAppContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * 

Inspect a class to see if it has an @ServletSecurity annotation on it, * setting up the <security-constraint>s. *

*

A servlet can be defined in:

*
    *
  • web.xml
  • *
  • web-fragment.xml
  • *
  • @WebServlet annotation discovered
  • *
  • ServletContext.createServlet
  • *
*

* The ServletSecurity annotation for a servlet should only be processed * iff metadata-complete == false.

*/ public class ServletSecurityAnnotationHandler extends AbstractIntrospectableAnnotationHandler { private static final Logger LOG = LoggerFactory.getLogger(ServletSecurityAnnotationHandler.class); public ServletSecurityAnnotationHandler(WebAppContext wac) { super(false, wac); } @Override public void doHandle(Class clazz) { if (!(_context.getSecurityHandler() instanceof ConstraintAware securityHandler)) { LOG.warn("SecurityHandler not ConstraintAware, skipping security annotation processing"); return; } ServletSecurity servletSecurity = clazz.getAnnotation(ServletSecurity.class); if (servletSecurity == null) return; //If there are already constraints defined (ie from web.xml) that match any //of the url patterns defined for this servlet, then skip the security annotation. List servletMappings = getServletMappings(clazz.getCanonicalName()); List constraintMappings = ((ConstraintAware)_context.getSecurityHandler()).getConstraintMappings(); if (constraintsExist(servletMappings, constraintMappings)) { LOG.warn("Constraints already defined for {}, skipping ServletSecurity annotation", clazz.getName()); return; } //Make a fresh list constraintMappings = new ArrayList<>(); ServletSecurityElement securityElement = new ServletSecurityElement(servletSecurity); for (ServletMapping sm : servletMappings) { for (String url : sm.getPathSpecs()) { _context.getMetaData().setOrigin("constraint.url." + url, servletSecurity, clazz); constraintMappings.addAll(ConstraintSecurityHandler.createConstraintsWithMappingsForPath(clazz.getName(), url, securityElement)); } } //set up the security constraints produced by the annotation constraintMappings.forEach(securityHandler::addConstraintMapping); //Servlet Spec 3.1 requires paths with uncovered http methods to be reported securityHandler.checkPathsWithUncoveredHttpMethods(); } /** * Get the ServletMappings for the servlet's class. * * @param className the class name * @return the servlet mappings for the class */ protected List getServletMappings(String className) { List results = new ArrayList<>(); ServletMapping[] mappings = _context.getServletHandler().getServletMappings(); for (ServletMapping mapping : mappings) { //Check the name of the servlet that this mapping applies to, and then find the ServletHolder for it to find it's class ServletHolder holder = _context.getServletHandler().getServlet(mapping.getServletName()); if (holder.getClassName() != null && holder.getClassName().equals(className)) results.add(mapping); } return results; } /** * Check if there are already <security-constraint> elements defined that match the url-patterns for * the servlet. * * @param servletMappings the servlet mappings * @param constraintMappings the constraint mappings * @return true if constraint exists */ protected boolean constraintsExist(List servletMappings, List constraintMappings) { boolean exists = false; //Check to see if the path spec on each constraint mapping matches a pathSpec in the servlet mappings. //If it does, then we should ignore the security annotations. for (ServletMapping mapping : servletMappings) { //Get its url mappings String[] pathSpecs = mapping.getPathSpecs(); if (pathSpecs == null) continue; //Check through the constraints to see if there are any whose pathSpecs (url mappings) //match the servlet. If so, then we already have constraints defined for this servlet, //and we will not be processing the annotation (ie web.xml or programmatic override). for (int i = 0; constraintMappings != null && i < constraintMappings.size() && !exists; i++) { for (String pathSpec : pathSpecs) { //TODO decide if we need to check the origin if (pathSpec.equals(constraintMappings.get(i).getPathSpec())) { exists = true; break; } } } } return exists; } }




© 2015 - 2025 Weber Informatics LLC | Privacy Policy