All Downloads are FREE. Search and download functionalities are using the official Maven repository.

org.eclipse.jetty.annotations.ServletSecurityAnnotationHandler Maven / Gradle / Ivy

//
//  ========================================================================
//  Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd.
//  ------------------------------------------------------------------------
//  All rights reserved. This program and the accompanying materials
//  are made available under the terms of the Eclipse Public License v1.0
//  and Apache License v2.0 which accompanies this distribution.
//
//      The Eclipse Public License is available at
//      http://www.eclipse.org/legal/epl-v10.html
//
//      The Apache License v2.0 is available at
//      http://www.opensource.org/licenses/apache2.0.php
//
//  You may elect to redistribute this code under either of these licenses.
//  ========================================================================
//

package org.eclipse.jetty.annotations;

import java.util.ArrayList;
import java.util.List;
import javax.servlet.ServletSecurityElement;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.HttpMethodConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.EmptyRoleSemantic;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;

import org.eclipse.jetty.annotations.AnnotationIntrospector.AbstractIntrospectableAnnotationHandler;
import org.eclipse.jetty.security.ConstraintAware;
import org.eclipse.jetty.security.ConstraintMapping;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.servlet.ServletHolder;
import org.eclipse.jetty.servlet.ServletMapping;
import org.eclipse.jetty.util.log.Log;
import org.eclipse.jetty.util.log.Logger;
import org.eclipse.jetty.util.security.Constraint;
import org.eclipse.jetty.webapp.Origin;
import org.eclipse.jetty.webapp.WebAppContext;

/**
 * ServletSecurityAnnotationHandler
 *
 * Inspect a class to see if it has an @ServletSecurity annotation on it,
 * setting up the s.
 *
 * A servlet can be defined in:
 * 
    *
  • web.xml *
  • web-fragment.xml *
  • @WebServlet annotation discovered *
  • ServletContext.createServlet *
* * The ServletSecurity annotation for a servlet should only be processed * iff metadata-complete == false. */ public class ServletSecurityAnnotationHandler extends AbstractIntrospectableAnnotationHandler { private static final Logger LOG = Log.getLogger(ServletSecurityAnnotationHandler.class); private WebAppContext _context; public ServletSecurityAnnotationHandler(WebAppContext wac) { super(false); _context = wac; } /** * @see org.eclipse.jetty.annotations.AnnotationIntrospector.IntrospectableAnnotationHandler#handle(java.lang.Class) */ public void doHandle(Class clazz) { if (!(_context.getSecurityHandler() instanceof ConstraintAware)) { LOG.warn("SecurityHandler not ConstraintAware, skipping security annotation processing"); return; } ServletSecurity servletSecurity = (ServletSecurity)clazz.getAnnotation(ServletSecurity.class); if (servletSecurity == null) return; //If there are already constraints defined (ie from web.xml) that match any //of the url patterns defined for this servlet, then skip the security annotation. List servletMappings = getServletMappings(clazz.getCanonicalName()); List constraintMappings = ((ConstraintAware)_context.getSecurityHandler()).getConstraintMappings(); if (constraintsExist(servletMappings, constraintMappings)) { LOG.warn("Constraints already defined for "+clazz.getName()+", skipping ServletSecurity annotation"); return; } //Make a fresh list constraintMappings = new ArrayList(); ServletSecurityElement securityElement = new ServletSecurityElement(servletSecurity); for (ServletMapping sm : servletMappings) { for (String url : sm.getPathSpecs()) { _context.getMetaData().setOrigin("constraint.url."+url, Origin.Annotation); constraintMappings.addAll(ConstraintSecurityHandler.createConstraintsWithMappingsForPath(clazz.getName(), url, securityElement)); } } //set up the security constraints produced by the annotation ConstraintAware securityHandler = (ConstraintAware)_context.getSecurityHandler(); for (ConstraintMapping m:constraintMappings) securityHandler.addConstraintMapping(m); } /** * Make a jetty Constraint object, which represents the and * elements, based on the security annotation. * @param servlet * @param rolesAllowed * @param permitOrDeny * @param transport * @return */ protected Constraint makeConstraint (Class servlet, String[] rolesAllowed, EmptyRoleSemantic permitOrDeny, TransportGuarantee transport) { return ConstraintSecurityHandler.createConstraint(servlet.getName(), rolesAllowed, permitOrDeny, transport); } /** * Get the ServletMappings for the servlet's class. * @param className * @return */ protected List getServletMappings(String className) { List results = new ArrayList(); ServletMapping[] mappings = _context.getServletHandler().getServletMappings(); for (ServletMapping mapping : mappings) { //Check the name of the servlet that this mapping applies to, and then find the ServletHolder for it to find it's class ServletHolder holder = _context.getServletHandler().getServlet(mapping.getServletName()); if (holder.getClassName() != null && holder.getClassName().equals(className)) results.add(mapping); } return results; } /** * Check if there are already elements defined that match the url-patterns for * the servlet. * @param servletMappings * @return */ protected boolean constraintsExist (List servletMappings, List constraintMappings) { boolean exists = false; //Check to see if the path spec on each constraint mapping matches a pathSpec in the servlet mappings. //If it does, then we should ignore the security annotations. for (ServletMapping mapping : servletMappings) { //Get its url mappings String[] pathSpecs = mapping.getPathSpecs(); if (pathSpecs == null) continue; //Check through the constraints to see if there are any whose pathSpecs (url mappings) //match the servlet. If so, then we already have constraints defined for this servlet, //and we will not be processing the annotation (ie web.xml or programmatic override). for (int i=0; constraintMappings != null && i < constraintMappings.size() && !exists; i++) { for (int j=0; j < pathSpecs.length; j++) { //TODO decide if we need to check the origin if (pathSpecs[j].equals(constraintMappings.get(i).getPathSpec())) { exists = true; break; } } } } return exists; } }




© 2015 - 2024 Weber Informatics LLC | Privacy Policy