author | Greg Wilkins | 2012-10-12 10:19:21 +0000 |
committer | Greg Wilkins | 2012-10-12 10:19:21 +0000 |
commit | fac580c374127acd8fc9b955f415cedd8b5ec6dc (patch) | |
tree | abfe7aec8f782c512c47f8e7a71a319322ca39de /jetty-security/src/main/java/org | |
parent | 6c011025b67635004e3c3471a5315f2429755852 (diff) | |
parent | 7625f0b8b3a1ceced86b46f8e4c5722430323468 (diff) | |
Merge remote-tracking branch 'origin/jetty-8' into jetty-9
Conflicts:
VERSION.txt
example-async-rest/async-rest-jar/pom.xml
example-async-rest/async-rest-webapp/pom.xml
example-async-rest/pom.xml
example-jetty-embedded/pom.xml
jetty-aggregate/jetty-all-server/pom.xml
jetty-aggregate/jetty-all/pom.xml
jetty-aggregate/jetty-client/pom.xml
jetty-aggregate/jetty-server/pom.xml
jetty-aggregate/jetty-servlet/pom.xml
jetty-aggregate/jetty-webapp/pom.xml
jetty-aggregate/jetty-websocket/pom.xml
jetty-aggregate/pom.xml
jetty-ajp/src/main/java/org/eclipse/jetty/ajp/Ajp13Generator.java
jetty-annotations/pom.xml
jetty-annotations/src/main/java/org/eclipse/jetty/annotations/AbstractDiscoverableAnnotationHandler.java
jetty-annotations/src/main/java/org/eclipse/jetty/annotations/AnnotationConfiguration.java
jetty-annotations/src/main/java/org/eclipse/jetty/annotations/AnnotationParser.java
jetty-annotations/src/main/java/org/eclipse/jetty/annotations/ServletContainerInitializerListener.java
jetty-annotations/src/main/java/org/eclipse/jetty/annotations/ServletSecurityAnnotationHandler.java
jetty-annotations/src/main/java/org/eclipse/jetty/annotations/WebServletAnnotation.java
jetty-annotations/src/main/java/org/eclipse/jetty/annotations/WebServletAnnotationHandler.java
jetty-client/pom.xml
jetty-continuation/pom.xml
jetty-deploy/pom.xml
jetty-distribution/pom.xml
jetty-http-spi/pom.xml
jetty-http/pom.xml
jetty-http/src/main/java/org/eclipse/jetty/http/Generator.java
jetty-http/src/main/java/org/eclipse/jetty/http/HttpFields.java
jetty-http/src/main/java/org/eclipse/jetty/http/HttpGenerator.java
jetty-http/src/main/java/org/eclipse/jetty/http/HttpURI.java
jetty-http/src/main/java/org/eclipse/jetty/http/MimeTypes.java
jetty-http/src/test/java/org/eclipse/jetty/http/HttpFieldsTest.java
jetty-io/pom.xml
jetty-io/src/main/java/org/eclipse/jetty/io/AbstractBuffer.java
jetty-io/src/main/java/org/eclipse/jetty/io/Buffer.java
jetty-io/src/main/java/org/eclipse/jetty/io/BufferUtil.java
jetty-jaspi/pom.xml
jetty-jmx/pom.xml
jetty-jndi/pom.xml
jetty-jndi/src/main/java/org/eclipse/jetty/jndi/ContextFactory.java
jetty-jndi/src/test/java/org/eclipse/jetty/jndi/java/TestJNDI.java
jetty-jsp/pom.xml
jetty-monitor/pom.xml
jetty-nested/pom.xml
jetty-nosql/pom.xml
jetty-osgi/jetty-osgi-boot-jsp/pom.xml
jetty-osgi/jetty-osgi-boot-warurl/pom.xml
jetty-osgi/jetty-osgi-boot/pom.xml
jetty-osgi/jetty-osgi-boot/src/main/java/org/eclipse/jetty/osgi/boot/OSGiDeployer.java
jetty-osgi/jetty-osgi-httpservice/pom.xml
jetty-osgi/pom.xml
jetty-osgi/test-jetty-osgi-context/pom.xml
jetty-osgi/test-jetty-osgi-webapp/pom.xml
jetty-osgi/test-jetty-osgi/pom.xml
jetty-overlay-deployer/pom.xml
jetty-plus/pom.xml
jetty-policy/pom.xml
jetty-rewrite/pom.xml
jetty-runner/pom.xml
jetty-security/pom.xml
jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintSecurityHandler.java
jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java
jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginAuthenticator.java
jetty-security/src/test/java/org/eclipse/jetty/security/ConstraintTest.java
jetty-server/pom.xml
jetty-server/src/main/java/org/eclipse/jetty/server/AbstractHttpConnection.java
jetty-server/src/main/java/org/eclipse/jetty/server/AsyncHttpConnection.java
jetty-server/src/main/java/org/eclipse/jetty/server/HttpInput.java
jetty-server/src/main/java/org/eclipse/jetty/server/HttpOutput.java
jetty-server/src/main/java/org/eclipse/jetty/server/Request.java
jetty-server/src/main/java/org/eclipse/jetty/server/Response.java
jetty-server/src/main/java/org/eclipse/jetty/server/bio/SocketConnector.java
jetty-server/src/main/java/org/eclipse/jetty/server/session/SessionHandler.java
jetty-server/src/test/java/org/eclipse/jetty/server/HttpServerTestBase.java
jetty-server/src/test/java/org/eclipse/jetty/server/HttpURITest.java
jetty-server/src/test/java/org/eclipse/jetty/server/ResponseTest.java
jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SelectChannelServerSslTest.java
jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SslSocketServerTest.java
jetty-server/src/test/resources/jetty-logging.properties
jetty-servlet/pom.xml
jetty-servlet/src/main/java/org/eclipse/jetty/servlet/DefaultServlet.java
jetty-servlet/src/main/java/org/eclipse/jetty/servlet/ServletContextHandler.java
jetty-servlet/src/main/java/org/eclipse/jetty/servlet/ServletHolder.java
jetty-servlet/src/test/java/org/eclipse/jetty/servlet/DispatcherTest.java
jetty-servlets/pom.xml
jetty-servlets/src/main/java/org/eclipse/jetty/servlets/GzipFilter.java
jetty-servlets/src/main/java/org/eclipse/jetty/servlets/MultiPartFilter.java
jetty-servlets/src/test/java/org/eclipse/jetty/servlets/MultipartFilterTest.java
jetty-servlets/src/test/java/org/eclipse/jetty/servlets/gzip/GzipTester.java
jetty-spdy/pom.xml
jetty-spdy/spdy-client/pom.xml
jetty-spdy/spdy-core/pom.xml
jetty-spdy/spdy-example-webapp/pom.xml
jetty-spdy/spdy-http-server/pom.xml
jetty-spdy/spdy-jetty-http/src/main/java/org/eclipse/jetty/spdy/http/ServerHTTPSPDYAsyncConnection.java
jetty-start/pom.xml
jetty-start/src/test/java/org/eclipse/jetty/start/CommandLineBuilderTest.java
jetty-start/src/test/java/org/eclipse/jetty/start/MainTest.java
jetty-util-ajax/pom.xml
jetty-util/pom.xml
jetty-util/src/main/java/org/eclipse/jetty/util/MultiPartInputStream.java
jetty-util/src/main/java/org/eclipse/jetty/util/log/StdErrLog.java
jetty-util/src/test/java/org/eclipse/jetty/util/MultiPartInputStreamTest.java
jetty-webapp/pom.xml
jetty-webapp/src/main/java/org/eclipse/jetty/webapp/StandardDescriptorProcessor.java
jetty-webapp/src/main/java/org/eclipse/jetty/webapp/WebAppContext.java
jetty-websocket/pom.xml
jetty-websocket/src/test/java/org/eclipse/jetty/websocket/WebSocketServletRFCTest.java
jetty-websocket/src/test/java/org/eclipse/jetty/websocket/helper/MessageSender.java
jetty-websocket/websocket-server/src/test/java/org/eclipse/jetty/websocket/server/UnitGenerator.java
jetty-xml/pom.xml
pom.xml
test-continuation/pom.xml
test-jetty-nested/pom.xml
test-jetty-servlet/pom.xml
test-jetty-webapp/pom.xml
test-jetty-webapp/src/main/webapp/WEB-INF/web.xml
tests/pom.xml
tests/test-integration/pom.xml
tests/test-loginservice/pom.xml
tests/test-sessions/pom.xml
tests/test-sessions/test-hash-sessions/pom.xml
tests/test-sessions/test-jdbc-sessions/pom.xml
tests/test-sessions/test-mongodb-sessions/pom.xml
tests/test-sessions/test-sessions-common/pom.xml
tests/test-webapps/pom.xml
tests/test-webapps/test-webapp-rfc2616/pom.xml
Diffstat (limited to 'jetty-security/src/main/java/org')
2 files changed, 394 insertions, 48 deletions
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintSecurityHandler.java b/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintSecurityHandler.java
index ec998dd131..eb9235ab42 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintSecurityHandler.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintSecurityHandler.java
@@ -19,15 +19,24 @@
 package org.eclipse.jetty.security;
 import java.io.IOException;
+import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.Collection;
 import java.util.Collections;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
+import java.util.Map.Entry;
 import java.util.Set;
 import java.util.concurrent.CopyOnWriteArrayList;
 import java.util.concurrent.CopyOnWriteArraySet;
+import javax.servlet.HttpConstraintElement;
+import javax.servlet.HttpMethodConstraintElement;
+import javax.servlet.ServletSecurityElement;
+import javax.servlet.annotation.ServletSecurity.EmptyRoleSemantic;
+import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
+
 import org.eclipse.jetty.http.HttpStatus;
 import org.eclipse.jetty.http.PathMap;
 import org.eclipse.jetty.server.HttpChannel;
@@ -36,18 +45,18 @@ import org.eclipse.jetty.server.Request;
 import org.eclipse.jetty.server.Response;
 import org.eclipse.jetty.server.UserIdentity;
 import org.eclipse.jetty.util.StringMap;
-import org.eclipse.jetty.util.TypeUtil;
 import org.eclipse.jetty.util.security.Constraint;
 /* ------------------------------------------------------------ */
 /**
 * Handler to enforce SecurityConstraints. This implementation is servlet spec
- * 2.4 compliant and pre-computes the constraint combinations for runtime
+ * 3.0 compliant and pre-computes the constraint combinations for runtime
 * efficiency.
 *
 */
 public class ConstraintSecurityHandler extends SecurityHandler implements ConstraintAware
 {
+ private static final String OMISSION_SUFFIX = ".omission";
 private static final String ALL_METHODS = "*";
 private final List<ConstraintMapping> _constraintMappings= new CopyOnWriteArrayList<>();
 private final Set<String> _roles = new CopyOnWriteArraySet<>();
@@ -55,6 +64,212 @@ public class ConstraintSecurityHandler extends SecurityHandler implements Constr
 private boolean _strict = true;
 /* ------------------------------------------------------------ */
+ /**
+ * @return
+ */
+ public static Constraint createConstraint()
+ {
+ return new Constraint();
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @param constraint
+ * @return
+ */
+ public static Constraint createConstraint(Constraint constraint)
+ {
+ try
+ {
+ return (Constraint)constraint.clone();
+ }
+ catch (CloneNotSupportedException e)
+ {
+ throw new IllegalStateException (e);
+ }
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * Create a security constraint
+ *
+ * @param name
+ * @param authenticate
+ * @param roles
+ * @param dataConstraint
+ * @return
+ */
+ public static Constraint createConstraint (String name, boolean authenticate, String[] roles, int dataConstraint)
+ {
+ Constraint constraint = createConstraint();
+ if (name != null)
+ constraint.setName(name);
+ constraint.setAuthenticate(authenticate);
+ constraint.setRoles(roles);
+ constraint.setDataConstraint(dataConstraint);
+ return constraint;
+ }
+
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @param name
+ * @param element
+ * @return
+ */
+ public static Constraint createConstraint (String name, HttpConstraintElement element)
+ {
+ return createConstraint(name, element.getRolesAllowed(), element.getEmptyRoleSemantic(), element.getTransportGuarantee());
+ }
+
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @param name
+ * @param rolesAllowed
+ * @param permitOrDeny
+ * @param transport
+ * @return
+ */
+ public static Constraint createConstraint (String name, String[] rolesAllowed, EmptyRoleSemantic permitOrDeny, TransportGuarantee transport)
+ {
+ Constraint constraint = createConstraint();
+
+ if (rolesAllowed == null || rolesAllowed.length==0)
+ {
+ if (permitOrDeny.equals(EmptyRoleSemantic.DENY))
+ {
+ //Equivalent to <auth-constraint> with no roles
+ constraint.setName(name+"-Deny");
+ constraint.setAuthenticate(true);
+ }
+ else
+ {
+ //Equivalent to no <auth-constraint>
+ constraint.setName(name+"-Permit");
+ constraint.setAuthenticate(false);
+ }
+ }
+ else
+ {
+ //Equivalent to <auth-constraint> with list of <security-role-name>s
+ constraint.setAuthenticate(true);
+ constraint.setRoles(rolesAllowed);
+ constraint.setName(name+"-RolesAllowed");
+ }
+
+ //Equivalent to //<user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
+ constraint.setDataConstraint((transport.equals(TransportGuarantee.CONFIDENTIAL)?Constraint.DC_CONFIDENTIAL:Constraint.DC_NONE));
+ return constraint;
+ }
+
+
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @param pathSpec
+ * @param constraintMappings
+ * @return
+ */
+ public static List<ConstraintMapping> getConstraintMappingsForPath(String pathSpec, List<ConstraintMapping> constraintMappings)
+ {
+ if (pathSpec == null || "".equals(pathSpec.trim()) || constraintMappings == null || constraintMappings.size() == 0)
+ return Collections.emptyList();
+
+ List<ConstraintMapping> mappings = new ArrayList<ConstraintMapping>();
+ for (ConstraintMapping mapping:constraintMappings)
+ {
+ if (pathSpec.equals(mapping.getPathSpec()))
+ {
+ mappings.add(mapping);
+ }
+ }
+ return mappings;
+ }
+
+
+ /* ------------------------------------------------------------ */
+ /** Take out of the constraint mappings those that match the
+ * given path.
+ *
+ * @param pathSpec
+ * @param constraintMappings a new list minus the matching constraints
+ * @return
+ */
+ public static List<ConstraintMapping> removeConstraintMappingsForPath(String pathSpec, List<ConstraintMapping> constraintMappings)
+ {
+ if (pathSpec == null || "".equals(pathSpec.trim()) || constraintMappings == null || constraintMappings.size() == 0)
+ return Collections.emptyList();
+
+ List<ConstraintMapping> mappings = new ArrayList<ConstraintMapping>();
+ for (ConstraintMapping mapping:constraintMappings)
+ {
+ //Remove the matching mappings by only copying in non-matching mappings
+ if (!pathSpec.equals(mapping.getPathSpec()))
+ {
+ mappings.add(mapping);
+ }
+ }
+ return mappings;
+ }
+
+
+
+ /* ------------------------------------------------------------ */
+ /** Generate Constraints and ContraintMappings for the given url pattern and ServletSecurityElement
+ *
+ * @param name
+ * @param pathSpec
+ * @param securityElement
+ * @return
+ */
+ public static List<ConstraintMapping> createConstraintsWithMappingsForPath (String name, String pathSpec, ServletSecurityElement securityElement)
+ {
+ List<ConstraintMapping> mappings = new ArrayList<ConstraintMapping>();
+
+ //Create a constraint that will describe the default case (ie if not overridden by specific HttpMethodConstraints)
+ Constraint constraint = ConstraintSecurityHandler.createConstraint(name, securityElement);
+
+ //Create a mapping for the pathSpec for the default case
+ ConstraintMapping defaultMapping = new ConstraintMapping();
+ defaultMapping.setPathSpec(pathSpec);
+ defaultMapping.setConstraint(constraint);
+ mappings.add(defaultMapping);
+
+
+ //See Spec 13.4.1.2 p127
+ List<String> methodOmissions = new ArrayList<String>();
+
+ //make constraint mappings for this url for each of the HttpMethodConstraintElements
+ Collection<HttpMethodConstraintElement> methodConstraints = securityElement.getHttpMethodConstraints();
+ if (methodConstraints != null)
+ {
+ for (HttpMethodConstraintElement methodConstraint:methodConstraints)
+ {
+ //Make a Constraint that captures the <auth-constraint> and <user-data-constraint> elements supplied for the HttpMethodConstraintElement
+ Constraint mconstraint = ConstraintSecurityHandler.createConstraint(name, methodConstraint);
+ ConstraintMapping mapping = new ConstraintMapping();
+ mapping.setConstraint(mconstraint);
+ mapping.setPathSpec(pathSpec);
+ if (methodConstraint.getMethodName() != null)
+ {
+ mapping.setMethod(methodConstraint.getMethodName());
+ //See spec 13.4.1.2 p127 - add an omission for every method name to the default constraint
+ methodOmissions.add(methodConstraint.getMethodName());
+ }
+ mappings.add(mapping);
+ }
+ }
+ //See spec 13.4.1.2 p127 - add an omission for every method name to the default constraint
+ if (methodOmissions.size() > 0)
+ defaultMapping.setMethodOmissions(methodOmissions.toArray(new String[methodOmissions.size()]));
+
+ return mappings;
+ }
+
+
+
+ /* ------------------------------------------------------------ */
 /** Get the strict mode.
 * @return true if the security handler is running in strict mode.
 */
@@ -140,8 +355,6 @@ public class ConstraintSecurityHandler extends SecurityHandler implements Constr
 @Override
 public void setConstraintMappings(List<ConstraintMapping> constraintMappings, Set<String> roles)
 {
- if (isStarted())
- throw new IllegalStateException("Started");
 _constraintMappings.clear();
 _constraintMappings.addAll(constraintMappings);
@@ -160,6 +373,14 @@ public class ConstraintSecurityHandler extends SecurityHandler implements Constr
 }
 }
 setRoles(roles);
+
+ if (isStarted())
+ {
+ for (ConstraintMapping mapping : _constraintMappings)
+ {
+ processConstraintMapping(mapping);
+ }
+ }
 }
 /* ------------------------------------------------------------ */
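Review bot: In `createConstraint(String, String[], EmptyRoleSemantic, TransportGuarantee)` the calls `permitOrDeny.equals(EmptyRoleSemantic.DENY)` and `transport.equals(TransportGuarantee.CONFIDENTIAL)` throw a NullPointerException for a null argument; the `HttpConstraintElement` overload will not pass null, but this overload is public static and nothing documents that contract. Failing fast with a clear message is preferable to the NPE, e.g. `if (permitOrDeny == null || transport == null) throw new IllegalArgumentException("permitOrDeny and transport are required");` as the first statement of the method. Separately, the new public factories carry empty `@param`/`@return` stubs; each should state what the name suffix (`-Deny`, `-Permit`, `-RolesAllowed`) encodes and what the returned Constraint represents, and `getConstraintMappingsForPath`/`removeConstraintMappingsForPath` should say that the empty-input path returns an immutable `Collections.emptyList()` while the other path returns a fresh mutable list, since callers that append to the result will see different behaviour depending on input.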
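Review bot: Re-running `processConstraintMapping` on a started handler (here, together with the removed `isStarted()` guards in the `@@ -140` hunk and in the `setRoles` hunk at `@@ -172`) merges into `_constraintMap` without clearing it, so RoleInfo entries computed from the previous mapping set remain in the map and are combined with the new ones, and a mapping that was removed from the list keeps its effect until `doStop`. The loop also mutates the live `_constraintMap` and the per-path `Map<String, RoleInfo>` inside it while request threads read them in `prepareConstraintInfo`, with no synchronization visible in these hunks, and `setRoles` on a started handler updates `_roles` without re-running the strict-mode role validation done in `configureRoleInfo`. Clearing the map before the loop would fix the first point but would open a window in which requests see no constraints, so if `_constraintMap` can be reassigned the safer shape is to build a replacement PathMap off-line and publish it in a single assignment; otherwise the old `IllegalStateException("Started")` behaviour should be kept. Whichever is chosen, a comment on the `if (isStarted())` block should state what the code guarantees to concurrent requests. `setConstraintMappings` begins outside this hunk.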
@@ -172,9 +393,6 @@ public class ConstraintSecurityHandler extends SecurityHandler implements Constr
 */
 public void setRoles(Set<String> roles)
 {
- if (isStarted())
- throw new IllegalStateException("Started");
-
 _roles.clear();
 _roles.addAll(roles);
 }
@@ -238,14 +456,24 @@ public class ConstraintSecurityHandler extends SecurityHandler implements Constr
 }
 super.doStart();
 }
-
+
+
+ /* ------------------------------------------------------------ */
 @Override
 protected void doStop() throws Exception
 {
 super.doStop();
 _constraintMap.clear();
 }
-
+
+
+ /* ------------------------------------------------------------ */
+ /**
+ * Create and combine the constraint with the existing processed
+ * constraints.
+ *
+ * @param mapping
+ */
 protected void processConstraintMapping(ConstraintMapping mapping)
 {
 Map<String, RoleInfo> mappings = _constraintMap.get(mapping.getPathSpec());
@@ -258,6 +486,12 @@ public class ConstraintSecurityHandler extends SecurityHandler implements Constr
 if (allMethodsRoleInfo != null && allMethodsRoleInfo.isForbidden())
 return;
+ if (mapping.getMethodOmissions() != null && mapping.getMethodOmissions().length > 0)
+ {
+ processConstraintMappingWithMethodOmissions(mapping, mappings);
+ return;
+ }
+
 String httpMethod = mapping.getMethod();
 if (httpMethod==null)
 httpMethod=ALL_METHODS;
@@ -274,10 +508,10 @@ public class ConstraintSecurityHandler extends SecurityHandler implements Constr
 if (roleInfo.isForbidden())
 return;
- Constraint constraint = mapping.getConstraint();
- boolean forbidden = constraint.isForbidden();
- roleInfo.setForbidden(forbidden);
- if (forbidden)
+ //add in info from the constraint
+ configureRoleInfo(roleInfo, mapping);
+
+ if (roleInfo.isForbidden())
 {
 if (httpMethod.equals(ALL_METHODS))
 {
@@ -287,41 +521,12 @@ public class ConstraintSecurityHandler extends SecurityHandler implements Constr
 }
 else
 {
- UserDataConstraint userDataConstraint = UserDataConstraint.get(constraint.getDataConstraint());
- roleInfo.setUserDataConstraint(userDataConstraint);
-
- boolean checked = constraint.getAuthenticate();
- roleInfo.setChecked(checked);
- if (roleInfo.isChecked())
- {
- if (constraint.isAnyRole())
- {
- if (_strict)
- {
- // * means "all defined roles"
- for (String role : _roles)
- roleInfo.addRole(role);
- }
- else
- // * means any role
- roleInfo.setAnyRole(true);
- }
- else
- {
- String[] newRoles = constraint.getRoles();
- for (String role : newRoles)
- {
- if (_strict &&!_roles.contains(role))
- throw new IllegalArgumentException("Attempt to use undeclared role: " + role + ", known roles: " + _roles);
- roleInfo.addRole(role);
- }
- }
- }
- if (httpMethod.equals(ALL_METHODS))
+ //combine with any entry that covers all methods
+ if (httpMethod == null)
 {
 for (Map.Entry<String, RoleInfo> entry : mappings.entrySet())
 {
- if (!entry.getKey().equals(ALL_METHODS))
+ if (entry.getKey() != null)
 {
 RoleInfo specific = entry.getValue();
 specific.combine(roleInfo);
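Review bot: The new condition `if (httpMethod == null)` is dead code: context earlier in `processConstraintMapping` (visible in the `@@ -258` hunk) normalises the method with `if (httpMethod==null) httpMethod=ALL_METHODS;`, and the forbidden branch directly above this one still tests `httpMethod.equals(ALL_METHODS)`. The effect is that a path-wide constraint is no longer combined into the method-specific RoleInfo entries of the same path, which the removed code did, and since `prepareConstraintInfo` returns a method-specific entry without consulting the `ALL_METHODS` entry, that entry now carries only its own roles, authentication and data-constraint settings. Likewise `entry.getKey() != null` would be true for the `ALL_METHODS` key itself (combining the RoleInfo with itself) and for every `*.omission` key. If the previous merge semantics are intended, restore `if (httpMethod.equals(ALL_METHODS))` and `if (!entry.getKey().equals(ALL_METHODS))` (optionally also skipping keys ending in `OMISSION_SUFFIX`); if per-method constraints are meant to fully override the path-wide one, delete the branch and say so in a comment, because as written it documents a merge that never happens. `processConstraintMapping` starts outside this hunk.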
@@ -331,17 +536,145 @@ public class ConstraintSecurityHandler extends SecurityHandler implements Constr
 }
 }
+ /* ------------------------------------------------------------ */
+ /** Constraints that name method omissions are dealt with differently.
+ * We create an entry in the mappings with key "method.omission". This entry
+ * is only ever combined with other omissions for the same method to produce a
+ * consolidated RoleInfo. Then, when we wish to find the relevant constraints for
+ * a given Request (in prepareConstraintInfo()), we consult 3 types of entries in
+ * the mappings: an entry that names the method of the Request specifically, an
+ * entry that names constraints that apply to all methods, entries of the form
+ * method.omission, where the method of the Request is not named in the omission.
+ * @param mapping
+ * @param mappings
+ */
+ protected void processConstraintMappingWithMethodOmissions (ConstraintMapping mapping, Map<String, RoleInfo> mappings)
+ {
+ String[] omissions = mapping.getMethodOmissions();
+
+ for (String omission:omissions)
+ {
+ //for each method omission, see if there is already a RoleInfo for it in mappings
+ RoleInfo ri = mappings.get(omission+OMISSION_SUFFIX);
+ if (ri == null)
+ {
+ //if not, make one
+ ri = new RoleInfo();
+ mappings.put(omission+OMISSION_SUFFIX, ri);
+ }
+
+ //initialize RoleInfo or combine from ConstraintMapping
+ configureRoleInfo(ri, mapping);
+ }
+ }
+
+
+ /* ------------------------------------------------------------ */
+ /**
+ * Initialize or update the RoleInfo from the constraint
+ * @param ri
+ * @param mapping
+ */
+ protected void configureRoleInfo (RoleInfo ri, ConstraintMapping mapping)
+ {
+ Constraint constraint = mapping.getConstraint();
+ boolean forbidden = constraint.isForbidden();
+ ri.setForbidden(forbidden);
+
+ //set up the data constraint (NOTE: must be done after setForbidden, as it nulls out the data constraint
+ //which we need in order to do combining of omissions in prepareConstraintInfo
+ UserDataConstraint userDataConstraint = UserDataConstraint.get(mapping.getConstraint().getDataConstraint());
+ ri.setUserDataConstraint(userDataConstraint);
+
+
+ //if forbidden, no point setting up roles
+ if (!ri.isForbidden())
+ {
+ //add in the roles
+ boolean checked = mapping.getConstraint().getAuthenticate();
+ ri.setChecked(checked);
+ if (ri.isChecked())
+ {
+ if (mapping.getConstraint().isAnyRole())
+ {
+ if (_strict)
+ {
+ // * means "all defined roles"
+ for (String role : _roles)
+ ri.addRole(role);
+ }
+ else
+ // * means any role
+ ri.setAnyRole(true);
+ }
+ else
+ {
+ String[] newRoles = mapping.getConstraint().getRoles();
+ for (String role : newRoles)
+ {
+ if (_strict &&!_roles.contains(role))
+ throw new IllegalArgumentException("Attempt to use undeclared role: " + role + ", known roles: " + _roles);
+ ri.addRole(role);
+ }
+ }
+ }
+ }
+ }
+
+
+ /* ------------------------------------------------------------ */
+ /**
+ * Find constraints that apply to the given path.
+ * In order to do this, we consult 3 different types of information stored in the mappings for each path - each mapping
+ * represents a merged set of user data constraints, roles etc -:
+ * <ol>
+ * <li>A mapping of an exact method name </li>
+ * <li>A mapping will null key that matches every method name</li>
+ * <li>Mappings with keys of the form "method.omission" that indicates it will match every method name EXCEPT that given</li>
+ * </ol>
+ *
+ * @see org.eclipse.jetty.security.SecurityHandler#prepareConstraintInfo(java.lang.String, org.eclipse.jetty.server.Request)
+ */
 @Override
 protected RoleInfo prepareConstraintInfo(String pathInContext, Request request)
 {
- Map<String, RoleInfo> mappings = _constraintMap.match(pathInContext);
+ Map<String, RoleInfo> mappings = (Map<String, RoleInfo>)_constraintMap.match(pathInContext);
 if (mappings != null)
 {
 String httpMethod = request.getMethod();
 RoleInfo roleInfo = mappings.get(httpMethod);
 if (roleInfo == null)
- roleInfo = mappings.get(ALL_METHODS);
+ {
+ //No specific http-method names matched
+ List<RoleInfo> applicableConstraints = new ArrayList<RoleInfo>();
+
+ //Get info for constraint that matches all methods if it exists
+ RoleInfo all = mappings.get(ALL_METHODS);
+ if (all != null)
+ applicableConstraints.add(all);
+
+
+ //Get info for constraints that name method omissions where target method name is not omitted
+ //(ie matches because target method is not omitted, hence considered covered by the constraint)
+ for (Entry<String, RoleInfo> entry: mappings.entrySet())
+ {
+ if (entry.getKey() != null && entry.getKey().contains(OMISSION_SUFFIX) && !(httpMethod+OMISSION_SUFFIX).equals(entry.getKey()))
+ applicableConstraints.add(entry.getValue());
+ }
+
+ if (applicableConstraints.size() == 1)
+ roleInfo = applicableConstraints.get(0);
+ else
+ {
+ roleInfo = new RoleInfo();
+ roleInfo.setUserDataConstraint(UserDataConstraint.None);
+
+ for (RoleInfo r:applicableConstraints)
+ roleInfo.combine(r);
+ }
+
+ }
 return roleInfo;
 }
@@ -396,7 +729,12 @@ public class ConstraintSecurityHandler extends SecurityHandler implements Constr
 {
 return constraintInfo != null && ((RoleInfo)constraintInfo).isChecked();
 }
-
+
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.security.SecurityHandler#checkWebResourcePermissions(java.lang.String, org.eclipse.jetty.server.Request, org.eclipse.jetty.server.Response, java.lang.Object, org.eclipse.jetty.server.UserIdentity)
+ */
 @Override
 protected boolean checkWebResourcePermissions(String pathInContext, Request request, Response response, Object constraintInfo, UserIdentity userIdentity) throws IOException
@@ -435,4 +773,5 @@ public class ConstraintSecurityHandler extends SecurityHandler implements Constr
 Collections.singleton(_roles), _constraintMap.entrySet());
 }
+
 }
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SessionAuthentication.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SessionAuthentication.java
index 7e7ec72d49..9e94282364 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SessionAuthentication.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SessionAuthentication.java
@@ -119,18 +119,25 @@ public class SessionAuthentication implements Authentication.User, Serializable,
 @Override
 public void sessionWillPassivate(HttpSessionEvent se)
 {
+
 }
 @Override
 public void sessionDidActivate(HttpSessionEvent se)
 {
 if (_session==null)
+ {
 _session=se.getSession();
+ }
 }
 @Override
 public void valueBound(HttpSessionBindingEvent event)
 {
+ if (_session==null)
+ {
+ _session=event.getSession();
+ }
 }
 @Override |
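Review bot: `processConstraintMappingWithMethodOmissions` stores one `<method>.omission` entry per omitted method, all configured from the same constraint, while the lookup loop in `prepareConstraintInfo` applies every omission entry whose key is not `<requestMethod>.omission`; for a mapping that omits more than one method, say GET and POST, a GET request skips `GET.omission` but still picks up `POST.omission`, so the constraint is enforced on the very methods it was declared to exclude. The entry needs to be keyed by the whole omission set and skipped only when the request method is one of the omitted methods, as sketched below (it assumes method names contain no `.`, which the existing key scheme already assumes). In the same loop `entry.getKey().contains(OMISSION_SUFFIX)` should be `endsWith(OMISSION_SUFFIX)`, since that is how the keys are built. The cast `(Map<String, RoleInfo>)_constraintMap.match(pathInContext)` is unchecked and should carry `@SuppressWarnings("unchecked")` on the local with a one-line comment saying why it is safe, and `configureRoleInfo` should use its `constraint` local instead of repeating `mapping.getConstraint()` four times. `prepareConstraintInfo` ends outside this hunk.
```java
    protected void processConstraintMappingWithMethodOmissions (ConstraintMapping mapping, Map<String, RoleInfo> mappings)
    {
        //one entry per omission *set*: a constraint omitting {GET,POST} applies to neither
        //method, so it must not be split into a GET.omission and a POST.omission entry
        StringBuilder key = new StringBuilder();
        for (String omission : mapping.getMethodOmissions())
        {
            if (key.length() > 0)
                key.append('.');
            key.append(omission);
        }
        key.append(OMISSION_SUFFIX);

        RoleInfo ri = mappings.get(key.toString());
        if (ri == null)
        {
            ri = new RoleInfo();
            mappings.put(key.toString(), ri);
        }
        configureRoleInfo(ri, mapping);
    }

    // … unchanged: configureRoleInfo, start of prepareConstraintInfo up to the ALL_METHODS lookup …

                for (Entry<String, RoleInfo> entry : mappings.entrySet())
                {
                    String key = entry.getKey();
                    if (key == null || !key.endsWith(OMISSION_SUFFIX))
                        continue;
                    //the entry applies unless the request method is one of the omitted methods
                    String[] omitted = key.substring(0, key.length() - OMISSION_SUFFIX.length()).split("\\.");
                    if (!Arrays.asList(omitted).contains(httpMethod))
                        applicableConstraints.add(entry.getValue());
                }

    // … unchanged: combining of applicableConstraints, return roleInfo …
```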
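Review bot: `valueBound` and `sessionDidActivate` now both assign `_session` only while it is still null, and `sessionWillPassivate` deliberately leaves it untouched, but nothing in the hunk explains why a lazily captured, never replaced session reference is the intended model; a reader cannot tell whether `_session` is meant to survive being bound to a different session, or whether `valueUnbound` (outside this hunk) resets it. A comment above `valueBound` along the lines of `// _session is recovered from whichever session event arrives first after this object is deserialised or re-bound, and is never replaced once set` would settle that, on the assumption that `_session` is a transient field, which the hunk does not show and should be confirmed. The enclosing class starts outside this hunk.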