authorJan Bartel2013-04-23 00:57:52 -0400
committerJan Bartel2013-04-23 00:57:52 -0400
commit6c2ae7b74b7c7f6fbe463a61be6f220c89912f90 (patch)
tree395bbd896f29b59594514ab4e560418c29689106 /jetty-security/src/main
parent586a5dee7a38f6a9d89b7bda5ee170202ac2c2ee (diff)
downloadorg.eclipse.jetty.project-6c2ae7b74b7c7f6fbe463a61be6f220c89912f90.tar.gz
org.eclipse.jetty.project-6c2ae7b74b7c7f6fbe463a61be6f220c89912f90.tar.xz
org.eclipse.jetty.project-6c2ae7b74b7c7f6fbe463a61be6f220c89912f90.zip
406272 Security constraints with multiple http-method-omissions can be incorrectly applied
Diffstat (limited to 'jetty-security/src/main')
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintSecurityHandler.java29
1 files changed, 13 insertions, 16 deletions
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintSecurityHandler.java b/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintSecurityHandler.java
index 7878479bc4..fd9a415d66 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintSecurityHandler.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintSecurityHandler.java
@@ -551,23 +551,20 @@ public class ConstraintSecurityHandler extends SecurityHandler implements Constr
protected void processConstraintMappingWithMethodOmissions (ConstraintMapping mapping, Map<String, RoleInfo> mappings)
{
String[] omissions = mapping.getMethodOmissions();
-
- for (String omission:omissions)
+ StringBuilder sb = new StringBuilder();
+ for (int i=0; i<omissions.length; i++)
{
- //for each method omission, see if there is already a RoleInfo for it in mappings
- RoleInfo ri = mappings.get(omission+OMISSION_SUFFIX);
- if (ri == null)
- {
- //if not, make one
- ri = new RoleInfo();
- mappings.put(omission+OMISSION_SUFFIX, ri);
- }
-
- //initialize RoleInfo or combine from ConstraintMapping
- configureRoleInfo(ri, mapping);
+ if (i > 0)
+ sb.append(".");
+ sb.append(omissions[i]);
}
+ sb.append(OMISSION_SUFFIX);
+
+ RoleInfo ri = new RoleInfo();
+ mappings.put(sb.toString(), ri);
+ configureRoleInfo(ri, mapping);
}
-
+
/* ------------------------------------------------------------ */
/**
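Review bot: The rebuilt tail of processConstraintMappingWithMethodOmissions always creates a fresh RoleInfo and overwrites whatever mappings already held under the same key, so a second constraint that declares the same omission list for the same path replaces the first instead of being merged into it; the removed lookup (`mappings.get(omission+OMISSION_SUFFIX)` followed by `configureRoleInfo`) handled that case, and the removed comment says configureRoleInfo combines, though its body is outside the hunk. Restoring the reuse of an existing entry before configuring it keeps the multi-omission path consistent with what was there before (below). Separately, if getMethodOmissions can return an empty array, the new code registers a key consisting of the bare suffix where the old loop registered nothing; that deserves a guard or at least a comment stating the caller guarantees a non-empty array.
```java
sb.append(OMISSION_SUFFIX);

String key = sb.toString();
// Reuse an entry already registered for this exact omission set so the
// constraints are combined rather than the earlier one being replaced.
RoleInfo ri = mappings.get(key);
if (ri == null)
{
    ri = new RoleInfo();
    mappings.put(key, ri);
}
configureRoleInfo(ri, mapping);
```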
@@ -630,7 +627,7 @@ public class ConstraintSecurityHandler extends SecurityHandler implements Constr
* <ol>
* <li>A mapping of an exact method name </li>
* <li>A mapping will null key that matches every method name</li>
- * <li>Mappings with keys of the form "method.omission" that indicates it will match every method name EXCEPT that given</li>
+ * <li>Mappings with keys of the form "&lt;method&gt;.&lt;method&gt;.&lt;method&gt;.omission" that indicates it will match every method name EXCEPT those given</li>
* </ol>
*
* @see org.eclipse.jetty.security.SecurityHandler#prepareConstraintInfo(java.lang.String, org.eclipse.jetty.server.Request)
@@ -659,7 +656,7 @@ public class ConstraintSecurityHandler extends SecurityHandler implements Constr
//(ie matches because target method is not omitted, hence considered covered by the constraint)
for (Entry<String, RoleInfo> entry: mappings.entrySet())
{
- if (entry.getKey() != null && entry.getKey().contains(OMISSION_SUFFIX) && !(httpMethod+OMISSION_SUFFIX).equals(entry.getKey()))
+ if (entry.getKey() != null && entry.getKey().endsWith(OMISSION_SUFFIX) && ! entry.getKey().contains(httpMethod))
applicableConstraints.add(entry.getValue());
}
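Review bot: The replacement condition on the added line treats the request method as a raw substring of the key, so any method token that is a substring of an omitted method name or of the suffix itself (for example a request method of `OS` against a `POST` omission key, or one equal to `omission` against every omission key) is counted as omitted and the constraint is not applied, whereas the dropped equality test could not be satisfied that way. Because the key is assembled with `.` between method names in the hunk at line 551, compare whole tokens instead: `!("." + entry.getKey()).contains("." + httpMethod + ".")`. That form assumes OMISSION_SUFFIX begins with the separator dot, as the `"method.omission"` key shape in the Javadoc hunk suggests, so that the last method name is delimited on both sides; confirm its value, which is outside the hunk. prepareConstraintInfo begins outside this hunk.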
