Diffstat (limited to 'jetty-security')
13 files changed, 31 insertions, 221 deletions
diff --git a/jetty-security/pom.xml b/jetty-security/pom.xml
index 962f135f7c..838749b24f 100644
--- a/jetty-security/pom.xml
+++ b/jetty-security/pom.xml
@@ -2,7 +2,7 @@
 <parent>
 <groupId>org.eclipse.jetty</groupId>
 <artifactId>jetty-project</artifactId>
- <version>9.2.8-SNAPSHOT</version>
+ <version>9.3.0-SNAPSHOT</version>
 </parent>
 <modelVersion>4.0.0</modelVersion>
 <artifactId>jetty-security</artifactId>
@@ -33,35 +33,6 @@
 </executions>
 </plugin>
 <plugin>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-assembly-plugin</artifactId>
- <executions>
- <execution>
- <phase>package</phase>
- <goals>
- <goal>single</goal>
- </goals>
- <configuration>
- <descriptorRefs>
- <descriptorRef>config</descriptorRef>
- </descriptorRefs>
- </configuration>
- </execution>
- </executions>
- </plugin>
- <plugin>
- <!--
- Required for OSGI
- -->
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-jar-plugin</artifactId>
- <configuration>
- <archive>
- <manifestFile>${project.build.outputDirectory}/META-INF/MANIFEST.MF</manifestFile>
- </archive>
- </configuration>
- </plugin>
- <plugin>
 <groupId>org.codehaus.mojo</groupId>
 <artifactId>findbugs-maven-plugin</artifactId>
 <configuration>
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintSecurityHandler.java b/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintSecurityHandler.java
index 28b2f59b5c..f15e20113b 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintSecurityHandler.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintSecurityHandler.java
@@ -675,7 +675,7 @@ public class ConstraintSecurityHandler extends SecurityHandler implements Constr
 if (dataConstraint == null || dataConstraint == UserDataConstraint.None)
 return true;
- HttpConfiguration httpConfig = HttpChannel.getCurrentHttpChannel().getHttpConfiguration();
+ HttpConfiguration httpConfig = Request.getBaseRequest(request).getHttpChannel().getHttpConfiguration();
 if (dataConstraint == UserDataConstraint.Confidential || dataConstraint == UserDataConstraint.Integral)
 {
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/CrossContextPsuedoSession.java b/jetty-security/src/main/java/org/eclipse/jetty/security/CrossContextPsuedoSession.java
deleted file mode 100644
index 711a8e884f..0000000000
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/CrossContextPsuedoSession.java
+++ /dev/null
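Review bot: The added line dereferences `Request.getBaseRequest(request)` with no null check; if that lookup can return null for a request that is not a Jetty `Request` or a wrapper around one (its contract is not visible in this hunk), the data-constraint check would die with an NPE rather than a clear error. The old `HttpChannel.getCurrentHttpChannel()` path carried the same shape of risk, so this is not a regression, and an NPE here is at least fail-closed, but now that the method is explicitly request-driven the assumption should be stated: `Request base = Request.getBaseRequest(request); if (base == null) throw new IllegalStateException("not a Jetty Request: " + request.getClass());` before reading the HttpConfiguration. The enclosing method begins and ends outside the hunk.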
@@ -1,37 +0,0 @@ -// -// ======================================================================== -// Copyright (c) 1995-2015 Mort Bay Consulting Pty. Ltd. -// ------------------------------------------------------------------------ -// All rights reserved. This program and the accompanying materials -// are made available under the terms of the Eclipse Public License v1.0 -// and Apache License v2.0 which accompanies this distribution. -// -// The Eclipse Public License is available at -// http://www.eclipse.org/legal/epl-v10.html -// -// The Apache License v2.0 is available at -// http://www.opensource.org/licenses/apache2.0.php -// -// You may elect to redistribute this code under either of these licenses. -// ======================================================================== -// - -package org.eclipse.jetty.security; - -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; - -/** - * @version $Rev: 4466 $ $Date: 2009-02-10 23:42:54 +0100 (Tue, 10 Feb 2009) $ - * @deprecated - */ -public interface CrossContextPsuedoSession<T> -{ - - T fetch(HttpServletRequest request); - - void store(T data, HttpServletResponse response); - - void clear(HttpServletRequest request); - -} diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/HashCrossContextPsuedoSession.java b/jetty-security/src/main/java/org/eclipse/jetty/security/HashCrossContextPsuedoSession.java deleted file mode 100644 index 61d8e3329e..0000000000 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/HashCrossContextPsuedoSession.java +++ /dev/null 
@@ -1,100 +0,0 @@ -// -// ======================================================================== -// Copyright (c) 1995-2015 Mort Bay Consulting Pty. Ltd. -// ------------------------------------------------------------------------ -// All rights reserved. This program and the accompanying materials -// are made available under the terms of the Eclipse Public License v1.0 -// and Apache License v2.0 which accompanies this distribution. -// -// The Eclipse Public License is available at -// http://www.eclipse.org/legal/epl-v10.html -// -// The Apache License v2.0 is available at -// http://www.opensource.org/licenses/apache2.0.php -// -// You may elect to redistribute this code under either of these licenses. -// ======================================================================== -// - -package org.eclipse.jetty.security; - -import java.security.SecureRandom; -import java.util.HashMap; -import java.util.Map; -import java.util.Random; - -import javax.servlet.http.Cookie; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; - -/** - * @version $Rev: 4660 $ $Date: 2009-02-25 17:29:53 +0100 (Wed, 25 Feb 2009) $ - * @deprecated - */ -public class HashCrossContextPsuedoSession<T> implements CrossContextPsuedoSession<T> -{ - private final String _cookieName; - - private final String _cookiePath; - - private final Random _random = new SecureRandom(); - - private final Map<String, T> _data = new HashMap<String, T>(); - - public HashCrossContextPsuedoSession(String cookieName, String cookiePath) - { - this._cookieName = cookieName; - this._cookiePath = cookiePath == null ? 
"/" : cookiePath; - } - - public T fetch(HttpServletRequest request) - { - Cookie[] cookies = request.getCookies(); - if (cookies == null) - return null; - - for (Cookie cookie : cookies) - { - if (_cookieName.equals(cookie.getName())) - { - String key = cookie.getValue(); - return _data.get(key); - } - } - return null; - } - - public void store(T datum, HttpServletResponse response) - { - String key; - - synchronized (_data) - { - // Create new ID - while (true) - { - key = Long.toString(Math.abs(_random.nextLong()), 30 + (int) (System.currentTimeMillis() % 7)); - if (!_data.containsKey(key)) break; - } - - _data.put(key, datum); - } - - Cookie cookie = new Cookie(_cookieName, key); - cookie.setPath(_cookiePath); - response.addCookie(cookie); - } - - public void clear(HttpServletRequest request) - { - for (Cookie cookie : request.getCookies()) - { - if (_cookieName.equals(cookie.getName())) - { - String key = cookie.getValue(); - _data.remove(key); - break; - } - } - } -} diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/JDBCLoginService.java b/jetty-security/src/main/java/org/eclipse/jetty/security/JDBCLoginService.java index d0cd9905e7..089b894911 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/JDBCLoginService.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/JDBCLoginService.java @@ -29,6 +29,8 @@ import java.util.ArrayList; import java.util.List; import java.util.Properties; +import javax.servlet.ServletRequest; + import org.eclipse.jetty.server.UserIdentity; import org.eclipse.jetty.util.Loader; import org.eclipse.jetty.util.log.Log; 
@@ -209,7 +211,7 @@ public class JDBCLoginService extends MappedLoginService
 /* ------------------------------------------------------------ */
 @Override
- public UserIdentity login(String username, Object credentials)
+ public UserIdentity login(String username, Object credentials, ServletRequest request)
 {
 long now = System.currentTimeMillis();
 if (now - _lastHashPurge > _cacheTime || _cacheTime == 0)
@@ -219,7 +221,7 @@ public class JDBCLoginService extends MappedLoginService
 closeConnection();
 }
- return super.login(username,credentials);
+ return super.login(username,credentials, request);
 }
 /* ------------------------------------------------------------ */
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/LoginService.java b/jetty-security/src/main/java/org/eclipse/jetty/security/LoginService.java
index 653f7c69fc..e481ca97d4 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/LoginService.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/LoginService.java
@@ -18,6 +18,8 @@
 package org.eclipse.jetty.security;
+import javax.servlet.ServletRequest;
+
 import org.eclipse.jetty.server.UserIdentity;
@@ -42,14 +44,15 @@ public interface LoginService
 /** Login a user.
 * @param username The user name
 * @param credentials The users credentials
+ * @param request TODO
 * @return A UserIdentity if the credentials matched, otherwise null
 */
- UserIdentity login(String username,Object credentials);
+ UserIdentity login(String username,Object credentials, ServletRequest request);
 /* ------------------------------------------------------------ */
 /** Validate a user identity.
 * Validate that a UserIdentity previously created by a call
- * to {@link #login(String, Object)} is still valid.
+ * to {@link #login(String, Object, ServletRequest)} is still valid.
 * @param user The user to validate
 * @return true if authentication has not been revoked for the user.
 */
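Review bot: The new `@param request TODO` on the `LoginService.login` Javadoc leaves unspecified the one thing implementors of this security interface need to know: whether `request` can be null. In this same change `SessionAuthentication` re-logs a deserialized user with `login(_name, _credentials, null)`, so every `LoginService` implementation must tolerate a null request, and any implementation that consults it (client address, headers, TLS state) must degrade safely on session restore rather than NPE. Suggest replacing the placeholder with `@param request The request that triggered the login, or null when re-authenticating a deserialized session; implementations must not require it`. `JDBCLoginService.login` in the hunks above simply forwards the parameter, which is consistent with that contract.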
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/MappedLoginService.java b/jetty-security/src/main/java/org/eclipse/jetty/security/MappedLoginService.java
index 752fd26a46..70b4c95329 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/MappedLoginService.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/MappedLoginService.java
@@ -27,6 +27,7 @@ import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.ConcurrentMap;
 import javax.security.auth.Subject;
+import javax.servlet.ServletRequest;
 import org.eclipse.jetty.server.UserIdentity;
 import org.eclipse.jetty.util.component.AbstractLifeCycle;
@@ -208,9 +209,9 @@ public abstract class MappedLoginService extends AbstractLifeCycle implements Lo
 /* ------------------------------------------------------------ */
 /**
- * @see org.eclipse.jetty.security.LoginService#login(java.lang.String, java.lang.Object)
+ * @see org.eclipse.jetty.security.LoginService#login(java.lang.String, java.lang.Object, ServletRequest)
 */
- public UserIdentity login(String username, Object credentials)
+ public UserIdentity login(String username, Object credentials, ServletRequest request)
 {
 if (username == null)
 return null;
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java b/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java
index 8462f7e488..ffd4db6939 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java
@@ -309,33 +309,6 @@ public abstract class SecurityHandler extends HandlerWrapper implements Authenti
 getInitParameter(name)==null)
 setInitParameter(name,context.getInitParameter(name));
 }
-
- //register a session listener to handle securing sessions when authentication is performed
- context.getContextHandler().addEventListener(new HttpSessionListener()
- {
- @Override
- public void sessionDestroyed(HttpSessionEvent se)
- {
- }
-
- @Override
- public void sessionCreated(HttpSessionEvent se)
- {
- //if current request is authenticated, then as we have just created the session, mark it as secure, as it has not yet been returned to a user
- HttpChannel<?> channel = HttpChannel.getCurrentHttpChannel();
-
- if (channel == null)
- return;
- Request request = channel.getRequest();
- if (request == null)
- return;
-
- if (request.isSecure())
- {
- se.getSession().setAttribute(AbstractSession.SESSION_KNOWN_ONLY_TO_AUTHENTICATED, Boolean.TRUE);
- }
- }
- });
 }
 // complicated resolution of login and identity service to handle
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoLoginService.java b/jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoLoginService.java
index cc59b47ebe..3614ab5559 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoLoginService.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/SpnegoLoginService.java
@@ -21,6 +21,7 @@ package org.eclipse.jetty.security;
 import java.util.Properties;
 import javax.security.auth.Subject;
+import javax.servlet.ServletRequest;
 import org.eclipse.jetty.server.UserIdentity;
 import org.eclipse.jetty.util.B64Code;
@@ -112,7 +113,7 @@ public class SpnegoLoginService extends AbstractLifeCycle implements LoginServic
 * username will be null since the credentials will contain all the relevant info
 */
 @Override
- public UserIdentity login(String username, Object credentials)
+ public UserIdentity login(String username, Object credentials, ServletRequest request)
 {
 String encodedAuthToken = (String)credentials;
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java
index 302f6517bd..a0c71fd31f 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java
@@ -235,9 +235,8 @@ public class FormAuthenticator extends LoginAuthenticator
 //restore the original request's method on this request
 if (LOG.isDebugEnabled())
 LOG.debug("Restoring original method {} for {} with method {}", method, juri,httpRequest.getMethod());
- Request base_request = HttpChannel.getCurrentHttpChannel().getRequest();
- HttpMethod m = HttpMethod.fromString(method);
- base_request.setMethod(m,m.asString());
+ Request base_request = Request.getBaseRequest(request);
+ base_request.setMethod(method);
 }
 /* ------------------------------------------------------------ */
@@ -246,6 +245,9 @@ public class FormAuthenticator extends LoginAuthenticator
 {
 HttpServletRequest request = (HttpServletRequest)req;
 HttpServletResponse response = (HttpServletResponse)res;
+ Request base_request = Request.getBaseRequest(request);
+ Response base_response = base_request.getResponse();
+
 String uri = request.getRequestURI();
 if (uri==null)
 uri=URIUtil.SLASH;
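Review bot: In the `validateRequest` hunk, `base_request` and `base_response` are now resolved unconditionally at the top of the method and `base_request.getResponse()` is called immediately, so a request that is not a Jetty `Request` or a wrapper around one would NPE before any branch runs, whereas the code this replaces (line 393 in the next hunk) guarded with `req instanceof Request` and only needed the base request in specific branches. If `Request.getBaseRequest` can return null for a foreign wrapper — its contract is not visible here — add an explicit guard after the lookup, e.g. `if (base_request == null) throw new IllegalStateException("FormAuthenticator requires a Jetty Request");`, so the failure mode is deliberate rather than an NPE. In the method-restore hunk, `base_request.setMethod(method)` now accepts whatever string was stored in the session without the `HttpMethod.fromString` round trip; the value appears to be the server's own record of the original request's method, which is fine, but a one-line comment stating that the stored method is server-set and not client-controlled would spare the next reader the same question. `validateRequest` continues past the end of the hunk.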
@@ -290,8 +292,6 @@ public class FormAuthenticator extends LoginAuthenticator
 LOG.debug("authenticated {}->{}",form_auth,nuri);
 response.setContentLength(0);
- Response base_response = HttpChannel.getCurrentHttpChannel().getResponse();
- Request base_request = HttpChannel.getCurrentHttpChannel().getRequest();
 int redirectCode = (base_request.getHttpVersion().getVersion() < HttpVersion.HTTP_1_1.getVersion() ? HttpServletResponse.SC_MOVED_TEMPORARILY : HttpServletResponse.SC_SEE_OTHER);
 base_response.sendRedirect(redirectCode, response.encodeRedirectURL(nuri));
 return form_auth;
@@ -317,8 +317,6 @@ public class FormAuthenticator extends LoginAuthenticator
 else
 {
 LOG.debug("auth failed {}->{}",username,_formErrorPage);
- Response base_response = HttpChannel.getCurrentHttpChannel().getResponse();
- Request base_request = HttpChannel.getCurrentHttpChannel().getRequest();
 int redirectCode = (base_request.getHttpVersion().getVersion() < HttpVersion.HTTP_1_1.getVersion() ? HttpServletResponse.SC_MOVED_TEMPORARILY : HttpServletResponse.SC_SEE_OTHER);
 base_response.sendRedirect(redirectCode, response.encodeRedirectURL(URIUtil.addPaths(request.getContextPath(),_formErrorPage)));
 }
@@ -358,7 +356,6 @@ public class FormAuthenticator extends LoginAuthenticator
 if (j_post!=null)
 {
 LOG.debug("auth rePOST {}->{}",authentication,j_uri);
- Request base_request = HttpChannel.getCurrentHttpChannel().getRequest();
 base_request.setContentParameters(j_post);
 }
 session.removeAttribute(__J_URI);
@@ -393,7 +390,6 @@ public class FormAuthenticator extends LoginAuthenticator
 if (MimeTypes.Type.FORM_ENCODED.is(req.getContentType()) && HttpMethod.POST.is(request.getMethod()))
 {
- Request base_request = (req instanceof Request)?(Request)req:HttpChannel.getCurrentHttpChannel().getRequest();
 MultiMap<String> formParameters = new MultiMap<>();
 base_request.extractFormParameters(formParameters);
 session.setAttribute(__J_POST, formParameters);
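Review bot: The same redirect-code computation is repeated verbatim in the hunks at lines 292 and 317 (and again at 409 below): `int redirectCode = (base_request.getHttpVersion().getVersion() < HttpVersion.HTTP_1_1.getVersion() ? HttpServletResponse.SC_MOVED_TEMPORARILY : HttpServletResponse.SC_SEE_OTHER);` followed by `base_response.sendRedirect(redirectCode, response.encodeRedirectURL(...))`. Now that `base_request` and `base_response` are method-scoped, a small private helper would make the HTTP/1.0-versus-1.1 status choice a single documented decision instead of three copies that can drift. The hunks all lie inside `validateRequest`, which starts and ends outside them, so the helper would sit alongside it in the class.
```java
// … unchanged: validateRequest body, each redirect replaced by a call such as
//   sendRedirect(base_request, base_response, response, nuri); …

/** Redirects with 303 on HTTP/1.1+; HTTP/1.0 clients have no 303, so they get 302. */
private void sendRedirect(Request base_request, Response base_response, HttpServletResponse response, String target) throws IOException
{
    int redirectCode = (base_request.getHttpVersion().getVersion() < HttpVersion.HTTP_1_1.getVersion() ? HttpServletResponse.SC_MOVED_TEMPORARILY : HttpServletResponse.SC_SEE_OTHER);
    base_response.sendRedirect(redirectCode, response.encodeRedirectURL(target));
}
```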
@@ -413,8 +409,6 @@ public class FormAuthenticator extends LoginAuthenticator
 else
 {
 LOG.debug("challenge {}->{}",session.getId(),_formLoginPage);
- Response base_response = HttpChannel.getCurrentHttpChannel().getResponse();
- Request base_request = HttpChannel.getCurrentHttpChannel().getRequest();
 int redirectCode = (base_request.getHttpVersion().getVersion() < HttpVersion.HTTP_1_1.getVersion() ? HttpServletResponse.SC_MOVED_TEMPORARILY : HttpServletResponse.SC_SEE_OTHER);
 base_response.sendRedirect(redirectCode, response.encodeRedirectURL(URIUtil.addPaths(request.getContextPath(),_formLoginPage)));
 }
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginAuthenticator.java
index 0f2e09732b..ea559ff6c7 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginAuthenticator.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginAuthenticator.java
@@ -58,7 +58,7 @@ public abstract class LoginAuthenticator implements Authenticator
 /* ------------------------------------------------------------ */
 public UserIdentity login(String username, Object password, ServletRequest request)
 {
- UserIdentity user = _loginService.login(username,password);
+ UserIdentity user = _loginService.login(username,password, request);
 if (user!=null)
 {
 renewSession((HttpServletRequest)request, (request instanceof Request? ((Request)request).getResponse() : null));
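Review bot: The `renewSession` call in the `LoginAuthenticator.login` hunk still derives the response with `request instanceof Request ? ((Request)request).getResponse() : null`, so when `login` is reached through a wrapped request the response is null and, per the `response != null` test inside `renewSession` in the next hunk, the renewed session id is never written back as a cookie. The client would then keep presenting the old id while the server-side id has changed, which presumably drops the freshly authenticated session on the next request and in any case undercuts the session-fixation defence this renewal exists for. The rest of this commit already moved to `Request.getBaseRequest(...)`, so be consistent here: `Request base = Request.getBaseRequest(request); renewSession((HttpServletRequest)request, base == null ? null : base.getResponse());`. The `login` method continues past the end of the hunk; the challenge hunk above is unchanged in behaviour.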
@@ -109,14 +109,14 @@ public abstract class LoginAuthenticator implements Authenticator
 {
 //if we should renew sessions, and there is an existing session that may have been seen by non-authenticated users
 //(indicated by SESSION_SECURED not being set on the session) then we should change id
- if (httpSession.getAttribute(AbstractSession.SESSION_KNOWN_ONLY_TO_AUTHENTICATED)!=Boolean.TRUE)
+ if (httpSession.getAttribute(AbstractSession.SESSION_CREATED_SECURE)!=Boolean.TRUE)
 {
 if (httpSession instanceof AbstractSession)
 {
 AbstractSession abstractSession = (AbstractSession)httpSession;
 String oldId = abstractSession.getId();
 abstractSession.renewId(request);
- abstractSession.setAttribute(AbstractSession.SESSION_KNOWN_ONLY_TO_AUTHENTICATED, Boolean.TRUE);
+ abstractSession.setAttribute(AbstractSession.SESSION_CREATED_SECURE, Boolean.TRUE);
 if (abstractSession.isIdChanged() && response != null && (response instanceof Response))
 ((Response)response).addCookie(abstractSession.getSessionManager().getSessionCookie(abstractSession, request.getContextPath(), request.isSecure()));
 LOG.debug("renew {}->{}",oldId,abstractSession.getId());
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SessionAuthentication.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SessionAuthentication.java
index ddc1732d55..3a7c006b51 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SessionAuthentication.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SessionAuthentication.java
@@ -71,7 +71,7 @@ public class SessionAuthentication extends AbstractUserAuthentication implements
 if (login_service==null)
 throw new IllegalStateException("!LoginService");
- _userIdentity=login_service.login(_name,_credentials);
+ _userIdentity=login_service.login(_name,_credentials, null);
 LOG.debug("Deserialized and relogged in {}",this);
 }
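Review bot: `renewSession` now skips the id change whenever `SESSION_CREATED_SECURE` is already TRUE, but the comment above the check still describes the condition in terms of the old `SESSION_SECURED` / "seen by non-authenticated users" attribute, and with the `SecurityHandler` session listener deleted in this commit nothing in jetty-security sets `SESSION_CREATED_SECURE` before login any more. Whoever does set it (not visible here) now decides the session-fixation posture: if it is set for any session merely created over TLS, a pre-authentication session obtained over HTTPS would keep its id across login and the renewal protection would not apply, so please confirm the setter honours the narrower meaning. Update the comment to state the actual contract, e.g. `//SESSION_CREATED_SECURE means the id has not been exposed to an unauthenticated client, so renewal is unnecessary`. The `SessionAuthentication` hunk below passes `null` as the request on deserialization, which every `LoginService` implementation must tolerate; `renewSession` starts and ends outside this hunk.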
@@ -89,7 +89,7 @@ public class SessionAuthentication extends AbstractUserAuthentication implements
 if (security!=null)
 security.logout(this);
 if (_session!=null)
- _session.removeAttribute(AbstractSession.SESSION_KNOWN_ONLY_TO_AUTHENTICATED);
+ _session.removeAttribute(AbstractSession.SESSION_CREATED_SECURE);
 }
 @Override
diff --git a/jetty-security/src/test/java/org/eclipse/jetty/security/DataConstraintsTest.java b/jetty-security/src/test/java/org/eclipse/jetty/security/DataConstraintsTest.java
index aec891a6ea..77f4dd9475 100644
--- a/jetty-security/src/test/java/org/eclipse/jetty/security/DataConstraintsTest.java
+++ b/jetty-security/src/test/java/org/eclipse/jetty/security/DataConstraintsTest.java
@@ -20,7 +20,9 @@ package org.eclipse.jetty.security;
 import java.io.IOException;
 import java.util.Arrays;
+
 import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
@@ -375,10 +377,10 @@ public class DataConstraintsTest
 response = _connectorS.getResponses("GET /ctx/restricted/info HTTP/1.0\r\n\r\n");
 Assert.assertThat(response, Matchers.containsString("HTTP/1.1 403 Forbidden"));
- response = _connector.getResponses("GET /ctx/restricted/info HTTP/1.0\r\n Authorization: Basic YWRtaW46cGFzc3dvcmQ=\r\n\r\n");
+ response = _connector.getResponses("GET /ctx/restricted/info HTTP/1.0\r\nAuthorization: Basic YWRtaW46cGFzc3dvcmQ=\r\n\r\n");
 Assert.assertThat(response, Matchers.containsString("HTTP/1.1 403 Forbidden"));
- response = _connectorS.getResponses("GET /ctx/restricted/info HTTP/1.0\r\n Authorization: Basic YWRtaW46cGFzc3dvcmQ=\r\n\r\n");
+ response = _connectorS.getResponses("GET /ctx/restricted/info HTTP/1.0\r\nAuthorization: Basic YWRtaW46cGFzc3dvcmQ=\r\n\r\n");
 Assert.assertThat(response, Matchers.containsString("HTTP/1.1 403 Forbidden"));
 }
@@ -436,7 +438,7 @@ public class DataConstraintsTest } @Override - public UserIdentity login(String username, Object credentials) + public UserIdentity login(String username, Object credentials, ServletRequest request) { if("admin".equals(username) && "password".equals(credentials)) return new DefaultUserIdentity(null,null,new String[] { "admin" } ); |