From c1b2eedadce864ba85e88bd37970a45b50f0aa3b Mon Sep 17 00:00:00 2001 From: Greg Wilkins Date: Tue, 17 Jan 2012 22:53:53 +1100 Subject: 368773 process data constraints without realm --- .../jetty/security/ConstraintSecurityHandler.java | 11 +- .../eclipse/jetty/security/SecurityHandler.java | 37 +++-- .../jetty/security/DataConstraintsTest.java | 178 +++++++++++++++++++++ 3 files changed, 214 insertions(+), 12 deletions(-) create mode 100644 jetty-security/src/test/java/org/eclipse/jetty/security/DataConstraintsTest.java (limited to 'jetty-security/src') diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintSecurityHandler.java b/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintSecurityHandler.java index 44280872b4..e6356026ce 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintSecurityHandler.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintSecurityHandler.java @@ -358,7 +358,7 @@ public class ConstraintSecurityHandler extends SecurityHandler implements Constr { if (connector.isIntegral(request)) return true; - if (connector.getConfidentialPort() > 0) + if (connector.getIntegralPort() > 0) { String url = connector.getIntegralScheme() + "://" + request.getServerName() + ":" + connector.getIntegralPort() + request.getRequestURI(); if (request.getQueryString() != null) @@ -440,6 +440,13 @@ public class ConstraintSecurityHandler extends SecurityHandler implements Constr public void dump(Appendable out,String indent) throws IOException { dumpThis(out); - dump(out,indent,TypeUtil.asList(getHandlers()),getBeans(),Collections.singleton(_roles),_constraintMap.entrySet()); + dump(out,indent, + Collections.singleton(getLoginService()), + Collections.singleton(getIdentityService()), + Collections.singleton(getAuthenticator()), + Collections.singleton(_roles), + _constraintMap.entrySet(), + getBeans(), + TypeUtil.asList(getHandlers())); } } diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java b/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java index 7e4232c579..da34f2d633 100644 --- a/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java +++ b/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java @@ -244,16 +244,19 @@ public abstract class SecurityHandler extends HandlerWrapper implements Authenti return _initParameters.put(key,value); } - /* ------------------------------------------------------------ */ protected LoginService findLoginService() { List list = getServer().getBeans(LoginService.class); - for (LoginService service : list) - if (service.getName()!=null && service.getName().equals(getRealmName())) - return service; - if (list.size()>0) + String realm=getRealmName(); + if (realm!=null) + { + for (LoginService service : list) + if (service.getName()!=null && service.getName().equals(realm)) + return service; + } + else if (list.size()==1) return list.get(0); return null; } @@ -414,7 +417,7 @@ public abstract class SecurityHandler extends HandlerWrapper implements Authenti final Authenticator authenticator = _authenticator; - if (authenticator!=null && checkSecurity(baseRequest)) + if (checkSecurity(baseRequest)) { Object constraintInfo = prepareConstraintInfo(pathInContext, baseRequest); @@ -433,13 +436,24 @@ public abstract class SecurityHandler extends HandlerWrapper implements Authenti boolean isAuthMandatory = isAuthMandatory(baseRequest, base_response, constraintInfo); + if (isAuthMandatory && authenticator==null) + { + LOG.warn("No authenticator for: "+constraintInfo); + if (!baseRequest.isHandled()) + { + response.sendError(Response.SC_FORBIDDEN); + baseRequest.setHandled(true); + } + return; + } + // check authentication Object previousIdentity = null; try { Authentication authentication = baseRequest.getAuthentication(); if (authentication==null || authentication==Authentication.NOT_CHECKED) - authentication=authenticator.validateRequest(request, response, isAuthMandatory); + authentication=authenticator==null?Authentication.UNAUTHENTICATED:authenticator.validateRequest(request, response, isAuthMandatory); if (authentication instanceof Authentication.Wrapped) { @@ -500,9 +514,11 @@ public abstract class SecurityHandler extends HandlerWrapper implements Authenti else { baseRequest.setAuthentication(authentication); - previousIdentity = _identityService.associate(null); + if (_identityService!=null) + previousIdentity = _identityService.associate(null); handler.handle(pathInContext, baseRequest, request, response); - authenticator.secureResponse(request, response, isAuthMandatory, null); + if (authenticator!=null) + authenticator.secureResponse(request, response, isAuthMandatory, null); } } catch (ServerAuthException e) @@ -513,7 +529,8 @@ public abstract class SecurityHandler extends HandlerWrapper implements Authenti } finally { - _identityService.disassociate(previousIdentity); + if (_identityService!=null) + _identityService.disassociate(previousIdentity); } } else diff --git a/jetty-security/src/test/java/org/eclipse/jetty/security/DataConstraintsTest.java b/jetty-security/src/test/java/org/eclipse/jetty/security/DataConstraintsTest.java new file mode 100644 index 0000000000..8b3ab58041 --- /dev/null +++ b/jetty-security/src/test/java/org/eclipse/jetty/security/DataConstraintsTest.java @@ -0,0 +1,178 @@ +// ======================================================================== +// Copyright (c) 2004-2009 Mort Bay Consulting Pty. Ltd. +// ------------------------------------------------------------------------ +// All rights reserved. This program and the accompanying materials +// are made available under the terms of the Eclipse Public License v1.0 +// and Apache License v2.0 which accompanies this distribution. +// The Eclipse Public License is available at +// http://www.eclipse.org/legal/epl-v10.html +// The Apache License v2.0 is available at +// http://www.opensource.org/licenses/apache2.0.php +// You may elect to redistribute this code under either of these licenses. +// ======================================================================== + +package org.eclipse.jetty.security; + +import static org.junit.Assert.assertThat; +import static org.junit.matchers.JUnitMatchers.containsString; + +import java.io.IOException; +import java.util.Arrays; + +import javax.servlet.ServletException; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.eclipse.jetty.http.HttpSchemes; +import org.eclipse.jetty.io.EndPoint; +import org.eclipse.jetty.server.Connector; +import org.eclipse.jetty.server.LocalConnector; +import org.eclipse.jetty.server.Request; +import org.eclipse.jetty.server.Server; +import org.eclipse.jetty.server.handler.AbstractHandler; +import org.eclipse.jetty.server.handler.ContextHandler; +import org.eclipse.jetty.server.session.SessionHandler; +import org.eclipse.jetty.util.security.Constraint; +import org.junit.After; +import org.junit.Before; +import org.junit.Test; + +/** + * @version $Revision: 1441 $ $Date: 2010-04-02 12:28:17 +0200 (Fri, 02 Apr 2010) $ + */ +public class DataConstraintsTest +{ + private Server _server; + private LocalConnector _connector; + private LocalConnector _connectorS; + private SessionHandler _session; + private ConstraintSecurityHandler _security; + + @Before + public void startServer() + { + _server = new Server(); + _connector = new LocalConnector(); + _connector.setIntegralPort(9998); + _connector.setIntegralScheme("FTP"); + _connector.setConfidentialPort(9999); + _connector.setConfidentialScheme("SPDY"); + _connectorS = new LocalConnector() + { + @Override + public void customize(EndPoint endpoint, Request request) throws IOException + { + super.customize(endpoint,request); + request.setScheme(HttpSchemes.HTTPS); + } + + @Override + public boolean isIntegral(Request request) + { + return true; + } + + @Override + public boolean isConfidential(Request request) + { + return true; + } + }; + _server.setConnectors(new Connector[]{_connector,_connectorS}); + + ContextHandler _context = new ContextHandler(); + _session = new SessionHandler(); + + _context.setContextPath("/ctx"); + _server.setHandler(_context); + _context.setHandler(_session); + + _security = new ConstraintSecurityHandler(); + _session.setHandler(_security); + + _security.setHandler(new AbstractHandler() + { + public void handle(String target, Request baseRequest, HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException + { + baseRequest.setHandled(true); + response.sendError(404); + } + }); + + } + + @After + public void stopServer() throws Exception + { + if (_server.isRunning()) + { + _server.stop(); + _server.join(); + } + } + + @Test + public void testIntegral() throws Exception + { + Constraint constraint0 = new Constraint(); + constraint0.setAuthenticate(false); + constraint0.setName("integral"); + constraint0.setDataConstraint(Constraint.DC_INTEGRAL); + ConstraintMapping mapping0 = new ConstraintMapping(); + mapping0.setPathSpec("/integral/*"); + mapping0.setConstraint(constraint0); + + _security.setConstraintMappings(Arrays.asList(new ConstraintMapping[] + { + mapping0 + })); + + _server.start(); + + String response; + response = _connector.getResponses("GET /ctx/some/thing HTTP/1.0\r\n\r\n"); + assertThat(response, containsString("HTTP/1.1 404 Not Found")); + + response = _connector.getResponses("GET /ctx/integral/info HTTP/1.0\r\n\r\n"); + assertThat(response, containsString("HTTP/1.1 302 Found")); + assertThat(response, containsString("Location: FTP://")); + assertThat(response, containsString(":9998")); + + response = _connectorS.getResponses("GET /ctx/integral/info HTTP/1.0\r\n\r\n"); + assertThat(response, containsString("HTTP/1.1 404 Not Found")); + + } + + @Test + public void testConfidential() throws Exception + { + Constraint constraint0 = new Constraint(); + constraint0.setAuthenticate(false); + constraint0.setName("confid"); + constraint0.setDataConstraint(Constraint.DC_CONFIDENTIAL); + ConstraintMapping mapping0 = new ConstraintMapping(); + mapping0.setPathSpec("/confid/*"); + mapping0.setConstraint(constraint0); + + _security.setConstraintMappings(Arrays.asList(new ConstraintMapping[] + { + mapping0 + })); + + _server.start(); + + String response; + response = _connector.getResponses("GET /ctx/some/thing HTTP/1.0\r\n\r\n"); + assertThat(response, containsString("HTTP/1.1 404 Not Found")); + + response = _connector.getResponses("GET /ctx/confid/info HTTP/1.0\r\n\r\n"); + assertThat(response, containsString("HTTP/1.1 302 Found")); + assertThat(response, containsString("Location: SPDY://")); + assertThat(response, containsString(":9999")); + + response = _connectorS.getResponses("GET /ctx/confid/info HTTP/1.0\r\n\r\n"); + assertThat(response, containsString("HTTP/1.1 404 Not Found")); + + } + +} -- cgit v1.2.3