Class ConstraintSecurityHandler

All Implemented Interfaces:
Authenticator.AuthConfiguration, ConstraintAware, Handler, HandlerContainer, Container, Destroyable, Dumpable, Dumpable.DumpableContainer, LifeCycle

public class ConstraintSecurityHandler extends SecurityHandler implements ConstraintAware
ConstraintSecurityHandler

Handler to enforce SecurityConstraints. This implementation is servlet spec 3.1 compliant and pre-computes the constraint combinations for runtime efficiency.

  • Constructor Details

    • ConstraintSecurityHandler

      public ConstraintSecurityHandler()
  • Method Details

    • createConstraint

      public static Constraint createConstraint()
    • createConstraint

      public static Constraint createConstraint(Constraint constraint)
    • createConstraint

      public static Constraint createConstraint(String name, boolean authenticate, String[] roles, int dataConstraint)
      Create a security constraint
      Parameters:
      name - the name of the constraint
      authenticate - true to authenticate
      roles - list of roles
      dataConstraint - the data constraint
      Returns:
      the constraint
    • createConstraint

      public static Constraint createConstraint(String name, jakarta.servlet.HttpConstraintElement element)
      Create a Constraint
      Parameters:
      name - the name
      element - the http constraint element
      Returns:
      the created constraint
    • createConstraint

      public static Constraint createConstraint(String name, String[] rolesAllowed, jakarta.servlet.annotation.ServletSecurity.EmptyRoleSemantic permitOrDeny, jakarta.servlet.annotation.ServletSecurity.TransportGuarantee transport)
      Create Constraint
      Parameters:
      name - the name
      rolesAllowed - the list of allowed roles
      permitOrDeny - the permission semantic
      transport - the transport guarantee
      Returns:
      the created constraint
    • getConstraintMappingsForPath

      public static List<ConstraintMapping> getConstraintMappingsForPath(String pathSpec, List<ConstraintMapping> constraintMappings)
    • removeConstraintMappingsForPath

      public static List<ConstraintMapping> removeConstraintMappingsForPath(String pathSpec, List<ConstraintMapping> constraintMappings)
      Take out of the constraint mappings those that match the given path.
      Parameters:
      pathSpec - the path spec
      constraintMappings - a new list minus the matching constraints
      Returns:
      the list of constraint mappings
    • createConstraintsWithMappingsForPath

      public static List<ConstraintMapping> createConstraintsWithMappingsForPath(String name, String pathSpec, jakarta.servlet.ServletSecurityElement securityElement)
      Generate Constraints and ContraintMappings for the given url pattern and ServletSecurityElement
      Parameters:
      name - the name
      pathSpec - the path spec
      securityElement - the servlet security element
      Returns:
      the list of constraint mappings
    • getConstraintMappings

      public List<ConstraintMapping> getConstraintMappings()
      Specified by:
      getConstraintMappings in interface ConstraintAware
    • getRoles

      public Set<String> getRoles()
      Specified by:
      getRoles in interface ConstraintAware
    • setConstraintMappings

      public void setConstraintMappings(List<ConstraintMapping> constraintMappings)
      Process the constraints following the combining rules in Servlet 3.0 EA spec section 13.7.1 Note that much of the logic is in the RoleInfo class.
      Parameters:
      constraintMappings - The constraintMappings to set, from which the set of known roles is determined.
    • setConstraintMappings

      public void setConstraintMappings(ConstraintMapping[] constraintMappings)
      Process the constraints following the combining rules in Servlet 3.0 EA spec section 13.7.1 Note that much of the logic is in the RoleInfo class.
      Parameters:
      constraintMappings - The constraintMappings to set as array, from which the set of known roles is determined. Needed to retain API compatibility for 7.x
    • setConstraintMappings

      public void setConstraintMappings(List<ConstraintMapping> constraintMappings, Set<String> roles)
      Process the constraints following the combining rules in Servlet 3.0 EA spec section 13.7.1 Note that much of the logic is in the RoleInfo class.
      Specified by:
      setConstraintMappings in interface ConstraintAware
      Parameters:
      constraintMappings - The constraintMappings to set.
      roles - The known roles (or null to determine them from the mappings)
    • setRoles

      public void setRoles(Set<String> roles)
      Set the known roles. This may be overridden by a subsequent call to setConstraintMappings(ConstraintMapping[]) or setConstraintMappings(List, Set).
      Parameters:
      roles - The known roles (or null to determine them from the mappings)
    • addConstraintMapping

      public void addConstraintMapping(ConstraintMapping mapping)
      Description copied from interface: ConstraintAware
      Add a Constraint Mapping. May be called for running webapplication as an annotated servlet is instantiated.
      Specified by:
      addConstraintMapping in interface ConstraintAware
      Parameters:
      mapping - the mapping
    • addRole

      public void addRole(String role)
      Description copied from interface: ConstraintAware
      Add a Role definition. May be called on running webapplication as an annotated servlet is instantiated.
      Specified by:
      addRole in interface ConstraintAware
      Parameters:
      role - the role
    • doStart

      protected void doStart() throws Exception
      Description copied from class: ContainerLifeCycle
      Starts the managed lifecycle beans in the order they were added.
      Overrides:
      doStart in class SecurityHandler
      Throws:
      AbstractLifeCycle.StopException - If thrown, the lifecycle will immediately be stopped.
      Exception - If there was a problem starting. Will cause a transition to FAILED state
    • doStop

      protected void doStop() throws Exception
      Description copied from class: ContainerLifeCycle
      Stops the managed lifecycle beans in the reverse order they were added.
      Overrides:
      doStop in class SecurityHandler
      Throws:
      Exception - If there was a problem stopping. Will cause a transition to FAILED state
    • processConstraintMapping

      protected void processConstraintMapping(ConstraintMapping mapping)
      Create and combine the constraint with the existing processed constraints.
      Parameters:
      mapping - the constraint mapping
    • asPathSpec

      protected PathSpec asPathSpec(ConstraintMapping mapping)
    • processConstraintMappingWithMethodOmissions

      protected void processConstraintMappingWithMethodOmissions(ConstraintMapping mapping, Map<String,RoleInfo> mappings)
      Constraints that name method omissions are dealt with differently. We create an entry in the mappings with key "<method>.omission". This entry is only ever combined with other omissions for the same method to produce a consolidated RoleInfo. Then, when we wish to find the relevant constraints for a given Request (in prepareConstraintInfo()), we consult 3 types of entries in the mappings: an entry that names the method of the Request specifically, an entry that names constraints that apply to all methods, entries of the form <method>.omission, where the method of the Request is not named in the omission.
      Parameters:
      mapping - the constraint mapping
      mappings - the mappings of roles
    • configureRoleInfo

      protected void configureRoleInfo(RoleInfo ri, ConstraintMapping mapping)
      Initialize or update the RoleInfo from the constraint
      Parameters:
      ri - the role info
      mapping - the constraint mapping
    • prepareConstraintInfo

      protected RoleInfo prepareConstraintInfo(String pathInContext, Request request)
      Find constraints that apply to the given path. In order to do this, we consult 3 different types of information stored in the mappings for each path - each mapping represents a merged set of user data constraints, roles etc -:
      1. A mapping of an exact method name
      2. A mapping with key * that matches every method name
      3. Mappings with keys of the form "<method>.<method>.<method>.omission" that indicates it will match every method name EXCEPT those given
      Specified by:
      prepareConstraintInfo in class SecurityHandler
      See Also:
    • checkUserDataPermissions

      protected boolean checkUserDataPermissions(String pathInContext, Request request, Response response, RoleInfo roleInfo) throws IOException
      Specified by:
      checkUserDataPermissions in class SecurityHandler
      Throws:
      IOException
    • isAuthMandatory

      protected boolean isAuthMandatory(Request baseRequest, Response baseResponse, Object constraintInfo)
      Specified by:
      isAuthMandatory in class SecurityHandler
    • checkWebResourcePermissions

      protected boolean checkWebResourcePermissions(String pathInContext, Request request, Response response, Object constraintInfo, UserIdentity userIdentity) throws IOException
      Specified by:
      checkWebResourcePermissions in class SecurityHandler
      Throws:
      IOException
    • dump

      public void dump(Appendable out, String indent) throws IOException
      Description copied from interface: Dumpable
      Dump this object (and children) into an Appendable using the provided indent after any new lines. The indent should not be applied to the first object dumped.
      Specified by:
      dump in interface Dumpable
      Overrides:
      dump in class ContainerLifeCycle
      Parameters:
      out - The appendable to dump to
      indent - The indent to apply after any new lines.
      Throws:
      IOException - if unable to write to Appendable
    • setDenyUncoveredHttpMethods

      public void setDenyUncoveredHttpMethods(boolean deny)
      Description copied from interface: ConstraintAware
      See Servlet Spec 31, sec 13.8.4, pg 145 When true, requests with http methods not explicitly covered either by inclusion or omissions in constraints, will have access denied.
      Specified by:
      setDenyUncoveredHttpMethods in interface ConstraintAware
      Parameters:
      deny - true for denied method access
    • isDenyUncoveredHttpMethods

      public boolean isDenyUncoveredHttpMethods()
      Specified by:
      isDenyUncoveredHttpMethods in interface ConstraintAware
    • checkPathsWithUncoveredHttpMethods

      public boolean checkPathsWithUncoveredHttpMethods()
      Servlet spec 3.1 pg. 147.
      Specified by:
      checkPathsWithUncoveredHttpMethods in interface ConstraintAware
      Returns:
      true if urls with uncovered http methods
    • getPathsWithUncoveredHttpMethods

      public Set<String> getPathsWithUncoveredHttpMethods()
      Servlet spec 3.1 pg. 147. The container must check all the combined security constraint information and log any methods that are not protected and the urls at which they are not protected
      Returns:
      list of paths for which there are uncovered methods
    • omissionsExist

      protected boolean omissionsExist(String path, Map<String,RoleInfo> methodMappings)
      Check if any http method omissions exist in the list of method to auth info mappings.
      Parameters:
      path - the path
      methodMappings - the method mappings
      Returns:
      true if omission exist
    • getOmittedMethods

      protected Set<String> getOmittedMethods(String omission)
      Given a string of the form <method>.<method>.omission split out the individual method names.
      Parameters:
      omission - the method
      Returns:
      the list of strings