19 package org.eclipse.jetty.annotations;
20
21 import java.util.ArrayList;
22 import java.util.List;
23
24 import javax.servlet.ServletSecurityElement;
25 import javax.servlet.annotation.ServletSecurity;
26 import javax.servlet.annotation.ServletSecurity.EmptyRoleSemantic;
27 import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
28
29 import org.eclipse.jetty.annotations.AnnotationIntrospector.AbstractIntrospectableAnnotationHandler;
30 import org.eclipse.jetty.security.ConstraintAware;
31 import org.eclipse.jetty.security.ConstraintMapping;
32 import org.eclipse.jetty.security.ConstraintSecurityHandler;
33 import org.eclipse.jetty.servlet.ServletHolder;
34 import org.eclipse.jetty.servlet.ServletMapping;
35 import org.eclipse.jetty.util.log.Log;
36 import org.eclipse.jetty.util.log.Logger;
37 import org.eclipse.jetty.util.security.Constraint;
38 import org.eclipse.jetty.webapp.Origin;
39 import org.eclipse.jetty.webapp.WebAppContext;
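/**
 * Applies a {@link ServletSecurity} annotation found on a servlet class by converting it
 * into {@link ConstraintMapping}s and registering them on the web application's security
 * handler.
 *
 * <p>Security-relevant behaviour of this class: the annotation is skipped, with only a
 * warning in the log, when the security handler is not {@link ConstraintAware} or when a
 * constraint already exists for any path the servlet is mapped to. In both cases the
 * servlet is deployed without the constraints the annotation declares, so those warnings
 * should be reviewed whenever they appear in a deployment log.
 */
public class ServletSecurityAnnotationHandler extends AbstractIntrospectableAnnotationHandler
{
    private static final Logger LOG = Log.getLogger(ServletSecurityAnnotationHandler.class);

    /** Web application whose servlet mappings are read and whose security handler is updated. */
    private final WebAppContext _context;

    /**
     * Creates a handler bound to one web application.
     *
     * @param wac the context to inspect and update
     */
    public ServletSecurityAnnotationHandler(WebAppContext wac)
    {
        super(false);
        _context = wac;
    }

    /**
     * Translates the {@link ServletSecurity} annotation on {@code clazz}, if any, into
     * constraint mappings for every path the servlet is mapped to.
     *
     * <p>Nothing is registered when the security handler is not {@link ConstraintAware},
     * when the class carries no annotation, or when {@link #constraintsExist} reports an
     * existing constraint for one of the servlet's paths.
     *
     * @param clazz the class being introspected
     */
    public void doHandle(Class clazz)
    {
        if (!(_context.getSecurityHandler() instanceof ConstraintAware))
        {
            LOG.warn("SecurityHandler not ConstraintAware, skipping security annotation processing");
            return;
        }
        ConstraintAware securityHandler = (ConstraintAware)_context.getSecurityHandler();

        ServletSecurity servletSecurity = (ServletSecurity)clazz.getAnnotation(ServletSecurity.class);
        if (servletSecurity == null)
            return;

        // NOTE(review): the lookup uses the canonical name, which differs from the binary
        // name for nested classes and is null for local/anonymous classes. If holders store
        // the binary name, an annotated nested servlet matches no mapping and gets no
        // constraints - confirm against ServletHolder.
        List<ServletMapping> servletMappings = getServletMappings(clazz.getCanonicalName());
        if (servletMappings.isEmpty())
            LOG.debug("No servlet mappings found for {}, ServletSecurity annotation adds no constraints", clazz.getName());

        // A single matching path is enough to skip the whole annotation, so the servlet's
        // other paths receive nothing from it either.
        // NOTE(review): confirm that all-or-nothing skipping is the intended override rule.
        if (constraintsExist(servletMappings, securityHandler.getConstraintMappings()))
        {
            LOG.warn("Constraints already defined for "+clazz.getName()+", skipping ServletSecurity annotation");
            return;
        }

        // Build every mapping before registering any, so that a failure while building
        // leaves the security handler untouched.
        List<ConstraintMapping> newMappings = new ArrayList<ConstraintMapping>();
        ServletSecurityElement securityElement = new ServletSecurityElement(servletSecurity);
        for (ServletMapping sm : servletMappings)
        {
            String[] pathSpecs = sm.getPathSpecs();
            // constraintsExist() tolerates a mapping without path specs; do the same here
            // instead of failing with a NullPointerException.
            if (pathSpecs == null)
                continue;

            for (String url : pathSpecs)
            {
                _context.getMetaData().setOrigin("constraint.url."+url, Origin.Annotation);
                newMappings.addAll(ConstraintSecurityHandler.createConstraintsWithMappingsForPath(clazz.getName(), url, securityElement));
            }
        }

        for (ConstraintMapping m : newMappings)
            securityHandler.addConstraintMapping(m);
    }

    /**
     * Builds a constraint named after the servlet class by delegating to
     * {@link ConstraintSecurityHandler#createConstraint}.
     *
     * @param servlet the servlet class whose name is used as the constraint name
     * @param rolesAllowed the roles passed through to the constraint
     * @param permitOrDeny the empty-role semantic passed through to the constraint
     * @param transport the transport guarantee passed through to the constraint
     * @return the constraint created by the security handler
     */
    protected Constraint makeConstraint (Class servlet, String[] rolesAllowed, EmptyRoleSemantic permitOrDeny, TransportGuarantee transport)
    {
        return ConstraintSecurityHandler.createConstraint(servlet.getName(), rolesAllowed, permitOrDeny, transport);
    }

    /**
     * Collects the servlet mappings whose servlet holder declares the given class name.
     *
     * @param className the class name compared against each holder's class name
     * @return the matching mappings; empty, never null, when there are none
     */
    protected List<ServletMapping> getServletMappings(String className)
    {
        List<ServletMapping> results = new ArrayList<ServletMapping>();
        ServletMapping[] mappings = _context.getServletHandler().getServletMappings();
        // Guard against a handler that reports no mappings as null rather than an empty array.
        if (mappings == null)
            return results;

        for (ServletMapping mapping : mappings)
        {
            // The mapping only names its servlet; the holder registered under that name
            // carries the class name.
            ServletHolder holder = _context.getServletHandler().getServlet(mapping.getServletName());
            // A mapping may name a servlet with no registered holder; skip it.
            if (holder == null)
                continue;

            String holderClassName = holder.getClassName();
            if (holderClassName != null && holderClassName.equals(className))
                results.add(mapping);
        }
        return results;
    }

    /**
     * Reports whether any existing constraint mapping targets one of the given servlet
     * mappings' path specs.
     *
     * <p>Path specs are compared as exact strings, so a constraint on an overlapping but
     * differently written pattern is not detected here.
     *
     * @param servletMappings the mappings of the servlet being processed
     * @param constraintMappings the constraints already registered; may be null
     * @return true if at least one path spec equals an existing constraint's path spec
     */
    protected boolean constraintsExist (List<ServletMapping> servletMappings, List<ConstraintMapping> constraintMappings)
    {
        if (constraintMappings == null || constraintMappings.isEmpty())
            return false;

        for (ServletMapping mapping : servletMappings)
        {
            String[] pathSpecs = mapping.getPathSpecs();
            if (pathSpecs == null)
                continue;

            for (ConstraintMapping constraintMapping : constraintMappings)
            {
                String constrainedPath = constraintMapping.getPathSpec();
                for (String pathSpec : pathSpecs)
                {
                    // The first match decides the answer, so stop scanning immediately.
                    if (pathSpec.equals(constrainedPath))
                        return true;
                }
            }
        }
        return false;
    }

}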