View Javadoc

1   //
2   //  ========================================================================
3   //  Copyright (c) 1995-2013 Mort Bay Consulting Pty. Ltd.
4   //  ------------------------------------------------------------------------
5   //  All rights reserved. This program and the accompanying materials
6   //  are made available under the terms of the Eclipse Public License v1.0
7   //  and Apache License v2.0 which accompanies this distribution.
8   //
9   //      The Eclipse Public License is available at
10  //      http://www.eclipse.org/legal/epl-v10.html
11  //
12  //      The Apache License v2.0 is available at
13  //      http://www.opensource.org/licenses/apache2.0.php
14  //
15  //  You may elect to redistribute this code under either of these licenses.
16  //  ========================================================================
17  //
18  
19  package org.eclipse.jetty.annotations;
20  
21  import java.util.ArrayList;
22  import java.util.List;
23  
24  import javax.servlet.ServletSecurityElement;
25  import javax.servlet.annotation.ServletSecurity;
26  import javax.servlet.annotation.ServletSecurity.EmptyRoleSemantic;
27  import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
28  
29  import org.eclipse.jetty.annotations.AnnotationIntrospector.AbstractIntrospectableAnnotationHandler;
30  import org.eclipse.jetty.security.ConstraintAware;
31  import org.eclipse.jetty.security.ConstraintMapping;
32  import org.eclipse.jetty.security.ConstraintSecurityHandler;
33  import org.eclipse.jetty.servlet.ServletHolder;
34  import org.eclipse.jetty.servlet.ServletMapping;
35  import org.eclipse.jetty.util.log.Log;
36  import org.eclipse.jetty.util.log.Logger;
37  import org.eclipse.jetty.util.security.Constraint;
38  import org.eclipse.jetty.webapp.Origin;
39  import org.eclipse.jetty.webapp.WebAppContext;
40  
41  /**
42   * ServletSecurityAnnotationHandler
43   *
44   * Inspect a class to see if it has an @ServletSecurity annotation on it,
45   * setting up the <security-constraint>s.
46   *
47   * A servlet can be defined in:
48   * <ul>
49   * <li>web.xml
50   * <li>web-fragment.xml
51   * <li>@WebServlet annotation discovered
52   * <li>ServletContext.createServlet
53   * </ul>
54   *
55   * The ServletSecurity annotation for a servlet should only be processed
56   * iff metadata-complete == false.
57   */
58  public class ServletSecurityAnnotationHandler extends AbstractIntrospectableAnnotationHandler
59  {
60      private static final Logger LOG = Log.getLogger(ServletSecurityAnnotationHandler.class);
61  
62      private WebAppContext _context;
63  
64      public ServletSecurityAnnotationHandler(WebAppContext wac)
65      {
66          super(false);
67          _context = wac;
68      }
69  
70      /**
71       * @see org.eclipse.jetty.annotations.AnnotationIntrospector.IntrospectableAnnotationHandler#handle(java.lang.Class)
72       */
73      public void doHandle(Class clazz)
74      {
75          if (!(_context.getSecurityHandler() instanceof ConstraintAware))
76          {
77              LOG.warn("SecurityHandler not ConstraintAware, skipping security annotation processing");
78              return;
79          }
80  
81         ServletSecurity servletSecurity = (ServletSecurity)clazz.getAnnotation(ServletSecurity.class);
82         if (servletSecurity == null)
83             return;
84  
85         //If there are already constraints defined (ie from web.xml) that match any 
86         //of the url patterns defined for this servlet, then skip the security annotation.
87  
88         List<ServletMapping> servletMappings = getServletMappings(clazz.getCanonicalName());
89         List<ConstraintMapping> constraintMappings =  ((ConstraintAware)_context.getSecurityHandler()).getConstraintMappings();
90  
91         if (constraintsExist(servletMappings, constraintMappings))
92         {
93             LOG.warn("Constraints already defined for "+clazz.getName()+", skipping ServletSecurity annotation");
94             return;
95         }
96  
97         //Make a fresh list
98         constraintMappings = new ArrayList<ConstraintMapping>();
99  
100        ServletSecurityElement securityElement = new ServletSecurityElement(servletSecurity);
101        for (ServletMapping sm : servletMappings)
102        {
103            for (String url : sm.getPathSpecs())
104            {
105                _context.getMetaData().setOrigin("constraint.url."+url, Origin.Annotation);
106                constraintMappings.addAll(ConstraintSecurityHandler.createConstraintsWithMappingsForPath(clazz.getName(), url, securityElement));
107            }
108        }
109 
110        //set up the security constraints produced by the annotation
111        ConstraintAware securityHandler = (ConstraintAware)_context.getSecurityHandler();
112 
113        for (ConstraintMapping m:constraintMappings)
114            securityHandler.addConstraintMapping(m);
115     }
116 
117 
118 
119     /**
120      * Make a jetty Constraint object, which represents the <auth-constraint> and
121      * <user-data-constraint> elements, based on the security annotation.
122      * @param servlet
123      * @param rolesAllowed
124      * @param permitOrDeny
125      * @param transport
126      * @return
127      */
128     protected Constraint makeConstraint (Class servlet, String[] rolesAllowed, EmptyRoleSemantic permitOrDeny, TransportGuarantee transport)
129     {
130         return ConstraintSecurityHandler.createConstraint(servlet.getName(), rolesAllowed, permitOrDeny, transport);
131 
132 
133 
134 
135 
136 
137     }
138 
139 
140 
141     /**
142      * Get the ServletMappings for the servlet's class.
143      * @param className
144      * @return
145      */
146     protected List<ServletMapping> getServletMappings(String className)
147     {
148         List<ServletMapping> results = new ArrayList<ServletMapping>();
149         ServletMapping[] mappings = _context.getServletHandler().getServletMappings();
150         for (ServletMapping mapping : mappings)
151         {
152             //Check the name of the servlet that this mapping applies to, and then find the ServletHolder for it to find it's class
153             ServletHolder holder = _context.getServletHandler().getServlet(mapping.getServletName());
154             if (holder.getClassName() != null && holder.getClassName().equals(className))
155               results.add(mapping);
156         }
157         return results;
158     }
159 
160 
161 
162     /**
163      * Check if there are already <security-constraint> elements defined that match the url-patterns for
164      * the servlet.
165      * @param servletMappings
166      * @return
167      */
168     protected boolean constraintsExist (List<ServletMapping> servletMappings, List<ConstraintMapping> constraintMappings)
169     {
170         boolean exists = false;
171 
172         //Check to see if the path spec on each constraint mapping matches a pathSpec in the servlet mappings.
173         //If it does, then we should ignore the security annotations.
174         for (ServletMapping mapping : servletMappings)
175         {
176             //Get its url mappings
177             String[] pathSpecs = mapping.getPathSpecs();
178             if (pathSpecs == null)
179                 continue;
180 
181             //Check through the constraints to see if there are any whose pathSpecs (url mappings)
182             //match the servlet. If so, then we already have constraints defined for this servlet,
183             //and we will not be processing the annotation (ie web.xml or programmatic override).
184            for (int i=0; constraintMappings != null && i < constraintMappings.size() && !exists; i++)
185            {
186                for (int j=0; j < pathSpecs.length; j++)
187                {
188                    //TODO decide if we need to check the origin
189                    if (pathSpecs[j].equals(constraintMappings.get(i).getPathSpec()))
190                    {
191                        exists = true;
192                        break;
193                    }
194                }
195            }
196         }
197         return exists;
198     }
199 
200 }