19 package org.eclipse.jetty.annotations;
20
21 import java.util.ArrayList;
22 import java.util.List;
23
24 import javax.servlet.ServletSecurityElement;
25 import javax.servlet.annotation.ServletSecurity;
26 import javax.servlet.annotation.ServletSecurity.EmptyRoleSemantic;
27 import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
28
29 import org.eclipse.jetty.annotations.AnnotationIntrospector.AbstractIntrospectableAnnotationHandler;
30 import org.eclipse.jetty.security.ConstraintAware;
31 import org.eclipse.jetty.security.ConstraintMapping;
32 import org.eclipse.jetty.security.ConstraintSecurityHandler;
33 import org.eclipse.jetty.servlet.ServletHolder;
34 import org.eclipse.jetty.servlet.ServletMapping;
35 import org.eclipse.jetty.util.log.Log;
36 import org.eclipse.jetty.util.log.Logger;
37 import org.eclipse.jetty.util.security.Constraint;
38 import org.eclipse.jetty.webapp.WebAppContext;
39
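/**
 * Turns a {@link ServletSecurity} annotation found on a servlet class into
 * {@link ConstraintMapping}s and registers them with the context's security handler.
 *
 * <p>The annotation is only applied when the context's security handler is
 * {@link ConstraintAware} and when none of the servlet's path specs already has a
 * constraint mapping registered; otherwise it is skipped with a warning.
 *
 * <p>Security-relevant behaviour to be aware of when reviewing a deployment:
 * <ul>
 * <li>If no {@link ServletMapping} resolves to the annotated class, no constraint is
 * created and nothing is logged, so the annotation has no effect.</li>
 * <li>"Already defined" is decided by exact string equality of path specs (see
 * {@link #constraintsExist(List, List)}); overlapping but differently written patterns
 * are not treated as a match.</li>
 * </ul>
 */
public class ServletSecurityAnnotationHandler extends AbstractIntrospectableAnnotationHandler
{
    private static final Logger LOG = Log.getLogger(ServletSecurityAnnotationHandler.class);

    /** Web application whose servlet mappings and security handler are consulted. */
    private WebAppContext _context;

    /**
     * @param wac the web application context the discovered constraints are applied to
     */
    public ServletSecurityAnnotationHandler(WebAppContext wac)
    {
        // NOTE(review): 'false' presumably disables introspection of ancestor classes;
        // confirm against AbstractIntrospectableAnnotationHandler.
        super(false);
        _context = wac;
    }

    /**
     * Processes the {@link ServletSecurity} annotation on {@code clazz}, if there is one.
     *
     * <p>For every path spec of every servlet mapping that resolves to {@code clazz}, the
     * constraint mappings derived from the annotation are added to the security handler,
     * after which the handler is asked to check for paths with uncovered HTTP methods.
     *
     * @param clazz the class to inspect for a {@code ServletSecurity} annotation
     */
    public void doHandle(Class clazz)
    {
        if (!(_context.getSecurityHandler() instanceof ConstraintAware))
        {
            LOG.warn("SecurityHandler not ConstraintAware, skipping security annotation processing");
            return;
        }
        ConstraintAware securityHandler = (ConstraintAware)_context.getSecurityHandler();

        ServletSecurity servletSecurity = (ServletSecurity)clazz.getAnnotation(ServletSecurity.class);
        if (servletSecurity == null)
            return;

        // NOTE(review): getCanonicalName() differs from getName() for nested classes and is
        // null for local/anonymous ones. If servlet holders record the binary class name, a
        // nested servlet's annotation would never match here and would be silently ignored.
        // Confirm which form the holders use.
        List<ServletMapping> servletMappings = getServletMappings(clazz.getCanonicalName());

        // Constraints already registered for one of this servlet's path specs take
        // precedence: the annotation is dropped as a whole rather than merged.
        if (constraintsExist(servletMappings, securityHandler.getConstraintMappings()))
        {
            LOG.warn("Constraints already defined for "+clazz.getName()+", skipping ServletSecurity annotation");
            return;
        }

        // Build the complete set first so that nothing is registered if construction fails.
        List<ConstraintMapping> annotationMappings = new ArrayList<ConstraintMapping>();
        ServletSecurityElement securityElement = new ServletSecurityElement(servletSecurity);
        for (ServletMapping sm : servletMappings)
        {
            // A mapping may carry no path specs (constraintsExist guards the same case);
            // there is then no URL to constrain, so skip it instead of failing with an NPE.
            String[] pathSpecs = sm.getPathSpecs();
            if (pathSpecs == null)
                continue;

            for (String url : pathSpecs)
            {
                // Record that the constraint for this URL originates from the annotation.
                _context.getMetaData().setOrigin("constraint.url."+url,servletSecurity,clazz);
                annotationMappings.addAll(ConstraintSecurityHandler.createConstraintsWithMappingsForPath(clazz.getName(), url, securityElement));
            }
        }

        for (ConstraintMapping m : annotationMappings)
            securityHandler.addConstraintMapping(m);

        // Runs even when no mapping was added, exactly as before.
        securityHandler.checkPathsWithUncoveredHttpMethods();
    }

    /**
     * Creates a single {@link Constraint} named after the servlet class.
     *
     * @param servlet the servlet class; its name becomes the constraint name
     * @param rolesAllowed the roles permitted by the constraint
     * @param permitOrDeny how an empty role list is to be interpreted
     * @param transport the required transport guarantee
     * @return the constraint built by {@link ConstraintSecurityHandler#createConstraint}
     */
    protected Constraint makeConstraint (Class servlet, String[] rolesAllowed, EmptyRoleSemantic permitOrDeny, TransportGuarantee transport)
    {
        return ConstraintSecurityHandler.createConstraint(servlet.getName(), rolesAllowed, permitOrDeny, transport);
    }

    /**
     * Collects the servlet mappings whose servlet holder declares the given class name.
     *
     * @param className the class name to compare with each holder's class name
     * @return the matching mappings in handler order; empty (never null) if there are none
     */
    protected List<ServletMapping> getServletMappings(String className)
    {
        List<ServletMapping> results = new ArrayList<ServletMapping>();
        ServletMapping[] mappings = _context.getServletHandler().getServletMappings();
        if (mappings == null)
            return results; // no mappings registered: nothing can match

        for (ServletMapping mapping : mappings)
        {
            // Resolve the mapping's servlet name to its holder to learn the servlet's class.
            ServletHolder holder = _context.getServletHandler().getServlet(mapping.getServletName());
            if (holder == null)
                continue; // mapping names a servlet that has no holder

            String holderClassName = holder.getClassName();
            if (holderClassName != null && holderClassName.equals(className))
                results.add(mapping);
        }
        return results;
    }

    /**
     * Tells whether any path spec of the given servlet mappings already has a constraint
     * mapping.
     *
     * <p>Path specs are compared with {@link String#equals(Object)} only; no pattern
     * matching is done, so {@code /a/*} and {@code /a/b} are considered unrelated.
     *
     * @param servletMappings the mappings of the servlet being processed
     * @param constraintMappings the constraint mappings already registered; may be null
     * @return true if at least one path spec equals the path spec of an existing constraint
     *         mapping
     */
    protected boolean constraintsExist (List<ServletMapping> servletMappings, List<ConstraintMapping> constraintMappings)
    {
        if (constraintMappings == null || constraintMappings.isEmpty())
            return false;

        for (ServletMapping mapping : servletMappings)
        {
            String[] pathSpecs = mapping.getPathSpecs();
            if (pathSpecs == null)
                continue;

            for (ConstraintMapping existing : constraintMappings)
            {
                String constrainedSpec = existing.getPathSpec();
                for (String spec : pathSpecs)
                {
                    // The null check keeps a stray null entry from aborting annotation handling.
                    if (spec != null && spec.equals(constrainedSpec))
                        return true;
                }
            }
        }
        return false;
    }

}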