1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19 package org.eclipse.jetty.annotations;
20
21 import java.util.ArrayList;
22 import java.util.List;
23
24 import javax.servlet.ServletSecurityElement;
25 import javax.servlet.annotation.HttpConstraint;
26 import javax.servlet.annotation.HttpMethodConstraint;
27 import javax.servlet.annotation.ServletSecurity;
28 import javax.servlet.annotation.ServletSecurity.EmptyRoleSemantic;
29 import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
30
31 import org.eclipse.jetty.annotations.AnnotationIntrospector.AbstractIntrospectableAnnotationHandler;
32 import org.eclipse.jetty.security.ConstraintAware;
33 import org.eclipse.jetty.security.ConstraintMapping;
34 import org.eclipse.jetty.security.ConstraintSecurityHandler;
35 import org.eclipse.jetty.servlet.ServletHolder;
36 import org.eclipse.jetty.servlet.ServletMapping;
37 import org.eclipse.jetty.util.log.Log;
38 import org.eclipse.jetty.util.log.Logger;
39 import org.eclipse.jetty.util.security.Constraint;
40 import org.eclipse.jetty.webapp.Origin;
41 import org.eclipse.jetty.webapp.WebAppContext;
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60 public class ServletSecurityAnnotationHandler extends AbstractIntrospectableAnnotationHandler
61 {
62 private static final Logger LOG = Log.getLogger(ServletSecurityAnnotationHandler.class);
63
64 private WebAppContext _context;
65
66 public ServletSecurityAnnotationHandler(WebAppContext wac)
67 {
68 super(false);
69 _context = wac;
70 }
71
72
73
74
75 public void doHandle(Class clazz)
76 {
77 if (!(_context.getSecurityHandler() instanceof ConstraintAware))
78 {
79 LOG.warn("SecurityHandler not ConstraintAware, skipping security annotation processing");
80 return;
81 }
82
83 ServletSecurity servletSecurity = (ServletSecurity)clazz.getAnnotation(ServletSecurity.class);
84 if (servletSecurity == null)
85 return;
86
87
88
89
90 List<ServletMapping> servletMappings = getServletMappings(clazz.getCanonicalName());
91 List<ConstraintMapping> constraintMappings = ((ConstraintAware)_context.getSecurityHandler()).getConstraintMappings();
92
93 if (constraintsExist(servletMappings, constraintMappings))
94 {
95 LOG.warn("Constraints already defined for "+clazz.getName()+", skipping ServletSecurity annotation");
96 return;
97 }
98
99
100 constraintMappings = new ArrayList<ConstraintMapping>();
101
102 ServletSecurityElement securityElement = new ServletSecurityElement(servletSecurity);
103 for (ServletMapping sm : servletMappings)
104 {
105 for (String url : sm.getPathSpecs())
106 {
107 _context.getMetaData().setOrigin("constraint.url."+url, Origin.Annotation);
108 constraintMappings.addAll(ConstraintSecurityHandler.createConstraintsWithMappingsForPath(clazz.getName(), url, securityElement));
109 }
110 }
111
112
113 ConstraintAware securityHandler = (ConstraintAware)_context.getSecurityHandler();
114
115 for (ConstraintMapping m:constraintMappings)
116 securityHandler.addConstraintMapping(m);
117 }
118
119
120
121
122
123
124
125
126
127
128
129
130 protected Constraint makeConstraint (Class servlet, String[] rolesAllowed, EmptyRoleSemantic permitOrDeny, TransportGuarantee transport)
131 {
132 return ConstraintSecurityHandler.createConstraint(servlet.getName(), rolesAllowed, permitOrDeny, transport);
133 }
134
135
136
137
138
139
140
141
142 protected List<ServletMapping> getServletMappings(String className)
143 {
144 List<ServletMapping> results = new ArrayList<ServletMapping>();
145 ServletMapping[] mappings = _context.getServletHandler().getServletMappings();
146 for (ServletMapping mapping : mappings)
147 {
148
149 ServletHolder holder = _context.getServletHandler().getServlet(mapping.getServletName());
150 if (holder.getClassName() != null && holder.getClassName().equals(className))
151 results.add(mapping);
152 }
153 return results;
154 }
155
156
157
158
159
160
161
162
163
164 protected boolean constraintsExist (List<ServletMapping> servletMappings, List<ConstraintMapping> constraintMappings)
165 {
166 boolean exists = false;
167
168
169
170 for (ServletMapping mapping : servletMappings)
171 {
172
173 String[] pathSpecs = mapping.getPathSpecs();
174 if (pathSpecs == null)
175 continue;
176
177
178
179
180 for (int i=0; constraintMappings != null && i < constraintMappings.size() && !exists; i++)
181 {
182 for (int j=0; j < pathSpecs.length; j++)
183 {
184
185 if (pathSpecs[j].equals(constraintMappings.get(i).getPathSpec()))
186 {
187 exists = true;
188 break;
189 }
190 }
191 }
192 }
193 return exists;
194 }
195
196 }