//
// ========================================================================
// Copyright (c) 1995-2013 Mort Bay Consulting Pty. Ltd.
// ------------------------------------------------------------------------
// All rights reserved. This program and the accompanying materials
// are made available under the terms of the Eclipse Public License v1.0
// and Apache License v2.0 which accompanies this distribution.
//
// The Eclipse Public License is available at
// http://www.eclipse.org/legal/epl-v10.html
//
// The Apache License v2.0 is available at
// http://www.opensource.org/licenses/apache2.0.php
//
// You may elect to redistribute this code under either of these licenses.
// ========================================================================
//

package org.eclipse.jetty.embedded;

import java.util.Collections;

import org.eclipse.jetty.security.ConstraintMapping;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.security.HashLoginService;
import org.eclipse.jetty.security.LoginService;
import org.eclipse.jetty.security.authentication.BasicAuthenticator;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.util.security.Constraint;

/**
 * Embedded Jetty example that serves {@link HelloHandler} behind HTTP Basic authentication.
 *
 * <p>The handler chain is: server, then a {@link ConstraintSecurityHandler}, then the hello handler. Every path
 * requires an authenticated user holding the role {@code user} or {@code admin}; users are loaded from a
 * properties file by a {@link HashLoginService}.
 *
 * <p>Security notes for anyone adapting this example: only a port number is passed to the server and no TLS
 * connector is configured, while Basic authentication sends the user name and password base64-encoded (not
 * encrypted) with every request. Put a TLS connector or a TLS-terminating proxy in front of it for anything
 * beyond a local demo. The user file lives under {@code src/test/resources}, i.e. it is test data and not a
 * credential store for deployment.
 */
public class SecuredHelloHandler
{
    /**
     * Builds the single constraint mapping used by this example: authentication is mandatory and the caller must
     * be in one of the listed roles, for every path.
     *
     * @return a mapping that binds the path spec {@code /*} to the "auth" constraint
     */
    private static ConstraintMapping requireLoginEverywhere()
    {
        // Authentication is required and, for authorization, the authenticated user must be a member of
        // one of these roles.
        String[] allowedRoles = {"user", "admin"};
        Constraint rolesRequired = new Constraint();
        rolesRequired.setName("auth");
        rolesRequired.setAuthenticate(true);
        rolesRequired.setRoles(allowedRoles);

        // Bind the constraint to a url pattern. The roles come from the Constraint itself, although methods
        // exist to declare and bind roles separately. No HTTP method is set on the mapping, so it is not
        // narrowed to particular request methods.
        ConstraintMapping everyPath = new ConstraintMapping();
        everyPath.setPathSpec("/*");
        everyPath.setConstraint(rolesRequired);
        return everyPath;
    }

    /**
     * Starts the secured server on port 8080 and blocks until it stops.
     *
     * @param args command line arguments; not used
     * @throws Exception if the server fails to start or the join is interrupted
     */
    public static void main(String[] args) throws Exception
    {
        // Basic jetty server listening on port 8080. Port 0 would make jetty pick a free port, which can
        // then be read from the logs or obtained programmatically in test cases.
        Server jetty = new Server(8080);

        // A simple hashmap based LoginService is the user store. For a webapp its name has to match the
        // realm configured in web.xml; here no webapp realm is involved, so any name works. It has a
        // lifecycle of its own, so it is registered as a bean and is started and stopped with the server.
        // The properties path is relative, so it is resolved against the process working directory.
        LoginService realmUsers = new HashLoginService("MyRealm", "src/test/resources/realm.properties");
        jetty.addBean(realmUsers);

        // The security handler protects a portion of the url space; ConstraintSecurityHandler matches urls
        // to constraints. It is set as the first handler of the server, so its constraints apply to every
        // handler chained behind it.
        ConstraintSecurityHandler guard = new ConstraintSecurityHandler();
        jetty.setHandler(guard);

        // One mapping is passed as a singleton list; more can be supplied as long as they follow the
        // mapping rules of the servlet api.
        ConstraintMapping everyPath = requireLoginEverywhere();
        guard.setConstraintMappings(Collections.singletonList(everyPath));

        // BasicAuthenticator is the object that checks the credentials presented with a request, and the
        // LoginService is the store of known users it checks them against.
        guard.setAuthenticator(new BasicAuthenticator());
        guard.setLoginService(realmUsers);

        // The hello handler is what is being secured: chaining it into the security handler completes
        // the simple handler chain.
        guard.setHandler(new HelloHandler());

        // Start things up! server.join() makes the current thread wait for the server thread.
        // See "http://docs.oracle.com/javase/1.5.0/docs/api/java/lang/Thread.html#join()" for more details.
        jetty.start();
        jetty.join();
    }
}