View Javadoc

1   //
2   //  ========================================================================
3   //  Copyright (c) 1995-2014 Mort Bay Consulting Pty. Ltd.
4   //  ------------------------------------------------------------------------
5   //  All rights reserved. This program and the accompanying materials
6   //  are made available under the terms of the Eclipse Public License v1.0
7   //  and Apache License v2.0 which accompanies this distribution.
8   //
9   //      The Eclipse Public License is available at
10  //      http://www.eclipse.org/legal/epl-v10.html
11  //
12  //      The Apache License v2.0 is available at
13  //      http://www.opensource.org/licenses/apache2.0.php
14  //
15  //  You may elect to redistribute this code under either of these licenses.
16  //  ========================================================================
17  //
18  
19  package org.eclipse.jetty.annotations;
20  
21  import java.util.ArrayList;
22  import java.util.List;
23  
24  import javax.servlet.ServletSecurityElement;
25  import javax.servlet.annotation.ServletSecurity;
26  import javax.servlet.annotation.ServletSecurity.EmptyRoleSemantic;
27  import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
28  
29  import org.eclipse.jetty.annotations.AnnotationIntrospector.AbstractIntrospectableAnnotationHandler;
30  import org.eclipse.jetty.security.ConstraintAware;
31  import org.eclipse.jetty.security.ConstraintMapping;
32  import org.eclipse.jetty.security.ConstraintSecurityHandler;
33  import org.eclipse.jetty.servlet.ServletHolder;
34  import org.eclipse.jetty.servlet.ServletMapping;
35  import org.eclipse.jetty.util.log.Log;
36  import org.eclipse.jetty.util.log.Logger;
37  import org.eclipse.jetty.util.security.Constraint;
38  import org.eclipse.jetty.webapp.WebAppContext;
39  
40  /**
41   * ServletSecurityAnnotationHandler
42   *
43   * Inspect a class to see if it has an @ServletSecurity annotation on it,
44   * setting up the <security-constraint>s.
45   *
46   * A servlet can be defined in:
47   * <ul>
48   * <li>web.xml
49   * <li>web-fragment.xml
50   * <li>@WebServlet annotation discovered
51   * <li>ServletContext.createServlet
52   * </ul>
53   *
54   * The ServletSecurity annotation for a servlet should only be processed
55   * iff metadata-complete == false.
56   */
57  public class ServletSecurityAnnotationHandler extends AbstractIntrospectableAnnotationHandler
58  {
59      private static final Logger LOG = Log.getLogger(ServletSecurityAnnotationHandler.class);
60  
61      private WebAppContext _context;
62  
63      public ServletSecurityAnnotationHandler(WebAppContext wac)
64      {
65          super(false);
66          _context = wac;
67      }
68  
69      /**
70       * @see org.eclipse.jetty.annotations.AnnotationIntrospector.IntrospectableAnnotationHandler#handle(java.lang.Class)
71       */
72      public void doHandle(Class clazz)
73      {
74          if (!(_context.getSecurityHandler() instanceof ConstraintAware))
75          {
76              LOG.warn("SecurityHandler not ConstraintAware, skipping security annotation processing");
77              return;
78          }
79  
80         ServletSecurity servletSecurity = (ServletSecurity)clazz.getAnnotation(ServletSecurity.class);
81         if (servletSecurity == null)
82             return;
83  
84         //If there are already constraints defined (ie from web.xml) that match any 
85         //of the url patterns defined for this servlet, then skip the security annotation.
86  
87         List<ServletMapping> servletMappings = getServletMappings(clazz.getCanonicalName());
88         List<ConstraintMapping> constraintMappings =  ((ConstraintAware)_context.getSecurityHandler()).getConstraintMappings();
89  
90         if (constraintsExist(servletMappings, constraintMappings))
91         {
92             LOG.warn("Constraints already defined for "+clazz.getName()+", skipping ServletSecurity annotation");
93             return;
94         }
95  
96         //Make a fresh list
97         constraintMappings = new ArrayList<ConstraintMapping>();
98  
99         ServletSecurityElement securityElement = new ServletSecurityElement(servletSecurity);
100        for (ServletMapping sm : servletMappings)
101        {
102            for (String url : sm.getPathSpecs())
103            {
104                _context.getMetaData().setOrigin("constraint.url."+url,servletSecurity,clazz);
105                constraintMappings.addAll(ConstraintSecurityHandler.createConstraintsWithMappingsForPath(clazz.getName(), url, securityElement));
106            }
107        }
108 
109        //set up the security constraints produced by the annotation
110        ConstraintAware securityHandler = (ConstraintAware)_context.getSecurityHandler();
111 
112        for (ConstraintMapping m:constraintMappings)
113            securityHandler.addConstraintMapping(m);
114        
115        //Servlet Spec 3.1 requires paths with uncovered http methods to be reported
116        securityHandler.checkPathsWithUncoveredHttpMethods();
117     }
118 
119 
120 
121     /**
122      * Make a jetty Constraint object, which represents the <auth-constraint> and
123      * <user-data-constraint> elements, based on the security annotation.
124      * @param servlet
125      * @param rolesAllowed
126      * @param permitOrDeny
127      * @param transport
128      */
129     protected Constraint makeConstraint (Class servlet, String[] rolesAllowed, EmptyRoleSemantic permitOrDeny, TransportGuarantee transport)
130     {
131         return ConstraintSecurityHandler.createConstraint(servlet.getName(), rolesAllowed, permitOrDeny, transport);
132     }
133 
134 
135 
136     /**
137      * Get the ServletMappings for the servlet's class.
138      * @param className
139      */
140     protected List<ServletMapping> getServletMappings(String className)
141     {
142         List<ServletMapping> results = new ArrayList<ServletMapping>();
143         ServletMapping[] mappings = _context.getServletHandler().getServletMappings();
144         for (ServletMapping mapping : mappings)
145         {
146             //Check the name of the servlet that this mapping applies to, and then find the ServletHolder for it to find it's class
147             ServletHolder holder = _context.getServletHandler().getServlet(mapping.getServletName());
148             if (holder.getClassName() != null && holder.getClassName().equals(className))
149               results.add(mapping);
150         }
151         return results;
152     }
153 
154 
155 
156     /**
157      * Check if there are already <security-constraint> elements defined that match the url-patterns for
158      * the servlet.
159      * @param servletMappings
160      */
161     protected boolean constraintsExist (List<ServletMapping> servletMappings, List<ConstraintMapping> constraintMappings)
162     {
163         boolean exists = false;
164 
165         //Check to see if the path spec on each constraint mapping matches a pathSpec in the servlet mappings.
166         //If it does, then we should ignore the security annotations.
167         for (ServletMapping mapping : servletMappings)
168         {
169             //Get its url mappings
170             String[] pathSpecs = mapping.getPathSpecs();
171             if (pathSpecs == null)
172                 continue;
173 
174             //Check through the constraints to see if there are any whose pathSpecs (url mappings)
175             //match the servlet. If so, then we already have constraints defined for this servlet,
176             //and we will not be processing the annotation (ie web.xml or programmatic override).
177            for (int i=0; constraintMappings != null && i < constraintMappings.size() && !exists; i++)
178            {
179                for (int j=0; j < pathSpecs.length; j++)
180                {
181                    //TODO decide if we need to check the origin
182                    if (pathSpecs[j].equals(constraintMappings.get(i).getPathSpec()))
183                    {
184                        exists = true;
185                        break;
186                    }
187                }
188            }
189         }
190         return exists;
191     }
192 
193 }