Java 类org.apache.catalina.deploy.SecurityConstraint 实例源码

项目:tomcat7    文件:TestSSOnonLoginAndDigestAuthenticator.java   
/**
 * Registers the DIGEST-protected test context on the given embedded Tomcat.
 *
 * <p>One servlet is mapped at {@code URI_PROTECTED} and a single security
 * constraint restricts that pattern to {@code ROLE}. No Realm is set in this
 * method, so the users that can satisfy the constraint come from elsewhere.
 *
 * @param tomcat embedded server that receives the new context
 * @throws Exception declared for the test harness; nothing is caught here
 */
private void setUpDigest(Tomcat tomcat) throws Exception {
    // A null docBase is enough: nothing is served from disk.
    Context digestContext = tomcat.addContext(CONTEXT_PATH_DIGEST, null);
    // NOTE(review): Context.setSessionTimeout() takes minutes, while the
    // constant name suggests seconds - confirm the intended unit.
    digestContext.setSessionTimeout(SHORT_TIMEOUT_SECS);

    // Servlet that sits behind the constraint.
    Tomcat.addServlet(digestContext, "TesterServlet3", new TesterServlet());
    digestContext.addServletMapping(URI_PROTECTED, "TesterServlet3");

    // Constraint: URI_PROTECTED requires a caller holding ROLE.
    SecurityCollection protectedResources = new SecurityCollection();
    protectedResources.addPattern(URI_PROTECTED);
    SecurityConstraint roleRequired = new SecurityConstraint();
    roleRequired.addAuthRole(ROLE);
    roleRequired.addCollection(protectedResources);
    digestContext.addConstraint(roleRequired);

    // Both the login-config and the authenticator valve are set explicitly,
    // and they name the same mechanism.
    LoginConfig digestLogin = new LoginConfig();
    digestLogin.setAuthMethod("DIGEST");
    digestContext.setLoginConfig(digestLogin);
    digestContext.getPipeline().addValve(new DigestAuthenticator());
}
项目:tomcat7    文件:TestAbstractHttp11Processor.java   
/**
 * Sends one request to a context in which every URL requires the role "Any"
 * and asserts that the client reports a 403 and that its
 * {@code checkConnectionHeader()} returns true.
 *
 * @param useExpectation forwarded to {@code Non2xxResponseClient}
 * @throws Exception on any start-up or request failure
 */
private void doTestNon2xxResponseAndExpectation(boolean useExpectation) throws Exception {
    Tomcat server = getTomcatInstance();

    // Root context; no docBase on disk is needed.
    Context rootContext = server.addContext("", null);

    Tomcat.addServlet(rootContext, "echo", new EchoBodyServlet());
    rootContext.addServletMapping("/echo", "echo");

    // Guard the whole context ("/*") with a role. No login-config,
    // authenticator or realm is configured in this method, and the test
    // expects the request to be refused with 403.
    SecurityCollection everything = new SecurityCollection("All", "");
    everything.addPattern("/*");
    SecurityConstraint roleRequired = new SecurityConstraint();
    roleRequired.addAuthRole("Any");
    roleRequired.addCollection(everything);
    rootContext.addConstraint(roleRequired);

    server.start();

    Non2xxResponseClient httpClient = new Non2xxResponseClient(useExpectation);
    httpClient.setPort(getPort());
    String requestLine = "GET http://localhost:" + getPort()
            + "/echo HTTP/1.1";
    httpClient.doResourceRequest(requestLine, "HelloWorld");

    Assert.assertTrue(httpClient.isResponse403());
    Assert.assertTrue(httpClient.checkConnectionHeader());
}
项目:apache-tomcat-7.0.73-with-comment    文件:TestSSOnonLoginAndDigestAuthenticator.java   
/**
 * Builds the test context that is protected with HTTP DIGEST authentication.
 *
 * <p>The context gets one servlet at {@code URI_PROTECTED}, one constraint
 * that limits that pattern to {@code ROLE}, a DIGEST login-config and a
 * {@link DigestAuthenticator} valve. This method does not configure a Realm.
 *
 * @param tomcat embedded server to add the context to
 * @throws Exception declared for the test harness; nothing is caught here
 */
private void setUpDigest(Tomcat tomcat) throws Exception {
    // Passing null as docBase: the context serves nothing from the file system.
    Context protectedContext = tomcat.addContext(CONTEXT_PATH_DIGEST, null);
    // NOTE(review): Context.setSessionTimeout() takes minutes, while the
    // constant name suggests seconds - confirm the intended unit.
    protectedContext.setSessionTimeout(SHORT_TIMEOUT_SECS);

    // The resource under test.
    Tomcat.addServlet(protectedContext, "TesterServlet3", new TesterServlet());
    protectedContext.addServletMapping(URI_PROTECTED, "TesterServlet3");

    // Access rule: only callers in ROLE may reach URI_PROTECTED.
    SecurityCollection guardedUrls = new SecurityCollection();
    guardedUrls.addPattern(URI_PROTECTED);
    SecurityConstraint constraint = new SecurityConstraint();
    constraint.addAuthRole(ROLE);
    constraint.addCollection(guardedUrls);
    protectedContext.addConstraint(constraint);

    // Authentication mechanism: declared in the login-config and enforced by
    // the valve added to the pipeline.
    LoginConfig loginConfig = new LoginConfig();
    loginConfig.setAuthMethod("DIGEST");
    protectedContext.setLoginConfig(loginConfig);
    protectedContext.getPipeline().addValve(new DigestAuthenticator());
}
项目:apache-tomcat-7.0.73-with-comment    文件:TestAbstractHttp11Processor.java   
/**
 * Starts Tomcat with a root context whose every URL is constrained to the
 * role "Any", issues a single request for {@code /echo} and asserts that the
 * client saw a 403 and that {@code checkConnectionHeader()} is true.
 *
 * @param useExpectation passed to the {@code Non2xxResponseClient} constructor
 * @throws Exception on any start-up or request failure
 */
private void doTestNon2xxResponseAndExpectation(boolean useExpectation) throws Exception {
    Tomcat embedded = getTomcatInstance();

    // The root context needs no docBase on disk.
    Context root = embedded.addContext("", null);

    Tomcat.addServlet(root, "echo", new EchoBodyServlet());
    root.addServletMapping("/echo", "echo");

    // "/*" puts every resource of the context behind the role. This method
    // sets up no authenticator and no realm; the assertions below expect the
    // request to be rejected with 403 rather than served.
    SecurityCollection allUrls = new SecurityCollection("All", "");
    allUrls.addPattern("/*");
    SecurityConstraint anyRole = new SecurityConstraint();
    anyRole.addAuthRole("Any");
    anyRole.addCollection(allUrls);
    root.addConstraint(anyRole);

    embedded.start();

    Non2xxResponseClient testClient = new Non2xxResponseClient(useExpectation);
    testClient.setPort(getPort());
    String requestLine = "GET http://localhost:" + getPort()
            + "/echo HTTP/1.1";
    testClient.doResourceRequest(requestLine, "HelloWorld");

    Assert.assertTrue(testClient.isResponse403());
    Assert.assertTrue(testClient.checkConnectionHeader());
}
项目:Telepathology    文件:AbstractVistaRealmImpl.java   
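/**
 * A non-authoritative, pre-emptive determination of whether the currently logged in user
 * has privileges to the selected resource.
 *
 * <p>The principal name, request method and request path are stripped of CR/LF before they
 * are written to the log, so a crafted request cannot start a forged log line.
 *
 * @param principal the user to check; when {@code null} the result is {@code Unknown}
 * @param context expected to be a Tomcat {@link Context}; any other type yields {@code Unknown}
 * @param contextRequestPath request path relative to the context
 * @param requestMethod HTTP method of the request
 * @return {@code True} or {@code False} as decided by {@code hasResourcePermission}, or
 *         {@code Unknown} when the check cannot be carried out
 * @see gov.va.med.imaging.tomcat.vistarealm.PreemptiveAuthorization#isAuthorized(java.lang.Object, java.lang.String, java.lang.String)
 */
@Override
public PreemptiveAuthorization.Result isAuthorized(
    Principal principal,
    Object context,
    String contextRequestPath,
    String requestMethod)
{
    if (principal == null)
    {
        // The first log statement used to dereference principal and fail with a
        // NullPointerException. Unknown is the answer this method already gives when it
        // cannot evaluate a request.
        getLogger().warn("Attempt to pre-emptively determine authorization without a principal");
        return PreemptiveAuthorization.Result.Unknown;
    }

    getLogger().info("Preemptively checking authorization '" + singleLineForLog(principal.getName())
        + "' to '" + singleLineForLog(requestMethod) + ":" + singleLineForLog(contextRequestPath) + "'.");
    if (!(context instanceof Context))
    {
        getLogger().warn("Attempt to pre-emptively determine authorization with a context of type other than Tomcat standard Context");
        return PreemptiveAuthorization.Result.Unknown;
    }
    Context tomcatContext = (Context) context;

    // The constraint lookup works on the context name followed by the context-relative path.
    String requestContextPath = tomcatContext.getName();
    String requestPathInfo = requestContextPath + contextRequestPath;

    getLogger().info("Preemptively checking authorization, getting security constraints.");
    SecurityConstraint[] securityConstraints =
        findSecurityConstraints(tomcatContext, requestPathInfo, requestMethod, contextRequestPath);

    getLogger().info("Preemptively checking authorization, checking resource permmissions.");
    // NOTE(review): securityConstraints may be null when nothing matches - confirm that
    // hasResourcePermission treats null as "no constraint applies".
    return hasResourcePermission(tomcatContext, securityConstraints, requestPathInfo, principal) ?
        PreemptiveAuthorization.Result.True : PreemptiveAuthorization.Result.False;
}

/**
 * Replaces CR and LF in a value so that it always stays on one log line.
 *
 * @param value text to be logged; may be {@code null}
 * @return the value with each CR and LF replaced by '_', or {@code null} for {@code null}
 */
private static String singleLineForLog(String value)
{
    return value == null ? null : value.replace('\r', '_').replace('\n', '_');
}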
项目:Telepathology    文件:AbstractVistaRealmImpl.java   
/**
 * Unwraps the SecurityConstraint of every match into an array.
 *
 * @param results matches to unwrap; may be null
 * @return one constraint per match in list order, or null when results is
 *         null or empty - callers must treat null as "no constraint matched"
 */
private SecurityConstraint[] resultsToArray(ArrayList<SecurityConstraintMatch> results)
{
    boolean nothingMatched = (results == null) || results.isEmpty();
    if (nothingMatched)
        return null;

    int count = results.size();
    SecurityConstraint[] constraints = new SecurityConstraint[count];
    for (int i = 0; i < count; i++)
    {
        constraints[i] = results.get(i).getSecurityConstraint();
    }
    return constraints;
}
项目:class-guard    文件:TestSSOnonLoginAndDigestAuthenticator.java   
/**
 * Registers the DIGEST-protected test context on the given embedded Tomcat.
 *
 * <p>One servlet is mapped at {@code URI_PROTECTED} and one constraint limits
 * that pattern to {@code ROLE}. This method does not configure a Realm.
 *
 * @param tomcat embedded server that receives the new context
 * @throws Exception declared for the test harness; nothing is caught here
 */
private void setUpDigest(Tomcat tomcat) throws Exception {
    // This version passes a real directory as docBase and uses the JVM temp
    // directory for it. That directory is shared, which is acceptable for a
    // test but not a pattern for a deployed application.
    String docBase = System.getProperty("java.io.tmpdir");
    Context digestContext = tomcat.addContext(CONTEXT_PATH_DIGEST, docBase);
    // NOTE(review): Context.setSessionTimeout() takes minutes, while the
    // constant name suggests seconds - confirm the intended unit.
    digestContext.setSessionTimeout(SHORT_TIMEOUT_SECS);

    // Servlet that sits behind the constraint.
    Tomcat.addServlet(digestContext, "TesterServlet3", new TesterServlet());
    digestContext.addServletMapping(URI_PROTECTED, "TesterServlet3");

    // Constraint: URI_PROTECTED requires a caller holding ROLE.
    SecurityCollection protectedResources = new SecurityCollection();
    protectedResources.addPattern(URI_PROTECTED);
    SecurityConstraint roleRequired = new SecurityConstraint();
    roleRequired.addAuthRole(ROLE);
    roleRequired.addCollection(protectedResources);
    digestContext.addConstraint(roleRequired);

    // Login-config and authenticator valve name the same mechanism.
    LoginConfig digestLogin = new LoginConfig();
    digestLogin.setAuthMethod("DIGEST");
    digestContext.setLoginConfig(digestLogin);
    digestContext.getPipeline().addValve(new DigestAuthenticator());
}
项目:apache-tomcat-7.0.57    文件:TestSSOnonLoginAndDigestAuthenticator.java   
/**
 * Builds the test context that is protected with HTTP DIGEST authentication.
 *
 * <p>The context gets one servlet at {@code URI_PROTECTED}, one constraint
 * limiting that pattern to {@code ROLE}, a DIGEST login-config and a
 * {@link DigestAuthenticator} valve. No Realm is configured here.
 *
 * @param tomcat embedded server to add the context to
 * @throws Exception declared for the test harness; nothing is caught here
 */
private void setUpDigest(Tomcat tomcat) throws Exception {
    // A real docBase is passed; the JVM temp directory stands in for it.
    // The directory is shared by everything on the host, so this is a
    // test-only choice.
    String tempDir = System.getProperty("java.io.tmpdir");
    Context protectedContext = tomcat.addContext(CONTEXT_PATH_DIGEST, tempDir);
    // NOTE(review): Context.setSessionTimeout() takes minutes, while the
    // constant name suggests seconds - confirm the intended unit.
    protectedContext.setSessionTimeout(SHORT_TIMEOUT_SECS);

    // The resource under test.
    Tomcat.addServlet(protectedContext, "TesterServlet3", new TesterServlet());
    protectedContext.addServletMapping(URI_PROTECTED, "TesterServlet3");

    // Access rule: only callers in ROLE may reach URI_PROTECTED.
    SecurityCollection guardedUrls = new SecurityCollection();
    guardedUrls.addPattern(URI_PROTECTED);
    SecurityConstraint constraint = new SecurityConstraint();
    constraint.addAuthRole(ROLE);
    constraint.addCollection(guardedUrls);
    protectedContext.addConstraint(constraint);

    // Mechanism declared in the login-config, enforced by the valve.
    LoginConfig loginConfig = new LoginConfig();
    loginConfig.setAuthMethod("DIGEST");
    protectedContext.setLoginConfig(loginConfig);
    protectedContext.getPipeline().addValve(new DigestAuthenticator());
}
项目:apache-tomcat-7.0.57    文件:TestSSOnonLoginAndDigestAuthenticator.java   
/**
 * Adds the context used for the DIGEST half of the test.
 *
 * <p>{@code URI_PROTECTED} is served by one servlet and restricted to
 * {@code ROLE}; authentication is DIGEST, enforced by a
 * {@link DigestAuthenticator} valve. The Realm is not set in this method.
 *
 * @param tomcat embedded server to configure
 * @throws Exception declared for the test harness; nothing is caught here
 */
private void setUpDigest(Tomcat tomcat) throws Exception {
    // docBase points at the JVM temp directory because a real directory is
    // wanted; being a shared location, it is only suitable for tests.
    String sharedTemp = System.getProperty("java.io.tmpdir");
    Context webapp = tomcat.addContext(CONTEXT_PATH_DIGEST, sharedTemp);
    // NOTE(review): Context.setSessionTimeout() takes minutes, while the
    // constant name suggests seconds - confirm the intended unit.
    webapp.setSessionTimeout(SHORT_TIMEOUT_SECS);

    // Protected servlet and its mapping.
    Tomcat.addServlet(webapp, "TesterServlet3", new TesterServlet());
    webapp.addServletMapping(URI_PROTECTED, "TesterServlet3");

    // The constraint ties the URL pattern to the required role.
    SecurityCollection urls = new SecurityCollection();
    urls.addPattern(URI_PROTECTED);
    SecurityConstraint requiresRole = new SecurityConstraint();
    requiresRole.addAuthRole(ROLE);
    requiresRole.addCollection(urls);
    webapp.addConstraint(requiresRole);

    // Authenticator configuration.
    LoginConfig login = new LoginConfig();
    login.setAuthMethod("DIGEST");
    webapp.setLoginConfig(login);
    webapp.getPipeline().addValve(new DigestAuthenticator());
}
项目:tomcat7    文件:WebRuleSet.java   
/**
 * Digester callback: flags the SecurityConstraint on top of the digester
 * stack as having an auth-constraint.
 *
 * @param namespace not used by this rule
 * @param name not used by this rule
 * @param attributes not used by this rule
 * @throws Exception declared by the rule contract
 */
@Override
public void begin(String namespace, String name, Attributes attributes)
    throws Exception {
    // NOTE(review): presumably bound to the <auth-constraint> element. With
    // the flag set and no role added afterwards the constraint would admit
    // nobody - confirm against the rule registration.
    Object top = digester.peek();
    ((SecurityConstraint) top).setAuthConstraint(true);

    if (!digester.getLogger().isDebugEnabled()) {
        return;
    }
    digester.getLogger()
       .debug("Calling SecurityConstraint.setAuthConstraint(true)");
}
项目:tomcat7    文件:ContextConfig.java   
/**
 * Check that every role name referenced by the deployment descriptor is a
 * declared security role of the context.  An undeclared role is not an
 * error: a warning is logged and the role is added to the context (for
 * backwards compatibility).  (To make these problems fatal instead, simply
 * set the <code>ok</code> instance variable to <code>false</code> as well).
 */
protected void validateSecurityRoles() {

    // Roles named in <security-constraint> elements. "*" is skipped because
    // it is the wildcard, not a role name.
    // NOTE(review): a misspelled role is silently declared here, so the only
    // trace of the mistake is the warning - worth watching for in the logs.
    for (SecurityConstraint constraint : context.findConstraints()) {
        for (String role : constraint.findAuthRoles()) {
            if ("*".equals(role) || context.findSecurityRole(role)) {
                continue;
            }
            log.warn(sm.getString("contextConfig.role.auth", role));
            context.addSecurityRole(role);
        }
    }

    // Roles named in <servlet> elements: run-as and security-role-ref links.
    for (Container child : context.findChildren()) {
        Wrapper wrapper = (Wrapper) child;

        String runAs = wrapper.getRunAs();
        boolean runAsUndeclared =
            (runAs != null) && !context.findSecurityRole(runAs);
        if (runAsUndeclared) {
            log.warn(sm.getString("contextConfig.role.runas", runAs));
            context.addSecurityRole(runAs);
        }

        for (String referenceName : wrapper.findSecurityReferences()) {
            String link = wrapper.findSecurityReference(referenceName);
            if ((link == null) || context.findSecurityRole(link)) {
                continue;
            }
            log.warn(sm.getString("contextConfig.role.link", link));
            context.addSecurityRole(link);
        }
    }

}
项目:tomcat7    文件:RealmBase.java   
/**
 * Convert a list of matched constraints to a SecurityConstraint [].
 *
 * @param results matched constraints; may be null
 * @return the list contents in order, or null when results is null or
 *         empty - null is the "no constraint matched" signal for callers
 */
private SecurityConstraint [] resultsToArray(
        ArrayList<SecurityConstraint> results) {
    boolean nothingMatched = (results == null) || results.isEmpty();
    if (nothingMatched) {
        return null;
    }
    return results.toArray(new SecurityConstraint[results.size()]);
}
项目:tomcat7    文件:StandardContext.java   
/**
 * Add a security constraint to the set for this web application, after
 * validating its URL patterns and HTTP-method lists.
 *
 * @param constraint the constraint to append
 * @throws IllegalArgumentException if a URL pattern is invalid after
 *         adjustment, or if a collection lists both methods and omitted
 *         methods
 */
@Override
public void addConstraint(SecurityConstraint constraint) {

    // Validation runs before the constraint becomes visible to the context.
    for (SecurityCollection collection : constraint.findCollections()) {
        String[] patterns = collection.findPatterns();
        for (int p = 0; p < patterns.length; p++) {
            // The adjusted pattern is written back into the array returned
            // by findPatterns(); presumably that is the collection's own
            // array, so the adjusted form is what gets stored - confirm.
            String adjusted = adjustURLPattern(patterns[p]);
            patterns[p] = adjusted;
            if (!validateURLPattern(adjusted)) {
                throw new IllegalArgumentException(sm.getString(
                        "standardContext.securityConstraint.pattern",
                        adjusted));
            }
        }
        // A collection may list covered methods or omitted methods, not both.
        boolean listsMethods = collection.findMethods().length > 0;
        if (listsMethods && collection.findOmittedMethods().length > 0) {
            throw new IllegalArgumentException(sm.getString(
                    "standardContext.securityConstraint.mixHttpMethod"));
        }
    }

    // Copy-and-append under the lock; the field is replaced, never mutated.
    synchronized (constraintsLock) {
        int oldLength = constraints.length;
        SecurityConstraint[] grown = new SecurityConstraint[oldLength + 1];
        System.arraycopy(constraints, 0, grown, 0, oldLength);
        grown[oldLength] = constraint;
        constraints = grown;
    }

}
项目:tomcat7    文件:StandardContext.java   
/**
 * Remove the specified security constraint from this web application.
 * Only the first constraint that <code>equals</code> the argument is
 * removed; if none does, the method returns without firing an event.
 *
 * @param constraint Constraint to be removed
 */
@Override
public void removeConstraint(SecurityConstraint constraint) {

    synchronized (constraintsLock) {

        // Locate the first matching entry.
        int found = -1;
        for (int i = 0; i < constraints.length && found < 0; i++) {
            if (constraints[i].equals(constraint)) {
                found = i;
            }
        }
        if (found < 0) {
            return;
        }

        // Build a copy without that entry and swap it in.
        SecurityConstraint[] remaining =
            new SecurityConstraint[constraints.length - 1];
        System.arraycopy(constraints, 0, remaining, 0, found);
        System.arraycopy(constraints, found + 1, remaining, found,
                remaining.length - found);
        constraints = remaining;

    }

    // Listeners are told outside the lock.
    fireContainerEvent("removeConstraint", constraint);

}
项目:tomcat7    文件:TestSSOnonLoginAndDigestAuthenticator.java   
/**
 * Registers the test context that uses the non-login authenticator.
 *
 * <p>It holds one servlet restricted to {@code ROLE} at
 * {@code URI_PROTECTED} and one at {@code URI_PUBLIC} whose constraint names
 * no role. The login method is "NONE".
 *
 * @param tomcat embedded server that receives the new context
 * @throws Exception declared for the test harness; nothing is caught here
 */
private void setUpNonLogin(Tomcat tomcat) throws Exception {
    // A null docBase is enough: nothing is served from disk.
    Context noLoginContext = tomcat.addContext(CONTEXT_PATH_NOLOGIN, null);
    // NOTE(review): Context.setSessionTimeout() takes minutes, while the
    // constant name suggests seconds - confirm the intended unit.
    noLoginContext.setSessionTimeout(LONG_TIMEOUT_SECS);

    // Protected servlet: the constraint requires ROLE.
    Tomcat.addServlet(noLoginContext, "TesterServlet1", new TesterServlet());
    noLoginContext.addServletMapping(URI_PROTECTED, "TesterServlet1");
    SecurityCollection protectedUrls = new SecurityCollection();
    protectedUrls.addPattern(URI_PROTECTED);
    SecurityConstraint roleRequired = new SecurityConstraint();
    roleRequired.addAuthRole(ROLE);
    roleRequired.addCollection(protectedUrls);
    noLoginContext.addConstraint(roleRequired);

    // Public servlet: its constraint deliberately gets no role, which is how
    // "access permitted without a role" is expressed.
    Tomcat.addServlet(noLoginContext, "TesterServlet2", new TesterServlet());
    noLoginContext.addServletMapping(URI_PUBLIC, "TesterServlet2");
    SecurityCollection publicUrls = new SecurityCollection();
    publicUrls.addPattern(URI_PUBLIC);
    SecurityConstraint openAccess = new SecurityConstraint();
    openAccess.addCollection(publicUrls);
    noLoginContext.addConstraint(openAccess);

    // Login-config and authenticator valve, set explicitly.
    LoginConfig noLogin = new LoginConfig();
    noLogin.setAuthMethod("NONE");
    noLoginContext.setLoginConfig(noLogin);
    noLoginContext.getPipeline().addValve(new NonLoginAuthenticator());
}
项目:tomcat7    文件:TestSSOnonLoginAndBasicAuthenticator.java   
/**
 * Creates {@code nonloginContext}: a context with a role-protected servlet,
 * a public servlet, login method "NONE" and a NonLoginAuthenticator valve.
 * No Realm is set on the context in this method.
 *
 * @throws Exception declared for the test harness; nothing is caught here
 */
private void setUpNonLogin() throws Exception {
    // A null docBase is enough: nothing is served from disk.
    nonloginContext = tomcat.addContext(CONTEXT_PATH_NOLOGIN, null);
    nonloginContext.setSessionTimeout(LONG_SESSION_TIMEOUT_MINS);

    // Protected servlet: reachable only with ROLE.
    Tomcat.addServlet(nonloginContext, "TesterServlet1",
            new TesterServletEncodeUrl());
    nonloginContext.addServletMapping(URI_PROTECTED, "TesterServlet1");
    SecurityCollection protectedUrls = new SecurityCollection();
    protectedUrls.addPattern(URI_PROTECTED);
    SecurityConstraint roleRequired = new SecurityConstraint();
    roleRequired.addAuthRole(ROLE);
    roleRequired.addCollection(protectedUrls);
    nonloginContext.addConstraint(roleRequired);

    // Public servlet: the constraint is left without a role on purpose,
    // which signals that access is permitted without one.
    Tomcat.addServlet(nonloginContext, "TesterServlet2",
            new TesterServletEncodeUrl());
    nonloginContext.addServletMapping(URI_PUBLIC, "TesterServlet2");
    SecurityCollection publicUrls = new SecurityCollection();
    publicUrls.addPattern(URI_PUBLIC);
    SecurityConstraint openAccess = new SecurityConstraint();
    openAccess.addCollection(publicUrls);
    nonloginContext.addConstraint(openAccess);

    // Authenticator; the Realm is meant to be inherited from the Engine.
    LoginConfig noLogin = new LoginConfig();
    noLogin.setAuthMethod("NONE");
    nonloginContext.setLoginConfig(noLogin);
    nonloginContext.getPipeline().addValve(new NonLoginAuthenticator());
}
项目:tomcat7    文件:TestSSOnonLoginAndBasicAuthenticator.java   
/**
 * Creates {@code basicContext}: a context with a role-protected servlet, a
 * public servlet, login method "BASIC" and a BasicAuthenticator valve.
 *
 * <p>No transport guarantee is configured in this method, so nothing here
 * forces the BASIC credentials onto an encrypted connection.
 *
 * @throws Exception declared for the test harness; nothing is caught here
 */
private void setUpLogin() throws Exception {
    // A null docBase is enough: nothing is served from disk.
    basicContext = tomcat.addContext(CONTEXT_PATH_LOGIN, null);
    basicContext.setSessionTimeout(SHORT_SESSION_TIMEOUT_MINS);

    // Protected servlet: reachable only with ROLE.
    Tomcat.addServlet(basicContext, "TesterServlet3",
            new TesterServletEncodeUrl());
    basicContext.addServletMapping(URI_PROTECTED, "TesterServlet3");
    SecurityCollection protectedUrls = new SecurityCollection();
    protectedUrls.addPattern(URI_PROTECTED);
    SecurityConstraint roleRequired = new SecurityConstraint();
    roleRequired.addAuthRole(ROLE);
    roleRequired.addCollection(protectedUrls);
    basicContext.addConstraint(roleRequired);

    // Public servlet: the constraint is left without a role on purpose,
    // which signals that access is permitted without one.
    Tomcat.addServlet(basicContext, "TesterServlet4",
            new TesterServletEncodeUrl());
    basicContext.addServletMapping(URI_PUBLIC, "TesterServlet4");
    SecurityCollection publicUrls = new SecurityCollection();
    publicUrls.addPattern(URI_PUBLIC);
    SecurityConstraint openAccess = new SecurityConstraint();
    openAccess.addCollection(publicUrls);
    basicContext.addConstraint(openAccess);

    // Authenticator; the Realm is meant to be inherited from the Engine.
    LoginConfig basicLogin = new LoginConfig();
    basicLogin.setAuthMethod("BASIC");
    basicContext.setLoginConfig(basicLogin);
    basicContext.getPipeline().addValve(new BasicAuthenticator());
}
项目:tomcat7    文件:TestNonLoginAndBasicAuthenticator.java   
/**
 * Creates {@code nonloginContext} with one servlet that requires
 * {@code ROLE}, one servlet that requires no role, login method "NONE" and
 * a NonLoginAuthenticator valve. The context gets no Realm of its own here.
 *
 * @throws Exception declared for the test harness; nothing is caught here
 */
private void setUpNonLogin() throws Exception {
    // Passing null as docBase: the context serves nothing from disk.
    nonloginContext = tomcat.addContext(CONTEXT_PATH_NOLOGIN, null);
    nonloginContext.setSessionTimeout(LONG_SESSION_TIMEOUT_MINS);

    // Servlet behind the role constraint.
    Tomcat.addServlet(nonloginContext, "TesterServlet1", new TesterServlet());
    nonloginContext.addServletMapping(URI_PROTECTED, "TesterServlet1");
    SecurityCollection guardedUrls = new SecurityCollection();
    guardedUrls.addPattern(URI_PROTECTED);
    SecurityConstraint needsRole = new SecurityConstraint();
    needsRole.addAuthRole(ROLE);
    needsRole.addCollection(guardedUrls);
    nonloginContext.addConstraint(needsRole);

    // Servlet that stays open: no role is added to its constraint, which
    // signals that access is permitted without one.
    Tomcat.addServlet(nonloginContext, "TesterServlet2", new TesterServlet());
    nonloginContext.addServletMapping(URI_PUBLIC, "TesterServlet2");
    SecurityCollection openUrls = new SecurityCollection();
    openUrls.addPattern(URI_PUBLIC);
    SecurityConstraint noRole = new SecurityConstraint();
    noRole.addCollection(openUrls);
    nonloginContext.addConstraint(noRole);

    // Authenticator; the Realm is meant to be inherited from the Engine.
    LoginConfig loginConfig = new LoginConfig();
    loginConfig.setAuthMethod("NONE");
    nonloginContext.setLoginConfig(loginConfig);
    nonloginContext.getPipeline().addValve(new NonLoginAuthenticator());
}
项目:tomcat7    文件:TestNonLoginAndBasicAuthenticator.java   
/**
 * Creates {@code basicContext} with one servlet that requires {@code ROLE},
 * one servlet that requires no role, login method "BASIC" and a
 * BasicAuthenticator valve.
 *
 * <p>This method sets no transport guarantee, so it does not by itself keep
 * the BASIC credentials off an unencrypted connection.
 *
 * @throws Exception declared for the test harness; nothing is caught here
 */
private void setUpLogin() throws Exception {
    // Passing null as docBase: the context serves nothing from disk.
    basicContext = tomcat.addContext(CONTEXT_PATH_LOGIN, null);
    basicContext.setSessionTimeout(SHORT_SESSION_TIMEOUT_MINS);

    // Servlet behind the role constraint.
    Tomcat.addServlet(basicContext, "TesterServlet3", new TesterServlet());
    basicContext.addServletMapping(URI_PROTECTED, "TesterServlet3");
    SecurityCollection guardedUrls = new SecurityCollection();
    guardedUrls.addPattern(URI_PROTECTED);
    SecurityConstraint needsRole = new SecurityConstraint();
    needsRole.addAuthRole(ROLE);
    needsRole.addCollection(guardedUrls);
    basicContext.addConstraint(needsRole);

    // Servlet that stays open: no role is added to its constraint, which
    // signals that access is permitted without one.
    Tomcat.addServlet(basicContext, "TesterServlet4", new TesterServlet());
    basicContext.addServletMapping(URI_PUBLIC, "TesterServlet4");
    SecurityCollection openUrls = new SecurityCollection();
    openUrls.addPattern(URI_PUBLIC);
    SecurityConstraint noRole = new SecurityConstraint();
    noRole.addCollection(openUrls);
    basicContext.addConstraint(noRole);

    // Authenticator; the Realm is meant to be inherited from the Engine.
    LoginConfig loginConfig = new LoginConfig();
    loginConfig.setAuthMethod("BASIC");
    basicContext.setLoginConfig(loginConfig);
    basicContext.getPipeline().addValve(new BasicAuthenticator());
}
项目:tomcat7    文件:TestDigestAuthenticator.java   
/**
 * Prepares a context with DIGEST authentication and one protected resource.
 *
 * <p>The context gets its own in-memory realm holding a single user
 * ({@code USER}/{@code PWD}) who is a member of {@code ROLE}, and the
 * login-config carries the realm name {@code REALM}.
 *
 * @throws Exception if the superclass set-up or the configuration fails
 */
@Override
public void setUp() throws Exception {
    super.setUp();

    Tomcat server = getTomcatInstance();

    // A null docBase is enough: nothing is served from disk.
    Context digestContext = server.addContext(CONTEXT_PATH, null);

    // The protected resource and the rule that guards it.
    Tomcat.addServlet(digestContext, "TesterServlet", new TesterServlet());
    digestContext.addServletMapping(URI, "TesterServlet");
    SecurityCollection protectedUrls = new SecurityCollection();
    protectedUrls.addPattern(URI);
    SecurityConstraint roleRequired = new SecurityConstraint();
    roleRequired.addAuthRole(ROLE);
    roleRequired.addCollection(protectedUrls);
    digestContext.addConstraint(roleRequired);

    // Test-only user store: the credential is a constant of the test class.
    MapRealm users = new MapRealm();
    users.addUser(USER, PWD);
    users.addUserRole(USER, ROLE);
    digestContext.setRealm(users);

    // Authentication mechanism and the valve that enforces it.
    LoginConfig digestLogin = new LoginConfig();
    digestLogin.setAuthMethod("DIGEST");
    digestLogin.setRealmName(REALM);
    digestContext.setLoginConfig(digestLogin);
    digestContext.getPipeline().addValve(new DigestAuthenticator());
}
项目:tomcat7    文件:TestRestCsrfPreventionFilter2.java   
/**
 * Creates the test application: one servlet at {@code URI_PROTECTED}, the
 * REST CSRF prevention filter on {@code URI_CSRF_PROTECTED}, a role
 * constraint on {@code URI_PROTECTED} and a BasicAuthenticator valve.
 *
 * <p>The filter mapping and the security constraint use different pattern
 * constants, so CSRF protection and authentication each cover only what
 * their own pattern matches.
 *
 * @throws Exception declared for the test harness; nothing is caught here
 */
private void setUpApplication() throws Exception {
    // docBase is the JVM temp directory - a shared location, test use only.
    String docBase = System.getProperty("java.io.tmpdir");
    context = tomcat.addContext(CONTEXT_PATH_LOGIN, docBase);
    context.setSessionTimeout(SHORT_SESSION_TIMEOUT_MINS);

    Tomcat.addServlet(context, SERVLET_NAME, new TesterServlet());
    context.addServletMapping(URI_PROTECTED, SERVLET_NAME);

    // CSRF filter definition; the init parameter is a comma-separated pair
    // built from REMOVE_CUSTOMER and ADD_CUSTOMER.
    FilterDef csrfFilter = new FilterDef();
    csrfFilter.setFilterName(FILTER_NAME);
    csrfFilter.setFilterClass(RestCsrfPreventionFilter.class.getCanonicalName());
    String initValue = REMOVE_CUSTOMER + "," + ADD_CUSTOMER;
    csrfFilter.addInitParameter(FILTER_INIT_PARAM, initValue);
    context.addFilterDef(csrfFilter);

    FilterMap csrfMapping = new FilterMap();
    csrfMapping.setFilterName(FILTER_NAME);
    csrfMapping.addURLPattern(URI_CSRF_PROTECTED);
    context.addFilterMap(csrfMapping);

    // Role constraint on the protected URL.
    SecurityCollection protectedUrls = new SecurityCollection();
    protectedUrls.addPattern(URI_PROTECTED);
    SecurityConstraint roleRequired = new SecurityConstraint();
    roleRequired.addAuthRole(ROLE);
    roleRequired.addCollection(protectedUrls);
    context.addConstraint(roleRequired);

    // NOTE(review): the valve is a BasicAuthenticator while the login-config
    // takes its method from METHOD - confirm METHOD is "BASIC".
    LoginConfig loginConfig = new LoginConfig();
    loginConfig.setAuthMethod(METHOD);
    context.setLoginConfig(loginConfig);

    context.getPipeline().addValve(new BasicAuthenticator());
}
项目:tomcat7    文件:TesterSupport.java   
/**
 * Configures a root context for client-certificate tests: SSL is initialised
 * first, then one servlet is mapped at both "/unprotected" and "/protected",
 * and only "/protected" is constrained to {@code ROLE}.
 *
 * <p>The realm user is named by a certificate subject string; the password
 * argument is the literal "not used".
 *
 * @param tomcat embedded server to configure
 */
protected static void configureClientCertContext(Tomcat tomcat) {
    TesterSupport.initSsl(tomcat);

    // One application with a protected and an unprotected URL; no docBase
    // on disk is needed.
    Context rootContext = tomcat.addContext("", null);

    Tomcat.addServlet(rootContext, "simple", new SimpleServlet());
    rootContext.addServletMapping("/unprotected", "simple");
    rootContext.addServletMapping("/protected", "simple");

    // Only "/protected" gets a constraint; "/unprotected" has none at all.
    SecurityCollection protectedUrls = new SecurityCollection();
    protectedUrls.addPattern("/protected");
    SecurityConstraint roleRequired = new SecurityConstraint();
    roleRequired.addAuthRole(ROLE);
    roleRequired.addCollection(protectedUrls);
    rootContext.addConstraint(roleRequired);

    // Test-only user store keyed by the certificate subject.
    MapRealm certUsers = new MapRealm();
    certUsers.addUser("CN=user1, C=US", "not used");
    certUsers.addUserRole("CN=user1, C=US", ROLE);
    rootContext.setRealm(certUsers);

    // CLIENT-CERT login-config and the valve that enforces it.
    LoginConfig certLogin = new LoginConfig();
    certLogin.setAuthMethod("CLIENT-CERT");
    rootContext.setLoginConfig(certLogin);
    rootContext.getPipeline().addValve(new SSLAuthenticator());
}
项目:lams    文件:WebRuleSet.java   
/**
 * Digester callback: flags the SecurityConstraint on top of the digester
 * stack as having an auth-constraint.
 *
 * @param namespace not used by this rule
 * @param name not used by this rule
 * @param attributes not used by this rule
 * @throws Exception declared by the rule contract
 */
public void begin(String namespace, String name, Attributes attributes)
    throws Exception {
    // NOTE(review): presumably bound to the <auth-constraint> element. With
    // the flag set and no role added afterwards the constraint would admit
    // nobody - confirm against the rule registration.
    Object top = digester.peek();
    ((SecurityConstraint) top).setAuthConstraint(true);

    if (!digester.getLogger().isDebugEnabled()) {
        return;
    }
    digester.getLogger()
       .debug("Calling SecurityConstraint.setAuthConstraint(true)");
}
项目:lams    文件:ContextConfig.java   
/**
 * Check that every role name referenced by the deployment descriptor is a
 * declared security role of the context.  An undeclared role is not an
 * error: a message is logged and the role is added to the context (for
 * backwards compatibility).  (To make these problems fatal instead, simply
 * set the <code>ok</code> instance variable to <code>false</code> as well).
 */
protected void validateSecurityRoles() {

    // Roles named in <security-constraint> elements. "*" is skipped because
    // it is the wildcard, not a role name.
    // NOTE(review): the messages are logged at info level, so an
    // auto-declared (possibly misspelled) role is easy to miss.
    SecurityConstraint declared[] = context.findConstraints();
    for (int c = 0; c < declared.length; c++) {
        String authRoles[] = declared[c].findAuthRoles();
        for (int r = 0; r < authRoles.length; r++) {
            String role = authRoles[r];
            if ("*".equals(role) || context.findSecurityRole(role)) {
                continue;
            }
            log.info(sm.getString("contextConfig.role.auth", role));
            context.addSecurityRole(role);
        }
    }

    // Roles named in <servlet> elements: run-as and security-role-ref links.
    Container children[] = context.findChildren();
    for (int w = 0; w < children.length; w++) {
        Wrapper wrapper = (Wrapper) children[w];

        String runAs = wrapper.getRunAs();
        boolean runAsUndeclared =
            (runAs != null) && !context.findSecurityRole(runAs);
        if (runAsUndeclared) {
            log.info(sm.getString("contextConfig.role.runas", runAs));
            context.addSecurityRole(runAs);
        }

        String referenceNames[] = wrapper.findSecurityReferences();
        for (int n = 0; n < referenceNames.length; n++) {
            String link = wrapper.findSecurityReference(referenceNames[n]);
            if ((link == null) || context.findSecurityRole(link)) {
                continue;
            }
            log.info(sm.getString("contextConfig.role.link", link));
            context.addSecurityRole(link);
        }
    }

}
项目:lams    文件:RealmBase.java   
/**
 * Convert a list of matched constraints to a SecurityConstraint [].
 *
 * @param results matched constraints; may be null
 * @return the list contents in order, or null when results is null. An empty
 *         list yields an empty array, not null, so callers that test only
 *         for null see "constraints present" in that case.
 */
private SecurityConstraint [] resultsToArray(ArrayList results) {
    if (results != null) {
        // The list is raw, so toArray() returns Object[] statically; the
        // runtime array is the SecurityConstraint[] passed in.
        SecurityConstraint [] target = new SecurityConstraint[results.size()];
        return (SecurityConstraint []) results.toArray(target);
    }
    return null;
}
项目:lams    文件:JAASMemoryLoginModule.java   
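/**
 * Return the SecurityConstraints configured to guard the request URI for
 * this request, or <code>null</code> if there is no such constraint.
 *
 * @param request Request we are processing
 * @param context Context the Request is mapped to
 * @return the matching constraints in the order the context returns them,
 *         or <code>null</code> when the context defines none or none matches
 */
public SecurityConstraint [] findSecurityConstraints(Request request,
                                                 Context context) {
    // Are there any defined security constraints?
    SecurityConstraint constraints[] = context.findConstraints();
    if ((constraints == null) || (constraints.length == 0)) {
        if (context.getLogger().isDebugEnabled())
            context.getLogger().debug("  No applicable constraints defined");
        return (null);
    }

    // Reduce the request URI to the path inside the context
    String uri = request.getDecodedRequestURI();
    String contextPath = request.getContextPath();
    if (contextPath.length() > 0)
        uri = uri.substring(contextPath.length());
    // NOTE(review): the URI came from getDecodedRequestURI() and is decoded
    // again here, so the path matched against the constraints can differ
    // from the path the container maps to a servlet. Confirm that both use
    // the same decoded form before relying on this check.
    uri = RequestUtil.URLDecode(uri); // Before checking constraints
    String method = request.getMethod();

    // Check each defined security constraint; included() is evaluated once
    // per constraint and reused for the debug output.
    boolean debug = context.getLogger().isDebugEnabled();
    ArrayList<SecurityConstraint> results = null;
    for (int i = 0; i < constraints.length; i++) {
        boolean applies = constraints[i].included(uri, method);
        if (debug)
            context.getLogger().debug("  Checking constraint '" + constraints[i] +
                "' against " + method + " " + uri + " --> " + applies);
        if (applies) {
            if (results == null) {
                results = new ArrayList<SecurityConstraint>();
            }
            results.add(constraints[i]);
        }
    }

    // The "none located" message used to be logged even when constraints had
    // matched, which made the debug trace of an access decision misleading.
    if (results == null) {
        if (debug)
            context.getLogger().debug("  No applicable constraint located");
        return null;
    }
    return results.toArray(new SecurityConstraint[results.size()]);
}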
项目:lams    文件:StandardContext.java   
/**
 * Add a security constraint to the set for this web application, after
 * validating its URL patterns.
 *
 * @param constraint the constraint to append
 * @throws IllegalArgumentException if a URL pattern is invalid after
 *         adjustment
 */
public void addConstraint(SecurityConstraint constraint) {

    // Validation runs before the constraint becomes visible to the context.
    SecurityCollection toCheck[] = constraint.findCollections();
    for (int c = 0; c < toCheck.length; c++) {
        String patterns[] = toCheck[c].findPatterns();
        for (int p = 0; p < patterns.length; p++) {
            // The adjusted pattern is written back into the array returned
            // by findPatterns(); presumably that is the collection's own
            // array, so the adjusted form is what gets stored - confirm.
            String adjusted = adjustURLPattern(patterns[p]);
            patterns[p] = adjusted;
            if (!validateURLPattern(adjusted)) {
                throw new IllegalArgumentException(sm.getString(
                        "standardContext.securityConstraint.pattern",
                        adjusted));
            }
        }
    }

    // NOTE(review): the monitor is the array that this block replaces. Once
    // the field points at the new array, a later caller locks a different
    // object than a thread still inside the block, so the two are not
    // mutually exclusive. A dedicated final lock object avoids this.
    synchronized (constraints) {
        int oldLength = constraints.length;
        SecurityConstraint grown[] = new SecurityConstraint[oldLength + 1];
        System.arraycopy(constraints, 0, grown, 0, oldLength);
        grown[oldLength] = constraint;
        constraints = grown;
    }

}
项目:lams    文件:StandardContext.java   
/**
 * Remove the specified security constraint from this web application.
 * Only the first constraint that <code>equals</code> the argument is
 * removed; if none does, the method returns without firing an event.
 *
 * @param constraint Constraint to be removed
 */
public void removeConstraint(SecurityConstraint constraint) {

    // NOTE(review): the monitor is the array that this block replaces, so a
    // concurrent add or remove can end up locking a different object. A
    // dedicated final lock object avoids this.
    synchronized (constraints) {

        // Locate the first matching entry.
        int found = -1;
        for (int i = 0; i < constraints.length && found < 0; i++) {
            if (constraints[i].equals(constraint)) {
                found = i;
            }
        }
        if (found < 0) {
            return;
        }

        // Build a copy without that entry and swap it in.
        SecurityConstraint remaining[] =
            new SecurityConstraint[constraints.length - 1];
        System.arraycopy(constraints, 0, remaining, 0, found);
        System.arraycopy(constraints, found + 1, remaining, found,
                remaining.length - found);
        constraints = remaining;

    }

    // Listeners are told outside the lock.
    fireContainerEvent("removeConstraint", constraint);

}
项目:jerrydog    文件:WebRuleSet.java   
/**
 * Flag the <code>SecurityConstraint</code> on top of the digester stack as
 * carrying an auth constraint.
 * <p>
 * NOTE(review): presumably this rule fires for an
 * <code>&lt;auth-constraint&gt;</code> element, so that a constraint which
 * has the element but lists no role names can be told apart from one with
 * no such element at all - confirm against the rule registration.
 *
 * @param attributes attributes of the matched element (not used here)
 *
 * @exception Exception declared by the rule signature; the cast of the
 *  stack top fails if that object is not a <code>SecurityConstraint</code>
 */
public void begin(Attributes attributes) throws Exception {
    SecurityConstraint top = (SecurityConstraint) digester.peek();
    top.setAuthConstraint(true);
    if (digester.getDebug() <= 0) {
        return;
    }
    digester.log("Calling SecurityConstraint.setAuthConstraint(true)");
}
项目:jerrydog    文件:ContextConfig.java   
/**
 * Validate the usage of security role names in the web application
 * deployment descriptor.  If any problems are found, issue warning
 * messages (for backwards compatibility) and add the missing roles.
 * (To make these problems fatal instead, simply set the <code>ok</code>
 * instance variable to <code>false</code> as well).
 * <p>
 * Because an undeclared role is declared on the fly instead of failing the
 * deployment, a misspelt role name in a constraint, a run-as element or a
 * role link deploys with nothing more than a log message.  Those messages
 * are worth reviewing when an access rule does not behave as expected.
 */
private void validateSecurityRoles() {

    // Roles referenced from <security-constraint> elements; "*" is skipped
    SecurityConstraint[] declared = context.findConstraints();
    for (int c = 0; c < declared.length; c++) {
        String[] authRoles = declared[c].findAuthRoles();
        for (int r = 0; r < authRoles.length; r++) {
            String role = authRoles[r];
            if ("*".equals(role) || context.findSecurityRole(role)) {
                continue;
            }
            log(sm.getString("contextConfig.role.auth", role));
            context.addSecurityRole(role);
        }
    }

    // Roles referenced from <servlet> elements: run-as and role links
    Container[] children = context.findChildren();
    for (int w = 0; w < children.length; w++) {
        Wrapper servlet = (Wrapper) children[w];

        String runAsRole = servlet.getRunAs();
        if (runAsRole != null && !context.findSecurityRole(runAsRole)) {
            log(sm.getString("contextConfig.role.runas", runAsRole));
            context.addSecurityRole(runAsRole);
        }

        String[] referenceNames = servlet.findSecurityReferences();
        for (int n = 0; n < referenceNames.length; n++) {
            String linked = servlet.findSecurityReference(referenceNames[n]);
            if (linked == null || context.findSecurityRole(linked)) {
                continue;
            }
            log(sm.getString("contextConfig.role.link", linked));
            context.addSecurityRole(linked);
        }
    }

}
项目:jerrydog    文件:AuthenticatorBase.java   
/**
 * Return the SecurityConstraint configured to guard the request URI for
 * this request, or <code>null</code> if there is no such constraint.
 * <p>
 * Constraints are tried in the order returned by
 * <code>context.findConstraints()</code> and the first one whose
 * <code>included(uri, method)</code> check succeeds is returned; later
 * constraints are not consulted.
 *
 * @param request Request we are processing
 */
protected SecurityConstraint findConstraint(HttpRequest request) {

    // Nothing to match against when the context defines no constraints
    SecurityConstraint[] candidates = context.findConstraints();
    if (candidates == null || candidates.length == 0) {
        if (debug >= 2) {
            log("  No applicable constraints defined");
        }
        return null;
    }

    // Work out the context-relative URI and the HTTP method.
    // NOTE(review): the context path is removed by length only, which
    // assumes the decoded request URI starts with exactly that path -
    // confirm that both values are normalised the same way upstream.
    HttpServletRequest servletRequest =
        (HttpServletRequest) request.getRequest();
    String relativeUri = request.getDecodedRequestURI();
    String contextPath = servletRequest.getContextPath();
    if (contextPath.length() > 0) {
        relativeUri = relativeUri.substring(contextPath.length());
    }
    String httpMethod = servletRequest.getMethod();

    // First match wins; at debug level 2 the URI and method are logged
    for (int k = 0; k < candidates.length; k++) {
        SecurityConstraint candidate = candidates[k];
        if (debug >= 2) {
            log("  Checking constraint '" + candidate +
                "' against " + httpMethod + " " + relativeUri + " --> " +
                candidate.included(relativeUri, httpMethod));
        }
        if (candidate.included(relativeUri, httpMethod)) {
            return candidate;
        }
    }

    // Fell through every constraint without a match
    if (debug >= 2) {
        log("  No applicable constraint located");
    }
    return null;

}
项目:jerrydog    文件:StandardContext.java   
/**
 * Add a security constraint to the set for this web application.
 * <p>
 * All URL patterns of the constraint are adjusted with
 * <code>adjustURLPattern</code> (the adjusted value replaces the entry in
 * the array returned by <code>findPatterns()</code>) and then validated.
 * Only a constraint whose patterns all validate is appended.
 *
 * @param constraint Constraint to be added
 *
 * @exception IllegalArgumentException if <code>validateURLPattern</code>
 *  rejects one of the adjusted patterns
 */
public void addConstraint(SecurityConstraint constraint) {

    // Reject the whole constraint on the first pattern that fails to validate
    SecurityCollection[] resourceSets = constraint.findCollections();
    for (int s = 0; s < resourceSets.length; s++) {
        String[] patternList = resourceSets[s].findPatterns();
        for (int k = 0; k < patternList.length; k++) {
            patternList[k] = adjustURLPattern(patternList[k]);
            boolean valid = validateURLPattern(patternList[k]);
            if (!valid) {
                String message = sm.getString(
                    "standardContext.securityConstraint.pattern",
                    patternList[k]);
                throw new IllegalArgumentException(message);
            }
        }
    }

    // Replace the array with a copy that has the new constraint at the end.
    // NOTE(review): this synchronizes on the very array that is swapped out
    // below, so threads racing with the swap may hold different monitors and
    // a concurrent add or remove can be lost.  Locking a dedicated final
    // object instead would close that window.
    synchronized (constraints) {
        int oldLength = constraints.length;
        SecurityConstraint[] extended = new SecurityConstraint[oldLength + 1];
        System.arraycopy(constraints, 0, extended, 0, oldLength);
        extended[oldLength] = constraint;
        constraints = extended;
    }

}
项目:jerrydog    文件:StandardContext.java   
/**
 * Remove the specified security constraint from this web application.
 * <p>
 * Only the first entry equal to <code>constraint</code> is removed.  When
 * nothing matches, the array is left alone and no event is fired.
 *
 * @param constraint Constraint to be removed
 */
public void removeConstraint(SecurityConstraint constraint) {

    // NOTE(review): the monitor used here is the array that is reassigned
    // inside the block; after the swap, new callers lock the new array
    // while earlier waiters still hold the old one.  A dedicated final lock
    // object would keep all callers on one monitor.
    synchronized (constraints) {

        // Search for the entry to drop
        int position = -1;
        int scan = 0;
        while (position < 0 && scan < constraints.length) {
            if (constraints[scan].equals(constraint)) {
                position = scan;
            }
            scan++;
        }
        if (position < 0) {
            return;
        }

        // Assemble the shortened array from the two halves around the match
        int newLength = constraints.length - 1;
        SecurityConstraint[] trimmed = new SecurityConstraint[newLength];
        System.arraycopy(constraints, 0, trimmed, 0, position);
        System.arraycopy(constraints, position + 1, trimmed, position,
                         newLength - position);
        constraints = trimmed;

    }

    // Notify listeners once the lock is no longer held
    fireContainerEvent("removeConstraint", constraint);

}
项目:apache-tomcat-7.0.73-with-comment    文件:RealmBase.java   
/**
 * Convert an ArrayList to a SecurityConstraint [].
 *
 * @param results constraints collected so far; may be <code>null</code>
 * @return the list contents as an array, or <code>null</code> (not an
 *  empty array) when the list is <code>null</code> or empty
 */
private SecurityConstraint [] resultsToArray(
        ArrayList<SecurityConstraint> results) {
    // A missing list and an empty list are reported the same way
    boolean nothingCollected = (results == null) || results.isEmpty();
    if (nothingCollected) {
        return null;
    }
    return results.toArray(new SecurityConstraint[results.size()]);
}
项目:apache-tomcat-7.0.73-with-comment    文件:StandardContext.java   
/**
 * Add a security constraint to the set for this web application.
 * <p>
 * For each collection in the constraint, every URL pattern is adjusted with
 * <code>adjustURLPattern</code>, written back into the array returned by
 * <code>findPatterns()</code>, and validated.  A collection that lists both
 * HTTP methods and omitted HTTP methods is rejected as well.  The constraint
 * is appended under <code>constraintsLock</code> only after all collections
 * have passed.
 *
 * @param constraint Constraint to be added
 *
 * @exception IllegalArgumentException if a URL pattern fails validation or
 *  a collection mixes methods with omitted methods
 */
@Override
public void addConstraint(SecurityConstraint constraint) {

    // Check every collection before the constraint becomes visible
    for (SecurityCollection collection : constraint.findCollections()) {
        String[] urlPatterns = collection.findPatterns();
        for (int k = 0; k < urlPatterns.length; k++) {
            String adjusted = adjustURLPattern(urlPatterns[k]);
            urlPatterns[k] = adjusted;
            if (!validateURLPattern(adjusted)) {
                throw new IllegalArgumentException(sm.getString(
                        "standardContext.securityConstraint.pattern",
                        adjusted));
            }
        }

        // Listing methods and omitted methods together is refused
        boolean listsMethods = collection.findMethods().length > 0;
        if (listsMethods && collection.findOmittedMethods().length > 0) {
            throw new IllegalArgumentException(sm.getString(
                    "standardContext.securityConstraint.mixHttpMethod"));
        }
    }

    // Copy-and-append while holding the dedicated lock object
    synchronized (constraintsLock) {
        SecurityConstraint[] grown =
            new SecurityConstraint[constraints.length + 1];
        System.arraycopy(constraints, 0, grown, 0, constraints.length);
        grown[constraints.length] = constraint;
        constraints = grown;
    }

}
项目:apache-tomcat-7.0.73-with-comment    文件:StandardContext.java   
/**
 * Remove the specified security constraint from this web application.
 * <p>
 * The first entry equal to <code>constraint</code> is removed while
 * <code>constraintsLock</code> is held.  If there is no such entry the
 * method returns without firing a container event.
 *
 * @param constraint Constraint to be removed
 */
@Override
public void removeConstraint(SecurityConstraint constraint) {

    synchronized (constraintsLock) {

        // Find the first entry equal to the argument
        int index = 0;
        while (index < constraints.length
               && !constraints[index].equals(constraint)) {
            index++;
        }
        if (index >= constraints.length) {
            return;
        }

        // Rebuild the array without that entry
        SecurityConstraint[] remaining =
            new SecurityConstraint[constraints.length - 1];
        System.arraycopy(constraints, 0, remaining, 0, index);
        System.arraycopy(constraints, index + 1, remaining, index,
                         remaining.length - index);
        constraints = remaining;

    }

    // The event is fired outside the synchronized block
    fireContainerEvent("removeConstraint", constraint);

}
项目:apache-tomcat-7.0.73-with-comment    文件:TestSSOnonLoginAndDigestAuthenticator.java   
/**
 * Set up the test context that uses no login: one servlet mapped to
 * URI_PROTECTED behind a constraint requiring ROLE, one servlet mapped to
 * URI_PUBLIC behind a constraint without any role, and a
 * NonLoginAuthenticator valve with auth method "NONE".
 *
 * @param tomcat the embedded Tomcat instance that receives the context
 */
private void setUpNonLogin(Tomcat tomcat) throws Exception {

    // The context needs no docBase on the file system.
    // NOTE(review): Context.setSessionTimeout takes minutes while the
    // constant is named *_SECS - confirm the intended unit.
    Context noLoginContext = tomcat.addContext(CONTEXT_PATH_NOLOGIN, null);
    noLoginContext.setSessionTimeout(LONG_TIMEOUT_SECS);

    // Protected resource: the constraint names ROLE as the required role
    Tomcat.addServlet(noLoginContext, "TesterServlet1", new TesterServlet());
    noLoginContext.addServletMapping(URI_PROTECTED, "TesterServlet1");
    SecurityCollection protectedResources = new SecurityCollection();
    protectedResources.addPattern(URI_PROTECTED);
    SecurityConstraint protectedConstraint = new SecurityConstraint();
    protectedConstraint.addAuthRole(ROLE);
    protectedConstraint.addCollection(protectedResources);
    noLoginContext.addConstraint(protectedConstraint);

    // Public resource: no role is added to the constraint, which signals
    // that access is permitted without one
    Tomcat.addServlet(noLoginContext, "TesterServlet2", new TesterServlet());
    noLoginContext.addServletMapping(URI_PUBLIC, "TesterServlet2");
    SecurityCollection publicResources = new SecurityCollection();
    publicResources.addPattern(URI_PUBLIC);
    SecurityConstraint publicConstraint = new SecurityConstraint();
    publicConstraint.addCollection(publicResources);
    noLoginContext.addConstraint(publicConstraint);

    // Auth method "NONE", enforced by a NonLoginAuthenticator valve
    LoginConfig loginConfig = new LoginConfig();
    loginConfig.setAuthMethod("NONE");
    noLoginContext.setLoginConfig(loginConfig);
    NonLoginAuthenticator authenticatorValve = new NonLoginAuthenticator();
    noLoginContext.getPipeline().addValve(authenticatorValve);
}
项目:apache-tomcat-7.0.73-with-comment    文件:TestSSOnonLoginAndBasicAuthenticator.java   
/**
 * Create the non-login test context on the shared <code>tomcat</code>
 * instance and store it in <code>nonloginContext</code>.  URI_PROTECTED is
 * guarded by a constraint requiring ROLE, URI_PUBLIC by a constraint that
 * names no role, and the pipeline gets a NonLoginAuthenticator with auth
 * method "NONE".
 */
private void setUpNonLogin() throws Exception {

    // No docBase on the file system is needed for this context
    nonloginContext = tomcat.addContext(CONTEXT_PATH_NOLOGIN, null);
    nonloginContext.setSessionTimeout(LONG_SESSION_TIMEOUT_MINS);

    // Servlet behind the role-protected URI
    TesterServletEncodeUrl protectedServlet = new TesterServletEncodeUrl();
    Tomcat.addServlet(nonloginContext, "TesterServlet1", protectedServlet);
    nonloginContext.addServletMapping(URI_PROTECTED, "TesterServlet1");

    SecurityCollection protectedResources = new SecurityCollection();
    protectedResources.addPattern(URI_PROTECTED);
    SecurityConstraint protectedConstraint = new SecurityConstraint();
    protectedConstraint.addAuthRole(ROLE);
    protectedConstraint.addCollection(protectedResources);
    nonloginContext.addConstraint(protectedConstraint);

    // Servlet behind the public URI
    TesterServletEncodeUrl publicServlet = new TesterServletEncodeUrl();
    Tomcat.addServlet(nonloginContext, "TesterServlet2", publicServlet);
    nonloginContext.addServletMapping(URI_PUBLIC, "TesterServlet2");

    // The public constraint deliberately gets no role, which signals that
    // access is permitted without one
    SecurityCollection publicResources = new SecurityCollection();
    publicResources.addPattern(URI_PUBLIC);
    SecurityConstraint publicConstraint = new SecurityConstraint();
    publicConstraint.addCollection(publicResources);
    nonloginContext.addConstraint(publicConstraint);

    // Install the authenticator; the Realm is inherited from the Engine
    LoginConfig loginConfig = new LoginConfig();
    loginConfig.setAuthMethod("NONE");
    nonloginContext.setLoginConfig(loginConfig);
    nonloginContext.getPipeline().addValve(new NonLoginAuthenticator());
}
项目:apache-tomcat-7.0.73-with-comment    文件:TestSSOnonLoginAndBasicAuthenticator.java   
/**
 * Create the BASIC-authenticated test context on the shared
 * <code>tomcat</code> instance and store it in <code>basicContext</code>.
 * URI_PROTECTED is guarded by a constraint requiring ROLE, URI_PUBLIC by a
 * constraint that names no role, and the pipeline gets a
 * BasicAuthenticator.
 * <p>
 * This is test scaffolding: HTTP Basic sends the credentials merely
 * base64-encoded on every request, so outside a test it needs TLS.
 */
private void setUpLogin() throws Exception {

    // No docBase on the file system is needed for this context
    basicContext = tomcat.addContext(CONTEXT_PATH_LOGIN, null);
    basicContext.setSessionTimeout(SHORT_SESSION_TIMEOUT_MINS);

    // Role-protected servlet and its constraint
    TesterServletEncodeUrl protectedServlet = new TesterServletEncodeUrl();
    Tomcat.addServlet(basicContext, "TesterServlet3", protectedServlet);
    basicContext.addServletMapping(URI_PROTECTED, "TesterServlet3");
    SecurityCollection protectedResources = new SecurityCollection();
    protectedResources.addPattern(URI_PROTECTED);
    SecurityConstraint protectedConstraint = new SecurityConstraint();
    protectedConstraint.addAuthRole(ROLE);
    protectedConstraint.addCollection(protectedResources);
    basicContext.addConstraint(protectedConstraint);

    // Public servlet; its constraint gets no role, which signals that
    // access is permitted without one
    TesterServletEncodeUrl publicServlet = new TesterServletEncodeUrl();
    Tomcat.addServlet(basicContext, "TesterServlet4", publicServlet);
    basicContext.addServletMapping(URI_PUBLIC, "TesterServlet4");
    SecurityCollection publicResources = new SecurityCollection();
    publicResources.addPattern(URI_PUBLIC);
    SecurityConstraint publicConstraint = new SecurityConstraint();
    publicConstraint.addCollection(publicResources);
    basicContext.addConstraint(publicConstraint);

    // Install the authenticator; the Realm is inherited from the Engine
    LoginConfig loginConfig = new LoginConfig();
    loginConfig.setAuthMethod("BASIC");
    basicContext.setLoginConfig(loginConfig);
    basicContext.getPipeline().addValve(new BasicAuthenticator());
}
项目:apache-tomcat-7.0.73-with-comment    文件:TestNonLoginAndBasicAuthenticator.java   
/**
 * Build the context used for the BASIC login tests and keep it in
 * <code>basicContext</code>: a servlet at URI_PROTECTED that requires ROLE,
 * a servlet at URI_PUBLIC whose constraint names no role, and a
 * BasicAuthenticator valve with auth method "BASIC".
 * <p>
 * This is test scaffolding: HTTP Basic sends the credentials merely
 * base64-encoded on every request, so outside a test it needs TLS.
 */
private void setUpLogin() throws Exception {

    // The context is created without a docBase on the file system
    basicContext = tomcat.addContext(CONTEXT_PATH_LOGIN, null);
    basicContext.setSessionTimeout(SHORT_SESSION_TIMEOUT_MINS);

    // Protected side: servlet, mapping and a constraint that requires ROLE
    Tomcat.addServlet(basicContext, "TesterServlet3", new TesterServlet());
    basicContext.addServletMapping(URI_PROTECTED, "TesterServlet3");
    SecurityCollection guardedUris = new SecurityCollection();
    guardedUris.addPattern(URI_PROTECTED);
    SecurityConstraint roleRequired = new SecurityConstraint();
    roleRequired.addAuthRole(ROLE);
    roleRequired.addCollection(guardedUris);
    basicContext.addConstraint(roleRequired);

    // Public side: servlet and mapping
    Tomcat.addServlet(basicContext, "TesterServlet4", new TesterServlet());
    basicContext.addServletMapping(URI_PUBLIC, "TesterServlet4");

    // No role is added here, which signals access permitted without one
    SecurityCollection openUris = new SecurityCollection();
    openUris.addPattern(URI_PUBLIC);
    SecurityConstraint noRoleRequired = new SecurityConstraint();
    noRoleRequired.addCollection(openUris);
    basicContext.addConstraint(noRoleRequired);

    // Install the authenticator; the Realm is inherited from the Engine
    LoginConfig basicLogin = new LoginConfig();
    basicLogin.setAuthMethod("BASIC");
    basicContext.setLoginConfig(basicLogin);
    basicContext.getPipeline().addValve(new BasicAuthenticator());
}