io.undertow.servlet.api.SecurityInfo Java Examples

The following examples show how to use io.undertow.servlet.api.SecurityInfo. You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example #1
Source File: ServletContextImpl.java    From quarkus-http with Apache License 2.0 5 votes vote down vote up
@Override
public Void run() {
    final ServletSecurity security = servletInfo.getServletClass().getAnnotation(ServletSecurity.class);
    if (security != null) {

        ServletSecurityInfo servletSecurityInfo = new ServletSecurityInfo()
                .setEmptyRoleSemantic(security.value().value() == ServletSecurity.EmptyRoleSemantic.DENY ? SecurityInfo.EmptyRoleSemantic.DENY : SecurityInfo.EmptyRoleSemantic.PERMIT)
                .setTransportGuaranteeType(security.value().transportGuarantee() == ServletSecurity.TransportGuarantee.CONFIDENTIAL ? TransportGuaranteeType.CONFIDENTIAL : TransportGuaranteeType.NONE)
                .addRolesAllowed(security.value().rolesAllowed());
        for (HttpMethodConstraint constraint : security.httpMethodConstraints()) {
            servletSecurityInfo.addHttpMethodSecurityInfo(new HttpMethodSecurityInfo()
                    .setMethod(constraint.value()))
                    .setEmptyRoleSemantic(constraint.emptyRoleSemantic() == ServletSecurity.EmptyRoleSemantic.DENY ? SecurityInfo.EmptyRoleSemantic.DENY : SecurityInfo.EmptyRoleSemantic.PERMIT)
                    .setTransportGuaranteeType(constraint.transportGuarantee() == ServletSecurity.TransportGuarantee.CONFIDENTIAL ? TransportGuaranteeType.CONFIDENTIAL : TransportGuaranteeType.NONE)
                    .addRolesAllowed(constraint.rolesAllowed());
        }
        servletInfo.setServletSecurityInfo(servletSecurityInfo);
    }
    final MultipartConfig multipartConfig = servletInfo.getServletClass().getAnnotation(MultipartConfig.class);
    if (multipartConfig != null) {
        servletInfo.setMultipartConfig(new MultipartConfigElement(multipartConfig.location(), multipartConfig.maxFileSize(), multipartConfig.maxRequestSize(), multipartConfig.fileSizeThreshold()));
    }
    final RunAs runAs = servletInfo.getServletClass().getAnnotation(RunAs.class);
    if (runAs != null) {
        servletInfo.setRunAs(runAs.value());
    }
    final DeclareRoles declareRoles = servletInfo.getServletClass().getAnnotation(DeclareRoles.class);
    if (declareRoles != null) {
        deploymentInfo.addSecurityRoles(declareRoles.value());
    }
    return null;
}
 
Example #2
Source File: SecurityPathMatches.java    From quarkus-http with Apache License 2.0 5 votes vote down vote up
/**
 * merge all constraints, as per 13.8.1 Combining Constraints
 */
private SingleConstraintMatch mergeConstraints(final RuntimeMatch currentMatch) {
    if (currentMatch.uncovered && denyUncoveredHttpMethods) {
        return new SingleConstraintMatch(SecurityInfo.EmptyRoleSemantic.DENY, Collections.<String>emptySet());
    }
    final Set<String> allowedRoles = new HashSet<>();
    for (SingleConstraintMatch match : currentMatch.constraints) {
        if (match.getRequiredRoles().isEmpty()) {
            return new SingleConstraintMatch(match.getEmptyRoleSemantic(), Collections.<String>emptySet());
        } else {
            allowedRoles.addAll(match.getRequiredRoles());
        }
    }
    return new SingleConstraintMatch(SecurityInfo.EmptyRoleSemantic.PERMIT, allowedRoles);
}
 
Example #3
Source File: ServletClientCertAuthTestCase.java    From quarkus-http with Apache License 2.0 5 votes vote down vote up
@BeforeClass
public static void setup() throws ServletException, IOException {
    DefaultServer.startSSLServer();
    clientSSLContext = DefaultServer.getClientSSLContext();


    final PathHandler path = new PathHandler();

    final ServletContainer container = ServletContainer.Factory.newInstance();

    ServletInfo usernameServlet = new ServletInfo("Username Servlet", SendUsernameServlet.class)
            .addMapping("/secured/username");

    ServletInfo authTypeServlet = new ServletInfo("Auth Type Servlet", SendAuthTypeServlet.class)
            .addMapping("/secured/authType");

    LoginConfig loginConfig = new LoginConfig(REALM_NAME);
    loginConfig.addFirstAuthMethod(new AuthMethodConfig("CLIENT_CERT"));
    DeploymentInfo builder = new DeploymentInfo()
            .setClassLoader(SimpleServletTestCase.class.getClassLoader())
            .setContextPath("/servletContext")
            .setClassIntrospecter(TestClassIntrospector.INSTANCE)
            .setDeploymentName("servletContext.war")
            .setIdentityManager(identityManager)
            .setLoginConfig(loginConfig)
            .addServlets(usernameServlet, authTypeServlet);

    builder.addSecurityConstraint(new SecurityConstraint()
            .addWebResourceCollection(new WebResourceCollection()
                    .addUrlPattern("/secured/*"))
            .addRoleAllowed("role1")
            .setEmptyRoleSemantic(SecurityInfo.EmptyRoleSemantic.DENY));

    DeploymentManager manager = container.addDeployment(builder);
    manager.deploy();
    path.addPrefixPath(builder.getContextPath(), manager.start());

    DefaultServer.setRootHandler(path);
}
 
Example #4
Source File: UndertowDeploymentRecorder.java    From quarkus with Apache License 2.0 5 votes vote down vote up
public void addSecurityConstraint(RuntimeValue<DeploymentInfo> deployment, SecurityInfo.EmptyRoleSemantic emptyRoleSemantic,
        TransportGuaranteeType transportGuaranteeType,
        Set<String> rolesAllowed, Set<WebResourceCollection> webResourceCollections) {

    SecurityConstraint securityConstraint = new SecurityConstraint()
            .setEmptyRoleSemantic(emptyRoleSemantic)
            .addRolesAllowed(rolesAllowed)
            .setTransportGuaranteeType(transportGuaranteeType)
            .addWebResourceCollections(webResourceCollections.toArray(new WebResourceCollection[0]));
    deployment.getValue().addSecurityConstraint(securityConstraint);

}
 
Example #5
Source File: ServletContextImpl.java    From lams with GNU General Public License v2.0 5 votes vote down vote up
@Override
public Void run() {
    final ServletSecurity security = servletInfo.getServletClass().getAnnotation(ServletSecurity.class);
    if (security != null) {

        ServletSecurityInfo servletSecurityInfo = new ServletSecurityInfo()
                .setEmptyRoleSemantic(security.value().value() == ServletSecurity.EmptyRoleSemantic.DENY ? SecurityInfo.EmptyRoleSemantic.DENY : SecurityInfo.EmptyRoleSemantic.PERMIT)
                .setTransportGuaranteeType(security.value().transportGuarantee() == ServletSecurity.TransportGuarantee.CONFIDENTIAL ? TransportGuaranteeType.CONFIDENTIAL : TransportGuaranteeType.NONE)
                .addRolesAllowed(security.value().rolesAllowed());
        for (HttpMethodConstraint constraint : security.httpMethodConstraints()) {
            servletSecurityInfo.addHttpMethodSecurityInfo(new HttpMethodSecurityInfo()
                    .setMethod(constraint.value()))
                    .setEmptyRoleSemantic(constraint.emptyRoleSemantic() == ServletSecurity.EmptyRoleSemantic.DENY ? SecurityInfo.EmptyRoleSemantic.DENY : SecurityInfo.EmptyRoleSemantic.PERMIT)
                    .setTransportGuaranteeType(constraint.transportGuarantee() == ServletSecurity.TransportGuarantee.CONFIDENTIAL ? TransportGuaranteeType.CONFIDENTIAL : TransportGuaranteeType.NONE)
                    .addRolesAllowed(constraint.rolesAllowed());
        }
        servletInfo.setServletSecurityInfo(servletSecurityInfo);
    }
    final MultipartConfig multipartConfig = servletInfo.getServletClass().getAnnotation(MultipartConfig.class);
    if (multipartConfig != null) {
        servletInfo.setMultipartConfig(new MultipartConfigElement(multipartConfig.location(), multipartConfig.maxFileSize(), multipartConfig.maxRequestSize(), multipartConfig.fileSizeThreshold()));
    }
    final RunAs runAs = servletInfo.getServletClass().getAnnotation(RunAs.class);
    if (runAs != null) {
        servletInfo.setRunAs(runAs.value());
    }
    final DeclareRoles declareRoles = servletInfo.getServletClass().getAnnotation(DeclareRoles.class);
    if (declareRoles != null) {
        deploymentInfo.addSecurityRoles(declareRoles.value());
    }
    return null;
}
 
Example #6
Source File: SecurityPathMatches.java    From lams with GNU General Public License v2.0 5 votes vote down vote up
/**
 * merge all constraints, as per 13.8.1 Combining Constraints
 */
private SingleConstraintMatch mergeConstraints(final RuntimeMatch currentMatch) {
    if (currentMatch.uncovered && denyUncoveredHttpMethods) {
        return new SingleConstraintMatch(SecurityInfo.EmptyRoleSemantic.DENY, Collections.<String>emptySet());
    }
    final Set<String> allowedRoles = new HashSet<>();
    for (SingleConstraintMatch match : currentMatch.constraints) {
        if (match.getRequiredRoles().isEmpty()) {
            return new SingleConstraintMatch(match.getEmptyRoleSemantic(), Collections.<String>emptySet());
        } else {
            allowedRoles.addAll(match.getRequiredRoles());
        }
    }
    return new SingleConstraintMatch(SecurityInfo.EmptyRoleSemantic.PERMIT, allowedRoles);
}
 
Example #7
Source File: SecurityPathMatches.java    From quarkus-http with Apache License 2.0 4 votes vote down vote up
private SecurityInformation(final Set<String> roles, final TransportGuaranteeType transportGuaranteeType, final SecurityInfo.EmptyRoleSemantic emptyRoleSemantic) {
    this.emptyRoleSemantic = emptyRoleSemantic;
    this.roles = new HashSet<>(roles);
    this.transportGuaranteeType = transportGuaranteeType;
}
 
Example #8
Source File: DefaultAuthorizationManager.java    From quarkus-http with Apache License 2.0 4 votes vote down vote up
@Override
public boolean canAccessResource(List<SingleConstraintMatch> constraints, Account account, ServletInfo servletInfo, HttpServletRequest request, Deployment deployment) {
    if (constraints == null || constraints.isEmpty()) {
        return true;
    }
    for (final SingleConstraintMatch constraint : constraints) {

        boolean found = false;

        Set<String> roleSet = constraint.getRequiredRoles();
        if (roleSet.isEmpty() && constraint.getEmptyRoleSemantic() != SecurityInfo.EmptyRoleSemantic.DENY) {
                /*
                 * The EmptyRoleSemantic was either PERMIT or AUTHENTICATE, either way a roles check is not needed.
                 */
            found = true;
        } else if (account != null) {
            if(roleSet.contains("**") && !deployment.getDeploymentInfo().getSecurityRoles().contains("**")) {
                found = true;
            } else {
                final Set<String> roles = deployment.getDeploymentInfo().getPrincipalVersusRolesMap().get(account.getPrincipal().getName());

                for (String role : roleSet) {
                    if (roles != null) {
                        if (roles.contains(role)) {
                            found = true;
                            break;
                        }
                    }
                    if (account.getRoles().contains(role)) {
                        found = true;
                        break;
                    }
                }
            }
        }
        if (!found) {
            return false;
        }
    }
    return true;

}
 
Example #9
Source File: SecurityConstraintUrlMappingTestCase.java    From quarkus-http with Apache License 2.0 4 votes vote down vote up
@BeforeClass
public static void setup() throws ServletException {

    final PathHandler root = new PathHandler();
    final ServletContainer container = ServletContainer.Factory.newInstance();

    ServletInfo s = new ServletInfo("servlet", AuthenticationMessageServlet.class)
            .addInitParam(MessageServlet.MESSAGE, HELLO_WORLD)
            .addMapping("/role1")
            .addMapping("/role2")
            .addMapping("/starstar")
            .addMapping("/secured/role2/*")
            .addMapping("/secured/1/2/*")
            .addMapping("/public/*")
            .addMapping("/extension/*");

    ServletIdentityManager identityManager = new ServletIdentityManager();
    identityManager.addUser("user1", "password1", "role1");
    identityManager.addUser("user2", "password2", "role2", "**");
    identityManager.addUser("user3", "password3", "role1", "role2");
    identityManager.addUser("user4", "password4", "badRole");

    DeploymentInfo builder = new DeploymentInfo()
            .setClassLoader(SimpleServletTestCase.class.getClassLoader())
            .setContextPath("/servletContext")
            .setClassIntrospecter(TestClassIntrospector.INSTANCE)
            .setDeploymentName("servletContext.war")
            .setIdentityManager(identityManager)
            .setLoginConfig(new LoginConfig("BASIC", "Test Realm"))
            .addServlet(s);

    builder.addSecurityConstraint(new SecurityConstraint()
            .addWebResourceCollection(new WebResourceCollection()
                    .addUrlPattern("/role1"))
            .addRoleAllowed("role1"));

    builder.addSecurityConstraint(new SecurityConstraint()
            .addWebResourceCollection(new WebResourceCollection()
                    .addUrlPattern("/starstar"))
            .addRoleAllowed("**"));
    builder.addSecurityConstraint(new SecurityConstraint()
            .addWebResourceCollection(new WebResourceCollection()
                    .addUrlPattern("/secured/*"))
            .addRoleAllowed("role2"));
    builder.addSecurityConstraint(new SecurityConstraint()
            .addWebResourceCollection(new WebResourceCollection()
                    .addUrlPattern("/secured/*"))
            .addRoleAllowed("role2"));
    builder.addSecurityConstraint(new SecurityConstraint()
            .addWebResourceCollection(new WebResourceCollection()
                    .addUrlPattern("/secured/1/*"))
            .addRoleAllowed("role1"));
    builder.addSecurityConstraint(new SecurityConstraint()
            .addWebResourceCollection(new WebResourceCollection()
                    .addUrlPattern("/secured/1/2/*"))
            .addRoleAllowed("role2"));
    builder.addSecurityConstraint(new SecurityConstraint()
            .addWebResourceCollection(new WebResourceCollection()
                    .addUrlPattern("*.html"))
            .addRoleAllowed("role2"));
    builder.addSecurityConstraint(new SecurityConstraint()
            .addWebResourceCollection(new WebResourceCollection()
                    .addUrlPattern("/public/*")).setEmptyRoleSemantic(SecurityInfo.EmptyRoleSemantic.PERMIT));
    builder.addSecurityConstraint(new SecurityConstraint()
            .addWebResourceCollection(new WebResourceCollection()
                    .addUrlPattern("/public/postSecured/*")
                    .addHttpMethod("POST"))
            .addRoleAllowed("role1"));

    DeploymentManager manager = container.addDeployment(builder);
    manager.deploy();
    root.addPrefixPath(builder.getContextPath(), manager.start());

    builder = new DeploymentInfo()
            .setClassLoader(SimpleServletTestCase.class.getClassLoader())
            .setContextPath("/star")
            .setClassIntrospecter(TestClassIntrospector.INSTANCE)
            .setDeploymentName("servletContext.war")
            .setIdentityManager(identityManager)
            .setLoginConfig(new LoginConfig("BASIC", "Test Realm"))
            .addSecurityRole("**")
            .addServlet(s);

    builder.addSecurityConstraint(new SecurityConstraint()
            .addWebResourceCollection(new WebResourceCollection()
                    .addUrlPattern("/starstar"))
            .addRoleAllowed("**"));

    manager = container.addDeployment(builder);
    manager.deploy();
    root.addPrefixPath(builder.getContextPath(), manager.start());
    DefaultServer.setRootHandler(root);
}
 
Example #10
Source File: ServletBasicAuthTestCase.java    From quarkus-http with Apache License 2.0 4 votes vote down vote up
@BeforeClass
public static void setup() throws ServletException {

    final PathHandler path = new PathHandler();

    final ServletContainer container = ServletContainer.Factory.newInstance();

    ServletInfo usernameServlet = new ServletInfo("Username Servlet", SendUsernameServlet.class)
            .addMapping("/secured/username");

    ServletInfo authTypeServlet = new ServletInfo("Auth Type Servlet", SendAuthTypeServlet.class)
            .addMapping("/secured/authType");

    ServletIdentityManager identityManager = new ServletIdentityManager();
    identityManager.addUser("user1", "password1", "role1");
    identityManager.addUser("charsetUser", "password-ΓΌ", "role1");

    LoginConfig loginConfig = new LoginConfig(REALM_NAME);
    Map<String, String> props = new HashMap<>();
    props.put("charset", "ISO_8859_1");
    props.put("user-agent-charsets", "Chrome,UTF-8,OPR,UTF-8");
    loginConfig.addFirstAuthMethod(new AuthMethodConfig("BASIC", props));
    DeploymentInfo builder = new DeploymentInfo()
            .setClassLoader(SimpleServletTestCase.class.getClassLoader())
            .setContextPath("/servletContext")
            .setClassIntrospecter(TestClassIntrospector.INSTANCE)
            .setDeploymentName("servletContext.war")
            .setIdentityManager(identityManager)
            .setLoginConfig(loginConfig)
            .addServlets(usernameServlet, authTypeServlet);

    builder.addSecurityConstraint(new SecurityConstraint()
            .addWebResourceCollection(new WebResourceCollection()
                    .addUrlPattern("/secured/*"))
            .addRoleAllowed("role1")
            .setEmptyRoleSemantic(SecurityInfo.EmptyRoleSemantic.DENY));

    DeploymentManager manager = container.addDeployment(builder);
    manager.deploy();
    path.addPrefixPath(builder.getContextPath(), manager.start());

    DefaultServer.setRootHandler(path);
}
 
Example #11
Source File: ServletSecurityInfoProxy.java    From quarkus with Apache License 2.0 4 votes vote down vote up
public SecurityInfo.EmptyRoleSemantic getEmptyRoleSemantic() {
    return emptyRoleSemantic;
}
 
Example #12
Source File: ServletSecurityInfoProxy.java    From quarkus with Apache License 2.0 4 votes vote down vote up
public ServletSecurityInfoProxy setEmptyRoleSemantic(SecurityInfo.EmptyRoleSemantic emptyRoleSemantic) {
    this.emptyRoleSemantic = emptyRoleSemantic;
    return this;
}
 
Example #13
Source File: SecurityPathMatches.java    From lams with GNU General Public License v2.0 4 votes vote down vote up
private SecurityInformation(final Set<String> roles, final TransportGuaranteeType transportGuaranteeType, final SecurityInfo.EmptyRoleSemantic emptyRoleSemantic) {
    this.emptyRoleSemantic = emptyRoleSemantic;
    this.roles = new HashSet<>(roles);
    this.transportGuaranteeType = transportGuaranteeType;
}
 
Example #14
Source File: DefaultAuthorizationManager.java    From lams with GNU General Public License v2.0 4 votes vote down vote up
@Override
public boolean canAccessResource(List<SingleConstraintMatch> constraints, Account account, ServletInfo servletInfo, HttpServletRequest request, Deployment deployment) {
    if (constraints == null || constraints.isEmpty()) {
        return true;
    }
    for (final SingleConstraintMatch constraint : constraints) {

        boolean found = false;

        Set<String> roleSet = constraint.getRequiredRoles();
        if (roleSet.isEmpty() && constraint.getEmptyRoleSemantic() != SecurityInfo.EmptyRoleSemantic.DENY) {
                /*
                 * The EmptyRoleSemantic was either PERMIT or AUTHENTICATE, either way a roles check is not needed.
                 */
            found = true;
        } else if (account != null) {
            if(roleSet.contains("**") && !deployment.getDeploymentInfo().getSecurityRoles().contains("**")) {
                found = true;
            } else {
                final Set<String> roles = deployment.getDeploymentInfo().getPrincipalVersusRolesMap().get(account.getPrincipal().getName());

                for (String role : roleSet) {
                    if (roles != null) {
                        if (roles.contains(role)) {
                            found = true;
                            break;
                        }
                    }
                    if (account.getRoles().contains(role)) {
                        found = true;
                        break;
                    }
                }
            }
        }
        if (!found) {
            return false;
        }
    }
    return true;

}
 
Example #15
Source File: DeploymentManagerFactory.java    From seed with Mozilla Public License 2.0 4 votes vote down vote up
@SuppressFBWarnings(value = "BC_UNCONFIRMED_CAST_OF_RETURN_VALUE", justification = "False positive")
private DeploymentInfo configureDeploymentInfo() {
    // Basic deployment attributes
    DeploymentInfo deploymentInfo = Servlets.deployment()
            .setEagerFilterInit(true)
            .setClassLoader(mostCompleteClassLoader)
            .setDeploymentName(applicationConfig.getId())
            .setDisplayName(applicationConfig.getName())
            .setDefaultSessionTimeout(serverConfig.getDefaultSessionTimeout())
            .setResourceManager(new ClassPathResourceManager(mostCompleteClassLoader, META_INF_RESOURCES))
            .addWelcomePages(serverConfig.getWelcomeFiles())
            .addErrorPages(buildUndertowErrorPages(serverConfig.getErrorPages()))
            .setContextPath(serverConfig.getContextPath());

    // Configure WebSockets if enabled
    if (serverConfig.webSocket().isEnabled()) {
        LOGGER.info("WebSocket support is enabled");
        deploymentInfo.addServletContextAttribute(
                WebSocketDeploymentInfo.ATTRIBUTE_NAME,
                new WebSocketDeploymentInfo()
                        .setBuffers(new DefaultByteBufferPool(
                                undertowConfig.isDirectBuffers(),
                                undertowConfig.getBufferSize()))
                        .setWorker(xnioWorker)
        );
    }

    // Redirect to HTTPS if configured
    if (serverConfig.isHttp() && serverConfig.isHttps() && serverConfig.isPreferHttps()) {
        LOGGER.info("Automatic redirection to HTTPS is enabled");
        deploymentInfo
                .addSecurityConstraint(new SecurityConstraint()
                        .addWebResourceCollection(new WebResourceCollection().addUrlPattern("/*"))
                        .setTransportGuaranteeType(TransportGuaranteeType.CONFIDENTIAL)
                        .setEmptyRoleSemantic(SecurityInfo.EmptyRoleSemantic.PERMIT))
                .setConfidentialPortManager(ex -> serverConfig.getSecurePort());
    }

    // Add custom init parameters
    for (Map.Entry<String, String> initParameter : initParameters.entrySet()) {
        LOGGER.debug("Servlet init parameter {} = {}", initParameter.getKey(), initParameter.getValue());
        deploymentInfo.addInitParameter(initParameter.getKey(), initParameter.getValue());
    }

    // Register ServletContainerInitializers
    for (ServletContainerInitializer sci : loadServletContainerInitializers()) {
        LOGGER.debug("Registering ServletContainerInitializer {}", sci.getClass().getName());
        deploymentInfo.addServletContainerInitializer(createServletContainerInitializerInfo(sci));
    }

    return deploymentInfo;
}