Posted to scm@geronimo.apache.org by dj...@apache.org on 2010/09/25 09:59:40 UTC
svn commit: r1001159 - in /geronimo/server/trunk/plugins:
j2ee/geronimo-web/src/main/java/org/apache/geronimo/web/security/
jetty8/geronimo-jetty8/src/main/java/org/apache/geronimo/jetty8/
jetty8/geronimo-jetty8/src/main/java/org/apache/geronimo/jetty8...
Author: djencks
Date: Sat Sep 25 07:59:39 2010
New Revision: 1001159
URL: http://svn.apache.org/viewvc?rev=1001159&view=rev
Log:
GERONIMO-5624 For jetty, override jetty internal methods (that I just added) instead of wrapping the ServletContext.Dynamic
Removed:
geronimo/server/trunk/plugins/jetty8/geronimo-jetty8/src/main/java/org/apache/geronimo/jetty8/handler/GeronimoApplicationServletRegistrationAdapter.java
geronimo/server/trunk/plugins/jetty8/geronimo-jetty8/src/main/java/org/apache/geronimo/jetty8/security/JACCSecurityEventListener.java
Modified:
geronimo/server/trunk/plugins/j2ee/geronimo-web/src/main/java/org/apache/geronimo/web/security/WebSecurityConstraintStore.java
geronimo/server/trunk/plugins/jetty8/geronimo-jetty8/src/main/java/org/apache/geronimo/jetty8/WebAppContextWrapper.java
geronimo/server/trunk/plugins/jetty8/geronimo-jetty8/src/main/java/org/apache/geronimo/jetty8/handler/GeronimoWebAppContext.java
geronimo/server/trunk/plugins/jetty8/geronimo-jetty8/src/main/java/org/apache/geronimo/jetty8/handler/JaccSecurityHandler.java
Modified: geronimo/server/trunk/plugins/j2ee/geronimo-web/src/main/java/org/apache/geronimo/web/security/WebSecurityConstraintStore.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/j2ee/geronimo-web/src/main/java/org/apache/geronimo/web/security/WebSecurityConstraintStore.java?rev=1001159&r1=1001158&r2=1001159&view=diff
==============================================================================
--- geronimo/server/trunk/plugins/j2ee/geronimo-web/src/main/java/org/apache/geronimo/web/security/WebSecurityConstraintStore.java (original)
+++ geronimo/server/trunk/plugins/j2ee/geronimo-web/src/main/java/org/apache/geronimo/web/security/WebSecurityConstraintStore.java Sat Sep 25 07:59:39 2010
@@ -29,6 +29,7 @@ import java.util.Set;
import javax.servlet.HttpMethodConstraintElement;
import javax.servlet.ServletContext;
+import javax.servlet.ServletRegistration;
import javax.servlet.ServletSecurityElement;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
@@ -152,6 +153,12 @@ public class WebSecurityConstraintStore
return containerCreatedDynamicServlets.containsKey(servlet);
}
+ public Set<String> setDynamicServletSecurity(ServletRegistration.Dynamic registration, ServletSecurityElement constraint) {
+ dynamicServletNameSecurityElementMap.put(registration.getName(), constraint);
+ Set<String> uneffectedUrlPatterns = new HashSet<String>(registration.getMappings());
+ uneffectedUrlPatterns.retainAll(webXmlConstraintUrlPatterns);
+ return uneffectedUrlPatterns;
+ }
public Set<String> setDynamicServletSecurity(String servletName, ServletSecurityElement constraint, Collection<String> urlPatterns) {
dynamicServletNameSecurityElementMap.put(servletName, constraint);
Set<String> uneffectedUrlPatterns = new HashSet<String>(urlPatterns);
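Review bot: The new `setDynamicServletSecurity(ServletRegistration.Dynamic, ServletSecurityElement)` overload re-implements the body of the existing name-based overload below it instead of delegating, so the two copies of the web.xml-precedence rule (`retainAll(webXmlConstraintUrlPatterns)`) can drift apart; `return setDynamicServletSecurity(registration.getName(), constraint, registration.getMappings());` would keep a single implementation. A Javadoc line would also help callers interpret the result, e.g. `/** Records the constraint for the registration and returns those of its URL patterns that are already constrained by web.xml and therefore unaffected by it. */`. The existing overload's body continues past the end of the hunk.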
Modified: geronimo/server/trunk/plugins/jetty8/geronimo-jetty8/src/main/java/org/apache/geronimo/jetty8/WebAppContextWrapper.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/jetty8/geronimo-jetty8/src/main/java/org/apache/geronimo/jetty8/WebAppContextWrapper.java?rev=1001159&r1=1001158&r2=1001159&view=diff
==============================================================================
--- geronimo/server/trunk/plugins/jetty8/geronimo-jetty8/src/main/java/org/apache/geronimo/jetty8/WebAppContextWrapper.java (original)
+++ geronimo/server/trunk/plugins/jetty8/geronimo-jetty8/src/main/java/org/apache/geronimo/jetty8/WebAppContextWrapper.java Sat Sep 25 07:59:39 2010
@@ -44,7 +44,6 @@ import org.apache.geronimo.j2ee.jndi.Con
import org.apache.geronimo.j2ee.management.impl.InvalidObjectNameException;
import org.apache.geronimo.jetty8.handler.GeronimoWebAppContext;
import org.apache.geronimo.jetty8.handler.IntegrationContext;
-import org.apache.geronimo.jetty8.security.JACCSecurityEventListener;
import org.apache.geronimo.jetty8.security.SecurityHandlerFactory;
import org.apache.geronimo.kernel.Kernel;
import org.apache.geronimo.kernel.ObjectNameUtil;
@@ -55,7 +54,6 @@ import org.apache.geronimo.management.ge
import org.apache.geronimo.security.jacc.ApplicationPolicyConfigurationManager;
import org.apache.geronimo.security.jacc.RunAsSource;
import org.apache.geronimo.transaction.GeronimoUserTransaction;
-import org.apache.geronimo.web.WebAttributeName;
import org.apache.geronimo.web.info.WebAppInfo;
import org.eclipse.jetty.http.MimeTypes;
import org.eclipse.jetty.security.SecurityHandler;
@@ -181,7 +179,7 @@ public class WebAppContextWrapper implem
Context componentContext = contextSource.getContext();
UserTransaction userTransaction = new GeronimoUserTransaction(transactionManager);
IntegrationContext integrationContext = new IntegrationContext(componentContext, unshareableResources, applicationManagedSecurityResources, trackedConnectionAssociator, userTransaction, bundle, holder);
- webAppContext = new GeronimoWebAppContext(securityHandler, sessionHandler, servletHandler, null, integrationContext, classLoader, modulePath, webAppInfo);
+ webAppContext = new GeronimoWebAppContext(securityHandler, sessionHandler, servletHandler, null, integrationContext, classLoader, modulePath, webAppInfo, policyContextID, applicationPolicyConfigurationManager);
webAppContext.setContextPath(contextPath);
//See Jetty-386. Setting this to true can expose secured content.
webAppContext.setCompactPath(compactPath);
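Review bot: The call now passes `policyContextID` and `applicationPolicyConfigurationManager` unconditionally, whereas the block removed later in this file only wired JACC when `securityHandlerFactory != null`; the new context appears to gate on `applicationPolicyConfigurationManager != null` instead. If a wrapper can be built with a policy configuration manager but no security handler factory, a policy for `policyContextID` would now be committed for a context in which no `JaccSecurityHandler` consults it — presumably harmless for access decisions, but a behaviour change worth stating at the call site, e.g. `// JACC policy for this context is committed by GeronimoWebAppContext.doStart when applicationPolicyConfigurationManager != null`. If that combination cannot occur by configuration, say so in the same comment.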
@@ -234,7 +232,6 @@ public class WebAppContextWrapper implem
if (contextParamMap != null) {
webAppContext.getInitParams().putAll(contextParamMap);
}
-// setListenerClassNames(listenerClassNames);
webAppContext.setDistributable(distributable);
webAppContext.setWelcomeFiles(welcomeFiles);
setLocaleEncodingMapping(localeEncodingMapping);
@@ -246,13 +243,6 @@ public class WebAppContextWrapper implem
}
//supply web.xml to jasper
webAppContext.setAttribute(JASPER_WEB_XML_NAME, originalSpecDD);
-
- if (securityHandlerFactory != null) {
- float schemaVersion = (Float) deploymentAttributes.get(WebAttributeName.SCHEMA_VERSION.name());
- boolean metaComplete = (Boolean) deploymentAttributes.get(WebAttributeName.META_COMPLETE.name());
- webAppContext.addLifeCycleListener(new JACCSecurityEventListener(bundle, webAppInfo, schemaVersion >= 2.5f && !metaComplete, applicationPolicyConfigurationManager, policyContextID,
- (GeronimoWebAppContext.SecurityContext) webAppContext.getServletContext()));
- }
}
Modified: geronimo/server/trunk/plugins/jetty8/geronimo-jetty8/src/main/java/org/apache/geronimo/jetty8/handler/GeronimoWebAppContext.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/jetty8/geronimo-jetty8/src/main/java/org/apache/geronimo/jetty8/handler/GeronimoWebAppContext.java?rev=1001159&r1=1001158&r2=1001159&view=diff
==============================================================================
--- geronimo/server/trunk/plugins/jetty8/geronimo-jetty8/src/main/java/org/apache/geronimo/jetty8/handler/GeronimoWebAppContext.java (original)
+++ geronimo/server/trunk/plugins/jetty8/geronimo-jetty8/src/main/java/org/apache/geronimo/jetty8/handler/GeronimoWebAppContext.java Sat Sep 25 07:59:39 2010
@@ -26,14 +26,20 @@ import java.net.URL;
import java.util.Collections;
import java.util.Enumeration;
import java.util.EventListener;
+import java.util.HashMap;
import java.util.HashSet;
+import java.util.Map;
import java.util.Set;
import javax.naming.NamingException;
+import javax.security.auth.login.LoginException;
+import javax.security.jacc.PolicyContextException;
import javax.servlet.Filter;
import javax.servlet.Servlet;
import javax.servlet.ServletException;
+import javax.servlet.ServletRegistration;
import javax.servlet.ServletRegistration.Dynamic;
+import javax.servlet.ServletSecurityElement;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
@@ -41,8 +47,11 @@ import org.apache.geronimo.connector.out
import org.apache.geronimo.connector.outbound.connectiontracking.SharedConnectorInstanceContext;
import org.apache.geronimo.osgi.web.WebApplicationConstants;
import org.apache.geronimo.osgi.web.WebApplicationUtils;
+import org.apache.geronimo.security.jacc.ApplicationPolicyConfigurationManager;
+import org.apache.geronimo.security.jacc.ComponentPermissions;
import org.apache.geronimo.web.assembler.Assembler;
import org.apache.geronimo.web.info.WebAppInfo;
+import org.apache.geronimo.web.security.SpecSecurityBuilder;
import org.apache.geronimo.web.security.WebSecurityConstraintStore;
import org.apache.xbean.osgi.bundle.util.BundleUtils;
import org.eclipse.jetty.security.SecurityHandler;
@@ -67,12 +76,22 @@ public class GeronimoWebAppContext exten
private final String modulePath;
private final ClassLoader classLoader;
private final WebAppInfo webAppInfo;
+ private final WebSecurityConstraintStore webSecurityConstraintStore;
+ private final String policyContextId;
+ private final ApplicationPolicyConfigurationManager applicationPolicyConfigurationManager;
private ServiceRegistration serviceRegistration;
boolean fullyStarted = false;
- public GeronimoWebAppContext(SecurityHandler securityHandler, SessionHandler sessionHandler, ServletHandler servletHandler, ErrorHandler errorHandler, IntegrationContext integrationContext, ClassLoader classLoader, String modulePath, WebAppInfo webAppInfo) {
+ public GeronimoWebAppContext(SecurityHandler securityHandler,
+ SessionHandler sessionHandler,
+ ServletHandler servletHandler,
+ ErrorHandler errorHandler,
+ IntegrationContext integrationContext,
+ ClassLoader classLoader,
+ String modulePath,
+ WebAppInfo webAppInfo, String policyContextId, ApplicationPolicyConfigurationManager applicationPolicyConfigurationManager) {
super(sessionHandler, securityHandler, servletHandler, errorHandler);
- _scontext = securityHandler == null ? new Context() : new SecurityContext();
+ _scontext = new Context();
this.integrationContext = integrationContext;
setClassLoader(classLoader);
this.classLoader = classLoader;
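Review bot: The constructor signature places one parameter per line up to `WebAppInfo webAppInfo`, then puts `String policyContextId` and `ApplicationPolicyConfigurationManager applicationPolicyConfigurationManager` on that same line; giving the two new parameters their own lines keeps them as visible as the rest. The constructor body continues into the next hunk.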
@@ -87,6 +106,12 @@ public class GeronimoWebAppContext exten
}
this.modulePath = modulePath;
this.webAppInfo = webAppInfo;
+ this.policyContextId = policyContextId;
+ this.applicationPolicyConfigurationManager = applicationPolicyConfigurationManager;
+ //TODO schemaVersion >= 2.5f && !metaComplete but only for a while....
+ boolean annotationScanRequired = true;
+ webSecurityConstraintStore = new WebSecurityConstraintStore(webAppInfo, integrationContext.getBundle(), annotationScanRequired, _scontext);
+
}
public void registerServletContext() {
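Review bot: `annotationScanRequired` is hard-coded to `true` (with a TODO), so `WebSecurityConstraintStore` will consider `@ServletSecurity` annotations even for deployments whose descriptor is metadata-complete, where the Servlet spec requires annotations to be ignored; the wiring removed from WebAppContextWrapper in this same commit computed `schemaVersion >= 2.5f && !metaComplete` from `WebAttributeName.SCHEMA_VERSION` / `META_COMPLETE`, and those deployment attributes are still available to the caller of this constructor. Passing the flag in as a constructor argument, `boolean annotationScanRequired`, and using it on the `new WebSecurityConstraintStore(...)` line would restore the previous behaviour instead of deferring it. The constructor header is in the previous hunk.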
@@ -116,6 +141,24 @@ public class GeronimoWebAppContext exten
assembler.assemble(getServletContext(), webAppInfo);
((GeronimoWebAppContext.Context) _scontext).webXmlProcessed = true;
super.doStart();
+ if (applicationPolicyConfigurationManager != null) {
+ SpecSecurityBuilder specSecurityBuilder = new SpecSecurityBuilder(webSecurityConstraintStore.exportMergedWebAppInfo());
+ Map<String, ComponentPermissions> contextIdPermissionsMap = new HashMap<String, ComponentPermissions>();
+ contextIdPermissionsMap.put(policyContextId, specSecurityBuilder.buildSpecSecurityConfig());
+ //Update ApplicationPolicyConfigurationManager
+ try {
+ applicationPolicyConfigurationManager.updateApplicationPolicyConfiguration(contextIdPermissionsMap);
+ } catch (LoginException e) {
+ throw new RuntimeException("Fail to set application policy configurations", e);
+ } catch (PolicyContextException e) {
+ throw new RuntimeException("Fail to set application policy configurations", e);
+ } catch (ClassNotFoundException e) {
+ throw new RuntimeException("Fail to set application policy configurations", e);
+ } finally {
+ //Clear SpecSecurityBuilder
+ specSecurityBuilder.clear();
+ }
+ }
fullyStarted = true;
} finally {
setRestrictListeners(true);
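Review bot: The JACC policy for `policyContextId` is committed only after `super.doStart()` has returned, and if `updateApplicationPolicyConfiguration` throws, the superclass start has already completed while the RuntimeException propagates out of doStart. Whether a request can reach `JaccSecurityHandler` between those two points depends on when Jetty marks the context available, which is not visible here; if it can, decisions in that window are made against an unpopulated policy, so the ordering assumption deserves a comment, e.g. `// must run after super.doStart() so constraints registered by listeners are included, and before the context serves requests`. The three catch blocks repeat the same text; `"Failed to set application policy configuration"` reads better than `"Fail to set application policy configurations"`. The enclosing doStart and its try block begin outside the hunk.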
@@ -227,6 +270,17 @@ public class GeronimoWebAppContext exten
return paths;
}
+
+ @Override
+ public Set<String> setServletSecurity(ServletRegistration.Dynamic registration, ServletSecurityElement servletSecurityElement) {
+ return webSecurityConstraintStore.setDynamicServletSecurity(registration, servletSecurityElement);
+ }
+
+ @Override
+ protected void addRoles(String... roles) {
+ webSecurityConstraintStore.declareRoles(roles);
+ }
+
private Resource lookupResource(String uriInContext) {
Bundle bundle = integrationContext.getBundle();
URL url = BundleUtils.getEntry(bundle, uriInContext);
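Review bot: The `addRoles` override delegates to `webSecurityConstraintStore.declareRoles` without the `isStarting()` and `_enabled` checks that the removed `SecurityContext.declareRoles` performed; this is only equivalent if Jetty's `declareRoles` (the internal method the commit message refers to) performs those checks before calling `addRoles`, which cannot be confirmed from this diff. Both new overrides lack Javadoc; `/** Called by Jetty's ServletContext.declareRoles after its state checks; records roles in the constraint store. */` for `addRoles`, and `/** Records the constraint for the dynamic registration and returns its URL patterns already constrained by web.xml, which the element does not affect. */` for `setServletSecurity`, would pin the contracts.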
@@ -286,82 +340,8 @@ public class GeronimoWebAppContext exten
@Override
public <T extends Servlet> T createServlet(Class<T> c) throws ServletException {
try {
- return (T) integrationContext.getHolder().newInstance(c.getName(), classLoader, integrationContext.getComponentContext());
- } catch (IllegalAccessException e) {
- throw new ServletException("Could not create servlet " + c.getName(), e);
- } catch (InstantiationException e) {
- throw new ServletException("Could not create servlet " + c.getName(), e);
- }
- }
- }
-
- public class SecurityContext extends Context {
-
- private WebSecurityConstraintStore webSecurityConstraintStore;
-
- @Override
- public Dynamic addServlet(String servletName, Class<? extends Servlet> servletClass) {
- Dynamic dynamic = super.addServlet(servletName, servletClass);
- if (!webXmlProcessed) {
- return dynamic;
- }
- webSecurityConstraintStore.addContainerCreatedDynamicServletEntry(servletName, servletClass.getName());
- return createGeronimoApplicationServletRegistrationAdapter(dynamic, servletName);
- }
-
- @Override
- public Dynamic addServlet(String servletName, Servlet servlet) {
- Dynamic dynamic = super.addServlet(servletName, servlet);
- if (!webXmlProcessed) {
- return dynamic;
- }
- if (webSecurityConstraintStore.isContainerCreatedDynamicServlet(servlet)) {
- webSecurityConstraintStore.addContainerCreatedDynamicServletEntry(servletName, servlet.getClass().getName());
- }
- return createGeronimoApplicationServletRegistrationAdapter(dynamic, servletName);
- }
-
- @Override
- public Dynamic addServlet(String servletName, String className) {
- Dynamic dynamic = super.addServlet(servletName, className);
- if (!webXmlProcessed) {
- return dynamic;
- }
- webSecurityConstraintStore.addContainerCreatedDynamicServletEntry(servletName, className);
- return createGeronimoApplicationServletRegistrationAdapter(dynamic, servletName);
- }
-
- @Override
- public void declareRoles(String... roles) {
- if (!isStarting())
- throw new IllegalStateException();
- if (!_enabled)
- throw new UnsupportedOperationException();
- webSecurityConstraintStore.declareRoles(roles);
- }
-
- protected Dynamic createGeronimoApplicationServletRegistrationAdapter(Dynamic applicationServletRegistration, String servletName) {
- if (applicationServletRegistration == null) {
- return null;
- }
- return new GeronimoApplicationServletRegistrationAdapter(GeronimoWebAppContext.this, applicationServletRegistration);
- }
-
- public WebSecurityConstraintStore getWebSecurityConstraintStore() {
- return webSecurityConstraintStore;
- }
-
- public void setWebSecurityConstraintStore(WebSecurityConstraintStore webSecurityConstraintStore) {
- this.webSecurityConstraintStore = webSecurityConstraintStore;
- }
-
- @Override
- public <T extends Servlet> T createServlet(Class<T> c) throws ServletException {
- try {
T servlet = (T) integrationContext.getHolder().newInstance(c.getName(), classLoader, integrationContext.getComponentContext());
- if (isStarting()) {
- webSecurityConstraintStore.addContainerCreatedDynamicServlet(servlet);
- }
+ webSecurityConstraintStore.addContainerCreatedDynamicServlet(servlet);
return servlet;
} catch (IllegalAccessException e) {
throw new ServletException("Could not create servlet " + c.getName(), e);
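Review bot: The removed `SecurityContext.addServlet` overrides recorded a name-to-class entry via `addContainerCreatedDynamicServletEntry` for servlets added after `webXmlProcessed`, and `createServlet` recorded instances only while `isStarting()`; the new `createServlet` records every instance unconditionally and nothing in this commit records the name/class entry any more. If `exportMergedWebAppInfo` relies on those entries to apply `@ServletSecurity` annotations of container-created dynamic servlets, those servlets would end up with fewer constraints than before, so confirm against WebSecurityConstraintStore (its `isContainerCreatedDynamicServlet` is still present at the top of this diff). `webXmlProcessed` is still set in doStart but its only visible reader has been removed here; if it is now unused, drop it or comment why it stays.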
@@ -369,5 +349,7 @@ public class GeronimoWebAppContext exten
throw new ServletException("Could not create servlet " + c.getName(), e);
}
}
+
}
+
}
Modified: geronimo/server/trunk/plugins/jetty8/geronimo-jetty8/src/main/java/org/apache/geronimo/jetty8/handler/JaccSecurityHandler.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/jetty8/geronimo-jetty8/src/main/java/org/apache/geronimo/jetty8/handler/JaccSecurityHandler.java?rev=1001159&r1=1001158&r2=1001159&view=diff
==============================================================================
--- geronimo/server/trunk/plugins/jetty8/geronimo-jetty8/src/main/java/org/apache/geronimo/jetty8/handler/JaccSecurityHandler.java (original)
+++ geronimo/server/trunk/plugins/jetty8/geronimo-jetty8/src/main/java/org/apache/geronimo/jetty8/handler/JaccSecurityHandler.java Sat Sep 25 07:59:39 2010
@@ -19,11 +19,15 @@ package org.apache.geronimo.jetty8.handl
import java.io.IOException;
import java.security.AccessControlContext;
import java.security.AccessControlException;
+import java.util.Collections;
+import java.util.Set;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.WebResourcePermission;
import javax.security.jacc.WebUserDataPermission;
import javax.servlet.ServletException;
+import javax.servlet.ServletRegistration;
+import javax.servlet.ServletSecurityElement;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
@@ -71,6 +75,7 @@ public class JaccSecurityHandler extends
* javax.servlet.http.HttpServletRequest,
* javax.servlet.http.HttpServletResponse, int)
*/
+ @Override
public void handle(String target, Request baseRequest, HttpServletRequest request,
HttpServletResponse response) throws IOException,
ServletException {
@@ -89,10 +94,12 @@ public class JaccSecurityHandler extends
}
}
+ @Override
protected Object prepareConstraintInfo(String pathInContext, Request request) {
return null;
}
+ @Override
protected boolean checkUserDataPermissions(String pathInContext, Request request, Response response, Object constraintInfo) throws IOException {
boolean notIntegral = request.isSecure() || !request.getConnection().isIntegral(request);
@@ -122,10 +129,12 @@ public class JaccSecurityHandler extends
return result;
}
+ @Override
protected boolean isAuthMandatory(Request base_request, Response base_response, Object constraintInfo) {
return !checkWebResourcePermission(base_request, defaultAcc);
}
+ @Override
protected boolean checkWebResourcePermissions(String pathInContext, Request request, Response response, Object constraintInfo, UserIdentity userIdentity) throws IOException {
if (!(userIdentity instanceof GeronimoUserIdentity)){
//we already checked against default_acc and got false