You are viewing a plain text version of this content. The canonical link for it is here.
Posted to scm@geronimo.apache.org by dj...@apache.org on 2010/09/27 19:45:10 UTC
svn commit: r1001833 - in
/geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina:
Context.java core/ApplicationContext.java
core/ApplicationServletRegistration.java core/StandardContext.java
Author: djencks
Date: Mon Sep 27 17:45:10 2010
New Revision: 1001833
URL: http://svn.apache.org/viewvc?rev=1001833&view=rev
Log:
GERONIMO-5626 Further proposed changes to tomcat security api to support dynamically setting security
Modified:
geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/Context.java
geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/core/ApplicationContext.java
geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/core/ApplicationServletRegistration.java
geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/core/StandardContext.java
Modified: geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/Context.java
URL: http://svn.apache.org/viewvc/geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/Context.java?rev=1001833&r1=1001832&r2=1001833&view=diff
==============================================================================
--- geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/Context.java (original)
+++ geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/Context.java Mon Sep 27 17:45:10 2010
@@ -24,8 +24,10 @@ import java.util.Set;
import javax.servlet.ServletContainerInitializer;
import javax.servlet.ServletContext;
+import javax.servlet.ServletSecurityElement;
import javax.servlet.descriptor.JspConfigDescriptor;
+import org.apache.catalina.core.ApplicationServletRegistration;
import org.apache.tomcat.InstanceManager;
import org.apache.tomcat.JarScanner;
import org.apache.tomcat.util.http.mapper.Mapper;
@@ -1224,5 +1226,13 @@ public interface Context extends Contain
boolean isServlet22();
InstanceManager getInstanceManager();
+
+ /**
+ * Notification that servlet security has been dynamically set in a ServletRegistration.Dynamic
+ * @param registration servlet security was modified for
+ * @param servletSecurityElement new security constraints for this servlet
+ * @return urls currently mapped to this registration that are already present in web.xml
+ */
+ Set<String> addServletSecurity(ApplicationServletRegistration registration, ServletSecurityElement servletSecurityElement);
}
Modified: geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/core/ApplicationContext.java
URL: http://svn.apache.org/viewvc/geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/core/ApplicationContext.java?rev=1001833&r1=1001832&r2=1001833&view=diff
==============================================================================
--- geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/core/ApplicationContext.java (original)
+++ geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/core/ApplicationContext.java Mon Sep 27 17:45:10 2010
@@ -1067,10 +1067,10 @@ public class ApplicationContext
} else {
wrapper.setServletClass(servlet.getClass().getName());
wrapper.setServlet(servlet);
- }
-
- return new ApplicationServletRegistration(wrapper, context);
- }
+ }
+
+ return context.dynamicServletAdded(wrapper);
+ }
public <T extends Servlet> T createServlet(Class<T> c)
@@ -1078,6 +1078,7 @@ public class ApplicationContext
try {
@SuppressWarnings("unchecked")
T servlet = (T) context.getInstanceManager().newInstance(c.getName());
+ context.dynamicServletCreated(servlet);
return servlet;
} catch (IllegalAccessException e) {
throw new ServletException(e);
Modified: geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/core/ApplicationServletRegistration.java
URL: http://svn.apache.org/viewvc/geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/core/ApplicationServletRegistration.java?rev=1001833&r1=1001832&r2=1001833&view=diff
==============================================================================
--- geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/core/ApplicationServletRegistration.java (original)
+++ geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/core/ApplicationServletRegistration.java Mon Sep 27 17:45:10 2010
@@ -117,10 +117,12 @@ public class ApplicationServletRegistrat
// Have to add in a separate loop since spec requires no updates at all
// if there is an issue
- for (Map.Entry<String, String> entry : initParameters.entrySet()) {
- setInitParameter(entry.getKey(), entry.getValue());
+ if (conflicts.isEmpty()) {
+ for (Map.Entry<String, String> entry : initParameters.entrySet()) {
+ setInitParameter(entry.getKey(), entry.getValue());
+ }
}
-
+
return conflicts;
}
@@ -158,53 +160,7 @@ public class ApplicationServletRegistrat
getName(), context.getPath()));
}
- Set<String> conflicts = new HashSet<String>();
-
- Collection<String> urlPatterns = getMappings();
- for (String urlPattern : urlPatterns) {
- boolean foundConflict = false;
-
- SecurityConstraint[] securityConstraints =
- context.findConstraints();
- for (SecurityConstraint securityConstraint : securityConstraints) {
-
- SecurityCollection[] collections =
- securityConstraint.findCollections();
- for (SecurityCollection collection : collections) {
- if (collection.findPattern(urlPattern)) {
- // First pattern found will indicate if there is a
- // conflict since for any given pattern all matching
- // constraints will be from either the descriptor or
- // not. It is not permitted to have a mixture
- if (collection.isFromDescriptor()) {
- // Skip this pattern
- foundConflict = true;
- } else {
- // Need to overwrite constraint for this pattern
- // so remove every pattern found
- context.removeConstraint(securityConstraint);
- }
- }
- if (foundConflict) {
- break;
- }
- }
- if (foundConflict) {
- break;
- }
- }
- if (!foundConflict) {
- SecurityConstraint[] newSecurityConstraints =
- SecurityConstraint.createConstraints(constraint,
- urlPattern);
- for (SecurityConstraint securityConstraint :
- newSecurityConstraints) {
- context.addConstraint(securityConstraint);
- }
- }
- }
-
- return conflicts;
+ return context.addServletSecurity(this, constraint);
}
Modified: geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/core/StandardContext.java
URL: http://svn.apache.org/viewvc/geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/core/StandardContext.java?rev=1001833&r1=1001832&r2=1001833&view=diff
==============================================================================
--- geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/core/StandardContext.java (original)
+++ geronimo/external/trunk/tomcat-parent-7.0.0/catalina/src/main/java/org/apache/catalina/core/StandardContext.java Mon Sep 27 17:45:10 2010
@@ -26,7 +26,9 @@ import java.io.InputStreamReader;
import java.net.URL;
import java.util.ArrayList;
import java.util.Arrays;
+import java.util.Collection;
import java.util.HashMap;
+import java.util.HashSet;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.LinkedHashMap;
@@ -47,14 +49,17 @@ import javax.management.ObjectName;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.servlet.FilterConfig;
+import javax.servlet.Servlet;
import javax.servlet.ServletContainerInitializer;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextAttributeListener;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
+import javax.servlet.ServletRegistration;
import javax.servlet.ServletRequestAttributeListener;
import javax.servlet.ServletRequestListener;
+import javax.servlet.ServletSecurityElement;
import javax.servlet.descriptor.JspConfigDescriptor;
import javax.servlet.http.HttpSessionAttributeListener;
import javax.servlet.http.HttpSessionListener;
@@ -4009,6 +4014,22 @@ public class StandardContext extends Con
return null;
}
+ /**
+ * hook to register that we need to scan for security annotations.
+ * @param registration
+ */
+ public ServletRegistration.Dynamic dynamicServletAdded(Wrapper wrapper) {
+ return new ApplicationServletRegistration(wrapper, this);
+ }
+
+ /**
+ * hook to track which registrations need annotation scanning
+ * @param servlet
+ */
+ public void dynamicServletCreated(Servlet servlet) {
+
+ }
+
/**
* A helper class to manage the filter mappings in a Context.
@@ -5075,6 +5096,63 @@ public class StandardContext extends Con
}
+ public Set<String> addServletSecurity(ApplicationServletRegistration registration, ServletSecurityElement servletSecurityElement) {
+ Set<String> conflicts = new HashSet<String>();
+
+ Collection<String> urlPatterns = registration.getMappings();
+ for (String urlPattern : urlPatterns) {
+ boolean foundConflict = false;
+
+ SecurityConstraint[] securityConstraints =
+ findConstraints();
+ for (SecurityConstraint securityConstraint : securityConstraints) {
+
+ SecurityCollection[] collections =
+ securityConstraint.findCollections();
+ for (SecurityCollection collection : collections) {
+ if (collection.findPattern(urlPattern)) {
+ // First pattern found will indicate if there is a
+ // conflict since for any given pattern all matching
+ // constraints will be from either the descriptor or
+ // not. It is not permitted to have a mixture
+ if (collection.isFromDescriptor()) {
+ // Skip this pattern
+ foundConflict = true;
+ conflicts.add(urlPattern);
+ } else {
+ // Need to overwrite constraint for this pattern
+ // so remove every pattern found
+
+ //TODO spec 13.4.2 appears to say only the conflicting pattern is overwritten, not the entire security constraint.
+ removeConstraint(securityConstraint);
+ }
+ }
+ if (foundConflict) {
+ break;
+ }
+ }
+ if (foundConflict) {
+ break;
+ }
+ }
+ //TODO spec 13.4.2 appears to say that non-conflicting patterns are still used.
+ //TODO you can't calculate the eventual security constraint now, you have to wait until the context is started,
+ //since application code can add url patterns after calling setSecurity.
+ if (!foundConflict) {
+ SecurityConstraint[] newSecurityConstraints =
+ SecurityConstraint.createConstraints(servletSecurityElement,
+ urlPattern);
+ for (SecurityConstraint securityConstraint :
+ newSecurityConstraints) {
+ addConstraint(securityConstraint);
+ }
+ }
+ }
+
+ return conflicts;
+
+ }
+
/**
* Return a File object representing the base directory for the