Class ConstraintSecurityHandler

java.lang.Object
org.eclipse.jetty.util.component.AbstractLifeCycle
org.eclipse.jetty.util.component.ContainerLifeCycle
org.eclipse.jetty.server.Handler.Abstract
org.eclipse.jetty.server.Handler.AbstractContainer
org.eclipse.jetty.server.Handler.Wrapper
org.eclipse.jetty.security.SecurityHandler
org.eclipse.jetty.ee10.servlet.security.ConstraintSecurityHandler
All Implemented Interfaces:
ConstraintAware, org.eclipse.jetty.security.Authenticator.Configuration, org.eclipse.jetty.server.Handler, org.eclipse.jetty.server.Handler.Container, org.eclipse.jetty.server.Handler.Singleton, org.eclipse.jetty.server.Request.Handler, org.eclipse.jetty.util.component.Container, org.eclipse.jetty.util.component.Destroyable, org.eclipse.jetty.util.component.Dumpable, org.eclipse.jetty.util.component.Dumpable.DumpableContainer, org.eclipse.jetty.util.component.LifeCycle, org.eclipse.jetty.util.thread.Invocable

public class ConstraintSecurityHandler extends org.eclipse.jetty.security.SecurityHandler implements ConstraintAware
ConstraintSecurityHandler

Handler to enforce SecurityConstraints. This implementation is servlet spec 3.1 compliant and pre-computes the constraint combinations for runtime efficiency.

  • Nested Class Summary

    Nested classes/interfaces inherited from class org.eclipse.jetty.security.SecurityHandler

    org.eclipse.jetty.security.SecurityHandler.NotChecked, org.eclipse.jetty.security.SecurityHandler.PathMapped, org.eclipse.jetty.security.SecurityHandler.PathMethodMapped

    Nested classes/interfaces inherited from class org.eclipse.jetty.server.Handler.Abstract

    org.eclipse.jetty.server.Handler.Abstract.NonBlocking

    Nested classes/interfaces inherited from class org.eclipse.jetty.util.component.AbstractLifeCycle

    org.eclipse.jetty.util.component.AbstractLifeCycle.AbstractLifeCycleListener, org.eclipse.jetty.util.component.AbstractLifeCycle.StopException

    Nested classes/interfaces inherited from interface org.eclipse.jetty.security.Authenticator.Configuration

    org.eclipse.jetty.security.Authenticator.Configuration.Wrapper

    Nested classes/interfaces inherited from interface org.eclipse.jetty.util.component.Container

    org.eclipse.jetty.util.component.Container.InheritedListener, org.eclipse.jetty.util.component.Container.Listener

    Nested classes/interfaces inherited from interface org.eclipse.jetty.util.component.Dumpable

    org.eclipse.jetty.util.component.Dumpable.DumpableContainer, org.eclipse.jetty.util.component.Dumpable.DumpAppendable

    Nested classes/interfaces inherited from interface org.eclipse.jetty.server.Handler

    org.eclipse.jetty.server.Handler.Abstract, org.eclipse.jetty.server.Handler.AbstractContainer, org.eclipse.jetty.server.Handler.Collection, org.eclipse.jetty.server.Handler.Container, org.eclipse.jetty.server.Handler.Sequence, org.eclipse.jetty.server.Handler.Singleton, org.eclipse.jetty.server.Handler.Wrapper

    Nested classes/interfaces inherited from interface org.eclipse.jetty.util.thread.Invocable

    org.eclipse.jetty.util.thread.Invocable.Callable, org.eclipse.jetty.util.thread.Invocable.InvocationType, org.eclipse.jetty.util.thread.Invocable.ReadyTask, org.eclipse.jetty.util.thread.Invocable.Task

    Nested classes/interfaces inherited from interface org.eclipse.jetty.util.component.LifeCycle

    org.eclipse.jetty.util.component.LifeCycle.Listener

    Nested classes/interfaces inherited from interface org.eclipse.jetty.server.Request.Handler

    org.eclipse.jetty.server.Request.Handler.AbortException
  • Field Summary

    Fields
    Modifier and Type
    Field
    Description
    static final String
     
    static final String
     

    Fields inherited from class org.eclipse.jetty.security.SecurityHandler

    SESSION_AUTHENTICATED_ATTRIBUTE

    Fields inherited from class org.eclipse.jetty.util.component.AbstractLifeCycle

    FAILED, STARTED, STARTING, STOPPED, STOPPING

    Fields inherited from interface org.eclipse.jetty.util.component.Dumpable

    LEGEND

    Fields inherited from interface org.eclipse.jetty.util.thread.Invocable

    __nonBlocking, NOOP
  • Constructor Summary

    Constructors
    Constructor
    Description
    ConstraintSecurityHandler()
     
  • Method Summary

    Modifier and Type
    Method
    Description
    void
    addConstraintMapping(ConstraintMapping mapping)
    Add a Constraint Mapping.
    void
    addKnownRole(String role)
    Add a Role definition.
    boolean
    checkPathsWithUncoveredHttpMethods()
    Servlet spec 3.1 pg. 147.
    protected org.eclipse.jetty.security.Constraint
    combineServletConstraints(org.eclipse.jetty.security.Constraint constraintA, org.eclipse.jetty.security.Constraint constraintB)
    Combine constraints as per the servlet specification.
    static org.eclipse.jetty.security.Constraint
    createConstraint(String name, jakarta.servlet.HttpConstraintElement element)
    Create a Constraint
    static org.eclipse.jetty.security.Constraint
    createConstraint(String name, String[] rolesAllowed, jakarta.servlet.annotation.ServletSecurity.EmptyRoleSemantic permitOrDeny, jakarta.servlet.annotation.ServletSecurity.TransportGuarantee transport)
    Create Constraint
    static List<ConstraintMapping>
    createConstraintsWithMappingsForPath(String name, String pathSpec, jakarta.servlet.ServletSecurityElement securityElement)
    Generate Constraints and ConstraintMappings for the given url pattern and ServletSecurityElement
    protected void
    doStart()
     
    protected void
    doStop()
     
    void
    dump(Appendable out, String indent)
     
    protected org.eclipse.jetty.security.Constraint
    getConstraint(String pathInContext, org.eclipse.jetty.server.Request request)
     
    List<ConstraintMapping>
    getConstraintMappings()
     
    Set<String>
    getKnownRoles()
     
    protected Set<String>
    getOmittedMethods(String omission)
    Given a string of the form <method>.<method>.omission, split out the individual method names.
    Set<String>
    getPathsWithUncoveredHttpMethods()
    Servlet spec 3.1 pg. 147.
    boolean
    isDenyUncoveredHttpMethods()
     
    protected boolean
    omissionsExist(Map<String, org.eclipse.jetty.security.Constraint> methodMappings)
    Check if any http method omissions exist in the list of method to auth info mappings.
    protected void
    processConstraintMapping(ConstraintMapping mapping)
    Create and combine the constraint with the existing processed constraints.
    protected void
    processConstraintMappingWithMethodOmissions(ConstraintMapping mapping, Map<String, org.eclipse.jetty.security.Constraint> mappings)
    Constraints that name method omissions are dealt with differently.
    static List<ConstraintMapping>
    removeConstraintMappingsForPath(String pathSpec, List<ConstraintMapping> constraintMappings)
    Take out of the constraint mappings those that match the given path.
    void
    setConstraintMappings(List<ConstraintMapping> constraintMappings)
    Process the constraints following the combining rules in Servlet 3.0 EA spec section 13.7.1. Note that much of the logic is in the Constraint class.
    void
    setConstraintMappings(List<ConstraintMapping> constraintMappings, Set<String> roles)
    Process the constraints following the combining rules in Servlet 3.0 EA spec section 13.7.1. Note that much of the logic is in the Constraint class.
    void
    setConstraintMappings(ConstraintMapping[] constraintMappings)
    Process the constraints following the combining rules in Servlet 3.0 EA spec section 13.7.1. Note that much of the logic is in the Constraint class.
    void
    setDenyUncoveredHttpMethods(boolean deny)
    See Servlet Spec 3.1, sec 13.8.4, pg 145. When true, requests with HTTP methods not explicitly covered, either by inclusion or by omission in constraints, will have access denied.
    void
    setRoles(Set<String> roles)
    Set the known roles.

    Methods inherited from class org.eclipse.jetty.security.SecurityHandler

    findIdentityService, findLoginService, getAuthenticationType, getAuthenticator, getAuthenticatorFactory, getCurrentSecurityHandler, getIdentityService, getKnownAuthenticatorFactories, getLoginService, getParameter, getParameterNames, getRealmName, getSessionMaxInactiveIntervalOnAuthentication, handle, isAuthorized, isSessionRenewedOnAuthentication, redirectToSecure, setAuthenticationType, setAuthenticator, setAuthenticatorFactory, setIdentityService, setLoginService, setParameter, setRealmName, setSessionMaxInactiveIntervalOnAuthentication, setSessionRenewedOnAuthentication

    Methods inherited from class org.eclipse.jetty.server.Handler.Wrapper

    getHandler, getInvocationType, setHandler

    Methods inherited from class org.eclipse.jetty.server.Handler.AbstractContainer

    findContainerOf, getDescendant, getDescendants, isDynamic, setDynamic, setServer

    Methods inherited from class org.eclipse.jetty.server.Handler.Abstract

    destroy, getServer

    Methods inherited from class org.eclipse.jetty.util.component.ContainerLifeCycle

    addBean, addBean, addEventListener, addManaged, contains, dump, dump, dumpObjects, dumpStdErr, getBean, getBeans, getBeans, getContainedBeans, getContainedBeans, installBean, installBean, isAuto, isManaged, isUnmanaged, manage, removeBean, removeBeans, removeEventListener, setBeans, start, stop, unmanage, updateBean, updateBean, updateBeans, updateBeans

    Methods inherited from class org.eclipse.jetty.util.component.AbstractLifeCycle

    getEventListeners, getState, getState, isFailed, isRunning, isStarted, isStarting, isStopped, isStopping, setEventListeners, start, stop, toString

    Methods inherited from class Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

    Methods inherited from interface org.eclipse.jetty.util.component.Container

    getCachedBeans, getEventListeners

    Methods inherited from interface org.eclipse.jetty.util.component.Destroyable

    destroy

    Methods inherited from interface org.eclipse.jetty.util.component.Dumpable

    dumpSelf

    Methods inherited from interface org.eclipse.jetty.util.component.Dumpable.DumpableContainer

    isDumpable

    Methods inherited from interface org.eclipse.jetty.server.Handler

    getServer, setServer

    Methods inherited from interface org.eclipse.jetty.server.Handler.Container

    getContainer, getDescendant, getDescendants, getDescendants

    Methods inherited from interface org.eclipse.jetty.server.Handler.Singleton

    getHandlers, getTail, insertHandler, setHandler

    Methods inherited from interface org.eclipse.jetty.util.component.LifeCycle

    addEventListener, isFailed, isRunning, isStarted, isStarting, isStopped, isStopping, removeEventListener, start, stop
  • Field Details

  • Constructor Details

    • ConstraintSecurityHandler

      public ConstraintSecurityHandler()
  • Method Details

    • getConstraint

      protected org.eclipse.jetty.security.Constraint getConstraint(String pathInContext, org.eclipse.jetty.server.Request request)
      Specified by:
      getConstraint in class org.eclipse.jetty.security.SecurityHandler
    • createConstraint

      public static org.eclipse.jetty.security.Constraint createConstraint(String name, jakarta.servlet.HttpConstraintElement element)
      Create a Constraint
      Parameters:
      name - the name
      element - the http constraint element
      Returns:
      the created constraint
    • createConstraint

      public static org.eclipse.jetty.security.Constraint createConstraint(String name, String[] rolesAllowed, jakarta.servlet.annotation.ServletSecurity.EmptyRoleSemantic permitOrDeny, jakarta.servlet.annotation.ServletSecurity.TransportGuarantee transport)
      Create Constraint
      Parameters:
      name - the name
      rolesAllowed - the list of allowed roles
      permitOrDeny - the permission semantic
      transport - the transport guarantee
      Returns:
      the created constraint
    • removeConstraintMappingsForPath

      public static List<ConstraintMapping> removeConstraintMappingsForPath(String pathSpec, List<ConstraintMapping> constraintMappings)
      Take out of the constraint mappings those that match the given path.
      Parameters:
      pathSpec - the path spec
      constraintMappings - the list of constraint mappings
      Returns:
      a new list minus the matching constraints
    • createConstraintsWithMappingsForPath

      public static List<ConstraintMapping> createConstraintsWithMappingsForPath(String name, String pathSpec, jakarta.servlet.ServletSecurityElement securityElement)
      Generate Constraints and ConstraintMappings for the given url pattern and ServletSecurityElement
      Parameters:
      name - the name
      pathSpec - the path spec
      securityElement - the servlet security element
      Returns:
      the list of constraint mappings
    • getConstraintMappings

      public List<ConstraintMapping> getConstraintMappings()
      Specified by:
      getConstraintMappings in interface ConstraintAware
    • getKnownRoles

      public Set<String> getKnownRoles()
      Specified by:
      getKnownRoles in interface ConstraintAware
      Overrides:
      getKnownRoles in class org.eclipse.jetty.security.SecurityHandler
    • setConstraintMappings

      public void setConstraintMappings(List<ConstraintMapping> constraintMappings)
      Process the constraints following the combining rules in Servlet 3.0 EA spec section 13.7.1. Note that much of the logic is in the Constraint class.
      Parameters:
      constraintMappings - The constraintMappings to set, from which the set of known roles is determined.
    • setConstraintMappings

      public void setConstraintMappings(ConstraintMapping[] constraintMappings)
      Process the constraints following the combining rules in Servlet 3.0 EA spec section 13.7.1. Note that much of the logic is in the Constraint class.
      Parameters:
      constraintMappings - The constraintMappings to set as array, from which the set of known roles is determined. Needed to retain API compatibility for 7.x.
    • setConstraintMappings

      public void setConstraintMappings(List<ConstraintMapping> constraintMappings, Set<String> roles)
      Process the constraints following the combining rules in Servlet 3.0 EA spec section 13.7.1. Note that much of the logic is in the Constraint class.
      Specified by:
      setConstraintMappings in interface ConstraintAware
      Parameters:
      constraintMappings - The constraintMappings to set.
      roles - The known roles (or null to determine them from the mappings)
    • setRoles

      public void setRoles(Set<String> roles)
      Set the known roles. This may be overridden by a subsequent call to setConstraintMappings(ConstraintMapping[]) or setConstraintMappings(List, Set).
      Parameters:
      roles - The known roles (or null to determine them from the mappings)
    • addConstraintMapping

      public void addConstraintMapping(ConstraintMapping mapping)
      Description copied from interface: ConstraintAware
      Add a Constraint Mapping. May be called on a running web application as an annotated servlet is instantiated.
      Specified by:
      addConstraintMapping in interface ConstraintAware
      Parameters:
      mapping - the mapping
    • addKnownRole

      public void addKnownRole(String role)
      Description copied from interface: ConstraintAware
      Add a Role definition. May be called on a running web application as an annotated servlet is instantiated.
      Specified by:
      addKnownRole in interface ConstraintAware
      Parameters:
      role - the role
    • doStart

      protected void doStart() throws Exception
      Overrides:
      doStart in class org.eclipse.jetty.security.SecurityHandler
      Throws:
      Exception
    • doStop

      protected void doStop() throws Exception
      Overrides:
      doStop in class org.eclipse.jetty.security.SecurityHandler
      Throws:
      Exception
    • combineServletConstraints

      protected org.eclipse.jetty.security.Constraint combineServletConstraints(org.eclipse.jetty.security.Constraint constraintA, org.eclipse.jetty.security.Constraint constraintB)

      Combine constraints as per the servlet specification. This is NOT equivalent to Constraint.combine(Constraint, Constraint), which implements a more secure combination.

      Parameters:
      constraintA - A constraint
      constraintB - B constraint
      Returns:
      The combination as per the servlet specification.
    • processConstraintMapping

      protected void processConstraintMapping(ConstraintMapping mapping)
      Create and combine the constraint with the existing processed constraints.
      Parameters:
      mapping - the constraint mapping
    • processConstraintMappingWithMethodOmissions

      protected void processConstraintMappingWithMethodOmissions(ConstraintMapping mapping, Map<String, org.eclipse.jetty.security.Constraint> mappings)
      Constraints that name method omissions are dealt with differently. We create an entry in the mappings with key "<method>.omission". This entry is only ever combined with other omissions for the same method to produce a consolidated Constraint. Then, when we wish to find the relevant constraints for a given Request (in prepareConstraintInfo()), we consult 3 types of entries in the mappings: (1) an entry that names the method of the Request specifically; (2) an entry that names constraints that apply to all methods; (3) entries of the form <method>.omission, where the method of the Request is not named in the omission.
      Parameters:
      mapping - the constraint mapping
      mappings - the mappings of roles
    • dump

      public void dump(Appendable out, String indent) throws IOException
      Specified by:
      dump in interface org.eclipse.jetty.util.component.Dumpable
      Overrides:
      dump in class org.eclipse.jetty.util.component.ContainerLifeCycle
      Throws:
      IOException
    • setDenyUncoveredHttpMethods

      public void setDenyUncoveredHttpMethods(boolean deny)
      Description copied from interface: ConstraintAware
      See Servlet Spec 3.1, sec 13.8.4, pg 145. When true, requests with HTTP methods not explicitly covered, either by inclusion or by omission in constraints, will have access denied.
      Specified by:
      setDenyUncoveredHttpMethods in interface ConstraintAware
      Parameters:
      deny - true for denied method access
    • isDenyUncoveredHttpMethods

      public boolean isDenyUncoveredHttpMethods()
      Specified by:
      isDenyUncoveredHttpMethods in interface ConstraintAware
    • checkPathsWithUncoveredHttpMethods

      public boolean checkPathsWithUncoveredHttpMethods()
      Servlet spec 3.1 pg. 147.
      Specified by:
      checkPathsWithUncoveredHttpMethods in interface ConstraintAware
      Returns:
      true if there are URLs with uncovered HTTP methods
    • getPathsWithUncoveredHttpMethods

      public Set<String> getPathsWithUncoveredHttpMethods()
      Servlet spec 3.1 pg. 147. The container must check all the combined security constraint information and log any methods that are not protected and the URLs at which they are not protected.
      Returns:
      Set of paths for which there are uncovered methods
    • omissionsExist

      protected boolean omissionsExist(Map<String, org.eclipse.jetty.security.Constraint> methodMappings)
      Check if any http method omissions exist in the list of method to auth info mappings.
      Parameters:
      methodMappings - the method mappings
      Returns:
      true if omissions exist
    • getOmittedMethods

      protected Set<String> getOmittedMethods(String omission)
      Given a string of the form <method>.<method>.omission, split out the individual method names.
      Parameters:
      omission - the method
      Returns:
      the set of strings
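
The three-way lookup described under processConstraintMappingWithMethodOmissions, and the uncovered-method condition that setDenyUncoveredHttpMethods addresses, modelled as a self-contained sketch. This is an added example, not Jetty's code: the class name, the "*" all-methods key, the "<other>" placeholder and the constraint labels are assumptions; only the ".omission" key format comes from this page.

```java
import java.util.*;

// Added sketch, not Jetty's code: a per-path map of method key -> constraint label.
public class MethodOmissionModel {
    static final String OMISSION_SUFFIX = ".omission"; // key format described on this page
    static final String ALL_METHODS = "*";   // assumed key for "applies to all methods"
    static final String OTHER = "<other>";   // stands for any method that no key names

    // Split "GET.HEAD.omission" into [GET, HEAD].
    static Set<String> omittedMethods(String key) {
        String names = key.substring(0, key.length() - OMISSION_SUFFIX.length());
        return new TreeSet<>(Arrays.asList(names.split("\\.")));
    }

    // Collect the three kinds of entry consulted for one request method.
    static List<String> applicable(Map<String, String> mappings, String method) {
        List<String> hits = new ArrayList<>();
        if (mappings.containsKey(method))
            hits.add(mappings.get(method));          // names this method specifically
        if (mappings.containsKey(ALL_METHODS))
            hits.add(mappings.get(ALL_METHODS));     // applies to all methods
        for (Map.Entry<String, String> e : mappings.entrySet()) {
            String key = e.getKey();
            if (key.endsWith(OMISSION_SUFFIX) && !omittedMethods(key).contains(method))
                hits.add(e.getValue());              // omission that does not name it
        }
        return hits;
    }

    // Methods that reach none of the three entry kinds: these are the uncovered ones.
    static Set<String> uncoveredMethods(Map<String, String> mappings) {
        Set<String> candidates = new TreeSet<>(Set.of(OTHER));
        for (String key : mappings.keySet()) {
            if (key.endsWith(OMISSION_SUFFIX))
                candidates.addAll(omittedMethods(key));
            else if (!key.equals(ALL_METHODS))
                candidates.add(key);
        }
        candidates.removeIf(m -> !applicable(mappings, m).isEmpty());
        return candidates;
    }

    public static void main(String[] args) {
        // Constructed samples for one path, e.g. /admin/*.
        Map<String, String> getOnly = Map.of("GET", "role:admin");
        Map<String, String> omitted = Map.of("GET.HEAD.omission", "role:admin");
        Map<String, String> closed = Map.of(
            "GET.HEAD.omission", "role:admin", "GET", "any-user", "HEAD", "any-user");

        for (Map<String, String> m : List.of(getOnly, omitted, closed)) {
            System.out.println(m.keySet() + " DELETE -> " + applicable(m, "DELETE")
                + ", uncovered: " + uncoveredMethods(m));
        }
    }
}
```

A non-empty uncovered set for a path is the case in which, with setDenyUncoveredHttpMethods(true), requests using those methods have access denied.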