private SecurityPathMatches buildSecurityConstraints() { SecurityPathMatches.Builder builder = SecurityPathMatches.builder(super.getDeployment().getDeploymentInfo()); final Set<String> urlPatterns = new HashSet<>(); for (SecurityConstraint constraint : super.getDeployment().getDeploymentInfo().getSecurityConstraints()) { builder.addSecurityConstraint(constraint); for (WebResourceCollection webResources : constraint.getWebResourceCollections()) { urlPatterns.addAll(webResources.getUrlPatterns()); } } for (final ServletInfo servlet : super.getDeployment().getDeploymentInfo().getServlets().values()) { final ServletSecurityInfo securityInfo = servlet.getServletSecurityInfo(); if (securityInfo != null) { final Set<String> mappings = new HashSet<>(servlet.getMappings()); mappings.removeAll(urlPatterns); if (!mappings.isEmpty()) { final Set<String> methods = new HashSet<>(); for (HttpMethodSecurityInfo method : securityInfo.getHttpMethodSecurityInfo()) { methods.add(method.getMethod()); if (method.getRolesAllowed().isEmpty() && method.getEmptyRoleSemantic() == EmptyRoleSemantic.PERMIT) { // this is an implict allow continue; } SecurityConstraint newConstraint = new SecurityConstraint() .addRolesAllowed(method.getRolesAllowed()) .setTransportGuaranteeType(method.getTransportGuaranteeType()) .addWebResourceCollection( new WebResourceCollection() .addUrlPatterns(mappings) .addHttpMethod(method.getMethod())); builder.addSecurityConstraint(newConstraint); } // now add the constraint, unless it has all default values and method constrains where // specified if (!securityInfo.getRolesAllowed().isEmpty() || securityInfo.getEmptyRoleSemantic() != EmptyRoleSemantic.PERMIT || methods.isEmpty()) { SecurityConstraint newConstraint = new SecurityConstraint() .setEmptyRoleSemantic(securityInfo.getEmptyRoleSemantic()) .addRolesAllowed(securityInfo.getRolesAllowed()) .setTransportGuaranteeType(securityInfo.getTransportGuaranteeType()) .addWebResourceCollection( new WebResourceCollection() .addUrlPatterns(mappings) .addHttpMethodOmissions(methods)); builder.addSecurityConstraint(newConstraint); } } } } return builder.build(); }
/** * sets up the outer security handlers. * * <p>the handler that actually performs the access check happens later in the chain, it is not * setup here * * @param initialHandler The handler to wrap with security handlers */ private HttpHandler setupSecurityHandlers(HttpHandler initialHandler) { final DeploymentInfo deploymentInfo = deployment.getDeploymentInfo(); final LoginConfig loginConfig = deploymentInfo.getLoginConfig(); HttpHandler current = initialHandler; final SecurityPathMatches securityPathMatches = buildSecurityConstraints(); current = new AuthenticationCallHandler(current); if (!securityPathMatches.isEmpty()) { current = new ServletAuthenticationConstraintHandler(current); } current = new ServletConfidentialityConstraintHandler( deploymentInfo.getConfidentialPortManager(), current); if (!securityPathMatches.isEmpty()) { current = new ServletSecurityConstraintHandler(securityPathMatches, current); } final String mechName; if (loginConfig != null) { List<AuthenticationMechanism> authenticationMechanisms = new LinkedList<AuthenticationMechanism>(); authenticationMechanisms.add(new CachedAuthenticatedSessionMechanism()); mechName = loginConfig.getAuthMethod(); if (mechName.equalsIgnoreCase(BASIC_AUTH)) { // The mechanism name is passed in from the HttpServletRequest interface as the name // reported needs to be comparable using '==' authenticationMechanisms.add( new BasicAuthenticationMechanism(loginConfig.getRealmName(), BASIC_AUTH)); } else if (mechName.equalsIgnoreCase(FORM_AUTH)) { // The mechanism name is passed in from the HttpServletRequest interface as the name // reported needs to be comparable using '==' authenticationMechanisms.add( new ServletFormAuthenticationMechanism( FORM_AUTH, loginConfig.getLoginPage(), loginConfig.getErrorPage())); } else if (mechName.equalsIgnoreCase(CLIENT_CERT_AUTH)) { authenticationMechanisms.add(new ClientCertAuthenticationMechanism(CLIENT_CERT_AUTH)); } else { // NYI } current = new AuthenticationMechanismsHandler(current, authenticationMechanisms); } else { mechName = null; } current = new CachedAuthenticatedSessionHandler(current, this.deployment.getServletContext()); List<NotificationReceiver> notificationReceivers = deploymentInfo.getNotificationReceivers(); if (notificationReceivers.isEmpty() == false) { current = new NotificationReceiverHandler(current, notificationReceivers); } // TODO - A switch to constraint driven could be configurable, however before we can support // that with servlets we would // need additional tracking within sessions if a servlet has specifically requested that // authentication occurs. current = new SecurityInitialHandler( AuthenticationMode.PRO_ACTIVE, deploymentInfo.getIdentityManager(), mechName, current); return current; }
private HttpHandler setupSecurityHandlers(HttpHandler initialHandler) { final DeploymentInfo deploymentInfo = super.getDeployment().getDeploymentInfo(); final LoginConfig loginConfig = deploymentInfo.getLoginConfig(); final Map<String, AuthenticationMechanismFactory> factoryMap = new HashMap<>(deploymentInfo.getAuthenticationMechanisms()); if (!factoryMap.containsKey(BASIC_AUTH)) { factoryMap.put(BASIC_AUTH, BasicAuthenticationMechanism.FACTORY); } if (!factoryMap.containsKey(FORM_AUTH)) { factoryMap.put(FORM_AUTH, ServletFormAuthenticationMechanism.FACTORY); } if (!factoryMap.containsKey(DIGEST_AUTH)) { factoryMap.put(DIGEST_AUTH, DigestAuthenticationMechanism.FACTORY); } if (!factoryMap.containsKey(CLIENT_CERT_AUTH)) { factoryMap.put(CLIENT_CERT_AUTH, ClientCertAuthenticationMechanism.FACTORY); } if (!factoryMap.containsKey(ExternalAuthenticationMechanism.NAME)) { factoryMap.put(ExternalAuthenticationMechanism.NAME, ExternalAuthenticationMechanism.FACTORY); } HttpHandler current = initialHandler; current = new SSLInformationAssociationHandler(current); final SecurityPathMatches securityPathMatches = buildSecurityConstraints(); current = new ServletAuthenticationCallHandler(current); if (deploymentInfo.isDisableCachingForSecuredPages()) { current = Handlers.predicate(Predicates.authRequired(), Handlers.disableCache(current), current); } if (!securityPathMatches.isEmpty()) { current = new ServletAuthenticationConstraintHandler(current); } current = new ServletConfidentialityConstraintHandler( deploymentInfo.getConfidentialPortManager(), current); if (!securityPathMatches.isEmpty()) { current = new ServletSecurityConstraintHandler(securityPathMatches, current); } List<AuthenticationMechanism> authenticationMechanisms = new LinkedList<>(); authenticationMechanisms.add( new CachedAuthenticatedSessionMechanism()); // TODO: does this really need to be hard coded? String mechName = null; if (loginConfig != null || deploymentInfo.getJaspiAuthenticationMechanism() != null) { // we don't allow multipart requests, and always use the default encoding FormParserFactory parser = FormParserFactory.builder(false) .addParser( new FormEncodedDataDefinition() .setDefaultEncoding(deploymentInfo.getDefaultEncoding())) .build(); List<AuthMethodConfig> authMethods = Collections.<AuthMethodConfig>emptyList(); if (loginConfig != null) { authMethods = loginConfig.getAuthMethods(); } for (AuthMethodConfig method : authMethods) { AuthenticationMechanismFactory factory = factoryMap.get(method.getName()); if (factory == null) { throw UndertowServletMessages.MESSAGES.unknownAuthenticationMechanism(method.getName()); } if (mechName == null) { mechName = method.getName(); } final Map<String, String> properties = new HashMap<>(); properties.put( AuthenticationMechanismFactory.CONTEXT_PATH, deploymentInfo.getContextPath()); properties.put(AuthenticationMechanismFactory.REALM, loginConfig.getRealmName()); properties.put(AuthenticationMechanismFactory.ERROR_PAGE, loginConfig.getErrorPage()); properties.put(AuthenticationMechanismFactory.LOGIN_PAGE, loginConfig.getLoginPage()); properties.putAll(method.getProperties()); String name = method.getName().toUpperCase(Locale.US); // The mechanism name is passed in from the HttpServletRequest interface as the name // reported needs to be // comparable using '==' name = name.equals(FORM_AUTH) ? FORM_AUTH : name; name = name.equals(BASIC_AUTH) ? BASIC_AUTH : name; name = name.equals(DIGEST_AUTH) ? DIGEST_AUTH : name; name = name.equals(CLIENT_CERT_AUTH) ? CLIENT_CERT_AUTH : name; authenticationMechanisms.add(factory.create(name, parser, properties)); } } ((DeploymentImpl) super.getDeployment()).setAuthenticationMechanisms(authenticationMechanisms); // if the JASPI auth mechanism is set then it takes over if (deploymentInfo.getJaspiAuthenticationMechanism() == null) { current = new AuthenticationMechanismsHandler(current, authenticationMechanisms); } else { current = new AuthenticationMechanismsHandler( current, Collections.<AuthenticationMechanism>singletonList( deploymentInfo.getJaspiAuthenticationMechanism())); } current = new CachedAuthenticatedSessionHandler(current, super.getDeployment().getServletContext()); List<NotificationReceiver> notificationReceivers = deploymentInfo.getNotificationReceivers(); if (!notificationReceivers.isEmpty()) { current = new NotificationReceiverHandler(current, notificationReceivers); } // TODO - A switch to constraint driven could be configurable, however before we can support // that with servlets we would // need additional tracking within sessions if a servlet has specifically requested that // authentication occurs. SecurityContextFactory contextFactory = deploymentInfo.getSecurityContextFactory(); if (contextFactory == null) { contextFactory = SecurityContextFactoryImpl.INSTANCE; } current = new SecurityInitialHandler( AuthenticationMode.PRO_ACTIVE, deploymentInfo.getIdentityManager(), mechName, contextFactory, current); return current; }