jbossweb-commits July 2013

jbossweb-commits@lists.jboss.org

1 participants
11 discussions

JBossWeb SVN: r2227 - in branches/8.0.x/src/main/java/org: apache/catalina/core and 3 other directories.

by jbossweb-commits＠lists.jboss.org

Author: remy.maucherat(a)jboss.com Date: 2013-07-04 05:55:49 -0400 (Thu, 04 Jul 2013) New Revision: 2227 Modified: branches/8.0.x/src/main/java/org/apache/catalina/Context.java branches/8.0.x/src/main/java/org/apache/catalina/core/StandardContext.java branches/8.0.x/src/main/java/org/apache/catalina/deploy/SecurityConstraint.java branches/8.0.x/src/main/java/org/apache/catalina/startup/ContextConfig.java branches/8.0.x/src/main/java/org/jboss/web/CatalinaLogger.java Log: Adapt omitted methods code from Tomcat. Modified: branches/8.0.x/src/main/java/org/apache/catalina/Context.java =================================================================== --- branches/8.0.x/src/main/java/org/apache/catalina/Context.java 2013-06-21 00:49:29 UTC (rev 2226) +++ branches/8.0.x/src/main/java/org/apache/catalina/Context.java 2013-07-04 09:55:49 UTC (rev 2227) @@ -289,6 +289,20 @@ /** + * Return the deny-uncovered-http-methods flag for this web application. + */ + public boolean getDenyUncoveredHttpMethods(); + + + /** + * Set the deny-uncovered-http-methods flag for this web application. + * + * @param denyUncoveredHttpMethods The new deny-uncovered-http-methods flag + */ + public void setDenyUncoveredHttpMethods(boolean denyUncoveredHttpMethods); + + + /** * Return the display name of this web application. */ public String getDisplayName(); Modified: branches/8.0.x/src/main/java/org/apache/catalina/core/StandardContext.java =================================================================== --- branches/8.0.x/src/main/java/org/apache/catalina/core/StandardContext.java 2013-06-21 00:49:29 UTC (rev 2226) +++ branches/8.0.x/src/main/java/org/apache/catalina/core/StandardContext.java 2013-07-04 09:55:49 UTC (rev 2227) @@ -319,6 +319,9 @@ protected String encodedPath = null; + private boolean denyUncoveredHttpMethods; + + /** * The display name of this web application. */ @@ -1064,6 +1067,16 @@ this.tldScanTime = tldScanTime; } + @Override + public boolean getDenyUncoveredHttpMethods() { + return denyUncoveredHttpMethods; + } + + @Override + public void setDenyUncoveredHttpMethods(boolean denyUncoveredHttpMethods) { + this.denyUncoveredHttpMethods = denyUncoveredHttpMethods; + } + /** * Return the display name of this web application. */ Modified: branches/8.0.x/src/main/java/org/apache/catalina/deploy/SecurityConstraint.java =================================================================== --- branches/8.0.x/src/main/java/org/apache/catalina/deploy/SecurityConstraint.java 2013-06-21 00:49:29 UTC (rev 2226) +++ branches/8.0.x/src/main/java/org/apache/catalina/deploy/SecurityConstraint.java 2013-07-04 09:55:49 UTC (rev 2227) @@ -19,8 +19,17 @@ package org.apache.catalina.deploy; import java.io.Serializable; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.HashMap; +import java.util.HashSet; +import java.util.List; +import java.util.Map; +import java.util.Set; +import org.jboss.web.CatalinaLogger; + /** * Representation of a security constraint element for a web application, * as represented in a <code><security-constraint></code> element in the @@ -509,4 +518,168 @@ } + public static SecurityConstraint[] findUncoveredHttpMethods( + SecurityConstraint[] constraints, + boolean denyUncoveredHttpMethods) { + + Set<String> coveredPatterns = new HashSet<>(); + Map<String,Set<String>> urlMethodMap = new HashMap<>(); + Map<String,Set<String>> urlOmittedMethodMap = new HashMap<>(); + + List<SecurityConstraint> newConstraints = new ArrayList<>(); + + // First build the lists of covered patterns and those patterns that + // might be uncovered + for (SecurityConstraint constraint : constraints) { + SecurityCollection[] collections = constraint.findCollections(); + for (SecurityCollection collection : collections) { + String[] patterns = collection.findPatterns(); + String[] methods = collection.findMethods(); + String[] omittedMethods = collection.findMethodOmissions(); + // Simple case: no methods + if (methods.length == 0 && omittedMethods.length == 0) { + for (String pattern : patterns) { + coveredPatterns.add(pattern); + } + continue; + } + + // Pre-calculate so we don't do this for every iteration of the + // following loop + List<String> omNew = null; + if (omittedMethods.length != 0) { + omNew = Arrays.asList(omittedMethods); + } + + // Only need to process uncovered patterns + for (String pattern : patterns) { + if (!coveredPatterns.contains(pattern)) { + if (methods.length == 0) { + // Build the interset of omitted methods for this + // pattern + Set<String> om = urlOmittedMethodMap.get(pattern); + if (om == null) { + om = new HashSet<>(); + urlOmittedMethodMap.put(pattern, om); + om.addAll(omNew); + } else { + om.retainAll(omNew); + } + } else { + // Build the union of methods for this pattern + Set<String> m = urlMethodMap.get(pattern); + if (m == null) { + m = new HashSet<>(); + urlMethodMap.put(pattern, m); + } + for (String method : methods) { + m.add(method); + } + } + } + } + } + } + + // Now check the potentially uncovered patterns + for (Map.Entry<String, Set<String>> entry : urlMethodMap.entrySet()) { + String pattern = entry.getKey(); + if (coveredPatterns.contains(pattern)) { + // Fully covered. Ignore any partial coverage + urlOmittedMethodMap.remove(pattern); + continue; + } + + Set<String> omittedMethods = urlOmittedMethodMap.remove(pattern); + Set<String> methods = entry.getValue(); + + if (omittedMethods == null) { + StringBuilder msg = new StringBuilder(); + for (String method : methods) { + msg.append(method); + msg.append(' '); + } + if (denyUncoveredHttpMethods) { + CatalinaLogger.STARTUP_LOGGER.addingUncoveredMethodConstraint(pattern, msg.toString().trim()); + SecurityCollection collection = new SecurityCollection(); + for (String method : methods) { + collection.addMethodOmission(method); + } + collection.addPattern(pattern); + collection.setName("deny-uncovered-http-methods"); + SecurityConstraint constraint = new SecurityConstraint(); + constraint.setAuthConstraint(true); + constraint.addCollection(collection); + newConstraints.add(constraint); + } else { + CatalinaLogger.STARTUP_LOGGER.uncoveredMethodWarning(pattern, msg.toString().trim()); + } + continue; + } + + // As long as every omitted method as a corresponding method the + // pattern is fully covered. + omittedMethods.removeAll(methods); + + if (omittedMethods.size() > 0) { + StringBuilder msg = new StringBuilder(); + for (String method : omittedMethods) { + msg.append(method); + msg.append(' '); + } + if (denyUncoveredHttpMethods) { + CatalinaLogger.STARTUP_LOGGER.addingUncoveredOmittedMethodConstraint(pattern, msg.toString().trim()); + SecurityCollection collection = new SecurityCollection(); + for (String method : omittedMethods) { + collection.addMethod(method); + } + collection.addPattern(pattern); + collection.setName("deny-uncovered-http-methods"); + SecurityConstraint constraint = new SecurityConstraint(); + constraint.setAuthConstraint(true); + constraint.addCollection(collection); + newConstraints.add(constraint); + } else { + CatalinaLogger.STARTUP_LOGGER.uncoveredOmittedMethodWarning(pattern, msg.toString().trim()); + } + } + } + for (Map.Entry<String, Set<String>> entry : + urlOmittedMethodMap.entrySet()) { + String pattern = entry.getKey(); + if (coveredPatterns.contains(pattern)) { + // Fully covered. Ignore any partial coverage + continue; + } + + Set<String> omittedMethods = entry.getValue(); + + if (omittedMethods.size() > 0) { + StringBuilder msg = new StringBuilder(); + for (String method : omittedMethods) { + msg.append(method); + msg.append(' '); + } + if (denyUncoveredHttpMethods) { + CatalinaLogger.STARTUP_LOGGER.addingUncoveredOmittedMethodConstraint(pattern, msg.toString().trim()); + SecurityCollection collection = new SecurityCollection(); + for (String method : omittedMethods) { + collection.addMethod(method); + } + collection.addPattern(pattern); + collection.setName("deny-uncovered-http-methods"); + SecurityConstraint constraint = new SecurityConstraint(); + constraint.setAuthConstraint(true); + constraint.addCollection(collection); + newConstraints.add(constraint); + } else { + CatalinaLogger.STARTUP_LOGGER.uncoveredOmittedMethodWarning(pattern, msg.toString().trim()); + } + } + } + + return newConstraints.toArray( + new SecurityConstraint[newConstraints.size()]); + } + } Modified: branches/8.0.x/src/main/java/org/apache/catalina/startup/ContextConfig.java =================================================================== --- branches/8.0.x/src/main/java/org/apache/catalina/startup/ContextConfig.java 2013-06-21 00:49:29 UTC (rev 2226) +++ branches/8.0.x/src/main/java/org/apache/catalina/startup/ContextConfig.java 2013-07-04 09:55:49 UTC (rev 2227) @@ -639,6 +639,13 @@ } } + // Add constraints for uncovered methods, if needed + SecurityConstraint[] newConstraints = + SecurityConstraint.findUncoveredHttpMethods(context.findConstraints(), + context.getDenyUncoveredHttpMethods()); + for (SecurityConstraint constraint : newConstraints) { + context.addConstraint(constraint); + } } Modified: branches/8.0.x/src/main/java/org/jboss/web/CatalinaLogger.java =================================================================== --- branches/8.0.x/src/main/java/org/jboss/web/CatalinaLogger.java 2013-06-21 00:49:29 UTC (rev 2226) +++ branches/8.0.x/src/main/java/org/jboss/web/CatalinaLogger.java 2013-07-04 09:55:49 UTC (rev 2227) @@ -689,4 +689,20 @@ @Message(id = 1150, value = "X param in wrong format. Needs to be 'x-#(...)'") void extendedAccessLogBadXParam(); + @LogMessage(level = INFO) + @Message(id = 1151, value = "Adding security constraints with URL pattern [%s] to deny access with the uncovered HTTP methods that are not one of the following [%s]") + void addingUncoveredMethodConstraint(String urlPattern, String method); + + @LogMessage(level = ERROR) + @Message(id = 1152, value = "For security constraints with URL pattern [%s] only the HTTP methods [%s] are covered. All other methods are uncovered.") + void uncoveredMethodWarning(String urlPattern, String method); + + @LogMessage(level = INFO) + @Message(id = 1153, value = "Adding security constraints with URL pattern [%s] to deny access with the uncovered HTTP methods [%s]") + void addingUncoveredOmittedMethodConstraint(String urlPattern, String method); + + @LogMessage(level = ERROR) + @Message(id = 1154, value = "For security constraints with URL pattern [%s] the HTTP methods [%s] are uncovered.") + void uncoveredOmittedMethodWarning(String urlPattern, String method); + }

11 years, 8 months

1
0
0 / 0

← Newer
1
2
Older →

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

jbossweb-commits July 2013