[jbossweb-commits] JBossWeb SVN: r2227 - in branches/8.0.x/src/main/java/org: apache/catalina/core and 3 other directories.
jbossweb-commits at lists.jboss.org
jbossweb-commits at lists.jboss.org
Thu Jul 4 05:55:50 EDT 2013
Author: remy.maucherat at jboss.com
Date: 2013-07-04 05:55:49 -0400 (Thu, 04 Jul 2013)
New Revision: 2227
Modified:
branches/8.0.x/src/main/java/org/apache/catalina/Context.java
branches/8.0.x/src/main/java/org/apache/catalina/core/StandardContext.java
branches/8.0.x/src/main/java/org/apache/catalina/deploy/SecurityConstraint.java
branches/8.0.x/src/main/java/org/apache/catalina/startup/ContextConfig.java
branches/8.0.x/src/main/java/org/jboss/web/CatalinaLogger.java
Log:
Adapt omitted methods code from Tomcat.
Modified: branches/8.0.x/src/main/java/org/apache/catalina/Context.java
===================================================================
--- branches/8.0.x/src/main/java/org/apache/catalina/Context.java 2013-06-21 00:49:29 UTC (rev 2226)
+++ branches/8.0.x/src/main/java/org/apache/catalina/Context.java 2013-07-04 09:55:49 UTC (rev 2227)
@@ -289,6 +289,20 @@
/**
+ * Return the deny-uncovered-http-methods flag for this web application.
+ */
+ public boolean getDenyUncoveredHttpMethods();
+
+
+ /**
+ * Set the deny-uncovered-http-methods flag for this web application.
+ *
+ * @param denyUncoveredHttpMethods The new deny-uncovered-http-methods flag
+ */
+ public void setDenyUncoveredHttpMethods(boolean denyUncoveredHttpMethods);
+
+
+ /**
* Return the display name of this web application.
*/
public String getDisplayName();
Modified: branches/8.0.x/src/main/java/org/apache/catalina/core/StandardContext.java
===================================================================
--- branches/8.0.x/src/main/java/org/apache/catalina/core/StandardContext.java 2013-06-21 00:49:29 UTC (rev 2226)
+++ branches/8.0.x/src/main/java/org/apache/catalina/core/StandardContext.java 2013-07-04 09:55:49 UTC (rev 2227)
@@ -319,6 +319,9 @@
protected String encodedPath = null;
+ private boolean denyUncoveredHttpMethods;
+
+
/**
* The display name of this web application.
*/
@@ -1064,6 +1067,16 @@
this.tldScanTime = tldScanTime;
}
+ @Override
+ public boolean getDenyUncoveredHttpMethods() {
+ return denyUncoveredHttpMethods;
+ }
+
+ @Override
+ public void setDenyUncoveredHttpMethods(boolean denyUncoveredHttpMethods) {
+ this.denyUncoveredHttpMethods = denyUncoveredHttpMethods;
+ }
+
/**
* Return the display name of this web application.
*/
Modified: branches/8.0.x/src/main/java/org/apache/catalina/deploy/SecurityConstraint.java
===================================================================
--- branches/8.0.x/src/main/java/org/apache/catalina/deploy/SecurityConstraint.java 2013-06-21 00:49:29 UTC (rev 2226)
+++ branches/8.0.x/src/main/java/org/apache/catalina/deploy/SecurityConstraint.java 2013-07-04 09:55:49 UTC (rev 2227)
@@ -19,8 +19,17 @@
package org.apache.catalina.deploy;
import java.io.Serializable;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import org.jboss.web.CatalinaLogger;
+
/**
* Representation of a security constraint element for a web application,
* as represented in a <code><security-constraint></code> element in the
@@ -509,4 +518,168 @@
}
+ public static SecurityConstraint[] findUncoveredHttpMethods(
+ SecurityConstraint[] constraints,
+ boolean denyUncoveredHttpMethods) {
+
+ Set<String> coveredPatterns = new HashSet<>();
+ Map<String,Set<String>> urlMethodMap = new HashMap<>();
+ Map<String,Set<String>> urlOmittedMethodMap = new HashMap<>();
+
+ List<SecurityConstraint> newConstraints = new ArrayList<>();
+
+ // First build the lists of covered patterns and those patterns that
+ // might be uncovered
+ for (SecurityConstraint constraint : constraints) {
+ SecurityCollection[] collections = constraint.findCollections();
+ for (SecurityCollection collection : collections) {
+ String[] patterns = collection.findPatterns();
+ String[] methods = collection.findMethods();
+ String[] omittedMethods = collection.findMethodOmissions();
+ // Simple case: no methods
+ if (methods.length == 0 && omittedMethods.length == 0) {
+ for (String pattern : patterns) {
+ coveredPatterns.add(pattern);
+ }
+ continue;
+ }
+
+ // Pre-calculate so we don't do this for every iteration of the
+ // following loop
+ List<String> omNew = null;
+ if (omittedMethods.length != 0) {
+ omNew = Arrays.asList(omittedMethods);
+ }
+
+ // Only need to process uncovered patterns
+ for (String pattern : patterns) {
+ if (!coveredPatterns.contains(pattern)) {
+ if (methods.length == 0) {
+ // Build the interset of omitted methods for this
+ // pattern
+ Set<String> om = urlOmittedMethodMap.get(pattern);
+ if (om == null) {
+ om = new HashSet<>();
+ urlOmittedMethodMap.put(pattern, om);
+ om.addAll(omNew);
+ } else {
+ om.retainAll(omNew);
+ }
+ } else {
+ // Build the union of methods for this pattern
+ Set<String> m = urlMethodMap.get(pattern);
+ if (m == null) {
+ m = new HashSet<>();
+ urlMethodMap.put(pattern, m);
+ }
+ for (String method : methods) {
+ m.add(method);
+ }
+ }
+ }
+ }
+ }
+ }
+
+ // Now check the potentially uncovered patterns
+ for (Map.Entry<String, Set<String>> entry : urlMethodMap.entrySet()) {
+ String pattern = entry.getKey();
+ if (coveredPatterns.contains(pattern)) {
+ // Fully covered. Ignore any partial coverage
+ urlOmittedMethodMap.remove(pattern);
+ continue;
+ }
+
+ Set<String> omittedMethods = urlOmittedMethodMap.remove(pattern);
+ Set<String> methods = entry.getValue();
+
+ if (omittedMethods == null) {
+ StringBuilder msg = new StringBuilder();
+ for (String method : methods) {
+ msg.append(method);
+ msg.append(' ');
+ }
+ if (denyUncoveredHttpMethods) {
+ CatalinaLogger.STARTUP_LOGGER.addingUncoveredMethodConstraint(pattern, msg.toString().trim());
+ SecurityCollection collection = new SecurityCollection();
+ for (String method : methods) {
+ collection.addMethodOmission(method);
+ }
+ collection.addPattern(pattern);
+ collection.setName("deny-uncovered-http-methods");
+ SecurityConstraint constraint = new SecurityConstraint();
+ constraint.setAuthConstraint(true);
+ constraint.addCollection(collection);
+ newConstraints.add(constraint);
+ } else {
+ CatalinaLogger.STARTUP_LOGGER.uncoveredMethodWarning(pattern, msg.toString().trim());
+ }
+ continue;
+ }
+
+ // As long as every omitted method as a corresponding method the
+ // pattern is fully covered.
+ omittedMethods.removeAll(methods);
+
+ if (omittedMethods.size() > 0) {
+ StringBuilder msg = new StringBuilder();
+ for (String method : omittedMethods) {
+ msg.append(method);
+ msg.append(' ');
+ }
+ if (denyUncoveredHttpMethods) {
+ CatalinaLogger.STARTUP_LOGGER.addingUncoveredOmittedMethodConstraint(pattern, msg.toString().trim());
+ SecurityCollection collection = new SecurityCollection();
+ for (String method : omittedMethods) {
+ collection.addMethod(method);
+ }
+ collection.addPattern(pattern);
+ collection.setName("deny-uncovered-http-methods");
+ SecurityConstraint constraint = new SecurityConstraint();
+ constraint.setAuthConstraint(true);
+ constraint.addCollection(collection);
+ newConstraints.add(constraint);
+ } else {
+ CatalinaLogger.STARTUP_LOGGER.uncoveredOmittedMethodWarning(pattern, msg.toString().trim());
+ }
+ }
+ }
+ for (Map.Entry<String, Set<String>> entry :
+ urlOmittedMethodMap.entrySet()) {
+ String pattern = entry.getKey();
+ if (coveredPatterns.contains(pattern)) {
+ // Fully covered. Ignore any partial coverage
+ continue;
+ }
+
+ Set<String> omittedMethods = entry.getValue();
+
+ if (omittedMethods.size() > 0) {
+ StringBuilder msg = new StringBuilder();
+ for (String method : omittedMethods) {
+ msg.append(method);
+ msg.append(' ');
+ }
+ if (denyUncoveredHttpMethods) {
+ CatalinaLogger.STARTUP_LOGGER.addingUncoveredOmittedMethodConstraint(pattern, msg.toString().trim());
+ SecurityCollection collection = new SecurityCollection();
+ for (String method : omittedMethods) {
+ collection.addMethod(method);
+ }
+ collection.addPattern(pattern);
+ collection.setName("deny-uncovered-http-methods");
+ SecurityConstraint constraint = new SecurityConstraint();
+ constraint.setAuthConstraint(true);
+ constraint.addCollection(collection);
+ newConstraints.add(constraint);
+ } else {
+ CatalinaLogger.STARTUP_LOGGER.uncoveredOmittedMethodWarning(pattern, msg.toString().trim());
+ }
+ }
+ }
+
+ return newConstraints.toArray(
+ new SecurityConstraint[newConstraints.size()]);
+ }
+
}
Modified: branches/8.0.x/src/main/java/org/apache/catalina/startup/ContextConfig.java
===================================================================
--- branches/8.0.x/src/main/java/org/apache/catalina/startup/ContextConfig.java 2013-06-21 00:49:29 UTC (rev 2226)
+++ branches/8.0.x/src/main/java/org/apache/catalina/startup/ContextConfig.java 2013-07-04 09:55:49 UTC (rev 2227)
@@ -639,6 +639,13 @@
}
}
+ // Add constraints for uncovered methods, if needed
+ SecurityConstraint[] newConstraints =
+ SecurityConstraint.findUncoveredHttpMethods(context.findConstraints(),
+ context.getDenyUncoveredHttpMethods());
+ for (SecurityConstraint constraint : newConstraints) {
+ context.addConstraint(constraint);
+ }
}
Modified: branches/8.0.x/src/main/java/org/jboss/web/CatalinaLogger.java
===================================================================
--- branches/8.0.x/src/main/java/org/jboss/web/CatalinaLogger.java 2013-06-21 00:49:29 UTC (rev 2226)
+++ branches/8.0.x/src/main/java/org/jboss/web/CatalinaLogger.java 2013-07-04 09:55:49 UTC (rev 2227)
@@ -689,4 +689,20 @@
@Message(id = 1150, value = "X param in wrong format. Needs to be 'x-#(...)'")
void extendedAccessLogBadXParam();
+ @LogMessage(level = INFO)
+ @Message(id = 1151, value = "Adding security constraints with URL pattern [%s] to deny access with the uncovered HTTP methods that are not one of the following [%s]")
+ void addingUncoveredMethodConstraint(String urlPattern, String method);
+
+ @LogMessage(level = ERROR)
+ @Message(id = 1152, value = "For security constraints with URL pattern [%s] only the HTTP methods [%s] are covered. All other methods are uncovered.")
+ void uncoveredMethodWarning(String urlPattern, String method);
+
+ @LogMessage(level = INFO)
+ @Message(id = 1153, value = "Adding security constraints with URL pattern [%s] to deny access with the uncovered HTTP methods [%s]")
+ void addingUncoveredOmittedMethodConstraint(String urlPattern, String method);
+
+ @LogMessage(level = ERROR)
+ @Message(id = 1154, value = "For security constraints with URL pattern [%s] the HTTP methods [%s] are uncovered.")
+ void uncoveredOmittedMethodWarning(String urlPattern, String method);
+
}
More information about the jbossweb-commits
mailing list