Author: markt
Date: Tue Jun 18 15:24:38 2013
New Revision: 1494172
URL: http://svn.apache.org/r1494172
Log:
Servlet 3.1. Implement the special role "**" and extend the unit tests to cover
it.
Modified:
tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
tomcat/trunk/java/org/apache/catalina/deploy/SecurityConstraint.java
tomcat/trunk/java/org/apache/catalina/realm/RealmBase.java
tomcat/trunk/java/org/apache/catalina/startup/ContextConfig.java
tomcat/trunk/test/org/apache/catalina/connector/TesterResponse.java
tomcat/trunk/test/org/apache/catalina/realm/TestRealmBase.java
Modified:
tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java?rev=1494172&r1=1494171&r2=1494172&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
(original)
+++ tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
Tue Jun 18 15:24:38 2013
@@ -549,7 +549,8 @@ public abstract class AuthenticatorBase
if(!constraints[i].getAuthConstraint()) {
authRequired = false;
break;
- } else if(!constraints[i].getAllRoles()) {
+ } else if(!constraints[i].getAllRoles() &&
+ !constraints[i].getAuthenticatedUsers()) {
String [] roles = constraints[i].findAuthRoles();
if(roles == null || roles.length == 0) {
authRequired = false;
Modified: tomcat/trunk/java/org/apache/catalina/deploy/SecurityConstraint.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/deploy/SecurityConstraint.java?rev=1494172&r1=1494171&r2=1494172&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/deploy/SecurityConstraint.java
(original)
+++ tomcat/trunk/java/org/apache/catalina/deploy/SecurityConstraint.java Tue
Jun 18 15:24:38 2013
@@ -50,6 +50,9 @@ public class SecurityConstraint implemen
private static final long serialVersionUID = 1L;
+ public static String ROLE_ALL_ROLES = "*";
+ public static String ROLE_ALL_AUTHENTICATED_USERS = "**";
+
// ----------------------------------------------------------- Constructors
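Review bot: `ROLE_ALL_ROLES` and `ROLE_ALL_AUTHENTICATED_USERS` are declared `public static` without `final`, so any code loaded in the same JVM can reassign them and silently change which role names addAuthRole, removeAuthRole and ContextConfig treat as authorization wildcards. Since the whole "**" feature hangs on these two strings, they should be immutable constants: `public static final String ROLE_ALL_ROLES = "*";` and `public static final String ROLE_ALL_AUTHENTICATED_USERS = "**";`. A one-line Javadoc on each naming the Servlet 3.1 semantics ("any role" vs. "any authenticated user") would also save readers a trip to the spec.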
@@ -67,13 +70,21 @@ public class SecurityConstraint implemen
/**
- * Was the "all roles" wildcard included in the authorization constraints
- * for this security constraint?
+ * Was the "all roles" wildcard - {@link #ROLE_ALL_ROLES} - included in the
+ * authorization constraints for this security constraint?
*/
private boolean allRoles = false;
/**
+ * Was the "all authenticated users" wildcard -
+ * {@link #ROLE_ALL_AUTHENTICATED_USERS} - included in the authorization
+ * constraints for this security constraint?
+ */
+ private boolean authenticatedUsers = false;
+
+
+ /**
* Was an authorization constraint included in this security constraint?
* This is necessary to distinguish the case where an auth-constraint with
* no roles (signifying no direct access at all) was requested, versus
@@ -118,18 +129,27 @@ public class SecurityConstraint implemen
*/
public boolean getAllRoles() {
- return (this.allRoles);
+ return this.allRoles;
}
/**
+ * Was the "all authenticated users" wildcard included in this
+ * authentication constraint?
+ */
+ public boolean getAuthenticatedUsers() {
+ return this.authenticatedUsers;
+ }
+
+
+ /**
* Return the authorization constraint present flag for this security
* constraint.
*/
public boolean getAuthConstraint() {
- return (this.authConstraint);
+ return this.authConstraint;
}
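Review bot: The Javadoc for getAuthenticatedUsers() says "authentication constraint", while the field comment added earlier in this file and the neighbouring getAllRoles()/getAuthConstraint() docs consistently say "authorization constraint" — the wildcard lives in the auth-constraint element, so the latter is the accurate term. Suggested wording: `Was the "all authenticated users" wildcard - {@link #ROLE_ALL_AUTHENTICATED_USERS} - included in the authorization constraints for this security constraint?`, mirroring the getAllRoles() text.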
@@ -150,7 +170,7 @@ public class SecurityConstraint implemen
*/
public String getDisplayName() {
- return (this.displayName);
+ return this.displayName;
}
@@ -170,7 +190,7 @@ public class SecurityConstraint implemen
*/
public String getUserConstraint() {
- return (userConstraint);
+ return userConstraint;
}
@@ -188,6 +208,24 @@ public class SecurityConstraint implemen
}
+ /**
+ * Called in the unlikely event that an application defines a role named
+ * "**".
+ */
+ public void treatAllAuthenticatedUsersAsApplicationRole() {
+ if (authenticatedUsers) {
+ authenticatedUsers = false;
+
+ String results[] = new String[authRoles.length + 1];
+ for (int i = 0; i < authRoles.length; i++)
+ results[i] = authRoles[i];
+ results[authRoles.length] = ROLE_ALL_AUTHENTICATED_USERS;
+ authRoles = results;
+ authConstraint = true;
+ }
+ }
+
+
// --------------------------------------------------------- Public Methods
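Review bot: The hand-written copy loop in treatAllAuthenticatedUsersAsApplicationRole() duplicates the append code in addAuthRole() further down in this file; `String[] results = Arrays.copyOf(authRoles, authRoles.length + 1);` replaces the three lines of allocation and loop (this needs `java.util.Arrays` to be imported, which I cannot confirm from the hunk). The Javadoc also says when the method is called but not what it does; I would state the effect: that the "**" wildcard flag is cleared and "**" is appended to the explicit role list as an ordinary application role, so that afterwards getAuthenticatedUsers() returns false and the value appears in findAuthRoles(). It is worth noting in that comment that the method is idempotent because the flag is cleared on first use, which is what makes the repeated calls in TestRealmBase.doRoleTest harmless.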
@@ -202,18 +240,22 @@ public class SecurityConstraint implemen
if (authRole == null)
return;
- if ("*".equals(authRole)) {
+ if (ROLE_ALL_ROLES.equals(authRole)) {
allRoles = true;
return;
}
+ if (ROLE_ALL_AUTHENTICATED_USERS.equals(authRole)) {
+ authenticatedUsers = true;
+ return;
+ }
+
String results[] = new String[authRoles.length + 1];
for (int i = 0; i < authRoles.length; i++)
results[i] = authRoles[i];
results[authRoles.length] = authRole;
authRoles = results;
authConstraint = true;
-
}
@@ -341,11 +383,16 @@ public class SecurityConstraint implemen
if (authRole == null)
return;
- if ("*".equals(authRole)) {
+ if (ROLE_ALL_ROLES.equals(authRole)) {
allRoles = false;
return;
}
+ if (ROLE_ALL_AUTHENTICATED_USERS.equals(authRole)) {
+ authenticatedUsers = false;
+ return;
+ }
+
int n = -1;
for (int i = 0; i < authRoles.length; i++) {
if (authRoles[i].equals(authRole)) {
@@ -362,7 +409,6 @@ public class SecurityConstraint implemen
}
authRoles = results;
}
-
}
Modified: tomcat/trunk/java/org/apache/catalina/realm/RealmBase.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/realm/RealmBase.java?rev=1494172&r1=1494171&r2=1494172&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/realm/RealmBase.java (original)
+++ tomcat/trunk/java/org/apache/catalina/realm/RealmBase.java Tue Jun 18
15:24:38 2013
@@ -814,7 +814,13 @@ public abstract class RealmBase extends
if (log.isDebugEnabled())
log.debug(" Checking roles " + principal);
- if (roles.length == 0 && !constraint.getAllRoles()) {
+ if (constraint.getAuthenticatedUsers() && principal != null) {
+ if (log.isDebugEnabled()) {
+ log.debug("Passing all authenticated users");
+ }
+ status = true;
+ } else if (roles.length == 0 && !constraint.getAllRoles() &&
+ !constraint.getAuthenticatedUsers()) {
if(constraint.getAuthConstraint()) {
if( log.isDebugEnabled() )
log.debug("No roles");
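Review bot: When getAuthenticatedUsers() is true but principal is null, neither the new branch nor the amended else-if applies, so control falls through to the role-matching code below this hunk (the enclosing method continues outside it) and access is presumably denied there only because no explicit role matches; that reliance on the fall-through is not obvious and deserves a comment, e.g. `// "**": any authenticated caller is allowed; an unauthenticated caller (null principal) falls through to the role checks below, which must deny`. The branch also treats a non-null Principal as proof of authentication, which is correct only as long as callers never set a Principal before authentication succeeds — worth confirming against the authenticators, since a mistake there would grant every "**"-protected resource. Minor: the other debug messages in this block start with a leading space (`" Checking roles "`); `"Passing all authenticated users"` does not.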
Modified: tomcat/trunk/java/org/apache/catalina/startup/ContextConfig.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/startup/ContextConfig.java?rev=1494172&r1=1494171&r2=1494172&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/startup/ContextConfig.java (original)
+++ tomcat/trunk/java/org/apache/catalina/startup/ContextConfig.java Tue Jun 18
15:24:38 2013
@@ -1342,7 +1342,13 @@ public class ContextConfig implements Li
for (ContextResource resource : webxml.getResourceRefs().values()) {
context.getNamingResources().addResource(resource);
}
+ boolean allAuthenticatedUsersIsAppRole =
+ webxml.getSecurityRoles().contains(
+ SecurityConstraint.ROLE_ALL_AUTHENTICATED_USERS);
for (SecurityConstraint constraint : webxml.getSecurityConstraints()) {
+ if (allAuthenticatedUsersIsAppRole) {
+ constraint.treatAllAuthenticatedUsersAsApplicationRole();
+ }
context.addConstraint(constraint);
}
for (String role : webxml.getSecurityRoles()) {
Modified: tomcat/trunk/test/org/apache/catalina/connector/TesterResponse.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/catalina/connector/TesterResponse.java?rev=1494172&r1=1494171&r2=1494172&view=diff
==============================================================================
--- tomcat/trunk/test/org/apache/catalina/connector/TesterResponse.java
(original)
+++ tomcat/trunk/test/org/apache/catalina/connector/TesterResponse.java Tue Jun
18 15:24:38 2013
@@ -31,7 +31,10 @@ public class TesterResponse extends Resp
@Override
public void sendError(int status, String message) throws IOException {
+ // NO-OP by default.
+ /*
System.out.println("TesterResponse.sendError(" + status + ", \"" +
message + "\")");
+ */
}
}
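Review bot: Commenting out the println leaves dead code in sendError() that will drift from the live implementation; delete the block rather than fence it in `/* */`. If the diagnostic output is still useful when debugging a test, gate it behind a boolean field on TesterResponse that a test can switch on, so the behaviour is explicit instead of toggled by editing comments. The `// NO-OP by default.` line is then the only thing the body needs.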
Modified: tomcat/trunk/test/org/apache/catalina/realm/TestRealmBase.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/catalina/realm/TestRealmBase.java?rev=1494172&r1=1494171&r2=1494172&view=diff
==============================================================================
--- tomcat/trunk/test/org/apache/catalina/realm/TestRealmBase.java (original)
+++ tomcat/trunk/test/org/apache/catalina/realm/TestRealmBase.java Tue Jun 18
15:24:38 2013
@@ -110,6 +110,50 @@ public class TestRealmBase {
}
+ @Test
+ public void testAllAuthenticatedUsers() throws IOException {
+ List<String> userRoles = new ArrayList<>();
+ List<String> constraintRoles = new ArrayList<>();
+ List<String> applicationRoles = new ArrayList<>();
+
+ // Configure this test
+ constraintRoles.add(SecurityConstraint.ROLE_ALL_AUTHENTICATED_USERS);
+
+ doRoleTest(userRoles, constraintRoles, applicationRoles, true);
+ }
+
+
+ @Test
+ public void testAllAuthenticatedUsersAsAppRoleNoUser() throws IOException {
+ List<String> userRoles = new ArrayList<>();
+ List<String> constraintRoles = new ArrayList<>();
+ List<String> applicationRoles = new ArrayList<>();
+
+ // Configure this test
+ userRoles.add(ROLE1);
+ constraintRoles.add(SecurityConstraint.ROLE_ALL_AUTHENTICATED_USERS);
+ applicationRoles.add(SecurityConstraint.ROLE_ALL_AUTHENTICATED_USERS);
+
+ doRoleTest(userRoles, constraintRoles, applicationRoles, false);
+ }
+
+
+ @Test
+ public void testAllAuthenticatedUsersAsAppRoleWithUser()
+ throws IOException {
+ List<String> userRoles = new ArrayList<>();
+ List<String> constraintRoles = new ArrayList<>();
+ List<String> applicationRoles = new ArrayList<>();
+
+ // Configure this test
+ userRoles.add(SecurityConstraint.ROLE_ALL_AUTHENTICATED_USERS);
+ constraintRoles.add(SecurityConstraint.ROLE_ALL_AUTHENTICATED_USERS);
+ applicationRoles.add(SecurityConstraint.ROLE_ALL_AUTHENTICATED_USERS);
+
+ doRoleTest(userRoles, constraintRoles, applicationRoles, true);
+ }
+
+
private void doRoleTest(List<String> userRoles,
List<String> constraintRoles, List<String> applicationRoles,
boolean expected) throws IOException {
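Review bot: None of the three new tests exercises the unauthenticated path that RealmBase now handles with `principal != null`, because doRoleTest (whose body continues below this hunk) always installs a GenericPrincipal before calling hasResourcePermission. A "**" constraint with no authenticated user is the case that must be denied, so a fourth test — or a `boolean authenticated` parameter on doRoleTest that skips `request.setUserPrincipal(gp)` — with `expected == false` would close that gap. testAllAuthenticatedUsers also deserves a one-line comment stating that the empty userRoles list is deliberate: it checks that "**" requires only authentication, not any particular role.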
@@ -122,8 +166,13 @@ public class TestRealmBase {
// Configure the security constraints for the resource
SecurityConstraint constraint = new SecurityConstraint();
+ constraint.setAuthConstraint(true);
for (String constraintRole : constraintRoles) {
constraint.addAuthRole(constraintRole);
+ if (applicationRoles.contains(
+ SecurityConstraint.ROLE_ALL_AUTHENTICATED_USERS)) {
+ constraint.treatAllAuthenticatedUsersAsApplicationRole();
+ }
}
SecurityCollection collection = new SecurityCollection();
collection.addPattern("/*");
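Review bot: The `applicationRoles.contains(...)` test and the call to treatAllAuthenticatedUsersAsApplicationRole() do not depend on `constraintRole`, yet they sit inside the per-role loop and run once per role; move them after the loop so the conversion happens once, on a fully built constraint, which is also the order ContextConfig uses in production. Separately, the new `constraint.setAuthConstraint(true);` applies to every caller of doRoleTest, including the pre-existing tests above this hunk; addAuthRole sets the same flag, so this is presumably only relevant when constraintRoles is empty — please confirm that the expected values of those existing tests still hold under the "auth-constraint with no roles" semantics.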
@@ -143,7 +192,7 @@ public class TestRealmBase {
GenericPrincipal gp = new GenericPrincipal(USER1, PWD1, userRoles);
request.setUserPrincipal(gp);
- // Check if user meets constaints
+ // Check if user meets constraints
boolean result = mapRealm.hasResourcePermission(
request, response, constraints, null);