From xuhaih...@apache.org
Subject svn commit: r935935 - in /geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src: main/java/org/apache/geronimo/web25/deployment/merge/annotation/ main/java/org/apache/geronimo/web25/deployment/merge/webfragment/ main/java/org/apache/geronimo/...
Date Tue, 20 Apr 2010 14:20:56 GMT
Author: xuhaihong
Date: Tue Apr 20 14:20:56 2010
New Revision: 935935

URL: http://svn.apache.org/viewvc?rev=935935&view=rev
Log:
1. Support http-omission-method configuration in web deployment xml file
2. Move out the http method checking logic, so we could throw Exception as early as possible

Added:
    geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/test/resources/security/web6.xml
  (with props)
Modified:
    geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/merge/annotation/ServletSecurityAnnotationMergeHandler.java
    geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/merge/webfragment/FilterMappingUrlPatternMergeHandler.java
    geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/merge/webfragment/SecurityConstraintMergeHandler.java
    geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/merge/webfragment/ServletMappingUrlPatternMergeHandler.java
    geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/security/HTTPMethods.java
    geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/security/SpecSecurityBuilder.java
    geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/security/URLPattern.java
    geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/utils/WebDeploymentValidationUtils.java
    geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/test/java/org/apache/geronimo/web25/deployment/security/SpecSecurityParsingTest.java

Modified: geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/merge/annotation/ServletSecurityAnnotationMergeHandler.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/merge/annotation/ServletSecurityAnnotationMergeHandler.java?rev=935935&r1=935934&r2=935935&view=diff
==============================================================================
--- geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/merge/annotation/ServletSecurityAnnotationMergeHandler.java
(original)
+++ geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/merge/annotation/ServletSecurityAnnotationMergeHandler.java
Tue Apr 20 14:20:56 2010
@@ -31,6 +31,7 @@ import javax.servlet.annotation.ServletS
 import org.apache.geronimo.common.DeploymentException;
 import org.apache.geronimo.web25.deployment.merge.MergeContext;
 import org.apache.geronimo.web25.deployment.merge.webfragment.ServletMappingMergeHandler;
+import org.apache.geronimo.web25.deployment.utils.WebDeploymentValidationUtils;
 import org.apache.geronimo.xbeans.javaee6.AuthConstraintType;
 import org.apache.geronimo.xbeans.javaee6.SecurityConstraintType;
 import org.apache.geronimo.xbeans.javaee6.ServletMappingType;
@@ -166,8 +167,12 @@ public class ServletSecurityAnnotationMe
     }
 
     private String normalizeHTTPMethod(String servletClassName, String httpMethod) throws
DeploymentException {
-        if (httpMethod == null || httpMethod.isEmpty()) {
-            throw new DeploymentException("HTTP protocol method could not be null or empty
string in the ServletSecurity anntation of the class " + servletClassName);
+        if (httpMethod == null || httpMethod.trim().isEmpty()) {
+            throw new DeploymentException("HTTP protocol method could not be null or empty
string in the ServletSecurity annotation of the class " + servletClassName);
+        }
+        httpMethod = httpMethod.trim();
+        if (!WebDeploymentValidationUtils.isValidHTTPMethod(httpMethod)) {
+            throw new DeploymentException("Invalid HTTP method value is found in the ServletSecurity
annotation of the class " + servletClassName);
         }
         return httpMethod;
     }
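Review bot: The new "Invalid HTTP method value" message in `normalizeHTTPMethod` names the servlet class but not the rejected value, so an annotation that lists several methods gives the deployer no way to tell which entry failed. Appending the value would fix that: `"Invalid HTTP method value '" + httpMethod + "' is found in the ServletSecurity annotation of the class " + servletClassName`. The first message still says "null or empty string" although whitespace-only input now reaches it as well. The same omission applies to the message built by `validateHTTPMethods` in SecurityConstraintMergeHandler.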

Modified: geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/merge/webfragment/FilterMappingUrlPatternMergeHandler.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/merge/webfragment/FilterMappingUrlPatternMergeHandler.java?rev=935935&r1=935934&r2=935935&view=diff
==============================================================================
--- geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/merge/webfragment/FilterMappingUrlPatternMergeHandler.java
(original)
+++ geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/merge/webfragment/FilterMappingUrlPatternMergeHandler.java
Tue Apr 20 14:20:56 2010
@@ -35,7 +35,7 @@ public class FilterMappingUrlPatternMerg
         String filterName = filterMapping.getFilterName().getStringValue();
         for (UrlPatternType urlPattern : filterMapping.getUrlPatternArray()) {
             String urlPatternStr = urlPattern.getStringValue();
-            if (!WebDeploymentValidationUtils.isUrlPatternValid(urlPatternStr)) {
+            if (!WebDeploymentValidationUtils.isValidUrlPattern(urlPatternStr)) {
                 throw new DeploymentException(WebDeploymentMessageUtils.createInvalidUrlPatternErrorMessage("filter-mapping",
filterName, urlPatternStr, "web-fragment.xml located in "
                         + mergeContext.getCurrentJarUrl()));
             }
@@ -51,7 +51,7 @@ public class FilterMappingUrlPatternMerg
             String filterMappingUrlPatternKey = createFilterMappingUrlPatternKey(filterName,
urlPatternStr);
             if (!mergeContext.containsAttribute(filterMappingUrlPatternKey)) {
                 UrlPatternType newUrlPattern = (UrlPatternType) targetFilterMapping.addNewUrlPattern().set(urlPattern);
-                if (!WebDeploymentValidationUtils.isUrlPatternValid(urlPatternStr)) {
+                if (!WebDeploymentValidationUtils.isValidUrlPattern(urlPatternStr)) {
                     throw new DeploymentException(WebDeploymentMessageUtils.createInvalidUrlPatternErrorMessage("filter-mapping",
filterName, urlPatternStr, "web-fragment.xml located in "
                             + mergeContext.getCurrentJarUrl()));
                 }
@@ -70,7 +70,7 @@ public class FilterMappingUrlPatternMerg
             String filterName = filterMapping.getFilterName().getStringValue();
             for (UrlPatternType urlPattern : filterMapping.getUrlPatternArray()) {
                 String urlPatternStr = urlPattern.getStringValue();
-                if (!WebDeploymentValidationUtils.isUrlPatternValid(urlPatternStr)) {
+                if (!WebDeploymentValidationUtils.isValidUrlPattern(urlPatternStr)) {
                     throw new DeploymentException(WebDeploymentMessageUtils.createInvalidUrlPatternErrorMessage("filter-mapping",
filterName, urlPatternStr, "web.xml"));
                 }
                 context.setAttribute(createFilterMappingUrlPatternKey(filterName, urlPatternStr),
urlPattern);

Modified: geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/merge/webfragment/SecurityConstraintMergeHandler.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/merge/webfragment/SecurityConstraintMergeHandler.java?rev=935935&r1=935934&r2=935935&view=diff
==============================================================================
--- geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/merge/webfragment/SecurityConstraintMergeHandler.java
(original)
+++ geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/merge/webfragment/SecurityConstraintMergeHandler.java
Tue Apr 20 14:20:56 2010
@@ -39,11 +39,13 @@ public class SecurityConstraintMergeHand
             for (WebResourceCollectionType webResourceCollection : securityConstraint.getWebResourceCollectionArray())
{
                 for (UrlPatternType pattern : webResourceCollection.getUrlPatternArray())
{
                     String urlPattern = pattern.getStringValue();
-                    if (!WebDeploymentValidationUtils.isUrlPatternValid(urlPattern)) {
+                    if (!WebDeploymentValidationUtils.isValidUrlPattern(urlPattern)) {
                         throw new DeploymentException(WebDeploymentMessageUtils.createInvalidUrlPatternErrorMessage("security-constraint",
webResourceCollection.getWebResourceName().getStringValue(),
                                 urlPattern, "web-fragment.xml located in " + mergeContext.getCurrentJarUrl()));
                     }
                 }
+                validateHTTPMethods(webResourceCollection.getHttpMethodArray(), mergeContext.getCurrentJarUrl());
+                validateHTTPMethods(webResourceCollection.getHttpMethodOmissionArray(), mergeContext.getCurrentJarUrl());
             }
             webApp.addNewSecurityConstraint().set(securityConstraint);
         }
@@ -59,11 +61,21 @@ public class SecurityConstraintMergeHand
             for (WebResourceCollectionType webResourceCollection : securityConstraint.getWebResourceCollectionArray())
{
                 for (UrlPatternType pattern : webResourceCollection.getUrlPatternArray())
{
                     String urlPattern = pattern.getStringValue();
-                    if (!WebDeploymentValidationUtils.isUrlPatternValid(urlPattern)) {
+                    if (!WebDeploymentValidationUtils.isValidUrlPattern(urlPattern)) {
                         throw new DeploymentException(WebDeploymentMessageUtils.createInvalidUrlPatternErrorMessage("security-constraint",
webResourceCollection.getWebResourceName().getStringValue(),
                                 urlPattern, "web.xml "));
                     }
                 }
+                validateHTTPMethods(webResourceCollection.getHttpMethodArray(), "web.xml");
+                validateHTTPMethods(webResourceCollection.getHttpMethodOmissionArray(), "web.xml");
+            }
+        }
+    }
+
+    private void validateHTTPMethods(String[] httpMethods, String source) throws DeploymentException
{
+        for (String httpMethod : httpMethods) {
+            if (!WebDeploymentValidationUtils.isValidHTTPMethod(httpMethod)) {
+                throw new DeploymentException("Invalid HTTP method value is found in " +
source);
             }
         }
     }
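Review bot: `validateHTTPMethods` hands each descriptor value to `isValidHTTPMethod` untrimmed, while `normalizeHTTPMethod` in ServletSecurityAnnotationMergeHandler trims before validating and SpecSecurityBuilder stores `httpMethod.trim()`. Unless the XMLBeans getter already collapses whitespace, a value with surrounding spaces or a line break is rejected here (space lies outside the pattern's `!-~` range) even though the builder would accept it once trimmed. Validating `httpMethod.trim()` keeps the descriptor and annotation paths consistent. This also covers the two calls added to the web-fragment loop in the previous hunk, where `source` is only the jar URL, without the "web-fragment.xml located in" prefix that the URL-pattern message uses.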

Modified: geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/merge/webfragment/ServletMappingUrlPatternMergeHandler.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/merge/webfragment/ServletMappingUrlPatternMergeHandler.java?rev=935935&r1=935934&r2=935935&view=diff
==============================================================================
--- geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/merge/webfragment/ServletMappingUrlPatternMergeHandler.java
(original)
+++ geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/merge/webfragment/ServletMappingUrlPatternMergeHandler.java
Tue Apr 20 14:20:56 2010
@@ -35,7 +35,7 @@ public class ServletMappingUrlPatternMer
         String servletName = servletMapping.getServletName().getStringValue();
         for (UrlPatternType urlPattern : servletMapping.getUrlPatternArray()) {
             String urlPatternStr = urlPattern.getStringValue();
-            if (!WebDeploymentValidationUtils.isUrlPatternValid(urlPatternStr)) {
+            if (!WebDeploymentValidationUtils.isValidUrlPattern(urlPatternStr)) {
                 throw new DeploymentException(WebDeploymentMessageUtils.createInvalidUrlPatternErrorMessage("servlet-mapping",
servletName, urlPatternStr, "web-fragment.xml located in "
                         + mergeContext.getCurrentJarUrl()));
             }
@@ -51,7 +51,7 @@ public class ServletMappingUrlPatternMer
             String servletMappingUrlPatternKey = createServletMappingUrlPatternKey(servletName,
urlPatternStr);
             if (!mergeContext.containsAttribute(servletMappingUrlPatternKey)) {
                 UrlPatternType newUrlPattern = (UrlPatternType) targetServletMapping.addNewUrlPattern().set(urlPattern);
-                if (!WebDeploymentValidationUtils.isUrlPatternValid(urlPatternStr)) {
+                if (!WebDeploymentValidationUtils.isValidUrlPattern(urlPatternStr)) {
                     throw new DeploymentException(WebDeploymentMessageUtils.createInvalidUrlPatternErrorMessage("servlet-mapping",
servletName, urlPatternStr, "web-fragment.xml located in "
                             + mergeContext.getCurrentJarUrl()));
                 }
@@ -70,7 +70,7 @@ public class ServletMappingUrlPatternMer
             String servletName = servletMapping.getServletName().getStringValue();
             for (UrlPatternType urlPattern : servletMapping.getUrlPatternArray()) {
                 String urlPatternStr = urlPattern.getStringValue();
-                if (!WebDeploymentValidationUtils.isUrlPatternValid(urlPatternStr)) {
+                if (!WebDeploymentValidationUtils.isValidUrlPattern(urlPatternStr)) {
                     throw new DeploymentException(WebDeploymentMessageUtils.createInvalidUrlPatternErrorMessage("servlet-mapping",
servletName, urlPatternStr, "web.xml"));
                 }
                 context.setAttribute(createServletMappingUrlPatternKey(servletName, urlPatternStr),
urlPattern);

Modified: geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/security/HTTPMethods.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/security/HTTPMethods.java?rev=935935&r1=935934&r2=935935&view=diff
==============================================================================
--- geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/security/HTTPMethods.java
(original)
+++ geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/security/HTTPMethods.java
Tue Apr 20 14:20:56 2010
@@ -17,12 +17,10 @@
  * under the License.
  */
 
-
 package org.apache.geronimo.web25.deployment.security;
 
-import java.util.Set;
 import java.util.HashSet;
-import java.util.regex.Pattern;
+import java.util.Set;
 
 /**
  * Tracks sets of HTTP actions for use while computing permissions during web deployment.
@@ -31,13 +29,13 @@ import java.util.regex.Pattern;
  */
 public class HTTPMethods {
 
-    private static final Pattern TOKEN_PATTERN = Pattern.compile("[!-~&&[^\\(\\)\\<\\>@,;:\\\\\"/\\[\\]\\?=\\{\\}]]*");
-
     private final Set<String> methods = new HashSet<String>();
-    private boolean isExcluded = false;
 
+    private boolean isExcluded = false;
 
-    public HTTPMethods() {
+    public HTTPMethods(Set<String> httpMethods, boolean isExcluded) {
+        this.isExcluded = isExcluded;
+        methods.addAll(httpMethods);
     }
 
     public HTTPMethods(HTTPMethods httpMethods, boolean complemented) {
@@ -45,40 +43,59 @@ public class HTTPMethods {
         methods.addAll(httpMethods.methods);
     }
 
-    public void add(String httpMethod) {
-        if (isExcluded) {
-            checkToken(httpMethod);
-            methods.remove(httpMethod);
-        } else if (httpMethod == null || httpMethod.length() == 0) {
-            isExcluded = true;
+    /**
+     * Generally speaking, add method is to perform a union action between the caller and
the parameters
+     * @param httpMethods
+     * @param addedMethodsExcluded
+     */
+    public void add(Set<String> httpMethods, boolean addedMethodsExcluded) {
+        //JACC 3.1.3.2 Combining HTTP Methods
+        //An empty list combines with any other list to yield the empty list.
+        if (isExcluded && httpMethods.isEmpty()) {
+            return;
+        }
+        if (httpMethods.size() == 0) {
+            isExcluded = addedMethodsExcluded;
             methods.clear();
-        } else {
-            checkToken(httpMethod);
-            methods.add(httpMethod);
+            return;
         }
-    }
-
-    public HTTPMethods add(HTTPMethods httpMethods) {
+        //JACC 3.1.3.2 Combing HTTP Methods
+        //Lists of http-method elements combine to yield a list of http-method elements containing
the union (without duplicates) of the http-method elements that occur in the individual lists.
+        //Lists of http-method-omission elements combine to yield a list containing only
the http-method-omission elements that occur in all of the individual lists (i.e., the intersection).
+        //A list of http-method-omission elements combines with a list of http-method elements
to yield the list of http-method-omission elements minus any elements whose method name occurs
in the http-method list
         if (isExcluded) {
-            if (httpMethods.isExcluded) {
-                methods.retainAll(httpMethods.methods);
+            if (addedMethodsExcluded) {
+                //ExceptionList + ExceptionList
+                methods.retainAll(httpMethods);
             } else {
-                methods.removeAll(httpMethods.methods);
+                //ExceptionList + List
+                methods.removeAll(httpMethods);
             }
         } else {
-            if (httpMethods.isExcluded) {
-                isExcluded = true;
-                Set<String> toRemove = new HashSet<String>(methods);
+            if (addedMethodsExcluded) {
+                //List + ExceptionList
+                Set<String> tempHttpMethods = new HashSet<String>(httpMethods);
+                tempHttpMethods.removeAll(methods);
                 methods.clear();
-                methods.addAll(httpMethods.methods);
-                methods.removeAll(toRemove);
+                methods.addAll(tempHttpMethods);
+                isExcluded = true;
             } else {
-                methods.addAll(httpMethods.methods);
+                //List + List
+                methods.addAll(httpMethods);
             }
         }
+    }
+
+    public HTTPMethods add(HTTPMethods httpMethods) {
+        add(httpMethods.methods, httpMethods.isExcluded);
         return this;
     }
 
+    /**
+     * Remove methods is only used while we wish to remove those configurations in role/unchecked
constraints, which are also configured in excluded constraints
+     * @param httpMethods
+     * @return
+     */
     public HTTPMethods remove(HTTPMethods httpMethods) {
         if (isExcluded) {
             if (httpMethods.isExcluded) {
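Review bot: The two empty-set guards at the top of `add(Set<String>, boolean)` do not separate "all methods" from "no methods". `if (isExcluded && httpMethods.isEmpty()) return;` tests the argument rather than the receiver's `methods`, so adding an empty omission list (all methods) to a non-empty omission list leaves it unchanged, where the removed `retainAll` branch would have emptied it; a method omitted by the first constraint then stays outside the combined set. The following `httpMethods.size() == 0` branch clears `methods` even when `addedMethodsExcluded` is false, so an empty plain list (the state `isNone()` reports) arriving through `add(HTTPMethods)` erases an existing list instead of leaving it alone. The fence below decides the empty case by the flag; the Javadoc's blank `@param` tags should also state that an empty set with the flag set means all methods. The body of `remove` continues outside the hunk.

```java
    public void add(Set<String> httpMethods, boolean addedMethodsExcluded) {
        if (httpMethods.isEmpty()) {
            if (addedMethodsExcluded) {
                // Empty omission list = all methods: it absorbs whatever this instance held.
                isExcluded = true;
                methods.clear();
            }
            // Empty http-method list = no methods: the union leaves this instance unchanged.
            return;
        }
        // … unchanged: the four non-empty list / omission-list combinations …
```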
@@ -116,7 +133,7 @@ public class HTTPMethods {
         return getHttpMethodsBuffer(!isExcluded).toString();
     }
 
-    private StringBuilder getHttpMethodsBuffer( boolean excluded) {
+    private StringBuilder getHttpMethodsBuffer(boolean excluded) {
         StringBuilder buffer = new StringBuilder();
         if (excluded) {
             buffer.append("!");
@@ -133,13 +150,6 @@ public class HTTPMethods {
         return buffer;
     }
 
-    private void checkToken(String method) {
-        if (!TOKEN_PATTERN.matcher(method).matches()) {
-            throw new IllegalArgumentException("Invalid HTTPMethodSpec");
-        }
-    }
-
-
     public boolean isNone() {
         return !isExcluded && methods.isEmpty();
     }

Modified: geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/security/SpecSecurityBuilder.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/security/SpecSecurityBuilder.java?rev=935935&r1=935934&r2=935935&view=diff
==============================================================================
--- geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/security/SpecSecurityBuilder.java
(original)
+++ geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/security/SpecSecurityBuilder.java
Tue Apr 20 14:20:56 2010
@@ -22,10 +22,9 @@ package org.apache.geronimo.web25.deploy
 import java.security.Permission;
 import java.security.PermissionCollection;
 import java.security.Permissions;
-import java.util.ArrayList;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.HashSet;
-import java.util.List;
 import java.util.Map;
 import java.util.Set;
 
@@ -66,8 +65,6 @@ public class SpecSecurityBuilder {
 
     private final Map<String, URLPattern> allMap = new HashMap<String, URLPattern>();
//uncheckedPatterns union excludedPatterns union rolesPatterns.
 
-    //Currently, we always enable the useExcluded feature
-    //private boolean useExcluded = true;
     private final RecordingPolicyConfiguration policyConfiguration = new RecordingPolicyConfiguration(true);
 
     public ComponentPermissions buildSpecSecurityConfig(WebAppType webApp) {
@@ -79,7 +76,6 @@ public class SpecSecurityBuilder {
             //add the role-ref permissions for unmapped jsps
             addUnmappedJSPPermissions();
             analyzeSecurityConstraints(webApp.getSecurityConstraintArray());
-            //Currently, we always enable the useExcluded feature
             removeExcludedDups();
             return buildComponentPermissions();
         } catch (PolicyContextException e) {
@@ -106,33 +102,40 @@ public class SpecSecurityBuilder {
             WebResourceCollectionType[] webResourceCollectionTypeArray = securityConstraintType.getWebResourceCollectionArray();
             for (WebResourceCollectionType webResourceCollectionType : webResourceCollectionTypeArray)
{
                 //Calculate HTTP methods list
-                List<String> httpMethods = new ArrayList<String>();
+                Set<String> httpMethods = new HashSet<String>();
+                //While using HTTP omission methods and empty methods (which means all methods)
as the configurations, isExcluded value is true
+                //While using HTTP methods as the configurations, isExcluded value is false
+                boolean isExcludedList = true;
                 if (webResourceCollectionType.getHttpMethodArray().length > 0) {
+                    isExcludedList = false;
                     for (String httpMethod : webResourceCollectionType.getHttpMethodArray())
{
                         if (httpMethod != null) {
                             httpMethods.add(httpMethod.trim());
                         }
                     }
-                } else {
-                    httpMethods.add("");
+                } else if (webResourceCollectionType.getHttpMethodOmissionArray().length
> 0) {
+                    for (String httpMethodOmission : webResourceCollectionType.getHttpMethodOmissionArray())
{
+                        if (httpMethodOmission != null) {
+                            httpMethods.add(httpMethodOmission.trim());
+                        }
+                    }
                 }
                 for (UrlPatternType urlPatternType : webResourceCollectionType.getUrlPatternArray())
{
                     String url = urlPatternType.getStringValue().trim();
                     URLPattern pattern = currentPatterns.get(url);
                     if (pattern == null) {
-                        pattern = new URLPattern(url);
+                        pattern = new URLPattern(url, httpMethods, isExcludedList);
                         currentPatterns.put(url, pattern);
+                    } else {
+                        pattern.addMethods(httpMethods, isExcludedList);
                     }
                     URLPattern allPattern = allMap.get(url);
                     if (allPattern == null) {
-                        allPattern = new URLPattern(url);
+                        allPattern = new URLPattern(url, httpMethods, isExcludedList);
                         allSet.add(allPattern);
                         allMap.put(url, allPattern);
-                    }
-                    //Add HTTP methods to those url patterns
-                    for (String httpMethod : httpMethods) {
-                        pattern.addMethod(httpMethod);
-                        allPattern.addMethod(httpMethod);
+                    } else {
+                        allPattern.addMethods(httpMethods, isExcludedList);
                     }
                     if (currentPatterns == rolesPatterns) {
                         RoleNameType[] roleNameTypeArray = securityConstraintType.getAuthConstraint().getRoleNameArray();
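Review bot: The `else if` in the method-collection block silently drops every `http-method-omission` entry when the same web-resource-collection also carries `http-method` entries, and null elements are skipped without a trace. Unless schema validation has already rejected that combination (not visible here), the resulting permissions cover a different method set than the descriptor states. Since the commit's aim is to fail as early as possible, the merge handlers that now call `validateHTTPMethods` could also reject a collection where both arrays are non-empty. At minimum the branch deserves a comment such as `// http-method and http-method-omission are mutually exclusive; omissions are ignored when both are present`. The enclosing loop continues outside the hunk.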
@@ -170,7 +173,6 @@ public class SpecSecurityBuilder {
     }
 
     public ComponentPermissions buildComponentPermissions() throws PolicyContextException
{
-        //Currently, we always enable excluded configuration
         for (URLPattern pattern : excludedPatterns.values()) {
             String name = pattern.getQualifiedPattern(allSet);
             String actions = pattern.getMethods();
@@ -213,8 +215,9 @@ public class SpecSecurityBuilder {
             addOrUpdatePattern(uncheckedResourcePatterns, name, methods, URLPattern.NA);
             addOrUpdatePattern(uncheckedUserPatterns, name, methods, URLPattern.NA);
         }
-        URLPattern pattern = new URLPattern("/");
-        if (!allSet.contains(pattern)) {
+
+        if (!allMap.containsKey("/")) {
+            URLPattern pattern = new URLPattern("/", Collections.EMPTY_SET, false);
             String name = pattern.getQualifiedPattern(allSet);
             HTTPMethods methods = pattern.getComplementedHTTPMethods();
             addOrUpdatePattern(uncheckedResourcePatterns, name, methods, URLPattern.NA);
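Review bot: `allMap.containsKey("/")` is not equivalent to the `allSet.contains(pattern)` it replaces when a constraint is declared on `/*`. `allMap` is keyed by the trimmed descriptor string (`allMap.put(url, allPattern)` in the constraint loop), whereas the `URLPattern` constructor rewrites `/*` to `/`. If `URLPattern.equals` compares that normalized pattern (not visible here), the old check recognized a `/*` constraint and the new one does not, so this block would add unchecked permissions for the default pattern alongside it. `if (!allMap.containsKey("/") && !allMap.containsKey("/*")) {` keeps the earlier behaviour, and `Collections.<String>emptySet()` avoids the unchecked warning from the raw `EMPTY_SET`. The enclosing method starts and ends outside the hunk.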
@@ -240,9 +243,9 @@ public class SpecSecurityBuilder {
         HTTPMethods existingActions = patternMap.get(item);
         if (existingActions != null) {
             patternMap.put(item, existingActions.add(actions));
-            return;
+        } else {
+            patternMap.put(item, new HTTPMethods(actions, false));
         }
-        patternMap.put(item, new HTTPMethods(actions, false));
     }
 
     protected void processRoleRefPermissions(ServletType servletType) throws PolicyContextException
{

Modified: geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/security/URLPattern.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/security/URLPattern.java?rev=935935&r1=935934&r2=935935&view=diff
==============================================================================
--- geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/security/URLPattern.java
(original)
+++ geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/security/URLPattern.java
Tue Apr 20 14:20:56 2010
@@ -36,7 +36,7 @@ public class URLPattern {
 
     private final URLPatternCheck type;
     private final String pattern;
-    private final HTTPMethods httpMethods = new HTTPMethods();
+    private final HTTPMethods httpMethods;
     private int transport;
     private final HashSet<String> roles = new HashSet<String>();
 
@@ -46,10 +46,11 @@ public class URLPattern {
      * @param pat the URL pattern that this instance is to collect information on
      * @see "JSR 115, section 3.1.3" Translating Servlet Deployment Descriptors
      */
-    public URLPattern(String pat) {
-        if (pat == null) throw new java.lang.IllegalArgumentException("URL pattern cannot
be null");
-        if (pat.length() == 0) throw new java.lang.IllegalArgumentException("URL pattern
cannot be empty");
-
+    public URLPattern(String pat, Set<String> methods, boolean isHttpMethodExcluded)
{
+        if (pat == null)
+            throw new java.lang.IllegalArgumentException("URL pattern cannot be null");
+        if (pat.length() == 0)
+            throw new java.lang.IllegalArgumentException("URL pattern cannot be empty");
         if (pat.equals("/") || pat.equals("/*")) {
             type = DEFAULT;
             pat = "/";
@@ -61,6 +62,7 @@ public class URLPattern {
             type = EXACT;
         }
         pattern = pat;
+        httpMethods = new HTTPMethods(methods, isHttpMethodExcluded);
     }
 
     /**
@@ -74,33 +76,33 @@ public class URLPattern {
         if (type == EXACT) {
             return pattern;
         } else {
-            HashSet<String> bucket = new HashSet<String>();
+            //HashSet<String> bucket = new HashSet<String>();
             StringBuilder result = new StringBuilder(pattern);
-
             // Collect a set of qualifying patterns, depending on the type of this pattern.
             for (URLPattern p : patterns) {
                 if (type.check(this, p)) {
-                    bucket.add(p.pattern);
+                    //bucket.add(p.pattern);
+                    result.append(':');
+                    result.append(p.pattern);
                 }
             }
-
             // append the set of qualifying patterns
-            for (String aBucket : bucket) {
+            /*for (String aBucket : bucket) {
                 result.append(':');
                 result.append(aBucket);
-            }
+            }*/
             return result.toString();
         }
     }
 
     /**
-     * Add a method to the union of HTTP methods associated with this URL pattern.  An empty
string is short hand for
+     * Add a method to the union of HTTP methods associated with this URL pattern.  An empty
Set  is short hand for
      * the set of all HTTP methods.
      *
-     * @param method the HTTP method to be added to the set.
+     * @param method the HTTP methods to be added to the set.
      */
-    public void addMethod(String method) {
-        httpMethods.add(method);
+    public void addMethods(Set<String> methods, boolean isExcluded) {
+        httpMethods.add(methods, isExcluded);
     }
 
     public boolean removeMethods(URLPattern other) {
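Review bot: Appending straight to `result` in `getQualifiedPattern` drops the de-duplication that the `bucket` set provided. If `patterns` can hold two entries with equal `pattern` strings (its type is declared outside the hunk), the qualified name now repeats that qualifier. The commented-out `bucket` lines should be deleted rather than left in the method. In the `addMethods` Javadoc, `@param method` no longer matches a parameter; it should read `@param methods` with an added `@param isExcluded true when methods is an http-method-omission list`, and the "empty Set is short hand for all HTTP methods" sentence holds only when that flag is true.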

Modified: geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/utils/WebDeploymentValidationUtils.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/utils/WebDeploymentValidationUtils.java?rev=935935&r1=935934&r2=935935&view=diff
==============================================================================
--- geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/utils/WebDeploymentValidationUtils.java
(original)
+++ geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/utils/WebDeploymentValidationUtils.java
Tue Apr 20 14:20:56 2010
@@ -17,6 +17,8 @@
 
 package org.apache.geronimo.web25.deployment.utils;
 
+import java.util.regex.Pattern;
+
 import org.apache.geronimo.common.DeploymentException;
 import org.apache.geronimo.xbeans.javaee6.FilterMappingType;
 import org.apache.geronimo.xbeans.javaee6.SecurityConstraintType;
@@ -30,11 +32,17 @@ import org.apache.geronimo.xbeans.javaee
  */
 public class WebDeploymentValidationUtils {
 
-    public static boolean isUrlPatternValid(String urlPattern) {
+    private static final Pattern HTTP_METHOD_PATTERN = Pattern.compile("[!-~&&[^\\(\\)\\<\\>@,;:\\\\\"/\\[\\]\\?=\\{\\}]]*");
+
+    public static boolean isValidUrlPattern(String urlPattern) {
         //j2ee_1_4.xsd explicitly requires preserving all whitespace. Do not trim.
         return urlPattern.indexOf(0x0D) < 0 && urlPattern.indexOf(0x0A) < 0;
     }
 
+    public static boolean isValidHTTPMethod(String httpMethod) {
+        return HTTP_METHOD_PATTERN.matcher(httpMethod).matches();
+    }
+
     public static void validateWebApp(WebAppType webApp) throws DeploymentException {
         checkURLPattern(webApp);
         checkMultiplicities(webApp);
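Review bot: `HTTP_METHOD_PATTERN` ends in the `*` quantifier, so `isValidHTTPMethod("")` returns true and an empty `<http-method>` or `<http-method-omission>` value passes the check this commit adds in order to fail early. An HTTP method is a token of at least one character, so the final `*` of the pattern should be `+`. A null argument currently throws NullPointerException from `matcher(...)`; either document the non-null precondition or guard with `httpMethod != null && HTTP_METHOD_PATTERN.matcher(httpMethod).matches()`. How an empty name is handled downstream is not visible here, but the URLPattern Javadoc changed in this commit calls an empty set shorthand for all HTTP methods, so the empty case is worth rejecting explicitly. The class body continues outside the hunk.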
@@ -44,7 +52,7 @@ public class WebDeploymentValidationUtil
         FilterMappingType[] filterMappings = webApp.getFilterMappingArray();
         for (FilterMappingType filterMapping : filterMappings) {
             for (UrlPatternType urlPattern : filterMapping.getUrlPatternArray()) {
-                if (!isUrlPatternValid(urlPattern.getStringValue().trim())) {
+                if (!isValidUrlPattern(urlPattern.getStringValue().trim())) {
                     throw new DeploymentException(WebDeploymentMessageUtils.createInvalidUrlPatternErrorMessage("filter-mapping",
filterMapping.getFilterName().getStringValue(), urlPattern
                             .getStringValue(), "web.xml"));
                 }
@@ -53,7 +61,7 @@ public class WebDeploymentValidationUtil
         ServletMappingType[] servletMappings = webApp.getServletMappingArray();
         for (ServletMappingType servletMapping : servletMappings) {
             for (UrlPatternType urlPattern : servletMapping.getUrlPatternArray()) {
-                if (!isUrlPatternValid(urlPattern.getStringValue().trim())) {
+                if (!isValidUrlPattern(urlPattern.getStringValue().trim())) {
                     throw new DeploymentException(WebDeploymentMessageUtils.createInvalidUrlPatternErrorMessage("servlet-mapping",
servletMapping.getServletName().getStringValue(), urlPattern
                             .getStringValue(), "web.xml"));
                 }
@@ -65,7 +73,7 @@ public class WebDeploymentValidationUtil
             for (WebResourceCollectionType collection : collections) {
                 UrlPatternType[] patterns = collection.getUrlPatternArray();
                 for (UrlPatternType pattern : patterns) {
-                    if (!isUrlPatternValid(pattern.getStringValue().trim())) {
+                    if (!isValidUrlPattern(pattern.getStringValue().trim())) {
                         throw new DeploymentException(WebDeploymentMessageUtils.createInvalidUrlPatternErrorMessage("security-constraint",
collection.getWebResourceName().getStringValue(), pattern
                                 .getStringValue(), "web.xml"));
                     }

Modified: geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/test/java/org/apache/geronimo/web25/deployment/security/SpecSecurityParsingTest.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/test/java/org/apache/geronimo/web25/deployment/security/SpecSecurityParsingTest.java?rev=935935&r1=935934&r2=935935&view=diff
==============================================================================
--- geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/test/java/org/apache/geronimo/web25/deployment/security/SpecSecurityParsingTest.java
(original)
+++ geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/test/java/org/apache/geronimo/web25/deployment/security/SpecSecurityParsingTest.java
Tue Apr 20 14:20:56 2010
@@ -21,30 +21,16 @@
 package org.apache.geronimo.web25.deployment.security;
 
 import java.net.URL;
-import java.util.Collection;
-import java.util.Set;
-import java.util.HashSet;
-import java.util.Map;
-import java.util.HashMap;
-import java.util.Collections;
-import java.util.jar.JarFile;
-import java.security.PermissionCollection;
 import java.security.Permission;
-
+import java.security.PermissionCollection;
 import javax.security.jacc.WebResourcePermission;
 import javax.security.jacc.WebUserDataPermission;
 
 import junit.framework.TestCase;
-import org.apache.geronimo.common.DeploymentException;
-import org.apache.geronimo.deployment.ModuleIDBuilder;
-import org.apache.geronimo.gbean.AbstractName;
-import org.apache.geronimo.j2ee.deployment.EARContext;
-import org.apache.geronimo.j2ee.deployment.Module;
-import org.apache.geronimo.kernel.Naming;
-import org.apache.geronimo.xbeans.javaee6.WebAppType;
-import org.apache.geronimo.xbeans.javaee6.WebAppDocument;
+
 import org.apache.geronimo.security.jacc.ComponentPermissions;
-import org.apache.geronimo.web25.deployment.AbstractWebModuleBuilder;
+import org.apache.geronimo.xbeans.javaee6.WebAppDocument;
+import org.apache.geronimo.xbeans.javaee6.WebAppType;
 import org.apache.xmlbeans.XmlOptions;
 
 /**
@@ -86,7 +72,7 @@ public class SpecSecurityParsingTest ext
         assertFalse(implies(new WebResourcePermission("/Test", ""), permissions, null));
         assertFalse(implies(new WebResourcePermission("/Test", "!"), permissions, null));
     }
-    
+
     public void testExcludedConstraint() throws Exception {
         URL srcXml = classLoader.getResource("security/web3.xml");
         WebAppDocument webAppDoc = WebAppDocument.Factory.parse(srcXml, options);
@@ -164,6 +150,18 @@ public class SpecSecurityParsingTest ext
         assertTrue(implies(p, permissions, null));
     }
 
+    public void testHTTPOmissionMethodsConstraint() throws Exception {
+        URL srcXml = classLoader.getResource("security/web6.xml");
+        WebAppDocument webAppDoc = WebAppDocument.Factory.parse(srcXml, options);
+        WebAppType webAppType = webAppDoc.getWebApp();
+        SpecSecurityBuilder builder = new SpecSecurityBuilder();
+        ComponentPermissions permissions = builder.buildSpecSecurityConfig(webAppType);
+        Permission p = new WebResourcePermission("/app/*", "GET");
+        assertFalse(implies(p, permissions, null));
+        p = new WebResourcePermission("/app/home", "POST");
+        assertTrue(implies(p, permissions, null));
+    }
+
     private boolean implies(Permission p, ComponentPermissions permissions, String role)
{
         PermissionCollection excluded = permissions.getExcludedPermissions();
         if (excluded.implies(p)) return false;
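Review bot: `testHTTPOmissionMethodsConstraint` never asserts on a method outside the omission list, so it appears it would still pass if the `http-method-omission` constraint excluded nothing. GET on `/app/*` looks to be refused by the role constraint on resource3 regardless, and POST is simply left unconstrained. Add a case such as `assertFalse(implies(new WebResourcePermission("/app/home", "PUT"), permissions, null));`, which the empty `auth-constraint` in web6.xml should deny. The commit log also mentions throwing an exception as early as possible for bad method names; a fixture with an invalid `http-method` value that expects the exception would pin that path. The `implies` helper continues past the end of the hunk.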

Added: geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/test/resources/security/web6.xml
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/test/resources/security/web6.xml?rev=935935&view=auto
==============================================================================
--- geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/test/resources/security/web6.xml
(added)
+++ geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/test/resources/security/web6.xml
Tue Apr 20 14:20:56 2010
@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<web-app xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
version="2.5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee">
+    <security-constraint>
+        <web-resource-collection>
+            <web-resource-name>resource1</web-resource-name>
+            <url-pattern>/app/*</url-pattern>            
+            <url-pattern>/a</url-pattern>
+            <url-pattern>/app/home</url-pattern>
+            <http-method-omission>GET</http-method-omission>
+            <http-method-omission>POST</http-method-omission>
+        </web-resource-collection>
+        <web-resource-collection>
+            <web-resource-name>resource2</web-resource-name>
+            <url-pattern>*.jsp</url-pattern>
+        </web-resource-collection>
+        <auth-constraint/>
+    </security-constraint>
+    <security-constraint>
+        <web-resource-collection>
+            <web-resource-name>resource3</web-resource-name>
+            <url-pattern>/app/*</url-pattern>
+            <url-pattern>/b/*</url-pattern>
+            <http-method>GET</http-method>
+        </web-resource-collection>        
+        <auth-constraint>
+            <role-name>user</role-name>
+        </auth-constraint>
+        <user-data-constraint>
+            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
+        </user-data-constraint>
+    </security-constraint>
+</web-app>
\ No newline at end of file
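Review bot: The fixture declares `version="2.5"` and `web-app_2_5.xsd`, but `<http-method-omission>` is a Servlet 3.0 element and is not part of the 2.5 schema, so the document does not match the schema it names. Declaring `version="3.0"` with `http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd` would keep the test meaningful if schema validation is enabled in the parser options, which are not visible here. The file also ends without a trailing newline although `svn:eol-style = native` is set on it.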

Propchange: geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/test/resources/security/web6.xml
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/test/resources/security/web6.xml
------------------------------------------------------------------------------
    svn:keywords = Date Revision

Propchange: geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/test/resources/security/web6.xml
------------------------------------------------------------------------------
    svn:mime-type = text/xml


