tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From craig...@locus.apache.org
Subject cvs commit: jakarta-tomcat/proposals/catalina/src/share/org/apache/tomcat/security Constants.java HttpBasicAuth.java SecurityInterceptor.java LocalStrings.properties
Date Thu, 20 Jan 2000 06:38:07 GMT
craigmcc    00/01/19 22:38:07

  Added:       proposals/catalina/src/share/org/apache/tomcat/security
                        Constants.java HttpBasicAuth.java
                        SecurityInterceptor.java LocalStrings.properties
  Log:
  Check-in of a security interceptor implementation for the
  "Catalina" proposal.
  
  Revision  Changes    Path
  1.1                  jakarta-tomcat/proposals/catalina/src/share/org/apache/tomcat/security/Constants.java
  
  Index: Constants.java
  ===================================================================
  /*
   * $Header: /home/cvs/jakarta-tomcat/proposals/catalina/src/share/org/apache/tomcat/security/Constants.java,v
1.1 2000/01/20 06:38:07 craigmcc Exp $
   * $Revision: 1.1 $
   * $Date: 2000/01/20 06:38:07 $
   *
   * ====================================================================
   *
   * The Apache Software License, Version 1.1
   *
   * Copyright (c) 1999 The Apache Software Foundation.  All rights 
   * reserved.
   *
   * Redistribution and use in source and binary forms, with or without
   * modification, are permitted provided that the following conditions
   * are met:
   *
   * 1. Redistributions of source code must retain the above copyright
   *    notice, this list of conditions and the following disclaimer. 
   *
   * 2. Redistributions in binary form must reproduce the above copyright
   *    notice, this list of conditions and the following disclaimer in
   *    the documentation and/or other materials provided with the
   *    distribution.
   *
   * 3. The end-user documentation included with the redistribution, if
   *    any, must include the following acknowlegement:  
   *       "This product includes software developed by the 
   *        Apache Software Foundation (http://www.apache.org/)."
   *    Alternately, this acknowlegement may appear in the software itself,
   *    if and wherever such third-party acknowlegements normally appear.
   *
   * 4. The names "The Jakarta Project", "Tomcat", and "Apache Software
   *    Foundation" must not be used to endorse or promote products derived
   *    from this software without prior written permission. For written 
   *    permission, please contact apache@apache.org.
   *
   * 5. Products derived from this software may not be called "Apache"
   *    nor may "Apache" appear in their names without prior written
   *    permission of the Apache Group.
   *
   * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
   * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
   * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
   * DISCLAIMED.  IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
   * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
   * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
   * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
   * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
   * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
   * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
   * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
   * SUCH DAMAGE.
   * ====================================================================
   *
   * This software consists of voluntary contributions made by many
   * individuals on behalf of the Apache Software Foundation.  For more
   * information on the Apache Software Foundation, please see
   * <http://www.apache.org/>.
   *
   * [Additional notices, if required by prior licensing conditions]
   *
   */ 
  
  
  package org.apache.tomcat.security;
  
  
  public class Constants {
  
      public static final String Package = "org.apache.tomcat.security";
  
      public static final String BASIC_METHOD = "BASIC";
      public static final String CERT_METHOD = "CLIENT-CERT";
      public static final String DIGEST_METHOD = "DIGEST";
      public static final String FORM_METHOD = "FORM";
  
  
  }
  
  
  
  
  1.1                  jakarta-tomcat/proposals/catalina/src/share/org/apache/tomcat/security/HttpBasicAuth.java
  
  Index: HttpBasicAuth.java
  ===================================================================
  /*
   * $Header: /home/cvs/jakarta-tomcat/proposals/catalina/src/share/org/apache/tomcat/security/HttpBasicAuth.java,v
1.1 2000/01/20 06:38:07 craigmcc Exp $
   * $Revision: 1.1 $
   * $Date: 2000/01/20 06:38:07 $
   *
   * ====================================================================
   *
   * The Apache Software License, Version 1.1
   *
   * Copyright (c) 1999 The Apache Software Foundation.  All rights 
   * reserved.
   *
   * Redistribution and use in source and binary forms, with or without
   * modification, are permitted provided that the following conditions
   * are met:
   *
   * 1. Redistributions of source code must retain the above copyright
   *    notice, this list of conditions and the following disclaimer. 
   *
   * 2. Redistributions in binary form must reproduce the above copyright
   *    notice, this list of conditions and the following disclaimer in
   *    the documentation and/or other materials provided with the
   *    distribution.
   *
   * 3. The end-user documentation included with the redistribution, if
   *    any, must include the following acknowlegement:  
   *       "This product includes software developed by the 
   *        Apache Software Foundation (http://www.apache.org/)."
   *    Alternately, this acknowlegement may appear in the software itself,
   *    if and wherever such third-party acknowlegements normally appear.
   *
   * 4. The names "The Jakarta Project", "Tomcat", and "Apache Software
   *    Foundation" must not be used to endorse or promote products derived
   *    from this software without prior written permission. For written 
   *    permission, please contact apache@apache.org.
   *
   * 5. Products derived from this software may not be called "Apache"
   *    nor may "Apache" appear in their names without prior written
   *    permission of the Apache Group.
   *
   * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
   * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
   * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
   * DISCLAIMED.  IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
   * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
   * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
   * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
   * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
   * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
   * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
   * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
   * SUCH DAMAGE.
   * ====================================================================
   *
   * This software consists of voluntary contributions made by many
   * individuals on behalf of the Apache Software Foundation.  For more
   * information on the Apache Software Foundation, please see
   * <http://www.apache.org/>.
   *
   * [Additional notices, if required by prior licensing conditions]
   *
   */ 
  
  
  package org.apache.tomcat.security;
  
  
  import java.io.IOException;
  import java.security.Principal;
  import javax.servlet.http.HttpServletResponse;
  import org.apache.tomcat.Realm;
  import org.apache.tomcat.Request;
  import org.apache.tomcat.Response;
  import org.apache.tomcat.deployment.LoginConfiguration;
  
  
  /**
   * Utility methods that support HTTP Basic Authentication for the
   * <code>SecurityInterceptor</code> implementation.
   *
   * @author Craig R. McClanahan
   * @version $Revision: 1.1 $ $Date: 2000/01/20 06:38:07 $
   */
  
  final class HttpBasicAuth {
  
  
      // --------------------------------------------------------- Public Methods
  
  
      /**
       * Authenticate the user making this request, using HTTP BASIC
       * authentication (see RFC 2617).  Return <code>true</code> if the
       * user has already been authenticated successfully, or
       * <code>false</code> if we have issued an authentication challenge.
       *
       * @param request Request we are processing
       * @param response Response we are creating
       * @param login LoginConfiguration describing how authentication
       *  should be performed
       * @param realm Realm used to authenticate individual users
       *
       * @exception IOException if an input/output error occurs
       */
      public static boolean authenticate(Request request, Response response,
  				       LoginConfiguration config, Realm realm)
  	throws IOException {
  
  	// Validate any credentials already included with this request
  	String authorization = request.getRequest().getHeader("Authorization");
  	if (authorization != null) {
  	    Principal principal = findPrincipal(authorization, realm);
  	    if (principal != null) {
  		request.setUserPrincipal(principal);
  		return (true);
  	    }
  	}
  
  	// Send an "unauthorized" response and an appropriate challenge
  	String realmName = config.getRealmName();
  	if (realmName == null)
  	    realmName = request.getRequest().getServerName() + ":" +
  		request.getRequest().getServerPort();
  	response.getResponse().setHeader
  	    ("WWW-Authenticate", "Basic \"" + realmName + "\"");
  	response.getResponse().setStatus(HttpServletResponse.SC_UNAUTHORIZED);
  	response.flush();
  	return (false);
  
      }
  
  
      /**
       * Parse the specified authorization credentials, and return the
       * associated Principal that these credentials authenticate (if any)
       * from the specified Realm.  If there is no such Principal, return
       * <code>null</code>.
       *
       * @param authorization Authorization credentials from this request
       * @param realm Realm used to authenticate Principals
       */
      public static Principal findPrincipal(String authorization, Realm realm) {
  
  	// Validate the authorization credentials format
  	if (authorization == null)
  	    return (null);
  	if (!authorization.startsWith("Basic "))
  	    return (null);
  	authorization = authorization.substring(6).trim();
  
  	// Decode and parse the authorization credentials
  	String unencoded = authorization;	// XXX - Base64 Decoder needed!
  	int colon = unencoded.indexOf(':');
  	if (colon < 0)
  	    return (null);
  	String username = unencoded.substring(0, colon);
  	String password = unencoded.substring(colon + 1);
  
  	// Validate these credentials in our associated realm
  	return (realm.authenticate(username, password));
  
      }
  
  
  }
  
  
  
  1.1                  jakarta-tomcat/proposals/catalina/src/share/org/apache/tomcat/security/SecurityInterceptor.java
  
  Index: SecurityInterceptor.java
  ===================================================================
  /*
   * $Header: /home/cvs/jakarta-tomcat/proposals/catalina/src/share/org/apache/tomcat/security/SecurityInterceptor.java,v
1.1 2000/01/20 06:38:07 craigmcc Exp $
   * $Revision: 1.1 $
   * $Date: 2000/01/20 06:38:07 $
   *
   * ====================================================================
   *
   * The Apache Software License, Version 1.1
   *
   * Copyright (c) 1999 The Apache Software Foundation.  All rights 
   * reserved.
   *
   * Redistribution and use in source and binary forms, with or without
   * modification, are permitted provided that the following conditions
   * are met:
   *
   * 1. Redistributions of source code must retain the above copyright
   *    notice, this list of conditions and the following disclaimer. 
   *
   * 2. Redistributions in binary form must reproduce the above copyright
   *    notice, this list of conditions and the following disclaimer in
   *    the documentation and/or other materials provided with the
   *    distribution.
   *
   * 3. The end-user documentation included with the redistribution, if
   *    any, must include the following acknowlegement:  
   *       "This product includes software developed by the 
   *        Apache Software Foundation (http://www.apache.org/)."
   *    Alternately, this acknowlegement may appear in the software itself,
   *    if and wherever such third-party acknowlegements normally appear.
   *
   * 4. The names "The Jakarta Project", "Tomcat", and "Apache Software
   *    Foundation" must not be used to endorse or promote products derived
   *    from this software without prior written permission. For written 
   *    permission, please contact apache@apache.org.
   *
   * 5. Products derived from this software may not be called "Apache"
   *    nor may "Apache" appear in their names without prior written
   *    permission of the Apache Group.
   *
   * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
   * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
   * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
   * DISCLAIMED.  IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
   * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
   * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
   * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
   * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
   * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
   * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
   * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
   * SUCH DAMAGE.
   * ====================================================================
   *
   * This software consists of voluntary contributions made by many
   * individuals on behalf of the Apache Software Foundation.  For more
   * information on the Apache Software Foundation, please see
   * <http://www.apache.org/>.
   *
   * [Additional notices, if required by prior licensing conditions]
   *
   */ 
  
  
  package org.apache.tomcat.security;
  
  
  import java.io.IOException;
  import java.security.Principal;
  import java.util.Enumeration;
  import javax.servlet.ServletException;
  import javax.servlet.http.HttpServletResponse;
  import org.apache.tomcat.Container;
  import org.apache.tomcat.Context;
  import org.apache.tomcat.Interceptor;
  import org.apache.tomcat.Lifecycle;
  import org.apache.tomcat.LifecycleException;
  import org.apache.tomcat.Realm;
  import org.apache.tomcat.Request;
  import org.apache.tomcat.Response;
  import org.apache.tomcat.deployment.AuthorizationConstraint;
  import org.apache.tomcat.deployment.LoginConfiguration;
  import org.apache.tomcat.deployment.SecurityConstraint;
  import org.apache.tomcat.deployment.SecurityRole;
  import org.apache.tomcat.deployment.SecurityRoleReference;
  import org.apache.tomcat.deployment.ServletDescriptor;
  import org.apache.tomcat.deployment.UserDataConstraint;
  import org.apache.tomcat.deployment.WebApplicationDescriptor;
  import org.apache.tomcat.deployment.WebResourceCollection;
  import org.apache.tomcat.util.StringManager;
  import org.w3c.dom.NamedNodeMap;
  import org.w3c.dom.Node;
  
  
  /**
   * Implementation of the <b>Interceptor</b> interface that enforces the
   * <code>&lt;security-constraint&gt;</code> elements in the web application
   * deployment descriptor.  This functionality is implemented as an
   * Interceptor so that it can be omitted in environments that do not require
   * these features.
   * <p>
   * <b>USAGE CONSTRAINT</b>:  When this class is utilized, the Context to
   * which it is attached (or a parent Container in a hierarchy) must have an
   * associated Realm that can be used for authenticating users and enumerating
   * the roles to which they have been assigned.
   * <p>
   * XXX - Unimplemented Features:
   * <ul>
   * <li>Role mapping for per-servlet <code>&lt;security-role-ref&gt;</code>
   *     elements in the deployment descriptor.
   * <li>HTTP Digest Authentication support.
   * <li>HTTPS Client Authentication support.
   * <li>Form Based Authentication support.
   * </ul>
   *
   * @author Craig R. McClanahan
   * @version $Revision: 1.1 $ $Date: 2000/01/20 06:38:07 $
   */
  
  
  public final class SecurityInterceptor
      implements Interceptor, Lifecycle {
  
  
      // ----------------------------------------------------- Instance Variables
  
  
      /**
       * Has this component been configured?
       */
      private boolean configured = false;
  
  
      /**
       * The Context to which this Interceptor is attached.
       */
      private Context context = null;
  
  
      /**
       * Descriptive information about this implementation.
       */
      private static final String info =
  	"org.apache.tomcat.security.SecurityInterceptor/1.0";
  
  
      /**
       * The string manager for this package.
       */
      private StringManager sm =
  	StringManager.getManager(Constants.Package);
  
  
      /**
       * Has this component been started?
       */
      private boolean started = false;
  
  
      // ------------------------------------------------------------- Properties
  
  
      /**
       * Return the Container to which this Interceptor is attached.
       */
      public Container getContainer() {
  
  	return (this.context);
  
      }
  
  
      /**
       * Set the Container to which this Interceptor is attached.
       *
       * @param container The container to which we are attached
       */
      public void setContainer(Container container) {
  
  	if (!(container instanceof Context))
  	    throw new IllegalArgumentException
  		(sm.getString("securityInterceptor.notContext"));
  
  	this.context = (Context) container;
  
      }
  
  
      /**
       * Return descriptive information about this Interceptor implementation.
       */
      public String getInfo() {
  
  	return (this.info);
  
      }
  
  
      // --------------------------------------------------------- Public Methods
  
  
      /**
       * Perform pre-processing for this request.  Return <code>true</code> if
       * processing should continue, or <code>false</code> if this method has
       * created the corresponding response already.
       *
       * @param request Request to be processed
       * @param response Response to be processed
       *
       * @exception IOException if an input/output error occurs
       * @exception ServletException if thrown by a processing element
       */
      public boolean preService(Request request, Response response)
  	throws IOException, ServletException {
  
  	// Acquire the WebApplicationDescriptor for this Context
  	WebApplicationDescriptor descriptor = context.getDescriptor();
  	if (descriptor == null)
  	    return (true);
  
  	// Is this request URI subject to a security constraint?
  	SecurityConstraint constraint = findConstraint(request, descriptor);
  	if (constraint == null)
  	    return (true);
  
  	// Enforce any user data constraint for this security constraint
  	if (!checkUserData(request, response,
  			   constraint.getUserDataConstraint()))
  	    return (false);
  
  	// Authenticate based upon the specified login configuration
  	if (!authenticate(request, response,
  			  descriptor.getLoginConfiguration()))
  	    return (false);
  
  	// Perform access control based on the specified role(s)
  	if (!accessControl(request, response,
  			   constraint.getAuthorizationConstraint()))
  	    return (false);
  
  	// Any and all specified constraints have been satisfied
  	return (true);
  
      }
  
  
      /**
       * Perform post-processing for this request.  For this Interceptor,
       * no post-processing is required.
       *
       * @param request Request to be processed
       * @param response Response to be processed
       *
       * @exception IOException if an input/output error occurs
       * @exception ServletException if thrown by a processing element
       */
      public void postService(Request request, Response response)
  	throws IOException, ServletException {
  
  	;	// No post-processing is required
  
      }
  
  
      // -------------------------------------------------------- Private Methods
  
  
      /**
       * Perform access control based on the specified authorization constraint.
       * Return <code>true</code> if this constraint is satisfied and processing
       * should continue, or <code>false</code> otherwise.
       *
       * @param request Request we are processing
       * @param response Response we are creating
       * @param auth Authorization constraint we are enforcing
       *
       * @exception IOException if an input/output error occurs
       */
      private boolean accessControl(Request request, Response response,
  				  AuthorizationConstraint auth)
  	throws IOException {
  
  	// Which user principal have we already authenticated?
  	Principal principal = request.getRequest().getUserPrincipal();
  	if (principal == null) {
  	    response.getResponse().sendError
  		(HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
  		 sm.getString("securityInterceptor.missingMethod"));
  	    return (false);
  	}
  
  	// Check each role included in this constraint
  	Realm realm = context.getRealm();
  	Enumeration roles = auth.getSecurityRoles();
  	while (roles.hasMoreElements()) {
  	    SecurityRole role = (SecurityRole) roles.nextElement();
  	    if (realm.hasRole(principal, role.getName()))
  		return (true);
  	}
  
  	// Return a "Forbidden" message denying access to this resource
  	response.getResponse().sendError
  	    (HttpServletResponse.SC_FORBIDDEN,
  	     sm.getString("securityInterceptor.forbidden"));
  	return (false);
  
      }
  
  
      /**
       * Authenticate the user making this request, based on the specified
       * login configuration.  Return <code>true</code> if any specified
       * constraint has been satisfied, or <code>false</code> if we have
       * created a response challenge already.
       *
       * @param request Request we are processing
       * @param response Response we are creating
       * @param login LoginConfiguration describing how authentication
       *  should be performed
       *
       * @exception IOException if an input/output error occurs
       */
      private boolean authenticate(Request request, Response response,
  				 LoginConfiguration config)
  	throws IOException {
  
  	// Has a login configuration element been specified?
  	if (config == null)
  	    return (true);
  
  	// Identify the requested (or default) login mechanism
  	String method = config.getAuthenticationMethod();
  	if (method == null)
  	    method = Constants.BASIC_METHOD; // XXX - Is this default correct?
  
  	// Apply the requested login mechanism
  	if (method.equals(Constants.BASIC_METHOD))
  	    return (HttpBasicAuth.authenticate(request, response,
  					       config, context.getRealm()));
  	/*
  	else if (method.equals(Constants.CERT_METHOD))
  	    return (ClientCertAuth.authenticate(request, response,
  						config, context.getRealm()));
  	else if (method.equals(Constants.DIGEST_METHOD))
  	    return (ClientCertAuth.authenticate(request, response,
  						config, context.getRealm()));
  	else if (method.equals(Constants.FORM_METHOD))
  	    return (LoginFormAuth.authenticate(request, response,
  					       config, context.getRealm()));
  	*/
  	else {
  	    response.getResponse().sendError
  		(HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
  		 sm.getString("securityInterceptor.unknownMethod", method));
  	    return (false);
  	}
  
      }
  
  
      /**
       * Enforce any user data constraint required by the security constraint
       * guarding this request URI.  Return <code>true</code> if this constraint
       * was not violated and processing should continue, or <code>false</code>
       * if we have created a response already.
       *
       * @param request Request we are processing
       * @param response Response we are creating
       * @param user UserDataConstraint we are enforcing
       *
       * @exception IOException if an input/output error occurs
       */
      private boolean checkUserData(Request request, Response response,
  				  UserDataConstraint user)
  	throws IOException {
  
  	if (user == null)
  	    return (true);
  	String guarantee = user.getTransportGuarantee();
  	if (guarantee == null)
  	    return (true);
  	if (guarantee.equals(UserDataConstraint.NONE_TRANSPORT))
  	    return (true);
  	if (!request.getRequest().isSecure()) {
  	    response.getResponse().sendError
  		(HttpServletResponse.SC_BAD_REQUEST,
  		 sm.getString("securityInterceptor.userDataConstraint"));
  	    return (false);
  	}
  	return (true);
  
      }
  
  
      /**
       * Return the SecurityConstraint configured to guard the request URI for
       * this request, or <code>null</code> if there is no such constraint.
       *
       * @param request Request we are processing
       * @param descriptor WebApplicationDescriptor within which we are operating
       */
      private SecurityConstraint findConstraint(Request request,
  					WebApplicationDescriptor descriptor) {
  
  	// Are there any defined security constraints?
  	if (descriptor == null)
  	    return (null);
  	Enumeration constraints = descriptor.getSecurityConstraints();
  	if (constraints == null)
  	    return (null);
  
  	// Check each defined security constraint
  	while (constraints.hasMoreElements()) {
  	    SecurityConstraint constraint =
  		(SecurityConstraint) constraints.nextElement();
  	    Enumeration collections = constraint.getWebResourceCollections();
  	    while (collections.hasMoreElements()) {
  		WebResourceCollection collection =
  		    (WebResourceCollection) collections.nextElement();
  		if (matchCollection(request, collection))
  		    return (constraint);
  	    }
  	}
  
  	// No applicable security constraint was found
  	return (null);
  
      }
  
  
      /**
       * Do the characteristics of this request match the protection patterns
       * of the specified web resource collection?  Matching is done based on
       * both the URL pattern and HTTP method (if any) restrictions.
       *
       * @param request Request we are processing
       * @param collection WebResourceCollection to test against
       */
      private boolean matchCollection(Request request,
  				    WebResourceCollection collection) {
  
  	// Test against the HTTP method(s) listed in the collection
  	String method = request.getRequest().getMethod();
  	int n = 0;
  	boolean match = false;
  	Enumeration methods = collection.getHttpMethods();
  	while (methods.hasMoreElements()) {
  	    n++;
  	    if (method.equals((String) methods.nextElement())) {
  		match = true;
  		break;
  	    }
  	}
  	if ((!match) && (n > 0))
  	    return (false);
  
  	// Test against the URL pattern(s) listed in the collection
  	// XXX - Should this do a "longest match" comparison?
  	String path = request.getRequest().getServletPath();
  	if (path == null)
  	    path = "";
  	if (request.getRequest().getPathInfo() != null)
  	    path += request.getRequest().getPathInfo();
  	Enumeration patterns = collection.getUrlPatterns();
  	while (patterns.hasMoreElements()) {
  	    String pattern = (String) patterns.nextElement();
  	    if (matchPattern(path, pattern))
  		return (true);
  	}
  
  	return (false);
  
      }
  
  
      /**
       * Does the specified request path match the specified URL pattern?
       *
       * XXX - Shouldn't this be a shared utility method someplace?
       *
       * @param path Context-relative request path to be checked
       *  (must start with '/')
       * @param pattern URL pattern to be compared against
       */
      private boolean matchPattern(String path, String pattern) {
  
  	// Normalize the argument strings
  	if ((path == null) || (path.length() == 0))
  	    path = "/";
  	if ((pattern == null) || (pattern.length() == 0))
  	    pattern = "/";
  
  	// Check for exact match
  	if (path.equals(pattern))
  	    return (true);
  
  	// Check for universal mapping
  	if (pattern.equals("/"))
  	    return (true);
  
  	// Check for path prefix matching
  	if (pattern.startsWith("/") && pattern.endsWith("/*")) {
  	    pattern = pattern.substring(0, pattern.length() - 2);
  	    if (pattern.length() == 0)
  		return (true);	// "/*" is the same as "/"
  	    if (path.endsWith("/"))
  		path = path.substring(0, path.length() - 1);
  	    while (true) {
  		if (pattern.equals(path))
  		    return (true);
  		int slash = path.lastIndexOf('/');
  		if (slash <= 0)
  		    break;
  		path = path.substring(0, slash);
  	    }
  	    return (false);
  	}
  
  	// Check for suffix matching
  	else if (pattern.startsWith("*.")) {
  	    int slash = path.lastIndexOf('/');
  	    int period = path.lastIndexOf('.');
  	    if ((slash >= 0) && (period > slash) &&
  		path.endsWith(pattern.substring(1))) {
  		return (true);
  	    }
  	}
  
  	return (false);
  
      }
  
  
      // ------------------------------------------------------ Lifecycle Methods
  
  
      /**
       * Configure this component, based on the specified configuration
       * parameters.  This method should be called immediately after the
       * component instance is created, and before <code>start()</code>
       * is called.
       *
       * @param parameters Configuration parameters for this component
       *  (<B>FIXME: What object type should this really be?)
       *
       * @exception IllegalStateException if this component has already been
       *  configured and/or started
       * @exception LifecycleException if this component detects a fatal error
       *  in the configuration parameters it was given
       */
      public void configure(Node parameters)
  	throws LifecycleException {
  
  	// Validate and update our current component state
  	if (configured)
  	    throw new LifecycleException
  		(sm.getString("securityInterceptor.alreadyConfigured"));
  	configured = true;
  	if (parameters == null)
  	    return;
  
  	// Parse and process our configuration parameters
  
      }
  
  
      /**
       * Prepare for the beginning of active use of the public methods of this
       * component.  This method should be called after <code>configure()</code>,
       * and before any of the public methods of the component are utilized.
       *
       * @exception IllegalStateException if this component has not yet been
       *  configured (if required for this component)
       * @exception IllegalStateException if this component has already been
       *  started
       * @exception LifecycleException if this component detects a fatal error
       *  that prevents this component from being used
       */
      public void start() throws LifecycleException {
  
  	// Validate and update our current component state
  	if (!configured)
  	    throw new LifecycleException
  		(sm.getString("securityInterceptor.notConfigured"));
  	if (started)
  	    throw new LifecycleException
  		(sm.getString("securityInterceptor.alreadyStarted"));
  	started = true;
  
      }
  
  
      /**
       * Gracefully terminate the active use of the public methods of this
       * component.  This method should be the last one called on a given
       * instance of this component.
       *
       * @exception IllegalStateException if this component has not been started
       * @exception IllegalStateException if this component has already
       *  been stopped
       * @exception LifecycleException if this component detects a fatal error
       *  that needs to be reported
       */
      public void stop() throws LifecycleException {
  
  	// Validate and update our current component state
  	if (!started)
  	    throw new LifecycleException
  		(sm.getString("securityInterceptor.notStarted"));
  	started = false;
  
      }
  
  
  }
  
  
  
  1.1                  jakarta-tomcat/proposals/catalina/src/share/org/apache/tomcat/security/LocalStrings.properties
  
  Index: LocalStrings.properties
  ===================================================================
  securityInterceptor.alreadyConfigured=Security Interceptor has already been configured
  securityInterceptor.alreadyStarted=Security Interceptor has already been started
  securityInterceptor.forbidden=Access to the requested resource has been denied
  securityInterceptor.missingMethod=No authentication method configured for this application
  securityInterceptor.notContext=Configuration error:  Must be attached to a Context
  securityInterceptor.notConfigured=Security Interceptor has not yet been configured
  securityInterceptor.notStarted=Security Interceptor has not yet been started
  securityInterceptor.unknownMethod=Unknown authentication method $0 configured for this application
  securityInterceptor.userDataConstraint=This request violates a User Data constraint for
this application
  
  
  

Mime
View raw message