tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From craig...@locus.apache.org
Subject cvs commit: jakarta-tomcat/proposals/catalina/src/share/org/apache/tomcat/security Constants.java HttpBasicAuth.java SecurityValve.java
Date Sun, 13 Feb 2000 01:43:50 GMT
craigmcc    00/02/12 17:43:50

  Modified:    proposals/catalina/src/share/org/apache/tomcat Context.java
               proposals/catalina/src/share/org/apache/tomcat/core
                        ApplicationContext.java StandardContext.java
               proposals/catalina/src/share/org/apache/tomcat/security
                        Constants.java HttpBasicAuth.java
                        SecurityValve.java
  Added:       proposals/catalina/src/share/org/apache/tomcat/deploy
                        LoginConfig.java SecurityCollection.java
                        SecurityConstraint.java
  Log:
  Remove WebApplicationDescriptor from Context, replacing calls that ask for
  it by corresponding context properties and data structures methods.  This
  makes Catalina totally independent of the original
  "org.apache.tomcat.deployment" package, which will not be required by the
  Catalina startup shell.
  
  Convert the SecurityValve implementation (which enforces the security
  constraints specified in the deployment descriptor) to use the new Context
  properties where required.
  
  Revision  Changes    Path
  1.5       +41 -21    jakarta-tomcat/proposals/catalina/src/share/org/apache/tomcat/Context.java
  
  Index: Context.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat/proposals/catalina/src/share/org/apache/tomcat/Context.java,v
  retrieving revision 1.4
  retrieving revision 1.5
  diff -u -r1.4 -r1.5
  --- Context.java	2000/02/12 23:15:45	1.4
  +++ Context.java	2000/02/13 01:43:43	1.5
  @@ -1,7 +1,7 @@
   /*
  - * $Header: /home/cvs/jakarta-tomcat/proposals/catalina/src/share/org/apache/tomcat/Context.java,v 1.4 2000/02/12 23:15:45 craigmcc Exp $
  - * $Revision: 1.4 $
  - * $Date: 2000/02/12 23:15:45 $
  + * $Header: /home/cvs/jakarta-tomcat/proposals/catalina/src/share/org/apache/tomcat/Context.java,v 1.5 2000/02/13 01:43:43 craigmcc Exp $
  + * $Revision: 1.5 $
  + * $Date: 2000/02/13 01:43:43 $
    *
    * ====================================================================
    *
  @@ -69,7 +69,8 @@
   import org.apache.tomcat.deploy.ContextEjb;
   import org.apache.tomcat.deploy.ContextEnvironment;
   import org.apache.tomcat.deploy.ContextResource;
  -import org.apache.tomcat.deployment.WebApplicationDescriptor;
  +import org.apache.tomcat.deploy.LoginConfig;
  +import org.apache.tomcat.deploy.SecurityConstraint;
   
   
   /**
  @@ -87,11 +88,9 @@
    * The child containers attached to a Context are generally implementations
    * of Wrapper (representing individual servlet definitions).
    * <p>
  - * <b>FIXME:  Context initialization parameters have descriptions in the
  - * deployment descriptor!</b>
    *
    * @author Craig R. McClanahan
  - * @version $Revision: 1.4 $ $Date: 2000/02/12 23:15:45 $
  + * @version $Revision: 1.5 $ $Date: 2000/02/13 01:43:43 $
    */
   
   public interface Context extends Container {
  @@ -101,20 +100,6 @@
   
   
       /**
  -     * Return the context configuration descriptor for this web application.
  -     */
  -    public WebApplicationDescriptor getDescriptor();
  -
  -
  -    /**
  -     * Set the context configuration descriptor for this web application.
  -     *
  -     * @param descriptor The new context configuration descriptor
  -     */
  -    public void setDescriptor(WebApplicationDescriptor descriptor);
  -
  -
  -    /**
        * Return the distributable flag for this web application.
        */
       public boolean getDistributable();
  @@ -129,6 +114,20 @@
   
   
       /**
  +     * Return the login configuration descriptor for this web application.
  +     */
  +    public LoginConfig getLoginConfig();
  +
  +
  +    /**
  +     * Set the login configuration descriptor for this web application.
  +     *
  +     * @param config The new login configuration
  +     */
  +    public void setLoginConfig(LoginConfig config);
  +
  +
  +    /**
        * Return the context path for this web application.
        */
       public String getPath();
  @@ -168,6 +167,12 @@
   
   
       /**
  +     * Add a security constraint to the set for this web application.
  +     */
  +    public void addConstraint(SecurityConstraint constraint);
  +
  +
  +    /**
        * Add an EJB resource reference for this web application.
        *
        * @param ejb New EJB resource reference
  @@ -274,6 +279,13 @@
   
   
       /**
  +     * Return the set of security constraints for this web application.
  +     * If there are none, a zero-length array is returned.
  +     */
  +    public SecurityConstraint[] findConstraints();
  +
  +
  +    /**
        * Return the EJB resource reference with the specified name, if any;
        * otherwise, return <code>null</code>.
        *
  @@ -463,6 +475,14 @@
        * @param uri Context-relative URI, which must start with a "/"
        */
       public Wrapper map(String uri);
  +
  +
  +    /**
  +     * Remove the specified security constraint from this web application.
  +     *
  +     * @param constraint Constraint to be removed
  +     */
  +    public void removeConstraint(SecurityConstraint constraint);
   
   
       /**
  
  
  
  1.2       +7 -37     jakarta-tomcat/proposals/catalina/src/share/org/apache/tomcat/core/ApplicationContext.java
  
  Index: ApplicationContext.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat/proposals/catalina/src/share/org/apache/tomcat/core/ApplicationContext.java,v
  retrieving revision 1.1
  retrieving revision 1.2
  diff -u -r1.1 -r1.2
  --- ApplicationContext.java	2000/01/20 06:34:49	1.1
  +++ ApplicationContext.java	2000/02/13 01:43:44	1.2
  @@ -1,7 +1,7 @@
   /*
  - * $Header: /home/cvs/jakarta-tomcat/proposals/catalina/src/share/org/apache/tomcat/core/ApplicationContext.java,v 1.1 2000/01/20 06:34:49 craigmcc Exp $
  - * $Revision: 1.1 $
  - * $Date: 2000/01/20 06:34:49 $
  + * $Header: /home/cvs/jakarta-tomcat/proposals/catalina/src/share/org/apache/tomcat/core/ApplicationContext.java,v 1.2 2000/02/13 01:43:44 craigmcc Exp $
  + * $Revision: 1.2 $
  + * $Date: 2000/02/13 01:43:44 $
    *
    * ====================================================================
    *
  @@ -81,7 +81,6 @@
   import org.apache.tomcat.Resources;
   import org.apache.tomcat.Wrapper;
   import org.apache.tomcat.deployment.ContextParameter;
  -import org.apache.tomcat.deployment.WebApplicationDescriptor;
   
   
   /**
  @@ -90,7 +89,7 @@
    * associated with each instance of <code>StandardContext</code>.
    *
    * @author Craig R. McClanahan
  - * @version $Revision: 1.1 $ $Date: 2000/01/20 06:34:49 $
  + * @version $Revision: 1.2 $ $Date: 2000/02/13 01:43:44 $
    */
   
   final class ApplicationContext
  @@ -205,25 +204,8 @@
        */
       public String getInitParameter(String name) {
   
  -	// Acquire the context parameters for this Context.
  -	WebApplicationDescriptor descriptor = context.getDescriptor();
  -	if (descriptor == null)
  -	    return (null);
  -	Enumeration params = descriptor.getContextParameters();
  -	if (params == null)
  -	    return (null);
  -
  -	// Return the specified parameter value if it is present
  -	while (params.hasMoreElements()) {
  -	    ContextParameter param = (ContextParameter) params.nextElement();
  -	    if (!name.equals(param.getName()))
  -		continue;
  -	    return (param.getValue());
  -	}
  +	return (context.findParameter(name));
   
  -	// The specified initialization parameter is not present
  -	return (null);
  -
       }
   
   
  @@ -233,22 +215,10 @@
        */
       public Enumeration getInitParameterNames() {
   
  +	String parameters[] = context.findParameters();
   	Vector results = new Vector();
  -
  -	// Acquire the context parameters for this Context
  -	WebApplicationDescriptor descriptor = context.getDescriptor();
  -	if (descriptor == null)
  -	    return (results.elements());
  -
  -	// Enumerate the context parameter names for this Context
  -	Enumeration params = descriptor.getContextParameters();
  -	if (params == null)
  -	    return (results.elements());
  -	while (params.hasMoreElements()) {
  -	    ContextParameter param = (ContextParameter) params.nextElement();
  -	    results.addElement(param.getName());
  -	}
  -
  +	for (int i = 0; i < parameters.length; i++)
  +	    results.addElement(parameters[i]);
   	return (results.elements());
   
       }
  
  
  
  1.7       +88 -36    jakarta-tomcat/proposals/catalina/src/share/org/apache/tomcat/core/StandardContext.java
  
  Index: StandardContext.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat/proposals/catalina/src/share/org/apache/tomcat/core/StandardContext.java,v
  retrieving revision 1.6
  retrieving revision 1.7
  diff -u -r1.6 -r1.7
  --- StandardContext.java	2000/02/12 23:15:45	1.6
  +++ StandardContext.java	2000/02/13 01:43:45	1.7
  @@ -1,7 +1,7 @@
   /*
  - * $Header: /home/cvs/jakarta-tomcat/proposals/catalina/src/share/org/apache/tomcat/core/StandardContext.java,v 1.6 2000/02/12 23:15:45 craigmcc Exp $
  - * $Revision: 1.6 $
  - * $Date: 2000/02/12 23:15:45 $
  + * $Header: /home/cvs/jakarta-tomcat/proposals/catalina/src/share/org/apache/tomcat/core/StandardContext.java,v 1.7 2000/02/13 01:43:45 craigmcc Exp $
  + * $Revision: 1.7 $
  + * $Date: 2000/02/13 01:43:45 $
    *
    * ====================================================================
    *
  @@ -80,7 +80,8 @@
   import org.apache.tomcat.deploy.ContextEjb;
   import org.apache.tomcat.deploy.ContextEnvironment;
   import org.apache.tomcat.deploy.ContextResource;
  -import org.apache.tomcat.deployment.WebApplicationDescriptor;
  +import org.apache.tomcat.deploy.LoginConfig;
  +import org.apache.tomcat.deploy.SecurityConstraint;
   
   
   /**
  @@ -89,7 +90,7 @@
    * requests directed to a particular servlet.
    *
    * @author Craig R. McClanahan
  - * @version $Revision: 1.6 $ $Date: 2000/02/12 23:15:45 $
  + * @version $Revision: 1.7 $ $Date: 2000/02/13 01:43:45 $
    */
   
   public final class StandardContext
  @@ -115,15 +116,15 @@
   
   
       /**
  -     * The ServletContext implementation associated with this Context.
  +     * The security constraints for this web application.
        */
  -    private ApplicationContext context = null;
  +    private Vector constraints = new Vector();
   
   
       /**
  -     * The web application deployment descriptor associated with this context.
  +     * The ServletContext implementation associated with this Context.
        */
  -    private WebApplicationDescriptor descriptor = null;
  +    private ApplicationContext context = null;
   
   
       /**
  @@ -159,6 +160,12 @@
   
   
       /**
  +     * The login configuration descriptor for this web application.
  +     */
  +    private LoginConfig loginConfig = null;
  +
  +
  +    /**
        * The MIME mappings for this web application, keyed by extension.
        */
       private Hashtable mimeMappings = new Hashtable();
  @@ -219,33 +226,6 @@
   
   
       /**
  -     * Return the context configuration descriptor for this web application.
  -     */
  -    public WebApplicationDescriptor getDescriptor() {
  -
  -	return (this.descriptor);
  -
  -    }
  -
  -
  -    /**
  -     * Set the context configuration descriptor for this web application.
  -     *
  -     * @param descriptor The new context configuration descriptor
  -     */
  -    public void setDescriptor(WebApplicationDescriptor descriptor) {
  -
  -	WebApplicationDescriptor oldDescriptor = this.descriptor;
  -	this.descriptor = descriptor;
  -	support.firePropertyChange("descriptor", oldDescriptor,
  -				   this.descriptor);
  -
  -	// FIXME - Parse out the stuff we will use a lot?
  -
  -    }
  -
  -
  -    /**
        * Return the distributable flag for this web application.
        */
       public boolean getDistributable() {
  @@ -272,6 +252,31 @@
   
   
       /**
  +     * Return the login configuration descriptor for this web application.
  +     */
  +    public LoginConfig getLoginConfig() {
  +
  +	return (this.loginConfig);
  +
  +    }
  +
  +
  +    /**
  +     * Set the login configuration descriptor for this web application.
  +     *
  +     * @param config The new login configuration
  +     */
  +    public void setLoginConfig(LoginConfig config) {
  +
  +	LoginConfig oldLoginConfig = this.loginConfig;
  +	this.loginConfig = config;
  +	support.firePropertyChange("loginConfig",
  +				   oldLoginConfig, this.loginConfig);
  +
  +    }
  +
  +
  +    /**
        * Return the context path for this Context.
        */
       public String getPath() {
  @@ -356,6 +361,20 @@
   
   
       /**
  +     * Add a security constraint to the set for this web application.
  +     */
  +    public void addConstraint(SecurityConstraint constraint) {
  +
  +	if (!constraints.contains(constraint)) {
  +	    constraints.addElement(constraint);
  +	    fireContainerEvent("addConstraint", constraint);
  +	}
  +
  +    }
  +
  +
  +
  +    /**
        * Add an EJB resource reference for this web application.
        *
        * @param ejb New EJB resource reference
  @@ -521,6 +540,24 @@
   
   
       /**
  +     * Return the security constraints for this web application.
  +     * If there are none, a zero-length array is returned.
  +     */
  +    public SecurityConstraint[] findConstraints() {
  +
  +	synchronized (constraints) {
  +	    SecurityConstraint results[] =
  +		new SecurityConstraint[constraints.size()];
  +	    Enumeration elements = constraints.elements();
  +	    for (int i = 0; i < results.length; i++)
  +		results[i] = (SecurityConstraint) elements.nextElement();
  +	    return (results);
  +	}
  +
  +    }
  +
  +
  +    /**
        * Return the EJB resource reference with the specified name, if any;
        * otherwise, return <code>null</code>.
        *
  @@ -878,6 +915,21 @@
       public Wrapper map(String uri) {
   
   	return (null);	// FIXME - map() via servlet mappings
  +
  +    }
  +
  +
  +    /**
  +     * Remove the specified security constraint from this web application.
  +     *
  +     * @param constraint Constraint to be removed
  +     */
  +    public void removeConstraint(SecurityConstraint constraint) {
  +
  +	if (constraints.contains(constraint)) {
  +	    constraints.removeElement(constraint);
  +	    fireContainerEvent("removeConstraint", constraint);
  +	}
   
       }
   
  
  
  
  1.1                  jakarta-tomcat/proposals/catalina/src/share/org/apache/tomcat/deploy/LoginConfig.java
  
  Index: LoginConfig.java
  ===================================================================
  /*
   * $Header: /home/cvs/jakarta-tomcat/proposals/catalina/src/share/org/apache/tomcat/deploy/LoginConfig.java,v 1.1 2000/02/13 01:43:45 craigmcc Exp $
   * $Revision: 1.1 $
   * $Date: 2000/02/13 01:43:45 $
   *
   * ====================================================================
   *
   * The Apache Software License, Version 1.1
   *
   * Copyright (c) 1999 The Apache Software Foundation.  All rights 
   * reserved.
   *
   * Redistribution and use in source and binary forms, with or without
   * modification, are permitted provided that the following conditions
   * are met:
   *
   * 1. Redistributions of source code must retain the above copyright
   *    notice, this list of conditions and the following disclaimer. 
   *
   * 2. Redistributions in binary form must reproduce the above copyright
   *    notice, this list of conditions and the following disclaimer in
   *    the documentation and/or other materials provided with the
   *    distribution.
   *
   * 3. The end-user documentation included with the redistribution, if
   *    any, must include the following acknowlegement:  
   *       "This product includes software developed by the 
   *        Apache Software Foundation (http://www.apache.org/)."
   *    Alternately, this acknowlegement may appear in the software itself,
   *    if and wherever such third-party acknowlegements normally appear.
   *
   * 4. The names "The Jakarta Project", "Tomcat", and "Apache Software
   *    Foundation" must not be used to endorse or promote products derived
   *    from this software without prior written permission. For written 
   *    permission, please contact apache@apache.org.
   *
   * 5. Products derived from this software may not be called "Apache"
   *    nor may "Apache" appear in their names without prior written
   *    permission of the Apache Group.
   *
   * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
   * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
   * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
   * DISCLAIMED.  IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
   * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
   * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
   * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
   * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
   * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
   * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
   * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
   * SUCH DAMAGE.
   * ====================================================================
   *
   * This software consists of voluntary contributions made by many
   * individuals on behalf of the Apache Software Foundation.  For more
   * information on the Apache Software Foundation, please see
   * <http://www.apache.org/>.
   *
   * [Additional notices, if required by prior licensing conditions]
   *
   */ 
  
  
  package org.apache.tomcat.deploy;
  
  
  /**
   * Representation of a login configuration element for a web application,
   * as represented in a <code>&lt;login-config&gt;</code> element in the
   * deployment descriptor.
   *
   * @author Craig R. McClanahan
   * @version $Revision: 1.1 $ $Date: 2000/02/13 01:43:45 $
   */
  
  public final class LoginConfig {
  
  
      // ----------------------------------------------------------- Constructors
  
  
      /**
       * Construct a new login configuration with the specified properties
       *
       * @param authMethod Authentication method to use, if any
       * @param realmName Realm name to use in security challenges
       * @param loginPage Context-relative URI of the login page
       * @param errorPage Context-relative URI of the error page
       */
      public LoginConfig(String authMethod, String realmName,
  		       String loginPage, String errorPage) {
  
  	super();
  	if (authMethod != null)
  	    this.authMethod = authMethod;
  	if (realmName != null)
  	    this.realmName = realmName;
  	if (loginPage != null)
  	    this.loginPage = loginPage;
  	if (errorPage != null)
  	    this.errorPage = errorPage;
  
      }
  
  
      // ----------------------------------------------------- Instance Variables
  
  
      /**
       * The authentication method to use for application login.  Must be
       * BASIC, DIGEST, FORM, or CLIENT-CERT.
       */
      private String authMethod = null;
  
  
      /**
       * The context-relative URI of the error page for form login.
       */
      private String errorPage = null;
  
  
      /**
       * The context-relative URI of the login page for form login.
       */
      private String loginPage = null;
  
  
      /**
       * The realm name used when challenging the user for authentication
       * credentials.
       */
      private String realmName = null;
  
  
      // ------------------------------------------------------------- Properties
  
  
      /**
       * Return the authentication method for this web application.
       */
      public String getAuthMethod() {
  
  	return (this.authMethod);
  
      }
  
  
      /**
       * Return the error page URI for form login for this web application.
       */
      public String getErrorPage() {
  
  	return (this.errorPage);
  
      }
  
  
      /**
       * Return the login page URI for form login for this web application.
       */
      public String getLoginPage() {
  
  	return (this.loginPage);
  
      }
  
  
      /**
       * Return the realm name for this web application.
       */
      public String getRealmName() {
  
  	return (this.realmName);
  
      }
  
  
  }
  
  
  
  1.1                  jakarta-tomcat/proposals/catalina/src/share/org/apache/tomcat/deploy/SecurityCollection.java
  
  Index: SecurityCollection.java
  ===================================================================
  /*
   * $Header: /home/cvs/jakarta-tomcat/proposals/catalina/src/share/org/apache/tomcat/deploy/SecurityCollection.java,v 1.1 2000/02/13 01:43:45 craigmcc Exp $
   * $Revision: 1.1 $
   * $Date: 2000/02/13 01:43:45 $
   *
   * ====================================================================
   *
   * The Apache Software License, Version 1.1
   *
   * Copyright (c) 1999 The Apache Software Foundation.  All rights 
   * reserved.
   *
   * Redistribution and use in source and binary forms, with or without
   * modification, are permitted provided that the following conditions
   * are met:
   *
   * 1. Redistributions of source code must retain the above copyright
   *    notice, this list of conditions and the following disclaimer. 
   *
   * 2. Redistributions in binary form must reproduce the above copyright
   *    notice, this list of conditions and the following disclaimer in
   *    the documentation and/or other materials provided with the
   *    distribution.
   *
   * 3. The end-user documentation included with the redistribution, if
   *    any, must include the following acknowlegement:  
   *       "This product includes software developed by the 
   *        Apache Software Foundation (http://www.apache.org/)."
   *    Alternately, this acknowlegement may appear in the software itself,
   *    if and wherever such third-party acknowlegements normally appear.
   *
   * 4. The names "The Jakarta Project", "Tomcat", and "Apache Software
   *    Foundation" must not be used to endorse or promote products derived
   *    from this software without prior written permission. For written 
   *    permission, please contact apache@apache.org.
   *
   * 5. Products derived from this software may not be called "Apache"
   *    nor may "Apache" appear in their names without prior written
   *    permission of the Apache Group.
   *
   * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
   * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
   * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
   * DISCLAIMED.  IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
   * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
   * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
   * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
   * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
   * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
   * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
   * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
   * SUCH DAMAGE.
   * ====================================================================
   *
   * This software consists of voluntary contributions made by many
   * individuals on behalf of the Apache Software Foundation.  For more
   * information on the Apache Software Foundation, please see
   * <http://www.apache.org/>.
   *
   * [Additional notices, if required by prior licensing conditions]
   *
   */ 
  
  
  package org.apache.tomcat.deploy;
  
  
  import java.util.Enumeration;
  import java.util.Hashtable;
  
  
  /**
   * Representation of a web resource collection for a web application's security
   * constraint, as represented in a <code>&lt;web-resource-collection&gt;</code>
   * element in the deployment descriptor.
   * <p>
   * <b>WARNING</b>:  The property setting methods in this class are for use by
   * the application logic that parses a web application deployment descriptor.
   * They should not be called by a Context implementation (or an associated
   * Valve or Interceptor that implements the authentication and authorization
   * constraints expressed here).
   *
   * @author Craig R. McClanahan
   * @version $Revision: 1.1 $ $Date: 2000/02/13 01:43:45 $
   */
  
  public final class SecurityCollection {
  
  
      // ----------------------------------------------------------- Constructors
  
  
      /**
       * Construct a new security collection instance with default values.
       *
       * @param constraint Security constraint we are attached to
       * @param name Name of this security collection
       */
      public SecurityCollection(SecurityConstraint constraint, String name) {
  
  	super();
  	this.constraint = constraint;
  	this.name = name;
  
      }
  
  
      // ----------------------------------------------------- Instance Variables
  
  
      /**
       * The security constraint we are attached to.
       */
      private SecurityConstraint constraint = null;
  
  
      /**
       * The HTTP methods covered by this web resource collection.
       */
      private String[] methods = new String[0];
  
  
      /**
       * The name of this web resource collection.
       */
      private String name = null;
  
  
      /**
       * The URL patterns protected by this security collection, keyed by
       * pattern.
       */
      private Hashtable patterns = new Hashtable();
  
  
      // ------------------------------------------------------------- Properties
  
  
      /**
       * Return the security constraint we are attached to.
       */
      public SecurityConstraint getConstraint() {
  
  	return (this.constraint);
  
      }
  
  
      /**
       * Return the name of this web resource collection.
       */
      public String getName() {
  
  	return (this.name);
  
      }
  
  
      // --------------------------------------------------------- Public Methods
  
  
      /**
       * Add an HTTP request method to be part of this web resource collection.
       */
      public void addMethod(String method) {
  
  	if (method == null)
  	    return;
  	synchronized (methods) {
  	    String results[] = new String[methods.length + 1];
  	    for (int i = 0; i < methods.length; i++) {
  		if (method.equals(methods[i]))
  		    return;
  		results[i] = methods[i];
  	    }
  	    results[results.length - 1] = method;
  	    methods = results;
  	}
  
      }
  
  
      /**
       * Add a URL pattern to be part of this web resource collection.
       */
      public void addPattern(String pattern) {
  
  	patterns.put(pattern, pattern);
  	constraint.addPattern(pattern, this);
  
      }
  
  
      /**
       * Return <code>true</code> if the specified HTTP request method is
       * part of this web resource collection.
       *
       * @param method Request method to check
       */
      public boolean findMethod(String method) {
  
  	if (method == null)
  	    return (false);
  	if (methods.length == 0)
  	    return (true);
  	for (int i = 0; i < methods.length; i++) {
  	    if (method.equals(methods[i]))
  		return (true);
  	}
  	return (false);
  
      }
  
  
      /**
       * Is the specified pattern part of this web resource collection?
       *
       * @param pattern Pattern to be compared
       */
      public boolean findPattern(String pattern) {
  
  	return (patterns.get(pattern) != null);
  
      }
  
  
      /**
       * Return the set of URL patterns that are part of this web resource
       * collection.  If none have been specified, a zero-length array is
       * returned.
       */
      public String[] findPatterns() {
  
  	synchronized (patterns) {
  	    String results[] = new String[patterns.size()];
  	    Enumeration urls = patterns.keys();
  	    for (int i = 0; i < results.length; i++)
  		results[i] = (String) urls.nextElement();
  	    return (results);
  	}
  
      }
  
  
      /**
       * Remove the specified HTTP request method from those that are part
       * of this web resource collection.
       *
       * @param method Request method to be removed
       */
      public void removeMethod(String method) {
  
  	if (method == null)
  	    return;
  	synchronized (methods) {
  	    int n = -1;
  	    for (int i = 0; i < methods.length; i++) {
  		if (method.equals(methods[i])) {
  		    n = i;
  		    break;
  		}
  	    }
  	    if (n < 0)
  		return;
  	    String results[] = new String[methods.length - 1];
  	    int j = 0;
  	    for (int i = 0; i < methods.length; i++) {
  		if (i == n)
  		    continue;
  		results[j++] = methods[i];
  	    }
  	    methods = results;
  	}
  
      }
  
  
      /**
       * Remove the specified URL pattern from those that are part of this
       * web resource collection.
       *
       * @param pattern Pattern to be removed
       */
      public void removePattern(String pattern) {
  
  	patterns.remove(pattern);
  	constraint.removePattern(pattern);
  
      }
  
  
  }
  
  
  
  1.1                  jakarta-tomcat/proposals/catalina/src/share/org/apache/tomcat/deploy/SecurityConstraint.java
  
  Index: SecurityConstraint.java
  ===================================================================
  /*
   * $Header: /home/cvs/jakarta-tomcat/proposals/catalina/src/share/org/apache/tomcat/deploy/SecurityConstraint.java,v 1.1 2000/02/13 01:43:45 craigmcc Exp $
   * $Revision: 1.1 $
   * $Date: 2000/02/13 01:43:45 $
   *
   * ====================================================================
   *
   * The Apache Software License, Version 1.1
   *
   * Copyright (c) 1999 The Apache Software Foundation.  All rights 
   * reserved.
   *
   * Redistribution and use in source and binary forms, with or without
   * modification, are permitted provided that the following conditions
   * are met:
   *
   * 1. Redistributions of source code must retain the above copyright
   *    notice, this list of conditions and the following disclaimer. 
   *
   * 2. Redistributions in binary form must reproduce the above copyright
   *    notice, this list of conditions and the following disclaimer in
   *    the documentation and/or other materials provided with the
   *    distribution.
   *
   * 3. The end-user documentation included with the redistribution, if
   *    any, must include the following acknowlegement:  
   *       "This product includes software developed by the 
   *        Apache Software Foundation (http://www.apache.org/)."
   *    Alternately, this acknowlegement may appear in the software itself,
   *    if and wherever such third-party acknowlegements normally appear.
   *
   * 4. The names "The Jakarta Project", "Tomcat", and "Apache Software
   *    Foundation" must not be used to endorse or promote products derived
   *    from this software without prior written permission. For written 
   *    permission, please contact apache@apache.org.
   *
   * 5. Products derived from this software may not be called "Apache"
   *    nor may "Apache" appear in their names without prior written
   *    permission of the Apache Group.
   *
   * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
   * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
   * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
   * DISCLAIMED.  IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
   * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
   * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
   * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
   * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
   * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
   * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
   * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
   * SUCH DAMAGE.
   * ====================================================================
   *
   * This software consists of voluntary contributions made by many
   * individuals on behalf of the Apache Software Foundation.  For more
   * information on the Apache Software Foundation, please see
   * <http://www.apache.org/>.
   *
   * [Additional notices, if required by prior licensing conditions]
   *
   */ 
  
  
  package org.apache.tomcat.deploy;
  
  
  import java.util.Enumeration;
  import java.util.Hashtable;
  
  
  /**
   * Representation of a security constraint element for a web application,
   * as represented in a <code>&lt;security-constraint&gt;</code> element in the
   * deployment descriptor.
   * <p>
   * <b>WARNING</b>:  The property setting methods in this class are for use by
   * the application logic that parses a web application deployment descriptor.
   * They should not be called by a Context implementation (or an associated
   * Valve or Interceptor that implements the authentication and authorization
   * constraints expressed here).
   *
   * @author Craig R. McClanahan
   * @version $Revision: 1.1 $ $Date: 2000/02/13 01:43:45 $
   */
  
  public final class SecurityConstraint {
  
  
      // ----------------------------------------------------------- Constructors
  
  
      /**
       * Construct a new security constraint instance with default values.
       */
      public SecurityConstraint() {
  
  	super();
  
      }
  
  
      // ----------------------------------------------------- Instance Variables
  
  
      /**
       * The set of roles permitted to access resources protected by this
       * security constraint.
       */
      private String authRoles[] = new String[0];
  
  
      /**
       * The set of web resource collections protected by this security
       * constraint, keyed by resource collection name.
       */
      private Hashtable collections = new Hashtable();
  
  
      /**
       * The URL patterns that are parts of the web resource collections
       * managed by this security constraint.  The key is the pattern itself,
       * while the value is the corresponding collection.
       */
      private Hashtable patterns = new Hashtable();
  
  
      /**
       * The user data constraint for this security constraint.  Must be NONE,
       * INTEGRAL, or CONFIDENTIAL.
       */
      private String userConstraint = "NONE";
  
  
      // ------------------------------------------------------------- Properties
  
  
      /**
       * Return the user data constraint for this security constraint.
       */
      public String getUserConstraint() {
  
  	return (userConstraint);
  
      }
  
  
      /**
       * Set the user data constraint for this security constraint.
       *
       * @param userConstraint The new user data constraint
       */
      public void setUserConstraint(String userConstraint) {
  
  	if (userConstraint != null)
  	    this.userConstraint = userConstraint;
  
      }
  
  
      // --------------------------------------------------------- Public Methods
  
  
      /**
       * Add an authorization role, which is a role name that will be
       * permitted access to the resources protected by this security constraint.
       *
       * @param role Role name to be added
       */
      public void addAuthRole(String role) {
  
  	if (role == null)
  	    return;
  	synchronized (authRoles) {
  	    if (findAuthRole(role))
  		return;
  	    String newRoles[] = new String[authRoles.length + 1];
  	    for (int i = 0; i < authRoles.length; i++)
  		newRoles[i] = authRoles[i];
  	    newRoles[newRoles.length - 1] = role;
  	    authRoles = newRoles;
  	}
  
      }
  
  
      /**
       * Add a new web resource collection to those protected by this
       * security constraint.
       *
       * @param collection The new web resource collection
       */
      public void addCollection(SecurityCollection collection) {
  
  	collections.put(collection.getName(), collection);
  
      }
  
  
      /**
       * Create and return a web resource collection with default values.
       *
       * @param name Name of the new web resource collection
       */
      public SecurityCollection createCollection(String name) {
  
  	return (new SecurityCollection(this, name));
  
      }
  
  
      /**
       * Return <code>true</code> if the specified role is permitted access to
       * the resources protected by this security constraint.
       *
       * @param role Role name to be checked
       */
      public boolean findAuthRole(String role) {
  
  	if (role == null)
  	    return (false);
  	synchronized (authRoles) {
  	    for (int i = 0; i < authRoles.length; i++) {
  		if (role.equals(authRoles[i]))
  		    return (true);
  	    }
  	}
  	return (false);
  
      }
  
  
      /**
       * Return the set of roles that are permitted access to the resources
       * protected by this security constraint.  If none have been defined,
       * a zero-length array is returned (which implies that all authenticated
       * users are permitted access).
       */
      public String[] findAuthRoles() {
  
  	return (authRoles);	// Assumption - caller will not modify
  
      }
  
  
      /**
       * Return the web resource collection for the specified name, if any;
       * otherwise, return <code>null</code>.
       *
       * @param name Web resource collection name to return
       */
      public SecurityCollection findCollection(String name) {
  
  	return ((SecurityCollection) collections.get(name));
  
      }
  
  
      /**
       * Return the names of all web resource collections protected by this
       * security constraint.  If there are none, a zero-length array is
       * returned.
       */
      public String[] findCollections() {
  
  	synchronized (collections) {
  	    String results[] = new String[collections.size()];
  	    Enumeration names = collections.keys();
  	    for (int i = 0; i < results.length; i++)
  		results[i] = (String) names.nextElement();
  	    return (results);
  	}
  
      }
  
  
      /**
       * Return <code>true</code> if the specified context-relative URI (and
       * associated HTTP method) are protected by this security constraint.
       *
       * @param uri Context-relative URI to check
       * @param method Request method being used
       */
      public boolean included(String uri, String method) {
  
  	// Check all defined patterns
  	SecurityCollection collection = null;
  	Enumeration patterns = this.patterns.keys();
  	while (patterns.hasMoreElements()) {
  	    String pattern = (String) patterns.nextElement();
  	    if (matchPattern(uri, pattern)) {
  		collection = (SecurityCollection) this.patterns.get(pattern);
  		break;
  	    }
  	}
  
  	// Match on HTTP request method as well
  	if (collection == null)
  	    return (false);
  	else
  	    return (collection.findMethod(method));
  
      }
  
  
      /**
       * Remove the specified role from the set of roles permitted to access
       * the resources protected by this security constraint.
       *
       * @param role Role name to be removed
       */
      public void removeAuthRole(String role) {
  
  	if (role == null)
  	    return;
  	synchronized (authRoles) {
  	    if (!findAuthRole(role))
  		return;
  	    String newRoles[] = new String[authRoles.length - 1];
  	    int j = 0;
  	    for (int i = 0; i < authRoles.length; i++) {
  		if (role.equals(authRoles[i]))
  		    continue;
  		newRoles[j++] = authRoles[i];
  	    }
  	    authRoles = newRoles;
  	}
  
      }
  
  
      /**
       * Remove the specified web resource collection from those protected by
       * this security constraint.
       *
       * @param collection Web resource collection to be removed
       */
      public void removeCollection(SecurityCollection collection) {
  
  	collections.remove(collection.getName());
  
      }
  
  
      // ------------------------------------------------ Package Private Methods
  
  
      /**
       * Add a URL pattern that is part of one of our constituent web resource
       * collections.
       *
       * @param pattern URL pattern to be added
       * @param collection The corresponding collection
       */
      void addPattern(String pattern, SecurityCollection collection) {
  
  	patterns.put(pattern, collection);
  
      }
  
  
      /**
       * Remove a URL pattern that was part of one of our constituent web
       * resource collections.
       *
       * @param pattern URL pattern to be removed
       */
      void removePattern(String pattern) {
  
  	patterns.remove(pattern);
  
      }
  
  
      // -------------------------------------------------------- Private Methods
  
  
      /**
       * Does the specified request path match the specified URL pattern?
       *
       * XXX - Shouldn't this be a shared utility method someplace?
       *
       * @param path Context-relative request path to be checked
       *  (must start with '/')
       * @param pattern URL pattern to be compared against
       */
      private boolean matchPattern(String path, String pattern) {
  
  	// Normalize the argument strings
  	if ((path == null) || (path.length() == 0))
  	    path = "/";
  	if ((pattern == null) || (pattern.length() == 0))
  	    pattern = "/";
  
  	// Check for exact match
  	if (path.equals(pattern))
  	    return (true);
  
  	// Check for universal mapping
  	if (pattern.equals("/"))
  	    return (true);
  
  	// Check for path prefix matching
  	if (pattern.startsWith("/") && pattern.endsWith("/*")) {
  	    pattern = pattern.substring(0, pattern.length() - 2);
  	    if (pattern.length() == 0)
  		return (true);	// "/*" is the same as "/"
  	    if (path.endsWith("/"))
  		path = path.substring(0, path.length() - 1);
  	    while (true) {
  		if (pattern.equals(path))
  		    return (true);
  		int slash = path.lastIndexOf('/');
  		if (slash <= 0)
  		    break;
  		path = path.substring(0, slash);
  	    }
  	    return (false);
  	}
  
  	// Check for suffix matching
  	else if (pattern.startsWith("*.")) {
  	    int slash = path.lastIndexOf('/');
  	    int period = path.lastIndexOf('.');
  	    if ((slash >= 0) && (period > slash) &&
  		path.endsWith(pattern.substring(1))) {
  		return (true);
  	    }
  	}
  
  	return (false);
  
      }
  
  
  }
  
  
  
  1.2       +7 -2      jakarta-tomcat/proposals/catalina/src/share/org/apache/tomcat/security/Constants.java
  
  Index: Constants.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat/proposals/catalina/src/share/org/apache/tomcat/security/Constants.java,v
  retrieving revision 1.1
  retrieving revision 1.2
  diff -u -r1.1 -r1.2
  --- Constants.java	2000/01/20 06:38:07	1.1
  +++ Constants.java	2000/02/13 01:43:47	1.2
  @@ -1,7 +1,7 @@
   /*
  - * $Header: /home/cvs/jakarta-tomcat/proposals/catalina/src/share/org/apache/tomcat/security/Constants.java,v 1.1 2000/01/20 06:38:07 craigmcc Exp $
  - * $Revision: 1.1 $
  - * $Date: 2000/01/20 06:38:07 $
  + * $Header: /home/cvs/jakarta-tomcat/proposals/catalina/src/share/org/apache/tomcat/security/Constants.java,v 1.2 2000/02/13 01:43:47 craigmcc Exp $
  + * $Revision: 1.2 $
  + * $Date: 2000/02/13 01:43:47 $
    *
    * ====================================================================
    *
  @@ -69,11 +69,16 @@
   
       public static final String Package = "org.apache.tomcat.security";
   
  +    // Authentication methods for login configuration
       public static final String BASIC_METHOD = "BASIC";
       public static final String CERT_METHOD = "CLIENT-CERT";
       public static final String DIGEST_METHOD = "DIGEST";
       public static final String FORM_METHOD = "FORM";
   
  +    // User data constraints for transport guarantee
  +    public static final String NONE_TRANSPORT = "NONE";
  +    public static final String INTEGRAL_TRANSPORT = "INTEGRAL";
  +    public static final String CONFIDENTIAL_TRANSPORT = "CONFIDENTIAL";
   
   }
   
  
  
  
  1.2       +7 -7      jakarta-tomcat/proposals/catalina/src/share/org/apache/tomcat/security/HttpBasicAuth.java
  
  Index: HttpBasicAuth.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat/proposals/catalina/src/share/org/apache/tomcat/security/HttpBasicAuth.java,v
  retrieving revision 1.1
  retrieving revision 1.2
  diff -u -r1.1 -r1.2
  --- HttpBasicAuth.java	2000/01/20 06:38:07	1.1
  +++ HttpBasicAuth.java	2000/02/13 01:43:47	1.2
  @@ -1,7 +1,7 @@
   /*
  - * $Header: /home/cvs/jakarta-tomcat/proposals/catalina/src/share/org/apache/tomcat/security/HttpBasicAuth.java,v 1.1 2000/01/20 06:38:07 craigmcc Exp $
  - * $Revision: 1.1 $
  - * $Date: 2000/01/20 06:38:07 $
  + * $Header: /home/cvs/jakarta-tomcat/proposals/catalina/src/share/org/apache/tomcat/security/HttpBasicAuth.java,v 1.2 2000/02/13 01:43:47 craigmcc Exp $
  + * $Revision: 1.2 $
  + * $Date: 2000/02/13 01:43:47 $
    *
    * ====================================================================
    *
  @@ -71,7 +71,7 @@
   import org.apache.tomcat.Realm;
   import org.apache.tomcat.Request;
   import org.apache.tomcat.Response;
  -import org.apache.tomcat.deployment.LoginConfiguration;
  +import org.apache.tomcat.deploy.LoginConfig;
   
   
   /**
  @@ -79,7 +79,7 @@
    * <code>SecurityInterceptor</code> implementation.
    *
    * @author Craig R. McClanahan
  - * @version $Revision: 1.1 $ $Date: 2000/01/20 06:38:07 $
  + * @version $Revision: 1.2 $ $Date: 2000/02/13 01:43:47 $
    */
   
   final class HttpBasicAuth {
  @@ -96,14 +96,14 @@
        *
        * @param request Request we are processing
        * @param response Response we are creating
  -     * @param login LoginConfiguration describing how authentication
  +     * @param login LoginConfig describing how authentication
        *  should be performed
        * @param realm Realm used to authenticate individual users
        *
        * @exception IOException if an input/output error occurs
        */
       public static boolean authenticate(Request request, Response response,
  -				       LoginConfiguration config, Realm realm)
  +				       LoginConfig config, Realm realm)
   	throws IOException {
   
   	// Validate any credentials already included with this request
  
  
  
  1.4       +43 -163   jakarta-tomcat/proposals/catalina/src/share/org/apache/tomcat/security/SecurityValve.java
  
  Index: SecurityValve.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat/proposals/catalina/src/share/org/apache/tomcat/security/SecurityValve.java,v
  retrieving revision 1.3
  retrieving revision 1.4
  diff -u -r1.3 -r1.4
  --- SecurityValve.java	2000/01/31 04:38:45	1.3
  +++ SecurityValve.java	2000/02/13 01:43:47	1.4
  @@ -1,7 +1,7 @@
   /*
  - * $Header: /home/cvs/jakarta-tomcat/proposals/catalina/src/share/org/apache/tomcat/security/SecurityValve.java,v 1.3 2000/01/31 04:38:45 craigmcc Exp $
  - * $Revision: 1.3 $
  - * $Date: 2000/01/31 04:38:45 $
  + * $Header: /home/cvs/jakarta-tomcat/proposals/catalina/src/share/org/apache/tomcat/security/SecurityValve.java,v 1.4 2000/02/13 01:43:47 craigmcc Exp $
  + * $Revision: 1.4 $
  + * $Date: 2000/02/13 01:43:47 $
    *
    * ====================================================================
    *
  @@ -78,15 +78,8 @@
   import org.apache.tomcat.Request;
   import org.apache.tomcat.Response;
   import org.apache.tomcat.Valve;
  -import org.apache.tomcat.deployment.AuthorizationConstraint;
  -import org.apache.tomcat.deployment.LoginConfiguration;
  -import org.apache.tomcat.deployment.SecurityConstraint;
  -import org.apache.tomcat.deployment.SecurityRole;
  -import org.apache.tomcat.deployment.SecurityRoleReference;
  -import org.apache.tomcat.deployment.ServletDescriptor;
  -import org.apache.tomcat.deployment.UserDataConstraint;
  -import org.apache.tomcat.deployment.WebApplicationDescriptor;
  -import org.apache.tomcat.deployment.WebResourceCollection;
  +import org.apache.tomcat.deploy.LoginConfig;
  +import org.apache.tomcat.deploy.SecurityConstraint;
   import org.apache.tomcat.util.StringManager;
   import org.apache.tomcat.valves.ValveBase;
   
  @@ -113,7 +106,7 @@
    * </ul>
    *
    * @author Craig R. McClanahan
  - * @version $Revision: 1.3 $ $Date: 2000/01/31 04:38:45 $
  + * @version $Revision: 1.4 $ $Date: 2000/02/13 01:43:47 $
    */
   
   
  @@ -206,35 +199,25 @@
       public void invoke(Request request, Response response)
   	throws IOException, ServletException {
   
  -	// Acquire the WebApplicationDescriptor for this Context
  -	WebApplicationDescriptor descriptor = context.getDescriptor();
  -	if (descriptor == null) {
  -	    invokeNext(request, response);
  -	    return;
  -	}
  -
   	// Is this request URI subject to a security constraint?
  -	SecurityConstraint constraint = findConstraint(request, descriptor);
  +	SecurityConstraint constraint = findConstraint(request);
   	if (constraint == null) {
   	    invokeNext(request, response);
   	    return;
   	}
   
   	// Enforce any user data constraint for this security constraint
  -	if (!checkUserData(request, response,
  -			   constraint.getUserDataConstraint())) {
  +	if (!checkUserData(request, response, constraint)) {
   	    return;
   	}
   
   	// Authenticate based upon the specified login configuration
  -	if (!authenticate(request, response,
  -			  descriptor.getLoginConfiguration())) {
  +	if (!authenticate(request, response, context.getLoginConfig())) {
   	    return;
   	}
   
   	// Perform access control based on the specified role(s)
  -	if (!accessControl(request, response,
  -			   constraint.getAuthorizationConstraint())) {
  +	if (!accessControl(request, response, constraint)) {
   	    return;
   	}
   
  @@ -274,12 +257,12 @@
        *
        * @param request Request we are processing
        * @param response Response we are creating
  -     * @param auth Authorization constraint we are enforcing
  +     * @param constraint Security constraint we are enforcing
        *
        * @exception IOException if an input/output error occurs
        */
       private boolean accessControl(Request request, Response response,
  -				  AuthorizationConstraint auth)
  +				  SecurityConstraint constraint)
   	throws IOException {
   
   	// Which user principal have we already authenticated?
  @@ -293,10 +276,13 @@
   
   	// Check each role included in this constraint
   	Realm realm = context.getRealm();
  -	Enumeration roles = auth.getSecurityRoles();
  -	while (roles.hasMoreElements()) {
  -	    SecurityRole role = (SecurityRole) roles.nextElement();
  -	    if (realm.hasRole(principal, role.getName()))
  +	String roles[] = constraint.findAuthRoles();
  +	if (roles == null)
  +	    roles = new String[0];
  +	if (roles.length == 0)
  +	    return (true);	// Authenticated user is sufficient
  +	for (int i = 0; i < roles.length; i++) {
  +	    if (realm.hasRole(principal, roles[i]))
   		return (true);
   	}
   
  @@ -317,21 +303,26 @@
        *
        * @param request Request we are processing
        * @param response Response we are creating
  -     * @param login LoginConfiguration describing how authentication
  +     * @param login LoginConfig describing how authentication
        *  should be performed
        *
        * @exception IOException if an input/output error occurs
        */
       private boolean authenticate(Request request, Response response,
  -				 LoginConfiguration config)
  +				 LoginConfig config)
   	throws IOException {
   
   	// Has a login configuration element been specified?
   	if (config == null)
   	    return (true);
   
  +	// Have we already authenticated someone?
  +	Principal principal = request.getRequest().getUserPrincipal();
  +	if (principal != null)
  +	    return (true);
  +
   	// Identify the requested (or default) login mechanism
  -	String method = config.getAuthenticationMethod();
  +	String method = config.getAuthMethod();
   	if (method == null)
   	    method = Constants.BASIC_METHOD; // XXX - Is this default correct?
   
  @@ -368,20 +359,18 @@
        *
        * @param request Request we are processing
        * @param response Response we are creating
  -     * @param user UserDataConstraint we are enforcing
  +     * @param constraint Security constraint being checked
        *
        * @exception IOException if an input/output error occurs
        */
       private boolean checkUserData(Request request, Response response,
  -				  UserDataConstraint user)
  +				  SecurityConstraint constraint)
   	throws IOException {
   
  -	if (user == null)
  -	    return (true);
  -	String guarantee = user.getTransportGuarantee();
  -	if (guarantee == null)
  +	String userConstraint = constraint.getUserConstraint();
  +	if (userConstraint == null)
   	    return (true);
  -	if (guarantee.equals(UserDataConstraint.NONE_TRANSPORT))
  +	if (userConstraint.equals(Constants.NONE_TRANSPORT))
   	    return (true);
   	if (!request.getRequest().isSecure()) {
   	    response.getResponse().sendError
  @@ -399,136 +388,27 @@
        * this request, or <code>null</code> if there is no such constraint.
        *
        * @param request Request we are processing
  -     * @param descriptor WebApplicationDescriptor within which we are operating
        */
  -    private SecurityConstraint findConstraint(Request request,
  -					WebApplicationDescriptor descriptor) {
  +    private SecurityConstraint findConstraint(Request request) {
   
   	// Are there any defined security constraints?
  -	if (descriptor == null)
  -	    return (null);
  -	Enumeration constraints = descriptor.getSecurityConstraints();
  -	if (constraints == null)
  +	SecurityConstraint constraints[] = context.findConstraints();
  +	if ((constraints == null) || (constraints.length == 0))
   	    return (null);
   
   	// Check each defined security constraint
  -	while (constraints.hasMoreElements()) {
  -	    SecurityConstraint constraint =
  -		(SecurityConstraint) constraints.nextElement();
  -	    Enumeration collections = constraint.getWebResourceCollections();
  -	    while (collections.hasMoreElements()) {
  -		WebResourceCollection collection =
  -		    (WebResourceCollection) collections.nextElement();
  -		if (matchCollection(request, collection))
  -		    return (constraint);
  -	    }
  +	String uri = request.getRequest().getRequestURI();
  +	String contextPath = request.getRequest().getContextPath();
  +	if (contextPath.length() > 0)
  +	    uri = uri.substring(contextPath.length());
  +	String method = request.getRequest().getMethod();
  +	for (int i = 0; i < constraints.length; i++) {
  +	    if (constraints[i].included(uri, method))
  +		return (constraints[i]);
   	}
   
   	// No applicable security constraint was found
   	return (null);
  -
  -    }
  -
  -
  -    /**
  -     * Do the characteristics of this request match the protection patterns
  -     * of the specified web resource collection?  Matching is done based on
  -     * both the URL pattern and HTTP method (if any) restrictions.
  -     *
  -     * @param request Request we are processing
  -     * @param collection WebResourceCollection to test against
  -     */
  -    private boolean matchCollection(Request request,
  -				    WebResourceCollection collection) {
  -
  -	// Test against the HTTP method(s) listed in the collection
  -	String method = request.getRequest().getMethod();
  -	int n = 0;
  -	boolean match = false;
  -	Enumeration methods = collection.getHttpMethods();
  -	while (methods.hasMoreElements()) {
  -	    n++;
  -	    if (method.equals((String) methods.nextElement())) {
  -		match = true;
  -		break;
  -	    }
  -	}
  -	if ((!match) && (n > 0))
  -	    return (false);
  -
  -	// Test against the URL pattern(s) listed in the collection
  -	// XXX - Should this do a "longest match" comparison?
  -	String path = request.getRequest().getServletPath();
  -	if (path == null)
  -	    path = "";
  -	if (request.getRequest().getPathInfo() != null)
  -	    path += request.getRequest().getPathInfo();
  -	Enumeration patterns = collection.getUrlPatterns();
  -	while (patterns.hasMoreElements()) {
  -	    String pattern = (String) patterns.nextElement();
  -	    if (matchPattern(path, pattern))
  -		return (true);
  -	}
  -
  -	return (false);
  -
  -    }
  -
  -
  -    /**
  -     * Does the specified request path match the specified URL pattern?
  -     *
  -     * XXX - Shouldn't this be a shared utility method someplace?
  -     *
  -     * @param path Context-relative request path to be checked
  -     *  (must start with '/')
  -     * @param pattern URL pattern to be compared against
  -     */
  -    private boolean matchPattern(String path, String pattern) {
  -
  -	// Normalize the argument strings
  -	if ((path == null) || (path.length() == 0))
  -	    path = "/";
  -	if ((pattern == null) || (pattern.length() == 0))
  -	    pattern = "/";
  -
  -	// Check for exact match
  -	if (path.equals(pattern))
  -	    return (true);
  -
  -	// Check for universal mapping
  -	if (pattern.equals("/"))
  -	    return (true);
  -
  -	// Check for path prefix matching
  -	if (pattern.startsWith("/") && pattern.endsWith("/*")) {
  -	    pattern = pattern.substring(0, pattern.length() - 2);
  -	    if (pattern.length() == 0)
  -		return (true);	// "/*" is the same as "/"
  -	    if (path.endsWith("/"))
  -		path = path.substring(0, path.length() - 1);
  -	    while (true) {
  -		if (pattern.equals(path))
  -		    return (true);
  -		int slash = path.lastIndexOf('/');
  -		if (slash <= 0)
  -		    break;
  -		path = path.substring(0, slash);
  -	    }
  -	    return (false);
  -	}
  -
  -	// Check for suffix matching
  -	else if (pattern.startsWith("*.")) {
  -	    int slash = path.lastIndexOf('/');
  -	    int period = path.lastIndexOf('.');
  -	    if ((slash >= 0) && (period > slash) &&
  -		path.endsWith(pattern.substring(1))) {
  -		return (true);
  -	    }
  -	}
  -
  -	return (false);
   
       }
   
  
  
  

Mime
View raw message