📄 realmbase.java
字号:
if (validate) {
for (int i = 0; i < certs.length; i++) {
if (log.isDebugEnabled())
log.debug(" Checking validity for '" +
certs[i].getSubjectDN().getName() + "'");
try {
certs[i].checkValidity();
} catch (Exception e) {
if (log.isDebugEnabled())
log.debug(" Validity exception", e);
return (null);
}
}
}
// Check the existence of the client Principal in our database
return (getPrincipal(certs[0].getSubjectDN().getName()));
}
/**
* Return the SecurityConstraints configured to guard the request URI for
* this request, or <code>null</code> if there is no such constraint.
*
* @param request Request we are processing
* @param context Context the Request is mapped to
*/
public SecurityConstraint [] findSecurityConstraints(HttpRequest request,
Context context) {
ArrayList results = null;
// Are there any defined security constraints?
SecurityConstraint constraints[] = context.findConstraints();
if ((constraints == null) || (constraints.length == 0)) {
if (log.isDebugEnabled())
log.debug(" No applicable constraints defined");
return (null);
}
// Check each defined security constraint
HttpServletRequest hreq = (HttpServletRequest) request.getRequest();
String uri = request.getRequestPathMB().toString();
String method = hreq.getMethod();
int i;
boolean found = false;
for (i = 0; i < constraints.length; i++) {
SecurityCollection [] collection = constraints[i].findCollections();
if (log.isDebugEnabled())
log.debug(" Checking constraint '" + constraints[i] +
"' against " + method + " " + uri + " --> " +
constraints[i].included(uri, method));
for(int j=0; j < collection.length; j++){
String [] patterns = collection[j].findPatterns();
for(int k=0; k < patterns.length; k++) {
if(uri.equals(patterns[k])) {
found = true;
if(collection[j].findMethod(method)) {
if(results == null) {
results = new ArrayList();
}
results.add(constraints[i]);
}
}
}
}
}
if(found) {
return resultsToArray(results);
}
int longest = -1;
for (i = 0; i < constraints.length; i++) {
SecurityCollection [] collection = constraints[i].findCollections();
if (log.isDebugEnabled())
log.debug(" Checking constraint '" + constraints[i] +
"' against " + method + " " + uri + " --> " +
constraints[i].included(uri, method));
for(int j=0; j < collection.length; j++){
String [] patterns = collection[j].findPatterns();
boolean matched = false;
int length = -1;
for(int k=0; k < patterns.length; k++) {
String pattern = patterns[k];
if(pattern.startsWith("/") && pattern.endsWith("/*") &&
pattern.length() >= longest) {
if(pattern.length() == 2) {
matched = true;
length = pattern.length();
} else if(pattern.regionMatches(0,uri,0,
pattern.length()-1) ||
(pattern.length()-2 == uri.length() &&
pattern.regionMatches(0,uri,0,
pattern.length()-2))) {
matched = true;
length = pattern.length();
}
}
}
if(matched) {
found = true;
if(length > longest) {
if(results != null) {
results.clear();
}
longest = length;
}
if(collection[j].findMethod(method)) {
if(results == null) {
results = new ArrayList();
}
results.add(constraints[i]);
}
}
}
}
if(found) {
return resultsToArray(results);
}
for (i = 0; i < constraints.length; i++) {
SecurityCollection [] collection = constraints[i].findCollections();
if (log.isDebugEnabled())
log.debug(" Checking constraint '" + constraints[i] +
"' against " + method + " " + uri + " --> " +
constraints[i].included(uri, method));
boolean matched = false;
int pos = -1;
for(int j=0; j < collection.length; j++){
String [] patterns = collection[j].findPatterns();
for(int k=0; k < patterns.length && !matched; k++) {
String pattern = patterns[k];
if(pattern.startsWith("*.")){
int slash = uri.lastIndexOf("/");
int dot = uri.lastIndexOf(".");
if(slash >= 0 && dot > slash &&
dot != uri.length()-1 &&
uri.length()-dot == pattern.length()-1) {
if(pattern.regionMatches(1,uri,dot,uri.length()-dot)) {
matched = true;
pos = j;
}
}
}
}
}
if(matched) {
found = true;
if(collection[pos].findMethod(method)) {
if(results == null) {
results = new ArrayList();
}
results.add(constraints[i]);
}
}
}
if(found) {
return resultsToArray(results);
}
for (i = 0; i < constraints.length; i++) {
SecurityCollection [] collection = constraints[i].findCollections();
if (log.isDebugEnabled())
log.debug(" Checking constraint '" + constraints[i] +
"' against " + method + " " + uri + " --> " +
constraints[i].included(uri, method));
for(int j=0; j < collection.length; j++){
String [] patterns = collection[j].findPatterns();
boolean matched = false;
for(int k=0; k < patterns.length && !matched; k++) {
String pattern = patterns[k];
if(pattern.equals("/")){
matched = true;
}
}
if(matched) {
if(results == null) {
results = new ArrayList();
}
results.add(constraints[i]);
}
}
}
if(results == null) {
// No applicable security constraint was found
if (log.isDebugEnabled())
log.debug(" No applicable constraint located");
}
return resultsToArray(results);
}
/**
* Convert an ArrayList to a SecurityContraint [].
*/
private SecurityConstraint [] resultsToArray(ArrayList results) {
if(results == null) {
return null;
}
SecurityConstraint [] array = new SecurityConstraint[results.size()];
results.toArray(array);
return array;
}
/**
* Perform access control based on the specified authorization constraint.
* Return <code>true</code> if this constraint is satisfied and processing
* should continue, or <code>false</code> otherwise.
*
* @param request Request we are processing
* @param response Response we are creating
* @param constraint Security constraint we are enforcing
* @param The Context to which client of this class is attached.
*
* @exception IOException if an input/output error occurs
*/
public boolean hasResourcePermission(HttpRequest request,
HttpResponse response,
SecurityConstraint []constraints,
Context context)
throws IOException {
if (constraints == null || constraints.length == 0)
return (true);
// Specifically allow access to the form login and form error pages
// and the "j_security_check" action
LoginConfig config = context.getLoginConfig();
if ((config != null) &&
(Constants.FORM_METHOD.equals(config.getAuthMethod()))) {
String requestURI = request.getDecodedRequestURI();
String loginPage = context.getPath() + config.getLoginPage();
if (loginPage.equals(requestURI)) {
if (log.isDebugEnabled())
log.debug(" Allow access to login page " + loginPage);
return (true);
}
String errorPage = context.getPath() + config.getErrorPage();
if (errorPage.equals(requestURI)) {
if (log.isDebugEnabled())
log.debug(" Allow access to error page " + errorPage);
return (true);
}
if (requestURI.endsWith(Constants.FORM_ACTION)) {
if (log.isDebugEnabled())
log.debug(" Allow access to username/password submission");
return (true);
}
}
// Which user principal have we already authenticated?
Principal principal =
((HttpServletRequest) request.getRequest()).getUserPrincipal();
for(int i=0; i < constraints.length; i++) {
SecurityConstraint constraint = constraints[i];
String roles[] = constraint.findAuthRoles();
if (roles == null)
roles = new String[0];
if (constraint.getAllRoles())
return (true);
if (log.isDebugEnabled())
log.debug(" Checking roles " + principal);
if (roles.length == 0) {
if(constraint.getAuthConstraint()) {
((HttpServletResponse) response.getResponse()).sendError
(HttpServletResponse.SC_FORBIDDEN,
sm.getString("realmBase.forbidden"));
if( log.isDebugEnabled() ) log.debug("No roles ");
return (false); // No listed roles means no access at all
} else {
log.debug("Passing all access");
return (true);
}
} else if (principal == null) {
if (log.isDebugEnabled())
log.debug(" No user authenticated, cannot grant access");
((HttpServletResponse) response.getResponse()).sendError
(HttpServletResponse.SC_FORBIDDEN,
sm.getString("realmBase.notAuthenticated"));
return (false);
}
for (int j = 0; j < roles.length; j++) {
if (hasRole(principal, roles[j]))
return (true);
if( log.isDebugEnabled() )
log.debug( "No role found: " + roles[j]);
}
}
// Return a "Forbidden" message denying access to this resource
((HttpServletResponse) response.getResponse()).sendError
(HttpServletResponse.SC_FORBIDDEN,
sm.getString("realmBase.forbidden"));
return (false);
}
/**
* Return <code>true</code> if the specified Principal has the specified
* security role, within the context of this Realm; otherwise return
* <code>false</code>. This method can be overridden by Realm
* implementations, but the default is adequate when an instance of
* <code>GenericPrincipal</code> is used to represent authenticated
* Principals from this Realm.
*
* @param principal Principal for whom the role is to be checked
* @param role Security role to be checked
*/
public boolean hasRole(Principal principal, String role) {
// Should be overriten in JAASRealm - to avoid pretty inefficient conversions
if ((principal == null) || (role == null) ||
!(principal instanceof GenericPrincipal))
return (false);
GenericPrincipal gp = (GenericPrincipal) principal;
if (!(gp.getRealm() == this)) {
log.debug("Different realm " + this + " " + gp.getRealm());// return (false);
}
boolean result = gp.hasRole(role);
if (log.isDebugEnabled()) {
String name = principal.getName();
if (result)
log.debug(sm.getString("realmBase.hasRoleSuccess", name, role));
else
log.debug(sm.getString("realmBase.hasRoleFailure", name, role));
}
return (result);
}
/**
* Enforce any user data constraint required by the security constraint
* guarding this request URI. Return <code>true</code> if this constraint
* was not violated and processing should continue, or <code>false</code>
* if we have created a response already.
*
* @param request Request we are processing
* @param response Response we are creating
* @param constraint Security constraint being checked
*
* @exception IOException if an input/output error occurs
*/
public boolean hasUserDataPermission(HttpRequest request,
HttpResponse response,
SecurityConstraint []constraints)
throws IOException {
// Is there a relevant user data constraint?
if (constraints == null || constraints.length == 0) {
if (log.isDebugEnabled())
log.debug(" No applicable security constraint defined");
return (true);
}
for(int i=0; i < constraints.length; i++) {
SecurityConstraint constraint = constraints[i];
String userConstraint = constraint.getUserConstraint();
if (userConstraint == null) {
if (log.isDebugEnabled())
log.debug(" No applicable user data constraint defined");
return (true);
}
if (userConstraint.equals(Constants.NONE_TRANSPORT)) {
if (log.isDebugEnabled())
log.debug(" User data constraint has no restrictions");
return (true);
}
}
// Validate the request against the user data constraint
if (request.getRequest().isSecure()) {
if (log.isDebugEnabled())
log.debug(" User data constraint already satisfied");
return (true);
}
// Initialize variables we need to determine the appropriate action
HttpServletRequest hrequest =
(HttpServletRequest) request.getRequest();
HttpServletResponse hresponse =
(HttpServletResponse) response.getResponse();
int redirectPort = request.getConnector().getRedirectPort();
// Is redirecting disabled?
if (redirectPort <= 0) {
if (log.isDebugEnabled())
log.debug(" SSL redirect is disabled");
hresponse.sendError
(HttpServletResponse.SC_FORBIDDEN,
hrequest.getRequestURI());
return (false);
}
// Redirect to the corresponding SSL port
StringBuffer file = new StringBuffer();
String protocol = "https";
String host = hrequest.getServerName();
// Protocol
file.append(protocol).append("://");
// Host with port
file.append(host).append(":").append(redirectPort);
// URI
file.append(hrequest.getRequestURI());
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -