
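--- a/java/org/apache/catalina/core/ApplicationServletRegistration.java
+++ b/java/org/apache/catalina/core/ApplicationServletRegistration.java
@@ -117,10 +117,12 @@
 
         // Have to add in a separate loop since spec requires no updates at all
         // if there is an issue
-        for (Map.Entry<String, String> entry : initParameters.entrySet()) {
+        if (conflicts.isEmpty()) {
-            setInitParameter(entry.getKey(), entry.getValue());
+            for (Map.Entry<String, String> entry : initParameters.entrySet()) {
+                setInitParameter(entry.getKey(), entry.getValue());
+            }
         }
-        
+
         return conflicts;
     }
 
@@ -158,53 +160,7 @@
                     getName(), context.getPath()));
         }
 
-        Set<String> conflicts = new HashSet<String>();
+        return context.addServletSecurity(this, constraint);
-
-        Collection<String> urlPatterns = getMappings();
-        for (String urlPattern : urlPatterns) {
-            boolean foundConflict = false;
-            
-            SecurityConstraint[] securityConstraints =
-                context.findConstraints();
-            for (SecurityConstraint securityConstraint : securityConstraints) {
-                
-                SecurityCollection[] collections =
-                    securityConstraint.findCollections();
-                for (SecurityCollection collection : collections) {
-                    if (collection.findPattern(urlPattern)) {
-                        // First pattern found will indicate if there is a
-                        // conflict since for any given pattern all matching
-                        // constraints will be from either the descriptor or
-                        // not. It is not permitted to have a mixture
-                        if (collection.isFromDescriptor()) {
-                            // Skip this pattern
-                            foundConflict = true;
-                        } else {
-                            // Need to overwrite constraint for this pattern
-                            // so remove every pattern found
-                            context.removeConstraint(securityConstraint);
-                        }
-                    }
-                    if (foundConflict) {
-                        break;
-                    }
-                }
-                if (foundConflict) {
-                    break;
-                }
-            }
-            if (!foundConflict) {
-                SecurityConstraint[] newSecurityConstraints =
-                        SecurityConstraint.createConstraints(constraint,
-                                urlPattern);
-                for (SecurityConstraint securityConstraint :
-                        newSecurityConstraints) {
-                    context.addConstraint(securityConstraint);
-                }
-            }
-        }
-        
-        return conflicts;
     }
 
 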
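Review bot: The imports for SecurityConstraint and SecurityCollection are probably left unused, because the second hunk reduces the method to `return context.addServletSecurity(this, constraint);` and this section carries no import hunk; they should be dropped in the same change if nothing else in the file needs them. The method's opening lines are outside the hunk, so a null check on `constraint` cannot be confirmed from here. If there is none, add one before delegating, since the context hands the element straight to `SecurityConstraint.createConstraints`.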
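--- a/java/org/apache/catalina/core/StandardContext.java
+++ b/java/org/apache/catalina/core/StandardContext.java
@@ -26,7 +26,9 @@
 import java.net.URL;
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.Collection;
 import java.util.HashMap;
+import java.util.HashSet;
 import java.util.Hashtable;
 import java.util.Iterator;
 import java.util.LinkedHashMap;
@@ -47,14 +49,17 @@
 import javax.naming.NamingException;
 import javax.naming.directory.DirContext;
 import javax.servlet.FilterConfig;
+import javax.servlet.Servlet;
 import javax.servlet.ServletContainerInitializer;
 import javax.servlet.ServletContext;
 import javax.servlet.ServletContextAttributeListener;
 import javax.servlet.ServletContextEvent;
 import javax.servlet.ServletContextListener;
 import javax.servlet.ServletException;
+import javax.servlet.ServletRegistration;
 import javax.servlet.ServletRequestAttributeListener;
 import javax.servlet.ServletRequestListener;
+import javax.servlet.ServletSecurityElement;
 import javax.servlet.descriptor.JspConfigDescriptor;
 import javax.servlet.http.HttpSessionAttributeListener;
 import javax.servlet.http.HttpSessionListener;
@@ -4009,8 +4014,24 @@
         return null;
     }
 
+    /**
+     * hook to register that we need to scan for security annotations.
+     * @param registration
+     */
+    public ServletRegistration.Dynamic dynamicServletAdded(Wrapper wrapper) {
+        return new ApplicationServletRegistration(wrapper, this);
+    }
 
     /**
+     * hook to track which registrations need annotation scanning
+     * @param servlet
+     */
+    public void dynamicServletCreated(Servlet servlet) {
+
+    }
+
+
+    /**
      * A helper class to manage the filter mappings in a Context.
      */
     private static final class ContextFilterMaps {
@@ -5075,7 +5096,64 @@
 
     }
 
+    public Set<String> addServletSecurity(ApplicationServletRegistration registration, ServletSecurityElement servletSecurityElement) {
+        Set<String> conflicts = new HashSet<String>();
 
+        Collection<String> urlPatterns = registration.getMappings();
+        for (String urlPattern : urlPatterns) {
+            boolean foundConflict = false;
+
+            SecurityConstraint[] securityConstraints =
+                findConstraints();
+            for (SecurityConstraint securityConstraint : securityConstraints) {
+
+                SecurityCollection[] collections =
+                    securityConstraint.findCollections();
+                for (SecurityCollection collection : collections) {
+                    if (collection.findPattern(urlPattern)) {
+                        // First pattern found will indicate if there is a
+                        // conflict since for any given pattern all matching
+                        // constraints will be from either the descriptor or
+                        // not. It is not permitted to have a mixture
+                        if (collection.isFromDescriptor()) {
+                            // Skip this pattern
+                            foundConflict = true;
+                            conflicts.add(urlPattern);
+                        } else {
+                            // Need to overwrite constraint for this pattern
+                            // so remove every pattern found
+
+                            //TODO spec 13.4.2 appears to say only the conflicting pattern is overwritten, not the entire security constraint.
+                            removeConstraint(securityConstraint);
+                        }
+                    }
+                    if (foundConflict) {
+                        break;
+                    }
+                }
+                if (foundConflict) {
+                    break;
+                }
+            }
+            //TODO spec 13.4.2 appears to say that non-conflicting patterns are still used.
+            //TODO you can't calculate the eventual security constraint now, you have to wait until the context is started,
+            //since application code can add url patterns after calling setSecurity.
+            if (!foundConflict) {
+                SecurityConstraint[] newSecurityConstraints =
+                        SecurityConstraint.createConstraints(servletSecurityElement,
+                                urlPattern);
+                for (SecurityConstraint securityConstraint :
+                        newSecurityConstraints) {
+                    addConstraint(securityConstraint);
+                }
+            }
+        }
+
+        return conflicts;
+
+    }
+
+
     /**
      * Return a File object representing the base directory for the
      * entire servlet container (i.e. the Engine container if present).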
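Review bot: In the `else` branch of `addServletSecurity`, `removeConstraint(securityConstraint)` discards the whole constraint as soon as one of its collections contains the pattern, so any other URL pattern that constraint covered loses its protection and is not re-added by this loop. The TODO directly above already questions this against spec 13.4.2; the safer behaviour is to remove only the matching pattern and drop the collection and the constraint once they are empty, as sketched below. The constraints are also computed from `registration.getMappings()` at call time, so mappings added afterwards are not covered, which the second TODO acknowledges and which should be resolved before this is relied on. The Javadoc on `dynamicServletAdded` names `@param registration` while the parameter is `wrapper`.

```java
                        } else {
                            // … unchanged: "Need to overwrite constraint for this pattern" comments …
                            collection.removePattern(urlPattern);
                            // Only discard the containers once nothing else is protected by them
                            if (collection.findPatterns().length == 0) {
                                securityConstraint.removeCollection(collection);
                            }
                            if (securityConstraint.findCollections().length == 0) {
                                removeConstraint(securityConstraint);
                            }
                        }
```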
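--- a/java/org/apache/catalina/core/ApplicationContext.java
+++ b/java/org/apache/catalina/core/ApplicationContext.java
@@ -1067,17 +1067,18 @@
         } else {
             wrapper.setServletClass(servlet.getClass().getName());
             wrapper.setServlet(servlet);
-       }
+        }
-        
-        return new ApplicationServletRegistration(wrapper, context);
-    } 
 
+        return context.dynamicServletAdded(wrapper);
+    }
 
+
     public <T extends Servlet> T createServlet(Class<T> c)
     throws ServletException {
         try {
             @SuppressWarnings("unchecked")
             T servlet = (T) context.getInstanceManager().newInstance(c.getName());
+            context.dynamicServletCreated(servlet);
             return servlet;
         } catch (IllegalAccessException e) {
             throw new ServletException(e);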
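Review bot: The new call `context.dynamicServletCreated(servlet);` in `createServlet` has no effect yet, because the method this patch adds to StandardContext has an empty body, so security annotations on the created instance are presumably still not processed. The call site should say so, for example `// TODO: no-op until StandardContext.dynamicServletCreated records the instance for security annotation scanning`, so a reader does not assume the constraint is already applied. The bodies of both methods extend outside the hunk.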
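--- a/java/org/apache/catalina/Context.java
+++ b/java/org/apache/catalina/Context.java
@@ -24,8 +24,10 @@
 
 import javax.servlet.ServletContainerInitializer;
 import javax.servlet.ServletContext;
+import javax.servlet.ServletSecurityElement;
 import javax.servlet.descriptor.JspConfigDescriptor;
 
+import org.apache.catalina.core.ApplicationServletRegistration;
 import org.apache.tomcat.InstanceManager;
 import org.apache.tomcat.JarScanner;
 import org.apache.tomcat.util.http.mapper.Mapper;
@@ -1224,5 +1226,13 @@
     boolean isServlet22();
 
     InstanceManager getInstanceManager();
+
+    /**
+     * Notification that servlet security has been dynamically set in a ServletRegistration.Dynamic
+     * @param registration servlet security was modified for
+     * @param servletSecurityElement new security constraints for this servlet
+     * @return urls currently mapped to this registration that are already present in web.xml
+     */
+    Set<String> addServletSecurity(ApplicationServletRegistration registration, ServletSecurityElement servletSecurityElement);
 }
 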
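Review bot: The `Context` interface now imports `org.apache.catalina.core.ApplicationServletRegistration`, which ties the API to one implementation class and forces every other Context implementation to depend on the core package. The implementation shown in StandardContext only calls `getMappings()` on the argument, which `javax.servlet.ServletRegistration` already declares, so the signature could be `Set<String> addServletSecurity(ServletRegistration.Dynamic registration, ServletSecurityElement servletSecurityElement);`. The Javadoc should also state that the returned patterns are the ones the new constraint was not applied to, so callers treat a non-empty result as partial application.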
