From 8100196e8507efdf732ddb6a0354e0637905b30d Mon Sep 17 00:00:00 2001
From: markt
Date: Tue, 29 Dec 2009 21:21:59 +0000
Subject: [PATCH] Add support for http-method-omission
git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@894483 13f79535-47bb-0310-9956-ffa450edef68
---
 .../apache/catalina/core/LocalStrings.properties | 1 +
 java/org/apache/catalina/core/StandardContext.java | 5 ++
 .../apache/catalina/deploy/SecurityCollection.java | 94 +++++++++++++++++++---
 java/org/apache/catalina/startup/WebRuleSet.java | 2 +
 java/org/apache/catalina/startup/WebXml.java | 3 +
 5 files changed, 93 insertions(+), 12 deletions(-)
diff --git a/java/org/apache/catalina/core/LocalStrings.properties b/java/org/apache/catalina/core/LocalStrings.properties
index bf961a548..39527a56c 100644
--- a/java/org/apache/catalina/core/LocalStrings.properties
+++ b/java/org/apache/catalina/core/LocalStrings.properties
@@ -115,6 +115,7 @@ standardContext.reloadingCompleted=Reloading Context with path [{0}] is complete
 standardContext.reloadingFailed=Reloading this Context failed due to previous errors
 standardContext.reloadingStarted=Reloading Context with path [{0}] has started
 standardContext.resourcesStart=Error starting static Resources
+standardContext.securityConstraint.mixHttpMethod=It is not permitted to mix and in the same web resource collection
 standardContext.securityConstraint.pattern=Invalid {0} in security constraint
 standardContext.servletMap.name=Servlet mapping specifies an unknown servlet name {0}
 standardContext.servletMap.pattern=Invalid {0} in servlet mapping
diff --git a/java/org/apache/catalina/core/StandardContext.java b/java/org/apache/catalina/core/StandardContext.java
index e0ef78e64..047a1fa6d 100644
--- a/java/org/apache/catalina/core/StandardContext.java
+++ b/java/org/apache/catalina/core/StandardContext.java
@@ -2287,6 +2287,11 @@ public class StandardContext ("standardContext.securityConstraint.pattern", patterns[j])); } + if (collections[i].findMethods().length > 0 && + collections[i].findOmittedMethods().length > 0) { + throw new IllegalArgumentException(sm.getString( + "standardContext.securityConstraint.mixHttpMethod")); + } } // Add this constraint to the set for our web application diff --git a/java/org/apache/catalina/deploy/SecurityCollection.java b/java/org/apache/catalina/deploy/SecurityCollection.java index d039316c2..13223ced4 100644 --- a/java/org/apache/catalina/deploy/SecurityCollection.java +++ b/java/org/apache/catalina/deploy/SecurityCollection.java @@ -93,12 +93,17 @@ public class SecurityCollection implements Serializable { /** - * The HTTP methods covered by this web resource collection. + * The HTTP methods explicitly covered by this web resource collection. */ private String methods[] = new String[0]; /** + * The HTTP methods explicitly excluded from this web resource collection. + */ + private String omittedMethods[] = new String[0]; + + /** * The name of this web resource collection. */ private String name = null; @@ -161,7 +166,8 @@ public class SecurityCollection implements Serializable { /** - * Add an HTTP request method to be part of this web resource collection. + * Add an HTTP request method to be explicitly part of this web resource + * collection. */ public void addMethod(String method) { 
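Review bot: The new `IllegalArgumentException` in the StandardContext hunk does not say which web resource collection mixed the two element types, so a deployment that fails on this check has to be diagnosed by reading every `security-constraint` in the descriptor. The neighbouring pattern check passes its offending value to `sm.getString(...)`; the same could be done here, for example `sm.getString("standardContext.securityConstraint.mixHttpMethod", collections[i].getName())` with a `{0}` placeholder added to the message in LocalStrings.properties. The enclosing loop and method start outside the hunk, so whether a name is always set on the collection should be confirmed before relying on it.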
@@ -177,6 +183,20 @@ public class SecurityCollection implements Serializable { /** + * Add an HTTP request method to the methods explicitly excluded from this + * web resource collection. + */ + public void addOmittedMethod(String method) { + if (method == null) + return; + String results[] = new String[omittedMethods.length + 1]; + for (int i = 0; i < omittedMethods.length; i++) + results[i] = omittedMethods[i]; + results[omittedMethods.length] = method; + omittedMethods = results; + } + + /** * Add a URL pattern to be part of this web resource collection. */ public void addPattern(String pattern) { @@ -184,12 +204,12 @@ public class SecurityCollection implements Serializable { if (pattern == null) return; - pattern = RequestUtil.URLDecode(pattern); + String decodedPattern = RequestUtil.URLDecode(pattern); String results[] = new String[patterns.length + 1]; for (int i = 0; i < patterns.length; i++) { results[i] = patterns[i]; } - results[patterns.length] = pattern; + results[patterns.length] = decodedPattern; patterns = results; } @@ -203,21 +223,29 @@ public class SecurityCollection implements Serializable { */ public boolean findMethod(String method) { - if (methods.length == 0) + if (methods.length == 0 && omittedMethods.length == 0) return (true); - for (int i = 0; i < methods.length; i++) { - if (methods[i].equals(method)) - return (true); + if (methods.length > 0) { + for (int i = 0; i < methods.length; i++) { + if (methods[i].equals(method)) + return true; + } + return false; } - return (false); - + if (omittedMethods.length > 0) { + for (int i = 0; i < omittedMethods.length; i++) { + if (omittedMethods[i].equals(method)) + return false; + } + } + return true; } /** * Return the set of HTTP request methods that are part of this web - * resource collection, or a zero-length array if all request methods - * are included. + * resource collection, or a zero-length array if no methods have been + * explicitly included. */ public String[] findMethods() { 
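Review bot: `addOmittedMethod` appends every non-null value without checking whether it is already present, while `removeOmittedMethod` (added in a later hunk of this file) stops at the first match. A method that was added twice therefore stays in `omittedMethods` after one remove call and remains outside the constraint, which is the opposite of what the caller asked for. Skipping duplicates on insert keeps the two methods symmetric: `for (int i = 0; i < omittedMethods.length; i++)` followed by `if (omittedMethods[i].equals(method)) return;` ahead of the array copy. Whether the existing `addMethod` behaves the same way cannot be seen from this hunk.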
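Review bot: In `findMethod`, when both arrays hold entries the `methods` branch returns before `omittedMethods` is read, so the omission list is silently ignored. The only guard against that state is the check this commit adds in StandardContext, and nothing visible in SecurityCollection stops `addMethod` or `addOmittedMethod` from being called on a collection after that check has run. The Javadoc, which begins outside the hunk, should state the precedence and what each mode means: with an inclusion list only the listed methods are covered, with an omission list every method except the listed ones is covered. A comment above the first branch would make the dependency explicit, e.g. `// methods wins if both lists are set; StandardContext rejects that combination`, and the inner `if (omittedMethods.length > 0)` is always true at that point and can be dropped.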
@@ -227,6 +255,18 @@ public class SecurityCollection implements Serializable { /** + * Return the set of HTTP request methods that are explicitly excluded from + * this web resource collection, or a zero-length array if no request + * methods are excluded. + */ + public String[] findOmittedMethods() { + + return (omittedMethods); + + } + + + /** * Is the specified pattern part of this web resource collection? * * @param pattern Pattern to be compared @@ -285,6 +325,36 @@ public class SecurityCollection implements Serializable { /** + * Remove the specified HTTP request method from those that are explicitly + * excluded from this web resource collection. + * + * @param method Request method to be removed + */ + public void removeOmittedMethod(String method) { + + if (method == null) + return; + int n = -1; + for (int i = 0; i < omittedMethods.length; i++) { + if (omittedMethods[i].equals(method)) { + n = i; + break; + } + } + if (n >= 0) { + int j = 0; + String results[] = new String[omittedMethods.length - 1]; + for (int i = 0; i < omittedMethods.length; i++) { + if (i != n) + results[j++] = omittedMethods[i]; + } + omittedMethods = results; + } + + } + + + /** * Remove the specified URL pattern from those that are part of this * web resource collection. * diff --git a/java/org/apache/catalina/startup/WebRuleSet.java b/java/org/apache/catalina/startup/WebRuleSet.java index ec6454c8c..55fc3b2de 100644 --- a/java/org/apache/catalina/startup/WebRuleSet.java +++ b/java/org/apache/catalina/startup/WebRuleSet.java 
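Review bot: `findOmittedMethods` hands out the internal `omittedMethods` array itself, so any caller that writes to the returned array changes which methods this collection excludes without going through `addOmittedMethod` or `removeOmittedMethod`. Returning a copy, `return omittedMethods.clone();`, closes that path. If the direct reference is kept for consistency with `findMethods` (whose body is outside the hunks), the Javadoc should say that the result must be treated as read-only.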
@@ -337,6 +337,8 @@ public class WebRuleSet extends RuleSetBase { "org.apache.catalina.deploy.SecurityCollection"); digester.addCallMethod(fullPrefix + "/security-constraint/web-resource-collection/http-method", "addMethod", 0); + digester.addCallMethod(fullPrefix + "/security-constraint/web-resource-collection/http-method-omission", + "addOmittedMethod", 0); digester.addCallMethod(fullPrefix + "/security-constraint/web-resource-collection/url-pattern", "addPattern", 0); digester.addCallMethod(fullPrefix + "/security-constraint/web-resource-collection/web-resource-name", diff --git a/java/org/apache/catalina/startup/WebXml.java b/java/org/apache/catalina/startup/WebXml.java index 64d0d9182..598503102 100644 --- a/java/org/apache/catalina/startup/WebXml.java +++ b/java/org/apache/catalina/startup/WebXml.java @@ -734,6 +734,9 @@ public class WebXml { for (String method : collection.findMethods()) { appendElement(sb, INDENT6, "http-method", method); } + for (String method : collection.findOmittedMethods()) { + appendElement(sb, INDENT6, "http-method-omission", method); + } sb.append(" \n"); } if (constraint.findAuthRoles().length > 0) { -- 2.11.0