| Quellcodebibliothek Statistik Leitseite products/Sources/formale Sprachen/Java/Tomcat/java/org/apache/catalina/security/ (Apache Software Stiftung Version 2.4.65©) Datei vom 10.10.2023 mit Größe 15 kB |
|
Quelle SecurityUtil.java Sprache: JAVA |
|||||||||
|
/*
* Licensed to the Apache Software Foundation (ASF) under one or more * contributor license agreements. See the NOTICE file distributed with * this work for additional information regarding copyright ownership. * The ASF licenses this file to You under the Apache License, Version 2.0 * (the "License"); you may not use this file except in compliance with * the License. You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package org.apache.catalina.security; import java.io.IOException; import java.lang.reflect.InvocationTargetException; import java.lang.reflect.Method; import java.security.Principal; import java.security.PrivilegedActionException; import java.security.PrivilegedExceptionAction; import java.util.Map; import java.util.concurrent.ConcurrentHashMap; import javax.security.auth.Subject; import jakarta.servlet.Filter; import jakarta.servlet.Servlet; import jakarta.servlet.ServletException; import jakarta.servlet.UnavailableException; import jakarta.servlet.http.HttpServletRequest; import jakarta.servlet.http.HttpSession; import org.apache.catalina.Globals; import org.apache.juli.logging.Log; import org.apache.juli.logging.LogFactory; import org.apache.tomcat.util.ExceptionUtils; import org.apache.tomcat.util.res.StringManager; /** * This utility class associates a <code>Subject</code> to the current <code>AccessControlContext< * <code>SecurityManager</code> is used, the container will always associate the called thread wi * AccessControlContext containing only the principal of the requested Servlet/Filter. This * invoke the methods. */ public final class SecurityUtil { // Note that indexes overlap. // A Servlet uses "init", "service", "event", "destroy". // A Filter uses "doFilter", "doFilterEvent", "destroy". private static final int INIT = 0; private static final int SERVICE = 1; private static final int DOFILTER = 1; private static final int EVENT = 2; private static final int DOFILTEREVENT = 2; private static final int DESTROY = 3; private static final String INIT_METHOD = "init"; private static final String DOFILTER_METHOD = "doFilter"; private static final String SERVICE_METHOD = "service"; private static final String EVENT_METHOD = "event"; private static final String DOFILTEREVENT_METHOD = "doFilterEvent"; private static final String DESTROY_METHOD = "destroy"; /** * Cache every class for which we are creating methods. */ private static final Map<Class<?>,Method[]> classCache = new ConcurrentHashMap<>(); private static final Log log = LogFactory.getLog(SecurityUtil.class); private static final boolean packageDefinitionEnabled = (System.getProperty("package.definition") == null && System.getProperty("package.acces true; /** * The string resources for this package. */ private static final StringManager sm = StringManager.getManager(Constants.PACKAGE); /** * Perform work as a particular <code>Subject</code>. Here the work will be granted to a <code>null</co * * @param methodName the method to apply the security restriction * @param targetObject the <code>Servlet</code> on which the method will be called. * * @throws Exception an execution error occurred */ public static void doAsPrivilege(final String methodName, final Servlet targetObject) thr doAsPrivilege(methodName, targetObject, null, null, null); } /** * Perform work as a particular <code>Subject</code>. Here the work will be granted to a <code>null</co * * @param methodName the method to apply the security restriction * @param targetObject the <code>Servlet</code> on which the method will be called. * @param targetType <code>Class</code> array used to instantiate a <code>Method</code> object. * @param targetArguments <code>Object</code> array contains the runtime parameters instance. * * @throws Exception an execution error occurred */ public static void doAsPrivilege(final String methodName, final Servlet targetObject, fin final Object[] targetArguments) throws Exception { doAsPrivilege(methodName, targetObject, targetType, targetArguments, null); } /** * Perform work as a particular <code>Subject</code>. Here the work will be granted to a <code>null</co * * @param methodName the method to apply the security restriction * @param targetObject the <code>Servlet</code> on which the method will be called. * @param targetParameterTypes <code>Class</code> array used to instantiate a <code>Method</code> o * @param targetArguments <code>Object</code> array contains the runtime parameters instance. * @param principal the <code>Principal</code> to which the security privilege applies * * @throws Exception an execution error occurred */ public static void doAsPrivilege(final String methodName, final Servlet targetObject, final Class<?>[] targetParameterTypes, final Object[] targetArguments, Principal principa throws Exception { Method method = null; Method[] methodsCache = classCache.get(Servlet.class); if (methodsCache == null) { method = createMethodAndCacheIt(null, Servlet.class, methodName, targetParameterTypes } else { method = findMethod(methodsCache, methodName); if (method == null) { method = createMethodAndCacheIt(methodsCache, Servlet.class, methodName, targetParame } } execute(method, targetObject, targetArguments, principal); } /** * Perform work as a particular <code>Subject</code>. Here the work will be granted to a <code>null</co * * @param methodName the method to apply the security restriction * @param targetObject the <code>Filter</code> on which the method will be called. * * @throws Exception an execution error occurred */ public static void doAsPrivilege(final String methodName, final Filter targetObject) thro doAsPrivilege(methodName, targetObject, null, null); } /** * Perform work as a particular <code>Subject</code>. Here the work will be granted to a <code>null</co * * @param methodName the method to apply the security restriction * @param targetObject the <code>Filter</code> on which the method will be called. * @param targetType <code>Class</code> array used to instantiate a <code>Method</code> object. * @param targetArguments <code>Object</code> array contains the runtime parameters instance. * * @throws Exception an execution error occurred */ public static void doAsPrivilege(final String methodName, final Filter targetObject, fina final Object[] targetArguments) throws Exception { doAsPrivilege(methodName, targetObject, targetType, targetArguments, null); } /** * Perform work as a particular <code>Subject</code>. Here the work will be granted to a <code>null</co * * @param methodName the method to apply the security restriction * @param targetObject the <code>Filter</code> on which the method will be called. * @param targetParameterTypes <code>Class</code> array used to instantiate a <code>Method</code> o * @param targetParameterValues <code>Object</code> array contains the runtime parameters inst * @param principal the <code>Principal</code> to which the security privilege applies * * @throws Exception an execution error occurred */ public static void doAsPrivilege(final String methodName, final Filter targetObject, final Class<?>[] targetParameterTypes, final Object[] targetParameterValues, Principal pr throws Exception { Method method = null; Method[] methodsCache = classCache.get(Filter.class); if (methodsCache == null) { method = createMethodAndCacheIt(null, Filter.class, methodName, targetParameterTypes) } else { method = findMethod(methodsCache, methodName); if (method == null) { method = createMethodAndCacheIt(methodsCache, Filter.class, methodName, targetParamet } } execute(method, targetObject, targetParameterValues, principal); } /** * Perform work as a particular <code>Subject</code>. Here the work will be granted to a <code>null</co * * @param method the method to apply the security restriction * @param targetObject the <code>Servlet</code> on which the method will be called. * @param targetArguments <code>Object</code> array contains the runtime parameters instance. * @param principal the <code>Principal</code> to which the security privilege applies * * @throws Exception an execution error occurred */ private static void execute(final Method method, final Object targetObject, final Object[] Principal principal) throws Exception { try { Subject subject = null; PrivilegedExceptionAction<Void> pea = () -> { method.invoke(targetObject, targetArguments); return null; }; // The first argument is always the request object if (targetArguments != null && targetArguments[0] instanceof HttpServletRequest) { HttpServletRequest request = (HttpServletRequest) targetArguments[0]; boolean hasSubject = false; HttpSession session = request.getSession(false); if (session != null) { subject = (Subject) session.getAttribute(Globals.SUBJECT_ATTR); hasSubject = (subject != null); } if (subject == null) { subject = new Subject(); if (principal != null) { subject.getPrincipals().add(principal); } } if (session != null && !hasSubject) { session.setAttribute(Globals.SUBJECT_ATTR, subject); } } Subject.doAsPrivileged(subject, pea, null); } catch (PrivilegedActionException pe) { Throwable e; if (pe.getException() instanceof InvocationTargetException) { e = pe.getException().getCause(); ExceptionUtils.handleThrowable(e); } else { e = pe; } if (log.isDebugEnabled()) { log.debug(sm.getString("SecurityUtil.doAsPrivilege"), e); } if (e instanceof UnavailableException) { throw (UnavailableException) e; } else if (e instanceof ServletException) { throw (ServletException) e; } else if (e instanceof IOException) { throw (IOException) e; } else if (e instanceof RuntimeException) { throw (RuntimeException) e; } else { throw new ServletException(e.getMessage(), e); } } } /** * Find a method stored within the cache. * * @param methodsCache the cache used to store method instance * @param methodName the method to apply the security restriction * * @return the method instance, null if not yet created. */ private static Method findMethod(Method[] methodsCache, String methodName) { if (methodName.equals(INIT_METHOD)) { return methodsCache[INIT]; } else if (methodName.equals(DESTROY_METHOD)) { return methodsCache[DESTROY]; } else if (methodName.equals(SERVICE_METHOD)) { return methodsCache[SERVICE]; } else if (methodName.equals(DOFILTER_METHOD)) { return methodsCache[DOFILTER]; } else if (methodName.equals(EVENT_METHOD)) { return methodsCache[EVENT]; } else if (methodName.equals(DOFILTEREVENT_METHOD)) { return methodsCache[DOFILTEREVENT]; } return null; } /** * Create the method and cache it for further re-use. * * @param methodsCache the cache used to store method instance * @param targetType the class on which the method will be called. * @param methodName the method to apply the security restriction * @param parameterTypes <code>Class</code> array used to instantiate a <code>Method</code> object. * * @return the method instance. * * @throws Exception an execution error occurred */ private static Method createMethodAndCacheIt(Method[] methodsCache, Class<?> targetType, Class<?>[] parameterTypes) throws Exception { if (methodsCache == null) { methodsCache = new Method[4]; } Method method = targetType.getMethod(methodName, parameterTypes); if (methodName.equals(INIT_METHOD)) { methodsCache[INIT] = method; } else if (methodName.equals(DESTROY_METHOD)) { methodsCache[DESTROY] = method; } else if (methodName.equals(SERVICE_METHOD)) { methodsCache[SERVICE] = method; } else if (methodName.equals(DOFILTER_METHOD)) { methodsCache[DOFILTER] = method; } else if (methodName.equals(EVENT_METHOD)) { methodsCache[EVENT] = method; } else if (methodName.equals(DOFILTEREVENT_METHOD)) { methodsCache[DOFILTEREVENT] = method; } classCache.put(targetType, methodsCache); return method; } /** * Remove the object from the cache. * * @param cachedObject The object to remove */ public static void remove(Object cachedObject) { classCache.remove(cachedObject); } /** * Return the <code>SecurityManager</code> only if Security is enabled AND package protection mec * * @return <code>true</code> if package level protection is enabled */ public static boolean isPackageProtectionEnabled() { if (packageDefinitionEnabled && Globals.IS_SECURITY_ENABLED) { return true; } return false; } } ¤ Dauer der Verarbeitung: 0.3 Sekunden (vorverarbeitet) ¤*© Formatika GbR, Deutschland |
|
2026-03-28