package org.apache.catalina.startup;
import javax.servlet.HttpMethodConstraintElement;
import javax.servlet.ServletSecurityElement;
import javax.servlet.annotation.ServletSecurity.EmptyRoleSemantic;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
Startup event listener for a
Context that configures the properties
of that Context, and the associated defined servlets.
- Author(s):
- Craig R. McClanahan
- Jean-Francois Arcand
- Version:
- $Revision: 1500 $ $Date: 2010-07-02 11:46:55 +0200 (Fri, 02 Jul 2010) $
protected static org.jboss.logging.Logger log=
Custom mappings of login methods to authenticators
The set of Authenticators that we know how to configure. The key is
the name of the implemented authentication method, and the value is
the fully qualified Java class name of the corresponding Valve.
The Context we are associated with.
Track any fatal errors during startup configuration processing.
protected boolean ok = false;
The string resources for this package.
Sets custom mappings of login methods to authenticators.
- Parameters:
customAuthenticators Custom mappings of login methods to
authenticators
Process events for an associated Context.
- Parameters:
event The lifecycle event that has occurred
Process the application configuration file, if it exists.
Parse TLDs. This is separate, and is not subject to the order defined. Also,
all TLDs from all JARs are parsed.
Set up an Authenticator automatically if required, and one has not
already been configured.
if ((constraints == null) || (constraints.length == 0))
if (loginConfig == null) { for (int i = 0; i < valves.length; i++) { Valve authenticator = null;
if (authenticator == null) { "contextConfig.authenticatorResources"));
"contextConfig.authenticatorResources"), e);
String authenticatorName = null;
if (authenticatorName == null) { Class authenticatorClass = Class.forName(authenticatorName);
"contextConfig.authenticatorInstantiate",
if (log.isDebugEnabled()) { "contextConfig.authenticatorConfigured",
Process the default configuration file, if it exists.
The default config must be read with the container loader - so
container servlets can be loaded
Process additional descriptors: TLDs, web fragments, and map overlays.
Find and parse ServletContainerInitializer service in specified JAR.
Process an "init" event for this Context.
if (log.isDebugEnabled())
Process a "before start" event for this Context.
Process a "start" event for this Context.
if (log.isDebugEnabled())
log.debug("Pipeline Configuration:"); for (int i = 0; i < valves.length; i++) { log.debug("======================"); Process a "start" event for this Context.
Process a "stop" event for this Context.
if (log.isDebugEnabled())
for (i = 0; i < children.length; i++) { for (i = 0; i < securityConstraints.length; i++) { for (i = 0; i < errorPages.length; i++) { for (i = 0; i < filterDefs.length; i++) { for (i = 0; i < filterMaps.length; i++) { for (i = 0; i < mimeMappings.length; i++) { for (i = 0; i < parameters.length; i++) { for (i = 0; i < securityRoles.length; i++) { for (i = 0; i < servletMappings.length; i++) { for (i = 0; i < taglibs.length; i++) { for (i = 0; i < welcomeFiles.length; i++) { for (i = 0; i < wrapperLifecycles.length; i++) { for (i = 0; i < wrapperListeners.length; i++) { Process a "destroy" event for this Context.
if (log.isDebugEnabled())
Translate servlet security associated with Servlets to security constraints.
excludedPatterns.add(urlPattern);
for (int i = 0; i < wrappers.length; i++) { if (servletSecurity != null) { boolean classPA = servletSecurity.getEmptyRoleSemantic().equals(EmptyRoleSemantic.PERMIT);
boolean classDA = servletSecurity.getEmptyRoleSemantic().equals(EmptyRoleSemantic.DENY);
boolean classTP = servletSecurity.getTransportGuarantee().equals(TransportGuarantee.CONFIDENTIAL);
String[] classRA = servletSecurity.getRolesAllowed();
Collection<HttpMethodConstraintElement> httpMethodConstraints =
servletSecurity.getHttpMethodConstraints();
if (httpMethodConstraints != null && httpMethodConstraints.size() > 0)
for (HttpMethodConstraintElement httpMethodConstraint : httpMethodConstraints)
methodOmissions.add(method);
boolean methodPA = httpMethodConstraint.getEmptyRoleSemantic().equals(EmptyRoleSemantic.PERMIT);
boolean methodDA = httpMethodConstraint.getEmptyRoleSemantic().equals(EmptyRoleSemantic.DENY);
boolean methodTP = httpMethodConstraint.getTransportGuarantee().equals(TransportGuarantee.CONFIDENTIAL);
String[] methodRA = httpMethodConstraint.getRolesAllowed();
if (methodDA || methodTP || (methodRA != null && methodRA.length > 0))
if (methodPA && (methodRA == null || methodRA.length == 0)) { for (String role : methodRA) { for (String urlPattern : urlPatterns) { if (!excludedPatterns.contains(urlPattern)) { servletSecurityPatterns.add(urlPattern);
for (String urlPattern : servletSecurityPatterns) { if (classDA || classTP || (classRA != null && classRA.length > 0))
if (classPA && (classRA == null || classRA.length == 0)) { for (String urlPattern : urlPatterns) { if (!excludedPatterns.contains(urlPattern)) { servletSecurityPatterns.add(urlPattern);
for (String urlPattern : servletSecurityPatterns) { for (String methodOmission : methodOmissions) { Although this does not comply with the spec, it is likely Java method names
will be used in the annotations. Since it is not possible to validate, this
would be an error that is invisible to the user.
- Parameters:
method
- Returns:
Validate the usage of security role names in the web application
deployment descriptor. If any problems are found, issue warning
messages (for backwards compatibility) and add the missing roles.
(To make these problems fatal instead, simply set the `ok` instance
variable to `false` as well).
for (int i = 0; i < constraints.length; i++) { for (int j = 0; j < roles.length; j++) { for (int i = 0; i < wrappers.length; i++) { for (int j = 0; j < names.length; j++) { while (container != null) { if (container instanceof Host)
if (container instanceof Engine)