jetty · gregw · May 2, 2023 · Feb 3, 2023 · Feb 19, 2023 · Feb 21, 2023
diff --git a/jetty-core/jetty-client/src/main/java/org/eclipse/jetty/client/transport/HttpRequest.java b/jetty-core/jetty-client/src/main/java/org/eclipse/jetty/client/transport/HttpRequest.java
@@ -273,7 +273,7 @@ private Request param(String name, String value, boolean fromQuery)
     @Override
     public Fields getParams()
     {
-        return new Fields(params, true);
+        return params.asImmutable();
     }
 
     @Override

diff --git a/jetty-core/jetty-ee/pom.xml b/jetty-core/jetty-ee/pom.xml
@@ -33,6 +33,10 @@
       <groupId>org.eclipse.jetty</groupId>
       <artifactId>jetty-io</artifactId>
     </dependency>
+    <dependency>
+      <groupId>org.eclipse.jetty</groupId>
+      <artifactId>jetty-security</artifactId>
+    </dependency>
     <dependency>
       <groupId>org.eclipse.jetty</groupId>
       <artifactId>jetty-jmx</artifactId>

diff --git a/jetty-core/jetty-ee/src/main/java/module-info.java b/jetty-core/jetty-ee/src/main/java/module-info.java
@@ -16,9 +16,11 @@
     requires org.slf4j;
 
     requires transitive org.eclipse.jetty.io;
+    requires transitive org.eclipse.jetty.security;
 
     // Only required if using JMX.
     requires static org.eclipse.jetty.jmx;
 
     exports org.eclipse.jetty.ee;
+    exports org.eclipse.jetty.ee.security;
 }
diff --git a/jetty-core/jetty-ee/src/main/java/org/eclipse/jetty/ee/security/ConstraintAware.java b/jetty-core/jetty-ee/src/main/java/org/eclipse/jetty/ee/security/ConstraintAware.java
@@ -0,0 +1,68 @@
+//
+// ========================================================================
+// Copyright (c) 1995 Mort Bay Consulting Pty Ltd and others.
+//
+// This program and the accompanying materials are made available under the
+// terms of the Eclipse Public License v. 2.0 which is available at
+// https://www.eclipse.org/legal/epl-2.0, or the Apache License, Version 2.0
+// which is available at https://www.apache.org/licenses/LICENSE-2.0.
+//
+// SPDX-License-Identifier: EPL-2.0 OR Apache-2.0
+// ========================================================================
+//
+
+package org.eclipse.jetty.ee.security;
+
+import java.util.List;
+import java.util.Set;
+
+public interface ConstraintAware
+{
+    List<ConstraintMapping> getConstraintMappings();
+
+    Set<String> getKnownRoles();
+
+    /**
+     * Set Constraint Mappings and roles.
+     * Can only be called during initialization.
+     *
+     * @param constraintMappings the mappings
+     * @param roles the roles
+     */
+    void setConstraintMappings(List<ConstraintMapping> constraintMappings, Set<String> roles);
+
+    /**
+     * Add a Constraint Mapping.
+     * May be called for running webapplication as an annotated servlet is instantiated.
+     *
+     * @param mapping the mapping
+     */
+    void addConstraintMapping(ConstraintMapping mapping);
+
+    /**
+     * Add a Role definition.
+     * May be called on running webapplication as an annotated servlet is instantiated.
+     *
+     * @param role the role
+     */
+    void addKnownRole(String role);
+
+    /**
+     * See Servlet Spec 31, sec 13.8.4, pg 145
+     * When true, requests with http methods not explicitly covered either by inclusion or omissions
+     * in constraints, will have access denied.
+     *
+     * @param deny true for denied method access
+     */
+    void setDenyUncoveredHttpMethods(boolean deny);
+
+    boolean isDenyUncoveredHttpMethods();
+
+    /**
+     * See Servlet Spec 31, sec 13.8.4, pg 145
+     * Container must check if there are urls with uncovered http methods
+     *
+     * @return true if urls with uncovered http methods
+     */
+    boolean checkPathsWithUncoveredHttpMethods();
+}
diff --git a/jetty-core/jetty-ee/src/main/java/org/eclipse/jetty/ee/security/ConstraintMapping.java b/jetty-core/jetty-ee/src/main/java/org/eclipse/jetty/ee/security/ConstraintMapping.java
@@ -0,0 +1,85 @@
+//
+// ========================================================================
+// Copyright (c) 1995 Mort Bay Consulting Pty Ltd and others.
+//
+// This program and the accompanying materials are made available under the
+// terms of the Eclipse Public License v. 2.0 which is available at
+// https://www.eclipse.org/legal/epl-2.0, or the Apache License, Version 2.0
+// which is available at https://www.apache.org/licenses/LICENSE-2.0.
+//
+// SPDX-License-Identifier: EPL-2.0 OR Apache-2.0
+// ========================================================================
+//
+
+package org.eclipse.jetty.ee.security;
+
+import org.eclipse.jetty.security.Constraint;
+
+public class ConstraintMapping
+{
+    String _method;
+    String[] _methodOmissions;
+    String _pathSpec;
+    Constraint _constraint;
+
+    /**
+     * @return Returns the constraint.
+     */
+    public Constraint getConstraint()
+    {
+        return _constraint;
+    }
+
+    /**
+     * @param constraint The constraint to set.
+     */
+    public void setConstraint(Constraint constraint)
+    {
+        this._constraint = constraint;
+    }
+
+    /**
+     * @return Returns the method.
+     */
+    public String getMethod()
+    {
+        return _method;
+    }
+
+    /**
+     * @param method The method to set.
+     */
+    public void setMethod(String method)
+    {
+        this._method = method;
+    }
+
+    /**
+     * @return Returns the pathSpec.
+     */
+    public String getPathSpec()
+    {
+        return _pathSpec;
+    }
+
+    /**
+     * @param pathSpec The pathSpec to set.
+     */
+    public void setPathSpec(String pathSpec)
+    {
+        this._pathSpec = pathSpec;
+    }
+
+    /**
+     * @param omissions The http-method-omission
+     */
+    public void setMethodOmissions(String[] omissions)
+    {
+        _methodOmissions = omissions;
+    }
+
+    public String[] getMethodOmissions()
+    {
+        return _methodOmissions;
+    }
+}
diff --git a/jetty-core/jetty-security/pom.xml b/jetty-core/jetty-security/pom.xml
@@ -0,0 +1,65 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+  <parent>
+    <groupId>org.eclipse.jetty</groupId>
+    <artifactId>jetty-core</artifactId>
+    <version>12.0.0-SNAPSHOT</version>
+  </parent>
+
+  <modelVersion>4.0.0</modelVersion>
+  <artifactId>jetty-security</artifactId>
+  <name>Core :: Security </name>
+  <description>The common jetty security implementation</description>
+
+  <properties>
+    <bundle-symbolic-name>${project.groupId}.security</bundle-symbolic-name>
+    <spotbugs.onlyAnalyze>org.eclipse.jetty.security.*</spotbugs.onlyAnalyze>
+  </properties>
+
+  <build>
+    <plugins>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-surefire-plugin</artifactId>
+        <configuration>
+          <argLine>
+            @{argLine} 
+	    ${jetty.surefire.argLine} 
+	    --add-reads org.eclipse.jetty.security=org.eclipse.jetty.logging 
+          </argLine>
+        </configuration>
+      </plugin>
+    </plugins>
+  </build>
+
+  <dependencies>
+    <dependency>
+      <groupId>org.eclipse.jetty</groupId>
+      <artifactId>jetty-server</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.slf4j</groupId>
+      <artifactId>slf4j-api</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.eclipse.jetty</groupId>
+      <artifactId>jetty-session</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.eclipse.jetty.toolchain</groupId>
+      <artifactId>jetty-test-helper</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.eclipse.jetty</groupId>
+      <artifactId>jetty-http-tools</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.eclipse.jetty</groupId>
+      <artifactId>jetty-slf4j-impl</artifactId>
+      <scope>test</scope>
+    </dependency>
+  </dependencies>
+
+</project>
diff --git a/jetty-core/jetty-security/src/main/java/module-info.java b/jetty-core/jetty-security/src/main/java/module-info.java
@@ -0,0 +1,27 @@
+//
+// ========================================================================
+// Copyright (c) 1995 Mort Bay Consulting Pty Ltd and others.
+//
+// This program and the accompanying materials are made available under the
+// terms of the Eclipse Public License v. 2.0 which is available at
+// https://www.eclipse.org/legal/epl-2.0, or the Apache License, Version 2.0
+// which is available at https://www.apache.org/licenses/LICENSE-2.0.
+//
+// SPDX-License-Identifier: EPL-2.0 OR Apache-2.0
+// ========================================================================
+//
+
+module org.eclipse.jetty.security
+{
+    requires transitive org.eclipse.jetty.server;
+    requires transitive org.eclipse.jetty.util;
+    requires transitive org.slf4j;
+    requires java.security.jgss;
+    requires java.sql;
+
+    exports org.eclipse.jetty.security;
+    exports org.eclipse.jetty.security.authentication;
+    exports org.eclipse.jetty.security.internal;
+
+    uses org.eclipse.jetty.security.Authenticator.Factory;
+}