Author: markt
Date: Tue Jun 18 22:43:17 2013
New Revision: 1494355
URL: http://svn.apache.org/r1494355
Log: A unit test for handling the special case of an empty HttpConstraint, which must not result in unauthenticated access for all methods.
Added: tomcat/trunk/test/org/apache/catalina/realm/TesterServletSecurity01.java
Modified: tomcat/trunk/test/org/apache/catalina/connector/TesterRequest.java
tomcat/trunk/test/org/apache/catalina/core/TesterContext.java
tomcat/trunk/test/org/apache/catalina/realm/TestRealmBase.java
Modified: tomcat/trunk/test/org/apache/catalina/connector/TesterRequest.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/catalina/connector/TesterRequest.java?rev=1494355&r1=1494354&r2=1494355&view=diff
==============================================================================
--- tomcat/trunk/test/org/apache/catalina/connector/TesterRequest.java (original)
+++ tomcat/trunk/test/org/apache/catalina/connector/TesterRequest.java Tue Jun 18 22:43:17 2013
@@ -36,4 +36,13 @@ public class TesterRequest extends Reque
 public String getDecodedRequestURI() {
 return "/level1/level2/foo.html";
 }
+
+ private String method;
+ public void setMethod(String method) {
+ this.method = method;
+ }
+ @Override
+ public String getMethod() {
+ return method;
+ }
 }
Modified: tomcat/trunk/test/org/apache/catalina/core/TesterContext.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/catalina/core/TesterContext.java?rev=1494355&r1=1494354&r2=1494355&view=diff
==============================================================================
--- tomcat/trunk/test/org/apache/catalina/core/TesterContext.java (original)
+++ tomcat/trunk/test/org/apache/catalina/core/TesterContext.java Tue Jun 18 22:43:17 2013
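Review bot: `getMethod()` on the new `TesterRequest` returns null until `setMethod` has been called, so a test that builds a `TesterRequest` and reaches constraint matching without setting a method now sees a null method instead of whatever the inherited `Request.getMethod()` produced. If that is intended, a comment on the field, `// null until setMethod() is called; tests must set it before constraint lookup`, makes the contract explicit; otherwise initialising the field to `"GET"` keeps the mock usable by default. I cannot see from this hunk whether any existing test relies on the inherited behaviour.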
@@ -83,6 +83,28 @@ public class TesterContext implements Co
 return securityRoles.toArray(new String[securityRoles.size()]);
 }
+ @Override
+ public void removeSecurityRole(String role) {
+ securityRoles.remove(role);
+ }
+
+ private List<SecurityConstraint> securityConstraints = new ArrayList<>();
+ @Override
+ public void addConstraint(SecurityConstraint constraint) {
+ securityConstraints.add(constraint);
+ }
+
+ @Override
+ public SecurityConstraint[] findConstraints() {
+ return securityConstraints.toArray(
+ new SecurityConstraint[securityConstraints.size()]);
+ }
+
+ @Override
+ public void removeConstraint(SecurityConstraint constraint) {
+ securityConstraints.remove(constraint);
+ }
+
 @Override
 public Log getLogger() {
@@ -668,11 +690,6 @@ public class TesterContext implements Co
 }
 @Override
- public void addConstraint(SecurityConstraint constraint) {
- // NO-OP
- }
-
- @Override
 public void addErrorPage(ErrorPage errorPage) {
 // NO-OP
 }
@@ -764,11 +781,6 @@ public class TesterContext implements Co
 }
 @Override
- public SecurityConstraint[] findConstraints() {
- return null;
- }
-
- @Override
 public ErrorPage findErrorPage(int errorCode) {
 return null;
 }
@@ -899,11 +911,6 @@ public class TesterContext implements Co
 }
 @Override
- public void removeConstraint(SecurityConstraint constraint) {
- // NO-OP
- }
-
- @Override
 public void removeErrorPage(ErrorPage errorPage) {
 // NO-OP
 }
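Review bot: The new `securityConstraints` field is declared in the middle of the method sequence, between `removeSecurityRole` and `addConstraint`, rather than with the class's other fields; it would read better next to the `securityRoles` list it mirrors (presumably declared earlier in the class, outside this hunk), or at least separated from the methods by a blank line and a short comment. Since the list is never reassigned, `private final List<SecurityConstraint> securityConstraints = new ArrayList<>();` also states the intent. `removeConstraint` depends on `SecurityConstraint.equals`, which I believe is not overridden, so only the exact instance passed to `addConstraint` can be removed; that is fine for the tests in this commit but worth a one-line comment.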
@@ -939,11 +946,6 @@ public class TesterContext implements Co
 }
 @Override
- public void removeSecurityRole(String role) {
- // NO-OP
- }
-
- @Override
 public void removeServletMapping(String pattern) {
 // NO-OP
 }
Modified: tomcat/trunk/test/org/apache/catalina/realm/TestRealmBase.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/catalina/realm/TestRealmBase.java?rev=1494355&r1=1494354&r2=1494355&view=diff
==============================================================================
--- tomcat/trunk/test/org/apache/catalina/realm/TestRealmBase.java (original)
+++ tomcat/trunk/test/org/apache/catalina/realm/TestRealmBase.java Tue Jun 18 22:43:17 2013
@@ -20,12 +20,16 @@ import java.io.IOException;
 import java.util.ArrayList;
 import java.util.List;
+import javax.servlet.ServletSecurityElement;
+import javax.servlet.annotation.ServletSecurity;
+
 import org.junit.Assert;
 import org.junit.Test;
 import org.apache.catalina.Context;
 import org.apache.catalina.connector.Request;
 import org.apache.catalina.connector.Response;
+import org.apache.catalina.connector.TesterRequest;
 import org.apache.catalina.connector.TesterResponse;
 import org.apache.catalina.core.TesterContext;
 import org.apache.catalina.deploy.SecurityConstraint;
@@ -34,8 +38,10 @@ import org.apache.catalina.startup.Teste
 public class TestRealmBase {
 private static final String USER1 = "user1";
- private static final String PWD1 = "password1";
- private static final String ROLE1 = "role1";
+ private static final String USER2 = "user2";
+ private static final String USER99 = "user99";
+ private static final String PWD = "password";
+ public static final String ROLE1 = "role1";
 private static final String ROLE2 = "role2";
 private static final String ROLE3 = "role3";
 private static final String ROLE99 = "role99";
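Review bot: `ROLE1` is widened from `private` to `public` while its neighbours stay private, and nothing on the line says why; the reason is that the `@HttpMethodConstraint` in `TesterServletSecurity01` needs a compile-time constant it can reference across classes. A comment such as `// public: referenced from the annotation on TesterServletSecurity01` would stop a later clean-up from narrowing it back and breaking that class.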
@@ -563,11 +569,7 @@ public class TestRealmBase {
 // Set up an authenticated user
 // Configure the users in the Realm
 if (userRoles != null) {
- for (String userRole : userRoles) {
- mapRealm.addUser(USER1, userRole);
- }
-
- GenericPrincipal gp = new GenericPrincipal(USER1, PWD1, userRoles);
+ GenericPrincipal gp = new GenericPrincipal(USER1, PWD, userRoles);
 request.setUserPrincipal(gp);
 }
@@ -577,4 +579,130 @@ public class TestRealmBase {
 Assert.assertEquals(Boolean.valueOf(expected), Boolean.valueOf(result));
 }
+
+
+ /**
+ * This test case covers the special case in section 13.4.1 of the Servlet
+ * 3.1 specification for {@link javax.servlet.annotation.HttpConstraint}.
+ */
+ @Test
+ public void testHttpConstraint() throws IOException {
+ // Get the annotation from the test case
+ Class<TesterServletSecurity01> clazz = TesterServletSecurity01.class;
+ ServletSecurity servletSecurity =
+ clazz.getAnnotation(ServletSecurity.class);
+
+ // Convert the annotation into constraints
+ ServletSecurityElement servletSecurityElement =
+ new ServletSecurityElement(servletSecurity);
+ SecurityConstraint[] constraints =
+ SecurityConstraint.createConstraints(
+ servletSecurityElement, "/*");
+
+ TesterMapRealm mapRealm = new TesterMapRealm();
+
+ // Set up the mock request and response
+ TesterRequest request = new TesterRequest();
+ Response response = new TesterResponse();
+ Context context = new TesterContext();
+ context.addSecurityRole(ROLE1);
+ context.addSecurityRole(ROLE2);
+ request.setContext(context);
+
+ // Create the principals
+ List<String> userRoles1 = new ArrayList<>();
+ userRoles1.add(ROLE1);
+ GenericPrincipal gp1 = new GenericPrincipal(USER1, PWD, userRoles1);
+
+ List<String> userRoles2 = new ArrayList<>();
+ userRoles2.add(ROLE2);
+ GenericPrincipal gp2 = new GenericPrincipal(USER2, PWD, userRoles2);
+
+ List<String> userRoles99 = new ArrayList<>();
+ GenericPrincipal gp99 = new GenericPrincipal(USER99, PWD, userRoles99);
+
+ // Add the constraints to the context
+ for (SecurityConstraint constraint : constraints) {
+ context.addConstraint(constraint);
+ }
+
+ // All users should be able to perform a GET
+ request.setMethod("GET");
+
+ SecurityConstraint[] constraintsGet =
+ mapRealm.findSecurityConstraints(request, context);
+
+ request.setUserPrincipal(null);
+ Assert.assertTrue(mapRealm.hasResourcePermission(
+ request, response, constraintsGet, null));
+ request.setUserPrincipal(gp1);
+ Assert.assertTrue(mapRealm.hasResourcePermission(
+ request, response, constraintsGet, null));
+ request.setUserPrincipal(gp2);
+ Assert.assertTrue(mapRealm.hasResourcePermission(
+ request, response, constraintsGet, null));
+ request.setUserPrincipal(gp99);
+ Assert.assertTrue(mapRealm.hasResourcePermission(
+ request, response, constraintsGet, null));
+
+ // Only user1 should be able to perform a POST as only that user has
+ // role1.
+ request.setMethod("POST");
+
+ SecurityConstraint[] constraintsPost =
+ mapRealm.findSecurityConstraints(request, context);
+
+ request.setUserPrincipal(null);
+ Assert.assertFalse(mapRealm.hasResourcePermission(
+ request, response, constraintsPost, null));
+ request.setUserPrincipal(gp1);
+ Assert.assertTrue(mapRealm.hasResourcePermission(
+ request, response, constraintsPost, null));
+ request.setUserPrincipal(gp2);
+ Assert.assertFalse(mapRealm.hasResourcePermission(
+ request, response, constraintsPost, null));
+ request.setUserPrincipal(gp99);
+ Assert.assertFalse(mapRealm.hasResourcePermission(
+ request, response, constraintsPost, null));
+
+ // Only users with application roles (role1 or role2 so user1 or user2)
+ // should be able to perform a PUT.
+ request.setMethod("PUT");
+
+ SecurityConstraint[] constraintsPut =
+ mapRealm.findSecurityConstraints(request, context);
+
+ request.setUserPrincipal(null);
+ Assert.assertFalse(mapRealm.hasResourcePermission(
+ request, response, constraintsPut, null));
+ request.setUserPrincipal(gp1);
+ Assert.assertTrue(mapRealm.hasResourcePermission(
+ request, response, constraintsPut, null));
+ request.setUserPrincipal(gp2);
+ Assert.assertTrue(mapRealm.hasResourcePermission(
+ request, response, constraintsPut, null));
+ request.setUserPrincipal(gp99);
+ Assert.assertFalse(mapRealm.hasResourcePermission(
+ request, response, constraintsPut, null));
+
+ // Any authenticated user should be able to perform a TRACE.
+ request.setMethod("TRACE");
+
+ SecurityConstraint[] constraintsTrace =
+ mapRealm.findSecurityConstraints(request, context);
+
+ request.setUserPrincipal(null);
+ Assert.assertFalse(mapRealm.hasResourcePermission(
+ request, response, constraintsTrace, null));
+ request.setUserPrincipal(gp1);
+ Assert.assertTrue(mapRealm.hasResourcePermission(
+ request, response, constraintsTrace, null));
+ request.setUserPrincipal(gp2);
+ Assert.assertTrue(mapRealm.hasResourcePermission(
+ request, response, constraintsTrace, null));
+ request.setUserPrincipal(gp99);
+ Assert.assertTrue(mapRealm.hasResourcePermission(
+ request, response, constraintsTrace, null));
+
+ }
 }
Added: tomcat/trunk/test/org/apache/catalina/realm/TesterServletSecurity01.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/catalina/realm/TesterServletSecurity01.java?rev=1494355&view=auto
==============================================================================
--- tomcat/trunk/test/org/apache/catalina/realm/TesterServletSecurity01.java (added)
+++ tomcat/trunk/test/org/apache/catalina/realm/TesterServletSecurity01.java Tue Jun 18 22:43:17 2013
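Review bot: Each of the four method sections in `testHttpConstraint` repeats the same find-constraints / set-principal / assert sequence for the same four principals, so the expected access matrix is spread over roughly eighty lines and is stated only in the section comments; a small helper taking the method, the principal and the expected result would make that matrix explicit and cut the method to a quarter of its length. Only `GET` stands for the methods not named by any `@HttpMethodConstraint`; probing one more unlisted method (say `DELETE`) in the permit section would show that the empty `@HttpConstraint` leaves every unlisted method open, not just `GET`. As I read `RealmBase.hasResourcePermission` (outside this diff), it returns true when the constraint array is null or empty, so a regression in constraint generation would surface in the `POST` section rather than at the `GET` assertions; an `Assert.assertNotNull(constraintsGet)` makes the `GET` section self-contained. The sketch below keeps the set-up as it is and replaces the four blocks with calls to such a helper.

```java
        // … unchanged: annotation → constraints, realm, request/response/context,
        //    principals gp1/gp2/gp99, adding the constraints to the context …

        // Methods not named by an @HttpMethodConstraint are open to everyone
        assertAccess(mapRealm, request, response, context, "GET", null, true);
        assertAccess(mapRealm, request, response, context, "GET", gp99, true);
        assertAccess(mapRealm, request, response, context, "DELETE", null, true);
        // POST: role1 only
        assertAccess(mapRealm, request, response, context, "POST", null, false);
        assertAccess(mapRealm, request, response, context, "POST", gp1, true);
        assertAccess(mapRealm, request, response, context, "POST", gp2, false);
        // … remaining POST/PUT/TRACE expectations in the same form …
    }

    /**
     * Looks up the constraints that apply to {@code method}, installs
     * {@code principal} (null for an unauthenticated request) and asserts
     * that access is granted exactly when {@code expected} is true.
     */
    private static void assertAccess(TesterMapRealm realm, TesterRequest request,
            Response response, Context context, String method,
            GenericPrincipal principal, boolean expected) throws IOException {
        request.setMethod(method);
        SecurityConstraint[] constraints =
                realm.findSecurityConstraints(request, context);
        // A null/empty array is "no constraint found", not "permitted"
        Assert.assertNotNull(constraints);
        request.setUserPrincipal(principal);
        Assert.assertEquals(Boolean.valueOf(expected), Boolean.valueOf(
                realm.hasResourcePermission(request, response, constraints, null)));
    }
```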
@@ -0,0 +1,35 @@
+/*
+* Licensed to the Apache Software Foundation (ASF) under one or more
+* contributor license agreements. See the NOTICE file distributed with
+* this work for additional information regarding copyright ownership.
+* The ASF licenses this file to You under the Apache License, Version 2.0
+* (the "License"); you may not use this file except in compliance with
+* the License. You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package org.apache.catalina.realm;
+
+import javax.servlet.annotation.HttpConstraint;
+import javax.servlet.annotation.HttpMethodConstraint;
+import javax.servlet.annotation.ServletSecurity;
+
+import org.apache.catalina.deploy.SecurityConstraint;
+
+@ServletSecurity(value=@HttpConstraint,
+ httpMethodConstraints={
+ @HttpMethodConstraint(value="POST",
+ rolesAllowed=TestRealmBase.ROLE1),
+ @HttpMethodConstraint(value="PUT",
+ rolesAllowed=SecurityConstraint.ROLE_ALL_ROLES),
+ @HttpMethodConstraint(value="TRACE",
+ rolesAllowed=SecurityConstraint.ROLE_ALL_AUTHENTICATED_USERS)})
+public class TesterServletSecurity01 {
+ // Class is NO-OP. It is only used to 'host' the annotation.
+}
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
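Review bot: The only comment on `TesterServletSecurity01` says that the class hosts the annotation, but not what the annotation is meant to exercise, so a reader has to reconstruct the expectations from `TestRealmBase.testHttpConstraint`. A class-level Javadoc above `@ServletSecurity` should name the spec case — the Servlet 3.1 section 13.4.1 special case of an empty `@HttpConstraint` (default PERMIT, no roles) combined with per-method constraints, where only the unlisted methods may be unprotected — and spell out the three method constraints in words: `POST` requires `role1`, `PUT` requires any application role, `TRACE` requires any authenticated user. Stating the meaning of `SecurityConstraint.ROLE_ALL_ROLES` and `ROLE_ALL_AUTHENTICATED_USERS` there is useful because the constants' definitions are outside this diff; I read them as `*` and `**` respectively, which should be confirmed against `SecurityConstraint`.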