Author: markt
Date: Tue Jun 18 22:43:17 2013
New Revision: 1494355

URL: http://svn.apache.org/r1494355
Log:
A unit test for handling the special case of an empty HttpConstraint that does 
not result in unauthenticated access for all.

Added:
    tomcat/trunk/test/org/apache/catalina/realm/TesterServletSecurity01.java
Modified:
    tomcat/trunk/test/org/apache/catalina/connector/TesterRequest.java
    tomcat/trunk/test/org/apache/catalina/core/TesterContext.java
    tomcat/trunk/test/org/apache/catalina/realm/TestRealmBase.java

Modified: tomcat/trunk/test/org/apache/catalina/connector/TesterRequest.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/catalina/connector/TesterRequest.java?rev=1494355&r1=1494354&r2=1494355&view=diff
==============================================================================
--- tomcat/trunk/test/org/apache/catalina/connector/TesterRequest.java 
(original)
+++ tomcat/trunk/test/org/apache/catalina/connector/TesterRequest.java Tue Jun 
18 22:43:17 2013
@@ -36,4 +36,13 @@ public class TesterRequest extends Reque
     public String getDecodedRequestURI() {
         return "/level1/level2/foo.html";
     }
+
+    private String method;
+    public void setMethod(String method) {
+        this.method = method;
+    }
+    @Override
+    public String getMethod() {
+        return method;
+    }
 }
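Review bot: `getMethod()` now returns null until a test calls `setMethod`, and nothing on the field or the override says so, which matters because the realm code exercised through this mock compares the method name; a caller that forgets the setter would see null rather than whatever the real `Request` returns. Add a comment on the field, `// Set by tests via setMethod(); getMethod() returns null until then`. The field is also dropped between two methods without a separating blank line; placing it with the other fields of the class (the class header is outside the hunk) and adding a blank line before `setMethod` would match the surrounding layout.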

Modified: tomcat/trunk/test/org/apache/catalina/core/TesterContext.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/catalina/core/TesterContext.java?rev=1494355&r1=1494354&r2=1494355&view=diff
==============================================================================
--- tomcat/trunk/test/org/apache/catalina/core/TesterContext.java (original)
+++ tomcat/trunk/test/org/apache/catalina/core/TesterContext.java Tue Jun 18 
22:43:17 2013
@@ -83,6 +83,28 @@ public class TesterContext implements Co
         return securityRoles.toArray(new String[securityRoles.size()]);
     }
 
+    @Override
+    public void removeSecurityRole(String role) {
+        securityRoles.remove(role);
+    }
+
+    private List<SecurityConstraint> securityConstraints = new ArrayList<>();
+    @Override
+    public void addConstraint(SecurityConstraint constraint) {
+        securityConstraints.add(constraint);
+    }
+
+    @Override
+    public SecurityConstraint[] findConstraints() {
+        return securityConstraints.toArray(
+                new SecurityConstraint[securityConstraints.size()]);
+    }
+
+    @Override
+    public void removeConstraint(SecurityConstraint constraint) {
+        securityConstraints.remove(constraint);
+    }
+
 
     @Override
     public Log getLogger() {
@@ -668,11 +690,6 @@ public class TesterContext implements Co
     }
 
     @Override
-    public void addConstraint(SecurityConstraint constraint) {
-        // NO-OP
-    }
-
-    @Override
     public void addErrorPage(ErrorPage errorPage) {
         // NO-OP
     }
@@ -764,11 +781,6 @@ public class TesterContext implements Co
     }
 
     @Override
-    public SecurityConstraint[] findConstraints() {
-        return null;
-    }
-
-    @Override
     public ErrorPage findErrorPage(int errorCode) {
         return null;
     }
@@ -899,11 +911,6 @@ public class TesterContext implements Co
     }
 
     @Override
-    public void removeConstraint(SecurityConstraint constraint) {
-        // NO-OP
-    }
-
-    @Override
     public void removeErrorPage(ErrorPage errorPage) {
         // NO-OP
     }
@@ -939,11 +946,6 @@ public class TesterContext implements Co
     }
 
     @Override
-    public void removeSecurityRole(String role) {
-        // NO-OP
-    }
-
-    @Override
     public void removeServletMapping(String pattern) {
         // NO-OP
     }

Modified: tomcat/trunk/test/org/apache/catalina/realm/TestRealmBase.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/catalina/realm/TestRealmBase.java?rev=1494355&r1=1494354&r2=1494355&view=diff
==============================================================================
--- tomcat/trunk/test/org/apache/catalina/realm/TestRealmBase.java (original)
+++ tomcat/trunk/test/org/apache/catalina/realm/TestRealmBase.java Tue Jun 18 
22:43:17 2013
@@ -20,12 +20,16 @@ import java.io.IOException;
 import java.util.ArrayList;
 import java.util.List;
 
+import javax.servlet.ServletSecurityElement;
+import javax.servlet.annotation.ServletSecurity;
+
 import org.junit.Assert;
 import org.junit.Test;
 
 import org.apache.catalina.Context;
 import org.apache.catalina.connector.Request;
 import org.apache.catalina.connector.Response;
+import org.apache.catalina.connector.TesterRequest;
 import org.apache.catalina.connector.TesterResponse;
 import org.apache.catalina.core.TesterContext;
 import org.apache.catalina.deploy.SecurityConstraint;
@@ -34,8 +38,10 @@ import org.apache.catalina.startup.Teste
 public class TestRealmBase {
 
     private static final String USER1 = "user1";
-    private static final String PWD1 = "password1";
-    private static final String ROLE1 = "role1";
+    private static final String USER2 = "user2";
+    private static final String USER99 = "user99";
+    private static final String PWD = "password";
+    public static final String ROLE1 = "role1";
     private static final String ROLE2 = "role2";
     private static final String ROLE3 = "role3";
     private static final String ROLE99 = "role99";
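Review bot: `ROLE1` is widened from `private` to `public` only so the annotation in TesterServletSecurity01 can reference it, but both classes sit in `org.apache.catalina.realm`, so package-private access is enough: `static final String ROLE1 = "role1";`. Keeping the narrowest visibility that compiles avoids turning a test fixture constant into public API of the test class.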
@@ -563,11 +569,7 @@ public class TestRealmBase {
         // Set up an authenticated user
         // Configure the users in the Realm
         if (userRoles != null) {
-            for (String userRole : userRoles) {
-                mapRealm.addUser(USER1, userRole);
-            }
-
-            GenericPrincipal gp = new GenericPrincipal(USER1, PWD1, userRoles);
+            GenericPrincipal gp = new GenericPrincipal(USER1, PWD, userRoles);
             request.setUserPrincipal(gp);
         }
 
@@ -577,4 +579,130 @@ public class TestRealmBase {
 
         Assert.assertEquals(Boolean.valueOf(expected), 
Boolean.valueOf(result));
     }
+
+
+    /**
+     * This test case covers the special case in section 13.4.1 of the Servlet
+     * 3.1 specification for {@link javax.servlet.annotation.HttpConstraint}.
+     */
+    @Test
+    public void testHttpConstraint() throws IOException {
+        // Get the annotation from the test case
+        Class<TesterServletSecurity01> clazz = TesterServletSecurity01.class;
+        ServletSecurity servletSecurity =
+                clazz.getAnnotation(ServletSecurity.class);
+
+        // Convert the annotation into constraints
+        ServletSecurityElement servletSecurityElement =
+                new ServletSecurityElement(servletSecurity);
+        SecurityConstraint[] constraints =
+                SecurityConstraint.createConstraints(
+                        servletSecurityElement, "/*");
+
+        TesterMapRealm mapRealm = new TesterMapRealm();
+
+        // Set up the mock request and response
+        TesterRequest request = new TesterRequest();
+        Response response = new TesterResponse();
+        Context context = new TesterContext();
+        context.addSecurityRole(ROLE1);
+        context.addSecurityRole(ROLE2);
+        request.setContext(context);
+
+        // Create the principals
+        List<String> userRoles1 = new ArrayList<>();
+        userRoles1.add(ROLE1);
+        GenericPrincipal gp1 = new GenericPrincipal(USER1, PWD, userRoles1);
+
+        List<String> userRoles2 = new ArrayList<>();
+        userRoles2.add(ROLE2);
+        GenericPrincipal gp2 = new GenericPrincipal(USER2, PWD, userRoles2);
+
+        List<String> userRoles99 = new ArrayList<>();
+        GenericPrincipal gp99 = new GenericPrincipal(USER99, PWD, userRoles99);
+
+        // Add the constraints to the context
+        for (SecurityConstraint constraint : constraints) {
+            context.addConstraint(constraint);
+        }
+
+        // All users should be able to perform a GET
+        request.setMethod("GET");
+
+        SecurityConstraint[] constraintsGet =
+                mapRealm.findSecurityConstraints(request, context);
+
+        request.setUserPrincipal(null);
+        Assert.assertTrue(mapRealm.hasResourcePermission(
+                request, response, constraintsGet, null));
+        request.setUserPrincipal(gp1);
+        Assert.assertTrue(mapRealm.hasResourcePermission(
+                request, response, constraintsGet, null));
+        request.setUserPrincipal(gp2);
+        Assert.assertTrue(mapRealm.hasResourcePermission(
+                request, response, constraintsGet, null));
+        request.setUserPrincipal(gp99);
+        Assert.assertTrue(mapRealm.hasResourcePermission(
+                request, response, constraintsGet, null));
+
+        // Only user1 should be able to perform a POST as only that user has
+        // role1.
+        request.setMethod("POST");
+
+        SecurityConstraint[] constraintsPost =
+                mapRealm.findSecurityConstraints(request, context);
+
+        request.setUserPrincipal(null);
+        Assert.assertFalse(mapRealm.hasResourcePermission(
+                request, response, constraintsPost, null));
+        request.setUserPrincipal(gp1);
+        Assert.assertTrue(mapRealm.hasResourcePermission(
+                request, response, constraintsPost, null));
+        request.setUserPrincipal(gp2);
+        Assert.assertFalse(mapRealm.hasResourcePermission(
+                request, response, constraintsPost, null));
+        request.setUserPrincipal(gp99);
+        Assert.assertFalse(mapRealm.hasResourcePermission(
+                request, response, constraintsPost, null));
+
+        // Only users with application roles (role1 or role2 so user1 or user2)
+        // should be able to perform a PUT.
+        request.setMethod("PUT");
+
+        SecurityConstraint[] constraintsPut =
+                mapRealm.findSecurityConstraints(request, context);
+
+        request.setUserPrincipal(null);
+        Assert.assertFalse(mapRealm.hasResourcePermission(
+                request, response, constraintsPut, null));
+        request.setUserPrincipal(gp1);
+        Assert.assertTrue(mapRealm.hasResourcePermission(
+                request, response, constraintsPut, null));
+        request.setUserPrincipal(gp2);
+        Assert.assertTrue(mapRealm.hasResourcePermission(
+                request, response, constraintsPut, null));
+        request.setUserPrincipal(gp99);
+        Assert.assertFalse(mapRealm.hasResourcePermission(
+                request, response, constraintsPut, null));
+
+        // Any authenticated user should be able to perform a TRACE.
+        request.setMethod("TRACE");
+
+        SecurityConstraint[] constraintsTrace =
+                mapRealm.findSecurityConstraints(request, context);
+
+        request.setUserPrincipal(null);
+        Assert.assertFalse(mapRealm.hasResourcePermission(
+                request, response, constraintsTrace, null));
+        request.setUserPrincipal(gp1);
+        Assert.assertTrue(mapRealm.hasResourcePermission(
+                request, response, constraintsTrace, null));
+        request.setUserPrincipal(gp2);
+        Assert.assertTrue(mapRealm.hasResourcePermission(
+                request, response, constraintsTrace, null));
+        request.setUserPrincipal(gp99);
+        Assert.assertTrue(mapRealm.hasResourcePermission(
+                request, response, constraintsTrace, null));
+
+    }
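Review bot: testHttpConstraint never asserts on the constraint arrays it obtains from `findSecurityConstraints`, so the GET block would pass just as well if no constraint were found for an unrelated reason, and the POST/PUT/TRACE blocks do not pin that a method constraint was actually matched; adding `Assert.assertNotNull(constraintsPost);` (and the same for PUT and TRACE) after each lookup ties the outcome to the constraints, and an explicit assertion on `constraintsGet`, whichever value the 13.4.1 case is meant to produce, would document the intent of the GET block. The principal/assert pair is repeated sixteen times; a helper that sets the principal and checks the expected result, written with the `Boolean.valueOf` comparison the existing test above already uses, reduces each method to four readable lines. The helper is sketched below; `throws IOException` on it is inferred from the test method's own signature.
```java
    /** Sets the principal on the request and asserts the realm's permission decision. */
    private static void assertPermission(TesterMapRealm realm, TesterRequest request,
            Response response, SecurityConstraint[] constraints,
            GenericPrincipal principal, boolean expected) throws IOException {
        request.setUserPrincipal(principal);
        Assert.assertEquals(Boolean.valueOf(expected), Boolean.valueOf(
                realm.hasResourcePermission(request, response, constraints, null)));
    }

        // … unchanged: annotation lookup, context, principals, constraint registration …

        // All users should be able to perform a GET
        request.setMethod("GET");
        SecurityConstraint[] constraintsGet =
                mapRealm.findSecurityConstraints(request, context);
        assertPermission(mapRealm, request, response, constraintsGet, null, true);
        assertPermission(mapRealm, request, response, constraintsGet, gp1, true);
        assertPermission(mapRealm, request, response, constraintsGet, gp2, true);
        assertPermission(mapRealm, request, response, constraintsGet, gp99, true);

        // Only user1 should be able to perform a POST as only that user has
        // role1.
        request.setMethod("POST");
        SecurityConstraint[] constraintsPost =
                mapRealm.findSecurityConstraints(request, context);
        Assert.assertNotNull(constraintsPost);
        assertPermission(mapRealm, request, response, constraintsPost, null, false);
        assertPermission(mapRealm, request, response, constraintsPost, gp1, true);
        assertPermission(mapRealm, request, response, constraintsPost, gp2, false);
        assertPermission(mapRealm, request, response, constraintsPost, gp99, false);

        // … unchanged in shape: PUT and TRACE blocks, rewritten the same way …
```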
 }

Added: tomcat/trunk/test/org/apache/catalina/realm/TesterServletSecurity01.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/catalina/realm/TesterServletSecurity01.java?rev=1494355&view=auto
==============================================================================
--- tomcat/trunk/test/org/apache/catalina/realm/TesterServletSecurity01.java 
(added)
+++ tomcat/trunk/test/org/apache/catalina/realm/TesterServletSecurity01.java 
Tue Jun 18 22:43:17 2013
@@ -0,0 +1,35 @@
+/*
+* Licensed to the Apache Software Foundation (ASF) under one or more
+* contributor license agreements.  See the NOTICE file distributed with
+* this work for additional information regarding copyright ownership.
+* The ASF licenses this file to You under the Apache License, Version 2.0
+* (the "License"); you may not use this file except in compliance with
+* the License.  You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package org.apache.catalina.realm;
+
+import javax.servlet.annotation.HttpConstraint;
+import javax.servlet.annotation.HttpMethodConstraint;
+import javax.servlet.annotation.ServletSecurity;
+
+import org.apache.catalina.deploy.SecurityConstraint;
+
+@ServletSecurity(value=@HttpConstraint,
+        httpMethodConstraints={
+                @HttpMethodConstraint(value="POST",
+                        rolesAllowed=TestRealmBase.ROLE1),
+                @HttpMethodConstraint(value="PUT",
+                        rolesAllowed=SecurityConstraint.ROLE_ALL_ROLES),
+                @HttpMethodConstraint(value="TRACE",
+                        
rolesAllowed=SecurityConstraint.ROLE_ALL_AUTHENTICATED_USERS)})
+public class TesterServletSecurity01 {
+    // Class is NO-OP. It is only used to 'host' the annotation.
+}
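Review bot: The only documentation on the new class is the body comment saying it is a NO-OP, which does not tell a reader why this particular combination of an empty `@HttpConstraint` and three `@HttpMethodConstraint`s was chosen. A class Javadoc along the lines of `/** Hosts a {@link ServletSecurity} annotation for the Servlet 3.1 section 13.4.1 special case: an empty {@link HttpConstraint} combined with method constraints; see TestRealmBase#testHttpConstraint for the expected outcome per method. */` would make the fixture self-explanatory. The annotation also references `TestRealmBase.ROLE1`, which is why that constant's visibility was widened in this commit; package-private would suffice given both classes share the package declared here.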


