init

test/org/apache/catalina/realm/TestGenericPrincipal.java

@@ -0,0 +1,89 @@
+/*
+* Licensed to the Apache Software Foundation (ASF) under one or more
+* contributor license agreements.  See the NOTICE file distributed with
+* this work for additional information regarding copyright ownership.
+* The ASF licenses this file to You under the Apache License, Version 2.0
+* (the "License"); you may not use this file except in compliance with
+* the License.  You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package org.apache.catalina.realm;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.ObjectInputStream;
+import java.io.ObjectOutputStream;
+import java.io.Serializable;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
+
+import org.junit.Assert;
+import org.junit.Test;
+
+public class TestGenericPrincipal {
+
+    private static final String USER = "user";
+    private static final String PASSWORD = "pwd";
+    private static final List<String> ROLES = Collections.unmodifiableList(
+            Arrays.asList(new String[] { "ROLE1", "ROLE2" }));
+    private static final TesterPrincipal PRINCIPAL = new TesterPrincipal("Principal");
+    private static final TesterPrincipalNonSerializable PRINCIPAL_NON_SERIALIZABLE =
+            new TesterPrincipalNonSerializable("PrincipalNonSerializable");
+
+    @Test
+    public void testSerialize01() throws ClassNotFoundException, IOException {
+        GenericPrincipal gpIn = new GenericPrincipal(USER, PASSWORD, ROLES);
+        doTest(gpIn);
+    }
+
+    @Test
+    public void testSerialize02() throws ClassNotFoundException, IOException {
+        GenericPrincipal gpIn = new GenericPrincipal(USER, PASSWORD, ROLES, PRINCIPAL);
+        doTest(gpIn);
+    }
+
+    @Test
+    public void testSerialize03() throws ClassNotFoundException, IOException {
+        GenericPrincipal gpIn = new GenericPrincipal(USER, PASSWORD, ROLES, PRINCIPAL_NON_SERIALIZABLE);
+        doTest(gpIn);
+    }
+
+    private void doTest(GenericPrincipal gpIn)
+            throws ClassNotFoundException, IOException {
+        GenericPrincipal gpOut = serializeAndDeserialize(gpIn);
+
+        Assert.assertNull(gpOut.getGssCredential());
+        Assert.assertEquals(gpIn.getName(), gpOut.getName());
+        Assert.assertEquals(gpIn.getPassword(), gpOut.getPassword());
+        Assert.assertArrayEquals(gpIn.getRoles(), gpOut.getRoles());
+        if (gpIn == gpIn.getUserPrincipal()) {
+            Assert.assertEquals(gpOut, gpOut.getUserPrincipal());
+        } else if (gpIn.getUserPrincipal() instanceof Serializable) {
+            Assert.assertEquals(gpIn.getUserPrincipal(), gpOut.getUserPrincipal());
+        } else {
+            Assert.assertEquals(gpOut, gpOut.getUserPrincipal());
+        }
+    }
+
+    private GenericPrincipal serializeAndDeserialize(GenericPrincipal gpIn)
+            throws IOException, ClassNotFoundException {
+        ByteArrayOutputStream bos = new ByteArrayOutputStream();
+        ObjectOutputStream oos = new ObjectOutputStream(bos);
+        oos.writeObject(gpIn);
+
+        byte[] data = bos.toByteArray();
+
+        ByteArrayInputStream bis = new ByteArrayInputStream(data);
+        ObjectInputStream ois = new ObjectInputStream(bis);
+        return (GenericPrincipal) ois.readObject();
+    }
+}

test/org/apache/catalina/realm/TestJNDIRealm.java

@@ -0,0 +1,174 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.catalina.realm;
+
+import java.lang.reflect.Field;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.Principal;
+
+import javax.naming.NamingEnumeration;
+import javax.naming.NamingException;
+import javax.naming.directory.BasicAttributes;
+import javax.naming.directory.DirContext;
+import javax.naming.directory.InitialDirContext;
+import javax.naming.directory.SearchControls;
+import javax.naming.directory.SearchResult;
+
+import org.junit.Assert;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import org.apache.catalina.Context;
+import org.apache.catalina.LifecycleException;
+import org.apache.naming.NameParserImpl;
+import org.apache.tomcat.unittest.TesterContext;
+import org.apache.tomcat.util.security.MD5Encoder;
+import org.easymock.EasyMock;
+
+public class TestJNDIRealm {
+
+    private static final String ALGORITHM = "MD5";
+
+    private static final String USER = "test-user";
+    private static final String PASSWORD = "test-password";
+    private static final String REALM = "test-realm";
+
+    private static final String NONCE = "test-nonce";
+    private static final String HA2 = "test-md5a2";
+    public static final String USER_PASSWORD_ATTR = "test-pwd";
+
+    private static MessageDigest md5Helper;
+
+    @BeforeClass
+    public static void setupClass() throws Exception {
+        md5Helper = MessageDigest.getInstance(ALGORITHM);
+    }
+
+    @Test
+    public void testAuthenticateWithoutUserPassword() throws Exception {
+        // GIVEN
+        JNDIRealm realm = buildRealm(PASSWORD);
+
+        // WHEN
+        String expectedResponse =
+                MD5Encoder.encode(md5Helper.digest((ha1() + ":" + NONCE + ":" + HA2).getBytes()));
+        Principal principal =
+                realm.authenticate(USER, expectedResponse, NONCE, null, null, null, REALM, HA2);
+
+        // THEN
+        Assert.assertNull(principal);
+    }
+
+    @Test
+    public void testAuthenticateWithUserPassword() throws Exception {
+        // GIVEN
+        JNDIRealm realm = buildRealm(PASSWORD);
+        realm.setUserPassword(USER_PASSWORD_ATTR);
+
+        // WHEN
+        String expectedResponse =
+                MD5Encoder.encode(md5Helper.digest((ha1() + ":" + NONCE + ":" + HA2).getBytes()));
+        Principal principal =
+                realm.authenticate(USER, expectedResponse, NONCE, null, null, null, REALM, HA2);
+
+        // THEN
+        Assert.assertTrue(principal instanceof GenericPrincipal);
+        Assert.assertEquals(PASSWORD, ((GenericPrincipal)principal).getPassword());
+    }
+
+    @Test
+    public void testAuthenticateWithUserPasswordAndCredentialHandler() throws Exception {
+        // GIVEN
+        JNDIRealm realm = buildRealm(ha1());
+        realm.setCredentialHandler(buildCredentialHandler());
+        realm.setUserPassword(USER_PASSWORD_ATTR);
+
+        // WHEN
+        String expectedResponse =
+                MD5Encoder.encode(md5Helper.digest((ha1() + ":" + NONCE + ":" + HA2).getBytes()));
+        Principal principal =
+                realm.authenticate(USER, expectedResponse, NONCE, null, null, null, REALM, HA2);
+
+        // THEN
+        Assert.assertTrue(principal instanceof GenericPrincipal);
+        Assert.assertEquals(ha1(), ((GenericPrincipal)principal).getPassword());
+    }
+
+
+    private JNDIRealm buildRealm(String password) throws javax.naming.NamingException,
+            NoSuchFieldException, IllegalAccessException, LifecycleException {
+        Context context = new TesterContext();
+        JNDIRealm realm = new JNDIRealm();
+        realm.setContainer(context);
+        realm.setUserSearch("");
+
+        Field field = JNDIRealm.class.getDeclaredField("context");
+        field.setAccessible(true);
+        field.set(realm, mockDirContext(mockSearchResults(password)));
+
+        realm.start();
+
+        return realm;
+    }
+
+    private MessageDigestCredentialHandler buildCredentialHandler()
+            throws NoSuchAlgorithmException {
+        MessageDigestCredentialHandler credentialHandler = new MessageDigestCredentialHandler();
+        credentialHandler.setAlgorithm(ALGORITHM);
+        return credentialHandler;
+    }
+
+    private NamingEnumeration<SearchResult> mockSearchResults(String password)
+            throws NamingException {
+        @SuppressWarnings("unchecked")
+        NamingEnumeration<SearchResult> searchResults =
+                EasyMock.createNiceMock(NamingEnumeration.class);
+        EasyMock.expect(Boolean.valueOf(searchResults.hasMore()))
+                .andReturn(Boolean.TRUE)
+                .andReturn(Boolean.FALSE)
+                .andReturn(Boolean.TRUE)
+                .andReturn(Boolean.FALSE);
+        EasyMock.expect(searchResults.next())
+                .andReturn(new SearchResult("ANY RESULT", "",
+                        new BasicAttributes(USER_PASSWORD_ATTR, password)))
+                .times(2);
+        EasyMock.replay(searchResults);
+        return searchResults;
+    }
+
+    private DirContext mockDirContext(NamingEnumeration<SearchResult> namingEnumeration)
+            throws NamingException {
+        DirContext dirContext = EasyMock.createNiceMock(InitialDirContext.class);
+        EasyMock.expect(dirContext.search(EasyMock.anyString(), EasyMock.anyString(),
+                        EasyMock.anyObject(SearchControls.class)))
+                .andReturn(namingEnumeration)
+                .times(2);
+        EasyMock.expect(dirContext.getNameParser(""))
+                .andReturn(new NameParserImpl()).times(2);
+        EasyMock.expect(dirContext.getNameInNamespace())
+                .andReturn("ANY NAME")
+                .times(2);
+        EasyMock.replay(dirContext);
+        return dirContext;
+    }
+
+    private String ha1() {
+        String a1 = USER + ":" + REALM + ":" + PASSWORD;
+        return MD5Encoder.encode(md5Helper.digest(a1.getBytes()));
+    }
+}

test/org/apache/catalina/realm/TestJNDIRealmConvertToHexEscape.java

@@ -0,0 +1,70 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.catalina.realm;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
+
+import org.junit.Assert;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
+import org.junit.runners.Parameterized.Parameter;
+
+@RunWith(Parameterized.class)
+public class TestJNDIRealmConvertToHexEscape {
+
+    @Parameterized.Parameters(name = "{index}: in[{0}], out[{1}]")
+    public static Collection<Object[]> parameters() {
+        List<Object[]> parameterSets = new ArrayList<>();
+
+        parameterSets.add(new String[] { "none", "none" });
+        parameterSets.add(new String[] { "\\", "\\" });
+        parameterSets.add(new String[] { "\\\\", "\\5C" });
+        parameterSets.add(new String[] { "\\5C", "\\5C" });
+        parameterSets.add(new String[] { "\\ ", "\\20" });
+        parameterSets.add(new String[] { "\\20", "\\20" });
+        parameterSets.add(new String[] { "\\ foo", "\\20foo" });
+        parameterSets.add(new String[] { "\\20foo", "\\20foo" });
+        parameterSets.add(new String[] { "\\  foo", "\\20 foo" });
+        parameterSets.add(new String[] { "\\20 foo", "\\20 foo" });
+        parameterSets.add(new String[] { "\\ \\ foo", "\\20\\20foo" });
+        parameterSets.add(new String[] { "\\20\\20foo", "\\20\\20foo" });
+        parameterSets.add(new String[] { "foo\\ ", "foo\\20" });
+        parameterSets.add(new String[] { "foo\\20", "foo\\20" });
+        parameterSets.add(new String[] { "foo \\ ", "foo \\20" });
+        parameterSets.add(new String[] { "foo \\20", "foo \\20" });
+        parameterSets.add(new String[] { "foo\\ \\ ", "foo\\20\\20" });
+        parameterSets.add(new String[] { "foo\\20\\20", "foo\\20\\20" });
+
+        return parameterSets;
+    }
+
+
+    @Parameter(0)
+    public String in;
+    @Parameter(1)
+    public String out;
+
+
+    @Test
+    public void testConvertToHexEscape() throws Exception {
+        String result = JNDIRealm.convertToHexEscape(in);
+        Assert.assertEquals(out, result);
+    }
+}

test/org/apache/catalina/realm/TestMemoryRealm.java

@@ -0,0 +1,38 @@
+/*
+* Licensed to the Apache Software Foundation (ASF) under one or more
+* contributor license agreements.  See the NOTICE file distributed with
+* this work for additional information regarding copyright ownership.
+* The ASF licenses this file to You under the Apache License, Version 2.0
+* (the "License"); you may not use this file except in compliance with
+* the License.  You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package org.apache.catalina.realm;
+
+import java.security.Principal;
+
+import org.junit.Assert;
+import org.junit.Test;
+
+public class TestMemoryRealm {
+
+    /**
+     * Unknown user triggers NPE.
+     */
+    @Test
+    public void testBug56246() {
+        MemoryRealm memoryRealm = new MemoryRealm();
+        memoryRealm.setCredentialHandler(new MessageDigestCredentialHandler());
+
+        Principal p = memoryRealm.authenticate("foo", "bar");
+
+        Assert.assertNull(p);
+    }
+}

test/org/apache/catalina/realm/TestMessageDigestCredentialHandler.java

@@ -0,0 +1,60 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.catalina.realm;
+
+import java.security.NoSuchAlgorithmException;
+
+import org.junit.Assert;
+import org.junit.Test;
+
+import org.apache.tomcat.util.security.ConcurrentMessageDigest;
+
+public class TestMessageDigestCredentialHandler {
+
+    private static final String[] DIGESTS = new String[] {"MD5", "SHA-1", "SHA-512"};
+
+    private static final String PWD = "password";
+
+    static {
+        try {
+            ConcurrentMessageDigest.init("SHA-512");
+        } catch (NoSuchAlgorithmException e) {
+            throw new IllegalArgumentException(e);
+        }
+    }
+
+    @Test
+    public void testGeneral() throws Exception {
+        for (String digest : DIGESTS) {
+            for (int saltLength = 0; saltLength < 20; saltLength++) {
+                for (int iterations = 1; iterations < 100; iterations += 10)
+                doTest(digest, saltLength, iterations);
+            }
+        }
+    }
+
+    private void doTest(String digest, int saltLength, int iterations) throws NoSuchAlgorithmException {
+        MessageDigestCredentialHandler mdch = new MessageDigestCredentialHandler();
+        MessageDigestCredentialHandler verifier = new MessageDigestCredentialHandler();
+        mdch.setAlgorithm(digest);
+        mdch.setIterations(iterations);
+        mdch.setSaltLength(saltLength);
+        verifier.setAlgorithm(digest);
+        String storedCredential = mdch.mutate(PWD);
+        Assert.assertTrue(verifier.matches(PWD, storedCredential));
+    }
+}

test/org/apache/catalina/realm/TestSecretKeyCredentialHandler.java

@@ -0,0 +1,84 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.catalina.realm;
+
+import java.security.NoSuchAlgorithmException;
+
+import org.junit.Assert;
+import org.junit.Test;
+
+public class TestSecretKeyCredentialHandler {
+
+    private static final String[] ALGORITHMS = { "PBKDF2WithHmacSHA1", "PBEWithMD5AndDES" };
+    private static final String[] PASSWORDS = { "password", "$!&#%!%@$#@*^$%&%%#!!*%$%&#@!^" };
+    private static final int[] KEYLENGTHS = { 8, 111, 256 };
+    private static final int[] SALTLENGTHS = { 1, 7, 12, 20 };
+    private static final int[] ITERATIONS = { 1, 2111, 10000 };
+
+    @Test
+    public void testGeneral() throws Exception {
+        for (String digest : ALGORITHMS) {
+            for (String password : PASSWORDS) {
+                for (int saltLength : SALTLENGTHS) {
+                    for (int iterations : ITERATIONS) {
+                        for (int keyLength : KEYLENGTHS) {
+                            doTest(password, digest, saltLength, iterations, keyLength, true);
+                        }
+                    }
+                }
+            }
+        }
+    }
+
+    @Test
+    public void testZeroSalt() throws NoSuchAlgorithmException {
+        doTest(PASSWORDS[0], ALGORITHMS[0], 0, ITERATIONS[0], KEYLENGTHS[0], false);
+    }
+
+    @Test
+    public void testZeroIterations() throws NoSuchAlgorithmException {
+        doTest(PASSWORDS[0], ALGORITHMS[0], SALTLENGTHS[0], 0, KEYLENGTHS[0], false);
+    }
+
+    @Test
+    public void testZeroKeyLength() throws NoSuchAlgorithmException {
+        doTest(PASSWORDS[0], ALGORITHMS[0], SALTLENGTHS[0], ITERATIONS[0], 0, false);
+    }
+
+    private void doTest(String password, String digest, int saltLength, int iterations,
+            int keyLength, boolean expectMatch) throws NoSuchAlgorithmException {
+        SecretKeyCredentialHandler pbech = new SecretKeyCredentialHandler();
+        SecretKeyCredentialHandler verifier = new SecretKeyCredentialHandler();
+        pbech.setAlgorithm(digest);
+        pbech.setIterations(iterations);
+        pbech.setSaltLength(saltLength);
+        pbech.setKeyLength(keyLength);
+        verifier.setAlgorithm(digest);
+        String storedCredential = pbech.mutate(password);
+        if (expectMatch) {
+            Assert.assertTrue(
+                    "[" + digest + "] [" + saltLength + "] [" + iterations + "] [" + keyLength + "] ["
+                            + password + "] [" + storedCredential + "]",
+                    verifier.matches(password, storedCredential));
+        } else {
+            Assert.assertFalse(
+                    "[" + digest + "] [" + saltLength + "] [" + iterations + "] [" + keyLength + "] ["
+                            + password + "] [" + storedCredential + "]",
+                    verifier.matches(password, storedCredential));
+        }
+    }
+}

test/org/apache/catalina/realm/TesterPrincipal.java

@@ -0,0 +1,66 @@
+/*
+* Licensed to the Apache Software Foundation (ASF) under one or more
+* contributor license agreements.  See the NOTICE file distributed with
+* this work for additional information regarding copyright ownership.
+* The ASF licenses this file to You under the Apache License, Version 2.0
+* (the "License"); you may not use this file except in compliance with
+* the License.  You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package org.apache.catalina.realm;
+
+import java.io.Serializable;
+import java.security.Principal;
+
+public class TesterPrincipal implements Principal, Serializable {
+
+    private static final long serialVersionUID = 1L;
+
+    private final String name;
+
+    public TesterPrincipal(String name) {
+        this.name = name;
+    }
+
+    @Override
+    public String getName() {
+        return name;
+    }
+
+    @Override
+    public int hashCode() {
+        final int prime = 31;
+        int result = 1;
+        result = prime * result + ((name == null) ? 0 : name.hashCode());
+        return result;
+    }
+
+    @Override
+    public boolean equals(Object obj) {
+        if (this == obj) {
+            return true;
+        }
+        if (obj == null) {
+            return false;
+        }
+        if (getClass() != obj.getClass()) {
+            return false;
+        }
+        TesterPrincipal other = (TesterPrincipal) obj;
+        if (name == null) {
+            if (other.name != null) {
+                return false;
+            }
+        } else if (!name.equals(other.name)) {
+            return false;
+        }
+        return true;
+    }
+}

test/org/apache/catalina/realm/TesterPrincipalNonSerializable.java

@@ -0,0 +1,63 @@
+/*
+* Licensed to the Apache Software Foundation (ASF) under one or more
+* contributor license agreements.  See the NOTICE file distributed with
+* this work for additional information regarding copyright ownership.
+* The ASF licenses this file to You under the Apache License, Version 2.0
+* (the "License"); you may not use this file except in compliance with
+* the License.  You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package org.apache.catalina.realm;
+
+import java.security.Principal;
+
+public class TesterPrincipalNonSerializable implements Principal {
+
+    private final String name;
+
+    public TesterPrincipalNonSerializable(String name) {
+        this.name = name;
+    }
+
+    @Override
+    public String getName() {
+        return name;
+    }
+
+    @Override
+    public int hashCode() {
+        final int prime = 31;
+        int result = 1;
+        result = prime * result + ((name == null) ? 0 : name.hashCode());
+        return result;
+    }
+
+    @Override
+    public boolean equals(Object obj) {
+        if (this == obj) {
+            return true;
+        }
+        if (obj == null) {
+            return false;
+        }
+        if (getClass() != obj.getClass()) {
+            return false;
+        }
+        TesterPrincipalNonSerializable other = (TesterPrincipalNonSerializable) obj;
+        if (name == null) {
+            if (other.name != null) {
+                return false;
+            }
+        } else if (!name.equals(other.name)) {
+            return false;
+        }
+        return true;
+    }
+}

test/org/apache/catalina/realm/TesterServletSecurity01.java

@@ -0,0 +1,35 @@
+/*
+* Licensed to the Apache Software Foundation (ASF) under one or more
+* contributor license agreements.  See the NOTICE file distributed with
+* this work for additional information regarding copyright ownership.
+* The ASF licenses this file to You under the Apache License, Version 2.0
+* (the "License"); you may not use this file except in compliance with
+* the License.  You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package org.apache.catalina.realm;
+
+import javax.servlet.annotation.HttpConstraint;
+import javax.servlet.annotation.HttpMethodConstraint;
+import javax.servlet.annotation.ServletSecurity;
+
+import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
+
+@ServletSecurity(value=@HttpConstraint,
+        httpMethodConstraints={
+                @HttpMethodConstraint(value="POST",
+                        rolesAllowed=TestRealmBase.ROLE1),
+                @HttpMethodConstraint(value="PUT",
+                        rolesAllowed=SecurityConstraint.ROLE_ALL_ROLES),
+                @HttpMethodConstraint(value="TRACE",
+                        rolesAllowed=SecurityConstraint.ROLE_ALL_AUTHENTICATED_USERS)})
+public class TesterServletSecurity01 {
+    // Class is NO-OP. It is only used to 'host' the annotation.
+}