793 lines
30 KiB
Java
793 lines
30 KiB
Java
/*
|
|
* Licensed to the Apache Software Foundation (ASF) under one or more
|
|
* contributor license agreements. See the NOTICE file distributed with
|
|
* this work for additional information regarding copyright ownership.
|
|
* The ASF licenses this file to You under the Apache License, Version 2.0
|
|
* (the "License"); you may not use this file except in compliance with
|
|
* the License. You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
package org.apache.catalina.realm;
|
|
|
|
import java.io.IOException;
|
|
import java.security.Principal;
|
|
import java.util.ArrayList;
|
|
import java.util.List;
|
|
|
|
import javax.servlet.ServletSecurityElement;
|
|
import javax.servlet.annotation.ServletSecurity;
|
|
|
|
import org.junit.Assert;
|
|
import org.junit.Test;
|
|
|
|
import org.apache.catalina.Context;
|
|
import org.apache.catalina.connector.Request;
|
|
import org.apache.catalina.connector.Response;
|
|
import org.apache.catalina.startup.TesterMapRealm;
|
|
import org.apache.tomcat.unittest.TesterContext;
|
|
import org.apache.tomcat.unittest.TesterRequest;
|
|
import org.apache.tomcat.unittest.TesterResponse;
|
|
import org.apache.tomcat.util.descriptor.web.SecurityCollection;
|
|
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
|
|
|
|
public class TestRealmBase {
|
|
|
|
private static final String USER1 = "user1";
|
|
private static final String USER2 = "user2";
|
|
private static final String USER99 = "user99";
|
|
private static final String PWD = "password";
|
|
public static final String ROLE1 = "role1";
|
|
private static final String ROLE2 = "role2";
|
|
private static final String ROLE3 = "role3";
|
|
private static final String ROLE99 = "role99";
|
|
|
|
// All digested passwords are the digested form of "password"
|
|
private static final String PWD_MD5 = "5f4dcc3b5aa765d61d8327deb882cf99";
|
|
private static final String PWD_SHA = "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8";
|
|
private static final String PWD_MD5_PREFIX =
|
|
"{MD5}X03MO1qnZdYdgyfeuILPmQ==";
|
|
private static final String PWD_SHA_PREFIX =
|
|
"{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=";
|
|
// Salt added to "password" is "salttoprotectpassword"
|
|
private static final String PWD_SSHA_PREFIX =
|
|
"{SSHA}oFLhvfQVqFykEWu8v1pPE6nN0QRzYWx0dG9wcm90ZWN0cGFzc3dvcmQ=";
|
|
|
|
@Test
|
|
public void testDigestMD5() throws Exception {
|
|
doTestDigestDigestPasswords(PWD, "MD5", PWD_MD5);
|
|
}
|
|
|
|
@Test
|
|
public void testDigestSHA() throws Exception {
|
|
doTestDigestDigestPasswords(PWD, "SHA", PWD_SHA);
|
|
}
|
|
|
|
@Test
|
|
public void testDigestMD5Prefix() throws Exception {
|
|
doTestDigestDigestPasswords(PWD, "MD5", PWD_MD5_PREFIX);
|
|
}
|
|
|
|
@Test
|
|
public void testDigestSHAPrefix() throws Exception {
|
|
doTestDigestDigestPasswords(PWD, "SHA", PWD_SHA_PREFIX);
|
|
}
|
|
|
|
@Test
|
|
public void testDigestSSHAPrefix() throws Exception {
|
|
doTestDigestDigestPasswords(PWD, "SHA", PWD_SSHA_PREFIX);
|
|
}
|
|
|
|
private void doTestDigestDigestPasswords(String password,
|
|
String digest, String digestedPassword) throws Exception {
|
|
Context context = new TesterContext();
|
|
TesterMapRealm realm = new TesterMapRealm();
|
|
realm.setContainer(context);
|
|
MessageDigestCredentialHandler ch = new MessageDigestCredentialHandler();
|
|
ch.setAlgorithm(digest);
|
|
realm.setCredentialHandler(ch);
|
|
realm.start();
|
|
|
|
realm.addUser(USER1, digestedPassword);
|
|
|
|
Principal p = realm.authenticate(USER1, password);
|
|
|
|
Assert.assertNotNull(p);
|
|
Assert.assertEquals(USER1, p.getName());
|
|
}
|
|
|
|
@Test
|
|
public void testUserWithSingleRole() throws IOException {
|
|
List<String> userRoles = new ArrayList<>();
|
|
List<String> constraintRoles = new ArrayList<>();
|
|
List<String> applicationRoles = new ArrayList<>();
|
|
|
|
// Configure this test
|
|
userRoles.add(ROLE1);
|
|
constraintRoles.add(ROLE1);
|
|
applicationRoles.add(ROLE1);
|
|
|
|
doRoleTest(userRoles, constraintRoles, applicationRoles, true);
|
|
}
|
|
|
|
|
|
@Test
|
|
public void testUserWithNoRoles() throws IOException {
|
|
List<String> userRoles = new ArrayList<>();
|
|
List<String> constraintRoles = new ArrayList<>();
|
|
List<String> applicationRoles = new ArrayList<>();
|
|
|
|
// Configure this test
|
|
constraintRoles.add(ROLE1);
|
|
applicationRoles.add(ROLE1);
|
|
|
|
doRoleTest(userRoles, constraintRoles, applicationRoles, false);
|
|
}
|
|
|
|
|
|
@Test
|
|
public void testUserWithSingleRoleAndAllRoles() throws IOException {
|
|
List<String> userRoles = new ArrayList<>();
|
|
List<String> constraintRoles = new ArrayList<>();
|
|
List<String> applicationRoles = new ArrayList<>();
|
|
|
|
// Configure this test
|
|
userRoles.add(ROLE1);
|
|
applicationRoles.add(ROLE1);
|
|
constraintRoles.add(SecurityConstraint.ROLE_ALL_ROLES);
|
|
|
|
doRoleTest(userRoles, constraintRoles, applicationRoles, true);
|
|
}
|
|
|
|
|
|
@Test
|
|
public void testUserWithoutNoRolesAndAllRoles() throws IOException {
|
|
List<String> userRoles = new ArrayList<>();
|
|
List<String> constraintRoles = new ArrayList<>();
|
|
List<String> applicationRoles = new ArrayList<>();
|
|
|
|
// Configure this test
|
|
constraintRoles.add(SecurityConstraint.ROLE_ALL_ROLES);
|
|
applicationRoles.add(ROLE1);
|
|
|
|
doRoleTest(userRoles, constraintRoles, applicationRoles, false);
|
|
}
|
|
|
|
|
|
@Test
|
|
public void testAllRolesWithNoAppRole() throws IOException {
|
|
List<String> userRoles = new ArrayList<>();
|
|
List<String> constraintRoles = new ArrayList<>();
|
|
List<String> applicationRoles = new ArrayList<>();
|
|
|
|
// Configure this test
|
|
userRoles.add(ROLE1);
|
|
constraintRoles.add(SecurityConstraint.ROLE_ALL_ROLES);
|
|
|
|
doRoleTest(userRoles, constraintRoles, applicationRoles, false);
|
|
}
|
|
|
|
|
|
@Test
|
|
public void testAllAuthenticatedUsers() throws IOException {
|
|
List<String> userRoles = new ArrayList<>();
|
|
List<String> constraintRoles = new ArrayList<>();
|
|
List<String> applicationRoles = new ArrayList<>();
|
|
|
|
// Configure this test
|
|
constraintRoles.add(SecurityConstraint.ROLE_ALL_AUTHENTICATED_USERS);
|
|
|
|
doRoleTest(userRoles, constraintRoles, applicationRoles, true);
|
|
}
|
|
|
|
|
|
@Test
|
|
public void testAllAuthenticatedUsersAsAppRoleNoUser() throws IOException {
|
|
List<String> userRoles = new ArrayList<>();
|
|
List<String> constraintRoles = new ArrayList<>();
|
|
List<String> applicationRoles = new ArrayList<>();
|
|
|
|
// Configure this test
|
|
userRoles.add(ROLE1);
|
|
constraintRoles.add(SecurityConstraint.ROLE_ALL_AUTHENTICATED_USERS);
|
|
applicationRoles.add(SecurityConstraint.ROLE_ALL_AUTHENTICATED_USERS);
|
|
|
|
doRoleTest(userRoles, constraintRoles, applicationRoles, false);
|
|
}
|
|
|
|
|
|
@Test
|
|
public void testAllAuthenticatedUsersAsAppRoleWithUser()
|
|
throws IOException {
|
|
List<String> userRoles = new ArrayList<>();
|
|
List<String> constraintRoles = new ArrayList<>();
|
|
List<String> applicationRoles = new ArrayList<>();
|
|
|
|
// Configure this test
|
|
userRoles.add(SecurityConstraint.ROLE_ALL_AUTHENTICATED_USERS);
|
|
constraintRoles.add(SecurityConstraint.ROLE_ALL_AUTHENTICATED_USERS);
|
|
applicationRoles.add(SecurityConstraint.ROLE_ALL_AUTHENTICATED_USERS);
|
|
|
|
doRoleTest(userRoles, constraintRoles, applicationRoles, true);
|
|
}
|
|
|
|
|
|
@Test
|
|
public void testNoAuthConstraint() throws IOException {
|
|
// No auth constraint == allow access for all
|
|
List<String> applicationRoles = new ArrayList<>();
|
|
|
|
doRoleTest(null, null, applicationRoles, true);
|
|
}
|
|
|
|
|
|
/*
|
|
* The combining constraints tests are based on the scenarios described in
|
|
* section
|
|
*/
|
|
|
|
@Test
|
|
public void testCombineConstraints01() throws IOException {
|
|
// Allowed roles should be the union of the roles in the constraints
|
|
// User role is in first constraint
|
|
List<String> userRoles = new ArrayList<>();
|
|
List<String> constraintOneRoles = new ArrayList<>();
|
|
List<String> constraintTwoRoles = new ArrayList<>();
|
|
List<String> applicationRoles = new ArrayList<>();
|
|
|
|
userRoles.add(ROLE1);
|
|
constraintOneRoles.add(ROLE1);
|
|
constraintTwoRoles.add(ROLE2);
|
|
applicationRoles.add(ROLE1);
|
|
applicationRoles.add(ROLE2);
|
|
|
|
doRoleTest(userRoles, constraintOneRoles, constraintTwoRoles,
|
|
applicationRoles, true);
|
|
}
|
|
|
|
|
|
@Test
|
|
public void testCombineConstraints02() throws IOException {
|
|
// Allowed roles should be the union of the roles in the constraints
|
|
// User role is in last constraint
|
|
List<String> userRoles = new ArrayList<>();
|
|
List<String> constraintOneRoles = new ArrayList<>();
|
|
List<String> constraintTwoRoles = new ArrayList<>();
|
|
List<String> applicationRoles = new ArrayList<>();
|
|
|
|
userRoles.add(ROLE2);
|
|
constraintOneRoles.add(ROLE1);
|
|
constraintTwoRoles.add(ROLE2);
|
|
applicationRoles.add(ROLE1);
|
|
applicationRoles.add(ROLE2);
|
|
|
|
doRoleTest(userRoles, constraintOneRoles, constraintTwoRoles,
|
|
applicationRoles, true);
|
|
}
|
|
|
|
|
|
@Test
|
|
public void testCombineConstraints03() throws IOException {
|
|
// Allowed roles should be the union of the roles in the constraints
|
|
// User role is not in any constraint
|
|
List<String> userRoles = new ArrayList<>();
|
|
List<String> constraintOneRoles = new ArrayList<>();
|
|
List<String> constraintTwoRoles = new ArrayList<>();
|
|
List<String> applicationRoles = new ArrayList<>();
|
|
|
|
userRoles.add(ROLE3);
|
|
constraintOneRoles.add(ROLE1);
|
|
constraintTwoRoles.add(ROLE2);
|
|
applicationRoles.add(ROLE1);
|
|
applicationRoles.add(ROLE2);
|
|
|
|
doRoleTest(userRoles, constraintOneRoles, constraintTwoRoles,
|
|
applicationRoles, false);
|
|
}
|
|
|
|
|
|
@Test
|
|
public void testCombineConstraints04() throws IOException {
|
|
// Allowed roles should be the union of the roles in the constraints
|
|
// * is any app role
|
|
// User role is not in any constraint
|
|
List<String> userRoles = new ArrayList<>();
|
|
List<String> constraintOneRoles = new ArrayList<>();
|
|
List<String> constraintTwoRoles = new ArrayList<>();
|
|
List<String> applicationRoles = new ArrayList<>();
|
|
|
|
userRoles.add(ROLE99);
|
|
constraintOneRoles.add(ROLE1);
|
|
constraintTwoRoles.add(SecurityConstraint.ROLE_ALL_ROLES);
|
|
applicationRoles.add(ROLE2);
|
|
applicationRoles.add(ROLE3);
|
|
|
|
doRoleTest(userRoles, constraintOneRoles, constraintTwoRoles,
|
|
applicationRoles, false);
|
|
}
|
|
|
|
|
|
@Test
|
|
public void testCombineConstraints05() throws IOException {
|
|
// Allowed roles should be the union of the roles in the constraints
|
|
// * is any app role
|
|
// User role is a non-app constraint role
|
|
List<String> userRoles = new ArrayList<>();
|
|
List<String> constraintOneRoles = new ArrayList<>();
|
|
List<String> constraintTwoRoles = new ArrayList<>();
|
|
List<String> applicationRoles = new ArrayList<>();
|
|
|
|
userRoles.add(ROLE1);
|
|
constraintOneRoles.add(ROLE1);
|
|
constraintTwoRoles.add(SecurityConstraint.ROLE_ALL_ROLES);
|
|
applicationRoles.add(ROLE2);
|
|
applicationRoles.add(ROLE3);
|
|
|
|
doRoleTest(userRoles, constraintOneRoles, constraintTwoRoles,
|
|
applicationRoles, true);
|
|
}
|
|
|
|
|
|
@Test
|
|
public void testCombineConstraints06() throws IOException {
|
|
// Allowed roles should be the union of the roles in the constraints
|
|
// * is any app role
|
|
// User role is an app role
|
|
List<String> userRoles = new ArrayList<>();
|
|
List<String> constraintOneRoles = new ArrayList<>();
|
|
List<String> constraintTwoRoles = new ArrayList<>();
|
|
List<String> applicationRoles = new ArrayList<>();
|
|
|
|
userRoles.add(ROLE2);
|
|
constraintOneRoles.add(ROLE1);
|
|
constraintTwoRoles.add(SecurityConstraint.ROLE_ALL_ROLES);
|
|
applicationRoles.add(ROLE2);
|
|
applicationRoles.add(ROLE3);
|
|
|
|
doRoleTest(userRoles, constraintOneRoles, constraintTwoRoles,
|
|
applicationRoles, true);
|
|
}
|
|
|
|
|
|
@Test
|
|
public void testCombineConstraints07() throws IOException {
|
|
// Allowed roles should be the union of the roles in the constraints
|
|
// * is any app role
|
|
// User has no role
|
|
List<String> userRoles = new ArrayList<>();
|
|
List<String> constraintOneRoles = new ArrayList<>();
|
|
List<String> constraintTwoRoles = new ArrayList<>();
|
|
List<String> applicationRoles = new ArrayList<>();
|
|
|
|
constraintOneRoles.add(ROLE1);
|
|
constraintTwoRoles.add(SecurityConstraint.ROLE_ALL_ROLES);
|
|
applicationRoles.add(ROLE2);
|
|
applicationRoles.add(ROLE3);
|
|
|
|
doRoleTest(userRoles, constraintOneRoles, constraintTwoRoles,
|
|
applicationRoles, false);
|
|
}
|
|
|
|
|
|
@Test
|
|
public void testCombineConstraints08() throws IOException {
|
|
// Allowed roles should be the union of the roles in the constraints
|
|
// ** is any authenticated user
|
|
// User has no role
|
|
List<String> userRoles = new ArrayList<>();
|
|
List<String> constraintOneRoles = new ArrayList<>();
|
|
List<String> constraintTwoRoles = new ArrayList<>();
|
|
List<String> applicationRoles = new ArrayList<>();
|
|
|
|
constraintOneRoles.add(ROLE1);
|
|
constraintTwoRoles.add(SecurityConstraint.ROLE_ALL_AUTHENTICATED_USERS);
|
|
applicationRoles.add(ROLE2);
|
|
applicationRoles.add(ROLE3);
|
|
|
|
doRoleTest(userRoles, constraintOneRoles, constraintTwoRoles,
|
|
applicationRoles, true);
|
|
}
|
|
|
|
|
|
@Test
|
|
public void testCombineConstraints09() throws IOException {
|
|
// Allowed roles should be the union of the roles in the constraints
|
|
// ** is any authenticated user
|
|
// User has constraint role
|
|
List<String> userRoles = new ArrayList<>();
|
|
List<String> constraintOneRoles = new ArrayList<>();
|
|
List<String> constraintTwoRoles = new ArrayList<>();
|
|
List<String> applicationRoles = new ArrayList<>();
|
|
|
|
userRoles.add(ROLE1);
|
|
constraintOneRoles.add(ROLE1);
|
|
constraintTwoRoles.add(SecurityConstraint.ROLE_ALL_AUTHENTICATED_USERS);
|
|
applicationRoles.add(ROLE2);
|
|
applicationRoles.add(ROLE3);
|
|
|
|
doRoleTest(userRoles, constraintOneRoles, constraintTwoRoles,
|
|
applicationRoles, true);
|
|
}
|
|
|
|
|
|
@Test
|
|
public void testCombineConstraints10() throws IOException {
|
|
// Allowed roles should be the union of the roles in the constraints
|
|
// ** is any authenticated user
|
|
// User has app role
|
|
List<String> userRoles = new ArrayList<>();
|
|
List<String> constraintOneRoles = new ArrayList<>();
|
|
List<String> constraintTwoRoles = new ArrayList<>();
|
|
List<String> applicationRoles = new ArrayList<>();
|
|
|
|
userRoles.add(ROLE2);
|
|
constraintOneRoles.add(ROLE1);
|
|
constraintTwoRoles.add(SecurityConstraint.ROLE_ALL_AUTHENTICATED_USERS);
|
|
applicationRoles.add(ROLE2);
|
|
applicationRoles.add(ROLE3);
|
|
|
|
doRoleTest(userRoles, constraintOneRoles, constraintTwoRoles,
|
|
applicationRoles, true);
|
|
}
|
|
|
|
|
|
@Test
|
|
public void testCombineConstraints11() throws IOException {
|
|
// Allowed roles should be the union of the roles in the constraints
|
|
// ** is any authenticated user
|
|
// User is not authenticated
|
|
List<String> constraintOneRoles = new ArrayList<>();
|
|
List<String> constraintTwoRoles = new ArrayList<>();
|
|
List<String> applicationRoles = new ArrayList<>();
|
|
|
|
constraintOneRoles.add(ROLE1);
|
|
constraintTwoRoles.add(SecurityConstraint.ROLE_ALL_AUTHENTICATED_USERS);
|
|
applicationRoles.add(ROLE2);
|
|
applicationRoles.add(ROLE3);
|
|
|
|
doRoleTest(null, constraintOneRoles, constraintTwoRoles,
|
|
applicationRoles, false);
|
|
}
|
|
|
|
|
|
@Test
|
|
public void testCombineConstraints12() throws IOException {
|
|
// Allowed roles should be the union of the roles in the constraints
|
|
// Constraint without role or implied role permits unauthenticated users
|
|
// User is not authenticated
|
|
List<String> constraintTwoRoles = new ArrayList<>();
|
|
List<String> applicationRoles = new ArrayList<>();
|
|
|
|
constraintTwoRoles.add(ROLE1);
|
|
applicationRoles.add(ROLE1);
|
|
|
|
doRoleTest(null, null, constraintTwoRoles,
|
|
applicationRoles, true);
|
|
}
|
|
|
|
|
|
@Test
|
|
public void testCombineConstraints13() throws IOException {
|
|
// Allowed roles should be the union of the roles in the constraints
|
|
// Constraint without role or implied role permits unauthenticated users
|
|
// User is not authenticated
|
|
List<String> constraintTwoRoles = new ArrayList<>();
|
|
List<String> applicationRoles = new ArrayList<>();
|
|
|
|
constraintTwoRoles.add(SecurityConstraint.ROLE_ALL_ROLES);
|
|
applicationRoles.add(ROLE1);
|
|
|
|
doRoleTest(null, null, constraintTwoRoles,
|
|
applicationRoles, true);
|
|
}
|
|
|
|
|
|
@Test
|
|
public void testCombineConstraints14() throws IOException {
|
|
// Allowed roles should be the union of the roles in the constraints
|
|
// Constraint without role or implied role permits unauthenticated users
|
|
// User is not authenticated
|
|
List<String> constraintTwoRoles = new ArrayList<>();
|
|
List<String> applicationRoles = new ArrayList<>();
|
|
|
|
constraintTwoRoles.add(SecurityConstraint.ROLE_ALL_AUTHENTICATED_USERS);
|
|
applicationRoles.add(ROLE1);
|
|
|
|
doRoleTest(null, null, constraintTwoRoles,
|
|
applicationRoles, true);
|
|
}
|
|
|
|
|
|
@Test
|
|
public void testCombineConstraints15() throws IOException {
|
|
// Allowed roles should be the union of the roles in the constraints
|
|
// Constraint with empty auth section prevents all access
|
|
// User has matching constraint role
|
|
List<String> userRoles = new ArrayList<>();
|
|
List<String> constraintOneRoles = new ArrayList<>();
|
|
List<String> constraintTwoRoles = new ArrayList<>();
|
|
List<String> applicationRoles = new ArrayList<>();
|
|
|
|
userRoles.add(ROLE1);
|
|
constraintTwoRoles.add(ROLE1);
|
|
applicationRoles.add(ROLE1);
|
|
|
|
doRoleTest(userRoles, constraintOneRoles, constraintTwoRoles,
|
|
applicationRoles, false);
|
|
}
|
|
|
|
|
|
@Test
|
|
public void testCombineConstraints16() throws IOException {
|
|
// Allowed roles should be the union of the roles in the constraints
|
|
// Constraint with empty auth section prevents all access
|
|
// User has matching role
|
|
List<String> userRoles = new ArrayList<>();
|
|
List<String> constraintOneRoles = new ArrayList<>();
|
|
List<String> constraintTwoRoles = new ArrayList<>();
|
|
List<String> applicationRoles = new ArrayList<>();
|
|
|
|
userRoles.add(ROLE1);
|
|
constraintTwoRoles.add(SecurityConstraint.ROLE_ALL_ROLES);
|
|
applicationRoles.add(ROLE1);
|
|
|
|
doRoleTest(userRoles, constraintOneRoles, constraintTwoRoles,
|
|
applicationRoles, false);
|
|
}
|
|
|
|
|
|
@Test
|
|
public void testCombineConstraints17() throws IOException {
|
|
// Allowed roles should be the union of the roles in the constraints
|
|
// Constraint with empty auth section prevents all access
|
|
// User matches all authenticated users
|
|
List<String> userRoles = new ArrayList<>();
|
|
List<String> constraintOneRoles = new ArrayList<>();
|
|
List<String> constraintTwoRoles = new ArrayList<>();
|
|
List<String> applicationRoles = new ArrayList<>();
|
|
|
|
userRoles.add(ROLE1);
|
|
constraintTwoRoles.add(SecurityConstraint.ROLE_ALL_AUTHENTICATED_USERS);
|
|
applicationRoles.add(ROLE1);
|
|
|
|
doRoleTest(userRoles, constraintOneRoles, constraintTwoRoles,
|
|
applicationRoles, false);
|
|
}
|
|
|
|
|
|
/**
|
|
* @param userRoles <code>null</code> tests unauthenticated access
|
|
* otherwise access is tested with an authenticated
|
|
* user with the listed roles
|
|
* @param constraintRoles <code>null</code> is equivalent to no auth
|
|
* constraint whereas an empty list is equivalent
|
|
* to an auth constraint that defines no roles.
|
|
*/
|
|
private void doRoleTest(List<String> userRoles,
|
|
List<String> constraintRoles, List<String> applicationRoles,
|
|
boolean expected) throws IOException {
|
|
|
|
List<String> constraintTwoRoles = new ArrayList<>();
|
|
constraintTwoRoles.add(ROLE99);
|
|
doRoleTest(userRoles, constraintRoles, constraintTwoRoles,
|
|
applicationRoles, expected);
|
|
}
|
|
|
|
|
|
private void doRoleTest(List<String> userRoles,
|
|
List<String> constraintOneRoles, List<String> constraintTwoRoles,
|
|
List<String> applicationRoles, boolean expected)
|
|
throws IOException {
|
|
|
|
TesterMapRealm mapRealm = new TesterMapRealm();
|
|
|
|
// Configure the security constraints for the resource
|
|
SecurityConstraint constraintOne = new SecurityConstraint();
|
|
if (constraintOneRoles != null) {
|
|
constraintOne.setAuthConstraint(true);
|
|
for (String constraintRole : constraintOneRoles) {
|
|
constraintOne.addAuthRole(constraintRole);
|
|
if (applicationRoles.contains(
|
|
SecurityConstraint.ROLE_ALL_AUTHENTICATED_USERS)) {
|
|
constraintOne.treatAllAuthenticatedUsersAsApplicationRole();
|
|
}
|
|
}
|
|
}
|
|
SecurityConstraint constraintTwo = new SecurityConstraint();
|
|
if (constraintTwoRoles != null) {
|
|
constraintTwo.setAuthConstraint(true);
|
|
for (String constraintRole : constraintTwoRoles) {
|
|
constraintTwo.addAuthRole(constraintRole);
|
|
if (applicationRoles.contains(
|
|
SecurityConstraint.ROLE_ALL_AUTHENTICATED_USERS)) {
|
|
constraintTwo.treatAllAuthenticatedUsersAsApplicationRole();
|
|
}
|
|
}
|
|
}
|
|
SecurityConstraint[] constraints =
|
|
new SecurityConstraint[] { constraintOne, constraintTwo };
|
|
|
|
// Set up the mock request and response
|
|
Request request = new Request();
|
|
Response response = new TesterResponse();
|
|
Context context = new TesterContext();
|
|
for (String applicationRole : applicationRoles) {
|
|
context.addSecurityRole(applicationRole);
|
|
}
|
|
request.getMappingData().context = context;
|
|
|
|
// Set up an authenticated user
|
|
// Configure the users in the Realm
|
|
if (userRoles != null) {
|
|
GenericPrincipal gp = new GenericPrincipal(USER1, PWD, userRoles);
|
|
request.setUserPrincipal(gp);
|
|
}
|
|
|
|
// Check if user meets constraints
|
|
boolean result = mapRealm.hasResourcePermission(
|
|
request, response, constraints, null);
|
|
|
|
Assert.assertEquals(Boolean.valueOf(expected), Boolean.valueOf(result));
|
|
}
|
|
|
|
|
|
/*
|
|
* This test case covers the special case in section 13.4.1 of the Servlet
|
|
* 3.1 specification for {@link javax.servlet.annotation.HttpConstraint}.
|
|
*/
|
|
@Test
|
|
public void testHttpConstraint() throws IOException {
|
|
// Get the annotation from the test case
|
|
Class<TesterServletSecurity01> clazz = TesterServletSecurity01.class;
|
|
ServletSecurity servletSecurity =
|
|
clazz.getAnnotation(ServletSecurity.class);
|
|
|
|
// Convert the annotation into constraints
|
|
ServletSecurityElement servletSecurityElement =
|
|
new ServletSecurityElement(servletSecurity);
|
|
SecurityConstraint[] constraints =
|
|
SecurityConstraint.createConstraints(
|
|
servletSecurityElement, "/*");
|
|
|
|
// Create a separate constraint that covers DELETE
|
|
SecurityConstraint deleteConstraint = new SecurityConstraint();
|
|
deleteConstraint.addAuthRole(ROLE1);
|
|
SecurityCollection deleteCollection = new SecurityCollection();
|
|
deleteCollection.addMethod("DELETE");
|
|
deleteCollection.addPatternDecoded("/*");
|
|
deleteConstraint.addCollection(deleteCollection);
|
|
|
|
TesterMapRealm mapRealm = new TesterMapRealm();
|
|
|
|
// Set up the mock request and response
|
|
TesterRequest request = new TesterRequest();
|
|
Response response = new TesterResponse();
|
|
Context context = request.getContext();
|
|
context.addSecurityRole(ROLE1);
|
|
context.addSecurityRole(ROLE2);
|
|
request.getMappingData().context = context;
|
|
|
|
// Create the principals
|
|
List<String> userRoles1 = new ArrayList<>();
|
|
userRoles1.add(ROLE1);
|
|
GenericPrincipal gp1 = new GenericPrincipal(USER1, PWD, userRoles1);
|
|
|
|
List<String> userRoles2 = new ArrayList<>();
|
|
userRoles2.add(ROLE2);
|
|
GenericPrincipal gp2 = new GenericPrincipal(USER2, PWD, userRoles2);
|
|
|
|
List<String> userRoles99 = new ArrayList<>();
|
|
GenericPrincipal gp99 = new GenericPrincipal(USER99, PWD, userRoles99);
|
|
|
|
// Add the constraints to the context
|
|
for (SecurityConstraint constraint : constraints) {
|
|
context.addConstraint(constraint);
|
|
}
|
|
context.addConstraint(deleteConstraint);
|
|
|
|
// All users should be able to perform a GET
|
|
request.setMethod("GET");
|
|
|
|
SecurityConstraint[] constraintsGet =
|
|
mapRealm.findSecurityConstraints(request, context);
|
|
|
|
request.setUserPrincipal(null);
|
|
Assert.assertTrue(mapRealm.hasResourcePermission(
|
|
request, response, constraintsGet, null));
|
|
request.setUserPrincipal(gp1);
|
|
Assert.assertTrue(mapRealm.hasResourcePermission(
|
|
request, response, constraintsGet, null));
|
|
request.setUserPrincipal(gp2);
|
|
Assert.assertTrue(mapRealm.hasResourcePermission(
|
|
request, response, constraintsGet, null));
|
|
request.setUserPrincipal(gp99);
|
|
Assert.assertTrue(mapRealm.hasResourcePermission(
|
|
request, response, constraintsGet, null));
|
|
|
|
// Only user1 should be able to perform a POST as only that user has
|
|
// role1.
|
|
request.setMethod("POST");
|
|
|
|
SecurityConstraint[] constraintsPost =
|
|
mapRealm.findSecurityConstraints(request, context);
|
|
|
|
request.setUserPrincipal(null);
|
|
Assert.assertFalse(mapRealm.hasResourcePermission(
|
|
request, response, constraintsPost, null));
|
|
request.setUserPrincipal(gp1);
|
|
Assert.assertTrue(mapRealm.hasResourcePermission(
|
|
request, response, constraintsPost, null));
|
|
request.setUserPrincipal(gp2);
|
|
Assert.assertFalse(mapRealm.hasResourcePermission(
|
|
request, response, constraintsPost, null));
|
|
request.setUserPrincipal(gp99);
|
|
Assert.assertFalse(mapRealm.hasResourcePermission(
|
|
request, response, constraintsPost, null));
|
|
|
|
// Only users with application roles (role1 or role2 so user1 or user2)
|
|
// should be able to perform a PUT.
|
|
request.setMethod("PUT");
|
|
|
|
SecurityConstraint[] constraintsPut =
|
|
mapRealm.findSecurityConstraints(request, context);
|
|
|
|
request.setUserPrincipal(null);
|
|
Assert.assertFalse(mapRealm.hasResourcePermission(
|
|
request, response, constraintsPut, null));
|
|
request.setUserPrincipal(gp1);
|
|
Assert.assertTrue(mapRealm.hasResourcePermission(
|
|
request, response, constraintsPut, null));
|
|
request.setUserPrincipal(gp2);
|
|
Assert.assertTrue(mapRealm.hasResourcePermission(
|
|
request, response, constraintsPut, null));
|
|
request.setUserPrincipal(gp99);
|
|
Assert.assertFalse(mapRealm.hasResourcePermission(
|
|
request, response, constraintsPut, null));
|
|
|
|
// Any authenticated user should be able to perform a TRACE.
|
|
request.setMethod("TRACE");
|
|
|
|
SecurityConstraint[] constraintsTrace =
|
|
mapRealm.findSecurityConstraints(request, context);
|
|
|
|
request.setUserPrincipal(null);
|
|
Assert.assertFalse(mapRealm.hasResourcePermission(
|
|
request, response, constraintsTrace, null));
|
|
request.setUserPrincipal(gp1);
|
|
Assert.assertTrue(mapRealm.hasResourcePermission(
|
|
request, response, constraintsTrace, null));
|
|
request.setUserPrincipal(gp2);
|
|
Assert.assertTrue(mapRealm.hasResourcePermission(
|
|
request, response, constraintsTrace, null));
|
|
request.setUserPrincipal(gp99);
|
|
Assert.assertTrue(mapRealm.hasResourcePermission(
|
|
request, response, constraintsTrace, null));
|
|
|
|
// Only user1 should be able to perform a DELETE as only that user has
|
|
// role1.
|
|
request.setMethod("DELETE");
|
|
|
|
SecurityConstraint[] constraintsDelete =
|
|
mapRealm.findSecurityConstraints(request, context);
|
|
|
|
request.setUserPrincipal(null);
|
|
Assert.assertFalse(mapRealm.hasResourcePermission(
|
|
request, response, constraintsDelete, null));
|
|
request.setUserPrincipal(gp1);
|
|
Assert.assertTrue(mapRealm.hasResourcePermission(
|
|
request, response, constraintsDelete, null));
|
|
request.setUserPrincipal(gp2);
|
|
Assert.assertFalse(mapRealm.hasResourcePermission(
|
|
request, response, constraintsDelete, null));
|
|
request.setUserPrincipal(gp99);
|
|
Assert.assertFalse(mapRealm.hasResourcePermission(
|
|
request, response, constraintsDelete, null));
|
|
}
|
|
}
|