
Example 11 with DigestWWWAuthenticateToken

Use of io.undertow.security.impl.DigestWWWAuthenticateToken in the project undertow by undertow-io.

From the class DigestAuthentication2069TestCase, method testBadUserName.

// Imports listed on the page for this snippet:
import org.apache.http.Header;
import org.apache.http.HttpResponse;
import org.apache.http.client.methods.HttpGet;
import io.undertow.security.impl.DigestWWWAuthenticateToken;
import io.undertow.testutils.TestHttpClient;
import org.junit.Test;
// Further imports the snippet relies on (standard Undertow/JUnit locations):
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
import static io.undertow.util.Headers.AUTHORIZATION;
import static io.undertow.util.Headers.DIGEST;
import static io.undertow.util.Headers.WWW_AUTHENTICATE;
import io.undertow.util.StatusCodes;
import java.util.Map;
// REALM_NAME, createResponse(...), assertSingleNotificationType(...), DigestAlgorithm,
// DigestAuthorizationToken, DefaultServer and EventType come from the enclosing test
// class and its Undertow test support classes and are not shown on this page.

/**
 * Test that a request is correctly rejected with a bad user name.
 *
 * In this case the supplied username is wrong, and the generated response cannot be
 * valid either, because there is no corresponding user whose password could produce it.
 */
@Test
public void testBadUserName() throws Exception {
    // Step 1: an unauthenticated request must be challenged with 401 and a single
    // WWW-Authenticate: Digest header.
    TestHttpClient client = new TestHttpClient();
    HttpGet get = new HttpGet(DefaultServer.getDefaultServerURL());
    HttpResponse result = client.execute(get);
    assertEquals(StatusCodes.UNAUTHORIZED, result.getStatusLine().getStatusCode());
    Header[] values = result.getHeaders(WWW_AUTHENTICATE.toString());
    assertEquals(1, values.length);
    String value = values[0].getValue();
    assertTrue(value.startsWith(DIGEST.toString()));
    // Step 2: parse the challenge (skip the leading "Digest " prefix) and check the
    // realm and algorithm the server advertises, then take the server-issued nonce.
    Map<DigestWWWAuthenticateToken, String> parsedHeader = DigestWWWAuthenticateToken.parseHeader(value.substring(7));
    assertEquals(REALM_NAME, parsedHeader.get(DigestWWWAuthenticateToken.REALM));
    assertEquals(DigestAlgorithm.MD5.getToken(), parsedHeader.get(DigestWWWAuthenticateToken.ALGORITHM));
    String nonce = parsedHeader.get(DigestWWWAuthenticateToken.NONCE);
    // Step 3: compute a digest response for a username that does not exist. The
    // password is irrelevant here: the server has no credentials for "badUser".
    String response = createResponse("badUser", REALM_NAME, "passwordOne", "GET", "/", nonce);
    // Step 4: build the Authorization header by hand from the individual digest tokens.
    client = new TestHttpClient();
    get = new HttpGet(DefaultServer.getDefaultServerURL());
    StringBuilder sb = new StringBuilder(DIGEST.toString());
    sb.append(" ");
    sb.append(DigestAuthorizationToken.USERNAME.getName()).append("=").append("\"badUser\"").append(",");
    sb.append(DigestAuthorizationToken.REALM.getName()).append("=\"").append(REALM_NAME).append("\",");
    sb.append(DigestAuthorizationToken.NONCE.getName()).append("=\"").append(nonce).append("\",");
    sb.append(DigestAuthorizationToken.DIGEST_URI.getName()).append("=\"/\",");
    sb.append(DigestAuthorizationToken.RESPONSE.getName()).append("=\"").append(response).append("\"");
    get.addHeader(AUTHORIZATION.toString(), sb.toString());
    // Step 5: the server must still answer 401 and raise exactly one FAILED_AUTHENTICATION
    // notification, without distinguishing an unknown user from a wrong password.
    result = client.execute(get);
    assertEquals(StatusCodes.UNAUTHORIZED, result.getStatusLine().getStatusCode());
    assertSingleNotificationType(EventType.FAILED_AUTHENTICATION);
}
