
Example 1 with HttpConstraintElement

use of javax.servlet.HttpConstraintElement in project jetty.project by eclipse.

the class ConstraintTest method testSecurityElementExample13_7.

/**
     * Equivalent of Servlet Spec 3.1 pg 132, sec 13.4.1.1, Example 13-7
     * @ServletSecurity(value = @HttpConstraint(rolesAllowed = "R1"), 
     *                  httpMethodConstraints = @HttpMethodConstraint(value="TRACE",
     *                  emptyRoleSemantic = EmptyRoleSemantic.DENY))
     * @throws Exception if test fails
     */
@Test
public void testSecurityElementExample13_7() throws Exception {
    // Class-level rule: role R1, no transport guarantee. TRACE gets its own rule built from
    // EmptyRoleSemantic.DENY with no roles, which the assertions below expect to surface as
    // a forbidden constraint, i.e. TRACE is refused for every caller, R1 holders included.
    HttpConstraintElement defaultRule = new HttpConstraintElement(TransportGuarantee.NONE, "R1");
    HttpConstraintElement denyRule = new HttpConstraintElement(EmptyRoleSemantic.DENY);
    List<HttpMethodConstraintElement> perMethodRules = new ArrayList<HttpMethodConstraintElement>();
    perMethodRules.add(new HttpMethodConstraintElement("TRACE", denyRule));
    ServletSecurityElement securityElement = new ServletSecurityElement(defaultRule, perMethodRules);

    List<ConstraintMapping> produced = ConstraintSecurityHandler.createConstraintsWithMappingsForPath("foo", "/foo/*", securityElement);
    Assert.assertFalse(produced.isEmpty());
    Assert.assertEquals(2, produced.size());

    // Mapping 0: everything except TRACE (TRACE is listed as an omission) needs
    // authentication and role R1.
    ConstraintMapping allButTrace = produced.get(0);
    Assert.assertNotNull(allButTrace.getMethodOmissions());
    Assert.assertEquals("TRACE", allButTrace.getMethodOmissions()[0]);
    Assert.assertTrue(allButTrace.getConstraint().getAuthenticate());
    Assert.assertEquals("R1", allButTrace.getConstraint().getRoles()[0]);

    // Mapping 1: TRACE only, with no omissions, and forbidden outright.
    ConstraintMapping traceOnly = produced.get(1);
    Assert.assertEquals("TRACE", traceOnly.getMethod());
    Assert.assertNull(traceOnly.getMethodOmissions());
    // 0 is the data-constraint value this test expects when no transport guarantee is requested.
    Assert.assertEquals(0, traceOnly.getConstraint().getDataConstraint());
    Assert.assertTrue(traceOnly.getConstraint().isForbidden());
}
Also used : ArrayList(java.util.ArrayList) HttpConstraintElement(javax.servlet.HttpConstraintElement) HttpMethodConstraintElement(javax.servlet.HttpMethodConstraintElement) ServletSecurityElement(javax.servlet.ServletSecurityElement) Test(org.junit.Test)

Example 2 with HttpConstraintElement

use of javax.servlet.HttpConstraintElement in project jetty.project by eclipse.

the class ConstraintTest method testSecurityElementExample13_6.

/**
     * Equivalent of Servlet Spec 3.1 pg 132, sec 13.4.1.1, Example 13-6
     * @ServletSecurity(value = @HttpConstraint(rolesAllowed = "R1"), httpMethodConstraints = @HttpMethodConstraint("GET"))
     * @throws Exception if test fails
     */
@Test
public void testSecurityElementExample13_6() throws Exception {
    // Class-level rule: role R1, no transport guarantee. GET is named with a bare
    // HttpMethodConstraintElement, so it carries no role requirement of its own.
    // Security-relevant outcome pinned below: naming a method this way takes it OUT of the
    // class-level rule, so GET is reachable without authentication while every other
    // method still needs R1.
    HttpConstraintElement defaultRule = new HttpConstraintElement(TransportGuarantee.NONE, "R1");
    List<HttpMethodConstraintElement> perMethodRules = new ArrayList<HttpMethodConstraintElement>();
    perMethodRules.add(new HttpMethodConstraintElement("GET"));
    ServletSecurityElement securityElement = new ServletSecurityElement(defaultRule, perMethodRules);

    List<ConstraintMapping> produced = ConstraintSecurityHandler.createConstraintsWithMappingsForPath("foo", "/foo/*", securityElement);
    Assert.assertFalse(produced.isEmpty());
    Assert.assertEquals(2, produced.size());

    // Mapping 0: all methods except GET (GET is an omission) require authentication and R1.
    ConstraintMapping allButGet = produced.get(0);
    Assert.assertNotNull(allButGet.getMethodOmissions());
    Assert.assertEquals("GET", allButGet.getMethodOmissions()[0]);
    Assert.assertTrue(allButGet.getConstraint().getAuthenticate());
    Assert.assertEquals("R1", allButGet.getConstraint().getRoles()[0]);

    // Mapping 1: GET only, with no transport guarantee (0) and no authentication.
    ConstraintMapping getOnly = produced.get(1);
    Assert.assertEquals("GET", getOnly.getMethod());
    Assert.assertNull(getOnly.getMethodOmissions());
    Assert.assertEquals(0, getOnly.getConstraint().getDataConstraint());
    Assert.assertFalse(getOnly.getConstraint().getAuthenticate());
}
Also used : ArrayList(java.util.ArrayList) HttpConstraintElement(javax.servlet.HttpConstraintElement) HttpMethodConstraintElement(javax.servlet.HttpMethodConstraintElement) ServletSecurityElement(javax.servlet.ServletSecurityElement) Test(org.junit.Test)

Example 3 with HttpConstraintElement

use of javax.servlet.HttpConstraintElement in project jetty.project by eclipse.

the class ConstraintTest method testSecurityElementExample13_5.

/**
 * Equivalent of Servlet Spec 3.1 pg 132, sec 13.4.1.1, Example 13-5
 * @ServletSecurity(httpMethodConstraints = {
 *     @HttpMethodConstraint(value = "GET", rolesAllowed = "R1"),
 *     @HttpMethodConstraint(value = "POST", rolesAllowed = "R1",
 *         transportGuarantee = TransportGuarantee.CONFIDENTIAL)})
 * @throws Exception if test fails
 */
@Test
public void testSecurityElementExample13_5() throws Exception {
    // Only per-method rules, no class-level rule: GET needs R1 with no transport
    // guarantee, POST needs R1 over a CONFIDENTIAL transport.
    // The assertions expect exactly two mappings, one per named method and neither with
    // omissions, so this element yields no mapping for any other HTTP method.
    // NOTE(review): a deployment using this shape presumably wants those uncovered methods
    // closed separately (e.g. web.xml deny-uncovered-http-methods); confirm per application.
    List<HttpMethodConstraintElement> perMethodRules = new ArrayList<HttpMethodConstraintElement>();
    HttpConstraintElement getRule = new HttpConstraintElement(TransportGuarantee.NONE, "R1");
    perMethodRules.add(new HttpMethodConstraintElement("GET", getRule));
    HttpConstraintElement postRule = new HttpConstraintElement(TransportGuarantee.CONFIDENTIAL, "R1");
    perMethodRules.add(new HttpMethodConstraintElement("POST", postRule));
    ServletSecurityElement securityElement = new ServletSecurityElement(perMethodRules);

    List<ConstraintMapping> produced = ConstraintSecurityHandler.createConstraintsWithMappingsForPath("foo", "/foo/*", securityElement);
    Assert.assertFalse(produced.isEmpty());
    Assert.assertEquals(2, produced.size());

    // Mapping 0: GET, role R1, data constraint 0 (the value expected for TransportGuarantee.NONE).
    ConstraintMapping getMapping = produced.get(0);
    Assert.assertEquals("GET", getMapping.getMethod());
    Assert.assertEquals("R1", getMapping.getConstraint().getRoles()[0]);
    Assert.assertNull(getMapping.getMethodOmissions());
    Assert.assertEquals(0, getMapping.getConstraint().getDataConstraint());

    // Mapping 1: POST, role R1, data constraint 2 (the value expected for CONFIDENTIAL).
    ConstraintMapping postMapping = produced.get(1);
    Assert.assertEquals("POST", postMapping.getMethod());
    Assert.assertEquals("R1", postMapping.getConstraint().getRoles()[0]);
    Assert.assertEquals(2, postMapping.getConstraint().getDataConstraint());
    Assert.assertNull(postMapping.getMethodOmissions());
}
Also used : ArrayList(java.util.ArrayList) HttpConstraintElement(javax.servlet.HttpConstraintElement) HttpMethodConstraintElement(javax.servlet.HttpMethodConstraintElement) ServletSecurityElement(javax.servlet.ServletSecurityElement) Test(org.junit.Test)

Example 4 with HttpConstraintElement

use of javax.servlet.HttpConstraintElement in project jetty.project by eclipse.

the class ConstraintTest method testSecurityElementExample13_3.

/**
     * Equivalent of Servlet Spec 3.1 pg 132, sec 13.4.1.1, Example 13-3
     * @ServletSecurity(@HttpConstraint(EmptyRoleSemantic.DENY))
     * @throws Exception if test fails
     */
@Test
public void testSecurityElementExample13_3() throws Exception {
    // A class-level rule built from EmptyRoleSemantic.DENY alone (no roles) is expected
    // to produce a single mapping whose constraint is forbidden: access is denied to all.
    ServletSecurityElement securityElement = new ServletSecurityElement(new HttpConstraintElement(EmptyRoleSemantic.DENY));
    List<ConstraintMapping> produced = ConstraintSecurityHandler.createConstraintsWithMappingsForPath("foo", "/foo/*", securityElement);
    Assert.assertFalse(produced.isEmpty());
    Assert.assertEquals(1, produced.size());
    Assert.assertTrue(produced.get(0).getConstraint().isForbidden());
}
Also used : HttpConstraintElement(javax.servlet.HttpConstraintElement) ServletSecurityElement(javax.servlet.ServletSecurityElement) Test(org.junit.Test)

Example 5 with HttpConstraintElement

use of javax.servlet.HttpConstraintElement in project tomcat70 by apache.

the class TestSecurityConstraint method testCreateConstraints.

/**
 * Uses the examples in SRV.13.4 as the basis for these tests
 */
@Test
public void testCreateConstraints() {
    // Walks Examples 13-1 to 13-7 and checks, for each ServletSecurityElement, which
    // SecurityConstraint objects createConstraints() derives for URL_PATTERN.
    ServletSecurityElement securityElement;
    SecurityConstraint[] constraints;
    Set<HttpMethodConstraintElement> methodRules = new HashSet<HttpMethodConstraintElement>();

    // Example 13-1: @ServletSecurity
    // An empty element yields no constraints at all.
    securityElement = new ServletSecurityElement();
    constraints = SecurityConstraint.createConstraints(securityElement, URL_PATTERN);
    Assert.assertEquals(0, constraints.length);

    // Example 13-2:
    // @ServletSecurity(@HttpConstraint(transportGuarantee = TransportGuarantee.CONFIDENTIAL))
    // Transport requirement only: one constraint, no auth constraint, all methods.
    securityElement = new ServletSecurityElement(new HttpConstraintElement(ServletSecurity.TransportGuarantee.CONFIDENTIAL));
    constraints = SecurityConstraint.createConstraints(securityElement, URL_PATTERN);
    Assert.assertEquals(1, constraints.length);
    Assert.assertFalse(constraints[0].getAuthConstraint());
    Assert.assertTrue(constraints[0].findCollections()[0].findPattern(URL_PATTERN));
    Assert.assertEquals(0, constraints[0].findCollections()[0].findMethods().length);
    Assert.assertEquals(ServletSecurity.TransportGuarantee.CONFIDENTIAL.name(), constraints[0].getUserConstraint());

    // Example 13-3: @ServletSecurity(@HttpConstraint(EmptyRoleSemantic.DENY))
    // DENY is expected to surface as an auth constraint being present.
    securityElement = new ServletSecurityElement(new HttpConstraintElement(EmptyRoleSemantic.DENY));
    constraints = SecurityConstraint.createConstraints(securityElement, URL_PATTERN);
    Assert.assertEquals(1, constraints.length);
    Assert.assertTrue(constraints[0].getAuthConstraint());
    Assert.assertTrue(constraints[0].findCollections()[0].findPattern(URL_PATTERN));
    Assert.assertEquals(0, constraints[0].findCollections()[0].findMethods().length);
    Assert.assertEquals(ServletSecurity.TransportGuarantee.NONE.name(), constraints[0].getUserConstraint());

    // Example 13-4: @ServletSecurity(@HttpConstraint(rolesAllowed = "R1"))
    // One constraint, all methods, exactly one permitted role.
    securityElement = new ServletSecurityElement(new HttpConstraintElement(ServletSecurity.TransportGuarantee.NONE, ROLE1));
    constraints = SecurityConstraint.createConstraints(securityElement, URL_PATTERN);
    Assert.assertEquals(1, constraints.length);
    Assert.assertTrue(constraints[0].getAuthConstraint());
    Assert.assertEquals(1, constraints[0].findAuthRoles().length);
    Assert.assertTrue(constraints[0].findAuthRole(ROLE1));
    Assert.assertTrue(constraints[0].findCollections()[0].findPattern(URL_PATTERN));
    Assert.assertEquals(0, constraints[0].findCollections()[0].findMethods().length);
    Assert.assertEquals(ServletSecurity.TransportGuarantee.NONE.name(), constraints[0].getUserConstraint());

    // Example 13-5:
    // @ServletSecurity(httpMethodConstraints = {
    //     @HttpMethodConstraint(value = "GET", rolesAllowed = "R1"),
    //     @HttpMethodConstraint(value = "POST", rolesAllowed = "R1",
    //         transportGuarantee = TransportGuarantee.CONFIDENTIAL)})
    // Two single-method constraints are expected, and nothing for any other HTTP method.
    methodRules.clear();
    methodRules.add(new HttpMethodConstraintElement("GET", new HttpConstraintElement(ServletSecurity.TransportGuarantee.NONE, ROLE1)));
    methodRules.add(new HttpMethodConstraintElement("POST", new HttpConstraintElement(ServletSecurity.TransportGuarantee.CONFIDENTIAL, ROLE1)));
    securityElement = new ServletSecurityElement(methodRules);
    constraints = SecurityConstraint.createConstraints(securityElement, URL_PATTERN);
    Assert.assertEquals(2, constraints.length);
    // The order of the two constraints is not assumed; each is identified by its method.
    for (SecurityConstraint constraint : constraints) {
        Assert.assertTrue(constraint.getAuthConstraint());
        Assert.assertEquals(1, constraint.findAuthRoles().length);
        Assert.assertTrue(constraint.findAuthRole(ROLE1));
        Assert.assertTrue(constraint.findCollections()[0].findPattern(URL_PATTERN));
        Assert.assertEquals(1, constraint.findCollections()[0].findMethods().length);
        String method = constraint.findCollections()[0].findMethods()[0];
        if ("GET".equals(method)) {
            Assert.assertEquals(ServletSecurity.TransportGuarantee.NONE.name(), constraint.getUserConstraint());
        } else if ("POST".equals(method)) {
            Assert.assertEquals(ServletSecurity.TransportGuarantee.CONFIDENTIAL.name(), constraint.getUserConstraint());
        } else {
            Assert.fail("Unexpected method :[" + method + "]");
        }
    }

    // Example 13-6:
    // @ServletSecurity(value = @HttpConstraint(rolesAllowed = "R1"),
    //     httpMethodConstraints = @HttpMethodConstraint("GET"))
    // GET is split out with no auth constraint (open to unauthenticated callers);
    // the other constraint omits GET and requires ROLE1.
    methodRules.clear();
    methodRules.add(new HttpMethodConstraintElement("GET"));
    securityElement = new ServletSecurityElement(new HttpConstraintElement(ServletSecurity.TransportGuarantee.NONE, ROLE1), methodRules);
    constraints = SecurityConstraint.createConstraints(securityElement, URL_PATTERN);
    Assert.assertEquals(2, constraints.length);
    for (SecurityConstraint constraint : constraints) {
        Assert.assertTrue(constraint.findCollections()[0].findPattern(URL_PATTERN));
        if (constraint.findCollections()[0].findMethods().length == 1) {
            // The constraint naming GET explicitly.
            Assert.assertEquals("GET", constraint.findCollections()[0].findMethods()[0]);
            Assert.assertFalse(constraint.getAuthConstraint());
        } else if (constraint.findCollections()[0].findOmittedMethods().length == 1) {
            // The "everything but GET" constraint.
            Assert.assertEquals("GET", constraint.findCollections()[0].findOmittedMethods()[0]);
            Assert.assertTrue(constraint.getAuthConstraint());
            Assert.assertEquals(1, constraint.findAuthRoles().length);
            Assert.assertEquals(ROLE1, constraint.findAuthRoles()[0]);
        } else {
            Assert.fail("Unexpected number of methods defined");
        }
        Assert.assertEquals(ServletSecurity.TransportGuarantee.NONE.name(), constraint.getUserConstraint());
    }

    // Example 13-7:
    // @ServletSecurity(value = @HttpConstraint(rolesAllowed = "R1"),
    //     httpMethodConstraints = @HttpMethodConstraint(value="TRACE",
    //         emptyRoleSemantic = EmptyRoleSemantic.DENY))
    // TRACE is split out with an auth constraint and zero roles; the other constraint
    // omits TRACE and requires ROLE1.
    methodRules.clear();
    methodRules.add(new HttpMethodConstraintElement("TRACE", new HttpConstraintElement(EmptyRoleSemantic.DENY)));
    securityElement = new ServletSecurityElement(new HttpConstraintElement(ServletSecurity.TransportGuarantee.NONE, ROLE1), methodRules);
    constraints = SecurityConstraint.createConstraints(securityElement, URL_PATTERN);
    Assert.assertEquals(2, constraints.length);
    for (SecurityConstraint constraint : constraints) {
        Assert.assertTrue(constraint.findCollections()[0].findPattern(URL_PATTERN));
        if (constraint.findCollections()[0].findMethods().length == 1) {
            // The constraint naming TRACE explicitly: auth constraint set, no role listed.
            Assert.assertEquals("TRACE", constraint.findCollections()[0].findMethods()[0]);
            Assert.assertTrue(constraint.getAuthConstraint());
            Assert.assertEquals(0, constraint.findAuthRoles().length);
        } else if (constraint.findCollections()[0].findOmittedMethods().length == 1) {
            // The "everything but TRACE" constraint.
            Assert.assertEquals("TRACE", constraint.findCollections()[0].findOmittedMethods()[0]);
            Assert.assertTrue(constraint.getAuthConstraint());
            Assert.assertEquals(1, constraint.findAuthRoles().length);
            Assert.assertEquals(ROLE1, constraint.findAuthRoles()[0]);
        } else {
            Assert.fail("Unexpected number of methods defined");
        }
        Assert.assertEquals(ServletSecurity.TransportGuarantee.NONE.name(), constraint.getUserConstraint());
    }
    // Example 13-8 is the same as 13-4
    // Example 13-9 is the same as 13-7
}
Also used : HttpConstraintElement(javax.servlet.HttpConstraintElement) ServletSecurityElement(javax.servlet.ServletSecurityElement) HttpMethodConstraintElement(javax.servlet.HttpMethodConstraintElement) HashSet(java.util.HashSet) Test(org.junit.Test)
