
Example 1 with ServletSecurityElement

use of javax.servlet.ServletSecurityElement in project jetty.project by eclipse.

From class ConstraintTest, method testSecurityElementExample13_7 (spec Example 13-7: default role constraint with TRACE denied outright).

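/**
 * Equivalent of Servlet Spec 3.1 pg 132, sec 13.4.1.1, Example 13-7.
 * Annotation form: {@code @ServletSecurity(value = @HttpConstraint(rolesAllowed = "R1"),
 *                  httpMethodConstraints = @HttpMethodConstraint(value = "TRACE",
 *                  emptyRoleSemantic = EmptyRoleSemantic.DENY))}
 * <p>
 * Expected outcome: every method except TRACE on the path requires role R1 (a default
 * mapping with TRACE listed as a method omission), and TRACE itself is forbidden to all
 * callers, authenticated or not (an auth-constraint with an empty role list).
 *
 * @throws Exception if test fails
 */
@Test
public void testSecurityElementExample13_7() throws Exception {
    List<HttpMethodConstraintElement> methodElements = new ArrayList<HttpMethodConstraintElement>();
    // TRACE with DENY semantics and no roles: nobody may invoke it.
    methodElements.add(new HttpMethodConstraintElement("TRACE", new HttpConstraintElement(EmptyRoleSemantic.DENY)));
    ServletSecurityElement element = new ServletSecurityElement(new HttpConstraintElement(TransportGuarantee.NONE, "R1"), methodElements);

    List<ConstraintMapping> mappings = ConstraintSecurityHandler.createConstraintsWithMappingsForPath("foo", "/foo/*", element);
    Assert.assertEquals(2, mappings.size());

    // Mapping 0: the default constraint, covering every method other than TRACE.
    ConstraintMapping defaultMapping = mappings.get(0);
    // The mapping must be bound to the requested path; a mapping on another path would
    // leave /foo/* unprotected.
    Assert.assertEquals("/foo/*", defaultMapping.getPathSpec());
    Assert.assertNull(defaultMapping.getMethod());
    Assert.assertNotNull(defaultMapping.getMethodOmissions());
    // Exactly one omission: only TRACE is carved out of the R1 requirement.
    Assert.assertEquals(1, defaultMapping.getMethodOmissions().length);
    Assert.assertEquals("TRACE", defaultMapping.getMethodOmissions()[0]);
    Assert.assertTrue(defaultMapping.getConstraint().getAuthenticate());
    Assert.assertEquals(1, defaultMapping.getConstraint().getRoles().length);
    Assert.assertEquals("R1", defaultMapping.getConstraint().getRoles()[0]);
    // A role-based constraint is not a blanket denial.
    Assert.assertFalse(defaultMapping.getConstraint().isForbidden());
    // TransportGuarantee.NONE -> no user-data-constraint (DC_NONE == 0).
    Assert.assertEquals(0, defaultMapping.getConstraint().getDataConstraint());

    // Mapping 1: TRACE only, forbidden for every caller.
    ConstraintMapping traceMapping = mappings.get(1);
    Assert.assertEquals("/foo/*", traceMapping.getPathSpec());
    Assert.assertEquals("TRACE", traceMapping.getMethod());
    Assert.assertNull(traceMapping.getMethodOmissions());
    Assert.assertEquals(0, traceMapping.getConstraint().getDataConstraint());
    Assert.assertTrue(traceMapping.getConstraint().isForbidden());
}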

Example 2 with ServletSecurityElement

use of javax.servlet.ServletSecurityElement in project jetty.project by eclipse.

From class ConstraintTest, method testSecurityElementExample13_6 (spec Example 13-6: default role constraint with GET left unconstrained).

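/**
 * Equivalent of Servlet Spec 3.1 pg 132, sec 13.4.1.1, Example 13-6.
 * Annotation form: {@code @ServletSecurity(value = @HttpConstraint(rolesAllowed = "R1"),
 *                  httpMethodConstraints = @HttpMethodConstraint("GET"))}
 * <p>
 * Expected outcome: GET is deliberately unconstrained (open to anonymous callers),
 * while every other method on the path requires role R1.
 *
 * @throws Exception if test fails
 */
@Test
public void testSecurityElementExample13_6() throws Exception {
    List<HttpMethodConstraintElement> methodElements = new ArrayList<HttpMethodConstraintElement>();
    // A bare HttpMethodConstraintElement carries the defaults: PERMIT, no roles, no transport guarantee.
    methodElements.add(new HttpMethodConstraintElement("GET"));
    ServletSecurityElement element = new ServletSecurityElement(new HttpConstraintElement(TransportGuarantee.NONE, "R1"), methodElements);

    List<ConstraintMapping> mappings = ConstraintSecurityHandler.createConstraintsWithMappingsForPath("foo", "/foo/*", element);
    Assert.assertEquals(2, mappings.size());

    // Mapping 0: the default constraint (R1) with GET carved out as a method omission.
    ConstraintMapping defaultMapping = mappings.get(0);
    Assert.assertEquals("/foo/*", defaultMapping.getPathSpec());
    Assert.assertNull(defaultMapping.getMethod());
    Assert.assertNotNull(defaultMapping.getMethodOmissions());
    // Exactly one omission: only GET escapes the R1 requirement.
    Assert.assertEquals(1, defaultMapping.getMethodOmissions().length);
    Assert.assertEquals("GET", defaultMapping.getMethodOmissions()[0]);
    Assert.assertTrue(defaultMapping.getConstraint().getAuthenticate());
    Assert.assertEquals("R1", defaultMapping.getConstraint().getRoles()[0]);
    Assert.assertEquals(0, defaultMapping.getConstraint().getDataConstraint());

    // Mapping 1: GET only; no authentication and no roles, i.e. anyone may call it.
    ConstraintMapping getMapping = mappings.get(1);
    Assert.assertEquals("/foo/*", getMapping.getPathSpec());
    Assert.assertEquals("GET", getMapping.getMethod());
    Assert.assertNull(getMapping.getMethodOmissions());
    Assert.assertEquals(0, getMapping.getConstraint().getDataConstraint());
    Assert.assertFalse(getMapping.getConstraint().getAuthenticate());
    // Unconstrained is the opposite of forbidden; guard against the two being confused.
    Assert.assertFalse(getMapping.getConstraint().isForbidden());
}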

Example 3 with ServletSecurityElement

use of javax.servlet.ServletSecurityElement in project jetty.project by eclipse.

From class ConstraintTest, method testSecurityElementExample13_5 (spec Example 13-5: per-method constraints only, no default constraint).

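/**
 * Equivalent of Servlet Spec 3.1 pg 132, sec 13.4.1.1, Example 13-5.
 * Annotation form: {@code @ServletSecurity} with only {@code httpMethodConstraints}:
 * GET with {@code rolesAllowed = "R1"}, and POST with {@code rolesAllowed = "R1"} and
 * {@code transportGuarantee = TransportGuarantee.CONFIDENTIAL}; there is no default
 * {@code @HttpConstraint}.
 * <p>
 * Expected outcome: exactly two per-method mappings, both requiring R1, with POST
 * additionally requiring a confidential transport. Because no default constraint is
 * declared, no catch-all mapping is produced and any other method on the path is
 * left uncovered by this element.
 *
 * @throws Exception if test fails
 */
@Test
public void testSecurityElementExample13_5() throws Exception {
    List<HttpMethodConstraintElement> methodElements = new ArrayList<HttpMethodConstraintElement>();
    methodElements.add(new HttpMethodConstraintElement("GET", new HttpConstraintElement(TransportGuarantee.NONE, "R1")));
    methodElements.add(new HttpMethodConstraintElement("POST", new HttpConstraintElement(TransportGuarantee.CONFIDENTIAL, "R1")));
    // No default HttpConstraintElement: only the listed methods are constrained at all.
    ServletSecurityElement element = new ServletSecurityElement(methodElements);

    List<ConstraintMapping> mappings = ConstraintSecurityHandler.createConstraintsWithMappingsForPath("foo", "/foo/*", element);
    // Only the two per-method mappings; nothing is generated for the remaining methods.
    Assert.assertEquals(2, mappings.size());

    // GET: role R1, plain transport.
    ConstraintMapping getMapping = mappings.get(0);
    Assert.assertEquals("/foo/*", getMapping.getPathSpec());
    Assert.assertEquals("GET", getMapping.getMethod());
    Assert.assertNull(getMapping.getMethodOmissions());
    Assert.assertTrue(getMapping.getConstraint().getAuthenticate());
    Assert.assertEquals("R1", getMapping.getConstraint().getRoles()[0]);
    Assert.assertEquals(0, getMapping.getConstraint().getDataConstraint());

    // POST: role R1 and a confidential transport.
    ConstraintMapping postMapping = mappings.get(1);
    Assert.assertEquals("/foo/*", postMapping.getPathSpec());
    Assert.assertEquals("POST", postMapping.getMethod());
    Assert.assertNull(postMapping.getMethodOmissions());
    Assert.assertTrue(postMapping.getConstraint().getAuthenticate());
    Assert.assertEquals("R1", postMapping.getConstraint().getRoles()[0]);
    // CONFIDENTIAL -> DC_CONFIDENTIAL == 2 (compare the 0 used for NONE above).
    Assert.assertEquals(2, postMapping.getConstraint().getDataConstraint());
}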

Example 4 with ServletSecurityElement

use of javax.servlet.ServletSecurityElement in project jetty.project by eclipse.

From class ConstraintTest, method testSecurityElementExample13_3 (spec Example 13-3: deny everything on the path).

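/**
 * Equivalent of Servlet Spec 3.1 pg 132, sec 13.4.1.1, Example 13-3.
 * Annotation form: {@code @ServletSecurity(@HttpConstraint(EmptyRoleSemantic.DENY))}
 * <p>
 * Expected outcome: a single catch-all mapping that forbids every method on the path
 * to every caller, authenticated or not (an auth-constraint with an empty role list).
 *
 * @throws Exception if test fails
 */
@Test
public void testSecurityElementExample13_3() throws Exception {
    // DENY with no roles; this constructor implies TransportGuarantee.NONE.
    HttpConstraintElement httpConstraintElement = new HttpConstraintElement(EmptyRoleSemantic.DENY);
    ServletSecurityElement element = new ServletSecurityElement(httpConstraintElement);

    List<ConstraintMapping> mappings = ConstraintSecurityHandler.createConstraintsWithMappingsForPath("foo", "/foo/*", element);
    Assert.assertEquals(1, mappings.size());

    ConstraintMapping mapping = mappings.get(0);
    // Bound to the requested path and to all methods: no method filter and no omissions.
    Assert.assertEquals("/foo/*", mapping.getPathSpec());
    Assert.assertNull(mapping.getMethod());
    Assert.assertNull(mapping.getMethodOmissions());
    // An auth-constraint that no principal can satisfy.
    Assert.assertTrue(mapping.getConstraint().getAuthenticate());
    Assert.assertTrue(mapping.getConstraint().isForbidden());
    // No user-data-constraint (DC_NONE == 0).
    Assert.assertEquals(0, mapping.getConstraint().getDataConstraint());
}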

Example 5 with ServletSecurityElement

use of javax.servlet.ServletSecurityElement in project tomcat by apache.

From class TestRealmBase, method testHttpConstraint (end-to-end authorization check of an annotation-derived constraint set against several principals).

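/*
 * This test case covers the special case in section 13.4.1 of the Servlet
 * 3.1 specification for {@link javax.servlet.annotation.HttpConstraint}:
 * a method named in httpMethodConstraints is removed from the scope of the
 * default HttpConstraint, and the per-method constraints are evaluated on
 * their own.
 *
 * The expectations below follow from the annotation on TesterServletSecurity01,
 * which is declared elsewhere and not visible here: GET open to everyone,
 * POST limited to ROLE1, PUT limited to any application role, TRACE limited
 * to any authenticated principal. DELETE is limited to ROLE1 by a constraint
 * added programmatically in this test. Only the authorization decision is
 * exercised; whether a connector serves TRACE at all is a separate setting
 * and is not covered here.
 */
@Test
public void testHttpConstraint() throws IOException {
    // Get the annotation from the test case
    Class<TesterServletSecurity01> clazz = TesterServletSecurity01.class;
    ServletSecurity servletSecurity = clazz.getAnnotation(ServletSecurity.class);
    // Convert the annotation into constraints for the whole context
    ServletSecurityElement servletSecurityElement = new ServletSecurityElement(servletSecurity);
    SecurityConstraint[] constraints = SecurityConstraint.createConstraints(servletSecurityElement, "/*");
    // Create a separate constraint that covers DELETE: ROLE1 only, on every path
    SecurityConstraint deleteConstraint = new SecurityConstraint();
    deleteConstraint.addAuthRole(ROLE1);
    SecurityCollection deleteCollection = new SecurityCollection();
    deleteCollection.addMethod("DELETE");
    deleteCollection.addPatternDecoded("/*");
    deleteConstraint.addCollection(deleteCollection);
    TesterMapRealm mapRealm = new TesterMapRealm();
    // Set up the mock request and response
    TesterRequest request = new TesterRequest();
    Response response = new TesterResponse();
    Context context = request.getContext();
    context.addSecurityRole(ROLE1);
    context.addSecurityRole(ROLE2);
    // NOTE(review): presumably so the mapped context seen by the realm is the
    // same one the roles and constraints are registered on -- confirm against
    // RealmBase before relying on it.
    request.getMappingData().context = context;
    // Create the principals: one per role, plus an authenticated user with no roles
    List<String> userRoles1 = new ArrayList<>();
    userRoles1.add(ROLE1);
    GenericPrincipal gp1 = new GenericPrincipal(USER1, PWD, userRoles1);
    List<String> userRoles2 = new ArrayList<>();
    userRoles2.add(ROLE2);
    GenericPrincipal gp2 = new GenericPrincipal(USER2, PWD, userRoles2);
    List<String> userRoles99 = new ArrayList<>();
    GenericPrincipal gp99 = new GenericPrincipal(USER99, PWD, userRoles99);
    // Add the constraints to the context
    for (SecurityConstraint constraint : constraints) {
        context.addConstraint(constraint);
    }
    context.addConstraint(deleteConstraint);
    // Each method is checked for, in order: anonymous, user1 (ROLE1),
    // user2 (ROLE2) and user99 (authenticated, no roles).
    GenericPrincipal[] principals = { null, gp1, gp2, gp99 };
    // All users should be able to perform a GET
    assertMethodAccess(mapRealm, request, response, context, "GET", principals, true, true, true, true);
    // Only user1 should be able to perform a POST as only that user has role1.
    assertMethodAccess(mapRealm, request, response, context, "POST", principals, false, true, false, false);
    // Only users with application roles (role1 or role2 so user1 or user2)
    // should be able to perform a PUT.
    assertMethodAccess(mapRealm, request, response, context, "PUT", principals, false, true, true, false);
    // Any authenticated user should be able to perform a TRACE; anonymous may not.
    assertMethodAccess(mapRealm, request, response, context, "TRACE", principals, false, true, true, true);
    // Only user1 should be able to perform a DELETE as only that user has role1.
    assertMethodAccess(mapRealm, request, response, context, "DELETE", principals, false, true, false, false);
}

/*
 * Sets the request method once, resolves the matching constraints, then asserts
 * the authorization outcome for each principal in turn. A null principal stands
 * for an unauthenticated request. The expected flags are positional and must
 * match the principals array one to one.
 */
private static void assertMethodAccess(TesterMapRealm realm, TesterRequest request, Response response,
        Context context, String method, GenericPrincipal[] principals, boolean... expected)
        throws IOException {
    Assert.assertEquals("expected flags must match principals for " + method,
            principals.length, expected.length);
    request.setMethod(method);
    SecurityConstraint[] constraints = realm.findSecurityConstraints(request, context);
    for (int i = 0; i < principals.length; i++) {
        request.setUserPrincipal(principals[i]);
        String who = principals[i] == null ? "anonymous" : principals[i].getName();
        Assert.assertEquals(method + " as " + who, expected[i],
                realm.hasResourcePermission(request, response, constraints, null));
    }
}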
