
Example 6 with TesterMapRealm

use of org.apache.catalina.startup.TesterMapRealm in project tomcat by apache.

the class TesterSupport method configureClientCertContext.

/**
 * Configures {@code tomcat} for the CLIENT-CERT authentication tests:
 * enables SSL, pins the connector to TLSv1.2, registers one servlet under an
 * unprotected and a protected URL, and installs a {@link TesterMapRealm}
 * that knows the client certificate's subject DN as a user in {@code ROLE}.
 * <p>
 * Side effects on the enclosing class: {@code clientAuthExpectedIssuer} is
 * set to the CA certificate's subject DN, and {@code lastUsage} and
 * {@code lastRequestedIssuers} are reset.
 *
 * @param tomcat the embedded Tomcat instance to configure
 * @throws RuntimeException if either key store or the certificate in it
 *                          cannot be loaded; the original exception is the
 *                          cause
 */
public static void configureClientCertContext(Tomcat tomcat) {
    TesterSupport.initSsl(tomcat);
    /*
     * When running on Java 11, TLSv1.3 is enabled by default. The JSSE
     * implementation of TLSv1.3 does not support
     * certificateVerification="optional", a setting on which these tests
     * depend. Therefore, force these tests to use TLSv1.2 so that they pass
     * when running on TLSv1.3.
     */
    tomcat.getConnector().findSslHostConfigs()[0].setProtocols(Constants.SSL_PROTO_TLSv1_2);

    // One servlet reachable through an unprotected and a protected mapping.
    // No file system docBase required.
    Context context = tomcat.addContext("", null);
    Tomcat.addServlet(context, "simple", new SimpleServlet());
    context.addServletMappingDecoded("/unprotected", "simple");
    context.addServletMappingDecoded("/protected", "simple");

    // Only /protected is constrained, and only to ROLE
    SecurityCollection protectedPaths = new SecurityCollection();
    protectedPaths.addPatternDecoded("/protected");
    SecurityConstraint constraint = new SecurityConstraint();
    constraint.addAuthRole(ROLE);
    constraint.addCollection(protectedPaths);
    context.addConstraint(constraint);

    // Read the subject DNs from the CA and client key stores. The CA subject
    // is what the server should send us for client cert selection; the
    // client subject is the user name the realm has to know.
    String clientSubject;
    try {
        KeyStore caStore = getKeyStore(CA_JKS);
        X509Certificate caCert = (X509Certificate) caStore.getCertificate(CA_ALIAS);
        clientAuthExpectedIssuer = caCert.getSubjectDN().getName();

        KeyStore clientStore = getKeyStore(CLIENT_JKS);
        X509Certificate clientCert = (X509Certificate) clientStore.getCertificate(CLIENT_ALIAS);
        clientSubject = clientCert.getSubjectDN().getName();
    } catch (Exception ex) {
        throw new RuntimeException(ex);
    }

    // Configure the Realm: the client subject DN is the user, the password
    // value is only a placeholder
    TesterMapRealm mapRealm = new TesterMapRealm();
    mapRealm.addUser(clientSubject, "not used");
    mapRealm.addUserRole(clientSubject, ROLE);
    context.setRealm(mapRealm);

    // Configure the authenticator
    LoginConfig loginConfig = new LoginConfig();
    loginConfig.setAuthMethod("CLIENT-CERT");
    context.setLoginConfig(loginConfig);
    context.getPipeline().addValve(new SSLAuthenticator());

    // Clear the tracking data
    lastUsage = "NONE";
    lastRequestedIssuers = new Principal[0];
}
Also used : SSLContext(javax.net.ssl.SSLContext) Context(org.apache.catalina.Context) TesterMapRealm(org.apache.catalina.startup.TesterMapRealm) SSLAuthenticator(org.apache.catalina.authenticator.SSLAuthenticator) LoginConfig(org.apache.tomcat.util.descriptor.web.LoginConfig) KeyStore(java.security.KeyStore) SecurityConstraint(org.apache.tomcat.util.descriptor.web.SecurityConstraint) X509Certificate(java.security.cert.X509Certificate) ServletException(jakarta.servlet.ServletException) IOException(java.io.IOException) CertificateException(java.security.cert.CertificateException) UnknownHostException(java.net.UnknownHostException) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) SecurityCollection(org.apache.tomcat.util.descriptor.web.SecurityCollection)

Example 7 with TesterMapRealm

use of org.apache.catalina.startup.TesterMapRealm in project tomcat by apache.

the class TestStandardContext method testBug50015.

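/**
 * Regression test for bug 50015: security constraints configured
 * programmatically (here by {@code Bug50015SCI} via a
 * {@link ServletContainerInitializer}) must be enforced, so an
 * unauthenticated request to the constrained servlet is challenged.
 *
 * @throws Exception if the container fails to start or the request fails
 */
@Test
public void testBug50015() throws Exception {
    // Set up a container
    Tomcat tomcat = getTomcatInstance();
    // No file system docBase required
    Context ctx = tomcat.addContext("", null);

    // Setup realm with a single user
    TesterMapRealm realm = new TesterMapRealm();
    realm.addUser("tomcat", "tomcat");
    realm.addUserRole("tomcat", "tomcat");
    ctx.setRealm(realm);

    // Configure app for BASIC auth so a request without credentials is
    // challenged rather than served
    LoginConfig lc = new LoginConfig();
    lc.setAuthMethod("BASIC");
    ctx.setLoginConfig(lc);
    ctx.getPipeline().addValve(new BasicAuthenticator());

    // Add ServletContainerInitializer; Bug50015SCI (defined elsewhere in
    // this file) presumably registers the /bug50015 servlet and its
    // constraint programmatically
    ServletContainerInitializer sci = new Bug50015SCI();
    ctx.addServletContainerInitializer(sci, null);

    // Start the context
    tomcat.start();

    // Request the servlet without credentials
    ByteChunk bc = new ByteChunk();
    int rc = getUrl("http://localhost:" + getPort() + "/bug50015", bc, null);

    // Check for a 401. assertNotSame only compared references, which a
    // fresh String from toString() always satisfies; compare the content.
    Assert.assertNotEquals("OK", bc.toString());
    Assert.assertEquals(401, rc);
}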
Also used : ServletContext(jakarta.servlet.ServletContext) Context(org.apache.catalina.Context) ServletContainerInitializer(jakarta.servlet.ServletContainerInitializer) Tomcat(org.apache.catalina.startup.Tomcat) TesterMapRealm(org.apache.catalina.startup.TesterMapRealm) BasicAuthenticator(org.apache.catalina.authenticator.BasicAuthenticator) ByteChunk(org.apache.tomcat.util.buf.ByteChunk) LoginConfig(org.apache.tomcat.util.descriptor.web.LoginConfig) HttpMethodConstraint(jakarta.servlet.annotation.HttpMethodConstraint) HttpConstraint(jakarta.servlet.annotation.HttpConstraint) TomcatBaseTest(org.apache.catalina.startup.TomcatBaseTest) Test(org.junit.Test)

Example 8 with TesterMapRealm

use of org.apache.catalina.startup.TesterMapRealm in project tomcat by apache.

the class TestRequest method testLoginLogout.

/**
 * Test case for {@link Request#login(String, String)} and
 * {@link Request#logout()}. The request itself carries no credentials;
 * {@code LoginLogoutServlet} is expected to perform the login and logout
 * and to answer {@code LoginLogoutServlet.OK} when both succeed.
 *
 * @throws Exception if the container fails to start or the request fails
 */
@Test
public void testLoginLogout() throws Exception {
    // Setup Tomcat instance
    Tomcat tomcat = getTomcatInstance();
    // No file system docBase required
    Context context = tomcat.addContext("", null);

    // BASIC login configuration plus the matching authenticator valve
    LoginConfig loginConfig = new LoginConfig();
    loginConfig.setAuthMethod("BASIC");
    context.setLoginConfig(loginConfig);
    context.getPipeline().addValve(new BasicAuthenticator());

    // The servlet under test answers at the context root
    Tomcat.addServlet(context, "servlet", new LoginLogoutServlet());
    context.addServletMappingDecoded("/", "servlet");

    // The realm knows exactly the credentials the servlet logs in with
    TesterMapRealm mapRealm = new TesterMapRealm();
    mapRealm.addUser(LoginLogoutServlet.USER, LoginLogoutServlet.PWD);
    context.setRealm(mapRealm);

    tomcat.start();

    ByteChunk body = getUrl("http://localhost:" + getPort() + "/");
    Assert.assertEquals(LoginLogoutServlet.OK, body.toString());
}
Also used : Context(org.apache.catalina.Context) Tomcat(org.apache.catalina.startup.Tomcat) TesterMapRealm(org.apache.catalina.startup.TesterMapRealm) BasicAuthenticator(org.apache.catalina.authenticator.BasicAuthenticator) ByteChunk(org.apache.tomcat.util.buf.ByteChunk) LoginConfig(org.apache.tomcat.util.descriptor.web.LoginConfig) TomcatBaseTest(org.apache.catalina.startup.TomcatBaseTest) Test(org.junit.Test)

Example 9 with TesterMapRealm

use of org.apache.catalina.startup.TesterMapRealm in project tomcat by apache.

the class TestStandardWrapper method doTest.

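/**
 * Deploys one servlet at the context root of an embedded Tomcat, sends a
 * single request to it and checks the outcome.
 *
 * @param servletClassName fully qualified name of the servlet to deploy
 * @param usePost          {@code true} to send a POST, {@code false} for a GET
 * @param useRole          {@code true} to install a realm with one user in
 *                         {@code testRole}, BASIC authentication, and to
 *                         send that user's credentials with the request
 * @param expect200        {@code true} if the request must succeed with a
 *                         200 and body {@code "OK"}; {@code false} if it
 *                         must be rejected with a 403 and a non-empty body
 * @param denyUncovered    value for the context's
 *                         {@code denyUncoveredHttpMethods} setting
 * @throws Exception if the container fails to start or the request fails
 */
private void doTest(String servletClassName, boolean usePost, boolean useRole, boolean expect200, boolean denyUncovered) throws Exception {
    // Credentials shared by the realm and the Authorization header so the
    // two cannot drift apart
    final String user = "testUser";
    final String password = "testPwd";
    final String role = "testRole";

    // Setup Tomcat instance
    Tomcat tomcat = getTomcatInstance();
    // No file system docBase required
    Context ctx = tomcat.addContext("", null);
    ctx.setDenyUncoveredHttpMethods(denyUncovered);

    Wrapper wrapper = Tomcat.addServlet(ctx, "servlet", servletClassName);
    wrapper.setAsyncSupported(true);
    ctx.addServletMappingDecoded("/", "servlet");

    if (useRole) {
        TesterMapRealm realm = new TesterMapRealm();
        realm.addUser(user, password);
        realm.addUserRole(user, role);
        ctx.setRealm(realm);
        ctx.setLoginConfig(new LoginConfig("BASIC", null, null, null));
        ctx.getPipeline().addValve(new BasicAuthenticator());
    }

    tomcat.start();

    Map<String, List<String>> reqHeaders = null;
    if (useRole) {
        // Basic credentials are base64("user:password"); derive the header
        // from the constants above instead of hard-coding the encoded form
        String encoded = java.util.Base64.getEncoder().encodeToString(
                (user + ":" + password).getBytes(java.nio.charset.StandardCharsets.ISO_8859_1));
        List<String> authHeaders = new ArrayList<>();
        authHeaders.add("Basic " + encoded);
        reqHeaders = new HashMap<>();
        reqHeaders.put("Authorization", authHeaders);
    }

    ByteChunk bc = new ByteChunk();
    String url = "http://localhost:" + getPort() + "/";
    int rc = usePost
            ? postUrl(null, url, bc, reqHeaders, null)
            : getUrl(url, bc, reqHeaders, null);

    if (expect200) {
        Assert.assertEquals("OK", bc.toString());
        Assert.assertEquals(200, rc);
    } else {
        // A rejected request must still produce a non-empty body
        Assert.assertTrue(bc.getLength() > 0);
        Assert.assertEquals(403, rc);
    }
}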
Also used : Context(org.apache.catalina.Context) ServletContext(jakarta.servlet.ServletContext) Wrapper(org.apache.catalina.Wrapper) Tomcat(org.apache.catalina.startup.Tomcat) ByteChunk(org.apache.tomcat.util.buf.ByteChunk) ArrayList(java.util.ArrayList) HttpConstraint(jakarta.servlet.annotation.HttpConstraint) HttpMethodConstraint(jakarta.servlet.annotation.HttpMethodConstraint) TesterMapRealm(org.apache.catalina.startup.TesterMapRealm) BasicAuthenticator(org.apache.catalina.authenticator.BasicAuthenticator) LoginConfig(org.apache.tomcat.util.descriptor.web.LoginConfig) ArrayList(java.util.ArrayList) List(java.util.List)

Example 10 with TesterMapRealm

use of org.apache.catalina.startup.TesterMapRealm in project tomcat70 by apache.

the class TestRealmBase method testHttpConstraint.

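/**
 * This test case covers the special case in section 13.4.1 of the Servlet
 * 3.1 specification for {@link javax.servlet.annotation.HttpConstraint}.
 * The {@code @ServletSecurity} annotation on {@code TesterServletSecurity01}
 * is converted to constraints on a mock context, a separate constraint
 * restricts DELETE to {@code ROLE1}, and access is then checked per HTTP
 * method for an anonymous request and for users holding {@code ROLE1},
 * {@code ROLE2} and no role at all.
 *
 * @throws IOException if {@code hasResourcePermission} fails
 */
@Test
public void testHttpConstraint() throws IOException {
    // Get the annotation from the test case
    Class<TesterServletSecurity01> clazz = TesterServletSecurity01.class;
    ServletSecurity servletSecurity = clazz.getAnnotation(ServletSecurity.class);
    // Convert the annotation into constraints
    ServletSecurityElement servletSecurityElement = new ServletSecurityElement(servletSecurity);
    SecurityConstraint[] constraints = SecurityConstraint.createConstraints(servletSecurityElement, "/*");

    // Create a separate constraint that covers DELETE
    SecurityConstraint deleteConstraint = new SecurityConstraint();
    deleteConstraint.addAuthRole(ROLE1);
    SecurityCollection deleteCollection = new SecurityCollection();
    deleteCollection.addMethod("DELETE");
    deleteCollection.addPattern("/*");
    deleteConstraint.addCollection(deleteCollection);

    TesterMapRealm mapRealm = new TesterMapRealm();

    // Set up the mock request and response
    TesterRequest request = new TesterRequest();
    Response response = new TesterResponse();
    Context context = request.getContext();
    context.addSecurityRole(ROLE1);
    context.addSecurityRole(ROLE2);
    request.setContext(context);

    // Create the principals: user1 has role1, user2 has role2, user99 has
    // no role. The leading null stands for an anonymous request.
    List<String> userRoles1 = new ArrayList<String>();
    userRoles1.add(ROLE1);
    GenericPrincipal gp1 = new GenericPrincipal(USER1, PWD, userRoles1);
    List<String> userRoles2 = new ArrayList<String>();
    userRoles2.add(ROLE2);
    GenericPrincipal gp2 = new GenericPrincipal(USER2, PWD, userRoles2);
    List<String> userRoles99 = new ArrayList<String>();
    GenericPrincipal gp99 = new GenericPrincipal(USER99, PWD, userRoles99);
    GenericPrincipal[] principals = new GenericPrincipal[] { null, gp1, gp2, gp99 };

    // Add the constraints to the context
    for (SecurityConstraint constraint : constraints) {
        context.addConstraint(constraint);
    }
    context.addConstraint(deleteConstraint);

    // All users should be able to perform a GET
    assertAccessByPrincipal(mapRealm, request, response, context, "GET", principals,
            new boolean[] { true, true, true, true });
    // Only user1 should be able to perform a POST as only that user has
    // role1.
    assertAccessByPrincipal(mapRealm, request, response, context, "POST", principals,
            new boolean[] { false, true, false, false });
    // Only users with application roles (role1 or role2 so user1 or user2)
    // should be able to perform a PUT.
    assertAccessByPrincipal(mapRealm, request, response, context, "PUT", principals,
            new boolean[] { false, true, true, false });
    // Only user1 should be able to perform a DELETE as only that user has
    // role1.
    assertAccessByPrincipal(mapRealm, request, response, context, "DELETE", principals,
            new boolean[] { false, true, false, false });
}

/**
 * Resolves the constraints for {@code method} once and then asserts, for
 * each principal in turn, whether {@code realm} grants access.
 *
 * @param realm      the realm whose authorisation logic is under test
 * @param request    mock request; its method and user principal are mutated
 * @param response   mock response passed through to the realm
 * @param context    the context holding the security constraints
 * @param method     HTTP method to check
 * @param principals principals to check, {@code null} for an anonymous request
 * @param expected   expected outcome for each principal, in the same order
 * @throws IOException if {@code hasResourcePermission} fails
 */
private static void assertAccessByPrincipal(TesterMapRealm realm, TesterRequest request,
        Response response, Context context, String method, GenericPrincipal[] principals,
        boolean[] expected) throws IOException {
    request.setMethod(method);
    SecurityConstraint[] methodConstraints = realm.findSecurityConstraints(request, context);
    for (int i = 0; i < principals.length; i++) {
        request.setUserPrincipal(principals[i]);
        boolean allowed = realm.hasResourcePermission(request, response, methodConstraints, null);
        String who = principals[i] == null ? "anonymous" : principals[i].getName();
        Assert.assertEquals(method + " by " + who, expected[i], allowed);
    }
}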
Also used : Context(org.apache.catalina.Context) TesterContext(org.apache.tomcat.unittest.TesterContext) ServletSecurity(javax.servlet.annotation.ServletSecurity) ArrayList(java.util.ArrayList) TesterResponse(org.apache.tomcat.unittest.TesterResponse) ServletSecurityElement(javax.servlet.ServletSecurityElement) SecurityConstraint(org.apache.catalina.deploy.SecurityConstraint) TesterResponse(org.apache.tomcat.unittest.TesterResponse) Response(org.apache.catalina.connector.Response) TesterMapRealm(org.apache.catalina.startup.TesterMapRealm) TesterRequest(org.apache.tomcat.unittest.TesterRequest) SecurityCollection(org.apache.catalina.deploy.SecurityCollection) Test(org.junit.Test)
