
Example 11 with TesterMapRealm

use of org.apache.catalina.startup.TesterMapRealm in project tomcat by apache.

the class TesterDigestAuthenticatorPerformance method setUp.

/**
 * Builds the minimal container tree the authenticator under test needs
 * (the class name suggests a {@code DigestAuthenticator}, whose challenge
 * and response hashing use MD5 - hence the digest pool warm-up).
 * <p>
 * What is wired up:
 * <ul>
 * <li>a Service -> Engine -> Host -> Context chain, because the
 *     authenticator resolves its Realm and LoginConfig through the Context;</li>
 * <li>an in-memory Realm holding exactly one user with one role;</li>
 * <li>a LoginConfig carrying the realm name that goes into the
 *     {@code WWW-Authenticate} challenge.</li>
 * </ul>
 * The nonce-count window is widened for the performance run; NOTE(review):
 * presumably this is the replay-detection window for Digest {@code nc}
 * values - confirm against the authenticator's documentation.
 *
 * @throws Exception if the authenticator fails to start
 */
@Before
public void setUp() throws Exception {
    // Digest authentication hashes with MD5; initialise the shared digest pool first.
    ConcurrentMessageDigest.init("MD5");

    // Container hierarchy, built top-down: Service -> Engine -> Host -> Context.
    Service service = new StandardService();
    Engine engine = new StandardEngine();
    engine.setService(service);
    Host host = new StandardHost();
    host.setParent(engine);
    Context context = new StandardContext();
    context.setName(CONTEXT_PATH);
    context.setParent(host);

    // One fixture user with one role, owned by the Context.
    TesterMapRealm realm = new TesterMapRealm();
    realm.addUser(USER, PWD);
    realm.addUserRole(USER, ROLE);
    context.setRealm(realm);

    // The realm name is what the server advertises in its Digest challenge.
    LoginConfig loginConfig = new LoginConfig();
    loginConfig.setRealmName(REALM);
    context.setLoginConfig(loginConfig);

    // Attach the authenticator to the Context (so it can see Realm and
    // LoginConfig), widen the nonce-count window, then start it.
    authenticator.setContainer(context);
    authenticator.setNonceCountWindowSize(8 * 1024);
    authenticator.start();
}

Example 12 with TesterMapRealm

use of org.apache.catalina.startup.TesterMapRealm in project tomcat by apache.

the class TestStandardWrapper method doTestRoleMapping.

/**
 * Verifies that an application-level role mapping registered on the Context
 * ({@code testRole -> very-complex-role-name}) is honoured regardless of
 * which container the Realm is attached to. It is checked twice: directly via
 * {@code Realm#hasRole}, and then end-to-end through a BASIC-authenticated
 * request so that {@code RealmBase#hasResourcePermission} runs with a real
 * Wrapper supplied by the authenticator.
 *
 * @param realmContainer where to attach the Realm: {@code "engine"},
 *                       {@code "host"} or {@code "context"}
 * @throws IllegalArgumentException for any other {@code realmContainer} value
 * @throws Exception if the embedded Tomcat fails to start or the request fails
 */
private void doTestRoleMapping(String realmContainer) throws Exception {
    Tomcat tomcat = getTomcatInstance();
    // No file system docBase required
    Context ctx = tomcat.addContext("", null);
    // "testRole" is the name the application uses; the Realm only knows the real one.
    ctx.addRoleMapping("testRole", "very-complex-role-name");
    Wrapper wrapper = Tomcat.addServlet(ctx, "servlet", RoleAllowServlet.class.getName());
    ctx.addServletMappingDecoded("/", "servlet");
    ctx.setLoginConfig(new LoginConfig("BASIC", null, null, null));
    ctx.getPipeline().addValve(new BasicAuthenticator());

    // Credential handler for the fixture only: a bare, unsalted "SHA" digest
    // is acceptable for a test password but is not a production-grade
    // password hash (no salt, no iterations).
    MessageDigestCredentialHandler credentialHandler = new MessageDigestCredentialHandler();
    credentialHandler.setAlgorithm("SHA");
    TesterMapRealm realm = new TesterMapRealm();
    realm.setCredentialHandler(credentialHandler);

    // Attach the realm at the requested level. Role mapping must succeed in
    // every case because it is evaluated at Context level.
    switch (realmContainer) {
        case "engine":
            tomcat.getEngine().setRealm(realm);
            break;
        case "host":
            tomcat.getHost().setRealm(realm);
            break;
        case "context":
            ctx.setRealm(realm);
            break;
        default:
            throw new IllegalArgumentException("realmContainer is invalid");
    }

    // Store the digested password so authenticate() must go through the handler.
    realm.addUser("testUser", credentialHandler.mutate("testPwd"));
    for (String role : new String[] { "testRole1", "very-complex-role-name", "another-very-complex-role-name" }) {
        realm.addUserRole("testUser", role);
    }
    tomcat.start();

    Principal principal = realm.authenticate("testUser", "testPwd");
    Assert.assertNotNull(principal);
    Assert.assertEquals("testUser", principal.getName());
    // Granted only through the mapping added above.
    Assert.assertTrue(realm.hasRole(wrapper, principal, "testRole"));
    Assert.assertTrue(realm.hasRole(wrapper, principal, "testRole1"));
    // Never granted: neither a real role nor a mapped one.
    Assert.assertFalse(realm.hasRole(wrapper, principal, "testRole2"));
    Assert.assertTrue(realm.hasRole(wrapper, principal, "very-complex-role-name"));
    Assert.assertTrue(realm.hasRole(wrapper, principal, "another-very-complex-role-name"));

    // Now exercise RealmBase#hasResourcePermission() through the authenticator,
    // the only path that hands it a Wrapper. The header is base64("testUser:testPwd").
    List<String> authHeaders = new ArrayList<>();
    authHeaders.add("Basic dGVzdFVzZXI6dGVzdFB3ZA==");
    Map<String, List<String>> reqHeaders = new HashMap<>();
    reqHeaders.put("Authorization", authHeaders);
    ByteChunk body = new ByteChunk();
    int status = getUrl("http://localhost:" + getPort() + "/", body, reqHeaders, null);
    Assert.assertEquals("OK", body.toString());
    Assert.assertEquals(200, status);
}

Example 13 with TesterMapRealm

use of org.apache.catalina.startup.TesterMapRealm in project tomcat by apache.

the class TestStandardContext method doTestDenyUncoveredHttpMethodsSCI.

/**
 * Checks that {@code deny-uncovered-http-methods} is honoured for security
 * constraints that are registered programmatically from a
 * ServletContainerInitializer rather than from web.xml. The request is sent
 * without credentials: with the flag on, the uncovered method must be refused
 * with 403 (a hard deny, not a 401 authentication challenge); with the flag
 * off, the servlet runs and answers {@code "OK"}.
 *
 * @param enableDeny value passed to {@code Context#setDenyUncoveredHttpMethods}
 * @throws Exception if the embedded Tomcat fails to start or the request fails
 */
private void doTestDenyUncoveredHttpMethodsSCI(boolean enableDeny) throws Exception {
    Tomcat tomcat = getTomcatInstance();
    // No file system docBase required
    Context ctx = tomcat.addContext("", null);
    ctx.setDenyUncoveredHttpMethods(enableDeny);

    // Single fixture user; the password is stored in clear, which is fine for a test realm.
    TesterMapRealm realm = new TesterMapRealm();
    realm.addUser("tomcat", "tomcat");
    realm.addUserRole("tomcat", "tomcat");
    ctx.setRealm(realm);

    // BASIC auth puts an authenticator in the pipeline so constraints are enforced.
    LoginConfig loginConfig = new LoginConfig();
    loginConfig.setAuthMethod("BASIC");
    ctx.setLoginConfig(loginConfig);
    ctx.getPipeline().addValve(new BasicAuthenticator());

    // The SCI presumably registers the servlet and its security constraints
    // programmatically (its source is not part of this listing).
    ServletContainerInitializer sci = new DenyUncoveredHttpMethodsSCI();
    ctx.addServletContainerInitializer(sci, null);
    tomcat.start();

    // Unauthenticated request for the constrained servlet.
    ByteChunk body = new ByteChunk();
    int status = getUrl("http://localhost:" + getPort() + "/test", body, null);
    if (!enableDeny) {
        Assert.assertEquals("OK", body.toString());
        Assert.assertEquals(200, status);
        return;
    }
    // Denied outright: the default error page names the status, and it is 403 (not 401).
    Assert.assertTrue(body.toString().contains("403"));
    Assert.assertEquals(403, status);
}

Example 14 with TesterMapRealm

use of org.apache.catalina.startup.TesterMapRealm in project tomcat by apache.

the class TestRealmBase method doRoleTest.

/**
 * Drives {@code RealmBase#hasResourcePermission} with a synthetic request and
 * two security constraints, and asserts that the access decision equals
 * {@code expected}.
 * <p>
 * A {@code null} role list leaves the corresponding constraint without an
 * auth-constraint (i.e. unrestricted). When {@code applicationRoles} contains
 * {@code SecurityConstraint.ROLE_ALL_AUTHENTICATED_USERS}, each constraint
 * that has roles is additionally told to treat "all authenticated users" as
 * an application role.
 *
 * @param userRoles          roles of the authenticated principal, or
 *                           {@code null} for an unauthenticated request
 * @param constraintOneRoles auth roles of the first constraint, or {@code null}
 * @param constraintTwoRoles auth roles of the second constraint, or {@code null}
 * @param applicationRoles   security roles declared on the Context
 * @param expected           whether access should be granted
 * @throws IOException propagated from {@code hasResourcePermission}
 */
private void doRoleTest(List<String> userRoles, List<String> constraintOneRoles, List<String> constraintTwoRoles, List<String> applicationRoles, boolean expected) throws IOException {
    TesterMapRealm mapRealm = new TesterMapRealm();

    // Configure the security constraints for the resource
    SecurityConstraint[] constraints = new SecurityConstraint[] {
            constraintForRoles(constraintOneRoles, applicationRoles),
            constraintForRoles(constraintTwoRoles, applicationRoles) };

    // Set up the mock request and response
    Request request = new Request(null);
    Response response = new TesterResponse();
    Context context = new TesterContext();
    for (String applicationRole : applicationRoles) {
        context.addSecurityRole(applicationRole);
    }
    request.getMappingData().context = context;

    // Only authenticated requests carry a principal.
    if (userRoles != null) {
        request.setUserPrincipal(new GenericPrincipal(USER1, userRoles));
    }

    boolean granted = mapRealm.hasResourcePermission(request, response, constraints, null);
    Assert.assertEquals(Boolean.valueOf(expected), Boolean.valueOf(granted));
}

/**
 * Builds one constraint for {@link #doRoleTest}. With {@code null}
 * {@code constraintRoles} the constraint stays unrestricted; otherwise it
 * becomes an auth-constraint listing those roles, and - if the application
 * declares {@code ROLE_ALL_AUTHENTICATED_USERS} - all authenticated users are
 * treated as an application role (the original checked this per role, which
 * is kept here so an empty role list never touches {@code applicationRoles}).
 */
private static SecurityConstraint constraintForRoles(List<String> constraintRoles, List<String> applicationRoles) {
    SecurityConstraint constraint = new SecurityConstraint();
    if (constraintRoles == null) {
        return constraint;
    }
    constraint.setAuthConstraint(true);
    for (String role : constraintRoles) {
        constraint.addAuthRole(role);
        if (applicationRoles.contains(SecurityConstraint.ROLE_ALL_AUTHENTICATED_USERS)) {
            constraint.treatAllAuthenticatedUsersAsApplicationRole();
        }
    }
    return constraint;
}

Example 15 with TesterMapRealm

use of org.apache.catalina.startup.TesterMapRealm in project tomcat by apache.

the class TestRealmBase method testHttpConstraint.

/**
 * Covers the special case in section 13.4.1 of the Servlet 3.1 specification
 * for {@link jakarta.servlet.annotation.HttpConstraint}: the constraints
 * derived from the {@code @ServletSecurity} annotation on
 * {@code TesterServletSecurity01} are combined with a separate,
 * descriptor-style constraint that requires ROLE1 for DELETE, and the access
 * decision is checked per HTTP method for an anonymous caller and for three
 * principals (ROLE1 only, ROLE2 only, no roles).
 * <p>
 * Expected outcomes, per method:
 * GET is open to everyone; POST and DELETE need ROLE1; PUT needs any declared
 * application role (ROLE1 or ROLE2); TRACE needs any authenticated user.
 *
 * @throws IOException propagated from {@code hasResourcePermission}
 */
@Test
public void testHttpConstraint() throws IOException {
    // Turn the annotation on the fixture servlet into constraints for "/*".
    ServletSecurity servletSecurity = TesterServletSecurity01.class.getAnnotation(ServletSecurity.class);
    ServletSecurityElement servletSecurityElement = new ServletSecurityElement(servletSecurity);
    SecurityConstraint[] annotationConstraints = SecurityConstraint.createConstraints(servletSecurityElement, "/*");

    // A separate constraint covering DELETE on "/*", restricted to ROLE1.
    SecurityCollection deleteCollection = new SecurityCollection();
    deleteCollection.addMethod("DELETE");
    deleteCollection.addPatternDecoded("/*");
    SecurityConstraint deleteConstraint = new SecurityConstraint();
    deleteConstraint.addAuthRole(ROLE1);
    deleteConstraint.addCollection(deleteCollection);

    // Mock request/response and a Context that declares both application roles.
    TesterMapRealm mapRealm = new TesterMapRealm();
    TesterRequest request = new TesterRequest();
    Response response = new TesterResponse();
    Context context = request.getContext();
    context.addSecurityRole(ROLE1);
    context.addSecurityRole(ROLE2);
    request.getMappingData().context = context;

    // The callers: anonymous (null principal), then one principal per role set.
    GenericPrincipal user1 = principalWithRoles(USER1, ROLE1);
    GenericPrincipal user2 = principalWithRoles(USER2, ROLE2);
    GenericPrincipal user99 = principalWithRoles(USER99);
    GenericPrincipal[] callers = new GenericPrincipal[] { null, user1, user2, user99 };

    // Register all constraints on the Context.
    for (SecurityConstraint constraint : annotationConstraints) {
        context.addConstraint(constraint);
    }
    context.addConstraint(deleteConstraint);

    // GET: everyone, including the unauthenticated caller.
    assertAccessByCaller(mapRealm, request, response, context, "GET", callers,
            new boolean[] { true, true, true, true });
    // POST: only user1, the sole holder of ROLE1.
    assertAccessByCaller(mapRealm, request, response, context, "POST", callers,
            new boolean[] { false, true, false, false });
    // PUT: any holder of an application role (ROLE1 or ROLE2), so user1 and user2.
    assertAccessByCaller(mapRealm, request, response, context, "PUT", callers,
            new boolean[] { false, true, true, false });
    // TRACE: any authenticated user, even one with no roles.
    assertAccessByCaller(mapRealm, request, response, context, "TRACE", callers,
            new boolean[] { false, true, true, true });
    // DELETE: only user1, via the separate ROLE1 constraint.
    assertAccessByCaller(mapRealm, request, response, context, "DELETE", callers,
            new boolean[] { false, true, false, false });
}

/** Creates a principal named {@code name} holding exactly the given roles. */
private static GenericPrincipal principalWithRoles(String name, String... roles) {
    List<String> roleList = new ArrayList<>();
    for (String role : roles) {
        roleList.add(role);
    }
    return new GenericPrincipal(name, roleList);
}

/**
 * Sets the request method, resolves the matching constraints once (before any
 * principal is installed, as the decision must not depend on who is asking),
 * then checks {@code hasResourcePermission} for each caller in turn.
 * {@code callers[i] == null} models an unauthenticated request.
 */
private static void assertAccessByCaller(TesterMapRealm realm, TesterRequest request, Response response, Context context,
        String method, GenericPrincipal[] callers, boolean[] expected) throws IOException {
    request.setMethod(method);
    SecurityConstraint[] constraints = realm.findSecurityConstraints(request, context);
    for (int i = 0; i < callers.length; i++) {
        request.setUserPrincipal(callers[i]);
        String who = callers[i] == null ? "anonymous" : callers[i].getName();
        boolean granted = realm.hasResourcePermission(request, response, constraints, null);
        Assert.assertEquals(method + " as " + who, Boolean.valueOf(expected[i]), Boolean.valueOf(granted));
    }
}
