Search in sources :

Example 6 with TesterRequest

use of org.apache.tomcat.unittest.TesterRequest in project tomcat by apache.

the class TestResponse method testBug53062l.

@Test
public void testBug53062l() throws Exception {
    Request req = new TesterRequest();
    Response resp = new Response();
    resp.setRequest(req);
    String result = resp.toAbsolute("bar.html#/../");
    Assert.assertEquals("http://localhost:8080/level1/level2/bar.html#/../", result);
}
Also used : HttpServletResponse(javax.servlet.http.HttpServletResponse) TesterRequest(org.apache.tomcat.unittest.TesterRequest) HttpServletRequest(javax.servlet.http.HttpServletRequest) TesterRequest(org.apache.tomcat.unittest.TesterRequest) TomcatBaseTest(org.apache.catalina.startup.TomcatBaseTest) Test(org.junit.Test)

Example 7 with TesterRequest

use of org.apache.tomcat.unittest.TesterRequest in project tomcat by apache.

the class TestResponse method testBug53062c.

@Test
public void testBug53062c() throws Exception {
    Request req = new TesterRequest();
    Response resp = new Response();
    resp.setRequest(req);
    String result = resp.toAbsolute("..");
    Assert.assertEquals("http://localhost:8080/level1/", result);
}
Also used : HttpServletResponse(javax.servlet.http.HttpServletResponse) TesterRequest(org.apache.tomcat.unittest.TesterRequest) HttpServletRequest(javax.servlet.http.HttpServletRequest) TesterRequest(org.apache.tomcat.unittest.TesterRequest) TomcatBaseTest(org.apache.catalina.startup.TomcatBaseTest) Test(org.junit.Test)

Example 8 with TesterRequest

use of org.apache.tomcat.unittest.TesterRequest in project tomcat by apache.

the class TestRealmBase method testHttpConstraint.

/*
     * This test case covers the special case in section 13.4.1 of the Servlet
     * 3.1 specification for {@link javax.servlet.annotation.HttpConstraint}.
     */
@Test
public void testHttpConstraint() throws IOException {
    // Get the annotation from the test case
    Class<TesterServletSecurity01> clazz = TesterServletSecurity01.class;
    ServletSecurity servletSecurity = clazz.getAnnotation(ServletSecurity.class);
    // Convert the annotation into constraints
    ServletSecurityElement servletSecurityElement = new ServletSecurityElement(servletSecurity);
    SecurityConstraint[] constraints = SecurityConstraint.createConstraints(servletSecurityElement, "/*");
    // Create a separate constraint that covers DELETE
    SecurityConstraint deleteConstraint = new SecurityConstraint();
    deleteConstraint.addAuthRole(ROLE1);
    SecurityCollection deleteCollection = new SecurityCollection();
    deleteCollection.addMethod("DELETE");
    deleteCollection.addPatternDecoded("/*");
    deleteConstraint.addCollection(deleteCollection);
    TesterMapRealm mapRealm = new TesterMapRealm();
    // Set up the mock request and response
    TesterRequest request = new TesterRequest();
    Response response = new TesterResponse();
    Context context = request.getContext();
    context.addSecurityRole(ROLE1);
    context.addSecurityRole(ROLE2);
    request.getMappingData().context = context;
    // Create the principals
    List<String> userRoles1 = new ArrayList<>();
    userRoles1.add(ROLE1);
    GenericPrincipal gp1 = new GenericPrincipal(USER1, PWD, userRoles1);
    List<String> userRoles2 = new ArrayList<>();
    userRoles2.add(ROLE2);
    GenericPrincipal gp2 = new GenericPrincipal(USER2, PWD, userRoles2);
    List<String> userRoles99 = new ArrayList<>();
    GenericPrincipal gp99 = new GenericPrincipal(USER99, PWD, userRoles99);
    // Add the constraints to the context
    for (SecurityConstraint constraint : constraints) {
        context.addConstraint(constraint);
    }
    context.addConstraint(deleteConstraint);
    // All users should be able to perform a GET
    request.setMethod("GET");
    SecurityConstraint[] constraintsGet = mapRealm.findSecurityConstraints(request, context);
    request.setUserPrincipal(null);
    Assert.assertTrue(mapRealm.hasResourcePermission(request, response, constraintsGet, null));
    request.setUserPrincipal(gp1);
    Assert.assertTrue(mapRealm.hasResourcePermission(request, response, constraintsGet, null));
    request.setUserPrincipal(gp2);
    Assert.assertTrue(mapRealm.hasResourcePermission(request, response, constraintsGet, null));
    request.setUserPrincipal(gp99);
    Assert.assertTrue(mapRealm.hasResourcePermission(request, response, constraintsGet, null));
    // Only user1 should be able to perform a POST as only that user has
    // role1.
    request.setMethod("POST");
    SecurityConstraint[] constraintsPost = mapRealm.findSecurityConstraints(request, context);
    request.setUserPrincipal(null);
    Assert.assertFalse(mapRealm.hasResourcePermission(request, response, constraintsPost, null));
    request.setUserPrincipal(gp1);
    Assert.assertTrue(mapRealm.hasResourcePermission(request, response, constraintsPost, null));
    request.setUserPrincipal(gp2);
    Assert.assertFalse(mapRealm.hasResourcePermission(request, response, constraintsPost, null));
    request.setUserPrincipal(gp99);
    Assert.assertFalse(mapRealm.hasResourcePermission(request, response, constraintsPost, null));
    // Only users with application roles (role1 or role2 so user1 or user2)
    // should be able to perform a PUT.
    request.setMethod("PUT");
    SecurityConstraint[] constraintsPut = mapRealm.findSecurityConstraints(request, context);
    request.setUserPrincipal(null);
    Assert.assertFalse(mapRealm.hasResourcePermission(request, response, constraintsPut, null));
    request.setUserPrincipal(gp1);
    Assert.assertTrue(mapRealm.hasResourcePermission(request, response, constraintsPut, null));
    request.setUserPrincipal(gp2);
    Assert.assertTrue(mapRealm.hasResourcePermission(request, response, constraintsPut, null));
    request.setUserPrincipal(gp99);
    Assert.assertFalse(mapRealm.hasResourcePermission(request, response, constraintsPut, null));
    // Any authenticated user should be able to perform a TRACE.
    request.setMethod("TRACE");
    SecurityConstraint[] constraintsTrace = mapRealm.findSecurityConstraints(request, context);
    request.setUserPrincipal(null);
    Assert.assertFalse(mapRealm.hasResourcePermission(request, response, constraintsTrace, null));
    request.setUserPrincipal(gp1);
    Assert.assertTrue(mapRealm.hasResourcePermission(request, response, constraintsTrace, null));
    request.setUserPrincipal(gp2);
    Assert.assertTrue(mapRealm.hasResourcePermission(request, response, constraintsTrace, null));
    request.setUserPrincipal(gp99);
    Assert.assertTrue(mapRealm.hasResourcePermission(request, response, constraintsTrace, null));
    // Only user1 should be able to perform a DELETE as only that user has
    // role1.
    request.setMethod("DELETE");
    SecurityConstraint[] constraintsDelete = mapRealm.findSecurityConstraints(request, context);
    request.setUserPrincipal(null);
    Assert.assertFalse(mapRealm.hasResourcePermission(request, response, constraintsDelete, null));
    request.setUserPrincipal(gp1);
    Assert.assertTrue(mapRealm.hasResourcePermission(request, response, constraintsDelete, null));
    request.setUserPrincipal(gp2);
    Assert.assertFalse(mapRealm.hasResourcePermission(request, response, constraintsDelete, null));
    request.setUserPrincipal(gp99);
    Assert.assertFalse(mapRealm.hasResourcePermission(request, response, constraintsDelete, null));
}
Also used : Context(org.apache.catalina.Context) TesterContext(org.apache.tomcat.unittest.TesterContext) ServletSecurity(javax.servlet.annotation.ServletSecurity) ArrayList(java.util.ArrayList) TesterResponse(org.apache.tomcat.unittest.TesterResponse) ServletSecurityElement(javax.servlet.ServletSecurityElement) SecurityConstraint(org.apache.tomcat.util.descriptor.web.SecurityConstraint) TesterResponse(org.apache.tomcat.unittest.TesterResponse) Response(org.apache.catalina.connector.Response) TesterMapRealm(org.apache.catalina.startup.TesterMapRealm) TesterRequest(org.apache.tomcat.unittest.TesterRequest) SecurityCollection(org.apache.tomcat.util.descriptor.web.SecurityCollection) Test(org.junit.Test)

Example 9 with TesterRequest

use of org.apache.tomcat.unittest.TesterRequest in project tomcat by apache.

the class TestResponse method testBug53062m.

@Test
public void testBug53062m() throws Exception {
    Request req = new TesterRequest();
    Response resp = new Response();
    resp.setRequest(req);
    String result = resp.toAbsolute("bar.html#/../../");
    Assert.assertEquals("http://localhost:8080/level1/level2/bar.html#/../../", result);
}
Also used : HttpServletResponse(javax.servlet.http.HttpServletResponse) TesterRequest(org.apache.tomcat.unittest.TesterRequest) HttpServletRequest(javax.servlet.http.HttpServletRequest) TesterRequest(org.apache.tomcat.unittest.TesterRequest) TomcatBaseTest(org.apache.catalina.startup.TomcatBaseTest) Test(org.junit.Test)

Example 10 with TesterRequest

use of org.apache.tomcat.unittest.TesterRequest in project tomcat by apache.

the class TestResponse method testBug53062k.

@Test
public void testBug53062k() throws Exception {
    Request req = new TesterRequest();
    Response resp = new Response();
    resp.setRequest(req);
    String result = resp.toAbsolute("./..?x=/../..");
    Assert.assertEquals("http://localhost:8080/level1/?x=/../..", result);
}
Also used : HttpServletResponse(javax.servlet.http.HttpServletResponse) TesterRequest(org.apache.tomcat.unittest.TesterRequest) HttpServletRequest(javax.servlet.http.HttpServletRequest) TesterRequest(org.apache.tomcat.unittest.TesterRequest) TomcatBaseTest(org.apache.catalina.startup.TomcatBaseTest) Test(org.junit.Test)

Aggregations

TesterRequest (org.apache.tomcat.unittest.TesterRequest)26 Test (org.junit.Test)24 TomcatBaseTest (org.apache.catalina.startup.TomcatBaseTest)22 HttpServletRequest (javax.servlet.http.HttpServletRequest)20 HttpServletResponse (javax.servlet.http.HttpServletResponse)20 Locale (java.util.Locale)2 TesterContext (org.apache.tomcat.unittest.TesterContext)2 SecurityConstraint (org.apache.tomcat.util.descriptor.web.SecurityConstraint)2 ArrayList (java.util.ArrayList)1 HashSet (java.util.HashSet)1 ServletSecurityElement (javax.servlet.ServletSecurityElement)1 ServletSecurity (javax.servlet.annotation.ServletSecurity)1 Context (org.apache.catalina.Context)1 Request (org.apache.catalina.connector.Request)1 Response (org.apache.catalina.connector.Response)1 LoggingBaseTest (org.apache.catalina.startup.LoggingBaseTest)1 TesterMapRealm (org.apache.catalina.startup.TesterMapRealm)1 TesterResponse (org.apache.tomcat.unittest.TesterResponse)1 TesterServletContext (org.apache.tomcat.unittest.TesterServletContext)1 SecurityCollection (org.apache.tomcat.util.descriptor.web.SecurityCollection)1