use of org.apache.tomcat.util.descriptor.web.SecurityConstraint in project tomcat by apache.
the class TestRealmBase method testHttpConstraint.
/*
* This test case covers the special case in section 13.4.1 of the Servlet
* 3.1 specification for {@link jakarta.servlet.annotation.HttpConstraint}.
*/
@Test
public void testHttpConstraint() throws IOException {
// Get the annotation from the test case
Class<TesterServletSecurity01> clazz = TesterServletSecurity01.class;
ServletSecurity servletSecurity = clazz.getAnnotation(ServletSecurity.class);
// Convert the annotation into constraints
ServletSecurityElement servletSecurityElement = new ServletSecurityElement(servletSecurity);
SecurityConstraint[] constraints = SecurityConstraint.createConstraints(servletSecurityElement, "/*");
// Create a separate constraint that covers DELETE
SecurityConstraint deleteConstraint = new SecurityConstraint();
deleteConstraint.addAuthRole(ROLE1);
SecurityCollection deleteCollection = new SecurityCollection();
deleteCollection.addMethod("DELETE");
deleteCollection.addPatternDecoded("/*");
deleteConstraint.addCollection(deleteCollection);
TesterMapRealm mapRealm = new TesterMapRealm();
// Set up the mock request and response
TesterRequest request = new TesterRequest();
Response response = new TesterResponse();
Context context = request.getContext();
context.addSecurityRole(ROLE1);
context.addSecurityRole(ROLE2);
request.getMappingData().context = context;
// Create the principals
List<String> userRoles1 = new ArrayList<>();
userRoles1.add(ROLE1);
GenericPrincipal gp1 = new GenericPrincipal(USER1, userRoles1);
List<String> userRoles2 = new ArrayList<>();
userRoles2.add(ROLE2);
GenericPrincipal gp2 = new GenericPrincipal(USER2, userRoles2);
List<String> userRoles99 = new ArrayList<>();
GenericPrincipal gp99 = new GenericPrincipal(USER99, userRoles99);
// Add the constraints to the context
for (SecurityConstraint constraint : constraints) {
context.addConstraint(constraint);
}
context.addConstraint(deleteConstraint);
// All users should be able to perform a GET
request.setMethod("GET");
SecurityConstraint[] constraintsGet = mapRealm.findSecurityConstraints(request, context);
request.setUserPrincipal(null);
Assert.assertTrue(mapRealm.hasResourcePermission(request, response, constraintsGet, null));
request.setUserPrincipal(gp1);
Assert.assertTrue(mapRealm.hasResourcePermission(request, response, constraintsGet, null));
request.setUserPrincipal(gp2);
Assert.assertTrue(mapRealm.hasResourcePermission(request, response, constraintsGet, null));
request.setUserPrincipal(gp99);
Assert.assertTrue(mapRealm.hasResourcePermission(request, response, constraintsGet, null));
// Only user1 should be able to perform a POST as only that user has
// role1.
request.setMethod("POST");
SecurityConstraint[] constraintsPost = mapRealm.findSecurityConstraints(request, context);
request.setUserPrincipal(null);
Assert.assertFalse(mapRealm.hasResourcePermission(request, response, constraintsPost, null));
request.setUserPrincipal(gp1);
Assert.assertTrue(mapRealm.hasResourcePermission(request, response, constraintsPost, null));
request.setUserPrincipal(gp2);
Assert.assertFalse(mapRealm.hasResourcePermission(request, response, constraintsPost, null));
request.setUserPrincipal(gp99);
Assert.assertFalse(mapRealm.hasResourcePermission(request, response, constraintsPost, null));
// Only users with application roles (role1 or role2 so user1 or user2)
// should be able to perform a PUT.
request.setMethod("PUT");
SecurityConstraint[] constraintsPut = mapRealm.findSecurityConstraints(request, context);
request.setUserPrincipal(null);
Assert.assertFalse(mapRealm.hasResourcePermission(request, response, constraintsPut, null));
request.setUserPrincipal(gp1);
Assert.assertTrue(mapRealm.hasResourcePermission(request, response, constraintsPut, null));
request.setUserPrincipal(gp2);
Assert.assertTrue(mapRealm.hasResourcePermission(request, response, constraintsPut, null));
request.setUserPrincipal(gp99);
Assert.assertFalse(mapRealm.hasResourcePermission(request, response, constraintsPut, null));
// Any authenticated user should be able to perform a TRACE.
request.setMethod("TRACE");
SecurityConstraint[] constraintsTrace = mapRealm.findSecurityConstraints(request, context);
request.setUserPrincipal(null);
Assert.assertFalse(mapRealm.hasResourcePermission(request, response, constraintsTrace, null));
request.setUserPrincipal(gp1);
Assert.assertTrue(mapRealm.hasResourcePermission(request, response, constraintsTrace, null));
request.setUserPrincipal(gp2);
Assert.assertTrue(mapRealm.hasResourcePermission(request, response, constraintsTrace, null));
request.setUserPrincipal(gp99);
Assert.assertTrue(mapRealm.hasResourcePermission(request, response, constraintsTrace, null));
// Only user1 should be able to perform a DELETE as only that user has
// role1.
request.setMethod("DELETE");
SecurityConstraint[] constraintsDelete = mapRealm.findSecurityConstraints(request, context);
request.setUserPrincipal(null);
Assert.assertFalse(mapRealm.hasResourcePermission(request, response, constraintsDelete, null));
request.setUserPrincipal(gp1);
Assert.assertTrue(mapRealm.hasResourcePermission(request, response, constraintsDelete, null));
request.setUserPrincipal(gp2);
Assert.assertFalse(mapRealm.hasResourcePermission(request, response, constraintsDelete, null));
request.setUserPrincipal(gp99);
Assert.assertFalse(mapRealm.hasResourcePermission(request, response, constraintsDelete, null));
}
Aggregations