Example 6 with SecurityFilterChain
use of org.codice.ddf.platform.filter.SecurityFilterChain in project ddf by codice.
the class WebSSOFilterTest method testDoFilterReturnsGuestTokenWhenNoHandlersRegisteredAndGuestAccessEnabled.
@Test
public void testDoFilterReturnsGuestTokenWhenNoHandlersRegisteredAndGuestAccessEnabled() throws IOException, AuthenticationException {
ContextPolicyManager policyManager = mock(ContextPolicyManager.class);
when(policyManager.isWhiteListed(MOCK_CONTEXT)).thenReturn(false);
when(policyManager.getGuestAccess()).thenReturn(true);
when(policyManager.getSessionAccess()).thenReturn(true);
WebSSOFilter filter = new WebSSOFilter();
filter.setContextPolicyManager(policyManager);
SecurityFilterChain filterChain = mock(SecurityFilterChain.class);
HttpServletRequest request = mock(HttpServletRequest.class);
when(request.getRequestURI()).thenReturn(MOCK_CONTEXT);
HttpServletResponse response = mock(HttpServletResponse.class);
filter.doFilter(request, response, filterChain);
ArgumentCaptor<HandlerResult> handlerResult = ArgumentCaptor.forClass(HandlerResult.class);
verify(request).setAttribute(eq(DDF_AUTHENTICATION_TOKEN), handlerResult.capture());
assertTrue(handlerResult.getValue().getToken() instanceof GuestAuthenticationToken);
}
Also used :
HttpServletRequest(javax.servlet.http.HttpServletRequest)
SecurityFilterChain(org.codice.ddf.platform.filter.SecurityFilterChain)
GuestAuthenticationToken(org.codice.ddf.security.handler.GuestAuthenticationToken)
HttpServletResponse(javax.servlet.http.HttpServletResponse)
HandlerResult(org.codice.ddf.security.handler.api.HandlerResult)
ContextPolicyManager(org.codice.ddf.security.policy.context.ContextPolicyManager)
Test(org.junit.Test)
Example 7 with SecurityFilterChain
use of org.codice.ddf.platform.filter.SecurityFilterChain in project ddf by codice.
the class WebSSOFilterTest method testDoFilterSessionStorageDisabled.
@Test
public void testDoFilterSessionStorageDisabled() throws Exception {
PrincipalCollection principalCollectionMock = mock(PrincipalCollection.class);
PrincipalHolder principalHolderMock = mock(PrincipalHolder.class);
when(principalHolderMock.getPrincipals()).thenReturn(principalCollectionMock);
HttpSession sessionMock = mock(HttpSession.class);
when(sessionMock.getAttribute(SECURITY_TOKEN_KEY)).thenReturn(principalHolderMock);
HttpServletRequest requestMock = mock(HttpServletRequest.class);
when(requestMock.getSession(any(Boolean.class))).thenReturn(sessionMock);
when(requestMock.getRequestURI()).thenReturn(MOCK_CONTEXT);
HttpServletResponse responseMock = mock(HttpServletResponse.class);
ContextPolicyManager policyManager = mock(ContextPolicyManager.class);
when(policyManager.getSessionAccess()).thenReturn(false);
when(policyManager.isWhiteListed(MOCK_CONTEXT)).thenReturn(false);
ContextPolicy testPolicy = mock(ContextPolicy.class);
when(testPolicy.getAuthenticationMethods()).thenReturn(Collections.singletonList("basic"));
when(policyManager.getContextPolicy(MOCK_CONTEXT)).thenReturn(testPolicy);
AuthenticationHandler handlerMock = mock(AuthenticationHandler.class);
when(handlerMock.getAuthenticationType()).thenReturn("basic");
HandlerResult completedResult = mock(HandlerResult.class);
when(completedResult.getStatus()).thenReturn(Status.COMPLETED);
when(completedResult.getToken()).thenReturn(mock(BaseAuthenticationToken.class));
when(handlerMock.getNormalizedToken(any(ServletRequest.class), any(ServletResponse.class), any(SecurityFilterChain.class), anyBoolean())).thenReturn(completedResult);
SecurityFilterChain filterChain = mock(SecurityFilterChain.class);
WebSSOFilter filter = new WebSSOFilter();
filter.setContextPolicyManager(policyManager);
filter.setHandlerList(Collections.singletonList(handlerMock));
filter.doFilter(requestMock, responseMock, filterChain);
verify(sessionMock, times(0)).getAttribute(SECURITY_TOKEN_KEY);
verify(handlerMock, times(1)).getNormalizedToken(any(), any(), any(), anyBoolean());
verify(requestMock, times(1)).setAttribute(eq(AUTHENTICATION_TOKEN_KEY), any());
}
Also used :
HttpServletRequest(javax.servlet.http.HttpServletRequest)
ServletRequest(javax.servlet.ServletRequest)
HttpServletResponse(javax.servlet.http.HttpServletResponse)
ServletResponse(javax.servlet.ServletResponse)
HttpSession(javax.servlet.http.HttpSession)
PrincipalCollection(org.apache.shiro.subject.PrincipalCollection)
HttpServletResponse(javax.servlet.http.HttpServletResponse)
HandlerResult(org.codice.ddf.security.handler.api.HandlerResult)
ContextPolicy(org.codice.ddf.security.policy.context.ContextPolicy)
ContextPolicyManager(org.codice.ddf.security.policy.context.ContextPolicyManager)
HttpServletRequest(javax.servlet.http.HttpServletRequest)
SecurityFilterChain(org.codice.ddf.platform.filter.SecurityFilterChain)
BaseAuthenticationToken(org.codice.ddf.security.handler.BaseAuthenticationToken)
AuthenticationHandler(org.codice.ddf.security.handler.api.AuthenticationHandler)
Mockito.anyBoolean(org.mockito.Mockito.anyBoolean)
PrincipalHolder(ddf.security.common.PrincipalHolder)
Test(org.junit.Test)
Example 8 with SecurityFilterChain
use of org.codice.ddf.platform.filter.SecurityFilterChain in project ddf by codice.
the class AuthorizationFilterTest method testNoSubject.
@Test
public void testNoSubject() {
ContextPolicyManager contextPolicyManager = new TestPolicyManager();
contextPolicyManager.setContextPolicy(PATH, getMockContextPolicy());
AuthorizationFilter loginFilter = new AuthorizationFilter(contextPolicyManager);
loginFilter.setSecurityLogger(mock(SecurityLogger.class));
loginFilter.init();
HttpServletRequest servletRequest = getMockServletRequest();
HttpServletResponse servletResponse = mock(HttpServletResponse.class);
SecurityFilterChain filterChain = (request, response) -> fail("Should not have called doFilter without a valid Subject");
try {
loginFilter.doFilter(servletRequest, servletResponse, filterChain);
} catch (IOException | AuthenticationException e) {
fail(e.getMessage());
}
}
Also used :
HttpServletRequest(javax.servlet.http.HttpServletRequest)
ArgumentMatchers.any(org.mockito.ArgumentMatchers.any)
ContextPolicy(org.codice.ddf.security.policy.context.ContextPolicy)
KeyValuePermissionImpl(ddf.security.permission.impl.KeyValuePermissionImpl)
HashMap(java.util.HashMap)
HttpServletRequest(javax.servlet.http.HttpServletRequest)
SecurityConstants(ddf.security.SecurityConstants)
Map(java.util.Map)
Assert.fail(org.junit.Assert.fail)
ContextPolicyManager(org.codice.ddf.security.policy.context.ContextPolicyManager)
Before(org.junit.Before)
SecurityLogger(ddf.security.audit.SecurityLogger)
CollectionPermission(ddf.security.permission.CollectionPermission)
SecurityFilterChain(org.codice.ddf.platform.filter.SecurityFilterChain)
Collection(java.util.Collection)
HttpServletResponse(javax.servlet.http.HttpServletResponse)
Subject(ddf.security.Subject)
IOException(java.io.IOException)
Test(org.junit.Test)
Mockito.when(org.mockito.Mockito.when)
CollectionPermissionImpl(ddf.security.permission.impl.CollectionPermissionImpl)
ThreadContext(org.apache.shiro.util.ThreadContext)
AuthenticationException(org.codice.ddf.platform.filter.AuthenticationException)
Collections(java.util.Collections)
ArgumentMatchers.anyString(org.mockito.ArgumentMatchers.anyString)
Mockito.mock(org.mockito.Mockito.mock)
SecurityFilterChain(org.codice.ddf.platform.filter.SecurityFilterChain)
AuthenticationException(org.codice.ddf.platform.filter.AuthenticationException)
HttpServletResponse(javax.servlet.http.HttpServletResponse)
IOException(java.io.IOException)
ContextPolicyManager(org.codice.ddf.security.policy.context.ContextPolicyManager)
SecurityLogger(ddf.security.audit.SecurityLogger)
Test(org.junit.Test)
Example 9 with SecurityFilterChain
use of org.codice.ddf.platform.filter.SecurityFilterChain in project ddf by codice.
the class AuthorizationFilterTest method testUnAuthorizedSubject.
@Test
public void testUnAuthorizedSubject() {
ContextPolicyManager contextPolicyManager = new TestPolicyManager();
contextPolicyManager.setContextPolicy(PATH, getMockContextPolicy());
AuthorizationFilter loginFilter = new AuthorizationFilter(contextPolicyManager);
loginFilter.setSecurityLogger(mock(SecurityLogger.class));
loginFilter.init();
Subject subject = mock(Subject.class);
when(subject.isPermitted(any(CollectionPermission.class))).thenReturn(false);
ThreadContext.bind(subject);
HttpServletRequest servletRequest = getMockServletRequest();
HttpServletResponse servletResponse = mock(HttpServletResponse.class);
SecurityFilterChain filterChain = (request, response) -> fail("Should not have called doFilter without a valid Subject");
try {
loginFilter.doFilter(servletRequest, servletResponse, filterChain);
} catch (IOException | AuthenticationException e) {
fail(e.getMessage());
}
ThreadContext.unbindSubject();
}
Also used :
ArgumentMatchers.any(org.mockito.ArgumentMatchers.any)
ContextPolicy(org.codice.ddf.security.policy.context.ContextPolicy)
KeyValuePermissionImpl(ddf.security.permission.impl.KeyValuePermissionImpl)
HashMap(java.util.HashMap)
HttpServletRequest(javax.servlet.http.HttpServletRequest)
SecurityConstants(ddf.security.SecurityConstants)
Map(java.util.Map)
Assert.fail(org.junit.Assert.fail)
ContextPolicyManager(org.codice.ddf.security.policy.context.ContextPolicyManager)
Before(org.junit.Before)
SecurityLogger(ddf.security.audit.SecurityLogger)
CollectionPermission(ddf.security.permission.CollectionPermission)
SecurityFilterChain(org.codice.ddf.platform.filter.SecurityFilterChain)
Collection(java.util.Collection)
HttpServletResponse(javax.servlet.http.HttpServletResponse)
Subject(ddf.security.Subject)
IOException(java.io.IOException)
Test(org.junit.Test)
Mockito.when(org.mockito.Mockito.when)
CollectionPermissionImpl(ddf.security.permission.impl.CollectionPermissionImpl)
ThreadContext(org.apache.shiro.util.ThreadContext)
AuthenticationException(org.codice.ddf.platform.filter.AuthenticationException)
Collections(java.util.Collections)
ArgumentMatchers.anyString(org.mockito.ArgumentMatchers.anyString)
Mockito.mock(org.mockito.Mockito.mock)
AuthenticationException(org.codice.ddf.platform.filter.AuthenticationException)
HttpServletResponse(javax.servlet.http.HttpServletResponse)
IOException(java.io.IOException)
Subject(ddf.security.Subject)
ContextPolicyManager(org.codice.ddf.security.policy.context.ContextPolicyManager)
HttpServletRequest(javax.servlet.http.HttpServletRequest)
SecurityFilterChain(org.codice.ddf.platform.filter.SecurityFilterChain)
CollectionPermission(ddf.security.permission.CollectionPermission)
SecurityLogger(ddf.security.audit.SecurityLogger)
Test(org.junit.Test)
Example 10 with SecurityFilterChain
use of org.codice.ddf.platform.filter.SecurityFilterChain in project ddf by codice.
the class BasicAuthenticationHandlerTest method testGetNormalizedTokenResolveWithCredentials.
/**
* This test case handles the scenario in which the credentials should be obtained (i.e. resolve
* flag is set) - both requests without and with the credentials are tested.
*/
@Test
public void testGetNormalizedTokenResolveWithCredentials() throws Exception {
BasicAuthenticationHandler handler = new BasicAuthenticationHandler();
HttpServletRequest request = mock(HttpServletRequest.class);
HttpServletResponse response = mock(HttpServletResponse.class);
SecurityFilterChain chain = mock(SecurityFilterChain.class);
when(request.getHeader(HttpHeaders.AUTHORIZATION)).thenReturn("Basic " + Base64.getEncoder().encodeToString(CREDENTIALS.getBytes()));
HandlerResult result = handler.getNormalizedToken(request, response, chain, true);
assertNotNull(result);
assertEquals(HandlerResult.Status.COMPLETED, result.getStatus());
assertEquals("admin", getAttributeValue(result.getToken(), USERNAME_ATTR));
assertEquals("password", getAttributeValue(result.getToken(), PASSWORD_ATTR));
// confirm that no responses were sent through the HttpResponse
Mockito.verify(response, never()).setHeader(anyString(), anyString());
Mockito.verify(response, never()).setStatus(anyInt());
Mockito.verify(response, never()).setContentLength(anyInt());
Mockito.verify(response, never()).flushBuffer();
}
Also used :
HttpServletRequest(javax.servlet.http.HttpServletRequest)
SecurityFilterChain(org.codice.ddf.platform.filter.SecurityFilterChain)
HttpServletResponse(javax.servlet.http.HttpServletResponse)
HandlerResult(org.codice.ddf.security.handler.api.HandlerResult)
Test(org.junit.Test)
Aggregations
SecurityFilterChain (org.codice.ddf.platform.filter.SecurityFilterChain)21
HttpServletRequest (javax.servlet.http.HttpServletRequest)20
Test (org.junit.Test)20
HttpServletResponse (javax.servlet.http.HttpServletResponse)19
HandlerResult (org.codice.ddf.security.handler.api.HandlerResult)15
ContextPolicyManager (org.codice.ddf.security.policy.context.ContextPolicyManager)11
ContextPolicy (org.codice.ddf.security.policy.context.ContextPolicy)9
ServletRequest (javax.servlet.ServletRequest)6
ServletResponse (javax.servlet.ServletResponse)6
AuthenticationException (org.codice.ddf.platform.filter.AuthenticationException)6
SecurityLogger (ddf.security.audit.SecurityLogger)5
AuthenticationHandler (org.codice.ddf.security.handler.api.AuthenticationHandler)5
SecurityConstants (ddf.security.SecurityConstants)4
Subject (ddf.security.Subject)4
CollectionPermission (ddf.security.permission.CollectionPermission)4
CollectionPermissionImpl (ddf.security.permission.impl.CollectionPermissionImpl)4
KeyValuePermissionImpl (ddf.security.permission.impl.KeyValuePermissionImpl)4
IOException (java.io.IOException)4
Collection (java.util.Collection)4
Collections (java.util.Collections)4
