use of org.codice.ddf.platform.filter.SecurityFilterChain in project ddf by codice.
the class WebSSOFilterTest method testDoFilterResolvingOnSecondCall.
@Test
public void testDoFilterResolvingOnSecondCall() throws IOException, AuthenticationException {
ContextPolicy testPolicy = mock(ContextPolicy.class);
when(testPolicy.getAuthenticationMethods()).thenReturn(Collections.singletonList("basic"));
ContextPolicyManager policyManager = mock(ContextPolicyManager.class);
when(policyManager.getContextPolicy(MOCK_CONTEXT)).thenReturn(testPolicy);
when(policyManager.isWhiteListed(MOCK_CONTEXT)).thenReturn(false);
when(policyManager.getSessionAccess()).thenReturn(false);
WebSSOFilter filter = new WebSSOFilter();
// set handlers
AuthenticationHandler handler1 = mock(AuthenticationHandler.class);
when(handler1.getAuthenticationType()).thenReturn("basic");
HandlerResult noActionResult = mock(HandlerResult.class);
when(noActionResult.getStatus()).thenReturn(Status.NO_ACTION);
HandlerResult completedResult = mock(HandlerResult.class);
when(completedResult.getStatus()).thenReturn(Status.COMPLETED);
when(completedResult.getToken()).thenReturn(null);
when(handler1.getNormalizedToken(any(ServletRequest.class), any(ServletResponse.class), any(SecurityFilterChain.class), eq(true))).thenReturn(completedResult);
when(handler1.getNormalizedToken(any(ServletRequest.class), any(ServletResponse.class), any(SecurityFilterChain.class), eq(false))).thenReturn(noActionResult);
filter.setContextPolicyManager(policyManager);
filter.setHandlerList(Collections.singletonList(handler1));
filter.setSecurityLogger(mock(SecurityLogger.class));
SecurityFilterChain filterChain = mock(SecurityFilterChain.class);
HttpServletRequest request = mock(HttpServletRequest.class);
when(request.getRequestURI()).thenReturn(MOCK_CONTEXT);
HttpServletResponse response = mock(HttpServletResponse.class);
try {
filter.doFilter(request, response, filterChain);
} catch (AuthenticationException e) {
}
verify(handler1, times(2)).getNormalizedToken(any(HttpServletRequest.class), any(HttpServletResponse.class), any(SecurityFilterChain.class), anyBoolean());
// the next filter should NOT be called
verify(filterChain, never()).doFilter(request, response);
verify(request, never()).setAttribute(eq(DDF_AUTHENTICATION_TOKEN), any(HandlerResult.class));
}
use of org.codice.ddf.platform.filter.SecurityFilterChain in project ddf by codice.
the class WebSSOFilterTest method testDoFilterGetResultFromSession.
@Test
public void testDoFilterGetResultFromSession() throws Exception {
PrincipalCollection principalCollectionMock = mock(PrincipalCollection.class);
when(principalCollectionMock.byType(any())).thenReturn(Collections.singletonList("principal"));
PrincipalHolder principalHolderMock = mock(PrincipalHolder.class);
when(principalHolderMock.getPrincipals()).thenReturn(principalCollectionMock);
HttpSession sessionMock = mock(HttpSession.class);
when(sessionMock.getAttribute(SECURITY_TOKEN_KEY)).thenReturn(principalHolderMock);
HttpServletRequest requestMock = mock(HttpServletRequest.class);
when(requestMock.getSession(any(Boolean.class))).thenReturn(sessionMock);
when(requestMock.getRequestURI()).thenReturn(MOCK_CONTEXT);
when(requestMock.getRequestedSessionId()).thenReturn("JSESSIONID");
HttpServletResponse responseMock = mock(HttpServletResponse.class);
ContextPolicyManager policyManager = mock(ContextPolicyManager.class);
when(policyManager.getSessionAccess()).thenReturn(true);
when(policyManager.isWhiteListed(MOCK_CONTEXT)).thenReturn(false);
ContextPolicy testPolicy = mock(ContextPolicy.class);
when(testPolicy.getAuthenticationMethods()).thenReturn(Collections.singletonList("basic"));
when(policyManager.getContextPolicy(MOCK_CONTEXT)).thenReturn(testPolicy);
AuthenticationHandler handlerMock = mock(AuthenticationHandler.class);
when(handlerMock.getAuthenticationType()).thenReturn("basic");
HandlerResult completedResult = mock(HandlerResult.class);
when(completedResult.getStatus()).thenReturn(Status.COMPLETED);
when(completedResult.getToken()).thenReturn(mock(BaseAuthenticationToken.class));
when(handlerMock.getNormalizedToken(any(ServletRequest.class), any(ServletResponse.class), any(SecurityFilterChain.class), anyBoolean())).thenReturn(completedResult);
SecurityFilterChain filterChain = mock(SecurityFilterChain.class);
WebSSOFilter filter = new WebSSOFilter();
filter.setContextPolicyManager(policyManager);
filter.setHandlerList(Collections.singletonList(handlerMock));
filter.doFilter(requestMock, responseMock, filterChain);
verify(sessionMock, times(1)).getAttribute(SECURITY_TOKEN_KEY);
verify(handlerMock, times(0)).getNormalizedToken(any(), any(), any(), anyBoolean());
verify(requestMock, times(1)).setAttribute(eq(AUTHENTICATION_TOKEN_KEY), any());
}
use of org.codice.ddf.platform.filter.SecurityFilterChain in project ddf by codice.
the class AuthorizationFilterTest method testBadSubject.
@Test
public void testBadSubject() {
ContextPolicyManager contextPolicyManager = new TestPolicyManager();
contextPolicyManager.setContextPolicy(PATH, getMockContextPolicy());
AuthorizationFilter loginFilter = new AuthorizationFilter(contextPolicyManager);
loginFilter.setSecurityLogger(mock(SecurityLogger.class));
loginFilter.init();
HttpServletRequest servletRequest = getMockServletRequest();
servletRequest.setAttribute(SecurityConstants.SECURITY_SUBJECT, mock(Subject.class));
HttpServletResponse servletResponse = mock(HttpServletResponse.class);
SecurityFilterChain filterChain = (request, response) -> fail("Should not have called doFilter without a valid Subject");
try {
loginFilter.doFilter(servletRequest, servletResponse, filterChain);
} catch (IOException | AuthenticationException e) {
fail(e.getMessage());
}
}
use of org.codice.ddf.platform.filter.SecurityFilterChain in project ddf by codice.
the class AuthorizationFilterTest method testAuthorizedSubject.
@Test
public void testAuthorizedSubject() {
ContextPolicyManager contextPolicyManager = new TestPolicyManager();
contextPolicyManager.setContextPolicy(PATH, getMockContextPolicy());
AuthorizationFilter loginFilter = new AuthorizationFilter(contextPolicyManager);
loginFilter.setSecurityLogger(mock(SecurityLogger.class));
loginFilter.init();
Subject subject = mock(Subject.class);
when(subject.isPermitted(any(CollectionPermission.class))).thenReturn(true);
ThreadContext.bind(subject);
HttpServletRequest servletRequest = getMockServletRequest();
HttpServletResponse servletResponse = mock(HttpServletResponse.class);
SecurityFilterChain filterChain = (request, response) -> sucess = true;
try {
loginFilter.doFilter(servletRequest, servletResponse, filterChain);
if (!sucess) {
fail("Should have called doFilter with a valid Subject");
}
} catch (IOException | AuthenticationException e) {
fail(e.getMessage());
}
ThreadContext.unbindSubject();
}
use of org.codice.ddf.platform.filter.SecurityFilterChain in project ddf by codice.
the class BasicAuthenticationHandlerTest method testGetNormalizedTokenResolveWithoutCredentials.
/**
* This test case handles the scenario in which the credentials should be obtained (i.e. resolve
* flag is set) - both requests without and with the credentials are tested.
*/
@Test
public void testGetNormalizedTokenResolveWithoutCredentials() throws IOException {
BasicAuthenticationHandler handler = new BasicAuthenticationHandler();
HttpServletRequest request = mock(HttpServletRequest.class);
HttpServletResponse response = mock(HttpServletResponse.class);
SecurityFilterChain chain = mock(SecurityFilterChain.class);
HandlerResult result = handler.getNormalizedToken(request, response, chain, true);
assertNotNull(result);
assertEquals(HandlerResult.Status.REDIRECTED, result.getStatus());
// confirm that the proper responses were sent through the HttpResponse
Mockito.verify(response).setStatus(HttpServletResponse.SC_UNAUTHORIZED);
Mockito.verify(response).setContentLength(0);
Mockito.verify(response).flushBuffer();
}
Aggregations