
Example 1 with FormAuthenticator

use of org.eclipse.jetty.security.authentication.FormAuthenticator in project jetty.project by eclipse.

In class ConstraintTest, method testFormRedirect.

/**
 * Exercises form login for a client that sends cookies. An unauthenticated
 * request to a constrained path is redirected to the login page, a rejected
 * credential is answered with another redirect, an accepted credential is
 * redirected back to the originally requested URI, and the authenticated
 * session is then checked against the role constraints.
 *
 * @throws Exception if the server fails to start or a request cannot be made
 */
@Test
public void testFormRedirect() throws Exception {
    _security.setAuthenticator(new FormAuthenticator("/testLoginPage", "/testErrorPage", false));
    _server.start();

    final String crlf = "\r\n";
    final String formType = "Content-Type: application/x-www-form-urlencoded" + crlf;
    final String badLogin = "j_username=user&j_password=wrong";
    final String goodLogin = "j_username=user&j_password=password";

    // Paths without a constraint, or with a forbidding one, are answered without any login step.
    String rsp = _connector.getResponse("GET /ctx/noauth/info HTTP/1.0" + crlf + crlf);
    Assert.assertThat(rsp, Matchers.startsWith("HTTP/1.1 200 OK"));
    rsp = _connector.getResponse("GET /ctx/forbid/info HTTP/1.0" + crlf + crlf);
    Assert.assertThat(rsp, Matchers.startsWith("HTTP/1.1 403 Forbidden"));

    // The first constrained request is redirected to the login page and a session cookie is set.
    rsp = _connector.getResponse("GET /ctx/auth/info HTTP/1.0" + crlf + crlf);
    Assert.assertThat(rsp, Matchers.containsString(" 302 Found"));
    Assert.assertThat(rsp, Matchers.containsString("/ctx/testLoginPage"));
    String sessionId = rsp.substring(rsp.indexOf("JSESSIONID=") + "JSESSIONID=".length(), rsp.indexOf(";Path=/ctx"));
    String cookie = "Cookie: JSESSIONID=" + sessionId + crlf;

    rsp = _connector.getResponse("GET /ctx/testLoginPage HTTP/1.0" + crlf + cookie + crlf);
    Assert.assertThat(rsp, Matchers.containsString(" 200 OK"));
    Assert.assertThat(rsp, Matchers.containsString("URI=/ctx/testLoginPage"));

    // A wrong password is answered with a redirect rather than the protected resource.
    rsp = _connector.getResponse("POST /ctx/j_security_check HTTP/1.0" + crlf + cookie + formType + "Content-Length: " + badLogin.length() + crlf + crlf + badLogin);
    Assert.assertThat(rsp, Matchers.containsString("Location"));

    // A correct password redirects back to the URI that triggered the login.
    rsp = _connector.getResponse("POST /ctx/j_security_check HTTP/1.0" + crlf + cookie + formType + "Content-Length: " + goodLogin.length() + crlf + crlf + goodLogin);
    Assert.assertThat(rsp, Matchers.startsWith("HTTP/1.1 302 "));
    Assert.assertThat(rsp, Matchers.containsString("Location"));
    Assert.assertThat(rsp, Matchers.containsString("/ctx/auth/info"));
    // The login response sets a new session cookie; later requests must present that one.
    sessionId = rsp.substring(rsp.indexOf("JSESSIONID=") + "JSESSIONID=".length(), rsp.indexOf(";Path=/ctx"));
    cookie = "Cookie: JSESSIONID=" + sessionId + crlf;

    rsp = _connector.getResponse("GET /ctx/auth/info HTTP/1.0" + crlf + cookie + crlf);
    Assert.assertThat(rsp, Matchers.startsWith("HTTP/1.1 200 OK"));

    // The authenticated user lacks the role required for /admin/*.
    rsp = _connector.getResponse("GET /ctx/admin/info HTTP/1.0" + crlf + cookie + crlf);
    Assert.assertThat(rsp, Matchers.startsWith("HTTP/1.1 403"));
    Assert.assertThat(rsp, Matchers.containsString("!role"));
}
Also used : FormAuthenticator(org.eclipse.jetty.security.authentication.FormAuthenticator) Test(org.junit.Test)

Example 2 with FormAuthenticator

use of org.eclipse.jetty.security.authentication.FormAuthenticator in project jetty.project by eclipse.

In class ConstraintTest, method testFormNoCookies.

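/**
 * Exercises form login for a client that does not send cookies: the session
 * id travels in the {@code ;jsessionid=} path parameter of every request
 * instead of a {@code Cookie} header. The flow is otherwise the cookie one -
 * redirect to the login page, rejected credential, accepted credential,
 * redirect back to the original URI, then role enforcement on the
 * authenticated session.
 *
 * @throws Exception if the server fails to start or a request cannot be made
 */
@Test
public void testFormNoCookies() throws Exception {
    _security.setAuthenticator(new FormAuthenticator("/testLoginPage", "/testErrorPage", false));
    _server.start();

    final String crlf = "\r\n";
    final String formType = "Content-Type: application/x-www-form-urlencoded" + crlf;
    // Content-Length is derived from the body so the header can never disagree with
    // the bytes sent; the previous hand-counted 31 truncated the 32-byte wrong-password form.
    final String badLogin = "j_username=user&j_password=wrong";
    final String goodLogin = "j_username=user&j_password=password";

    String rsp = _connector.getResponse("GET /ctx/noauth/info HTTP/1.0" + crlf + crlf);
    Assert.assertThat(rsp, Matchers.startsWith("HTTP/1.1 200 OK"));
    rsp = _connector.getResponse("GET /ctx/forbid/info HTTP/1.0" + crlf + crlf);
    Assert.assertThat(rsp, Matchers.startsWith("HTTP/1.1 403 Forbidden"));

    // With no cookie on the request the session id appears as a path parameter in the redirect.
    rsp = _connector.getResponse("GET /ctx/auth/info HTTP/1.0" + crlf + crlf);
    Assert.assertThat(rsp, Matchers.containsString(" 302 Found"));
    Assert.assertThat(rsp, Matchers.containsString("/ctx/testLoginPage"));
    int idAt = rsp.indexOf(";jsessionid=");
    String sessionId = rsp.substring(idAt + ";jsessionid=".length(), rsp.indexOf(crlf, idAt));
    // An unrelated ";other" path parameter is sent alongside the session id on every request.
    String sessionPath = ";jsessionid=" + sessionId + ";other HTTP/1.0" + crlf;

    rsp = _connector.getResponse("GET /ctx/testLoginPage" + sessionPath + crlf);
    Assert.assertThat(rsp, Matchers.containsString(" 200 OK"));
    Assert.assertThat(rsp, Matchers.containsString("URI=/ctx/testLoginPage"));

    // A wrong password is answered with a redirect rather than the protected resource.
    rsp = _connector.getResponse("POST /ctx/j_security_check" + sessionPath + formType + "Content-Length: " + badLogin.length() + crlf + crlf + badLogin);
    Assert.assertThat(rsp, Matchers.containsString("Location"));

    // A correct password redirects back to the URI that triggered the login.
    rsp = _connector.getResponse("POST /ctx/j_security_check" + sessionPath + formType + "Content-Length: " + goodLogin.length() + crlf + crlf + goodLogin);
    Assert.assertThat(rsp, Matchers.startsWith("HTTP/1.1 302 "));
    Assert.assertThat(rsp, Matchers.containsString("Location"));
    Assert.assertThat(rsp, Matchers.containsString("/ctx/auth/info"));
    // The login response carries a new session id in a Set-Cookie; it is reused here as a path parameter.
    sessionId = rsp.substring(rsp.indexOf("JSESSIONID=") + "JSESSIONID=".length(), rsp.indexOf(";Path=/ctx"));
    sessionPath = ";jsessionid=" + sessionId + ";other HTTP/1.0" + crlf;

    rsp = _connector.getResponse("GET /ctx/auth/info" + sessionPath + crlf);
    Assert.assertThat(rsp, Matchers.startsWith("HTTP/1.1 200 OK"));

    // The authenticated user lacks the role required for /admin/*.
    rsp = _connector.getResponse("GET /ctx/admin/info" + sessionPath + crlf);
    Assert.assertThat(rsp, Matchers.startsWith("HTTP/1.1 403"));
    Assert.assertThat(rsp, Matchers.containsString("!role"));
}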
Also used : FormAuthenticator(org.eclipse.jetty.security.authentication.FormAuthenticator) Constraint(org.eclipse.jetty.util.security.Constraint) Test(org.junit.Test)

Example 3 with FormAuthenticator

use of org.eclipse.jetty.security.authentication.FormAuthenticator in project jetty.project by eclipse.

In class ConstraintTest, method testStrictFormRedirect.

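/**
 * Exercises form login across several users with different roles: a login
 * redirect whose authority comes from an explicit {@code Host} header, a
 * user who authenticates but holds no required role, the {@code **}
 * ("any authenticated user") constraint on {@code /ctx/starstar/*}, and
 * finally an admin who may reach {@code /ctx/admin/*}.
 *
 * @throws Exception if the server fails to start or a request cannot be made
 */
@Test
public void testStrictFormRedirect() throws Exception {
    _security.setAuthenticator(new FormAuthenticator("/testLoginPage", "/testErrorPage", false));
    _server.start();

    final String crlf = "\r\n";
    final String formType = "Content-Type: application/x-www-form-urlencoded" + crlf;
    final String cookiePrefix = "Cookie: JSESSIONID=";

    String rsp = _connector.getResponse("GET /ctx/noauth/info HTTP/1.0" + crlf + crlf);
    Assert.assertThat(rsp, Matchers.startsWith("HTTP/1.1 200 OK"));
    rsp = _connector.getResponse("GET /ctx/forbid/info HTTP/1.0" + crlf + crlf);
    Assert.assertThat(rsp, Matchers.startsWith("HTTP/1.1 403 Forbidden"));

    // The login redirect is absolute and takes its host and port from the request's
    // Host header, so a front end in a real deployment should only pass through Host
    // values it trusts; otherwise the redirect Location follows whatever the client sent.
    rsp = _connector.getResponse("GET /ctx/auth/info HTTP/1.0" + crlf + "Host:wibble.com:8888" + crlf + crlf);
    Assert.assertThat(rsp, Matchers.containsString(" 302 Found"));
    Assert.assertThat(rsp, Matchers.containsString("http://wibble.com:8888/ctx/testLoginPage"));
    String sessionId = rsp.substring(rsp.indexOf("JSESSIONID=") + "JSESSIONID=".length(), rsp.indexOf(";Path=/ctx"));
    String cookie = cookiePrefix + sessionId + crlf;

    // Content-Length is computed from the body so the header cannot disagree with the
    // bytes sent; the previous hand-counted 31 truncated the 32-byte wrong-password form.
    String body = "j_username=user&j_password=wrong";
    rsp = _connector.getResponse("POST /ctx/j_security_check HTTP/1.0" + crlf + cookie + formType + "Content-Length: " + body.length() + crlf + crlf + body);
    Assert.assertThat(rsp, Matchers.containsString("Location"));

    // user3 authenticates successfully but holds none of the roles required by /auth/* or /admin/*.
    body = "j_username=user3&j_password=password";
    rsp = _connector.getResponse("POST /ctx/j_security_check HTTP/1.0" + crlf + cookie + formType + "Content-Length: " + body.length() + crlf + crlf + body);
    Assert.assertThat(rsp, Matchers.startsWith("HTTP/1.1 302 "));
    Assert.assertThat(rsp, Matchers.containsString("Location"));
    Assert.assertThat(rsp, Matchers.containsString("/ctx/auth/info"));
    sessionId = rsp.substring(rsp.indexOf("JSESSIONID=") + "JSESSIONID=".length(), rsp.indexOf(";Path=/ctx"));
    cookie = cookiePrefix + sessionId + crlf;
    rsp = _connector.getResponse("GET /ctx/auth/info HTTP/1.0" + crlf + cookie + crlf);
    Assert.assertThat(rsp, Matchers.startsWith("HTTP/1.1 403"));
    Assert.assertThat(rsp, Matchers.containsString("!role"));
    rsp = _connector.getResponse("GET /ctx/admin/info HTTP/1.0" + crlf + cookie + crlf);
    Assert.assertThat(rsp, Matchers.startsWith("HTTP/1.1 403"));
    Assert.assertThat(rsp, Matchers.containsString("!role"));

    // Log in again as user2, who may read /auth/* but not /admin/*.
    rsp = _connector.getResponse("GET /ctx/auth/info HTTP/1.0" + crlf + crlf);
    Assert.assertThat(rsp, Matchers.startsWith("HTTP/1.1 302 "));
    Assert.assertThat(rsp, Matchers.containsString("testLoginPage"));
    sessionId = rsp.substring(rsp.indexOf("JSESSIONID=") + "JSESSIONID=".length(), rsp.indexOf(";Path=/ctx"));
    cookie = cookiePrefix + sessionId + crlf;
    body = "j_username=user2&j_password=password";
    rsp = _connector.getResponse("POST /ctx/j_security_check HTTP/1.0" + crlf + cookie + formType + "Content-Length: " + body.length() + crlf + crlf + body);
    Assert.assertThat(rsp, Matchers.startsWith("HTTP/1.1 302 "));
    Assert.assertThat(rsp, Matchers.containsString("Location"));
    Assert.assertThat(rsp, Matchers.containsString("/ctx/auth/info"));
    sessionId = rsp.substring(rsp.indexOf("JSESSIONID=") + "JSESSIONID=".length(), rsp.indexOf(";Path=/ctx"));
    cookie = cookiePrefix + sessionId + crlf;
    rsp = _connector.getResponse("GET /ctx/auth/info HTTP/1.0" + crlf + cookie + crlf);
    Assert.assertThat(rsp, Matchers.startsWith("HTTP/1.1 200 OK"));
    rsp = _connector.getResponse("GET /ctx/admin/info HTTP/1.0" + crlf + cookie + crlf);
    Assert.assertThat(rsp, Matchers.startsWith("HTTP/1.1 403"));
    Assert.assertThat(rsp, Matchers.containsString("!role"));

    // user3 has no valid role, but the ** constraint on /starstar/* only requires authentication.
    rsp = _connector.getResponse("GET /ctx/starstar/info HTTP/1.0" + crlf + crlf);
    Assert.assertThat(rsp, Matchers.startsWith("HTTP/1.1 302 "));
    Assert.assertThat(rsp, Matchers.containsString("testLoginPage"));
    sessionId = rsp.substring(rsp.indexOf("JSESSIONID=") + "JSESSIONID=".length(), rsp.indexOf(";Path=/ctx"));
    cookie = cookiePrefix + sessionId + crlf;
    body = "j_username=user3&j_password=password";
    rsp = _connector.getResponse("POST /ctx/j_security_check HTTP/1.0" + crlf + cookie + formType + "Content-Length: " + body.length() + crlf + crlf + body);
    Assert.assertThat(rsp, Matchers.startsWith("HTTP/1.1 302 "));
    Assert.assertThat(rsp, Matchers.containsString("Location"));
    Assert.assertThat(rsp, Matchers.containsString("/ctx/starstar/info"));
    sessionId = rsp.substring(rsp.indexOf("JSESSIONID=") + "JSESSIONID=".length(), rsp.indexOf(";Path=/ctx"));
    cookie = cookiePrefix + sessionId + crlf;
    rsp = _connector.getResponse("GET /ctx/starstar/info HTTP/1.0" + crlf + cookie + crlf);
    Assert.assertThat(rsp, Matchers.startsWith("HTTP/1.1 200 OK"));

    // Log in again as admin. Only the fresh session id from this redirect is needed;
    // its status line and Location are deliberately not asserted.
    rsp = _connector.getResponse("GET /ctx/auth/info HTTP/1.0" + crlf + crlf);
    sessionId = rsp.substring(rsp.indexOf("JSESSIONID=") + "JSESSIONID=".length(), rsp.indexOf(";Path=/ctx"));
    cookie = cookiePrefix + sessionId + crlf;
    body = "j_username=admin&j_password=password";
    rsp = _connector.getResponse("POST /ctx/j_security_check HTTP/1.0" + crlf + cookie + formType + "Content-Length: " + body.length() + crlf + crlf + body);
    Assert.assertThat(rsp, Matchers.startsWith("HTTP/1.1 302 "));
    Assert.assertThat(rsp, Matchers.containsString("Location"));
    Assert.assertThat(rsp, Matchers.containsString("/ctx/auth/info"));
    sessionId = rsp.substring(rsp.indexOf("JSESSIONID=") + "JSESSIONID=".length(), rsp.indexOf(";Path=/ctx"));
    cookie = cookiePrefix + sessionId + crlf;
    rsp = _connector.getResponse("GET /ctx/auth/info HTTP/1.0" + crlf + cookie + crlf);
    Assert.assertThat(rsp, Matchers.startsWith("HTTP/1.1 200 OK"));
    // admin is the only user in this test that is allowed through /admin/*.
    rsp = _connector.getResponse("GET /ctx/admin/info HTTP/1.0" + crlf + cookie + crlf);
    Assert.assertThat(rsp, Matchers.startsWith("HTTP/1.1 200 OK"));
}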
Also used : FormAuthenticator(org.eclipse.jetty.security.authentication.FormAuthenticator) Test(org.junit.Test)

Example 4 with FormAuthenticator

use of org.eclipse.jetty.security.authentication.FormAuthenticator in project jetty.project by eclipse.

In class ConstraintTest, method testFormPostRedirect.

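/**
 * Exercises form login when the request that triggers it is a POST: the
 * posted form is held while the user logs in, an unrelated request on the
 * same session must not be served it, and the original URI requested as a
 * GET afterwards is answered with the held form parameters.
 *
 * @throws Exception if the server fails to start or a request cannot be made
 */
@Test
public void testFormPostRedirect() throws Exception {
    _security.setAuthenticator(new FormAuthenticator("/testLoginPage", "/testErrorPage", false));
    _server.start();

    final String crlf = "\r\n";
    final String formType = "Content-Type: application/x-www-form-urlencoded" + crlf;
    final String cookiePrefix = "Cookie: JSESSIONID=";

    String rsp = _connector.getResponse("GET /ctx/noauth/info HTTP/1.0" + crlf + crlf);
    Assert.assertThat(rsp, Matchers.startsWith("HTTP/1.1 200 OK"));
    rsp = _connector.getResponse("GET /ctx/forbid/info HTTP/1.0" + crlf + crlf);
    Assert.assertThat(rsp, Matchers.startsWith("HTTP/1.1 403 Forbidden"));

    // Every Content-Length below is computed from its body so the header cannot disagree
    // with the bytes sent: the hand-counted 27 included the CRLF that followed the form,
    // and 31 truncated the 32-byte wrong-password form.
    String body = "test_parameter=test_value";
    rsp = _connector.getResponse("POST /ctx/auth/info HTTP/1.0" + crlf + formType + "Content-Length: " + body.length() + crlf + crlf + body);
    Assert.assertThat(rsp, Matchers.containsString(" 302 Found"));
    Assert.assertThat(rsp, Matchers.containsString("/ctx/testLoginPage"));
    String sessionId = rsp.substring(rsp.indexOf("JSESSIONID=") + "JSESSIONID=".length(), rsp.indexOf(";Path=/ctx"));
    String cookie = cookiePrefix + sessionId + crlf;

    rsp = _connector.getResponse("GET /ctx/testLoginPage HTTP/1.0" + crlf + cookie + crlf);
    Assert.assertThat(rsp, Matchers.containsString(" 200 OK"));
    Assert.assertThat(rsp, Matchers.containsString("URI=/ctx/testLoginPage"));

    // A wrong password is answered with a redirect rather than the protected resource.
    body = "j_username=user&j_password=wrong";
    rsp = _connector.getResponse("POST /ctx/j_security_check HTTP/1.0" + crlf + cookie + formType + "Content-Length: " + body.length() + crlf + crlf + body);
    Assert.assertThat(rsp, Matchers.containsString("Location"));

    // A correct password redirects back to the URI of the held POST.
    body = "j_username=user&j_password=password";
    rsp = _connector.getResponse("POST /ctx/j_security_check HTTP/1.0" + crlf + cookie + formType + "Content-Length: " + body.length() + crlf + crlf + body);
    Assert.assertThat(rsp, Matchers.startsWith("HTTP/1.1 302 "));
    Assert.assertThat(rsp, Matchers.containsString("Location"));
    Assert.assertThat(rsp, Matchers.containsString("/ctx/auth/info"));
    sessionId = rsp.substring(rsp.indexOf("JSESSIONID=") + "JSESSIONID=".length(), rsp.indexOf(";Path=/ctx"));
    cookie = cookiePrefix + sessionId + crlf;

    // An unrelated request on the authenticated session must not be served the held POST.
    rsp = _connector.getResponse("GET /ctx/auth/other HTTP/1.0" + crlf + cookie + crlf);
    Assert.assertThat(rsp, Matchers.startsWith("HTTP/1.1 200 OK"));
    Assert.assertFalse(rsp.contains("test_value"));

    // Requesting the held URI as a GET is answered with the originally posted parameters.
    rsp = _connector.getResponse("GET /ctx/auth/info HTTP/1.0" + crlf + cookie + crlf);
    Assert.assertThat(rsp, Matchers.startsWith("HTTP/1.1 200 OK"));
    Assert.assertTrue(rsp.contains("test_value"));

    // The authenticated user lacks the role required for /admin/*.
    rsp = _connector.getResponse("GET /ctx/admin/info HTTP/1.0" + crlf + cookie + crlf);
    Assert.assertThat(rsp, Matchers.startsWith("HTTP/1.1 403"));
    Assert.assertThat(rsp, Matchers.containsString("!role"));
}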
Also used : FormAuthenticator(org.eclipse.jetty.security.authentication.FormAuthenticator) Test(org.junit.Test)

Example 5 with FormAuthenticator

use of org.eclipse.jetty.security.authentication.FormAuthenticator in project drill by apache.

In class WebServer, method createSecurityHandler.

/**
 * Builds the security handler for the web server: form-based authentication
 * backed by a {@link DrillRestLoginService}, the two roles this server
 * knows about, and no constraint mappings of its own.
 *
 * @return {@link SecurityHandler} with appropriate {@link LoginService}, {@link Authenticator} and constraints.
 */
private ConstraintSecurityHandler createSecurityHandler() {
    final ConstraintSecurityHandler handler = new ConstraintSecurityHandler();
    // The login service is built from the work manager's context.
    handler.setLoginService(new DrillRestLoginService(workManager.getContext()));
    // Login page and error page are the same URI; the third argument is the dispatch flag.
    handler.setAuthenticator(new FormAuthenticator("/login", "/login", true));
    // Roles are declared up front so they are known even though no mappings are registered here.
    final Set<String> roles = ImmutableSet.of(AUTHENTICATED_ROLE, ADMIN_ROLE);
    handler.setConstraintMappings(Collections.<ConstraintMapping>emptyList(), roles);
    return handler;
}
Also used : ConstraintSecurityHandler(org.eclipse.jetty.security.ConstraintSecurityHandler) FormAuthenticator(org.eclipse.jetty.security.authentication.FormAuthenticator) DrillRestLoginService(org.apache.drill.exec.server.rest.auth.DrillRestLoginService)

Aggregations

FormAuthenticator (org.eclipse.jetty.security.authentication.FormAuthenticator)13 Test (org.junit.Test)6 ConstraintSecurityHandler (org.eclipse.jetty.security.ConstraintSecurityHandler)4 DrillRestLoginService (org.apache.drill.exec.server.rest.auth.DrillRestLoginService)2 BasicAuthenticator (org.eclipse.jetty.security.authentication.BasicAuthenticator)2 ClientCertAuthenticator (org.eclipse.jetty.security.authentication.ClientCertAuthenticator)2 DigestAuthenticator (org.eclipse.jetty.security.authentication.DigestAuthenticator)2 SpnegoAuthenticator (org.eclipse.jetty.security.authentication.SpnegoAuthenticator)2 Constraint (org.eclipse.jetty.util.security.Constraint)1