001: /**
002: * Licensed to the Apache Software Foundation (ASF) under one or more
003: * contributor license agreements. See the NOTICE file distributed with
004: * this work for additional information regarding copyright ownership.
005: * The ASF licenses this file to You under the Apache License, Version 2.0
006: * (the "License"); you may not use this file except in compliance with
007: * the License. You may obtain a copy of the License at
008: *
009: * http://www.apache.org/licenses/LICENSE-2.0
010: *
011: * Unless required by applicable law or agreed to in writing, software
012: * distributed under the License is distributed on an "AS IS" BASIS,
013: * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
014: * See the License for the specific language governing permissions and
015: * limitations under the License.
016: */package org.apache.geronimo.tomcat;
017:
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.security.Principal;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;

import javax.management.ObjectName;
import javax.security.jacc.WebResourcePermission;
import javax.security.jacc.WebUserDataPermission;

import org.apache.geronimo.security.credentialstore.CredentialStore;
import org.apache.geronimo.security.deploy.PrincipalInfo;
import org.apache.geronimo.security.deploy.Role;
import org.apache.geronimo.security.deploy.Security;
import org.apache.geronimo.security.deploy.SubjectInfo;
import org.apache.geronimo.security.deployment.GeronimoSecurityBuilderImpl;
import org.apache.geronimo.security.jacc.ComponentPermissions;
import org.apache.geronimo.tomcat.util.SecurityHolder;
044:
045: /**
046: * Tests the JACC security for Tomcat
047: *
048: * @version $Revision: 546336 $ $Date: 2007-06-11 17:47:54 -0700 (Mon, 11 Jun 2007) $
049: */
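public class JACCSecurityTest extends AbstractWebModuleTest {

    /** Not referenced by this test. */
    ObjectName appName = null;

    /**
     * Test the explicit map feature: the role {@code content-administrator}
     * is mapped explicitly onto the realm group {@code it}, and
     * {@code /protected/*} is granted only through roles (nothing is
     * unchecked).
     * <p>
     * Both users authenticate successfully through the form login, but only
     * alan (presumably a member of {@code it} in the demo realm) is then
     * authorized for {@code /protected/hello.txt}; izumi authenticates and
     * is refused with 403.
     *
     * @throws Exception thrown if an error in the test occurs
     */
    public void testExplicitMapping() throws Exception {

        // --- deployment-side security configuration ------------------------
        Security securityConfig = new Security();
        securityConfig.setUseContextHandler(false);

        String securityRealmName = "demo-properties-realm";
        String defaultPrincipalId = "izumi";
        SubjectInfo defaultSubjectInfo = new SubjectInfo(
                securityRealmName, defaultPrincipalId);
        securityConfig.setDefaultSubjectInfo(defaultSubjectInfo);

        // Explicit mapping: role "content-administrator" <- realm group "it".
        Role role = new Role();
        role.setRoleName("content-administrator");
        PrincipalInfo principalInfo = new PrincipalInfo(
                "org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal",
                "it");
        role.getPrincipals().add(principalInfo);
        securityConfig.getRoleMappings().put(role.getRoleName(), role);

        // NOTE(review): buildPrincipalRoleMap() declares its third parameter
        // as Map<String, Set<Principal>>, but it is actually filled with
        // Principal keys and Set<String> role-name values (see invertMap);
        // the raw Map here avoids a misleading type.
        Map roleDesignates = new HashMap();
        Map principalRoleMap = new HashMap();
        buildPrincipalRoleMap(securityConfig, roleDesignates,
                principalRoleMap);

        // --- JACC permissions ------------------------------------------------
        // Nothing is unchecked; the login page itself is in the excluded set.
        PermissionCollection uncheckedPermissions = new Permissions();

        PermissionCollection excludedPermissions = new Permissions();
        excludedPermissions.add(new WebResourcePermission(
                "/auth/login.html", ""));
        excludedPermissions.add(new WebUserDataPermission(
                "/auth/login.html", ""));

        // /protected/* is granted to two roles. Only content-administrator
        // has a principal mapping in this configuration, so auto-administrator
        // is unreachable here.
        Map rolePermissions = new HashMap();
        PermissionCollection permissions = new Permissions();
        permissions.add(new WebUserDataPermission("/protected/*", ""));
        permissions.add(new WebResourcePermission("/protected/*", ""));
        rolePermissions.put("content-administrator", permissions);
        rolePermissions.put("auto-administrator", permissions);

        ComponentPermissions componentPermissions = new ComponentPermissions(
                excludedPermissions, uncheckedPermissions, rolePermissions);

        startWebApp(roleDesignates, principalRoleMap, componentPermissions,
                defaultSubjectInfo, permissions);

        // --- alan: anonymous request is answered with the login page --------
        HttpURLConnection connection = openGet("/test/protected/hello.txt",
                null);
        assertEquals(HttpURLConnection.HTTP_OK, connection.getResponseCode());
        assertEquals("<!-- Login Page -->", readFirstLine(connection));
        String cookie = sessionCookie(connection);

        // Submit the form credentials for the session; success is a 302
        // (the Location header is not checked here).
        connection = postLogin(cookie,
                connector.getConnectUrl() + "/test/auth/logon.html?param=test",
                "alan", "starcraft");
        assertEquals(HttpURLConnection.HTTP_MOVED_TEMP,
                connection.getResponseCode());

        // The authenticated session may now read the protected resource.
        connection = openGet("/test/protected/hello.txt", cookie);
        assertEquals(HttpURLConnection.HTTP_OK, connection.getResponseCode());
        assertEquals("Hello World", readFirstLine(connection));
        connection.disconnect();

        // --- izumi: authenticates, but holds no role granting /protected/* --
        connection = openGet("/test/protected/hello.txt", null);
        assertEquals(HttpURLConnection.HTTP_OK, connection.getResponseCode());
        assertEquals("<!-- Login Page -->", readFirstLine(connection));
        cookie = sessionCookie(connection);

        connection = postLogin(cookie, null, "izumi", "violin");
        assertEquals(HttpURLConnection.HTTP_MOVED_TEMP,
                connection.getResponseCode());

        // Authentication succeeded, authorization must not: 403 and no body.
        connection = openGet("/test/protected/hello.txt", cookie);
        assertEquals(HttpURLConnection.HTTP_FORBIDDEN,
                connection.getResponseCode());
        try {
            connection.getInputStream();
            fail("Should throw an IOException for HTTP 403 response");
        } catch (IOException expected) {
            // HttpURLConnection surfaces 4xx from getInputStream(); the
            // protected body must not have been served.
        }
        connection.disconnect();

        stopWebApp();
    }

    /**
     * Opens a GET against {@code path} under the test connector, never
     * following redirects so status codes can be asserted directly.
     *
     * @param path   request path, including the context root
     * @param cookie {@code name=value} session cookie to send, or
     *               {@code null} for an anonymous request
     * @return the unconnected connection; callers read the status/body
     * @throws IOException if the connection cannot be opened
     */
    private HttpURLConnection openGet(String path, String cookie)
            throws IOException {
        HttpURLConnection connection = (HttpURLConnection) new URL(
                connector.getConnectUrl() + path).openConnection();
        if (cookie != null) {
            connection.setRequestProperty("Cookie", cookie);
        }
        connection.setInstanceFollowRedirects(false);
        return connection;
    }

    /**
     * Submits the form-login credentials to {@code j_security_check}.
     * <p>
     * The credentials travel in the form-encoded POST body, as a browser
     * sends them, rather than in the URL query string: query strings end up
     * in access logs, proxy logs and Referer headers, and the container reads
     * form parameters from either place.
     *
     * @param cookie   session cookie obtained from the login-page response
     * @param referer  Referer header to send, or {@code null} for none
     * @param username value of {@code j_username}
     * @param password value of {@code j_password}
     * @return the connection after the body has been written
     * @throws IOException on connection or write failure
     */
    private HttpURLConnection postLogin(String cookie, String referer,
            String username, String password) throws IOException {
        HttpURLConnection connection = (HttpURLConnection) new URL(
                connector.getConnectUrl()
                        + "/test/protected/j_security_check").openConnection();
        connection.setRequestMethod("POST");
        connection.setDoOutput(true);
        connection.setInstanceFollowRedirects(false);
        connection.setRequestProperty("Content-Type",
                "application/x-www-form-urlencoded");
        if (referer != null) {
            connection.setRequestProperty("Referer", referer);
        }
        connection.setRequestProperty("Cookie", cookie);

        byte[] form = ("j_username=" + URLEncoder.encode(username, "UTF-8")
                + "&j_password=" + URLEncoder.encode(password, "UTF-8"))
                .getBytes("UTF-8");
        OutputStream out = connection.getOutputStream();
        try {
            out.write(form);
        } finally {
            out.close();
        }
        return connection;
    }

    /**
     * Extracts the {@code name=value} pair of the session cookie from a
     * response, dropping the cookie attributes ({@code Path}, etc.) that
     * follow the first {@code ';'}.
     * <p>
     * Fails the test with a clear message if no cookie was set, instead of
     * the NullPointerException a bare {@code substring} would raise; a
     * header without attributes is returned whole.
     *
     * @param connection a response that should carry {@code Set-Cookie}
     * @return the cookie pair suitable for a {@code Cookie} request header
     */
    private static String sessionCookie(HttpURLConnection connection) {
        // getHeaderField returns a single value; if the server sets several
        // cookies only one is seen here - presumably the session cookie.
        String header = connection.getHeaderField("Set-Cookie");
        assertNotNull("expected a Set-Cookie header on the login-page response",
                header);
        int attributes = header.indexOf(';');
        return attributes < 0 ? header : header.substring(0, attributes);
    }

    /**
     * Reads and returns the first line of the response body, closing the
     * stream afterwards.
     *
     * @param connection a response with a readable body
     * @return the first line, or {@code null} for an empty body
     * @throws IOException on read failure, including 4xx/5xx responses
     */
    private static String readFirstLine(HttpURLConnection connection)
            throws IOException {
        // The lines compared by this test are ASCII, so a fixed charset is
        // safe and removes the platform-default dependency.
        BufferedReader reader = new BufferedReader(new InputStreamReader(
                connection.getInputStream(), "UTF-8"));
        try {
            return reader.readLine();
        } finally {
            reader.close();
        }
    }

    /**
     * Deploys the secured test web application.
     *
     * @param roleDesignates       role designate map passed through to the
     *                             context setup
     * @param principalRoleMap     principal to role-name map (see
     *                             {@link #buildPrincipalRoleMap})
     * @param componentPermissions the JACC excluded/unchecked/role permissions
     * @param defaultPrincipal     accepted but not installed on the holder
     *                             (see the note in the body)
     * @param checked              not used by this deployment
     * @return the started context
     * @throws Exception if deployment fails
     */
    protected TomcatWebAppContext startWebApp(Map roleDesignates,
            Map principalRoleMap, ComponentPermissions componentPermissions,
            SubjectInfo defaultPrincipal, PermissionCollection checked)
            throws Exception {

        SecurityHolder securityHolder = new SecurityHolder();
        securityHolder.setSecurity(true);
        securityHolder.setPolicyContextID(POLICY_CONTEXT_ID);
        // NOTE(review): defaultPrincipal is deliberately not applied
        // (no setDefaultSubject call); confirm the test intends to run
        // without a default subject.
        // securityRealmName here is the inherited field, not the
        // identically named local in testExplicitMapping() - presumably the
        // same realm; verify.
        securityHolder.setSecurityRealm(securityRealmName);
        CredentialStore credentialStore = null;
        return setUpSecureAppContext(roleDesignates, principalRoleMap,
                componentPermissions, null, securityHolder, credentialStore);
    }

    /**
     * Intentionally a no-op; cleanup is left to {@link #tearDown()} and the
     * superclass.
     *
     * @throws Exception never thrown by this implementation
     */
    protected void stopWebApp() throws Exception {
    }

    /**
     * Builds the principal to role-name map for the given security
     * configuration by inverting the role to principal map produced by
     * {@link GeronimoSecurityBuilderImpl#buildRolePrincipalMap}.
     * <p>
     * NOTE(review): despite the declared type, {@code principalRoleMap} is
     * filled with {@code Principal} keys and {@code Set<String>} values;
     * the signature is kept for compatibility. {@code roleDesignates} is not
     * used.
     *
     * @param security         the deployment security configuration
     * @param roleDesignates   unused
     * @param principalRoleMap target map to fill (Principal to role names)
     */
    public void buildPrincipalRoleMap(Security security,
            Map<String, SubjectInfo> roleDesignates,
            Map<String, Set<Principal>> principalRoleMap) {
        // Raw Map: the builder's parameter type is not visible from here.
        Map roleToPrincipalMap = new HashMap();
        GeronimoSecurityBuilderImpl.buildRolePrincipalMap(security,
                roleToPrincipalMap, getClass().getClassLoader());
        invertMap(roleToPrincipalMap, principalRoleMap);
    }

    /**
     * Inverts a role to principals map into a principal to role-names map.
     *
     * @param roleToPrincipalMap   role name to the principals mapped onto it
     * @param principalRoleMapping target map, filled with {@code Principal}
     *                             keys and {@code Set<String>} role-name
     *                             values; existing role sets are extended
     * @return {@code principalRoleMapping}, for chaining
     */
    @SuppressWarnings("unchecked")
    private static Map invertMap(
            Map<String, Set<Principal>> roleToPrincipalMap,
            Map principalRoleMapping) {
        for (Map.Entry<String, Set<Principal>> entry : roleToPrincipalMap
                .entrySet()) {
            String role = entry.getKey();
            for (Principal principal : entry.getValue()) {
                Set<String> roles = (Set<String>) principalRoleMapping
                        .get(principal);
                if (roles == null) {
                    roles = new HashSet<String>();
                    principalRoleMapping.put(principal, roles);
                }
                roles.add(role);
            }
        }
        return principalRoleMapping;
    }

    /**
     * Initialises the Tomcat container with the Geronimo realm and the
     * security fixtures before each test.
     */
    protected void setUp() throws Exception {
        super.setUp();
        super.init("org.apache.geronimo.tomcat.realm.TomcatGeronimoRealm");
        setUpSecurity();
    }

    /** Tears down the security fixtures, then the container. */
    protected void tearDown() throws Exception {
        tearDownSecurity();
        super.tearDown();
    }

}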
|