001: /*
002: * Licensed to the Apache Software Foundation (ASF) under one or more
003: * contributor license agreements. See the NOTICE file distributed with
004: * this work for additional information regarding copyright ownership.
005: * The ASF licenses this file to You under the Apache License, Version 2.0
006: * (the "License"); you may not use this file except in compliance with
007: * the License. You may obtain a copy of the License at
008: *
009: * http://www.apache.org/licenses/LICENSE-2.0
010: *
011: * Unless required by applicable law or agreed to in writing, software
012: * distributed under the License is distributed on an "AS IS" BASIS,
013: * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
014: * See the License for the specific language governing permissions and
015: * limitations under the License.
016: */
017: package org.apache.jetspeed.security;
018:
019: import java.security.AccessControlException;
020: import java.security.AccessController;
021: import java.security.Policy;
022: import java.security.PrivilegedAction;
023:
024: import javax.security.auth.login.LoginContext;
025: import javax.security.auth.login.LoginException;
026:
027: import junit.framework.Test;
028: import junit.framework.TestSuite;
029:
030: import org.apache.jetspeed.security.impl.PassiveCallbackHandler;
031: import org.apache.jetspeed.security.impl.UserPrincipalImpl;
032: import org.apache.jetspeed.security.util.test.AbstractSecurityTestcase;
033:
034: /**
035: * @author <a href="mailto:dlestrat@apache.org">David Le Strat</a>
036: */
037: public class TestRdbmsPolicy extends AbstractSecurityTestcase {
038: /**
039: * <p>
040: * The JAAS login context.
041: * </p>
042: */
043: private LoginContext loginContext = null;
044:
045: /**
046: * @see junit.framework.TestCase#setUp()
047: */
048: public void setUp() throws Exception {
049: super .setUp();
050: initUser();
051:
052: // Let's login in.
053: try {
054: System.out
055: .println("\t\t[TestRdbmsPolicy] Creating login context.");
056: PassiveCallbackHandler pch = new PassiveCallbackHandler(
057: "anon", "password");
058: loginContext = new LoginContext("Jetspeed", pch);
059: loginContext.login();
060: } catch (LoginException le) {
061: le.printStackTrace();
062: assertTrue("\t\t[TestRdbmsPolicy] Failed to setup test.",
063: false);
064: }
065:
066: }
067:
068: /**
069: * @see junit.framework.TestCase#tearDown()
070: */
071: public void tearDown() throws Exception {
072:
073: // Logout.
074: try {
075: loginContext.logout();
076: } catch (LoginException le) {
077: le.printStackTrace();
078: assertTrue(
079: "\t\t[TestRdbmsPolicy] Failed to tear down test.",
080: false);
081: }
082: destroyUser();
083: super .tearDown();
084: }
085:
086: public static Test suite() {
087: // All methods starting with "test" will be executed in the test suite.
088: return new TestSuite(TestRdbmsPolicy.class);
089: }
090:
091: /**
092: * <p>
093: * Executing this test requires adding an entry to java.policy.
094: * </p>
095: * <p>
096: * A possible entry would be to grant for all principals:
097: * </p>
098: *
099: * <pre><code>
100: * grant
101: * {
102: * permission org.apache.jetspeed.security.auth.PortletPermission "myportlet", "view";
103: * }
104: * </code></pre>
105: *
106: * <p>
107: * Such an entry would also test the Rdbms defaulting behavior if no entry is provided in the
108: * database for the tested Subject InternalUserPrincipal.
109: * </p>
110: */
111: /*public void testPermissionWithSubjectInContructor()
112: {
113: // InternalPermission should be granted.
114: PortletPermission perm1 = new PortletPermission("myportlet", "view", loginContext.getSubject());
115: try
116: {
117: AccessController.checkPermission(perm1);
118: }
119: catch (AccessControlException ace)
120: {
121: assertTrue("did not authorize view permission on the portlet.", false);
122: }
123:
124: // InternalPermission should be denied.
125: PortletPermission perm2 = new PortletPermission("myportlet", "edit", loginContext.getSubject());
126: try
127: {
128: AccessController.checkPermission(perm2);
129: assertTrue("did not deny edit permission on the portlet.", false);
130: }
131: catch (AccessControlException ace)
132: {
133: }
134:
135: // Subject is omitted. InternalPermission should be denied.
136: PortletPermission perm3 = new PortletPermission("myportlet", "view");
137: try
138: {
139: AccessController.checkPermission(perm3);
140: // assertTrue("did not deny permission with no subject passed.", false);
141: }
142: catch (AccessControlException ace)
143: {
144: }
145: }*/
146:
147: /**
148: * <p>
149: * Test the policy with the default spring setting where the default underlying policy is not
150: * applied.
151: * </p>
152: */
153: public void testPermissionWithSubjectInAccessControlContext() {
154:
155: // InternalPermission should be granted.
156: try {
157: JSSubject.doAsPrivileged(loginContext.getSubject(),
158: new PrivilegedAction() {
159: public Object run() {
160: PortletPermission perm1 = new PortletPermission(
161: "myportlet", "view");
162: System.out
163: .println("\t\t[TestRdbmsPolicy] Check access control for permission: [myportlet, view]");
164: System.out
165: .println("\t\t with policy: "
166: + Policy.getPolicy()
167: .getClass()
168: .getName());
169: AccessController.checkPermission(perm1);
170: return null;
171: }
172: }, null);
173: } catch (AccessControlException ace) {
174: assertTrue(
175: "did not authorize view permission on the portlet.",
176: false);
177: }
178:
179: // Should be denied.
180: try {
181: JSSubject.doAsPrivileged(loginContext.getSubject(),
182: new PrivilegedAction() {
183: public Object run() {
184: PortletPermission perm2 = new PortletPermission(
185: "myportlet", "secure");
186: System.out
187: .println("\t\t[TestRdbmsPolicy] Check access control for permission: [myportlet, secure]");
188: System.out
189: .println("\t\t with policy: "
190: + Policy.getPolicy()
191: .getClass()
192: .getName());
193: AccessController.checkPermission(perm2);
194: return null;
195: }
196: }, null);
197: assertTrue(
198: "did not deny secure permission on the portlet.",
199: false);
200: } catch (AccessControlException ace) {
201: }
202: }
203:
204: /**
205: * <p>
206: * Test the policy with the default policy being evaluated as well.
207: * </p>
208: */
209: public void testPermissionWithSubjectInAccessControlContextAndDefaultPolicy() {
210: System.out
211: .println("\n\n\t\t[TestRdbmsPolicy] Test with default Policy enabled.");
212: AuthorizationProvider atzProvider = (AuthorizationProvider) ctx
213: .getBean("org.apache.jetspeed.security.AuthorizationProvider");
214: atzProvider.useDefaultPolicy(true);
215: testPermissionWithSubjectInAccessControlContext();
216: }
217:
218: /**
219: * <p>
220: * Initialize user test object.
221: * </p>
222: */
223: protected void initUser() {
224: try {
225: ums.addUser("anon", "password");
226: } catch (SecurityException sex) {
227: }
228: UserPrincipal user = new UserPrincipalImpl("anon");
229: PortletPermission perm1 = new PortletPermission("myportlet",
230: "view");
231: PortletPermission perm2 = new PortletPermission("myportlet",
232: "view, edit");
233: try {
234: pms.addPermission(perm1);
235: pms.addPermission(perm2);
236:
237: pms.grantPermission(user, perm1);
238: pms.grantPermission(user, perm2);
239: } catch (SecurityException sex) {
240: sex.printStackTrace();
241: }
242: }
243:
244: /**
245: * <p>
246: * Destroy user test object.
247: * </p>
248: */
249: protected void destroyUser() throws Exception {
250: ums.removeUser("anon");
251: // Remove permissions.
252: PortletPermission perm1 = new PortletPermission("myportlet",
253: "view");
254: PortletPermission perm2 = new PortletPermission("myportlet",
255: "view, edit");
256: pms.removePermission(perm1);
257: pms.removePermission(perm2);
258: }
259:
260: }
|