001: /*
002: * JBoss, Home of Professional Open Source.
003: * Copyright 2006, Red Hat Middleware LLC, and individual contributors
004: * as indicated by the @author tags. See the copyright.txt file in the
005: * distribution for a full listing of individual contributors.
006: *
007: * This is free software; you can redistribute it and/or modify it
008: * under the terms of the GNU Lesser General Public License as
009: * published by the Free Software Foundation; either version 2.1 of
010: * the License, or (at your option) any later version.
011: *
012: * This software is distributed in the hope that it will be useful,
013: * but WITHOUT ANY WARRANTY; without even the implied warranty of
014: * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
015: * Lesser General Public License for more details.
016: *
017: * You should have received a copy of the GNU Lesser General Public
018: * License along with this software; if not, write to the Free
019: * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
020: * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
021: */
022: package org.jboss.test.web.security;
023:
024: import java.net.HttpURLConnection;
025:
026: import junit.framework.Test;
027: import junit.framework.TestSuite;
028:
029: import org.apache.commons.httpclient.Cookie;
030: import org.apache.commons.httpclient.Header;
031: import org.apache.commons.httpclient.HttpClient;
032: import org.apache.commons.httpclient.HttpState;
033: import org.apache.commons.httpclient.methods.GetMethod;
034: import org.apache.commons.httpclient.methods.PostMethod;
035: import org.jboss.test.JBossTestCase;
036: import org.jboss.test.JBossTestSetup;
037:
038: //$Id$
039:
040: /**
041: * JBAS-2283: Custom Header based authentication
042: * @author <a href="mailto:Anil.Saldhana@jboss.org">Anil Saldhana</a>
043: * @since Sep 11, 2006
044: * @version $Revision$
045: */
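public class CustomHeaderAuthTestCase extends JBossTestCase
{
   /** Archive deployed for the lifetime of the suite (see {@link #suite()}). */
   private static final String DEPLOYMENT = "header-form-auth.ear";

   /** Context root of the web application under test, with trailing slash. */
   private static final String CONTEXT = "header-form-auth/";

   /** Response header the test web app sets when authentication blew up with an exception. */
   private static final String JEXCEPTION_HEADER = "X-JException";

   /** Base URL of the server, e.g. {@code http://localhost:8080/}; port comes from {@code web.port}. */
   private String baseURLNoAuth = "http://" + getServerHost() + ":"
         + Integer.getInteger("web.port", 8080) + "/";

   /** Shared client; its {@link HttpState} carries cookies between requests of one test method. */
   private HttpClient httpConn = new HttpClient();

   /** Path (relative to the base URL) of the servlet protected by the web.xml security constraint. */
   private String path = CONTEXT + "restricted/SecuredServlet";

   public CustomHeaderAuthTestCase(String name)
   {
      super(name);
   }

   /**
    * Ensure that in the absence of custom headers the container falls back
    * to regular FORM based authentication.
    * @throws Exception on any HTTP or assertion failure
    */
   public void testRegularFormAuth() throws Exception
   {
      doSecureGetWithLogin(path, "jduke", "theduke");
   }

   /**
    * Test use cases where the user id is sent via a request header and the
    * SSO session cookie is used as the password. To simplify testing the
    * cookie value is the plain password; a real deployment needs a login
    * module that validates the (username, session key) pair against the
    * SSO product.
    * <p>
    * Each use case runs against a fresh {@link HttpState}, so a JSESSIONID
    * established by an earlier use case cannot satisfy a later one.
    * @throws Exception on any HTTP or assertion failure
    */
   public void testCustomHeaderBaseAuth() throws Exception
   {
      String serverHost = getServerHost();
      // SiteMinder use case
      performCustomAuth("sm_ssoid", new Cookie(serverHost,
            "SMSESSION", "theduke", "/", null, false), "SiteMinder");

      // ClearTrust use case
      performCustomAuth("ct-remote-user", new Cookie(serverHost,
            "CTSESSION", "theduke", "/", null, false), "Cleartrust");

      // Oblix use case
      performCustomAuth("HTTP_OBLIX_UID", new Cookie(serverHost,
            "ObSSOCookie", "theduke", "/", null, false), "Oblix");
   }

   /**
    * Request the secured servlet with the given identity header and SSO cookie
    * and assert that the container served it directly (HTTP 200, no
    * {@code X-JException} header) instead of redirecting to the login form.
    * @param headerId name of the request header carrying the user id
    * @param cookie SSO session cookie acting as the credential
    * @param usecase label used in log output only
    * @throws Exception on any HTTP or assertion failure
    */
   private void performCustomAuth(String headerId, Cookie cookie, String usecase) throws Exception
   {
      // Start from an empty cookie jar: cookies and the JSESSIONID left behind by
      // the previous use case must not be what authenticates this request.
      HttpState state = new HttpState();
      state.addCookie(cookie);
      httpConn.setState(state);

      GetMethod indexGet = new GetMethod(baseURLNoAuth + path);
      indexGet.addRequestHeader(headerId, "jduke");
      try
      {
         int responseCode = httpConn.executeMethod(indexGet);
         log.debug("Response from " + usecase + " case:" + indexGet.getStatusText());
         Header jex = indexGet.getResponseHeader(JEXCEPTION_HEADER);
         log.debug("Saw X-JException, " + jex);
         assertNull("X-JException == null", jex);
         assertTrue("Get OK(" + responseCode + ")", responseCode == HttpURLConnection.HTTP_OK);
      }
      finally
      {
         // Hand the pooled connection back even when an assertion fails.
         indexGet.releaseConnection();
      }
   }

   /**
    * Walk through the FORM login: GET the protected resource, expect the login
    * page, POST the credentials to {@code j_security_check}, then follow the
    * redirect and verify the protected resource is now served.
    * @param path path of the protected resource, relative to the base URL
    * @param username value for {@code j_username}
    * @param password value for {@code j_password}
    * @return the completed login POST, for callers that want to inspect it
    * @throws Exception on any HTTP or assertion failure
    */
   private PostMethod doSecureGetWithLogin(String path, String username, String password)
         throws Exception
   {
      // 1. Unauthenticated GET must be answered with the login page.
      GetMethod indexGet = new GetMethod(baseURLNoAuth + path);
      int responseCode = httpConn.executeMethod(indexGet);
      String body = indexGet.getResponseBodyAsString();
      indexGet.releaseConnection();
      assertTrue("Get OK(" + responseCode + ")", responseCode == HttpURLConnection.HTTP_OK);
      assertTrue("Redirected to login page", body.indexOf("j_security_check") >= 0);

      // The container has started a session; log its id for debugging.
      HttpState state = httpConn.getState();
      Cookie[] cookies = state.getCookies();
      String sessionID = null;
      for (int c = 0; c < cookies.length; c++)
      {
         Cookie k = cookies[c];
         if (k.getName().equalsIgnoreCase("JSESSIONID"))
         {
            sessionID = k.getValue();
         }
      }
      getLog().debug("Saw JSESSIONID=" + sessionID);

      // 2. Submit the login form; the container answers with a redirect.
      PostMethod formPost = new PostMethod(baseURLNoAuth + CONTEXT + "j_security_check");
      formPost.addRequestHeader("Referer", baseURLNoAuth + CONTEXT + "restricted/login.html");
      formPost.addParameter("j_username", username);
      formPost.addParameter("j_password", password);
      responseCode = httpConn.executeMethod(formPost.getHostConfiguration(), formPost, state);
      log.debug("responseCode=" + responseCode + ", response=" + formPost.getStatusText());
      assertTrue("Saw HTTP_MOVED_TEMP", responseCode == HttpURLConnection.HTTP_MOVED_TEMP);

      // 3. Follow the redirect to the secured servlet; a missing Location header
      //    is reported as an assertion failure rather than a NullPointerException.
      Header location = formPost.getResponseHeader("Location");
      formPost.releaseConnection();
      assertNotNull("Location header present on login redirect", location);
      String indexURI = location.getValue();
      GetMethod war1Index = new GetMethod(indexURI);
      responseCode = httpConn.executeMethod(war1Index.getHostConfiguration(), war1Index, state);
      log.debug("responseCode=" + responseCode + ", response=" + war1Index.getStatusText());
      assertTrue("Get OK", responseCode == HttpURLConnection.HTTP_OK);
      body = war1Index.getResponseBodyAsString();
      war1Index.releaseConnection();
      if (body.indexOf("j_security_check") >= 0)
      {
         fail("get of " + indexURI + " redirected to login page");
      }
      return formPost;
   }

   /**
    * One time setup for all CustomHeaderAuthTestCase tests: deploy the test
    * application and flush the authentication cache so no stale principal
    * survives from an earlier run.
    * @return the wrapped suite
    * @throws Exception if the suite cannot be built
    */
   public static Test suite() throws Exception
   {
      TestSuite suite = new TestSuite();
      suite.addTest(new TestSuite(CustomHeaderAuthTestCase.class));

      // Create an initializer for the test suite
      Test wrapper = new JBossTestSetup(suite)
      {
         protected void setUp() throws Exception
         {
            super.setUp();
            deploy(DEPLOYMENT);
            // Make sure the security cache is clear
            flushAuthCache();
         }

         protected void tearDown() throws Exception
         {
            undeploy(DEPLOYMENT);
            super.tearDown();
         }
      };
      return wrapper;
   }
}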