001: /*
002: * JBoss, Home of Professional Open Source.
003: * Copyright 2006, Red Hat Middleware LLC, and individual contributors
004: * as indicated by the @author tags. See the copyright.txt file in the
005: * distribution for a full listing of individual contributors.
006: *
007: * This is free software; you can redistribute it and/or modify it
008: * under the terms of the GNU Lesser General Public License as
009: * published by the Free Software Foundation; either version 2.1 of
010: * the License, or (at your option) any later version.
011: *
012: * This software is distributed in the hope that it will be useful,
013: * but WITHOUT ANY WARRANTY; without even the implied warranty of
014: * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
015: * Lesser General Public License for more details.
016: *
017: * You should have received a copy of the GNU Lesser General Public
018: * License along with this software; if not, write to the Free
019: * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
020: * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
021: */
022: package org.jboss.test.web.security.jacc;
023:
024: import java.security.Policy;
025: import java.security.ProtectionDomain;
026: import java.util.ArrayList;
027: import java.util.List;
028: import javax.security.jacc.PolicyConfiguration;
029: import javax.security.jacc.PolicyContext;
030: import javax.security.jacc.WebResourcePermission;
031: import javax.security.jacc.WebUserDataPermission;
032:
033: import junit.framework.TestCase;
034: import org.jboss.metadata.WebMetaData;
035: import org.jboss.metadata.WebSecurityMetaData;
036: import org.jboss.security.SimplePrincipal;
037: import org.jboss.security.jacc.DelegatingPolicy;
038: import org.jboss.security.jacc.JBossPolicyConfigurationFactory;
039: import org.jboss.web.WebPermissionMapping;
040:
041: /**
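042: * Tests the JACC permissions that WebPermissionMapping creates for web security constraints with overlapping (qualified) URL patterns.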
043: * @author Scott.Stark@jboss.org
044: * @version $Revision: 57206 $
045: */
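public class QualifiedPatternUnitTestCase extends TestCase {
    /** Policy configuration populated from the test security constraints. */
    private PolicyConfiguration pc;

    /** JVM-wide policy that was installed before setUp replaced it. */
    private Policy previousPolicy;

    /** JACC context id that was active on this thread before setUp changed it. */
    private String previousContextID;

    /**
     * Checks which web permissions the installed policy grants for the
     * constraints registered by {@link #addSC1(List)} and
     * {@link #addSC2(List)}.
     *
     * @throws Exception if a permission cannot be constructed or evaluated
     */
    public void testUnchecked() throws Exception {
        Policy p = Policy.getPolicy();

        // No caller principals: the exact pattern /a is expected to be
        // reachable for GET and POST (sc1.c1 only lists DELETE and PUT).
        SimplePrincipal[] caller = null;
        ProtectionDomain pd = new ProtectionDomain(null, null, null, caller);

        WebResourcePermission wrp = new WebResourcePermission("/a", "GET");
        assertTrue("/a GET", p.implies(pd, wrp));
        wrp = new WebResourcePermission("/a", "POST");
        assertTrue("/a POST", p.implies(pd, wrp));

        // Caller in role R1, the only role named by the second constraint.
        caller = new SimplePrincipal[] { new SimplePrincipal("R1") };
        pd = new ProtectionDomain(null, null, null, caller);
        wrp = new WebResourcePermission("/a/x", "GET");
        assertTrue("/a/x GET", p.implies(pd, wrp));
        wrp = new WebResourcePermission("/a/x", "POST");
        assertTrue("/a/x POST", p.implies(pd, wrp));
        wrp = new WebResourcePermission("/b/x", "GET");
        assertTrue("/b/x GET", p.implies(pd, wrp));
        wrp = new WebResourcePermission("/b/x", "POST");
        assertTrue("/b/x POST", p.implies(pd, wrp));
        // DELETE on /b/* is listed by the excluded constraint sc1.c1, so it
        // must be denied even for a caller that holds R1.
        wrp = new WebResourcePermission("/b/x", "DELETE");
        assertFalse("/b/x DELETE", p.implies(pd, wrp));

        // sc1.c2 excludes *.asp, yet /a/x.asp is expected to be granted here.
        // NOTE(review): presumably the /a/* pattern takes precedence over the
        // extension pattern for this path - confirm against the mapping.
        wrp = new WebResourcePermission("/a/x.asp", "GET");
        assertTrue("/a/x.asp GET", p.implies(pd, wrp));
        wrp = new WebResourcePermission("/a/x.asp", "POST");
        assertTrue("/a/x.asp POST", p.implies(pd, wrp));

        WebUserDataPermission wudp = new WebUserDataPermission("/a/*:/a",
                "GET:CONFIDENTIAL");
        assertTrue("/a/*:/a GET:CONFIDENTIAL", p.implies(pd, wudp));
        // This check used to rebuild the /a/*:/a GET permission while its
        // message named /b/*:/b GET,POST, so the transport guarantee on /b/*
        // was never exercised. It now builds the permission the message names.
        wudp = new WebUserDataPermission("/b/*:/b", "GET,POST:CONFIDENTIAL");
        assertTrue("/b/*:/b GET,POST:CONFIDENTIAL", p.implies(pd, wudp));
    }

    /**
     * Installs a DelegatingPolicy, maps the two test security constraints
     * into a committed policy configuration and selects its context id.
     * The previous policy and context id are remembered for tearDown.
     *
     * @throws Exception if the policy configuration cannot be created
     */
    protected void setUp() throws Exception {
        // Policy.setPolicy and the context id outlive this test, so capture
        // the current values before replacing them.
        previousPolicy = Policy.getPolicy();
        previousContextID = PolicyContext.getContextID();

        WebMetaData metaData = new WebMetaData();
        ArrayList securityConstraints = new ArrayList();
        addSC1(securityConstraints);
        addSC2(securityConstraints);
        metaData.setSecurityConstraints(securityConstraints);

        DelegatingPolicy policy = new DelegatingPolicy();
        Policy.setPolicy(policy);
        JBossPolicyConfigurationFactory pcf = new JBossPolicyConfigurationFactory();
        pc = pcf.getPolicyConfiguration("QualifiedPatternUnitTestCase", true);
        WebPermissionMapping.createPermissions(metaData, pc);
        pc.commit();
        System.out.println(policy.listContextPolicies());
        PolicyContext.setContextID("QualifiedPatternUnitTestCase");
    }

    /**
     * Restores the policy and JACC context id that were active before setUp,
     * so the test policy does not stay installed for later tests in the
     * same JVM.
     *
     * @throws Exception if the superclass tear-down fails
     */
    protected void tearDown() throws Exception {
        try {
            PolicyContext.setContextID(previousContextID);
            Policy.setPolicy(previousPolicy);
        } finally {
            super.tearDown();
        }
    }

    /*
     * Builds the excluded constraint (empty auth-constraint):
     *
     <security-constraint>
     <web-resource-collection>
     <web-resource-name>sc1.c1</web-resource-name>
     <url-pattern>/a/*</url-pattern>
     <url-pattern>/b/*</url-pattern>
     <url-pattern>/a</url-pattern>
     <url-pattern>/b</url-pattern>
     <http-method>DELETE</http-method>
     <http-method>PUT</http-method>
     </web-resource-collection>
     <web-resource-collection>
     <web-resource-name>sc1.c2</web-resource-name>
     <url-pattern>*.asp</url-pattern>
     </web-resource-collection>
     <auth-constraint/>
     </security-constraint>
     */
    private void addSC1(List securityConstraints) {
        WebSecurityMetaData wsmd = new WebSecurityMetaData();
        securityConstraints.add(wsmd);
        // web-resource-collection/web-resource-name = sc1.c1
        WebSecurityMetaData.WebResourceCollection wrc = wsmd
                .addWebResource("sc1.c1");
        wrc.addPattern("/a/*");
        wrc.addPattern("/b/*");
        wrc.addPattern("/a");
        wrc.addPattern("/b");
        wrc.addHttpMethod("DELETE");
        wrc.addHttpMethod("PUT");

        // web-resource-collection/web-resource-name = sc1.c2 (no methods listed)
        wrc = wsmd.addWebResource("sc1.c2");
        wrc.addPattern("*.asp");

        // Corresponds to the empty <auth-constraint/> element above.
        wsmd.setExcluded(true);
    }

    /*
     * Builds the constraint that requires role R1 and a CONFIDENTIAL transport:
     *
     <security-constraint>
     <web-resource-collection>
     <web-resource-name>sc2.c1</web-resource-name>
     <url-pattern>/a/*</url-pattern>
     <url-pattern>/b/*</url-pattern>
     <http-method>GET</http-method>
     </web-resource-collection>
     <web-resource-collection>
     <web-resource-name>sc2.c2</web-resource-name>
     <url-pattern>/b/*</url-pattern>
     <http-method>POST</http-method>
     </web-resource-collection>
     <auth-constraint>
     <role-name>R1</role-name>
     </auth-constraint>
     <user-data-constraint>
     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
     </user-data-constraint>
     </security-constraint>
     */
    private void addSC2(List securityConstraints) {
        WebSecurityMetaData wsmd = new WebSecurityMetaData();
        securityConstraints.add(wsmd);
        // web-resource-collection/web-resource-name = sc2.c1
        WebSecurityMetaData.WebResourceCollection wrc = wsmd
                .addWebResource("sc2.c1");
        wrc.addPattern("/a/*");
        wrc.addPattern("/b/*");
        wrc.addHttpMethod("GET");

        // web-resource-collection/web-resource-name = sc2.c2
        wrc = wsmd.addWebResource("sc2.c2");
        wrc.addPattern("/b/*");
        wrc.addHttpMethod("POST");

        wsmd.addRole("R1");
        wsmd.setTransportGuarantee("CONFIDENTIAL");
    }
}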