001: /*
002: * JBoss, Home of Professional Open Source.
003: * Copyright 2006, Red Hat Middleware LLC, and individual contributors
004: * as indicated by the @author tags. See the copyright.txt file in the
005: * distribution for a full listing of individual contributors.
006: *
007: * This is free software; you can redistribute it and/or modify it
008: * under the terms of the GNU Lesser General Public License as
009: * published by the Free Software Foundation; either version 2.1 of
010: * the License, or (at your option) any later version.
011: *
012: * This software is distributed in the hope that it will be useful,
013: * but WITHOUT ANY WARRANTY; without even the implied warranty of
014: * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
015: * Lesser General Public License for more details.
016: *
017: * You should have received a copy of the GNU Lesser General Public
018: * License along with this software; if not, write to the Free
019: * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
020: * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
021: */
022: package org.jboss.test.web.security.jacc;
023:
024: import java.security.Policy;
025: import java.security.ProtectionDomain;
026: import java.util.ArrayList;
027: import java.util.List;
028: import javax.security.jacc.PolicyConfiguration;
029: import javax.security.jacc.PolicyContext;
030: import javax.security.jacc.WebResourcePermission;
031:
032: import junit.framework.TestCase;
033: import org.jboss.metadata.WebMetaData;
034: import org.jboss.metadata.WebSecurityMetaData;
035: import org.jboss.security.SimplePrincipal;
036: import org.jboss.security.jacc.DelegatingPolicy;
037: import org.jboss.security.jacc.JBossPolicyConfigurationFactory;
038: import org.jboss.web.WebPermissionMapping;
039:
040: /** Test of the unchecked permission
041:
042: <?xml version="1.0" encoding="UTF-8"?>
043: <web-app version="2.4"
044: xmlns="http://java.sun.com/xml/ns/j2ee"
045: xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
046: xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
047: http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
048:
049: <description>Tests of various security-constraints</description>
050:
051: <servlet>
052: <servlet-name>ConstraintsServlet</servlet-name>
053: <servlet-class>org.jboss.test.security.servlets.ConstraintsServlet</servlet-class>
054: </servlet>
055:
056: <servlet-mapping>
057: <servlet-name>ConstraintsServlet</servlet-name>
058: <url-pattern>/*</url-pattern>
059: </servlet-mapping>
060:
061: <security-constraint>
062: <web-resource-collection>
063: <web-resource-name>Excluded</web-resource-name>
064: <url-pattern>/restricted/post-only/excluded/*</url-pattern>
065: <url-pattern>/*</url-pattern>
066: </web-resource-collection>
067: <auth-constraint />
068: <user-data-constraint>
069: <transport-guarantee>NONE</transport-guarantee>
070: </user-data-constraint>
071: </security-constraint>
072:
073: <security-constraint>
074: <web-resource-collection>
075: <web-resource-name>Restricted POST</web-resource-name>
076: <url-pattern>/restricted/post-only/*</url-pattern>
077: <http-method>POST</http-method>
078: </web-resource-collection>
079: <auth-constraint>
080: <role-name>PostRole</role-name>
081: </auth-constraint>
082: <user-data-constraint>
083: <transport-guarantee>NONE</transport-guarantee>
084: </user-data-constraint>
085: </security-constraint>
086: <security-constraint>
087: <web-resource-collection>
088: <web-resource-name>Excluded POST</web-resource-name>
089: <url-pattern>/restricted/post-only/*</url-pattern>
090: <http-method>DELETE</http-method>
091: <http-method>PUT</http-method>
092: <http-method>HEAD</http-method>
093: <http-method>OPTIONS</http-method>
094: <http-method>TRACE</http-method>
095: <http-method>GET</http-method>
096: </web-resource-collection>
097: <auth-constraint />
098: <user-data-constraint>
099: <transport-guarantee>NONE</transport-guarantee>
100: </user-data-constraint>
101: </security-constraint>
102:
103: <security-role>
104: <role-name>PostRole</role-name>
105: </security-role>
106:
107: <login-config>
108: <auth-method>BASIC</auth-method>
109: <realm-name>WebConstraintsUnitTestCase</realm-name>
110: </login-config>
111: </web-app>
112:
113: @author Scott.Stark@jboss.org
114: @version $Revision: 57206 $
115: */
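public class UncheckedPrefixWebConstraintsUnitTestCase extends TestCase {
    /** JACC policy context id used for both the configuration and the thread binding. */
    private static final String CONTEXT_ID = "UncheckedPrefixWebConstraintsUnitTestCase";

    /** Configuration populated and committed in setUp, deleted again in tearDown. */
    private PolicyConfiguration pc;
    /** JVM-wide policy that was installed before setUp replaced it; restored in tearDown. */
    private Policy previousPolicy;

    /**
     * Checks the permissions derived from the constraints in the class comment
     * for the prefix "/restricted/post-only/*".
     *
     * An anonymous caller must be denied both GET and POST on
     * /restricted/post-only/x. A caller in PostRole must be granted POST
     * (the "Restricted POST" constraint) but still denied GET, because GET on
     * that prefix is covered by the excluded "Excluded POST" collection.
     *
     * @throws Exception on any failure of the policy lookups
     */
    public void testUncheckedPrefix() throws Exception {
        Policy p = Policy.getPolicy();
        WebResourcePermission wrp;

        // Anonymous caller: no principals, so neither method may be implied
        SimplePrincipal[] caller = null;
        ProtectionDomain pd = new ProtectionDomain(null, null, null, caller);
        wrp = new WebResourcePermission("/restricted/post-only/x", "GET");
        assertFalse("/restricted/post-only/x GET", p.implies(pd, wrp));
        wrp = new WebResourcePermission("/restricted/post-only/x", "POST");
        assertFalse("/restricted/post-only/x POST", p.implies(pd, wrp));

        // Caller in PostRole: POST is allowed, GET remains excluded
        caller = new SimplePrincipal[] { new SimplePrincipal("PostRole") };
        pd = new ProtectionDomain(null, null, null, caller);
        wrp = new WebResourcePermission("/restricted/post-only/x", "GET");
        assertFalse("/restricted/post-only/x GET", p.implies(pd, wrp));
        wrp = new WebResourcePermission("/restricted/post-only/x", "POST");
        assertTrue("/restricted/post-only/x POST", p.implies(pd, wrp));
    }

    /**
     * Builds the security constraints from the class comment in memory,
     * installs a DelegatingPolicy as the JVM policy, commits the JACC
     * permissions generated from the metadata and binds the policy context id
     * to the current thread.
     *
     * @throws Exception if the policy configuration cannot be created or committed
     */
    protected void setUp() throws Exception {
        WebMetaData metaData = new WebMetaData();
        ArrayList securityConstraints = new ArrayList();
        addSC(securityConstraints);
        metaData.setSecurityConstraints(securityConstraints);

        // Remember the policy in force before the test so tearDown can put it back;
        // Policy.setPolicy is process-wide state shared with every other test.
        previousPolicy = Policy.getPolicy();
        DelegatingPolicy policy = new DelegatingPolicy();
        Policy.setPolicy(policy);
        JBossPolicyConfigurationFactory pcf = new JBossPolicyConfigurationFactory();
        pc = pcf.getPolicyConfiguration(CONTEXT_ID, true);
        WebPermissionMapping.createPermissions(metaData, pc);
        pc.commit();
        System.out.println(policy.listContextPolicies());
        PolicyContext.setContextID(CONTEXT_ID);
    }

    /**
     * Undoes the global state created by setUp: deletes the committed policy
     * configuration, clears the thread's policy context id and reinstalls the
     * previously active policy, so later tests in the same JVM do not run
     * against this test's permissions.
     *
     * @throws Exception if the policy configuration cannot be deleted
     */
    protected void tearDown() throws Exception {
        try {
            if (pc != null) {
                pc.delete();
            }
        } finally {
            pc = null;
            PolicyContext.setContextID(null);
            Policy.setPolicy(previousPolicy);
        }
    }

    /**
     * Appends the three security-constraint elements from the class comment
     * to the given list as WebSecurityMetaData instances.
     *
     * @param securityConstraints list that receives the constraints, in web.xml order
     */
    private void addSC(List securityConstraints) {
        // security-constraint "Excluded": /restricted/post-only/excluded/* and /*
        // with an empty auth-constraint, i.e. nobody may access these
        WebSecurityMetaData wsmd = new WebSecurityMetaData();
        securityConstraints.add(wsmd);
        WebSecurityMetaData.WebResourceCollection wrc = wsmd.addWebResource("Excluded");
        wrc.addPattern("/restricted/post-only/excluded/*");
        wrc.addPattern("/*");
        // <auth-constraint />
        wsmd.setExcluded(true);
        // user-data-constraint/transport-guarantee
        wsmd.setTransportGuarantee("NONE");

        // security-constraint "Restricted POST": POST on /restricted/post-only/*
        // requires PostRole
        wsmd = new WebSecurityMetaData();
        securityConstraints.add(wsmd);
        wrc = wsmd.addWebResource("Restricted POST");
        wrc.addPattern("/restricted/post-only/*");
        wrc.addHttpMethod("POST");
        wsmd.addRole("PostRole");
        wsmd.setTransportGuarantee("NONE");

        // security-constraint "Excluded POST": every method other than POST on
        // /restricted/post-only/* is excluded
        wsmd = new WebSecurityMetaData();
        securityConstraints.add(wsmd);
        wrc = wsmd.addWebResource("Excluded POST");
        wrc.addPattern("/restricted/post-only/*");
        wrc.addHttpMethod("DELETE");
        wrc.addHttpMethod("PUT");
        wrc.addHttpMethod("HEAD");
        wrc.addHttpMethod("OPTIONS");
        wrc.addHttpMethod("TRACE");
        wrc.addHttpMethod("GET");
        wsmd.setExcluded(true);
        wsmd.setTransportGuarantee("NONE");
    }

}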