001: /*
002: * JBoss, Home of Professional Open Source.
003: * Copyright 2006, Red Hat Middleware LLC, and individual contributors
004: * as indicated by the @author tags. See the copyright.txt file in the
005: * distribution for a full listing of individual contributors.
006: *
007: * This is free software; you can redistribute it and/or modify it
008: * under the terms of the GNU Lesser General Public License as
009: * published by the Free Software Foundation; either version 2.1 of
010: * the License, or (at your option) any later version.
011: *
012: * This software is distributed in the hope that it will be useful,
013: * but WITHOUT ANY WARRANTY; without even the implied warranty of
014: * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
015: * Lesser General Public License for more details.
016: *
017: * You should have received a copy of the GNU Lesser General Public
018: * License along with this software; if not, write to the Free
019: * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
020: * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
021: */
022: package org.jboss.test.web.security.jacc;
023:
024: import java.util.ArrayList;
025: import java.util.List;
026: import java.util.HashMap;
027: import java.security.Policy;
028: import java.security.ProtectionDomain;
029: import javax.security.jacc.PolicyConfiguration;
030: import javax.security.jacc.WebResourcePermission;
031: import javax.security.jacc.PolicyContext;
032:
033: import junit.framework.TestCase;
034: import org.jboss.metadata.WebMetaData;
035: import org.jboss.metadata.WebSecurityMetaData;
036: import org.jboss.security.SecurityRoleMetaData;
037: import org.jboss.web.WebPermissionMapping;
038: import org.jboss.security.jacc.DelegatingPolicy;
039: import org.jboss.security.jacc.JBossPolicyConfigurationFactory;
040: import org.jboss.security.SimplePrincipal;
041:
042: /** Test
043:
044: <?xml version="1.0" encoding="UTF-8"?>
045: <web-app version="2.4"
046: xmlns="http://java.sun.com/xml/ns/j2ee"
047: xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
048: xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
049: http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
050:
051: <description>Tests of various security-constraints</description>
052:
053: <servlet>
054: <servlet-name>ConstraintsServlet</servlet-name>
055: <servlet-class>org.jboss.test.security.servlets.ConstraintsServlet</servlet-class>
056: </servlet>
057:
058: <servlet-mapping>
059: <servlet-name>ConstraintsServlet</servlet-name>
060: <url-pattern>/*</url-pattern>
061: </servlet-mapping>
062:
063: <security-constraint>
064: <display-name>excluded</display-name>
065: <web-resource-collection>
066: <web-resource-name>No Access</web-resource-name>
067: <url-pattern>/excluded/*</url-pattern>
068: <url-pattern>/restricted/get-only/excluded/*</url-pattern>
069: <url-pattern>/restricted/post-only/excluded/*</url-pattern>
070: <url-pattern>/restricted/any/excluded/*</url-pattern>
071: </web-resource-collection>
072: <web-resource-collection>
073: <web-resource-name>No Access</web-resource-name>
074: <url-pattern>/restricted/*</url-pattern>
075: <http-method>DELETE</http-method>
076: <http-method>PUT</http-method>
077: <http-method>HEAD</http-method>
078: <http-method>OPTIONS</http-method>
079: <http-method>TRACE</http-method>
080: <http-method>GET</http-method>
081: <http-method>POST</http-method>
082: </web-resource-collection>
083: <auth-constraint />
084: <user-data-constraint>
085: <transport-guarantee>NONE</transport-guarantee>
086: </user-data-constraint>
087: </security-constraint>
088:
089: <security-constraint>
090: <display-name>unchecked</display-name>
091: <web-resource-collection>
092: <web-resource-name>All Access</web-resource-name>
093: <url-pattern>/unchecked/*</url-pattern>
094: <http-method>DELETE</http-method>
095: <http-method>PUT</http-method>
096: <http-method>HEAD</http-method>
097: <http-method>OPTIONS</http-method>
098: <http-method>TRACE</http-method>
099: <http-method>GET</http-method>
100: <http-method>POST</http-method>
101: </web-resource-collection>
102: <user-data-constraint>
103: <transport-guarantee>NONE</transport-guarantee>
104: </user-data-constraint>
105: </security-constraint>
106:
107: <security-constraint>
108: <display-name>Restricted GET</display-name>
109: <web-resource-collection>
110: <web-resource-name>Restricted Access - Get Only</web-resource-name>
111: <url-pattern>/restricted/get-only/*</url-pattern>
112: <http-method>GET</http-method>
113: </web-resource-collection>
114: <auth-constraint>
115: <role-name>GetRole</role-name>
116: </auth-constraint>
117: <user-data-constraint>
118: <transport-guarantee>NONE</transport-guarantee>
119: </user-data-constraint>
120: </security-constraint>
121: <security-constraint>
122: <display-name>Excluded GET</display-name>
123: <web-resource-collection>
124: <web-resource-name>Restricted Access - Get Only</web-resource-name>
125: <url-pattern>/restricted/get-only/*</url-pattern>
126: <http-method>DELETE</http-method>
127: <http-method>PUT</http-method>
128: <http-method>HEAD</http-method>
129: <http-method>OPTIONS</http-method>
130: <http-method>TRACE</http-method>
131: <http-method>POST</http-method>
132: </web-resource-collection>
133: <auth-constraint />
134: <user-data-constraint>
135: <transport-guarantee>NONE</transport-guarantee>
136: </user-data-constraint>
137: </security-constraint>
138:
139: <security-constraint>
140: <display-name>Restricted POST</display-name>
141: <web-resource-collection>
142: <web-resource-name>Restricted Access - Post Only</web-resource-name>
143: <url-pattern>/restricted/post-only/*</url-pattern>
144: <http-method>POST</http-method>
145: </web-resource-collection>
146: <auth-constraint>
147: <role-name>PostRole</role-name>
148: </auth-constraint>
149: <user-data-constraint>
150: <transport-guarantee>NONE</transport-guarantee>
151: </user-data-constraint>
152: </security-constraint>
153: <security-constraint>
154: <display-name>Excluded POST</display-name>
155: <web-resource-collection>
156: <web-resource-name>Restricted Access - Post Only</web-resource-name>
157: <url-pattern>/restricted/post-only/*</url-pattern>
158: <http-method>DELETE</http-method>
159: <http-method>PUT</http-method>
160: <http-method>HEAD</http-method>
161: <http-method>OPTIONS</http-method>
162: <http-method>TRACE</http-method>
163: <http-method>GET</http-method>
164: </web-resource-collection>
165: <auth-constraint />
166: <user-data-constraint>
167: <transport-guarantee>NONE</transport-guarantee>
168: </user-data-constraint>
169: </security-constraint>
170:
171: <security-constraint>
172: <display-name>Restricted ANY</display-name>
173: <web-resource-collection>
174: <web-resource-name>Restricted Access - Any</web-resource-name>
175: <url-pattern>/restricted/any/*</url-pattern>
176: <http-method>DELETE</http-method>
177: <http-method>PUT</http-method>
178: <http-method>HEAD</http-method>
179: <http-method>OPTIONS</http-method>
180: <http-method>TRACE</http-method>
181: <http-method>GET</http-method>
182: <http-method>POST</http-method>
183: </web-resource-collection>
184: <auth-constraint>
185: <role-name>*</role-name>
186: </auth-constraint>
187: <user-data-constraint>
188: <transport-guarantee>NONE</transport-guarantee>
189: </user-data-constraint>
190: </security-constraint>
191:
192: <security-constraint>
193: <display-name>Unrestricted</display-name>
194: <web-resource-collection>
195: <web-resource-name>Restricted Access - Any</web-resource-name>
196: <url-pattern>/restricted/not/*</url-pattern>
197: <http-method>DELETE</http-method>
198: <http-method>PUT</http-method>
199: <http-method>HEAD</http-method>
200: <http-method>OPTIONS</http-method>
201: <http-method>TRACE</http-method>
202: <http-method>GET</http-method>
203: <http-method>POST</http-method>
204: </web-resource-collection>
205: <user-data-constraint>
206: <transport-guarantee>NONE</transport-guarantee>
207: </user-data-constraint>
208: </security-constraint>
209:
210: <security-role>
211: <role-name>GetRole</role-name>
212: </security-role>
213: <security-role>
214: <role-name>PostRole</role-name>
215: </security-role>
216:
217: <login-config>
218: <auth-method>BASIC</auth-method>
219: <realm-name>WebConstraintsUnitTestCase</realm-name>
220: </login-config>
221: </web-app>
222:
223: @author Scott.Stark@jboss.org
224: @version $Revision: 57206 $
225: */
226: public class WebConstraintsUnitTestCase extends TestCase {
227: private PolicyConfiguration pc;
228:
229: public void testUnchecked() throws Exception {
230: Policy p = Policy.getPolicy();
231: SimplePrincipal[] caller = null;
232: ProtectionDomain pd = new ProtectionDomain(null, null, null,
233: caller);
234: // Test /unchecked
235: WebResourcePermission wrp = new WebResourcePermission(
236: "/unchecked", "GET");
237: assertTrue("/unchecked GET", p.implies(pd, wrp));
238: wrp = new WebResourcePermission("/unchecked/x", "GET");
239: assertTrue("/unchecked/x GET", p.implies(pd, wrp));
240:
241: // Test the Unrestricted security-constraint
242: wrp = new WebResourcePermission("/restricted/not", "GET");
243: assertTrue("/restricted/not GET", p.implies(pd, wrp));
244: wrp = new WebResourcePermission("/restricted/not/x", "GET");
245: assertTrue("/restricted/not/x GET", p.implies(pd, wrp));
246: wrp = new WebResourcePermission("/restricted/not/x", "HEAD");
247: assertTrue("/restricted/not/x HEAD", p.implies(pd, wrp));
248: wrp = new WebResourcePermission("/restricted/not/x", "POST");
249: assertTrue("/restricted/not/x POST", p.implies(pd, wrp));
250:
251: wrp = new WebResourcePermission("/", "GET");
252: assertTrue("/ GET", p.implies(pd, wrp));
253: wrp = new WebResourcePermission("/other", "GET");
254: assertTrue("/other GET", p.implies(pd, wrp));
255: wrp = new WebResourcePermission("/other", "HEAD");
256: assertTrue("/other HEAD", p.implies(pd, wrp));
257: wrp = new WebResourcePermission("/other", "POST");
258: assertTrue("/other POST", p.implies(pd, wrp));
259: }
260:
261: public void testGetAccess() throws Exception {
262: Policy p = Policy.getPolicy();
263: SimplePrincipal[] caller = { new SimplePrincipal("GetRole") };
264: ProtectionDomain pd = new ProtectionDomain(null, null, null,
265: caller);
266:
267: // Test the Restricted GET security-constraint
268: WebResourcePermission wrp = new WebResourcePermission(
269: "/restricted/get-only", "GET");
270: assertTrue("/restricted/get-only GET", p.implies(pd, wrp));
271:
272: wrp = new WebResourcePermission("/restricted/get-only/x", "GET");
273: assertTrue("/restricted/get-only/x GET", p.implies(pd, wrp));
274:
275: // Test the Restricted ANY security-constraint
276: wrp = new WebResourcePermission("/restricted/any/x", "GET");
277: assertTrue("/restricted/any/x GET", p.implies(pd, wrp));
278:
279: // Test that a POST to the Restricted GET security-constraint fails
280: wrp = new WebResourcePermission("/restricted/get-only/x",
281: "POST");
282: assertFalse("/restricted/get-only/x POST", p.implies(pd, wrp));
283:
284: // Test that Restricted POST security-constraint fails
285: wrp = new WebResourcePermission("/restricted/post-only/x",
286: "GET");
287: assertFalse("/restricted/post-only/x GET", p.implies(pd, wrp));
288:
289: // Validate that the excluded subcontext if not accessible
290: wrp = new WebResourcePermission(
291: "/restricted/get-only/excluded/x", "GET");
292: assertFalse("/restricted/get-only/excluded/x GET", p.implies(
293: pd, wrp));
294:
295: caller = new SimplePrincipal[] { new SimplePrincipal(
296: "OtherRole") };
297: pd = new ProtectionDomain(null, null, null, caller);
298: // Test the Restricted GET security-constraint
299: wrp = new WebResourcePermission("/restricted/get-only", "GET");
300: assertFalse("/restricted/get-only GET", p.implies(pd, wrp));
301: wrp = new WebResourcePermission("/restricted/get-only/x", "GET");
302: assertFalse("/restricted/get-only/x GET", p.implies(pd, wrp));
303:
304: /* Test the Restricted ANY security-constraint. Note that this would be
305: allowed by the non-JACC and standalone tomcat as they interpret the "*"
306: role-name to mean any role while the JACC mapping simply replaces "*" with
307: the web.xml security-role/role-name values.
308: */
309: wrp = new WebResourcePermission("/restricted/any/x", "GET");
310: assertFalse("/restricted/any/x GET", p.implies(pd, wrp));
311: }
312:
313: /** Test that the excluded paths are not accessible by anyone
314: */
315: public void testExcludedAccess() throws Exception {
316: Policy p = Policy.getPolicy();
317: SimplePrincipal[] caller = { new SimplePrincipal("GetRole") };
318: ProtectionDomain pd = new ProtectionDomain(null, null, null,
319: caller);
320:
321: WebResourcePermission wrp = new WebResourcePermission(
322: "/excluded/x", "GET");
323: assertFalse("/excluded/x GET", p.implies(pd, wrp));
324: wrp = new WebResourcePermission("/excluded/x", "OPTIONS");
325: assertFalse("/excluded/x OPTIONS", p.implies(pd, wrp));
326: wrp = new WebResourcePermission("/excluded/x", "HEAD");
327: assertFalse("/excluded/x HEAD", p.implies(pd, wrp));
328: wrp = new WebResourcePermission("/excluded/x", "POST");
329: assertFalse("/excluded/x POST", p.implies(pd, wrp));
330:
331: wrp = new WebResourcePermission("/restricted/", "GET");
332: assertFalse("/restricted/ GET", p.implies(pd, wrp));
333: wrp = new WebResourcePermission("/restricted/", "OPTIONS");
334: assertFalse("/restricted/ OPTIONS", p.implies(pd, wrp));
335: wrp = new WebResourcePermission("/restricted/", "HEAD");
336: assertFalse("/restricted/ HEAD", p.implies(pd, wrp));
337: wrp = new WebResourcePermission("/restricted/", "POST");
338: assertFalse("/restricted/ POST", p.implies(pd, wrp));
339:
340: wrp = new WebResourcePermission(
341: "/restricted/get-only/excluded/x", "GET");
342: assertFalse("/restricted/get-only/excluded/x GET", p.implies(
343: pd, wrp));
344: wrp = new WebResourcePermission(
345: "/restricted/get-only/excluded/x", "OPTIONS");
346: assertFalse("/restricted/get-only/excluded/x OPTIONS", p
347: .implies(pd, wrp));
348: wrp = new WebResourcePermission(
349: "/restricted/get-only/excluded/x", "HEAD");
350: assertFalse("/restricted/get-only/excluded/x HEAD", p.implies(
351: pd, wrp));
352: wrp = new WebResourcePermission(
353: "/restricted/get-only/excluded/x", "POST");
354: assertFalse("/restricted/get-only/excluded/x POST", p.implies(
355: pd, wrp));
356:
357: wrp = new WebResourcePermission(
358: "/restricted/post-only/excluded/x", "GET");
359: assertFalse("/restricted/post-only/excluded/x GET", p.implies(
360: pd, wrp));
361: wrp = new WebResourcePermission(
362: "/restricted/post-only/excluded/x", "OPTIONS");
363: assertFalse("/restricted/post-only/excluded/x OPTIONS", p
364: .implies(pd, wrp));
365: wrp = new WebResourcePermission(
366: "/restricted/post-only/excluded/x", "HEAD");
367: assertFalse("/restricted/post-only/excluded/x HEAD", p.implies(
368: pd, wrp));
369: wrp = new WebResourcePermission(
370: "/restricted/post-only/excluded/x", "POST");
371: assertFalse("/restricted/post-only/excluded/x POST", p.implies(
372: pd, wrp));
373:
374: wrp = new WebResourcePermission("/restricted/any/excluded/x",
375: "GET");
376: assertFalse("/restricted/any/excluded/x GET", p
377: .implies(pd, wrp));
378: wrp = new WebResourcePermission("/restricted/any/excluded/x",
379: "OPTIONS");
380: assertFalse("/restricted/any/excluded/x OPTIONS", p.implies(pd,
381: wrp));
382: wrp = new WebResourcePermission("/restricted/any/excluded/x",
383: "HEAD");
384: assertFalse("/restricted/any/excluded/x HEAD", p.implies(pd,
385: wrp));
386: wrp = new WebResourcePermission("/restricted/any/excluded/x",
387: "POST");
388: assertFalse("/restricted/any/excluded/x POST", p.implies(pd,
389: wrp));
390: }
391:
392: /** Test POSTs against URLs that only allows the POST method and required
393: * the PostRole role
394: */
395: public void testPostAccess() throws Exception {
396: Policy p = Policy.getPolicy();
397: SimplePrincipal[] caller = { new SimplePrincipal("PostRole") };
398: ProtectionDomain pd = new ProtectionDomain(null, null, null,
399: caller);
400:
401: WebResourcePermission wrp = new WebResourcePermission(
402: "/restricted/post-only/", "POST");
403: assertTrue("/restricted/post-only/ POST", p.implies(pd, wrp));
404: wrp = new WebResourcePermission("/restricted/post-only/x",
405: "POST");
406: assertTrue("/restricted/post-only/x POST", p.implies(pd, wrp));
407:
408: // Test the Restricted ANY security-constraint
409: wrp = new WebResourcePermission("/restricted/any/x", "POST");
410: assertTrue("/restricted/any/x POST", p.implies(pd, wrp));
411:
412: // Validate that the excluded subcontext if not accessible
413: wrp = new WebResourcePermission(
414: "/restricted/post-only/excluded/x", "POST");
415: assertFalse("/restricted/post-only/excluded/x POST", p.implies(
416: pd, wrp));
417:
418: // Test that a GET to the Restricted POST security-constraint fails
419: wrp = new WebResourcePermission("/restricted/post-only/x",
420: "GET");
421: assertFalse("/restricted/post-only/excluded/x GET", p.implies(
422: pd, wrp));
423: // Test that Restricted POST security-constraint fails
424: wrp = new WebResourcePermission("/restricted/get-only/x",
425: "POST");
426: assertFalse("/restricted/get-only/x POST", p.implies(pd, wrp));
427:
428: // Change to otherUser to test failure
429: caller = new SimplePrincipal[] { new SimplePrincipal(
430: "OtherRole") };
431: pd = new ProtectionDomain(null, null, null, caller);
432:
433: // Test the Restricted Post security-constraint
434: wrp = new WebResourcePermission("/restricted/post-only", "POST");
435: assertFalse("/restricted/post-only POST", p.implies(pd, wrp));
436: wrp = new WebResourcePermission("/restricted/post-only/x",
437: "POST");
438: assertFalse("/restricted/post-only/x POST", p.implies(pd, wrp));
439:
440: }
441:
442: protected void setUp() throws Exception {
443: WebMetaData metaData = new WebMetaData();
444: ArrayList securityContraints = new ArrayList();
445: addExcluded(securityContraints);
446: addAllAccessSC(securityContraints);
447: addRestrictedGetSC(securityContraints);
448: addExcludedGetSC(securityContraints);
449: addRestrictedPostSC(securityContraints);
450: addExcludedPostSC(securityContraints);
451: addRestrictedAnySC(metaData, securityContraints);
452: addUnrestrictedSC(securityContraints);
453: metaData.setSecurityConstraints(securityContraints);
454:
455: DelegatingPolicy policy = new DelegatingPolicy();
456: Policy.setPolicy(policy);
457: JBossPolicyConfigurationFactory pcf = new JBossPolicyConfigurationFactory();
458: pc = pcf.getPolicyConfiguration("WebConstraintsUnitTestCase",
459: true);
460: WebPermissionMapping.createPermissions(metaData, pc);
461: pc.commit();
462: System.out.println(policy.listContextPolicies());
463: PolicyContext.setContextID("WebConstraintsUnitTestCase");
464: }
465:
466: private void addExcluded(List securityContraints) {
467: // security-constraint/ display-name = excluded
468: WebSecurityMetaData wsmd = new WebSecurityMetaData();
469: securityContraints.add(wsmd);
470: // web-resource-collection/web-resource-name = No Access
471: WebSecurityMetaData.WebResourceCollection wrc = wsmd
472: .addWebResource("No Access");
473: wrc.addPattern("/excluded/*");
474: wrc.addPattern("/restricted/get-only/excluded/*");
475: wrc.addPattern("/restricted/post-only/excluded/*");
476: wrc.addPattern("/restricted/any/excluded/*");
477: wrc.addPattern("/excluded/*");
478:
479: // web-resource-collection/web-resource-name = No Access
480: wrc = wsmd.addWebResource("No Access");
481: wrc.addPattern("/restricted/*");
482: wrc.addHttpMethod("DELETE");
483: wrc.addHttpMethod("PUT");
484: wrc.addHttpMethod("HEAD");
485: wrc.addHttpMethod("OPTIONS");
486: wrc.addHttpMethod("TRACE");
487: wrc.addHttpMethod("GET");
488: wrc.addHttpMethod("POST");
489:
490: // empty auth-constraint
491: wsmd.setExcluded(true);
492:
493: // user-data-constraint/transport-guarantee
494: wsmd.setTransportGuarantee("NONE");
495: }
496:
497: private void addAllAccessSC(List securityContraints) {
498: WebSecurityMetaData wsmd = new WebSecurityMetaData();
499: securityContraints.add(wsmd);
500:
501: // All Access
502: WebSecurityMetaData.WebResourceCollection wrc = wsmd
503: .addWebResource("All Access");
504: wrc.addPattern("/unchecked/*");
505: wrc.addHttpMethod("DELETE");
506: wrc.addHttpMethod("PUT");
507: wrc.addHttpMethod("HEAD");
508: wrc.addHttpMethod("OPTIONS");
509: wrc.addHttpMethod("TRACE");
510: wrc.addHttpMethod("GET");
511: wrc.addHttpMethod("POST");
512:
513: // No auth-constraint
514: wsmd.setUnchecked(true);
515: // user-data-constraint/transport-guarantee
516: wsmd.setTransportGuarantee("NONE");
517: }
518:
519: private void addRestrictedGetSC(List securityContraints) {
520: WebSecurityMetaData wsmd = new WebSecurityMetaData();
521: securityContraints.add(wsmd);
522:
523: // web-resource-name = Restricted Access - Get Only
524: WebSecurityMetaData.WebResourceCollection wrc = wsmd
525: .addWebResource("Restricted Access - Get Only");
526: wrc.addPattern("/restricted/get-only/*");
527: wrc.addHttpMethod("GET");
528:
529: // auth-constraint/role-name = GetRole
530: wsmd.addRole("GetRole");
531: // user-data-constraint/transport-guarantee
532: wsmd.setTransportGuarantee("NONE");
533: }
534:
535: private void addExcludedGetSC(List securityContraints) {
536: WebSecurityMetaData wsmd = new WebSecurityMetaData();
537: securityContraints.add(wsmd);
538:
539: // web-resource-name = Restricted Access - Get Only
540: WebSecurityMetaData.WebResourceCollection wrc = wsmd
541: .addWebResource("Restricted Access - Get Only");
542: wrc.addPattern("/restricted/get-only/*");
543: wrc.addHttpMethod("DELETE");
544: wrc.addHttpMethod("PUT");
545: wrc.addHttpMethod("HEAD");
546: wrc.addHttpMethod("OPTIONS");
547: wrc.addHttpMethod("TRACE");
548: wrc.addHttpMethod("POST");
549:
550: // empty auth-constraint
551: wsmd.setExcluded(true);
552: // user-data-constraint/transport-guarantee
553: wsmd.setTransportGuarantee("NONE");
554: }
555:
556: private void addRestrictedPostSC(List securityContraints) {
557: WebSecurityMetaData wsmd = new WebSecurityMetaData();
558: securityContraints.add(wsmd);
559:
560: // web-resource-name = Restricted Access - Post Only
561: WebSecurityMetaData.WebResourceCollection wrc = wsmd
562: .addWebResource("Restricted Access - Post Only");
563: wrc.addPattern("/restricted/post-only/*");
564: wrc.addHttpMethod("POST");
565:
566: // auth-constraint/role-name = PostRole
567: wsmd.addRole("PostRole");
568: // user-data-constraint/transport-guarantee
569: wsmd.setTransportGuarantee("NONE");
570: }
571:
572: private void addExcludedPostSC(List securityContraints) {
573: WebSecurityMetaData wsmd = new WebSecurityMetaData();
574: securityContraints.add(wsmd);
575:
576: // web-resource-name = Restricted Access - Post Only
577: WebSecurityMetaData.WebResourceCollection wrc = wsmd
578: .addWebResource("Restricted Access - Post Only");
579: wrc.addPattern("/restricted/post-only/*");
580: wrc.addHttpMethod("DELETE");
581: wrc.addHttpMethod("PUT");
582: wrc.addHttpMethod("HEAD");
583: wrc.addHttpMethod("OPTIONS");
584: wrc.addHttpMethod("TRACE");
585: wrc.addHttpMethod("GET");
586:
587: // empty auth-constraint
588: wsmd.setExcluded(true);
589: // user-data-constraint/transport-guarantee
590: wsmd.setTransportGuarantee("NONE");
591: }
592:
593: private void addRestrictedAnySC(WebMetaData wmd,
594: List securityContraints) {
595: WebSecurityMetaData wsmd = new WebSecurityMetaData();
596: securityContraints.add(wsmd);
597:
598: // web-resource-name = Restricted Access - Any
599: WebSecurityMetaData.WebResourceCollection wrc = wsmd
600: .addWebResource("Restricted Access - Any");
601: wrc.addPattern("/restricted/any/*");
602: wrc.addHttpMethod("DELETE");
603: wrc.addHttpMethod("PUT");
604: wrc.addHttpMethod("HEAD");
605: wrc.addHttpMethod("OPTIONS");
606: wrc.addHttpMethod("TRACE");
607: wrc.addHttpMethod("GET");
608: wrc.addHttpMethod("POST");
609:
610: // auth-constraint/role-name = *
611: wsmd.addRole("*");
612: // Add the security-role/role-name values * would map to
613: HashMap roles = new HashMap();
614: roles.put("GetRole", new SecurityRoleMetaData("GetRole"));
615: roles.put("PostRole", new SecurityRoleMetaData("PostRole"));
616: wmd.setSecurityRoles(roles);
617: // user-data-constraint/transport-guarantee
618: wsmd.setTransportGuarantee("NONE");
619: }
620:
621: private void addUnrestrictedSC(List securityContraints) {
622: WebSecurityMetaData wsmd = new WebSecurityMetaData();
623: securityContraints.add(wsmd);
624:
625: // web-resource-name = Restricted Access - Any
626: WebSecurityMetaData.WebResourceCollection wrc = wsmd
627: .addWebResource("Restricted Access - Any");
628: wrc.addPattern("/restricted/not/*");
629: wrc.addHttpMethod("DELETE");
630: wrc.addHttpMethod("PUT");
631: wrc.addHttpMethod("HEAD");
632: wrc.addHttpMethod("OPTIONS");
633: wrc.addHttpMethod("TRACE");
634: wrc.addHttpMethod("GET");
635: wrc.addHttpMethod("POST");
636:
637: // no auth-constraint
638: wsmd.setUnchecked(true);
639: // user-data-constraint/transport-guarantee
640: wsmd.setTransportGuarantee("NONE");
641: }
642: }
|