1 /*
2   * JBoss, Home of Professional Open Source
3   * Copyright 2005, JBoss Inc., and individual contributors as indicated
4   * by the @authors tag. See the copyright.txt in the distribution for a
5   * full listing of individual contributors.
6   *
7   * This is free software; you can redistribute it and/or modify it
8   * under the terms of the GNU Lesser General Public License as
9   * published by the Free Software Foundation; either version 2.1 of
10   * the License, or (at your option) any later version.
11   *
12   * This software is distributed in the hope that it will be useful,
13   * but WITHOUT ANY WARRANTY; without even the implied warranty of
14   * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15   * Lesser General Public License for more details.
16   *
17   * You should have received a copy of the GNU Lesser General Public
18   * License along with this software; if not, write to the Free
19   * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
20   * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
21   */

22 package org.jboss.test.security.test;
23
24 import java.net.HttpURLConnection JavaDoc;
25 import java.net.URL JavaDoc;
26
27 import org.jboss.test.util.web.HttpUtils;
28 import org.jboss.test.JBossTestCase;
29 import junit.framework.Test;
30
31 /** Tests of the web declarative security model
32
33  @author Scott.Stark@jboss.org
34  @version $Revision: 37406 $
35  */

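/**
 * Tests of the web declarative security model. Each test issues HTTP requests
 * against the {@code security-constraint} mappings of {@code web-constraints.war}
 * and checks that the container answers with the expected status code, so the
 * assertions live in {@link HttpUtils#accessURL}: a status other than the one
 * passed in fails the test.
 *
 * @author Scott.Stark@jboss.org
 * @version $Revision: 37406 $
 */
public class WebConstraintsUnitTestCase extends JBossTestCase
{
   /** Realm name handed to HttpUtils when answering the authentication challenge. */
   public static String REALM = "WebConstraintsUnitTestCase";
   /** Base URL for requests that carry no credentials at all. */
   public String baseURLNoAuth = HttpUtils.getBaseURLNoAuth();
   /** The deployment exercised by this test case. */
   public static final String WAR = "web-constraints.war";
   // Not referenced by the tests in this class; kept for package-level callers.
   static String username = "scott";
   static char[] password = "echoman".toCharArray();
   /** A flag indicating if a "*" web-app/auth-constraint/role-name should imply
    * any authenticated user role, or only the security-role/role-name values
    * in the web app. True = only the web-app defined roles. Defaults to false,
    * in which case otherUser is expected to reach the "any" constraint.
    */
   private boolean strictStarRolesMode;

   /** @return true if "*" matches only the roles declared in the web app. */
   public boolean isStrictStarRolesMode()
   {
      return strictStarRolesMode;
   }
   /** @param strictStarRolesMode true to expect "*" to match only declared roles. */
   public void setStrictStarRolesMode(boolean strictStarRolesMode)
   {
      this.strictStarRolesMode = strictStarRolesMode;
   }

   /** @param name the JUnit test method name. */
   public WebConstraintsUnitTestCase(String name)
   {
      super(name);
   }

   /** Test URLs that should require no authentication for any method.
    * @throws Exception if a request fails or returns an unexpected status
    */
   public void testUnchecked() throws Exception
   {
      log.debug("+++ testUnchecked");
      // Test the unchecked security-constraint: GET, HEAD and POST all pass
      URL url = new URL(baseURLNoAuth+"web-constraints/unchecked");
      HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_OK);
      url = new URL(baseURLNoAuth+"web-constraints/unchecked/");
      HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_OK);
      url = new URL(baseURLNoAuth+"web-constraints/unchecked/x");
      HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_OK);
      HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_OK, HttpUtils.HEAD);
      HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_OK, HttpUtils.POST);

      // Test the Unrestricted security-constraint below restricted/
      url = new URL(baseURLNoAuth+"web-constraints/restricted/not");
      HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_OK);
      HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_OK, HttpUtils.HEAD);
      HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_OK, HttpUtils.POST);
      url = new URL(baseURLNoAuth+"web-constraints/restricted/not/x");
      HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_OK);
      HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_OK, HttpUtils.HEAD);
      HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_OK, HttpUtils.POST);

      // Test the unspecified mappings: no constraint applies, so anyone gets in
      url = new URL(baseURLNoAuth+"web-constraints/");
      HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_OK);
      url = new URL(baseURLNoAuth+"web-constraints/other");
      HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_OK);
      HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_OK, HttpUtils.HEAD);
      HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_OK, HttpUtils.POST);
   }

   /** Test GETs against URLs that only allow the GET method and require
    * the GetRole role.
    * @throws Exception if a request fails or returns an unexpected status
    */
   public void testGetAccess() throws Exception
   {
      log.debug("+++ testGetAccess");
      String baseURL = HttpUtils.getBaseURL("getUser", "getUserPass");
      // Test the Restricted GET security-constraint
      URL url = new URL(baseURL+"web-constraints/restricted/get-only");
      HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_OK);
      url = new URL(baseURL+"web-constraints/restricted/get-only/x");
      HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_OK);

      // Test the Restricted ANY security-constraint
      url = new URL(baseURL+"web-constraints/restricted/any/x");
      HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_OK);

      // Test that a POST to the Restricted GET security-constraint fails
      url = new URL(baseURL+"web-constraints/restricted/get-only/x");
      HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_FORBIDDEN, HttpUtils.POST);
      // Test that a GET to the Restricted POST security-constraint fails
      url = new URL(baseURL+"web-constraints/restricted/post-only/x");
      HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_FORBIDDEN);

      // Validate that the excluded subcontext is not accessible
      url = new URL(baseURL+"web-constraints/restricted/get-only/excluded/x");
      HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_FORBIDDEN);

      // Change to otherUser to test failure
      baseURL = HttpUtils.getBaseURL("otherUser", "otherUserPass");

      // Test the Restricted GET security-constraint rejects a user without GetRole
      url = new URL(baseURL+"web-constraints/restricted/get-only");
      HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_FORBIDDEN);
      url = new URL(baseURL+"web-constraints/restricted/get-only/x");
      HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_FORBIDDEN);

      if( !strictStarRolesMode )
      {
         // Test the Restricted ANY security-constraint: "*" admits any
         // authenticated user, so otherUser is expected to get through
         url = new URL(baseURL+"web-constraints/restricted/any/x");
         HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_OK);
      }
   }

   /** Test that the excluded paths are not accessible by anyone, for every
    * method that is tried (GET, OPTIONS, HEAD, POST).
    * @throws Exception if a request fails or returns an unexpected status
    */
   public void testExcludedAccess() throws Exception
   {
      log.debug("+++ testExcludedAccess");
      String baseURL = HttpUtils.getBaseURL("getUser", "getUserPass");
      // Test the excluded security-constraint
      URL url = new URL(baseURL+"web-constraints/excluded/x");
      HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_FORBIDDEN);
      HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_FORBIDDEN, HttpUtils.OPTIONS);
      HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_FORBIDDEN, HttpUtils.HEAD);
      HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_FORBIDDEN, HttpUtils.POST);
      url = new URL(baseURL+"web-constraints/restricted/");
      HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_FORBIDDEN);
      HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_FORBIDDEN, HttpUtils.OPTIONS);
      HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_FORBIDDEN, HttpUtils.HEAD);
      HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_FORBIDDEN, HttpUtils.POST);

      // Excluded subcontexts under each restricted mapping stay closed
      // even to the user that holds the role for the parent mapping
      url = new URL(baseURL+"web-constraints/restricted/get-only/excluded/x");
      HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_FORBIDDEN);
      HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_FORBIDDEN, HttpUtils.OPTIONS);
      HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_FORBIDDEN, HttpUtils.HEAD);
      HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_FORBIDDEN, HttpUtils.POST);

      url = new URL(baseURL+"web-constraints/restricted/put-only/excluded/x");
      HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_FORBIDDEN);
      HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_FORBIDDEN, HttpUtils.OPTIONS);
      HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_FORBIDDEN, HttpUtils.HEAD);
      HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_FORBIDDEN, HttpUtils.POST);

      url = new URL(baseURL+"web-constraints/restricted/any/excluded/x");
      HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_FORBIDDEN);
      HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_FORBIDDEN, HttpUtils.OPTIONS);
      HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_FORBIDDEN, HttpUtils.HEAD);
      HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_FORBIDDEN, HttpUtils.POST);
   }

   /** Test POSTs against URLs that only allow the POST method and require
    * the PostRole role.
    * @throws Exception if a request fails or returns an unexpected status
    */
   public void testPostAccess() throws Exception
   {
      log.debug("+++ testPostAccess");
      String baseURL = HttpUtils.getBaseURL("postUser", "postUserPass");
      // Test the Restricted POST security-constraint
      URL url = new URL(baseURL+"web-constraints/restricted/post-only/");
      HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_OK, HttpUtils.POST);
      url = new URL(baseURL+"web-constraints/restricted/post-only/x");
      HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_OK, HttpUtils.POST);

      // Test the Restricted ANY security-constraint
      url = new URL(baseURL+"web-constraints/restricted/any/x");
      HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_OK, HttpUtils.POST);

      // Validate that the excluded subcontext is not accessible
      url = new URL(baseURL+"web-constraints/restricted/post-only/excluded/x");
      HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_FORBIDDEN);

      // Test that a GET to the Restricted POST security-constraint fails
      url = new URL(baseURL+"web-constraints/restricted/post-only/x");
      HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_FORBIDDEN);
      // Test that a POST to the Restricted GET security-constraint fails
      url = new URL(baseURL+"web-constraints/restricted/get-only/x");
      HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_FORBIDDEN, HttpUtils.POST);

      // Change to otherUser to test failure
      baseURL = HttpUtils.getBaseURL("otherUser", "otherUserPass");

      // Test the Restricted POST security-constraint rejects a user without PostRole
      url = new URL(baseURL+"web-constraints/restricted/post-only");
      HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_FORBIDDEN, HttpUtils.POST);
      url = new URL(baseURL+"web-constraints/restricted/post-only/x");
      HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_FORBIDDEN, HttpUtils.POST);

      if( !strictStarRolesMode )
      {
         // Test the Restricted ANY security-constraint: "*" admits any
         // authenticated user, so otherUser is expected to get through
         url = new URL(baseURL+"web-constraints/restricted/any/x");
         HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_OK);
      }
   }

   /** Wraps the test case in a setup that deploys {@link #WAR} before the
    * tests run and undeploys it afterwards.
    * @return the deploy/undeploy wrapped test suite
    * @throws Exception if the deploy setup cannot be created
    */
   public static Test suite() throws Exception
   {
      return JBossTestCase.getDeploySetup(WebConstraintsUnitTestCase.class, WAR);
   }
}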
229