CustomHeaderAuthTestCase


1   /*
2     * JBoss, Home of Professional Open Source
3     * Copyright 2005, JBoss Inc., and individual contributors as indicated
4     * by the @authors tag. See the copyright.txt in the distribution for a
5     * full listing of individual contributors.
6     *
7     * This is free software; you can redistribute it and/or modify it
8     * under the terms of the GNU Lesser General Public License as
9     * published by the Free Software Foundation; either version 2.1 of
10    * the License, or (at your option) any later version.
11    *
12    * This software is distributed in the hope that it will be useful,
13    * but WITHOUT ANY WARRANTY; without even the implied warranty of
14    * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15    * Lesser General Public License for more details.
16    *
17    * You should have received a copy of the GNU Lesser General Public
18    * License along with this software; if not, write to the Free
19    * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
20    * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
21    */
22  package org.jboss.test.web.security;
23  
24  import java.net.HttpURLConnection  ;
25  
26  import junit.framework.Test;
27  import junit.framework.TestSuite;
28  
29  import org.apache.commons.httpclient.Cookie;
30  import org.apache.commons.httpclient.Header;
31  import org.apache.commons.httpclient.HttpClient; 
32  import org.apache.commons.httpclient.HttpState;
33  import org.apache.commons.httpclient.methods.GetMethod;
34  import org.apache.commons.httpclient.methods.PostMethod;
35  import org.jboss.test.JBossTestCase;
36  import org.jboss.test.JBossTestSetup; 
37  
38  //$Id$
39  
40  /**
41   *  JBAS-2283: Custom Header based authentication
42   *  @author <a HREF="mailto:Anil.Saldhana@jboss.org">Anil Saldhana</a>
43   *  @since  Sep 11, 2006 
44   *  @version $Revision$
45   */
46  public class CustomHeaderAuthTestCase extends JBossTestCase
47  { 
48     private String   baseURLNoAuth = "http://" + getServerHost() + ":" + Integer.getInteger("web.port", 8080) + "/"; 
49     private HttpClient httpConn = new HttpClient();
50     
51     private String   path = "header-form-auth/restricted/SecuredServlet";
52     
53     public CustomHeaderAuthTestCase(String   name)
54     {
55        super(name); 
56     }
57     
58     /**
59      * Ensure that in the absence of headers, there is regular 
60      * form based authentication
61      * @throws Exception
62      */
63     public void testRegularFormAuth() throws Exception  
64     {
65        doSecureGetWithLogin(path, "jduke", "theduke");
66     }
67     
68     /**
69      * Test usecases where the userid is sent via header and the
70      * session key is used as the password.  To simplify testing,
71      * we pass a password as part of the session key. In reality,
72      * there needs to be a login module that can take the username 
73      * and session key and validate.
74      * @throws Exception
75      */
76     public void testCustomHeaderBaseAuth() throws Exception  
77     { 
78        String   serverHost = getServerHost();
79        //Siteminder usecase
80        performCustomAuth("sm_ssoid", new Cookie(serverHost, 
81                    "SMSESSION", "theduke", "/", null, false), "SiteMinder");
82        
83        //Cleartrust usecase
84        performCustomAuth("ct-remote-user", new Cookie(serverHost, 
85              "CTSESSION", "theduke", "/", null, false), "Cleartrust");
86        
87        //Oblix usecase
88        performCustomAuth("HTTP_OBLIX_UID", new Cookie(serverHost, 
89              "ObSSOCookie", "theduke", "/", null, false), "Oblix"); 
90     }
91     
92     private void performCustomAuth(String   headerId, Cookie cookie,
93           String   usecase) throws Exception  
94     {
95        GetMethod indexGet = new GetMethod(baseURLNoAuth+path);
96        indexGet.addRequestHeader(headerId, "jduke"); 
97        httpConn.getState().addCookie(cookie); 
98        int responseCode = httpConn.executeMethod(indexGet); 
99        String   response = indexGet.getStatusText();
100       log.debug("Response from " + usecase + " case:"+response);
101       Header jex = indexGet.getResponseHeader("X-JException");
102       log.debug("Saw X-JException, "+jex);
103       assertNull("X-JException == null", jex);
104       assertTrue("Get OK("+responseCode+")", responseCode == HttpURLConnection.HTTP_OK);
105    }
106    
107    private PostMethod doSecureGetWithLogin(String   path, String   username, String   password)
108    throws Exception  
109    {
110       GetMethod indexGet = new GetMethod(baseURLNoAuth+path);
111       int responseCode = httpConn.executeMethod(indexGet);
112       String   body = indexGet.getResponseBodyAsString();
113       assertTrue("Get OK("+responseCode+")", responseCode == HttpURLConnection.HTTP_OK);
114       assertTrue("Redirected to login page", body.indexOf("j_security_check") > 0 );
115 
116       HttpState state = httpConn.getState();
117       Cookie[] cookies = state.getCookies();
118       String   sessionID = null;
119       for(int c = 0; c < cookies.length; c ++)
120       {
121          Cookie k = cookies[c];
122          if( k.getName().equalsIgnoreCase("JSESSIONID") )
123             sessionID = k.getValue();
124       }
125       getLog().debug("Saw JSESSIONID="+sessionID);
126 
127       // Submit the login form
128       PostMethod formPost = new PostMethod(baseURLNoAuth+"header-form-auth/j_security_check");
129       formPost.addRequestHeader("Referer", baseURLNoAuth+"header-form-auth/restricted/login.html");
130       formPost.addParameter("j_username", username);
131       formPost.addParameter("j_password", password);
132       responseCode = httpConn.executeMethod(formPost.getHostConfiguration(),
133             formPost, state);
134       String   response = formPost.getStatusText();
135       log.debug("responseCode="+responseCode+", response="+response);
136       assertTrue("Saw HTTP_MOVED_TEMP", responseCode == HttpURLConnection.HTTP_MOVED_TEMP);
137 
138       //  Follow the redirect to the SecureServlet
139       Header location = formPost.getResponseHeader("Location");
140       String   indexURI = location.getValue();
141       GetMethod war1Index = new GetMethod(indexURI);
142       responseCode = httpConn.executeMethod(war1Index.getHostConfiguration(),
143             war1Index, state);
144       response = war1Index.getStatusText();
145       log.debug("responseCode="+responseCode+", response="+response);
146       assertTrue("Get OK", responseCode == HttpURLConnection.HTTP_OK);
147       body = war1Index.getResponseBodyAsString();
148       if( body.indexOf("j_security_check") > 0 )
149          fail("get of "+indexURI+" redirected to login page");
150       return formPost;
151    }
152 
153    /** One time setup for all SingleSignOnUnitTestCase unit tests
154     */
155    public static Test suite() throws Exception  
156    {
157       TestSuite suite = new TestSuite();
158       suite.addTest(new TestSuite(CustomHeaderAuthTestCase.class));
159 
160       // Create an initializer for the test suite
161       Test wrapper = new JBossTestSetup(suite)
162       {
163          protected void setUp() throws Exception  
164          {
165             super.setUp();
166             deploy("header-form-auth.ear");
167             // Make sure the security cache is clear
168             flushAuthCache();
169          }
170          protected void tearDown() throws Exception  
171          {
172             undeploy("header-form-auth.ear");
173             super.tearDown();
174          }
175       };
176       return wrapper;
177    }
178 }
179
A to Z: JavaDoc & Examples Daily Java News & Articles Open Source Projects Open Source Codes Free Computer Books Remove Frame
Popular Tags