001: /*
002: * JBoss, Home of Professional Open Source.
003: * Copyright 2006, Red Hat Middleware LLC, and individual contributors
004: * as indicated by the @author tags. See the copyright.txt file in the
005: * distribution for a full listing of individual contributors.
006: *
007: * This is free software; you can redistribute it and/or modify it
008: * under the terms of the GNU Lesser General Public License as
009: * published by the Free Software Foundation; either version 2.1 of
010: * the License, or (at your option) any later version.
011: *
012: * This software is distributed in the hope that it will be useful,
013: * but WITHOUT ANY WARRANTY; without even the implied warranty of
014: * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
015: * Lesser General Public License for more details.
016: *
017: * You should have received a copy of the GNU Lesser General Public
018: * License along with this software; if not, write to the Free
019: * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
020: * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
021: */
022: package org.jboss.test.security.test;
023:
024: import java.net.HttpURLConnection;
025: import java.net.URL;
026:
027: import org.jboss.test.util.web.HttpUtils;
028: import org.jboss.test.JBossTestCase;
029: import junit.framework.Test;
030:
/** Tests of the web declarative security model: unchecked, method-restricted
 * (GET-only / POST-only / any), and excluded security-constraints.
 *
 * @author Scott.Stark@jboss.org
 * @version $Revision: 57211 $
 */
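public class WebConstraintsUnitTestCase extends JBossTestCase {
    /** Realm name handed to {@link HttpUtils#accessURL} for the HTTP auth exchange. */
    public static final String REALM = "WebConstraintsUnitTestCase";
    /** Base URL without embedded credentials; used for the unchecked/unrestricted cases. */
    public String baseURLNoAuth = HttpUtils.getBaseURLNoAuth();
    /** The deployment exercised by this test case (deployed via {@link #suite()}). */
    public static final String WAR = "web-constraints.war";
    // Fixture credentials. Not read by any test in this class; they are package-visible,
    // so they are retained in case another test in the package uses them — TODO confirm.
    static String username = "scott";
    static char[] password = "echoman".toCharArray();
    /** A flag indicating if a "*" web-app/auth-constraint/role-name should imply
     * any authenticated user role, or only the security-role/role-name values
     * in the web app. True = only the web-app defined roles.
     */
    private boolean strictStarRolesMode;

    /** Method types probed, in addition to the default GET, against excluded paths.
     * Only OPTIONS/HEAD/POST are covered here; other methods are not probed by this test.
     */
    private static final int[] EXCLUDED_PROBES = {
        HttpUtils.OPTIONS, HttpUtils.HEAD, HttpUtils.POST
    };
    /** Method types probed, in addition to the default GET, against open paths. */
    private static final int[] HEAD_AND_POST = {
        HttpUtils.HEAD, HttpUtils.POST
    };

    /** Returns whether "*" role-names are restricted to the web-app declared roles. */
    public boolean isStrictStarRolesMode() {
        return strictStarRolesMode;
    }

    /** Sets whether "*" role-names are restricted to the web-app declared roles. */
    public void setStrictStarRolesMode(boolean strictStarRolesMode) {
        this.strictStarRolesMode = strictStarRolesMode;
    }

    /** Creates the test case for the named test method. */
    public WebConstraintsUnitTestCase(String name) {
        super(name);
    }

    /** Issues the default request (the 3-arg accessURL form) to {@code baseURL + path}
     * and asserts the HTTP status.
     *
     * @param baseURL server base URL, with or without embedded credentials
     * @param path context-relative path appended verbatim to baseURL
     * @param expectedCode expected HTTP status code
     * @throws Exception on a malformed URL or when HttpUtils reports a mismatch
     */
    private static void expectDefault(String baseURL, String path, int expectedCode)
        throws Exception {
        URL url = new URL(baseURL + path);
        HttpUtils.accessURL(url, REALM, expectedCode);
    }

    /** Issues a request of the given HttpUtils method type to {@code baseURL + path}
     * and asserts the HTTP status.
     *
     * @param method one of the HttpUtils method type constants (HEAD, POST, OPTIONS, ...)
     * @throws Exception on a malformed URL or when HttpUtils reports a mismatch
     */
    private static void expect(String baseURL, String path, int expectedCode, int method)
        throws Exception {
        URL url = new URL(baseURL + path);
        HttpUtils.accessURL(url, REALM, expectedCode, method);
    }

    /** Asserts the same HTTP status for the default request and then for each listed
     * method type, in order, against {@code baseURL + path}.
     *
     * @param methods HttpUtils method type constants to probe after the default request
     * @throws Exception on a malformed URL or when HttpUtils reports a mismatch
     */
    private static void expectForAll(String baseURL, String path, int expectedCode,
        int[] methods) throws Exception {
        URL url = new URL(baseURL + path);
        HttpUtils.accessURL(url, REALM, expectedCode);
        for (int i = 0; i < methods.length; i++) {
            HttpUtils.accessURL(url, REALM, expectedCode, methods[i]);
        }
    }

    /** Test URLs that should require no authentication for any method.
     */
    public void testUnchecked() throws Exception {
        log.debug("+++ testUnchecked");
        // The unchecked security-constraint
        expectDefault(baseURLNoAuth, "web-constraints/unchecked", HttpURLConnection.HTTP_OK);
        expectDefault(baseURLNoAuth, "web-constraints/unchecked/", HttpURLConnection.HTTP_OK);
        expectForAll(baseURLNoAuth, "web-constraints/unchecked/x",
            HttpURLConnection.HTTP_OK, HEAD_AND_POST);

        // The Unrestricted security-constraint
        expectForAll(baseURLNoAuth, "web-constraints/restricted/not",
            HttpURLConnection.HTTP_OK, HEAD_AND_POST);
        expectForAll(baseURLNoAuth, "web-constraints/restricted/not/x",
            HttpURLConnection.HTTP_OK, HEAD_AND_POST);

        // Mappings with no security-constraint at all
        expectDefault(baseURLNoAuth, "web-constraints/", HttpURLConnection.HTTP_OK);
        expectForAll(baseURLNoAuth, "web-constraints/other",
            HttpURLConnection.HTTP_OK, HEAD_AND_POST);
    }

    /** Test GETs against URLs that only allow the GET method and require
     * the GetRole role.
     */
    public void testGetAccess() throws Exception {
        log.debug("+++ testGetAccess");
        String baseURL = HttpUtils.getBaseURL("getUser", "getUserPass");
        // The Restricted GET security-constraint
        expectDefault(baseURL, "web-constraints/restricted/get-only",
            HttpURLConnection.HTTP_OK);
        expectDefault(baseURL, "web-constraints/restricted/get-only/x",
            HttpURLConnection.HTTP_OK);

        // The Restricted ANY security-constraint
        expectDefault(baseURL, "web-constraints/restricted/any/x",
            HttpURLConnection.HTTP_OK);

        // A POST to the Restricted GET security-constraint must fail
        expect(baseURL, "web-constraints/restricted/get-only/x",
            HttpURLConnection.HTTP_FORBIDDEN, HttpUtils.POST);
        // A GET to the Restricted POST security-constraint must fail
        expectDefault(baseURL, "web-constraints/restricted/post-only/x",
            HttpURLConnection.HTTP_FORBIDDEN);

        // The excluded subcontext is not accessible even to the GetRole user
        expectDefault(baseURL, "web-constraints/restricted/get-only/excluded/x",
            HttpURLConnection.HTTP_FORBIDDEN);

        // Change to otherUser to test failure
        baseURL = HttpUtils.getBaseURL("otherUser", "otherUserPass");

        // The Restricted GET security-constraint must reject otherUser
        expectDefault(baseURL, "web-constraints/restricted/get-only",
            HttpURLConnection.HTTP_FORBIDDEN);
        expectDefault(baseURL, "web-constraints/restricted/get-only/x",
            HttpURLConnection.HTTP_FORBIDDEN);

        // The Restricted ANY security-constraint: any authenticated user passes
        // unless "*" is restricted to the web-app declared roles.
        // NOTE(review): in strict mode nothing is asserted for otherUser here;
        // consider asserting the expected denial once that outcome is confirmed.
        if (!strictStarRolesMode) {
            expectDefault(baseURL, "web-constraints/restricted/any/x",
                HttpURLConnection.HTTP_OK);
        }
    }

    /** Test that the excluded paths are not accessible by anyone.
     */
    public void testExcludedAccess() throws Exception {
        log.debug("+++ testExcludedAccess");
        String baseURL = HttpUtils.getBaseURL("getUser", "getUserPass");
        // The excluded security-constraint, for the default GET and each probed method
        expectForAll(baseURL, "web-constraints/excluded/x",
            HttpURLConnection.HTTP_FORBIDDEN, EXCLUDED_PROBES);
        expectForAll(baseURL, "web-constraints/restricted/",
            HttpURLConnection.HTTP_FORBIDDEN, EXCLUDED_PROBES);

        // Excluded subcontexts nested below each method-restricted constraint
        expectForAll(baseURL, "web-constraints/restricted/get-only/excluded/x",
            HttpURLConnection.HTTP_FORBIDDEN, EXCLUDED_PROBES);
        expectForAll(baseURL, "web-constraints/restricted/put-only/excluded/x",
            HttpURLConnection.HTTP_FORBIDDEN, EXCLUDED_PROBES);
        expectForAll(baseURL, "web-constraints/restricted/any/excluded/x",
            HttpURLConnection.HTTP_FORBIDDEN, EXCLUDED_PROBES);
    }

    /** Test POSTs against URLs that only allow the POST method and require
     * the PostRole role.
     */
    public void testPostAccess() throws Exception {
        log.debug("+++ testPostAccess");
        String baseURL = HttpUtils.getBaseURL("postUser", "postUserPass");
        // The Restricted POST security-constraint
        expect(baseURL, "web-constraints/restricted/post-only/",
            HttpURLConnection.HTTP_OK, HttpUtils.POST);
        expect(baseURL, "web-constraints/restricted/post-only/x",
            HttpURLConnection.HTTP_OK, HttpUtils.POST);

        // The Restricted ANY security-constraint
        expect(baseURL, "web-constraints/restricted/any/x",
            HttpURLConnection.HTTP_OK, HttpUtils.POST);

        // The excluded subcontext is not accessible even to the PostRole user
        expectDefault(baseURL, "web-constraints/restricted/post-only/excluded/x",
            HttpURLConnection.HTTP_FORBIDDEN);

        // A GET to the Restricted POST security-constraint must fail
        expectDefault(baseURL, "web-constraints/restricted/post-only/x",
            HttpURLConnection.HTTP_FORBIDDEN);
        // A POST to the Restricted GET security-constraint must fail
        expect(baseURL, "web-constraints/restricted/get-only/x",
            HttpURLConnection.HTTP_FORBIDDEN, HttpUtils.POST);

        // Change to otherUser to test failure
        baseURL = HttpUtils.getBaseURL("otherUser", "otherUserPass");

        // The Restricted POST security-constraint must reject otherUser
        expect(baseURL, "web-constraints/restricted/post-only",
            HttpURLConnection.HTTP_FORBIDDEN, HttpUtils.POST);
        expect(baseURL, "web-constraints/restricted/post-only/x",
            HttpURLConnection.HTTP_FORBIDDEN, HttpUtils.POST);

        // The Restricted ANY security-constraint (issued as the default GET, as in
        // testGetAccess): any authenticated user passes unless "*" is restricted
        // to the web-app declared roles.
        // NOTE(review): in strict mode nothing is asserted for otherUser here;
        // consider asserting the expected denial once that outcome is confirmed.
        if (!strictStarRolesMode) {
            expectDefault(baseURL, "web-constraints/restricted/any/x",
                HttpURLConnection.HTTP_OK);
        }
    }

    /** Builds the suite with {@link #WAR} deployed before and undeployed after the tests. */
    public static Test suite() throws Exception {
        return JBossTestCase.getDeploySetup(WebConstraintsUnitTestCase.class, WAR);
    }
}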