/*
* Copyright (c) 2009, 2020 Oracle and/or its affiliates. All rights reserved.
*
* This program and the accompanying materials are made available under the
* terms of the Eclipse Public License v. 2.0, which is available at
* http://www.eclipse.org/legal/epl-2.0.
*
* This Source Code may also be made available under the following Secondary
* Licenses when the conditions for such availability set forth in the
* Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
* version 2 with the GNU Classpath Exception, which is available at
* https://www.gnu.org/software/classpath/license.html.
*
* SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
*/
package servlet.tck.spec.security.annotations;
import servlet.tck.util.WebUtil;
import servlet.tck.common.client.BaseTckTest;
import org.jboss.arquillian.container.test.api.Deployment;
import org.jboss.shrinkwrap.api.ShrinkWrap;
import org.jboss.shrinkwrap.api.spec.WebArchive;
import org.junit.jupiter.api.Test;
import java.util.Properties;
/*
*
*/
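public class AnnotationsTests extends BaseTckTest {

  // TOFIX: these four constants are not read anywhere in this class; the
  // effective credentials come from system properties in setup().
  private static final String USERNAME = "user";
  private static final String PASSWORD = "password";
  private static final String UNAUTH_USERNAME = "authuser";
  private static final String UNAUTH_PASSWORD = "authpassword";
  // Prefixes searched for in a servlet response; the principal name is
  // appended to them (see test2).
  private static final String USER_PRINCIPAL_SEARCH = "The user principal is: "; // (+username)
  private static final String REMOTE_USER_SEARCH = "getRemoteUser(): "; // (+username)

  // Request paths, resolved against the context root in setup().
  private String pageDeny = null;
  private String pageSec = null;
  private String pageGuest = null;
  private String pageUnprotected = null;
  private String pageTrans = null;
  private String pagePartial = null;
  // The two credential pairs the tests alternate between. Which roles each
  // pair carries is defined by the deployment descriptor, not by this class.
  private String username = null;
  private String password = null;
  private String unauthUsername = null;
  private String unauthPassword = null;
  private String realm = null;
  private WebUtil.Response response = null;
  private String request = null;

  /**
   * Builds the web archive under test: the five security-annotated servlets
   * plus the deployment descriptor whose security-constraints several tests
   * rely on to override those annotations.
   *
   * @return the deployable archive
   * @throws Exception if the archive cannot be assembled
   */
  @Deployment(testable = false)
  public static WebArchive getTestArchive() throws Exception {
    return ShrinkWrap.create(WebArchive.class, "servlet_sec_annotations_web.war")
        .addClasses(DenyAllServlet.class, GuestPageTestServlet.class, PartialDDServlet.class,
            ServletSecTestServlet.class, UnProtectedTestServlet.class)
        .setWebXML(AnnotationsTests.class.getResource("servlet_sec_annotations_web.xml"));
  }

  /*
   * @class.setup_props: webServerHost; webServerPort; securedWebServicePort;
   * user; password; authuser; authpassword; ts_home;
   *
   * Reads the credentials from the tck.servlet.* system properties (falling
   * back to the historical j2ee/javajoe values) and resolves every request
   * path against the deployment's context root. A failure here is logged and
   * rethrown: without the paths none of the tests can produce a meaningful
   * result, so a swallowed error would only surface later as a confusing
   * "null" request line.
   */
  @Override
  public void setup(String[] args, Properties p) throws Exception {
    super.setup(args, p);
    // TOFIX configurable
    try {
      username = System.getProperty("tck.servlet.username", "j2ee");
      password = System.getProperty("tck.servlet.password", "j2ee");
      unauthUsername = System.getProperty("tck.servlet.unauth.username", "javajoe");
      unauthPassword = System.getProperty("tck.servlet.unauth.password", "javajoe");
      realm = System.getProperty("tck.servlet.realm", "");

      String base = getContextRoot(); // e.g. "/servlet_sec_annotations_web"
      pageDeny = base + "/ServletDenyAll";
      pageSec = base + "/ServletSecTest";
      pageGuest = base + "/GuestPageTest";
      pageUnprotected = base + "/UnProtectedTest";
      pageTrans = base + "/TransportServlet";
      pagePartial = base + "/PartialDDTest";
    } catch (Exception e) {
      logErr("Error: got exception: ", e);
      throw e;
    }
  }

  /*
   * @testName: test1
   *
   * @assertion_ids: Servlet:SPEC:214; Servlet:SPEC:215;
   *
   * @assertion: 1. the DenyAll annotation must be supported by the Web
   * container. Access a web resource that uses the DenyAll annotation applied
   * at the class level should result in an access denied.
   *
   * @test_Strategy: 1. Send request to access DenyAllServlet 2. Receive an
   * access denied
   */
  @Test
  public void test1() throws Exception {
    trace("testing DenyAll");
    invokeExpectingAccessDenied("SecAnnotations/Test1", "GET", pageDeny, null, null);
    trace("test1 passed: we were not allowed to perform GET on a servlet with DenyAll anno");
  }

  /*
   * @testName: test2
   *
   * @assertion_ids: Servlet:SPEC:214; Servlet:SPEC:218; Servlet:SPEC:294;
   *
   * @assertion: 1. Servlet 3.0 spec (section 13.4 - 3rd from last para) states:
   * "When a security-constraint in the portable deployment descriptor includes
   * a url-pattern that matches a request URL, the security annotations
   * described in this section have no effect on the access policy that applies
   * to the request URL."
   *
   * @test_Strategy: 1. We have GuestPageTestServlet setup with DenyAll anno but
   * we have DD setup with roles and security-constraints that say POST can be
   * accessed by Manager role (via user=javajoe) and according to spec
   * statement, the DenyAll anno should be ignored. 2. attempt to POST as user
   * javajoe should allow access since DD grants it. 3. do POST with incorrect
   * authentication (ie "j2ee") should NOT allow access since "j2ee" is not in
   * roles as defined in DD.
   */
  @Test
  public void test2() throws Exception {
    String expectedPrincipal = USER_PRINCIPAL_SEARCH + unauthUsername;

    // Step 1: POST as the "unauth" user (javajoe).
    // NOTE(review): the strategy above says this POST should be ALLOWED by the
    // DD, yet the request is configured to expect 401, and the original code
    // switched to 403 in the catch block without ever re-invoking. The net
    // effect was that this step could never fail the test. That behaviour is
    // kept here (a failed 401 check is logged and the test continues) rather
    // than guessed at; decide the intended status against
    // servlet_sec_annotations_web.xml and then turn this into a real assertion.
    trace("Sending request to resource with valid username/password, but not the right roles...");
    prepareRequest("SecAnnotations/Test2", "POST", pageGuest, unauthUsername, unauthPassword,
        UNAUTHORIZED);
    try {
      invoke();
    } catch (Exception ex) {
      trace("POST as " + unauthUsername + " did not return 401; continuing (see NOTE in test2)");
    }

    // Step 2: GET as javajoe must succeed because the DD grants it, and the
    // RolesAllowed anno on GuestPageTestServlet must be ignored. doGet prints
    // the user principal, which we check in the response body.
    trace("Sending request to resource with valid username/password, but not the right roles...");
    TEST_PROPS.setProperty(SEARCH_STRING, expectedPrincipal);
    prepareRequest("SecAnnotations/Test2", "GET", pageGuest, unauthUsername, unauthPassword, OK);
    invoke();

    // Step 3: POST as j2ee must be denied: the DD only grants the Manager role
    // (javajoe), and the annotation on GuestPageTestServlet.doGet is ignored
    // per the spec statement quoted above.
    trace("Sending request to resource with valid username/password, but not the right roles...");
    invokeExpectingAccessDenied("SecAnnotations/Test2", "POST", pageGuest, username, password);
    trace("test2");
  }

  /*
   * @testName: test3
   *
   * @assertion_ids: Servlet:SPEC:214; Servlet:SPEC:216;
   *
   * @assertion: 1. Servlet 3.0 (section 13.4) states: "When an annotation is
   * specified at both the class and method level, the method targeted
   * annotation overrides that on the class (for the method)" 2. PermitAll func
   * must be supported by web container
   *
   * @test_Strategy: 1. create ServletSecTestServlet with DeclareRoles
   * annotation at the class level as well as the ServletSecurity anno. 2. we
   * created ServletSecTestServlet.doGet() method with PermitAll access 3. try
   * to access doGet using creds that would normally fail to ensure PermitAll
   * really does work.
   *
   */
  @Test
  public void test3() throws Exception {
    // @PermitAll on ServletSecTestServlet.doGet must win over the class-level
    // restriction, so credentials that lack the required role still get 200.
    prepareRequest("SecAnnotations/Test3", "GET", pageSec, unauthUsername, unauthPassword, OK);
    invoke();
    trace("Class level annotation of Roles allowed overridden by method level permit all access.");
    trace("test3 passed.");
  }

  /*
   * @testName: test4
   *
   * @assertion_ids: Servlet:SPEC:214; Servlet:SPEC:216;
   *
   * @assertion: 1. Servlet 3.0 (section 13.4) states: "When an annotation is
   * specified at both the class and method level, the method targeted
   * annotation overrides that on the class (for the method) " 2. DenyAll can be
   * applied to class and method level so here we are validating its use at the
   * method level.
   *
   * @test_Strategy: 1. create ServletSecTestServlet with RolesAllowed
   * annotation at the class level. 2. create ServletSecTestServlet.doPost
   * method with DenyAll access set 3. try to access doPost using creds that
   * normally work to ensure that setting deny all access really does work.
   *
   */
  @Test
  public void test4() throws Exception {
    // @DenyAll on doPost must deny even the credentials that normally work.
    // The original did not set TEST_NAME for this test; it is set here so the
    // log output is attributable like every other test in this class.
    invokeExpectingAccessDenied("SecAnnotations/Test4", "POST", pageSec, username, password);
    trace("Class level setting of roles allowed was overridden by deny all access at method level.");
    trace("test4 passed.");
  }

  /*
   * @testName: test5
   *
   * @assertion_ids: Servlet:SPEC:214; Servlet:SPEC:215;
   *
   * @assertion: Servlet 3.0 spec (section 13.4) states: "These annotations may
   * be specified on (that is, targeted to) an HttpServlet implementation class
   * or on specific method(s) of the implementation class as defined below."
   *
   * @test_Strategy: 1. Send request for unprotected servlet that uses the
   * PermitAll access at the class level. 2. Receive page
   */
  @Test
  public void test5() throws Exception {
    trace("Sending request to resource that uses the PermitAll annotation....");
    // Class-level @PermitAll: even credentials without the right roles get 200.
    // TEST_NAME was "BasicSec/Test5" (a copy-paste leftover); aligned with the
    // naming used by the other tests in this class.
    prepareRequest("SecAnnotations/Test5", "GET", pageUnprotected, unauthUsername,
        unauthPassword, OK);
    invoke();
    trace("Class level PermitAll anno returned expected results");
    trace("test5 passed.");
  }

  /*
   * @testName: test6
   *
   * @assertion_ids: Servlet:SPEC:214; Servlet:SPEC:218; Servlet:SPEC:294;
   *
   * @assertion: This validates Servlet 3.0 spec section 13.4, which says: "When
   * a security-constraint in the portable deployment descriptor includes a
   * url-pattern that matches a request URL, the security annotations described
   * in this section have no effect on the access policy that applies to the
   * request URL."
   *
   * @test_Strategy: 1. Send request with correct authentication for url pattern
   * that is defined with a DD that has security-constraints 2. Even if the
   * servlet (eg url pattern) is defined with DenyAll anno, it should be ignored
   * since the DD has overriding security-constraint note: pageGuest is defined
   * with both: DenyAll and DD with security-constraint 3. In this case, the
   * GuestPage should be accessible and the DenyAll access setting should be
   * ignored. 4. Additionally, the DD has an authconstraint set for Manager
   * (user==javajoe) so we want to verify that user is the principal passed into
   * the servlet.
   */
  @Test
  public void test6() throws Exception {
    trace("Sending request to resource where DD allows access to override any restricting annotation...");
    // POST as j2ee must be denied: the DD only grants the Manager role
    // (javajoe); the annotation on GuestPageTestServlet.doGet is ignored per
    // the spec statement quoted above.
    trace("Sending request to resource with valid username/password, but not the right roles...");
    invokeExpectingAccessDenied("SecAnnotations/Test6", "POST", pageGuest, username, password);
    trace("User successfully accessed the resource");
  }

  /*
   *
   * @testName: test7
   *
   * @assertion_ids:
   *
   * @assertion: 1. http-method-omission
   *
   * @test_Strategy: 1. Send request to access servlet where there is a
   * corresponding DD that excludes POST method via the http-method-omission DD
   * element. (This means that all access to the PartialDD only allowed by
   * Administrator EXCEPT for POST which has NO security constraints and is thus
   * allowed by all. 2. Receive an access denied when trying to access GET with
   * no cred (if the http-method-omission does its job.)
   *
   */
  @Test
  public void test7() throws Exception {
    trace("testing http-method-omission");

    // Step 1: GET with no credentials must be denied. Kept inline rather than
    // via invokeExpectingAccessDenied because the original retry is different:
    // the 403 attempt is made WITH the j2ee credentials (authenticated but not
    // Administrator), whereas the 401 attempt carries none.
    prepareRequest("SecAnnotations/Test7", "GET", pagePartial, null, null, UNAUTHORIZED);
    try {
      invoke();
    } catch (Exception e) {
      trace("we tested for Status Code=401 but we could have a 403 code, so check for that.");
      prepareRequest("SecAnnotations/Test7", "GET", pagePartial, username, password, FORBIDDEN);
      invoke();
    }
    trace("test7: complete doGet() with no creds - now starting doPost");

    // Step 2: GET with credentials must succeed.
    prepareRequest("SecAnnotations/Test7", "GET", pagePartial, username, password, OK);
    invoke();
    trace("test7: complete doGet() with creds - now starting doPost");

    // Step 3: POST must be allowed with NO credentials.
    // NOTE(review): no credentials are set here, but BASIC_AUTH_USER/PASSWD
    // from step 2 are not cleared either, so whether this request really goes
    // out unauthenticated depends on BaseTckTest resetting TEST_PROPS between
    // invoke() calls - confirm, otherwise this step does not prove what the
    // strategy says it proves.
    prepareRequest("SecAnnotations/Test7", "POST", pagePartial, null, null, OK);
    invoke();
    trace("test7: complete doPost() with no creds.");
    trace("test7 passed: servlet with http-method-omission settings.");
  }

  /**
   * Populates TEST_PROPS for one request.
   *
   * BASIC_AUTH_USER and BASIC_AUTH_PASSWD are only written when {@code user}
   * is non-null; this mirrors the original tests, which simply did not set
   * them for "no credentials" requests (and therefore did not clear a value
   * left by an earlier step either).
   *
   * @param testName       value for TEST_NAME (used for log attribution)
   * @param method         HTTP method
   * @param page           request path
   * @param user           basic-auth user, or null to leave the auth properties untouched
   * @param passwd         basic-auth password, ignored when {@code user} is null
   * @param expectedStatus expected status code (one of the STATUS_CODE constants)
   */
  private void prepareRequest(String testName, String method, String page, String user,
      String passwd, String expectedStatus) {
    TEST_PROPS.setProperty(TEST_NAME, testName);
    TEST_PROPS.setProperty(REQUEST, getRequestLine(method, page));
    if (user != null) {
      TEST_PROPS.setProperty(BASIC_AUTH_USER, user);
      TEST_PROPS.setProperty(BASIC_AUTH_PASSWD, passwd);
    }
    TEST_PROPS.setProperty(STATUS_CODE, expectedStatus);
  }

  /**
   * Sends a request that must be denied, accepting either 401 or 403.
   *
   * The request is first checked against UNAUTHORIZED; if that fails it is
   * resent with identical properties expecting FORBIDDEN, because containers
   * legitimately differ in which of the two codes they use for a denied
   * resource. Any other outcome propagates as a test failure.
   *
   * @param testName value for TEST_NAME
   * @param method   HTTP method
   * @param page     request path
   * @param user     basic-auth user, or null for no credentials
   * @param passwd   basic-auth password, ignored when {@code user} is null
   * @throws Exception if the request is not denied with 401 or 403
   */
  private void invokeExpectingAccessDenied(String testName, String method, String page,
      String user, String passwd) throws Exception {
    prepareRequest(testName, method, page, user, passwd, UNAUTHORIZED);
    try {
      invoke();
    } catch (Exception e) {
      trace("we tested for Status Code=401 but we could have a 403 code, so check for that.");
      prepareRequest(testName, method, page, user, passwd, FORBIDDEN);
      invoke();
    }
  }

  /**
   * Returns a valid HTTP/1.1 request line.
   *
   * @param method
   *          the request method
   * @param path
   *          the request path
   * @return a valid HTTP/1.1 request line
   */
  private static String getRequestLine(String method, String path) {
    return method + " " + path + " HTTP/1.1";
  }

  /**
   * Simple wrapper around the base-class logger at debug level.
   *
   * @param message
   *          - the message to log
   */
  private void trace(String message) {
    logger.debug("[Client]: {}", message);
  }
}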