Permalink
Browse files

Added tests for JASPIC register session with custom principal

  • Loading branch information...
arjantijms committed Apr 8, 2016
1 parent 24b94df commit b4bfc05be0da73239e000df14eee7b6fee499bfe
@@ -0,0 +1,23 @@
package org.javaee7.jaspic.registersession.sam;
import java.security.Principal;
/**
*
* @author Arjan Tijms
*
*/
public class MyPrincipal implements Principal {
private final String name;
public MyPrincipal(String name) {
this.name = name;
}
@Override
public String getName() {
return name;
}
}
@@ -6,7 +6,6 @@
import java.io.IOException;
import java.security.Principal;
import java.util.Map;
import java.util.logging.Logger;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
@@ -22,15 +21,14 @@
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
/**
*
* @author Arjan Tijms
*
*/
public class TestServerAuthModule implements ServerAuthModule {
Logger logger = Logger.getLogger("blalllalala");
private CallbackHandler handler;
private Class<?>[] supportedMessageTypes = new Class[] { HttpServletRequest.class, HttpServletResponse.class };
@@ -65,7 +63,15 @@ public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject
callbacks = new Callback[] {
// The name of the authenticated user
new CallerPrincipalCallback(clientSubject, "test"),
request.getParameter("customPrincipal") == null?
// Name based Callback
new CallerPrincipalCallback(clientSubject, "test") :
// Custom principal based Callback
new CallerPrincipalCallback(clientSubject, new MyPrincipal("test")),
// the roles of the authenticated user
new GroupPrincipalCallback(clientSubject, new String[] { "architect" }) };
@@ -1,13 +1,17 @@
package org.javaee7.jaspic.registersession.servlet;
import java.io.IOException;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.javaee7.jaspic.registersession.sam.MyPrincipal;
/**
*
* @author Arjan Tijms
@@ -22,16 +26,19 @@
public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
response.getWriter().write("This is a protected servlet \n");
String webName = null;
boolean isCustomPrincipal = false;
if (request.getUserPrincipal() != null) {
Principal principal = request.getUserPrincipal();
isCustomPrincipal = principal instanceof MyPrincipal;
webName = request.getUserPrincipal().getName();
}
response.getWriter().write("web username: " + webName + "\n");
boolean webHasRole = request.isUserInRole("architect");
response.getWriter().write("isCustomPrincipal: " + isCustomPrincipal + "\n");
response.getWriter().write("web username: " + webName + "\n");
response.getWriter().write("web user has role \"architect\": " + webHasRole + "\n");
}
@@ -1,13 +1,17 @@
package org.javaee7.jaspic.registersession.servlet;
import java.io.IOException;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.javaee7.jaspic.registersession.sam.MyPrincipal;
/**
*
* @author Arjan Tijms
@@ -24,14 +28,17 @@ public void doGet(HttpServletRequest request, HttpServletResponse response) thro
response.getWriter().write("This is a public servlet \n");
String webName = null;
boolean isCustomPrincipal = false;
if (request.getUserPrincipal() != null) {
webName = request.getUserPrincipal().getName();
Principal principal = request.getUserPrincipal();
isCustomPrincipal = principal instanceof MyPrincipal;
webName = principal.getName();
}
response.getWriter().write("web username: " + webName + "\n");
boolean webHasRole = request.isUserInRole("architect");
response.getWriter().write("isCustomPrincipal: " + isCustomPrincipal + "\n");
response.getWriter().write("web username: " + webName + "\n");
response.getWriter().write("web user has role \"architect\": " + webHasRole + "\n");
}
@@ -0,0 +1,187 @@
package org.javaee7.jaspic.registersession;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
import java.io.IOException;
import org.javaee7.jaspic.common.ArquillianBase;
import org.jboss.arquillian.container.test.api.Deployment;
import org.jboss.arquillian.junit.Arquillian;
import org.jboss.shrinkwrap.api.Archive;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.xml.sax.SAXException;
/**
* Variant of the {@link RegisterSessionTest}, where a custom principal is used instead
* of a container provided one. This is particularly challenging since the SAM has to
* pass the principal obtained from HttpServletRequest into the CallbackHandler, which
* then somehow has to recognize this as the signal to continue an authenticated session.
*
* @author Arjan Tijms
*
*/
@RunWith(Arquillian.class)
public class RegisterSessionCustomPrincipalTest extends ArquillianBase {
@Deployment(testable = false)
public static Archive<?> createDeployment() {
return defaultArchive();
}
@Test
public void testRemembersSession() throws IOException, SAXException {
// -------------------- Request 1 ---------------------------
// Accessing protected page without login
String response = getFromServerPath("protected/servlet");
// Not logged-in thus should not be accessible.
assertFalse(response.contains("This is a protected servlet"));
// -------------------- Request 2 ---------------------------
// We access the protected page again and now login
response = getFromServerPath("protected/servlet?doLogin=true&customPrincipal=true");
// Now has to be logged-in so page is accessible
assertTrue(
"Could not access protected page, but should be able to. " +
"Did the container remember the previously set 'unauthenticated identity'?",
response.contains("This is a protected servlet")
);
// Check principal has right name and right type and roles are available
checkAuthenticatedIdentity(response);
// -------------------- Request 3 ---------------------------
// JASPIC is normally stateless, but for this test the SAM uses the register session feature so now
// we should be logged-in when doing a call without explicitly logging in again.
response = getFromServerPath("protected/servlet?continueSession=true");
// Logged-in thus should be accessible.
assertTrue(
"Could not access protected page, but should be able to. " +
"Did the container not remember the authenticated identity via 'javax.servlet.http.registerSession'?",
response.contains("This is a protected servlet")
);
// Both the user name and roles/groups have to be restored
// *** NOTE ***: The JASPIC 1.1 spec is NOT clear about remembering roles, but spec lead Ron Monzillo clarified that
// this should indeed be the case. The next JASPIC revision of the spec will have to mention this explicitly.
// Intuitively it should make sense though that the authenticated identity is fully restored and not partially,
// but again the spec should make this clear to avoid ambiguity.
checkAuthenticatedIdentity(response);
// -------------------- Request 4 ---------------------------
// The session should also be remembered for other resources, including public ones
response = getFromServerPath("public/servlet?continueSession=true");
// This test almost can't fail, but include for clarity
assertTrue(response.contains("This is a public servlet"));
// When accessing the public page, the username and roles should be restored and be available
// just as on protected pages
checkAuthenticatedIdentity(response);
}
@Test
public void testJoinSessionIsOptional() throws IOException, SAXException {
// -------------------- Request 1 ---------------------------
// We access a protected page and login
//
String response = getFromServerPath("protected/servlet?doLogin=true&customPrincipal=true");
// Now has to be logged-in so page is accessible
assertTrue(
"Could not access protected page, but should be able to. " +
"Did the container remember the previously set 'unauthenticated identity'?",
response.contains("This is a protected servlet")
);
// Check principal has right name and right type and roles are available
checkAuthenticatedIdentity(response);
// -------------------- Request 2 ---------------------------
// JASPIC is normally stateless, but for this test the SAM uses the register session feature so now
// we should be logged-in when doing a call without explicitly logging in again.
response = getFromServerPath("protected/servlet?continueSession=true");
// Logged-in thus should be accessible.
assertTrue(
"Could not access protected page, but should be able to. " +
"Did the container not remember the authenticated identity via 'javax.servlet.http.registerSession'?",
response.contains("This is a protected servlet")
);
// Both the user name and roles/groups have to be restored
// *** NOTE ***: The JASPIC 1.1 spec is NOT clear about remembering roles, but spec lead Ron Monzillo clarified that
// this should indeed be the case. The next JASPIC revision of the spec will have to mention this explicitly.
// Intuitively it should make sense though that the authenticated identity is fully restored and not partially,
// but again the spec should make this clear to avoid ambiguity.
// Check principal has right name and right type and roles are available
checkAuthenticatedIdentity(response);
// -------------------- Request 3 ---------------------------
// Although the container remembers the authentication session, the SAM needs to OPT-IN to it.
// If the SAM instead "does nothing", we should not have access to the protected resource anymore
// even within the same HTTP session.
response = getFromServerPath("protected/servlet");
assertFalse(response.contains("This is a protected servlet"));
// -------------------- Request 4 ---------------------------
// Access to a public page is unaffected by joining or not joining the session, but if we do not join the
// session we shouldn't see the user's name and roles.
response = getFromServerPath("public/servlet");
assertTrue(response.contains("This is a public servlet"));
assertFalse(response.contains("web username: test"));
assertFalse(response.contains("web user has role \"architect\": true"));
}
private void checkAuthenticatedIdentity( String response) {
// Has to be logged-in with the right principal
assertTrue(
"Authenticated but username is not the expected one 'test'",
response.contains("web username: test")
);
assertTrue(
"Authentication succeeded and username is correct, but the expected role 'architect' is not present.",
response.contains("web user has role \"architect\": true"));
assertTrue(
"Authentication succeeded and username and roles are correct, but principal type is not the expected custom type.",
response.contains("isCustomPrincipal: true")
);
}
}
Oops, something went wrong.

0 comments on commit b4bfc05

Please sign in to comment.