Permalink
Browse files

Added JASPIC tests for EJB propagation after register session

  • Loading branch information...
arjantijms committed Apr 29, 2016
1 parent b4bfc05 commit e7a3b436d98a7be794a530465db2e9072362837c
@@ -0,0 +1,51 @@
package org.javaee7.jaspic.registersession.ejb;
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBContext;
import javax.ejb.Stateless;
/**
* This is a "protected" EJB in the sense that there is role checking done prior to accessing (some) methods.
* <p>
* In JBoss EAP 6.1+ the use of any declarative security annotation switches the bean to a different mode, called "secured" in
* JBoss terms.
* <p>
* GlassFish requires the <code>@DeclareRoles</code> annotation when programmatic role checking is done (making dynamic role
* checking impossible).
*
* @author Arjan Tijms
*/
@Stateless
//Required by GlassFish
@DeclareRoles({ "architect" })
//JBoss EAP 6.1+ defaults unchecked methods to DenyAll
@PermitAll
public class ProtectedEJB {
@Resource
private EJBContext ejbContext;
@RolesAllowed("architect")
public String getUserName() {
try {
return ejbContext.getCallerPrincipal() != null ? ejbContext.getCallerPrincipal().getName() : null;
} catch (Exception e) {
e.printStackTrace();
}
return null;
}
public boolean isUserArchitect() {
try {
return ejbContext.isCallerInRole("architect");
} catch (Exception e) {
e.printStackTrace();
}
return false;
}
}
@@ -0,0 +1,27 @@
package org.javaee7.jaspic.registersession.ejb;
import javax.annotation.Resource;
import javax.ejb.EJBContext;
import javax.ejb.Stateless;
/**
* This is a "public" EJB in the sense that all its methods should be accessible and there is no declarative role checking prior
* to accessing a method.
*
* @author Arjan Tijms
*
*/
@Stateless
public class PublicEJB {
@Resource
private EJBContext ejbContext;
public String getUserName() {
try {
return ejbContext.getCallerPrincipal() != null ? ejbContext.getCallerPrincipal().getName() : null;
} catch (Exception e) {
e.printStackTrace();
}
return null;
}
}
@@ -0,0 +1,63 @@
package org.javaee7.jaspic.registersession.servlet;
import static java.util.logging.Level.SEVERE;
import java.io.IOException;
import java.util.logging.Logger;
import javax.ejb.EJB;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.javaee7.jaspic.registersession.ejb.ProtectedEJB;
/**
*
* @author Arjan Tijms
*
*/
@WebServlet(urlPatterns = "/public/servlet-protected-ejb")
public class PublicServletProtectedEJB extends HttpServlet {
private static final long serialVersionUID = 1L;
private final static Logger logger = Logger.getLogger(PublicServletProtectedEJB.class.getName());
@EJB
private ProtectedEJB protectedEJB;
@Override
public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
String webName = null;
if (request.getUserPrincipal() != null) {
webName = request.getUserPrincipal().getName();
}
String ejbName = "";
try {
ejbName = protectedEJB.getUserName();
} catch (Exception e) {
logger.log(SEVERE, "", e);
}
response.getWriter().write("web username: " + webName + "\n" + "EJB username: " + ejbName + "\n");
boolean webHasRole = request.isUserInRole("architect");
boolean ejbHasRole = false;
try {
ejbHasRole = protectedEJB.isUserArchitect();
} catch (Exception e) {
logger.log(SEVERE, "", e);
}
response.getWriter().write(
"web user has role \"architect\": " + webHasRole + "\n" + "EJB user has role \"architect\": " + ejbHasRole
+ "\n");
}
}
@@ -0,0 +1,50 @@
package org.javaee7.jaspic.registersession.servlet;
import static java.util.logging.Level.SEVERE;
import java.io.IOException;
import java.util.logging.Logger;
import javax.ejb.EJB;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.javaee7.jaspic.registersession.ejb.PublicEJB;
/**
*
* @author Arjan Tijms
*
*/
@WebServlet(urlPatterns = "/public/servlet-public-ejb")
public class PublicServletPublicEJB extends HttpServlet {
private static final long serialVersionUID = 1L;
private final static Logger logger = Logger.getLogger(PublicServletPublicEJB.class.getName());
@EJB
private PublicEJB publicEJB;
@Override
public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
String webName = null;
if (request.getUserPrincipal() != null) {
webName = request.getUserPrincipal().getName();
}
String ejbName = "";
try {
ejbName = publicEJB.getUserName();
} catch (Exception e) {
logger.log(SEVERE, "", e);
}
response.getWriter().write("web username: " + webName + "\n" + "EJB username: " + ejbName + "\n");
}
}
@@ -0,0 +1,149 @@
package org.javaee7.jaspic.registersession;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
import java.io.IOException;
import org.javaee7.jaspic.common.ArquillianBase;
import org.jboss.arquillian.container.test.api.Deployment;
import org.jboss.arquillian.junit.Arquillian;
import org.jboss.shrinkwrap.api.Archive;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.xml.sax.SAXException;
/**
* Variant of the {@link RegisterSessionCustomPrincipalTest}, where it's tested
* if the authenticated identity restored by the runtime correctly propagates
* to EJB.
*
* @author Arjan Tijms
*
*/
@RunWith(Arquillian.class)
public class RegisterSessionCustomPrincipalEJBPropagationTest extends ArquillianBase {
@Deployment(testable = false)
public static Archive<?> createDeployment() {
return defaultArchive();
}
@Test
public void testRemembersSession() throws IOException, SAXException {
// -------------------- Request 1 ---------------------------
// Accessing protected page without login
String response = getFromServerPath("protected/servlet");
// Not logged-in thus should not be accessible.
assertFalse(response.contains("This is a protected servlet"));
// -------------------- Request 2 ---------------------------
// We access the protected page again and now login
response = getFromServerPath("protected/servlet?doLogin=true&customPrincipal=true");
// Now has to be logged-in so page is accessible
assertTrue(
"Could not access protected page, but should be able to. " +
"Did the container remember the previously set 'unauthenticated identity'?",
response.contains("This is a protected servlet")
);
// Check principal has right name and right type and roles are available
checkAuthenticatedIdentity(response);
// -------------------- Request 3 ---------------------------
// JASPIC is normally stateless, but for this test the SAM uses the register session feature so now
// we should be logged-in when doing a call without explicitly logging in again.
response = getFromServerPath("protected/servlet?continueSession=true");
// Logged-in thus should be accessible.
assertTrue(
"Could not access protected page, but should be able to. " +
"Did the container not remember the authenticated identity via 'javax.servlet.http.registerSession'?",
response.contains("This is a protected servlet")
);
// Both the user name and roles/groups have to be restored
// *** NOTE ***: The JASPIC 1.1 spec is NOT clear about remembering roles, but spec lead Ron Monzillo clarified that
// this should indeed be the case. The next JASPIC revision of the spec will have to mention this explicitly.
// Intuitively it should make sense though that the authenticated identity is fully restored and not partially,
// but again the spec should make this clear to avoid ambiguity.
checkAuthenticatedIdentity(response);
// -------------------- Request 4 ---------------------------
// The session should also be remembered and propagated to a public EJB
response = getFromServerPath("public/servlet-public-ejb?continueSession=true");
// Both the web (HttpServletRequest) and EJB (EJBContext) should see the same
// user name.
assertTrue(
"User should have been authenticated in the web layer and given name \"test\", " +
" but does not appear to have this name",
response.contains("web username: test")
);
assertTrue(
"Web has user principal set, but EJB not.",
response.contains("EJB username: test")
);
// -------------------- Request 5 ---------------------------
// The session should also be remembered and propagated to a protected EJB
response = getFromServerPath("public/servlet-protected-ejb?continueSession=true");
// Both the web (HttpServletRequest) and EJB (EJBContext) should see the same
// user name.
assertTrue(
"User should have been authenticated in the web layer and given name \"test\", " +
" but does not appear to have this name",
response.contains("web username: test")
);
assertTrue(
"Web has user principal set, but EJB not.",
response.contains("EJB username: test")
);
// Both the web (HttpServletRequest) and EJB (EJBContext) should see that the
// user has the role "architect".
assertTrue(response.contains("web user has role \"architect\": true"));
assertTrue("Web user principal has role \"architect\", but one in EJB doesn't.",
response.contains("EJB user has role \"architect\": true"));
}
private void checkAuthenticatedIdentity( String response) {
// Has to be logged-in with the right principal
assertTrue(
"Authenticated but username is not the expected one 'test'",
response.contains("web username: test")
);
assertTrue(
"Authentication succeeded and username is correct, but the expected role 'architect' is not present.",
response.contains("web user has role \"architect\": true"));
assertTrue(
"Authentication succeeded and username and roles are correct, but principal type is not the expected custom type.",
response.contains("isCustomPrincipal: true")
);
}
}
Oops, something went wrong.

0 comments on commit e7a3b43

Please sign in to comment.