[WFLY-4922] Add smoke test for <deny-uncovered-http-methods/> tag

wildfly · Jul 14, 2015 · 7ea925a · 7ea925a
1 parent 7fa580c
commit 7ea925a
Show file tree

Hide file tree

Showing 6 changed files with 259 additions and 0 deletions.
diff --git a/...ss/as/test/integration/web/security/servlet/methods/DenyUncoveredHttpMethodsTestCase.java b/...ss/as/test/integration/web/security/servlet/methods/DenyUncoveredHttpMethodsTestCase.java
@@ -0,0 +1,177 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2015, Red Hat, Inc., and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.as.test.integration.web.security.servlet.methods;
+
+import java.io.IOException;
+import java.net.URL;
+import java.nio.charset.Charset;
+import javax.servlet.http.HttpServletResponse;
+import org.apache.commons.codec.binary.Base64;
+import org.apache.http.Header;
+import org.apache.http.HttpHeaders;
+import org.apache.http.HttpResponse;
+import org.apache.http.client.methods.HttpDelete;
+import org.apache.http.client.methods.HttpGet;
+import org.apache.http.client.methods.HttpHead;
+import org.apache.http.client.methods.HttpOptions;
+import org.apache.http.client.methods.HttpPost;
+import org.apache.http.client.methods.HttpPut;
+import org.apache.http.client.methods.HttpTrace;
+import org.apache.http.client.methods.HttpUriRequest;
+import org.apache.http.impl.client.DefaultHttpClient;
+import org.apache.http.util.EntityUtils;
+import static org.hamcrest.CoreMatchers.containsString;
+import static org.hamcrest.CoreMatchers.is;
+import org.jboss.arquillian.container.test.api.Deployment;
+import org.jboss.arquillian.container.test.api.RunAsClient;
+import org.jboss.arquillian.junit.Arquillian;
+import org.jboss.arquillian.test.api.ArquillianResource;
+import org.jboss.as.arquillian.api.ServerSetup;
+import org.jboss.as.test.integration.web.security.WebTestsSecurityDomainSetup;
+import org.jboss.logging.Logger;
+import org.jboss.shrinkwrap.api.ShrinkWrap;
+import org.jboss.shrinkwrap.api.spec.WebArchive;
+import static org.junit.Assert.assertThat;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+/**
+ * Tests whether the <deny-uncovered-http-methods/> tag in web.xml behavior is correct.
+ *
+ * @author Jan Tymel
+ */
+@RunWith(Arquillian.class)
+@RunAsClient
+@ServerSetup(WebTestsSecurityDomainSetup.class)
+public class DenyUncoveredHttpMethodsTestCase {
+
+    @ArquillianResource(SecuredServlet.class)
+    URL deploymentURL;
+
+    private static final String CONTENT_FROM_GET = "GET";
+    private static final String CONTENT_FROM_HEAD = "HEAD";
+
+    @Test
+    public void testCorrectUserAndPassword() throws Exception {
+        HttpGet httpGet = new HttpGet(getURL());
+        HttpResponse response = getHttpResponse(httpGet, "anil", "anil");
+
+        assertThat(statusCodeOf(response), is(HttpServletResponse.SC_OK));
+
+        assertThat(contentOf(response), is(CONTENT_FROM_GET));
+    }
+
+    @Test
+    public void testHeadMethod() throws Exception {
+        HttpHead httpHead = new HttpHead(getURL());
+        HttpResponse response = getHttpResponse(httpHead, "anil", "anil");
+
+        assertThat(statusCodeOf(response), is(HttpServletResponse.SC_OK));
+
+        assertThat(testHeaderContentOf(response), containsString(CONTENT_FROM_HEAD));
+    }
+
+    @Test
+    public void testPostMethod() throws Exception {
+        HttpPost httpPost = new HttpPost(getURL());
+        HttpResponse response = getHttpResponse(httpPost, "anil", "anil");
+
+        assertThat(statusCodeOf(response), is(HttpServletResponse.SC_FORBIDDEN));
+    }
+
+    @Test
+    public void testPutMethod() throws Exception {
+        HttpPut httpPut = new HttpPut(getURL());
+        HttpResponse response = getHttpResponse(httpPut, "anil", "anil");
+
+        assertThat(statusCodeOf(response), is(HttpServletResponse.SC_FORBIDDEN));
+    }
+
+    @Test
+    public void testDeleteMethod() throws Exception {
+        HttpDelete httpDelete = new HttpDelete(getURL());
+        HttpResponse response = getHttpResponse(httpDelete, "anil", "anil");
+
+        assertThat(statusCodeOf(response), is(HttpServletResponse.SC_FORBIDDEN));
+    }
+
+    @Test
+    public void testTraceMethod() throws Exception {
+        HttpTrace httpTrace = new HttpTrace(getURL());
+        HttpResponse response = getHttpResponse(httpTrace, "anil", "anil");
+
+        assertThat(statusCodeOf(response), is(HttpServletResponse.SC_FORBIDDEN));
+    }
+
+    @Test
+    public void testOptionsMethod() throws Exception {
+        HttpOptions httpOptions = new HttpOptions(getURL());
+        HttpResponse response = getHttpResponse(httpOptions, "anil", "anil");
+
+        assertThat(statusCodeOf(response), is(HttpServletResponse.SC_FORBIDDEN));
+    }
+
+    private HttpResponse getHttpResponse(HttpUriRequest request, String user, String password) throws IOException {
+        String auth = user + ":" + password;
+        byte[] encodedAuth = Base64.encodeBase64(auth.getBytes(Charset.forName("US-ASCII")));
+        String authHeader = "Basic " + new String(encodedAuth);
+        request.setHeader(HttpHeaders.AUTHORIZATION, authHeader);
+        DefaultHttpClient httpClient = new DefaultHttpClient();
+        HttpResponse response = httpClient.execute(request);
+        return response;
+    }
+
+    private int statusCodeOf(HttpResponse response) {
+        return response.getStatusLine().getStatusCode();
+    }
+
+    private String contentOf(HttpResponse response) throws IOException {
+        return EntityUtils.toString(response.getEntity());
+    }
+
+    private String testHeaderContentOf(HttpResponse response) {
+        Header[] header = response.getHeaders("TestHeader");
+
+        return header.length > 0 ? header[0].getValue() : null;
+    }
+
+    private String getURL() {
+        return deploymentURL.toString() + "secured/";
+    }
+
+    @Deployment
+    public static WebArchive deployment() throws IOException {
+        WebArchive war = ShrinkWrap.create(WebArchive.class, "deny-uncovered-http-methods.war");
+        war.addClass(SecuredServlet.class);
+
+        Package warPackage = DenyUncoveredHttpMethodsTestCase.class.getPackage();
+
+        war.addAsWebInfResource(warPackage, "jboss-web.xml", "jboss-web.xml");
+        war.setWebXML(warPackage, "web.xml");
+
+        war.addAsResource(warPackage, "users.properties", "users.properties");
+        war.addAsResource(warPackage, "roles.properties", "roles.properties");
+        Logger.getLogger(DenyUncoveredHttpMethodsTestCase.class).debug(war.toString(true));
+
+        return war;
+    }
+}
diff --git a/.../test/java/org/jboss/as/test/integration/web/security/servlet/methods/SecuredServlet.java b/.../test/java/org/jboss/as/test/integration/web/security/servlet/methods/SecuredServlet.java
@@ -0,0 +1,62 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright (c) 2011, Red Hat, Inc., and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.as.test.integration.web.security.servlet.methods;
+
+import java.io.IOException;
+import java.io.Writer;
+
+import javax.servlet.ServletException;
+import javax.servlet.annotation.HttpMethodConstraint;
+import javax.servlet.annotation.ServletSecurity;
+import javax.servlet.annotation.WebServlet;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+/**
+ * Simple servlet that secures GET and HEAD methods, both for user with 'gooduser' role.
+ *
+ * @author Jan Tymel
+ */
+@WebServlet(name = "SecuredServlet", urlPatterns = {"/secured/"}, loadOnStartup = 1)
+@ServletSecurity(
+        httpMethodConstraints = {
+            @HttpMethodConstraint(value = "GET", rolesAllowed = "gooduser"),
+            @HttpMethodConstraint(value = "HEAD", rolesAllowed = "gooduser")
+        }
+)
+public class SecuredServlet extends HttpServlet {
+
+    private static final long serialVersionUID = 1L;
+
+    @Override
+    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+        Writer writer = resp.getWriter();
+        writer.write("GET");
+    }
+
+    @Override
+    protected void doHead(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+        resp.setHeader("TestHeader", "HEAD");
+    }
+
+}
diff --git a/...ic/src/test/java/org/jboss/as/test/integration/web/security/servlet/methods/jboss-web.xml b/...ic/src/test/java/org/jboss/as/test/integration/web/security/servlet/methods/jboss-web.xml
@@ -0,0 +1,4 @@
+<?xml version="1.0"?>
+<jboss-web>
+  <security-domain>web-tests</security-domain>
+</jboss-web>
diff --git a/...src/test/java/org/jboss/as/test/integration/web/security/servlet/methods/roles.properties b/...src/test/java/org/jboss/as/test/integration/web/security/servlet/methods/roles.properties
@@ -0,0 +1 @@
+anil=gooduser
diff --git a/...src/test/java/org/jboss/as/test/integration/web/security/servlet/methods/users.properties b/...src/test/java/org/jboss/as/test/integration/web/security/servlet/methods/users.properties
@@ -0,0 +1 @@
+anil=anil
diff --git a/...on/basic/src/test/java/org/jboss/as/test/integration/web/security/servlet/methods/web.xml b/...on/basic/src/test/java/org/jboss/as/test/integration/web/security/servlet/methods/web.xml
@@ -0,0 +1,14 @@
+<?xml version="1.0"?>
+<web-app xmlns="http://java.sun.com/xml/ns/javaee"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_1.xsd"
+         version="3.1">  
+
+    <login-config>
+        <auth-method>BASIC</auth-method>
+        <realm-name>WebSecurityBasic</realm-name>
+    </login-config>
+
+    <deny-uncovered-http-methods/>
+
+</web-app>