/* (c) 2014 - 2016 Open Source Geospatial Foundation - all rights reserved
* (c) 2001 - 2013 OpenPlans
* This code is licensed under the GPL 2.0 license, available at the root
* application directory.
*/
package org.geoserver.gwc;
import static org.hamcrest.Matchers.equalToIgnoringCase;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertThat;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import javax.servlet.http.HttpServletResponse;
import org.geoserver.data.test.MockData;
import org.geoserver.data.test.SystemTestData;
import org.geoserver.platform.GeoServerExtensions;
import org.geoserver.security.AccessMode;
import org.geoserver.security.CatalogMode;
import org.geoserver.security.impl.DataAccessRuleDAO;
import org.geoserver.wms.WMSTestSupport;
import org.junit.Test;
import org.springframework.mock.web.MockHttpServletResponse;
/**
 * Integration test for GeoWebCache direct WMS integration under GeoServer data security in
 * {@link CatalogMode#CHALLENGE}.
 *
 * <p>The security property exercised here: once a tile has been rendered for an authorized user
 * and stored by GWC, serving that same tile from the cache must still be subject to the layer
 * access rules. A cache HIT must not become a disclosure channel for users (or anonymous
 * clients) that the rule on {@code cite:Lakes} does not allow to read.
 *
 * <p>Outcomes asserted in CHALLENGE mode:
 * <ul>
 *   <li>anonymous request for the restricted layer: 401 (a challenge, not a silent denial);</li>
 *   <li>authenticated user holding the granting role: 200 {@code image/png}, first a cache
 *       MISS, then a HIT;</li>
 *   <li>authenticated user without the role: 403, even though the tile is now cached;</li>
 *   <li>anonymous again: still 401 after the tile is cached.</li>
 * </ul>
 */
public class GWCDataSecurityChallengeIntegrationTest extends WMSTestSupport {

    /** Role granted read access to cite:Lakes by the layer rule installed in {@link #onSetUp}. */
    private static final String LAKES_VIEWER_ROLE = "ROLE_CITE_LAKES_VIEWER";

    /** Response header through which GWC reports whether the tile came from its cache. */
    private static final String CACHE_RESULT_HEADER = "geowebcache-cache-result";

    /**
     * Prepares the security fixture: CHALLENGE catalog mode, GWC direct WMS integration with
     * security enforcement enabled, two users, and the access rules the assertions depend on.
     *
     * @param testData the mock catalog being prepared
     * @throws Exception if the base class setup fails
     */
    @Override
    protected void onSetUp(SystemTestData testData) throws Exception {
        super.onSetUp(testData);

        // CHALLENGE mode: an unauthenticated request for a restricted layer is answered with an
        // authentication challenge (401) rather than by hiding the layer.
        DataAccessRuleDAO ruleDao =
                GeoServerExtensions.bean(DataAccessRuleDAO.class, applicationContext);
        ruleDao.setCatalogMode(CatalogMode.CHALLENGE);

        // Route tiled GetMap requests through the GWC tile cache, and have GWC apply GeoServer
        // data security to what it serves from that cache (the combination under test).
        GWC.get().getConfig().setDirectWMSIntegrationEnabled(true);
        GWC.get().getConfig().setSecurityEnabled(true);

        // Two principals: one holding the role the Lakes rule grants, one holding an unrelated one.
        addUser("cite", "cite", null, Arrays.asList(LAKES_VIEWER_ROLE));
        addUser("other", "other", null, Arrays.asList("OTHER_VIEWER"));

        // Catch-all read/write rules (presumably keeping the rest of the catalog accessible),
        // then a more specific rule that limits read access on cite:Lakes to LAKES_VIEWER_ROLE.
        addLayerAccessRule("*", "*", AccessMode.READ, "*");
        addLayerAccessRule("*", "*", AccessMode.WRITE, "*");
        addLayerAccessRule("cite", "Lakes", AccessMode.READ, LAKES_VIEWER_ROLE);
    }

    /**
     * Installs the Spring Security filter chain in front of the dispatcher so that requests made
     * by this test are actually authenticated and authorized (the base class presumably installs
     * no filters by default).
     *
     * @return a single-element list holding the {@code filterChainProxy} bean
     */
    @Override
    protected List<javax.servlet.Filter> getFilters() {
        javax.servlet.Filter securityChain =
                (javax.servlet.Filter) GeoServerExtensions.bean("filterChainProxy");
        return Collections.singletonList(securityChain);
    }

    /**
     * Verifies that a tile served via direct WMS integration obeys the cite:Lakes access rule
     * both before and after GWC has cached it.
     *
     * @throws Exception if dispatching a request fails
     */
    @Test
    public void testDirectWMSIntegration() throws Exception {
        String tileRequest = lakesTileRequest();

        // 1. Anonymous: challenged, never served.
        setRequestAuth(null, null);
        assertEquals(
                HttpServletResponse.SC_UNAUTHORIZED, getAsServletResponse(tileRequest).getStatus());

        // 2. Authorized viewer: tile is rendered and stored; GWC reports a MISS on first access.
        setRequestAuth("cite", "cite");
        assertTileServed(getAsServletResponse(tileRequest), "MISS");

        // 3. Same viewer again: now served from the cache (HIT). This is the state in which the
        //    following denials must hold.
        assertTileServed(getAsServletResponse(tileRequest), "HIT");

        // 4. Authenticated user lacking the granting role: forbidden, cached or not.
        setRequestAuth("other", "other");
        assertEquals(
                HttpServletResponse.SC_FORBIDDEN, getAsServletResponse(tileRequest).getStatus());

        // 5. Anonymous once more: still challenged, not served from the now-populated cache.
        setRequestAuth(null, null);
        assertEquals(
                HttpServletResponse.SC_UNAUTHORIZED, getAsServletResponse(tileRequest).getStatus());

        // NOTE(review): a stricter variant would also assert that the 401 carries a
        // WWW-Authenticate header and that neither denial response reports
        // CACHE_RESULT_HEADER "HIT" or an image/png body. Whether the mock filter chain sets
        // those headers is not visible from this file, so they are left as a follow-up.
    }

    /** Builds the tiled GetMap request for cite:Lakes used throughout the test. */
    private String lakesTileRequest() {
        return "wms?service=WMS&request=GetMap&version=1.1.1&format=image/png"
                + "&layers="
                + getLayerId(MockData.LAKES)
                + "&srs=EPSG:4326"
                + "&width=256&height=256&styles=&bbox=-180.0,-90.0,0.0,90.0&tiled=true";
    }

    /**
     * Asserts a successful PNG tile response and the cache outcome GWC reports for it.
     *
     * @param response the dispatched response
     * @param expectedCacheResult "MISS" or "HIT" (compared case-insensitively)
     */
    private static void assertTileServed(
            MockHttpServletResponse response, String expectedCacheResult) {
        assertEquals(HttpServletResponse.SC_OK, response.getStatus());
        assertEquals("image/png", response.getContentType());
        assertThat(
                response.getHeader(CACHE_RESULT_HEADER), equalToIgnoringCase(expectedCacheResult));
    }
}