package org.javaee7.jaspic.basicauthentication;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
import java.io.IOException;
import org.javaee7.jaspic.common.ArquillianBase;
import org.jboss.arquillian.container.test.api.Deployment;
import org.jboss.arquillian.junit.Arquillian;
import org.jboss.shrinkwrap.api.Archive;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.xml.sax.SAXException;
/**
* This tests that we can log in from a protected resource (a resource for which
* security constraints have been set) and then access it.
*
* @author Arjan Tijms
*
*/
@RunWith(Arquillian.class)
public class BasicAuthenticationProtectedTest extends ArquillianBase {

    /** Marker text the protected servlet writes into its response body. */
    private static final String PROTECTED_SERVLET_MARKER = "This is a protected servlet";

    /** Anonymous (unauthenticated) principal as rendered by the servlet. */
    private static final String ANONYMOUS_USER_MARKER = "web username: null";

    /** Expected principal name after a successful login. */
    private static final String EXPECTED_USER_MARKER = "web username: test";

    /** Expected role check output after a successful login. */
    private static final String ARCHITECT_ROLE_MARKER = "web user has role \"architect\": true";

    /**
     * Builds the default test archive. {@code testable = false} runs this test as a
     * client outside the deployment, so every request is a real HTTP request.
     *
     * @return the archive to deploy
     */
    @Deployment(testable = false)
    public static Archive<?> createDeployment() {
        return defaultArchive();
    }

    /**
     * Requests the protected servlet without logging in; the protected content must
     * not appear in the response.
     *
     * @throws IOException if the request fails
     * @throws SAXException if the response cannot be parsed
     */
    @Test
    public void testProtectedPageNotLoggedin() throws IOException, SAXException {
        String body = getFromServerPath("protected/servlet");

        // No authentication took place, so the security constraint must keep the
        // protected content out of the response.
        // NOTE(review): only the body is inspected; if the helper also exposes the
        // HTTP status, asserting 401/403 would be a stronger negative check - confirm
        // against ArquillianBase.
        boolean servedProtectedContent = body.contains(PROTECTED_SERVLET_MARKER);
        assertFalse(
            "Not authenticated, so should not have been able to access protected resource",
            servedProtectedContent
        );
    }

    /**
     * Logs in while requesting the protected servlet and verifies that the content
     * is served, that the caller is no longer anonymous, that the principal name is
     * exactly {@code test}, and that the {@code architect} role is visible on the
     * request.
     *
     * @throws IOException if the request fails
     * @throws SAXException if the response cannot be parsed
     */
    @Test
    public void testProtectedPageLoggedin() throws IOException, SAXException {
        String body = getFromServerPath("protected/servlet?doLogin=true");

        // After logging in the page has to be reachable.
        assertTrue(
            "Should have been authenticated, but could not access protected resource",
            body.contains(PROTECTED_SERVLET_MARKER)
        );

        // Reaching the page is not enough: the caller's identity must also be
        // propagated. Passing the constraint while the request still reports the
        // anonymous user can happen when the authorization layer checks roles on the
        // authenticated subject but fails to expose them on the HttpServletRequest.
        boolean appearsAnonymous = body.contains(ANONYMOUS_USER_MARKER);
        assertFalse(
            "Protected resource could be accessed, but the user appears to be the unauthenticated user. " +
            "This should not be possible",
            appearsAnonymous
        );

        // The principal must be exactly "test" - nothing else.
        assertTrue(
            "Protected resource could be accessed, but the username is not correct.",
            body.contains(EXPECTED_USER_MARKER)
        );

        // Same propagation concern for the role: the page is protected by "architect",
        // so a caller who got through must also pass the explicit role test.
        assertTrue(
            "Resource protected by role \"architect\" could be accessed, but user fails test for this role." +
            "This should not be possible",
            body.contains(ARCHITECT_ROLE_MARKER)
        );
    }
}