//
// ========================================================================
// Copyright (c) 1995-2017 Mort Bay Consulting Pty. Ltd.
// ------------------------------------------------------------------------
// All rights reserved. This program and the accompanying materials
// are made available under the terms of the Eclipse Public License v1.0
// and Apache License v2.0 which accompanies this distribution.
//
// The Eclipse Public License is available at
// http://www.eclipse.org/legal/epl-v10.html
//
// The Apache License v2.0 is available at
// http://www.opensource.org/licenses/apache2.0.php
//
// You may elect to redistribute this code under either of these licenses.
// ========================================================================
//
package org.eclipse.jetty.security;
import java.io.IOException;
import java.util.Arrays;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.jetty.http.HttpMethod;
import org.eclipse.jetty.http.HttpScheme;
import org.eclipse.jetty.security.authentication.BasicAuthenticator;
import org.eclipse.jetty.server.Connector;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.LocalConnector;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.UserIdentity;
import org.eclipse.jetty.server.handler.AbstractHandler;
import org.eclipse.jetty.server.handler.ContextHandler;
import org.eclipse.jetty.server.session.SessionHandler;
import org.eclipse.jetty.util.security.Constraint;
import org.hamcrest.Matchers;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
public class DataConstraintsTest
{
private Server _server;
private LocalConnector _connector;
private LocalConnector _connectorS;
private SessionHandler _session;
private ConstraintSecurityHandler _security;
@Before
public void startServer()
{
_server = new Server();
HttpConnectionFactory http = new HttpConnectionFactory();
http.getHttpConfiguration().setSecurePort(9999);
http.getHttpConfiguration().setSecureScheme("BWTP");
_connector = new LocalConnector(_server,http);
_connector.setIdleTimeout(300000);
HttpConnectionFactory https = new HttpConnectionFactory();
https.getHttpConfiguration().addCustomizer(new HttpConfiguration.Customizer()
{
@Override
public void customize(Connector connector, HttpConfiguration channelConfig, Request request)
{
request.setScheme(HttpScheme.HTTPS.asString());
request.setSecure(true);
}
});
_connectorS = new LocalConnector(_server,https);
_server.setConnectors(new Connector[]{_connector,_connectorS});
ContextHandler _context = new ContextHandler();
_session = new SessionHandler();
_context.setContextPath("/ctx");
_server.setHandler(_context);
_context.setHandler(_session);
_security = new ConstraintSecurityHandler();
_session.setHandler(_security);
_security.setHandler(new AbstractHandler()
{
@Override
public void handle(String target, Request baseRequest, HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException
{
baseRequest.setHandled(true);
response.sendError(404);
}
});
}
@After
public void stopServer() throws Exception
{
if (_server.isRunning())
{
_server.stop();
_server.join();
}
}
@Test
public void testIntegral() throws Exception
{
Constraint constraint0 = new Constraint();
constraint0.setAuthenticate(false);
constraint0.setName("integral");
constraint0.setDataConstraint(Constraint.DC_INTEGRAL);
ConstraintMapping mapping0 = new ConstraintMapping();
mapping0.setPathSpec("/integral/*");
mapping0.setConstraint(constraint0);
_security.setConstraintMappings(Arrays.asList(new ConstraintMapping[]
{
mapping0
}));
_server.start();
String response;
response = _connector.getResponses("GET /ctx/some/thing HTTP/1.0\r\n\r\n");
Assert.assertThat(response, Matchers.containsString("HTTP/1.1 404 Not Found"));
response = _connector.getResponses("GET /ctx/integral/info HTTP/1.0\r\n\r\n");
Assert.assertThat(response, Matchers.containsString("HTTP/1.1 302 Found"));
Assert.assertThat(response, Matchers.containsString("Location: BWTP://"));
Assert.assertThat(response, Matchers.containsString(":9999"));
response = _connectorS.getResponses("GET /ctx/integral/info HTTP/1.0\r\n\r\n");
Assert.assertThat(response, Matchers.containsString("HTTP/1.1 404 Not Found"));
}
@Test
public void testConfidential() throws Exception
{
Constraint constraint0 = new Constraint();
constraint0.setAuthenticate(false);
constraint0.setName("confid");
constraint0.setDataConstraint(Constraint.DC_CONFIDENTIAL);
ConstraintMapping mapping0 = new ConstraintMapping();
mapping0.setPathSpec("/confid/*");
mapping0.setConstraint(constraint0);
_security.setConstraintMappings(Arrays.asList(new ConstraintMapping[]
{
mapping0
}));
_server.start();
String response;
response = _connector.getResponses("GET /ctx/some/thing HTTP/1.0\r\n\r\n");
Assert.assertThat(response, Matchers.containsString("HTTP/1.1 404 Not Found"));
response = _connector.getResponses("GET /ctx/confid/info HTTP/1.0\r\n\r\n");
Assert.assertThat(response, Matchers.containsString("HTTP/1.1 302 Found"));
Assert.assertThat(response, Matchers.containsString("Location: BWTP://"));
Assert.assertThat(response, Matchers.containsString(":9999"));
response = _connectorS.getResponses("GET /ctx/confid/info HTTP/1.0\r\n\r\n");
Assert.assertThat(response, Matchers.containsString("HTTP/1.1 404 Not Found"));
}
@Test
public void testConfidentialWithNoRolesSetAndNoMethodRestriction() throws Exception
{
Constraint constraint0 = new Constraint();
constraint0.setName("confid");
constraint0.setDataConstraint(Constraint.DC_CONFIDENTIAL);
ConstraintMapping mapping0 = new ConstraintMapping();
mapping0.setPathSpec("/confid/*");
mapping0.setConstraint(constraint0);
_security.setConstraintMappings(Arrays.asList(new ConstraintMapping[]
{
mapping0
}));
_server.start();
String response;
response = _connector.getResponses("GET /ctx/confid/info HTTP/1.0\r\n\r\n");
Assert.assertThat(response, Matchers.containsString("HTTP/1.1 302 Found"));
response = _connectorS.getResponses("GET /ctx/confid/info HTTP/1.0\r\n\r\n");
Assert.assertThat(response, Matchers.containsString("HTTP/1.1 404 Not Found"));
}
@Test
public void testConfidentialWithNoRolesSetAndMethodRestriction() throws Exception
{
Constraint constraint0 = new Constraint();
constraint0.setName("confid");
constraint0.setDataConstraint(Constraint.DC_CONFIDENTIAL);
ConstraintMapping mapping0 = new ConstraintMapping();
mapping0.setPathSpec("/confid/*");
mapping0.setMethod(HttpMethod.POST.asString());
mapping0.setConstraint(constraint0);
_security.setConstraintMappings(Arrays.asList(new ConstraintMapping[]
{
mapping0
}));
_server.start();
String response;
response = _connector.getResponses("GET /ctx/confid/info HTTP/1.0\r\n\r\n");
Assert.assertThat(response, Matchers.containsString("HTTP/1.1 404 Not Found"));
response = _connectorS.getResponses("GET /ctx/confid/info HTTP/1.0\r\n\r\n");
Assert.assertThat(response, Matchers.containsString("HTTP/1.1 404 Not Found"));
response = _connector.getResponses("POST /ctx/confid/info HTTP/1.0\r\n\r\n");
Assert.assertThat(response, Matchers.containsString("HTTP/1.1 302 Found"));
response = _connectorS.getResponses("POST /ctx/confid/info HTTP/1.0\r\n\r\n");
Assert.assertThat(response, Matchers.containsString("HTTP/1.1 404 Not Found"));
}
@Test
public void testConfidentialWithRolesSetAndMethodRestriction() throws Exception
{
Constraint constraint0 = new Constraint();
constraint0.setRoles(new String[] { "admin" } );
constraint0.setName("confid");
constraint0.setDataConstraint(Constraint.DC_CONFIDENTIAL);
ConstraintMapping mapping0 = new ConstraintMapping();
mapping0.setPathSpec("/confid/*");
mapping0.setMethod(HttpMethod.POST.asString());
mapping0.setConstraint(constraint0);
_security.setConstraintMappings(Arrays.asList(new ConstraintMapping[]
{
mapping0
}));
_server.start();
String response;
response = _connector.getResponses("GET /ctx/confid/info HTTP/1.0\r\n\r\n");
Assert.assertThat(response, Matchers.containsString("HTTP/1.1 404 Not Found"));
response = _connectorS.getResponses("GET /ctx/confid/info HTTP/1.0\r\n\r\n");
Assert.assertThat(response, Matchers.containsString("HTTP/1.1 404 Not Found"));
response = _connector.getResponses("POST /ctx/confid/info HTTP/1.0\r\n\r\n");
Assert.assertThat(response, Matchers.containsString("HTTP/1.1 302 Found"));
response = _connectorS.getResponses("POST /ctx/confid/info HTTP/1.0\r\n\r\n");
Assert.assertThat(response, Matchers.containsString("HTTP/1.1 404 Not Found"));
}
@Test
public void testConfidentialWithRolesSetAndMethodRestrictionAndAuthenticationRequired() throws Exception
{
Constraint constraint0 = new Constraint();
constraint0.setRoles(new String[] { "admin" } );
constraint0.setAuthenticate(true);
constraint0.setName("confid");
constraint0.setDataConstraint(Constraint.DC_CONFIDENTIAL);
ConstraintMapping mapping0 = new ConstraintMapping();
mapping0.setPathSpec("/confid/*");
mapping0.setMethod(HttpMethod.POST.asString());
mapping0.setConstraint(constraint0);
_security.setConstraintMappings(Arrays.asList(new ConstraintMapping[]
{
mapping0
}));
DefaultIdentityService identityService = new DefaultIdentityService();
_security.setLoginService(new CustomLoginService(identityService));
_security.setIdentityService(identityService);
_security.setAuthenticator(new BasicAuthenticator());
_server.start();
String response;
response = _connector.getResponses("GET /ctx/confid/info HTTP/1.0\r\n\r\n");
Assert.assertThat(response, Matchers.containsString("HTTP/1.1 404 Not Found"));
response = _connectorS.getResponses("GET /ctx/confid/info HTTP/1.0\r\n\r\n");
Assert.assertThat(response, Matchers.containsString("HTTP/1.1 404 Not Found"));
response = _connector.getResponses("POST /ctx/confid/info HTTP/1.0\r\n\r\n");
Assert.assertThat(response, Matchers.containsString("HTTP/1.1 302 Found"));
response = _connectorS.getResponses("POST /ctx/confid/info HTTP/1.0\r\n\r\n");
Assert.assertThat(response, Matchers.containsString("HTTP/1.1 401 Unauthorized"));
response = _connector.getResponses("GET /ctx/confid/info HTTP/1.0\r\nAuthorization: Basic YWRtaW46cGFzc3dvcmQ=\r\n\r\n");
Assert.assertThat(response, Matchers.containsString("HTTP/1.1 404 Not Found"));
response = _connector.getResponses("POST /ctx/confid/info HTTP/1.0\r\nAuthorization: Basic YWRtaW46cGFzc3dvcmQ=\r\n\r\n");
Assert.assertThat(response, Matchers.containsString("HTTP/1.1 302 Found"));
response = _connectorS.getResponses("POST /ctx/confid/info HTTP/1.0\r\nAuthorization: Basic YWRtaW46cGFzc3dvcmQ=\r\n\r\n");
Assert.assertThat(response, Matchers.containsString("HTTP/1.1 404 Not Found"));
}
@Test
public void testRestrictedWithoutAuthenticator() throws Exception
{
Constraint constraint0 = new Constraint();
constraint0.setAuthenticate(true);
constraint0.setRoles(new String[] { "admin" } );
constraint0.setName("restricted");
ConstraintMapping mapping0 = new ConstraintMapping();
mapping0.setPathSpec("/restricted/*");
mapping0.setConstraint(constraint0);
_security.setConstraintMappings(Arrays.asList(new ConstraintMapping[]
{
mapping0
}));
_server.start();
String response;
response = _connector.getResponses("GET /ctx/restricted/info HTTP/1.0\r\n\r\n");
Assert.assertThat(response, Matchers.containsString("HTTP/1.1 403 Forbidden"));
response = _connectorS.getResponses("GET /ctx/restricted/info HTTP/1.0\r\n\r\n");
Assert.assertThat(response, Matchers.containsString("HTTP/1.1 403 Forbidden"));
response = _connector.getResponses("GET /ctx/restricted/info HTTP/1.0\r\nAuthorization: Basic YWRtaW46cGFzc3dvcmQ=\r\n\r\n");
Assert.assertThat(response, Matchers.containsString("HTTP/1.1 403 Forbidden"));
response = _connectorS.getResponses("GET /ctx/restricted/info HTTP/1.0\r\nAuthorization: Basic YWRtaW46cGFzc3dvcmQ=\r\n\r\n");
Assert.assertThat(response, Matchers.containsString("HTTP/1.1 403 Forbidden"));
}
@Test
public void testRestrictedWithoutAuthenticatorAndMethod() throws Exception
{
Constraint constraint0 = new Constraint();
constraint0.setAuthenticate(true);
constraint0.setRoles(new String[] { "admin" } );
constraint0.setName("restricted");
ConstraintMapping mapping0 = new ConstraintMapping();
mapping0.setPathSpec("/restricted/*");
mapping0.setMethod("GET");
mapping0.setConstraint(constraint0);
_security.setConstraintMappings(Arrays.asList(new ConstraintMapping[]
{
mapping0
}));
_server.start();
String response;
response = _connector.getResponses("GET /ctx/restricted/info HTTP/1.0\r\n\r\n");
Assert.assertThat(response, Matchers.containsString("HTTP/1.1 403 Forbidden"));
response = _connectorS.getResponses("GET /ctx/restricted/info HTTP/1.0\r\n\r\n");
Assert.assertThat(response, Matchers.containsString("HTTP/1.1 403 Forbidden"));
response = _connector.getResponses("GET /ctx/restricted/info HTTP/1.0\r\nAuthorization: Basic YWRtaW46cGFzc3dvcmQ=\r\n\r\n");
Assert.assertThat(response, Matchers.containsString("HTTP/1.1 403 Forbidden"));
response = _connectorS.getResponses("GET /ctx/restricted/info HTTP/1.0\r\nAuthorization: Basic YWRtaW46cGFzc3dvcmQ=\r\n\r\n");
Assert.assertThat(response, Matchers.containsString("HTTP/1.1 403 Forbidden"));
}
@Test
public void testRestricted() throws Exception
{
Constraint constraint0 = new Constraint();
constraint0.setAuthenticate(true);
constraint0.setRoles(new String[] { "admin" } );
constraint0.setName("restricted");
ConstraintMapping mapping0 = new ConstraintMapping();
mapping0.setPathSpec("/restricted/*");
mapping0.setMethod("GET");
mapping0.setConstraint(constraint0);
_security.setConstraintMappings(Arrays.asList(new ConstraintMapping[]
{
mapping0
}));
DefaultIdentityService identityService = new DefaultIdentityService();
_security.setLoginService(new CustomLoginService(identityService));
_security.setIdentityService(identityService);
_security.setAuthenticator(new BasicAuthenticator());
_server.start();
String response;
response = _connector.getResponses("GET /ctx/restricted/info HTTP/1.0\r\n\r\n");
Assert.assertThat(response, Matchers.containsString("HTTP/1.1 401 Unauthorized"));
response = _connectorS.getResponses("GET /ctx/restricted/info HTTP/1.0\r\n\r\n");
Assert.assertThat(response, Matchers.containsString("HTTP/1.1 401 Unauthorized"));
response = _connector.getResponses("GET /ctx/restricted/info HTTP/1.0\nAuthorization: Basic YWRtaW46cGFzc3dvcmQ=\n\n");
Assert.assertThat(response, Matchers.containsString("HTTP/1.1 404 Not Found"));
response = _connectorS.getResponses("GET /ctx/restricted/info HTTP/1.0\nAuthorization: Basic YWRtaW46cGFzc3dvcmQ=\n\n");
Assert.assertThat(response, Matchers.containsString("HTTP/1.1 404 Not Found"));
}
private class CustomLoginService implements LoginService{
private IdentityService identityService;
public CustomLoginService(IdentityService identityService)
{
this.identityService = identityService;
}
@Override
public String getName()
{
return "name";
}
@Override
public UserIdentity login(String username, Object credentials, ServletRequest request)
{
if("admin".equals(username) && "password".equals(credentials))
return new DefaultUserIdentity(null,null,new String[] { "admin" } );
return null;
}
@Override
public boolean validate(UserIdentity user)
{
return false;
}
@Override
public IdentityService getIdentityService()
{
return identityService;
}
@Override
public void setIdentityService(IdentityService service)
{
}
@Override
public void logout(UserIdentity user)
{
}
}
}