JACCAuthorizationUnitTestCase.java example

Explorer
picketbox-master
package org.jboss.test.authorization.jacc;

import junit.framework.Assert;
import junit.framework.TestCase;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.jacc.DelegatingPolicy;
import org.jboss.security.jacc.JBossPolicyConfigurationFactory;
import org.junit.Test;

import javax.security.jacc.PolicyConfiguration;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.WebResourcePermission;
import java.security.Permission;
import java.security.Policy;
import java.security.Principal;
import java.security.ProtectionDomain;

/**
 * This class tests the behavior of the PicketBox JACC policy implementation in scenarios that involve the usage of the
 * "any authenticated user" role, "**".
 */
public class JACCAuthorizationUnitTestCase extends TestCase {

    private static final String ANY_AUTHENTICATED_USER_ROLE = "**";

    /**
     * This test installs the PicketBox policy and registers a WebResourcePermission with the role "**" (any authenticated
     * user). It then performs a series of implies methods, checking the results. Any authenticated user should be able
     * to access the resource identified by the same pattern and HTTP methods as the registered WebResourcePermission
     * irrespective of the security roles associated with that user.
     *
     * @throws Exception if an error occurs while running the test.
     */
    @Test
    public void testAnyAuthenticatedUserRole() throws Exception {

        Policy policy = new DelegatingPolicy();
        Policy.setPolicy(policy);
        PolicyContext.setContextID("testcontext");

        PolicyConfiguration configuration =
            new JBossPolicyConfigurationFactory().getPolicyConfiguration("testcontext", true);
        // create a permission for a web resource using the role '**' (any authenticated user).
        Permission permission = new WebResourcePermission("/test", "GET,POST");
        configuration.addToRole(ANY_AUTHENTICATED_USER_ROLE, permission);
        configuration.commit();

        Principal[] roles = new Principal[]{new SimplePrincipal("Manager"), new SimplePrincipal("Administrator")};
        // should match - same pattern, same methods. Authenticated user has a couple of roles.
        boolean implies = policy.implies(new ProtectionDomain(null, null, null, roles),
                new WebResourcePermission("/test", "POST,GET"));
        Assert.assertTrue(implies);

        // should match - same pattern, same methods. User contains has no roles.
        implies = policy.implies(new ProtectionDomain(null, null, null, new Principal[]{}),
                new WebResourcePermission("/test", "POST,GET"));
        Assert.assertTrue(implies);

        // should not match - supplied permission has a different pattern.
        implies = policy.implies(new ProtectionDomain(null, null, null, roles),
                new WebResourcePermission("/test/*", "GET,POST"));
        Assert.assertFalse(implies);

        // should not match - supplied permission has a different list of methods.
        implies = policy.implies(new ProtectionDomain(null, null, null, roles),
                new WebResourcePermission("/test/*", "GET,DELETE,PUT"));
        Assert.assertFalse(implies);
    }
}