securityfilter-cvs Mailing List for SecurityFilter
Brought to you by: chris_schultz, maxcooper
From: Christopher S. <chr...@us...> - 2008-04-18 13:08:10
Update of /cvsroot/securityfilter/securityfilter/src/share/org/securityfilter/authenticator In directory sc8-pr-cvs8.sourceforge.net:/tmp/cvs-serv8884/src/share/org/securityfilter/authenticator Modified Files: FormAuthenticator.java Log Message: Added configuration parameter to set the encoding used for forwarded parameters. Index: FormAuthenticator.java =================================================================== RCS file: /cvsroot/securityfilter/securityfilter/src/share/org/securityfilter/authenticator/FormAuthenticator.java,v retrieving revision 1.12 retrieving revision 1.13 diff -C2 -d -r1.12 -r1.13 *** FormAuthenticator.java 2 Nov 2007 16:31:24 -0000 1.12 --- FormAuthenticator.java 18 Apr 2008 13:08:03 -0000 1.13 *************** *** 128,131 **** --- 128,139 ---- public static final String FORWARD_PARAMETERS_PARAMETER_KEY = "forwardParametersParameter"; + + /** + * The key that will be used to look the filter init parameter + * that specifies the character encoding to be used for parameters + * forwarded from the login form. + */ + public static final String FORWARD_PARAMETERS_ENCODING_KEY = "forwardParametersEncoding"; + /** * The default value for {@link #forwardParameterName}. *************** *** 142,145 **** --- 150,158 ---- /** + * The default encoding to be used for forwarded parameters. + */ + public static final String DEFAULT_FORWARD_PARAMETERS_ENCODING = "UTF-8"; + + /** * The name of the request parameter that will be recognized as a * post-login forward request. *************** *** 173,176 **** --- 186,195 ---- protected String forwardParametersParameterName; + /** + * The character encoding that will be used to encode URL parameters + * forwarded through the login page. + */ + protected String forwardParametersEncoding; + /** * Initilize this Authenticator. 
*************** *** 204,207 **** --- 223,231 ---- forwardParametersParameterName = DEFAULT_FORWARD_PARAMETERS_PARAMETER_NAME; + // + forwardParametersEncoding = filterConfig.getInitParameter(FORWARD_PARAMETERS_ENCODING_KEY); + if(null == forwardParametersEncoding) + forwardParametersEncoding = DEFAULT_FORWARD_PARAMETERS_ENCODING; + // default page defaultPage = securityConfig.getDefaultPage(); *************** *** 548,554 **** queryString ! .append(URLEncoder.encode(name, "UTF-8")) .append('=') ! .append(URLEncoder.encode(values[i], "UTF-8")); } } --- 572,578 ---- queryString ! .append(URLEncoder.encode(name, forwardParametersEncoding)) .append('=') ! .append(URLEncoder.encode(values[i], forwardParametersEncoding)); } } |
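Review bot: the init hunk (204,207 / 223,231) stores the `forwardParametersEncoding` init parameter without checking that the JVM supports it, so a typo in the deployment descriptor only surfaces later as an `UnsupportedEncodingException` out of `URLEncoder.encode` when a forwarded login is processed, not at filter startup. Suggest trimming the value and validating it in `init`, for example `if (!java.nio.charset.Charset.isSupported(forwardParametersEncoding)) throw new ServletException("Unsupported forwardParametersEncoding: " + forwardParametersEncoding);`. The two bare `+ //` lines bracketing the assignment are empty comment placeholders and should either say what the block does or be dropped. One caveat worth a sentence in the `FORWARD_PARAMETERS_ENCODING_KEY` Javadoc: the encoding chosen here has to match the one the container uses to decode the login form's request parameters (`request.setCharacterEncoding` or the container default), otherwise non-ASCII forwarded values are corrupted on the round trip through the login page.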
From: Christopher S. <chr...@us...> - 2007-11-07 17:27:30
Update of /cvsroot/securityfilter/securityfilter/src/share/org/securityfilter/config In directory sc8-pr-cvs8.sourceforge.net:/tmp/cvs-serv30079/src/share/org/securityfilter/config Modified Files: SecurityConfig.java SecurityConstraint.java Added Files: UserDataConstraint.java Log Message: Added support for <user-data-constraint>, specifically <transport-guarantee>. --- NEW FILE: UserDataConstraint.java --- /* * $Header: /cvsroot/securityfilter/securityfilter/src/share/org/securityfilter/config/UserDataConstraint.java,v 1.1 2007/11/07 17:22:38 chris_schultz Exp $ * $Revision: 1.1 $ * $Date: 2007/11/07 17:22:38 $ * * ==================================================================== * The SecurityFilter Software License, Version 1.1 * * (this license is derived and fully compatible with the Apache Software * License - see http://www.apache.org/LICENSE.txt) * * Copyright (c) 2007 SecurityFilter.org. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. The end-user documentation included with the redistribution, * if any, must include the following acknowledgment: * "This product includes software developed by * SecurityFilter.org (http://www.securityfilter.org/)." * Alternately, this acknowledgment may appear in the software itself, * if and wherever such third-party acknowledgments normally appear. * * 4. The name "SecurityFilter" must not be used to endorse or promote * products derived from this software without prior written permission. * For written permission, please contact li...@se... . 
* * 5. Products derived from this software may not be called "SecurityFilter", * nor may "SecurityFilter" appear in their name, without prior written * permission of SecurityFilter.org. * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. IN NO EVENT SHALL THE SECURITY FILTER PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * ==================================================================== */ package org.securityfilter.config; /** * UserDataConstraint models the <user-data-constraint> element * in a web application's deployment descriptor. * * <pre> * <user-data-constraint> * <description^gt;This is the user data constraint.</description> * <transport-guarantee> * <i><code>NONE</code> * or <code>INTEGRAL</code> * or <code>CONFIDENTIAL</code></i> * </transport-guarantee^gt; * >/user-data-constraint> * </pre> * * @author Chris Schultz (ch...@ch...) * @version $Revision: 1.1 $ $Date: 2007/11/07 17:22:38 $ */ public class UserDataConstraint { /** * Constant for transport guarantee that indicates no guarantees. * * @see #setTransportGuarantee(String) */ public static final String TRANSPORT_GUARANTEE_NONE = "NONE"; /** * Constant for transport guarantee that indicates data sent between * the client and server are sent in such a way that they cannot be changed * in transit. 
* * @see #setTransportGuarantee(String) */ public static final String TRANSPORT_GUARANTEE_INTEGRAL = "INTEGRAL"; /** * Constant for transport guarantee that indicates data sent between * the client and server are sent in such a way that they cannot be * observed by third-parties while in transit. * * @see #setTransportGuarantee(String) */ public static final String TRANSPORT_GUARANTEE_CONFIDENTIAL = "CONFIDENTIAL"; /** * The transport-guarantee for this UserDataConstraint. */ private String _transportGuarantee = TRANSPORT_GUARANTEE_NONE; public UserDataConstraint() { } /** * Sets the transport-guarantee required by this UserDataConstraint. * * @param guarantee Valid values (case sensitive) are <code>NONE</code>, * <code>INTEGRAL</code>, and <code>CONFIDENTIAL</code>. * * @throws IllegalArgumentException If <code>guarantee</code> is neither * <code>NONE</code> nor <code>INTEGRAL</code> * nor <code>CONFIDENTIAL</code>. * * @see #getTransportGuarantee() * @see #TRANSPORT_GUARANTEE_NONE * @see #TRANSPORT_GUARANTEE_INTEGRAL * @see #TRANSPORT_GUARANTEE_CONFIDENTIAL */ public void setTransportGuarantee(String guarantee) throws IllegalArgumentException { if(null == guarantee) { _transportGuarantee = null; } else { guarantee = guarantee.trim(); if(!(TRANSPORT_GUARANTEE_NONE.equals(guarantee) || TRANSPORT_GUARANTEE_INTEGRAL.equals(guarantee) || TRANSPORT_GUARANTEE_CONFIDENTIAL.equals(guarantee))) throw new IllegalArgumentException("Unknown transport guarantee: " + guarantee); _transportGuarantee = guarantee; } } /** * Returns the transport guarantee for this UserDataConstraint. 
* * @see #setTransportGuarantee */ public String getTransportGuarantee() { return _transportGuarantee; } } // ---------------------------------------------------------------------------- // EOF Index: SecurityConstraint.java =================================================================== RCS file: /cvsroot/securityfilter/securityfilter/src/share/org/securityfilter/config/SecurityConstraint.java,v retrieving revision 1.6 retrieving revision 1.7 diff -C2 -d -r1.6 -r1.7 *** SecurityConstraint.java 26 Jan 2004 09:29:56 -0000 1.6 --- SecurityConstraint.java 7 Nov 2007 17:22:38 -0000 1.7 *************** *** 59,66 **** /** ! * SecurityConstraint * * @author Max Cooper (ma...@ma...) * @author Torgeir Veimo (to...@po...) * @version $Revision$ $Date$ */ --- 59,69 ---- /** ! * SecurityConstraint models the <security-constraint> element ! * in a web application's deployment descriptor. * * @author Max Cooper (ma...@ma...) * @author Torgeir Veimo (to...@po...) + * @author Chris Schultz (ch...@ch...) + * * @version $Revision$ $Date$ */ *************** *** 68,71 **** --- 71,75 ---- private List resourceCollections; private AuthConstraint authConstraint = null; + private UserDataConstraint userDataConstraint; /** *************** *** 112,115 **** --- 116,140 ---- return authConstraint; } + + /** + * Sets the UserDataConstraint for this SecurityConstraint. + * + * @param userDataConstraint The UserDataConstraint. + */ + public void setUserDataConstraint(UserDataConstraint userDataConstraint) + { + this.userDataConstraint = userDataConstraint; + } + + /** + * Gets the UserDataConstraint for this SecurityConstraint. + * + * @return The UserDataConstraint for this SecurityConstraint, or + * <code>null</code> if none has been set. 
+ */ + public UserDataConstraint getUserDataConstraint() + { + return userDataConstraint; + } } Index: SecurityConfig.java =================================================================== RCS file: /cvsroot/securityfilter/securityfilter/src/share/org/securityfilter/config/SecurityConfig.java,v retrieving revision 1.17 retrieving revision 1.18 diff -C2 -d -r1.17 -r1.18 *** SecurityConfig.java 26 Jan 2004 10:54:38 -0000 1.17 --- SecurityConfig.java 7 Nov 2007 17:22:38 -0000 1.18 *************** *** 268,271 **** --- 268,277 ---- } + public void loadConfig(URL configURL) + throws IOException, SAXException + { + loadConfig(new InputSource(configURL.openStream())); + } + /** * Loads configuration from the specifued configURL. *************** *** 276,281 **** * @exception SAXException if the file has invalid xml syntax */ ! public void loadConfig(URL configURL) throws IOException, SAXException { ! securityConstraints = new ArrayList(); --- 282,288 ---- * @exception SAXException if the file has invalid xml syntax */ ! public void loadConfig(InputSource input) ! throws IOException, SAXException ! { securityConstraints = new ArrayList(); *************** *** 352,355 **** --- 359,378 ---- ); + // user-data-constraint + digester.addObjectCreate( + "securityfilter-config/security-constraint/user-data-constraint", + "org.securityfilter.config.UserDataConstraint" + ); + digester.addSetNext( + "securityfilter-config/security-constraint/user-data-constraint", + "setUserDataConstraint", + "org.securityfilter.config.UserDataConstraint" + ); + digester.addCallMethod( + "securityfilter-config/security-constraint/user-data-constraint/transport-guarantee", + "setTransportGuarantee", + 0 + ); + // web-resource-collection digester.addObjectCreate( *************** *** 373,377 **** ); - InputSource input = new InputSource(configURL.openStream()); digester.parse(input); } --- 396,399 ---- |
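Review bot: in the new `UserDataConstraint.setTransportGuarantee`, a `null` argument sets `_transportGuarantee` to `null`, which contradicts both the field's `TRANSPORT_GUARANTEE_NONE` default and the Javadoc's list of valid values, and any caller that does `tg.equals(...)` on the getter's result will throw `NullPointerException`. Suggest either mapping `null` to `TRANSPORT_GUARANTEE_NONE` or throwing `IllegalArgumentException` as for any other invalid value, and say which in the `@param` text. The `<pre>` example in the same class Javadoc has mangled markup (`<description^gt;`, `</transport-guarantee^gt;`, `>/user-data-constraint>`) that should be `&lt;description&gt;`, `&lt;/transport-guarantee&gt;` and `&lt;/user-data-constraint&gt;`.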
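Review bot: in the `SecurityConfig` hunk (268,271 / 268,277), the new `loadConfig(URL)` overload calls `configURL.openStream()` and the stream is never closed; the removed line at the bottom had the same leak, but since the stream now lives in its own method it is easy to wrap the delegation in `try { loadConfig(new InputSource(in)); } finally { in.close(); }`. The Javadoc that stayed attached to `loadConfig(InputSource)` still reads "Loads configuration from the specifued configURL" (typo and wrong parameter); update it to describe the `InputSource` parameter and move the URL wording to the new overload.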
From: Christopher S. <chr...@us...> - 2007-11-07 17:27:30
Update of /cvsroot/securityfilter/securityfilter/src/test/org/securityfilter/test/http/form In directory sc8-pr-cvs8.sourceforge.net:/tmp/cvs-serv30079/src/test/org/securityfilter/test/http/form Added Files: TransportGuaranteeTest.java Log Message: Added support for <user-data-constraint>, specifically <transport-guarantee>. --- NEW FILE: TransportGuaranteeTest.java --- /* * $Header: /cvsroot/securityfilter/securityfilter/src/test/org/securityfilter/test/http/form/TransportGuaranteeTest.java,v 1.1 2007/11/07 17:22:39 chris_schultz Exp $ * $Revision: 1.1 $ * $Date: 2007/11/07 17:22:39 $ * * ==================================================================== * The SecurityFilter Software License, Version 1.1 * * (this license is derived and fully compatible with the Apache Software * License - see http://www.apache.org/LICENSE.txt) * * Copyright (c) 2007 SecurityFilter.org. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. The end-user documentation included with the redistribution, * if any, must include the following acknowledgment: * "This product includes software developed by * SecurityFilter.org (http://www.securityfilter.org/)." * Alternately, this acknowledgment may appear in the software itself, * if and wherever such third-party acknowledgments normally appear. * * 4. The name "SecurityFilter" must not be used to endorse or promote * products derived from this software without prior written permission. * For written permission, please contact li...@se... . * * 5. 
Products derived from this software may not be called "SecurityFilter", * nor may "SecurityFilter" appear in their name, without prior written * permission of SecurityFilter.org. * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. IN NO EVENT SHALL THE SECURITY FILTER PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * ==================================================================== */ package org.securityfilter.test.http.form; import com.meterware.httpunit.*; import junit.framework.Assert; import org.securityfilter.example.Constants; import org.securityfilter.test.http.TestBase; import org.securityfilter.authenticator.FormAuthenticator; /** * ForwardAfterLoginTest - test forward-afterlogin behavior. * * @author Chris Schultz (ch...@ch...) * @version $Revision: 1.1 $ $Date: 2007/11/07 17:22:39 $ */ public class TransportGuaranteeTest extends TestBase { public TransportGuaranteeTest(String name) { super(name); } public void testNoSSLUpgrade() throws Exception { // request the login page WebConversation session = new WebConversation(); // Disable automatic redirection so we can detect it ourselves. 
session.getClientProperties().setAutoRedirect(false); WebRequest request = new GetMethodWebRequest(baseUrl + "/regularPage.jsp"); WebResponse response = session.getResponse(request); String location = response.getHeaderField("Location"); Assert.assertNull(location); } public void testIntegralRequirement() throws Exception { // request the login page WebConversation session = new WebConversation(); // Disable automatic redirection so we can detect it ourselves. session.getClientProperties().setAutoRedirect(false); WebRequest request = new GetMethodWebRequest(baseUrl + "/integral.jsp"); WebResponse response = session.getResponse(request); String location = response.getHeaderField("Location"); Assert.assertNotNull(location); // Remove any ";jsessionid" parameter. if(0 <= location.indexOf(";jsessionid=")) location = location.replaceAll(";jsessionid=[a-fA-F0-9]+", ""); // Check for correct redirect (fully-qualified URL) String url = baseUrl.replace("http://", "https://").replaceAll(":[0-9]+", ""); Assert.assertEquals(url + "/integral.jsp", location); } public void testConfidentialRequirement() throws Exception { // request the login page WebConversation session = new WebConversation(); // Disable automatic redirection so we can detect it ourselves. session.getClientProperties().setAutoRedirect(false); WebRequest request = new GetMethodWebRequest(baseUrl + "/confidential.html"); WebResponse response = session.getResponse(request); String location = response.getHeaderField("Location"); Assert.assertNotNull(location); // Remove any ";jsessionid" parameter. if(0 <= location.indexOf(";jsessionid=")) location = location.replaceAll(";jsessionid=[a-fA-F0-9]+", ""); // Check for correct redirect (fully-qualified URL) String url = baseUrl.replace("http://", "https://").replaceAll(":[0-9]+", ""); Assert.assertEquals(url + "/confidential.html", location); } } |
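Review bot: the class Javadoc reads "ForwardAfterLoginTest - test forward-afterlogin behavior", a copy-paste from another test, and each method opens with "// request the login page" although the requests are for `/regularPage.jsp`, `/integral.jsp` and `/confidential.html`; both should describe the transport-guarantee checks this class actually exercises.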
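Review bot: `testIntegralRequirement` and `testConfidentialRequirement` build the expected URL with `.replaceAll(":[0-9]+", "")`, so they only pass when the HTTPS redirect targets the default port; a deployment that sets the new `ssl-redirect-port` init parameter would fail both tests with no hint why. Suggest deriving the expected host:port from a test property rather than stripping the port, and asserting the response code is a redirect (for example `Assert.assertEquals(302, response.getResponseCode());`) in addition to the `Location` check, since a 200 page that happens to carry a `Location` header would currently pass. `testNoSSLUpgrade` likewise should assert a 200 rather than only the absence of `Location`. The two redirect methods are identical except for the path and can share a helper `assertRedirectedToHttps(String path)`.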
From: Christopher S. <chr...@us...> - 2007-11-07 17:27:30
Update of /cvsroot/securityfilter/securityfilter/web/example In directory sc8-pr-cvs8.sourceforge.net:/tmp/cvs-serv30079/web/example Added Files: regularPage.jsp Log Message: Added support for <user-data-constraint>, specifically <transport-guarantee>. --- NEW FILE: regularPage.jsp --- |
From: Christopher S. <chr...@us...> - 2007-11-07 17:27:30
Update of /cvsroot/securityfilter/securityfilter/src/test/org/securityfilter/test/config In directory sc8-pr-cvs8.sourceforge.net:/tmp/cvs-serv30079/src/test/org/securityfilter/test/config Added Files: UserDataConfigTest.java Log Message: Added support for <user-data-constraint>, specifically <transport-guarantee>. --- NEW FILE: UserDataConfigTest.java --- /* * $Header: /cvsroot/securityfilter/securityfilter/src/test/org/securityfilter/test/config/UserDataConfigTest.java,v 1.1 2007/11/07 17:22:38 chris_schultz Exp $ * $Revision: 1.1 $ * $Date: 2007/11/07 17:22:38 $ * * ==================================================================== * The SecurityFilter Software License, Version 1.1 * * (this license is derived and fully compatible with the Apache Software * License - see http://www.apache.org/LICENSE.txt) * * Copyright (c) 2007 SecurityFilter.org. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. The end-user documentation included with the redistribution, * if any, must include the following acknowledgment: * "This product includes software developed by * SecurityFilter.org (http://www.securityfilter.org/)." * Alternately, this acknowledgment may appear in the software itself, * if and wherever such third-party acknowledgments normally appear. * * 4. The name "SecurityFilter" must not be used to endorse or promote * products derived from this software without prior written permission. * For written permission, please contact li...@se... . * * 5. 
Products derived from this software may not be called "SecurityFilter", * nor may "SecurityFilter" appear in their name, without prior written * permission of SecurityFilter.org. * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. IN NO EVENT SHALL THE SECURITY FILTER PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * ==================================================================== */ package org.securityfilter.test.config; import java.io.StringReader; import java.lang.reflect.Proxy; import java.lang.reflect.Method; import java.lang.reflect.InvocationHandler; import java.net.MalformedURLException; import java.util.List; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequestWrapper; import org.xml.sax.InputSource; import junit.framework.Assert; import junit.framework.TestCase; import org.securityfilter.filter.SecurityFilter; import org.securityfilter.config.SecurityConfig; import org.securityfilter.config.SecurityConstraint; import org.securityfilter.config.UserDataConstraint; import javax.servlet.FilterConfig; import java.util.Enumeration; import javax.servlet.ServletContext; /** * UserDataConfigTests - tests to see that the transport guarantee * configuration has been loaded correctly. * * @author Chris Schultz (ch...@ch...) 
* @version $Revision: 1.1 $ $Date: 2007/11/07 17:22:38 $ */ public class UserDataConfigTest extends TestCase { public UserDataConfigTest(String name) { super(name); } public void testNoUserDataConstraint() throws Exception { String config = "<?xml version=\"1.0\" encoding=\"UTF-8\" ?>\n" + "\n" + "<!DOCTYPE securityfilter-config PUBLIC\n" + " \"" + "-//SecurityFilter.org//DTD Security Filter Configuration 2.0//EN" + "\"\n" + " \"" + "http://www.securityfilter.org/dtd/securityfilter-config_2_0.dtd" + "\">" + "<securityfilter-config>" + "\n" + " <security-constraint>" + " <web-resource-collection>" + " <web-resource-name>Secure Page</web-resource-name>" + " <url-pattern>/securePage.jsp</url-pattern>" + " </web-resource-collection>" + " <auth-constraint>" + " <role-name>inthisrole</role-name>" + " </auth-constraint>" + " </security-constraint>" + "\n" + " <login-config>" + " <auth-method>BASIC</auth-method>" + " </login-config>" + "\n" + " <realm className=\"org.securityfilter.realm.catalina.CatalinaRealmAdapter\">" + " </realm>" + "\n" + "</securityfilter-config>" ; SecurityConfig sc = new SecurityConfig(true); sc.loadConfig(new InputSource(new StringReader(config))); List constraints = sc.getSecurityConstraints(); Assert.assertNotNull("Should have some security constraints", constraints); Assert.assertEquals("Should have 1 security constraint.", 1, constraints.size()); SecurityConstraint constraint = (SecurityConstraint)constraints.get(0); Assert.assertNull("Should not have a UserDataConstraint", constraint.getUserDataConstraint()); } public void testTransportGuaranteeNone() throws Exception { String config = "<?xml version=\"1.0\" encoding=\"UTF-8\" ?>\n" + "\n" + "<!DOCTYPE securityfilter-config PUBLIC\n" + " \"" + "-//SecurityFilter.org//DTD Security Filter Configuration 2.0//EN" + "\"\n" + " \"" + "http://www.securityfilter.org/dtd/securityfilter-config_2_0.dtd" + "\">" + "<securityfilter-config>" + "\n" + " <security-constraint>" + " <web-resource-collection>" 
+ " <web-resource-name>Secure Page</web-resource-name>" + " <url-pattern>/securePage.jsp</url-pattern>" + " </web-resource-collection>" + " <auth-constraint>" + " <role-name>inthisrole</role-name>" + " </auth-constraint>" + " <user-data-constraint>" + " <description>The user data constraint</description>" + " <transport-guarantee>NONE</transport-guarantee>" + " </user-data-constraint>" + " </security-constraint>" + "\n" + " <login-config>" + " <auth-method>BASIC</auth-method>" + " </login-config>" + "\n" + " <realm className=\"org.securityfilter.realm.catalina.CatalinaRealmAdapter\">" + " </realm>" + "\n" + "</securityfilter-config>" ; SecurityConfig sc = new SecurityConfig(true); sc.loadConfig(new InputSource(new StringReader(config))); List constraints = sc.getSecurityConstraints(); Assert.assertNotNull("Should have some security constraints", constraints); Assert.assertEquals("Should have 1 security constraint.", 1, constraints.size()); SecurityConstraint constraint = (SecurityConstraint)constraints.get(0); Assert.assertNotNull("Should have a UserDataConstraint", constraint.getUserDataConstraint()); Assert.assertEquals("Incorrect transport-guarantee", UserDataConstraint.TRANSPORT_GUARANTEE_NONE, constraint.getUserDataConstraint() .getTransportGuarantee()); } public void testTransportGuaranteeNoneExtraSpaces() throws Exception { String config = "<?xml version=\"1.0\" encoding=\"UTF-8\" ?>\n" + "\n" + "<!DOCTYPE securityfilter-config PUBLIC\n" + " \"" + "-//SecurityFilter.org//DTD Security Filter Configuration 2.0//EN" + "\"\n" + " \"" + "http://www.securityfilter.org/dtd/securityfilter-config_2_0.dtd" + "\">" + "<securityfilter-config>" + "\n" + " <security-constraint>" + " <web-resource-collection>" + " <web-resource-name>Secure Page</web-resource-name>" + " <url-pattern>/securePage.jsp</url-pattern>" + " </web-resource-collection>" + " <auth-constraint>" + " <role-name>inthisrole</role-name>" + " </auth-constraint>" + " <user-data-constraint>" + " 
<description>The user data constraint</description>" + " <transport-guarantee> NONE" + " </transport-guarantee>" + " </user-data-constraint>" + " </security-constraint>" + "\n" + " <login-config>" + " <auth-method>BASIC</auth-method>" + " </login-config>" + "\n" + " <realm className=\"org.securityfilter.realm.catalina.CatalinaRealmAdapter\">" + " </realm>" + "\n" + "</securityfilter-config>" ; SecurityConfig sc = new SecurityConfig(true); sc.loadConfig(new InputSource(new StringReader(config))); List constraints = sc.getSecurityConstraints(); Assert.assertNotNull("Should have some security constraints", constraints); Assert.assertEquals("Should have 1 security constraint.", 1, constraints.size()); SecurityConstraint constraint = (SecurityConstraint)constraints.get(0); Assert.assertNotNull("Should have a UserDataConstraint", constraint.getUserDataConstraint()); Assert.assertEquals("Incorrect transport-guarantee", UserDataConstraint.TRANSPORT_GUARANTEE_NONE, constraint.getUserDataConstraint() .getTransportGuarantee()); } public void _testInvalidTransportGuarantee() throws Exception { String config = "<?xml version=\"1.0\" encoding=\"UTF-8\" ?>\n" + "\n" + "<!DOCTYPE securityfilter-config PUBLIC\n" + " \"" + "-//SecurityFilter.org//DTD Security Filter Configuration 2.0//EN" + "\"\n" + " \"" + "http://www.securityfilter.org/dtd/securityfilter-config_2_0.dtd" + "\">" + "<securityfilter-config>" + "\n" + " <security-constraint>" + " <web-resource-collection>" + " <web-resource-name>Secure Page</web-resource-name>" + " <url-pattern>/securePage.jsp</url-pattern>" + " </web-resource-collection>" + " <auth-constraint>" + " <role-name>inthisrole</role-name>" + " </auth-constraint>" + " <user-data-constraint>" + " <description>The user data constraint</description>" + " <transport-guarantee>INVALID</transport-guarantee>" + " </user-data-constraint>" + " </security-constraint>" + "\n" + " <login-config>" + " <auth-method>BASIC</auth-method>" + " </login-config>" + "\n" + " 
<realm className=\"org.securityfilter.realm.catalina.CatalinaRealmAdapter\">" + " </realm>" + "\n" + "</securityfilter-config>" ; SecurityConfig sc = new SecurityConfig(true); try { sc.loadConfig(new InputSource(new StringReader(config))); Assert.fail("INVALID transport guarantee should have failed."); } catch (org.xml.sax.SAXParseException spe) { // Expected behavior } } // // Make sure that the getSecureURL method is working. // private String getSecureURL(String url) throws MalformedURLException, javax.servlet.ServletException { // TODO: This method is /horrible/. We should be using mock objects // instead of monkeying-around with Proxies and stuff. final java.net.URL theUrl = new java.net.URL(url); InvocationHandler handler = new InvocationHandler() { public Object invoke(Object o, Method m, Object[] args) { if("getServerName".equals(m.getName())) { return theUrl.getHost(); } else if("getRequestURI".equals(m.getName())) { return theUrl.getPath(); } else if("getQueryString".equals(m.getName())) { return theUrl.getQuery(); } else throw new IllegalStateException("Unexpected call to: "+ m); } } ; HttpServletRequest request = (HttpServletRequest)Proxy .newProxyInstance(this.getClass().getClassLoader(), new Class[] { HttpServletRequest.class }, handler); return new SecurityFilter() { public String getSecureURL(HttpServletRequest request) { return super.getSecureURL(request); } }.getSecureURL(request); } public void testGetSecureURL() throws Exception { String url = "http://www.foo.com/path/resource?query=string&foo=bar"; String expected = url.replace("http://", "https://"); Assert.assertEquals(expected, getSecureURL(url)); } public void testGetSecureURL_AlreadySecure() throws Exception { String url = "https://www.foo.com/path/resource?query=string&foo=bar"; String expected = url; Assert.assertEquals(expected, getSecureURL(url)); } public void testGetSecureURL_Port() throws Exception { String url = "http://www.foo.com:42/path/resource?query=string&foo=bar"; String 
expected = url.replace("http://", "https://") .replace(":42", ""); Assert.assertEquals(expected, getSecureURL(url)); } public void testGetSecureURL_NoQueryString() throws Exception { String url = "http://www.foo.com:42/path/resource"; String expected = url.replace("http://", "https://") .replace(":42", ""); Assert.assertEquals(expected, getSecureURL(url)); } public void testGetSecureURL_NoSlash() throws Exception { String url = "http://www.foo.com:42"; String expected = url.replace("http://", "https://") .replace(":42", ""); Assert.assertEquals(expected, getSecureURL(url)); } public void testGetSecureURL_NoPortNoSlash() throws Exception { String url = "http://www.foo.com"; String expected = url.replace("http://", "https://"); Assert.assertEquals(expected, getSecureURL(url)); } } |
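Review bot: `_testInvalidTransportGuarantee` is disabled by its leading underscore, so the one negative path in this commit (rejecting a `<transport-guarantee>` other than NONE/INTEGRAL/CONFIDENTIAL) has no coverage. Suggest enabling it and catching `SAXException`, the type `loadConfig` declares, rather than the narrower `SAXParseException`, so the test does not depend on how Digester wraps the `IllegalArgumentException` thrown by `setTransportGuarantee`; the catch block can then assert that the wrapped message contains "Unknown transport guarantee".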
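Review bot: the `getSecureURL` proxy handler (the one the TODO already calls "horrible") answers only `getServerName`, `getRequestURI` and `getQueryString` and throws for everything else, so the `testGetSecureURL_*` cases can only describe the host-based form and all of them expect the port to be dropped; with the new `ssl-redirect-port` init parameter in `SecurityFilter` there should be at least one case that configures a non-443 port and expects it in the result. The four near-identical XML strings would be easier to maintain as one template with the `<user-data-constraint>` block substituted in, and `HttpServletRequestWrapper`, `FilterConfig`, `Enumeration` and `ServletContext` are imported but unused.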
From: Christopher S. <chr...@us...> - 2007-11-07 17:27:23
Update of /cvsroot/securityfilter/securityfilter/web/example/WEB-INF In directory sc8-pr-cvs8.sourceforge.net:/tmp/cvs-serv30079/web/example/WEB-INF Modified Files: securityfilter-config.xml Log Message: Added support for <user-data-constraint>, specifically <transport-guarantee>. Index: securityfilter-config.xml =================================================================== RCS file: /cvsroot/securityfilter/securityfilter/web/example/WEB-INF/securityfilter-config.xml,v retrieving revision 1.6 retrieving revision 1.7 diff -C2 -d -r1.6 -r1.7 *** securityfilter-config.xml 25 Nov 2003 10:07:08 -0000 1.6 --- securityfilter-config.xml 7 Nov 2007 17:22:39 -0000 1.7 *************** *** 27,30 **** --- 27,64 ---- </security-constraint> + <!-- Configuration for transport-guarantee tests --> + <security-constraint> + <web-resource-collection> + <web-resource-name>Regular Page</web-resource-name> + <url-pattern>/regularPage.jsp</url-pattern> + </web-resource-collection> + <user-data-constraint> + <description>No transport guarantee</description> + <transport-guarantee>NONE</transport-guarantee> + </user-data-constraint> + </security-constraint> + + <security-constraint> + <web-resource-collection> + <web-resource-name>Integral</web-resource-name> + <url-pattern>/integral.jsp</url-pattern> + </web-resource-collection> + <user-data-constraint> + <description>INTEGRAL transport guarantee</description> + <transport-guarantee>INTEGRAL</transport-guarantee> + </user-data-constraint> + </security-constraint> + + <security-constraint> + <web-resource-collection> + <web-resource-name>Confidential</web-resource-name> + <url-pattern>/confidential.html</url-pattern> + </web-resource-collection> + <user-data-constraint> + <description>CONFIDENTIAL transport guarantee</description> + <transport-guarantee>CONFIDENTIAL</transport-guarantee> + </user-data-constraint> + </security-constraint> + <login-config> <auth-method>FORM</auth-method> *************** *** 40,42 **** </realm> ! 
</securityfilter-config> \ No newline at end of file --- 74,76 ---- </realm> ! </securityfilter-config> |
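Review bot: the three new <security-constraint> blocks carry a <user-data-constraint> but no <auth-constraint>, so /regularPage.jsp, /integral.jsp and /confidential.html remain reachable without logging in. That is presumably what the transport-guarantee tests need, but say so in the `<!-- Configuration for transport-guarantee tests -->` comment, so the example is not copied as-is into a real securityfilter-config.xml where a missing auth-constraint means an unauthenticated page.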
From: Christopher S. <chr...@us...> - 2007-11-07 17:23:41
|
Update of /cvsroot/securityfilter/securityfilter/src/share/org/securityfilter/filter In directory sc8-pr-cvs8.sourceforge.net:/tmp/cvs-serv30079/src/share/org/securityfilter/filter Modified Files: SecurityFilter.java Log Message: Added support for <user-data-constraint>, specifically <transport-guarantee>. Index: SecurityFilter.java =================================================================== RCS file: /cvsroot/securityfilter/securityfilter/src/share/org/securityfilter/filter/SecurityFilter.java,v retrieving revision 1.24 retrieving revision 1.25 diff -C2 -d -r1.24 -r1.25 *** SecurityFilter.java 14 Feb 2006 09:28:27 -0000 1.24 --- SecurityFilter.java 7 Nov 2007 17:22:38 -0000 1.25 *************** *** 79,82 **** --- 79,83 ---- public static final String DEFAULT_CONFIG_FILE = "/WEB-INF/securityfilter-config.xml"; public static final String VALIDATE_KEY = "validate"; + public static final String SSL_PORT_INIT_PARAMETER_KEY = "ssl-redirect-port"; public static final String TRUE = "true"; *************** *** 93,96 **** --- 94,102 ---- protected Authenticator authenticator; + /** + * The port to be used when upgrading connections to HTTPS. + */ + protected int sslPort = 443; + /** * Perform filtering operation, and optionally pass the request down the chain. *************** *** 151,155 **** // check security constraint, if any if (match != null) { ! // TODO: check user-data-constraint // check auth constraint AuthConstraint authConstraint = match.getSecurityConstraint().getAuthConstraint(); --- 157,198 ---- // check security constraint, if any if (match != null) { ! ! // Check user-data-constraint (transport-guarantee) ! UserDataConstraint userDataConstraint ! = match.getSecurityConstraint().getUserDataConstraint(); ! if(null != userDataConstraint) ! { ! String tg = userDataConstraint.getTransportGuarantee(); ! if((tg.equals(UserDataConstraint.TRANSPORT_GUARANTEE_INTEGRAL) ! || tg.equals(UserDataConstraint.TRANSPORT_GUARANTEE_CONFIDENTIAL)) ! 
&& !request.isSecure()) ! { ! // Servlet Specification Note: ! // ! // The Servlet Specification does not specify what ought ! // to be done when the connection must be "upgraded" ! // in order to satisfy the transport-guarantee. ! // ! // This implementation matches that of the Apache Tomcat ! // servlet container (as of version 5.5). ! ! // Switch from HTTP to HTTPS via redirection. ! if(0 <= sslPort) ! { ! String url = getSecureURL(wrappedRequest); ! ! hRes.sendRedirect(hRes.encodeRedirectURL(url)); ! } ! else ! { ! // SSL port set to a negative: disable redirection. ! hRes.sendError(HttpServletResponse.SC_FORBIDDEN, ! hReq.getRequestURI()); ! } ! ! return; ! } ! } ! // check auth constraint AuthConstraint authConstraint = match.getSecurityConstraint().getAuthConstraint(); *************** *** 196,199 **** --- 239,275 ---- public void init(FilterConfig config) throws ServletException { this.config = config; + + String sslPortString = config.getInitParameter(SSL_PORT_INIT_PARAMETER_KEY); + if(null != sslPortString) + { + try + { + this.sslPort = Integer.parseInt(sslPortString); + + if(this.sslPort > 65535) + { + System.err.println("ERROR: Invalid " + + SSL_PORT_INIT_PARAMETER_KEY + + ": " + sslPortString); + System.err.println("WARN: SSL port redirection is disabled."); + this.sslPort = -1; + } + else if(this.sslPort < 0) + { + System.err.println("INFO: SSL port redirection is disabled (was set to " + this.sslPort + ")"); + } + } + catch (NumberFormatException nfe) + { + System.err.println("ERROR: Invalid " + + SSL_PORT_INIT_PARAMETER_KEY + + ": " + sslPortString); + System.err.println("WARN: SSL port redirection is disabled."); + nfe.printStackTrace(); + + this.sslPort = -1; + } + } + try { // parse config file *************** *** 264,269 **** * @return the matching URLPattern object, or null if there is no match. */ ! protected URLPattern matchPattern(String pattern, String httpMethod, URLPatternMatcher matcher) throws Exception { ! 
// PERFORMANCE IMPROVEMENT OPPORTUNITY: cahce pattern matches Iterator i = patternList.iterator(); while (i.hasNext()) { --- 340,345 ---- * @return the matching URLPattern object, or null if there is no match. */ ! protected URLPattern matchPattern(String pattern, String httpMethod, URLPatternMatcher matcher) { ! // PERFORMANCE IMPROVEMENT OPPORTUNITY: cache pattern matches Iterator i = patternList.iterator(); while (i.hasNext()) { *************** *** 357,360 **** --- 433,459 ---- } + protected String getSecureURL(HttpServletRequest request) + { + StringBuffer url = new StringBuffer(); + url.append("https://") + .append(request.getServerName()) + ; + + if(443 != sslPort) + url.append(':') + .append(sslPort) + ; + + url.append(request.getRequestURI()); + + String queryString = request.getQueryString(); + if(null != queryString) + url.append('?') + .append(queryString) + ; + + return url.toString(); + } + ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////// // The following methods are provided for compatibility with various app servers. // |
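Review bot: in the new user-data-constraint block, `String tg = userDataConstraint.getTransportGuarantee();` is dereferenced as `tg.equals(...)` with no null check, so a constraint whose transport guarantee is left unset will throw a NullPointerException on every matching request. Flip the comparison to `UserDataConstraint.TRANSPORT_GUARANTEE_INTEGRAL.equals(tg)` or treat null as NONE explicitly. Two behaviours also deserve a comment next to the "Servlet Specification Note": `request.isSecure()` reports what the container sees, so behind a TLS-terminating proxy that forwards plain HTTP the redirect will loop unless the connector is configured to mark the connection secure; and `sendRedirect` turns a POST into a GET and discards the body, so the 403 branch may be the better answer for non-GET requests.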
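Review bot: the range check added to init() rejects values `> 65535` and treats `< 0` as "disabled", but accepts an `ssl-redirect-port` of 0, which getSecureURL would turn into `https://host:0/...`; handle 0 like the out-of-range case. The diagnostics are hand-prefixed ERROR/WARN/INFO lines on System.err plus a full `nfe.printStackTrace()` for what is a configuration typo; consider `config.getServletContext().log(...)` so they land in the container log with the rest of the filter's messages, and the stack trace adds nothing over the offending string already being printed.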
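Review bot: getSecureURL() builds the Location header from `request.getServerName()`, which on most containers is taken from the client's Host header; with a default or wildcard virtual host the browser is therefore sent to whatever host name the client supplied, only on port sslPort. An init parameter for the canonical secure host (falling back to getServerName()) or a check against the container's configured host names would pin the redirect target. Style: the `if(443 != sslPort)` and `if(null != queryString)` bodies are brace-less multi-line chained statements terminated by a `;` on its own line; braces would make the scope unambiguous.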
From: Christopher S. <chr...@us...> - 2007-11-06 21:42:48
|
Update of /cvsroot/securityfilter/securityfilter In directory sc8-pr-cvs8.sourceforge.net:/tmp/cvs-serv12260 Modified Files: build.xml Log Message: Added build-compile as a dependency for test-compile. Index: build.xml =================================================================== RCS file: /cvsroot/securityfilter/securityfilter/build.xml,v retrieving revision 1.23 retrieving revision 1.24 diff -C2 -d -r1.23 -r1.24 *** build.xml 15 Feb 2006 08:23:52 -0000 1.23 --- build.xml 6 Nov 2007 21:42:44 -0000 1.24 *************** *** 212,216 **** <!-- ========== Test Target ===================================================================================== --> ! <target name="test" depends="deploy,test-compile" description="tests webapp(s) on server(s)"> <mkdir dir="${build.test.data.dir}"/> <junit printsummary="false" --- 212,216 ---- <!-- ========== Test Target ===================================================================================== --> ! <target name="test" depends="deploy, test-compile" description="tests webapp(s) on server(s)"> <mkdir dir="${build.test.data.dir}"/> <junit printsummary="false" *************** *** 237,241 **** </target> ! <target name="test-compile"> <mkdir dir="${build.test.classes.dir}"/> <javac --- 237,241 ---- </target> ! <target name="test-compile" depends="build-compile"> <mkdir dir="${build.test.classes.dir}"/> <javac |
From: Christopher S. <chr...@us...> - 2007-11-05 23:23:47
|
Update of /cvsroot/securityfilter/securityfilter/src/test/org/securityfilter/test/config In directory sc8-pr-cvs8.sourceforge.net:/tmp/cvs-serv26403/src/test/org/securityfilter/test/config Log Message: Directory /cvsroot/securityfilter/securityfilter/src/test/org/securityfilter/test/config added to the repository |
From: Christopher S. <chr...@us...> - 2007-11-05 18:46:31
|
Update of /cvsroot/securityfilter/securityfilter/src/share/org/securityfilter/filter In directory sc8-pr-cvs8.sourceforge.net:/tmp/cvs-serv12966/src/share/org/securityfilter/filter Modified Files: URLPattern.java URLPatternMatcher.java Log Message: Explicitly imported all required imports. Reduced throws declarations to their minimum (no more "throws Exception"). Index: URLPatternMatcher.java =================================================================== RCS file: /cvsroot/securityfilter/securityfilter/src/share/org/securityfilter/filter/URLPatternMatcher.java,v retrieving revision 1.4 retrieving revision 1.5 diff -C2 -d -r1.4 -r1.5 *** URLPatternMatcher.java 26 Jan 2004 09:30:07 -0000 1.4 --- URLPatternMatcher.java 5 Nov 2007 18:46:22 -0000 1.5 *************** *** 56,60 **** package org.securityfilter.filter; ! import org.apache.oro.text.regex.*; import java.util.Collection; --- 56,62 ---- package org.securityfilter.filter; ! import org.apache.oro.text.regex.PatternCompiler; ! import org.apache.oro.text.regex.PatternMatcher; ! import org.apache.oro.text.regex.Perl5Matcher; import java.util.Collection; *************** *** 67,110 **** * @version $Revision$ $Date$ */ ! public class URLPatternMatcher { ! private PatternMatcher patternMatcher; ! /** ! * Constructor ! */ ! public URLPatternMatcher() { ! patternMatcher = new Perl5Matcher(); ! } ! /** ! * Test to see if a string pattern matches a URLPattern. ! * ! * @param pattern a String pattern to check for a match ! * @param urlPattern a URLPattern object to match against ! * @return true if the pattern matched the urlPattern, false otherwise ! * @throws Exception ! */ ! public boolean match(String pattern, URLPattern urlPattern) throws Exception { ! return patternMatcher.matches(pattern, urlPattern.getCompiledPattern()); ! } ! /** ! * Test to see if a string pattern and HTTP method matches a URLPattern. ! * ! * @param pattern a String pattern to check for a match ! 
* @param httpMethod an HTTP pattern to check for a match ! * @param urlPattern a URLPattern object to match against ! * @return true if the pattern matched the urlPattern, false otherwise ! * @throws Exception ! */ ! public boolean match(String pattern, String httpMethod, URLPattern urlPattern) throws Exception { ! if (match(pattern, urlPattern)) { ! Collection methods = urlPattern.getWebResourceCollection().getHttpMethods(); ! if (methods.isEmpty() || methods.contains(httpMethod.toUpperCase())) { ! return true; ! } ! } ! return false; ! } } --- 69,113 ---- * @version $Revision$ $Date$ */ ! public class URLPatternMatcher ! { ! private PatternMatcher patternMatcher; ! /** ! * Constructor ! */ ! public URLPatternMatcher() { ! patternMatcher = new Perl5Matcher(); ! } ! /** ! * Test to see if a string pattern matches a URLPattern. ! * ! * @param pattern a String pattern to check for a match ! * @param urlPattern a URLPattern object to match against ! * @return true if the pattern matched the urlPattern, false otherwise ! */ ! public boolean match(String pattern, URLPattern urlPattern) ! { ! return patternMatcher.matches(pattern, urlPattern.getCompiledPattern()); ! } ! /** ! * Test to see if a string pattern and HTTP method matches a URLPattern. ! * ! * @param pattern a String pattern to check for a match ! * @param httpMethod an HTTP pattern to check for a match ! * @param urlPattern a URLPattern object to match against ! * @return true if the pattern matched the urlPattern, false otherwise ! */ ! public boolean match(String pattern, String httpMethod, URLPattern urlPattern) ! { ! if (match(pattern, urlPattern)) { ! Collection methods = urlPattern.getWebResourceCollection().getHttpMethods(); ! if (methods.isEmpty() || methods.contains(httpMethod.toUpperCase())) { ! return true; ! } ! } ! return false; ! 
} } Index: URLPattern.java =================================================================== RCS file: /cvsroot/securityfilter/securityfilter/src/share/org/securityfilter/filter/URLPattern.java,v retrieving revision 1.6 retrieving revision 1.7 diff -C2 -d -r1.6 -r1.7 *** URLPattern.java 26 Jan 2004 09:30:07 -0000 1.6 --- URLPattern.java 5 Nov 2007 18:46:22 -0000 1.7 *************** *** 56,61 **** package org.securityfilter.filter; ! import org.apache.oro.text.regex.*; ! import org.securityfilter.config.*; /** --- 56,67 ---- package org.securityfilter.filter; ! import org.apache.oro.text.regex.MalformedPatternException; ! import org.apache.oro.text.regex.Pattern; ! import org.apache.oro.text.regex.PatternCompiler; ! import org.apache.oro.text.regex.PatternMatcher; ! import org.apache.oro.text.regex.Perl5Compiler; ! ! import org.securityfilter.config.SecurityConstraint; ! import org.securityfilter.config.WebResourceCollection; /** *************** *** 67,342 **** * @version $Revision$ $Date$ */ ! public class URLPattern implements Comparable { ! /** ! * Pattern type for patterns that do not meet the specifications for the ! * other pattern types. ! */ ! public static final int EXACT_TYPE = 1; ! /** ! * Pattern type for PATH_TYPE mappings. Starts with '/' and ends with '/*'. ! */ ! public static final int PATH_TYPE = 2; ! /** ! * Pattern type for EXTENSION_TYPE mappings. Starts with '*.' ! */ ! public static final int EXTENSION_TYPE = 3; ! /** ! * Pattern type for EXTENSION_TYPE mappings. Starts with '*.' ! */ ! public static final int DEFAULT_TYPE = 4; ! protected String pattern; ! protected String convertedPattern; ! protected Pattern compiledPattern; ! protected SecurityConstraint constraint; ! protected WebResourceCollection resourceCollection; ! protected int order; ! protected int patternType; ! protected int pathLength; ! /** ! * Construct a new URLPattern object. ! * ! * @param pattern the url pattern to match ! 
* @param constraint the SecurityConstraint associated with this pattern ! * @param resourceCollection the WebResourceCollection associated with this pattern ! * @param order the order in which this pattern occurred in the configuration file ! * @param compiler a PatternCompiler to use to compile this url pattern ! * ! * @see URLPatternFactory ! */ ! public URLPattern( ! String pattern, ! SecurityConstraint constraint, ! WebResourceCollection resourceCollection, ! int order, ! PatternCompiler compiler ! ) throws Exception { ! this.pattern = pattern; ! this.constraint = constraint; ! this.resourceCollection = resourceCollection; ! this.order = order; ! initPatternType(); ! initPathLength(); ! initConvertedPattern(); ! initCompiledPattern(compiler); ! } ! /** ! * Get the url pattern to match. ! */ ! public String getPattern() { ! return pattern; ! } ! /** ! * Get the compiled version of this pattern. ! * ! * @return compiled version of this pattern ! */ ! public Pattern getCompiledPattern() { ! return compiledPattern; ! } ! /** ! * Get the pattern type. The pattern type will be determined on the first call to this method. ! * ! * @return EXACT, PATH, or EXTENSION ! */ ! public int getPatternType() { ! return patternType; ! } ! /** ! * Get the path length of the pattern. This is only valid when getPatternType() = PATH.<p> ! * Examples: ! * <ul> ! * <li>/* = 0</li> ! * <li>/path/* = 1</li> ! * <li>/really/long/path/* = 3</li> ! * </ul> ! * ! * @return path length of this pattern ! */ ! public int getPathLength() { ! return pathLength; ! } ! /** ! * Get the SecurityConstraint object associated with this pattern. ! */ ! public SecurityConstraint getSecurityConstraint() { ! return constraint; ! } ! /** ! * Get the order value for this pattern (the order in which it appeared in the config file). ! */ ! public int getOrder() { ! return order; ! } ! /** ! * Get the WebResourceCollection associated with this pattern. ! */ ! 
public WebResourceCollection getWebResourceCollection() { ! return resourceCollection; ! } ! /** ! * Initialize the patternType protected member. ! */ ! protected void initPatternType() { ! if ("/".equals(pattern)) { ! patternType = DEFAULT_TYPE; ! } else if (pattern.startsWith("*.")) { ! patternType = EXTENSION_TYPE; ! } else if (pattern.startsWith("/") && pattern.endsWith("/*")) { ! patternType = PATH_TYPE; ! } else { ! patternType = EXACT_TYPE; ! } ! } ! /** ! * Initialize the pathLength protected member. ! */ ! protected void initPathLength() { ! pathLength = -1; ! int pos = pattern.indexOf('/'); ! while (pos != -1) { ! pathLength++; ! pos = pattern.indexOf('/', pos + 1); ! } ! } ! /** ! * Initialize the convertedPattern protected member. ! */ ! protected void initConvertedPattern() { ! if (patternType == DEFAULT_TYPE) { ! // match anything for default pattern ! convertedPattern = ".*"; ! } else { ! StringBuffer buf = new StringBuffer(pattern); ! int pos; ! // escape '.' characters ! pos = buf.toString().indexOf('.'); ! while (pos != -1) { ! buf.insert(pos, "\\"); ! pos = buf.toString().indexOf('.', pos + 2); ! } ! // replace '*' chars in the compiledPattern with '.*' ! pos = buf.toString().indexOf('*'); ! while (pos != -1) { ! buf.replace(pos, pos + 1, ".*"); ! pos = buf.toString().indexOf('*', pos + 2); ! } ! // replace '/' chars with '/+' to match one or more consecutive slashes ! // the spec hints that containers are supposed to normalize the extra slashes out, ! // but testing revealed that sometimes the extra slashes are not normalized out ! pos = buf.toString().indexOf('/'); ! while (pos != -1) { ! buf.replace(pos, pos + 1, "/+"); ! pos = buf.toString().indexOf('/', pos + 2); ! } ! // adjustments for the different expression types ! switch (patternType) { ! case PATH_TYPE: ! // make sure it matches from the start of the string ! buf.insert(0, '^'); ! // make sure /foo/* matches /foo and /foo/morestuff, but not /foobar ! buf.insert(buf.length()-4, "("); ! 
buf.append(")?$"); ! break; ! case EXTENSION_TYPE: ! buf.append('$'); ! break; ! case EXACT_TYPE: ! buf.insert(0, '^'); ! buf.append('$'); ! break; ! } ! convertedPattern = buf.toString(); ! } ! } ! /** ! * Initialize the compiledPattern protected member. ! * ! * @param compiler ! * @throws Exception ! */ ! protected void initCompiledPattern(PatternCompiler compiler) throws Exception { ! compiledPattern = compiler.compile(convertedPattern, Perl5Compiler.READ_ONLY_MASK); ! } ! /** ! * Test if this pattern is equivalent to another pattern. ! * This is implemented so that consistency with the compareTo method results can be maintained. ! * ! * @param obj the value to test equivalence with ! * @return true if the passed object is an equivalent URLPattern, false if it is not a URLPattern ! * or if it is not equivalent. ! */ ! public boolean equals(Object obj) { ! if (obj instanceof URLPattern) { ! URLPattern otherPattern = (URLPattern) obj; ! return ( ! constraint.equals(otherPattern.getSecurityConstraint()) ! && resourceCollection.equals(otherPattern.getWebResourceCollection()) ! && pattern.equals(otherPattern.getPattern()) ! ); ! } ! return false; ! } ! /** ! * Compares this URLPattern to obj to support sorting.<p> ! * ! * The sort order is dictated by the servlet spec. The ordering by type is: ! * EXACT_TYPE ! * PATH_TYPE ! * EXTENTION_TYPE ! * DEFAULT_TYPE ! * Ordering among PATH_TYPE patterns is determined by path length, with the ! * longer path coming first. If the path lengths are the same, or both patterns ! * are of the same type other than PATH_TYPE, ordering is determined by the order ! * in which the pattern appeared in the config file. ! * ! * Thanks to Chris Nokleberg for contributing code for this method. ! * ! * @param obj another URLPattern to compare to ! * ! * @return a negative integer, zero, or a positive integer as this object is ! * less than, equal to, or greater than the specified object. ! * ! 
* @exception ClassCastException thrown if obj is not a URLPattern instance ! */ ! public int compareTo(Object obj) throws ClassCastException { ! URLPattern other = (URLPattern) obj; ! // return 0 if the other pattern is equivalent to this one ! if (this.equals(other)) { ! return 0; ! } ! int c = patternType - other.patternType; ! if (c == 0) { ! switch (patternType) { ! case PATH_TYPE: ! c = other.pathLength - pathLength; ! if (c != 0) { ! break; ! } ! /* fall through */ ! case EXACT_TYPE: ! /* fall through */ ! case EXTENSION_TYPE: ! /* fall through */ ! case DEFAULT_TYPE: ! c = order - other.order; ! } ! } ! return c; ! } } --- 73,355 ---- * @version $Revision$ $Date$ */ ! public class URLPattern ! implements Comparable ! { ! /** ! * Pattern type for patterns that do not meet the specifications for the ! * other pattern types. ! */ ! public static final int EXACT_TYPE = 1; ! /** ! * Pattern type for PATH_TYPE mappings. Starts with '/' and ends with '/*'. ! */ ! public static final int PATH_TYPE = 2; ! /** ! * Pattern type for EXTENSION_TYPE mappings. Starts with '*.' ! */ ! public static final int EXTENSION_TYPE = 3; ! /** ! * Pattern type for EXTENSION_TYPE mappings. Starts with '*.' ! */ ! public static final int DEFAULT_TYPE = 4; ! protected String pattern; ! protected String convertedPattern; ! protected Pattern compiledPattern; ! protected SecurityConstraint constraint; ! protected WebResourceCollection resourceCollection; ! protected int order; ! protected int patternType; ! protected int pathLength; ! /** ! * Construct a new URLPattern object. ! * ! * @param pattern the url pattern to match ! * @param constraint the SecurityConstraint associated with this pattern ! * @param resourceCollection the WebResourceCollection associated with this pattern ! * @param order the order in which this pattern occurred in the configuration file ! * @param compiler a PatternCompiler to use to compile this url pattern ! * ! * @see URLPatternFactory ! */ ! 
public URLPattern( ! String pattern, ! SecurityConstraint constraint, ! WebResourceCollection resourceCollection, ! int order, ! PatternCompiler compiler ! ) ! throws MalformedPatternException ! { ! this.pattern = pattern; ! this.constraint = constraint; ! this.resourceCollection = resourceCollection; ! this.order = order; ! initPatternType(); ! initPathLength(); ! initConvertedPattern(); ! initCompiledPattern(compiler); ! } ! /** ! * Get the url pattern to match. ! */ ! public String getPattern() { ! return pattern; ! } ! /** ! * Get the compiled version of this pattern. ! * ! * @return compiled version of this pattern ! */ ! public Pattern getCompiledPattern() { ! return compiledPattern; ! } ! /** ! * Get the pattern type. The pattern type will be determined on the first call to this method. ! * ! * @return EXACT, PATH, or EXTENSION ! */ ! public int getPatternType() { ! return patternType; ! } ! /** ! * Get the path length of the pattern. This is only valid when getPatternType() = PATH.<p> ! * Examples: ! * <ul> ! * <li>/* = 0</li> ! * <li>/path/* = 1</li> ! * <li>/really/long/path/* = 3</li> ! * </ul> ! * ! * @return path length of this pattern ! */ ! public int getPathLength() { ! return pathLength; ! } ! /** ! * Get the SecurityConstraint object associated with this pattern. ! */ ! public SecurityConstraint getSecurityConstraint() { ! return constraint; ! } ! /** ! * Get the order value for this pattern (the order in which it appeared in the config file). ! */ ! public int getOrder() { ! return order; ! } ! /** ! * Get the WebResourceCollection associated with this pattern. ! */ ! public WebResourceCollection getWebResourceCollection() { ! return resourceCollection; ! } ! /** ! * Initialize the patternType protected member. ! */ ! protected void initPatternType() { ! if ("/".equals(pattern)) { ! patternType = DEFAULT_TYPE; ! } else if (pattern.startsWith("*.")) { ! patternType = EXTENSION_TYPE; ! 
} else if (pattern.startsWith("/") && pattern.endsWith("/*")) { ! patternType = PATH_TYPE; ! } else { ! patternType = EXACT_TYPE; ! } ! } ! /** ! * Initialize the pathLength protected member. ! */ ! protected void initPathLength() { ! pathLength = -1; ! int pos = pattern.indexOf('/'); ! while (pos != -1) { ! pathLength++; ! pos = pattern.indexOf('/', pos + 1); ! } ! } ! /** ! * Initialize the convertedPattern protected member. ! */ ! protected void initConvertedPattern() { ! if (patternType == DEFAULT_TYPE) { ! // match anything for default pattern ! convertedPattern = ".*"; ! } else { ! StringBuffer buf = new StringBuffer(pattern); ! int pos; ! // escape '.' characters ! pos = buf.toString().indexOf('.'); ! while (pos != -1) { ! buf.insert(pos, "\\"); ! pos = buf.toString().indexOf('.', pos + 2); ! } ! // replace '*' chars in the compiledPattern with '.*' ! pos = buf.toString().indexOf('*'); ! while (pos != -1) { ! buf.replace(pos, pos + 1, ".*"); ! pos = buf.toString().indexOf('*', pos + 2); ! } ! // replace '/' chars with '/+' to match one or more consecutive slashes ! // the spec hints that containers are supposed to normalize the extra slashes out, ! // but testing revealed that sometimes the extra slashes are not normalized out ! pos = buf.toString().indexOf('/'); ! while (pos != -1) { ! buf.replace(pos, pos + 1, "/+"); ! pos = buf.toString().indexOf('/', pos + 2); ! } ! // adjustments for the different expression types ! switch (patternType) { ! case PATH_TYPE: ! // make sure it matches from the start of the string ! buf.insert(0, '^'); ! // make sure /foo/* matches /foo and /foo/morestuff, but not /foobar ! buf.insert(buf.length()-4, "("); ! buf.append(")?$"); ! break; ! case EXTENSION_TYPE: ! buf.append('$'); ! break; ! case EXACT_TYPE: ! buf.insert(0, '^'); ! buf.append('$'); ! break; ! } ! convertedPattern = buf.toString(); ! } ! } ! /** ! * Initialize the compiledPattern protected member. ! * ! * @param compiler ! * ! 
* @throws MalformedPatternException If the current pattern has errors. ! */ ! protected void initCompiledPattern(PatternCompiler compiler) ! throws MalformedPatternException ! { ! compiledPattern = compiler.compile(convertedPattern, Perl5Compiler.READ_ONLY_MASK); ! } ! /** ! * Test if this pattern is equivalent to another pattern. ! * This is implemented so that consistency with the compareTo method results can be maintained. ! * ! * @param obj the value to test equivalence with ! * @return true if the passed object is an equivalent URLPattern, false if it is not a URLPattern ! * or if it is not equivalent. ! */ ! public boolean equals(Object obj) { ! if (obj instanceof URLPattern) { ! URLPattern otherPattern = (URLPattern) obj; ! return ( ! constraint.equals(otherPattern.getSecurityConstraint()) ! && resourceCollection.equals(otherPattern.getWebResourceCollection()) ! && pattern.equals(otherPattern.getPattern()) ! ); ! } ! return false; ! } ! /** ! * Compares this URLPattern to obj to support sorting.<p> ! * ! * The sort order is dictated by the servlet spec. The ordering by type is: ! * EXACT_TYPE ! * PATH_TYPE ! * EXTENTION_TYPE ! * DEFAULT_TYPE ! * Ordering among PATH_TYPE patterns is determined by path length, with the ! * longer path coming first. If the path lengths are the same, or both patterns ! * are of the same type other than PATH_TYPE, ordering is determined by the order ! * in which the pattern appeared in the config file. ! * ! * Thanks to Chris Nokleberg for contributing code for this method. ! * ! * @param obj another URLPattern to compare to ! * ! * @return a negative integer, zero, or a positive integer as this object is ! * less than, equal to, or greater than the specified object. ! * ! * @exception ClassCastException thrown if obj is not a URLPattern instance ! */ ! public int compareTo(Object obj) throws ClassCastException { ! URLPattern other = (URLPattern) obj; ! // return 0 if the other pattern is equivalent to this one ! 
if (this.equals(other)) { ! return 0; ! } ! int c = patternType - other.patternType; ! if (c == 0) { ! switch (patternType) { ! case PATH_TYPE: ! c = other.pathLength - pathLength; ! if (c != 0) { ! break; ! } ! /* fall through */ ! case EXACT_TYPE: ! /* fall through */ ! case EXTENSION_TYPE: ! /* fall through */ ! case DEFAULT_TYPE: ! c = order - other.order; ! } ! } ! return c; ! } } |
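Review bot: URLPatternMatcher now imports `org.apache.oro.text.regex.PatternCompiler`, but nothing in the class uses it (only PatternMatcher and Perl5Matcher appear), so it defeats the purpose of replacing the wildcard import with exactly the names used; drop it. The same applies in URLPattern.java, where `org.apache.oro.text.regex.PatternMatcher` is imported but not referenced anywhere in the class.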
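Review bot: URLPatternMatcher keeps a single `Perl5Matcher` in the `patternMatcher` field; ORO's Perl5Matcher stores match state in the instance and is not safe for concurrent use, so if one URLPatternMatcher is shared across request threads, `match()` needs either a matcher per call or synchronization around `patternMatcher.matches(...)`. Also `httpMethod.toUpperCase()` throws on a null method and is locale-sensitive; a null guard plus `toUpperCase(Locale.ENGLISH)` is the safer form for comparing HTTP method names.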
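Review bot: three Javadoc slips survive the reindented URLPattern block and are worth fixing in the same commit since every line is already touched: DEFAULT_TYPE is documented with the EXTENSION_TYPE text ("Starts with '*.'"), getPatternType() claims the type "will be determined on the first call to this method" although the constructor computes it via initPatternType(), and the compareTo Javadoc spells EXTENTION_TYPE.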
From: Christopher S. <chr...@us...> - 2007-11-05 18:30:24
|
Update of /cvsroot/securityfilter/securityfilter In directory sc8-pr-cvs8.sourceforge.net:/tmp/cvs-serv6396 Modified Files: properties.xml Log Message: Added main code build directory to test compile classpath so that tests can compile against main classes. Index: properties.xml =================================================================== RCS file: /cvsroot/securityfilter/securityfilter/properties.xml,v retrieving revision 1.16 retrieving revision 1.17 diff -C2 -d -r1.16 -r1.17 *** properties.xml 15 Feb 2006 08:23:52 -0000 1.16 --- properties.xml 5 Nov 2007 18:30:20 -0000 1.17 *************** *** 119,122 **** --- 119,123 ---- <path id="test-compile.classpath"> <path refid="compile.classpath"/> + <pathelement location="${build.classes.dir}" /> <pathelement location="${junit.jar}"/> <pathelement location="${httpunit.jar}"/> *************** *** 136,138 **** </filterset> ! </project> \ No newline at end of file --- 137,139 ---- </filterset> ! </project> |
From: Christopher S. <chr...@us...> - 2007-11-02 16:31:35
|
Update of /cvsroot/securityfilter/securityfilter/web/example In directory sc8-pr-cvs8.sourceforge.net:/tmp/cvs-serv24774/web/example Modified Files: loginForm.jsp Log Message: Added post-login forward capability (original patch posted to the sourceforge.net forums). Index: loginForm.jsp =================================================================== RCS file: /cvsroot/securityfilter/securityfilter/web/example/loginForm.jsp,v retrieving revision 1.2 retrieving revision 1.3 diff -C2 -d -r1.2 -r1.3 *** loginForm.jsp 15 Feb 2006 08:34:15 -0000 1.2 --- loginForm.jsp 2 Nov 2007 16:31:24 -0000 1.3 *************** *** 1,8 **** <%@ page session="false" %> <%@ page import="org.securityfilter.example.Constants"%> <html> <head> ! <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> <title><%=Constants.LOGIN_TITLE%></title> </head> --- 1,9 ---- <%@ page session="false" %> <%@ page import="org.securityfilter.example.Constants"%> + <%@ page import="org.securityfilter.authenticator.FormAuthenticator"%> <html> <head> ! <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title><%=Constants.LOGIN_TITLE%></title> </head> *************** *** 30,36 **** ><p> <input type="Submit"> </form> </body> ! 
</html> \ No newline at end of file --- 31,57 ---- ><p> + <p> + You may set these post-login forward options if you'd like:<br /> + URL: <input type="text" name="forward" /><br /> + + Method: + <input id="<%= FormAuthenticator.DEFAULT_FORWARD_MODE_PARAMETER_NAME %>-redirect" type="radio" name="<%= FormAuthenticator.DEFAULT_FORWARD_MODE_PARAMETER_NAME %>" value="redirect" /> + <label for="<%= FormAuthenticator.DEFAULT_FORWARD_MODE_PARAMETER_NAME %>-redirect">Redirect</label> + + <input id="<%= FormAuthenticator.DEFAULT_FORWARD_MODE_PARAMETER_NAME %>-forward" type="radio" name="<%= FormAuthenticator.DEFAULT_FORWARD_MODE_PARAMETER_NAME %>" value="forward" /> + <label for="<%= FormAuthenticator.DEFAULT_FORWARD_MODE_PARAMETER_NAME %>-forward">Forward</label> + <br /> + + Include parameters: + <input id="<%= FormAuthenticator.DEFAULT_FORWARD_PARAMETERS_PARAMETER_NAME %>-yes" type="radio" name="<%= FormAuthenticator.DEFAULT_FORWARD_PARAMETERS_PARAMETER_NAME %>" value="true" /> + <label for="<%= FormAuthenticator.DEFAULT_FORWARD_PARAMETERS_PARAMETER_NAME %>-yes">Yes</label> + + <input id="<%= FormAuthenticator.DEFAULT_FORWARD_PARAMETERS_PARAMETER_NAME %>-no" type="radio" name="<%= FormAuthenticator.DEFAULT_FORWARD_PARAMETERS_PARAMETER_NAME %>" value="false" /> + <label for="<%= FormAuthenticator.DEFAULT_FORWARD_PARAMETERS_PARAMETER_NAME %>-no">No</label> + </p> + <input type="Submit"> </form> </body> ! </html> |
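Review bot: the URL field is named with a literal `name="forward"` while the mode and parameters inputs use the FormAuthenticator.DEFAULT_* constants; use `<%= FormAuthenticator.DEFAULT_FORWARD_PARAMETER_NAME %>` so the example keeps working if that default changes. More importantly, this field lets the user type any destination that the authenticator will redirect or forward to after login; the example (or, better, FormAuthenticator itself) should make clear that only paths inside this application are honoured, otherwise the login page doubles as a redirector to arbitrary sites. The `iso-8859-1` to `ISO-8859-1` change in the first hunk is cosmetic and unrelated to the log message.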
From: Christopher S. <chr...@us...> - 2007-11-02 16:31:35
|
Update of /cvsroot/securityfilter/securityfilter/src/share/org/securityfilter/authenticator In directory sc8-pr-cvs8.sourceforge.net:/tmp/cvs-serv24774/src/share/org/securityfilter/authenticator Modified Files: FormAuthenticator.java Log Message: Added post-login forward capability (original patch posted to the sourceforge.net forums). Index: FormAuthenticator.java =================================================================== RCS file: /cvsroot/securityfilter/securityfilter/src/share/org/securityfilter/authenticator/FormAuthenticator.java,v retrieving revision 1.11 retrieving revision 1.12 diff -C2 -d -r1.11 -r1.12 *** FormAuthenticator.java 22 Feb 2005 11:02:16 -0000 1.11 --- FormAuthenticator.java 2 Nov 2007 16:31:24 -0000 1.12 *************** *** 67,74 **** --- 67,79 ---- import java.security.Principal; + import java.util.Enumeration; + import java.net.URLEncoder; + import java.io.UnsupportedEncodingException; + /** * FormAuthenticator - authenticator implementation for the FORM auth method. * * @author Max Cooper (ma...@ma...) + * @author Chris Schultz (ch...@ch...) * @version $Revision$ $Date$ */ *************** *** 77,80 **** --- 82,86 ---- public static final String LOGIN_SUBMIT_PATTERN_KEY = "loginSubmitPattern"; public static final String DEFAULT_LOGIN_SUBMIT_PATTERN = "/j_security_check"; + protected String loginSubmitPattern; *************** *** 94,97 **** --- 100,176 ---- protected SecurityRealmInterface realm; + + /** + * The key that will be used to look up the filter init parameter + * that specifies the "forward" parameter used for post-login forward + * requests. + * + * @see #forwardParameterName + */ + public static final String FORWARD_PARAMETER_KEY = "forwardParameter"; + + /** + * The key that will be used to look up the filter init parameter + * that specifies the "forwardMode" parameter used for post-login forward + * requests. 
+ * + * @see #forwardModeParameterName + */ + public static final String FORWARD_MODE_PARAMETER_KEY = "forwardModeParameter"; + + /** + * The key that will be used to look up the filter init parameter + * that specifies the "forwardParameters" parameter used for post-login + * forward requests. + * + * @see #forwardParametersParameterName + */ + public static final String FORWARD_PARAMETERS_PARAMETER_KEY = "forwardParametersParameter"; + + /** + * The default value for {@link #forwardParameterName}. + */ + public static final String DEFAULT_FORWARD_PARAMETER_NAME = "forward"; + /** + * The default value for {@link #forwardModeParameterName}. + */ + public static final String DEFAULT_FORWARD_MODE_PARAMETER_NAME = "forward-mode"; + /** + * The default value for {@link #forwardParametersParameterName}. + */ + public static final String DEFAULT_FORWARD_PARAMETERS_PARAMETER_NAME = "forward-parameters"; + + /** + * The name of the request parameter that will be recognized as a + * post-login forward request. + * + * @see #forwardParameterName + * @see #DEFAULT_FORWARD_PARAMETER_NAME + */ + protected String forwardParameterName; + + /** + * The name of the request parameter that will be checked for + * either "forward" or "redirect" when processing a post-login forward + * request. The default is "redirect". + * + * @see #forwardModeParameterName + * @see #DEFAULT_FORWARD_MODE_PARAMETER_NAME + */ + protected String forwardModeParameterName; + + /** + * The name of the request parameter that will be checked to see + * whether the login request's request parameters should be forwarded + * to the destination URI when processing a post-login forward request. + * The options are "true" (to forward the request parameters) or "false" + * (to forward to the destination URI with no request parameter + * pass-through. The default is "false". 
+ * + * @see #forwardParameterName + * @see #DEFAULT_FORWARD_PARAMETERS_PARAMETER_NAME + */ + protected String forwardParametersParameterName; + /** * Initilize this Authenticator. *************** *** 110,113 **** --- 189,207 ---- } + // "forward" parameter + forwardParameterName = filterConfig.getInitParameter(FORWARD_PARAMETER_KEY); + if(null == forwardParameterName) + forwardParameterName = DEFAULT_FORWARD_PARAMETER_NAME; + + // "forward-mode" parameter name + forwardModeParameterName = filterConfig.getInitParameter(FORWARD_MODE_PARAMETER_KEY); + if(null == forwardModeParameterName) + forwardModeParameterName = DEFAULT_FORWARD_MODE_PARAMETER_NAME; + + // "forward-parameters" parameter name + forwardParametersParameterName = filterConfig.getInitParameter(FORWARD_PARAMETERS_PARAMETER_KEY); + if(null == forwardParametersParameterName) + forwardParametersParameterName = DEFAULT_FORWARD_PARAMETERS_PARAMETER_NAME; + // default page defaultPage = securityConfig.getDefaultPage(); *************** *** 175,216 **** // process login form submittal if (request.getMatchableURL().endsWith(loginSubmitPattern)) { ! String username = request.getParameter(FORM_USERNAME); ! String password = request.getParameter(FORM_PASSWORD); ! Principal principal = realm instanceof FlexibleRealmInterface ? ! ((FlexibleRealmInterface) realm).authenticate(request) ! : realm.authenticate(username, password); ! if (principal != null) { ! // login successful ! // invalidate old session if the user was already authenticated, and they logged in as a different user ! if (request.getUserPrincipal() != null ! && false == request.getUserPrincipal().equals(principal)) { ! request.getSession().invalidate(); ! } ! // manage persistent login info, if persistent login management is enabled ! // and username/password are passed as part of logon ! if (persistentLoginManager != null ! && username != null && password != null) { ! String rememberme = request.getParameter(FORM_REMEMBERME); ! 
// did the user request that their login be persistent? ! if (rememberme != null) { ! // remember login ! persistentLoginManager.rememberLogin(request, response, username, password); ! } else { ! // forget login ! persistentLoginManager.forgetLogin(request, response); ! } ! } ! request.setUserPrincipal(principal); ! String continueToURL = getContinueToURL(request); ! // This is the url that the user was initially accessing before being prompted for login. ! response.sendRedirect(response.encodeRedirectURL(continueToURL)); ! } else { ! // login failed - forward to error page ! request.getRequestDispatcher(errorPage).forward(request, response); ! } ! return true; } --- 269,329 ---- // process login form submittal if (request.getMatchableURL().endsWith(loginSubmitPattern)) { ! String username = request.getParameter(FORM_USERNAME); ! String password = request.getParameter(FORM_PASSWORD); ! Principal principal = realm instanceof FlexibleRealmInterface ? ! ((FlexibleRealmInterface) realm).authenticate(request) ! : realm.authenticate(username, password); ! if (principal != null) { ! // login successful ! // invalidate old session if the user was already authenticated, and they logged in as a different user ! if (request.getUserPrincipal() != null ! && false == request.getUserPrincipal().equals(principal)) { ! request.getSession().invalidate(); ! } ! // manage persistent login info, if persistent login management is enabled ! // and username/password are passed as part of logon ! if (persistentLoginManager != null ! && username != null && password != null) { ! String rememberme = request.getParameter(FORM_REMEMBERME); ! // did the user request that their login be persistent? ! if (rememberme != null) { ! // remember login ! persistentLoginManager.rememberLogin(request, response, username, password); ! } else { ! // forget login ! persistentLoginManager.forgetLogin(request, response); ! } ! } ! request.setUserPrincipal(principal); ! ! ! Forward fwd = getForward(request); ! 
! if(fwd.redirect) ! { ! String uri = response.encodeRedirectURL(fwd.uri); ! ! // Parameters only need to be explicitly forwarded ! // when we're doing a redirect. ! if(fwd.forwardParameters) ! { ! StringBuffer q = this.getFilteredQueryString(request); ! if(null != q) ! uri += q; ! } ! ! response.sendRedirect(uri); ! } ! else ! request.getRequestDispatcher(fwd.uri). ! forward(request, response); ! } else { ! // login failed - forward to error page ! request.getRequestDispatcher(errorPage).forward(request, response); ! } ! return true; } *************** *** 325,328 **** --- 438,561 ---- return uri; } + + /** + * A class to represent information about the destination after login. + */ + private static class Forward + { + /** + * The destination URI. + */ + String uri; + + /** + * <code>true</code> if this Forward should be redirected through the + * client. + */ + boolean redirect; + + /** + * <code>true</code> if the forward should include all the parameters + * from the current request. + */ + boolean forwardParameters; + + Forward(String uri, boolean redirect, boolean forwardParameters) + { + this.uri = uri; + this.redirect = redirect; + this.forwardParameters = forwardParameters; + } + } + + /** + * Gets post-login destination information. + */ + private Forward getForward(HttpServletRequest request) + { + String uri = request.getParameter(forwardParameterName); + boolean redirect; + boolean forwardParameters; + + // Was there a request to forward somewhere else after login? + if(null != uri && 0 < uri.trim().length()) + { + // Default to redirect + redirect = !"forward".equalsIgnoreCase(request.getParameter(forwardModeParameterName)); + // Default to do-not-forward-parameters + forwardParameters = "true".equalsIgnoreCase(request.getParameter(forwardParametersParameterName)); + } + else + { + // No forward request: go to the "continue URL" which is either + // the user's original request or the default page to hit after login. 
+ uri = getContinueToURL(request); + redirect = true; + forwardParameters = false; + } + + return new Forward(uri, redirect, forwardParameters); + } + + /** + * Gets the query string that will be used when a login request + * has included a "forward" directive. We don't want to include + * username and password information in the resulting URL, so we + * re-build the query string by stripping-out the sensitive + * parameters. We also strip-out the "forward" parameter information + * because it has served its purpose. + * + * @param request The request being processed. + * + * @return A StringBuffer containing the query string (starting with '?') + * with all of the current request's parameters except for + * the username, password, and forward-related parameters. + */ + private StringBuffer getFilteredQueryString(HttpServletRequest request) + throws UnsupportedEncodingException + { + Enumeration e = request.getParameterNames(); + + StringBuffer queryString = null; + + if(e.hasMoreElements()) + { + boolean first = true; + queryString = new StringBuffer(); + + while(e.hasMoreElements()) + { + String name = (String)e.nextElement(); + + // Filter-out login-related parameters + if(!(FORM_USERNAME.equals(name) + || FORM_PASSWORD.equals(name) + || forwardParameterName.equals(name) + || forwardModeParameterName.equals(name) + || forwardParametersParameterName.equals(name))) + { + String[] values = request.getParameterValues(name); + + for(int i=0; i<values.length; ++i) + { + if(first) + { + queryString.append('?'); + first = false; + } + else + queryString.append('&'); + + queryString + .append(URLEncoder.encode(name, "UTF-8")) + .append('=') + .append(URLEncoder.encode(values[i], "UTF-8")); + } + } + } + } + + return queryString; + } } |
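Review bot: in the `processLogin` hunk (`*** 175,216 ****`), `fwd.uri` comes straight from the `forward` request parameter via `getForward` and is handed to `response.sendRedirect(...)` and to `request.getRequestDispatcher(fwd.uri).forward(...)` without any check that it names a location inside this web application. Before either call, reject absolute and protocol-relative (`//`) values, or restrict the destination to context-relative paths; otherwise a crafted login link can send a freshly authenticated user to an external site, and a server-side forward to a caller-chosen path may reach resources that the filter's URL patterns would otherwise protect. Note also that `getRequestDispatcher` returns `null` for a path the container cannot resolve, so the `forward` branch needs a null check before calling `forward`, and that `getFilteredQueryString` throws `UnsupportedEncodingException`, which the enclosing method must either declare or catch.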
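Review bot: in the `getFilteredQueryString` hunk (`*** 325,328 ****`), the exclusion list covers `FORM_USERNAME`, `FORM_PASSWORD` and the three forward-related names but not `FORM_REMEMBERME`, which the same class reads a few lines earlier, so the remember-me flag is copied into the redirect URL even though the Javadoc promises that login-related parameters are stripped; add `|| FORM_REMEMBERME.equals(name)` to the condition. The Javadoc should also state that `getParameterNames()` returns POST body parameters as well as query parameters, so with `forward-parameters=true` every field the login form posted (other than the excluded names) ends up in a GET URL, where it is visible in server logs, browser history and Referer headers. Minor: the method declares `throws UnsupportedEncodingException` for a hard-coded `"UTF-8"` that every JVM supports; catching it locally and rethrowing as an `IllegalStateException` would keep the checked exception off `processLogin`'s signature.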
From: Christopher S. <chr...@us...> - 2007-11-02 16:31:35
Update of /cvsroot/securityfilter/securityfilter/src/test/org/securityfilter/test/http/form In directory sc8-pr-cvs8.sourceforge.net:/tmp/cvs-serv24774/src/test/org/securityfilter/test/http/form Added Files: ForwardAfterLoginTest.java Log Message: Added post-login forward capability (original patch posted to the sourceforge.net forums). --- NEW FILE: ForwardAfterLoginTest.java --- /* * $Header: /cvsroot/securityfilter/securityfilter/src/test/org/securityfilter/test/http/form/ForwardAfterLoginTest.java,v 1.1 2007/11/02 16:31:24 chris_schultz Exp $ * $Revision: 1.1 $ * $Date: 2007/11/02 16:31:24 $ * * ==================================================================== * The SecurityFilter Software License, Version 1.1 * * (this license is derived and fully compatible with the Apache Software * License - see http://www.apache.org/LICENSE.txt) * * Copyright (c) 2002 SecurityFilter.org. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. The end-user documentation included with the redistribution, * if any, must include the following acknowledgment: * "This product includes software developed by * SecurityFilter.org (http://www.securityfilter.org/)." * Alternately, this acknowledgment may appear in the software itself, * if and wherever such third-party acknowledgments normally appear. * * 4. The name "SecurityFilter" must not be used to endorse or promote * products derived from this software without prior written permission. * For written permission, please contact li...@se... . * * 5. 
Products derived from this software may not be called "SecurityFilter", * nor may "SecurityFilter" appear in their name, without prior written * permission of SecurityFilter.org. * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. IN NO EVENT SHALL THE SECURITY FILTER PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * ==================================================================== */ package org.securityfilter.test.http.form; import com.meterware.httpunit.*; import junit.framework.Assert; import org.securityfilter.example.Constants; import org.securityfilter.test.http.TestBase; import org.securityfilter.authenticator.FormAuthenticator; /** * ForwardAfterLoginTest - test forward-afterlogin behavior. * * @author Chris Schultz (ch...@ch...) 
* @version $Revision: 1.1 $ $Date: 2007/11/02 16:31:24 $ */ public class ForwardAfterLoginTest extends TestBase { /** * Constructor * * @param name */ public ForwardAfterLoginTest(String name) { super(name); } public void testForwardAfterLogin() throws Exception { // request the login page WebConversation session = new WebConversation(); WebRequest request = new GetMethodWebRequest(baseUrl + "/loginForm.jsp"); WebResponse response = session.getResponse(request); // make sure the response leads us to login page assertPageTitle(Constants.LOGIN_TITLE, response); // submit valid login credentials WebForm loginForm = response.getFormWithID(Constants.LOGIN_FORM_ID); loginForm.setParameter(Constants.LOGIN_USERNAME_FIELD, Constants.VALID_USERNAME); loginForm.setParameter(Constants.LOGIN_PASSWORD_FIELD, Constants.VALID_PASSWORD); loginForm.setParameter(FormAuthenticator.DEFAULT_FORWARD_PARAMETER_NAME, "/securePage.jsp"); loginForm.setParameter(FormAuthenticator.DEFAULT_FORWARD_MODE_PARAMETER_NAME, "forward"); // Disable automatic redirection so we can detect it ourselves. 
session.getClientProperties().setAutoRedirect(false); response = session.getResponse(loginForm.getRequest()); // make sure the response leads to the default page (Home page -- index.jsp) assertPageTitle(Constants.SECURE_TITLE, response); } public void testRedirectAfterLogin() throws Exception { String contextPath = baseUrl.substring(baseUrl.lastIndexOf('/')); // request the login page WebConversation session = new WebConversation(); WebRequest request = new GetMethodWebRequest(baseUrl + "/loginForm.jsp"); WebResponse response = session.getResponse(request); // make sure the response leads us to login page assertPageTitle(Constants.LOGIN_TITLE, response); // submit valid login credentials WebForm loginForm = response.getFormWithID(Constants.LOGIN_FORM_ID); loginForm.setParameter(Constants.LOGIN_USERNAME_FIELD, Constants.VALID_USERNAME); loginForm.setParameter(Constants.LOGIN_PASSWORD_FIELD, Constants.VALID_PASSWORD); loginForm.setParameter(FormAuthenticator.DEFAULT_FORWARD_PARAMETER_NAME, contextPath + "/securePage.jsp"); loginForm.setParameter(FormAuthenticator.DEFAULT_FORWARD_MODE_PARAMETER_NAME, "redirect"); // Disable automatic redirection so we can detect it ourselves. session.getClientProperties().setAutoRedirect(false); response = session.getResponse(loginForm.getRequest()); String location = response.getHeaderField("Location"); // Remove any ";jsessionid" parameter. 
if(0 <= location.indexOf(";jsessionid=")) location = location.replaceAll(";jsessionid=[a-fA-F0-9]+", ""); // Check for correct redirect (fully-qualified URL) Assert.assertEquals(baseUrl + "/securePage.jsp", location); } public void testRedirectParametersAfterLogin() throws Exception { String contextPath = baseUrl.substring(baseUrl.lastIndexOf('/')); // request the login page WebConversation session = new WebConversation(); WebRequest request = new GetMethodWebRequest(baseUrl + FormAuthenticator.DEFAULT_LOGIN_SUBMIT_PATTERN); WebResponse response; request.setParameter(Constants.LOGIN_USERNAME_FIELD, Constants.VALID_USERNAME); request.setParameter(Constants.LOGIN_PASSWORD_FIELD, Constants.VALID_PASSWORD); request.setParameter(FormAuthenticator.DEFAULT_FORWARD_PARAMETER_NAME, contextPath + "/securePage.jsp"); request.setParameter(FormAuthenticator.DEFAULT_FORWARD_MODE_PARAMETER_NAME, "redirect"); request.setParameter(FormAuthenticator.DEFAULT_FORWARD_PARAMETERS_PARAMETER_NAME, "true"); request.setParameter("extra", "data"); // Disable automatic redirection so we can detect it ourselves. session.getClientProperties().setAutoRedirect(false); response = session.getResponse(request); String location = response.getHeaderField("Location"); // Remove any ";jsessionid" parameter. 
if(0 <= location.indexOf(";jsessionid=")) location = location.replaceAll(";jsessionid=[a-fA-F0-9]+", ""); // Check for correct redirect (fully-qualified URL) Assert.assertEquals(baseUrl + "/securePage.jsp?extra=data", location); } public void testRedirectNoParametersAfterLogin() throws Exception { String contextPath = baseUrl.substring(baseUrl.lastIndexOf('/')); // request the login page WebConversation session = new WebConversation(); WebRequest request = new GetMethodWebRequest(baseUrl + FormAuthenticator.DEFAULT_LOGIN_SUBMIT_PATTERN); WebResponse response; request.setParameter(Constants.LOGIN_USERNAME_FIELD, Constants.VALID_USERNAME); request.setParameter(Constants.LOGIN_PASSWORD_FIELD, Constants.VALID_PASSWORD); request.setParameter(FormAuthenticator.DEFAULT_FORWARD_PARAMETER_NAME, contextPath + "/securePage.jsp"); request.setParameter(FormAuthenticator.DEFAULT_FORWARD_MODE_PARAMETER_NAME, "redirect"); request.setParameter(FormAuthenticator.DEFAULT_FORWARD_PARAMETERS_PARAMETER_NAME, "false"); request.setParameter("extra", "data"); // Disable automatic redirection so we can detect it ourselves. session.getClientProperties().setAutoRedirect(false); response = session.getResponse(request); String location = response.getHeaderField("Location"); // Remove any ";jsessionid" parameter. if(0 <= location.indexOf(";jsessionid=")) location = location.replaceAll(";jsessionid=[a-fA-F0-9]+", ""); // Check for correct redirect (fully-qualified URL) Assert.assertEquals(baseUrl + "/securePage.jsp", location); } } |
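Review bot: in `testRedirectAfterLogin`, `testRedirectParametersAfterLogin` and `testRedirectNoParametersAfterLogin`, `location` is dereferenced (`location.indexOf(";jsessionid=")`) without first asserting it is non-null, so a regression that answers with a normal page instead of a redirect fails with a NullPointerException rather than a readable assertion; add `Assert.assertNotNull("Expected a redirect", location)` (and ideally an assertion on the redirect response code) before the `;jsessionid` cleanup. The comment in `testForwardAfterLogin`, `make sure the response leads to the default page (Home page -- index.jsp)`, contradicts the assertion that follows, which checks `Constants.SECURE_TITLE`; reword it to describe the forward target. Finally, every `forward` value used here is a context-relative path, so the suite says nothing about how an absolute URL is handled; a test pinning the intended behaviour would document that design decision.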
From: Christopher S. <chr...@us...> - 2007-11-01 17:36:15
Update of /cvsroot/securityfilter/securityfilter In directory sc8-pr-cvs8.sourceforge.net:/tmp/cvs-serv28000 Modified Files: build-webapps.xml Log Message: Suppressed loading of securityfilter-blank webapp during testing. Index: build-webapps.xml =================================================================== RCS file: /cvsroot/securityfilter/securityfilter/build-webapps.xml,v retrieving revision 1.11 retrieving revision 1.12 diff -C2 -d -r1.11 -r1.12 *** build-webapps.xml 15 Feb 2006 08:23:52 -0000 1.11 --- build-webapps.xml 1 Nov 2007 17:36:11 -0000 1.12 *************** *** 153,159 **** --- 153,161 ---- <target name="deploy"> <!-- deploy war files --> + <!-- <ant antfile="deploy.xml" inheritall="false" target="deploy"> <property name="webapp.name" value="${project.name}-blank"/> </ant> + --> <ant antfile="deploy.xml" inheritall="false" target="deploy"> <property name="webapp.name" value="${project.name}-example"/> *************** *** 175,181 **** --- 177,185 ---- <target name="undeploy"> <!-- undeploy webapps --> + <!-- <ant antfile="deploy.xml" inheritall="false" target="undeploy"> <property name="webapp.name" value="${project.name}-blank"/> </ant> + --> <ant antfile="deploy.xml" inheritall="false" target="undeploy"> <property name="webapp.name" value="${project.name}-example"/> |
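Review bot: commenting out the `${project.name}-blank` calls disables them for every run of the `deploy` and `undeploy` targets, not only during testing as the log message says, and the commented block carries no explanation, so a later reader cannot tell whether to restore it. Prefer guarding the two `<ant>` calls with a property (a separate target using Ant's `if`/`unless` attribute) and add an XML comment stating why the blank webapp is skipped; as committed, `undeploy` also leaves any previously deployed copy of the blank webapp in place.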
From: Max C. <max...@us...> - 2006-02-15 09:59:42
Update of /cvsroot/securityfilter/securityfilter/src/test/org/securityfilter/test/http/form In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv30618/src/test/org/securityfilter/test/http/form Added Files: NoAuthNoSessionTest.java Removed Files: NoAuthSessionTest.java Log Message: bug#1056920: renamed unit test class and method names, again --- NEW FILE: NoAuthNoSessionTest.java --- /* * $Header$ * $Revision$ * $Date$ * * ==================================================================== * The SecurityFilter Software License, Version 1.1 * * (this license is derived and fully compatible with the Apache Software * License - see http://www.apache.org/LICENSE.txt) * * Copyright (c) 2002 SecurityFilter.org. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. The end-user documentation included with the redistribution, * if any, must include the following acknowledgment: * "This product includes software developed by * SecurityFilter.org (http://www.securityfilter.org/)." * Alternately, this acknowledgment may appear in the software itself, * if and wherever such third-party acknowledgments normally appear. * * 4. The name "SecurityFilter" must not be used to endorse or promote * products derived from this software without prior written permission. * For written permission, please contact li...@se... . * * 5. Products derived from this software may not be called "SecurityFilter", * nor may "SecurityFilter" appear in their name, without prior written * permission of SecurityFilter.org. 
* * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. IN NO EVENT SHALL THE SECURITY FILTER PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * ==================================================================== */ package org.securityfilter.test.http.form; import org.securityfilter.test.http.TestBase; import com.meterware.httpunit.GetMethodWebRequest; import com.meterware.httpunit.WebRequest; /** * NoAuthNoSessionTest - Ensure that SecurityFilter does not create a session when accessing unsecured pages. * * Bug report: * http://sourceforge.net/tracker/index.php?func=detail&aid=1056920&group_id=59484&atid=491164 * * @author Max Cooper (ma...@ma...) * @version $Revision$ $Date$ */ public class NoAuthNoSessionTest extends TestBase { /** * Constructor * * @param name */ public NoAuthNoSessionTest(String name) { super(name); } /** * Test for session cookie on index page. There should be no session cookie. * * @throws Exception */ public void testNoAuthNoSessionForUnsecured() throws Exception { WebRequest request = new GetMethodWebRequest(baseUrl + "/index.jsp"); session.getResponse(request); // Check that there is no session ID String sessionId = session.getCookieValue("JSESSIONID"); assertNull("Got session for non-authenticated index page", sessionId); } /** * Test for session cookie on direct access of login page. There should be no session cookie. 
* * @throws Exception */ public void testNoAuthNoSessionForLoginPage() throws Exception { WebRequest request = new GetMethodWebRequest(baseUrl + "/loginForm.jsp"); session.getResponse(request); // Check that there is no session ID String sessionId = session.getCookieValue("JSESSIONID"); assertNull("Got session for non-authenticated login page", sessionId); } } --- NoAuthSessionTest.java DELETED --- |
From: Max C. <max...@us...> - 2006-02-15 09:55:52
Update of /cvsroot/securityfilter/securityfilter/src/test/org/securityfilter/test/http/form In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv29534/src/test/org/securityfilter/test/http/form Added Files: NoAuthSessionTest.java Removed Files: NoSessionForUnsecuredTest.java Log Message: bug#1056920: renamed unit test class and method names, improved session cookie test to look specifically for JSESSIONID cookie --- NoSessionForUnsecuredTest.java DELETED --- --- NEW FILE: NoAuthSessionTest.java --- /* * $Header$ * $Revision$ * $Date$ * * ==================================================================== * The SecurityFilter Software License, Version 1.1 * * (this license is derived and fully compatible with the Apache Software * License - see http://www.apache.org/LICENSE.txt) * * Copyright (c) 2002 SecurityFilter.org. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. The end-user documentation included with the redistribution, * if any, must include the following acknowledgment: * "This product includes software developed by * SecurityFilter.org (http://www.securityfilter.org/)." * Alternately, this acknowledgment may appear in the software itself, * if and wherever such third-party acknowledgments normally appear. * * 4. The name "SecurityFilter" must not be used to endorse or promote * products derived from this software without prior written permission. * For written permission, please contact li...@se... . * * 5. 
Products derived from this software may not be called "SecurityFilter", * nor may "SecurityFilter" appear in their name, without prior written * permission of SecurityFilter.org. * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. IN NO EVENT SHALL THE SECURITY FILTER PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * ==================================================================== */ package org.securityfilter.test.http.form; import org.securityfilter.test.http.TestBase; import com.meterware.httpunit.GetMethodWebRequest; import com.meterware.httpunit.WebRequest; /** * NoAuthSessionTest - Ensure that SecurityFilter does not create a session when accessing unsecured pages. * * Bug report: * http://sourceforge.net/tracker/index.php?func=detail&aid=1056920&group_id=59484&atid=491164 * * @author Max Cooper (ma...@ma...) * @version $Revision$ $Date$ */ public class NoAuthSessionTest extends TestBase { /** * Constructor * * @param name */ public NoAuthSessionTest(String name) { super(name); } /** * Test for session cookie on index page. There should be no session cookie. 
* * @throws Exception */ public void testNoAuthSessionForUnsecured() throws Exception { WebRequest request = new GetMethodWebRequest(baseUrl + "/index.jsp"); session.getResponse(request); // Check that there is no session ID String sessionId = session.getCookieValue("JSESSIONID"); assertNull("Got session for non-authenticated index page", sessionId); } /** * Test for session cookie on direct access of login page. There should be no session cookie. * * @throws Exception */ public void testNoAuthSessionForLoginPage() throws Exception { WebRequest request = new GetMethodWebRequest(baseUrl + "/loginForm.jsp"); session.getResponse(request); // Check that there is no session ID String sessionId = session.getCookieValue("JSESSIONID"); assertNull("Got session for non-authenticated login page", sessionId); } } |
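Review bot: checking `session.getCookieValue("JSESSIONID")` is more targeted than counting all new cookies, but it only detects cookie-based session tracking under the default cookie name; a container configured with a different session cookie name, or one that falls back to URL rewriting, would not be caught. Consider additionally asserting that the response body contains no `;jsessionid=` in its links. Both methods also rely on `session` from `TestBase` starting without cookies; if `TestBase` reuses one `WebConversation` across test methods, a session created by an earlier test would leak in, so the base class should create a fresh conversation in `setUp`.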
From: Max C. <max...@us...> - 2006-02-15 08:48:34
Update of /cvsroot/securityfilter/securityfilter/conf/share In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv9974/conf/share Modified Files: MANIFEST.MF Log Message: changed the Specification-Version to match the project version, with a replacable token Index: MANIFEST.MF =================================================================== RCS file: /cvsroot/securityfilter/securityfilter/conf/share/MANIFEST.MF,v retrieving revision 1.12 retrieving revision 1.13 diff -C2 -d -r1.12 -r1.13 *** MANIFEST.MF 5 May 2003 11:39:03 -0000 1.12 --- MANIFEST.MF 15 Feb 2006 08:48:27 -0000 1.13 *************** *** 3,7 **** Specification-Title: Security Filter Specification-Vendor: SecurityFilter.org ! Specification-Version: 1.1 Implementation-Title: Security Filter Implementation-Vendor: SecurityFilter.org --- 3,7 ---- Specification-Title: Security Filter Specification-Vendor: SecurityFilter.org ! Specification-Version: @PROJECT.VERSION@ Implementation-Title: Security Filter Implementation-Vendor: SecurityFilter.org |
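Review bot: replacing the literal `1.1` with `@PROJECT.VERSION@` only works if the build copies `MANIFEST.MF` through an Ant `<filterset>` that substitutes that token; that build change is not part of this diff, so please confirm it exists and add a build-time check, otherwise the jar ships with the literal string `@PROJECT.VERSION@` as its `Specification-Version`. If the file also carries an `Implementation-Version` line outside this hunk, it should receive the same token so the two versions cannot drift apart.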
From: Max C. <max...@us...> - 2006-02-15 08:34:23
Update of /cvsroot/securityfilter/securityfilter/web/rememberme In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv6017/web/rememberme Modified Files: loginForm.jsp Log Message: bug#1056920: added another unit test to ensure that directly requesting the login form page does not create a session Index: loginForm.jsp =================================================================== RCS file: /cvsroot/securityfilter/securityfilter/web/rememberme/loginForm.jsp,v retrieving revision 1.1 retrieving revision 1.2 diff -C2 -d -r1.1 -r1.2 *** loginForm.jsp 26 Jan 2004 10:53:49 -0000 1.1 --- loginForm.jsp 15 Feb 2006 08:34:15 -0000 1.2 *************** *** 1,2 **** --- 1,3 ---- + <%@ page session="false" %> <%@ page import="org.securityfilter.example.Constants"%> |
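Review bot: `<%@ page session="false" %>` stops the JSP engine from creating a session implicitly, which is the right fix for the bug referenced in the log message, but it deserves a one-line comment in the file because of two side effects: the `session` implicit object is no longer available to scriptlets on this page, and any tag or included fragment that calls `request.getSession()` will still create a session, so the guarantee covers only this page's own generated code. The log message describes the added unit test rather than this change; the directive is what lets that test pass, and saying so in the message of this and the three sibling `loginForm.jsp` commits would make the history easier to follow.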
From: Max C. <max...@us...> - 2006-02-15 08:34:22
Update of /cvsroot/securityfilter/securityfilter/web/flexible-example In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv6017/web/flexible-example Modified Files: loginForm.jsp Log Message: bug#1056920: added another unit test to ensure that directly requesting the login form page does not create a session Index: loginForm.jsp =================================================================== RCS file: /cvsroot/securityfilter/securityfilter/web/flexible-example/loginForm.jsp,v retrieving revision 1.1 retrieving revision 1.2 diff -C2 -d -r1.1 -r1.2 *** loginForm.jsp 22 Feb 2005 12:26:11 -0000 1.1 --- loginForm.jsp 15 Feb 2006 08:34:15 -0000 1.2 *************** *** 1,2 **** --- 1,3 ---- + <%@ page session="false" %> <%@ page import="org.securityfilter.example.Constants"%> |
From: Max C. <max...@us...> - 2006-02-15 08:34:22
Update of /cvsroot/securityfilter/securityfilter/web/catalina-example In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv6017/web/catalina-example Modified Files: loginForm.jsp Log Message: bug#1056920: added another unit test to ensure that directly requesting the login form page does not create a session Index: loginForm.jsp =================================================================== RCS file: /cvsroot/securityfilter/securityfilter/web/catalina-example/loginForm.jsp,v retrieving revision 1.1 retrieving revision 1.2 diff -C2 -d -r1.1 -r1.2 *** loginForm.jsp 26 Jan 2004 11:04:02 -0000 1.1 --- loginForm.jsp 15 Feb 2006 08:34:14 -0000 1.2 *************** *** 1,2 **** --- 1,3 ---- + <%@ page session="false" %> <%@ page import="org.securityfilter.example.Constants"%> |
From: Max C. <max...@us...> - 2006-02-15 08:34:22
Update of /cvsroot/securityfilter/securityfilter/web/example In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv6017/web/example Modified Files: loginForm.jsp Log Message: bug#1056920: added another unit test to ensure that directly requesting the login form page does not create a session Index: loginForm.jsp =================================================================== RCS file: /cvsroot/securityfilter/securityfilter/web/example/loginForm.jsp,v retrieving revision 1.1 retrieving revision 1.2 diff -C2 -d -r1.1 -r1.2 *** loginForm.jsp 26 Jan 2004 11:04:20 -0000 1.1 --- loginForm.jsp 15 Feb 2006 08:34:15 -0000 1.2 *************** *** 1,2 **** --- 1,3 ---- + <%@ page session="false" %> <%@ page import="org.securityfilter.example.Constants"%> |
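Review bot: this is the fourth copy of the same one-line change (rememberme, flexible-example, catalina-example, example), which shows that the no-session guarantee for the login page lives in each example's JSP rather than in the filter itself; a short comment next to the directive naming why it is there (bug#1056920) would keep a future example webapp, or anyone who copies loginForm.jsp as a template, from dropping it and silently reintroducing the session cookie.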
From: Max C. <max...@us...> - 2006-02-15 08:34:22
Update of /cvsroot/securityfilter/securityfilter/src/test/org/securityfilter/test/http/form In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv6017/src/test/org/securityfilter/test/http/form Modified Files: NoSessionForUnsecuredTest.java Log Message: bug#1056920: added another unit test to ensure that directly requesting the login form page does not create a session Index: NoSessionForUnsecuredTest.java =================================================================== RCS file: /cvsroot/securityfilter/securityfilter/src/test/org/securityfilter/test/http/form/NoSessionForUnsecuredTest.java,v retrieving revision 1.1 retrieving revision 1.2 diff -C2 -d -r1.1 -r1.2 *** NoSessionForUnsecuredTest.java 14 Feb 2006 09:28:28 -0000 1.1 --- NoSessionForUnsecuredTest.java 15 Feb 2006 08:34:14 -0000 1.2 *************** *** 94,96 **** --- 94,110 ---- assertEquals("Number of cookies should be 0.", 0, cookieNames.length); } + + /** + * Test for session cookie on index page. There should be no session cookie. + * + * @throws Exception + */ + public void testNoSessionForLoginPage() throws Exception { + + WebRequest request = new GetMethodWebRequest(baseUrl + "/loginForm.jsp"); + WebResponse response = session.getResponse(request); + + String[] cookieNames = response.getNewCookieNames(); + assertEquals("Number of cookies should be 0.", 0, cookieNames.length); + } } |
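Review bot: the Javadoc on the added testNoSessionForLoginPage() is copied from testNoSessionForUnsecured() and still reads "Test for session cookie on index page", while the request is for `/loginForm.jsp`; change it to say login page so a failure report describes the right case. On the assertion itself, `getNewCookieNames()` only detects cookie-based session tracking, so the test would still pass if the container fell back to URL rewriting and put a `;jsessionid=` into links in the response body; if that case matters, also assert that the body contains no `jsessionid`.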
From: Max C. <max...@us...> - 2006-02-15 08:24:01
Update of /cvsroot/securityfilter/securityfilter In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv2696 Modified Files: HISTORY build-webapps.xml build.xml deploy.xml properties.xml Log Message: use Ant import task instead of XML entity inclusion for shared properties in build files Index: properties.xml =================================================================== RCS file: /cvsroot/securityfilter/securityfilter/properties.xml,v retrieving revision 1.15 retrieving revision 1.16 diff -C2 -d -r1.15 -r1.16 *** properties.xml 22 Feb 2005 10:55:44 -0000 1.15 --- properties.xml 15 Feb 2006 08:23:52 -0000 1.16 *************** *** 11,14 **** --- 11,15 ---- --> + <project name="Properties file for securityfilter" default=""> <!-- ========== Local/User Properties ============================================================================== --> *************** *** 135,136 **** --- 136,138 ---- </filterset> + </project> \ No newline at end of file Index: build.xml =================================================================== RCS file: /cvsroot/securityfilter/securityfilter/build.xml,v retrieving revision 1.22 retrieving revision 1.23 diff -C2 -d -r1.22 -r1.23 *** build.xml 22 Feb 2005 11:02:07 -0000 1.22 --- build.xml 15 Feb 2006 08:23:52 -0000 1.23 *************** *** 7,18 **** --> - <!DOCTYPE project [ - <!ENTITY properties SYSTEM "file:./properties.xml"> - ]> - <project name="securityfilter" default="default"> ! <!-- import common properties --> ! &properties; <!-- ========== Default Target ================================================================================== --> --- 7,14 ---- --> ! <project name="securityfilter" default="default"> ! 
<import file="properties.xml"/> <!-- ========== Default Target ================================================================================== --> Index: build-webapps.xml =================================================================== RCS file: /cvsroot/securityfilter/securityfilter/build-webapps.xml,v retrieving revision 1.10 retrieving revision 1.11 diff -C2 -d -r1.10 -r1.11 *** build-webapps.xml 22 Feb 2005 11:02:04 -0000 1.10 --- build-webapps.xml 15 Feb 2006 08:23:52 -0000 1.11 *************** *** 7,18 **** --> - <!DOCTYPE project [ - <!ENTITY properties SYSTEM "file:./properties.xml"> - ]> - <project name="securityfilter-webapps" default="build"> ! ! <!-- import common properties --> ! &properties; <!-- import ant-contrib tasks --> --- 7,12 ---- --> <project name="securityfilter-webapps" default="build"> ! <import file="properties.xml"/> <!-- import ant-contrib tasks --> Index: deploy.xml =================================================================== RCS file: /cvsroot/securityfilter/securityfilter/deploy.xml,v retrieving revision 1.5 retrieving revision 1.6 diff -C2 -d -r1.5 -r1.6 *** deploy.xml 8 Jun 2003 12:40:07 -0000 1.5 --- deploy.xml 15 Feb 2006 08:23:52 -0000 1.6 *************** *** 7,17 **** --> - <!DOCTYPE project [ - <!ENTITY properties SYSTEM "file:./properties.xml"> - ]> - <project name="Generic Tomcat Webapp Deployment" default="deploy"> ! &properties; <target name="deploy"> --- 7,13 ---- --> <project name="Generic Tomcat Webapp Deployment" default="deploy"> ! 
<import file="./properties.xml" /> <target name="deploy"> Index: HISTORY =================================================================== RCS file: /cvsroot/securityfilter/securityfilter/HISTORY,v retrieving revision 1.30 retrieving revision 1.31 diff -C2 -d -r1.30 -r1.31 *** HISTORY 14 Feb 2006 09:28:28 -0000 1.30 --- HISTORY 15 Feb 2006 08:23:52 -0000 1.31 *************** *** 14,17 **** --- 14,24 ---- Changes since the last release: =============================== + + * Fixed issue where SecurityFilter was creating a uneccessarily session for unsecured pages, + including the addition of an automated test: + http://sourceforge.net/tracker/index.php?func=detail&aid=1056920&group_id=59484&atid=491164 + + * Used ant import task in build files instead of entity inclusion + * Fixed form-based login HTTP response code (was 401, now 200), including an automated test: http://sourceforge.net/tracker/index.php?func=detail&aid=935921&group_id=59484&atid=491164 *************** *** 24,31 **** methods to put the expected value first. - * Fixed issue where SecurityFilter was creating a uneccessarily session for unsecured pages, - including the addition of an automated test: - http://sourceforge.net/tracker/index.php?func=detail&aid=1056920&group_id=59484&atid=491164 - Release 2.0, 2004-Dec-13 --- 31,34 ---- |
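Review bot: in the properties.xml hunk, the file now has to be a complete Ant project for `<import>` to accept it, which the added `<project name="Properties file for securityfilter" default="">` does, but an empty `default` attribute looks like an oversight; a comment above the element saying the file is import-only and never run on its own would explain the empty value. The closing `</project>` is also added without a trailing newline (the diff shows "\ No newline at end of file"); add one so later diffs of this file stay clean.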
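Review bot: the three `<import>` lines in build.xml, build-webapps.xml and deploy.xml are not written the same way: two use `<import file="properties.xml"/>` and deploy.xml uses `<import file="./properties.xml" />`; pick one form. Worth a sentence in HISTORY as well: `<import>` resolves a relative `file` against the directory of the importing build file rather than against `${basedir}`, so the build no longer depends on how the XML parser resolved the removed `file:./properties.xml` entity URI. Dropping the `<!DOCTYPE project [...]>` with its SYSTEM entity also means the build files no longer rely on the XML parser fetching an external entity at parse time, which is the safer default.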
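Review bot: the HISTORY entry moved to the top of "Changes since the last release" still carries the typo from its original position: "creating a uneccessarily session" should read "unnecessarily creating a session" (or "creating an unnecessary session"); since the text is being touched anyway, fix it in the same commit. The new "Used ant import task" bullet could also name the files affected (build.xml, build-webapps.xml, deploy.xml, properties.xml), since anyone with local copies of these build files will need to make the same change.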
From: Max C. <max...@us...> - 2006-02-14 09:28:36
Update of /cvsroot/securityfilter/securityfilter/src/test/org/securityfilter/test/http/form In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv18538/src/test/org/securityfilter/test/http/form Added Files: NoSessionForUnsecuredTest.java Log Message: bug#1056920: unsecured URLs get session objects - unit test and fix --- NEW FILE: NoSessionForUnsecuredTest.java --- /* * $Header$ * $Revision$ * $Date$ * * ==================================================================== * The SecurityFilter Software License, Version 1.1 * * (this license is derived and fully compatible with the Apache Software * License - see http://www.apache.org/LICENSE.txt) * * Copyright (c) 2002 SecurityFilter.org. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. The end-user documentation included with the redistribution, * if any, must include the following acknowledgment: * "This product includes software developed by * SecurityFilter.org (http://www.securityfilter.org/)." * Alternately, this acknowledgment may appear in the software itself, * if and wherever such third-party acknowledgments normally appear. * * 4. The name "SecurityFilter" must not be used to endorse or promote * products derived from this software without prior written permission. * For written permission, please contact li...@se... . * * 5. Products derived from this software may not be called "SecurityFilter", * nor may "SecurityFilter" appear in their name, without prior written * permission of SecurityFilter.org. 
* * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. IN NO EVENT SHALL THE SECURITY FILTER PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * ==================================================================== */ package org.securityfilter.test.http.form; import org.securityfilter.test.http.TestBase; import com.meterware.httpunit.GetMethodWebRequest; import com.meterware.httpunit.WebRequest; import com.meterware.httpunit.WebResponse; /** * NoSessionForUnsecuredTest - Ensure that SecurityFilter does not create a session when accessing unsecured pages. * * Bug report: * http://sourceforge.net/tracker/index.php?func=detail&aid=1056920&group_id=59484&atid=491164 * * @author Max Cooper (ma...@ma...) * @version $Revision$ $Date$ */ public class NoSessionForUnsecuredTest extends TestBase { /** * Constructor * * @param name */ public NoSessionForUnsecuredTest(String name) { super(name); } /** * Test for session cookie on index page. There should be no session cookie. * * @throws Exception */ public void testNoSessionForUnsecured() throws Exception { WebRequest request = new GetMethodWebRequest(baseUrl + "/index.jsp"); WebResponse response = session.getResponse(request); String[] cookieNames = response.getNewCookieNames(); assertEquals("Number of cookies should be 0.", 0, cookieNames.length); } } |
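Review bot: the log message says "unit test and fix", but this mail only adds the test; the filter-side fix is not under this directory, so a reviewer has to locate the matching SecurityFilter commit to see the actual change, and the log message should say which file carries it. On the test itself, the single check is the count of new cookies from `getNewCookieNames()`, which catches the reported symptom (a session cookie on an unsecured page) but nothing else; adding `assertEquals(200, response.getResponseCode())` before the cookie assertion would make sure a passing test means index.jsp was served, rather than the request ending in an error or redirect that also happened to set no cookie.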