Update of /cvsroot/securityfilter/securityfilter/src/test/org/securityfilter/test/config
In directory sc8-pr-cvs8.sourceforge.net:/tmp/cvs-serv30079/src/test/org/securityfilter/test/config
Added Files:
UserDataConfigTest.java
Log Message:
Added support for <user-data-constraint>, specifically <transport-guarantee>.
--- NEW FILE: UserDataConfigTest.java ---
/*
* $Header: /cvsroot/securityfilter/securityfilter/src/test/org/securityfilter/test/config/UserDataConfigTest.java,v 1.1 2007/11/07 17:22:38 chris_schultz Exp $
* $Revision: 1.1 $
* $Date: 2007/11/07 17:22:38 $
*
* ====================================================================
* The SecurityFilter Software License, Version 1.1
*
* (this license is derived and fully compatible with the Apache Software
* License - see http://www.apache.org/LICENSE.txt)
*
* Copyright (c) 2007 SecurityFilter.org. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. The end-user documentation included with the redistribution,
* if any, must include the following acknowledgment:
* "This product includes software developed by
* SecurityFilter.org (http://www.securityfilter.org/)."
* Alternately, this acknowledgment may appear in the software itself,
* if and wherever such third-party acknowledgments normally appear.
*
* 4. The name "SecurityFilter" must not be used to endorse or promote
* products derived from this software without prior written permission.
* For written permission, please contact li...@se... .
*
* 5. Products derived from this software may not be called "SecurityFilter",
* nor may "SecurityFilter" appear in their name, without prior written
* permission of SecurityFilter.org.
*
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL THE SECURITY FILTER PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
* USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
* ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
* ====================================================================
*/
package org.securityfilter.test.config;
import java.io.StringReader;
import java.lang.reflect.Proxy;
import java.lang.reflect.Method;
import java.lang.reflect.InvocationHandler;
import java.net.MalformedURLException;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import org.xml.sax.InputSource;
import junit.framework.Assert;
import junit.framework.TestCase;
import org.securityfilter.filter.SecurityFilter;
import org.securityfilter.config.SecurityConfig;
import org.securityfilter.config.SecurityConstraint;
import org.securityfilter.config.UserDataConstraint;
import javax.servlet.FilterConfig;
import java.util.Enumeration;
import javax.servlet.ServletContext;
/**
* UserDataConfigTest - tests to see that the transport guarantee
* configuration has been loaded correctly.
*
* @author Chris Schultz (ch...@ch...)
* @version $Revision: 1.1 $ $Date: 2007/11/07 17:22:38 $
*/
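public class UserDataConfigTest
    extends TestCase
{
    /**
     * Start of every configuration fixture: XML declaration, DOCTYPE and one
     * security-constraint opened up to the end of its auth-constraint.
     *
     * NOTE(review): the DOCTYPE names the DTD by a plain-http system
     * identifier. Whether the parser resolves it from a bundled copy or
     * fetches it is not visible in this file; confirm it is resolved
     * locally, so the tests neither need the network nor trust an
     * unauthenticated download.
     */
    private static final String CONFIG_PREFIX =
        "<?xml version=\"1.0\" encoding=\"UTF-8\" ?>\n"
        + "\n"
        + "<!DOCTYPE securityfilter-config PUBLIC\n"
        + " \""
        + "-//SecurityFilter.org//DTD Security Filter Configuration 2.0//EN"
        + "\"\n"
        + " \""
        + "http://www.securityfilter.org/dtd/securityfilter-config_2_0.dtd"
        + "\">"
        + "<securityfilter-config>"
        + "\n"
        + " <security-constraint>"
        + " <web-resource-collection>"
        + " <web-resource-name>Secure Page</web-resource-name>"
        + " <url-pattern>/securePage.jsp</url-pattern>"
        + " </web-resource-collection>"
        + " <auth-constraint>"
        + " <role-name>inthisrole</role-name>"
        + " </auth-constraint>";

    /**
     * End of every configuration fixture: closes the security-constraint and
     * adds the login-config and realm elements.
     */
    private static final String CONFIG_SUFFIX =
        " </security-constraint>"
        + "\n"
        + " <login-config>"
        + " <auth-method>BASIC</auth-method>"
        + " </login-config>"
        + "\n"
        + " <realm className=\"org.securityfilter.realm.catalina.CatalinaRealmAdapter\">"
        + " </realm>"
        + "\n"
        + "</securityfilter-config>";

    public UserDataConfigTest(String name)
    {
        super(name);
    }

    /**
     * Builds a fixture whose single security-constraint carries a
     * user-data-constraint with the given transport-guarantee text.
     *
     * @param guaranteeText the exact character content placed between the
     *        transport-guarantee tags, including any surrounding whitespace
     * @return the complete configuration document as a string
     */
    private static String configWithTransportGuarantee(String guaranteeText)
    {
        return CONFIG_PREFIX
            + " <user-data-constraint>"
            + " <description>The user data constraint</description>"
            + " <transport-guarantee>" + guaranteeText + "</transport-guarantee>"
            + " </user-data-constraint>"
            + CONFIG_SUFFIX;
    }

    /**
     * Loads the given configuration and returns its only security constraint.
     * Fails the calling test unless exactly one constraint was loaded.
     *
     * @param config the configuration document to parse
     * @return the single SecurityConstraint found in the configuration
     * @throws Exception if loading the configuration fails
     */
    private static SecurityConstraint loadSingleConstraint(String config)
        throws Exception
    {
        // NOTE(review): the boolean argument is presumably the "validate"
        // switch -- confirm against SecurityConfig.
        SecurityConfig securityConfig = new SecurityConfig(true);
        securityConfig.loadConfig(new InputSource(new StringReader(config)));

        List constraints = securityConfig.getSecurityConstraints();
        Assert.assertNotNull("Should have some security constraints",
                             constraints);
        Assert.assertEquals("Should have 1 security constraint.",
                            1,
                            constraints.size());

        return (SecurityConstraint)constraints.get(0);
    }

    /**
     * A security-constraint without a user-data-constraint element must load
     * with no UserDataConstraint attached.
     */
    public void testNoUserDataConstraint()
        throws Exception
    {
        SecurityConstraint constraint
            = loadSingleConstraint(CONFIG_PREFIX + CONFIG_SUFFIX);

        Assert.assertNull("Should not have a UserDataConstraint",
                          constraint.getUserDataConstraint());
    }

    //
    // Coverage note: the transport-guarantee tests below only assert the
    // NONE value. The stricter values of the servlet deployment descriptor
    // (INTEGRAL, CONFIDENTIAL) are not exercised in this class, and the
    // rejection test for an unknown value is disabled, so a parser that
    // mapped every value to NONE would still pass here.
    //

    /**
     * A transport-guarantee of NONE must be reported as
     * UserDataConstraint.TRANSPORT_GUARANTEE_NONE.
     */
    public void testTransportGuaranteeNone()
        throws Exception
    {
        SecurityConstraint constraint
            = loadSingleConstraint(configWithTransportGuarantee("NONE"));

        Assert.assertNotNull("Should have a UserDataConstraint",
                             constraint.getUserDataConstraint());
        Assert.assertEquals("Incorrect transport-guarantee",
                            UserDataConstraint.TRANSPORT_GUARANTEE_NONE,
                            constraint.getUserDataConstraint()
                            .getTransportGuarantee());
    }

    /**
     * Whitespace around the transport-guarantee value must be ignored:
     * " NONE " is still reported as TRANSPORT_GUARANTEE_NONE.
     */
    public void testTransportGuaranteeNoneExtraSpaces()
        throws Exception
    {
        SecurityConstraint constraint
            = loadSingleConstraint(configWithTransportGuarantee(" NONE "));

        Assert.assertNotNull("Should have a UserDataConstraint",
                             constraint.getUserDataConstraint());
        Assert.assertEquals("Incorrect transport-guarantee",
                            UserDataConstraint.TRANSPORT_GUARANTEE_NONE,
                            constraint.getUserDataConstraint()
                            .getTransportGuarantee());
    }

    /**
     * An unrecognised transport-guarantee value must make loading fail with
     * a SAXParseException.
     *
     * DISABLED: the leading underscore keeps this method out of JUnit's
     * "test*" discovery, so it never runs.
     * NOTE(review): the reason it was disabled is not recorded in this file.
     * Until it runs, nothing here checks that a mistyped transport-guarantee
     * is rejected instead of being accepted and treated as a weaker
     * guarantee.
     */
    public void _testInvalidTransportGuarantee()
        throws Exception
    {
        String config = configWithTransportGuarantee("INVALID");

        SecurityConfig securityConfig = new SecurityConfig(true);

        try
        {
            securityConfig.loadConfig(new InputSource(new StringReader(config)));

            Assert.fail("INVALID transport guarantee should have failed.");
        }
        catch (org.xml.sax.SAXParseException expected)
        {
            // Expected behavior: the invalid value was rejected.
        }
    }

    //
    // Make sure that the getSecureURL method is working.
    //

    /**
     * Feeds SecurityFilter.getSecureURL a stub request built from the given
     * URL and returns the URL the filter produces.
     *
     * The stub answers only getServerName, getRequestURI and getQueryString
     * (host, path and query of the given URL); any other call on the request
     * throws IllegalStateException. The scheme and port of the given URL are
     * therefore never visible to the filter.
     *
     * NOTE(review): the host in the result comes from getServerName, which in
     * a real container usually reflects the client-supplied Host header.
     * These tests use a fixed host; they do not show how the filter treats an
     * unexpected server name -- confirm that at the deployment level.
     *
     * @param url the URL whose host, path and query the stub request reports
     * @return the value returned by SecurityFilter.getSecureURL
     * @throws MalformedURLException if the given URL cannot be parsed
     */
    private String getSecureURL(String url)
        throws MalformedURLException, javax.servlet.ServletException
    {
        // TODO: This method is /horrible/. We should be using mock objects
        // instead of monkeying-around with Proxies and stuff.
        final java.net.URL parsed = new java.net.URL(url);

        InvocationHandler requestStub = new InvocationHandler() {
                public Object invoke(Object proxy,
                                     Method method,
                                     Object[] args)
                {
                    String called = method.getName();

                    if("getServerName".equals(called))
                    {
                        return parsed.getHost();
                    }
                    if("getRequestURI".equals(called))
                    {
                        return parsed.getPath();
                    }
                    if("getQueryString".equals(called))
                    {
                        return parsed.getQuery();
                    }

                    // Fail loudly so a new dependency on the request is
                    // noticed instead of silently returning null.
                    throw new IllegalStateException("Unexpected call to: "+ method);
                }
            };

        HttpServletRequest request = (HttpServletRequest)Proxy
            .newProxyInstance(this.getClass().getClassLoader(),
                              new Class[] { HttpServletRequest.class },
                              requestStub);

        // The anonymous subclass re-declares getSecureURL as public so the
        // test can call it directly.
        SecurityFilter filter = new SecurityFilter()
            {
                public String getSecureURL(HttpServletRequest request)
                {
                    return super.getSecureURL(request);
                }
            };

        return filter.getSecureURL(request);
    }

    /** An http URL with a query string comes back with the https scheme. */
    public void testGetSecureURL()
        throws Exception
    {
        String url = "http://www.foo.com/path/resource?query=string&foo=bar";
        String expected = url.replace("http://", "https://");

        Assert.assertEquals(expected, getSecureURL(url));
    }

    /** A URL that is already https comes back unchanged. */
    public void testGetSecureURL_AlreadySecure()
        throws Exception
    {
        String url = "https://www.foo.com/path/resource?query=string&foo=bar";

        Assert.assertEquals(url, getSecureURL(url));
    }

    /**
     * An explicit port on the original URL does not appear in the secure
     * URL; the result carries no port at all.
     */
    public void testGetSecureURL_Port()
        throws Exception
    {
        String url = "http://www.foo.com:42/path/resource?query=string&foo=bar";
        String expected = url.replace("http://", "https://")
            .replace(":42", "");

        Assert.assertEquals(expected, getSecureURL(url));
    }

    /** A URL without a query string gets no trailing "?" in the result. */
    public void testGetSecureURL_NoQueryString()
        throws Exception
    {
        String url = "http://www.foo.com:42/path/resource";
        String expected = url.replace("http://", "https://")
            .replace(":42", "");

        Assert.assertEquals(expected, getSecureURL(url));
    }

    /** A URL with a port but an empty path yields just scheme and host. */
    public void testGetSecureURL_NoSlash()
        throws Exception
    {
        String url = "http://www.foo.com:42";
        String expected = url.replace("http://", "https://")
            .replace(":42", "");

        Assert.assertEquals(expected, getSecureURL(url));
    }

    /** A bare host with neither port nor path yields just scheme and host. */
    public void testGetSecureURL_NoPortNoSlash()
        throws Exception
    {
        String url = "http://www.foo.com";
        String expected = url.replace("http://", "https://");

        Assert.assertEquals(expected, getSecureURL(url));
    }
}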