craigmcc 01/03/26 12:04:41
Modified: tester/src/bin tester.xml
tester/web/WEB-INF web.xml
Added: tester/src/tester/org/apache/tester Authentication03.java
Log:
Add a new unit test to validate correct behavior of isUserInRole() for
three circumstances:
* Role name mapped directly to a user --> true
* Role name specified in a <security-role-ref> element for a role name
mapped directly to a user --> true
* Role name not mapped to a user --> false
PR: Bugzilla #1086
Submitted by: [EMAIL PROTECTED]
Revision Changes Path
1.24 +33 -22 jakarta-tomcat-4.0/tester/src/bin/tester.xml
Index: tester.xml
===================================================================
RCS file: /home/cvs/jakarta-tomcat-4.0/tester/src/bin/tester.xml,v
retrieving revision 1.23
retrieving revision 1.24
diff -u -r1.23 -r1.24
--- tester.xml 2001/03/21 20:28:24 1.23
+++ tester.xml 2001/03/26 20:04:37 1.24
@@ -12,7 +12,7 @@
<taskdef name="tester" classname="org.apache.tester.TestClient"/>
- <target name="all"
depends="ROOT,CaseSensitive,ErrorPage,Jndi,RequestDispatcher,Resources,ServletRequest,ServletResponse,HttpSession,XercesTest"/>
+ <target name="all"
depends="ROOT,Authentication,CaseSensitive,ErrorPage,Jndi,RequestDispatcher,Resources,ServletRequest,ServletResponse,HttpSession,XercesTest"/>
<target name="ROOT">
@@ -37,6 +37,38 @@
</target>
+ <target name="Authentication">
+
+ <!-- ========== Authentication ======================================== -->
+
+ <!-- Once a user has been authenticated, the corresponding user identity
+ should be visible to all other requests in this web application, even
+ for URIs that are not protected by security constraints. This is
+ tested by invoking a protected URI followed by a non-protected URI
+ -->
+
+ <tester host="${host}" port="${port}" protocol="${protocol}"
+ debug="${debug}"
+ request="${context.path}/protected/Authentication01"
+ inHeaders="Authorization:Basic dG9tY2F0OnRvbWNhdA=="
+ outContent="Authentication01 PASSED"/>
+
+ <tester host="${host}" port="${port}" protocol="${protocol}"
+ debug="${debug}"
+ request="${context.path}/protected/Authentication02"
+ inHeaders="Authorization:Basic dG9tY2F0OnRvbWNhdA=="
+ outContent="Authentication02 PASSED"/>
+
+ <!-- Test isUserInRole() on actual role and on an alias -->
+ <tester host="${host}" port="${port}" protocol="${protocol}"
+ debug="${debug}"
+ request="${context.path}/protected/Authentication03"
+ inHeaders="Authorization:Basic dG9tY2F0OnRvbWNhdA=="
+ outContent="Authentication03 PASSED"/>
+
+ </target>
+
+
<target name="CaseSensitive">
<!-- ========== Case Sensitive Request URI Matching =================== -->
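Review bot: The comment on the Authentication03 request (`<!-- Test isUserInRole() on actual role and on an alias -->`) names only two of the three cases the commit log describes, and the omitted one, the role the user does not hold, is the check that would catch a realm answering true for any role name; suggest `<!-- Test isUserInRole() on an actual role, on a <security-role-ref> alias, and on a role the user does not hold -->`. The moved block comment above the first request still says the identity is checked by "invoking a protected URI followed by a non-protected URI", yet all three requests in this target go to `${context.path}/protected/...`; if the Authentication02 URI really lies outside the security constraint the comment could say so, otherwise the wording is stale. Every request also resends the same `Authorization` header, so this target on its own does not show that the identity carries over to a request without credentials.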
@@ -489,27 +521,6 @@
<tester host="${host}" port="${port}" protocol="${protocol}"
request="${context.path}/WrappedGetInputStream01" debug="${debug}"
outContent="GetInputStream01 PASSED"/>
-
-
- <!-- ========== Authentication ======================================== -->
-
- <!-- Once a user has been authenticated, the corresponding user identity
- should be visible to all other requests in this web application, even
- for URIs that are not protected by security constraints. This is
- tested by invoking a protected URI followed by a non-protected URI
- -->
-
- <tester host="${host}" port="${port}" protocol="${protocol}"
- debug="${debug}"
- request="${context.path}/protected/Authentication01"
- inHeaders="Authorization:Basic dG9tY2F0OnRvbWNhdA=="
- outContent="Authentication01 PASSED"/>
-
- <tester host="${host}" port="${port}" protocol="${protocol}"
- debug="${debug}"
- request="${context.path}/protected/Authentication02"
- inHeaders="Authorization:Basic dG9tY2F0OnRvbWNhdA=="
- outContent="Authentication02 PASSED"/>
</target>
1.1
jakarta-tomcat-4.0/tester/src/tester/org/apache/tester/Authentication03.java
Index: Authentication03.java
===================================================================
/* ========================================================================= *
* *
* The Apache Software License, Version 1.1 *
* *
* Copyright (c) 1999, 2000, 2001 The Apache Software Foundation. *
* All rights reserved. *
* *
* ========================================================================= *
* *
* Redistribution and use in source and binary forms, with or without modi- *
* fication, are permitted provided that the following conditions are met: *
* *
* 1. Redistributions of source code must retain the above copyright notice *
* notice, this list of conditions and the following disclaimer. *
* *
* 2. Redistributions in binary form must reproduce the above copyright *
* notice, this list of conditions and the following disclaimer in the *
* documentation and/or other materials provided with the distribution. *
* *
* 3. The end-user documentation included with the redistribution, if any, *
* must include the following acknowlegement: *
* *
* "This product includes software developed by the Apache Software *
* Foundation <http://www.apache.org/>." *
* *
* Alternately, this acknowlegement may appear in the software itself, if *
* and wherever such third-party acknowlegements normally appear. *
* *
* 4. The names "The Jakarta Project", "Tomcat", and "Apache Software *
* Foundation" must not be used to endorse or promote products derived *
* from this software without prior written permission. For written *
* permission, please contact <[EMAIL PROTECTED]>. *
* *
* 5. Products derived from this software may not be called "Apache" nor may *
* "Apache" appear in their names without prior written permission of the *
* Apache Software Foundation. *
* *
* THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES *
* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY *
* AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL *
* THE APACHE SOFTWARE FOUNDATION OR ITS CONTRIBUTORS BE LIABLE FOR ANY *
* DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL *
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS *
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) *
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, *
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN *
* ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE *
* POSSIBILITY OF SUCH DAMAGE. *
* *
* ========================================================================= *
* *
* This software consists of voluntary contributions made by many indivi- *
* duals on behalf of the Apache Software Foundation. For more information *
* on the Apache Software Foundation, please see <http://www.apache.org/>. *
* *
* ========================================================================= */
package org.apache.tester;
import java.io.*;
import java.security.Principal;
import javax.servlet.*;
import javax.servlet.http.*;
/**
 * Checks the answers returned by <code>isUserInRole()</code> for a caller
 * authenticated as user "tomcat": a role held directly, a role name mapped
 * onto it through a <code>&lt;security-role-ref&gt;</code> element, and a
 * role the user does not hold at all.
 *
 * @author Craig R. McClanahan
 * @version $Revision: 1.1 $ $Date: 2001/03/26 20:04:39 $
 */
public class Authentication03 extends HttpServlet {

    /**
     * Run the authentication and role checks and report the verdict as
     * plain text: <code>Authentication03 PASSED</code> when every check
     * holds, otherwise <code>Authentication03 FAILED -</code> followed by
     * one slash-terminated reason per failed check.  Any messages queued in
     * <code>StaticLogger</code> are appended afterwards and the logger is
     * reset.
     *
     * @param request The servlet request, expected to carry the identity
     *  of user "tomcat"
     * @param response The servlet response, written as <code>text/plain</code>
     *
     * @exception IOException if an input/output error occurs
     * @exception ServletException if a servlet error occurs
     */
    public void doGet(HttpServletRequest request, HttpServletResponse response)
        throws IOException, ServletException {

        // Plain text, so the user name echoed below is never parsed as markup
        response.setContentType("text/plain");
        PrintWriter writer = response.getWriter();
        StringBuffer failures = new StringBuffer();

        // The container must have authenticated the caller as "tomcat"
        String user = request.getRemoteUser();
        if (user == null) {
            failures.append(" Not Authenticated/");
        } else if (!"tomcat".equals(user)) {
            failures.append(" Authenticated as '").append(user).append("'/");
        }

        // Role held directly by the user
        expectRole(request, "tomcat", true, failures,
                   " Not in role 'tomcat'/");
        // Role name aliased to "tomcat" by a <security-role-ref> element
        expectRole(request, "alias", true, failures,
                   " Not in role 'alias'/");
        // Role the user must NOT appear to hold
        expectRole(request, "unknown", false, failures,
                   " In role 'unknown'/");

        // Report the verdict
        if (failures.length() == 0) {
            writer.println("Authentication03 PASSED");
        } else {
            writer.print("Authentication03 FAILED -");
            writer.println(failures.toString());
        }

        // Drain any messages the wrappers have logged, then clear them
        for (String message = StaticLogger.read(); message != null;
             message = StaticLogger.read()) {
            writer.println(message);
        }
        StaticLogger.reset();

    }

    /**
     * Append <code>complaint</code> to <code>failures</code> unless
     * <code>isUserInRole(role)</code> answers <code>expected</code>.
     *
     * @param request The servlet request being checked
     * @param role Role name to query
     * @param expected Answer the test requires
     * @param failures Accumulated failure messages
     * @param complaint Message to append when the answer is wrong
     */
    private static void expectRole(HttpServletRequest request, String role,
                                   boolean expected, StringBuffer failures,
                                   String complaint) {
        if (request.isUserInRole(role) != expected) {
            failures.append(complaint);
        }
    }

}
1.16 +21 -0 jakarta-tomcat-4.0/tester/web/WEB-INF/web.xml
Index: web.xml
===================================================================
RCS file: /home/cvs/jakarta-tomcat-4.0/tester/web/WEB-INF/web.xml,v
retrieving revision 1.15
retrieving revision 1.16
diff -u -r1.15 -r1.16
--- web.xml 2001/03/21 19:38:50 1.15
+++ web.xml 2001/03/26 20:04:40 1.16
@@ -214,6 +214,15 @@
</servlet>
<servlet>
+ <servlet-name>Authentication03</servlet-name>
+ <servlet-class>org.apache.tester.Authentication03</servlet-class>
+ <security-role-ref>
+ <role-name>alias</role-name>
+ <role-link>tomcat</role-link>
+ </security-role-ref>
+ </servlet>
+
+ <servlet>
<servlet-name>ErrorPage01</servlet-name>
<servlet-class>org.apache.tester.ErrorPage01</servlet-class>
</servlet>
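Review bot: The new `<role-link>tomcat</role-link>` in the Authentication03 `security-role-ref` points at a role that this same commit adds only as a commented-out `<security-role>` block in the third hunk (which continues past the end of this excerpt). The servlet specification requires a role-link to name a role declared in a `<security-role>` element, so a validating container may reject the descriptor or fail to resolve the alias, and the test would then report `Not in role 'alias'`. If leaving it commented out is intentional (for example to exercise the container's handling of an undeclared link), a comment next to the `<security-role-ref>` saying so would save the next reader the search; otherwise the `<security-role>` block should be uncommented.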
@@ -392,6 +401,11 @@
</servlet-mapping>
<servlet-mapping>
+ <servlet-name>Authentication03</servlet-name>
+ <url-pattern>/protected/Authentication03</url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
<servlet-name>ErrorPage01</servlet-name>
<url-pattern>/ErrorPage01</url-pattern>
</servlet-mapping>
@@ -716,6 +730,13 @@
<auth-method>BASIC</auth-method>
<realm-name>Authentication Servlet</realm-name>
</login-config>
+
+<!--
+ <security-role>
+ <description>Security role we are testing for</description>
+ <role-name>tomcat</role-name>
+ </security-role>
+-->
<!-- ========== Environment Entries =================================== -->