From aleds...@apache.org
Subject [1/7] brooklyn-server git commit: Initialize REST API security correctly for integration tests
Date Wed, 16 Nov 2016 22:33:05 GMT
Repository: brooklyn-server
Updated Branches:
  refs/heads/master be89a8dd2 -> 2e4114259


Initialize REST API security correctly for integration tests

Also add checks for it in the tests.

Tests had different behaviour depending on whether brooklyn-ui existed alongside brooklyn-server
on disk. When brooklyn-ui was there, tests would find it and use the web app code from there,
including the web.xml which restricts requests to only authorized users. When brooklyn-ui
is missing, though, a default web app without web.xml was being created. This would result in
non-authorized requests succeeding. In this case requests including the authorization header
would still be processed, and rejected if the password is invalid. But a client only includes the
authorization header after the server first responds with a 401, which didn't happen. Moving web-security.xml
to rest-server allows us to force request authentication for tests even if there's no web.xml
in the web app.
Should be fine moving web-security.xml to rest-server (which is only used in classic) because
it's only inserted by classic related code. Karaf Brooklyn doesn't have control over the web
apps.


Project: http://git-wip-us.apache.org/repos/asf/brooklyn-server/repo
Commit: http://git-wip-us.apache.org/repos/asf/brooklyn-server/commit/cd07d816
Tree: http://git-wip-us.apache.org/repos/asf/brooklyn-server/tree/cd07d816
Diff: http://git-wip-us.apache.org/repos/asf/brooklyn-server/diff/cd07d816

Branch: refs/heads/master
Commit: cd07d8161ae4688900b824a449760986806c814f
Parents: 9b24f7d
Author: Svetoslav Neykov <svetoslav.neykov@cloudsoftcorp.com>
Authored: Mon Nov 14 12:08:39 2016 +0200
Committer: Svetoslav Neykov <svetoslav.neykov@cloudsoftcorp.com>
Committed: Mon Nov 14 12:08:39 2016 +0200

----------------------------------------------------------------------
 launcher/src/main/resources/web-security.xml    | 51 ----------------
 .../launcher/BrooklynWebServerTest.java         | 61 +++++++++++++++-----
 .../src/main/resources/web-security.xml         | 51 ++++++++++++++++
 .../brooklyn/rest/BrooklynRestApiLauncher.java  |  1 +
 .../AbstractRestApiEntitlementsTest.java        | 18 ++++--
 .../ActivityApiEntitlementsTest.java            | 17 +++---
 .../EntityConfigApiEntitlementsTest.java        |  2 +
 .../entitlement/ScriptApiEntitlementsTest.java  | 14 +++--
 .../entitlement/SensorApiEntitlementsTest.java  |  2 +
 .../entitlement/ServerApiEntitlementsTest.java  |  3 +
 .../ServerResourceIntegrationTest.java          |  2 +-
 11 files changed, 139 insertions(+), 83 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/brooklyn-server/blob/cd07d816/launcher/src/main/resources/web-security.xml
----------------------------------------------------------------------
diff --git a/launcher/src/main/resources/web-security.xml b/launcher/src/main/resources/web-security.xml
deleted file mode 100644
index 2311458..0000000
--- a/launcher/src/main/resources/web-security.xml
+++ /dev/null
@@ -1,51 +0,0 @@
-<!--
-    Licensed to the Apache Software Foundation (ASF) under one
-    or more contributor license agreements.  See the NOTICE file
-    distributed with this work for additional information
-    regarding copyright ownership.  The ASF licenses this file
-    to you under the Apache License, Version 2.0 (the
-    "License"); you may not use this file except in compliance
-    with the License.  You may obtain a copy of the License at
-    
-     http://www.apache.org/licenses/LICENSE-2.0
-    
-    Unless required by applicable law or agreed to in writing,
-    software distributed under the License is distributed on an
-    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-    KIND, either express or implied.  See the License for the
-    specific language governing permissions and limitations
-    under the License.
--->
-<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
-         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
-         version="3.1">
-
-  <security-constraint>
-    <web-resource-collection>
-      <web-resource-name>Logout</web-resource-name>
-      <url-pattern>/v1/logout</url-pattern>
-    </web-resource-collection>
-  </security-constraint>
-
-  <!-- Ignored programmatically if noConsoleSecurity -->
-  <security-constraint>
-    <web-resource-collection>
-      <web-resource-name>All</web-resource-name>
-      <url-pattern>/</url-pattern>
-    </web-resource-collection>
-    <auth-constraint>
-      <role-name>webconsole</role-name>
-    </auth-constraint>
-  </security-constraint>
-
-  <login-config>
-    <auth-method>BASIC</auth-method>
-    <realm-name>webconsole</realm-name>
-  </login-config>
-
-  <security-role>
-    <role-name>webconsole</role-name>
-  </security-role>
-
-</web-app>

http://git-wip-us.apache.org/repos/asf/brooklyn-server/blob/cd07d816/launcher/src/test/java/org/apache/brooklyn/launcher/BrooklynWebServerTest.java
----------------------------------------------------------------------
diff --git a/launcher/src/test/java/org/apache/brooklyn/launcher/BrooklynWebServerTest.java
b/launcher/src/test/java/org/apache/brooklyn/launcher/BrooklynWebServerTest.java
index 2b8406e..e1eb1b3 100644
--- a/launcher/src/test/java/org/apache/brooklyn/launcher/BrooklynWebServerTest.java
+++ b/launcher/src/test/java/org/apache/brooklyn/launcher/BrooklynWebServerTest.java
@@ -18,17 +18,13 @@
  */
 package org.apache.brooklyn.launcher;
 
-import org.apache.brooklyn.core.entity.Entities;
-import org.apache.brooklyn.core.internal.BrooklynProperties;
-import org.apache.brooklyn.core.mgmt.internal.LocalManagementContext;
-import org.apache.brooklyn.core.test.entity.LocalManagementContextForTests;
-
 import static org.testng.Assert.assertEquals;
 import static org.testng.Assert.assertTrue;
 import static org.testng.Assert.fail;
 
 import java.io.File;
 import java.io.FileInputStream;
+import java.net.SocketException;
 import java.net.URISyntaxException;
 import java.net.URL;
 import java.security.KeyStore;
@@ -38,24 +34,31 @@ import java.util.Map;
 
 import javax.net.ssl.SSLHandshakeException;
 
+import org.apache.brooklyn.core.entity.Entities;
+import org.apache.brooklyn.core.internal.BrooklynProperties;
+import org.apache.brooklyn.core.mgmt.internal.LocalManagementContext;
+import org.apache.brooklyn.core.test.entity.LocalManagementContextForTests;
+import org.apache.brooklyn.rest.BrooklynWebConfig;
+import org.apache.brooklyn.util.collections.MutableMap;
+import org.apache.brooklyn.util.exceptions.Exceptions;
+import org.apache.brooklyn.util.http.HttpTool;
+import org.apache.brooklyn.util.http.HttpToolResponse;
+import org.apache.http.auth.AuthScope;
+import org.apache.http.auth.UsernamePasswordCredentials;
+import org.apache.http.client.CredentialsProvider;
+import org.apache.http.client.HttpClient;
 import org.apache.http.client.methods.HttpGet;
 import org.apache.http.conn.ssl.SSLSocketFactory;
-import org.apache.http.impl.client.DefaultHttpClient;
+import org.apache.http.impl.client.BasicCredentialsProvider;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.testng.annotations.AfterMethod;
 import org.testng.annotations.BeforeMethod;
 import org.testng.annotations.DataProvider;
 import org.testng.annotations.Test;
-import org.apache.brooklyn.rest.BrooklynWebConfig;
-import org.apache.brooklyn.util.collections.MutableMap;
-import org.apache.brooklyn.util.http.HttpTool;
-import org.apache.brooklyn.util.http.HttpToolResponse;
-import org.apache.brooklyn.util.exceptions.Exceptions;
 
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.Lists;
-import java.net.SocketException;
 
 public class BrooklynWebServerTest {
 
@@ -92,13 +95,45 @@ public class BrooklynWebServerTest {
         try {
             webServer.start();
 
-            HttpToolResponse response = HttpTool.execAndConsume(new DefaultHttpClient(),
new HttpGet(webServer.getRootUrl()));
+            HttpToolResponse response = HttpTool.execAndConsume(HttpTool.httpClientBuilder().build(),
new HttpGet(webServer.getRootUrl()));
             assertEquals(response.getResponseCode(), 200);
         } finally {
             webServer.stop();
         }
     }
 
+    @Test
+    public void verifySecurityInitialized() throws Exception {
+        webServer = new BrooklynWebServer(newManagementContext(brooklynProperties));
+        webServer.start();
+        try {
+            HttpToolResponse response = HttpTool.execAndConsume(HttpTool.httpClientBuilder().build(),
new HttpGet(webServer.getRootUrl()));
+            assertEquals(response.getResponseCode(), 401);
+        } finally {
+            webServer.stop();
+        }
+    }
+
+    @Test
+    public void verifySecurityInitializedExplicitUser() throws Exception {
+        webServer = new BrooklynWebServer(newManagementContext(brooklynProperties));
+        webServer.start();
+
+        CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
+        credentialsProvider.setCredentials(AuthScope.ANY, new UsernamePasswordCredentials("myuser",
"somepass"));
+        HttpClient client = HttpTool.httpClientBuilder()
+            .credentials(new UsernamePasswordCredentials("myuser", "somepass"))
+            .uri(webServer.getRootUrl())
+            .build();
+
+        try {
+            HttpToolResponse response = HttpTool.execAndConsume(client, new HttpGet(webServer.getRootUrl()));
+            assertEquals(response.getResponseCode(), 401);
+        } finally {
+            webServer.stop();
+        }
+    }
+
     @DataProvider(name="keystorePaths")
     public Object[][] getKeystorePaths() {
         return new Object[][] {
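Review bot: In `verifySecurityInitializedExplicitUser` the `credentialsProvider` populated with `AuthScope.ANY` is never handed to the client; the credentials actually sent are the ones given to `HttpTool.httpClientBuilder().credentials(...)`, so those two statements can be dropped, along with the `CredentialsProvider`, `BasicCredentialsProvider` and `AuthScope` imports as far as this diff shows. Both new tests also call `webServer.start()` before the `try`, whereas the existing test at the top of the hunk calls it inside, so a failure in `start()` or while building the client skips `webServer.stop()` unless the `@AfterMethod` outside this hunk covers it; making `webServer.start();` the first statement inside the `try` would match the existing test. Finally, both tests only expect 401, which cannot tell enforced authentication apart from a server that rejects every request; if the test properties define a valid user, a companion case expecting 200 with those credentials would pin that down.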

http://git-wip-us.apache.org/repos/asf/brooklyn-server/blob/cd07d816/rest/rest-server/src/main/resources/web-security.xml
----------------------------------------------------------------------
diff --git a/rest/rest-server/src/main/resources/web-security.xml b/rest/rest-server/src/main/resources/web-security.xml
new file mode 100644
index 0000000..2311458
--- /dev/null
+++ b/rest/rest-server/src/main/resources/web-security.xml
@@ -0,0 +1,51 @@
+<!--
+    Licensed to the Apache Software Foundation (ASF) under one
+    or more contributor license agreements.  See the NOTICE file
+    distributed with this work for additional information
+    regarding copyright ownership.  The ASF licenses this file
+    to you under the Apache License, Version 2.0 (the
+    "License"); you may not use this file except in compliance
+    with the License.  You may obtain a copy of the License at
+    
+     http://www.apache.org/licenses/LICENSE-2.0
+    
+    Unless required by applicable law or agreed to in writing,
+    software distributed under the License is distributed on an
+    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+    KIND, either express or implied.  See the License for the
+    specific language governing permissions and limitations
+    under the License.
+-->
+<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
+         version="3.1">
+
+  <security-constraint>
+    <web-resource-collection>
+      <web-resource-name>Logout</web-resource-name>
+      <url-pattern>/v1/logout</url-pattern>
+    </web-resource-collection>
+  </security-constraint>
+
+  <!-- Ignored programmatically if noConsoleSecurity -->
+  <security-constraint>
+    <web-resource-collection>
+      <web-resource-name>All</web-resource-name>
+      <url-pattern>/</url-pattern>
+    </web-resource-collection>
+    <auth-constraint>
+      <role-name>webconsole</role-name>
+    </auth-constraint>
+  </security-constraint>
+
+  <login-config>
+    <auth-method>BASIC</auth-method>
+    <realm-name>webconsole</realm-name>
+  </login-config>
+
+  <security-role>
+    <role-name>webconsole</role-name>
+  </security-role>
+
+</web-app>

http://git-wip-us.apache.org/repos/asf/brooklyn-server/blob/cd07d816/rest/rest-server/src/test/java/org/apache/brooklyn/rest/BrooklynRestApiLauncher.java
----------------------------------------------------------------------
diff --git a/rest/rest-server/src/test/java/org/apache/brooklyn/rest/BrooklynRestApiLauncher.java
b/rest/rest-server/src/test/java/org/apache/brooklyn/rest/BrooklynRestApiLauncher.java
index 4dc3d66..b600159 100644
--- a/rest/rest-server/src/test/java/org/apache/brooklyn/rest/BrooklynRestApiLauncher.java
+++ b/rest/rest-server/src/test/java/org/apache/brooklyn/rest/BrooklynRestApiLauncher.java
@@ -194,6 +194,7 @@ public class BrooklynRestApiLauncher {
         if (securityProvider != null && securityProvider != AnyoneSecurityProvider.class)
{
             ((BrooklynProperties) mgmt.getConfig()).put(
                     BrooklynWebConfig.SECURITY_PROVIDER_CLASSNAME, securityProvider.getName());
+            ((WebAppContext)context).addOverrideDescriptor(getClass().getResource("/web-security.xml").toExternalForm());
         } else if (context instanceof WebAppContext) {
             ((WebAppContext)context).setSecurityHandler(new NopSecurityHandler());
         }
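Review bot: The added `addOverrideDescriptor` line casts `context` to `WebAppContext` unconditionally, while the `else if` directly below still checks `context instanceof WebAppContext` before the same cast, so a launcher configured with a security provider and any other context type would now fail with a bare ClassCastException (whether such a context can reach this branch is not visible here). `getClass().getResource("/web-security.xml")` returns null when the descriptor is not on the classpath, which would surface as a NullPointerException rather than a message saying the auth constraints could not be loaded. Because this line is what forces authentication, I would fail explicitly in both cases, e.g. `if (!(context instanceof WebAppContext)) throw new IllegalStateException("security provider set but context is not a WebAppContext");` plus a null check on the resource URL whose message names `/web-security.xml`. The enclosing method starts and ends outside this hunk.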

http://git-wip-us.apache.org/repos/asf/brooklyn-server/blob/cd07d816/rest/rest-server/src/test/java/org/apache/brooklyn/rest/entitlement/AbstractRestApiEntitlementsTest.java
----------------------------------------------------------------------
diff --git a/rest/rest-server/src/test/java/org/apache/brooklyn/rest/entitlement/AbstractRestApiEntitlementsTest.java
b/rest/rest-server/src/test/java/org/apache/brooklyn/rest/entitlement/AbstractRestApiEntitlementsTest.java
index 4a0d568..c858799 100644
--- a/rest/rest-server/src/test/java/org/apache/brooklyn/rest/entitlement/AbstractRestApiEntitlementsTest.java
+++ b/rest/rest-server/src/test/java/org/apache/brooklyn/rest/entitlement/AbstractRestApiEntitlementsTest.java
@@ -37,6 +37,7 @@ import org.apache.brooklyn.rest.BrooklynRestApiLauncher;
 import org.apache.brooklyn.rest.BrooklynRestApiLauncherTestFixture;
 import org.apache.brooklyn.util.http.HttpAsserts;
 import org.apache.brooklyn.util.http.HttpTool;
+import org.apache.brooklyn.util.http.HttpTool.HttpClientBuilder;
 import org.apache.brooklyn.util.http.HttpToolResponse;
 import org.apache.http.auth.UsernamePasswordCredentials;
 import org.apache.http.client.HttpClient;
@@ -65,7 +66,7 @@ public abstract class AbstractRestApiEntitlementsTest extends BrooklynRestApiLau
         props.put(PerUserEntitlementManager.PER_USER_ENTITLEMENTS_CONFIG_PREFIX+".myUser",
"user");
         props.put(PerUserEntitlementManager.PER_USER_ENTITLEMENTS_CONFIG_PREFIX+".myCustom",
StaticDelegatingEntitlementManager.class.getName());
         
-        mgmt = LocalManagementContextForTests.builder(true).useProperties(props).build();
+        mgmt = LocalManagementContextForTests.builder(false).useProperties(props).build();
         app = mgmt.getEntityManager().createEntity(EntitySpec.create(TestApplication.class)
                 .child(EntitySpec.create(TestEntity.class))
                         .configure(TestEntity.CONF_NAME, "myname"));
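Review bot: The change from `builder(true)` to `builder(false)` flips a bare boolean whose meaning is not visible at this call site, and the commit message does not mention it. What the argument controls cannot be told from this hunk, so a one-line comment above the call stating what `false` turns on or off, and why the new 401 checks depend on it, would keep the next reader from flipping it back. The enclosing setup method starts outside the hunk.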
@@ -84,10 +85,12 @@ public abstract class AbstractRestApiEntitlementsTest extends BrooklynRestApiLau
     }
     
     protected HttpClient newClient(String user) throws Exception {
-        return httpClientBuilder()
-                .uri(getBaseUriRest())
-                .credentials(new UsernamePasswordCredentials(user, "ignoredPassword"))
-                .build();
+        HttpClientBuilder builder = httpClientBuilder()
+                .uri(getBaseUriRest());
+        if (user != null) {
+            builder.credentials(new UsernamePasswordCredentials(user, "ignoredPassword"));
+        }
+        return builder.build();
     }
 
     protected String httpGet(String user, String path) throws Exception {
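Review bot: `newClient` now gives `null` a meaning, namely a client that sends no credentials, but nothing at the signature says so, and helpers that forward a `user` argument to it would presumably inherit that behaviour silently. A short Javadoc would make the contract explicit: `/** Builds a client for {@code user}; a null user yields a client that sends no credentials. */`. It would be worth noting there as well that the fixed `"ignoredPassword"` relies on the test security provider not checking passwords, which is an assumption that this hunk does not show.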
@@ -130,6 +133,11 @@ public abstract class AbstractRestApiEntitlementsTest extends BrooklynRestApiLau
         assertStatusCodeEquals(response, 404);
     }
 
+    protected void assert401(String path) throws Exception {
+        HttpToolResponse response = HttpTool.httpGet(newClient(null), URI.create(getBaseUriRest()).resolve(path),
ImmutableMap.<String, String>of());
+        assertStatusCodeEquals(response, 401);
+    }
+
     protected void assertStatusCodeEquals(HttpToolResponse response, int expected) {
         assertEquals(response.getResponseCode(), expected,
                 "code="+response.getResponseCode()+"; reason="+response.getReasonPhrase()+";
content="+response.getContentAsString());
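Review bot: `assert401` always issues a GET, yet later hunks call it for endpoints that the same tests exercise with POST: `/v1/script/groovy` in ScriptApiEntitlementsTest.testGroovy and `/v1/server/properties/reload` in ServerApiEntitlementsTest.testReloadProperties. For those paths the check shows that an anonymous GET is challenged, not that an anonymous POST is, so a security constraint that was accidentally restricted by HTTP method would go unnoticed. Assuming the existing `httpPost(user, path, body)` helper builds its client through `newClient(user)`, a POST variant is one line: `assertStatusCodeEquals(httpPost(null, path, body), 401);`. A name such as `assertUnauthorized` would also read better beside `assertForbidden` and `assertPermitted`.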

http://git-wip-us.apache.org/repos/asf/brooklyn-server/blob/cd07d816/rest/rest-server/src/test/java/org/apache/brooklyn/rest/entitlement/ActivityApiEntitlementsTest.java
----------------------------------------------------------------------
diff --git a/rest/rest-server/src/test/java/org/apache/brooklyn/rest/entitlement/ActivityApiEntitlementsTest.java
b/rest/rest-server/src/test/java/org/apache/brooklyn/rest/entitlement/ActivityApiEntitlementsTest.java
index 4a7a0b3..0b61e43 100644
--- a/rest/rest-server/src/test/java/org/apache/brooklyn/rest/entitlement/ActivityApiEntitlementsTest.java
+++ b/rest/rest-server/src/test/java/org/apache/brooklyn/rest/entitlement/ActivityApiEntitlementsTest.java
@@ -75,6 +75,7 @@ public class ActivityApiEntitlementsTest extends AbstractRestApiEntitlementsTest
     @Test(groups = "Integration")
     public void testGetTask() throws Exception {
         String path = "/v1/activities/"+subTask.getId();
+        assert401(path);
         assertPermitted("myRoot", path);
         assertPermitted("myUser", path);
         assertPermitted("myReadonly", path);
@@ -88,18 +89,20 @@ public class ActivityApiEntitlementsTest extends AbstractRestApiEntitlementsTest
         for (Map.Entry<String, String> entry : streams.entrySet()) {
             String streamId = entry.getKey();
             String expectedStream = entry.getValue();
+            String path = pathPrefix+streamId;
 
-            assertEquals(httpGet("myRoot", pathPrefix+streamId), expectedStream);
-            assertEquals(httpGet("myUser", pathPrefix+streamId), expectedStream);
-            assertEquals(httpGet("myReadonly", pathPrefix+streamId), expectedStream);
-            assertForbidden("myMinimal", pathPrefix+streamId);
-            assertForbidden("unrecognisedUser", pathPrefix+streamId);
+            assert401(path);
+            assertEquals(httpGet("myRoot", path), expectedStream);
+            assertEquals(httpGet("myUser", path), expectedStream);
+            assertEquals(httpGet("myReadonly", path), expectedStream);
+            assertForbidden("myMinimal", path);
+            assertForbidden("unrecognisedUser", path);
             
             StaticDelegatingEntitlementManager.setDelegate(new SeeSelectiveStreams(streamId));
-            assertEquals(httpGet("myCustom", pathPrefix+streamId), expectedStream);
+            assertEquals(httpGet("myCustom", path), expectedStream);
             
             StaticDelegatingEntitlementManager.setDelegate(new SeeSelectiveStreams("differentStreamId"));
-            assertForbidden("myCustom", pathPrefix+streamId);
+            assertForbidden("myCustom", path);
         }
     }
     

http://git-wip-us.apache.org/repos/asf/brooklyn-server/blob/cd07d816/rest/rest-server/src/test/java/org/apache/brooklyn/rest/entitlement/EntityConfigApiEntitlementsTest.java
----------------------------------------------------------------------
diff --git a/rest/rest-server/src/test/java/org/apache/brooklyn/rest/entitlement/EntityConfigApiEntitlementsTest.java
b/rest/rest-server/src/test/java/org/apache/brooklyn/rest/entitlement/EntityConfigApiEntitlementsTest.java
index b95392b..fd2ffef 100644
--- a/rest/rest-server/src/test/java/org/apache/brooklyn/rest/entitlement/EntityConfigApiEntitlementsTest.java
+++ b/rest/rest-server/src/test/java/org/apache/brooklyn/rest/entitlement/EntityConfigApiEntitlementsTest.java
@@ -49,6 +49,7 @@ public class EntityConfigApiEntitlementsTest extends AbstractRestApiEntitlements
         String path = "/v1/applications/"+app.getId()+"/entities/"+entity.getId()+"/config/"+TestEntity.CONF_NAME.getName();
         String val = "\"myname\"";
         
+        assert401(path);
         assertEquals(httpGet("myRoot", path), val);
         assertEquals(httpGet("myUser", path), val);
         assertEquals(httpGet("myReadonly", path), val);
@@ -68,6 +69,7 @@ public class EntityConfigApiEntitlementsTest extends AbstractRestApiEntitlements
         String confName = TestEntity.CONF_NAME.getName();
         String regex = ".*"+confName+".*myname.*";
         
+        assert401(path);
         Asserts.assertStringMatchesRegex(httpGet("myRoot", path), regex);
         Asserts.assertStringMatchesRegex(httpGet("myUser", path), regex);
         Asserts.assertStringMatchesRegex(httpGet("myReadonly", path), regex);

http://git-wip-us.apache.org/repos/asf/brooklyn-server/blob/cd07d816/rest/rest-server/src/test/java/org/apache/brooklyn/rest/entitlement/ScriptApiEntitlementsTest.java
----------------------------------------------------------------------
diff --git a/rest/rest-server/src/test/java/org/apache/brooklyn/rest/entitlement/ScriptApiEntitlementsTest.java
b/rest/rest-server/src/test/java/org/apache/brooklyn/rest/entitlement/ScriptApiEntitlementsTest.java
index 5f6498a..7f76e0c 100644
--- a/rest/rest-server/src/test/java/org/apache/brooklyn/rest/entitlement/ScriptApiEntitlementsTest.java
+++ b/rest/rest-server/src/test/java/org/apache/brooklyn/rest/entitlement/ScriptApiEntitlementsTest.java
@@ -36,14 +36,16 @@ public class ScriptApiEntitlementsTest extends AbstractRestApiEntitlementsTest
{
     @Test(groups = "Integration")
     public void testGroovy() throws Exception {
         String script = "1 + 1";
-        HttpToolResponse rootRepsonse = httpPost("myRoot", "/v1/script/groovy", script.getBytes());
+        String path = "/v1/script/groovy";
+        HttpToolResponse rootRepsonse = httpPost("myRoot", path, script.getBytes());
         assertHealthyStatusCode(rootRepsonse);
-        Map groovyOutput = new Gson().fromJson(rootRepsonse.getContentAsString(), Map.class);
+        Map<?, ?> groovyOutput = new Gson().fromJson(rootRepsonse.getContentAsString(),
Map.class);
         assertEquals(groovyOutput.get("result"), "2");
-        assertForbiddenPost("myUser", "/v1/script/groovy", script.getBytes());
-        assertForbiddenPost("myReadonly", "/v1/script/groovy", script.getBytes());
-        assertForbiddenPost("myMinimal", "/v1/script/groovy", script.getBytes());
-        assertForbiddenPost("unrecognisedUser", "/v1/script/groovy", script.getBytes());
+        assert401(path);
+        assertForbiddenPost("myUser", path, script.getBytes());
+        assertForbiddenPost("myReadonly", path, script.getBytes());
+        assertForbiddenPost("myMinimal", path, script.getBytes());
+        assertForbiddenPost("unrecognisedUser", path, script.getBytes());
     }
 
     @Override

http://git-wip-us.apache.org/repos/asf/brooklyn-server/blob/cd07d816/rest/rest-server/src/test/java/org/apache/brooklyn/rest/entitlement/SensorApiEntitlementsTest.java
----------------------------------------------------------------------
diff --git a/rest/rest-server/src/test/java/org/apache/brooklyn/rest/entitlement/SensorApiEntitlementsTest.java
b/rest/rest-server/src/test/java/org/apache/brooklyn/rest/entitlement/SensorApiEntitlementsTest.java
index 931b7ae..3a60a86 100644
--- a/rest/rest-server/src/test/java/org/apache/brooklyn/rest/entitlement/SensorApiEntitlementsTest.java
+++ b/rest/rest-server/src/test/java/org/apache/brooklyn/rest/entitlement/SensorApiEntitlementsTest.java
@@ -52,6 +52,7 @@ public class SensorApiEntitlementsTest extends AbstractRestApiEntitlementsTest
{
         String path = "/v1/applications/"+app.getId()+"/entities/"+entity.getId()+"/sensors/"+sensorName;
         String val = "\"myval\"";
         
+        assert401(path);
         assertEquals(httpGet("myRoot", path), val);
         assertEquals(httpGet("myUser", path), val);
         assertEquals(httpGet("myReadonly", path), val);
@@ -73,6 +74,7 @@ public class SensorApiEntitlementsTest extends AbstractRestApiEntitlementsTest
{
         String sensorName = TestEntity.NAME.getName();
         String regex = ".*"+sensorName+".*myval.*";
         
+        assert401(path);
         Asserts.assertStringMatchesRegex(httpGet("myRoot", path), regex);
         Asserts.assertStringMatchesRegex(httpGet("myUser", path), regex);
         Asserts.assertStringMatchesRegex(httpGet("myReadonly", path), regex);

http://git-wip-us.apache.org/repos/asf/brooklyn-server/blob/cd07d816/rest/rest-server/src/test/java/org/apache/brooklyn/rest/entitlement/ServerApiEntitlementsTest.java
----------------------------------------------------------------------
diff --git a/rest/rest-server/src/test/java/org/apache/brooklyn/rest/entitlement/ServerApiEntitlementsTest.java
b/rest/rest-server/src/test/java/org/apache/brooklyn/rest/entitlement/ServerApiEntitlementsTest.java
index ca53976..fd01654 100644
--- a/rest/rest-server/src/test/java/org/apache/brooklyn/rest/entitlement/ServerApiEntitlementsTest.java
+++ b/rest/rest-server/src/test/java/org/apache/brooklyn/rest/entitlement/ServerApiEntitlementsTest.java
@@ -27,6 +27,7 @@ public class ServerApiEntitlementsTest extends AbstractRestApiEntitlementsTest
{
     @Test(groups = "Integration")
     public void testGetHealthy() throws Exception {
         String path = "/v1/server/up";
+        assert401(path);
         assertPermitted("myRoot", path);
         assertPermitted("myUser", path);
         assertForbidden("myReadonly", path);
@@ -37,6 +38,7 @@ public class ServerApiEntitlementsTest extends AbstractRestApiEntitlementsTest
{
     @Test(groups = "Integration")
     public void testReloadProperties() throws Exception {
         String resource = "/v1/server/properties/reload";
+        assert401(resource);
         assertPermittedPost("myRoot", resource, null);
         assertForbiddenPost("myUser", resource, null);
         assertForbiddenPost("myReadonly", resource, null);
@@ -48,6 +50,7 @@ public class ServerApiEntitlementsTest extends AbstractRestApiEntitlementsTest
{
     public void testGetConfig() throws Exception {
         // Property set in test setup.
         String path = "/v1/server/config/" + Entitlements.GLOBAL_ENTITLEMENT_MANAGER.getName();
+        assert401(path);
         assertPermitted("myRoot", path);
         assertForbidden("myUser", path);
         assertForbidden("myReadonly", path);

http://git-wip-us.apache.org/repos/asf/brooklyn-server/blob/cd07d816/rest/rest-server/src/test/java/org/apache/brooklyn/rest/resources/ServerResourceIntegrationTest.java
----------------------------------------------------------------------
diff --git a/rest/rest-server/src/test/java/org/apache/brooklyn/rest/resources/ServerResourceIntegrationTest.java
b/rest/rest-server/src/test/java/org/apache/brooklyn/rest/resources/ServerResourceIntegrationTest.java
index 604d1eb..2436b91 100644
--- a/rest/rest-server/src/test/java/org/apache/brooklyn/rest/resources/ServerResourceIntegrationTest.java
+++ b/rest/rest-server/src/test/java/org/apache/brooklyn/rest/resources/ServerResourceIntegrationTest.java
@@ -87,7 +87,7 @@ public class ServerResourceIntegrationTest extends BrooklynRestApiLauncherTestFi
                     uri, args, args);
             HttpAsserts.assertHealthyStatusCode(response.getResponseCode());
     
-            // Has no gone back to credentials from brooklynProperties; TestSecurityProvider
credentials no longer work
+            // Has now gone back to credentials from brooklynProperties; TestSecurityProvider
credentials no longer work
             response = HttpTool.httpPost(httpClientBuilder().uri(baseUri).credentials(defaultCredential).build(),

                     uri, args, args);
             HttpAsserts.assertHealthyStatusCode(response.getResponseCode());

