directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From smckin...@apache.org
Subject directory-fortress-commander git commit: FC-176 - spring security page security broken
Date Wed, 24 Aug 2016 15:23:18 GMT
Repository: directory-fortress-commander
Updated Branches:
  refs/heads/master 38aafcf0d -> 074c39aa0


 FC-176 - spring security page security broken


Project: http://git-wip-us.apache.org/repos/asf/directory-fortress-commander/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-fortress-commander/commit/074c39aa
Tree: http://git-wip-us.apache.org/repos/asf/directory-fortress-commander/tree/074c39aa
Diff: http://git-wip-us.apache.org/repos/asf/directory-fortress-commander/diff/074c39aa

Branch: refs/heads/master
Commit: 074c39aa09c58848e97293ab049e8ba9b265a58d
Parents: 38aafcf
Author: Shawn McKinney <smckinney@apache.org>
Authored: Sun Aug 21 04:51:10 2016 -0500
Committer: Shawn McKinney <smckinney@apache.org>
Committed: Sun Aug 21 04:51:10 2016 -0500

----------------------------------------------------------------------
 src/main/resources/applicationContext.xml       |  33 ++---
 src/main/webapp/login/unauthorized.html         |   2 +-
 .../integration/FortressWebSeleniumITCase.java  | 135 ++++++++++++++++---
 3 files changed, 132 insertions(+), 38 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/directory-fortress-commander/blob/074c39aa/src/main/resources/applicationContext.xml
----------------------------------------------------------------------
diff --git a/src/main/resources/applicationContext.xml b/src/main/resources/applicationContext.xml
index 09db5ae..53bfab5 100644
--- a/src/main/resources/applicationContext.xml
+++ b/src/main/resources/applicationContext.xml
@@ -166,37 +166,38 @@
         <property name="securityMetadataSource">
             <sec:filter-security-metadata-source use-expressions="false">
                 <!-- before spring interceptor recognizes these roles, the j2ee preauthentication
filter requires prior declaration in web.xml -->
-                <sec:intercept-url pattern="/wicket/bookmarkable/org.apache.directory.fortress.web.userpage"
+                <!-- http://localhost:8080/fortress-web/wicket/bookmarkable/org.apache.directory.fortress.web.UserPage?3
-->
+                <sec:intercept-url pattern="/wicket/bookmarkable/org.apache.directory.fortress.web.UserPage"
                                    access="ROLE_RBAC_ADMIN,ROLE_USERS"/>
-                <sec:intercept-url pattern="/wicket/bookmarkable/org.apache.directory.fortress.web.rolepage"
+                <sec:intercept-url pattern="/wicket/bookmarkable/org.apache.directory.fortress.web.RolePage"
                                    access="ROLE_RBAC_ADMIN,ROLE_ROLES"/>
-                <sec:intercept-url pattern="/wicket/bookmarkable/org.apache.directory.fortress.web.permpage"
+                <sec:intercept-url pattern="/wicket/bookmarkable/org.apache.directory.fortress.web.PermPage"
                                    access="ROLE_RBAC_ADMIN,ROLE_PERMS"/>
-                <sec:intercept-url pattern="/wicket/bookmarkable/org.apache.directory.fortress.web.sdstaticpage"
+                <sec:intercept-url pattern="/wicket/bookmarkable/org.apache.directory.fortress.web.SdStaticPage"
                                    access="ROLE_RBAC_ADMIN,ROLE_SSDS"/>
-                <sec:intercept-url pattern="/wicket/bookmarkable/org.apache.directory.fortress.web.sddynamicpage"
+                <sec:intercept-url pattern="/wicket/bookmarkable/org.apache.directory.fortress.web.SdDynamicPage"
                                    access="ROLE_RBAC_ADMIN,ROLE_DSDS"/>
-                <sec:intercept-url pattern="/wicket/bookmarkable/org.apache.directory.fortress.web.pwpolicypage"
+                <sec:intercept-url pattern="/wicket/bookmarkable/org.apache.directory.fortress.web.PwPolicyPage"
                                    access="ROLE_RBAC_ADMIN,ROLE_POLICIES"/>
-                <sec:intercept-url pattern="/wicket/bookmarkable/org.apache.directory.fortress.web.objectpage"
+                <sec:intercept-url pattern="/wicket/bookmarkable/org.apache.directory.fortress.web.ObjectPage"
                                    access="ROLE_RBAC_ADMIN,ROLE_PERMOBJS"/>
-                <sec:intercept-url pattern="/wicket/bookmarkable/org.apache.directory.fortress.web.ouuserpage"
+                <sec:intercept-url pattern="/wicket/bookmarkable/org.apache.directory.fortress.web.OuUserPage"
                                    access="ROLE_RBAC_ADMIN,ROLE_USEROUS"/>
-                <sec:intercept-url pattern="/wicket/bookmarkable/org.apache.directory.fortress.web.oupermpage"
+                <sec:intercept-url pattern="/wicket/bookmarkable/org.apache.directory.fortress.web.OuPermPage"
                                    access="ROLE_RBAC_ADMIN,ROLE_PERMOUS"/>
-                <sec:intercept-url pattern="/wicket/bookmarkable/org.apache.directory.fortress.web.roleadminpage"
+                <sec:intercept-url pattern="/wicket/bookmarkable/org.apache.directory.fortress.web.RoleAdminPage"
                                    access="ROLE_RBAC_ADMIN,ROLE_ADMINROLES"/>
-                <sec:intercept-url pattern="/wicket/bookmarkable/org.apache.directory.fortress.web.objectadminpage"
+                <sec:intercept-url pattern="/wicket/bookmarkable/org.apache.directory.fortress.web.ObjectAdminPage"
                                    access="ROLE_RBAC_ADMIN,ROLE_ADMINOBJS"/>
-                <sec:intercept-url pattern="/wicket/bookmarkable/org.apache.directory.fortress.web.permadminpage"
+                <sec:intercept-url pattern="/wicket/bookmarkable/org.apache.directory.fortress.web.PermAdminPage"
                                    access="ROLE_RBAC_ADMIN,ROLE_ADMINPERMS"/>
-                <sec:intercept-url pattern="/wicket/bookmarkable/org.apache.directory.fortress.web.auditauthzpage"
+                <sec:intercept-url pattern="/wicket/bookmarkable/org.apache.directory.fortress.web.AuditAuthzPage"
                                    access="ROLE_RBAC_ADMIN,ROLE_AUDIT_AUTHZS"/>
-                <sec:intercept-url pattern="/wicket/bookmarkable/org.apache.directory.fortress.web.auditmodpage"
+                <sec:intercept-url pattern="/wicket/bookmarkable/org.apache.directory.fortress.web.AuditModPage"
                                    access="ROLE_RBAC_ADMIN,ROLE_AUDIT_MODS"/>
-                <sec:intercept-url pattern="/wicket/bookmarkable/org.apache.directory.fortress.web.auditbindpage"
+                <sec:intercept-url pattern="/wicket/bookmarkable/org.apache.directory.fortress.web.AuditBindPage"
                                    access="ROLE_RBAC_ADMIN,ROLE_AUDIT_BINDS"/>
-                <sec:intercept-url pattern="/wicket/bookmarkable/org.apache.directory.fortress.web.grouppage"
+                <sec:intercept-url pattern="/wicket/bookmarkable/org.apache.directory.fortress.web.GroupPage"
                                    access="ROLE_RBAC_ADMIN,ROLE_GROUPS"/>
             </sec:filter-security-metadata-source>
         </property>

http://git-wip-us.apache.org/repos/asf/directory-fortress-commander/blob/074c39aa/src/main/webapp/login/unauthorized.html
----------------------------------------------------------------------
diff --git a/src/main/webapp/login/unauthorized.html b/src/main/webapp/login/unauthorized.html
index 0a3c4f7..af8ec48 100644
--- a/src/main/webapp/login/unauthorized.html
+++ b/src/main/webapp/login/unauthorized.html
@@ -24,7 +24,7 @@
     <title>Fortress Web Unauthorized Page</title>
 </head>
 <body>
-<h3>Unauthorized access attempt detected</h3>
+<h3 id="web_403">Unauthorized access attempt detected</h3>
 
 <form METHOD=POST ACTION="org.apache.directory.fortress.web.LaunchPage">
     <p>

http://git-wip-us.apache.org/repos/asf/directory-fortress-commander/blob/074c39aa/src/test/java/org/apache/directory/fortress/web/integration/FortressWebSeleniumITCase.java
----------------------------------------------------------------------
diff --git a/src/test/java/org/apache/directory/fortress/web/integration/FortressWebSeleniumITCase.java
b/src/test/java/org/apache/directory/fortress/web/integration/FortressWebSeleniumITCase.java
index 0b28e20..9e09013 100644
--- a/src/test/java/org/apache/directory/fortress/web/integration/FortressWebSeleniumITCase.java
+++ b/src/test/java/org/apache/directory/fortress/web/integration/FortressWebSeleniumITCase.java
@@ -39,6 +39,22 @@ import org.apache.directory.fortress.web.common.GlobalIds;
  */
 public class FortressWebSeleniumITCase
 {
+    public static final String ROLES = "ROLES";
+    public static final String POBJS = "POBJS";
+    public static final String PERMS = "PERMS";
+    public static final String SSDS = "SSDS";
+    public static final String DSDS = "DSDS";
+    public static final String OUSERS = "OUSERS";
+    public static final String OUPRMS = "OUPRMS";
+    public static final String ADMRLES = "ADMRLES";
+    public static final String ADMOBJS = "ADMOBJS";
+    public static final String ADMPERMS = "ADMPERMS";
+    public static final String PLCYS = "PLCYS";
+    public static final String GROUPS = "GROUPS";
+    public static final String BINDS = "BINDS";
+    public static final String AUTHZ = "AUTHZ";
+    public static final String MODS = "MODS";
+    public static final String FORTRESS_WEB = "/fortress-web";
     private WebDriver driver;
     private String baseUrl;
     private boolean acceptNextAlert = true;
@@ -65,15 +81,16 @@ public class FortressWebSeleniumITCase
     @Test
     public void testCase1() throws Exception
     {
-        log.info( "Begin FortressWebSeleniumITCase" );
-        driver.get( baseUrl + "/fortress-web" );
-        login();
+        log.info( "Begin FortressWebSeleniumITCase 1" );
+        driver.get( baseUrl + FORTRESS_WEB );
+        login( "test", "password" );
         TUtils.sleep( 1 );
 
         boolean skipFirstHalf = false;
         //boolean skipFirstHalf = true;
         boolean skipSecondHalf = false;
         //boolean skipSecondHalf = true;
+
         if ( !skipFirstHalf )
         {
             users();
@@ -107,12 +124,88 @@ public class FortressWebSeleniumITCase
         //driver.findElement( By.linkText( "glob:search*" ) ).click();
     }
 
-    private void login()
+
+    @Test
+    public void testCase2() throws Exception
+    {
+        log.info( "Begin FortressWebSeleniumITCase 2" );
+        driver.get( baseUrl + FORTRESS_WEB );
+        login( "test1", "password" );
+        TUtils.sleep( 1 );
+        doNegativeLinkTest( ROLES, "RolePage", "test1" );
+        doNegativeLinkTest( POBJS, "ObjectPage", "test1" );
+        doNegativeLinkTest( PERMS, "PermPage", "test1" );
+        doNegativeLinkTest( SSDS, "SdStaticPage", "test1" );
+        doNegativeLinkTest( DSDS, "SdDynamicPage", "test1" );
+        doNegativeLinkTest( OUSERS, "OuUserPage", "test1" );
+        doNegativeLinkTest( OUPRMS, "OuPermPage", "test1" );
+        doNegativeLinkTest( ADMRLES, "RoleAdminPage", "test1" );
+        doNegativeLinkTest( ADMOBJS, "ObjectAdminPage", "test1" );
+    }
+
+    private void doNegativeLinkTest( String linkName, String pageName, String userId)
+    {
+        log.info("Negative link:" + linkName + " test for " + userId);
+        try
+        {
+            if(driver.findElement( By.linkText( linkName ) ).isEnabled())
+            {
+                fail("Negative Link Test Failed UserId: " + userId + " Link: " + linkName);
+            }
+            fail("Negative Button Test Failed UserId: " + userId + " Link: " + linkName);
+        }
+        catch (org.openqa.selenium.NoSuchElementException e)
+        {
+            // pass
+        }
+        try
+        {
+            if(driver.findElement( By.linkText( linkName ) ).isEnabled())
+            {
+                fail("Negative Link Test Failed UserId: " + userId + " Link: " + linkName);
+            }
+        }
+        catch (org.openqa.selenium.NoSuchElementException e)
+        {
+            // pass
+        }
+
+        // Check that Spring security is enforcing page level security:
+        String unauthorizedUrl = baseUrl + FORTRESS_WEB + "/wicket/bookmarkable/org.apache.directory.fortress.web."
+ pageName;
+        driver.get( unauthorizedUrl );
+        if(is403())
+        {
+            // pass
+            TUtils.sleep( 1 );
+            driver.navigate().back();
+        }
+        else
+        {
+            fail("Spring Security Test Failed URL: " + unauthorizedUrl + "." + GlobalIds.ADD);
+        }
+    }
+
+    public boolean is403()
+    {
+        try
+        {
+            driver.findElement(By.id("web_403"));
+            return true;
+        }
+        catch (NoSuchElementException e)
+        {
+            return false;
+        }
+    }
+
+
+    //private void login()
+    private void login( String userId, String password )
     {
         driver.findElement( By.id( GlobalIds.USER_ID ) ).clear();
-        driver.findElement( By.id( GlobalIds.USER_ID ) ).sendKeys( "test" );
+        driver.findElement( By.id( GlobalIds.USER_ID ) ).sendKeys( userId );
         driver.findElement( By.id( GlobalIds.PSWD_FIELD ) ).clear();
-        driver.findElement( By.id( GlobalIds.PSWD_FIELD ) ).sendKeys( "password" );
+        driver.findElement( By.id( GlobalIds.PSWD_FIELD ) ).sendKeys( password );
         driver.findElement( By.name( GlobalIds.LOGIN ) ).click();
     }
 
@@ -344,7 +437,7 @@ TODO: FIX ME:
 
     private void roles()
     {
-        driver.findElement( By.linkText( "ROLES" ) ).click();
+        driver.findElement( By.linkText( ROLES ) ).click();
         driver.findElement( By.id( GlobalIds.SEARCH_VAL ) ).clear();
         driver.findElement( By.id( GlobalIds.SEARCH_VAL ) ).sendKeys( "oamt13" );
         driver.findElement( By.name( GlobalIds.SEARCH ) ).click();
@@ -393,7 +486,7 @@ TODO: FIX ME:
 
     private void pobjs()
     {
-        driver.findElement( By.linkText( "POBJS" ) ).click();
+        driver.findElement( By.linkText( POBJS ) ).click();
         driver.findElement( By.id( GlobalIds.SEARCH_VAL ) ).sendKeys( "t" );
         driver.findElement( By.name( GlobalIds.SEARCH ) ).click();
         TUtils.sleep( 1 );
@@ -401,7 +494,7 @@ TODO: FIX ME:
 
     private void perms()
     {
-        driver.findElement( By.linkText( "PERMS" ) ).click();
+        driver.findElement( By.linkText( PERMS ) ).click();
         driver.findElement( By.id( "permObject" ) ).sendKeys( "/cal" );
         driver.findElement( By.name( GlobalIds.SEARCH ) ).click();
         TUtils.sleep( 1 );
@@ -409,7 +502,7 @@ TODO: FIX ME:
 
     private void ssds()
     {
-        driver.findElement( By.linkText( "SSDS" ) ).click();
+        driver.findElement( By.linkText( SSDS ) ).click();
         driver.findElement( By.id( "roleRb" ) ).click();
         driver.findElement( By.id( GlobalIds.SEARCH_VAL ) ).sendKeys( "oamT16SDR6" );
         driver.findElement( By.name( GlobalIds.SEARCH ) ).click();
@@ -418,7 +511,7 @@ TODO: FIX ME:
 
     private void dsds()
     {
-        driver.findElement( By.linkText( "DSDS" ) ).click();
+        driver.findElement( By.linkText( DSDS ) ).click();
         driver.findElement( By.id( "roleRb" ) ).click();
         driver.findElement( By.id( GlobalIds.SEARCH_VAL ) ).sendKeys( "oamT13DSD6" );
         driver.findElement( By.name( GlobalIds.SEARCH ) ).click();
@@ -427,7 +520,7 @@ TODO: FIX ME:
 
     private void ouusers()
     {
-        driver.findElement( By.linkText( "OUSERS" ) ).click();
+        driver.findElement( By.linkText( OUSERS ) ).click();
         driver.findElement( By.id( GlobalIds.SEARCH_VAL ) ).sendKeys( "d" );
         driver.findElement( By.name( GlobalIds.SEARCH ) ).click();
         TUtils.sleep( 1 );
@@ -435,7 +528,7 @@ TODO: FIX ME:
 
     private void ouperms()
     {
-        driver.findElement( By.linkText( "OUPRMS" ) ).click();
+        driver.findElement( By.linkText( OUPRMS ) ).click();
         driver.findElement( By.id( GlobalIds.SEARCH_VAL ) ).sendKeys( "a" );
         driver.findElement( By.name( GlobalIds.SEARCH ) ).click();
     }
@@ -443,7 +536,7 @@ TODO: FIX ME:
     private void admrles()
     {
         TUtils.sleep( 1 );
-        driver.findElement( By.linkText( "ADMRLES" ) ).click();
+        driver.findElement( By.linkText( ADMRLES ) ).click();
         driver.findElement( By.id( GlobalIds.SEARCH_VAL ) ).clear();
         driver.findElement( By.id( GlobalIds.SEARCH_VAL ) ).sendKeys( "t" );
         driver.findElement( By.name( GlobalIds.SEARCH ) ).click();
@@ -509,7 +602,7 @@ TODO: FIX ME:
 
     private void admobjs()
     {
-        driver.findElement( By.linkText( "ADMOBJS" ) ).click();
+        driver.findElement( By.linkText( ADMOBJS ) ).click();
         driver.findElement( By.id( GlobalIds.SEARCH_VAL ) ).sendKeys( "u" );
         driver.findElement( By.name( GlobalIds.SEARCH ) ).click();
         TUtils.sleep( 1 );
@@ -517,7 +610,7 @@ TODO: FIX ME:
 
     private void admperms()
     {
-        driver.findElement( By.linkText( "ADMPERMS" ) ).click();
+        driver.findElement( By.linkText( ADMPERMS ) ).click();
         driver.findElement( By.id( "objectAssignLinkLbl" ) ).click();
         TUtils.sleep( 1 );
         driver.findElement( By.linkText( GlobalIds.SELECT ) ).click();
@@ -527,7 +620,7 @@ TODO: FIX ME:
 
     private void plcys()
     {
-        driver.findElement( By.linkText( "PLCYS" ) ).click();
+        driver.findElement( By.linkText( PLCYS ) ).click();
         driver.findElement( By.id( GlobalIds.SEARCH_VAL ) ).sendKeys( "oamtp1policy" );
         driver.findElement( By.name( GlobalIds.SEARCH ) ).click();
         TUtils.sleep( 1 );
@@ -535,7 +628,7 @@ TODO: FIX ME:
 
     private void groups()
     {
-        driver.findElement( By.linkText( "GROUPS" ) ).click();
+        driver.findElement( By.linkText( GROUPS ) ).click();
         driver.findElement( By.id( "searchVal" ) ).sendKeys( "t" );
         driver.findElement( By.name( GlobalIds.SEARCH ) ).click();
         TUtils.sleep( 1 );
@@ -570,7 +663,7 @@ TODO: FIX ME:
 
     private void binds()
     {
-        driver.findElement( By.linkText( "BINDS" ) ).click();
+        driver.findElement( By.linkText( BINDS ) ).click();
         driver.findElement( By.id( GlobalIds.USER_ID ) ).clear();
         driver.findElement( By.id( GlobalIds.USER_ID ) ).sendKeys( "jtsuser1" );
         driver.findElement( By.name( GlobalIds.SEARCH ) ).click();
@@ -589,7 +682,7 @@ TODO: FIX ME:
 
     private void authzs()
     {
-        driver.findElement( By.linkText( "AUTHZ" ) ).click();
+        driver.findElement( By.linkText( AUTHZ ) ).click();
         driver.findElement( By.id( GlobalIds.OBJ_NAME ) ).clear();
         driver.findElement( By.id( GlobalIds.OBJ_NAME ) ).sendKeys( "org.apache.directory.fortress.core.impl.AdminMgrImpl"
);
         driver.findElement( By.name( "admin" ) ).click();
@@ -613,7 +706,7 @@ TODO: FIX ME:
 
     private void mods()
     {
-        driver.findElement( By.linkText( "MODS" ) ).click();
+        driver.findElement( By.linkText( MODS ) ).click();
         driver.findElement( By.id( GlobalIds.USER_ID ) ).clear();
         driver.findElement( By.id( GlobalIds.USER_ID ) ).sendKeys( "test" );
         driver.findElement( By.name( GlobalIds.SEARCH ) ).click();


Mime
View raw message