Return-Path: 
 <tomcat-dev-return-19373-apmail-jakarta-tomcat-dev-archive=jakarta.apache.org@jakarta.apache.org>
Delivered-To: apmail-jakarta-tomcat-dev-archive@jakarta.apache.org
Received: (qmail 8676 invoked by uid 500); 26 Mar 2001 20:04:43 -0000
Mailing-List: contact tomcat-dev-help@jakarta.apache.org; run by ezmlm
Precedence: bulk
list-help: <mailto:tomcat-dev-help@jakarta.apache.org>
list-unsubscribe: <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
list-post: <mailto:tomcat-dev@jakarta.apache.org>
Reply-To: tomcat-dev@jakarta.apache.org
Delivered-To: mailing list tomcat-dev@jakarta.apache.org
Received: (qmail 8630 invoked by uid 500); 26 Mar 2001 20:04:42 -0000
Delivered-To: apmail-jakarta-tomcat-4.0-cvs@apache.org
Date: 26 Mar 2001 20:04:41 -0000
Message-ID: <20010326200441.8624.qmail@apache.org>
From: craigmcc@apache.org
To: jakarta-tomcat-4.0-cvs@apache.org
Subject: cvs commit: jakarta-tomcat-4.0/tester/web/WEB-INF web.xml

craigmcc    01/03/26 12:04:41

  Modified:    tester/src/bin tester.xml
               tester/web/WEB-INF web.xml
  Added:       tester/src/tester/org/apache/tester Authentication03.java
  Log:
  Add a new unit test to validate correct behavior of isUserInRole() for
  three circumstances:
  * Role name mapped directly to a user --> true
  * Role name specified in a <security-role-ref> element for a role name
    mapped directly to a user --> true
  * Role name not mapped to a user --> false
  
  PR: Bugzilla #1086
  Submitted by:	kevinj@develop.com
  
  Revision  Changes    Path
  1.24      +33 -22    jakarta-tomcat-4.0/tester/src/bin/tester.xml
  
  Index: tester.xml
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat-4.0/tester/src/bin/tester.xml,v
  retrieving revision 1.23
  retrieving revision 1.24
  diff -u -r1.23 -r1.24
  --- tester.xml	2001/03/21 20:28:24	1.23
  +++ tester.xml	2001/03/26 20:04:37	1.24
  @@ -12,7 +12,7 @@
     <taskdef  name="tester"     classname="org.apache.tester.TestClient"/>
   
   
  -  <target name="all" depends="ROOT,CaseSensitive,ErrorPage,Jndi,RequestDispatcher,Resources,ServletRequest,ServletResponse,HttpSession,XercesTest"/>
  +  <target name="all" depends="ROOT,Authentication,CaseSensitive,ErrorPage,Jndi,RequestDispatcher,Resources,ServletRequest,ServletResponse,HttpSession,XercesTest"/>
   
   
     <target name="ROOT">
  @@ -37,6 +37,38 @@
     </target>
   
   
  +  <target name="Authentication">
  +
  +    <!-- ========== Authentication ======================================== -->
  +
  +    <!-- Once a user has been authenticated, the corresponding user identity
  +         should be visible to all other requests in this web application, even
  +         for URIs that are not protected by security constraints.  This is
  +         tested by invoking a protected URI followed by a non-protected URI
  +    -->
  +
  +    <tester host="${host}" port="${port}" protocol="${protocol}"
  +          debug="${debug}"
  +         request="${context.path}/protected/Authentication01"
  +       inHeaders="Authorization:Basic dG9tY2F0OnRvbWNhdA=="
  +      outContent="Authentication01 PASSED"/>
  +
  +    <tester host="${host}" port="${port}" protocol="${protocol}"
  +          debug="${debug}"
  +         request="${context.path}/protected/Authentication02"
  +       inHeaders="Authorization:Basic dG9tY2F0OnRvbWNhdA=="
  +      outContent="Authentication02 PASSED"/>
  +
  +    <!-- Test isUserInRole() on actual role and on an alias -->
  +    <tester host="${host}" port="${port}" protocol="${protocol}"
  +          debug="${debug}"
  +         request="${context.path}/protected/Authentication03"
  +       inHeaders="Authorization:Basic dG9tY2F0OnRvbWNhdA=="
  +      outContent="Authentication03 PASSED"/>
  +
  +  </target>
  +
  +
     <target name="CaseSensitive">
   
       <!-- ========== Case Sensitive Request URI Matching =================== -->
  @@ -489,27 +521,6 @@
       <tester host="${host}" port="${port}" protocol="${protocol}"
            request="${context.path}/WrappedGetInputStream01" debug="${debug}"
         outContent="GetInputStream01 PASSED"/>
  -
  -
  -    <!-- ========== Authentication ======================================== -->
  -
  -    <!-- Once a user has been authenticated, the corresponding user identity
  -         should be visible to all other requests in this web application, even
  -         for URIs that are not protected by security constraints.  This is
  -         tested by invoking a protected URI followed by a non-protected URI
  -    -->
  -
  -    <tester host="${host}" port="${port}" protocol="${protocol}"
  -          debug="${debug}"
  -         request="${context.path}/protected/Authentication01"
  -       inHeaders="Authorization:Basic dG9tY2F0OnRvbWNhdA=="
  -      outContent="Authentication01 PASSED"/>
  -
  -    <tester host="${host}" port="${port}" protocol="${protocol}"
  -          debug="${debug}"
  -         request="${context.path}/protected/Authentication02"
  -       inHeaders="Authorization:Basic dG9tY2F0OnRvbWNhdA=="
  -      outContent="Authentication02 PASSED"/>
   
   
     </target>
  
  
  
  1.1                  jakarta-tomcat-4.0/tester/src/tester/org/apache/tester/Authentication03.java
  
  Index: Authentication03.java
  ===================================================================
  /* ========================================================================= *
   *                                                                           *
   *                 The Apache Software License,  Version 1.1                 *
   *                                                                           *
   *      Copyright (c) 1999, 2000, 2001  The Apache Software Foundation.      *
   *                           All rights reserved.                            *
   *                                                                           *
   * ========================================================================= *
   *                                                                           *
   * Redistribution and use in source and binary forms,  with or without modi- *
   * fication, are permitted provided that the following conditions are met:   *
   *                                                                           *
   * 1. Redistributions of source code  must retain the above copyright notice *
   *    notice, this list of conditions and the following disclaimer.          *
   *                                                                           *
   * 2. Redistributions  in binary  form  must  reproduce the  above copyright *
   *    notice,  this list of conditions  and the following  disclaimer in the *
   *    documentation and/or other materials provided with the distribution.   *
   *                                                                           *
   * 3. The end-user documentation  included with the redistribution,  if any, *
   *    must include the following acknowlegement:                             *
   *                                                                           *
   *       "This product includes  software developed  by the Apache  Software *
   *        Foundation <http://www.apache.org/>."                              *
   *                                                                           *
   *    Alternately, this acknowlegement may appear in the software itself, if *
   *    and wherever such third-party acknowlegements normally appear.         *
   *                                                                           *
   * 4. The names  "The  Jakarta  Project",  "Tomcat",  and  "Apache  Software *
   *    Foundation"  must not be used  to endorse or promote  products derived *
   *    from this  software without  prior  written  permission.  For  written *
   *    permission, please contact <apache@apache.org>.                        *
   *                                                                           *
   * 5. Products derived from this software may not be called "Apache" nor may *
   *    "Apache" appear in their names without prior written permission of the *
   *    Apache Software Foundation.                                            *
   *                                                                           *
   * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES *
   * INCLUDING, BUT NOT LIMITED TO,  THE IMPLIED WARRANTIES OF MERCHANTABILITY *
   * AND FITNESS FOR  A PARTICULAR PURPOSE  ARE DISCLAIMED.  IN NO EVENT SHALL *
   * THE APACHE  SOFTWARE  FOUNDATION OR  ITS CONTRIBUTORS  BE LIABLE  FOR ANY *
   * DIRECT,  INDIRECT,   INCIDENTAL,  SPECIAL,  EXEMPLARY,  OR  CONSEQUENTIAL *
   * DAMAGES (INCLUDING,  BUT NOT LIMITED TO,  PROCUREMENT OF SUBSTITUTE GOODS *
   * OR SERVICES;  LOSS OF USE,  DATA,  OR PROFITS;  OR BUSINESS INTERRUPTION) *
   * HOWEVER CAUSED AND  ON ANY  THEORY  OF  LIABILITY,  WHETHER IN  CONTRACT, *
   * STRICT LIABILITY, OR TORT  (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN *
   * ANY  WAY  OUT OF  THE  USE OF  THIS  SOFTWARE,  EVEN  IF  ADVISED  OF THE *
   * POSSIBILITY OF SUCH DAMAGE.                                               *
   *                                                                           *
   * ========================================================================= *
   *                                                                           *
   * This software  consists of voluntary  contributions made  by many indivi- *
   * duals on behalf of the  Apache Software Foundation.  For more information *
   * on the Apache Software Foundation, please see <http://www.apache.org/>.   *
   *                                                                           *
   * ========================================================================= */
  
  package org.apache.tester;
  
  
  import java.io.*;
  import java.security.Principal;
  import javax.servlet.*;
  import javax.servlet.http.*;
  
  /**
   * Ensure that we get the correct results from <code>isUserInRole()</code>
   * for an actual role, a role aliased with a
   * <code>&lt;security-role-ref&gt;</code> element, and for a role that is
   * not assigned to the specified user.
   *
   * @author Craig R. McClanahan
   * @version $Revision: 1.1 $ $Date: 2001/03/26 20:04:39 $
   */
  
  public class Authentication03 extends HttpServlet {
  
      public void doGet(HttpServletRequest request, HttpServletResponse response)
          throws IOException, ServletException {
  
          // Prepare to create this response
          response.setContentType("text/plain");
          PrintWriter writer = response.getWriter();
          StringBuffer results = new StringBuffer();
  
          // Validate that we have been authenticated correctly
          String remoteUser = request.getRemoteUser();
          if (remoteUser == null) {
              results.append("  Not Authenticated/");
          } else if (!"tomcat".equals(remoteUser)) {
              results.append("  Authenticated as '");
              results.append(remoteUser);
              results.append("'/");
          }
  
          // Validate that this user is part of the "tomcat" role
          if (!request.isUserInRole("tomcat")) {
              results.append("  Not in role 'tomcat'/");
          }
  
          // Validate that this user is part of the "alias" role
          // (mapped to "tomcat" in a <security-role-ref> element
          if (!request.isUserInRole("alias")) {
              results.append("  Not in role 'alias'/");
          }
  
          // Validate that this user is NOT part of the "unknown" role
          if (request.isUserInRole("unknown")) {
              results.append("  In role 'unknown'/");
          }
  
          // Generate our response
          if (results.length() < 1) {
              writer.println("Authentication03 PASSED");
          } else {
              writer.print("Authentication03 FAILED -");
              writer.println(results.toString());
          }
  
          // Add wrapper messages as required
          while (true) {
              String message = StaticLogger.read();
              if (message == null)
                  break;
              writer.println(message);
          }
          StaticLogger.reset();
  
  
      }
  
  }
  
  
  
  1.16      +21 -0     jakarta-tomcat-4.0/tester/web/WEB-INF/web.xml
  
  Index: web.xml
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat-4.0/tester/web/WEB-INF/web.xml,v
  retrieving revision 1.15
  retrieving revision 1.16
  diff -u -r1.15 -r1.16
  --- web.xml	2001/03/21 19:38:50	1.15
  +++ web.xml	2001/03/26 20:04:40	1.16
  @@ -214,6 +214,15 @@
       </servlet>
   
       <servlet>
  +        <servlet-name>Authentication03</servlet-name>
  +        <servlet-class>org.apache.tester.Authentication03</servlet-class>
  +        <security-role-ref>
  +            <role-name>alias</role-name>
  +            <role-link>tomcat</role-link>
  +        </security-role-ref>
  +    </servlet>
  +
  +    <servlet>
           <servlet-name>ErrorPage01</servlet-name>
           <servlet-class>org.apache.tester.ErrorPage01</servlet-class>
       </servlet>
  @@ -392,6 +401,11 @@
       </servlet-mapping>
   
       <servlet-mapping>
  +        <servlet-name>Authentication03</servlet-name>
  +        <url-pattern>/protected/Authentication03</url-pattern>
  +    </servlet-mapping>
  +
  +    <servlet-mapping>
           <servlet-name>ErrorPage01</servlet-name>
           <url-pattern>/ErrorPage01</url-pattern>
       </servlet-mapping>
  @@ -716,6 +730,13 @@
           <auth-method>BASIC</auth-method>
           <realm-name>Authentication Servlet</realm-name>
       </login-config>
  +
  +<!--
  +    <security-role>
  +        <description>Security role we are testing for</description>
  +        <role-name>tomcat</role-name>
  +    </security-role>
  +-->
   
   
       <!-- ========== Environment Entries =================================== -->