tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ma...@apache.org
Subject svn commit: r1235207 - /tomcat/trunk/test/org/apache/catalina/authenticator/TestSSOnonLoginAndBasicAuthenticator.java
Date Tue, 24 Jan 2012 11:28:29 GMT
Author: markt
Date: Tue Jan 24 11:28:29 2012
New Revision: 1235207

URL: http://svn.apache.org/viewvc?rev=1235207&view=rev
Log:
Add SSO test.
Patch provided by Brian Burch.

Added:
    tomcat/trunk/test/org/apache/catalina/authenticator/TestSSOnonLoginAndBasicAuthenticator.java
  (with props)

Added: tomcat/trunk/test/org/apache/catalina/authenticator/TestSSOnonLoginAndBasicAuthenticator.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/catalina/authenticator/TestSSOnonLoginAndBasicAuthenticator.java?rev=1235207&view=auto
==============================================================================
--- tomcat/trunk/test/org/apache/catalina/authenticator/TestSSOnonLoginAndBasicAuthenticator.java
(added)
+++ tomcat/trunk/test/org/apache/catalina/authenticator/TestSSOnonLoginAndBasicAuthenticator.java
Tue Jan 24 11:28:29 2012
@@ -0,0 +1,370 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one or more
+ *  contributor license agreements.  See the NOTICE file distributed with
+ *  this work for additional information regarding copyright ownership.
+ *  The ASF licenses this file to You under the Apache License, Version 2.0
+ *  (the "License"); you may not use this file except in compliance with
+ *  the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+package org.apache.catalina.authenticator;
+
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNull;
+
+import org.junit.Test;
+
+import org.apache.catalina.Context;
+import org.apache.catalina.deploy.LoginConfig;
+import org.apache.catalina.deploy.SecurityCollection;
+import org.apache.catalina.deploy.SecurityConstraint;
+import org.apache.catalina.startup.TesterServlet;
+import org.apache.catalina.startup.Tomcat;
+import org.apache.catalina.startup.TomcatBaseTest;
+import org.apache.catalina.util.Base64;
+import org.apache.tomcat.util.buf.ByteChunk;
+
+/**
+ * Test BasicAuthenticator and NonLoginAuthenticator when a
+ * SingleSignOn Valve is active.
+ *
+ * <p>
+ * In the absence of SSO support, a webapp using NonLoginAuthenticator
+ * simply cannot access protected resources. These tests exercise the
+ * the way successfully authenticating a different webapp under the
+ * BasicAuthenticator triggers the additional SSO logic for both webapps.
+ */
+public class TestSSOnonLoginAndBasicAuthenticator extends TomcatBaseTest {
+
+    private static final String USER = "user";
+    private static final String PWD = "pwd";
+    private static final String ROLE = "role";
+
+    private static final String HTTP_PREFIX = "http://localhost:";
+    private static final String CONTEXT_PATH_NOLOGIN = "/nologin";
+    private static final String CONTEXT_PATH_LOGIN = "/login";
+    private static final String URI_PROTECTED = "/protected";
+    private static final String URI_PUBLIC = "/anyoneCanAccess";
+
+    private static final int SHORT_TIMEOUT_SECS = 4;
+    private static final long SHORT_TIMEOUT_DELAY_MSECS =
+                                    ((SHORT_TIMEOUT_SECS + 3) * 1000);
+    private static final int LONG_TIMEOUT_SECS = 10;
+    private static final long LONG_TIMEOUT_DELAY_MSECS =
+                                    ((LONG_TIMEOUT_SECS + 5) * 1000);
+
+    private static String CLIENT_AUTH_HEADER = "authorization";
+    private static String SERVER_COOKIES = "Set-Cookie";
+    private static String BROWSER_COOKIES = "Cookie";
+
+    private List<String> cookies;
+
+    /*
+     * Try to access an unprotected resource without an established
+     * SSO session.
+     * This should be permitted.
+     */
+    @Test
+    public void testAcceptPublicNonLogin() throws Exception {
+        doTestNonLogin(CONTEXT_PATH_NOLOGIN + URI_PUBLIC,
+                        false, false, 200);
+    }
+
+    /*
+     * Try to access a protected resource without an established
+     * SSO session.
+     * This should be rejected with SC_FORBIDDEN 403 status.
+     */
+    @Test
+    public void testRejectProtectedNonLogin() throws Exception {
+        doTestNonLogin(CONTEXT_PATH_NOLOGIN + URI_PROTECTED,
+                        false, true, 403);
+    }
+
+    /*
+     * Logon to access a protected resource using BASIC authentication,
+     * which will establish an SSO session.
+     * Wait until the SSO session times-out, then try to re-access
+     * the resource.
+     * This should be rejected with SC_FORBIDDEN 401 status, which
+     * will then be followed by successful re-authentication.
+     */
+    @Test
+    public void testBasicLoginSessionTimeout() throws Exception {
+        doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PROTECTED,
+                true, 401, false, 200);
+        // wait long enough for my session to expire
+        Thread.sleep(SHORT_TIMEOUT_DELAY_MSECS);
+        doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PROTECTED,
+                true, 401, false, 200);
+    }
+
+    /*
+     * Logon to access a protected resource using BASIC authentication,
+     * which will establish an SSO session.
+     * Immediately try to access a protected resource in the NonLogin
+     * webapp, but without sending the SSO session cookie.
+     * This should be rejected with SC_FORBIDDEN 403 status.
+     */
+    @Test
+    public void testBasicLoginRejectProtectedWithoutCookies() throws Exception {
+        doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PROTECTED,
+                true, 401, false, 200);
+        doTestNonLogin(CONTEXT_PATH_NOLOGIN + URI_PROTECTED,
+                        false, true, 403);
+    }
+
+    /*
+     * Logon to access a protected resource using BASIC authentication,
+     * which will establish an SSO session.
+     * Immediately try to access a protected resource in the NonLogin
+     * webapp while sending the SSO session cookie provided by the
+     * first webapp.
+     * This should be successful with SC_OK 200 status.
+     */
+    @Test
+    public void testBasicLoginAcceptProtectedWithCookies() throws Exception {
+        doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PROTECTED,
+                true, 401, false, 200);
+        doTestNonLogin(CONTEXT_PATH_NOLOGIN + URI_PROTECTED,
+                        true, false, 200);
+    }
+
+    /*
+     * Logon to access a protected resource using BASIC authentication,
+     * which will establish an SSO session.
+     * Immediately try to access a protected resource in the NonLogin
+     * webapp while sending the SSO session cookie provided by the
+     * first webapp.
+     * This should be successful with SC_OK 200 status.
+     *
+     * Then, wait long enough for the BASIC session to expire. (The SSO
+     * session should remain active because the NonLogin session has
+     * not yet expired).
+     *
+     * Try to access the protected resource again, before the SSO session
+     * has expired.
+     * This should be successful with SC_OK 200 status.
+     *
+     * Finally, wait for the non-login session to expire and try again..
+     * This should be rejected with SC_FORBIDDEN 403 status.
+     *
+     * (see bugfix https://issues.apache.org/bugzilla/show_bug.cgi?id=52303)
+     */
+    @Test
+    public void testBasicExpiredAcceptProtectedWithCookies() throws Exception {
+        doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PROTECTED,
+                true, 401, false, 200);
+        doTestNonLogin(CONTEXT_PATH_NOLOGIN + URI_PROTECTED,
+                        true, false, 200);
+
+        // wait long enough for the BASIC session to expire,
+        // but not long enough for NonLogin session expiry
+        Thread.sleep(SHORT_TIMEOUT_DELAY_MSECS);
+        doTestNonLogin(CONTEXT_PATH_NOLOGIN + URI_PROTECTED,
+                        true, false, 200);
+
+        // wait long enough for my NonLogin session to expire
+        // and tear down the SSO session at the same time.
+        Thread.sleep(LONG_TIMEOUT_DELAY_MSECS);
+        doTestNonLogin(CONTEXT_PATH_NOLOGIN + URI_PROTECTED,
+                        false, true, 403);
+    }
+
+
+    public void doTestNonLogin(String uri, boolean addCookies,
+            boolean expectedReject, int expectedRC)
+            throws Exception {
+
+        Map<String,List<String>> reqHeaders =
+                new HashMap<String,List<String>>();
+        if (addCookies) {
+            addCookies(reqHeaders);
+        }
+        Map<String,List<String>> respHeaders =
+                new HashMap<String,List<String>>();
+
+        ByteChunk bc = new ByteChunk();
+        int rc = getUrl(HTTP_PREFIX + getPort() + uri, bc, reqHeaders,
+                respHeaders);
+
+        if (expectedReject) {
+            assertEquals(expectedRC, rc);
+            assertNull(bc.toString());
+        }
+        else {
+            assertEquals(200, rc);
+            assertEquals("OK", bc.toString());
+            saveCookies(respHeaders);
+        }
+}
+
+    public void doTestBasic(String user, String pwd, String uri,
+            boolean expectedReject1, int expectedRC1,
+            boolean expectedReject2, int expectedRC2) throws Exception {
+
+        // the first access attempt should be challenged
+        Map<String,List<String>> reqHeaders1 =
+                new HashMap<String,List<String>>();
+        Map<String,List<String>> respHeaders1 =
+                new HashMap<String,List<String>>();
+
+        ByteChunk bc = new ByteChunk();
+        int rc = getUrl(HTTP_PREFIX + getPort() + uri, bc, reqHeaders1,
+                respHeaders1);
+
+        if (expectedReject1) {
+            assertEquals(expectedRC1, rc);
+            assertNull(bc.toString());
+        }
+        else {
+            assertEquals(200, rc);
+            assertEquals("OK", bc.toString());
+            return;
+        }
+
+        // the second access attempt should be sucessful
+        String credentials = user + ":" + pwd;
+        byte[] credentialsBytes = ByteChunk.convertToBytes(credentials);
+        String base64auth = Base64.encode(credentialsBytes);
+        String authLine = "Basic " + base64auth;
+
+        List<String> auth = new ArrayList<String>();
+        auth.add(authLine);
+        Map<String,List<String>> reqHeaders2 = new HashMap<String,List<String>>();
+        reqHeaders2.put(CLIENT_AUTH_HEADER, auth);
+
+        Map<String,List<String>> respHeaders2 =
+            new HashMap<String,List<String>>();
+
+        bc.reset();
+        rc = getUrl(HTTP_PREFIX + getPort() + uri, bc, reqHeaders2,
+                respHeaders2);
+
+        if (expectedReject2) {
+            assertEquals(expectedRC2, rc);
+            assertNull(bc.toString());
+        }
+        else {
+            assertEquals(200, rc);
+            assertEquals("OK", bc.toString());
+            saveCookies(respHeaders2);
+        }
+    }
+
+
+    @Override
+    public void setUp() throws Exception {
+
+        super.setUp();
+
+        // create a tomcat server using the default in-memory Realm
+        Tomcat tomcat = getTomcatInstance();
+
+        // associate the SingeSignOn Valve before the Contexts
+        SingleSignOn sso = new SingleSignOn();
+        tomcat.getHost().getPipeline().addValve(sso);
+
+        // add the test user and role to the Realm
+        tomcat.addUser(USER, PWD);
+        tomcat.addRole(USER, ROLE);
+
+        // setup both NonLogin and Login webapps
+        setUpNonLogin(tomcat);
+        setUpLogin(tomcat);
+
+        tomcat.start();
+    }
+
+    private void setUpNonLogin(Tomcat tomcat) throws Exception {
+
+        // Must have a real docBase for webapps - just use temp
+        Context ctxt = tomcat.addContext(CONTEXT_PATH_NOLOGIN,
+                System.getProperty("java.io.tmpdir"));
+        ctxt.setSessionTimeout(LONG_TIMEOUT_SECS);
+
+        // Add protected servlet
+        Tomcat.addServlet(ctxt, "TesterServlet1", new TesterServlet());
+        ctxt.addServletMapping(URI_PROTECTED, "TesterServlet1");
+
+        SecurityCollection collection1 = new SecurityCollection();
+        collection1.addPattern(URI_PROTECTED);
+        SecurityConstraint sc1 = new SecurityConstraint();
+        sc1.addAuthRole(ROLE);
+        sc1.addCollection(collection1);
+        ctxt.addConstraint(sc1);
+
+        // Add unprotected servlet
+        Tomcat.addServlet(ctxt, "TesterServlet2", new TesterServlet());
+        ctxt.addServletMapping(URI_PUBLIC, "TesterServlet2");
+
+        SecurityCollection collection2 = new SecurityCollection();
+        collection2.addPattern(URI_PUBLIC);
+        SecurityConstraint sc2 = new SecurityConstraint();
+        // do not add a role - which signals access permitted without one
+        sc2.addCollection(collection2);
+        ctxt.addConstraint(sc2);
+
+        // Configure the authenticator and inherit the Realm from Engine
+        LoginConfig lc = new LoginConfig();
+        lc.setAuthMethod("NONE");
+        ctxt.setLoginConfig(lc);
+        ctxt.getPipeline().addValve(new NonLoginAuthenticator());
+    }
+
+    private void setUpLogin(Tomcat tomcat) throws Exception {
+
+        // Must have a real docBase for webapps - just use temp
+        Context ctxt = tomcat.addContext(CONTEXT_PATH_LOGIN,
+                System.getProperty("java.io.tmpdir"));
+        ctxt.setSessionTimeout(SHORT_TIMEOUT_SECS);
+
+        // Add protected servlet
+        Tomcat.addServlet(ctxt, "TesterServlet3", new TesterServlet());
+        ctxt.addServletMapping(URI_PROTECTED, "TesterServlet3");
+
+        SecurityCollection collection = new SecurityCollection();
+        collection.addPattern(URI_PROTECTED);
+        SecurityConstraint sc = new SecurityConstraint();
+        sc.addAuthRole(ROLE);
+        sc.addCollection(collection);
+        ctxt.addConstraint(sc);
+
+        // Configure the appropriate authenticator
+        LoginConfig lc = new LoginConfig();
+        lc.setAuthMethod("BASIC");
+        ctxt.setLoginConfig(lc);
+        ctxt.getPipeline().addValve(new BasicAuthenticator());
+    }
+
+    /*
+     * extract and save the server cookies from the incoming response
+     */
+    protected void saveCookies(Map<String,List<String>> respHeaders) {
+
+        // we only save the Cookie values, not header prefix
+        cookies = respHeaders.get(SERVER_COOKIES);
+    }
+
+    /*
+     * add all saved cookies to the outgoing request
+     */
+    protected void addCookies(Map<String,List<String>> reqHeaders) {
+
+        if ((cookies != null) && (cookies.size() > 0)) {
+            reqHeaders.put(BROWSER_COOKIES + ":", cookies);
+        }
+    }
+}
\ No newline at end of file

Propchange: tomcat/trunk/test/org/apache/catalina/authenticator/TestSSOnonLoginAndBasicAuthenticator.java
------------------------------------------------------------------------------
    svn:eol-style = native



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message