tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ma...@apache.org
Subject svn commit: r1415177 - /tomcat/trunk/test/org/apache/catalina/authenticator/TestNonLoginAndBasicAuthenticator.java
Date Thu, 29 Nov 2012 14:21:45 GMT
Author: markt
Date: Thu Nov 29 14:21:45 2012
New Revision: 1415177

URL: http://svn.apache.org/viewvc?rev=1415177&view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=54190
Improve unit tests.
Patch by Brian Burch.

Modified:
    tomcat/trunk/test/org/apache/catalina/authenticator/TestNonLoginAndBasicAuthenticator.java

Modified: tomcat/trunk/test/org/apache/catalina/authenticator/TestNonLoginAndBasicAuthenticator.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/catalina/authenticator/TestNonLoginAndBasicAuthenticator.java?rev=1415177&r1=1415176&r2=1415177&view=diff
==============================================================================
--- tomcat/trunk/test/org/apache/catalina/authenticator/TestNonLoginAndBasicAuthenticator.java
(original)
+++ tomcat/trunk/test/org/apache/catalina/authenticator/TestNonLoginAndBasicAuthenticator.java
Thu Nov 29 14:21:45 2012
@@ -21,6 +21,8 @@ import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 
+import javax.servlet.http.HttpServletResponse;
+
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertTrue;
 
@@ -48,9 +50,13 @@ import org.apache.tomcat.util.buf.ByteCh
  */
 public class TestNonLoginAndBasicAuthenticator extends TomcatBaseTest {
 
+    protected static final Boolean USE_COOKIES = true;
+    protected static final Boolean NO_COOKIES = !USE_COOKIES;
+
     private static final String USER = "user";
     private static final String PWD = "pwd";
     private static final String ROLE = "role";
+    private static final String NICE_METHOD = "Basic";
 
     private static final String HTTP_PREFIX = "http://localhost:";
     private static final String CONTEXT_PATH_NOLOGIN = "/nologin";
@@ -58,12 +64,39 @@ public class TestNonLoginAndBasicAuthent
     private static final String URI_PROTECTED = "/protected";
     private static final String URI_PUBLIC = "/anyoneCanAccess";
 
-    private static final int SHORT_TIMEOUT_SECS = 4;
-    private static final int LONG_TIMEOUT_SECS = 10;
-    private static final long LONG_TIMEOUT_DELAY_MSECS =
-                                    ((LONG_TIMEOUT_SECS + 2) * 1000);
-
-    private static String CLIENT_AUTH_HEADER = "authorization";
+    private static final int SHORT_TIMEOUT_MINS = 1;
+    private static final int LONG_TIMEOUT_MINS = 2;
+    private static final int MANAGER_SCAN_DELAY_SECS = 60;
+    private static final int EXTRA_DELAY_SECS = 5;
+    private static final long TIMEOUT_DELAY_MSECS =
+            (((SHORT_TIMEOUT_MINS * 60)
+                    + MANAGER_SCAN_DELAY_SECS + EXTRA_DELAY_SECS) * 1000);
+
+    private static final String CLIENT_AUTH_HEADER = "authorization";
+    private static final String SERVER_AUTH_HEADER = "WWW-Authenticate";
+    private static final String SERVER_COOKIE_HEADER = "Set-Cookie";
+    private static final String CLIENT_COOKIE_HEADER = "Cookie";
+
+    private static final BasicCredentials NO_CREDENTIALS = null;
+    private static final BasicCredentials GOOD_CREDENTIALS =
+                new BasicCredentials(NICE_METHOD, USER, PWD);
+    private static final BasicCredentials STRANGE_CREDENTIALS =
+                new BasicCredentials("bAsIc", USER, PWD);
+    private static final BasicCredentials BAD_CREDENTIALS =
+                new BasicCredentials(NICE_METHOD, USER, "wrong");
+    private static final BasicCredentials BAD_METHOD =
+                new BasicCredentials("BadMethod", USER, PWD);
+    private static final BasicCredentials SPACED_BASE64 =
+                new BasicCredentials(NICE_METHOD + " ", USER, PWD);
+    private static final BasicCredentials SPACED_USERNAME =
+                new BasicCredentials(NICE_METHOD, " " + USER + " ", PWD);
+    private static final BasicCredentials SPACED_PASSWORD =
+                new BasicCredentials(NICE_METHOD, USER, " " + PWD + " ");
+
+    private Tomcat tomcat;
+    private AuthenticatorBase basicAuthenticator;
+    private AuthenticatorBase nonloginAuthenticator;
+    private List<String> cookies;
 
     /*
      * Try to access an unprotected resource in a webapp that
@@ -72,7 +105,8 @@ public class TestNonLoginAndBasicAuthent
      */
     @Test
     public void testAcceptPublicNonLogin() throws Exception {
-        doTestNonLogin(CONTEXT_PATH_NOLOGIN + URI_PUBLIC, false, 200);
+        doTestNonLogin(CONTEXT_PATH_NOLOGIN + URI_PUBLIC,
+                NO_COOKIES, HttpServletResponse.SC_OK);
     }
 
     /*
@@ -82,7 +116,8 @@ public class TestNonLoginAndBasicAuthent
      */
     @Test
     public void testRejectProtectedNonLogin() throws Exception {
-        doTestNonLogin(CONTEXT_PATH_NOLOGIN + URI_PROTECTED, true, 403);
+        doTestNonLogin(CONTEXT_PATH_NOLOGIN + URI_PROTECTED,
+                NO_COOKIES, HttpServletResponse.SC_FORBIDDEN);
     }
 
     /*
@@ -93,164 +128,378 @@ public class TestNonLoginAndBasicAuthent
     @Test
     public void testAcceptPublicBasic() throws Exception {
         doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PUBLIC,
-                false, false, 200, false, 200);
+                NO_CREDENTIALS, NO_COOKIES, HttpServletResponse.SC_OK);
     }
 
     /*
      * Try to access a protected resource in a webapp that
      * has a BASIC login method defined. The access will be
-     * challenged, authenticated and then permitted.
+     * challenged with 401 SC_UNAUTHORIZED, and then be permitted
+     * once authenticated.
      */
     @Test
     public void testAcceptProtectedBasic() throws Exception {
         doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PROTECTED,
-                false, true, 401, false, 200);
+                NO_CREDENTIALS, NO_COOKIES, HttpServletResponse.SC_UNAUTHORIZED);
+        doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PROTECTED,
+                GOOD_CREDENTIALS, NO_COOKIES, HttpServletResponse.SC_OK);
     }
 
     /*
-     * Try to access a protected resource in a webapp that
-     * has a BASIC login method defined. Verify the server is
-     * prepared to accept non-standard case for the auth scheme.
-     * The access should be challenged, authenticated and then permitted.
+     * This is the same as testAcceptProtectedBasic (above), except
+     * using an invalid password.
+     */
+    @Test
+    public void testAuthMethodBadCredentials() throws Exception {
+        doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PROTECTED,
+                NO_CREDENTIALS, NO_COOKIES, HttpServletResponse.SC_UNAUTHORIZED);
+        doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PROTECTED,
+                BAD_CREDENTIALS, NO_COOKIES, HttpServletResponse.SC_UNAUTHORIZED);
+    }
+
+    /*
+     * This is the same as testAcceptProtectedBasic (above), except
+     * to verify the server follows RFC2617 by treating the auth-scheme
+     * token as case-insensitive.
      */
     @Test
     public void testAuthMethodCaseBasic() throws Exception {
         doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PROTECTED,
-                true, true, 401, false, 200);
+                NO_CREDENTIALS, NO_COOKIES, HttpServletResponse.SC_UNAUTHORIZED);
+        doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PROTECTED,
+                STRANGE_CREDENTIALS, NO_COOKIES, HttpServletResponse.SC_OK);
     }
 
     /*
-     * Logon to access a protected resource in a webapp that uses
-     * BASIC authentication. Wait until that session times-out,
-     * then re-access the resource.
-     * This should be rejected with SC_FORBIDDEN 401 status, which
-     * can be followed by successful re-authentication.
+     * This is the same as testAcceptProtectedBasic (above), except
+     * using an invalid authentication method.
+     *
+     * Note: the container ensures the Basic login method is called.
+     *       BasicAuthenticator does not find the expected authentication
+     *       header method, and so does not extract any credentials.
+     *
+     * The request is rejected with 401 SC_UNAUTHORIZED status. RFC2616
+     * says the response body should identify the auth-schemes that are
+     * acceptable for the container.
+     */
+    @Test
+    public void testAuthMethodBadMethod() throws Exception {
+        doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PROTECTED,
+                NO_CREDENTIALS, NO_COOKIES, HttpServletResponse.SC_UNAUTHORIZED);
+        doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PROTECTED,
+                BAD_METHOD, NO_COOKIES, HttpServletResponse.SC_UNAUTHORIZED);
+    }
+
+    /*
+     * This is the same as testAcceptProtectedBasic (above), except
+     * using excess white space after the authentication method.
+     *
+     * The request is rejected with 401 SC_UNAUTHORIZED status.
+     *
+     * TODO: RFC2617 does not define the separation syntax between the
+     *       auth-scheme and basic-credentials tokens. Tomcat should tolerate
+     *       any reasonable amount of white space and return SC_OK.
+     */
+    @Test
+    public void testAuthMethodExtraSpace() throws Exception {
+        doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PROTECTED,
+                NO_CREDENTIALS, NO_COOKIES, HttpServletResponse.SC_UNAUTHORIZED);
+        doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PROTECTED,
+                SPACED_BASE64, NO_COOKIES, HttpServletResponse.SC_UNAUTHORIZED);
+    }
+
+    /*
+     * This is the same as testAcceptProtectedBasic (above), except
+     * using white space around the username credential.
+     *
+     * The request is rejected with 401 SC_UNAUTHORIZED status.
+     *
+     * TODO: RFC2617 does not define the separation syntax between the
+     *       auth-scheme and basic-credentials tokens. Tomcat should tolerate
+     *       any reasonable amount of white space and return SC_OK.
+     */
+    @Test
+    public void testUserExtraSpace() throws Exception {
+        doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PROTECTED,
+                NO_CREDENTIALS, NO_COOKIES, HttpServletResponse.SC_UNAUTHORIZED);
+        doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PROTECTED,
+                SPACED_USERNAME, NO_COOKIES, HttpServletResponse.SC_UNAUTHORIZED);
+    }
+
+    /*
+     * This is the same as testAcceptProtectedBasic (above), except
+     * using white space around the password credential.
+     *
+     * The request is rejected with 401 SC_UNAUTHORIZED status.
+     *
+     * TODO: RFC2617 does not define the separation syntax between the
+     *       auth-scheme and basic-credentials tokens. Tomcat should tolerate
+     *       any reasonable amount of white space and return SC_OK.
      */
     @Test
+    public void testPasswordExtraSpace() throws Exception {
+        doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PROTECTED,
+                NO_CREDENTIALS, NO_COOKIES, HttpServletResponse.SC_UNAUTHORIZED);
+        doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PROTECTED,
+                SPACED_PASSWORD, NO_COOKIES, HttpServletResponse.SC_UNAUTHORIZED);
+    }
+
+    /*
+     * The default behaviour of BASIC authentication does NOT create
+     * a session on the server. Verify that the client is required to
+     * send a valid authenticate header with every request to access
+     * protected resources.
+     */
+    @Test
+    public void testBasicLoginWithoutSession() throws Exception {
+
+        // this section is identical to testAuthMethodCaseBasic
+        doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PROTECTED,
+                NO_CREDENTIALS, NO_COOKIES, HttpServletResponse.SC_UNAUTHORIZED);
+        doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PROTECTED,
+                GOOD_CREDENTIALS, NO_COOKIES, HttpServletResponse.SC_OK);
+
+        // next, try to access the protected resource while not providing
+        // credentials. This confirms the server has not retained any state
+        // data which might allow it to authenticate the client. Expect
+        // to be challenged with 401 SC_UNAUTHORIZED.
+        doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PROTECTED,
+                NO_CREDENTIALS, NO_COOKIES, HttpServletResponse.SC_UNAUTHORIZED);
+
+        // finally, provide credentials to confirm the resource
+        // can still be accessed with an authentication header.
+        doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PROTECTED,
+                GOOD_CREDENTIALS, NO_COOKIES, HttpServletResponse.SC_OK);
+    }
+
+    /*
+     * Test the optional behaviour of BASIC authentication to create
+     * a session on the server. The server will return a session cookie.
+     *
+     * 1. try to access a protected resource without credentials, so
+     *    get Unauthorized status.
+     * 2. try to access a protected resource when providing credentials,
+     *    so get OK status and a server session cookie.
+     * 3. access the protected resource once more using a session cookie.
+     * 4. repeat using the session cookie.
+     *
+     * Note: The FormAuthenticator is a two-step process and is protected
+     *       from session fixation attacks by the default AuthenticatorBase
+     *       changeSessionIdOnAuthentication setting of true. However,
+     *       BasicAuthenticator is a one-step process and so the
+     *       AuthenticatorBase does not reissue the sessionId.
+     */
+   @Test
+    public void testBasicLoginSessionPersistence() throws Exception {
+
+        setAlwaysUseSession();
+
+        // this section is identical to testAuthMethodCaseBasic
+        doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PROTECTED,
+                NO_CREDENTIALS, NO_COOKIES, HttpServletResponse.SC_UNAUTHORIZED);
+        doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PROTECTED,
+                GOOD_CREDENTIALS, NO_COOKIES, HttpServletResponse.SC_OK);
+
+        // confirm the session is not recognised by the server alone
+        doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PROTECTED,
+                NO_CREDENTIALS, NO_COOKIES, HttpServletResponse.SC_UNAUTHORIZED);
+
+        // now provide the harvested session cookie for authentication
+        doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PROTECTED,
+                NO_CREDENTIALS, USE_COOKIES, HttpServletResponse.SC_OK);
+
+        // finally, do it again with the cookie to be sure
+        doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PROTECTED,
+                NO_CREDENTIALS, USE_COOKIES, HttpServletResponse.SC_OK);
+    }
+
+    /*
+     * Verify the timeout mechanism works for BASIC sessions. This test
+     * follows the flow of testBasicLoginSessionPersistence (above).
+     */
+   @Test
     public void testBasicLoginSessionTimeout() throws Exception {
+
+       setAlwaysUseSession();
+
+       // this section is identical to testAuthMethodCaseBasic
+        doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PROTECTED,
+                NO_CREDENTIALS, NO_COOKIES, HttpServletResponse.SC_UNAUTHORIZED);
+        doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PROTECTED,
+                GOOD_CREDENTIALS, NO_COOKIES, HttpServletResponse.SC_OK);
+
+        // now provide the harvested session cookie for authentication
+        List<String> originalCookies = cookies;
+        doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PROTECTED,
+                NO_CREDENTIALS, USE_COOKIES, HttpServletResponse.SC_OK);
+
+        // allow the session to time out and lose authentication
+        Thread.sleep(TIMEOUT_DELAY_MSECS);
+
+        // provide the harvested session cookie for authentication
+        // to confirm it has expired
+        doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PROTECTED,
+                NO_CREDENTIALS, USE_COOKIES, HttpServletResponse.SC_UNAUTHORIZED);
+
+        // finally, do BASIC reauthentication and get another session
         doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PROTECTED,
-                false, true, 401, false, 200);
-        // wait long enough for the session above to expire
-        Thread.sleep(LONG_TIMEOUT_DELAY_MSECS);
+                NO_CREDENTIALS, NO_COOKIES, HttpServletResponse.SC_UNAUTHORIZED);
         doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PROTECTED,
-                false, true, 401, false, 200);
+                GOOD_CREDENTIALS, NO_COOKIES, HttpServletResponse.SC_OK);
+
+        // slightly paranoid verification
+        boolean sameCookies = originalCookies.equals(cookies);
+        assertTrue(!sameCookies);
     }
 
     /*
      * Logon to access a protected resource in a webapp that uses
      * BASIC authentication. Then try to access a protected resource
-     * in a different webapp that does not have a login method.
+     * in a different webapp which does not have a login method.
      * This should be rejected with SC_FORBIDDEN 403 status, confirming
      * there has been no cross-authentication between the webapps.
      */
     @Test
     public void testBasicLoginRejectProtected() throws Exception {
         doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PROTECTED,
-                false, true, 401, false, 200);
+                NO_CREDENTIALS, NO_COOKIES, HttpServletResponse.SC_UNAUTHORIZED);
+        doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PROTECTED,
+                GOOD_CREDENTIALS, NO_COOKIES, HttpServletResponse.SC_OK);
+
+        doTestNonLogin(CONTEXT_PATH_NOLOGIN + URI_PROTECTED,
+                NO_COOKIES, HttpServletResponse.SC_FORBIDDEN);
+    }
+
+    /*
+     * Try to use the session cookie from the BASIC webapp to request
+     * access to the webapp that does not have a login method. (This
+     * is equivalent to Single Signon, but without the Valve.)
+     *
+     * Verify there is no cross-authentication when using similar logic
+     * to testBasicLoginRejectProtected (above).
+     *
+     * This should be rejected with SC_FORBIDDEN 403 status.
+     */
+    @Test
+    public void testBasicLoginRejectProtectedWithSession() throws Exception {
+
+        setAlwaysUseSession();
+
+        doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PROTECTED,
+                NO_CREDENTIALS, NO_COOKIES, HttpServletResponse.SC_UNAUTHORIZED);
+        doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PROTECTED,
+                GOOD_CREDENTIALS, NO_COOKIES, HttpServletResponse.SC_OK);
+
+        // use the session cookie harvested with the other webapp
         doTestNonLogin(CONTEXT_PATH_NOLOGIN + URI_PROTECTED,
-                true, 403);
+                USE_COOKIES, HttpServletResponse.SC_FORBIDDEN);
     }
 
 
-    private void doTestNonLogin(String uri, boolean expectedReject,
+    private void doTestNonLogin(String uri, boolean useCookie,
             int expectedRC) throws Exception {
 
         Map<String,List<String>> reqHeaders = new HashMap<>();
         Map<String,List<String>> respHeaders = new HashMap<>();
 
+        if (useCookie && (cookies != null)) {
+            reqHeaders.put(CLIENT_COOKIE_HEADER + ":", cookies);
+        }
+
         ByteChunk bc = new ByteChunk();
         int rc = getUrl(HTTP_PREFIX + getPort() + uri, bc, reqHeaders,
                 respHeaders);
 
-        if (expectedReject) {
+        if (expectedRC != HttpServletResponse.SC_OK) {
             assertEquals(expectedRC, rc);
             assertTrue(bc.getLength() > 0);
         }
         else {
-            assertEquals(200, rc);
             assertEquals("OK", bc.toString());
         }
     }
 
     private void doTestBasic(String user, String pwd, String uri,
-            boolean verifyAuthSchemeCase,
-            boolean expectedReject1, int expectedRC1,
-            boolean expectedReject2, int expectedRC2) throws Exception {
-
-        // the first access attempt should be challenged
-        Map<String,List<String>> reqHeaders1 = new HashMap<>();
-        Map<String,List<String>> respHeaders1 = new HashMap<>();
+            BasicCredentials credentials, boolean useCookie,
+            int expectedRC) throws Exception {
 
-        ByteChunk bc = new ByteChunk();
-        int rc = getUrl(HTTP_PREFIX + getPort() + uri, bc, reqHeaders1,
-                respHeaders1);
+        Map<String,List<String>> reqHeaders = new HashMap<>();
+        Map<String,List<String>> respHeaders = new HashMap<>();
 
-        if (expectedReject1) {
-            assertEquals(expectedRC1, rc);
-            assertTrue(bc.getLength() > 0);
+        if (useCookie && (cookies != null)) {
+            reqHeaders.put(CLIENT_COOKIE_HEADER + ":", cookies);
         }
         else {
-            assertEquals(200, rc);
-            assertEquals("OK", bc.toString());
-            return;
+            if (credentials != null) {
+                List<String> auth = new ArrayList<>();
+                auth.add(credentials.getCredentials());
+                reqHeaders.put(CLIENT_AUTH_HEADER, auth);
+            }
         }
 
-        // the second access attempt should be sucessful
-        String credentials = user + ":" + pwd;
-        byte[] credentialsBytes = ByteChunk.convertToBytes(credentials);
-        String base64auth = Base64.encode(credentialsBytes);
-        String authScheme = verifyAuthSchemeCase ? "bAsIc " : "Basic ";
-        String authLine = authScheme + base64auth;
-
-        List<String> auth = new ArrayList<>();
-        auth.add(authLine);
-        Map<String,List<String>> reqHeaders2 = new HashMap<>();
-        reqHeaders2.put(CLIENT_AUTH_HEADER, auth);
-
-        Map<String,List<String>> respHeaders2 = new HashMap<>();
-
-        bc.recycle();
-        rc = getUrl(HTTP_PREFIX + getPort() + uri, bc, reqHeaders2,
-                respHeaders2);
+        ByteChunk bc = new ByteChunk();
+        int rc = getUrl(HTTP_PREFIX + getPort() + uri, bc, reqHeaders,
+                respHeaders);
 
-        if (expectedReject2) {
-            assertEquals(expectedRC2, rc);
+        if (expectedRC != HttpServletResponse.SC_OK) {
+            assertEquals(expectedRC, rc);
             assertTrue(bc.getLength() > 0);
+            if (expectedRC == HttpServletResponse.SC_UNAUTHORIZED) {
+                // The server should identify the acceptable method(s)
+                boolean methodFound = false;
+                List<String> authHeaders = respHeaders.get(SERVER_AUTH_HEADER);
+                for (String authHeader : authHeaders) {
+                    if (authHeader.indexOf(NICE_METHOD) > -1) {
+                        methodFound = true;
+                    }
+                }
+                assertTrue(methodFound);
+            }
         }
         else {
-            assertEquals(200, rc);
             assertEquals("OK", bc.toString());
+            List<String> newCookies = respHeaders.get(SERVER_COOKIE_HEADER);
+            if (newCookies != null) {
+                // harvest cookies whenever the server sends some new ones
+                cookies = newCookies;
+            }
         }
     }
 
 
+    /*
+     * setup two webapps for every test
+     *
+     * note: the super class tearDown method will stop tomcat
+     */
     @Override
     public void setUp() throws Exception {
 
         super.setUp();
 
         // create a tomcat server using the default in-memory Realm
-        Tomcat tomcat = getTomcatInstance();
+        tomcat = getTomcatInstance();
 
         // add the test user and role to the Realm
         tomcat.addUser(USER, PWD);
         tomcat.addRole(USER, ROLE);
 
         // setup both NonLogin and Login webapps
-        setUpNonLogin(tomcat);
-        setUpLogin(tomcat);
+        setUpNonLogin();
+        setUpLogin();
 
         tomcat.start();
     }
 
-    private void setUpNonLogin(Tomcat tomcat) throws Exception {
+
+    private void setUpNonLogin() throws Exception {
 
         // Must have a real docBase for webapps - just use temp
         Context ctxt = tomcat.addContext(CONTEXT_PATH_NOLOGIN,
                 System.getProperty("java.io.tmpdir"));
-        ctxt.setSessionTimeout(LONG_TIMEOUT_SECS);
+        ctxt.setSessionTimeout(LONG_TIMEOUT_MINS);
 
-        // Add protected servlet
+        // Add protected servlet to the context
         Tomcat.addServlet(ctxt, "TesterServlet1", new TesterServlet());
         ctxt.addServletMapping(URI_PROTECTED, "TesterServlet1");
 
@@ -261,7 +510,7 @@ public class TestNonLoginAndBasicAuthent
         sc1.addCollection(collection1);
         ctxt.addConstraint(sc1);
 
-        // Add unprotected servlet
+        // Add unprotected servlet to the context
         Tomcat.addServlet(ctxt, "TesterServlet2", new TesterServlet());
         ctxt.addServletMapping(URI_PUBLIC, "TesterServlet2");
 
@@ -276,17 +525,18 @@ public class TestNonLoginAndBasicAuthent
         LoginConfig lc = new LoginConfig();
         lc.setAuthMethod("NONE");
         ctxt.setLoginConfig(lc);
-        ctxt.getPipeline().addValve(new NonLoginAuthenticator());
+        nonloginAuthenticator = new NonLoginAuthenticator();
+        ctxt.getPipeline().addValve(nonloginAuthenticator);
     }
 
-    private void setUpLogin(Tomcat tomcat) throws Exception {
+    private void setUpLogin() throws Exception {
 
         // Must have a real docBase for webapps - just use temp
         Context ctxt = tomcat.addContext(CONTEXT_PATH_LOGIN,
                 System.getProperty("java.io.tmpdir"));
-        ctxt.setSessionTimeout(SHORT_TIMEOUT_SECS);
+        ctxt.setSessionTimeout(SHORT_TIMEOUT_MINS);
 
-        // Add protected servlet
+        // Add protected servlet to the context
         Tomcat.addServlet(ctxt, "TesterServlet3", new TesterServlet());
         ctxt.addServletMapping(URI_PROTECTED, "TesterServlet3");
         SecurityCollection collection = new SecurityCollection();
@@ -296,7 +546,7 @@ public class TestNonLoginAndBasicAuthent
         sc.addCollection(collection);
         ctxt.addConstraint(sc);
 
-        // Add unprotected servlet
+        // Add unprotected servlet to the context
         Tomcat.addServlet(ctxt, "TesterServlet4", new TesterServlet());
         ctxt.addServletMapping(URI_PUBLIC, "TesterServlet4");
 
@@ -311,7 +561,44 @@ public class TestNonLoginAndBasicAuthent
         LoginConfig lc = new LoginConfig();
         lc.setAuthMethod("BASIC");
         ctxt.setLoginConfig(lc);
-        ctxt.getPipeline().addValve(new BasicAuthenticator());
+        basicAuthenticator = new BasicAuthenticator();
+        ctxt.getPipeline().addValve(basicAuthenticator);
+    }
+
+    /*
+     * Force non-default behaviour for both Authenticators
+     */
+    private void setAlwaysUseSession() {
+
+        basicAuthenticator.setAlwaysUseSession(true);
+        nonloginAuthenticator.setAlwaysUseSession(true);
     }
 
+    /*
+     * Encapsulate the logic to generate an HTTP header
+     * for BASIC Authentication.
+     * Note: only used internally, so no need to validate arguments.
+     */
+    private static final class BasicCredentials {
+
+        private final String method;
+        private final String username;
+        private final String password;
+        private final String credentials;
+
+        private BasicCredentials(String aMethod,
+                String aUsername, String aPassword) {
+            method = aMethod;
+            username = aUsername;
+            password = aPassword;
+            String userCredentials = username + ":" + password;
+            byte[] credentialsBytes = ByteChunk.convertToBytes(userCredentials);
+            String base64auth = Base64.encode(credentialsBytes);
+            credentials= method + " " + base64auth;
+        }
+
+        private String getCredentials() {
+            return credentials;
+        }
+    }
 }
\ No newline at end of file



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message