Google Git
Sign in
apache / shiro / e5d8134d9457c87e63f97b441255012686a3056f / . / web / src / test / java / org / apache / shiro / web / mgt / DefaultWebSecurityManagerTest.java
blob: 443b0309fc8676abd6c87edbf15bf8c772f3064d [file] [log] [blame]
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.shiro.web.mgt;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.session.ExpiredSessionException;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.mgt.AbstractSessionManager;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.config.WebIniSecurityManagerFactory;
import org.apache.shiro.web.servlet.ShiroHttpSession;
import org.apache.shiro.web.session.mgt.WebSessionManager;
import org.apache.shiro.web.subject.WebSubject;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.Serializable;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertNull;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.when;
/**
* @since 0.9
*/
public class DefaultWebSecurityManagerTest extends AbstractWebSecurityManagerTest {
private DefaultWebSecurityManager sm;
@Before
public void setup() {
sm = new DefaultWebSecurityManager();
sm.setSessionMode(DefaultWebSecurityManager.NATIVE_SESSION_MODE);
Ini ini = new Ini();
Ini.Section section = ini.addSection(IniRealm.USERS_SECTION_NAME);
section.put("lonestarr", "vespa");
sm.setRealm(new IniRealm(ini));
}
@Override
@After
public void tearDown() {
sm.destroy();
super.tearDown();
}
protected Subject newSubject(ServletRequest request, ServletResponse response) {
return new WebSubject.Builder(sm, request, response).buildSubject();
}
@Test
public void checkSessionManagerDeterminesContainerSessionMode() {
sm.setSessionMode(DefaultWebSecurityManager.NATIVE_SESSION_MODE);
WebSessionManager sessionManager = mock(WebSessionManager.class);
when(sessionManager.isServletContainerSessions()).thenReturn(true);
sm.setSessionManager(sessionManager);
assertTrue("The set SessionManager is not being used to determine isHttpSessionMode.", sm.isHttpSessionMode());
verify(sessionManager).isServletContainerSessions();
}
@Test
public void shiroSessionModeInit() {
sm.setSessionMode(DefaultWebSecurityManager.NATIVE_SESSION_MODE);
}
protected void sleep(long millis) {
try {
Thread.sleep(millis);
} catch (InterruptedException e) {
throw new IllegalStateException(e);
}
}
@Test
public void testLogin() {
HttpServletRequest mockRequest = mock(HttpServletRequest.class);
HttpServletResponse mockResponse = mock(HttpServletResponse.class);
when(mockRequest.getCookies()).thenReturn(null);
when(mockRequest.getContextPath()).thenReturn("/");
Subject subject = newSubject(mockRequest, mockResponse);
assertFalse(subject.isAuthenticated());
subject.login(new UsernamePasswordToken("lonestarr", "vespa"));
assertTrue(subject.isAuthenticated());
assertNotNull(subject.getPrincipal());
assertEquals("lonestarr", subject.getPrincipal());
}
@Test
public void testSessionTimeout() {
shiroSessionModeInit();
long globalTimeout = 100;
((AbstractSessionManager) sm.getSessionManager()).setGlobalSessionTimeout(globalTimeout);
HttpServletRequest mockRequest = mock(HttpServletRequest.class);
HttpServletResponse mockResponse = mock(HttpServletResponse.class);
when(mockRequest.getCookies()).thenReturn(null);
when(mockRequest.getContextPath()).thenReturn("/");
Subject subject = newSubject(mockRequest, mockResponse);
Session session = subject.getSession();
assertEquals(session.getTimeout(), globalTimeout);
session.setTimeout(125);
assertEquals(session.getTimeout(), 125);
sleep(200);
try {
session.getTimeout();
fail("Session should have expired.");
} catch (ExpiredSessionException expected) {
}
}
@Test
public void testGetSubjectByRequestResponsePair() {
shiroSessionModeInit();
HttpServletRequest mockRequest = mock(HttpServletRequest.class);
HttpServletResponse mockResponse = mock(HttpServletResponse.class);
when(mockRequest.getCookies()).thenReturn(null);
Subject subject = newSubject(mockRequest, mockResponse);
assertNotNull(subject);
assertTrue(subject.getPrincipals() == null || subject.getPrincipals().isEmpty());
assertNull(subject.getSession(false));
assertFalse(subject.isAuthenticated());
}
@Test
public void testGetSubjectByRequestSessionId() {
shiroSessionModeInit();
HttpServletRequest mockRequest = mock(HttpServletRequest.class);
HttpServletResponse mockResponse = mock(HttpServletResponse.class);
Subject subject = newSubject(mockRequest, mockResponse);
Session session = subject.getSession();
Serializable sessionId = session.getId();
assertNotNull(sessionId);
mockRequest = mock(HttpServletRequest.class);
mockResponse = mock(HttpServletResponse.class);
//now simulate the cookie going with the request and the Subject should be acquired based on that:
Cookie[] cookies = new Cookie[]{new Cookie(ShiroHttpSession.DEFAULT_SESSION_ID_NAME, sessionId.toString())};
when(mockRequest.getCookies()).thenReturn(cookies);
when(mockRequest.getParameter(any(String.class))).thenReturn(null);
subject = newSubject(mockRequest, mockResponse);
session = subject.getSession(false);
assertNotNull(session);
assertEquals(sessionId, session.getId());
}
/**
* Asserts fix for <a href="https://issues.apache.org/jira/browse/SHIRO-350">SHIRO-350</a>.
*/
@Test
public void testBuildNonWebSubjectWithDefaultServletContainerSessionManager() {
Ini ini = new Ini();
Ini.Section section = ini.addSection(IniRealm.USERS_SECTION_NAME);
section.put("user1", "user1");
WebIniSecurityManagerFactory factory = new WebIniSecurityManagerFactory(ini);
WebSecurityManager securityManager = (WebSecurityManager)factory.getInstance();
PrincipalCollection principals = new SimplePrincipalCollection("user1", "iniRealm");
Subject subject = new Subject.Builder(securityManager).principals(principals).buildSubject();
assertNotNull(subject);
assertEquals("user1", subject.getPrincipal());
}
}