test/javax/servlet/annotation/TestServletSecurityMappings.java - tomcat80 - Git at Google

 /*
  * Licensed to the Apache Software Foundation (ASF) under one or more
  * contributor license agreements.  See the NOTICE file distributed with
  * this work for additional information regarding copyright ownership.
  * The ASF licenses this file to You under the Apache License, Version 2.0
  * (the "License"); you may not use this file except in compliance with
  * the License.  You may obtain a copy of the License at
  *
  *      http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 package javax.servlet.annotation;

 import java.io.IOException;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.List;
 import java.util.Set;

 import javax.servlet.ServletContainerInitializer;
 import javax.servlet.ServletContext;
 import javax.servlet.ServletException;
 import javax.servlet.ServletRegistration;
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;

 import org.junit.Assert;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.junit.runners.Parameterized;
 import org.junit.runners.Parameterized.Parameter;
 import org.junit.runners.Parameterized.Parameters;

 import org.apache.catalina.Context;
 import org.apache.catalina.startup.Tomcat;
 import org.apache.catalina.startup.TomcatBaseTest;
 import org.apache.tomcat.util.buf.ByteChunk;

 @RunWith(Parameterized.class)
 public class TestServletSecurityMappings extends TomcatBaseTest {

     @Parameters(name="{0}, {1}, {2}, {3}")
     public static Collection<Object[]> inputs() {
         List<Object[]> result = new ArrayList<>();
         result.add(new Object[] { Boolean.FALSE, Boolean.FALSE, Boolean.FALSE, Boolean.FALSE });
         result.add(new Object[] { Boolean.FALSE, Boolean.FALSE, Boolean.FALSE, Boolean.TRUE });
         result.add(new Object[] { Boolean.FALSE, Boolean.FALSE, Boolean.TRUE , Boolean.FALSE });
         result.add(new Object[] { Boolean.FALSE, Boolean.FALSE, Boolean.TRUE,  Boolean.TRUE });
         result.add(new Object[] { Boolean.FALSE, Boolean.TRUE,  Boolean.FALSE, Boolean.FALSE });
         result.add(new Object[] { Boolean.FALSE, Boolean.TRUE,  Boolean.FALSE, Boolean.TRUE });
         result.add(new Object[] { Boolean.FALSE, Boolean.TRUE,  Boolean.TRUE , Boolean.FALSE });
         result.add(new Object[] { Boolean.FALSE, Boolean.TRUE,  Boolean.TRUE,  Boolean.TRUE });
         result.add(new Object[] { Boolean.TRUE,  Boolean.FALSE, Boolean.FALSE, Boolean.FALSE });
         result.add(new Object[] { Boolean.TRUE,  Boolean.FALSE, Boolean.FALSE, Boolean.TRUE });
         result.add(new Object[] { Boolean.TRUE,  Boolean.FALSE, Boolean.TRUE , Boolean.FALSE });
         result.add(new Object[] { Boolean.TRUE,  Boolean.FALSE, Boolean.TRUE,  Boolean.TRUE });
         result.add(new Object[] { Boolean.TRUE,  Boolean.TRUE,  Boolean.FALSE, Boolean.FALSE });
         result.add(new Object[] { Boolean.TRUE,  Boolean.TRUE,  Boolean.FALSE, Boolean.TRUE });
         result.add(new Object[] { Boolean.TRUE,  Boolean.TRUE,  Boolean.TRUE , Boolean.FALSE });
         result.add(new Object[] { Boolean.TRUE,  Boolean.TRUE,  Boolean.TRUE,  Boolean.TRUE });
         return result;
     }

     @Parameter(0)
     public boolean redirectContextRoot;

     @Parameter(1)
     public boolean secureRoot;

     @Parameter(2)
     public boolean secureDefault;

     @Parameter(3)
     public boolean secureFoo;


     @Test
     public void doTestSecurityAnnotationsAddServlet() throws Exception {

         // Setup Tomcat instance
         Tomcat tomcat = getTomcatInstance();

         // No file system docBase required
         Context ctx = tomcat.addContext("/test", null);
         ctx.setMapperContextRootRedirectEnabled(redirectContextRoot);

         ServletContainerInitializer sci = new SCI(secureRoot, secureDefault, secureFoo);
         ctx.addServletContainerInitializer(sci, null);

         tomcat.start();

         ByteChunk bc = new ByteChunk();
         int rc;

         // Foo
         rc = getUrl("http://localhost:" + getPort() + "/test/foo", bc, false);
         if (secureFoo || secureDefault) {
             Assert.assertEquals(403, rc);
         } else {
             Assert.assertEquals(200, rc);
         }
         bc.recycle();

         // Default
         rc = getUrl("http://localhost:" + getPort() + "/test/something", bc, false);
         if (secureDefault) {
             Assert.assertEquals(403, rc);
         } else {
             Assert.assertEquals(200, rc);
         }
         bc.recycle();

         // Root
         rc = getUrl("http://localhost:" + getPort() + "/test", bc, false);
         if (redirectContextRoot) {
            Assert.assertEquals(302, rc);
         } else {
             if (secureRoot || secureDefault) {
                 Assert.assertEquals(403, rc);
             } else {
                 Assert.assertEquals(200, rc);
             }
         }
     }


     public static class SCI implements ServletContainerInitializer {

         private final boolean secureRoot;
         private final boolean secureDefault;
         private final boolean secureFoo;

         public SCI(boolean secureRoot, boolean secureDefault, boolean secureFoo) {
             this.secureRoot = secureRoot;
             this.secureDefault = secureDefault;
             this.secureFoo = secureFoo;
         }

         @Override
         public void onStartup(Set<Class<?>> c, ServletContext ctx)
                 throws ServletException {

             ServletRegistration.Dynamic sr;
             if (secureRoot) {
                 sr = ctx.addServlet("Root", SecureRoot.class.getName());
             } else {
                 sr =ctx.addServlet("Root", Root.class.getName());
             }
             sr.addMapping("");

             if (secureDefault) {
                 sr = ctx.addServlet("Default", SecureDefault.class.getName());
             } else {
                 sr = ctx.addServlet("Default", Default.class.getName());
             }
             sr.addMapping("/");

             if (secureFoo) {
                 sr = ctx.addServlet("Foo", SecureFoo.class.getName());
             } else {
                 sr = ctx.addServlet("Foo", Foo.class.getName());
             }
             sr.addMapping("/foo");
         }
     }


     @ServletSecurity(@HttpConstraint(ServletSecurity.EmptyRoleSemantic.DENY))
     public static class SecureRoot extends HttpServlet {

         private static final long serialVersionUID = 1L;

         @Override
         protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                 throws ServletException, IOException {
             resp.getWriter().print("OK");
         }
     }


     public static class Root extends HttpServlet {

         private static final long serialVersionUID = 1L;

         @Override
         protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                 throws ServletException, IOException {
             resp.getWriter().print("OK");
         }
     }


     @ServletSecurity(@HttpConstraint(ServletSecurity.EmptyRoleSemantic.DENY))
     public static class SecureDefault extends HttpServlet {

         private static final long serialVersionUID = 1L;

         @Override
         protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                 throws ServletException, IOException {
             resp.getWriter().print("OK");
         }
     }


     public static class Default extends HttpServlet {

         private static final long serialVersionUID = 1L;

         @Override
         protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                 throws ServletException, IOException {
             resp.getWriter().print("OK");
         }
     }


     @ServletSecurity(@HttpConstraint(ServletSecurity.EmptyRoleSemantic.DENY))
     public static class SecureFoo extends HttpServlet {

         private static final long serialVersionUID = 1L;

         @Override
         protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                 throws ServletException, IOException {
             resp.getWriter().print("OK");
         }
     }


     public static class Foo extends HttpServlet {

         private static final long serialVersionUID = 1L;

         @Override
         protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                 throws ServletException, IOException {
             resp.getWriter().print("OK");
         }
     }
 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one or more
	* contributor license agreements. See the NOTICE file distributed with
	* this work for additional information regarding copyright ownership.
	* The ASF licenses this file to You under the Apache License, Version 2.0
	* (the "License"); you may not use this file except in compliance with
	* the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/
	package javax.servlet.annotation;

	import java.io.IOException;
	import java.util.ArrayList;
	import java.util.Collection;
	import java.util.List;
	import java.util.Set;

	import javax.servlet.ServletContainerInitializer;
	import javax.servlet.ServletContext;
	import javax.servlet.ServletException;
	import javax.servlet.ServletRegistration;
	import javax.servlet.http.HttpServlet;
	import javax.servlet.http.HttpServletRequest;
	import javax.servlet.http.HttpServletResponse;

	import org.junit.Assert;
	import org.junit.Test;
	import org.junit.runner.RunWith;
	import org.junit.runners.Parameterized;
	import org.junit.runners.Parameterized.Parameter;
	import org.junit.runners.Parameterized.Parameters;

	import org.apache.catalina.Context;
	import org.apache.catalina.startup.Tomcat;
	import org.apache.catalina.startup.TomcatBaseTest;
	import org.apache.tomcat.util.buf.ByteChunk;

	@RunWith(Parameterized.class)
	public class TestServletSecurityMappings extends TomcatBaseTest {

	@Parameters(name="{0}, {1}, {2}, {3}")
	public static Collection<Object[]> inputs() {
	List<Object[]> result = new ArrayList<>();
	result.add(new Object[] { Boolean.FALSE, Boolean.FALSE, Boolean.FALSE, Boolean.FALSE });
	result.add(new Object[] { Boolean.FALSE, Boolean.FALSE, Boolean.FALSE, Boolean.TRUE });
	result.add(new Object[] { Boolean.FALSE, Boolean.FALSE, Boolean.TRUE , Boolean.FALSE });
	result.add(new Object[] { Boolean.FALSE, Boolean.FALSE, Boolean.TRUE, Boolean.TRUE });
	result.add(new Object[] { Boolean.FALSE, Boolean.TRUE, Boolean.FALSE, Boolean.FALSE });
	result.add(new Object[] { Boolean.FALSE, Boolean.TRUE, Boolean.FALSE, Boolean.TRUE });
	result.add(new Object[] { Boolean.FALSE, Boolean.TRUE, Boolean.TRUE , Boolean.FALSE });
	result.add(new Object[] { Boolean.FALSE, Boolean.TRUE, Boolean.TRUE, Boolean.TRUE });
	result.add(new Object[] { Boolean.TRUE, Boolean.FALSE, Boolean.FALSE, Boolean.FALSE });
	result.add(new Object[] { Boolean.TRUE, Boolean.FALSE, Boolean.FALSE, Boolean.TRUE });
	result.add(new Object[] { Boolean.TRUE, Boolean.FALSE, Boolean.TRUE , Boolean.FALSE });
	result.add(new Object[] { Boolean.TRUE, Boolean.FALSE, Boolean.TRUE, Boolean.TRUE });
	result.add(new Object[] { Boolean.TRUE, Boolean.TRUE, Boolean.FALSE, Boolean.FALSE });
	result.add(new Object[] { Boolean.TRUE, Boolean.TRUE, Boolean.FALSE, Boolean.TRUE });
	result.add(new Object[] { Boolean.TRUE, Boolean.TRUE, Boolean.TRUE , Boolean.FALSE });
	result.add(new Object[] { Boolean.TRUE, Boolean.TRUE, Boolean.TRUE, Boolean.TRUE });
	return result;
	}

	@Parameter(0)
	public boolean redirectContextRoot;

	@Parameter(1)
	public boolean secureRoot;

	@Parameter(2)
	public boolean secureDefault;

	@Parameter(3)
	public boolean secureFoo;


	@Test
	public void doTestSecurityAnnotationsAddServlet() throws Exception {

	// Setup Tomcat instance
	Tomcat tomcat = getTomcatInstance();

	// No file system docBase required
	Context ctx = tomcat.addContext("/test", null);
	ctx.setMapperContextRootRedirectEnabled(redirectContextRoot);

	ServletContainerInitializer sci = new SCI(secureRoot, secureDefault, secureFoo);
	ctx.addServletContainerInitializer(sci, null);

	tomcat.start();

	ByteChunk bc = new ByteChunk();
	int rc;

	// Foo
	rc = getUrl("http://localhost:" + getPort() + "/test/foo", bc, false);
	if (secureFoo \|\| secureDefault) {
	Assert.assertEquals(403, rc);
	} else {
	Assert.assertEquals(200, rc);
	}
	bc.recycle();

	// Default
	rc = getUrl("http://localhost:" + getPort() + "/test/something", bc, false);
	if (secureDefault) {
	Assert.assertEquals(403, rc);
	} else {
	Assert.assertEquals(200, rc);
	}
	bc.recycle();

	// Root
	rc = getUrl("http://localhost:" + getPort() + "/test", bc, false);
	if (redirectContextRoot) {
	Assert.assertEquals(302, rc);
	} else {
	if (secureRoot \|\| secureDefault) {
	Assert.assertEquals(403, rc);
	} else {
	Assert.assertEquals(200, rc);
	}
	}
	}


	public static class SCI implements ServletContainerInitializer {

	private final boolean secureRoot;
	private final boolean secureDefault;
	private final boolean secureFoo;

	public SCI(boolean secureRoot, boolean secureDefault, boolean secureFoo) {
	this.secureRoot = secureRoot;
	this.secureDefault = secureDefault;
	this.secureFoo = secureFoo;
	}

	@Override
	public void onStartup(Set<Class<?>> c, ServletContext ctx)
	throws ServletException {

	ServletRegistration.Dynamic sr;
	if (secureRoot) {
	sr = ctx.addServlet("Root", SecureRoot.class.getName());
	} else {
	sr =ctx.addServlet("Root", Root.class.getName());
	}
	sr.addMapping("");

	if (secureDefault) {
	sr = ctx.addServlet("Default", SecureDefault.class.getName());
	} else {
	sr = ctx.addServlet("Default", Default.class.getName());
	}
	sr.addMapping("/");

	if (secureFoo) {
	sr = ctx.addServlet("Foo", SecureFoo.class.getName());
	} else {
	sr = ctx.addServlet("Foo", Foo.class.getName());
	}
	sr.addMapping("/foo");
	}
	}


	@ServletSecurity(@HttpConstraint(ServletSecurity.EmptyRoleSemantic.DENY))
	public static class SecureRoot extends HttpServlet {

	private static final long serialVersionUID = 1L;

	@Override
	protected void doGet(HttpServletRequest req, HttpServletResponse resp)
	throws ServletException, IOException {
	resp.getWriter().print("OK");
	}
	}


	public static class Root extends HttpServlet {

	private static final long serialVersionUID = 1L;

	@Override
	protected void doGet(HttpServletRequest req, HttpServletResponse resp)
	throws ServletException, IOException {
	resp.getWriter().print("OK");
	}
	}


	@ServletSecurity(@HttpConstraint(ServletSecurity.EmptyRoleSemantic.DENY))
	public static class SecureDefault extends HttpServlet {

	private static final long serialVersionUID = 1L;

	@Override
	protected void doGet(HttpServletRequest req, HttpServletResponse resp)
	throws ServletException, IOException {
	resp.getWriter().print("OK");
	}
	}


	public static class Default extends HttpServlet {

	private static final long serialVersionUID = 1L;

	@Override
	protected void doGet(HttpServletRequest req, HttpServletResponse resp)
	throws ServletException, IOException {
	resp.getWriter().print("OK");
	}
	}


	@ServletSecurity(@HttpConstraint(ServletSecurity.EmptyRoleSemantic.DENY))
	public static class SecureFoo extends HttpServlet {

	private static final long serialVersionUID = 1L;

	@Override
	protected void doGet(HttpServletRequest req, HttpServletResponse resp)
	throws ServletException, IOException {
	resp.getWriter().print("OK");
	}
	}


	public static class Foo extends HttpServlet {

	private static final long serialVersionUID = 1L;

	@Override
	protected void doGet(HttpServletRequest req, HttpServletResponse resp)
	throws ServletException, IOException {
	resp.getWriter().print("OK");
	}
	}
	}