authorJoakim Erdfelt2014-06-26 23:11:05 +0000
committerJoakim Erdfelt2014-06-26 23:11:05 +0000
commita68bf9139b384e7fa65058aadf4fb140a246678e (patch)
treee97ef127ea9c77f7726c47b3afe7da1ffddcb011 /jetty-security
parent6faf94e4c1fee00b4fd838135e7da9f37f9392a5 (diff)
downloadorg.eclipse.jetty.project-a68bf9139b384e7fa65058aadf4fb140a246678e.tar.gz
org.eclipse.jetty.project-a68bf9139b384e7fa65058aadf4fb140a246678e.tar.xz
org.eclipse.jetty.project-a68bf9139b384e7fa65058aadf4fb140a246678e.zip
Adding AliasedConstraintTest for working out alias logic
Diffstat (limited to 'jetty-security')
-rw-r--r--jetty-security/src/test/java/org/eclipse/jetty/security/AliasedConstraintTest.java173
-rw-r--r--jetty-security/src/test/resources/docroot/all/index.txt1
-rw-r--r--jetty-security/src/test/resources/docroot/forbid/index.txt1
3 files changed, 175 insertions, 0 deletions
diff --git a/jetty-security/src/test/java/org/eclipse/jetty/security/AliasedConstraintTest.java b/jetty-security/src/test/java/org/eclipse/jetty/security/AliasedConstraintTest.java
new file mode 100644
index 0000000000..bb3e42642c
--- /dev/null
+++ b/jetty-security/src/test/java/org/eclipse/jetty/security/AliasedConstraintTest.java
@@ -0,0 +1,173 @@
+//
+// ========================================================================
+// Copyright (c) 1995-2014 Mort Bay Consulting Pty. Ltd.
+// ------------------------------------------------------------------------
+// All rights reserved. This program and the accompanying materials
+// are made available under the terms of the Eclipse Public License v1.0
+// and Apache License v2.0 which accompanies this distribution.
+//
+// The Eclipse Public License is available at
+// http://www.eclipse.org/legal/epl-v10.html
+//
+// The Apache License v2.0 is available at
+// http://www.opensource.org/licenses/apache2.0.php
+//
+// You may elect to redistribute this code under either of these licenses.
+// ========================================================================
+//
+
+package org.eclipse.jetty.security;
+
+import static org.hamcrest.Matchers.*;
+import static org.junit.Assert.*;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+import org.eclipse.jetty.http.HttpStatus;
+import org.eclipse.jetty.server.Connector;
+import org.eclipse.jetty.server.LocalConnector;
+import org.eclipse.jetty.server.Server;
+import org.eclipse.jetty.server.handler.ContextHandler;
+import org.eclipse.jetty.server.handler.ResourceHandler;
+import org.eclipse.jetty.server.session.SessionHandler;
+import org.eclipse.jetty.toolchain.test.MavenTestingUtils;
+import org.eclipse.jetty.util.security.Constraint;
+import org.eclipse.jetty.util.security.Password;
+import org.junit.AfterClass;
+import org.junit.BeforeClass;
+import org.junit.Ignore;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
+import org.junit.runners.Parameterized.Parameter;
+import org.junit.runners.Parameterized.Parameters;
+
+/**
+ * Some requests for static data that is served by ResourceHandler, but some is secured.
+ * <p>
+ * This is mainly here to test security bypass techniques using aliased names that should be caught.
+ */
+@RunWith(Parameterized.class)
+@Ignore("need to verify alias logic with greg")
+public class AliasedConstraintTest
+{
+ private static final String TEST_REALM = "TestRealm";
+ private static Server server;
+ private static LocalConnector connector;
+ private static ConstraintSecurityHandler security;
+
+ @BeforeClass
+ public static void startServer() throws Exception
+ {
+ server = new Server();
+ connector = new LocalConnector(server);
+ server.setConnectors(new Connector[] { connector });
+
+ ContextHandler context = new ContextHandler();
+ SessionHandler session = new SessionHandler();
+
+ HashLoginService loginService = new HashLoginService(TEST_REALM);
+ loginService.putUser("user0",new Password("password"),new String[] {});
+ loginService.putUser("user",new Password("password"),new String[] { "user" });
+ loginService.putUser("user2",new Password("password"),new String[] { "user" });
+ loginService.putUser("admin",new Password("password"),new String[] { "user", "administrator" });
+ loginService.putUser("user3",new Password("password"),new String[] { "foo" });
+
+ context.setContextPath("/ctx");
+ server.setHandler(context);
+ context.setHandler(session);
+
+ server.addBean(loginService);
+
+ security = new ConstraintSecurityHandler();
+ session.setHandler(security);
+ ResourceHandler handler = new ResourceHandler();
+ String resourceBase = MavenTestingUtils.getTestResourceDir("docroot").getAbsolutePath();
+ handler.setResourceBase(resourceBase);
+ security.setHandler(handler);
+
+ List<ConstraintMapping> constraints = new ArrayList<>();
+
+ Constraint constraint0 = new Constraint();
+ constraint0.setAuthenticate(true);
+ constraint0.setName("forbid");
+ ConstraintMapping mapping0 = new ConstraintMapping();
+ mapping0.setPathSpec("/forbid/*");
+ mapping0.setConstraint(constraint0);
+ constraints.add(mapping0);
+
+ Set<String> knownRoles = new HashSet<>();
+ knownRoles.add("user");
+ knownRoles.add("administrator");
+
+ security.setConstraintMappings(constraints,knownRoles);
+ server.start();
+ }
+
+ @AfterClass
+ public static void stopServer() throws Exception
+ {
+ server.stop();
+ }
+
+ @Parameters(name = "{0}: {1}")
+ public static Collection<Object[]> data()
+ {
+ List<Object[]> data = new ArrayList<>();
+
+ final String OPENCONTENT = "this is open content";
+
+ data.add(new Object[] { "/ctx/all/index.txt", HttpStatus.OK_200, OPENCONTENT });
+ data.add(new Object[] { "/ctx/ALL/index.txt", HttpStatus.OK_200, OPENCONTENT });
+ data.add(new Object[] { "/ctx/ALL/Fred/../index.txt", HttpStatus.OK_200, OPENCONTENT });
+ data.add(new Object[] { "/ctx/../bar/../ctx/all/index.txt", HttpStatus.OK_200, OPENCONTENT });
+ data.add(new Object[] { "/ctx/forbid/index.txt", HttpStatus.FORBIDDEN_403, null });
+ data.add(new Object[] { "/ctx/all/../forbid/index.txt", HttpStatus.FORBIDDEN_403, null });
+ data.add(new Object[] { "/ctx/FoRbId/index.txt", HttpStatus.FORBIDDEN_403, null });
+
+ return data;
+ }
+
+ @Parameter(value = 0)
+ public String uri;
+
+ @Parameter(value = 1)
+ public int expectedStatusCode;
+
+ @Parameter(value = 2)
+ public String expectedContent;
+
+ @Test
+ public void testAccess() throws Exception
+ {
+ StringBuilder request = new StringBuilder();
+ request.append("GET ").append(uri).append(" HTTP/1.1\r\n");
+ request.append("Host: localhost\r\n");
+ request.append("Connection: close\r\n");
+ request.append("\r\n");
+
+ String response = connector.getResponses(request.toString());
+
+ switch (expectedStatusCode)
+ {
+ case 200:
+ assertThat(response,startsWith("HTTP/1.1 200 OK"));
+ break;
+ case 403:
+ assertThat(response,startsWith("HTTP/1.1 403 Forbidden"));
+ break;
+ default:
+ fail("Write a handler for response status code: " + expectedStatusCode);
+ break;
+ }
+
+ if (expectedContent != null)
+ {
+ assertThat(response,containsString("this is open content"));
+ }
+ }
+}
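Review bot: `testAccess` never checks the value of the `expectedContent` parameter — the last assertion hard-codes `"this is open content"`, so the parameter acts only as a null flag and any future row with different content would pass or fail for the wrong reason; change it to `assertThat(response,containsString(expectedContent));`. The 403 branch also makes no negative assertion, so a row such as `/ctx/all/../forbid/index.txt` proves only the status line and not that the protected body stayed out of the response; adding `assertThat(response,not(containsString("this is forbidden content")));` when `expectedContent` is null pins the bypass this test exists to catch. The rows `/ctx/ALL/index.txt` (expected 200) and `/ctx/FoRbId/index.txt` (expected 403) presumably depend on a case-insensitive filesystem, since the `/forbid/*` path spec is matched as written while the resource lookup is left to the OS, so on Linux the first would be a 404 rather than a 200; a comment on `data()` stating which platform behaviour is assumed would help whoever un-ignores this test.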
diff --git a/jetty-security/src/test/resources/docroot/all/index.txt b/jetty-security/src/test/resources/docroot/all/index.txt
new file mode 100644
index 0000000000..290f702703
--- /dev/null
+++ b/jetty-security/src/test/resources/docroot/all/index.txt
@@ -0,0 +1 @@
+this is open content. \ No newline at end of file
diff --git a/jetty-security/src/test/resources/docroot/forbid/index.txt b/jetty-security/src/test/resources/docroot/forbid/index.txt
new file mode 100644
index 0000000000..aed1cf32e1
--- /dev/null
+++ b/jetty-security/src/test/resources/docroot/forbid/index.txt
@@ -0,0 +1 @@
+this is forbidden content. \ No newline at end of file
