Author: hlship
Date: Mon Oct 24 18:33:25 2011
New Revision: 1188278
URL: http://svn.apache.org/viewvc?rev=1188278&view=rev
Log:
TAP5-1511: RequestSecurityManager.checkPageSecurity() should return request
security instead of INSECURE in case when security is disabled
Modified:
tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RequestSecurityManager.java
tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RequestSecurityManagerImpl.java
tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/RequestSecurityManagerImplTest.java
Modified:
tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RequestSecurityManager.java
URL:
http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RequestSecurityManager.java?rev=1188278&r1=1188277&r2=1188278&view=diff
==============================================================================
---
tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RequestSecurityManager.java
(original)
+++
tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RequestSecurityManager.java
Mon Oct 24 18:33:25 2011
@@ -1,4 +1,4 @@
-// Copyright 2008, 2009, 2010 The Apache Software Foundation
+// Copyright 2008, 2009, 2010, 2011 The Apache Software Foundation
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
@@ -14,15 +14,15 @@
package org.apache.tapestry5.internal.services;
-import java.io.IOException;
-
import org.apache.tapestry5.services.ComponentEventRequestParameters;
import org.apache.tapestry5.services.PageRenderRequestParameters;
+import java.io.IOException;
+
/**
* Used to manage the relationship between the security of a request and the
security of a page. By secure, we mean
* whether a request uses HTTPS and whether a page demands the use of HTTPS.
- *
+ *
* @see org.apache.tapestry5.services.Request#isSecure()
*/
public interface RequestSecurityManager
@@ -30,9 +30,8 @@ public interface RequestSecurityManager
/**
* Checks the page to see if it is secure; if so, and the request is not
secure, then a redirect to the page is
* generated and sent.
- *
- * @param parameters
- * parameters for the current request
+ *
+ * @param parameters parameters for the current request
* @return true if a redirect was sent, false if normal processing should
continue
* @throws IOException
*/
@@ -42,9 +41,8 @@ public interface RequestSecurityManager
* Checks the target page of the component event request to see if it is
secure; if so, and the
* request is not secure, then a redirect to the page is generated and
sent, preserving the
* original component event request.
- *
- * @param parameters
- * parameters for the current request
+ *
+ * @param parameters parameters for the current request
* @return true if a redirect was sent, false if normal processing should
continue
* @throws IOException
* @since 5.2.0.0
@@ -52,12 +50,13 @@ public interface RequestSecurityManager
boolean
checkForInsecureComponentEventRequest(ComponentEventRequestParameters
parameters) throws IOException;
/**
- * Determines if the page security does not match the request's security.
- *
- * @param pageName
- * for the security check
- * @return SECURE or INSECURE if a change in security is required, or
UNSPECIFIED if the request security matches
- * the page's security level
+ * Determines if the page security does not match the request's security.
Returns {@link LinkSecurity#SECURE}
+ * or {@link LinkSecurity#INSECURE} if the request security matches the
pages. Otherwise, returns
+ * {@link LinkSecurity#FORCE_SECURE} or {@link
LinkSecurity#FORCE_INSECURE} (which will force fully qualified URLs to be
generated when
+ * rendering).
+ *
+ * @param pageName for the security check
+ * @return security for this request, as applied to indicated page
*/
LinkSecurity checkPageSecurity(String pageName);
}
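Review bot: The rewritten Javadoc for `checkPageSecurity` leaves out the case this commit is about: per the implementation change in RequestSecurityManagerImpl, when security is disabled the method returns the request's own security and never looks at the page. I would add a sentence such as `When security is disabled, returns SECURE or INSECURE according to the request alone; the page's setting is not consulted.` The opening sentence also still reads as a yes/no check although the method returns a `LinkSecurity`, and `matches the pages` should read `matches the page's`.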
Modified:
tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RequestSecurityManagerImpl.java
URL:
http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RequestSecurityManagerImpl.java?rev=1188278&r1=1188277&r2=1188278&view=diff
==============================================================================
---
tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RequestSecurityManagerImpl.java
(original)
+++
tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RequestSecurityManagerImpl.java
Mon Oct 24 18:33:25 2011
@@ -1,4 +1,4 @@
-// Copyright 2008, 2009, 2010 The Apache Software Foundation
+// Copyright 2008, 2009, 2010, 2011 The Apache Software Foundation
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
@@ -14,18 +14,13 @@
package org.apache.tapestry5.internal.services;
-import java.io.IOException;
-
import org.apache.tapestry5.Link;
import org.apache.tapestry5.MetaDataConstants;
import org.apache.tapestry5.SymbolConstants;
import org.apache.tapestry5.ioc.annotations.Symbol;
-import org.apache.tapestry5.services.ComponentEventLinkEncoder;
-import org.apache.tapestry5.services.ComponentEventRequestParameters;
-import org.apache.tapestry5.services.MetaDataLocator;
-import org.apache.tapestry5.services.PageRenderRequestParameters;
-import org.apache.tapestry5.services.Request;
-import org.apache.tapestry5.services.Response;
+import org.apache.tapestry5.services.*;
+
+import java.io.IOException;
public class RequestSecurityManagerImpl implements RequestSecurityManager
{
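Review bot: The six explicit `org.apache.tapestry5.services` imports are collapsed into `import org.apache.tapestry5.services.*;`, which hides which services this class depends on and invites a name clash as that package grows. I would keep the explicit imports; the same wildcard appears in the import hunk of RequestSecurityManagerImplTest.java. If an IDE setting produced this, raising its wildcard-import threshold keeps it from recurring in later commits.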
@@ -40,8 +35,8 @@ public class RequestSecurityManagerImpl
private final ComponentEventLinkEncoder componentEventLinkEncoder;
public RequestSecurityManagerImpl(Request request, Response response,
- ComponentEventLinkEncoder componentEventLinkEncoder,
MetaDataLocator locator, @Symbol(SymbolConstants.SECURE_ENABLED)
- boolean securityEnabled)
+ ComponentEventLinkEncoder
componentEventLinkEncoder, MetaDataLocator locator,
@Symbol(SymbolConstants.SECURE_ENABLED)
+ boolean securityEnabled)
{
this.request = request;
this.response = response;
@@ -53,7 +48,9 @@ public class RequestSecurityManagerImpl
public boolean
checkForInsecureComponentEventRequest(ComponentEventRequestParameters
parameters) throws IOException
{
if (!needsRedirect(parameters.getActivePageName()))
+ {
return false;
+ }
// Page is secure but request is not, so redirect.
// We can safely ignore the forForm parameter since secure form
requests are always done from
@@ -83,15 +80,21 @@ public class RequestSecurityManagerImpl
private boolean needsRedirect(String pageName)
{
if (!securityEnabled)
+ {
return false;
+ }
// We don't (at this time) redirect from secure to insecure, just from
insecure to secure.
if (request.isSecure())
+ {
return false;
+ }
if (!isSecure(pageName))
+ {
return false;
+ }
return true;
}
@@ -104,12 +107,16 @@ public class RequestSecurityManagerImpl
public LinkSecurity checkPageSecurity(String pageName)
{
if (!securityEnabled)
- return LinkSecurity.INSECURE;
+ {
+ return request.isSecure() ? LinkSecurity.SECURE :
LinkSecurity.INSECURE;
+ }
boolean securePage = isSecure(pageName);
if (request.isSecure() == securePage)
+ {
return securePage ? LinkSecurity.SECURE : LinkSecurity.INSECURE;
+ }
// Return a value that will, ultimately, force an absolute URL.
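Review bot: The new disabled branch in `checkPageSecurity` makes `request.isSecure()` the only input to link security, and nothing at the branch records why or what that depends on. A comment such as `// Security disabled: mirror the request's scheme and ignore page metadata (TAP5-1511).` would state the intent. It is also worth a note for deployers that, where TLS is terminated in front of the application, `isSecure()` presumably reflects the proxy-to-application hop unless the container honours the forwarded scheme, so links could come out INSECURE on a page the user loaded over HTTPS. The method body continues past the end of this hunk.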
Modified:
tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/RequestSecurityManagerImplTest.java
URL:
http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/RequestSecurityManagerImplTest.java?rev=1188278&r1=1188277&r2=1188278&view=diff
==============================================================================
---
tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/RequestSecurityManagerImplTest.java
(original)
+++
tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/RequestSecurityManagerImplTest.java
Mon Oct 24 18:33:25 2011
@@ -1,4 +1,4 @@
-// Copyright 2008, 2009, 2010 The Apache Software Foundation
+// Copyright 2008, 2009, 2010, 2011 The Apache Software Foundation
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
@@ -18,11 +18,7 @@ import org.apache.tapestry5.Link;
import org.apache.tapestry5.MetaDataConstants;
import org.apache.tapestry5.internal.EmptyEventContext;
import org.apache.tapestry5.internal.test.InternalBaseTestCase;
-import org.apache.tapestry5.services.ComponentEventLinkEncoder;
-import org.apache.tapestry5.services.MetaDataLocator;
-import org.apache.tapestry5.services.PageRenderRequestParameters;
-import org.apache.tapestry5.services.Request;
-import org.apache.tapestry5.services.Response;
+import org.apache.tapestry5.services.*;
import org.testng.annotations.DataProvider;
import org.testng.annotations.Test;
@@ -106,7 +102,7 @@ public class RequestSecurityManagerImplT
}
private void train_createPageRenderLink(ComponentEventLinkEncoder encoder,
PageRenderRequestParameters parameters,
- Link link)
+ Link link)
{
expect(encoder.createPageRenderLink(parameters)).andReturn(link);
}
@@ -115,11 +111,11 @@ public class RequestSecurityManagerImplT
public Object[][] check_page_security_data()
{
return new Object[][]
- {
- { true, true, LinkSecurity.SECURE },
- { false, false, LinkSecurity.INSECURE },
- { true, false, LinkSecurity.FORCE_INSECURE },
- { false, true, LinkSecurity.FORCE_SECURE } };
+ {
+ {true, true, LinkSecurity.SECURE},
+ {false, false, LinkSecurity.INSECURE},
+ {true, false, LinkSecurity.FORCE_INSECURE},
+ {false, true, LinkSecurity.FORCE_SECURE}};
}
@Test(dataProvider = "check_page_security_data")
@@ -148,4 +144,34 @@ public class RequestSecurityManagerImplT
expect(locator.findMeta(MetaDataConstants.SECURE_PAGE, pageName,
Boolean.class)).andReturn(securePage);
}
+ @DataProvider
+ public Object[][] security_disabled_data()
+ {
+ return new Object[][]{
+ {false, LinkSecurity.INSECURE},
+ {true, LinkSecurity.SECURE}
+ };
+ }
+
+ /**
+ * https://issues.apache.org/jira/browse/TAP5-1511
+ */
+ @Test(dataProvider = "security_disabled_data")
+ public void link_security_when_security_is_disabled(boolean secureRequest,
LinkSecurity expectedLinkSecurity)
+ {
+ Request request = mockRequest();
+ Response response = mockResponse();
+ MetaDataLocator locator = mockMetaDataLocator();
+
+ train_isSecure(request, secureRequest);
+
+ replay();
+
+ RequestSecurityManager manager = new
RequestSecurityManagerImpl(request, response, null, locator, false);
+
+ assertEquals(manager.checkPageSecurity(PAGE_NAME),
expectedLinkSecurity);
+
+ verify();
+ }
+
}
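Review bot: `link_security_when_security_is_disabled` does not say that it relies on the mocked `locator` being left untrained, which is presumably what makes the test fail if the disabled branch ever looks up `SECURE_PAGE`. A comment before `replay()` such as `// locator is deliberately untrained: page metadata must not be consulted when security is disabled` would make that explicit. The Javadoc is only the issue URL; one sentence stating the expected behaviour (link security follows the request when security is disabled) would help a reader without tracker access. The `null` passed for the link encoder deserves the same kind of short remark.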