Author: ajaquith
Date: Tue Apr 1 06:44:02 2008
New Revision: 643397
URL: http://svn.apache.org/viewvc?rev=643397&view=rev
Log:
Re-factored the authentication subsystem to remove the need for JAAS
configuration files. WEB-INF/jspwiki.jaas goes away, as does the need for
PolicyLoader. Also, responsibilities for web authentication move to
WikiServletFilter. Authentication is now configured via jspwiki.properties --
see that file for details. WikiSession API change: getLoginContext() vanishes.
Modified:
incubator/jspwiki/trunk/tests/com/ecyrd/jspwiki/WikiSessionTest.java
Modified: incubator/jspwiki/trunk/tests/com/ecyrd/jspwiki/WikiSessionTest.java
URL:
http://svn.apache.org/viewvc/incubator/jspwiki/trunk/tests/com/ecyrd/jspwiki/WikiSessionTest.java?rev=643397&r1=643396&r2=643397&view=diff
==============================================================================
--- incubator/jspwiki/trunk/tests/com/ecyrd/jspwiki/WikiSessionTest.java
(original)
+++ incubator/jspwiki/trunk/tests/com/ecyrd/jspwiki/WikiSessionTest.java Tue
Apr 1 06:44:02 2008
@@ -1,11 +1,16 @@
package com.ecyrd.jspwiki;
+import java.io.IOException;
import java.security.Principal;
import java.util.HashSet;
import java.util.Properties;
import java.util.Set;
+import javax.servlet.Filter;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
import junit.framework.Test;
import junit.framework.TestCase;
@@ -18,6 +23,8 @@
import com.ecyrd.jspwiki.auth.WikiPrincipal;
import com.ecyrd.jspwiki.auth.authorize.Role;
import com.ecyrd.jspwiki.auth.login.CookieAssertionLoginModule;
+import com.ecyrd.jspwiki.auth.login.CookieAuthenticationLoginModule;
+import com.ecyrd.jspwiki.ui.WikiServletFilter;
public class WikiSessionTest extends TestCase
{
@@ -98,97 +105,162 @@
assertFalse( WikiSession.isIPV4Address( "..." ) );
}
- public void testIsContainerStatusChanged()
+ public void testIPAddress() throws ServletException, IOException
{
TestHttpSession session = new TestHttpSession();
TestHttpServletRequest request;
WikiSession wikiSession;
- // A naked HTTP request without userPrincipal/remoteUser shouldn't
count as changed
+ // A naked HTTP request without userPrincipal/remoteUser should be
anonymous
request = new TestHttpServletRequest();
request.setUserPrincipal( null );
request.setRemoteUser( null );
request.setRemoteAddr( "127.0.0.1" );
request.m_session = session;
+ runSecurityFilter(m_engine, request);
wikiSession = WikiSession.getWikiSession( m_engine, request );
- assertFalse( wikiSession.isContainerStatusChanged( request ) );
-
- // Let's send another request from a different IP address but
- // associated with the same HTTP session (improbable, I know...).
- // This request should also not count as changed...
- TestHttpServletRequest request2;
- WikiSession wikiSession2;
- request2 = new TestHttpServletRequest();
- request2.setUserPrincipal( null );
- request2.setRemoteUser( null );
- request2.setRemoteAddr( "127.1.1.1" );
- request2.m_session = session;
- wikiSession2 = WikiSession.getWikiSession( m_engine, request2 );
- assertFalse( wikiSession2.isContainerStatusChanged( request2 ) );
-
- // ...and the WikiSessions should be the same
- assertEquals( wikiSession, wikiSession2 );
+ assertTrue( wikiSession.isAnonymous());
+ }
+
+ public void testUserPrincipal() throws ServletException, IOException
+ {
+ TestHttpSession session = new TestHttpSession();
+ TestHttpServletRequest request;
+ WikiSession wikiSession;
- // Changing the UserPrincipal value should trigger a change...
+ // Changing the UserPrincipal value should cause the user to be
authenticated...
request = new TestHttpServletRequest();
- request.setUserPrincipal( new WikiPrincipal( "Fred Flintstone ") );
+ request.setUserPrincipal( new WikiPrincipal( "Fred Flintstone") );
request.setRemoteUser( null );
request.setRemoteAddr( "127.0.0.1" );
request.m_session = session;
+ runSecurityFilter(m_engine, request);
wikiSession = WikiSession.getWikiSession( m_engine, request );
- assertTrue( wikiSession.isContainerStatusChanged( request ) );
+ assertTrue( wikiSession.isAuthenticated());
+ assertEquals( "Fred Flintstone",
wikiSession.getUserPrincipal().getName() );
+ }
- // ...but if the next request has the same UserPrincipal, it shouldn't.
+ public void testRemoteUser() throws ServletException, IOException
+ {
+ TestHttpSession session = new TestHttpSession();
+ TestHttpServletRequest request;
+ WikiSession wikiSession;
+
+ // If we set the remoteUser field is set, that's what will count as
authenticated
request = new TestHttpServletRequest();
- request.setUserPrincipal( new WikiPrincipal( "Fred Flintstone ") );
- request.setRemoteUser( null );
+ request.setRemoteUser( "fred" );
request.setRemoteAddr( "127.0.0.1" );
request.m_session = session;
+ runSecurityFilter(m_engine, request);
wikiSession = WikiSession.getWikiSession( m_engine, request );
- assertFalse( wikiSession.isContainerStatusChanged( request ) );
+ assertTrue( wikiSession.isAuthenticated());
+ assertEquals( "fred", wikiSession.getUserPrincipal().getName() );
+ }
+
+ public void testUserPrincipalAndRemoteUser() throws ServletException,
IOException
+ {
+ TestHttpSession session = new TestHttpSession();
+ TestHttpServletRequest request;
+ WikiSession wikiSession;
- // If we twiddle the remoteUser field, it should trigger a change
again...
+ // If we twiddle the remoteUser field too, it should still prefer the
UserPrincipal value...
request = new TestHttpServletRequest();
- request.setUserPrincipal( new WikiPrincipal( "Fred Flintstone ") );
+ request.setUserPrincipal( new WikiPrincipal( "Fred Flintstone") );
request.setRemoteUser( "fred" );
request.setRemoteAddr( "127.0.0.1" );
request.m_session = session;
+ runSecurityFilter(m_engine, request);
wikiSession = WikiSession.getWikiSession( m_engine, request );
- assertTrue( wikiSession.isContainerStatusChanged( request ) );
+ assertTrue( wikiSession.isAuthenticated());
+ assertEquals( "Fred Flintstone",
wikiSession.getUserPrincipal().getName() );
+ }
+
+ public void testAssertionCookie() throws ServletException, IOException
+ {
+ TestHttpSession session = new TestHttpSession();
+ TestHttpServletRequest request;
+ WikiSession wikiSession;
- // ...but not if we follow up with a similar request again.
+ // Adding the magic "assertion cookie" should set asserted status.
request = new TestHttpServletRequest();
- request.setUserPrincipal( new WikiPrincipal( "Fred Flintstone ") );
- request.setRemoteUser( "fred" );
+ request.setUserPrincipal( null );
+ request.setRemoteUser( null );
request.setRemoteAddr( "127.0.0.1" );
request.m_session = session;
+ String cookieName = CookieAssertionLoginModule.PREFS_COOKIE_NAME;
+ request.m_cookies = new Cookie[] { new Cookie( cookieName,
"FredFlintstone" ) };
+ runSecurityFilter(m_engine, request);
wikiSession = WikiSession.getWikiSession( m_engine, request );
- assertFalse( wikiSession.isContainerStatusChanged( request ) );
+ assertTrue( wikiSession.isAsserted());
+ assertEquals( "FredFlintstone",
wikiSession.getUserPrincipal().getName() );
+ }
+
+ public void testAuthenticationCookieDefaults() throws ServletException,
IOException
+ {
+ TestHttpSession session = new TestHttpSession();
+ TestHttpServletRequest request;
+ WikiSession wikiSession;
+
+ // Set the authentication cookie first
+ TestHttpServletResponse response = new TestHttpServletResponse();
+ CookieAuthenticationLoginModule.setLoginCookie( m_engine, response,
"Fred Flintstone" );
+ Cookie[] cookies = response.getCookies();
+ assertEquals(1, cookies.length);
+ String uid = cookies[0].getValue();
- // And finally, if we null the UserPrincipal and remoteUser again,
- // it should not trigger a change.
+ // Adding the magic "authentication cookie" should NOT count as
authenticated in the default case
+ // (because cookie authentication is OFF).
request = new TestHttpServletRequest();
request.setUserPrincipal( null );
request.setRemoteUser( null );
request.setRemoteAddr( "127.0.0.1" );
request.m_session = session;
+ request.m_cookies = new Cookie[] { new Cookie( "JSPWikiUID", uid ) };
+ runSecurityFilter(m_engine, request);
wikiSession = WikiSession.getWikiSession( m_engine, request );
- assertFalse( wikiSession.isContainerStatusChanged( request ) );
+ assertTrue( wikiSession.isAnonymous());
+ assertFalse( wikiSession.isAuthenticated());
+ assertEquals( "127.0.0.1", wikiSession.getUserPrincipal().getName() );
+
+ // Clear the authentication cookie
+ response = new TestHttpServletResponse();
+ CookieAuthenticationLoginModule.clearLoginCookie( m_engine, request,
response );
+ }
+
+ public void testAuthenticationCookieWhenOn() throws WikiException,
ServletException, IOException
+ {
+ Properties props = new Properties();
+ props.load( TestEngine.findTestProperties() );
+ props.setProperty( AuthenticationManager.PROP_ALLOW_COOKIE_AUTH,
"true");
+ m_engine = new TestEngine( props );
- // Adding the magic "assertion cookie" should trigger a change in
status.
+ TestHttpSession session = new TestHttpSession();
+ TestHttpServletRequest request;
+ WikiSession wikiSession;
+
+ // Set the authentication cookie first
+ TestHttpServletResponse response = new TestHttpServletResponse();
+ CookieAuthenticationLoginModule.setLoginCookie( m_engine, response,
"Fred Flintstone" );
+ Cookie[] cookies = response.getCookies();
+ assertEquals(1, cookies.length);
+ String uid = cookies[0].getValue();
+
+ // Adding the magic "authentication cookie" should count as
authenticated
request = new TestHttpServletRequest();
request.setUserPrincipal( null );
request.setRemoteUser( null );
request.setRemoteAddr( "127.0.0.1" );
request.m_session = session;
- String cookieName = CookieAssertionLoginModule.PREFS_COOKIE_NAME;
- request.m_cookies = new Cookie[] { new Cookie( cookieName,
"FredFlintstone" ) };
+ request.m_cookies = new Cookie[] { new Cookie( "JSPWikiUID", uid ) };
+ runSecurityFilter(m_engine, request);
wikiSession = WikiSession.getWikiSession( m_engine, request );
- assertTrue( wikiSession.isContainerStatusChanged( request ) );
- }
-
- public void testGetStatus()
- {
+ assertFalse( wikiSession.isAnonymous());
+ assertTrue( wikiSession.isAuthenticated());
+ assertEquals( "Fred Flintstone",
wikiSession.getUserPrincipal().getName() );
+
+ // Clear the authentication cookie
+ response = new TestHttpServletResponse();
+ CookieAuthenticationLoginModule.clearLoginCookie( m_engine, request,
response );
}
/**
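Review bot: testAuthenticationCookieWhenOn only exercises the happy path — a uid freshly minted by setLoginCookie — so nothing in this hunk pins that, with cookie authentication enabled, an unknown or tampered `JSPWikiUID` value leaves the session anonymous, which is the case a forged-cookie bug would trip. A second request in that test carrying `new Cookie( "JSPWikiUID", "not-a-real-uid" )` with `assertTrue( wikiSession.isAnonymous() )` and `assertFalse( wikiSession.isAuthenticated() )` would cover it. The cookie name is also hard-coded as `"JSPWikiUID"` in both cookie tests while testAssertionCookie reads its name from `CookieAssertionLoginModule.PREFS_COOKIE_NAME`; since the cookie written by setLoginCookie is already in hand, `new Cookie( cookies[0].getName(), uid )` keeps the test in step with the module if the name ever changes. Finally, the clearLoginCookie cleanup at the end of both cookie tests only runs when every preceding assertion passes, so a failing run can leave login-cookie state behind for later tests; wrapping the assertions in try/finally with the clear in the finally block would avoid that.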
@@ -204,15 +276,10 @@
request.setRemoteAddr( "53.33.128.9" );
// Log in
- boolean loggedIn = engine.getAuthenticationManager().login( request );
- if ( !loggedIn )
- {
- throw new IllegalStateException( "Couldn't set up anonymous user."
);
- }
-
- WikiSession session = WikiSession.getWikiSession( engine, request );
+ runSecurityFilter(engine, request);
// Make sure the user is actually anonymous
+ WikiSession session = WikiSession.getWikiSession( engine, request );
if ( !session.isAnonymous() )
{
throw new IllegalStateException( "Session is not anonymous." );
@@ -228,19 +295,19 @@
public static WikiSession assertedSession( WikiEngine engine, String name,
Principal[] roles ) throws Exception
{
// We can use cookies right?
- if ( !AuthenticationManager.allowsCookieAssertions() )
+ if ( !engine.getAuthenticationManager().allowsCookieAssertions() )
{
throw new IllegalStateException( "Couldn't set up asserted user:
login config doesn't allow cookies." );
}
// Build anon session
TestHttpServletRequest request = new TestHttpServletRequest();
- Set r = new HashSet();
+ Set<String> r = new HashSet<String>();
for ( int i = 0; i < roles.length; i++ )
{
r.add( roles[i].getName() );
}
- request.setRoles( (String[])r.toArray( new String[r.size()]) );
+ request.setRoles( r.toArray( new String[r.size()]) );
request.setRemoteAddr( "53.33.128.9" );
// Set cookie
@@ -248,19 +315,10 @@
request.setCookies( new Cookie[] { cookie } );
// Log in
- boolean loggedIn = engine.getAuthenticationManager().login( request );
- if ( !loggedIn )
- {
- throw new IllegalStateException( "Couldn't log in asserted user."
);
- }
-
- WikiSession session = WikiSession.getWikiSession( engine, request );
+ runSecurityFilter(engine, request);
// Make sure the user is actually asserted
- if ( !session.hasPrincipal( Role.ASSERTED ) )
- {
- throw new IllegalStateException( "Didn't find Role.ASSERTED in
session." );
- }
+ WikiSession session = WikiSession.getWikiSession( engine, request );
return session;
}
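Review bot: assertedSession no longer verifies that the session it returns is actually asserted: the old `hasPrincipal( Role.ASSERTED )` guard was removed together with the login() call and nothing replaced it, whereas the sibling anonymousSession and authenticatedSession helpers still throw IllegalStateException when the filter did not produce the expected status. A fixture that silently hands back an anonymous session would make the authorization tests built on it pass or fail for the wrong reason. Suggest restoring the guard after the getWikiSession call: `if ( !session.isAsserted() ) { throw new IllegalStateException( "Session is not asserted." ); }`. The method's signature and cookie setup are in the preceding hunk, outside this one.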
@@ -276,15 +334,10 @@
request.setRemoteAddr( "53.33.128.9" );
// Log in as anon
- boolean loggedIn = engine.getAuthenticationManager().login( request );
- if ( !loggedIn )
- {
- throw new IllegalStateException( "Couldn't log in anonymous user."
);
- }
-
- WikiSession session = WikiSession.getWikiSession( engine, request );
+ runSecurityFilter(engine, request);
// Log in the user with credentials
+ WikiSession session = WikiSession.getWikiSession( engine, request );
engine.getAuthenticationManager().login( session, id, password );
// Make sure the user is actually authenticated
@@ -299,33 +352,33 @@
{
// Build container session
TestHttpServletRequest request = new TestHttpServletRequest();
- Set r = new HashSet();
+ Set<String> r = new HashSet<String>();
for ( int i = 0; i < roles.length; i++ )
{
r.add( roles[i].getName() );
}
- request.setRoles( (String[])r.toArray( new String[r.size()]) );
+ request.setRoles( r.toArray( new String[r.size()]) );
request.setRemoteAddr( "53.33.128.9" );
request.setUserPrincipal( new WikiPrincipal( id ) );
- // Log in as anon
- boolean loggedIn = engine.getAuthenticationManager().login( request );
- if ( !loggedIn )
- {
- throw new IllegalStateException( "Couldn't log in anonymous user."
);
- }
-
- WikiSession session = WikiSession.getWikiSession( engine, request );
-
- // Log in the user with credentials
- engine.getAuthenticationManager().login( request );
+ // Log in
+ runSecurityFilter(engine,request);
// Make sure the user is actually authenticated
+ WikiSession session = WikiSession.getWikiSession( engine, request );
if ( !session.isAuthenticated() )
{
throw new IllegalStateException( "Could not log in authenticated
user '" + id + "'" );
}
return session;
+ }
+
+ private static void runSecurityFilter(WikiEngine engine,
HttpServletRequest request) throws ServletException, IOException
+ {
+ Filter filter = new WikiServletFilter();
+ FilterConfig filterConfig = new TestFilterConfig(new
TestServletContext(engine));
+ filter.init(filterConfig);
+ filter.doFilter(request, null, new TestFilterChain());
}
public static Test suite()
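Review bot: runSecurityFilter passes `null` as the ServletResponse in `filter.doFilter(request, null, new TestFilterChain())`. This commit moves web authentication into WikiServletFilter, and the cookie tests earlier in this file show that login-cookie handling writes to the response (setLoginCookie and clearLoginCookie both take one), so any filter path that touches the response — presumably issuing or clearing a cookie, or a redirect — will fail with a NullPointerException inside the test instead of exercising the real code. A TestHttpServletResponse already exists in this file; suggest `filter.doFilter( request, new TestHttpServletResponse(), new TestFilterChain() );`. Since a fresh filter instance is created and `init`-ed on every call, a matching `filter.destroy();` after doFilter would keep the fixture's lifecycle symmetric.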