Posted to dev@tapestry.apache.org by hl...@apache.org on 2011/10/24 20:33:26 UTC
svn commit: r1188278 - in /tapestry/tapestry5/trunk/tapestry-core/src:
main/java/org/apache/tapestry5/internal/services/
test/java/org/apache/tapestry5/internal/services/
Author: hlship
Date: Mon Oct 24 18:33:25 2011
New Revision: 1188278
URL: http://svn.apache.org/viewvc?rev=1188278&view=rev
Log:
TAP5-1511: RequestSecurityManager.checkPageSecurity() should return request security instead of INSECURE in case when security is disabled
Modified:
tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RequestSecurityManager.java
tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RequestSecurityManagerImpl.java
tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/RequestSecurityManagerImplTest.java
Modified: tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RequestSecurityManager.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RequestSecurityManager.java?rev=1188278&r1=1188277&r2=1188278&view=diff
==============================================================================
--- tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RequestSecurityManager.java (original)
+++ tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RequestSecurityManager.java Mon Oct 24 18:33:25 2011
@@ -1,4 +1,4 @@
-// Copyright 2008, 2009, 2010 The Apache Software Foundation
+// Copyright 2008, 2009, 2010, 2011 The Apache Software Foundation
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
@@ -14,15 +14,15 @@
package org.apache.tapestry5.internal.services;
-import java.io.IOException;
-
import org.apache.tapestry5.services.ComponentEventRequestParameters;
import org.apache.tapestry5.services.PageRenderRequestParameters;
+import java.io.IOException;
+
/**
* Used to manage the relationship between the security of a request and the security of a page. By secure, we mean
* whether a request uses HTTPS and whether a page demands the use of HTTPS.
- *
+ *
* @see org.apache.tapestry5.services.Request#isSecure()
*/
public interface RequestSecurityManager
@@ -30,9 +30,8 @@ public interface RequestSecurityManager
/**
* Checks the page to see if it is secure; if so, and the request is not secure, then a redirect to the page is
* generated and sent.
- *
- * @param parameters
- * parameters for the current request
+ *
+ * @param parameters parameters for the current request
* @return true if a redirect was sent, false if normal processing should continue
* @throws IOException
*/
@@ -42,9 +41,8 @@ public interface RequestSecurityManager
* Checks the target page of the component event request to see if it is secure; if so, and the
* request is not secure, then a redirect to the page is generated and sent, preserving the
* original component event request.
- *
- * @param parameters
- * parameters for the current request
+ *
+ * @param parameters parameters for the current request
* @return true if a redirect was sent, false if normal processing should continue
* @throws IOException
* @since 5.2.0.0
@@ -52,12 +50,13 @@ public interface RequestSecurityManager
boolean checkForInsecureComponentEventRequest(ComponentEventRequestParameters parameters) throws IOException;
/**
- * Determines if the page security does not match the request's security.
- *
- * @param pageName
- * for the security check
- * @return SECURE or INSECURE if a change in security is required, or UNSPECIFIED if the request security matches
- * the page's security level
+ * Determines if the page security does not match the request's security. Returns {@link LinkSecurity#SECURE}
+ * or {@link LinkSecurity#INSECURE} if the request security matches the pages. Otherwise, returns
+ * {@link LinkSecurity#FORCE_SECURE} or {@link LinkSecurity#FORCE_INSECURE} (which will force fully qualified URLs to be generated when
+ * rendering).
+ *
+ * @param pageName for the security check
+ * @return security for this request, as applied to indicated page
*/
LinkSecurity checkPageSecurity(String pageName);
}
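Review bot: The rewritten Javadoc for checkPageSecurity() leaves out the case this commit is about: when security is disabled, the implementation now returns the request's own security and never a FORCE_ value. As written, a reader would expect FORCE_SECURE or FORCE_INSECURE whenever page and request differ. I would add a sentence such as `When security is disabled, page metadata is not consulted and the result is SECURE or INSECURE according to the request alone.` and correct "matches the pages" to "matches the page's". The opening sentence ("Determines if the page security does not match ...") no longer fits the new @return text and could instead say that the method returns the link security to apply for the page.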
Modified: tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RequestSecurityManagerImpl.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RequestSecurityManagerImpl.java?rev=1188278&r1=1188277&r2=1188278&view=diff
==============================================================================
--- tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RequestSecurityManagerImpl.java (original)
+++ tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RequestSecurityManagerImpl.java Mon Oct 24 18:33:25 2011
@@ -1,4 +1,4 @@
-// Copyright 2008, 2009, 2010 The Apache Software Foundation
+// Copyright 2008, 2009, 2010, 2011 The Apache Software Foundation
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
@@ -14,18 +14,13 @@
package org.apache.tapestry5.internal.services;
-import java.io.IOException;
-
import org.apache.tapestry5.Link;
import org.apache.tapestry5.MetaDataConstants;
import org.apache.tapestry5.SymbolConstants;
import org.apache.tapestry5.ioc.annotations.Symbol;
-import org.apache.tapestry5.services.ComponentEventLinkEncoder;
-import org.apache.tapestry5.services.ComponentEventRequestParameters;
-import org.apache.tapestry5.services.MetaDataLocator;
-import org.apache.tapestry5.services.PageRenderRequestParameters;
-import org.apache.tapestry5.services.Request;
-import org.apache.tapestry5.services.Response;
+import org.apache.tapestry5.services.*;
+
+import java.io.IOException;
public class RequestSecurityManagerImpl implements RequestSecurityManager
{
@@ -40,8 +35,8 @@ public class RequestSecurityManagerImpl
private final ComponentEventLinkEncoder componentEventLinkEncoder;
public RequestSecurityManagerImpl(Request request, Response response,
- ComponentEventLinkEncoder componentEventLinkEncoder, MetaDataLocator locator, @Symbol(SymbolConstants.SECURE_ENABLED)
- boolean securityEnabled)
+ ComponentEventLinkEncoder componentEventLinkEncoder, MetaDataLocator locator, @Symbol(SymbolConstants.SECURE_ENABLED)
+ boolean securityEnabled)
{
this.request = request;
this.response = response;
@@ -53,7 +48,9 @@ public class RequestSecurityManagerImpl
public boolean checkForInsecureComponentEventRequest(ComponentEventRequestParameters parameters) throws IOException
{
if (!needsRedirect(parameters.getActivePageName()))
+ {
return false;
+ }
// Page is secure but request is not, so redirect.
// We can safely ignore the forForm parameter since secure form requests are always done from
@@ -83,15 +80,21 @@ public class RequestSecurityManagerImpl
private boolean needsRedirect(String pageName)
{
if (!securityEnabled)
+ {
return false;
+ }
// We don't (at this time) redirect from secure to insecure, just from insecure to secure.
if (request.isSecure())
+ {
return false;
+ }
if (!isSecure(pageName))
+ {
return false;
+ }
return true;
}
@@ -104,12 +107,16 @@ public class RequestSecurityManagerImpl
public LinkSecurity checkPageSecurity(String pageName)
{
if (!securityEnabled)
- return LinkSecurity.INSECURE;
+ {
+ return request.isSecure() ? LinkSecurity.SECURE : LinkSecurity.INSECURE;
+ }
boolean securePage = isSecure(pageName);
if (request.isSecure() == securePage)
+ {
return securePage ? LinkSecurity.SECURE : LinkSecurity.INSECURE;
+ }
// Return a value that will, ultimately, force an absolute URL.
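Review bot: The new security-disabled branch in checkPageSecurity() has no comment saying why it mirrors request.isSecure() instead of returning INSECURE, so a later cleanup could easily revert it; a one-line why-comment would do, e.g. `// Security disabled: keep the request's current scheme, never force a switch (TAP5-1511).` This branch returns before isSecure(pageName) is called, so a page marked secure that is requested over plain HTTP gets INSECURE here; that looks intended for the disabled setting but is worth stating in the comment. The result now depends entirely on request.isSecure(), which presumably reflects what the servlet container sees, so deployments that terminate TLS in front of the application should confirm that value is accurate. The method body continues past the end of this hunk.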
Modified: tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/RequestSecurityManagerImplTest.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/RequestSecurityManagerImplTest.java?rev=1188278&r1=1188277&r2=1188278&view=diff
==============================================================================
--- tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/RequestSecurityManagerImplTest.java (original)
+++ tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/RequestSecurityManagerImplTest.java Mon Oct 24 18:33:25 2011
@@ -1,4 +1,4 @@
-// Copyright 2008, 2009, 2010 The Apache Software Foundation
+// Copyright 2008, 2009, 2010, 2011 The Apache Software Foundation
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
@@ -18,11 +18,7 @@ import org.apache.tapestry5.Link;
import org.apache.tapestry5.MetaDataConstants;
import org.apache.tapestry5.internal.EmptyEventContext;
import org.apache.tapestry5.internal.test.InternalBaseTestCase;
-import org.apache.tapestry5.services.ComponentEventLinkEncoder;
-import org.apache.tapestry5.services.MetaDataLocator;
-import org.apache.tapestry5.services.PageRenderRequestParameters;
-import org.apache.tapestry5.services.Request;
-import org.apache.tapestry5.services.Response;
+import org.apache.tapestry5.services.*;
import org.testng.annotations.DataProvider;
import org.testng.annotations.Test;
@@ -106,7 +102,7 @@ public class RequestSecurityManagerImplT
}
private void train_createPageRenderLink(ComponentEventLinkEncoder encoder, PageRenderRequestParameters parameters,
- Link link)
+ Link link)
{
expect(encoder.createPageRenderLink(parameters)).andReturn(link);
}
@@ -115,11 +111,11 @@ public class RequestSecurityManagerImplT
public Object[][] check_page_security_data()
{
return new Object[][]
- {
- { true, true, LinkSecurity.SECURE },
- { false, false, LinkSecurity.INSECURE },
- { true, false, LinkSecurity.FORCE_INSECURE },
- { false, true, LinkSecurity.FORCE_SECURE } };
+ {
+ {true, true, LinkSecurity.SECURE},
+ {false, false, LinkSecurity.INSECURE},
+ {true, false, LinkSecurity.FORCE_INSECURE},
+ {false, true, LinkSecurity.FORCE_SECURE}};
}
@Test(dataProvider = "check_page_security_data")
@@ -148,4 +144,34 @@ public class RequestSecurityManagerImplT
expect(locator.findMeta(MetaDataConstants.SECURE_PAGE, pageName, Boolean.class)).andReturn(securePage);
}
+ @DataProvider
+ public Object[][] security_disabled_data()
+ {
+ return new Object[][]{
+ {false, LinkSecurity.INSECURE},
+ {true, LinkSecurity.SECURE}
+ };
+ }
+
+ /**
+ * https://issues.apache.org/jira/browse/TAP5-1511
+ */
+ @Test(dataProvider = "security_disabled_data")
+ public void link_security_when_security_is_disabled(boolean secureRequest, LinkSecurity expectedLinkSecurity)
+ {
+ Request request = mockRequest();
+ Response response = mockResponse();
+ MetaDataLocator locator = mockMetaDataLocator();
+
+ train_isSecure(request, secureRequest);
+
+ replay();
+
+ RequestSecurityManager manager = new RequestSecurityManagerImpl(request, response, null, locator, false);
+
+ assertEquals(manager.checkPageSecurity(PAGE_NAME), expectedLinkSecurity);
+
+ verify();
+ }
+
}
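Review bot: link_security_when_security_is_disabled() creates the MetaDataLocator mock but never states that it must stay untouched, which is the property that distinguishes the disabled path from the enabled one. A comment above replay() such as `// No locator expectations: page metadata must not be consulted when security is disabled.` would make that explicit; whether verify() actually fails on an unexpected findMeta call depends on the mock type InternalBaseTestCase creates, which is not visible here. The test also covers only checkPageSecurity(); the disabled path through the redirect checks (needsRedirect returning false when security is off) is not exercised in the lines shown.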