Posted to dev@tomcat.apache.org by ma...@apache.org on 2013/06/21 14:41:14 UTC
svn commit: r1495414 - in /tomcat/trunk:
java/org/apache/catalina/core/StandardContext.java
test/org/apache/catalina/core/TestStandardWrapper.java
Author: markt
Date: Fri Jun 21 12:41:13 2013
New Revision: 1495414
URL: http://svn.apache.org/r1495414
Log:
Expand test cases for servlet security annotations to include deny uncovered http methods.
Fix the failure identified by violetagg
Modified:
tomcat/trunk/java/org/apache/catalina/core/StandardContext.java
tomcat/trunk/test/org/apache/catalina/core/TestStandardWrapper.java
Modified: tomcat/trunk/java/org/apache/catalina/core/StandardContext.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/core/StandardContext.java?rev=1495414&r1=1495413&r2=1495414&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/core/StandardContext.java (original)
+++ tomcat/trunk/java/org/apache/catalina/core/StandardContext.java Fri Jun 21 12:41:13 2013
@@ -5291,7 +5291,7 @@ public class StandardContext extends Con
// Needs to be after SCIs and listeners as they may programatically
// change constraints
if (ok) {
- checkConstraintsForUncoveredMethods();
+ checkConstraintsForUncoveredMethods(findConstraints());
}
try {
@@ -5358,9 +5358,10 @@ public class StandardContext extends Con
}
- private void checkConstraintsForUncoveredMethods() {
+ private void checkConstraintsForUncoveredMethods(
+ SecurityConstraint[] constraints) {
SecurityConstraint[] newConstraints =
- SecurityConstraint.findUncoveredHttpMethods(findConstraints(),
+ SecurityConstraint.findUncoveredHttpMethods(constraints,
getDenyUncoveredHttpMethods(), getLogger());
for (SecurityConstraint constraint : newConstraints) {
addConstraint(constraint);
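Review bot: The new `constraints` parameter at L32-L33 has no Javadoc, and since the method now has two callers with different inputs (the full set from `findConstraints()` at start, and a per-servlet subset later) the contract is worth stating. Suggested header: `/** Adds constraints for HTTP methods that {@code constraints} leave uncovered, denying or logging them according to {@link #getDenyUncoveredHttpMethods()}. */` followed by `@param constraints the constraints to examine; generated constraints are added to this context, not to the array`. The method body continues past the end of the hunk.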
@@ -5838,6 +5839,8 @@ public class StandardContext extends Con
newSecurityConstraints) {
addConstraint(securityConstraint);
}
+
+ checkConstraintsForUncoveredMethods(newSecurityConstraints);
}
}
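Review bot: The call at L45 passes only `newSecurityConstraints`, whereas the start-time call in the first hunk passes `findConstraints()`; nothing at the call site explains why the narrower set is correct here, and a reader may wonder whether uncovered methods are then judged against annotation constraints only. A why-comment would settle it, e.g. `// Only the constraints just added need checking here; descriptor-defined constraints were already checked at start` (confirm against the pattern-filtering logic above, which is outside this hunk). Separately, if this method can run after the context has started, requests that reach the authenticator before it runs see neither the annotation constraints nor the generated deny constraints — worth confirming the ordering or documenting the assumption. The enclosing method starts outside the hunk.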
Modified: tomcat/trunk/test/org/apache/catalina/core/TestStandardWrapper.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/catalina/core/TestStandardWrapper.java?rev=1495414&r1=1495413&r2=1495414&view=diff
==============================================================================
--- tomcat/trunk/test/org/apache/catalina/core/TestStandardWrapper.java (original)
+++ tomcat/trunk/test/org/apache/catalina/core/TestStandardWrapper.java Fri Jun 21 12:41:13 2013
@@ -62,37 +62,89 @@ public class TestStandardWrapper extends
@Test
public void testSecurityAnnotationsSimple() throws Exception {
- doTest(DenyAllServlet.class.getName(), false, false, false);
+ doTest(DenyAllServlet.class.getName(), false, false, false, false);
}
@Test
public void testSecurityAnnotationsSubclass1() throws Exception {
- doTest(SubclassDenyAllServlet.class.getName(), false, false, false);
+ doTest(SubclassDenyAllServlet.class.getName(),
+ false, false, false,false);
}
@Test
public void testSecurityAnnotationsSubclass2() throws Exception {
- doTest(SubclassAllowAllServlet.class.getName(), false, false, true);
+ doTest(SubclassAllowAllServlet.class.getName(),
+ false, false, true, false);
}
@Test
public void testSecurityAnnotationsMethods1() throws Exception {
- doTest(MethodConstraintServlet.class.getName(), false, false, false);
+ doTest(MethodConstraintServlet.class.getName(),
+ false, false, false, false);
}
@Test
public void testSecurityAnnotationsMethods2() throws Exception {
- doTest(MethodConstraintServlet.class.getName(), true, false, true);
+ doTest(MethodConstraintServlet.class.getName(),
+ true, false, true, false);
}
@Test
public void testSecurityAnnotationsRole1() throws Exception {
- doTest(RoleAllowServlet.class.getName(), false, true, true);
+ doTest(RoleAllowServlet.class.getName(), false, true, true, false);
}
@Test
public void testSecurityAnnotationsRole2() throws Exception {
- doTest(RoleDenyServlet.class.getName(), false, true, false);
+ doTest(RoleDenyServlet.class.getName(), false, true, false, false);
+ }
+
+ @Test
+ public void testSecurityAnnotationsUncoveredGet01() throws Exception {
+ // Use a POST with role - should be allowed
+ doTest(UncoveredGetServlet.class.getName(), true, true, true, false);
+ }
+
+ @Test
+ public void testSecurityAnnotationsUncoveredGet02() throws Exception {
+ // Use a POST with role - should be allowed
+ doTest(UncoveredGetServlet.class.getName(), true, true, true, true);
+ }
+
+ @Test
+ public void testSecurityAnnotationsUncoveredGet03() throws Exception {
+ // Use a POST no role - should be blocked
+ doTest(UncoveredGetServlet.class.getName(), true, false, false, false);
+ }
+
+ @Test
+ public void testSecurityAnnotationsUncoveredGet04() throws Exception {
+ // Use a POST no role - should be blocked
+ doTest(UncoveredGetServlet.class.getName(), true, false, false, true);
+ }
+
+ @Test
+ public void testSecurityAnnotationsUncoveredGet05() throws Exception {
+ // Use a GET with role - should be allowed as denyUncovered is false
+ doTest(UncoveredGetServlet.class.getName(), false, true, true, false);
+ }
+
+ @Test
+ public void testSecurityAnnotationsUncoveredGet06() throws Exception {
+ // Use a GET with role - should be blocked as denyUncovered is true
+ doTest(UncoveredGetServlet.class.getName(), false, true, false, true);
+ }
+
+ @Test
+ public void testSecurityAnnotationsUncoveredGet07() throws Exception {
+ // Use a GET no role - should be allowed as denyUncovered is false
+ doTest(UncoveredGetServlet.class.getName(), false, false, true, false);
+ }
+
+ @Test
+ public void testSecurityAnnotationsUncoveredGet08() throws Exception {
+ // Use a GET no role - should be blocked as denyUncovered is true
+ doTest(UncoveredGetServlet.class.getName(), true, false, false, true);
}
@Test
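Review bot: `testSecurityAnnotationsUncoveredGet08` at L137-L139 passes `usePost = true`, so it duplicates `UncoveredGet04` (L115) and the case its comment describes — GET, no role, denyUncovered true — is not actually exercised; the security-relevant scenario of the series therefore has no coverage. The call should read `doTest(UncoveredGetServlet.class.getName(), false, false, false, true);`. Minor style: L63 has `false, false, false,false` with a missing space after the comma, unlike the other call sites.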
@@ -223,7 +275,8 @@ public class TestStandardWrapper extends
}
private void doTest(String servletClassName, boolean usePost,
- boolean useRole, boolean expect200) throws Exception {
+ boolean useRole, boolean expect200, boolean denyUncovered)
+ throws Exception {
// Setup Tomcat instance
Tomcat tomcat = getTomcatInstance();
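Review bot: `doTest` now takes four positional booleans at L144-L147, and the mis-set flag in the UncoveredGet08 test above shows how easily they are transposed. A short Javadoc on the helper listing each flag would help, e.g. `@param usePost send POST instead of GET`, `@param useRole authenticate as a user holding testRole`, `@param expect200 whether the request is expected to succeed`, and `@param denyUncovered value passed to Context.setDenyUncoveredHttpMethods`. The method body continues outside the hunk.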
@@ -231,6 +284,7 @@ public class TestStandardWrapper extends
// Must have a real docBase - just use temp
Context ctx =
tomcat.addContext("", System.getProperty("java.io.tmpdir"));
+ ctx.setDenyUncoveredHttpMethods(denyUncovered);
Wrapper wrapper = Tomcat.addServlet(ctx, "servlet", servletClassName);
wrapper.setAsyncSupported(true);
@@ -318,6 +372,14 @@ public class TestStandardWrapper extends
private static final long serialVersionUID = 1L;
}
+ @ServletSecurity(httpMethodConstraints = {
+ @HttpMethodConstraint(value="POST",rolesAllowed = "testRole")
+ }
+ )
+ public static class UncoveredGetServlet extends TestServlet {
+ private static final long serialVersionUID = 1L;
+ }
+
@ServletSecurity(@HttpConstraint(rolesAllowed = "testRole"))
public static class RoleAllowServlet extends TestServlet {
private static final long serialVersionUID = 1L;
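Review bot: The annotation at L161 is formatted as `value="POST",rolesAllowed = "testRole"`, mixing spaced and unspaced `=` and omitting the space after the comma, unlike `@HttpConstraint(rolesAllowed = "testRole")` at L168; `@HttpMethodConstraint(value = "POST", rolesAllowed = "testRole")` matches the file's style. A one-line comment on the class, e.g. `// Only POST is constrained; GET is intentionally left uncovered for the deny-uncovered tests`, would make the fixture's purpose clear to readers who do not look at the test names.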