Posted to commits@sling.apache.org by fm...@apache.org on 2010/10/11 15:43:54 UTC
svn commit: r1021345 -
/sling/trunk/launchpad/integration-tests/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/auth/AuthenticationResponseCodeTest.java
Author: fmeschbe
Date: Mon Oct 11 13:43:54 2010
New Revision: 1021345
URL: http://svn.apache.org/viewvc?rev=1021345&view=rev
Log:
SLING-1831 introduce a utility method for comparing the X-Reason header with the response content, and add a test validating that a login loop is answered with 403 in case of unsuccessful authentication
Modified:
sling/trunk/launchpad/integration-tests/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/auth/AuthenticationResponseCodeTest.java
Modified: sling/trunk/launchpad/integration-tests/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/auth/AuthenticationResponseCodeTest.java
URL: http://svn.apache.org/viewvc/sling/trunk/launchpad/integration-tests/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/auth/AuthenticationResponseCodeTest.java?rev=1021345&r1=1021344&r2=1021345&view=diff
==============================================================================
--- sling/trunk/launchpad/integration-tests/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/auth/AuthenticationResponseCodeTest.java (original)
+++ sling/trunk/launchpad/integration-tests/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/auth/AuthenticationResponseCodeTest.java Mon Oct 11 13:43:54 2010
@@ -29,6 +29,7 @@ import org.apache.commons.httpclient.Htt
import org.apache.commons.httpclient.NameValuePair;
import org.apache.commons.httpclient.UsernamePasswordCredentials;
import org.apache.commons.httpclient.auth.AuthScope;
+import org.apache.commons.httpclient.methods.GetMethod;
import org.apache.commons.httpclient.methods.PostMethod;
import org.apache.sling.commons.testing.integration.HttpTestBase;
@@ -80,13 +81,7 @@ public class AuthenticationResponseCodeT
headers.add(new Header("Cookie", "sling.formauth=garbage"));
HttpMethod post = assertPostStatus(HTTP_BASE_URL + "/j_security_check", HttpServletResponse.SC_FORBIDDEN, params, headers, null);
-
- // expected the X-Reason header
- final Header reason = post.getResponseHeader("X-Reason");
- assertNotNull(reason);
-
- // expect the response to be the same as the reason (SLING-1831)
- assertEquals(reason.getValue(), post.getResponseBodyAsString().trim());
+ assertXReason(post);
}
public void testValidatingIncorrectHttpBasicCredentials() throws Exception {
@@ -99,22 +94,26 @@ public class AuthenticationResponseCodeT
List<NameValuePair> params = new ArrayList<NameValuePair>();
params.add(new NameValuePair("j_validate", "true"));
HttpMethod post = assertPostStatus(HTTP_BASE_URL + "/j_security_check", HttpServletResponse.SC_FORBIDDEN, params, null);
-
- // expected the X-Reason header
- Header reason = post.getResponseHeader("X-Reason");
- assertNotNull(reason);
-
- // expect the response to be the same as the reason (SLING-1831)
- assertEquals(reason.getValue(), post.getResponseBodyAsString().trim());
+ assertXReason(post);
HttpMethod get = assertHttpStatus(HTTP_BASE_URL + "?j_validate=true", HttpServletResponse.SC_FORBIDDEN);
+ assertXReason(get);
+ }
- // expected the X-Reason header
- reason = post.getResponseHeader("X-Reason");
- assertNotNull(reason);
+ public void testPreventLoopIncorrectHttpBasicCredentials() throws Exception {
- // expect the response to be the same as the reason (SLING-1831)
- assertEquals(reason.getValue(), post.getResponseBodyAsString().trim());
+ // assume http and webdav are on the same host + port
+ URL url = new URL(HTTP_BASE_URL);
+ Credentials defaultcreds = new UsernamePasswordCredentials("garbage", "garbage");
+ httpClient.getState().setCredentials(new AuthScope(url.getHost(), url.getPort(), AuthScope.ANY_REALM), defaultcreds);
+
+ final String requestUrl = HTTP_BASE_URL + "/junk?param1=1";
+ HttpMethod get = new GetMethod(requestUrl);
+ get.setRequestHeader("Referer", requestUrl);
+ get.setRequestHeader("Accept", "text/*"); // simulate a browser request
+ int status = httpClient.executeMethod(get);
+ assertEquals(HttpServletResponse.SC_FORBIDDEN, status);
+ assertXReason(get);
}
public void testXRequestedWithIncorrectCredentials() throws Exception {
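Review bot: The bogus credentials registered with `httpClient.getState().setCredentials(...)` in testPreventLoopIncorrectHttpBasicCredentials are never removed, so if the `httpClient` field is shared across test methods (its lifecycle lives in HttpTestBase, outside this hunk) every later request to that host and port would carry a Basic Authorization header for "garbage"/"garbage", and a subsequent test could pass or fail for the wrong reason. Wrapping the execute-and-assert part in try/finally that calls `httpClient.getState().clearCredentials()` and `get.releaseConnection()` keeps the test self-contained; the rewritten tail is shown below. The comment `// assume http and webdav are on the same host + port` does not match the code, which only derives the AuthScope from HTTP_BASE_URL; `// register the wrong credentials for the host and port of HTTP_BASE_URL` would describe it. The same X-Reason helper is also used at the end of testValidatingIncorrectHttpBasicCredentials, whose body starts above this hunk.
```java
public void testPreventLoopIncorrectHttpBasicCredentials() throws Exception {
    // … unchanged: AuthScope/credential setup and GetMethod construction …
    try {
        int status = httpClient.executeMethod(get);
        assertEquals(HttpServletResponse.SC_FORBIDDEN, status);
        assertXReason(get);
    } finally {
        // do not leak the bogus credentials into later tests that share httpClient
        httpClient.getState().clearCredentials();
        get.releaseConnection();
    }
}
```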
@@ -196,4 +195,12 @@ public class AuthenticationResponseCodeT
return post;
}
+ private void assertXReason(final HttpMethod method) throws IOException {
+ // expected the X-Reason header
+ final Header reason = method.getResponseHeader("X-Reason");
+ assertNotNull(reason);
+
+ // expect the response to be the same as the reason (SLING-1831)
+ assertEquals(reason.getValue(), method.getResponseBodyAsString().trim());
+ }
}
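Review bot: assertXReason is the new shared assertion for three tests but carries no Javadoc, and the inline comment `// expected the X-Reason header` reads as past tense where an expectation is meant. A short Javadoc would make the contract explicit for the next test author: `/** Asserts that the response carries an X-Reason header and that the trimmed response body equals that header's value (SLING-1831). */`, with the first inline comment changed to `// the X-Reason header must be present`. It may also be worth stating in the Javadoc that the body is read fully via getResponseBodyAsString(), so the helper is only suitable for the small error responses these tests expect.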