import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
+import javax.servlet.annotation.HttpMethodConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.EmptyRoleSemantic;
import javax.servlet.http.HttpServlet;
public class TestStandardWrapper extends TomcatBaseTest {
public void testSecurityAnnotationsSimple() throws Exception {
- doDenyTest(DenyServlet.class.getName());
+ doTest(DenyAllServlet.class.getName(), false, false);
}
public void testSecurityAnnotationsSubclass1() throws Exception {
- doDenyTest(SubclassDenyServlet.class.getName());
+ doTest(SubclassDenyAllServlet.class.getName(), false, false);
}
public void testSecurityAnnotationsSubclass2() throws Exception {
- doAllowTest(SubclassAllowServlet.class.getName());
+ doTest(SubclassAllowAllServlet.class.getName(), false, true);
}
- private void doDenyTest(String servletClassName) throws Exception {
- // Setup Tomcat instance
- Tomcat tomcat = getTomcatInstance();
-
- // Must have a real docBase - just use temp
- Context ctx =
- tomcat.addContext("", System.getProperty("java.io.tmpdir"));
-
- Wrapper wrapper = Tomcat.addServlet(ctx, "servlet", servletClassName);
- wrapper.setAsyncSupported(true);
- ctx.addServletMapping("/", "servlet");
-
- tomcat.start();
-
- // Call the servlet once
- ByteChunk bc = new ByteChunk();
- int rc = getUrl("http://localhost:" + getPort() + "/", bc, null);
-
- assertNull(bc.toString());
- assertEquals(403, rc);
-
+ public void testSecurityAnnotationsMethods1() throws Exception {
+ doTest(MethodConstraintServlet.class.getName(), false, false);
+ }
+
+ public void testSecurityAnnotationsMethods2() throws Exception {
+ doTest(MethodConstraintServlet.class.getName(), true, true);
}
- private void doAllowTest(String servletClassName) throws Exception {
+ private void doTest(String servletClassName, boolean usePost,
+ boolean expect200) throws Exception {
+
// Setup Tomcat instance
Tomcat tomcat = getTomcatInstance();
// Call the servlet once
ByteChunk bc = new ByteChunk();
- int rc = getUrl("http://localhost:" + getPort() + "/", bc, null);
-
- assertEquals("OK", bc.toString());
- assertEquals(200, rc);
+ int rc;
+ if (usePost) {
+ rc = postUrl(null, "http://localhost:" + getPort() + "/", bc, null);
+ } else {
+ rc = getUrl("http://localhost:" + getPort() + "/", bc, null);
+ }
+ if (expect200) {
+ assertEquals("OK", bc.toString());
+ assertEquals(200, rc);
+ } else {
+ assertNull(bc.toString());
+ assertEquals(403, rc);
+ }
}
- @ServletSecurity(@HttpConstraint(EmptyRoleSemantic.DENY))
- public static class DenyServlet extends HttpServlet {
+ public static class TestServlet extends HttpServlet {
private static final long serialVersionUID = 1L;
@Override
resp.setContentType("text/plain");
resp.getWriter().print("OK");
}
+
+ @Override
+ protected void doPost(HttpServletRequest req, HttpServletResponse resp)
+ throws ServletException, IOException {
+ doGet(req, resp);
+ }
+ }
+
+ @ServletSecurity(@HttpConstraint(EmptyRoleSemantic.DENY))
+ public static class DenyAllServlet extends TestServlet {
+ private static final long serialVersionUID = 1L;
}
- public static class SubclassDenyServlet extends DenyServlet {
+ public static class SubclassDenyAllServlet extends DenyAllServlet {
private static final long serialVersionUID = 1L;
}
@ServletSecurity(@HttpConstraint(EmptyRoleSemantic.PERMIT))
- public static class SubclassAllowServlet extends DenyServlet {
+ public static class SubclassAllowAllServlet extends DenyAllServlet {
+ private static final long serialVersionUID = 1L;
+ }
+
+ @ServletSecurity(value= @HttpConstraint(EmptyRoleSemantic.PERMIT),
+ httpMethodConstraints = {
+ @HttpMethodConstraint(value="GET",
+ emptyRoleSemantic = EmptyRoleSemantic.DENY)
+ }
+ )
+ public static class MethodConstraintServlet extends TestServlet {
private static final long serialVersionUID = 1L;
}
}
projects / tomcat7.0 / commitdiff