/tests/e2e-client/src/test/java/org/glassfish/jersey/tests/e2e/client/HttpAuthorizationTest.java
Java | 567 lines | 422 code | 86 blank | 59 comment | 15 complexity | 20353f01dbf5e12485bcdc11bce8af17 MD5 | raw file
- /*
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
- *
- * Copyright (c) 2013-2017 Oracle and/or its affiliates. All rights reserved.
- *
- * The contents of this file are subject to the terms of either the GNU
- * General Public License Version 2 only ("GPL") or the Common Development
- * and Distribution License("CDDL") (collectively, the "License"). You
- * may not use this file except in compliance with the License. You can
- * obtain a copy of the License at
- * https://oss.oracle.com/licenses/CDDL+GPL-1.1
- * or LICENSE.txt. See the License for the specific
- * language governing permissions and limitations under the License.
- *
- * When distributing the software, include this License Header Notice in each
- * file and include the License file at LICENSE.txt.
- *
- * GPL Classpath Exception:
- * Oracle designates this particular file as subject to the "Classpath"
- * exception as provided by Oracle in the GPL Version 2 section of the License
- * file that accompanied this code.
- *
- * Modifications:
- * If applicable, add the following below the License Header, with the fields
- * enclosed by brackets [] replaced by your own identifying information:
- * "Portions Copyright [year] [name of copyright owner]"
- *
- * Contributor(s):
- * If you wish your version of this file to be governed by only the CDDL or
- * only the GPL Version 2, indicate your decision by adding "[Contributor]
- * elects to include this software in this distribution under the [CDDL or GPL
- * Version 2] license." If you don't indicate a single choice of license, a
- * recipient has the option to distribute your version of this file under
- * either the CDDL, the GPL Version 2 or to extend the choice of license to
- * its licensees as provided above. However, if you add GPL Version 2 code
- * and therefore, elected the GPL Version 2 license, then the option applies
- * only if the new code is made subject to such option by the copyright
- * holder.
- */
- package org.glassfish.jersey.tests.e2e.client;
- import java.io.IOException;
- import java.lang.annotation.ElementType;
- import java.lang.annotation.Retention;
- import java.lang.annotation.RetentionPolicy;
- import java.lang.annotation.Target;
- import java.nio.charset.Charset;
- import java.security.Principal;
- import java.util.regex.Matcher;
- import java.util.regex.Pattern;
- import javax.ws.rs.GET;
- import javax.ws.rs.NameBinding;
- import javax.ws.rs.Path;
- import javax.ws.rs.client.WebTarget;
- import javax.ws.rs.container.ContainerRequestContext;
- import javax.ws.rs.container.ContainerRequestFilter;
- import javax.ws.rs.core.Application;
- import javax.ws.rs.core.Context;
- import javax.ws.rs.core.HttpHeaders;
- import javax.ws.rs.core.Response;
- import javax.ws.rs.core.SecurityContext;
- import org.glassfish.jersey.client.authentication.HttpAuthenticationFeature;
- import org.glassfish.jersey.internal.util.Base64;
- import org.glassfish.jersey.logging.LoggingFeature;
- import org.glassfish.jersey.server.ResourceConfig;
- import org.glassfish.jersey.test.JerseyTest;
- import org.glassfish.jersey.test.util.runner.ConcurrentRunner;
- import org.junit.Assert;
- import org.junit.Test;
- import org.junit.runner.RunWith;
- /**
- * Tests {@link org.glassfish.jersey.client.authentication.HttpAuthenticationFeature}.
- *
- * @author Miroslav Fuksa
- */
- @RunWith(ConcurrentRunner.class)
- public class HttpAuthorizationTest extends JerseyTest {
- @NameBinding
- @Target({ElementType.TYPE, ElementType.METHOD})
- @Retention(value = RetentionPolicy.RUNTIME)
- public static @interface Digest {
- }
- @NameBinding
- @Target({ElementType.TYPE, ElementType.METHOD})
- @Retention(value = RetentionPolicy.RUNTIME)
- public static @interface Basic {
- }
- @NameBinding
- @Target({ElementType.TYPE, ElementType.METHOD})
- @Retention(value = RetentionPolicy.RUNTIME)
- public static @interface Alternating {
- }
- /**
- * Alternates between BASIC and DIGEST (each is used for 2 requests).
- */
- @Alternating
- public static class AlternatingDigestBasicFilter implements ContainerRequestFilter {
- int counter = 0;
- @Override
- public void filter(ContainerRequestContext requestContext) throws IOException {
- if ((counter++ / 2) % 2 == 0) {
- new BasicFilter().filter(requestContext);
- } else {
- new DigestFilter().filter(requestContext);
- }
- }
- }
- @Digest
- public static class DigestFilter implements ContainerRequestFilter {
- @Override
- public void filter(ContainerRequestContext requestContext) throws IOException {
- final String authorization = requestContext.getHeaderString(HttpHeaders.AUTHORIZATION);
- if (authorization != null && authorization.trim().toUpperCase().startsWith("DIGEST")) {
- final Matcher match = Pattern.compile("username=\"([^\"]+)\"").matcher(authorization);
- if (!match.find()) {
- return;
- }
- final String username = match.group(1);
- requestContext.setSecurityContext(new SecurityContext() {
- @Override
- public Principal getUserPrincipal() {
- return new Principal() {
- @Override
- public String getName() {
- return username;
- }
- };
- }
- @Override
- public boolean isUserInRole(String role) {
- return false;
- }
- @Override
- public boolean isSecure() {
- return false;
- }
- @Override
- public String getAuthenticationScheme() {
- return "DIGEST";
- }
- });
- return;
- }
- requestContext.abortWith(Response.status(401).header(HttpHeaders.WWW_AUTHENTICATE,
- "Digest realm=\"my-realm\", domain=\"\", nonce=\"n9iv3MeSNkEfM3uJt2gnBUaWUbKAljxp\", algorithm=MD5, "
- + "qop=\"auth\", stale=false")
- .build());
- }
- }
- /**
- * Basic Auth: password must be the same as user name except first letter is capitalized.
- * Example: username "homer" -> password "Homer"
- */
- @Basic
- public static class BasicFilter implements ContainerRequestFilter {
- static final Charset CHARACTER_SET = Charset.forName("iso-8859-1");
- public static final String AUTH_SCHEME_CASE = "Auth-Scheme-Case";
- @Override
- public void filter(ContainerRequestContext request) throws IOException {
- String authHeader = request.getHeaders().getFirst(HttpHeaders.AUTHORIZATION);
- if (authHeader != null && authHeader.trim().toUpperCase().startsWith("BASIC")) {
- String decoded = new String(Base64.decode(authHeader.substring(6).getBytes()), CHARACTER_SET);
- // String decoded = Base64.decodeAsString(authHeader.substring(6));
- final String[] split = decoded.split(":");
- final String username = split[0];
- final String pwd = split[1];
- String capitalizedUserName = username.substring(0, 1).toUpperCase() + username.substring(1);
- if (capitalizedUserName.equals(pwd)) {
- request.setSecurityContext(new SecurityContext() {
- @Override
- public Principal getUserPrincipal() {
- return new Principal() {
- @Override
- public String getName() {
- return username;
- }
- };
- }
- @Override
- public boolean isUserInRole(String role) {
- return true;
- }
- @Override
- public boolean isSecure() {
- return false;
- }
- @Override
- public String getAuthenticationScheme() {
- return "BASIC";
- }
- });
- return;
- }
- }
- final String authSchemeCase = request.getHeaderString(AUTH_SCHEME_CASE);
- final String authScheme;
- if ("uppercase".equals(authSchemeCase)) {
- authScheme = "BASIC";
- } else if ("lowercase".equals(authSchemeCase)) {
- authScheme = "basic";
- } else {
- authScheme = "Basic";
- }
- request.abortWith(Response.status(401).header(HttpHeaders.WWW_AUTHENTICATE, authScheme).build());
- }
- }
- @Override
- protected Application configure() {
- ResourceConfig resourceConfig = new ResourceConfig(MyResource.class);
- resourceConfig.register(LoggingFeature.class);
- resourceConfig.register(new BasicFilter());
- resourceConfig.register(new DigestFilter());
- resourceConfig.register(new AlternatingDigestBasicFilter());
- return resourceConfig;
- }
- @Path("resource")
- public static class MyResource {
- @Context
- SecurityContext securityContext;
- @GET
- public String unsecure() {
- return "unsecure";
- }
- @GET
- @Path("basic")
- @Basic
- public String basic() {
- return securityContext.getAuthenticationScheme() + ":" + securityContext.getUserPrincipal().getName();
- }
- @GET
- @Path("digest")
- @Digest
- public String digest() {
- return securityContext.getAuthenticationScheme() + ":" + securityContext.getUserPrincipal().getName();
- }
- @GET
- @Path("alternating")
- @Alternating
- public String alternating() {
- return securityContext.getAuthenticationScheme() + ":" + securityContext.getUserPrincipal().getName();
- }
- }
- @Test
- public void testBasicPreemptive() {
- Response response = target().path("resource").path("basic")
- .register(HttpAuthenticationFeature.basicBuilder().credentials("homer", "Homer").build())
- .request().get();
- check(response, 200, "BASIC:homer");
- }
- @Test
- public void testBasicNonPreemptive() {
- Response response = target().path("resource").path("basic")
- .register(HttpAuthenticationFeature.basicBuilder().nonPreemptive().credentials("homer", "Homer").build())
- .request().get();
- check(response, 200, "BASIC:homer");
- }
- @Test
- public void testBasicNonPreemptiveWithEmptyPassword() {
- final WebTarget target = target().path("resource")
- .register(HttpAuthenticationFeature.basicBuilder().nonPreemptive().build());
- Response response = target.request().get();
- check(response, 200, "unsecure");
- try {
- response = target().path("resource").path("basic")
- .register(HttpAuthenticationFeature.basicBuilder().nonPreemptive().build())
- .request().get();
- Assert.fail("should throw an exception as credentials are missing");
- } catch (Exception e) {
- // ok
- }
- response = target.path("basic").request().property(HttpAuthenticationFeature.HTTP_AUTHENTICATION_BASIC_USERNAME, "bart")
- .property(HttpAuthenticationFeature.HTTP_AUTHENTICATION_BASIC_PASSWORD, "Bart")
- .get();
- check(response, 200, "BASIC:bart");
- }
- @Test
- public void testUniversalBasic() {
- Response response = target().path("resource").path("basic")
- .register(HttpAuthenticationFeature.universalBuilder().credentials("homer", "Homer").build())
- .request().get();
- check(response, 200, "BASIC:homer");
- }
- /**
- * Reproducer for JERSEY-2941: BasicAuthenticator#filterResponseAndAuthenticate: auth-scheme checks should be case
- * insensitve.
- */
- @Test
- public void testUniversalBasicCaseSensitivity() {
- Response response;
- response = target().path("resource").path("basic")
- .register(HttpAuthenticationFeature.universalBuilder().credentials("homer", "Homer").build())
- .request()
- // no AUTH_SCHEME_CASE header = mixed case
- .get();
- check(response, 200, "BASIC:homer");
- response = target().path("resource").path("basic")
- .register(HttpAuthenticationFeature.universalBuilder().credentials("homer", "Homer").build())
- .request()
- .header(BasicFilter.AUTH_SCHEME_CASE, "lowercase")
- .get();
- check(response, 200, "BASIC:homer");
- response = target().path("resource").path("basic")
- .register(HttpAuthenticationFeature.universalBuilder().credentials("homer", "Homer").build())
- .request()
- .header(BasicFilter.AUTH_SCHEME_CASE, "uppercase")
- .get();
- check(response, 200, "BASIC:homer");
- }
- @Test
- public void testUniversalBasicWrongPassword() {
- Response response = target().path("resource").path("basic")
- .register(HttpAuthenticationFeature.universalBuilder().credentials("homer", "FOO").build())
- .request().get();
- check(response, 401);
- }
- @Test
- public void testBasicWithDifferentCredentials() {
- final WebTarget target = target().path("resource").path("basic")
- .register(HttpAuthenticationFeature.basicBuilder().credentials("marge", "Marge").build());
- _testBasicWithDifferentCredentials(target);
- }
- @Test
- public void testBasicUniversalWithDifferentCredentials() {
- final WebTarget target = target().path("resource").path("basic")
- .register(HttpAuthenticationFeature.universalBuilder().credentials("marge", "Marge").build());
- _testBasicWithDifferentCredentials(target);
- }
- public void _testBasicWithDifferentCredentials(WebTarget target) {
- Response response = target
- .request().get();
- check(response, 200, "BASIC:marge");
- response = target.request().property(HttpAuthenticationFeature.HTTP_AUTHENTICATION_USERNAME, "bart")
- .property(HttpAuthenticationFeature.HTTP_AUTHENTICATION_PASSWORD, "Bart")
- .get();
- check(response, 200, "BASIC:bart");
- response = target.request().property(HttpAuthenticationFeature.HTTP_AUTHENTICATION_BASIC_USERNAME, "bart")
- .property(HttpAuthenticationFeature.HTTP_AUTHENTICATION_BASIC_PASSWORD, "Bart")
- .get();
- check(response, 200, "BASIC:bart");
- response = target.request().property(HttpAuthenticationFeature.HTTP_AUTHENTICATION_DIGEST_USERNAME, "bart")
- .property(HttpAuthenticationFeature.HTTP_AUTHENTICATION_DIGEST_PASSWORD, "Bart")
- .get();
- check(response, 200, "BASIC:marge");
- }
- @Test
- public void testDigest() {
- Response response = target().path("resource").path("digest")
- .register(HttpAuthenticationFeature.digest("homer", "Homer"))
- .request().get();
- check(response, 200, "DIGEST:homer");
- }
- @Test
- public void testDigestWithPasswords() {
- final WebTarget target = target().path("resource").path("digest")
- .register(HttpAuthenticationFeature.digest("homer", "Homer"));
- _testDigestWithPasswords(target);
- }
- @Test
- public void testUniversalDigestWithPasswords() {
- final WebTarget target = target().path("resource").path("digest")
- .register(HttpAuthenticationFeature.universalBuilder().credentials("homer", "Homer").build());
- _testDigestWithPasswords(target);
- }
- public void _testDigestWithPasswords(WebTarget target) {
- Response response = target.request().get();
- check(response, 200, "DIGEST:homer");
- response = target.request().property(HttpAuthenticationFeature.HTTP_AUTHENTICATION_DIGEST_USERNAME, "bart")
- .property(HttpAuthenticationFeature.HTTP_AUTHENTICATION_DIGEST_PASSWORD, "Bart")
- .get();
- check(response, 200, "DIGEST:bart");
- response = target.request().property(HttpAuthenticationFeature.HTTP_AUTHENTICATION_BASIC_USERNAME, "bart")
- .property(HttpAuthenticationFeature.HTTP_AUTHENTICATION_BASIC_PASSWORD, "Bart")
- .get();
- check(response, 200, "DIGEST:homer");
- response = target.request().property(HttpAuthenticationFeature.HTTP_AUTHENTICATION_USERNAME, "bart")
- .property(HttpAuthenticationFeature.HTTP_AUTHENTICATION_PASSWORD, "Bart")
- .get();
- check(response, 200, "DIGEST:bart");
- }
- @Test
- public void testDigestWithEmptyDefaultPassword() {
- final WebTarget target = target().path("resource")
- .register(HttpAuthenticationFeature.digest());
- _testDigestWithEmptyDefaultPassword(target);
- }
- @Test
- public void testDigestUniversalWithEmptyDefaultPassword() {
- final WebTarget target = target().path("resource")
- .register(HttpAuthenticationFeature.universalBuilder().build());
- _testDigestWithEmptyDefaultPassword(target);
- }
- public void _testDigestWithEmptyDefaultPassword(WebTarget target) {
- Response response = target.request().get();
- check(response, 200, "unsecure");
- response = target.request().property(HttpAuthenticationFeature.HTTP_AUTHENTICATION_DIGEST_USERNAME, "bart")
- .property(HttpAuthenticationFeature.HTTP_AUTHENTICATION_DIGEST_PASSWORD, "Bart")
- .get();
- check(response, 200, "unsecure");
- response = target.path("digest").request().property(HttpAuthenticationFeature.HTTP_AUTHENTICATION_DIGEST_USERNAME, "bart")
- .property(HttpAuthenticationFeature.HTTP_AUTHENTICATION_DIGEST_PASSWORD, "Bart")
- .get();
- check(response, 200, "DIGEST:bart");
- try {
- target.path("digest").request()
- .property(HttpAuthenticationFeature.HTTP_AUTHENTICATION_BASIC_USERNAME, "bart")
- .property(HttpAuthenticationFeature.HTTP_AUTHENTICATION_BASIC_PASSWORD, "Bart")
- .get();
- Assert.fail("should throw an exception as no credentials were supplied for digest auth");
- } catch (Exception e) {
- // ok
- }
- response = target.path("digest").request().property(HttpAuthenticationFeature.HTTP_AUTHENTICATION_USERNAME, "bart")
- .property(HttpAuthenticationFeature.HTTP_AUTHENTICATION_PASSWORD, "Bart")
- .get();
- check(response, 200, "DIGEST:bart");
- }
- private void check(Response response, int status, String entity) {
- Assert.assertEquals(status, response.getStatus());
- Assert.assertEquals(entity, response.readEntity(String.class));
- }
- private void check(Response response, int status) {
- Assert.assertEquals(status, response.getStatus());
- }
- @Test
- public void testDigestUniversalSimple() {
- Response response = target().path("resource").path("digest")
- .register(HttpAuthenticationFeature.universalBuilder().credentials("homer", "Homer").build())
- .request().get();
- check(response, 200, "DIGEST:homer");
- }
- @Test
- public void testDigestUniversalSimple2() {
- Response response = target().path("resource").path("digest")
- .register(HttpAuthenticationFeature.universalBuilder().credentialsForDigest("homer", "Homer").build())
- .request().get();
- check(response, 200, "DIGEST:homer");
- }
- @Test
- public void testDigestUniversalSimple3() {
- Response response = target().path("resource").path("digest")
- .register(HttpAuthenticationFeature.universalBuilder()
- .credentialsForDigest("homer", "Homer")
- .credentialsForBasic("foo", "bar")
- .build())
- .request().get();
- check(response, 200, "DIGEST:homer");
- }
- @Test
- public void testDigestUniversalSimple4() {
- Response response = target().path("resource").path("digest")
- .register(HttpAuthenticationFeature.universal("homer", "Homer"))
- .request().get();
- check(response, 200, "DIGEST:homer");
- }
- @Test
- public void testUniversal() {
- final WebTarget target = target().path("resource")
- .register(HttpAuthenticationFeature.universal("homer", "Homer"));
- check(target.request().get(), 200, "unsecure");
- check(target.path("digest").request().get(), 200, "DIGEST:homer");
- check(target.path("basic").request().get(), 200, "BASIC:homer");
- check(target.path("basic").request().get(), 200, "BASIC:homer");
- check(target.path("digest").request().get(), 200, "DIGEST:homer");
- check(target.path("digest").request().get(), 200, "DIGEST:homer");
- check(target.path("digest").request().get(), 200, "DIGEST:homer");
- check(target.path("basic").request().get(), 200, "BASIC:homer");
- check(target.path("basic").request().property(HttpAuthenticationFeature.HTTP_AUTHENTICATION_DIGEST_USERNAME, "bart")
- .property(HttpAuthenticationFeature.HTTP_AUTHENTICATION_DIGEST_PASSWORD, "Bart").get(), 200, "BASIC:homer");
- check(target.path("digest").request().property(HttpAuthenticationFeature.HTTP_AUTHENTICATION_DIGEST_USERNAME, "bart")
- .property(HttpAuthenticationFeature.HTTP_AUTHENTICATION_DIGEST_PASSWORD, "Bart").get(), 200, "DIGEST:bart");
- check(target.path("digest").request().property(HttpAuthenticationFeature.HTTP_AUTHENTICATION_USERNAME, "bart")
- .property(HttpAuthenticationFeature.HTTP_AUTHENTICATION_PASSWORD, "Bart").get(), 200, "DIGEST:bart");
- check(target.path("alternating").request().get(), 200, "BASIC:homer");
- check(target.path("alternating").request().get(), 200, "DIGEST:homer");
- check(target.path("alternating").request().get(), 200, "BASIC:homer");
- check(target.path("basic").request().get(), 200, "BASIC:homer");
- check(target.path("alternating").request().property(HttpAuthenticationFeature.HTTP_AUTHENTICATION_USERNAME, "bart")
- .property(HttpAuthenticationFeature.HTTP_AUTHENTICATION_PASSWORD, "Bart").get(), 200, "DIGEST:bart");
- check(target.path("alternating").request().property(HttpAuthenticationFeature.HTTP_AUTHENTICATION_USERNAME, "bart")
- .property(HttpAuthenticationFeature.HTTP_AUTHENTICATION_PASSWORD, "Bart").get(), 200, "BASIC:bart");
- }
- }