Adding a new sample/test for http-omission

Author: arun-gupta

servlet/pom.xml

@@ -30,5 +30,8 @@
         <module>security-form-based</module>
         <module>security-programmatic</module>
         <module>security-deny-uncovered</module>
+<!--        <module>security-annotated</module>
+        <module>security-digest</module>-->
+        <module>security-basicauth-omission</module>
     </modules>
 </project>

servlet/security-basicauth-omission/pom.xml

@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>org.javaee7.servlet</groupId>
+        <artifactId>servlet-samples</artifactId>
+        <version>1.0-SNAPSHOT</version>
+        <relativePath>../pom.xml</relativePath>
+    </parent>
+
+    <artifactId>security-basicauth-omission</artifactId>
+    <packaging>war</packaging>
+</project>

servlet/security-basicauth-omission/src/main/java/org/javaee7/servlet/security/basicauth/omission/SecureServlet.java

@@ -0,0 +1,119 @@
+/*
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
+ *
+ * Copyright (c) 2013 Oracle and/or its affiliates. All rights reserved.
+ *
+ * The contents of this file are subject to the terms of either the GNU
+ * General Public License Version 2 only ("GPL") or the Common Development
+ * and Distribution License("CDDL") (collectively, the "License").  You
+ * may not use this file except in compliance with the License.  You can
+ * obtain a copy of the License at
+ * https://glassfish.dev.java.net/public/CDDL+GPL_1_1.html
+ * or packager/legal/LICENSE.txt.  See the License for the specific
+ * language governing permissions and limitations under the License.
+ *
+ * When distributing the software, include this License Header Notice in each
+ * file and include the License file at packager/legal/LICENSE.txt.
+ *
+ * GPL Classpath Exception:
+ * Oracle designates this particular file as subject to the "Classpath"
+ * exception as provided by Oracle in the GPL Version 2 section of the License
+ * file that accompanied this code.
+ *
+ * Modifications:
+ * If applicable, add the following below the License Header, with the fields
+ * enclosed by brackets [] replaced by your own identifying information:
+ * "Portions Copyright [year] [name of copyright owner]"
+ *
+ * Contributor(s):
+ * If you wish your version of this file to be governed by only the CDDL or
+ * only the GPL Version 2, indicate your decision by adding "[Contributor]
+ * elects to include this software in this distribution under the [CDDL or GPL
+ * Version 2] license."  If you don't indicate a single choice of license, a
+ * recipient has the option to distribute your version of this file under
+ * either the CDDL, the GPL Version 2 or to extend the choice of license to
+ * its licensees as provided above.  However, if you add GPL Version 2 code
+ * and therefore, elected the GPL Version 2 license, then the option applies
+ * only if the new code is made subject to such option by the copyright
+ * holder.
+ */
+package org.javaee7.servlet.security.basicauth.omission;
+
+import java.io.IOException;
+import java.io.PrintWriter;
+import javax.servlet.ServletException;
+import javax.servlet.annotation.WebServlet;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+/**
+ * @author Arun Gupta
+ */
+@WebServlet(urlPatterns = {"/SecureServlet"})
+public class SecureServlet extends HttpServlet {
+
+    /**
+     * Processes requests for both HTTP <code>GET</code> and <code>POST</code>
+     * methods.
+     *
+     * @param request servlet request
+     * @param response servlet response
+     * @throws ServletException if a servlet-specific error occurs
+     * @throws IOException if an I/O error occurs
+     */
+    protected void processRequest(HttpServletRequest request, HttpServletResponse response, String method)
+            throws ServletException, IOException {
+        response.setContentType("text/html;charset=UTF-8");
+        PrintWriter out = response.getWriter();
+        out.println("<!DOCTYPE html>");
+        out.println("<html>");
+        out.println("<head>");
+        out.println("<title>Servlet Security - Basic Auth with File-base Realm</title>");
+        out.println("</head>");
+        out.println("<body>");
+        out.println("<h1>Basic Auth with File-base Realm (" + method + ")</h1>");
+        out.println("<h2>Were you prompted for username/password ?</h2>");
+        out.println("</body>");
+        out.println("</html>");
+    }
+
+    // <editor-fold defaultstate="collapsed" desc="HttpServlet methods. Click on the + sign on the left to edit the code.">
+    /**
+     * Handles the HTTP <code>GET</code> method.
+     *
+     * @param request servlet request
+     * @param response servlet response
+     * @throws ServletException if a servlet-specific error occurs
+     * @throws IOException if an I/O error occurs
+     */
+    @Override
+    protected void doGet(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+        processRequest(request, response, "GET");
+    }
+
+    /**
+     * Handles the HTTP <code>POST</code> method.
+     *
+     * @param request servlet request
+     * @param response servlet response
+     * @throws ServletException if a servlet-specific error occurs
+     * @throws IOException if an I/O error occurs
+     */
+    @Override
+    protected void doPost(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+        processRequest(request, response, "POST");
+    }
+
+    /**
+     * Returns a short description of the servlet.
+     *
+     * @return a String containing servlet description
+     */
+    @Override
+    public String getServletInfo() {
+        return "Short description";
+    }// </editor-fold>
+}

servlet/security-basicauth-omission/src/main/webapp/WEB-INF/glassfish-web.xml

@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+/*
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
+ *
+ * Copyright (c) 2013 Oracle and/or its affiliates. All rights reserved.
+ *
+ * The contents of this file are subject to the terms of either the GNU
+ * General Public License Version 2 only ("GPL") or the Common Development
+ * and Distribution License("CDDL") (collectively, the "License").  You
+ * may not use this file except in compliance with the License.  You can
+ * obtain a copy of the License at
+ * https://glassfish.dev.java.net/public/CDDL+GPL_1_1.html
+ * or packager/legal/LICENSE.txt.  See the License for the specific
+ * language governing permissions and limitations under the License.
+ *
+ * When distributing the software, include this License Header Notice in each
+ * file and include the License file at packager/legal/LICENSE.txt.
+ *
+ * GPL Classpath Exception:
+ * Oracle designates this particular file as subject to the "Classpath"
+ * exception as provided by Oracle in the GPL Version 2 section of the License
+ * file that accompanied this code.
+ *
+ * Modifications:
+ * If applicable, add the following below the License Header, with the fields
+ * enclosed by brackets [] replaced by your own identifying information:
+ * "Portions Copyright [year] [name of copyright owner]"
+ *
+ * Contributor(s):
+ * If you wish your version of this file to be governed by only the CDDL or
+ * only the GPL Version 2, indicate your decision by adding "[Contributor]
+ * elects to include this software in this distribution under the [CDDL or GPL
+ * Version 2] license."  If you don't indicate a single choice of license, a
+ * recipient has the option to distribute your version of this file under
+ * either the CDDL, the GPL Version 2 or to extend the choice of license to
+ * its licensees as provided above.  However, if you add GPL Version 2 code
+ * and therefore, elected the GPL Version 2 license, then the option applies
+ * only if the new code is made subject to such option by the copyright
+ * holder.
+ */
+-->
+<!DOCTYPE glassfish-web-app PUBLIC "-//GlassFish.org//DTD GlassFish Application Server 3.1 Servlet 3.0//EN" "http://glassfish.org/dtds/glassfish-web-app_3_0-1.dtd">
+<glassfish-web-app error-url="">
+    <security-role-mapping>
+        <role-name>g1</role-name>
+        <principal-name>g1</principal-name>
+        <group-name>g1</group-name>
+    </security-role-mapping>
+</glassfish-web-app>

servlet/security-basicauth-omission/src/main/webapp/WEB-INF/web.xml

@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
+         version="3.1">
+    <!--<deny-uncovered-http-methods/>-->
+    <security-constraint>
+        <web-resource-collection>
+            <web-resource-name>SecureServlet</web-resource-name>
+            <url-pattern>/SecureServlet</url-pattern>
+            <!--<http-method>GET</http-method>-->
+            <http-method-omission>POST</http-method-omission>
+        </web-resource-collection>
+        <auth-constraint>
+            <role-name>g1</role-name>
+        </auth-constraint>
+    </security-constraint>
+    
+    <login-config>
+        <auth-method>BASIC</auth-method>
+        <realm-name>file</realm-name>
+    </login-config>
+    
+    <security-role>
+        <role-name>g1</role-name>
+    </security-role>
+</web-app>

servlet/security-basicauth-omission/src/main/webapp/index.jsp

@@ -0,0 +1,61 @@
+<!-- 
+/*
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
+ *
+ * Copyright (c) 2013 Oracle and/or its affiliates. All rights reserved.
+ *
+ * The contents of this file are subject to the terms of either the GNU
+ * General Public License Version 2 only ("GPL") or the Common Development
+ * and Distribution License("CDDL") (collectively, the "License").  You
+ * may not use this file except in compliance with the License.  You can
+ * obtain a copy of the License at
+ * https://glassfish.dev.java.net/public/CDDL+GPL_1_1.html
+ * or packager/legal/LICENSE.txt.  See the License for the specific
+ * language governing permissions and limitations under the License.
+ *
+ * When distributing the software, include this License Header Notice in each
+ * file and include the License file at packager/legal/LICENSE.txt.
+ *
+ * GPL Classpath Exception:
+ * Oracle designates this particular file as subject to the "Classpath"
+ * exception as provided by Oracle in the GPL Version 2 section of the License
+ * file that accompanied this code.
+ *
+ * Modifications:
+ * If applicable, add the following below the License Header, with the fields
+ * enclosed by brackets [] replaced by your own identifying information:
+ * "Portions Copyright [year] [name of copyright owner]"
+ *
+ * Contributor(s):
+ * If you wish your version of this file to be governed by only the CDDL or
+ * only the GPL Version 2, indicate your decision by adding "[Contributor]
+ * elects to include this software in this distribution under the [CDDL or GPL
+ * Version 2] license."  If you don't indicate a single choice of license, a
+ * recipient has the option to distribute your version of this file under
+ * either the CDDL, the GPL Version 2 or to extend the choice of license to
+ * its licensees as provided above.  However, if you add GPL Version 2 code
+ * and therefore, elected the GPL Version 2 license, then the option applies
+ * only if the new code is made subject to such option by the copyright
+ * holder.
+ */
+-->
+
+<%@page contentType="text/html" pageEncoding="UTF-8"%>
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
+   "http://www.w3.org/TR/html4/loose.dtd">
+
+<html>
+    <head>
+        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+        <title>Servlet : Security</title>
+    </head>
+    <body>
+        <h1>Servlet : Security</h1>
+        
+        Make sure to create a user:<br><br>
+        
+        For WildFly: Invoke "./bin/add-user.sh -a -u u1 -p p1 -g g1"<br>
+        For GlassFish: Invoke "./bin/asadmin create-file-user --groups g1 u1" and use the password "p1" when prompted.<br><br>
+        Then call the <a href="${pageContext.request.contextPath}/SecureServlet">GET</a> method.<br/>
+    </body>
+</html>

servlet/security-basicauth-omission/src/test/java/org/javaee7/servlet/security/basicauth/omission/SecureServletTest.java

@@ -0,0 +1,113 @@
+package org.javaee7.servlet.security.basicauth.omission;
+
+import com.meterware.httpunit.AuthorizationRequiredException;
+import com.meterware.httpunit.GetMethodWebRequest;
+import com.meterware.httpunit.PostMethodWebRequest;
+import com.meterware.httpunit.WebConversation;
+import com.meterware.httpunit.WebResponse;
+import java.io.File;
+import java.net.URL;
+import org.jboss.arquillian.container.test.api.Deployment;
+import org.jboss.arquillian.junit.Arquillian;
+import org.jboss.arquillian.test.api.ArquillianResource;
+import org.jboss.shrinkwrap.api.ShrinkWrap;
+import org.jboss.shrinkwrap.api.spec.WebArchive;
+import org.junit.Test;
+import static org.junit.Assert.*;
+import org.junit.runner.RunWith;
+
+/**
+ * @author Arun Gupta
+ */
+@RunWith(Arquillian.class)
+public class SecureServletTest {
+    
+    private static final String WEBAPP_SRC = "src/main/webapp";
+
+    @ArquillianResource
+    private URL base;
+    
+    @Deployment(testable = false)
+    public static WebArchive createDeployment() {
+        WebArchive war = ShrinkWrap.create(WebArchive.class).
+                addClass(SecureServlet.class).
+                addAsWebInfResource((new File(WEBAPP_SRC + "/WEB-INF", "web.xml")));
+        return war;
+    }
+
+    @Test
+    public void testGetWithCorrectCredentials() throws Exception {
+        WebConversation conv = new WebConversation();
+        conv.setAuthentication("file", "u1", "p1");
+        GetMethodWebRequest getRequest = new GetMethodWebRequest(base + "/SecureServlet");
+        WebResponse response = null;
+        try {
+            response = conv.getResponse(getRequest);
+        } catch (AuthorizationRequiredException e) {
+            fail(e.getMessage());
+        }
+        assertNotNull(response);
+        assertTrue(response.getText().contains("<title>Servlet Security - Basic Auth with File-base Realm</title>"));
+    }
+
+    @Test
+    public void testGetWithIncorrectCredentials() throws Exception {
+        WebConversation conv = new WebConversation();
+        conv.setAuthentication("file", "u", "p1");
+        GetMethodWebRequest getRequest = new GetMethodWebRequest(base + "/SecureServlet");
+        try {
+            conv.getResponse(getRequest);
+        } catch (AuthorizationRequiredException e) {
+            assertNotNull(e);
+            return;
+        }
+        fail("/SecureServlet could be accessed without proper security credentials");
+    }    
+
+    @Test
+    public void testSPostWithNoCredentials() throws Exception {
+        WebConversation conv = new WebConversation();
+//        conv.setAuthentication("file", "u1", "p1");
+        PostMethodWebRequest getRequest = new PostMethodWebRequest(base + "/SecureServlet");
+        WebResponse response = null;
+        try {
+            response = conv.getResponse(getRequest);
+        } catch (AuthorizationRequiredException e) {
+            fail(e.getMessage());
+        }
+        assertNotNull(response);
+        assertTrue(response.getText().contains("<title>Servlet Security - Basic Auth with File-base Realm</title>"));
+    }
+
+    @Test
+    public void testPostWithCorrectCredentials() throws Exception {
+        WebConversation conv = new WebConversation();
+        conv.setAuthentication("file", "u1", "p1");
+        PostMethodWebRequest getRequest = new PostMethodWebRequest(base + "/SecureServlet");
+        WebResponse response = null;
+        try {
+            response = conv.getResponse(getRequest);
+        } catch (AuthorizationRequiredException e) {
+            fail(e.getMessage());
+        }
+        assertNotNull(response);
+        assertTrue(response.getText().contains("<title>Servlet Security - Basic Auth with File-base Realm</title>"));
+    }
+    
+
+    @Test
+    public void testPostWithIncorrectCredentials() throws Exception {
+        WebConversation conv = new WebConversation();
+        conv.setAuthentication("file", "random", "random");
+        PostMethodWebRequest getRequest = new PostMethodWebRequest(base + "/SecureServlet");
+        WebResponse response = null;
+        try {
+            response = conv.getResponse(getRequest);
+        } catch (AuthorizationRequiredException e) {
+            fail(e.getMessage());
+        }
+        assertNotNull(response);
+        assertTrue(response.getText().contains("<title>Servlet Security - Basic Auth with File-base Realm</title>"));
+    }
+    
+}