Adding a new sample/test for JAX-RS basic authentication security

Author: arun-gupta

jaxrs/jaxrs-security-declarative/pom.xml

@@ -0,0 +1,13 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>org.javaee7.jaxrs</groupId>
+        <artifactId>jaxrs-samples</artifactId>
+        <version>1.0-SNAPSHOT</version>
+        <relativePath>../pom.xml</relativePath>
+    </parent>
+
+    <artifactId>jaxrs-security-declarative</artifactId>
+    <packaging>war</packaging>
+</project>

jaxrs/jaxrs-security-declarative/src/main/java/org/javaee7/jaxrs/security/declarative/MyApplication.java

@@ -0,0 +1,59 @@
+/*
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
+ *
+ * Copyright (c) 2013 Oracle and/or its affiliates. All rights reserved.
+ *
+ * The contents of this file are subject to the terms of either the GNU
+ * General Public License Version 2 only ("GPL") or the Common Development
+ * and Distribution License("CDDL") (collectively, the "License").  You
+ * may not use this file except in compliance with the License.  You can
+ * obtain a copy of the License at
+ * https://glassfish.dev.java.net/public/CDDL+GPL_1_1.html
+ * or packager/legal/LICENSE.txt.  See the License for the specific
+ * language governing permissions and limitations under the License.
+ *
+ * When distributing the software, include this License Header Notice in each
+ * file and include the License file at packager/legal/LICENSE.txt.
+ *
+ * GPL Classpath Exception:
+ * Oracle designates this particular file as subject to the "Classpath"
+ * exception as provided by Oracle in the GPL Version 2 section of the License
+ * file that accompanied this code.
+ *
+ * Modifications:
+ * If applicable, add the following below the License Header, with the fields
+ * enclosed by brackets [] replaced by your own identifying information:
+ * "Portions Copyright [year] [name of copyright owner]"
+ *
+ * Contributor(s):
+ * If you wish your version of this file to be governed by only the CDDL or
+ * only the GPL Version 2, indicate your decision by adding "[Contributor]
+ * elects to include this software in this distribution under the [CDDL or GPL
+ * Version 2] license."  If you don't indicate a single choice of license, a
+ * recipient has the option to distribute your version of this file under
+ * either the CDDL, the GPL Version 2 or to extend the choice of license to
+ * its licensees as provided above.  However, if you add GPL Version 2 code
+ * and therefore, elected the GPL Version 2 license, then the option applies
+ * only if the new code is made subject to such option by the copyright
+ * holder.
+ */
+package org.javaee7.jaxrs.security.declarative;
+
+import java.util.Set;
+import javax.ws.rs.ApplicationPath;
+import javax.ws.rs.core.Application;
+
+/**
+ * @author Arun Gupta
+ */
+@ApplicationPath("webresources")
+public class MyApplication extends Application {
+
+    @Override
+    public Set<Class<?>> getClasses() {
+        Set<Class<?>> resources = new java.util.HashSet<>();
+        resources.add(MyResource.class);
+        return resources;
+    }
+    
+}

jaxrs/jaxrs-security-declarative/src/main/java/org/javaee7/jaxrs/security/declarative/MyResource.java

@@ -0,0 +1,48 @@
+package org.javaee7.jaxrs.security.declarative;
+
+import javax.ejb.EJB;
+import javax.enterprise.context.RequestScoped;
+import javax.ws.rs.Consumes;
+import javax.ws.rs.DELETE;
+import javax.ws.rs.FormParam;
+import javax.ws.rs.GET;
+import javax.ws.rs.POST;
+import javax.ws.rs.PUT;
+import javax.ws.rs.Path;
+import javax.ws.rs.PathParam;
+import javax.ws.rs.Produces;
+import javax.ws.rs.core.MediaType;
+
+/**
+ * @author Arun Gupta
+ */
+@Path("myresource")
+@RequestScoped
+public class MyResource {
+    @GET
+    public String get() {
+        return "get";
+    }
+    
+    @GET
+    @Path("{id}")
+    public String getPerson(@PathParam("id")int id) {
+        return "get" + id;
+    }
+
+    @POST
+    @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
+    public String addToList(@FormParam("name") String name) {
+        return "post " + name;
+    }
+
+    @PUT
+    public void putToList() {
+        System.out.println("put invoked");
+    }
+
+    @DELETE
+    public void delete() {
+        System.out.println("delete invoked");
+    }
+}

jaxrs/jaxrs-security-declarative/src/main/webapp/WEB-INF/web.xml

@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
+	 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	 xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
+	 version="3.1">
+    <deny-uncovered-http-methods/>
+    <security-constraint>
+        <web-resource-collection>
+            <web-resource-name>SecureResource</web-resource-name>
+            <url-pattern>/webresources/*</url-pattern>
+            <http-method>GET</http-method>
+        </web-resource-collection>
+        <auth-constraint>
+            <role-name>g1</role-name>
+        </auth-constraint>
+    </security-constraint>
+    
+    <login-config>
+        <auth-method>BASIC</auth-method>
+        <realm-name>file</realm-name>
+    </login-config>
+    
+    <security-role>
+        <role-name>g1</role-name>
+    </security-role>
+</web-app>

jaxrs/jaxrs-security-declarative/src/test/java/org/javaee7/jaxrs/security/declarative/MyResourceTest.java

@@ -0,0 +1,121 @@
+package org.javaee7.jaxrs.security.declarative;
+
+import com.meterware.httpunit.AuthorizationRequiredException;
+import com.meterware.httpunit.GetMethodWebRequest;
+import com.meterware.httpunit.HttpException;
+import com.meterware.httpunit.PostMethodWebRequest;
+import com.meterware.httpunit.PutMethodWebRequest;
+import com.meterware.httpunit.WebConversation;
+import com.meterware.httpunit.WebResponse;
+import java.io.ByteArrayInputStream;
+import java.io.File;
+import java.io.IOException;
+import java.net.URL;
+import static org.junit.Assert.assertEquals;
+
+import org.jboss.arquillian.container.test.api.Deployment;
+import org.jboss.arquillian.junit.Arquillian;
+import org.jboss.arquillian.test.api.ArquillianResource;
+import org.jboss.shrinkwrap.api.ShrinkWrap;
+import org.jboss.shrinkwrap.api.spec.WebArchive;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.xml.sax.SAXException;
+
+/**
+ * @author Arun Gupta
+ */
+@RunWith(Arquillian.class)
+public class MyResourceTest {
+
+    @ArquillianResource
+    private URL base;
+    
+    private static final String WEBAPP_SRC = "src/main/webapp";
+    
+    @Deployment(testable = false)
+    public static WebArchive createDeployment() {
+        return ShrinkWrap.create(WebArchive.class)
+                .addAsWebInfResource((new File(WEBAPP_SRC + "/WEB-INF", "web.xml")))
+                .addClasses(MyApplication.class, MyResource.class);
+    }
+
+    @Test
+    public void testGetWithCorrectCredentials() throws IOException, SAXException {
+        WebConversation conv = new WebConversation();
+        conv.setAuthentication("file", "u1", "p1");
+        GetMethodWebRequest getRequest = new GetMethodWebRequest(base + "/webresources/myresource");
+        WebResponse response = null;
+        try {
+            response = conv.getResponse(getRequest);
+        } catch (AuthorizationRequiredException e) {
+            fail(e.getMessage());
+        }
+        assertNotNull(response);
+        assertTrue(response.getText().contains("get"));
+    }
+
+    @Test
+    public void testGetSubResourceWithCorrectCredentials() throws IOException, SAXException {
+        WebConversation conv = new WebConversation();
+        conv.setAuthentication("file", "u1", "p1");
+        GetMethodWebRequest getRequest = new GetMethodWebRequest(base + "/webresources/myresource/1");
+        WebResponse response = null;
+        try {
+            response = conv.getResponse(getRequest);
+        } catch (AuthorizationRequiredException e) {
+            fail(e.getMessage());
+        }
+        assertNotNull(response);
+        assertTrue(response.getText().contains("get1"));
+    }
+
+    @Test
+    public void testGetWithIncorrectCredentials() throws IOException, SAXException {
+        WebConversation conv = new WebConversation();
+        conv.setAuthentication("file", "random", "random");
+        GetMethodWebRequest getRequest = new GetMethodWebRequest(base + "/webresources/myresource");
+        try {
+            WebResponse response = conv.getResponse(getRequest);
+        } catch (AuthorizationRequiredException e) {
+            assertNotNull(e);
+            return;
+        }
+        fail("GET can be called with incorrect credentials");
+    }
+
+    @Test
+    public void testPost() throws IOException, SAXException {
+        WebConversation conv = new WebConversation();
+        conv.setAuthentication("file", "u1", "p1");
+        PostMethodWebRequest postRequest = new PostMethodWebRequest(base + "/webresources/myresource");
+        try {
+            WebResponse response = conv.getResponse(postRequest);
+        } catch (HttpException e) {
+            assertNotNull(e);
+            assertEquals(403, e.getResponseCode());
+            return;
+        }
+        fail("POST is not authorized and can still be called");
+    }
+
+    @Test
+    public void testPut() throws IOException, SAXException {
+        WebConversation conv = new WebConversation();
+        conv.setAuthentication("file", "u1", "p1");
+        byte[] bytes = new byte[8];
+        ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
+        PutMethodWebRequest putRequest = new PutMethodWebRequest(base + "/webresources/myresource", bais, "text/plain");
+        try {
+            WebResponse response = conv.getResponse(putRequest);
+        } catch (HttpException e) {
+            assertNotNull(e);
+            assertEquals(403, e.getResponseCode());
+            return;
+        }
+        fail("PUT is not authorized and can still be called");
+    }
+}

jaxrs/pom.xml

@@ -40,5 +40,6 @@
         <!--<module>server-sent-event</module>-->
         <module>singleton</module>
         <module>readerwriter-injection</module>
+        <module>jaxrs-security-declarative</module>
     </modules>
 </project>