Adding a new sample/test for @ServletSecurity - still failing and needs further investigation on how security needs to be specified completely using annotations

Author: arun-gupta

servlet/security-annotated/pom.xml

@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>org.javaee7.servlet</groupId>
+        <artifactId>servlet-samples</artifactId>
+        <version>1.0-SNAPSHOT</version>
+        <relativePath>../pom.xml</relativePath>
+    </parent>
+
+    <artifactId>security-annotated</artifactId>
+    <packaging>war</packaging>
+</project>

servlet/security-annotated/src/main/java/org/javaee7/servlet/security/annotated/SecureServlet.java

@@ -0,0 +1,79 @@
+package org.javaee7.servlet.security.annotated;
+
+import java.io.IOException;
+import java.io.PrintWriter;
+import javax.servlet.ServletException;
+import javax.servlet.annotation.HttpConstraint;
+import javax.servlet.annotation.HttpMethodConstraint;
+import javax.servlet.annotation.ServletSecurity;
+import javax.servlet.annotation.WebServlet;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+/**
+ * @author Arun Gupta
+ */
+@WebServlet("/SecureServlet")
+@ServletSecurity(value = @HttpConstraint(rolesAllowed = {"g1"}),
+        httpMethodConstraints = {
+            @HttpMethodConstraint(value = "GET", rolesAllowed = {"g1"}),
+            @HttpMethodConstraint(value = "POST", rolesAllowed = {"g1"})
+        })
+public class SecureServlet extends HttpServlet {
+
+    protected void processRequest(HttpServletRequest request, HttpServletResponse response, String method)
+            throws ServletException, IOException {
+        response.setContentType("text/html;charset=UTF-8");
+        PrintWriter out = response.getWriter();
+        out.println("<!DOCTYPE html>");
+        out.println("<html>");
+        out.println("<head>");
+        out.println("<title>Servlet Security Annotated - Basic Auth with File-base Realm</title>");
+        out.println("</head>");
+        out.println("<body>");
+        out.println("<h1>Basic Auth with File-base Realm (" + method + ")</h1>");
+        out.println("<h2>Were you prompted for username/password ?</h2>");
+        out.println("</body>");
+        out.println("</html>");
+    }
+
+    // <editor-fold defaultstate="collapsed" desc="HttpServlet methods. Click on the + sign on the left to edit the code.">
+    /**
+     * Handles the HTTP <code>GET</code> method.
+     *
+     * @param request servlet request
+     * @param response servlet response
+     * @throws ServletException if a servlet-specific error occurs
+     * @throws IOException if an I/O error occurs
+     */
+    @Override
+    protected void doGet(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+        processRequest(request, response, "GET");
+    }
+
+    /**
+     * Handles the HTTP <code>POST</code> method.
+     *
+     * @param request servlet request
+     * @param response servlet response
+     * @throws ServletException if a servlet-specific error occurs
+     * @throws IOException if an I/O error occurs
+     */
+    @Override
+    protected void doPost(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+        processRequest(request, response, "POST");
+    }
+
+    /**
+     * Returns a short description of the servlet.
+     *
+     * @return a String containing servlet description
+     */
+    @Override
+    public String getServletInfo() {
+        return "Short description";
+    }// </editor-fold>
+}

servlet/security-annotated/src/main/webapp/WEB-INF/glassfish-web.xml

@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+/*
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
+ *
+ * Copyright (c) 2013 Oracle and/or its affiliates. All rights reserved.
+ *
+ * The contents of this file are subject to the terms of either the GNU
+ * General Public License Version 2 only ("GPL") or the Common Development
+ * and Distribution License("CDDL") (collectively, the "License").  You
+ * may not use this file except in compliance with the License.  You can
+ * obtain a copy of the License at
+ * https://glassfish.dev.java.net/public/CDDL+GPL_1_1.html
+ * or packager/legal/LICENSE.txt.  See the License for the specific
+ * language governing permissions and limitations under the License.
+ *
+ * When distributing the software, include this License Header Notice in each
+ * file and include the License file at packager/legal/LICENSE.txt.
+ *
+ * GPL Classpath Exception:
+ * Oracle designates this particular file as subject to the "Classpath"
+ * exception as provided by Oracle in the GPL Version 2 section of the License
+ * file that accompanied this code.
+ *
+ * Modifications:
+ * If applicable, add the following below the License Header, with the fields
+ * enclosed by brackets [] replaced by your own identifying information:
+ * "Portions Copyright [year] [name of copyright owner]"
+ *
+ * Contributor(s):
+ * If you wish your version of this file to be governed by only the CDDL or
+ * only the GPL Version 2, indicate your decision by adding "[Contributor]
+ * elects to include this software in this distribution under the [CDDL or GPL
+ * Version 2] license."  If you don't indicate a single choice of license, a
+ * recipient has the option to distribute your version of this file under
+ * either the CDDL, the GPL Version 2 or to extend the choice of license to
+ * its licensees as provided above.  However, if you add GPL Version 2 code
+ * and therefore, elected the GPL Version 2 license, then the option applies
+ * only if the new code is made subject to such option by the copyright
+ * holder.
+ */
+-->
+<!DOCTYPE glassfish-web-app PUBLIC "-//GlassFish.org//DTD GlassFish Application Server 3.1 Servlet 3.0//EN" "http://glassfish.org/dtds/glassfish-web-app_3_0-1.dtd">
+<glassfish-web-app error-url="">
+    <security-role-mapping>
+        <role-name>g1</role-name>
+        <principal-name>g1</principal-name>
+        <group-name>g1</group-name>
+    </security-role-mapping>
+</glassfish-web-app>

servlet/security-annotated/src/test/java/org/javaee7/servlet/security/annotated/SecureServletTest.java

@@ -0,0 +1,92 @@
+package org.javaee7.servlet.security.annotated;
+
+import com.meterware.httpunit.AuthorizationRequiredException;
+import com.meterware.httpunit.GetMethodWebRequest;
+import com.meterware.httpunit.PostMethodWebRequest;
+import com.meterware.httpunit.WebConversation;
+import com.meterware.httpunit.WebResponse;
+import java.net.URL;
+import org.jboss.arquillian.container.test.api.Deployment;
+import org.jboss.arquillian.junit.Arquillian;
+import org.jboss.arquillian.test.api.ArquillianResource;
+import org.jboss.shrinkwrap.api.ShrinkWrap;
+import org.jboss.shrinkwrap.api.spec.WebArchive;
+import org.junit.Test;
+import static org.junit.Assert.*;
+import org.junit.runner.RunWith;
+
+/**
+ * @author Arun Gupta
+ */
+@RunWith(Arquillian.class)
+public class SecureServletTest {
+    
+    @ArquillianResource
+    private URL base;
+    
+    @Deployment(testable = false)
+    public static WebArchive createDeployment() {
+        WebArchive war = ShrinkWrap.create(WebArchive.class).
+                addClass(SecureServlet.class);
+        return war;
+    }
+
+    @Test
+    public void testGetWithCorrectCredentials() throws Exception {
+        WebConversation conv = new WebConversation();
+        conv.setAuthentication("file", "u1", "p1");
+        GetMethodWebRequest getRequest = new GetMethodWebRequest(base + "/SecureServlet");
+        WebResponse response = null;
+        try {
+            response = conv.getResponse(getRequest);
+        } catch (AuthorizationRequiredException e) {
+            fail(e.getMessage());
+        }
+        assertNotNull(response);
+        assertTrue(response.getText().contains("<title>Servlet Security Annotated - Basic Auth with File-base Realm</title>"));
+    }
+
+    @Test
+    public void testGetWithIncorrectCredentials() throws Exception {
+        WebConversation conv = new WebConversation();
+        conv.setAuthentication("file", "random", "random");
+        GetMethodWebRequest getRequest = new GetMethodWebRequest(base + "/SecureServlet");
+        try {
+            conv.getResponse(getRequest);
+        } catch (AuthorizationRequiredException e) {
+            assertNotNull(e);
+            return;
+        }
+        fail("/SecureServlet could be accessed without proper security credentials");
+    }
+
+    @Test
+    public void testPostWithCorrectCredentials() throws Exception {
+        WebConversation conv = new WebConversation();
+        conv.setAuthentication("file", "u1", "p1");
+        PostMethodWebRequest getRequest = new PostMethodWebRequest(base + "/SecureServlet");
+        WebResponse response = null;
+        try {
+            response = conv.getResponse(getRequest);
+        } catch (AuthorizationRequiredException e) {
+            fail(e.getMessage());
+        }
+        assertNotNull(response);
+        assertTrue(response.getText().contains("<title>Servlet Security Annotated - Basic Auth with File-base Realm</title>"));
+    }
+
+    @Test
+    public void testPostWithIncorrectCredentials() throws Exception {
+        WebConversation conv = new WebConversation();
+        conv.setAuthentication("file", "random", "random");
+        PostMethodWebRequest getRequest = new PostMethodWebRequest(base + "/SecureServlet");
+        try {
+            conv.getResponse(getRequest);
+        } catch (AuthorizationRequiredException e) {
+            assertNotNull(e);
+            return;
+        }
+        fail("/SecureServlet could be accessed without proper security credentials");
+    }
+    
+}