org.jboss.as.test.integration.web.security.servlet.methods.DenyUncoveredHttpMethodsTestCase.java Source code

Java tutorial

Introduction

Here is the source code for org.jboss.as.test.integration.web.security.servlet.methods.DenyUncoveredHttpMethodsTestCase.java

Source

/*
 * JBoss, Home of Professional Open Source.
 * Copyright 2015, Red Hat, Inc., and individual contributors
 * as indicated by the @author tags. See the copyright.txt file in the
 * distribution for a full listing of individual contributors.
 *
 * This is free software; you can redistribute it and/or modify it
 * under the terms of the GNU Lesser General Public License as
 * published by the Free Software Foundation; either version 2.1 of
 * the License, or (at your option) any later version.
 *
 * This software is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this software; if not, write to the Free
 * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
 * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
 */
package org.jboss.as.test.integration.web.security.servlet.methods;

import java.io.IOException;
import java.net.URL;
import javax.servlet.http.HttpServletResponse;
import org.apache.http.HttpResponse;
import org.apache.http.client.methods.HttpDelete;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpHead;
import org.apache.http.client.methods.HttpOptions;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.client.methods.HttpPut;
import org.apache.http.client.methods.HttpTrace;
import org.apache.http.client.methods.HttpUriRequest;
import org.apache.http.impl.client.DefaultHttpClient;
import static org.hamcrest.CoreMatchers.is;
import org.jboss.arquillian.container.test.api.Deployment;
import org.jboss.arquillian.container.test.api.RunAsClient;
import org.jboss.arquillian.junit.Arquillian;
import org.jboss.arquillian.test.api.ArquillianResource;
import org.jboss.as.arquillian.api.ServerSetup;
import org.jboss.as.test.integration.web.security.WebTestsSecurityDomainSetup;
import org.jboss.shrinkwrap.api.ShrinkWrap;
import org.jboss.shrinkwrap.api.spec.WebArchive;
import static org.junit.Assert.assertThat;

import org.junit.Test;
import org.junit.runner.RunWith;

/**
 * Tests whether the <deny-uncovered-http-methods/> tag in web.xml behavior is correct.
 *
 * @author Jan Tymel
 */
@RunWith(Arquillian.class)
@RunAsClient
@ServerSetup(WebTestsSecurityDomainSetup.class)
public class DenyUncoveredHttpMethodsTestCase {

    @ArquillianResource(SecuredServlet.class)
    URL deploymentURL;

    @Test
    public void testCorrectUserAndPassword() throws Exception {
        HttpGet httpGet = new HttpGet(getURL());
        HttpResponse response = getHttpResponse(httpGet);

        assertThat(statusCodeOf(response), is(HttpServletResponse.SC_UNAUTHORIZED));
    }

    @Test
    public void testHeadMethod() throws Exception {
        HttpHead httpHead = new HttpHead(getURL());
        HttpResponse response = getHttpResponse(httpHead);

        assertThat(statusCodeOf(response), is(HttpServletResponse.SC_UNAUTHORIZED));
    }

    @Test
    public void testTraceMethod() throws Exception {
        HttpTrace httpTrace = new HttpTrace(getURL());
        HttpResponse response = getHttpResponse(httpTrace);

        assertThat(statusCodeOf(response), is(HttpServletResponse.SC_METHOD_NOT_ALLOWED));
    }

    @Test
    public void testPostMethod() throws Exception {
        HttpPost httpPost = new HttpPost(getURL());
        HttpResponse response = getHttpResponse(httpPost);

        assertThat(statusCodeOf(response), is(HttpServletResponse.SC_FORBIDDEN));
    }

    @Test
    public void testPutMethod() throws Exception {
        HttpPut httpPut = new HttpPut(getURL());
        HttpResponse response = getHttpResponse(httpPut);

        assertThat(statusCodeOf(response), is(HttpServletResponse.SC_FORBIDDEN));
    }

    @Test
    public void testDeleteMethod() throws Exception {
        HttpDelete httpDelete = new HttpDelete(getURL());
        HttpResponse response = getHttpResponse(httpDelete);

        assertThat(statusCodeOf(response), is(HttpServletResponse.SC_FORBIDDEN));
    }

    @Test
    public void testOptionsMethod() throws Exception {
        HttpOptions httpOptions = new HttpOptions(getURL());
        HttpResponse response = getHttpResponse(httpOptions);

        assertThat(statusCodeOf(response), is(HttpServletResponse.SC_FORBIDDEN));
    }

    /**
     * Tests whether the <deny-uncovered-http-methods/> tag filters methods before the servlet is called. This test creates
     * custom HTTP method and tries to invoke it. If <deny-uncovered-http-methods/> works correctly status code 403 should be
     * returned. 403 should be returned also in case the servlet returns anything else for unknown HTTP methods as well.
     *
     * @throws Exception
     */
    @Test
    public void testCustomMethod() throws Exception {
        HttpUriRequest request = new HttpGet(getURL()) {

            @Override
            public String getMethod() {
                return "customMethod";
            }
        };

        HttpResponse response = getHttpResponse(request);

        assertThat(statusCodeOf(response), is(HttpServletResponse.SC_FORBIDDEN));
    }

    private HttpResponse getHttpResponse(HttpUriRequest request) throws IOException {
        DefaultHttpClient httpClient = new DefaultHttpClient();
        HttpResponse response = httpClient.execute(request);
        return response;
    }

    private int statusCodeOf(HttpResponse response) {
        return response.getStatusLine().getStatusCode();
    }

    private String getURL() {
        return deploymentURL.toString() + "secured/";
    }

    @Deployment
    public static WebArchive deployment() throws IOException {
        WebArchive war = ShrinkWrap.create(WebArchive.class, "deny-uncovered-http-methods.war");
        war.addClass(SecuredServlet.class);

        Package warPackage = DenyUncoveredHttpMethodsTestCase.class.getPackage();

        war.setWebXML(warPackage, "web.xml");

        return war;
    }
}