/* * Choreograph the steps of the test dialogue with the server * 1. while not authenticated, try to access a protected resource * 2. respond to the login challenge with good credentials * 3. after successful login, follow the redirect to the original page * 4. repeatedly access the protected resource to demonstrate * persistence of the authenticated session * * @param resourceMethod HTTP method for accessing the protected resource * @param redirectMethod HTTP method for the login FORM reply * @param useContinue whether the HTTP client should expect a 100 Continue * @param clientShouldUseCookies whether the client should send cookies * @param serverWillUseCookies whether the server should send cookies * */ private String doTest( String resourceMethod, String redirectMethod, boolean useContinue, boolean clientShouldUseCookies, boolean serverWillUseCookies, boolean serverWillChangeSessid) throws Exception { client = new FormAuthClient(clientShouldUseCookies, serverWillUseCookies, serverWillChangeSessid); // First request for protected resource gets the login page client.setUseContinue(useContinue); client.doResourceRequest(resourceMethod, false, null, null); assertTrue(client.isResponse200()); assertTrue(client.isResponseBodyOK()); String loginUri = client.extractBodyUri(FormAuthClient.LOGIN_PARAM_TAG, FormAuthClient.LOGIN_RESOURCE); String originalSessionId = null; if (serverWillUseCookies && clientShouldUseCookies) { originalSessionId = client.getSessionId(); } else { originalSessionId = client.extractPathSessionId(loginUri); } client.reset(); // Second request replies to the login challenge client.setUseContinue(useContinue); client.doLoginRequest(loginUri); assertTrue("login failed " + client.getResponseLine(), client.isResponse302()); assertTrue(client.isResponseBodyOK()); String redirectUri = client.getRedirectUri(); client.reset(); // Third request - the login was successful so // follow the redirect to the protected resource client.doResourceRequest(redirectMethod, true, redirectUri, null); if ("POST".equals(redirectMethod)) { client.setUseContinue(useContinue); } assertTrue(client.isResponse200()); assertTrue(client.isResponseBodyOK()); String protectedUri = client.extractBodyUri(FormAuthClient.RESOURCE_PARAM_TAG, FormAuthClient.PROTECTED_RESOURCE); String newSessionId = null; if (serverWillUseCookies && clientShouldUseCookies) { newSessionId = client.getSessionId(); } else { newSessionId = client.extractPathSessionId(protectedUri); } boolean sessionIdIsChanged = !(originalSessionId.equals(newSessionId)); assertTrue(sessionIdIsChanged == serverWillChangeSessid); client.reset(); // Subsequent requests - keep accessing the protected resource doTestProtected(resourceMethod, protectedUri, useContinue, FormAuthClient.LOGIN_SUCCESSFUL, 5); return protectedUri; // in case more requests will be issued }
/* * Repeatedly access the protected resource after the client has * successfully logged-in to the webapp. The current session attributes * will be used and cannot be changed. * 3. after successful login, follow the redirect to the original page * 4. repeatedly access the protected resource to demonstrate * persistence of the authenticated session * * @param resourceMethod HTTP method for accessing the protected resource * @param protectedUri to access (with or withour sessionid) * @param useContinue whether the HTTP client should expect a 100 Continue * @param clientShouldUseCookies whether the client should send cookies * @param serverWillUseCookies whether the server should send cookies * */ private void doTestProtected( String resourceMethod, String protectedUri, boolean useContinue, int phase, int repeatCount) throws Exception { // Subsequent requests - keep accessing the protected resource for (int i = 0; i < repeatCount; i++) { client.setUseContinue(useContinue); client.doResourceRequest(resourceMethod, false, protectedUri, null); assertTrue(client.isResponse200()); assertTrue(client.isResponseBodyOK(phase)); client.reset(); } }