@Test public void testUncoveredHttpMethodDetection() throws Exception { _security.setAuthenticator(new BasicAuthenticator()); _server.start(); Set<String> paths = _security.getPathsWithUncoveredHttpMethods(); assertEquals(1, paths.size()); assertEquals("/*", paths.iterator().next()); }
private static final SecurityHandler basicAuth(String realm) { OpenfireLoginService l = new OpenfireLoginService(); l.setName(realm); Constraint constraint = new Constraint(); constraint.setName(Constraint.__BASIC_AUTH); constraint.setRoles(new String[] {"jmxweb"}); constraint.setAuthenticate(true); ConstraintMapping cm = new ConstraintMapping(); cm.setConstraint(constraint); cm.setPathSpec("/*"); ConstraintSecurityHandler csh = new ConstraintSecurityHandler(); csh.setAuthenticator(new BasicAuthenticator()); csh.setRealmName(realm); csh.addConstraintMapping(cm); csh.setLoginService(l); return csh; }
@Test public void testUncoveredHttpMethodsDenied() throws Exception { try { _security.setDenyUncoveredHttpMethods(false); _security.setAuthenticator(new BasicAuthenticator()); _server.start(); // There are uncovered methods for GET/POST at url /* // without deny-uncovered-http-methods they should be accessible String response; response = _connector.getResponses("GET /ctx/index.html HTTP/1.0\r\n\r\n"); assertThat(response, startsWith("HTTP/1.1 200 OK")); // set deny-uncovered-http-methods true _security.setDenyUncoveredHttpMethods(true); // check they cannot be accessed response = _connector.getResponses("GET /ctx/index.html HTTP/1.0\r\n\r\n"); assertTrue(response.startsWith("HTTP/1.1 403 Forbidden")); } finally { _security.setDenyUncoveredHttpMethods(false); } }
protected void createServer(Connector connector) throws Exception { _server.setConnectors(new Connector[] {connector}); if (H2O.ARGS.hash_login || H2O.ARGS.ldap_login) { // REFER TO // http://www.eclipse.org/jetty/documentation/9.1.4.v20140401/embedded-examples.html#embedded-secured-hello-handler if (H2O.ARGS.login_conf == null) { Log.err("Must specify -login_conf argument"); H2O.exit(1); } LoginService loginService; if (H2O.ARGS.hash_login) { Log.info("Configuring HashLoginService"); loginService = new HashLoginService("H2O", H2O.ARGS.login_conf); } else if (H2O.ARGS.ldap_login) { Log.info("Configuring JAASLoginService (with LDAP)"); System.setProperty("java.security.auth.login.config", H2O.ARGS.login_conf); loginService = new JAASLoginService("ldaploginmodule"); } else { throw H2O.fail(); } IdentityService identityService = new DefaultIdentityService(); loginService.setIdentityService(identityService); _server.addBean(loginService); // Set a security handler as the first handler in the chain. ConstraintSecurityHandler security = new ConstraintSecurityHandler(); // Set up a constraint to authenticate all calls, and allow certain roles in. Constraint constraint = new Constraint(); constraint.setName("auth"); constraint.setAuthenticate(true); // Configure role stuff (to be disregarded). We are ignoring roles, and only going off the // user name. // // Jetty 8 and prior. // // Jetty 8 requires the security.setStrict(false) and ANY_ROLE. security.setStrict(false); constraint.setRoles(new String[] {Constraint.ANY_ROLE}); // Jetty 9 and later. // // Jetty 9 and later uses a different servlet spec, and ANY_AUTH gives the same behavior // for that API version as ANY_ROLE did previously. This required some low-level // debugging // to figure out, so I'm documenting it here. // Jetty 9 did not require security.setStrict(false). // // constraint.setRoles(new String[]{Constraint.ANY_AUTH}); ConstraintMapping mapping = new ConstraintMapping(); mapping.setPathSpec("/*"); // Lock down all API calls mapping.setConstraint(constraint); security.setConstraintMappings(Collections.singletonList(mapping)); // Authentication / Authorization security.setAuthenticator(new BasicAuthenticator()); security.setLoginService(loginService); // Pass-through to H2O if authenticated. registerHandlers(security); _server.setHandler(security); } else { registerHandlers(_server); } _server.start(); }
@Before public void setupSecurity() { _security = new ConstraintSecurityHandler(); _session.setHandler(_security); RequestHandler _handler = new RequestHandler(); _security.setHandler(_handler); /* <security-constraint> <web-resource-collection> <web-resource-name>precluded methods</web-resource-name> <url-pattern>/*</url-pattern> <url-pattern>/acme/wholesale/*</url-pattern> <url-pattern>/acme/retail/*</url-pattern> <http-method-exception>GET</http-method-exception> <http-method-exception>POST</http-method-exception> </web-resource-collection> <auth-constraint/> </security-constraint> */ Constraint constraint0 = new Constraint(); constraint0.setAuthenticate(true); constraint0.setName("precluded methods"); ConstraintMapping mapping0 = new ConstraintMapping(); mapping0.setPathSpec("/*"); mapping0.setConstraint(constraint0); mapping0.setMethodOmissions(new String[] {"GET", "POST"}); ConstraintMapping mapping1 = new ConstraintMapping(); mapping1.setPathSpec("/acme/wholesale/*"); mapping1.setConstraint(constraint0); mapping1.setMethodOmissions(new String[] {"GET", "POST"}); ConstraintMapping mapping2 = new ConstraintMapping(); mapping2.setPathSpec("/acme/retail/*"); mapping2.setConstraint(constraint0); mapping2.setMethodOmissions(new String[] {"GET", "POST"}); /* <security-constraint> <web-resource-collection> <web-resource-name>wholesale</web-resource-name> <url-pattern>/acme/wholesale/*</url-pattern> <http-method>GET</http-method> <http-method>PUT</http-method> </web-resource-collection> <auth-constraint> <role-name>SALESCLERK</role-name> </auth-constraint> </security-constraint> */ Constraint constraint1 = new Constraint(); constraint1.setAuthenticate(true); constraint1.setName("wholesale"); constraint1.setRoles(new String[] {"SALESCLERK"}); ConstraintMapping mapping3 = new ConstraintMapping(); mapping3.setPathSpec("/acme/wholesale/*"); mapping3.setConstraint(constraint1); mapping3.setMethod("GET"); ConstraintMapping mapping4 = new ConstraintMapping(); mapping4.setPathSpec("/acme/wholesale/*"); mapping4.setConstraint(constraint1); mapping4.setMethod("PUT"); /* <security-constraint> <web-resource-collection> <web-resource-name>wholesale 2</web-resource-name> <url-pattern>/acme/wholesale/*</url-pattern> <http-method>GET</http-method> <http-method>POST</http-method> </web-resource-collection> <auth-constraint> <role-name>CONTRACTOR</role-name> </auth-constraint> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint> */ Constraint constraint2 = new Constraint(); constraint2.setAuthenticate(true); constraint2.setName("wholesale 2"); constraint2.setRoles(new String[] {"CONTRACTOR"}); constraint2.setDataConstraint(Constraint.DC_CONFIDENTIAL); ConstraintMapping mapping5 = new ConstraintMapping(); mapping5.setPathSpec("/acme/wholesale/*"); mapping5.setMethod("GET"); mapping5.setConstraint(constraint2); ConstraintMapping mapping6 = new ConstraintMapping(); mapping6.setPathSpec("/acme/wholesale/*"); mapping6.setMethod("POST"); mapping6.setConstraint(constraint2); /* <security-constraint> <web-resource-collection> <web-resource-name>retail</web-resource-name> <url-pattern>/acme/retail/*</url-pattern> <http-method>GET</http-method> <http-method>POST</http-method> </web-resource-collection> <auth-constraint> <role-name>CONTRACTOR</role-name> <role-name>HOMEOWNER</role-name> </auth-constraint> </security-constraint> */ Constraint constraint4 = new Constraint(); constraint4.setName("retail"); constraint4.setAuthenticate(true); constraint4.setRoles(new String[] {"CONTRACTOR", "HOMEOWNER"}); ConstraintMapping mapping7 = new ConstraintMapping(); mapping7.setPathSpec("/acme/retail/*"); mapping7.setMethod("GET"); mapping7.setConstraint(constraint4); ConstraintMapping mapping8 = new ConstraintMapping(); mapping8.setPathSpec("/acme/retail/*"); mapping8.setMethod("POST"); mapping8.setConstraint(constraint4); Set<String> knownRoles = new HashSet<String>(); knownRoles.add("CONTRACTOR"); knownRoles.add("HOMEOWNER"); knownRoles.add("SALESCLERK"); _security.setConstraintMappings( Arrays.asList( new ConstraintMapping[] { mapping0, mapping1, mapping2, mapping3, mapping4, mapping5, mapping6, mapping7, mapping8 }), knownRoles); }
@Test public void testBasic() throws Exception { _security.setAuthenticator(new BasicAuthenticator()); _server.start(); String response; /* /star all methods except GET/POST forbidden /acme/wholesale/star all methods except GET/POST forbidden /acme/retail/star all methods except GET/POST forbidden /acme/wholesale/star GET must be in role CONTRACTOR or SALESCLERK /acme/wholesale/star POST must be in role CONTRACTOR and confidential transport /acme/retail/star GET must be in role CONTRACTOR or HOMEOWNER /acme/retail/star POST must be in role CONTRACTOR or HOMEOWNER */ // a user in role HOMEOWNER is forbidden HEAD request response = _connector.getResponses("HEAD /ctx/index.html HTTP/1.0\r\n\r\n"); assertTrue(response.startsWith("HTTP/1.1 403 Forbidden")); response = _connector.getResponses( "HEAD /ctx/index.html HTTP/1.0\r\n" + "Authorization: Basic " + B64Code.encode("harry:password") + "\r\n" + "\r\n"); assertThat(response, startsWith("HTTP/1.1 403 Forbidden")); response = _connector.getResponses( "HEAD /ctx/acme/wholesale/index.html HTTP/1.0\r\n" + "Authorization: Basic " + B64Code.encode("harry:password") + "\r\n" + "\r\n"); assertThat(response, startsWith("HTTP/1.1 403 Forbidden")); response = _connector.getResponses( "HEAD /ctx/acme/retail/index.html HTTP/1.0\r\n" + "Authorization: Basic " + B64Code.encode("harry:password") + "\r\n" + "\r\n"); assertThat(response, startsWith("HTTP/1.1 403 Forbidden")); // a user in role CONTRACTOR can do a GET response = _connector.getResponses( "GET /ctx/acme/wholesale/index.html HTTP/1.0\r\n" + "Authorization: Basic " + B64Code.encode("chris:password") + "\r\n" + "\r\n"); assertThat(response, startsWith("HTTP/1.1 200 OK")); // a user in role CONTRACTOR can only do a post if confidential response = _connector.getResponses( "POST /ctx/acme/wholesale/index.html HTTP/1.0\r\n" + "Authorization: Basic " + B64Code.encode("chris:password") + "\r\n" + "\r\n"); assertThat(response, startsWith("HTTP/1.1 403 !")); // a user in role HOMEOWNER can do a GET response = _connector.getResponses( "GET /ctx/acme/retail/index.html HTTP/1.0\r\n" + "Authorization: Basic " + B64Code.encode("harry:password") + "\r\n" + "\r\n"); assertThat(response, startsWith("HTTP/1.1 200 OK")); }