@Test
  public void testUncoveredHttpMethodDetection() throws Exception {
    _security.setAuthenticator(new BasicAuthenticator());
    _server.start();

    Set<String> paths = _security.getPathsWithUncoveredHttpMethods();
    assertEquals(1, paths.size());
    assertEquals("/*", paths.iterator().next());
  }
Esempio n. 2
0
  private static final SecurityHandler basicAuth(String realm) {

    OpenfireLoginService l = new OpenfireLoginService();
    l.setName(realm);

    Constraint constraint = new Constraint();
    constraint.setName(Constraint.__BASIC_AUTH);
    constraint.setRoles(new String[] {"jmxweb"});
    constraint.setAuthenticate(true);

    ConstraintMapping cm = new ConstraintMapping();
    cm.setConstraint(constraint);
    cm.setPathSpec("/*");

    ConstraintSecurityHandler csh = new ConstraintSecurityHandler();
    csh.setAuthenticator(new BasicAuthenticator());
    csh.setRealmName(realm);
    csh.addConstraintMapping(cm);
    csh.setLoginService(l);

    return csh;
  }
  @Test
  public void testUncoveredHttpMethodsDenied() throws Exception {
    try {
      _security.setDenyUncoveredHttpMethods(false);
      _security.setAuthenticator(new BasicAuthenticator());
      _server.start();

      // There are uncovered methods for GET/POST at url /*
      // without deny-uncovered-http-methods they should be accessible
      String response;
      response = _connector.getResponses("GET /ctx/index.html HTTP/1.0\r\n\r\n");
      assertThat(response, startsWith("HTTP/1.1 200 OK"));

      // set deny-uncovered-http-methods true
      _security.setDenyUncoveredHttpMethods(true);

      // check they cannot be accessed
      response = _connector.getResponses("GET /ctx/index.html HTTP/1.0\r\n\r\n");
      assertTrue(response.startsWith("HTTP/1.1 403 Forbidden"));
    } finally {
      _security.setDenyUncoveredHttpMethods(false);
    }
  }
Esempio n. 4
0
  protected void createServer(Connector connector) throws Exception {
    _server.setConnectors(new Connector[] {connector});

    if (H2O.ARGS.hash_login || H2O.ARGS.ldap_login) {
      // REFER TO
      // http://www.eclipse.org/jetty/documentation/9.1.4.v20140401/embedded-examples.html#embedded-secured-hello-handler
      if (H2O.ARGS.login_conf == null) {
        Log.err("Must specify -login_conf argument");
        H2O.exit(1);
      }

      LoginService loginService;
      if (H2O.ARGS.hash_login) {
        Log.info("Configuring HashLoginService");
        loginService = new HashLoginService("H2O", H2O.ARGS.login_conf);
      } else if (H2O.ARGS.ldap_login) {
        Log.info("Configuring JAASLoginService (with LDAP)");
        System.setProperty("java.security.auth.login.config", H2O.ARGS.login_conf);
        loginService = new JAASLoginService("ldaploginmodule");
      } else {
        throw H2O.fail();
      }
      IdentityService identityService = new DefaultIdentityService();
      loginService.setIdentityService(identityService);
      _server.addBean(loginService);

      // Set a security handler as the first handler in the chain.
      ConstraintSecurityHandler security = new ConstraintSecurityHandler();

      // Set up a constraint to authenticate all calls, and allow certain roles in.
      Constraint constraint = new Constraint();
      constraint.setName("auth");
      constraint.setAuthenticate(true);

      // Configure role stuff (to be disregarded).  We are ignoring roles, and only going off the
      // user name.
      //
      //   Jetty 8 and prior.
      //
      //     Jetty 8 requires the security.setStrict(false) and ANY_ROLE.
      security.setStrict(false);
      constraint.setRoles(new String[] {Constraint.ANY_ROLE});

      //   Jetty 9 and later.
      //
      //     Jetty 9 and later uses a different servlet spec, and ANY_AUTH gives the same behavior
      //     for that API version as ANY_ROLE did previously.  This required some low-level
      // debugging
      //     to figure out, so I'm documenting it here.
      //     Jetty 9 did not require security.setStrict(false).
      //
      // constraint.setRoles(new String[]{Constraint.ANY_AUTH});

      ConstraintMapping mapping = new ConstraintMapping();
      mapping.setPathSpec("/*"); // Lock down all API calls
      mapping.setConstraint(constraint);
      security.setConstraintMappings(Collections.singletonList(mapping));

      // Authentication / Authorization
      security.setAuthenticator(new BasicAuthenticator());
      security.setLoginService(loginService);

      // Pass-through to H2O if authenticated.
      registerHandlers(security);
      _server.setHandler(security);
    } else {
      registerHandlers(_server);
    }

    _server.start();
  }
  @Before
  public void setupSecurity() {
    _security = new ConstraintSecurityHandler();
    _session.setHandler(_security);
    RequestHandler _handler = new RequestHandler();
    _security.setHandler(_handler);

    /*

    <security-constraint>
    <web-resource-collection>
    <web-resource-name>precluded methods</web-resource-name>
    <url-pattern>/*</url-pattern>
    <url-pattern>/acme/wholesale/*</url-pattern>
    <url-pattern>/acme/retail/*</url-pattern>
    <http-method-exception>GET</http-method-exception>
    <http-method-exception>POST</http-method-exception>
    </web-resource-collection>
    <auth-constraint/>
    </security-constraint>
    */

    Constraint constraint0 = new Constraint();
    constraint0.setAuthenticate(true);
    constraint0.setName("precluded methods");
    ConstraintMapping mapping0 = new ConstraintMapping();
    mapping0.setPathSpec("/*");
    mapping0.setConstraint(constraint0);
    mapping0.setMethodOmissions(new String[] {"GET", "POST"});

    ConstraintMapping mapping1 = new ConstraintMapping();
    mapping1.setPathSpec("/acme/wholesale/*");
    mapping1.setConstraint(constraint0);
    mapping1.setMethodOmissions(new String[] {"GET", "POST"});

    ConstraintMapping mapping2 = new ConstraintMapping();
    mapping2.setPathSpec("/acme/retail/*");
    mapping2.setConstraint(constraint0);
    mapping2.setMethodOmissions(new String[] {"GET", "POST"});

    /*

    <security-constraint>
    <web-resource-collection>
    <web-resource-name>wholesale</web-resource-name>
    <url-pattern>/acme/wholesale/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
    <role-name>SALESCLERK</role-name>
    </auth-constraint>
    </security-constraint>
    */
    Constraint constraint1 = new Constraint();
    constraint1.setAuthenticate(true);
    constraint1.setName("wholesale");
    constraint1.setRoles(new String[] {"SALESCLERK"});
    ConstraintMapping mapping3 = new ConstraintMapping();
    mapping3.setPathSpec("/acme/wholesale/*");
    mapping3.setConstraint(constraint1);
    mapping3.setMethod("GET");
    ConstraintMapping mapping4 = new ConstraintMapping();
    mapping4.setPathSpec("/acme/wholesale/*");
    mapping4.setConstraint(constraint1);
    mapping4.setMethod("PUT");

    /*
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>wholesale 2</web-resource-name>
        <url-pattern>/acme/wholesale/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>CONTRACTOR</role-name>
      </auth-constraint>
      <user-data-constraint>
         <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
     */
    Constraint constraint2 = new Constraint();
    constraint2.setAuthenticate(true);
    constraint2.setName("wholesale 2");
    constraint2.setRoles(new String[] {"CONTRACTOR"});
    constraint2.setDataConstraint(Constraint.DC_CONFIDENTIAL);
    ConstraintMapping mapping5 = new ConstraintMapping();
    mapping5.setPathSpec("/acme/wholesale/*");
    mapping5.setMethod("GET");
    mapping5.setConstraint(constraint2);
    ConstraintMapping mapping6 = new ConstraintMapping();
    mapping6.setPathSpec("/acme/wholesale/*");
    mapping6.setMethod("POST");
    mapping6.setConstraint(constraint2);

    /*
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>retail</web-resource-name>
    <url-pattern>/acme/retail/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
    <role-name>CONTRACTOR</role-name>
    <role-name>HOMEOWNER</role-name>
    </auth-constraint>
    </security-constraint>
    */
    Constraint constraint4 = new Constraint();
    constraint4.setName("retail");
    constraint4.setAuthenticate(true);
    constraint4.setRoles(new String[] {"CONTRACTOR", "HOMEOWNER"});
    ConstraintMapping mapping7 = new ConstraintMapping();
    mapping7.setPathSpec("/acme/retail/*");
    mapping7.setMethod("GET");
    mapping7.setConstraint(constraint4);
    ConstraintMapping mapping8 = new ConstraintMapping();
    mapping8.setPathSpec("/acme/retail/*");
    mapping8.setMethod("POST");
    mapping8.setConstraint(constraint4);

    Set<String> knownRoles = new HashSet<String>();
    knownRoles.add("CONTRACTOR");
    knownRoles.add("HOMEOWNER");
    knownRoles.add("SALESCLERK");

    _security.setConstraintMappings(
        Arrays.asList(
            new ConstraintMapping[] {
              mapping0, mapping1, mapping2, mapping3, mapping4, mapping5, mapping6, mapping7,
              mapping8
            }),
        knownRoles);
  }
  @Test
  public void testBasic() throws Exception {

    _security.setAuthenticator(new BasicAuthenticator());
    _server.start();

    String response;
    /*
      /star                 all methods except GET/POST forbidden
      /acme/wholesale/star  all methods except GET/POST forbidden
      /acme/retail/star     all methods except GET/POST forbidden
      /acme/wholesale/star  GET must be in role CONTRACTOR or SALESCLERK
      /acme/wholesale/star  POST must be in role CONTRACTOR and confidential transport
      /acme/retail/star     GET must be in role CONTRACTOR or HOMEOWNER
      /acme/retail/star     POST must be in role CONTRACTOR or HOMEOWNER
    */

    // a user in role HOMEOWNER is forbidden HEAD request
    response = _connector.getResponses("HEAD /ctx/index.html HTTP/1.0\r\n\r\n");
    assertTrue(response.startsWith("HTTP/1.1 403 Forbidden"));

    response =
        _connector.getResponses(
            "HEAD /ctx/index.html HTTP/1.0\r\n"
                + "Authorization: Basic "
                + B64Code.encode("harry:password")
                + "\r\n"
                + "\r\n");
    assertThat(response, startsWith("HTTP/1.1 403 Forbidden"));

    response =
        _connector.getResponses(
            "HEAD /ctx/acme/wholesale/index.html HTTP/1.0\r\n"
                + "Authorization: Basic "
                + B64Code.encode("harry:password")
                + "\r\n"
                + "\r\n");
    assertThat(response, startsWith("HTTP/1.1 403 Forbidden"));

    response =
        _connector.getResponses(
            "HEAD /ctx/acme/retail/index.html HTTP/1.0\r\n"
                + "Authorization: Basic "
                + B64Code.encode("harry:password")
                + "\r\n"
                + "\r\n");
    assertThat(response, startsWith("HTTP/1.1 403 Forbidden"));

    // a user in role CONTRACTOR can do a GET
    response =
        _connector.getResponses(
            "GET /ctx/acme/wholesale/index.html HTTP/1.0\r\n"
                + "Authorization: Basic "
                + B64Code.encode("chris:password")
                + "\r\n"
                + "\r\n");

    assertThat(response, startsWith("HTTP/1.1 200 OK"));

    // a user in role CONTRACTOR can only do a post if confidential
    response =
        _connector.getResponses(
            "POST /ctx/acme/wholesale/index.html HTTP/1.0\r\n"
                + "Authorization: Basic "
                + B64Code.encode("chris:password")
                + "\r\n"
                + "\r\n");
    assertThat(response, startsWith("HTTP/1.1 403 !"));

    // a user in role HOMEOWNER can do a GET
    response =
        _connector.getResponses(
            "GET /ctx/acme/retail/index.html HTTP/1.0\r\n"
                + "Authorization: Basic "
                + B64Code.encode("harry:password")
                + "\r\n"
                + "\r\n");
    assertThat(response, startsWith("HTTP/1.1 200 OK"));
  }