Author: markt Date: Fri Jun 21 12:41:13 2013 New Revision: 1495414 URL: http://svn.apache.org/r1495414 Log: Expand the test cases for servlet security annotations to cover denyUncoveredHttpMethods. Fix the failure identified by violetagg.
Modified: tomcat/trunk/java/org/apache/catalina/core/StandardContext.java
tomcat/trunk/test/org/apache/catalina/core/TestStandardWrapper.java
Modified: tomcat/trunk/java/org/apache/catalina/core/StandardContext.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/core/StandardContext.java?rev=1495414&r1=1495413&r2=1495414&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/core/StandardContext.java (original)
+++ tomcat/trunk/java/org/apache/catalina/core/StandardContext.java Fri Jun 21 12:41:13 2013
@@ -5291,7 +5291,7 @@ public class StandardContext extends Con
 // Needs to be after SCIs and listeners as they may programatically
 // change constraints
 if (ok) {
- checkConstraintsForUncoveredMethods();
+ checkConstraintsForUncoveredMethods(findConstraints());
 }
 try {
@@ -5358,9 +5358,10 @@ public class StandardContext extends Con
 }
- private void checkConstraintsForUncoveredMethods() {
+ private void checkConstraintsForUncoveredMethods(
+ SecurityConstraint[] constraints) {
 SecurityConstraint[] newConstraints =
- SecurityConstraint.findUncoveredHttpMethods(findConstraints(),
+ SecurityConstraint.findUncoveredHttpMethods(constraints,
 getDenyUncoveredHttpMethods(), getLogger());
 for (SecurityConstraint constraint : newConstraints) {
 addConstraint(constraint);
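Review bot: `checkConstraintsForUncoveredMethods` now derives uncovered-method constraints only from the array it is handed, and the second caller this commit adds in StandardContext passes just the constraints being registered rather than `findConstraints()`, so constraints already present for the same URL pattern (from web.xml or an earlier servlet) are presumably not considered when deciding what is uncovered — if `SecurityConstraint.findUncoveredHttpMethods` needs the full set for a pattern, that caller should pass `findConstraints()` too, or the limitation should be stated on this method. Give the method a Javadoc saying that it computes the uncovered HTTP methods of `constraints` only and registers the resulting constraints via `addConstraint`; whether those constraints deny or merely log appears to be decided by `getDenyUncoveredHttpMethods()` and the logger passed in, which is worth confirming against SecurityConstraint before documenting it. The method's closing braces lie outside the hunk.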
@@ -5838,6 +5839,8 @@ public class StandardContext extends Con
 newSecurityConstraints) {
 addConstraint(securityConstraint);
 }
+
+ checkConstraintsForUncoveredMethods(newSecurityConstraints);
 }
 }
Modified: tomcat/trunk/test/org/apache/catalina/core/TestStandardWrapper.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/catalina/core/TestStandardWrapper.java?rev=1495414&r1=1495413&r2=1495414&view=diff
==============================================================================
--- tomcat/trunk/test/org/apache/catalina/core/TestStandardWrapper.java (original)
+++ tomcat/trunk/test/org/apache/catalina/core/TestStandardWrapper.java Fri Jun 21 12:41:13 2013
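Review bot: The added `checkConstraintsForUncoveredMethods(newSecurityConstraints)` call runs unconditionally, whereas the start-up pass in this commit is guarded by `if (ok)` and works over `findConstraints()`; if this method can be reached while the context is still starting (a servlet registered programmatically from an SCI or listener), the same uncovered methods would be processed here and again by the start-up pass, so either `addConstraint` must tolerate the duplicate or this call should be skipped until the context has started — the caller ordering is not visible from the hunk. A short why-comment would also help the next reader, e.g. `// Constraints registered after start-up missed the start-up uncovered-method pass, so run it for the new ones here`. The enclosing method starts outside the hunk.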
@@ -62,37 +62,89 @@ public class TestStandardWrapper extends
 @Test
 public void testSecurityAnnotationsSimple() throws Exception {
- doTest(DenyAllServlet.class.getName(), false, false, false);
+ doTest(DenyAllServlet.class.getName(), false, false, false, false);
 }
 @Test
 public void testSecurityAnnotationsSubclass1() throws Exception {
- doTest(SubclassDenyAllServlet.class.getName(), false, false, false);
+ doTest(SubclassDenyAllServlet.class.getName(),
+ false, false, false,false);
 }
 @Test
 public void testSecurityAnnotationsSubclass2() throws Exception {
- doTest(SubclassAllowAllServlet.class.getName(), false, false, true);
+ doTest(SubclassAllowAllServlet.class.getName(),
+ false, false, true, false);
 }
 @Test
 public void testSecurityAnnotationsMethods1() throws Exception {
- doTest(MethodConstraintServlet.class.getName(), false, false, false);
+ doTest(MethodConstraintServlet.class.getName(),
+ false, false, false, false);
 }
 @Test
 public void testSecurityAnnotationsMethods2() throws Exception {
- doTest(MethodConstraintServlet.class.getName(), true, false, true);
+ doTest(MethodConstraintServlet.class.getName(),
+ true, false, true, false);
 }
 @Test
 public void testSecurityAnnotationsRole1() throws Exception {
- doTest(RoleAllowServlet.class.getName(), false, true, true);
+ doTest(RoleAllowServlet.class.getName(), false, true, true, false);
 }
 @Test
 public void testSecurityAnnotationsRole2() throws Exception {
- doTest(RoleDenyServlet.class.getName(), false, true, false);
+ doTest(RoleDenyServlet.class.getName(), false, true, false, false);
+ }
+
+ @Test
+ public void testSecurityAnnotationsUncoveredGet01() throws Exception {
+ // Use a POST with role - should be allowed
+ doTest(UncoveredGetServlet.class.getName(), true, true, true, false);
+ }
+
+ @Test
+ public void testSecurityAnnotationsUncoveredGet02() throws Exception {
+ // Use a POST with role - should be allowed
+ doTest(UncoveredGetServlet.class.getName(), true, true, true, true);
+ }
+
+ @Test
+ public void testSecurityAnnotationsUncoveredGet03() throws Exception {
+ // Use a POST no role - should be blocked
+ doTest(UncoveredGetServlet.class.getName(), true, false, false, false);
+ }
+
+ @Test
+ public void testSecurityAnnotationsUncoveredGet04() throws Exception {
+ // Use a POST no role - should be blocked
+ doTest(UncoveredGetServlet.class.getName(), true, false, false, true);
+ }
+
+ @Test
+ public void testSecurityAnnotationsUncoveredGet05() throws Exception {
+ // Use a GET with role - should be allowed as denyUncovered is false
+ doTest(UncoveredGetServlet.class.getName(), false, true, true, false);
+ }
+
+ @Test
+ public void testSecurityAnnotationsUncoveredGet06() throws Exception {
+ // Use a GET with role - should be blocked as denyUncovered is true
+ doTest(UncoveredGetServlet.class.getName(), false, true, false, true);
+ }
+
+ @Test
+ public void testSecurityAnnotationsUncoveredGet07() throws Exception {
+ // Use a GET no role - should be allowed as denyUncovered is false
+ doTest(UncoveredGetServlet.class.getName(), false, false, true, false);
+ }
+
+ @Test
+ public void testSecurityAnnotationsUncoveredGet08() throws Exception {
+ // Use a GET no role - should be blocked as denyUncovered is true
+ doTest(UncoveredGetServlet.class.getName(), true, false, false, true);
 }
 @Test
@@ -223,7 +275,8 @@ public class TestStandardWrapper extends
 }
 private void doTest(String servletClassName, boolean usePost,
- boolean useRole, boolean expect200) throws Exception {
+ boolean useRole, boolean expect200, boolean denyUncovered)
+ throws Exception {
 // Setup Tomcat instance
 Tomcat tomcat = getTomcatInstance();
@@ -231,6 +284,7 @@ public class TestStandardWrapper extends
 // Must have a real docBase - just use temp
 Context ctx = tomcat.addContext("", System.getProperty("java.io.tmpdir"));
+ ctx.setDenyUncoveredHttpMethods(denyUncovered);
 Wrapper wrapper = Tomcat.addServlet(ctx, "servlet", servletClassName);
 wrapper.setAsyncSupported(true);
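Review bot: `testSecurityAnnotationsUncoveredGet08` passes `true` for `usePost`, so it issues a POST even though its comment says `// Use a GET no role - should be blocked as denyUncovered is true`; as written it repeats `testSecurityAnnotationsUncoveredGet04` (POST, no role, denyUncovered=true), and the GET/no-role/denyUncovered=true case — the one that exercises the deny-uncovered path without any role at all — is never run. Change the call to `doTest(UncoveredGetServlet.class.getName(), false, false, false, true);`, the `denyUncovered`-flipped twin of Get07. Minor: `false, false, false,false` in `testSecurityAnnotationsSubclass1` is missing a space after the comma.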
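Review bot: `doTest` now takes four positional booleans (`usePost`, `useRole`, `expect200`, `denyUncovered`) with no Javadoc, and every call site is a bare list of `true`/`false`, which makes a transposed argument almost invisible in review. Add a Javadoc above the signature describing each parameter: that `usePost` selects POST over GET, that `denyUncovered` is the value handed to `Context.setDenyUncoveredHttpMethods`, that `expect200` is the expected outcome, and what `useRole` sets up (presumably an authenticated user holding `testRole`, which this hunk does not show). The body of `doTest` continues beyond the hunk.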
@@ -318,6 +372,14 @@ public class TestStandardWrapper extends
 private static final long serialVersionUID = 1L;
 }
+ @ServletSecurity(httpMethodConstraints = {
+ @HttpMethodConstraint(value="POST",rolesAllowed = "testRole")
+ }
+ )
+ public static class UncoveredGetServlet extends TestServlet {
+ private static final long serialVersionUID = 1L;
+ }
+
 @ServletSecurity(@HttpConstraint(rolesAllowed = "testRole"))
 public static class RoleAllowServlet extends TestServlet {
 private static final long serialVersionUID = 1L;
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
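Review bot: The `UncoveredGetServlet` annotation is laid out differently from every other servlet in this hunk, with the array braces and the closing parenthesis on lines of their own and no space after the comma in `value="POST",rolesAllowed`; since a single annotation element may be written without the braces, it collapses to one line: `@ServletSecurity(httpMethodConstraints = @HttpMethodConstraint(value = "POST", rolesAllowed = "testRole"))`. Because the whole point of this fixture is that only POST is constrained, a comment saying so would spare the reader inferring it from the class name, e.g. `// Only POST is constrained; GET is deliberately left uncovered for the denyUncoveredHttpMethods tests`. The surrounding class body continues outside the hunk.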