[jboss-cvs] JBossAS SVN: r80853 - in trunk/testsuite: src/main/org/jboss/test/security and 7 other directories.
jboss-cvs-commits at lists.jboss.org
Wed Nov 12 12:19:26 EST 2008
Author: sguilhen at redhat.com
Date: 2008-11-12 12:19:26 -0500 (Wed, 12 Nov 2008)
New Revision: 80853
Added:
trunk/testsuite/src/main/org/jboss/test/security/ejb3/
trunk/testsuite/src/main/org/jboss/test/security/ejb3/DelegateSession.java
trunk/testsuite/src/main/org/jboss/test/security/ejb3/DelegateSessionBean.java
trunk/testsuite/src/main/org/jboss/test/security/ejb3/RunAsSession.java
trunk/testsuite/src/main/org/jboss/test/security/ejb3/RunAsSessionBean.java
trunk/testsuite/src/main/org/jboss/test/security/ejb3/SimpleSession.java
trunk/testsuite/src/main/org/jboss/test/security/ejb3/SimpleStatefulSessionBean.java
trunk/testsuite/src/main/org/jboss/test/security/ejb3/SimpleStatelessSessionBean.java
trunk/testsuite/src/main/org/jboss/test/security/test/EJB3SpecUnitTestCase.java
trunk/testsuite/src/resources/security/ejb3/
trunk/testsuite/src/resources/security/ejb3/META-INF/
trunk/testsuite/src/resources/security/ejb3/META-INF/jboss.xml
trunk/testsuite/src/resources/security/ejb3/config/
trunk/testsuite/src/resources/security/ejb3/config/ejb3-test-jboss-beans.xml
trunk/testsuite/src/resources/security/ejb3/config/ejb3-test-roles.properties
trunk/testsuite/src/resources/security/ejb3/config/ejb3-test-users.properties
Modified:
trunk/testsuite/imports/sections/security.xml
trunk/testsuite/src/resources/security/authorization/aclpolicy-jboss-beans.xml
Log:
Added a test case to validate the security behavior of EJB3 beans.
Modified: trunk/testsuite/imports/sections/security.xml
===================================================================
--- trunk/testsuite/imports/sections/security.xml 2008-11-12 17:13:55 UTC (rev 80852)
+++ trunk/testsuite/imports/sections/security.xml 2008-11-12 17:19:26 UTC (rev 80853)
@@ -467,5 +467,20 @@
</fileset>
</jar>
+ <!-- ejb3 security ear -->
+ <jar destfile="${build.lib}/security-ejb3.jar">
+ <metainf dir="${build.resources}/security/ejb3/META-INF">
+ <include name="jboss.xml" />
+ </metainf>
+ <fileset dir="${build.resources}/security/ejb3/config">
+ <include name="ejb3-test-users.properties"/>
+ <include name="ejb3-test-roles.properties"/>
+ <include name="ejb3-test-jboss-beans.xml"/>
+ </fileset>
+ <fileset dir="${build.classes}">
+ <include name="org/jboss/test/security/ejb3/*.class"/>
+ </fileset>
+ </jar>
+
</target>
</project>
Added: trunk/testsuite/src/main/org/jboss/test/security/ejb3/DelegateSession.java
===================================================================
--- trunk/testsuite/src/main/org/jboss/test/security/ejb3/DelegateSession.java (rev 0)
+++ trunk/testsuite/src/main/org/jboss/test/security/ejb3/DelegateSession.java 2008-11-12 17:19:26 UTC (rev 80853)
@@ -0,0 +1,45 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.test.security.ejb3;
+
+import java.security.Principal;
+
+/**
+ * <p>
+ * Local session interface used in the EJB3 run-as tests.
+ * </p>
+ *
+ * @author <a href="mailto:sguilhen at redhat.com">Stefan Guilhen</a>
+ */
+public interface DelegateSession
+{
+
+ /**
+ * <p>
+ * Method available to {@code Manager} users. Implementations should use a {@code @RolesAllowed{"Manager"}}
+ * annotation to specify that a role of {@code Manager} is required.
+ * </p>
+ *
+ * @return the {@code Principal} of the user that is calling the session.
+ */
+ public Principal invokeDelegate();
+}
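Review bot: The Javadoc for invokeDelegate() spells the annotation as `{@code @RolesAllowed{"Manager"}}`, which is not valid annotation syntax and does not match what DelegateSessionBean actually declares. It should read `{@code @RolesAllowed("Manager")}` so the contract the interface documents is copy-pasteable and consistent with the sibling SimpleSession Javadoc, which uses the parenthesised form.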
Added: trunk/testsuite/src/main/org/jboss/test/security/ejb3/DelegateSessionBean.java
===================================================================
--- trunk/testsuite/src/main/org/jboss/test/security/ejb3/DelegateSessionBean.java (rev 0)
+++ trunk/testsuite/src/main/org/jboss/test/security/ejb3/DelegateSessionBean.java 2008-11-12 17:19:26 UTC (rev 80853)
@@ -0,0 +1,58 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.test.security.ejb3;
+
+import java.security.Principal;
+
+import javax.annotation.Resource;
+import javax.annotation.security.RolesAllowed;
+import javax.ejb.Local;
+import javax.ejb.SessionContext;
+import javax.ejb.Stateless;
+
+/**
+ * <p>
+ * Stateless session bean implementation used in the EJB3 run-as security tests.
+ * </p>
+ *
+ * @author <a href="mailto:sguilhen at redhat.com">Stefan Guilhen</a>
+ */
+ at Stateless
+ at Local(DelegateSession.class)
+public class DelegateSessionBean implements DelegateSession
+{
+
+ @Resource
+ private SessionContext context;
+
+ /*
+ * (non-Javadoc)
+ *
+ * @see org.jboss.test.security.ejb3.DelegateSession#invokeDelegate()
+ */
+ @RolesAllowed("Manager")
+ public Principal invokeDelegate()
+ {
+ return context.getCallerPrincipal();
+ }
+
+}
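Review bot: The only access control on this bean is the method-level `@RolesAllowed("Manager")` on invokeDelegate(); there is no class-level default, and under the EJB 3.0 rules a business method with no security annotation is unchecked, i.e. callable by anyone. Since this bean is only meant to be reached through the run-as identity of RunAsSessionBean, a class-level `@RolesAllowed("Manager")` next to `@Stateless` states that intent once and keeps any method added later from silently becoming open. The method-level annotation can then be dropped or kept as documentation.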
Added: trunk/testsuite/src/main/org/jboss/test/security/ejb3/RunAsSession.java
===================================================================
--- trunk/testsuite/src/main/org/jboss/test/security/ejb3/RunAsSession.java (rev 0)
+++ trunk/testsuite/src/main/org/jboss/test/security/ejb3/RunAsSession.java 2008-11-12 17:19:26 UTC (rev 80853)
@@ -0,0 +1,45 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.test.security.ejb3;
+
+import java.security.Principal;
+
+/**
+ * <p>
+ * Remote session interface used in the EJB3 run-as security tests.
+ * </p>
+ *
+ * @author <a href="mailto:sguilhen at redhat.com">Stefan Guilhen</a>
+ */
+public interface RunAsSession
+{
+
+ /**
+ * <p>
+ * Method available to {@code RegularUser}s. Implementations should delegate the call to a {@code DelegateSession}
+ * using a {@code @RunAs} annotation.
+ * </p>
+ *
+ * @return the {@code Principal} of the identity used to call the {@code DelegateSession}.
+ */
+ public Principal invokeRunAs();
+}
Added: trunk/testsuite/src/main/org/jboss/test/security/ejb3/RunAsSessionBean.java
===================================================================
--- trunk/testsuite/src/main/org/jboss/test/security/ejb3/RunAsSessionBean.java (rev 0)
+++ trunk/testsuite/src/main/org/jboss/test/security/ejb3/RunAsSessionBean.java 2008-11-12 17:19:26 UTC (rev 80853)
@@ -0,0 +1,58 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.test.security.ejb3;
+
+import java.security.Principal;
+
+import javax.annotation.security.RolesAllowed;
+import javax.annotation.security.RunAs;
+import javax.ejb.EJB;
+import javax.ejb.Remote;
+import javax.ejb.Stateless;
+
+/**
+ * <p>
+ * Stateless session bean implementation used in the EJB3 run-as security tests.
+ * </p>
+ *
+ * @author <a href="mailto:sguilhen at redhat.com">Stefan Guilhen</a>
+ */
+ at Stateless
+ at Remote(RunAsSession.class)
+ at RunAs("Manager")
+public class RunAsSessionBean implements RunAsSession
+{
+
+ @EJB
+ private DelegateSession delegate;
+
+ /*
+ * (non-Javadoc)
+ *
+ * @see org.jboss.test.security.ejb3.RunAsSession#invokeRunAs()
+ */
+ @RolesAllowed({"RegularUser"})
+ public Principal invokeRunAs()
+ {
+ return delegate.invokeDelegate();
+ }
+}
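Review bot: The class Javadoc does not say which identity the delegate will observe, yet the test in EJB3SpecUnitTestCase pins it (it expects `anonymous` from `invokeRunAs()`). The bean declares `@RunAs("Manager")` but no run-as principal name, so what DelegateSessionBean gets from `getCallerPrincipal()` presumably falls back to the server's default unauthenticated identity rather than anything this bean controls — worth stating, since whoever changes the login module's default will otherwise only learn about it from a test failure. Suggested addition to the class Javadoc: `Runs as the {@code Manager} role; no run-as principal is configured, so the delegate sees the security domain's default unauthenticated principal.`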
Added: trunk/testsuite/src/main/org/jboss/test/security/ejb3/SimpleSession.java
===================================================================
--- trunk/testsuite/src/main/org/jboss/test/security/ejb3/SimpleSession.java (rev 0)
+++ trunk/testsuite/src/main/org/jboss/test/security/ejb3/SimpleSession.java 2008-11-12 17:19:26 UTC (rev 80853)
@@ -0,0 +1,77 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.test.security.ejb3;
+
+import java.security.Principal;
+
+/**
+ * <p>
+ * This is the remote interface of session beans used in the EJB3 security tests.
+ * </p>
+ *
+ * @author <a href="mailto:sguilhen at redhat.com">Stefan Guilhen</a>
+ */
+public interface SimpleSession
+{
+ /**
+ * <p>
+ * This is a method available for regular users and administrators. Implementations must annotate either the class or
+ * this method with {@code @RolesAllowed({"RegularUser", "Administrator"})} to enforce that only these roles should
+ * be granted access to this method.
+ * </p>
+ *
+ * @return the caller's {@code Principal}.
+ */
+ public Principal invokeRegularMethod();
+
+ /**
+ * <p>
+ * This is a method available for administrators only. Implementations must annotate either the class or this method
+ * with {@code @RolesAllowed({"Administrator"})} to enforce that only administrators should be granted access to
+ * this method.
+ * </p>
+ *
+ * @return the caller's {@code Principal}.
+ */
+ public Principal invokeAdministrativeMethod();
+
+ /**
+ * <p>
+ * This is a method available for all authenticated users, regardless or role. Implementations must annotate this
+ * method with {@code @PermitAll} to specify that all security roles should be granted access.
+ * </p>
+ *
+ * @return the caller's {@code Principal}.
+ */
+ public Principal invokeUnprotectedMethod();
+
+ /**
+ * <p>
+ * This is a method that is unavailable for everybody. Implementations must annotate this method with
+ * {@code @DenyAll} to specify that access should be restricted for everybody.
+ * </p>
+ *
+ * @return the caller's {@code Principal}.
+ */
+ public Principal invokeUnavailableMethod();
+
+}
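Review bot: Typo in the Javadoc of invokeUnprotectedMethod(): "regardless or role" should be "regardless of role". The same sentence could also say explicitly that `@PermitAll` still requires the caller to be authenticated in this test setup is not true — the test calls it without logging in — so the current wording "all authenticated users" is misleading; `This is a method available to every caller, authenticated or not, regardless of role.` matches what testUnauthenticatedMethodAccess asserts.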
Added: trunk/testsuite/src/main/org/jboss/test/security/ejb3/SimpleStatefulSessionBean.java
===================================================================
--- trunk/testsuite/src/main/org/jboss/test/security/ejb3/SimpleStatefulSessionBean.java (rev 0)
+++ trunk/testsuite/src/main/org/jboss/test/security/ejb3/SimpleStatefulSessionBean.java 2008-11-12 17:19:26 UTC (rev 80853)
@@ -0,0 +1,97 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.test.security.ejb3;
+
+import java.security.Principal;
+
+import javax.annotation.Resource;
+import javax.annotation.security.DenyAll;
+import javax.annotation.security.PermitAll;
+import javax.annotation.security.RolesAllowed;
+import javax.ejb.Remote;
+import javax.ejb.SessionContext;
+import javax.ejb.Stateful;
+
+/**
+ * <p>
+ * Stateful session bean implementation used in the EJB3 security tests.
+ * </p>
+ *
+ * @author <a href="mailto:sguilhen at redhat.com">Stefan Guilhen</a>
+ */
+ at Stateful
+ at Remote(SimpleSession.class)
+ at RolesAllowed({"RegularUser", "Administrator"})
+public class SimpleStatefulSessionBean implements SimpleSession
+{
+
+ @Resource
+ private SessionContext context;
+
+ /*
+ * (non-Javadoc)
+ *
+ * @see org.jboss.test.security.ejb3.SimpleSession#invokeRegularMethod()
+ */
+ public Principal invokeRegularMethod()
+ {
+ // this method allows the same roles as the class.
+ return this.context.getCallerPrincipal();
+ }
+
+ /*
+ * (non-Javadoc)
+ *
+ * @see org.jboss.test.security.ejb3.SimpleSession#invokeAdministrativeMethod()
+ */
+ @RolesAllowed({"Administrator"})
+ public Principal invokeAdministrativeMethod()
+ {
+ // this method overrides the roles defined by the class to grant access to admnistrators only.
+ return this.context.getCallerPrincipal();
+ }
+
+ /*
+ * (non-Javadoc)
+ *
+ * @see org.jboss.test.security.ejb3.SimpleSession#invokeUnprotectedMethod()
+ */
+ @PermitAll
+ public Principal invokeUnprotectedMethod()
+ {
+ // this method overrides the roles defined by the class to grant access to all roles.
+ return this.context.getCallerPrincipal();
+ }
+
+ /*
+ * (non-Javadoc)
+ *
+ * @see org.jboss.test.security.ejb3.SimpleSession#invokeUnavailableMethod()
+ */
+ @DenyAll
+ public Principal invokeUnavailableMethod()
+ {
+ // this method should never be called - it overrides the class roles to deny access to all roles.
+ return this.context.getCallerPrincipal();
+ }
+
+}
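Review bot: Typo in the comment inside invokeAdministrativeMethod(): "admnistrators" should be "administrators"; the identical comment in SimpleStatelessSessionBean has the same typo. While there, the comment on invokeUnavailableMethod() says the method "should never be called" but the body still returns the caller principal; a one-line note that the return value only exists to satisfy the interface, e.g. `// unreachable when @DenyAll is enforced; the return only satisfies the interface.`, makes it clear a non-null result here would itself indicate a broken interceptor chain.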
Added: trunk/testsuite/src/main/org/jboss/test/security/ejb3/SimpleStatelessSessionBean.java
===================================================================
--- trunk/testsuite/src/main/org/jboss/test/security/ejb3/SimpleStatelessSessionBean.java (rev 0)
+++ trunk/testsuite/src/main/org/jboss/test/security/ejb3/SimpleStatelessSessionBean.java 2008-11-12 17:19:26 UTC (rev 80853)
@@ -0,0 +1,96 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.test.security.ejb3;
+
+import java.security.Principal;
+
+import javax.annotation.Resource;
+import javax.annotation.security.DenyAll;
+import javax.annotation.security.PermitAll;
+import javax.annotation.security.RolesAllowed;
+import javax.ejb.Remote;
+import javax.ejb.SessionContext;
+import javax.ejb.Stateless;
+
+/**
+ * <p>
+ * Stateless session bean implementation used in the EJB3 security tests.
+ * </p>
+ *
+ * @author <a href="mailto:sguilhen at redhat.com">Stefan Guilhen</a>
+ */
+ at Stateless
+ at Remote(SimpleSession.class)
+ at RolesAllowed({"RegularUser", "Administrator"})
+public class SimpleStatelessSessionBean implements SimpleSession
+{
+
+ @Resource
+ private SessionContext context;
+
+ /*
+ * (non-Javadoc)
+ *
+ * @see org.jboss.test.security.ejb3.SimpleSession#invokeRegularMethod()
+ */
+ public Principal invokeRegularMethod()
+ {
+ // this method allows the same roles as the class.
+ return this.context.getCallerPrincipal();
+ }
+
+ /*
+ * (non-Javadoc)
+ *
+ * @see org.jboss.test.security.ejb3.SimpleSession#invokerAdministrativeMethod()
+ */
+ @RolesAllowed({"Administrator"})
+ public Principal invokeAdministrativeMethod()
+ {
+ // this method overrides the roles defined by the class to grant access to admnistrators only.
+ return this.context.getCallerPrincipal();
+ }
+
+ /*
+ * (non-Javadoc)
+ *
+ * @see org.jboss.test.security.ejb3.SimpleSession#invokeUnprotectedMethod()
+ */
+ @PermitAll
+ public Principal invokeUnprotectedMethod()
+ {
+ // this method overrides the roles defined by the class to grant access to all roles.
+ return this.context.getCallerPrincipal();
+ }
+
+ /*
+ * (non-Javadoc)
+ *
+ * @see org.jboss.test.security.ejb3.SimpleSession#invokeUnavailableMethod()
+ */
+ @DenyAll
+ public Principal invokeUnavailableMethod()
+ {
+ // this method should never be called - it overrides the class roles to deny access to all roles.
+ return this.context.getCallerPrincipal();
+ }
+}
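Review bot: The `@see` reference above invokeAdministrativeMethod() points at `SimpleSession#invokerAdministrativeMethod()`, a method that does not exist, so the link is dead in generated Javadoc and will be flagged by doclint. It should be `@see org.jboss.test.security.ejb3.SimpleSession#invokeAdministrativeMethod()`, matching the stateful bean's comment.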
Added: trunk/testsuite/src/main/org/jboss/test/security/test/EJB3SpecUnitTestCase.java
===================================================================
--- trunk/testsuite/src/main/org/jboss/test/security/test/EJB3SpecUnitTestCase.java (rev 0)
+++ trunk/testsuite/src/main/org/jboss/test/security/test/EJB3SpecUnitTestCase.java 2008-11-12 17:19:26 UTC (rev 80853)
@@ -0,0 +1,347 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.test.security.test;
+
+import java.security.Principal;
+
+import javax.ejb.EJBAccessException;
+import javax.rmi.PortableRemoteObject;
+import javax.security.auth.login.LoginContext;
+import javax.security.auth.login.LoginException;
+
+import junit.extensions.TestSetup;
+import junit.framework.Test;
+import junit.framework.TestSuite;
+
+import org.jboss.test.JBossTestCase;
+import org.jboss.test.JBossTestSetup;
+import org.jboss.test.security.ejb3.RunAsSession;
+import org.jboss.test.security.ejb3.SimpleSession;
+import org.jboss.test.util.AppCallbackHandler;
+
+/**
+ * <p>
+ * This {@code TestCase} validates the security behavior of protected EJB3 beans.
+ * </p>
+ *
+ * @author <a href="mailto:sguilhen at redhat.com">Stefan Guilhen</a>
+ */
+public class EJB3SpecUnitTestCase extends JBossTestCase
+{
+
+ private LoginContext loginContext;
+
+ /**
+ * <p>
+ * Creates an instance of {@code EJB3SpecUnitTestCase} with the specified name.
+ * </p>
+ *
+ * @param name a {@code String} that represents the name of the test case.
+ */
+ public EJB3SpecUnitTestCase(String name)
+ {
+ super(name);
+ // set the login config file if it hasn't been set yet.
+ if (System.getProperty("java.security.auth.login.config") == null)
+ System.setProperty("java.security.auth.login.config", "output/resources/security/auth.conf");
+ }
+
+ /**
+ * <p>
+ * Tests accessing protected methods using a client that has the {@code Administrator} role.
+ * </p>
+ *
+ * @throws Exception if an error occurs while running the test.
+ */
+ public void testAdministratorMethodAccess() throws Exception
+ {
+ // login with a user that has the Administrator role.
+ this.login("UserA", "PassA".toCharArray());
+
+ // get a reference to the remote protected stateless session bean.
+ Object obj = getInitialContext().lookup("SimpleStatelessSessionBean/remote");
+ SimpleSession session = (SimpleSession) PortableRemoteObject.narrow(obj, SimpleSession.class);
+
+ // an administrator should have access to all methods but invokeUnavailableMethod.
+ this.assertMethodAccessResults(session, true, true);
+
+ // repeat the tests, this time calling a stateful session bean.
+ obj = getInitialContext().lookup("SimpleStatefulSessionBean/remote");
+ session = (SimpleSession) PortableRemoteObject.narrow(obj, SimpleSession.class);
+ this.assertMethodAccessResults(session, true, true);
+
+ this.logout();
+ }
+
+ /**
+ * <p>
+ * Tests accessing protected methods using a client that has the {@code RegularUser} role.
+ * </p>
+ *
+ * @throws Exception if an error occurs while running the test.
+ */
+ public void testRegularUserMethodAccess() throws Exception
+ {
+ // login with a user that has the RegularUser role.
+ this.login("UserB", "PassB".toCharArray());
+
+ // get a reference to the remote protected stateless session bean.
+ Object obj = getInitialContext().lookup("SimpleStatelessSessionBean/remote");
+ SimpleSession session = (SimpleSession) PortableRemoteObject.narrow(obj, SimpleSession.class);
+
+ // a regular user cannot access administrative methods.
+ this.assertMethodAccessResults(session, true, false);
+
+ // repeat the tests, this time calling a stateful session bean.
+ obj = getInitialContext().lookup("SimpleStatefulSessionBean/remote");
+ session = (SimpleSession) PortableRemoteObject.narrow(obj, SimpleSession.class);
+ this.assertMethodAccessResults(session, true, false);
+
+ this.logout();
+ }
+
+ /**
+ * <p>
+ * Tests accessing protected methods using a client that has the {@code Guest} role.
+ * </p>
+ *
+ * @throws Exception if an error occurs while running the test.
+ */
+ public void testGuestMethodAccess() throws Exception
+ {
+ // login with a user that has the Guest role.
+ this.login("UserC", "PassC".toCharArray());
+
+ // get a reference to the remote protected stateless session bean.
+ Object obj = getInitialContext().lookup("SimpleStatelessSessionBean/remote");
+ SimpleSession session = (SimpleSession) PortableRemoteObject.narrow(obj, SimpleSession.class);
+
+ // a guest user should have access to unprotected methods only.
+ this.assertMethodAccessResults(session, false, false);
+
+ // repeat the tests, this time calling a stateful session bean.
+ obj = getInitialContext().lookup("SimpleStatefulSessionBean/remote");
+ session = (SimpleSession) PortableRemoteObject.narrow(obj, SimpleSession.class);
+ this.assertMethodAccessResults(session, false, false);
+
+ this.logout();
+ }
+
+ /**
+ * <p>
+ * Tests accessing protected methods using an unauthenticated client.
+ * </p>
+ *
+ * @throws Exception if an error occurs while running the test.
+ */
+ public void testUnauthenticatedMethodAccess() throws Exception
+ {
+ // get a reference to the remote protected stateless session bean.
+ Object obj = getInitialContext().lookup("SimpleStatelessSessionBean/remote");
+ SimpleSession session = (SimpleSession) PortableRemoteObject.narrow(obj, SimpleSession.class);
+
+ // an unauthenticated user should have access to unprotected methods only.
+ this.assertMethodAccessResults(session, false, false);
+
+ // repeat the tests, this time calling a stateful session bean.
+ obj = getInitialContext().lookup("SimpleStatefulSessionBean/remote");
+ session = (SimpleSession) PortableRemoteObject.narrow(obj, SimpleSession.class);
+ this.assertMethodAccessResults(session, false, false);
+ }
+
+ /**
+ * <p>
+ * Tests the following scenario:
+ * <ol>
+ * <li>a client associated with a {@code RegularUser} role invokes the {@code RunAsSession}.</li>
+ * <li>the {@code RunAsSession#invokeRunAs()} method delegates the call to the {@code DelegateSession} using a
+ * {@code @RunAs("Manager")} annotation.</li>
+ * </ol>
+ *
+ * {@code DelegateSession#invokeDelegate()} requires a role {@code Manager} to run. As the client doesn't have the
+ * required role, the call will only succeed if the {@code RunAsSession} propagates an identity with the
+ * {@code Manager} role using a {@code @RunAs} annotation.
+ * </p>
+ *
+ * @throws Exception if an error occurs while running the test.
+ */
+ public void testRunAsMethodAccess() throws Exception
+ {
+ // login with a user that has the RegularUser role.
+ this.login("UserB", "PassB".toCharArray());
+
+ // get a reference to the remote run-as session.
+ Object obj = getInitialContext().lookup("RunAsSessionBean/remote");
+ RunAsSession session = (RunAsSession) PortableRemoteObject.narrow(obj, RunAsSession.class);
+
+ // invoke the session, that delegates the invocation to the delegate session using @RunAs.
+ Principal principal = session.invokeRunAs();
+ assertNotNull("Found unexpected null principal", principal);
+ // run-as identity should be the default unauthenticated identity configured in the login module.
+ assertEquals("anonymous", principal.getName());
+
+ this.logout();
+ }
+
+ /**
+ * <p>
+ * Validates the results received when calling all methods on a {@code SimpleSession}.
+ * </p>
+ *
+ * @param session the {@code SimpleSession} to be called.
+ * @param succeedRegular {@code true} if the call to {@code SimpleSession#invokeRegularMethod()} must succeed;
+ * {@code false} otherwise.
+ * @param succeedAdministrative {@code true} if the call to {@code SimpleSession#invokeAdministrativeMethod()} must
+ * succeed; {@code false} otherwise.
+ */
+ private void assertMethodAccessResults(SimpleSession session, boolean succeedRegular, boolean succeedAdministrative)
+ {
+ // access to unprotected (@PermitAll) methods should always be granted.
+ Principal principal = session.invokeUnprotectedMethod();
+ assertNotNull("Found unexpected null principal", principal);
+
+ // access to unavailable (@DenyAll) method should always fail.
+ try
+ {
+ principal = session.invokeUnavailableMethod();
+ fail("Client should not be able to invoke a method annotated with @DenyAll");
+ }
+ catch (EJBAccessException ex)
+ {
+ super.log.debug("Got expected exception: ", ex);
+ }
+
+ // check access to regular method.
+ if (succeedRegular)
+ {
+ principal = session.invokeRegularMethod();
+ assertNotNull("Found unexpected null principal", principal);
+ }
+ else
+ {
+ try
+ {
+ principal = session.invokeRegularMethod();
+ fail("Client should not be able to invoke a regular method");
+ }
+ catch (EJBAccessException ex)
+ {
+ super.log.debug("Got expected exception: ", ex);
+ }
+ }
+
+ // check access to administrative method.
+ if (succeedAdministrative)
+ {
+ principal = session.invokeAdministrativeMethod();
+ assertNotNull("Found unexpected null principal", principal);
+ }
+ else
+ {
+ try
+ {
+ principal = session.invokeAdministrativeMethod();
+ fail("Client should not be able to invoke an administrative method");
+ }
+ catch (EJBAccessException ex)
+ {
+ super.log.debug("Got expected exception: ", ex);
+ }
+ }
+ }
+
+ /**
+ * <p>
+ * Authenticates the client identified by the given {@code username} using the specified {@code password}.
+ * </p>
+ *
+ * @param username a {@code String} that identifies the client that is being logged in.
+ * @param password a {@code char[]} that contains the password that asserts the client's identity.
+ * @throws LoginException if an error occurs while authenticating the client.
+ */
+ private void login(String username, char[] password) throws LoginException
+ {
+ // get the conf name from a system property - default is spec-test.
+ String confName = System.getProperty("conf.name", "spec-test");
+ AppCallbackHandler handler = new AppCallbackHandler(username, password);
+ this.loginContext = new LoginContext(confName, handler);
+ this.loginContext.login();
+ }
+
+ /**
+ * <p>
+ * Perform a logout of the current user.
+ * </p>
+ *
+ * @throws LoginException if an error occurs while logging the user out.
+ */
+ private void logout() throws LoginException
+ {
+ this.loginContext.logout();
+ }
+
+ /**
+ * <p>
+ * Sets up the test suite.
+ * </p>
+ *
+ * @return a {@code TestSuite} that contains this test case.
+ * @throws Exception if an error occurs while setting up the {@code TestSuite}.
+ */
+ public static Test suite() throws Exception
+ {
+ TestSuite suite = new TestSuite();
+ suite.addTest(new TestSuite(EJB3SpecUnitTestCase.class));
+
+ TestSetup wrapper = new JBossTestSetup(suite)
+ {
+ /*
+ * (non-Javadoc)
+ *
+ * @see org.jboss.test.JBossTestSetup#setUp()
+ */
+ @Override
+ protected void setUp() throws Exception
+ {
+ super.setUp();
+ // deploy the ejb3 test application.
+ super.deploy("security-ejb3.jar");
+ }
+
+ /*
+ * (non-Javadoc)
+ *
+ * @see org.jboss.test.JBossTestSetup#tearDown()
+ */
+ @Override
+ protected void tearDown() throws Exception
+ {
+ // undeploy the ejb3 test application.
+ super.undeploy("security-ejb3.jar");
+ // flush the authentication cache of the test domain.
+ super.flushAuthCache("security-ejb3-test");
+ super.tearDown();
+ }
+ };
+ return wrapper;
+ }
+}
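Review bot: `this.logout()` at the end of testAdministratorMethodAccess, testRegularUserMethodAccess, testGuestMethodAccess and testRunAsMethodAccess is not in a finally block, so a single failed assertion leaves the JAAS login in place for the rest of the suite; testUnauthenticatedMethodAccess, which assumes no identity at all, would then presumably run with the previous user's identity still associated and either mask or multiply the failure. logout() also dereferences loginContext without a null check, so it throws NullPointerException if reached without a prior login(). Rather than wrapping every test body, an override of tearDown() that logs out whenever a LoginContext is present keeps the cleanup in one place — assuming JBossTestCase inherits JUnit's tearDown(), which its use of TestSuite/TestSetup suggests.
```java
   // … unchanged: login() / logout() …

   /**
    * <p>
    * Logs out any identity left behind by a failed test so it cannot leak into the next one.
    * </p>
    */
   @Override
   protected void tearDown() throws Exception
   {
      if (this.loginContext != null)
      {
         this.loginContext.logout();
         this.loginContext = null;
      }
      super.tearDown();
   }
```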
Modified: trunk/testsuite/src/resources/security/authorization/aclpolicy-jboss-beans.xml
===================================================================
--- trunk/testsuite/src/resources/security/authorization/aclpolicy-jboss-beans.xml 2008-11-12 17:13:55 UTC (rev 80852)
+++ trunk/testsuite/src/resources/security/authorization/aclpolicy-jboss-beans.xml 2008-11-12 17:19:26 UTC (rev 80853)
@@ -1,17 +1,17 @@
-<?xml version="1.0" encoding="UTF-8"?>
-
-<deployment xmlns="urn:jboss:bean-deployer:2.0">
-
- <!-- acl application-policy definition -->
- <application-policy xmlns="urn:jboss:security-beans:1.0" name="acl-domain">
- <authentication>
- <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="optional"/>
+<?xml version="1.0" encoding="UTF-8"?>
+
+<deployment xmlns="urn:jboss:bean-deployer:2.0">
+
+ <!-- acl application-policy definition -->
+ <application-policy xmlns="urn:jboss:security-beans:1.0" name="acl-domain">
+ <authentication>
+ <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="optional"/>
</authentication>
<acl>
<acl-module code="org.jboss.security.acl.ACLProviderImpl" flag="optional">
<module-option name="persistenceStrategy">org.jboss.security.plugins.acl.PolicyRegistrationStrategy</module-option>
</acl-module>
- </acl>
- </application-policy>
-
-</deployment>
+ </acl>
+ </application-policy>
+
+</deployment>
Added: trunk/testsuite/src/resources/security/ejb3/META-INF/jboss.xml
===================================================================
--- trunk/testsuite/src/resources/security/ejb3/META-INF/jboss.xml (rev 0)
+++ trunk/testsuite/src/resources/security/ejb3/META-INF/jboss.xml 2008-11-12 17:19:26 UTC (rev 80853)
@@ -0,0 +1,7 @@
+<?xml version="1.0"?>
+<!DOCTYPE jboss PUBLIC
+ "-//JBoss//DTD JBOSS 5.0//EN"
+ "http://www.jboss.org/j2ee/dtd/jboss_5_0.dtd">
+<jboss>
+ <security-domain>java:/jaas/security-ejb3-test</security-domain>
+</jboss>
Added: trunk/testsuite/src/resources/security/ejb3/config/ejb3-test-jboss-beans.xml
===================================================================
--- trunk/testsuite/src/resources/security/ejb3/config/ejb3-test-jboss-beans.xml (rev 0)
+++ trunk/testsuite/src/resources/security/ejb3/config/ejb3-test-jboss-beans.xml 2008-11-12 17:19:26 UTC (rev 80853)
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<deployment xmlns="urn:jboss:bean-deployer:2.0">
+
+ <!-- ejb3 test application-policy definition -->
+ <application-policy xmlns="urn:jboss:security-beans:1.0" name="security-ejb3-test">
+ <authentication>
+ <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
+ <module-option name="unauthenticatedIdentity">anonymous</module-option>
+ <module-option name="usersProperties">ejb3-test-users.properties</module-option>
+ <module-option name="rolesProperties">ejb3-test-roles.properties</module-option>
+ </login-module>
+ </authentication>
+ </application-policy>
+
+</deployment>
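Review bot: The `unauthenticatedIdentity` option on the `required` UsersRolesLoginModule means a caller that presents no credentials is not rejected at authentication but mapped to the principal `anonymous`, so in this domain it is the role check on the bean, not the login, that keeps unauthenticated callers out of protected methods. That only works while `anonymous` has no entry in ejb3-test-roles.properties (it currently has none), and nothing here records that coupling, so a reader adding a fixture user could silently grant roles to every unauthenticated call. I would add next to the option: `<!-- callers with no credentials become 'anonymous' with no roles; never add 'anonymous' to ejb3-test-roles.properties or unauthenticated calls gain those roles -->`. Presumably the test case relies on this mapping for its unauthenticated-access assertions; that is inferred from the configuration, not visible in this hunk.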
Added: trunk/testsuite/src/resources/security/ejb3/config/ejb3-test-roles.properties
===================================================================
--- trunk/testsuite/src/resources/security/ejb3/config/ejb3-test-roles.properties (rev 0)
+++ trunk/testsuite/src/resources/security/ejb3/config/ejb3-test-roles.properties 2008-11-12 17:19:26 UTC (rev 80853)
@@ -0,0 +1,3 @@
+UserA=RegularUser,Administrator
+UserB=RegularUser
+UserC=Guest
\ No newline at end of file
Added: trunk/testsuite/src/resources/security/ejb3/config/ejb3-test-users.properties
===================================================================
--- trunk/testsuite/src/resources/security/ejb3/config/ejb3-test-users.properties (rev 0)
+++ trunk/testsuite/src/resources/security/ejb3/config/ejb3-test-users.properties 2008-11-12 17:19:26 UTC (rev 80853)
@@ -0,0 +1,3 @@
+UserA=PassA
+UserB=PassB
+UserC=PassC
\ No newline at end of file
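Review bot: The passwords here are stored in the clear, which matches the login module being configured without a `hashAlgorithm` option, but the file itself gives no hint that this is a deliberate test fixture rather than a pattern to copy. A one-line header would make that explicit: `# test-only credentials for the security-ejb3-test domain; clear text because the login module sets no hashAlgorithm`. The missing trailing newline is harmless to the Properties loader but worth adding so the last entry is not merged on a future append.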