View | Details | Raw Unified | Return to bug 54190
Collapse All | Expand All

(-)TestNonLoginAndBasicAuthenticator.java (-71 / +237 lines)
Lines 48-53 Link Here
48
 */
48
 */
49
public class TestNonLoginAndBasicAuthenticator extends TomcatBaseTest {
49
public class TestNonLoginAndBasicAuthenticator extends TomcatBaseTest {
50
50
51
    // these should really be singletons to be type-safe,
52
    // we are in a unit test and don't need to paranoid.
53
    protected static final Boolean EXPECT_REJECT = true;
54
    protected static final Boolean EXPECT_ACCEPT = !EXPECT_REJECT;
55
56
    protected static final Boolean USE_COOKIES = true;
57
    protected static final Boolean NO_COOKIES = !USE_COOKIES;
58
59
    protected static final Boolean PROVIDE_CREDENTIALS = true;
60
    protected static final Boolean NO_CREDENTIALS = !PROVIDE_CREDENTIALS;
61
62
    protected static final Boolean VERIFY_AUTH_SCHEME = true;
63
    protected static final Boolean NO_VERIFY_AUTH_SCHEME = !VERIFY_AUTH_SCHEME;
64
51
    private static final String USER = "user";
65
    private static final String USER = "user";
52
    private static final String PWD = "pwd";
66
    private static final String PWD = "pwd";
53
    private static final String ROLE = "role";
67
    private static final String ROLE = "role";
Lines 58-70 Link Here
58
    private static final String URI_PROTECTED = "/protected";
72
    private static final String URI_PROTECTED = "/protected";
59
    private static final String URI_PUBLIC = "/anyoneCanAccess";
73
    private static final String URI_PUBLIC = "/anyoneCanAccess";
60
74
61
    private static final int SHORT_TIMEOUT_SECS = 4;
75
    private static final int SHORT_TIMEOUT_MINS = 1;
62
    private static final int LONG_TIMEOUT_SECS = 10;
76
    private static final int LONG_TIMEOUT_MINS = 2;
63
    private static final long LONG_TIMEOUT_DELAY_MSECS =
77
    private static final long TIMEOUT_DELAY_MSECS =
64
                                    ((LONG_TIMEOUT_SECS + 2) * 1000);
78
                                    (((SHORT_TIMEOUT_MINS * 60) + 10) * 1000);
65
79
66
    private static String CLIENT_AUTH_HEADER = "authorization";
80
    private static final String CLIENT_AUTH_HEADER = "authorization";
81
    private static final String SERVER_COOKIE_HEADER = "Set-Cookie";
82
    private static final String CLIENT_COOKIE_HEADER = "Cookie";
67
83
84
    private Tomcat tomcat;
85
    private AuthenticatorBase basicAuthenticator;
86
    private AuthenticatorBase nonloginAuthenticator;
87
    private List<String> cookies;
88
68
    /*
89
    /*
69
     * Try to access an unprotected resource in a webapp that
90
     * Try to access an unprotected resource in a webapp that
70
     * does not have a login method defined.
91
     * does not have a login method defined.
Lines 72-78 Link Here
72
     */
93
     */
73
    @Test
94
    @Test
74
    public void testAcceptPublicNonLogin() throws Exception {
95
    public void testAcceptPublicNonLogin() throws Exception {
75
        doTestNonLogin(CONTEXT_PATH_NOLOGIN + URI_PUBLIC, false, 200);
96
        doTestNonLogin(CONTEXT_PATH_NOLOGIN + URI_PUBLIC,
97
                NO_COOKIES, EXPECT_ACCEPT, 200);
76
    }
98
    }
77
99
78
    /*
100
    /*
Lines 82-88 Link Here
82
     */
104
     */
83
    @Test
105
    @Test
84
    public void testRejectProtectedNonLogin() throws Exception {
106
    public void testRejectProtectedNonLogin() throws Exception {
85
        doTestNonLogin(CONTEXT_PATH_NOLOGIN + URI_PROTECTED, true, 403);
107
        doTestNonLogin(CONTEXT_PATH_NOLOGIN + URI_PROTECTED,
108
                NO_COOKIES, EXPECT_REJECT, 403);
86
    }
109
    }
87
110
88
    /*
111
    /*
Lines 93-99 Link Here
93
    @Test
116
    @Test
94
    public void testAcceptPublicBasic() throws Exception {
117
    public void testAcceptPublicBasic() throws Exception {
95
        doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PUBLIC,
118
        doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PUBLIC,
96
                false, false, 200, false, 200);
119
                NO_VERIFY_AUTH_SCHEME, NO_CREDENTIALS, NO_COOKIES,
120
                EXPECT_ACCEPT, 200);
97
    }
121
    }
98
122
99
    /*
123
    /*
Lines 104-110 Link Here
104
    @Test
128
    @Test
105
    public void testAcceptProtectedBasic() throws Exception {
129
    public void testAcceptProtectedBasic() throws Exception {
106
        doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PROTECTED,
130
        doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PROTECTED,
107
                false, true, 401, false, 200);
131
                NO_VERIFY_AUTH_SCHEME, NO_CREDENTIALS, NO_COOKIES,
132
                EXPECT_REJECT, 401);
133
        doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PROTECTED,
134
                NO_VERIFY_AUTH_SCHEME, PROVIDE_CREDENTIALS, NO_COOKIES,
135
                EXPECT_ACCEPT, 200);
108
    }
136
    }
109
137
110
    /*
138
    /*
Lines 116-139 Link Here
116
    @Test
144
    @Test
117
    public void testAuthMethodCaseBasic() throws Exception {
145
    public void testAuthMethodCaseBasic() throws Exception {
118
        doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PROTECTED,
146
        doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PROTECTED,
119
                true, true, 401, false, 200);
147
                VERIFY_AUTH_SCHEME, NO_CREDENTIALS, NO_COOKIES,
148
                EXPECT_REJECT, 401);
149
        doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PROTECTED,
150
                VERIFY_AUTH_SCHEME, PROVIDE_CREDENTIALS, NO_COOKIES,
151
                EXPECT_ACCEPT, 200);
120
    }
152
    }
121
153
122
    /*
154
    /*
155
     * Test the default behaviour of BASIC authentication, which does
156
     * NOT create a session on the server. The authentication must be
157
     * performed by the browser sending a valid authenticate header
158
     * with every request for a protected resource.
159
     *
123
     * Logon to access a protected resource in a webapp that uses
160
     * Logon to access a protected resource in a webapp that uses
124
     * BASIC authentication. Wait until that session times-out,
161
     * BASIC authentication. Immediately try to re-access the resource
125
     * then re-access the resource.
162
     * without providing credentials. This should be rejected with
126
     * This should be rejected with SC_FORBIDDEN 401 status, which
163
     * SC_FORBIDDEN 401 status, which can be followed by successful
127
     * can be followed by successful re-authentication.
164
     * re-authentication.
128
     */
165
     */
129
    @Test
166
    @Test
167
    public void testBasicLoginWithoutSession() throws Exception {
168
        doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PROTECTED,
169
                NO_VERIFY_AUTH_SCHEME, NO_CREDENTIALS, NO_COOKIES,
170
                EXPECT_REJECT, 401);
171
        doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PROTECTED,
172
                NO_VERIFY_AUTH_SCHEME, PROVIDE_CREDENTIALS, NO_COOKIES,
173
                EXPECT_ACCEPT, 200);
174
175
        // next, don't provide credentials initially
176
        doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PROTECTED,
177
                NO_VERIFY_AUTH_SCHEME, NO_CREDENTIALS, NO_COOKIES,
178
                EXPECT_REJECT, 401);
179
        doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PROTECTED,
180
                NO_VERIFY_AUTH_SCHEME, PROVIDE_CREDENTIALS, NO_COOKIES,
181
                EXPECT_ACCEPT, 200);
182
    }
183
184
    /*
185
     * Test the optional behaviour of BASIC authentication to create
186
     * a session on the server. The server will return a session cookie.
187
     *
188
     * 1. try to access a protected resource without credentials, so
189
     *    get Unauthorized status.
190
     * 2. try to access a protected resource when providing credentials,
191
     *    so get OK status and a server session cookie.
192
     * 3. access the protected resource once more using a session cookie.
193
     * 4. repeat using the session cookie.
194
     *
195
     * Note: The FormAuthenticator is a two-step process and is protected
196
     *       from session fixation attacks by the AuthenticatorBase
197
     *       changeSessionIdOnAuthentication default setting of true.
198
     *       However, BasicAuthenticator is a one-step process and so
199
     *       the AuthenticatorBase does not reissue the sessionId.
200
     */
201
   @Test
202
    public void testBasicLoginSessionPersistence() throws Exception {
203
        setAlwaysUseSession();
204
        doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PROTECTED,
205
                NO_VERIFY_AUTH_SCHEME, NO_CREDENTIALS, NO_COOKIES,
206
                EXPECT_REJECT, 401);
207
        doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PROTECTED,
208
                NO_VERIFY_AUTH_SCHEME, PROVIDE_CREDENTIALS, NO_COOKIES,
209
                EXPECT_ACCEPT, 200);
210
        doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PROTECTED,
211
                NO_VERIFY_AUTH_SCHEME, PROVIDE_CREDENTIALS, USE_COOKIES,
212
                EXPECT_ACCEPT, 200);
213
        doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PROTECTED,
214
                NO_VERIFY_AUTH_SCHEME, PROVIDE_CREDENTIALS, USE_COOKIES,
215
                EXPECT_ACCEPT, 200);
216
    }
217
218
    /*
219
     * Test the optional behaviour of BASIC authentication to create
220
     * a session on the server. The server will return a session cookie.
221
     * Verify the session timeout mechanism.
222
     *
223
     * 1. try to access a protected resource without credentials, so
224
     *    get Unauthorized status.
225
     * 2. try to access a protected resource when providing credentials,
226
     *    so get OK status and a server session cookie.
227
     * 3. access the protected resource once more using a session cookie.
228
     * 4. wait long enough for the session to time out.
229
     * 5. try to access the protected resource once more using the
230
     *    original session cookie. It should be rejected as Unauthorized.
231
     * 6. try to access the protected resource when providing credentials,
232
     *    so get OK status and a new server session cookie.
233
     * 7. access the protected resource once more using the new session cookie.
234
     */
235
   @Test
130
    public void testBasicLoginSessionTimeout() throws Exception {
236
    public void testBasicLoginSessionTimeout() throws Exception {
237
        setAlwaysUseSession();
131
        doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PROTECTED,
238
        doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PROTECTED,
132
                false, true, 401, false, 200);
239
                NO_VERIFY_AUTH_SCHEME, NO_CREDENTIALS, NO_COOKIES,
133
        // wait long enough for the session above to expire
240
                EXPECT_REJECT, 401);
134
        Thread.sleep(LONG_TIMEOUT_DELAY_MSECS);
135
        doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PROTECTED,
241
        doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PROTECTED,
136
                false, true, 401, false, 200);
242
                NO_VERIFY_AUTH_SCHEME, PROVIDE_CREDENTIALS, NO_COOKIES,
243
                EXPECT_ACCEPT, 200);
244
        doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PROTECTED,
245
                NO_VERIFY_AUTH_SCHEME, PROVIDE_CREDENTIALS, USE_COOKIES,
246
                EXPECT_ACCEPT, 200);
247
248
        // allow the session to time out and lose authentication
249
        List<String> originalCookies = cookies;
250
        Thread.sleep(TIMEOUT_DELAY_MSECS);
251
        doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PROTECTED,
252
                NO_VERIFY_AUTH_SCHEME, PROVIDE_CREDENTIALS, USE_COOKIES,
253
                EXPECT_REJECT, 401);
254
        doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PROTECTED,
255
                NO_VERIFY_AUTH_SCHEME, PROVIDE_CREDENTIALS, NO_COOKIES,
256
                EXPECT_ACCEPT, 200);
257
        doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PROTECTED,
258
                NO_VERIFY_AUTH_SCHEME, PROVIDE_CREDENTIALS, USE_COOKIES,
259
                EXPECT_ACCEPT, 200);
260
261
        // slightly paranoid verification
262
        boolean sameCookies = originalCookies.equals(cookies);
263
        assertTrue(!sameCookies);
137
    }
264
    }
138
265
139
    /*
266
    /*
Lines 146-163 Link Here
146
    @Test
273
    @Test
147
    public void testBasicLoginRejectProtected() throws Exception {
274
    public void testBasicLoginRejectProtected() throws Exception {
148
        doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PROTECTED,
275
        doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PROTECTED,
149
                false, true, 401, false, 200);
276
                NO_VERIFY_AUTH_SCHEME, NO_CREDENTIALS, NO_COOKIES,
277
                EXPECT_REJECT, 401);
278
        doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PROTECTED,
279
                NO_VERIFY_AUTH_SCHEME, PROVIDE_CREDENTIALS, NO_COOKIES,
280
                EXPECT_ACCEPT, 200);
150
        doTestNonLogin(CONTEXT_PATH_NOLOGIN + URI_PROTECTED,
281
        doTestNonLogin(CONTEXT_PATH_NOLOGIN + URI_PROTECTED,
151
                true, 403);
282
                NO_COOKIES, EXPECT_REJECT, 403);
152
    }
283
    }
153
284
285
    /*
286
     * Logon to access a protected resource in a webapp that uses
287
     * BASIC authentication and session id. Then try to access a
288
     * protected resource in a different webapp that does not have
289
     * a login method using the original session.
290
     * This should be rejected with SC_FORBIDDEN 403 status, confirming
291
     * there has been no cross-authentication between the webapps.
292
     */
293
    @Test
294
    public void testBasicLoginRejectProtectedWithSession() throws Exception {
295
        setAlwaysUseSession();
296
        doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PROTECTED,
297
                NO_VERIFY_AUTH_SCHEME, NO_CREDENTIALS, NO_COOKIES,
298
                EXPECT_REJECT, 401);
299
        doTestBasic(USER, PWD, CONTEXT_PATH_LOGIN + URI_PROTECTED,
300
                NO_VERIFY_AUTH_SCHEME, PROVIDE_CREDENTIALS, NO_COOKIES,
301
                EXPECT_ACCEPT, 200);
302
        doTestNonLogin(CONTEXT_PATH_NOLOGIN + URI_PROTECTED,
303
                USE_COOKIES, EXPECT_REJECT, 403);
304
    }
154
305
155
    private void doTestNonLogin(String uri, boolean expectedReject,
156
            int expectedRC) throws Exception {
157
306
307
    private void doTestNonLogin(String uri, boolean useCookie,
308
            boolean expectedReject, int expectedRC) throws Exception {
309
158
        Map<String,List<String>> reqHeaders = new HashMap<>();
310
        Map<String,List<String>> reqHeaders = new HashMap<>();
159
        Map<String,List<String>> respHeaders = new HashMap<>();
311
        Map<String,List<String>> respHeaders = new HashMap<>();
160
312
313
        if (useCookie && (cookies != null)) {
314
            reqHeaders.put(CLIENT_COOKIE_HEADER + ":", cookies);
315
        }
316
161
        ByteChunk bc = new ByteChunk();
317
        ByteChunk bc = new ByteChunk();
162
        int rc = getUrl(HTTP_PREFIX + getPort() + uri, bc, reqHeaders,
318
        int rc = getUrl(HTTP_PREFIX + getPort() + uri, bc, reqHeaders,
163
                respHeaders);
319
                respHeaders);
Lines 173-256 Link Here
173
    }
329
    }
174
330
175
    private void doTestBasic(String user, String pwd, String uri,
331
    private void doTestBasic(String user, String pwd, String uri,
176
            boolean verifyAuthSchemeCase,
332
            boolean verifyAuthSchemeCase, boolean provideCredentials,
177
            boolean expectedReject1, int expectedRC1,
333
            boolean useCookie, boolean expectedReject, int expectedRC)
178
            boolean expectedReject2, int expectedRC2) throws Exception {
334
            throws Exception {
179
335
180
        // the first access attempt should be challenged
336
        Map<String,List<String>> reqHeaders = new HashMap<>();
181
        Map<String,List<String>> reqHeaders1 = new HashMap<>();
337
        Map<String,List<String>> respHeaders = new HashMap<>();
182
        Map<String,List<String>> respHeaders1 = new HashMap<>();
183
338
184
        ByteChunk bc = new ByteChunk();
339
        if (provideCredentials) {
185
        int rc = getUrl(HTTP_PREFIX + getPort() + uri, bc, reqHeaders1,
340
            if (useCookie && (cookies != null)) {
186
                respHeaders1);
341
                reqHeaders.put(CLIENT_COOKIE_HEADER + ":", cookies);
342
            }
343
            else {
344
                String credentials = user + ":" + pwd;
345
                byte[] credentialsBytes = ByteChunk.convertToBytes(credentials);
346
                String base64auth = Base64.encode(credentialsBytes);
347
                String authScheme = verifyAuthSchemeCase ? "bAsIc " : "Basic ";
348
                String authLine = authScheme + base64auth;
187
349
188
        if (expectedReject1) {
350
                List<String> auth = new ArrayList<>();
189
            assertEquals(expectedRC1, rc);
351
                auth.add(authLine);
190
            assertTrue(bc.getLength() > 0);
352
                reqHeaders.put(CLIENT_AUTH_HEADER, auth);
353
            }
191
        }
354
        }
192
        else {
193
            assertEquals(200, rc);
194
            assertEquals("OK", bc.toString());
195
            return;
196
        }
197
355
198
        // the second access attempt should be sucessful
356
        ByteChunk bc = new ByteChunk();
199
        String credentials = user + ":" + pwd;
357
        int rc = getUrl(HTTP_PREFIX + getPort() + uri, bc, reqHeaders,
200
        byte[] credentialsBytes = ByteChunk.convertToBytes(credentials);
358
                respHeaders);
201
        String base64auth = Base64.encode(credentialsBytes);
202
        String authScheme = verifyAuthSchemeCase ? "bAsIc " : "Basic ";
203
        String authLine = authScheme + base64auth;
204
359
205
        List<String> auth = new ArrayList<>();
360
        if (expectedReject) {
206
        auth.add(authLine);
361
            assertEquals(expectedRC, rc);
207
        Map<String,List<String>> reqHeaders2 = new HashMap<>();
208
        reqHeaders2.put(CLIENT_AUTH_HEADER, auth);
209
210
        Map<String,List<String>> respHeaders2 = new HashMap<>();
211
212
        bc.recycle();
213
        rc = getUrl(HTTP_PREFIX + getPort() + uri, bc, reqHeaders2,
214
                respHeaders2);
215
216
        if (expectedReject2) {
217
            assertEquals(expectedRC2, rc);
218
            assertTrue(bc.getLength() > 0);
362
            assertTrue(bc.getLength() > 0);
219
        }
363
        }
220
        else {
364
        else {
221
            assertEquals(200, rc);
365
            assertEquals(200, rc);
222
            assertEquals("OK", bc.toString());
366
            assertEquals("OK", bc.toString());
367
            List<String> newCookies = respHeaders.get(SERVER_COOKIE_HEADER);
368
            if (newCookies != null) {
369
                // harvest cookies whenever the server sends some new ones
370
                cookies = newCookies;
371
            }
223
        }
372
        }
224
    }
373
    }
225
374
226
375
376
    /*
377
     * setup two webapps for every test
378
     *
379
     * note: the super class tearDown method will stop tomcat
380
     */
227
    @Override
381
    @Override
228
    public void setUp() throws Exception {
382
    public void setUp() throws Exception {
229
383
230
        super.setUp();
384
        super.setUp();
231
385
232
        // create a tomcat server using the default in-memory Realm
386
        // create a tomcat server using the default in-memory Realm
233
        Tomcat tomcat = getTomcatInstance();
387
        tomcat = getTomcatInstance();
234
388
235
        // add the test user and role to the Realm
389
        // add the test user and role to the Realm
236
        tomcat.addUser(USER, PWD);
390
        tomcat.addUser(USER, PWD);
237
        tomcat.addRole(USER, ROLE);
391
        tomcat.addRole(USER, ROLE);
238
392
239
        // setup both NonLogin and Login webapps
393
        // setup both NonLogin and Login webapps
240
        setUpNonLogin(tomcat);
394
        setUpNonLogin();
241
        setUpLogin(tomcat);
395
        setUpLogin();
242
396
243
        tomcat.start();
397
        tomcat.start();
244
    }
398
    }
245
399
246
    private void setUpNonLogin(Tomcat tomcat) throws Exception {
247
400
401
    private void setUpNonLogin() throws Exception {
402
248
        // Must have a real docBase for webapps - just use temp
403
        // Must have a real docBase for webapps - just use temp
249
        Context ctxt = tomcat.addContext(CONTEXT_PATH_NOLOGIN,
404
        Context ctxt = tomcat.addContext(CONTEXT_PATH_NOLOGIN,
250
                System.getProperty("java.io.tmpdir"));
405
                System.getProperty("java.io.tmpdir"));
251
        ctxt.setSessionTimeout(LONG_TIMEOUT_SECS);
406
        ctxt.setSessionTimeout(LONG_TIMEOUT_MINS);
252
407
253
        // Add protected servlet
408
        // Add protected servlet to the context
254
        Tomcat.addServlet(ctxt, "TesterServlet1", new TesterServlet());
409
        Tomcat.addServlet(ctxt, "TesterServlet1", new TesterServlet());
255
        ctxt.addServletMapping(URI_PROTECTED, "TesterServlet1");
410
        ctxt.addServletMapping(URI_PROTECTED, "TesterServlet1");
256
411
Lines 261-267 Link Here
261
        sc1.addCollection(collection1);
416
        sc1.addCollection(collection1);
262
        ctxt.addConstraint(sc1);
417
        ctxt.addConstraint(sc1);
263
418
264
        // Add unprotected servlet
419
        // Add unprotected servlet to the context
265
        Tomcat.addServlet(ctxt, "TesterServlet2", new TesterServlet());
420
        Tomcat.addServlet(ctxt, "TesterServlet2", new TesterServlet());
266
        ctxt.addServletMapping(URI_PUBLIC, "TesterServlet2");
421
        ctxt.addServletMapping(URI_PUBLIC, "TesterServlet2");
267
422
Lines 276-292 Link Here
276
        LoginConfig lc = new LoginConfig();
431
        LoginConfig lc = new LoginConfig();
277
        lc.setAuthMethod("NONE");
432
        lc.setAuthMethod("NONE");
278
        ctxt.setLoginConfig(lc);
433
        ctxt.setLoginConfig(lc);
279
        ctxt.getPipeline().addValve(new NonLoginAuthenticator());
434
        nonloginAuthenticator = new NonLoginAuthenticator();
435
        ctxt.getPipeline().addValve(nonloginAuthenticator);
280
    }
436
    }
281
437
282
    private void setUpLogin(Tomcat tomcat) throws Exception {
438
    private void setUpLogin() throws Exception {
283
439
284
        // Must have a real docBase for webapps - just use temp
440
        // Must have a real docBase for webapps - just use temp
285
        Context ctxt = tomcat.addContext(CONTEXT_PATH_LOGIN,
441
        Context ctxt = tomcat.addContext(CONTEXT_PATH_LOGIN,
286
                System.getProperty("java.io.tmpdir"));
442
                System.getProperty("java.io.tmpdir"));
287
        ctxt.setSessionTimeout(SHORT_TIMEOUT_SECS);
443
        ctxt.setSessionTimeout(SHORT_TIMEOUT_MINS);
288
444
289
        // Add protected servlet
445
        // Add protected servlet to the context
290
        Tomcat.addServlet(ctxt, "TesterServlet3", new TesterServlet());
446
        Tomcat.addServlet(ctxt, "TesterServlet3", new TesterServlet());
291
        ctxt.addServletMapping(URI_PROTECTED, "TesterServlet3");
447
        ctxt.addServletMapping(URI_PROTECTED, "TesterServlet3");
292
        SecurityCollection collection = new SecurityCollection();
448
        SecurityCollection collection = new SecurityCollection();
Lines 296-302 Link Here
296
        sc.addCollection(collection);
452
        sc.addCollection(collection);
297
        ctxt.addConstraint(sc);
453
        ctxt.addConstraint(sc);
298
454
299
        // Add unprotected servlet
455
        // Add unprotected servlet to the context
300
        Tomcat.addServlet(ctxt, "TesterServlet4", new TesterServlet());
456
        Tomcat.addServlet(ctxt, "TesterServlet4", new TesterServlet());
301
        ctxt.addServletMapping(URI_PUBLIC, "TesterServlet4");
457
        ctxt.addServletMapping(URI_PUBLIC, "TesterServlet4");
302
458
Lines 311-317 Link Here
311
        LoginConfig lc = new LoginConfig();
467
        LoginConfig lc = new LoginConfig();
312
        lc.setAuthMethod("BASIC");
468
        lc.setAuthMethod("BASIC");
313
        ctxt.setLoginConfig(lc);
469
        ctxt.setLoginConfig(lc);
314
        ctxt.getPipeline().addValve(new BasicAuthenticator());
470
        basicAuthenticator = new BasicAuthenticator();
471
        ctxt.getPipeline().addValve(basicAuthenticator);
315
    }
472
    }
316
473
474
    /*
475
     * Force non-default behaviour for both Authenticators
476
     */
477
    private void setAlwaysUseSession() {
478
479
        basicAuthenticator.setAlwaysUseSession(true);
480
        nonloginAuthenticator.setAlwaysUseSession(true);
481
    }
482
317
}
483
}

Return to bug 54190