
(-)test/org/apache/catalina/authenticator/TestNonLoginAndBasicAuthenticator.java (-31 / +47 lines)
Lines 32-37 Link Here
32
import org.apache.catalina.deploy.LoginConfig;
32
import org.apache.catalina.deploy.LoginConfig;
33
import org.apache.catalina.deploy.SecurityCollection;
33
import org.apache.catalina.deploy.SecurityCollection;
34
import org.apache.catalina.deploy.SecurityConstraint;
34
import org.apache.catalina.deploy.SecurityConstraint;
35
import org.apache.catalina.session.ManagerBase;
35
import org.apache.catalina.startup.TesterServlet;
36
import org.apache.catalina.startup.TesterServlet;
36
import org.apache.catalina.startup.Tomcat;
37
import org.apache.catalina.startup.Tomcat;
37
import org.apache.catalina.startup.TomcatBaseTest;
38
import org.apache.catalina.startup.TomcatBaseTest;
Lines 64-76 Link Here
64
    private static final String URI_PROTECTED = "/protected";
65
    private static final String URI_PROTECTED = "/protected";
65
    private static final String URI_PUBLIC = "/anyoneCanAccess";
66
    private static final String URI_PUBLIC = "/anyoneCanAccess";
66
67
67
    private static final int SHORT_TIMEOUT_MINS = 1;
68
    private static final int SHORT_SESSION_TIMEOUT_MINS = 1;
68
    private static final int LONG_TIMEOUT_MINS = 2;
69
    private static final int LONG_SESSION_TIMEOUT_MINS = 2;
69
    private static final int MANAGER_SCAN_DELAY_SECS = 60;
70
    private static final int MANAGER_SCAN_INTERVAL_SECS = 10;
71
    private static final int MANAGER_EXPIRE_SESSIONS_FAST = 1;
70
    private static final int EXTRA_DELAY_SECS = 5;
72
    private static final int EXTRA_DELAY_SECS = 5;
71
    private static final long TIMEOUT_DELAY_MSECS =
73
    private static final long TIMEOUT_DELAY_MSECS =
72
            (((SHORT_TIMEOUT_MINS * 60)
74
            (((SHORT_SESSION_TIMEOUT_MINS * 60)
73
                    + MANAGER_SCAN_DELAY_SECS + EXTRA_DELAY_SECS) * 1000);
75
            + (MANAGER_SCAN_INTERVAL_SECS * MANAGER_EXPIRE_SESSIONS_FAST)
76
            + EXTRA_DELAY_SECS) * 1000);
74
77
75
    private static final String CLIENT_AUTH_HEADER = "authorization";
78
    private static final String CLIENT_AUTH_HEADER = "authorization";
76
    private static final String SERVER_AUTH_HEADER = "WWW-Authenticate";
79
    private static final String SERVER_AUTH_HEADER = "WWW-Authenticate";
Lines 94-101 Link Here
94
                new BasicCredentials(NICE_METHOD, USER, " " + PWD + " ");
97
                new BasicCredentials(NICE_METHOD, USER, " " + PWD + " ");
95
98
96
    private Tomcat tomcat;
99
    private Tomcat tomcat;
97
    private AuthenticatorBase basicAuthenticator;
100
    private Context basicContext;
98
    private AuthenticatorBase nonloginAuthenticator;
101
    private Context nonloginContext;
99
    private List<String> cookies;
102
    private List<String> cookies;
100
103
101
    /*
104
    /*
Lines 321-326 Link Here
321
    public void testBasicLoginSessionTimeout() throws Exception {
324
    public void testBasicLoginSessionTimeout() throws Exception {
322
325
323
       setAlwaysUseSession();
326
       setAlwaysUseSession();
327
       setRapidSessionTimeout();
324
328
325
       // this section is identical to testAuthMethodCaseBasic
329
       // this section is identical to testAuthMethodCaseBasic
326
        doTestBasic(CONTEXT_PATH_LOGIN + URI_PROTECTED, NO_CREDENTIALS,
330
        doTestBasic(CONTEXT_PATH_LOGIN + URI_PROTECTED, NO_CREDENTIALS,
Lines 494-567 Link Here
494
    private void setUpNonLogin() throws Exception {
498
    private void setUpNonLogin() throws Exception {
495
499
496
        // Must have a real docBase for webapps - just use temp
500
        // Must have a real docBase for webapps - just use temp
497
        Context ctxt = tomcat.addContext(CONTEXT_PATH_NOLOGIN,
501
        nonloginContext = tomcat.addContext(CONTEXT_PATH_NOLOGIN,
498
                System.getProperty("java.io.tmpdir"));
502
                System.getProperty("java.io.tmpdir"));
499
        ctxt.setSessionTimeout(LONG_TIMEOUT_MINS);
503
        nonloginContext.setSessionTimeout(LONG_SESSION_TIMEOUT_MINS);
500
504
501
        // Add protected servlet to the context
505
        // Add protected servlet to the context
502
        Tomcat.addServlet(ctxt, "TesterServlet1", new TesterServlet());
506
        Tomcat.addServlet(nonloginContext, "TesterServlet1", new TesterServlet());
503
        ctxt.addServletMapping(URI_PROTECTED, "TesterServlet1");
507
        nonloginContext.addServletMapping(URI_PROTECTED, "TesterServlet1");
504
508
505
        SecurityCollection collection1 = new SecurityCollection();
509
        SecurityCollection collection1 = new SecurityCollection();
506
        collection1.addPattern(URI_PROTECTED);
510
        collection1.addPattern(URI_PROTECTED);
507
        SecurityConstraint sc1 = new SecurityConstraint();
511
        SecurityConstraint sc1 = new SecurityConstraint();
508
        sc1.addAuthRole(ROLE);
512
        sc1.addAuthRole(ROLE);
509
        sc1.addCollection(collection1);
513
        sc1.addCollection(collection1);
510
        ctxt.addConstraint(sc1);
514
        nonloginContext.addConstraint(sc1);
511
515
512
        // Add unprotected servlet to the context
516
        // Add unprotected servlet to the context
513
        Tomcat.addServlet(ctxt, "TesterServlet2", new TesterServlet());
517
        Tomcat.addServlet(nonloginContext, "TesterServlet2", new TesterServlet());
514
        ctxt.addServletMapping(URI_PUBLIC, "TesterServlet2");
518
        nonloginContext.addServletMapping(URI_PUBLIC, "TesterServlet2");
515
519
516
        SecurityCollection collection2 = new SecurityCollection();
520
        SecurityCollection collection2 = new SecurityCollection();
517
        collection2.addPattern(URI_PUBLIC);
521
        collection2.addPattern(URI_PUBLIC);
518
        SecurityConstraint sc2 = new SecurityConstraint();
522
        SecurityConstraint sc2 = new SecurityConstraint();
519
        // do not add a role - which signals access permitted without one
523
        // do not add a role - which signals access permitted without one
520
        sc2.addCollection(collection2);
524
        sc2.addCollection(collection2);
521
        ctxt.addConstraint(sc2);
525
        nonloginContext.addConstraint(sc2);
522
526
523
        // Configure the authenticator and inherit the Realm from Engine
527
        // Configure the authenticator and inherit the Realm from Engine
524
        LoginConfig lc = new LoginConfig();
528
        LoginConfig lc = new LoginConfig();
525
        lc.setAuthMethod("NONE");
529
        lc.setAuthMethod("NONE");
526
        ctxt.setLoginConfig(lc);
530
        nonloginContext.setLoginConfig(lc);
527
        nonloginAuthenticator = new NonLoginAuthenticator();
531
        AuthenticatorBase nonloginAuthenticator = new NonLoginAuthenticator();
528
        ctxt.getPipeline().addValve(nonloginAuthenticator);
532
        nonloginContext.getPipeline().addValve(nonloginAuthenticator);
529
    }
533
    }
530
534
531
    private void setUpLogin() throws Exception {
535
    private void setUpLogin() throws Exception {
532
536
533
        // Must have a real docBase for webapps - just use temp
537
        // Must have a real docBase for webapps - just use temp
534
        Context ctxt = tomcat.addContext(CONTEXT_PATH_LOGIN,
538
        basicContext = tomcat.addContext(CONTEXT_PATH_LOGIN,
535
                System.getProperty("java.io.tmpdir"));
539
                System.getProperty("java.io.tmpdir"));
536
        ctxt.setSessionTimeout(SHORT_TIMEOUT_MINS);
540
        basicContext.setSessionTimeout(SHORT_SESSION_TIMEOUT_MINS);
537
541
538
        // Add protected servlet to the context
542
        // Add protected servlet to the context
539
        Tomcat.addServlet(ctxt, "TesterServlet3", new TesterServlet());
543
        Tomcat.addServlet(basicContext, "TesterServlet3", new TesterServlet());
540
        ctxt.addServletMapping(URI_PROTECTED, "TesterServlet3");
544
        basicContext.addServletMapping(URI_PROTECTED, "TesterServlet3");
541
        SecurityCollection collection = new SecurityCollection();
545
        SecurityCollection collection = new SecurityCollection();
542
        collection.addPattern(URI_PROTECTED);
546
        collection.addPattern(URI_PROTECTED);
543
        SecurityConstraint sc = new SecurityConstraint();
547
        SecurityConstraint sc = new SecurityConstraint();
544
        sc.addAuthRole(ROLE);
548
        sc.addAuthRole(ROLE);
545
        sc.addCollection(collection);
549
        sc.addCollection(collection);
546
        ctxt.addConstraint(sc);
550
        basicContext.addConstraint(sc);
547
551
548
        // Add unprotected servlet to the context
552
        // Add unprotected servlet to the context
549
        Tomcat.addServlet(ctxt, "TesterServlet4", new TesterServlet());
553
        Tomcat.addServlet(basicContext, "TesterServlet4", new TesterServlet());
550
        ctxt.addServletMapping(URI_PUBLIC, "TesterServlet4");
554
        basicContext.addServletMapping(URI_PUBLIC, "TesterServlet4");
551
555
552
        SecurityCollection collection2 = new SecurityCollection();
556
        SecurityCollection collection2 = new SecurityCollection();
553
        collection2.addPattern(URI_PUBLIC);
557
        collection2.addPattern(URI_PUBLIC);
554
        SecurityConstraint sc2 = new SecurityConstraint();
558
        SecurityConstraint sc2 = new SecurityConstraint();
555
        // do not add a role - which signals access permitted without one
559
        // do not add a role - which signals access permitted without one
556
        sc2.addCollection(collection2);
560
        sc2.addCollection(collection2);
557
        ctxt.addConstraint(sc2);
561
        basicContext.addConstraint(sc2);
558
562
559
        // Configure the authenticator and inherit the Realm from Engine
563
        // Configure the authenticator and inherit the Realm from Engine
560
        LoginConfig lc = new LoginConfig();
564
        LoginConfig lc = new LoginConfig();
561
        lc.setAuthMethod("BASIC");
565
        lc.setAuthMethod("BASIC");
562
        ctxt.setLoginConfig(lc);
566
        basicContext.setLoginConfig(lc);
563
        basicAuthenticator = new BasicAuthenticator();
567
        AuthenticatorBase basicAuthenticator = new BasicAuthenticator();
564
        ctxt.getPipeline().addValve(basicAuthenticator);
568
        basicContext.getPipeline().addValve(basicAuthenticator);
565
    }
569
    }
566
570
567
    /*
571
    /*
Lines 569-579 Link Here
569
     */
573
     */
570
    private void setAlwaysUseSession() {
574
    private void setAlwaysUseSession() {
571
575
572
        basicAuthenticator.setAlwaysUseSession(true);
576
        ((AuthenticatorBase)basicContext.getAuthenticator())
573
        nonloginAuthenticator.setAlwaysUseSession(true);
577
                .setAlwaysUseSession(true);
578
        ((AuthenticatorBase)nonloginContext.getAuthenticator())
579
                .setAlwaysUseSession(true);
574
    }
580
    }
575
581
576
    /*
582
    /*
583
     * Force rapid timeout scanning for the Basic Authentication webapp
584
     * The StandardManager default service cycle time is 10 seconds,
585
     * with a session expiry scan every 6 cycles.
586
     */
587
    private void setRapidSessionTimeout() {
588
589
        ((ManagerBase) basicContext.getManager())
590
                .setProcessExpiresFrequency(MANAGER_EXPIRE_SESSIONS_FAST);
591
    }
592
    /*
577
     * Encapsulate the logic to generate an HTTP header
593
     * Encapsulate the logic to generate an HTTP header
578
     * for BASIC Authentication.
594
     * for BASIC Authentication.
579
     * Note: only used internally, so no need to validate arguments.
595
     * Note: only used internally, so no need to validate arguments.
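Review bot: `setRapidSessionTimeout` (new lines 587-591) only shortens the expiry-scan frequency, while the 10-second background-processor period it relies on stays an unstated assumption baked into `MANAGER_SCAN_INTERVAL_SECS` and the comment above the method; if the Engine runs with a different `backgroundProcessorDelay`, `TIMEOUT_DELAY_MSECS` no longer bounds the real expiry latency and the "expired session is rejected" check passes or fails for timing reasons rather than because the authenticator stopped honouring the cached principal. Pinning the period where the frequency is set keeps the constant honest: `tomcat.getEngine().setBackgroundProcessorDelay(MANAGER_SCAN_INTERVAL_SECS);` immediately before the `setProcessExpiresFrequency` call (presumably the test server is already built at that point; the hunk does not show where `tomcat` is started). The bare `(ManagerBase)` cast on line 589 surfaces a missing or foreign manager only as a ClassCastException/NullPointerException deep in the test; `assertTrue(basicContext.getManager() instanceof ManagerBase);` first gives a failure that names the actual problem. The comment on `setRapidSessionTimeout` should also say that it applies to the BASIC context only, so a reader does not expect `nonloginContext` sessions to expire on the same accelerated schedule.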
