Adding a new sample/test to check for deny-uncovered-http element in web.xml

Author: arun-gupta

servlet/security-deny-uncovered/pom.xml

@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>org.javaee7.servlet</groupId>
+        <artifactId>servlet-samples</artifactId>
+        <version>1.0-SNAPSHOT</version>
+        <relativePath>../pom.xml</relativePath>
+    </parent>
+
+    <artifactId>security-deny-uncovered</artifactId>
+    <packaging>war</packaging>
+</project>

servlet/security-deny-uncovered/src/main/java/org/javaee7/servlet/security/deny/uncovered/SecureServlet.java

@@ -0,0 +1,80 @@
+package org.javaee7.servlet.security.deny.uncovered;
+
+import java.io.IOException;
+import java.io.PrintWriter;
+import javax.servlet.ServletException;
+import javax.servlet.annotation.WebServlet;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+/**
+ * @author Arun Gupta
+ */
+@WebServlet(urlPatterns = {"/SecureServlet"})
+public class SecureServlet extends HttpServlet {
+
+    /**
+     * Processes requests for both HTTP <code>GET</code> and <code>POST</code>
+     * methods.
+     *
+     * @param request servlet request
+     * @param response servlet response
+     * @throws ServletException if a servlet-specific error occurs
+     * @throws IOException if an I/O error occurs
+     */
+    protected void processRequest(HttpServletRequest request, HttpServletResponse response, String method)
+            throws ServletException, IOException {
+        response.setContentType("text/html;charset=UTF-8");
+        PrintWriter out = response.getWriter();
+        out.println("<!DOCTYPE html>");
+        out.println("<html>");
+        out.println("<head>");
+        out.println("<title>Servlet Security - Basic Auth with File-base Realm</title>");
+        out.println("</head>");
+        out.println("<body>");
+        out.println("<h1>Basic Auth with File-base Realm (" + method + ")</h1>");
+        out.println("<h2>Were you prompted for username/password ?</h2>");
+        out.println("</body>");
+        out.println("</html>");
+    }
+
+    // <editor-fold defaultstate="collapsed" desc="HttpServlet methods. Click on the + sign on the left to edit the code.">
+    /**
+     * Handles the HTTP <code>GET</code> method.
+     *
+     * @param request servlet request
+     * @param response servlet response
+     * @throws ServletException if a servlet-specific error occurs
+     * @throws IOException if an I/O error occurs
+     */
+    @Override
+    protected void doGet(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+        processRequest(request, response, "GET");
+    }
+
+    /**
+     * Handles the HTTP <code>POST</code> method.
+     *
+     * @param request servlet request
+     * @param response servlet response
+     * @throws ServletException if a servlet-specific error occurs
+     * @throws IOException if an I/O error occurs
+     */
+    @Override
+    protected void doPost(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+        processRequest(request, response, "POST");
+    }
+
+    /**
+     * Returns a short description of the servlet.
+     *
+     * @return a String containing servlet description
+     */
+    @Override
+    public String getServletInfo() {
+        return "Short description";
+    }// </editor-fold>
+}

servlet/security-deny-uncovered/src/main/webapp/WEB-INF/glassfish-web.xml

@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glassfish-web-app PUBLIC "-//GlassFish.org//DTD GlassFish Application Server 3.1 Servlet 3.0//EN" "http://glassfish.org/dtds/glassfish-web-app_3_0-1.dtd">
+<glassfish-web-app error-url="">
+    <security-role-mapping>
+        <role-name>g1</role-name>
+        <principal-name>g1</principal-name>
+        <group-name>g1</group-name>
+    </security-role-mapping>
+</glassfish-web-app>

servlet/security-deny-uncovered/src/main/webapp/WEB-INF/web.xml

@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
+         version="3.1">
+    <deny-uncovered-http-methods/>
+    <security-constraint>
+        <web-resource-collection>
+            <web-resource-name>SecureServlet</web-resource-name>
+            <url-pattern>/SecureServlet</url-pattern>
+            <http-method>GET</http-method>
+        </web-resource-collection>
+        <auth-constraint>
+            <role-name>g1</role-name>
+        </auth-constraint>
+    </security-constraint>
+    
+    <login-config>
+        <auth-method>BASIC</auth-method>
+        <realm-name>file</realm-name>
+    </login-config>
+    
+    <security-role>
+        <role-name>g1</role-name>
+    </security-role>
+</web-app>

servlet/security-deny-uncovered/src/main/webapp/index.jsp

@@ -0,0 +1,19 @@
+<%@page contentType="text/html" pageEncoding="UTF-8"%>
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
+   "http://www.w3.org/TR/html4/loose.dtd">
+
+<html>
+    <head>
+        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+        <title>Servlet : Security</title>
+    </head>
+    <body>
+        <h1>Servlet : Security</h1>
+        
+        Make sure to create a user:<br><br>
+        
+        For WildFly: Invoke "./bin/add-user.sh -a -u u1 -p p1 -g g1"<br>
+        For GlassFish: Invoke "./bin/asadmin create-file-user --groups g1 u1" and use the password "p1" when prompted.<br><br>
+        Then call the <a href="${pageContext.request.contextPath}/SecureServlet">GET</a> method.<br/>
+    </body>
+</html>

servlet/security-deny-uncovered/src/test/java/org/javaee7/servlet/security/deny/uncovered/SecureServletTest.java

@@ -0,0 +1,87 @@
+package org.javaee7.servlet.security.deny.uncovered;
+
+import com.meterware.httpunit.AuthorizationRequiredException;
+import com.meterware.httpunit.GetMethodWebRequest;
+import com.meterware.httpunit.HttpException;
+import com.meterware.httpunit.PostMethodWebRequest;
+import com.meterware.httpunit.PutMethodWebRequest;
+import com.meterware.httpunit.WebConversation;
+import com.meterware.httpunit.WebResponse;
+import java.io.ByteArrayInputStream;
+import java.io.File;
+import java.net.URL;
+import org.jboss.arquillian.container.test.api.Deployment;
+import org.jboss.arquillian.junit.Arquillian;
+import org.jboss.arquillian.test.api.ArquillianResource;
+import org.jboss.shrinkwrap.api.ShrinkWrap;
+import org.jboss.shrinkwrap.api.spec.WebArchive;
+import org.junit.Test;
+import static org.junit.Assert.*;
+import org.junit.runner.RunWith;
+
+/**
+ * @author Arun Gupta
+ */
+@RunWith(Arquillian.class)
+public class SecureServletTest {
+    
+    private static final String WEBAPP_SRC = "src/main/webapp";
+
+    @ArquillianResource
+    private URL base;
+    
+    @Deployment(testable = false)
+    public static WebArchive createDeployment() {
+        WebArchive war = ShrinkWrap.create(WebArchive.class).
+                addClass(SecureServlet.class).
+                addAsWebInfResource((new File(WEBAPP_SRC + "/WEB-INF", "web.xml")));
+        return war;
+    }
+
+    @Test
+    public void testGetMethod() throws Exception {
+        WebConversation conv = new WebConversation();
+        conv.setAuthentication("file", "u1", "p1");
+        GetMethodWebRequest getRequest = new GetMethodWebRequest(base + "/SecureServlet");
+        WebResponse response = null;
+        try {
+            response = conv.getResponse(getRequest);
+        } catch (AuthorizationRequiredException e) {
+            fail(e.getMessage());
+        }
+        assertNotNull(response);
+        assertTrue(response.getText().contains("<title>Servlet Security - Basic Auth with File-base Realm</title>"));
+    }
+
+    @Test
+    public void testPostMethod() throws Exception {
+        WebConversation conv = new WebConversation();
+        conv.setAuthentication("file", "u1", "p1");
+        
+        PostMethodWebRequest postRequest = new PostMethodWebRequest(base + "/SecureServlet");
+        try {
+            conv.getResponse(postRequest);
+        } catch (HttpException e) {
+            assertEquals(403, e.getResponseCode());
+            return;
+        }
+        fail("POST method could be called");
+    }
+
+    @Test
+    public void testPutMethod() throws Exception {
+        WebConversation conv = new WebConversation();
+        conv.setAuthentication("file", "u1", "p1");
+        
+        byte[] bytes = new byte[10];
+        ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
+        PutMethodWebRequest putRequest = new PutMethodWebRequest(base + "/SecureServlet", bais, "text/plain");
+        try {
+            conv.getResponse(putRequest);
+        } catch (HttpException e) {
+            assertEquals(403, e.getResponseCode());
+            return;
+        }
+        fail("PUT method could be called");
+    }
+}