Register session

Run
How to run the sample
The source code for this sample can be found in the javaee7-samples GitHub repository. The first thing we need to do is to get the source by downloading the repository and then go into the samples folder:
git clone git://github.com/javaee-samples/javaee7-samples.git
cd javaee7-samples/jaspic/register-session/
Now we are ready to start testing. You can run all the tests in this sample by executing:
mvn test
Or you can run a single test class by executing:
mvn test -Dtest=RegisterSessionTest

RegisterSessionTest

@Deployment(testable = false)
public static WebArchive createDeployment() {
    return defaultArchive();
}
@Test
public void testRemembersSession() throws IOException, SAXException {


    // -------------------- Request 1 ---------------------------

    // Accessing protected page without login
    String response = getFromServerPath("protected/servlet");

    // Not logged-in thus should not be accessible.
    assertFalse(response.contains("This is a protected servlet"));


    // -------------------- Request 2 ---------------------------

    // We access the protected page again and now login

    response = getFromServerPath("protected/servlet?doLogin");

    // Now has to be logged-in so page is accessible
    assertTrue("Could not access protected page, but should be able to. "
            + "Did the container remember the previously set 'unauthenticated identity'?",
            response.contains("This is a protected servlet"));


    // -------------------- Request 3 ---------------------------

    // JASPIC is normally stateless, but for this test the SAM uses the register session feature so now
    // we should be logged-in when doing a call without explicitly logging in again.

    response = getFromServerPath("protected/servlet?continueSession");

    // Logged-in thus should be accessible.
    assertTrue("Could not access protected page, but should be able to. "
            + "Did the container not remember the authenticated identity via 'javax.servlet.http.registerSession'?",
            response.contains("This is a protected servlet"));

    // Both the user name and roles/groups have to be restored

    // *** NOTE ***: The JASPIC 1.1 spec is NOT clear about remembering roles, but spec lead Ron Monzillo clarified that
    // this should indeed be the case. The next JASPIC revision of the spec will have to mention this explicitly.
    // Intuitively it should make sense though that the authenticated identity is fully restored and not partially,
    // but again the spec should make this clear to avoid ambiguity.
    assertTrue(response.contains("web username: test"));
    assertTrue(response.contains("web user has role \"architect\": true"));


    // -------------------- Request 4 ---------------------------

    // The session should also be remembered for other resources, including public ones

    response = getFromServerPath("public/servlet?continueSession");

    // This test almost can't fail, but include for clarity
    assertTrue(response.contains("This is a public servlet"));

    // When accessing the public page, the username and roles should be restored and be available
    // just as on protected pages
    assertTrue(response.contains("web username: test"));
    assertTrue(response.contains("web user has role \"architect\": true"));
}
@Test
public void testJoinSessionIsOptional() throws IOException, SAXException {


    // -------------------- Request 1 ---------------------------

    // We access a protected page and login

    String response = getFromServerPath("protected/servlet?doLogin");

    // Now has to be logged-in so page is accessible
    assertTrue("Could not access protected page, but should be able to. "
            + "Did the container remember the previously set 'unauthenticated identity'?",
            response.contains("This is a protected servlet"));


    // -------------------- Request 2 ---------------------------

    // JASPIC is normally stateless, but for this test the SAM uses the register session feature so now
    // we should be logged-in when doing a call without explicitly logging in again.

    response = getFromServerPath("protected/servlet?continueSession");

    // Logged-in thus should be accessible.
    assertTrue("Could not access protected page, but should be able to. "
            + "Did the container not remember the authenticated identity via 'javax.servlet.http.registerSession'?",
            response.contains("This is a protected servlet"));

    // Both the user name and roles/groups have to be restored

    // *** NOTE ***: The JASPIC 1.1 spec is NOT clear about remembering roles, but spec lead Ron Monzillo clarified that
    // this should indeed be the case. The next JASPIC revision of the spec will have to mention this explicitly.
    // Intuitively it should make sense though that the authenticated identity is fully restored and not partially,
    // but again the spec should make this clear to avoid ambiguity.
    assertTrue(response.contains("web username: test"));
    assertTrue(response.contains("web user has role \"architect\": true"));


    // -------------------- Request 3 ---------------------------

    // Although the container remembers the authentication session, the SAM needs to OPT-IN to it.
    // If the SAM instead "does nothing", we should not have access to the protected resource anymore
    // even within the same HTTP session.

    response = getFromServerPath("protected/servlet");
    assertFalse(response.contains("This is a protected servlet"));


    // -------------------- Request 4 ---------------------------

    // Access to a public page is unaffected by joining or not joining the session, but if we do not join the
    // session we shouldn't see the user's name and roles.

    // THIS NOW FAILS ON GLASSFISH 4.0. CHECKED WITH RON MONZILLO THAT THIS IS INDEED AN ERROR AND FILED A BUG

    response = getFromServerPath("public/servlet");

    assertTrue(response.contains("This is a public servlet"));
    assertFalse(response.contains("web username: test"));
    assertFalse(response.contains("web user has role \"architect\": true"));
}

Help Improve

Find a bug in the sample? Something missing? You can fix it by editing the source, making the correction and sending a pull request. Or report the problem to the issue tracker

Recent Changelog

  • Jul 15, 2014: Removed header license. The licensing is now referenced in the license file in the root of the project by Roberto Cortez
  • Jan 11, 2014: Replaced httpunit by htmlunit, added convenience method for getting raw by arjan tijms
  • Jan 07, 2014: Add jboss-web.xml to web deployments by Stefan Guilhen
  • Dec 14, 2013: Re-enabled test by arjan tijms
  • Dec 14, 2013: Added test for the javax.servlet.http.registersession feature and by arjan tijms