@Deployment(testable = false)
public static WebArchive createDeployment() {
return defaultArchive();
}
cd javaee7-samples/jaspic/basic-authentication/
Now we are ready to start testing. You can run all the tests in this sample by executing:
mvn test
Or you can run individual tests by executing one of the following:
mvn test -Dtest=BasicAuthenticationProtectedTest
mvn test -Dtest=BasicAuthenticationPublicTest
mvn test -Dtest=BasicAuthenticationStatelessTest
This tests that we can log in from a protected resource (a resource for which security constraints have been set) and then access it.
@Deployment(testable = false)
public static WebArchive createDeployment() {
return defaultArchive();
}
@Test
public void testProtectedPageNotLoggedin() throws IOException, SAXException {
String response = getFromServerPath("protected/servlet");
// Not logged-in thus should not be accessible.
assertFalse(response.contains("This is a protected servlet"));
}
@Test
public void testProtectedPageLoggedin() throws IOException, SAXException {
String response = getFromServerPath("protected/servlet?doLogin=true");
// Now has to be logged-in so page is accessible
assertTrue(response.contains("This is a protected servlet"));
}
This tests that we can log in from a public page (a page for which no security constraints have been set).
@Deployment(testable = false)
public static WebArchive createDeployment() {
return defaultArchive();
}
@Test
public void testPublicPageNotLoggedin() throws IOException, SAXException {
String response = getFromServerPath("public/servlet");
// Not logged-in
assertTrue(response.contains("web username: null"));
assertTrue(response.contains("web user has role \"architect\": false"));
}
@Test
public void testPublicPageLoggedin() throws IOException, SAXException {
// JASPIC has to be able to authenticate a user when accessing a public (non-protected) resource.
String response = getFromServerPath("public/servlet?doLogin");
// Now has to be logged-in
assertTrue(response.contains("web username: test"));
assertTrue(response.contains("web user has role \"architect\": true"));
}
@Test
public void testPublicPageNotRememberLogin() throws IOException, SAXException {
// -------------------- Request 1 ---------------------------
String response = getFromServerPath("public/servlet");
// Not logged-in
assertTrue(response.contains("web username: null"));
assertTrue(response.contains("web user has role \"architect\": false"));
// -------------------- Request 2 ---------------------------
response = getFromServerPath("public/servlet?doLogin");
// Now has to be logged-in
assertTrue(response.contains("web username: test"));
assertTrue(response.contains("web user has role \"architect\": true"));
// -------------------- Request 3 ---------------------------
response = getFromServerPath("public/servlet");
// Not logged-in
assertTrue(response.contains("web username: null"));
assertTrue(response.contains("web user has role \"architect\": false"));
}
@Deployment(testable = false)
public static WebArchive createDeployment() {
return defaultArchive();
}
Tests that access to a protected page does not depend on the authenticated identity that was established in a previous request.
@Test
public void testProtectedAccessIsStateless() throws IOException, SAXException {
// -------------------- Request 1 ---------------------------
// Accessing protected page without login
String response = getFromServerPath("protected/servlet");
// Not logged-in thus should not be accessible.
assertFalse(response.contains("This is a protected servlet"));
// -------------------- Request 2 ---------------------------
// JASPIC is stateless and login (re-authenticate) has to happen for every request
//
// If the following fails but "testProtectedPageLoggedin" has succeeded,
// the container has probably remembered the "unauthenticated identity", e.g. it has remembered that
// we're not authenticated and it will deny further attempts to authenticate. This may happen when
// the container does not correctly recognize the JASPIC protocol for "do nothing".
response = getFromServerPath("protected/servlet?doLogin");
// Now has to be logged-in so page is accessible
assertTrue("Could not access protected page, but should be able to. "
+ "Did the container remember the previously set 'unauthenticated identity'?",
response.contains("This is a protected servlet"));
// -------------------- Request 3 ---------------------------
// JASPIC is stateless and login (re-authenticate) has to happen for every request
//
// In the following method we do a call without logging in after one where we did login.
// The container should not remember this login and has to deny access.
response = getFromServerPath("protected/servlet");
// Not logged-in thus should not be accessible.
assertFalse("Could access protected page, but should not be able to. "
+ "Did the container remember the authenticated identity that was set in previous request?",
response.contains("This is a protected servlet"));
}
Tests that access to a protected page does not depend on the authenticated identity that was established in a previous request, but uses a different request order than the previous test.
@Test
public void testProtectedAccessIsStateless2() throws IOException, SAXException {
// -------------------- Request 1 ---------------------------
// Start with doing a login
String response = getFromServerPath("protected/servlet?doLogin");
// -------------------- Request 2 ---------------------------
// JASPIC is stateless and login (re-authenticate) has to happen for every request
//
// In the following method we do a call without logging in after one where we did login.
// The container should not remember this login and has to deny access.
// Accessing protected page without login
response = getFromServerPath("protected/servlet");
// Not logged-in thus should not be accessible.
assertFalse("Could access protected page, but should not be able to. "
+ "Did the container remember the authenticated identity that was set in previous request?",
response.contains("This is a protected servlet"));
}
Tests, independently of whether a protected resource can be accessed, that no details of a previously established authenticated identity are remembered.
@Test
public void testUserIdentityIsStateless() throws IOException, SAXException {
// -------------------- Request 1 ---------------------------
// Accessing protected page with login
String response = getFromServerPath("protected/servlet?doLogin");
// -------------------- Request 2 ---------------------------
// Accessing public page without login
response = getFromServerPath("public/servlet");
// No details should linger around
assertFalse("User principal was 'test', but it should be null here. "
+ "The container seemed to have remembered it from the previous request.",
response.contains("web username: test"));
assertTrue("User principal was not null, but it should be null here. ",
response.contains("web username: null"));
assertTrue("The unauthenticated user has the role 'architect', which should not be the case. "
+ "The container seemed to have remembered it from the previous request.",
response.contains("web user has role \"architect\": false"));
}
There's a lot more about Java EE to cover. If you're ready to learn more, check out the other available samples.
git clone git://github.com/javaee-samples/javaee7-samples.git
cd javaee7-samples/jaspic/basic-authentication/
Do the changes as you see fit and send a pull request!
Good Luck!