Basic authentication

How to run the sample
The source code for this sample can be found in the javaee7-samples GitHub repository. First clone the repository and change into the directory of this sample:
git clone git://github.com/javaee-samples/javaee7-samples.git
cd javaee7-samples/jaspic/basic-authentication/
You can now run all the tests in this sample by executing:
mvn test
Or you can run individual tests by executing one of the following:
mvn test -Dtest=BasicAuthenticationProtectedTest
mvn test -Dtest=BasicAuthenticationPublicTest
mvn test -Dtest=BasicAuthenticationStatelessTest

BasicAuthenticationProtectedTest

This tests that we can log in from a protected resource (a resource for which security constraints have been set) and then access it.

@Deployment(testable = false)
public static WebArchive createDeployment() {
    return defaultArchive();
}
Tests that a protected resource is not accessible when the request does not log in.
@Test
public void testProtectedPageNotLoggedin() throws IOException, SAXException {

    String response = getFromServerPath("protected/servlet");

    // Not logged-in thus should not be accessible.
    assertFalse(response.contains("This is a protected servlet"));
}
Tests that a protected resource is accessible when the request logs in.
@Test
public void testProtectedPageLoggedin() throws IOException, SAXException {

    String response = getFromServerPath("protected/servlet?doLogin=true");

    // Now has to be logged-in so page is accessible
    assertTrue(response.contains("This is a protected servlet"));
}

BasicAuthenticationPublicTest

This tests that we can log in from a public page (a page for which no security constraints have been set).

@Deployment(testable = false)
public static WebArchive createDeployment() {
    return defaultArchive();
}
Tests that a public resource is accessible without logging in, and that the caller is then unauthenticated (no user name, no roles).
@Test
public void testPublicPageNotLoggedin() throws IOException, SAXException {

    String response = getFromServerPath("public/servlet");

    // Not logged-in
    assertTrue(response.contains("web username: null"));
    assertTrue(response.contains("web user has role \"architect\": false"));
}
Tests that a login can be performed on a public resource, and that the caller then has the expected user name and role.
@Test
public void testPublicPageLoggedin() throws IOException, SAXException {

    // JASPIC has to be able to authenticate a user when accessing a public (non-protected) resource.

    String response = getFromServerPath("public/servlet?doLogin");

    // Now has to be logged-in
    assertTrue(response.contains("web username: test"));
    assertTrue(response.contains("web user has role \"architect\": true"));
}
Tests that a login performed on a public resource is not remembered by the container: a subsequent request without login must see an unauthenticated caller again.
@Test
public void testPublicPageNotRememberLogin() throws IOException, SAXException {


    // -------------------- Request 1 ---------------------------

    String response = getFromServerPath("public/servlet");

    // Not logged-in
    assertTrue(response.contains("web username: null"));
    assertTrue(response.contains("web user has role \"architect\": false"));


    // -------------------- Request 2 ---------------------------

    response = getFromServerPath("public/servlet?doLogin");

    // Now has to be logged-in
    assertTrue(response.contains("web username: test"));
    assertTrue(response.contains("web user has role \"architect\": true"));


    // -------------------- Request 3 ---------------------------

    response = getFromServerPath("public/servlet");

    // Not logged-in
    assertTrue(response.contains("web username: null"));
    assertTrue(response.contains("web user has role \"architect\": false"));
}

BasicAuthenticationStatelessTest

This tests that JASPIC authentication is stateless: the container has to invoke the authentication module for every request and must not carry an identity (authenticated or unauthenticated) over from a previous request.
@Deployment(testable = false)
public static WebArchive createDeployment() {
    return defaultArchive();
}

Tests that access to a protected page does not depend on the authenticated identity that was established in a previous request.

@Test
public void testProtectedAccessIsStateless() throws IOException, SAXException {


    // -------------------- Request 1 ---------------------------

    // Accessing protected page without login
    String response = getFromServerPath("protected/servlet");

    // Not logged-in thus should not be accessible.
    assertFalse(response.contains("This is a protected servlet"));


    // -------------------- Request 2 ---------------------------

    // JASPIC is stateless and login (re-authenticate) has to happen for every request
    //
    // If the following fails but "testProtectedPageLoggedin" has succeeded,
    // the container has probably remembered the "unauthenticated identity", e.g. it has remembered that
    // we're not authenticated and it will deny further attempts to authenticate. This may happen when
    // the container does not correctly recognize the JASPIC protocol for "do nothing".

    response = getFromServerPath("protected/servlet?doLogin");

    // Now has to be logged-in so page is accessible
    assertTrue("Could not access protected page, but should be able to. "
            + "Did the container remember the previously set 'unauthenticated identity'?",
            response.contains("This is a protected servlet"));


    // -------------------- Request 3 ---------------------------

    // JASPIC is stateless and login (re-authenticate) has to happen for every request
    //
    // In the following method we do a call without logging in after one where we did login.
    // The container should not remember this login and has to deny access.
    response = getFromServerPath("protected/servlet");

    // Not logged-in thus should not be accessible.
    assertFalse("Could access protected page, but should not be able to. "
            + "Did the container remember the authenticated identity that was set in previous request?",
            response.contains("This is a protected servlet"));
}

Tests that access to a protected page does not depend on the authenticated identity that was established in a previous request, using a different request order than the previous test (login first, then an unauthenticated request).

@Test
public void testProtectedAccessIsStateless2() throws IOException, SAXException {

    // -------------------- Request 1 ---------------------------

    // Start with doing a login
    String response = getFromServerPath("protected/servlet?doLogin");


    // -------------------- Request 2 ---------------------------

    // JASPIC is stateless and login (re-authenticate) has to happen for every request
    //
    // In the following method we do a call without logging in after one where we did login.
    // The container should not remember this login and has to deny access.

    // Accessing protected page without login
    response = getFromServerPath("protected/servlet");

    // Not logged-in thus should not be accessible.
    assertFalse("Could access protected page, but should not be able to. "
            + "Did the container remember the authenticated identity that was set in previous request?",
            response.contains("This is a protected servlet"));
}

Tests, independently of whether a protected resource can be accessed, that no details of a previously established authenticated identity (user name or roles) are remembered by the container.

@Test
public void testUserIdentityIsStateless() throws IOException, SAXException {


    // -------------------- Request 1 ---------------------------

    // Accessing protected page with login
    String response = getFromServerPath("protected/servlet?doLogin");


    // -------------------- Request 2 ---------------------------

    // Accessing public page without login
    response = getFromServerPath("public/servlet");

    // No details should linger around
    assertFalse("User principal was 'test', but it should be null here. "
            + "The container seemed to have remembered it from the previous request.",
            response.contains("web username: test"));
    assertTrue("User principal was not null, but it should be null here. ",
            response.contains("web username: null"));
    assertTrue("The unauthenticated user has the role 'architect', which should not be the case. "
            + "The container seemed to have remembered it from the previous request.",
            response.contains("web user has role \"architect\": false"));
}
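The tests above never show the server side they exercise. The following ServerAuthModule (SAM) is an added example, not the sample's own module, written to behave the way the public and stateless tests expect: a request carrying a doLogin parameter is authenticated as user "test" in group "architect", and any other request follows the JASPIC "do nothing" protocol, i.e. a CallerPrincipalCallback with a null principal followed by AuthStatus.SUCCESS, which tells the container to continue with an unauthenticated caller and let the resource's security constraints decide. The class name and the fact that the servlets report the identity via the request are assumptions.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Illustrative stateless SAM (an added example, not the sample's own module).
 * Authenticates any request with a "doLogin" parameter as "test"/"architect";
 * every other request establishes the unauthenticated caller explicitly.
 */
public class DoLoginServerAuthModule implements ServerAuthModule {

    private static final Class<?>[] SUPPORTED_MESSAGE_TYPES =
        new Class<?>[] { HttpServletRequest.class, HttpServletResponse.class };

    private CallbackHandler handler;

    @Override
    @SuppressWarnings("rawtypes")
    public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy,
            CallbackHandler handler, Map options) throws AuthException {
        // The container-provided handler is the only way to hand the caller
        // identity to the container.
        this.handler = handler;
    }

    @Override
    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject,
            Subject serviceSubject) throws AuthException {

        HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();

        Callback[] callbacks;
        if (request.getParameter("doLogin") != null) {
            // Authenticate for this request only. No session is registered
            // (no "javax.servlet.http.registerSession" in messageInfo), so the
            // container must not carry this identity over to the next request.
            callbacks = new Callback[] {
                new CallerPrincipalCallback(clientSubject, "test"),
                new GroupPrincipalCallback(clientSubject, new String[] { "architect" })
            };
        } else {
            // The "do nothing" protocol: a null principal plus SUCCESS means
            // "unauthenticated caller, continue". A container that treats this
            // as a failed login, or remembers it, breaks request 2 of
            // testProtectedAccessIsStateless.
            callbacks = new Callback[] {
                new CallerPrincipalCallback(clientSubject, (Principal) null)
            };
        }

        try {
            handler.handle(callbacks);
        } catch (IOException | UnsupportedCallbackException e) {
            throw (AuthException) new AuthException().initCause(e);
        }

        // SUCCESS in both branches: whether the (possibly unauthenticated)
        // caller may reach the resource is decided by its security constraints.
        return AuthStatus.SUCCESS;
    }

    @Override
    public Class<?>[] getSupportedMessageTypes() {
        return SUPPORTED_MESSAGE_TYPES;
    }

    @Override
    public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject)
            throws AuthException {
        return AuthStatus.SEND_SUCCESS;
    }

    @Override
    public void cleanSubject(MessageInfo messageInfo, Subject subject) throws AuthException {
        // Nothing is stored outside the per-request Subject, so nothing to clean.
    }
}
```

A SAM like this still has to be registered with the container through an AuthConfigProvider obtained from AuthConfigFactory (or a container-specific mechanism), which is not shown here. The security point the stateless tests make is visible in the two branches: because the module never registers a session, a container that caches the caller identity anyway would let a later request without doLogin inherit the identity of an earlier one, which is exactly what testProtectedAccessIsStateless2 and testUserIdentityIsStateless are designed to catch.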


Help Improve

Found a bug in the sample? Something missing? You can fix it by editing the source, making the correction and sending a pull request, or report the problem to the issue tracker.

Recent Changelog

  • Jan 11, 2014: Replaced httpunit by htmlunit, added convenience method for getting raw by arjan tijms
  • Jan 07, 2014: Add jboss-web.xml to web deployments by Stefan Guilhen
  • Dec 10, 2013: Port of jaspic tests from by arjan tijms
How to help improve this sample
The source code for this sample can be found in the javaee7-samples GitHub repository. First clone the repository and change into the directory of this sample:
git clone git://github.com/javaee-samples/javaee7-samples.git
cd javaee7-samples/jaspic/basic-authentication/

Do the changes as you see fit and send a pull request!

Good Luck!