package org.jboss.seam.test.integration.security;
import java.util.HashMap;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import org.jboss.seam.Component;
import org.jboss.seam.contexts.Contexts;
import org.jboss.seam.contexts.Lifecycle;
import org.jboss.seam.mock.AbstractSeamTest;
import org.jboss.seam.mock.MockLoginModule;
import org.jboss.seam.security.AuthorizationException;
import org.jboss.seam.security.Identity;
import org.jboss.seam.security.NotLoggedInException;
import org.jboss.seam.web.Session;
import org.testng.annotations.Test;
/**
* Seam Security Unit Tests
*
* @author Shane Bryzak
*/
public class SecurityTest extends AbstractSeamTest
{
private Configuration createMockJAASConfiguration()
{
return new Configuration()
{
private AppConfigurationEntry[] aces = { new AppConfigurationEntry(
MockLoginModule.class.getName(),
LoginModuleControlFlag.REQUIRED,
new HashMap<String,String>()
) };
@Override
public AppConfigurationEntry[] getAppConfigurationEntry(String name)
{
return aces;
}
@Override
public void refresh() {}
};
}
public class MockIdentity extends Identity
{
@Override
protected LoginContext getLoginContext() throws LoginException
{
return new LoginContext("default", getSubject(), getCredentials().createCallbackHandler(),
createMockJAASConfiguration());
}
}
@Test
public void testLogin()
{
try
{
Lifecycle.beginApplication(new HashMap<String,Object>());
Lifecycle.beginCall();
// Create a mock session
Contexts.getSessionContext().set(Component.getComponentName(Session.class), new Session());
Identity identity = new MockIdentity();
identity.create();
// Put the identity into our session context
Contexts.getSessionContext().set(Component.getComponentName(Identity.class), identity);
// Test addRole()
identity.addRole("admin");
assert(!identity.hasRole("admin"));
try
{
// This should throw a NotLoggedInException
identity.checkRole("admin");
assert(false);
}
catch (NotLoggedInException ex)
{
// expected
}
identity.getCredentials().setUsername("foo");
identity.getCredentials().setPassword("bar");
assert("foo".equals(identity.getCredentials().getUsername()));
assert("bar".equals(identity.getCredentials().getPassword()));
assert("loggedIn".equals(identity.login()));
assert(identity.isLoggedIn());
// Pre-authenticated roles are cleared before authenticating,
// so this should still return false
assert(!identity.hasRole("admin"));
// The foo role is added by MockLoginModule
assert(identity.hasRole("foo"));
identity.removeRole("foo");
assert(!identity.hasRole("foo"));
try
{
// This should throw an AuthorizationException
identity.checkRole("foo");
assert(false);
}
catch (AuthorizationException ex)
{
// expected
}
// Now that we're authenticated, adding a role should have an immediate effect
identity.addRole("admin");
assert(identity.hasRole("admin"));
identity.logout();
assert(!identity.hasRole("admin"));
assert(!identity.isLoggedIn());
}
finally
{
Lifecycle.endApplication();
}
}
@Test
public void testDisableSecurity()
{
try
{
Identity identity = new Identity();
identity.create();
// Disable security
Identity.setSecurityEnabled(false);
assert(!Identity.isSecurityEnabled());
assert(identity.hasRole("admin"));
assert(identity.hasPermission("foo", "bar"));
// This shouldn't throw an exception while security is disabled
identity.checkRestriction("foo");
// Enable security
Identity.setSecurityEnabled(true);
assert(Identity.isSecurityEnabled());
assert(!identity.hasRole("admin"));
assert(!identity.hasPermission("foo", "bar"));
}
finally
{
Identity.setSecurityEnabled(true);
}
}
}