SecurityContextTest.java
/*
* Copyright (c) 2012, 2022 Oracle and/or its affiliates. All rights reserved.
*
* This program and the accompanying materials are made available under the
* terms of the Eclipse Public License v. 2.0, which is available at
* http://www.eclipse.org/legal/epl-2.0.
*
* This Source Code may also be made available under the following Secondary
* Licenses when the conditions for such availability set forth in the
* Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
* version 2 with the GNU Classpath Exception, which is available at
* https://www.gnu.org/software/classpath/license.html.
*
* SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
*/
package org.glassfish.jersey.server;
import java.io.IOException;
import java.security.Principal;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.SecurityContext;
import javax.annotation.Priority;
import org.junit.jupiter.api.Test;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertNotNull;
import static org.junit.jupiter.api.Assertions.assertTrue;
/**
* Test class for testing security context in the Filter and resource.
*
* @author Miroslav Fuksa
*/
public class SecurityContextTest {
private static final String PRINCIPAL_NAME = "SetByFilter";
private static final String PRINCIPAL_NAME_SECOND = "SetByFilterSecond";
private static final String SKIP_FILTER = "skipFilter";
private static final String PRINCIPAL_IS_NULL = "principalIsNull";
@Priority(100)
private static class SecurityContextFilter implements ContainerRequestFilter {
@Override
public void filter(ContainerRequestContext rc) throws IOException {
// test injections
assertNotNull(rc.getSecurityContext());
assertTrue(rc.getSecurityContext().getUserPrincipal() == null);
String header = rc.getHeaders().getFirst(SKIP_FILTER);
if ("true".equals(header)) {
return;
}
// set new Security Context
rc.setSecurityContext(new SecurityContext() {
@Override
public boolean isUserInRole(String role) {
return false;
}
@Override
public boolean isSecure() {
return false;
}
@Override
public Principal getUserPrincipal() {
return new Principal() {
@Override
public String getName() {
return PRINCIPAL_NAME;
}
@Override
public int hashCode() {
return super.hashCode();
}
@Override
public boolean equals(Object obj) {
return (obj instanceof Principal)
&& PRINCIPAL_NAME.equals(((Principal) obj).getName());
}
@Override
public String toString() {
return super.toString();
}
};
}
@Override
public String getAuthenticationScheme() {
return null;
}
@Override
public int hashCode() {
return super.hashCode();
}
@Override
public boolean equals(Object that) {
return (that != null && that.getClass() == this.getClass());
}
@Override
public String toString() {
return super.toString();
}
});
}
}
@Priority(101)
private static class SecurityContextFilterSecondInChain implements ContainerRequestFilter {
@Context
SecurityContext sc;
@Override
public void filter(ContainerRequestContext rc) throws IOException {
assertNotNull(sc);
assertEquals(sc.getUserPrincipal().getName(), PRINCIPAL_NAME);
assertEquals(sc, rc.getSecurityContext());
String header = rc.getHeaders().getFirst(SKIP_FILTER);
if ("true".equals(header)) {
return;
}
// set new Security Context
rc.setSecurityContext(new SecurityContext() {
@Override
public boolean isUserInRole(String role) {
return false;
}
@Override
public boolean isSecure() {
return false;
}
@Override
public Principal getUserPrincipal() {
return new Principal() {
@Override
public String getName() {
return PRINCIPAL_NAME_SECOND;
}
@Override
public int hashCode() {
return super.hashCode();
}
@Override
public boolean equals(Object obj) {
return (obj instanceof Principal)
&& PRINCIPAL_NAME_SECOND.equals(((Principal) obj).getName());
}
@Override
public String toString() {
return super.toString();
}
};
}
@Override
public String getAuthenticationScheme() {
return null;
}
@Override
public int hashCode() {
return super.hashCode();
}
@Override
public boolean equals(Object that) {
return (that != null && that.getClass() == this.getClass());
}
@Override
public String toString() {
return super.toString();
}
});
}
}
/**
* Tests SecurityContext injection into a resource method.
*
* @throws Exception Thrown when request processing fails in the application.
*/
@Test
public void testSecurityContextInjection() throws Exception {
final ResourceConfig resourceConfig = new ResourceConfig(Resource.class, SecurityContextFilter.class,
SecurityContextFilterSecondInChain.class);
final ApplicationHandler application = new ApplicationHandler(resourceConfig);
ContainerResponse response = application.apply(RequestContextBuilder.from("/test/2", "GET").build()).get();
assertEquals(200, response.getStatus());
assertEquals(PRINCIPAL_NAME_SECOND, response.getEntity());
}
/**
* Tests SecurityContext in filter.
*
* @throws Exception Thrown when request processing fails in the application.
*/
@Test
public void testSecurityContextInjectionFilter() throws Exception {
final ResourceConfig resourceConfig = new ResourceConfig(Resource.class, SecurityContextFilter.class);
final ApplicationHandler application = new ApplicationHandler(resourceConfig);
ContainerResponse response = application.apply(RequestContextBuilder.from("/test", "GET").build()).get();
assertEquals(200, response.getStatus());
assertEquals(PRINCIPAL_NAME, response.getEntity());
}
/**
* Tests SecurityContext in filter.
*
* @throws Exception Thrown when request processing fails in the
* application.
*/
@Test
public void testDefaultSecurityContext() throws Exception {
final ResourceConfig resourceConfig = new ResourceConfig(Resource.class, SecurityContextFilter.class);
final ApplicationHandler application = new ApplicationHandler(resourceConfig);
ContainerResponse response =
application.apply(RequestContextBuilder.from("/test", "GET").header(SKIP_FILTER, "true").build()).get();
assertEquals(200, response.getStatus());
Object entity = response.getEntity();
assertTrue(!PRINCIPAL_NAME.equals(entity));
}
/**
* Test resource class.
*/
@Path("test")
public static class Resource {
/**
* Test resource method.
*
* @param cr Container request context.
* @return String response with principal name.
*/
@GET
public String getSomething(@Context ContainerRequestContext cr) {
assertNotNull(cr.getSecurityContext());
Principal userPrincipal = cr.getSecurityContext().getUserPrincipal();
return userPrincipal == null ? PRINCIPAL_IS_NULL : userPrincipal.getName();
}
/**
* Test resource method.
*
* @param sc security context.
* @param cr container request context.
* @return String response with principal name.
*/
@GET
@Path("2")
public String getSomething2(@Context SecurityContext sc, @Context ContainerRequestContext cr) {
assertEquals(sc, cr.getSecurityContext());
Principal userPrincipal = sc.getUserPrincipal();
return userPrincipal == null ? PRINCIPAL_IS_NULL : userPrincipal.getName();
}
}
}