All Downloads are FREE. Search and download functionalities are using the official Maven repository.

org.wildfly.elytron.web.undertow.common.BasicAuthenticationBase Maven / Gradle / Ivy

/*
 * JBoss, Home of Professional Open Source
 *
 * Copyright 2016 Red Hat, Inc. and/or its affiliates.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.wildfly.elytron.web.undertow.common;

import static io.undertow.util.Headers.AUTHORIZATION;
import static io.undertow.util.Headers.BASIC;
import static io.undertow.util.Headers.WWW_AUTHENTICATE;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;
import static org.wildfly.security.password.interfaces.ClearPassword.ALGORITHM_CLEAR;

import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import org.apache.http.Header;
import org.apache.http.HttpResponse;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.HttpClientBuilder;
import org.junit.Rule;
import org.junit.Test;
import org.wildfly.security.auth.permission.LoginPermission;
import org.wildfly.security.auth.realm.SimpleMapBackedSecurityRealm;
import org.wildfly.security.auth.realm.SimpleRealmEntry;
import org.wildfly.security.auth.server.SecurityDomain;
import org.wildfly.security.credential.PasswordCredential;
import org.wildfly.security.password.PasswordFactory;
import org.wildfly.security.password.spec.ClearPasswordSpec;
import org.wildfly.security.permission.PermissionVerifier;

import io.undertow.util.FlexBase64;
import io.undertow.util.StatusCodes;

/**
 * Test case to test HTTP BASIC authentication where authentication is backed by Elytron.
 *
 * @author Darran Lofthouse
 */
public abstract class BasicAuthenticationBase extends AbstractHttpServerMechanismTest {

    @Rule
    public UndertowServer server = createUndertowServer();

    protected BasicAuthenticationBase() throws Exception {
    }

    @Test
    public void testUnauthorized() throws Exception {
        HttpClient httpClient = HttpClientBuilder.create().build();
        HttpGet get = new HttpGet(server.createUri());

        assertUnauthorizedResponse(httpClient.execute(get));
    }

    @Test
    public void testSuccessfulAuthentication() throws Exception {
        HttpClient httpClient = HttpClientBuilder.create().build();
        HttpGet get = new HttpGet(server.createUri());

        get.addHeader(AUTHORIZATION.toString(), BASIC + " " + FlexBase64.encodeString("elytron:Coleoptera".getBytes(), false));

        HttpResponse result = httpClient.execute(get);

        assertEquals(StatusCodes.OK, result.getStatusLine().getStatusCode());
        assertSuccessfulResponse(result, "elytron");
    }

    @Test
    public void testFailedAuthentication() throws Exception {
        HttpClient httpClient = HttpClientBuilder.create().build();
        HttpGet get = new HttpGet(server.createUri());

        get.addHeader(AUTHORIZATION.toString(), BASIC + " " + FlexBase64.encodeString("elytron:bad_password".getBytes(), false));

        assertUnauthorizedResponse(httpClient.execute(get));
    }

    @Test
    public void testUnconstrainedAccessWithCorrectPassword() throws Exception {
        HttpClient httpClient = HttpClientBuilder.create().build();
        HttpGet get = new HttpGet(server.createUri("/unsecure"));

        get.addHeader(AUTHORIZATION.toString(), BASIC + " " + FlexBase64.encodeString("elytron:Coleoptera".getBytes(), false));

        HttpResponse result = httpClient.execute(get);

        assertEquals(StatusCodes.OK, result.getStatusLine().getStatusCode());
        assertSuccessfulUnconstraintResponse(result, "elytron");
    }

    @Test
    public void testUnconstrainedAccessWithIncorrectPassword() throws Exception {
        HttpClient httpClient = HttpClientBuilder.create().build();
        HttpGet get = new HttpGet(server.createUri("/unsecure"));

        get.addHeader(AUTHORIZATION.toString(), BASIC + " " + FlexBase64.encodeString("elytron:bad_password".getBytes(), false));

        HttpResponse result = httpClient.execute(get);

        assertUnauthorizedResponse(result);
    }

    @Test
    public void testUnconstrainedAccessWithoutPassword() throws Exception {
        HttpClient httpClient = HttpClientBuilder.create().build();
        HttpGet get = new HttpGet(server.createUri("/unsecure"));

        HttpResponse result = httpClient.execute(get);

        assertEquals(StatusCodes.OK, result.getStatusLine().getStatusCode());
        assertSuccessfulUnconstraintResponse(result, null);
    }

    private void assertUnauthorizedResponse(HttpResponse result) {
        assertEquals(StatusCodes.UNAUTHORIZED, result.getStatusLine().getStatusCode());

        Header wwwAuthenticateHeader = result.getFirstHeader(WWW_AUTHENTICATE.toString());

        assertNotNull(wwwAuthenticateHeader);
        assertEquals(BASIC + " realm=\"Elytron Realm\"", wwwAuthenticateHeader.getValue());
    }

    @Override
    protected String getMechanismName() {
        return "BASIC";
    }

    @Override
    protected SecurityDomain doCreateSecurityDomain() throws Exception {
        PasswordFactory passwordFactory = PasswordFactory.getInstance(ALGORITHM_CLEAR);

        Map passwordMap = new HashMap<>();
        passwordMap.put("elytron", new SimpleRealmEntry(Collections.singletonList(new PasswordCredential(passwordFactory.generatePassword(new ClearPasswordSpec("Coleoptera".toCharArray()))))));

        SimpleMapBackedSecurityRealm simpleRealm = new SimpleMapBackedSecurityRealm();
        simpleRealm.setPasswordMap(passwordMap);

        SecurityDomain.Builder builder = SecurityDomain.builder()
                .setDefaultRealmName("TestRealm");

        builder.addRealm("TestRealm", simpleRealm).build();
        builder.setPermissionMapper((principal, roles) -> PermissionVerifier.from(new LoginPermission()));

        return builder.build();
    }

    protected abstract UndertowServer createUndertowServer() throws Exception;

}




© 2015 - 2024 Weber Informatics LLC | Privacy Policy