[jetty-users] security-constraint auth-constraint role-name * (asterisk) fails

Hi All. I'm learning Jetty embedded ( jetty-all-8.1.3.v20120416.jar ) and I
have a dead simple servlet that I've enabled a <security-constraint> (HTTP
BASIC) on. My two unit tests that check authorization correctly pass and
fail (one makes the request using the username and password in my
realm.properties, and the other tries to connect with no authentication)
when I have <role-name>users</role-name>, but fail for
<role-name>*</role-name>. JUnit summary of incorrect results (see method
definitions below):

testPingServletAuthenticated(): Expected: OK, Actual: Forbidden
testPingServletUnauthenticated(): Passed

File snippets are included below ('====' separates them). I hope that's
enough information. Thanks in advance! -- matt


==== web.xml ====
servlet-mapping
  servlet-name: hello-servlet
  url-pattern: /hello-web-xml

security-constraint
  url-pattern: /*
  auth-constraint:
    role-name: users

login-config
  auth-method: BASIC
  realm-name: test security realm

security-role
  role-name: users


==== realm.properties ====
theuser:password,users


==== HelloServlet.java ====
very simple doGet()


==== JettySetupTest.java ====
    public static void startJettyServer() throws Exception {
        WebAppContext webAppContext = new WebAppContext();
        webAppContext.setDescriptor("out/artifacts/diy_embedded_testing_war_exploded/WEB-INF/web.xml");
        webAppContext.setResourceBase("out/artifacts/diy_embedded_testing_war_exploded/");
        webAppContext.setContextPath(CONTEXT_PATH);
        webAppContext.setParentLoaderPriority(true);    // Q: needed?

        // NB: must match realm name in web.xml's <login-config><realm-name>
        LoginService loginService = new HashLoginService("test security realm", "test/embed/realm.properties");
        webAppContext.getSecurityHandler().setLoginService(loginService);

        SERVER = new Server(PORT);
        SERVER.setHandler(webAppContext);
        SERVER.start();
    }


    @Test
    public void testPingServletAuthenticated() throws IOException {
        Client client = Client.create();
        // http://localhost:8080/app/hello-web-xml
        WebResource webResource = client.resource(BASE_URL + "/hello-web-xml");
        webResource.addFilter(new HTTPBasicAuthFilter("theuser", "password"));
        ClientResponse clientResponse = webResource
                .accept(MediaType.TEXT_PLAIN)
                .get(ClientResponse.class);     // @GET
        assertEquals(ClientResponse.Status.OK, clientResponse.getClientResponseStatus());
        assertEquals(HelloServlet.GREETING + "\n", clientResponse.getEntity(String.class));
    }


    @Test
    public void testPingServletUnauthenticated() throws IOException {
        Client client = Client.create();
        // http://localhost:8080/app/hello-web-xml
        WebResource webResource = client.resource(BASE_URL + "/hello-web-xml");
        ClientResponse clientResponse = webResource
                .accept(MediaType.TEXT_PLAIN)
                .get(ClientResponse.class);     // @GET
        assertEquals(ClientResponse.Status.UNAUTHORIZED, clientResponse.getClientResponseStatus());
    }




--
View this message in context: http://jetty.4.n6.nabble.com/security-constraint-auth-constraint-role-name-asterisk-fails-tp4958675.html
Sent from the Jetty User mailing list archive at Nabble.com.
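
An added example, not part of the original post and not Jetty code: a small Python check that reads a web.xml and shows which roles each <auth-constraint> resolves to, using the Servlet 3.0 rule that "*" is shorthand for all role names declared in the deployment descriptor. The sample descriptor is constructed from the summary in the post with "*" as the role-name; the function and key names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the descriptor summarised in the post, with "*" as the role-name.
SAMPLE_WEB_XML = """\
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>all</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>test security realm</realm-name>
  </login-config>
  <security-role><role-name>users</role-name></security-role>
</web-app>
"""

def _kids(elem, name):
    """Direct children called `name`, ignoring any XML namespace prefix."""
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def _texts(elem, parent, leaf):
    """Stripped text of every <leaf> found under each <parent> child of elem."""
    return [(x.text or "").strip() for p in _kids(elem, parent) for x in _kids(p, leaf)]

def resolve_constraints(web_xml_text):
    """Return (realm_name, [constraint dicts]) with '*' expanded to declared roles."""
    root = ET.fromstring(web_xml_text)
    declared = sorted(set(_texts(root, "security-role", "role-name")))
    realm = (_texts(root, "login-config", "realm-name") or [None])[0]
    out = []
    for sc in _kids(root, "security-constraint"):
        entry = {"patterns": _texts(sc, "web-resource-collection", "url-pattern")}
        if not _kids(sc, "auth-constraint"):
            entry.update(access="no-auth-constraint", roles=[], undeclared=[])
        else:
            named = _texts(sc, "auth-constraint", "role-name")
            roles = declared if "*" in named else sorted(set(named))
            entry.update(
                access="roles" if roles else "deny-all",  # empty role set admits nobody
                roles=roles,
                undeclared=[r for r in roles if r not in declared],
            )
        out.append(entry)
    return realm, out

if __name__ == "__main__":
    realm, constraints = resolve_constraints(SAMPLE_WEB_XML)
    print("realm:", realm)
    for c in constraints:
        print(c)
```

The returned realm name is the value that has to match the name given to the login service, as the comment in startJettyServer() notes.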