

1 /*
2 * JBoss, Home of Professional Open Source
3 * Copyright 2005, JBoss Inc., and individual contributors as indicated
4 * by the @authors tag. See the copyright.txt in the distribution for a
5 * full listing of individual contributors.
6 *
7 * This is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU Lesser General Public License as
9 * published by the Free Software Foundation; either version 2.1 of
10 * the License, or (at your option) any later version.
11 *
12 * This software is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
16 *
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with this software; if not, write to the Free
19 * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
20 * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
21 */

22 package org.jboss.test.web.security.jacc;
23
24 import java.util.ArrayList JavaDoc;
25 import java.util.List JavaDoc;
26 import java.util.HashMap JavaDoc;
27 import java.security.Policy JavaDoc;
28 import java.security.ProtectionDomain JavaDoc;
29 import javax.security.jacc.PolicyConfiguration JavaDoc;
30 import javax.security.jacc.WebResourcePermission JavaDoc;
31 import javax.security.jacc.PolicyContext JavaDoc;
32
33 import junit.framework.TestCase;
34 import org.jboss.metadata.WebMetaData;
35 import org.jboss.metadata.WebSecurityMetaData;
36 import org.jboss.metadata.SecurityRoleMetaData;
37 import org.jboss.web.WebPermissionMapping;
38 import org.jboss.security.jacc.DelegatingPolicy;
39 import org.jboss.security.jacc.JBossPolicyConfigurationFactory;
40 import org.jboss.security.SimplePrincipal;
41
42 /** Tests the JACC web permissions created for the security-constraints of this web.xml:
43
44  <?xml version="1.0" encoding="UTF-8"?>
45  <web-app version="2.4"
46     xmlns="http://java.sun.com/xml/ns/j2ee"
47     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
48     xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
49     http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
50
51     <description>Tests of various security-constraints</description>
52
53     <servlet>
54        <servlet-name>ConstraintsServlet</servlet-name>
55        <servlet-class>org.jboss.test.security.servlets.ConstraintsServlet</servlet-class>
56     </servlet>
57
58     <servlet-mapping>
59        <servlet-name>ConstraintsServlet</servlet-name>
60        <url-pattern>/*</url-pattern>
61     </servlet-mapping>
62
63     <security-constraint>
64        <display-name>excluded</display-name>
65        <web-resource-collection>
66           <web-resource-name>No Access</web-resource-name>
67           <url-pattern>/excluded/*</url-pattern>
68           <url-pattern>/restricted/get-only/excluded/*</url-pattern>
69           <url-pattern>/restricted/post-only/excluded/*</url-pattern>
70           <url-pattern>/restricted/any/excluded/*</url-pattern>
71        </web-resource-collection>
72        <web-resource-collection>
73           <web-resource-name>No Access</web-resource-name>
74           <url-pattern>/restricted/*</url-pattern>
75           <http-method>DELETE</http-method>
76           <http-method>PUT</http-method>
77           <http-method>HEAD</http-method>
78           <http-method>OPTIONS</http-method>
79           <http-method>TRACE</http-method>
80           <http-method>GET</http-method>
81           <http-method>POST</http-method>
82        </web-resource-collection>
83        <auth-constraint />
84        <user-data-constraint>
85           <transport-guarantee>NONE</transport-guarantee>
86        </user-data-constraint>
87     </security-constraint>
88
89     <security-constraint>
90        <display-name>unchecked</display-name>
91        <web-resource-collection>
92           <web-resource-name>All Access</web-resource-name>
93           <url-pattern>/unchecked/*</url-pattern>
94           <http-method>DELETE</http-method>
95           <http-method>PUT</http-method>
96           <http-method>HEAD</http-method>
97           <http-method>OPTIONS</http-method>
98           <http-method>TRACE</http-method>
99           <http-method>GET</http-method>
100           <http-method>POST</http-method>
101        </web-resource-collection>
102        <user-data-constraint>
103           <transport-guarantee>NONE</transport-guarantee>
104        </user-data-constraint>
105     </security-constraint>
106
107     <security-constraint>
108        <display-name>Restricted GET</display-name>
109        <web-resource-collection>
110           <web-resource-name>Restricted Access - Get Only</web-resource-name>
111           <url-pattern>/restricted/get-only/*</url-pattern>
112           <http-method>GET</http-method>
113        </web-resource-collection>
114        <auth-constraint>
115           <role-name>GetRole</role-name>
116        </auth-constraint>
117        <user-data-constraint>
118           <transport-guarantee>NONE</transport-guarantee>
119        </user-data-constraint>
120     </security-constraint>
121     <security-constraint>
122        <display-name>Excluded GET</display-name>
123        <web-resource-collection>
124           <web-resource-name>Restricted Access - Get Only</web-resource-name>
125           <url-pattern>/restricted/get-only/*</url-pattern>
126           <http-method>DELETE</http-method>
127           <http-method>PUT</http-method>
128           <http-method>HEAD</http-method>
129           <http-method>OPTIONS</http-method>
130           <http-method>TRACE</http-method>
131           <http-method>POST</http-method>
132        </web-resource-collection>
133        <auth-constraint />
134        <user-data-constraint>
135           <transport-guarantee>NONE</transport-guarantee>
136        </user-data-constraint>
137     </security-constraint>
138
139     <security-constraint>
140        <display-name>Restricted POST</display-name>
141        <web-resource-collection>
142           <web-resource-name>Restricted Access - Post Only</web-resource-name>
143           <url-pattern>/restricted/post-only/*</url-pattern>
144           <http-method>POST</http-method>
145        </web-resource-collection>
146        <auth-constraint>
147           <role-name>PostRole</role-name>
148        </auth-constraint>
149        <user-data-constraint>
150           <transport-guarantee>NONE</transport-guarantee>
151        </user-data-constraint>
152     </security-constraint>
153     <security-constraint>
154        <display-name>Excluded POST</display-name>
155        <web-resource-collection>
156           <web-resource-name>Restricted Access - Post Only</web-resource-name>
157           <url-pattern>/restricted/post-only/*</url-pattern>
158           <http-method>DELETE</http-method>
159           <http-method>PUT</http-method>
160           <http-method>HEAD</http-method>
161           <http-method>OPTIONS</http-method>
162           <http-method>TRACE</http-method>
163           <http-method>GET</http-method>
164        </web-resource-collection>
165        <auth-constraint />
166        <user-data-constraint>
167           <transport-guarantee>NONE</transport-guarantee>
168        </user-data-constraint>
169     </security-constraint>
170
171     <security-constraint>
172        <display-name>Restricted ANY</display-name>
173        <web-resource-collection>
174           <web-resource-name>Restricted Access - Any</web-resource-name>
175           <url-pattern>/restricted/any/*</url-pattern>
176           <http-method>DELETE</http-method>
177           <http-method>PUT</http-method>
178           <http-method>HEAD</http-method>
179           <http-method>OPTIONS</http-method>
180           <http-method>TRACE</http-method>
181           <http-method>GET</http-method>
182           <http-method>POST</http-method>
183        </web-resource-collection>
184        <auth-constraint>
185           <role-name>*</role-name>
186        </auth-constraint>
187        <user-data-constraint>
188           <transport-guarantee>NONE</transport-guarantee>
189        </user-data-constraint>
190     </security-constraint>
191
192     <security-constraint>
193        <display-name>Unrestricted</display-name>
194        <web-resource-collection>
195           <web-resource-name>Restricted Access - Any</web-resource-name>
196           <url-pattern>/restricted/not/*</url-pattern>
197           <http-method>DELETE</http-method>
198           <http-method>PUT</http-method>
199           <http-method>HEAD</http-method>
200           <http-method>OPTIONS</http-method>
201           <http-method>TRACE</http-method>
202           <http-method>GET</http-method>
203           <http-method>POST</http-method>
204        </web-resource-collection>
205        <user-data-constraint>
206           <transport-guarantee>NONE</transport-guarantee>
207        </user-data-constraint>
208     </security-constraint>
209
210     <security-role>
211        <role-name>GetRole</role-name>
212     </security-role>
213     <security-role>
214        <role-name>PostRole</role-name>
215     </security-role>
216
217     <login-config>
218        <auth-method>BASIC</auth-method>
219        <realm-name>WebConstraintsUnitTestCase</realm-name>
220     </login-config>
221  </web-app>
222
223  @author Scott.Stark@jboss.org
224  @version $Revision: 37459 $
225  */

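public class WebConstraintsUnitTestCase extends TestCase
{
   // Fixture overview: setUp() rebuilds the security-constraints of the web.xml
   // quoted in the class comment as WebMetaData, maps them to JACC permissions
   // with WebPermissionMapping.createPermissions() and installs a
   // DelegatingPolicy. Each test then asks Policy.implies() whether a caller
   // ProtectionDomain holding a given role principal is granted a
   // WebResourcePermission. Only WebResourcePermission is queried; the
   // transport-guarantee side of the constraints is not asserted on here.

   /** JACC context ID used for the policy configuration and PolicyContext. */
   private static final String CONTEXT_ID = "WebConstraintsUnitTestCase";

   /**
    * The HTTP methods the descriptor enumerates when a collection is meant to
    * cover every method. NOTE(review): no test probes a method outside this
    * list, so the decision for unlisted methods is not verified by this class.
    */
   private static final String[] ALL_HTTP_METHODS =
      {"DELETE", "PUT", "HEAD", "OPTIONS", "TRACE", "GET", "POST"};

   private PolicyConfiguration pc;

   /** JVM-wide Policy that was installed before setUp() replaced it. */
   private Policy previousPolicy;

   /** PolicyContext context ID that was active before setUp() changed it. */
   private String previousContextID;

   /**
    * Checks that a caller without any principal is granted the unchecked
    * constraints and URLs that no security-constraint names.
    */
   public void testUnchecked() throws Exception
   {
      ProtectionDomain pd = domainFor(null);

      // Test /unchecked
      assertGranted(pd, "/unchecked", "GET");
      assertGranted(pd, "/unchecked/x", "GET");

      // Test the Unrestricted security-constraint
      assertGranted(pd, "/restricted/not", "GET");
      assertGranted(pd, "/restricted/not/x", "GET");
      assertGranted(pd, "/restricted/not/x", "HEAD");
      assertGranted(pd, "/restricted/not/x", "POST");

      // URLs that none of the security-constraints mention
      assertGranted(pd, "/", "GET");
      assertGranted(pd, "/other", "GET");
      assertGranted(pd, "/other", "HEAD");
      assertGranted(pd, "/other", "POST");
   }

   /**
    * Checks GET access to URLs that require the GetRole role, first with a
    * GetRole caller and then with a caller holding an unrelated role.
    */
   public void testGetAccess() throws Exception
   {
      ProtectionDomain pd = domainFor("GetRole");

      // Test the Restricted GET security-constraint
      assertGranted(pd, "/restricted/get-only", "GET");
      assertGranted(pd, "/restricted/get-only/x", "GET");

      // Test the Restricted ANY security-constraint
      assertGranted(pd, "/restricted/any/x", "GET");

      // A POST to the Restricted GET security-constraint must fail
      assertDenied(pd, "/restricted/get-only/x", "POST");

      // A GET to the Restricted POST security-constraint must fail
      assertDenied(pd, "/restricted/post-only/x", "GET");

      // The excluded subcontext is not accessible even with the right role
      assertDenied(pd, "/restricted/get-only/excluded/x", "GET");

      // Switch to a role the descriptor does not declare
      pd = domainFor("OtherRole");

      // Test the Restricted GET security-constraint
      assertDenied(pd, "/restricted/get-only", "GET");
      assertDenied(pd, "/restricted/get-only/x", "GET");

      /* Test the Restricted ANY security-constraint. Note that this would be
      allowed by the non-JACC and standalone tomcat as they interpret the "*"
      role-name to mean any role while the JACC mapping simply replaces "*" with
      the web.xml security-role/role-name values.
      */
      assertDenied(pd, "/restricted/any/x", "GET");
   }

   /**
    * Checks that the excluded paths are denied. Only a GetRole caller is
    * exercised here; other callers are not covered by this method.
    */
   public void testExcludedAccess() throws Exception
   {
      ProtectionDomain pd = domainFor("GetRole");
      String[] uris = {
         "/excluded/x",
         "/restricted/",
         "/restricted/get-only/excluded/x",
         "/restricted/post-only/excluded/x",
         "/restricted/any/excluded/x"
      };
      String[] methods = {"GET", "OPTIONS", "HEAD", "POST"};

      // Every URI is probed with every method, URI by URI
      for (int u = 0; u < uris.length; u++)
      {
         for (int m = 0; m < methods.length; m++)
         {
            assertDenied(pd, uris[u], methods[m]);
         }
      }
   }

   /**
    * Checks POSTs against URLs that only allow the POST method and require
    * the PostRole role.
    */
   public void testPostAccess() throws Exception
   {
      ProtectionDomain pd = domainFor("PostRole");

      assertGranted(pd, "/restricted/post-only/", "POST");
      assertGranted(pd, "/restricted/post-only/x", "POST");

      // Test the Restricted ANY security-constraint
      assertGranted(pd, "/restricted/any/x", "POST");

      // The excluded subcontext is not accessible even with the right role
      assertDenied(pd, "/restricted/post-only/excluded/x", "POST");

      // A GET to the Restricted POST security-constraint must fail. The
      // failure label now names the URI that is really checked.
      assertDenied(pd, "/restricted/post-only/x", "GET");

      // A POST to the Restricted GET security-constraint must fail
      assertDenied(pd, "/restricted/get-only/x", "POST");

      // Switch to a role the descriptor does not declare
      pd = domainFor("OtherRole");

      // Test the Restricted POST security-constraint
      assertDenied(pd, "/restricted/post-only", "POST");
      assertDenied(pd, "/restricted/post-only/x", "POST");
   }

   /**
    * Builds the constraint metadata, installs a DelegatingPolicy as the
    * JVM-wide Policy and commits the generated JACC permissions under
    * CONTEXT_ID. The previous Policy and context ID are remembered so that
    * tearDown() can put them back.
    */
   protected void setUp() throws Exception
   {
      // Capture the global state before it is replaced
      previousPolicy = Policy.getPolicy();
      previousContextID = PolicyContext.getContextID();

      WebMetaData metaData = new WebMetaData();
      ArrayList securityContraints = new ArrayList();
      addExcluded(securityContraints);
      addAllAccessSC(securityContraints);
      addRestrictedGetSC(securityContraints);
      addExcludedGetSC(securityContraints);
      addRestrictedPostSC(securityContraints);
      addExcludedPostSC(securityContraints);
      addRestrictedAnySC(metaData, securityContraints);
      addUnrestrictedSC(securityContraints);
      metaData.setSecurityConstraints(securityContraints);

      DelegatingPolicy policy = new DelegatingPolicy();
      Policy.setPolicy(policy);
      JBossPolicyConfigurationFactory pcf = new JBossPolicyConfigurationFactory();
      pc = pcf.getPolicyConfiguration(CONTEXT_ID, true);
      WebPermissionMapping.createPermissions(metaData, pc);
      pc.commit();
      // Diagnostic dump of the committed policy
      System.out.println(policy.listContextPolicies());
      PolicyContext.setContextID(CONTEXT_ID);
   }

   /**
    * Restores the Policy and PolicyContext context ID that were active before
    * setUp(), so the authorization state installed for this test does not
    * leak into whatever runs next in the same JVM.
    */
   protected void tearDown() throws Exception
   {
      try
      {
         PolicyContext.setContextID(previousContextID);
         Policy.setPolicy(previousPolicy);
      }
      finally
      {
         super.tearDown();
      }
   }

   /**
    * Creates a caller ProtectionDomain with no code source, permissions or
    * class loader.
    *
    * @param role the single role principal of the caller, or null for a
    *    caller without principals
    */
   private static ProtectionDomain domainFor(String role)
   {
      SimplePrincipal[] caller = null;
      if (role != null)
      {
         caller = new SimplePrincipal[]{new SimplePrincipal(role)};
      }
      return new ProtectionDomain(null, null, null, caller);
   }

   /**
    * Asserts that the installed Policy grants the web resource permission.
    * The failure label is derived from the arguments, so it always names the
    * permission that was checked.
    */
   private static void assertGranted(ProtectionDomain pd, String uri, String method)
   {
      WebResourcePermission wrp = new WebResourcePermission(uri, method);
      assertTrue(uri + " " + method, Policy.getPolicy().implies(pd, wrp));
   }

   /**
    * Asserts that the installed Policy does not grant the web resource
    * permission; the failure label is built as in assertGranted().
    */
   private static void assertDenied(ProtectionDomain pd, String uri, String method)
   {
      WebResourcePermission wrp = new WebResourcePermission(uri, method);
      assertFalse(uri + " " + method, Policy.getPolicy().implies(pd, wrp));
   }

   /** Creates an empty security-constraint and appends it to the list. */
   private static WebSecurityMetaData newConstraint(List securityContraints)
   {
      WebSecurityMetaData wsmd = new WebSecurityMetaData();
      securityContraints.add(wsmd);
      return wsmd;
   }

   /** Adds the given http-method values to the collection, in array order. */
   private static void addHttpMethods(WebSecurityMetaData.WebResourceCollection wrc, String[] methods)
   {
      for (int i = 0; i < methods.length; i++)
      {
         wrc.addHttpMethod(methods[i]);
      }
   }

   /** security-constraint/display-name = excluded */
   private void addExcluded(List securityContraints)
   {
      WebSecurityMetaData wsmd = newConstraint(securityContraints);

      // web-resource-collection/web-resource-name = No Access (no http-method)
      WebSecurityMetaData.WebResourceCollection wrc = wsmd.addWebResource("No Access");
      wrc.addPattern("/excluded/*");
      wrc.addPattern("/restricted/get-only/excluded/*");
      wrc.addPattern("/restricted/post-only/excluded/*");
      wrc.addPattern("/restricted/any/excluded/*");
      // NOTE(review): "/excluded/*" is added a second time although the
      // descriptor lists it once; kept as found, presumably redundant.
      wrc.addPattern("/excluded/*");

      // web-resource-collection/web-resource-name = No Access
      wrc = wsmd.addWebResource("No Access");
      wrc.addPattern("/restricted/*");
      addHttpMethods(wrc, ALL_HTTP_METHODS);

      // empty auth-constraint
      wsmd.setExcluded(true);

      // user-data-constraint/transport-guarantee
      wsmd.setTransportGuarantee("NONE");
   }

   /** security-constraint/display-name = unchecked */
   private void addAllAccessSC(List securityContraints)
   {
      WebSecurityMetaData wsmd = newConstraint(securityContraints);

      // All Access
      WebSecurityMetaData.WebResourceCollection wrc = wsmd.addWebResource("All Access");
      wrc.addPattern("/unchecked/*");
      addHttpMethods(wrc, ALL_HTTP_METHODS);

      // No auth-constraint
      wsmd.setUnchecked(true);
      // user-data-constraint/transport-guarantee
      wsmd.setTransportGuarantee("NONE");
   }

   /** security-constraint/display-name = Restricted GET */
   private void addRestrictedGetSC(List securityContraints)
   {
      WebSecurityMetaData wsmd = newConstraint(securityContraints);

      // web-resource-name = Restricted Access - Get Only
      WebSecurityMetaData.WebResourceCollection wrc = wsmd.addWebResource("Restricted Access - Get Only");
      wrc.addPattern("/restricted/get-only/*");
      wrc.addHttpMethod("GET");

      // auth-constraint/role-name = GetRole
      wsmd.addRole("GetRole");
      // user-data-constraint/transport-guarantee
      wsmd.setTransportGuarantee("NONE");
   }

   /** security-constraint/display-name = Excluded GET */
   private void addExcludedGetSC(List securityContraints)
   {
      WebSecurityMetaData wsmd = newConstraint(securityContraints);

      // web-resource-name = Restricted Access - Get Only; every listed method but GET
      WebSecurityMetaData.WebResourceCollection wrc = wsmd.addWebResource("Restricted Access - Get Only");
      wrc.addPattern("/restricted/get-only/*");
      addHttpMethods(wrc, new String[]{"DELETE", "PUT", "HEAD", "OPTIONS", "TRACE", "POST"});

      // empty auth-constraint
      wsmd.setExcluded(true);
      // user-data-constraint/transport-guarantee
      wsmd.setTransportGuarantee("NONE");
   }

   /** security-constraint/display-name = Restricted POST */
   private void addRestrictedPostSC(List securityContraints)
   {
      WebSecurityMetaData wsmd = newConstraint(securityContraints);

      // web-resource-name = Restricted Access - Post Only
      WebSecurityMetaData.WebResourceCollection wrc = wsmd.addWebResource("Restricted Access - Post Only");
      wrc.addPattern("/restricted/post-only/*");
      wrc.addHttpMethod("POST");

      // auth-constraint/role-name = PostRole
      wsmd.addRole("PostRole");
      // user-data-constraint/transport-guarantee
      wsmd.setTransportGuarantee("NONE");
   }

   /** security-constraint/display-name = Excluded POST */
   private void addExcludedPostSC(List securityContraints)
   {
      WebSecurityMetaData wsmd = newConstraint(securityContraints);

      // web-resource-name = Restricted Access - Post Only; every listed method but POST
      WebSecurityMetaData.WebResourceCollection wrc = wsmd.addWebResource("Restricted Access - Post Only");
      wrc.addPattern("/restricted/post-only/*");
      addHttpMethods(wrc, new String[]{"DELETE", "PUT", "HEAD", "OPTIONS", "TRACE", "GET"});

      // empty auth-constraint
      wsmd.setExcluded(true);
      // user-data-constraint/transport-guarantee
      wsmd.setTransportGuarantee("NONE");
   }

   /**
    * security-constraint/display-name = Restricted ANY. Also registers the
    * security-role values on the WebMetaData, which is what the "*" role-name
    * is mapped to.
    */
   private void addRestrictedAnySC(WebMetaData wmd, List securityContraints)
   {
      WebSecurityMetaData wsmd = newConstraint(securityContraints);

      // web-resource-name = Restricted Access - Any
      WebSecurityMetaData.WebResourceCollection wrc = wsmd.addWebResource("Restricted Access - Any");
      wrc.addPattern("/restricted/any/*");
      addHttpMethods(wrc, ALL_HTTP_METHODS);

      // auth-constraint/role-name = *
      wsmd.addRole("*");
      // Add the security-role/role-name values * would map to
      HashMap roles = new HashMap();
      roles.put("GetRole", new SecurityRoleMetaData("GetRole"));
      roles.put("PostRole", new SecurityRoleMetaData("PostRole"));
      wmd.setSecurityRoles(roles);
      // user-data-constraint/transport-guarantee
      wsmd.setTransportGuarantee("NONE");
   }

   /** security-constraint/display-name = Unrestricted */
   private void addUnrestrictedSC(List securityContraints)
   {
      WebSecurityMetaData wsmd = newConstraint(securityContraints);

      // web-resource-name = Restricted Access - Any
      WebSecurityMetaData.WebResourceCollection wrc = wsmd.addWebResource("Restricted Access - Any");
      wrc.addPattern("/restricted/not/*");
      addHttpMethods(wrc, ALL_HTTP_METHODS);

      // no auth-constraint
      wsmd.setUnchecked(true);
      // user-data-constraint/transport-guarantee
      wsmd.setTransportGuarantee("NONE");
   }
}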