1   /*
2    * Copyright (c) MuleSoft, Inc.  All rights reserved.  http://www.mulesoft.com
3    * The software in this package is published under the terms of the CPAL v1.0
4    * license, a copy of which has been included with this distribution in the
5    * LICENSE.txt file.
6    */
7   package org.mule.module.cxf;
8   
9   import org.mule.tck.junit4.FunctionalTestCase;
10  import org.mule.tck.junit4.rule.DynamicPort;
11  import org.mule.transport.http.HttpConstants;
12  
13  import org.apache.commons.httpclient.HttpClient;
14  import org.apache.commons.httpclient.UsernamePasswordCredentials;
15  import org.apache.commons.httpclient.auth.AuthScope;
16  import org.apache.commons.httpclient.methods.GetMethod;
17  import org.apache.commons.httpclient.methods.PostMethod;
18  import org.apache.commons.httpclient.methods.StringRequestEntity;
19  import org.junit.Rule;
20  import org.junit.Test;
21  
22  import static org.junit.Assert.assertEquals;
23  import static org.junit.Assert.assertNotNull;
24  
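/**
 * Functional tests for HTTP Basic authentication on the <code>/services/Echo</code>
 * endpoints declared in <code>http-security-filter-test.xml</code> (not shown here).
 * <p>
 * Each test sends a GET or a SOAP POST with commons-httpclient and asserts the HTTP
 * status code: 401 for missing or rejected credentials, 200 for accepted ones. Plain
 * HTTP requests go to <code>port1</code>, HTTPS requests to <code>port2</code>.
 * <p>
 * NOTE(review): apart from the two "no context" tests, only the status code is
 * checked. Nothing here asserts on the <code>WWW-Authenticate</code> challenge header,
 * and how the client comes to trust the HTTPS endpoint's certificate is not visible
 * in this class.
 */
public class HttpSecurityFilterFunctionalTestCase extends FunctionalTestCase
{

    /** SOAP envelope posted to the Echo service; a constant, so it is final. */
    private static final String SOAP_REQUEST =
        "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:unk=\"http://unknown.namespace/\">" +
           "<soapenv:Header/>" +
           "<soapenv:Body>" +
              "<unk:echo>" +
                 "<arg0>asdf</arg0>" +
              "</unk:echo>" +
           "</soapenv:Body>" +
        "</soapenv:Envelope>";

    /** Port used by the plain-HTTP requests in this class. */
    @Rule
    public DynamicPort dynamicPort1 = new DynamicPort("port1");

    /** Port used by the HTTPS requests in this class. */
    @Rule
    public DynamicPort dynamicPort2 = new DynamicPort("port2");

    @Override
    protected String getConfigResources()
    {
        return "http-security-filter-test.xml";
    }

    /**
     * Rejected credentials over HTTPS must yield 401.
     * <p>
     * By putting this test method that uses https first we can test MULE-4558.
     *
     * @throws Exception if the request cannot be executed
     */
    @Test
    public void testAuthenticationFailureBadCredentialsGetHttps() throws Exception
    {
        doGet(null, "localhost", "anonX", "anonX", "https://localhost:" + dynamicPort2.getNumber() + "/services/Echo", true, true, 401);
    }

    /**
     * A GET that carries no credentials at all must be answered with 401 and the
     * "no security context" message.
     */
    @Test
    public void testAuthenticationFailureNoContextGet() throws Exception
    {
        HttpClient client = new HttpClient();
        client.getParams().setAuthenticationPreemptive(true);
        GetMethod get = new GetMethod("http://localhost:" + dynamicPort1.getNumber() + "/services/Echo");

        // No credentials are registered and challenge handling is off, so the
        // request reaches the server unauthenticated.
        get.setDoAuthentication(false);

        try
        {
            int status = client.executeMethod(get);
            assertEquals(HttpConstants.SC_UNAUTHORIZED, status);
            assertEquals(noSecurityContextMessage("String"), get.getResponseBodyAsString());
        }
        finally
        {
            get.releaseConnection();
        }
    }

    /**
     * A SOAP POST that carries no credentials at all must be answered with 401 and
     * the "no security context" message.
     */
    @Test
    public void testAuthenticationFailureNoContextPost() throws Exception
    {
        HttpClient client = new HttpClient();
        client.getParams().setAuthenticationPreemptive(true);
        PostMethod post = new PostMethod("http://localhost:" + dynamicPort1.getNumber() + "/services/Echo");

        // Same as the GET variant: the request is sent unauthenticated.
        post.setDoAuthentication(false);

        StringRequestEntity requestEntity = new StringRequestEntity(SOAP_REQUEST, "text/xml", "UTF-8");
        post.setRequestEntity(requestEntity);

        try
        {
            int status = client.executeMethod(post);
            assertEquals(HttpConstants.SC_UNAUTHORIZED, status);
            assertEquals(noSecurityContextMessage("ContentLengthInputStream"), post.getResponseBodyAsString());
        }
        finally
        {
            post.releaseConnection();
        }
    }

    /** Rejected credentials on a plain-HTTP GET must yield 401. */
    @Test
    public void testAuthenticationFailureBadCredentialsGet() throws Exception
    {
        doGet(null, "localhost", "anonX", "anonX", "http://localhost:" + dynamicPort1.getNumber() + "/services/Echo/echo/echo/hello", true, true, 401);
    }

    /** Rejected credentials on a plain-HTTP POST must yield 401. */
    @Test
    public void testAuthenticationFailureBadCredentialsPost() throws Exception
    {
        doPost(null, "localhost", "anonX", "anonX", "http://localhost:" + dynamicPort1.getNumber() + "/services/Echo", true, true, 401);
    }

    /** Rejected credentials on an HTTPS POST must yield 401. */
    @Test
    public void testAuthenticationFailureBadCredentialsPostHttps() throws Exception
    {
        doPost(null, "localhost", "anonX", "anonX", "https://localhost:" + dynamicPort2.getNumber() + "/services/Echo", true, true, 401);
    }

    /** Accepted credentials sent preemptively on a plain-HTTP GET must yield 200. */
    @Test
    public void testAuthenticationAuthorisedGet() throws Exception
    {
        doGet(null, "localhost", "anon", "anon", "http://localhost:" + dynamicPort1.getNumber() + "/services/Echo/echo/echo/hello", false, true, 200);
    }

    /** Accepted credentials sent preemptively on an HTTPS GET must yield 200. */
    @Test
    public void testAuthenticationAuthorisedGetHttps() throws Exception
    {
        doGet(null, "localhost", "anon", "anon", "https://localhost:" + dynamicPort2.getNumber() + "/services/Echo/echo/echo/hello", false, true, 200);
    }

    /** Accepted credentials sent preemptively on a plain-HTTP POST must yield 200. */
    @Test
    public void testAuthenticationAuthorisedPost() throws Exception
    {
        doPost(null, "localhost", "anon", "anon", "http://localhost:" + dynamicPort1.getNumber() + "/services/Echo", false, true, 200);
    }

    /** Accepted credentials sent preemptively on an HTTPS POST must yield 200. */
    @Test
    public void testAuthenticationAuthorisedPostHttps() throws Exception
    {
        doPost(null, "localhost", "anon", "anon", "https://localhost:" + dynamicPort2.getNumber() + "/services/Echo", false, true, 200);
    }

    /** Accepted credentials supplied only after the server's challenge (GET) must yield 200. */
    @Test
    public void testAuthenticationAuthorisedWithHandshakeGet() throws Exception
    {
        doGet(null, "localhost", "anon", "anon", "http://localhost:" + dynamicPort1.getNumber() + "/services/Echo/echo/echo/hello", true, false, 200);
    }

    /** Accepted credentials supplied only after the server's challenge (POST) must yield 200. */
    @Test
    public void testAuthenticationAuthorisedWithHandshakePost() throws Exception
    {
        doPost(null, "localhost", "anon", "anon", "http://localhost:" + dynamicPort1.getNumber() + "/services/Echo", true, false, 200);
    }

    /**
     * Credentials registered for the realm "blah" must end in 401 (GET).
     * <p>
     * NOTE(review): the credentials are scoped to "blah" on the client side, so the
     * client presumably never sends them once the server's challenge names a
     * different realm. If so, this shows the client withholding credentials rather
     * than the server rejecting a realm. Confirm before relying on it as a
     * server-side check.
     */
    @Test
    public void testAuthenticationAuthorisedWithHandshakeAndBadRealmGet() throws Exception
    {
        doGet("blah", "localhost", "anon", "anon", "http://localhost:" + dynamicPort1.getNumber() + "/services/Echo/echo/echo/hello", true, false, 401);
    }

    /**
     * Credentials registered for the realm "blah" must end in 401 (POST). The realm
     * caveat on the GET variant applies here as well: the credentials are scoped on
     * the client side, so this may not exercise server-side realm handling.
     */
    @Test
    public void testAuthenticationAuthorisedWithHandshakeAndBadRealmPost() throws Exception
    {
        doPost("blah", "localhost", "anon", "anon", "http://localhost:" + dynamicPort1.getNumber() + "/services/Echo", true, false, 401);
    }

    /** Credentials registered for the realm "mule-realm" must be accepted after the challenge (GET). */
    @Test
    public void testAuthenticationAuthorisedWithHandshakeAndRealmGet() throws Exception
    {
        doGet("mule-realm", "localhost", "ross", "ross", "http://localhost:" + dynamicPort1.getNumber() + "/services/Echo/echo/echo/hello", true, false,
            200);
    }

    /** Credentials registered for the realm "mule-realm" must be accepted after the challenge (POST). */
    @Test
    public void testAuthenticationAuthorisedWithHandshakeAndRealmPost() throws Exception
    {
        doPost("mule-realm", "localhost", "ross", "ross", "http://localhost:" + dynamicPort1.getNumber() + "/services/Echo", true,
            false, 200);
    }

    /**
     * Builds the response body expected when a request arrives without any security
     * context.
     * <p>
     * NOTE(review): the asserted body names the authentication filter class and the
     * Java type of the message payload. Pinning it character for character means this
     * expectation must change together with any trimming of that error text to
     * disclose less about the server's internals.
     *
     * @param payloadType payload type name the server reports for the request
     * @return the exact body the server is expected to return with the 401
     */
    private String noSecurityContextMessage(String payloadType)
    {
        return "Registered authentication is set to org.mule.module.acegi.filters.http.HttpBasicAuthenticationFilter "
               + "but there was no security context on the session. Authentication denied on "
               + "endpoint http://localhost:" + dynamicPort1.getNumber() + "/services/Echo. Message payload is of type: "
               + payloadType;
    }

    /**
     * Creates a client holding one username/password pair for the given host and realm.
     *
     * @param realm realm the credentials apply to; <code>null</code> matches any realm
     * @param host host the credentials apply to
     * @param user user name
     * @param pass password
     * @param preemptive whether credentials are sent with the first request instead
     *            of waiting for the server's challenge
     * @return the configured client
     */
    private HttpClient newClient(String realm, String host, String user, String pass, boolean preemptive)
    {
        HttpClient client = new HttpClient();
        client.getParams().setAuthenticationPreemptive(preemptive);
        // ANY_PORT (-1) because the tests run against dynamically allocated ports.
        client.getState().setCredentials(new AuthScope(host, AuthScope.ANY_PORT, realm),
            new UsernamePasswordCredentials(user, pass));
        return client;
    }

    /**
     * Sends a GET with the given credentials and asserts the response status.
     *
     * @param realm realm the credentials are scoped to, or <code>null</code> for any
     * @param host host the credentials are scoped to
     * @param user user name
     * @param pass password
     * @param url request URL
     * @param handshake whether the client answers an authentication challenge
     * @param preemptive whether credentials are sent before any challenge
     * @param result expected HTTP status code
     * @throws Exception if the request cannot be executed
     */
    private void doGet(String realm,
                       String host,
                       String user,
                       String pass,
                       String url,
                       boolean handshake,
                       boolean preemptive,
                       int result) throws Exception
    {
        HttpClient client = newClient(realm, host, user, pass, preemptive);
        GetMethod get = new GetMethod(url);
        get.setDoAuthentication(handshake);

        try
        {
            int status = client.executeMethod(get);
            assertEquals(result, status);
        }
        finally
        {
            // Always hand the connection back, including when the assertion fails.
            get.releaseConnection();
        }
    }

    /**
     * Posts the SOAP request with the given credentials, asserts the response status
     * and checks that a response body is present.
     *
     * @param realm realm the credentials are scoped to, or <code>null</code> for any
     * @param host host the credentials are scoped to
     * @param user user name
     * @param pass password
     * @param url request URL
     * @param handshake whether the client answers an authentication challenge
     * @param preemptive whether credentials are sent before any challenge
     * @param result expected HTTP status code
     * @throws Exception if the request cannot be executed
     */
    private void doPost(String realm,
                        String host,
                        String user,
                        String pass,
                        String url,
                        boolean handshake,
                        boolean preemptive,
                        int result) throws Exception
    {
        HttpClient client = newClient(realm, host, user, pass, preemptive);
        PostMethod post = new PostMethod(url);
        post.setDoAuthentication(handshake);
        StringRequestEntity requestEntity = new StringRequestEntity(SOAP_REQUEST, "text/xml", "UTF-8");
        post.setRequestEntity(requestEntity);
        try
        {
            int status = client.executeMethod(post);
            assertEquals(result, status);
            assertNotNull(post.getResponseBodyAsString());
        }
        finally
        {
            // Always hand the connection back, including when an assertion fails.
            post.releaseConnection();
        }
    }

}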