19 package org.apache.shiro.web.mgt;
20
21 import org.apache.shiro.authc.UsernamePasswordToken;
22 import org.apache.shiro.config.Ini;
23 import org.apache.shiro.realm.text.IniRealm;
24 import org.apache.shiro.session.ExpiredSessionException;
25 import org.apache.shiro.session.Session;
26 import org.apache.shiro.session.mgt.AbstractSessionManager;
27 import org.apache.shiro.subject.PrincipalCollection;
28 import org.apache.shiro.subject.SimplePrincipalCollection;
29 import org.apache.shiro.subject.Subject;
30 import org.apache.shiro.web.config.WebIniSecurityManagerFactory;
31 import org.apache.shiro.web.servlet.ShiroHttpSession;
32 import org.apache.shiro.web.session.mgt.WebSessionManager;
33 import org.apache.shiro.web.subject.WebSubject;
34 import org.junit.After;
35 import org.junit.Before;
36 import org.junit.Test;
37
38 import javax.servlet.ServletRequest;
39 import javax.servlet.ServletResponse;
40 import javax.servlet.http.Cookie;
41 import javax.servlet.http.HttpServletRequest;
42 import javax.servlet.http.HttpServletResponse;
43 import java.io.Serializable;
44
45 import static org.easymock.EasyMock.*;
46 import static org.junit.Assert.*;
47
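/**
 * Tests {@link DefaultWebSecurityManager} in native (Shiro-managed) session mode: authenticating
 * against an {@link IniRealm}, enforcement of the session inactivity timeout, re-resolving an
 * existing session from the request's session-id cookie, and building a non-web {@link Subject}
 * from a factory-created {@link WebSecurityManager}.
 * <p>
 * The servlet request/response objects are EasyMock nice mocks: any call the security manager
 * makes that the test did not explicitly expect returns a default value instead of failing.
 */
public class DefaultWebSecurityManagerTest extends AbstractWebSecurityManagerTest {

    private DefaultWebSecurityManager sm;

    /** Creates a native-session-mode security manager backed by a single-user INI realm. */
    @Before
    public void setup() {
        sm = new DefaultWebSecurityManager();
        sm.setSessionMode(DefaultWebSecurityManager.NATIVE_SESSION_MODE);
        Ini ini = new Ini();
        Ini.Section section = ini.addSection(IniRealm.USERS_SECTION_NAME);
        section.put("lonestarr", "vespa");
        sm.setRealm(new IniRealm(ini));
    }

    /**
     * Destroys the security manager. The superclass teardown runs in a {@code finally} block so
     * that its cleanup still happens if {@code destroy()} throws.
     */
    @After
    public void tearDown() {
        try {
            sm.destroy();
        } finally {
            super.tearDown();
        }
    }

    /**
     * Builds a {@link WebSubject} bound to the given request/response pair using the test's
     * security manager.
     *
     * @param request  the servlet request to bind
     * @param response the servlet response to bind
     * @return the built subject
     */
    protected Subject newSubject(ServletRequest request, ServletResponse response) {
        return new WebSubject.Builder(sm, request, response).buildSubject();
    }

    /** The configured {@link WebSessionManager} decides whether servlet-container sessions are in use. */
    @Test
    public void checkSessionManagerDeterminesContainerSessionMode() {
        sm.setSessionMode(DefaultWebSecurityManager.NATIVE_SESSION_MODE);
        WebSessionManager sessionManager = createMock(WebSessionManager.class);

        expect(sessionManager.isServletContainerSessions()).andReturn(true).anyTimes();

        replay(sessionManager);

        sm.setSessionManager(sessionManager);

        assertTrue("The set SessionManager is not being used to determine isHttpSessionMode.", sm.isHttpSessionMode());

        verify(sessionManager);
    }

    /** Switches the security manager to native session mode; also used as setup by other tests. */
    @Test
    public void shiroSessionModeInit() {
        sm.setSessionMode(DefaultWebSecurityManager.NATIVE_SESSION_MODE);
    }

    /**
     * Pauses the current thread; used to let a session pass its inactivity timeout.
     *
     * @param millis how long to sleep
     * @throws IllegalStateException if the sleep is interrupted; the thread's interrupt flag is
     *                               restored before the exception is thrown
     */
    protected void sleep(long millis) {
        try {
            Thread.sleep(millis);
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new IllegalStateException(e);
        }
    }

    /** A subject with no session cookie starts unauthenticated and becomes authenticated after login. */
    @Test
    public void testLogin() {
        HttpServletRequest mockRequest = createNiceMock(HttpServletRequest.class);
        HttpServletResponse mockResponse = createNiceMock(HttpServletResponse.class);

        // No cookies: the subject cannot be associated with a pre-existing session.
        expect(mockRequest.getCookies()).andReturn(null);
        expect(mockRequest.getContextPath()).andReturn("/");

        replay(mockRequest);
        replay(mockResponse);

        Subject subject = newSubject(mockRequest, mockResponse);

        assertFalse(subject.isAuthenticated());

        subject.login(new UsernamePasswordToken("lonestarr", "vespa"));

        assertTrue(subject.isAuthenticated());
        assertNotNull(subject.getPrincipal());
        assertEquals("lonestarr", subject.getPrincipal());
    }

    /**
     * A new session inherits the global timeout, a per-session override is honoured, and accessing
     * the session after the timeout has elapsed fails with {@link ExpiredSessionException}.
     * Relies on wall-clock sleeping, so the timeouts are kept short.
     */
    @Test
    public void testSessionTimeout() {
        shiroSessionModeInit();
        long globalTimeout = 100;
        ((AbstractSessionManager) sm.getSessionManager()).setGlobalSessionTimeout(globalTimeout);

        HttpServletRequest mockRequest = createNiceMock(HttpServletRequest.class);
        HttpServletResponse mockResponse = createNiceMock(HttpServletResponse.class);

        expect(mockRequest.getCookies()).andReturn(null);
        expect(mockRequest.getContextPath()).andReturn("/");

        replay(mockRequest);
        replay(mockResponse);

        Subject subject = newSubject(mockRequest, mockResponse);

        Session session = subject.getSession();
        assertEquals(globalTimeout, session.getTimeout());
        session.setTimeout(125);
        assertEquals(125L, session.getTimeout());
        // Sleep past the 125ms override so the next access is rejected as expired.
        sleep(200);
        try {
            session.getTimeout();
            fail("Session should have expired.");
        } catch (ExpiredSessionException expected) {
            // expected: the inactivity timeout has passed
        }
    }

    /** A request without cookies yields an anonymous subject with no principals and no session. */
    @Test
    public void testGetSubjectByRequestResponsePair() {
        shiroSessionModeInit();

        HttpServletRequest mockRequest = createNiceMock(HttpServletRequest.class);
        HttpServletResponse mockResponse = createNiceMock(HttpServletResponse.class);

        expect(mockRequest.getCookies()).andReturn(null);

        replay(mockRequest);
        replay(mockResponse);

        Subject subject = newSubject(mockRequest, mockResponse);

        verify(mockRequest);
        verify(mockResponse);

        assertNotNull(subject);
        PrincipalCollection principals = subject.getPrincipals();
        assertTrue(principals == null || principals.isEmpty());
        // getSession(false) must not create a session for an anonymous subject.
        assertNull(subject.getSession(false));
        assertFalse(subject.isAuthenticated());
    }

    /**
     * A session created for one request is found again by a later request that presents the
     * session id in the {@link ShiroHttpSession#DEFAULT_SESSION_ID_NAME} cookie. The second
     * request stubs every request parameter to {@code null}, so the cookie is the only place the
     * id can be read from.
     */
    @Test
    public void testGetSubjectByRequestSessionId() {

        shiroSessionModeInit();

        HttpServletRequest mockRequest = createNiceMock(HttpServletRequest.class);
        HttpServletResponse mockResponse = createNiceMock(HttpServletResponse.class);

        replay(mockRequest);
        replay(mockResponse);

        Subject subject = newSubject(mockRequest, mockResponse);

        // First request: create a session and capture the id that was issued.
        Session session = subject.getSession();
        Serializable sessionId = session.getId();

        assertNotNull(sessionId);

        verify(mockRequest);
        verify(mockResponse);

        mockRequest = createNiceMock(HttpServletRequest.class);
        mockResponse = createNiceMock(HttpServletResponse.class);

        // Second request: present the issued id via the session cookie only.
        Cookie[] cookies = new Cookie[]{new Cookie(ShiroHttpSession.DEFAULT_SESSION_ID_NAME, sessionId.toString())};
        expect(mockRequest.getCookies()).andReturn(cookies).anyTimes();
        expect(mockRequest.getParameter(isA(String.class))).andReturn(null).anyTimes();

        replay(mockRequest);
        replay(mockResponse);

        subject = newSubject(mockRequest, mockResponse);

        // getSession(false) must return the existing session rather than create a new one.
        session = subject.getSession(false);
        assertNotNull(session);
        assertEquals(sessionId, session.getId());

        verify(mockRequest);
        verify(mockResponse);
    }

    /**
     * A {@link WebSecurityManager} produced by {@link WebIniSecurityManagerFactory} can still back
     * a plain (non-web) {@link Subject} built directly from a principal collection. This test does
     * not use the {@link #sm} fixture.
     */
    @Test
    public void testBuildNonWebSubjectWithDefaultServletContainerSessionManager() {

        Ini ini = new Ini();
        Ini.Section section = ini.addSection(IniRealm.USERS_SECTION_NAME);
        section.put("user1", "user1");

        WebIniSecurityManagerFactory factory = new WebIniSecurityManagerFactory(ini);

        WebSecurityManager securityManager = (WebSecurityManager) factory.getInstance();

        PrincipalCollection principals = new SimplePrincipalCollection("user1", "iniRealm");
        Subject subject = new Subject.Builder(securityManager).principals(principals).buildSubject();

        assertNotNull(subject);
        assertEquals("user1", subject.getPrincipal());
    }

}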