1   /*
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements.  See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership.  The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License.  You may obtain a copy of the License at
9    *
10   *     http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing,
13   * software distributed under the License is distributed on an
14   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   * KIND, either express or implied.  See the License for the
16   * specific language governing permissions and limitations
17   * under the License.
18   */
19  package org.apache.shiro.web.mgt;
20  
21  import org.apache.shiro.authc.UsernamePasswordToken;
22  import org.apache.shiro.config.Ini;
23  import org.apache.shiro.realm.text.IniRealm;
24  import org.apache.shiro.session.ExpiredSessionException;
25  import org.apache.shiro.session.Session;
26  import org.apache.shiro.session.mgt.AbstractSessionManager;
27  import org.apache.shiro.subject.PrincipalCollection;
28  import org.apache.shiro.subject.SimplePrincipalCollection;
29  import org.apache.shiro.subject.Subject;
30  import org.apache.shiro.web.config.WebIniSecurityManagerFactory;
31  import org.apache.shiro.web.servlet.ShiroHttpSession;
32  import org.apache.shiro.web.session.mgt.WebSessionManager;
33  import org.apache.shiro.web.subject.WebSubject;
34  import org.junit.After;
35  import org.junit.Before;
36  import org.junit.Test;
37  
38  import javax.servlet.ServletRequest;
39  import javax.servlet.ServletResponse;
40  import javax.servlet.http.Cookie;
41  import javax.servlet.http.HttpServletRequest;
42  import javax.servlet.http.HttpServletResponse;
43  import java.io.Serializable;
44  
45  import static org.easymock.EasyMock.*;
46  import static org.junit.Assert.*;
47  
48  /**
49   * @since 0.9
50   */
51  public class DefaultWebSecurityManagerTest extends AbstractWebSecurityManagerTest {
52  
53      private DefaultWebSecurityManager sm;
54  
55      @Before
56      public void setup() {
57          sm = new DefaultWebSecurityManager();
58          sm.setSessionMode(DefaultWebSecurityManager.NATIVE_SESSION_MODE);
59          Ini ini = new Ini();
60          Ini.Section section = ini.addSection(IniRealm.USERS_SECTION_NAME);
61          section.put("lonestarr", "vespa");
62          sm.setRealm(new IniRealm(ini));
63      }
64  
65      @After
66      public void tearDown() {
67          sm.destroy();
68          super.tearDown();
69      }
70  
71      protected Subject newSubject(ServletRequest request, ServletResponse response) {
72          return new WebSubject.Builder(sm, request, response).buildSubject();
73      }
74  
75  	@Test
76  	public void checkSessionManagerDeterminesContainerSessionMode() {
77  		sm.setSessionMode(DefaultWebSecurityManager.NATIVE_SESSION_MODE);
78  		WebSessionManager sessionManager = createMock(WebSessionManager.class);
79  
80  		expect(sessionManager.isServletContainerSessions()).andReturn(true).anyTimes();
81  
82  		replay(sessionManager);
83  
84  		sm.setSessionManager(sessionManager);
85  
86  		assertTrue("The set SessionManager is not being used to determine isHttpSessionMode.", sm.isHttpSessionMode());
87  
88  		verify(sessionManager);
89  	}
90  
91      @Test
92      public void shiroSessionModeInit() {
93          sm.setSessionMode(DefaultWebSecurityManager.NATIVE_SESSION_MODE);
94      }
95  
96      protected void sleep(long millis) {
97          try {
98              Thread.sleep(millis);
99          } catch (InterruptedException e) {
100             throw new IllegalStateException(e);
101         }
102     }
103 
104     @Test
105     public void testLogin() {
106         HttpServletRequest mockRequest = createNiceMock(HttpServletRequest.class);
107         HttpServletResponse mockResponse = createNiceMock(HttpServletResponse.class);
108 
109         expect(mockRequest.getCookies()).andReturn(null);
110         expect(mockRequest.getContextPath()).andReturn("/");
111 
112         replay(mockRequest);
113 
114         Subject subject = newSubject(mockRequest, mockResponse);
115 
116         assertFalse(subject.isAuthenticated());
117 
118         subject.login(new UsernamePasswordToken("lonestarr", "vespa"));
119 
120         assertTrue(subject.isAuthenticated());
121         assertNotNull(subject.getPrincipal());
122         assertTrue(subject.getPrincipal().equals("lonestarr"));
123     }
124 
125     @Test
126     public void testSessionTimeout() {
127         shiroSessionModeInit();
128         long globalTimeout = 100;
129         ((AbstractSessionManager) sm.getSessionManager()).setGlobalSessionTimeout(globalTimeout);
130 
131         HttpServletRequest mockRequest = createNiceMock(HttpServletRequest.class);
132         HttpServletResponse mockResponse = createNiceMock(HttpServletResponse.class);
133 
134         expect(mockRequest.getCookies()).andReturn(null);
135         expect(mockRequest.getContextPath()).andReturn("/");
136 
137         replay(mockRequest);
138 
139         Subject subject = newSubject(mockRequest, mockResponse);
140 
141         Session session = subject.getSession();
142         assertEquals(session.getTimeout(), globalTimeout);
143         session.setTimeout(125);
144         assertEquals(session.getTimeout(), 125);
145         sleep(200);
146         try {
147             session.getTimeout();
148             fail("Session should have expired.");
149         } catch (ExpiredSessionException expected) {
150         }
151     }
152 
153     @Test
154     public void testGetSubjectByRequestResponsePair() {
155         shiroSessionModeInit();
156 
157         HttpServletRequest mockRequest = createNiceMock(HttpServletRequest.class);
158         HttpServletResponse mockResponse = createNiceMock(HttpServletResponse.class);
159 
160         expect(mockRequest.getCookies()).andReturn(null);
161 
162         replay(mockRequest);
163         replay(mockResponse);
164 
165         Subject subject = newSubject(mockRequest, mockResponse);
166 
167         verify(mockRequest);
168         verify(mockResponse);
169 
170         assertNotNull(subject);
171         assertTrue(subject.getPrincipals() == null || subject.getPrincipals().isEmpty());
172         assertTrue(subject.getSession(false) == null);
173         assertFalse(subject.isAuthenticated());
174     }
175 
176     @Test
177     public void testGetSubjectByRequestSessionId() {
178 
179         shiroSessionModeInit();
180 
181         HttpServletRequest mockRequest = createNiceMock(HttpServletRequest.class);
182         HttpServletResponse mockResponse = createNiceMock(HttpServletResponse.class);
183 
184         replay(mockRequest);
185         replay(mockResponse);
186 
187         Subject subject = newSubject(mockRequest, mockResponse);
188 
189         Session session = subject.getSession();
190         Serializable sessionId = session.getId();
191 
192         assertNotNull(sessionId);
193 
194         verify(mockRequest);
195         verify(mockResponse);
196 
197         mockRequest = createNiceMock(HttpServletRequest.class);
198         mockResponse = createNiceMock(HttpServletResponse.class);
199         //now simulate the cookie going with the request and the Subject should be acquired based on that:
200         Cookie[] cookies = new Cookie[]{new Cookie(ShiroHttpSession.DEFAULT_SESSION_ID_NAME, sessionId.toString())};
201         expect(mockRequest.getCookies()).andReturn(cookies).anyTimes();
202         expect(mockRequest.getParameter(isA(String.class))).andReturn(null).anyTimes();
203 
204         replay(mockRequest);
205         replay(mockResponse);
206 
207         subject = newSubject(mockRequest, mockResponse);
208 
209         session = subject.getSession(false);
210         assertNotNull(session);
211         assertEquals(sessionId, session.getId());
212 
213         verify(mockRequest);
214         verify(mockResponse);
215     }
216 
217     /**
218      * Asserts fix for <a href="https://issues.apache.org/jira/browse/SHIRO-350">SHIRO-350</a>.
219      */
220     @Test
221     public void testBuildNonWebSubjectWithDefaultServletContainerSessionManager() {
222 
223         Ini ini = new Ini();
224         Ini.Section section = ini.addSection(IniRealm.USERS_SECTION_NAME);
225         section.put("user1", "user1");
226 
227         WebIniSecurityManagerFactory factory = new WebIniSecurityManagerFactory(ini);
228 
229         WebSecurityManager securityManager = (WebSecurityManager)factory.getInstance();
230 
231         PrincipalCollection principals = new SimplePrincipalCollection("user1", "iniRealm");
232         Subject subject = new Subject.Builder(securityManager).principals(principals).buildSubject();
233 
234         assertNotNull(subject);
235         assertEquals("user1", subject.getPrincipal());
236     }
237 
238 }