Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

SEC-506: Fix as suggested by reporter. Split the disgest header string ignoring separating commas which occur between quotes.

This commit is contained in:
Luke Taylor 2007-08-28 00:31:30 +00:00
parent 3f123e1478
commit c8077c5e87
4 changed files with 177 additions and 110 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

110
core/src/main/java/org/acegisecurity/ui/digestauth/DigestProcessingFilter.java
View File

@ -68,20 +68,20 @@ import javax.servlet.http.HttpServletResponse;
* <code>SecurityContextHolder</code>.<p>For a detailed background on what this filter is designed to process,
* refer to <a href="http://www.ietf.org/rfc/rfc2617.txt">RFC 2617</a> (which superseded RFC 2069, although this
* filter support clients that implement either RFC 2617 or RFC 2069).</p>
* <p>This filter can be used to provide Digest authentication services to both remoting protocol clients (such as
* <p>This filter can be used to provide Digest authentication services to both remoting protocol clients (such as
* Hessian and SOAP) as well as standard user agents (such as Internet Explorer and FireFox).</p>
* <p>This Digest implementation has been designed to avoid needing to store session state between invocations.
* <p>This Digest implementation has been designed to avoid needing to store session state between invocations.
* All session management information is stored in the "nonce" that is sent to the client by the {@link
* DigestProcessingFilterEntryPoint}.</p>
* <P>If authentication is successful, the resulting {@link org.acegisecurity.Authentication Authentication}
* <P>If authentication is successful, the resulting {@link org.acegisecurity.Authentication Authentication}
* object will be placed into the <code>SecurityContextHolder</code>.</p>
* <p>If authentication fails, an {@link org.acegisecurity.ui.AuthenticationEntryPoint AuthenticationEntryPoint}
* <p>If authentication fails, an {@link org.acegisecurity.ui.AuthenticationEntryPoint AuthenticationEntryPoint}
* implementation is called. This must always be {@link DigestProcessingFilterEntryPoint}, which will prompt the user
* to authenticate again via Digest authentication.</p>
* <p>Note there are limitations to Digest authentication, although it is a more comprehensive and secure solution
* <p>Note there are limitations to Digest authentication, although it is a more comprehensive and secure solution
* than Basic authentication. Please see RFC 2617 section 4 for a full discussion on the advantages of Digest
* authentication over Basic authentication, including commentary on the limitations that it still imposes.</p>
* <p><b>Do not use this class directly.</b> Instead configure <code>web.xml</code> to use the {@link
* <p><b>Do not use this class directly.</b> Instead configure <code>web.xml</code> to use the {@link
* org.acegisecurity.util.FilterToBeanProxy}.</p>
*/
public class DigestProcessingFilter implements Filter, InitializingBean, MessageSourceAware {
@ -105,10 +105,11 @@ public class DigestProcessingFilter implements Filter, InitializingBean, Message
Assert.notNull(authenticationEntryPoint, "A DigestProcessingFilterEntryPoint is required");
}
public void destroy() {}
public void destroy() {
}
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException {
throws IOException, ServletException {
if (!(request instanceof HttpServletRequest)) {
throw new ServletException("Can only process HttpServletRequest");
}
@ -128,7 +129,7 @@ public class DigestProcessingFilter implements Filter, InitializingBean, Message
if ((header != null) && header.startsWith("Digest ")) {
String section212response = header.substring(7);
String[] headerEntries = StringUtils.commaDelimitedListToStringArray(section212response);
String[] headerEntries = StringSplitUtils.splitIgnoringQuotes(section212response, ',');
Map headerMap = StringSplitUtils.splitEachArrayElementAndCreateMap(headerEntries, "=", "\"");
String username = (String) headerMap.get("username");
@ -144,12 +145,12 @@ public class DigestProcessingFilter implements Filter, InitializingBean, Message
if ((username == null) || (realm == null) || (nonce == null) || (uri == null) || (response == null)) {
if (logger.isDebugEnabled()) {
logger.debug("extracted username: '" + username + "'; realm: '" + username + "'; nonce: '"
+ username + "'; uri: '" + username + "'; response: '" + username + "'");
+ username + "'; uri: '" + username + "'; response: '" + username + "'");
}
fail(request, response,
new BadCredentialsException(messages.getMessage("DigestProcessingFilter.missingMandatory",
new Object[] {section212response}, "Missing mandatory digest value; received header {0}")));
new BadCredentialsException(messages.getMessage("DigestProcessingFilter.missingMandatory",
new Object[]{section212response}, "Missing mandatory digest value; received header {0}")));
return;
}
@ -162,8 +163,8 @@ public class DigestProcessingFilter implements Filter, InitializingBean, Message
}
fail(request, response,
new BadCredentialsException(messages.getMessage("DigestProcessingFilter.missingAuth",
new Object[] {section212response}, "Missing mandatory digest value; received header {0}")));
new BadCredentialsException(messages.getMessage("DigestProcessingFilter.missingAuth",
new Object[]{section212response}, "Missing mandatory digest value; received header {0}")));
return;
}
@ -172,9 +173,9 @@ public class DigestProcessingFilter implements Filter, InitializingBean, Message
// Check realm name equals what we expected
if (!this.getAuthenticationEntryPoint().getRealmName().equals(realm)) {
fail(request, response,
new BadCredentialsException(messages.getMessage("DigestProcessingFilter.incorrectRealm",
new Object[] {realm, this.getAuthenticationEntryPoint().getRealmName()},
"Response realm name '{0}' does not match system realm name of '{1}'")));
new BadCredentialsException(messages.getMessage("DigestProcessingFilter.incorrectRealm",
new Object[]{realm, this.getAuthenticationEntryPoint().getRealmName()},
"Response realm name '{0}' does not match system realm name of '{1}'")));
return;
}
@ -182,22 +183,22 @@ public class DigestProcessingFilter implements Filter, InitializingBean, Message
// Check nonce was a Base64 encoded (as sent by DigestProcessingFilterEntryPoint)
if (!Base64.isArrayByteBase64(nonce.getBytes())) {
fail(request, response,
new BadCredentialsException(messages.getMessage("DigestProcessingFilter.nonceEncoding",
new Object[] {nonce}, "Nonce is not encoded in Base64; received nonce {0}")));
new BadCredentialsException(messages.getMessage("DigestProcessingFilter.nonceEncoding",
new Object[]{nonce}, "Nonce is not encoded in Base64; received nonce {0}")));
return;
}
// Decode nonce from Base64
// format of nonce is:
// format of nonce is:
// base64(expirationTime + ":" + md5Hex(expirationTime + ":" + key))
String nonceAsPlainText = new String(Base64.decodeBase64(nonce.getBytes()));
String[] nonceTokens = StringUtils.delimitedListToStringArray(nonceAsPlainText, ":");
if (nonceTokens.length != 2) {
fail(request, response,
new BadCredentialsException(messages.getMessage("DigestProcessingFilter.nonceNotTwoTokens",
new Object[] {nonceAsPlainText}, "Nonce should have yielded two tokens but was {0}")));
new BadCredentialsException(messages.getMessage("DigestProcessingFilter.nonceNotTwoTokens",
new Object[]{nonceAsPlainText}, "Nonce should have yielded two tokens but was {0}")));
return;
}
@ -209,9 +210,9 @@ public class DigestProcessingFilter implements Filter, InitializingBean, Message
nonceExpiryTime = new Long(nonceTokens[0]).longValue();
} catch (NumberFormatException nfe) {
fail(request, response,
new BadCredentialsException(messages.getMessage("DigestProcessingFilter.nonceNotNumeric",
new Object[] {nonceAsPlainText},
"Nonce token should have yielded a numeric first token, but was {0}")));
new BadCredentialsException(messages.getMessage("DigestProcessingFilter.nonceNotNumeric",
new Object[]{nonceAsPlainText},
"Nonce token should have yielded a numeric first token, but was {0}")));
return;
}
@ -222,8 +223,8 @@ public class DigestProcessingFilter implements Filter, InitializingBean, Message
if (!expectedNonceSignature.equals(nonceTokens[1])) {
fail(request, response,
new BadCredentialsException(messages.getMessage("DigestProcessingFilter.nonceCompromised",
new Object[] {nonceAsPlainText}, "Nonce token compromised {0}")));
new BadCredentialsException(messages.getMessage("DigestProcessingFilter.nonceCompromised",
new Object[]{nonceAsPlainText}, "Nonce token compromised {0}")));
return;
}
@ -241,15 +242,15 @@ public class DigestProcessingFilter implements Filter, InitializingBean, Message
user = userDetailsService.loadUserByUsername(username);
} catch (UsernameNotFoundException notFound) {
fail(request, response,
new BadCredentialsException(messages.getMessage("DigestProcessingFilter.usernameNotFound",
new Object[] {username}, "Username {0} not found")));
new BadCredentialsException(messages.getMessage("DigestProcessingFilter.usernameNotFound",
new Object[]{username}, "Username {0} not found")));
return;
}
if (user == null) {
throw new AuthenticationServiceException(
"AuthenticationDao returned null, which is an interface contract violation");
"AuthenticationDao returned null, which is an interface contract violation");
}
userCache.putUserInCache(user);
@ -266,7 +267,7 @@ public class DigestProcessingFilter implements Filter, InitializingBean, Message
if (!serverDigestMd5.equals(responseDigest) && !loadedFromDao) {
if (logger.isDebugEnabled()) {
logger.debug(
"Digest comparison failure; trying to refresh user from DAO in case password had changed");
"Digest comparison failure; trying to refresh user from DAO in case password had changed");
}
try {
@ -274,8 +275,8 @@ public class DigestProcessingFilter implements Filter, InitializingBean, Message
} catch (UsernameNotFoundException notFound) {
// Would very rarely happen, as user existed earlier
fail(request, response,
new BadCredentialsException(messages.getMessage("DigestProcessingFilter.usernameNotFound",
new Object[] {username}, "Username {0} not found")));
new BadCredentialsException(messages.getMessage("DigestProcessingFilter.usernameNotFound",
new Object[]{username}, "Username {0} not found")));
}
userCache.putUserInCache(user);
@ -289,12 +290,12 @@ public class DigestProcessingFilter implements Filter, InitializingBean, Message
if (!serverDigestMd5.equals(responseDigest)) {
if (logger.isDebugEnabled()) {
logger.debug("Expected response: '" + serverDigestMd5 + "' but received: '" + responseDigest
+ "'; is AuthenticationDao returning clear text passwords?");
+ "'; is AuthenticationDao returning clear text passwords?");
}
fail(request, response,
new BadCredentialsException(messages.getMessage("DigestProcessingFilter.incorrectResponse",
"Incorrect response")));
new BadCredentialsException(messages.getMessage("DigestProcessingFilter.incorrectResponse",
"Incorrect response")));
return;
}
@ -305,15 +306,15 @@ public class DigestProcessingFilter implements Filter, InitializingBean, Message
// but the request was otherwise appearing to be valid
if (nonceExpiryTime < System.currentTimeMillis()) {
fail(request, response,
new NonceExpiredException(messages.getMessage("DigestProcessingFilter.nonceExpired",
"Nonce has expired/timed out")));
new NonceExpiredException(messages.getMessage("DigestProcessingFilter.nonceExpired",
"Nonce has expired/timed out")));
return;
}
if (logger.isDebugEnabled()) {
logger.debug("Authentication success for user: '" + username + "' with response: '" + responseDigest
+ "'");
+ "'");
}
UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(user,
@ -335,7 +336,7 @@ public class DigestProcessingFilter implements Filter, InitializingBean, Message
}
private void fail(ServletRequest request, ServletResponse response, AuthenticationException failed)
throws IOException, ServletException {
throws IOException, ServletException {
SecurityContextHolder.getContext().setAuthentication(null);
if (logger.isDebugEnabled()) {
@ -351,24 +352,22 @@ public class DigestProcessingFilter implements Filter, InitializingBean, Message
* coding of user agents.
*
* @param passwordAlreadyEncoded true if the password argument is already encoded in the correct format. False if
* it is plain text.
* @param username the user's login name.
* @param realm the name of the realm.
* @param password the user's password in plaintext or ready-encoded.
* @param httpMethod the HTTP request method (GET, POST etc.)
* @param uri the request URI.
* @param qop the qop directive, or null if not set.
* @param nonce the nonce supplied by the server
* @param nc the "nonce-count" as defined in RFC 2617.
* @param cnonce opaque string supplied by the client when qop is set.
*
* it is plain text.
* @param username the user's login name.
* @param realm the name of the realm.
* @param password the user's password in plaintext or ready-encoded.
* @param httpMethod the HTTP request method (GET, POST etc.)
* @param uri the request URI.
* @param qop the qop directive, or null if not set.
* @param nonce the nonce supplied by the server
* @param nc the "nonce-count" as defined in RFC 2617.
* @param cnonce opaque string supplied by the client when qop is set.
* @return the MD5 of the digest authentication response, encoded in hex
*
* @throws IllegalArgumentException if the supplied qop value is unsupported.
*/
public static String generateDigest(boolean passwordAlreadyEncoded, String username, String realm, String password,
String httpMethod, String uri, String qop, String nonce, String nc, String cnonce)
throws IllegalArgumentException {
String httpMethod, String uri, String qop, String nonce, String nc, String cnonce)
throws IllegalArgumentException {
String a1Md5 = null;
String a2 = httpMethod + ":" + uri;
String a2Md5 = new String(DigestUtils.md5Hex(a2));
@ -408,7 +407,8 @@ public class DigestProcessingFilter implements Filter, InitializingBean, Message
return userDetailsService;
}
public void init(FilterConfig ignored) throws ServletException {}
public void init(FilterConfig ignored) throws ServletException {
}
public void setAuthenticationDetailsSource(AuthenticationDetailsSource authenticationDetailsSource) {
Assert.notNull(authenticationDetailsSource, "AuthenticationDetailsSource required");

72
core/src/main/java/org/acegisecurity/util/StringSplitUtils.java
View File

@ -20,6 +20,8 @@ import org.springframework.util.StringUtils;
import java.util.HashMap;
import java.util.Map;
import java.util.ArrayList;
import java.util.List;
/**
@ -29,6 +31,9 @@ import java.util.Map;
* @version $Id$
*/
public final class StringSplitUtils {
//~ Static fields/initializers =====================================================================================
private static final String[] EMPTY_STRING_ARRAY = new String[0];
//~ Constructors ===================================================================================================
private StringSplitUtils() {
@ -40,12 +45,10 @@ public final class StringSplitUtils {
* Splits a <code>String</code> at the first instance of the delimiter.<p>Does not include the delimiter in
* the response.</p>
*
* @param toSplit the string to split
* @param toSplit the string to split
* @param delimiter to split the string up with
*
* @return a two element array with index 0 being before the delimiter, and index 1 being after the delimiter
* (neither element includes the delimiter)
*
* @throws IllegalArgumentException if an argument was invalid
*/
public static String[] split(String toSplit, String delimiter) {
@ -65,7 +68,7 @@ public final class StringSplitUtils {
String beforeDelimiter = toSplit.substring(0, offset);
String afterDelimiter = toSplit.substring(offset + 1);
return new String[] {beforeDelimiter, afterDelimiter};
return new String[]{beforeDelimiter, afterDelimiter};
}
/**
@ -74,11 +77,10 @@ public final class StringSplitUtils {
* then generated, with the left of the delimiter providing the key, and the right of the delimiter providing the
* value.<p>Will trim both the key and value before adding to the <code>Map</code>.</p>
*
* @param array the array to process
* @param delimiter to split each element using (typically the equals symbol)
* @param array the array to process
* @param delimiter to split each element using (typically the equals symbol)
* @param removeCharacters one or more characters to remove from each element prior to attempting the split
* operation (typically the quotation mark symbol) or <code>null</code> if no removal should occur
*
* operation (typically the quotation mark symbol) or <code>null</code> if no removal should occur
* @return a <code>Map</code> representing the array contents, or <code>null</code> if the array to process was
* null or empty
*/
@ -135,4 +137,58 @@ public final class StringSplitUtils {
return str.substring(pos + separator.length());
}
/**
* Splits a given string on the given separator character, skips the contents of quoted substrings
* when looking for separators.
* Introduced for use in DigestProcessingFilter (see SEC-506).
* <p/>
* This was copied and modified from commons-lang StringUtils
*/
public static String[] splitIgnoringQuotes(String str, char separatorChar) {
if (str == null) {
return null;
}
int len = str.length();
if (len == 0) {
return EMPTY_STRING_ARRAY;
}
List list = new ArrayList();
int i = 0;
int start = 0;
boolean match = false;
while (i < len) {
if (str.charAt(i) == '"') {
i++;
while (i < len) {
if (str.charAt(i) == '"') {
i++;
break;
}
i++;
}
match = true;
continue;
}
if (str.charAt(i) == separatorChar) {
if (match) {
list.add(str.substring(start, i));
match = false;
}
start = ++i;
continue;
}
match = true;
i++;
}
if (match) {
list.add(str.substring(start, i));
}
return (String[]) list.toArray(new String[list.size()]);
}
}

87
core/src/test/java/org/acegisecurity/ui/digestauth/DigestProcessingFilterTests.java
View File

@ -62,25 +62,28 @@ public class DigestProcessingFilterTests extends MockObjectTestCase {
private static final String NC = "00000002";
private static final String CNONCE = "c822c727a648aba7";
private static final String REALM = "The Correct Realm Name";
private static final String REALM = "The Actual, Correct Realm Name";
private static final String KEY = "acegi";
private static final String QOP = "auth";
private static final String USERNAME = "marissa";
private static final String USERNAME = "marissa,ok";
private static final String PASSWORD = "koala";
private static final String REQUEST_URI = "/some_file.html";
/** A standard valid nonce with a validity period of 60 seconds */
/**
* A standard valid nonce with a validity period of 60 seconds
*/
private static final String NONCE = generateNonce(60);
//~ Instance fields ================================================================================================
// private ApplicationContext ctx;
// private ApplicationContext ctx;
private DigestProcessingFilter filter;
private MockHttpServletRequest request;
//~ Constructors ===================================================================================================
public DigestProcessingFilterTests() {}
public DigestProcessingFilterTests() {
}
public DigestProcessingFilterTests(String arg0) {
super(arg0);
@ -89,13 +92,13 @@ public class DigestProcessingFilterTests extends MockObjectTestCase {
//~ Methods ========================================================================================================
private String createAuthorizationHeader(String username, String realm, String nonce, String uri,
String responseDigest, String qop, String nc, String cnonce) {
String responseDigest, String qop, String nc, String cnonce) {
return "Digest username=\"" + username + "\", realm=\"" + realm + "\", nonce=\"" + nonce + "\", uri=\"" + uri
+ "\", response=\"" + responseDigest + "\", qop=" + qop + ", nc=" + nc + ", cnonce=\"" + cnonce + "\"";
+ "\", response=\"" + responseDigest + "\", qop=" + qop + ", nc=" + nc + ", cnonce=\"" + cnonce + "\"";
}
private MockHttpServletResponse executeFilterInContainerSimulator(Filter filter, ServletRequest request,
boolean expectChainToProceed) throws ServletException, IOException {
boolean expectChainToProceed) throws ServletException, IOException {
filter.init(new MockFilterConfig());
MockHttpServletResponse response = new MockHttpServletResponse();
@ -118,10 +121,6 @@ public class DigestProcessingFilterTests extends MockObjectTestCase {
return new String(Base64.encodeBase64(nonceValue.getBytes()));
}
public static void main(String[] args) {
junit.textui.TestRunner.run(DigestProcessingFilterTests.class);
}
protected void setUp() throws Exception {
super.setUp();
SecurityContextHolder.clearContext();
@ -129,7 +128,7 @@ public class DigestProcessingFilterTests extends MockObjectTestCase {
// Create User Details Service
InMemoryDaoImpl dao = new InMemoryDaoImpl();
UserMapEditor editor = new UserMapEditor();
editor.setAsText("marissa=koala,ROLE_ONE,ROLE_TWO,enabled\r\n");
editor.setAsText("marissa,ok=koala,ROLE_ONE,ROLE_TWO,enabled\r\n");
dao.setUserMap((UserMap) editor.getValue());
DigestProcessingFilterEntryPoint ep = new DigestProcessingFilterEntryPoint();
@ -150,7 +149,7 @@ public class DigestProcessingFilterTests extends MockObjectTestCase {
}
public void testDoFilterWithNonHttpServletRequestDetected()
throws Exception {
throws Exception {
DigestProcessingFilter filter = new DigestProcessingFilter();
try {
@ -162,7 +161,7 @@ public class DigestProcessingFilterTests extends MockObjectTestCase {
}
public void testDoFilterWithNonHttpServletResponseDetected()
throws Exception {
throws Exception {
DigestProcessingFilter filter = new DigestProcessingFilter();
try {
@ -174,13 +173,13 @@ public class DigestProcessingFilterTests extends MockObjectTestCase {
}
public void testExpiredNonceReturnsForbiddenWithStaleHeader()
throws Exception {
throws Exception {
String nonce = generateNonce(0);
String responseDigest = DigestProcessingFilter.generateDigest(false, USERNAME, REALM, PASSWORD, "GET",
REQUEST_URI, QOP, nonce, NC, CNONCE);
request.addHeader("Authorization",
createAuthorizationHeader(USERNAME, REALM, nonce, REQUEST_URI, responseDigest, QOP, NC, CNONCE));
createAuthorizationHeader(USERNAME, REALM, nonce, REQUEST_URI, responseDigest, QOP, NC, CNONCE));
Thread.sleep(1000); // ensures token expired
@ -196,7 +195,7 @@ public class DigestProcessingFilterTests extends MockObjectTestCase {
}
public void testFilterIgnoresRequestsContainingNoAuthorizationHeader()
throws Exception {
throws Exception {
executeFilterInContainerSimulator(filter, request, true);
assertNull(SecurityContextHolder.getContext().getAuthentication());
@ -217,7 +216,7 @@ public class DigestProcessingFilterTests extends MockObjectTestCase {
}
public void testInvalidDigestAuthorizationTokenGeneratesError()
throws Exception {
throws Exception {
String token = "NOT_A_VALID_TOKEN_AS_MISSING_COLON";
request.addHeader("Authorization", "Digest " + new String(Base64.encodeBase64(token.getBytes())));
@ -238,14 +237,14 @@ public class DigestProcessingFilterTests extends MockObjectTestCase {
}
public void testNonBase64EncodedNonceReturnsForbidden()
throws Exception {
throws Exception {
String nonce = "NOT_BASE_64_ENCODED";
String responseDigest = DigestProcessingFilter.generateDigest(false, USERNAME, REALM, PASSWORD, "GET",
REQUEST_URI, QOP, nonce, NC, CNONCE);
request.addHeader("Authorization",
createAuthorizationHeader(USERNAME, REALM, nonce, REQUEST_URI, responseDigest, QOP, NC, CNONCE));
createAuthorizationHeader(USERNAME, REALM, nonce, REQUEST_URI, responseDigest, QOP, NC, CNONCE));
MockHttpServletResponse response = executeFilterInContainerSimulator(filter, request, false);
@ -254,13 +253,13 @@ public class DigestProcessingFilterTests extends MockObjectTestCase {
}
public void testNonceWithIncorrectSignatureForNumericFieldReturnsForbidden()
throws Exception {
throws Exception {
String nonce = new String(Base64.encodeBase64("123456:incorrectStringPassword".getBytes()));
String responseDigest = DigestProcessingFilter.generateDigest(false, USERNAME, REALM, PASSWORD, "GET",
REQUEST_URI, QOP, nonce, NC, CNONCE);
request.addHeader("Authorization",
createAuthorizationHeader(USERNAME, REALM, nonce, REQUEST_URI, responseDigest, QOP, NC, CNONCE));
createAuthorizationHeader(USERNAME, REALM, nonce, REQUEST_URI, responseDigest, QOP, NC, CNONCE));
MockHttpServletResponse response = executeFilterInContainerSimulator(filter, request, false);
@ -269,13 +268,13 @@ public class DigestProcessingFilterTests extends MockObjectTestCase {
}
public void testNonceWithNonNumericFirstElementReturnsForbidden()
throws Exception {
throws Exception {
String nonce = new String(Base64.encodeBase64("hello:ignoredSecondElement".getBytes()));
String responseDigest = DigestProcessingFilter.generateDigest(false, USERNAME, REALM, PASSWORD, "GET",
REQUEST_URI, QOP, nonce, NC, CNONCE);
request.addHeader("Authorization",
createAuthorizationHeader(USERNAME, REALM, nonce, REQUEST_URI, responseDigest, QOP, NC, CNONCE));
createAuthorizationHeader(USERNAME, REALM, nonce, REQUEST_URI, responseDigest, QOP, NC, CNONCE));
MockHttpServletResponse response = executeFilterInContainerSimulator(filter, request, false);
@ -284,13 +283,13 @@ public class DigestProcessingFilterTests extends MockObjectTestCase {
}
public void testNonceWithoutTwoColonSeparatedElementsReturnsForbidden()
throws Exception {
throws Exception {
String nonce = new String(Base64.encodeBase64("a base 64 string without a colon".getBytes()));
String responseDigest = DigestProcessingFilter.generateDigest(false, USERNAME, REALM, PASSWORD, "GET",
REQUEST_URI, QOP, nonce, NC, CNONCE);
request.addHeader("Authorization",
createAuthorizationHeader(USERNAME, REALM, nonce, REQUEST_URI, responseDigest, QOP, NC, CNONCE));
createAuthorizationHeader(USERNAME, REALM, nonce, REQUEST_URI, responseDigest, QOP, NC, CNONCE));
MockHttpServletResponse response = executeFilterInContainerSimulator(filter, request, false);
@ -299,38 +298,38 @@ public class DigestProcessingFilterTests extends MockObjectTestCase {
}
public void testNormalOperationWhenPasswordIsAlreadyEncoded()
throws Exception {
throws Exception {
String encodedPassword = DigestProcessingFilter.encodePasswordInA1Format(USERNAME, REALM, PASSWORD);
String responseDigest = DigestProcessingFilter.generateDigest(true, USERNAME, REALM, encodedPassword, "GET",
REQUEST_URI, QOP, NONCE, NC, CNONCE);
request.addHeader("Authorization",
createAuthorizationHeader(USERNAME, REALM, NONCE, REQUEST_URI, responseDigest, QOP, NC, CNONCE));
createAuthorizationHeader(USERNAME, REALM, NONCE, REQUEST_URI, responseDigest, QOP, NC, CNONCE));
executeFilterInContainerSimulator(filter, request, true);
assertNotNull(SecurityContextHolder.getContext().getAuthentication());
assertEquals(USERNAME,
((UserDetails) SecurityContextHolder.getContext().getAuthentication().getPrincipal()).getUsername());
((UserDetails) SecurityContextHolder.getContext().getAuthentication().getPrincipal()).getUsername());
}
public void testNormalOperationWhenPasswordNotAlreadyEncoded()
throws Exception {
throws Exception {
String responseDigest = DigestProcessingFilter.generateDigest(false, USERNAME, REALM, PASSWORD, "GET",
REQUEST_URI, QOP, NONCE, NC, CNONCE);
request.addHeader("Authorization",
createAuthorizationHeader(USERNAME, REALM, NONCE, REQUEST_URI, responseDigest, QOP, NC, CNONCE));
createAuthorizationHeader(USERNAME, REALM, NONCE, REQUEST_URI, responseDigest, QOP, NC, CNONCE));
executeFilterInContainerSimulator(filter, request, true);
assertNotNull(SecurityContextHolder.getContext().getAuthentication());
assertEquals(USERNAME,
((UserDetails) SecurityContextHolder.getContext().getAuthentication().getPrincipal()).getUsername());
((UserDetails) SecurityContextHolder.getContext().getAuthentication().getPrincipal()).getUsername());
}
public void testOtherAuthorizationSchemeIsIgnored()
throws Exception {
throws Exception {
request.addHeader("Authorization", "SOME_OTHER_AUTHENTICATION_SCHEME");
executeFilterInContainerSimulator(filter, request, true);
@ -339,7 +338,7 @@ public class DigestProcessingFilterTests extends MockObjectTestCase {
}
public void testStartupDetectsMissingAuthenticationEntryPoint()
throws Exception {
throws Exception {
try {
DigestProcessingFilter filter = new DigestProcessingFilter();
filter.setUserDetailsService(new InMemoryDaoImpl());
@ -351,7 +350,7 @@ public class DigestProcessingFilterTests extends MockObjectTestCase {
}
public void testStartupDetectsMissingUserDetailsService()
throws Exception {
throws Exception {
try {
DigestProcessingFilter filter = new DigestProcessingFilter();
filter.setAuthenticationEntryPoint(new DigestProcessingFilterEntryPoint());
@ -363,12 +362,12 @@ public class DigestProcessingFilterTests extends MockObjectTestCase {
}
public void testSuccessLoginThenFailureLoginResultsInSessionLosingToken()
throws Exception {
throws Exception {
String responseDigest = DigestProcessingFilter.generateDigest(false, USERNAME, REALM, PASSWORD, "GET",
REQUEST_URI, QOP, NONCE, NC, CNONCE);
request.addHeader("Authorization",
createAuthorizationHeader(USERNAME, REALM, NONCE, REQUEST_URI, responseDigest, QOP, NC, CNONCE));
createAuthorizationHeader(USERNAME, REALM, NONCE, REQUEST_URI, responseDigest, QOP, NC, CNONCE));
executeFilterInContainerSimulator(filter, request, true);
@ -380,7 +379,7 @@ public class DigestProcessingFilterTests extends MockObjectTestCase {
request = new MockHttpServletRequest();
request.addHeader("Authorization",
createAuthorizationHeader(USERNAME, REALM, NONCE, REQUEST_URI, responseDigest, QOP, NC, CNONCE));
createAuthorizationHeader(USERNAME, REALM, NONCE, REQUEST_URI, responseDigest, QOP, NC, CNONCE));
MockHttpServletResponse response = executeFilterInContainerSimulator(filter, request, false);
@ -390,14 +389,14 @@ public class DigestProcessingFilterTests extends MockObjectTestCase {
}
public void testWrongCnonceBasedOnDigestReturnsForbidden()
throws Exception {
throws Exception {
String cnonce = "NOT_SAME_AS_USED_FOR_DIGEST_COMPUTATION";
String responseDigest = DigestProcessingFilter.generateDigest(false, USERNAME, REALM, PASSWORD, "GET",
REQUEST_URI, QOP, NONCE, NC, "DIFFERENT_CNONCE");
request.addHeader("Authorization",
createAuthorizationHeader(USERNAME, REALM, NONCE, REQUEST_URI, responseDigest, QOP, NC, cnonce));
createAuthorizationHeader(USERNAME, REALM, NONCE, REQUEST_URI, responseDigest, QOP, NC, cnonce));
MockHttpServletResponse response = executeFilterInContainerSimulator(filter, request, false);
@ -411,7 +410,7 @@ public class DigestProcessingFilterTests extends MockObjectTestCase {
REQUEST_URI, QOP, NONCE, NC, CNONCE);
request.addHeader("Authorization",
createAuthorizationHeader(USERNAME, REALM, NONCE, REQUEST_URI, responseDigest, QOP, NC, CNONCE));
createAuthorizationHeader(USERNAME, REALM, NONCE, REQUEST_URI, responseDigest, QOP, NC, CNONCE));
MockHttpServletResponse response = executeFilterInContainerSimulator(filter, request, false);
@ -425,7 +424,7 @@ public class DigestProcessingFilterTests extends MockObjectTestCase {
REQUEST_URI, QOP, NONCE, NC, CNONCE);
request.addHeader("Authorization",
createAuthorizationHeader(USERNAME, realm, NONCE, REQUEST_URI, responseDigest, QOP, NC, CNONCE));
createAuthorizationHeader(USERNAME, realm, NONCE, REQUEST_URI, responseDigest, QOP, NC, CNONCE));
MockHttpServletResponse response = executeFilterInContainerSimulator(filter, request, false);
@ -438,7 +437,7 @@ public class DigestProcessingFilterTests extends MockObjectTestCase {
"GET", REQUEST_URI, QOP, NONCE, NC, CNONCE);
request.addHeader("Authorization",
createAuthorizationHeader(USERNAME, REALM, NONCE, REQUEST_URI, responseDigest, QOP, NC, CNONCE));
createAuthorizationHeader(USERNAME, REALM, NONCE, REQUEST_URI, responseDigest, QOP, NC, CNONCE));
MockHttpServletResponse response = executeFilterInContainerSimulator(filter, request, false);

18
core/src/test/java/org/acegisecurity/util/StringSplitUtilsTests.java
View File

@ -32,6 +32,7 @@ public class StringSplitUtilsTests extends TestCase {
//~ Constructors ===================================================================================================
// ===========================================================
public StringSplitUtilsTests() {
super();
}
@ -43,6 +44,7 @@ public class StringSplitUtilsTests extends TestCase {
//~ Methods ========================================================================================================
// ================================================================
public static void main(String[] args) {
junit.textui.TestRunner.run(StringSplitUtilsTests.class);
}
@ -57,7 +59,7 @@ public class StringSplitUtilsTests extends TestCase {
assertEquals("Contacts Realm", headerMap.get("realm"));
assertEquals("MTEwOTAyMzU1MTQ4NDo1YzY3OWViYWM5NDNmZWUwM2UwY2NmMDBiNDQzMTQ0OQ==", headerMap.get("nonce"));
assertEquals("/acegi-security-sample-contacts-filter/secure/adminPermission.htm?contactId=4",
headerMap.get("uri"));
headerMap.get("uri"));
assertEquals("38644211cf9ac3da63ab639807e2baff", headerMap.get("response"));
assertEquals("auth", headerMap.get("qop"));
assertEquals("00000004", headerMap.get("nc"));
@ -74,7 +76,7 @@ public class StringSplitUtilsTests extends TestCase {
assertEquals("\"Contacts Realm\"", headerMap.get("realm"));
assertEquals("\"MTEwOTAyMzU1MTQ4NDo1YzY3OWViYWM5NDNmZWUwM2UwY2NmMDBiNDQzMTQ0OQ==\"", headerMap.get("nonce"));
assertEquals("\"/acegi-security-sample-contacts-filter/secure/adminPermission.htm?contactId=4\"",
headerMap.get("uri"));
headerMap.get("uri"));
assertEquals("\"38644211cf9ac3da63ab639807e2baff\"", headerMap.get("response"));
assertEquals("auth", headerMap.get("qop"));
assertEquals("00000004", headerMap.get("nc"));
@ -84,7 +86,7 @@ public class StringSplitUtilsTests extends TestCase {
public void testSplitEachArrayElementAndCreateMapReturnsNullIfArrayEmptyOrNull() {
assertNull(StringSplitUtils.splitEachArrayElementAndCreateMap(null, "=", "\""));
assertNull(StringSplitUtils.splitEachArrayElementAndCreateMap(new String[] {}, "=", "\""));
assertNull(StringSplitUtils.splitEachArrayElementAndCreateMap(new String[]{}, "=", "\""));
}
public void testSplitNormalOperation() {
@ -137,4 +139,14 @@ public class StringSplitUtilsTests extends TestCase {
// only guarantees to split at FIRST delimiter, not EACH delimiter
assertEquals(2, StringSplitUtils.split("18|marissa|foo|bar", "|").length);
}
public void testAuthorizationHeaderWithCommasIsSplitCorrectly() {
String header = "Digest username=\"hamilton,bob\", realm=\"bobs,ok,realm\", nonce=\"the,nonce\", " +
"uri=\"the,Uri\", response=\"the,response,Digest\", qop=theqop, nc=thenc, cnonce=\"the,cnonce\"";
String[] parts = StringSplitUtils.splitIgnoringQuotes(header, ',');
assertEquals(8, parts.length);
}
}