14 package com.acme;
15
import java.io.File;
import java.io.IOException;
import java.io.PrintStream;
import java.net.URL;
import java.net.URLClassLoader;
import java.util.Calendar;
import java.util.GregorianCalendar;
import java.util.Locale;

import javax.servlet.ServletConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletOutputStream;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.eclipse.jetty.util.log.Log;
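/**
 * Diagnostic servlet that probes which operations the JVM security policy allows this web
 * application to perform, and renders the outcome as an HTML page.
 *
 * <p>Each probe attempts one operation (reading or writing a system property, touching a file,
 * logging, creating a class loader). "SUCCESS" means the attempt raised no
 * {@link SecurityException}; "FAILURE" means it was denied. The "expected" / "unexpected" suffix
 * states whether that outcome matches the policy the test was written for.
 *
 * <p>Points to keep in mind when deploying or reading the results:
 * <ul>
 * <li>The probes can only be denied when a {@link SecurityManager} is installed; without one
 * every probe is permitted and the page says nothing about the policy.</li>
 * <li>Stack traces are written into the HTTP response, so the page discloses class names and
 * file paths to anyone who can reach it. Keep the servlet out of production deployments.</li>
 * <li>Both GET and POST run the probes, and the property-write probes call
 * {@link System#setProperty(String, String)}; under a permissive policy every request therefore
 * changes JVM-wide system properties.</li>
 * <li>File probes are resolved against the {@code user.dir} system property although the page
 * labels them {@code $jetty.home}.
 * NOTE(review): presumably the server is started from its home directory - confirm.</li>
 * </ul>
 */
public class SecureModeServlet extends HttpServlet
{

    @Override
    public void init(ServletConfig config) throws ServletException
    {
        super.init(config);
    }

    /**
     * Handles POST exactly like GET.
     */
    @Override
    public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException
    {
        doGet(request, response);
    }

    /**
     * Runs all probes and writes the report page.
     *
     * <p>Nothing is read from the request; the output depends only on the security policy and
     * the JVM state.
     *
     * @param request the incoming request (unused)
     * @param response the response the HTML report is written to
     * @throws IOException if writing to the response fails
     */
    @Override
    public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException
    {
        response.setContentType("text/html");
        ServletOutputStream out = response.getOutputStream();
        out.println("<html>");
        out.println(" <title>Secure Jetty Test Webapp</title>");

        // Without a security manager no probe below can raise SecurityException, so every line
        // would read "SUCCESS"; say so up front instead of leaving the reader to guess.
        if (System.getSecurityManager() == null)
        {
            out.println(" <p><b>WARNING: no SecurityManager installed - every probe below will be permitted</b></p>");
        }

        try
        {
            runPropertyChecks(out);

            runFileSystemChecks(out);

            runLoggingChecks(out);

            runClassloaderChecks(out);
        }
        catch (Exception e)
        {
            // Anything other than a handled SecurityException aborts the remaining probes.
            // The trace goes into the page on purpose (diagnostic servlet); the wrapper is not
            // closed because that would close the response stream.
            e.printStackTrace(new PrintStream(out));
        }
        out.println("</html>");
        out.flush();

        try
        {
            // NOTE(review): the reason for this pause is not evident from this file.
            Thread.sleep(200);
        }
        catch (InterruptedException e)
        {
            getServletContext().log("exception",e);
            // Keep the interrupt visible to the container thread that is running this request.
            Thread.currentThread().interrupt();
        }
    }

    /**
     * Probes whether the web application may create a class loader.
     *
     * @param out the response stream the result is written to
     * @throws Exception if writing fails or the probe URL cannot be built
     */
    private void runClassloaderChecks(ServletOutputStream out) throws Exception
    {
        out.println(" <h1>Checking Classloader Setup</h1>");
        out.println(" <p>");

        try
        {
            out.println("check ability to create classloader<br/>");
            URL url = new URL("http://not.going.to.work");
            // Only the construction matters; the loader is never used to load anything.
            new URLClassLoader(new URL[] { url });
            out.println("status: <b>SUCCESS - unexpected</b><br/>");
        }
        catch (SecurityException e)
        {
            out.println("status: <b>FAILURE - expected</b><br/>");
        }

        out.println(" </p><br/><br/>");
    }

    /**
     * Probes whether the web application may log through Jetty's logger (expected to work) and
     * whether it may touch today's request log file directly (expected to be denied).
     *
     * @param out the response stream the result is written to
     * @throws Exception if writing to the response fails
     */
    private void runLoggingChecks(ServletOutputStream out) throws Exception
    {
        out.println(" <h1>Checking Logging</h1>");
        out.println(" <p>");

        String userDir = System.getProperty("user.dir");
        try
        {
            out.println("check ability to log<br/>");
            Log.info("testing logging");
            out.println("status: <b>SUCCESS - expected</b><br/>");
        }
        catch (SecurityException e)
        {
            printUnexpectedFailure(out,e);
        }

        // Calendar.MONTH is zero-based, so add one; month and day are zero-padded.
        // NOTE(review): assumes the request log follows Jetty's yyyy_mm_dd.request.log naming and
        // rolls over in the JVM default time zone - confirm against the RequestLog configuration.
        Calendar c = new GregorianCalendar();
        String logFile = String.format(Locale.ROOT,"%04d_%02d_%02d.request.log",
                c.get(Calendar.YEAR),c.get(Calendar.MONTH) + 1,c.get(Calendar.DAY_OF_MONTH));

        expectDenied(out,"check ability to access log file directly",
                new File(userDir + File.separator + "logs" + File.separator + logFile),false);

        out.println(" </p><br/><br/>");
    }

    /**
     * Probes read and write access to the policy file and to the server's top-level, lib and
     * logs directories. Only reading the policy file is expected to be permitted.
     *
     * @param out the response stream the result is written to
     * @throws Exception if writing to the response fails
     */
    private void runFileSystemChecks(ServletOutputStream out) throws Exception
    {
        out.println(" <h1>Checking File System</h1>");

        out.println(" <p>");

        String userDir = System.getProperty("user.dir");
        String sep = File.separator;
        String policyPath = userDir + sep + "lib" + sep + "policy" + sep + "jetty.policy";

        try
        {
            out.println("check read for $jetty.home/lib/policy/jetty.policy<br/>");

            // The boolean result is ignored: the probe is about whether the security manager
            // rejects the access, not about whether the file exists or is readable.
            new File(policyPath).canRead();
            out.println("status: <b>SUCCESS - expected</b><br/>");
        }
        catch (SecurityException e)
        {
            printUnexpectedFailure(out,e);
        }

        expectDenied(out,"check write permission for $jetty.home/lib/policy/jetty.policy",new File(policyPath),true);

        expectDenied(out,"check read permission for $jetty.home/lib",new File(userDir + sep + "lib"),false);
        expectDenied(out,"check write permission for $jetty.home/lib",new File(userDir + sep + "lib"),true);

        expectDenied(out,"check read permission for $jetty.home",new File(userDir + sep),false);
        expectDenied(out,"check write permission for $jetty.home",new File(userDir + sep),true);

        expectDenied(out,"check read permission for $jetty.home/logs",new File(userDir + sep + "logs" + sep),false);
        // This probe calls canWrite(), so it is labelled as the write check it is.
        expectDenied(out,"check write permission for $jetty.home/logs",new File(userDir + sep + "logs"),true);

        out.println(" </p><br/><br/>");
    }

    /**
     * Probes read and write access to three system properties: one the policy should expose
     * read-only, one it should expose read/write, and one it should not expose at all.
     *
     * <p>The write probes really call {@link System#setProperty(String, String)}; where the
     * policy permits the write, the property keeps the probe value for the rest of the JVM's
     * life.
     *
     * @param out the response stream the result is written to
     * @throws IOException if writing to the response fails
     */
    private void runPropertyChecks(ServletOutputStream out) throws IOException
    {

        out.println(" <h1>Checking Properties</h1>");

        out.println(" <h3>Declared Property - read</h3>");
        out.println(" <p>");
        try
        {
            out.println("check read permission for __ALLOWED_READ_PROPERTY <br/>");
            System.getProperty("__ALLOWED_READ_PROPERTY");
            out.println("status: <b>SUCCESS - expected</b><br/>");
        }
        catch (SecurityException e)
        {
            printUnexpectedFailure(out,e);
        }
        try
        {
            out.println("check write permission for __ALLOWED_READ_PROPERTY<br/>");
            // The value written is the verdict that gets printed if the write goes through.
            System.setProperty("__ALLOWED_READ_PROPERTY","SUCCESS - unexpected");
            String value = System.getProperty("__ALLOWED_READ_PROPERTY");
            out.println("status: <b>" + value + "</b><br/>");
        }
        catch (SecurityException e)
        {
            out.println("status: <b>FAILURE - expected</b><br/>");
        }

        out.println(" </p><br/><br/>");

        out.println(" <h3>Declared Property - read/write</h3>");
        out.println(" <p>");
        try
        {
            out.println("check read permission for __ALLOWED_WRITE_PROPERTY<br/>");
            System.getProperty("__ALLOWED_WRITE_PROPERTY");
            out.println("Status: <b>SUCCESS - expected</b><br/>");
        }
        catch (SecurityException e)
        {
            printUnexpectedFailure(out,e);
        }
        try
        {
            out.println("check write permission for __ALLOWED_WRITE_PROPERTY<br/>");
            System.setProperty("__ALLOWED_WRITE_PROPERTY","SUCCESS - expected");
            String value = System.getProperty("__ALLOWED_WRITE_PROPERTY");
            out.println("status: <b>" + value + "</b><br/>");
        }
        catch (SecurityException e)
        {
            printUnexpectedFailure(out,e);
        }

        out.println(" </p><br/><br/>");

        out.println(" <h3>checking forbidden properties</h3>");
        out.println(" <p>");
        try
        {
            out.println("check read permission for __UNDECLARED_PROPERTY: <br/>");
            System.getProperty("__UNDECLARED_PROPERTY");
            // Reading a property the policy does not declare is the outcome this section is
            // meant to catch, so a successful read is reported as unexpected.
            out.println("status: <b>SUCCESS - unexpected</b><br/>");
        }
        catch (SecurityException e)
        {
            out.println("status: <b>FAILURE - expected</b><br/>");
        }
        try
        {
            out.println("check write permission for __UNDECLARED_PROPERTY: <br/>");
            System.setProperty("__UNDECLARED_PROPERTY","SUCCESS - unexpected");
            String value = System.getProperty("__UNDECLARED_PROPERTY");
            out.println("status: <b>" + value + "</b><br/>");
        }
        catch (SecurityException e)
        {
            out.println("status: <b>FAILURE - expected</b><br/>");
        }

        out.println(" </p><br/><br/>");
    }

    /**
     * Runs one file probe that the policy is expected to deny and prints the verdict.
     *
     * @param out the response stream the result is written to
     * @param description the line describing the probe, without the trailing line break
     * @param target the file or directory to probe
     * @param write {@code true} to probe write access, {@code false} to probe read access
     * @throws IOException if writing to the response fails
     */
    private void expectDenied(ServletOutputStream out, String description, File target, boolean write) throws IOException
    {
        out.println(description + "<br/>");
        try
        {
            // Return values are ignored: only a SecurityException counts as a denial.
            if (write)
            {
                target.canWrite();
            }
            else
            {
                target.canRead();
            }
            out.println("status: <b>SUCCESS - unexpected</b><br/>");
        }
        catch (SecurityException e)
        {
            out.println("status: <b>FAILURE - expected</b><br/>");
        }
    }

    /**
     * Reports a denial that the policy was expected to allow, including the stack trace.
     *
     * @param out the response stream the result is written to
     * @param e the denial raised by the probe
     * @throws IOException if writing to the response fails
     */
    private void printUnexpectedFailure(ServletOutputStream out, SecurityException e) throws IOException
    {
        out.println("status: <b>FAILURE - unexpected</b><br/>");
        out.println("<table><tr><td>");
        // Written unescaped into the page; the wrapper stays open so the response stream does too.
        e.printStackTrace(new PrintStream(out));
        out.println("</td></tr></table>");
    }

}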