19 package com.acme;
20
21 import java.io.File;
22 import java.io.IOException;
23 import java.io.PrintStream;
24 import java.net.URL;
25 import java.net.URLClassLoader;
26 import java.util.Calendar;
27 import java.util.GregorianCalendar;
28
29 import javax.servlet.ServletConfig;
30 import javax.servlet.ServletException;
31 import javax.servlet.ServletOutputStream;
32 import javax.servlet.http.HttpServlet;
33 import javax.servlet.http.HttpServletRequest;
34 import javax.servlet.http.HttpServletResponse;
35
36 import org.eclipse.jetty.util.log.Log;
37 import org.eclipse.jetty.util.log.Logger;
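/**
 * Diagnostic servlet that probes what the JVM security policy lets this webapp do.
 *
 * <p>Each request renders an HTML report with one section per probe family:
 * system properties (read/write of declared and undeclared names), file system
 * access under the working directory, logging, and class-loader creation. Every
 * probe runs the guarded operation, catches {@link SecurityException}, and prints
 * whether the outcome matched what the policy is expected to allow.
 *
 * <p>Side effects a deployer should know about: the property probes call
 * {@link System#setProperty} and so mutate JVM-wide state on every request, and
 * a denied-but-expected-allowed probe writes the full stack trace into the HTTP
 * response (intended here, as this is a test webapp, but not something to leave
 * reachable on a production listener).
 *
 * <p>NOTE(review): the report labels paths as {@code $jetty.home} while the code
 * resolves them against the {@code user.dir} system property; the two are assumed
 * to coincide in the deployment this servlet was written for — confirm.
 */
@SuppressWarnings("serial")
public class SecureModeServlet extends HttpServlet
{
    private static final Logger LOG = Log.getLogger(SecureModeServlet.class);

    @Override
    public void init(ServletConfig config) throws ServletException
    {
        super.init(config);
    }

    /** POST is treated exactly like GET; the report is the same either way. */
    @Override
    public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException
    {
        doGet(request, response);
    }

    /**
     * Renders the full permission report.
     *
     * <p>Any exception escaping the probe families (for example a
     * {@code SecurityException} raised while reading {@code user.dir}, which the
     * probes read outside their own guards) is rendered into the page rather than
     * failing the request, so the report is still readable when the policy is
     * stricter than expected.
     *
     * @throws IOException if the response stream cannot be written
     */
    @Override
    public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException
    {
        response.setContentType("text/html");
        ServletOutputStream out = response.getOutputStream();
        out.println("<html>");
        out.println(" <title>Secure Jetty Test Webapp</title>");

        try
        {
            runPropertyChecks(out);
            runFileSystemChecks(out);
            runLoggingChecks(out);
            runClassloaderChecks(out);
        }
        catch (Exception e)
        {
            // Deliberate: this is a diagnostic page, so the trace is the output.
            e.printStackTrace(new PrintStream(out));
        }
        out.println("</html>");
        out.flush();

        // NOTE(review): presumably gives the flushed response time to drain before
        // the request completes — the original carried no explanation; confirm.
        try
        {
            Thread.sleep(200);
        }
        catch (InterruptedException e)
        {
            getServletContext().log("exception", e);
            // Restore the flag so the container can still observe the interrupt.
            Thread.currentThread().interrupt();
        }
    }

    /**
     * Probes whether the policy permits creating a {@link URLClassLoader}.
     * The policy is expected to refuse this, so a successful creation is
     * reported as unexpected.
     */
    private void runClassloaderChecks(ServletOutputStream out) throws IOException
    {
        out.println(" <h1>Checking Classloader Setup</h1>");
        out.println(" <p>");

        out.println("check ability to create classloader<br/>");
        try
        {
            // The URL is never fetched; only the createClassLoader permission
            // check performed by the constructor matters here.
            URL url = new URL("http://not.going.to.work");
            new URLClassLoader(new URL[] { url });
            reportAllowed(out, false);
        }
        catch (SecurityException e)
        {
            reportDenied(out, false, e);
        }

        out.println(" </p><br/><br/>");
    }

    /**
     * Probes logging: writing through the Jetty logger is expected to be
     * allowed, while touching today's request log file directly is expected to
     * be refused.
     */
    private void runLoggingChecks(ServletOutputStream out) throws IOException
    {
        // Heading previously read "Checking File System" (copy-paste from the
        // file-system section); this section is about logging.
        out.println(" <h1>Checking Logging</h1>");
        out.println(" <p>");

        String userDir = System.getProperty("user.dir");

        out.println("check ability to log<br/>");
        try
        {
            LOG.info("testing logging");
            reportAllowed(out, true);
        }
        catch (SecurityException e)
        {
            reportDenied(out, true, e);
        }

        Calendar today = new GregorianCalendar();
        // Calendar.MONTH is zero-based, so +1 gives the calendar month; fields are
        // zero-padded so the name matches a yyyy_mm_dd date stamp.
        // NOTE(review): assumes the request log is named <yyyy_mm_dd>.request.log
        // under $jetty.home/logs — confirm against the request log configuration.
        // The probe only needs the permission check to fire, so a name that does
        // not exist still exercises the policy.
        String logFileName = String.format("%04d_%02d_%02d.request.log",
                today.get(Calendar.YEAR),
                today.get(Calendar.MONTH) + 1,
                today.get(Calendar.DAY_OF_MONTH));
        File logFile = new File(new File(userDir, "logs"), logFileName);
        checkFileAccess(out, "check ability to access log file directly<br/>", logFile, false, false);

        out.println(" </p><br/><br/>");
    }

    /**
     * Probes read and write access to the policy file, the lib directory, the
     * home directory and the logs directory under {@code user.dir}. Only reading
     * the policy file itself is expected to be allowed.
     */
    private void runFileSystemChecks(ServletOutputStream out) throws IOException
    {
        out.println(" <h1>Checking File System</h1>");
        out.println(" <p>");

        String userDir = System.getProperty("user.dir");
        File home = new File(userDir);
        File libDir = new File(home, "lib");
        File policyFile = new File(new File(libDir, "policy"), "jetty.policy");
        File logsDir = new File(home, "logs");

        checkFileAccess(out, "check read for $jetty.home/lib/policy/jetty.policy<br/>", policyFile, false, true);
        checkFileAccess(out, "check write permission for $jetty.home/lib/policy/jetty.policy<br/>", policyFile, true, false);

        checkFileAccess(out, "check read permission for $jetty.home/lib<br/>", libDir, false, false);
        checkFileAccess(out, "check write permission for $jetty.home/lib<br/>", libDir, true, false);

        checkFileAccess(out, "check read permission for $jetty.home<br/>", home, false, false);
        checkFileAccess(out, "check write permission for $jetty.home<br/>", home, true, false);

        checkFileAccess(out, "check read permission for $jetty.home/logs<br/>", logsDir, false, false);
        // Label previously said "read" although the probe calls canWrite().
        checkFileAccess(out, "check write permission for $jetty.home/logs<br/>", logsDir, true, false);

        out.println(" </p><br/><br/>");
    }

    /**
     * Probes system-property access: a property declared read-only, a property
     * declared read/write, and a property the policy does not mention at all.
     *
     * <p>Write probes set the property to the status text that should be shown
     * and then read it back, so the rendered status is whatever value the JVM
     * actually holds afterwards.
     */
    private void runPropertyChecks(ServletOutputStream out) throws IOException
    {
        out.println(" <h1>Checking Properties</h1>");

        out.println(" <h3>Declared Property - read</h3>");
        out.println(" <p>");
        checkPropertyRead(out, "check read permission for __ALLOWED_READ_PROPERTY <br/>", "__ALLOWED_READ_PROPERTY", true);
        checkPropertyWrite(out, "check write permission for __ALLOWED_READ_PROPERTY<br/>", "__ALLOWED_READ_PROPERTY", "SUCCESS - unexpected", false);
        out.println(" </p><br/><br/>");

        out.println(" <h3>Declared Property - read/write</h3>");
        out.println(" <p>");
        checkPropertyRead(out, "check read permission for __ALLOWED_WRITE_PROPERTY<br/>", "__ALLOWED_WRITE_PROPERTY", true);
        checkPropertyWrite(out, "check write permission for __ALLOWED_WRITE_PROPERTY<br/>", "__ALLOWED_WRITE_PROPERTY", "SUCCESS - expected", true);
        out.println(" </p><br/><br/>");

        out.println(" <h3>checking forbidden properties</h3>");
        out.println(" <p>");
        // NOTE(review): the original labelled both outcomes of this read probe as
        // "expected"; reading an undeclared property is treated as forbidden here,
        // matching the section heading and the refusal branch — confirm against
        // the policy file.
        checkPropertyRead(out, "check read permission for __UNDECLARED_PROPERTY: <br/>", "__UNDECLARED_PROPERTY", false);
        checkPropertyWrite(out, "check write permission for __UNDECLARED_PROPERTY: <br/>", "__UNDECLARED_PROPERTY", "SUCCESS - unexpected", false);
        out.println(" </p><br/><br/>");
    }

    /**
     * Runs one file-access probe and reports the outcome.
     *
     * @param out           response stream the report is written to
     * @param message       the probe label, printed verbatim before the probe
     * @param file          file or directory to probe
     * @param write         {@code true} to probe {@link File#canWrite()}, else {@link File#canRead()}
     * @param expectAllowed whether the policy is expected to permit the access
     * @throws IOException if the response stream cannot be written
     */
    private static void checkFileAccess(ServletOutputStream out, String message, File file, boolean write, boolean expectAllowed) throws IOException
    {
        out.println(message);
        try
        {
            // Only the permission check matters; the boolean result (which also
            // reflects mere existence) is intentionally ignored.
            if (write)
            {
                file.canWrite();
            }
            else
            {
                file.canRead();
            }
            reportAllowed(out, expectAllowed);
        }
        catch (SecurityException e)
        {
            reportDenied(out, expectAllowed, e);
        }
    }

    /**
     * Runs one property-read probe and reports the outcome.
     *
     * @param out           response stream the report is written to
     * @param message       the probe label, printed verbatim before the probe
     * @param name          system property to read
     * @param expectAllowed whether the policy is expected to permit the read
     * @throws IOException if the response stream cannot be written
     */
    private static void checkPropertyRead(ServletOutputStream out, String message, String name, boolean expectAllowed) throws IOException
    {
        out.println(message);
        try
        {
            System.getProperty(name);
            reportAllowed(out, expectAllowed);
        }
        catch (SecurityException e)
        {
            reportDenied(out, expectAllowed, e);
        }
    }

    /**
     * Runs one property-write probe. On success the status shown is the value
     * read back from the property, so {@code value} should already be the status
     * text ("SUCCESS - expected" or "SUCCESS - unexpected").
     *
     * @param out           response stream the report is written to
     * @param message       the probe label, printed verbatim before the probe
     * @param name          system property to write
     * @param value         value to store, which doubles as the success status text
     * @param expectAllowed whether the policy is expected to permit the write
     * @throws IOException if the response stream cannot be written
     */
    private static void checkPropertyWrite(ServletOutputStream out, String message, String name, String value, boolean expectAllowed) throws IOException
    {
        out.println(message);
        try
        {
            System.setProperty(name, value);
            out.println("status: <b>" + System.getProperty(name) + "</b><br/>");
        }
        catch (SecurityException e)
        {
            reportDenied(out, expectAllowed, e);
        }
    }

    /** Prints the status line for an operation the policy let through. */
    private static void reportAllowed(ServletOutputStream out, boolean expectAllowed) throws IOException
    {
        out.println("status: <b>SUCCESS - " + (expectAllowed ? "expected" : "unexpected") + "</b><br/>");
    }

    /**
     * Prints the status line for an operation the policy refused. A refusal that
     * was expected to succeed also renders the stack trace so the missing
     * permission can be read off the page.
     */
    private static void reportDenied(ServletOutputStream out, boolean expectAllowed, SecurityException e) throws IOException
    {
        if (expectAllowed)
        {
            out.println("status: <b>FAILURE - unexpected</b><br/>");
            out.println("<table><tr><td>");
            e.printStackTrace(new PrintStream(out));
            out.println("</td></tr></table>");
        }
        else
        {
            out.println("status: <b>FAILURE - expected</b><br/>");
        }
    }
}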