
1   //
2   //  ========================================================================
3   //  Copyright (c) 1995-2016 Mort Bay Consulting Pty. Ltd.
4   //  ------------------------------------------------------------------------
5   //  All rights reserved. This program and the accompanying materials
6   //  are made available under the terms of the Eclipse Public License v1.0
7   //  and Apache License v2.0 which accompanies this distribution.
8   //
9   //      The Eclipse Public License is available at
10  //      http://www.eclipse.org/legal/epl-v10.html
11  //
12  //      The Apache License v2.0 is available at
13  //      http://www.opensource.org/licenses/apache2.0.php
14  //
15  //  You may elect to redistribute this code under either of these licenses.
16  //  ========================================================================
17  //
18  
19  package com.acme;
20  
import java.io.File;
import java.io.IOException;
import java.io.PrintStream;
import java.net.URL;
import java.net.URLClassLoader;
import java.util.Calendar;
import java.util.GregorianCalendar;
import java.util.Locale;

import javax.servlet.ServletConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletOutputStream;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.eclipse.jetty.util.log.Log;
import org.eclipse.jetty.util.log.Logger;
38  
39  /** 
40   * Dump Servlet Request.
41   */
42  @SuppressWarnings("serial")
43  public class SecureModeServlet extends HttpServlet
44  {
45      private static final Logger LOG = Log.getLogger(SecureModeServlet.class);
46  
47      /* ------------------------------------------------------------ */
48      @Override
49      public void init(ServletConfig config) throws ServletException
50      {
51          super.init(config);
52      }
53  
54      /* ------------------------------------------------------------ */
55      @Override
56      public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException
57      {
58          doGet(request, response);
59      }
60  
61      /* ------------------------------------------------------------ */
62      @Override
63      public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException
64      {
65  
66          response.setContentType("text/html");
67          ServletOutputStream out = response.getOutputStream();
68          out.println("<html>");
69          out.println("  <title>Secure Jetty Test Webapp</title>");
70  
71          try
72          {
73              runPropertyChecks(out);
74  
75              runFileSystemChecks(out);
76  
77              runLoggingChecks(out);
78  
79              runClassloaderChecks(out);
80          }
81          catch (Exception e)
82          {
83              e.printStackTrace(new PrintStream(out));
84          }
85          out.println("</html>");
86          out.flush();
87  
88          try
89          {
90              Thread.sleep(200);
91          }
92          catch (InterruptedException e)
93          {
94              getServletContext().log("exception",e);
95          }
96      }
97  
98      private void runClassloaderChecks(ServletOutputStream out) throws Exception
99      {
100         out.println("    <h1>Checking Classloader Setup</h1>");
101         out.println("      <p>");
102 
103         System.getProperty("user.dir");
104         try
105         {
106             out.println("check ability to create classloader<br/>");
107             URL url = new URL("http://not.going.to.work");
108             new URLClassLoader(new URL[] { url });
109             out.println("status: <b>SUCCESS - unexpected</b><br/>");
110         }
111         catch (SecurityException e)
112         {
113             out.println("status: <b>FAILURE - expected</b><br/>");
114         }
115 
116         out.println("      </p><br/><br/>");
117     }
118 
119     private void runLoggingChecks(ServletOutputStream out) throws Exception
120     {
121         out.println("    <h1>Checking File System</h1>");
122         out.println("      <p>");
123 
124         String userDir = System.getProperty("user.dir");
125         try
126         {
127             out.println("check ability to log<br/>");
128             LOG.info("testing logging");
129             out.println("status: <b>SUCCESS - expected</b><br/>");
130         }
131         catch (SecurityException e)
132         {
133             out.println("status: <b>FAILURE - unexpected</b><br/>");
134             out.println("<table><tr><td>");
135             e.printStackTrace(new PrintStream(out));
136             out.println("</td></tr></table>");
137         }
138 
139         try
140         {
141             Calendar c = new GregorianCalendar();
142 
143             String logFile = c.get(Calendar.YEAR) + "_" + c.get(Calendar.MONTH) + "_" + c.get(Calendar.DAY_OF_MONTH) + ".request.log";
144 
145             out.println("check ability to access log file directly<br/>");
146             File jettyHomeFile = new File(userDir + File.separator + "logs" + File.separator + logFile);
147             jettyHomeFile.canRead();
148             out.println("status: <b>SUCCESS - unexpected</b><br/>");
149         }
150         catch (SecurityException e)
151         {
152             out.println("status: <b>FAILURE - expected</b><br/>");
153         }
154 
155         out.println("      </p><br/><br/>");
156     }
157 
158     private void runFileSystemChecks(ServletOutputStream out) throws Exception
159     {
160         out.println("    <h1>Checking File System</h1>");
161 
162         /*
163          * test the reading and writing of a read only permission
164          */
165         out.println("      <p>");
166 
167         String userDir = System.getProperty("user.dir");
168         try
169         {
170             out.println("check read for $jetty.home/lib/policy/jetty.policy<br/>");
171 
172             File jettyHomeFile = new File(userDir + File.separator + "lib" + File.separator + "policy" + File.separator + "jetty.policy");
173             jettyHomeFile.canRead();
174             out.println("status: <b>SUCCESS - expected</b><br/>");
175         }
176         catch (SecurityException e)
177         {
178             out.println("status: <b>FAILURE - unexpected</b><br/>");
179             out.println("<table><tr><td>");
180             e.printStackTrace(new PrintStream(out));
181             out.println("</td></tr></table>");
182         }
183 
184         try
185         {
186             out.println("check write permission for $jetty.home/lib/policy/jetty.policy<br/>");
187 
188             File jettyHomeFile = new File(userDir + File.separator + "lib" + File.separator + "policy" + File.separator + "jetty.policy");
189             jettyHomeFile.canWrite();
190             out.println("status: <b>SUCCESS - unexpected</b><br/>");
191         }
192         catch (SecurityException e)
193         {
194             out.println("status: <b>FAILURE - expected</b><br/>");
195         }
196 
197         try
198         {
199             out.println("check read permission for $jetty.home/lib<br/>");
200 
201             File jettyHomeFile = new File(userDir + File.separator + "lib");
202             jettyHomeFile.canRead();
203             out.println("status: <b>SUCCESS - unexpected</b><br/>");
204         }
205         catch (SecurityException e)
206         {
207             out.println("status: <b>FAILURE - expected</b><br/>");
208         }
209 
210         try
211         {
212             out.println("check write permission for $jetty.home/lib<br/>");
213 
214             File jettyHomeFile = new File(userDir + File.separator + "lib");
215             jettyHomeFile.canWrite();
216             out.println("status: <b>SUCCESS - unexpected</b><br/>");
217         }
218         catch (SecurityException e)
219         {
220             out.println("status: <b>FAILURE - expected</b><br/>");
221         }
222 
223         try
224         {
225             out.println("check read permission for $jetty.home<br/>");
226 
227             File jettyHomeFile = new File(userDir + File.separator);
228             jettyHomeFile.canRead();
229             out.println("status: <b>SUCCESS - unexpected</b><br/>");
230         }
231         catch (SecurityException e)
232         {
233             out.println("status: <b>FAILURE - expected</b><br/>");
234         }
235 
236         try
237         {
238             out.println("check write permission for $jetty.home<br/>");
239 
240             File jettyHomeFile = new File(userDir + File.separator);
241             jettyHomeFile.canWrite();
242             out.println("status: <b>SUCCESS - unexpected</b><br/>");
243         }
244         catch (SecurityException e)
245         {
246             out.println("status: <b>FAILURE - expected</b><br/>");
247         }
248 
249         try
250         {
251             out.println("check read permission for $jetty.home/logs<br/>");
252 
253             File jettyHomeFile = new File(userDir + File.separator + "logs" + File.separator);
254             jettyHomeFile.canRead();
255             out.println("status: <b>SUCCESS - unexpected</b><br/>");
256         }
257         catch (SecurityException e)
258         {
259             out.println("status: <b>FAILURE - expected</b><br/>");
260         }
261 
262         try
263         {
264             out.println("check read permission for $jetty.home/logs<br/>");
265 
266             File jettyHomeFile = new File(userDir + File.separator + "logs");
267             jettyHomeFile.canWrite();
268             out.println("status: <b>SUCCESS - unexpected</b><br/>");
269         }
270         catch (SecurityException e)
271         {
272             out.println("status: <b>FAILURE - expected</b><br/>");
273         }
274 
275         out.println("      </p><br/><br/>");
276     }
277 
278     private void runPropertyChecks(ServletOutputStream out) throws IOException
279     {
280 
281         out.println("    <h1>Checking Properties</h1>");
282 
283         /*
284          * test the reading and writing of a read only permission
285          */
286         out.println("    <h3>Declared Property - read</h3>");
287         out.println("      <p>");
288         try
289         {
290             out.println("check read permission for __ALLOWED_READ_PROPERTY <br/>");
291             System.getProperty("__ALLOWED_READ_PROPERTY");
292             out.println("status: <b>SUCCESS - expected</b><br/>");
293         }
294         catch (SecurityException e)
295         {
296             out.println("status: <b>FAILURE - unexpected</b><br/>");
297             out.println("<table><tr><td>");
298             e.printStackTrace(new PrintStream(out));
299             out.println("</td></tr></table>");
300         }
301         try
302         {
303             out.println("check write permission for __ALLOWED_READ_PROPERTY<br/>");
304             System.setProperty("__ALLOWED_READ_PROPERTY","SUCCESS - unexpected");
305             String value = System.getProperty("__ALLOWED_READ_PROPERTY");
306             out.println("status: <b>" + value + "</b><br/>");
307         }
308         catch (SecurityException e)
309         {
310             out.println("status: <b>FAILURE - expected</b><br/>");
311         }
312 
313         out.println("      </p><br/><br/>");
314 
315         /*
316          * test the reading and writing of a read/write permission
317          */
318         out.println("    <h3>Declared Property - read/write</h3>");
319         out.println("      <p>");
320         try
321         {
322             out.println("check read permission for __ALLOWED_WRITE_PROPERTY<br/>");
323             System.getProperty("__ALLOWED_WRITE_PROPERTY");
324             out.println("Status: <b>SUCCESS - expected</b><br/>");
325         }
326         catch (SecurityException e)
327         {
328             out.println("status: <b>FAILURE - unexpected</b><br/>");
329             out.println("<table><tr><td>");
330             e.printStackTrace(new PrintStream(out));
331             out.println("</td></tr></table>");
332         }
333         try
334         {
335             out.println("check write permission for __ALLOWED_WRITE_PROPERTY<br/>");
336             System.setProperty("__ALLOWED_WRITE_PROPERTY","SUCCESS - expected");
337             String value = System.getProperty("__ALLOWED_WRITE_PROPERTY");
338             out.println("status: <b>" + value + "</b><br/>");
339         }
340         catch (SecurityException e)
341         {
342             out.println("status: <b>FAILURE - unexpected</b><br/>");
343             out.println("<table><tr><td>");
344             e.printStackTrace(new PrintStream(out));
345             out.println("</td></tr></table>");
346         }
347 
348         out.println("      </p><br/><br/>");
349 
350         /*
351          * test the reading and writing of an undeclared property
352          */
353         out.println("    <h3>checking forbidden properties</h3>");
354         out.println("      <p>");
355         try
356         {
357             out.println("check read permission for __UNDECLARED_PROPERTY: <br/>");
358             System.getProperty("__UNDECLARED_PROPERTY");
359             out.println("status: <b>SUCCESS - expected</b><br/>");
360         }
361         catch (SecurityException e)
362         {
363             out.println("status: <b>FAILURE - expected</b><br/>");
364         }
365         try
366         {
367             out.println("check write permission for __UNDECLARED_PROPERTY: <br/>");
368             System.setProperty("__UNDECLARED_PROPERTY","SUCCESS - unexpected");
369             String value = System.getProperty("__UNDECLARED_PROPERTY");
370             out.println("status: <b>" + value + "</b><br/>");
371         }
372         catch (SecurityException e)
373         {
374             out.println("status: <b>FAILURE - expected</b><br/>");
375         }
376 
377         out.println("      </p><br/><br/>");
378     }
379 
380 
381 }