14 package com.acme;
15
16 import java.io.File;
17 import java.io.IOException;
18 import java.io.PrintStream;
19 import java.net.URL;
20 import java.net.URLClassLoader;
21 import java.util.Calendar;
22 import java.util.GregorianCalendar;
23
24 import javax.servlet.ServletConfig;
25 import javax.servlet.ServletException;
26 import javax.servlet.ServletOutputStream;
27 import javax.servlet.http.HttpServlet;
28 import javax.servlet.http.HttpServletRequest;
29 import javax.servlet.http.HttpServletResponse;
30
31 import org.eclipse.jetty.util.log.Log;
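/**
 * Test page of the "Secure Jetty Test Webapp": reports what the active Java security
 * policy lets this webapp do.
 * <p>
 * Every request runs a fixed series of probes (system properties, file access, logging,
 * class loader creation) and writes one status line per probe into the HTML response. A
 * probe counts as denied only when the operation throws {@link SecurityException}; the
 * status line says whether that outcome was the expected one, so any line ending in
 * "unexpected" marks a difference between the active policy and what this page assumes.
 * <p>
 * Points to keep in mind when reading the output:
 * <ul>
 * <li>The probed calls raise {@link SecurityException} only on behalf of an installed
 * security manager, so on a JVM without one every probe reports SUCCESS.</li>
 * <li>File paths are built from the {@code user.dir} system property although the labels say
 * {@code $jetty.home}; the two agree only when the server was started from its home
 * directory.</li>
 * <li>The property write probes really call {@link System#setProperty(String, String)}; a
 * write that is allowed changes the JVM-wide value, and it stays changed for later
 * requests.</li>
 * <li>Unexpected denials and any other exception print their stack trace into the response,
 * which shows class names and absolute paths to whoever can reach this servlet.</li>
 * </ul>
 */
public class SecureModeServlet extends HttpServlet
{

    /**
     * Delegates to {@link HttpServlet#init(ServletConfig)}; this servlet keeps no state of its own.
     *
     * @param config the servlet configuration supplied by the container
     * @throws ServletException if the superclass initialisation fails
     */
    @Override
    public void init(ServletConfig config) throws ServletException
    {
        super.init(config);
    }


    /**
     * Handles POST exactly like GET; the request body is not read.
     *
     * @param request the incoming request (unused by the probes)
     * @param response the response the report is written to
     * @throws ServletException never thrown by this class itself
     * @throws IOException if writing the report fails
     */
    @Override
    public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException
    {
        doGet(request, response);
    }


    /**
     * Runs all probe groups and writes the report as an HTML page.
     * <p>
     * No request parameter is consulted: the set of probes and the probed paths are fixed.
     *
     * @param request the incoming request (unused by the probes)
     * @param response the response the report is written to
     * @throws ServletException never thrown by this class itself
     * @throws IOException if the response stream cannot be obtained or written outside the probe section
     */
    @Override
    public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException
    {

        response.setContentType("text/html");
        ServletOutputStream out = response.getOutputStream();
        out.println("<html>");
        out.println(" <title>Secure Jetty Test Webapp</title>");

        try
        {
            runPropertyChecks(out);

            runFileSystemChecks(out);

            runLoggingChecks(out);

            runClassloaderChecks(out);
        }
        catch (Exception e)
        {
            // Anything a probe group did not handle itself (for example a denied read of
            // user.dir, which happens outside the per-probe try blocks) aborts the remaining
            // groups and is shown to the client as a raw stack trace.
            e.printStackTrace(new PrintStream(out));
        }
        out.println("</html>");
        out.flush();

        try
        {
            // The reason for this pause is not evident from this file.
            Thread.sleep(200);
        }
        catch (InterruptedException e)
        {
            getServletContext().log("exception",e);
            // Keep the interrupt visible to the container thread that called us.
            Thread.currentThread().interrupt();
        }
    }

    /**
     * Writes the report lines used whenever a probe that should have been allowed is denied:
     * the status line followed by the exception's stack trace inside a one-cell table.
     *
     * @param out the response stream
     * @param e the denial raised by the probe
     * @throws IOException if writing to the response fails
     */
    private void printUnexpectedDenial(ServletOutputStream out, SecurityException e) throws IOException
    {
        out.println("status: <b>FAILURE - unexpected</b><br/>");
        out.println("<table><tr><td>");
        e.printStackTrace(new PrintStream(out));
        out.println("</td></tr></table>");
    }

    /**
     * Runs one file permission probe and reports its outcome.
     *
     * @param out the response stream
     * @param description the label printed before the probe; {@code <br/>} is appended
     * @param path the path handed to {@link File}
     * @param write {@code true} to probe with {@link File#canWrite()}, {@code false} for {@link File#canRead()}
     * @param grantExpected {@code true} if the policy is supposed to allow the access
     * @throws IOException if writing to the response fails
     */
    private void checkFileAccess(ServletOutputStream out, String description, String path, boolean write, boolean grantExpected) throws IOException
    {
        try
        {
            out.println(description + "<br/>");

            File target = new File(path);
            // Only the absence of a SecurityException is reported. The boolean result, which
            // also depends on whether the file exists, is deliberately not consulted.
            if (write)
            {
                target.canWrite();
            }
            else
            {
                target.canRead();
            }

            if (grantExpected)
            {
                out.println("status: <b>SUCCESS - expected</b><br/>");
            }
            else
            {
                out.println("status: <b>SUCCESS - unexpected</b><br/>");
            }
        }
        catch (SecurityException e)
        {
            if (grantExpected)
            {
                printUnexpectedDenial(out, e);
            }
            else
            {
                out.println("status: <b>FAILURE - expected</b><br/>");
            }
        }
    }

    /**
     * Probes whether the webapp may create its own class loader; the policy is expected to refuse.
     *
     * @param out the response stream
     * @throws Exception if writing fails or the placeholder URL cannot be parsed
     */
    private void runClassloaderChecks(ServletOutputStream out) throws Exception
    {
        out.println(" <h1>Checking Classloader Setup</h1>");
        out.println(" <p>");

        try
        {
            out.println("check ability to create classloader<br/>");
            URL url = new URL("http://not.going.to.work");
            // Constructing the loader is the whole probe: the instance is never used and
            // nothing is loaded from the placeholder URL.
            new URLClassLoader(new URL[]
            { url });
            out.println("status: <b>SUCCESS - unexpected</b><br/>");
        }
        catch (SecurityException e)
        {
            out.println("status: <b>FAILURE - expected</b><br/>");
        }

        out.println(" </p><br/><br/>");
    }

    /**
     * Probes logging: writing through the Jetty {@code Log} facade should be allowed, while
     * touching today's request log file directly should be refused.
     *
     * @param out the response stream
     * @throws Exception if writing fails or {@code user.dir} may not be read
     */
    private void runLoggingChecks(ServletOutputStream out) throws Exception
    {
        // Heading corrected: this section used to repeat the file system heading.
        out.println(" <h1>Checking Logging</h1>");
        out.println(" <p>");

        String userDir = System.getProperty("user.dir");
        try
        {
            out.println("check ability to log<br/>");
            Log.info("testing logging");
            out.println("status: <b>SUCCESS - expected</b><br/>");
        }
        catch (SecurityException e)
        {
            printUnexpectedDenial(out, e);
        }

        Calendar c = new GregorianCalendar();

        // Calendar.MONTH counts from 0, so add one to get the calendar month used in a
        // date-stamped file name.
        // NOTE(review): month and day are not zero-padded here; if the request log uses a
        // yyyy_MM_dd style name this path will not match the real file on most days.
        // Confirm against the server's request-log configuration.
        String logFile = c.get(Calendar.YEAR) + "_" + (c.get(Calendar.MONTH) + 1) + "_" + c.get(Calendar.DAY_OF_MONTH) + ".request.log";

        checkFileAccess(out, "check ability to access log file directly",
                userDir + File.separator + "logs" + File.separator + logFile, false, false);

        out.println(" </p><br/><br/>");
    }

    /**
     * Probes read and write access to the policy file and to the {@code lib}, home and
     * {@code logs} directories. Only reading {@code lib/policy/jetty.policy} is expected to be
     * allowed; every other access is expected to be refused.
     *
     * @param out the response stream
     * @throws Exception if writing fails or {@code user.dir} may not be read
     */
    private void runFileSystemChecks(ServletOutputStream out) throws Exception
    {
        out.println(" <h1>Checking File System</h1>");

        out.println(" <p>");

        // The labels below say $jetty.home, but the paths are rooted at the working directory.
        String userDir = System.getProperty("user.dir");
        String policyFile = userDir + File.separator + "lib" + File.separator + "policy" + File.separator + "jetty.policy";
        String libDir = userDir + File.separator + "lib";
        String homeDir = userDir + File.separator;

        checkFileAccess(out, "check read for $jetty.home/lib/policy/jetty.policy", policyFile, false, true);
        checkFileAccess(out, "check write permission for $jetty.home/lib/policy/jetty.policy", policyFile, true, false);

        checkFileAccess(out, "check read permission for $jetty.home/lib", libDir, false, false);
        checkFileAccess(out, "check write permission for $jetty.home/lib", libDir, true, false);

        checkFileAccess(out, "check read permission for $jetty.home", homeDir, false, false);
        checkFileAccess(out, "check write permission for $jetty.home", homeDir, true, false);

        checkFileAccess(out, "check read permission for $jetty.home/logs",
                userDir + File.separator + "logs" + File.separator, false, false);
        // Label corrected: this probe calls canWrite() but used to be reported as a second
        // read check, which made a writable logs directory indistinguishable from a readable one.
        checkFileAccess(out, "check write permission for $jetty.home/logs",
                userDir + File.separator + "logs", true, false);

        out.println(" </p><br/><br/>");
    }

    /**
     * Probes read and write access to three system properties: one the policy should expose
     * read-only, one it should expose read/write, and one it does not declare.
     * <p>
     * The write probes are not dry runs. When a write is allowed the property keeps the marker
     * value for the rest of the JVM's life, and the status line simply echoes that value back.
     *
     * @param out the response stream
     * @throws IOException if writing to the response fails
     */
    private void runPropertyChecks(ServletOutputStream out) throws IOException
    {

        out.println(" <h1>Checking Properties</h1>");

        out.println(" <h3>Declared Property - read</h3>");
        out.println(" <p>");
        try
        {
            out.println("check read permission for __ALLOWED_READ_PROPERTY <br/>");
            // Only the permission check matters; the value itself is not reported.
            System.getProperty("__ALLOWED_READ_PROPERTY");
            out.println("status: <b>SUCCESS - expected</b><br/>");
        }
        catch (SecurityException e)
        {
            printUnexpectedDenial(out, e);
        }
        try
        {
            out.println("check write permission for __ALLOWED_READ_PROPERTY<br/>");
            System.setProperty("__ALLOWED_READ_PROPERTY","SUCCESS - unexpected");
            String value = System.getProperty("__ALLOWED_READ_PROPERTY");
            out.println("status: <b>" + value + "</b><br/>");
        }
        catch (SecurityException e)
        {
            out.println("status: <b>FAILURE - expected</b><br/>");
        }

        out.println(" </p><br/><br/>");

        out.println(" <h3>Declared Property - read/write</h3>");
        out.println(" <p>");
        try
        {
            out.println("check read permission for __ALLOWED_WRITE_PROPERTY<br/>");
            System.getProperty("__ALLOWED_WRITE_PROPERTY");
            out.println("Status: <b>SUCCESS - expected</b><br/>");
        }
        catch (SecurityException e)
        {
            printUnexpectedDenial(out, e);
        }
        try
        {
            out.println("check write permission for __ALLOWED_WRITE_PROPERTY<br/>");
            System.setProperty("__ALLOWED_WRITE_PROPERTY","SUCCESS - expected");
            String value = System.getProperty("__ALLOWED_WRITE_PROPERTY");
            out.println("status: <b>" + value + "</b><br/>");
        }
        catch (SecurityException e)
        {
            printUnexpectedDenial(out, e);
        }

        out.println(" </p><br/><br/>");

        out.println(" <h3>checking forbidden properties</h3>");
        out.println(" <p>");
        try
        {
            out.println("check read permission for __UNDECLARED_PROPERTY: <br/>");
            System.getProperty("__UNDECLARED_PROPERTY");
            // NOTE(review): both outcomes of this probe are labelled "expected", so the line
            // can never flag a policy mismatch. Under the "forbidden properties" heading a
            // successful read looks like it should be "SUCCESS - unexpected" - confirm
            // against the policy file before changing the text.
            out.println("status: <b>SUCCESS - expected</b><br/>");
        }
        catch (SecurityException e)
        {
            out.println("status: <b>FAILURE - expected</b><br/>");
        }
        try
        {
            out.println("check write permission for __UNDECLARED_PROPERTY: <br/>");
            System.setProperty("__UNDECLARED_PROPERTY","SUCCESS - unexpected");
            String value = System.getProperty("__UNDECLARED_PROPERTY");
            out.println("status: <b>" + value + "</b><br/>");
        }
        catch (SecurityException e)
        {
            out.println("status: <b>FAILURE - expected</b><br/>");
        }

        out.println(" </p><br/><br/>");
    }


}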