
1   // ========================================================================
2   // Copyright (c) 1996-2009 Mort Bay Consulting Pty. Ltd.
3   // ------------------------------------------------------------------------
4   // All rights reserved. This program and the accompanying materials
5   // are made available under the terms of the Eclipse Public License v1.0
6   // and Apache License v2.0 which accompanies this distribution.
7   // The Eclipse Public License is available at 
8   // http://www.eclipse.org/legal/epl-v10.html
9   // The Apache License v2.0 is available at
10  // http://www.opensource.org/licenses/apache2.0.php
11  // You may elect to redistribute this code under either of these licenses. 
12  // ========================================================================
13  
14  package com.acme;
15  
16  import java.io.File;
17  import java.io.IOException;
18  import java.io.PrintStream;
19  import java.net.URL;
20  import java.net.URLClassLoader;
21  import java.util.Calendar;
22  import java.util.GregorianCalendar;
23  
24  import javax.servlet.ServletConfig;
25  import javax.servlet.ServletException;
26  import javax.servlet.ServletOutputStream;
27  import javax.servlet.http.HttpServlet;
28  import javax.servlet.http.HttpServletRequest;
29  import javax.servlet.http.HttpServletResponse;
30  
31  import org.eclipse.jetty.util.log.Log;
32  import org.eclipse.jetty.util.log.Logger;
33  
34  
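/* ------------------------------------------------------------ */
/**
 * Security-policy smoke test servlet.
 * <p>
 * Each request attempts a fixed list of operations (system property reads and
 * writes, file permission probes, logging, class loader creation) and writes
 * an HTML report stating whether each attempt completed or was rejected with
 * a {@link SecurityException}, and whether that outcome is the expected one.
 * <p>
 * Side effects: when the write is not rejected, a request sets the JVM-wide
 * system properties {@code __ALLOWED_READ_PROPERTY},
 * {@code __ALLOWED_WRITE_PROPERTY} and {@code __UNDECLARED_PROPERTY}.
 * Unexpected failures are reported with their stack trace in the response
 * body, so the report exposes class names and file system paths to any
 * client that can reach this servlet.
 */
public class SecureModeServlet extends HttpServlet
{
    private static final Logger LOG = Log.getLogger(SecureModeServlet.class);

    /* ------------------------------------------------------------ */
    /**
     * Delegates to the container's default initialisation.
     *
     * @param config the servlet configuration supplied by the container
     * @throws ServletException if the superclass initialisation fails
     */
    @Override
    public void init(ServletConfig config) throws ServletException
    {
        super.init(config);
    }

    /* ------------------------------------------------------------ */
    /**
     * Handles POST exactly like GET.
     *
     * @param request the HTTP request
     * @param response the HTTP response the report is written to
     * @throws ServletException declared by the servlet contract
     * @throws IOException if the response cannot be written
     */
    @Override
    public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException
    {
        doGet(request, response);
    }

    /* ------------------------------------------------------------ */
    /**
     * Runs every check group and writes the HTML report.
     * <p>
     * An exception that escapes a check group aborts the remaining groups and
     * is printed into the report instead.
     *
     * @param request the HTTP request (not inspected)
     * @param response the HTTP response the report is written to
     * @throws ServletException declared by the servlet contract
     * @throws IOException if the response cannot be written
     */
    @Override
    public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException
    {
        response.setContentType("text/html");
        ServletOutputStream out = response.getOutputStream();
        out.println("<html>");
        out.println("  <title>Secure Jetty Test Webapp</title>");

        try
        {
            runPropertyChecks(out);

            runFileSystemChecks(out);

            runLoggingChecks(out);

            runClassloaderChecks(out);
        }
        catch (Exception e)
        {
            // Includes a SecurityException on the unguarded "user.dir" reads.
            printEscapedStackTrace(out, e);
        }
        out.println("</html>");
        out.flush();

        try
        {
            // NOTE(review): the reason for this pause is not evident from this file.
            Thread.sleep(200);
        }
        catch (InterruptedException e)
        {
            getServletContext().log("exception", e);
            // Restore the interrupt status so the container thread can see it.
            Thread.currentThread().interrupt();
        }
    }

    /**
     * Checks that creating a {@link URLClassLoader} is rejected.
     *
     * @param out the response stream the result is written to
     * @throws Exception if the URL is malformed or the response cannot be written
     */
    private void runClassloaderChecks(ServletOutputStream out) throws Exception
    {
        out.println("    <h1>Checking Classloader Setup</h1>");
        out.println("      <p>");

        out.println("check ability to create classloader<br/>");
        try
        {
            URL url = new URL("http://not.going.to.work");
            new URLClassLoader(new URL[] { url });
            reportAllowed(out, false);
        }
        catch (SecurityException e)
        {
            reportDenied(out, true, e);
        }

        out.println("      </p><br/><br/>");
    }

    /**
     * Checks that logging through the Jetty logger works and that the request
     * log file cannot be probed directly.
     *
     * @param out the response stream the results are written to
     * @throws Exception if the response cannot be written, or if reading
     *         {@code user.dir} is rejected
     */
    private void runLoggingChecks(ServletOutputStream out) throws Exception
    {
        // The original heading repeated "Checking File System" here.
        out.println("    <h1>Checking Logging</h1>");
        out.println("      <p>");

        String userDir = System.getProperty("user.dir");

        out.println("check ability to log<br/>");
        try
        {
            LOG.info("testing logging");
            reportAllowed(out, true);
        }
        catch (SecurityException e)
        {
            reportDenied(out, false, e);
        }

        Calendar c = new GregorianCalendar();

        // NOTE(review): Calendar.MONTH is zero-based and none of the fields is
        // zero-padded; confirm this matches the request log name actually in use.
        String logFile = c.get(Calendar.YEAR) + "_" + c.get(Calendar.MONTH) + "_" + c.get(Calendar.DAY_OF_MONTH) + ".request.log";

        File requestLog = new File(userDir + File.separator + "logs" + File.separator + logFile);
        checkFileAccess(out, "check ability to access log file directly", requestLog, false, false);

        out.println("      </p><br/><br/>");
    }

    /**
     * Probes read and write permission on the policy file and on the
     * {@code lib}, home and {@code logs} directories below {@code user.dir}.
     * Only reading the policy file is expected to be allowed.
     *
     * @param out the response stream the results are written to
     * @throws Exception if the response cannot be written, or if reading
     *         {@code user.dir} is rejected
     */
    private void runFileSystemChecks(ServletOutputStream out) throws Exception
    {
        out.println("    <h1>Checking File System</h1>");

        out.println("      <p>");

        String userDir = System.getProperty("user.dir");

        File policyFile = new File(userDir + File.separator + "lib" + File.separator + "policy" + File.separator + "jetty.policy");
        checkFileAccess(out, "check read for $jetty.home/lib/policy/jetty.policy", policyFile, false, true);
        checkFileAccess(out, "check write permission for $jetty.home/lib/policy/jetty.policy", policyFile, true, false);

        File libDir = new File(userDir + File.separator + "lib");
        checkFileAccess(out, "check read permission for $jetty.home/lib", libDir, false, false);
        checkFileAccess(out, "check write permission for $jetty.home/lib", libDir, true, false);

        File homeDir = new File(userDir + File.separator);
        checkFileAccess(out, "check read permission for $jetty.home", homeDir, false, false);
        checkFileAccess(out, "check write permission for $jetty.home", homeDir, true, false);

        checkFileAccess(out, "check read permission for $jetty.home/logs",
            new File(userDir + File.separator + "logs" + File.separator), false, false);
        // This probe calls canWrite(); the original label said "read" here.
        checkFileAccess(out, "check write permission for $jetty.home/logs",
            new File(userDir + File.separator + "logs"), true, false);

        out.println("      </p><br/><br/>");
    }

    /**
     * Probes read and write access to three system properties: one expected to
     * be read-only, one expected to be readable and writable, and one for which
     * both operations are expected to be rejected.
     *
     * @param out the response stream the results are written to
     * @throws IOException if the response cannot be written
     */
    private void runPropertyChecks(ServletOutputStream out) throws IOException
    {
        out.println("    <h1>Checking Properties</h1>");

        /*
         * test the reading and writing of a read only permission
         */
        out.println("    <h3>Declared Property - read</h3>");
        out.println("      <p>");
        out.println("check read permission for __ALLOWED_READ_PROPERTY <br/>");
        try
        {
            System.getProperty("__ALLOWED_READ_PROPERTY");
            out.println("status: <b>SUCCESS - expected</b><br/>");
        }
        catch (SecurityException e)
        {
            reportDenied(out, false, e);
        }
        checkPropertyWrite(out, "check write permission for __ALLOWED_READ_PROPERTY<br/>", "__ALLOWED_READ_PROPERTY", false);

        out.println("      </p><br/><br/>");

        /*
         * test the reading and writing of a read/write permission
         */
        out.println("    <h3>Declared Property - read/write</h3>");
        out.println("      <p>");
        out.println("check read permission for __ALLOWED_WRITE_PROPERTY<br/>");
        try
        {
            System.getProperty("__ALLOWED_WRITE_PROPERTY");
            out.println("Status: <b>SUCCESS - expected</b><br/>");
        }
        catch (SecurityException e)
        {
            reportDenied(out, false, e);
        }
        checkPropertyWrite(out, "check write permission for __ALLOWED_WRITE_PROPERTY<br/>", "__ALLOWED_WRITE_PROPERTY", true);

        out.println("      </p><br/><br/>");

        /*
         * test the reading and writing of an undeclared property
         */
        out.println("    <h3>checking forbidden properties</h3>");
        out.println("      <p>");
        out.println("check read permission for __UNDECLARED_PROPERTY: <br/>");
        try
        {
            System.getProperty("__UNDECLARED_PROPERTY");
            // A successful read of a forbidden property is the unexpected
            // outcome; the original reported it as "expected".
            out.println("status: <b>SUCCESS - unexpected</b><br/>");
        }
        catch (SecurityException e)
        {
            reportDenied(out, true, e);
        }
        checkPropertyWrite(out, "check write permission for __UNDECLARED_PROPERTY: <br/>", "__UNDECLARED_PROPERTY", false);

        out.println("      </p><br/><br/>");
    }

    /**
     * Sets a system property, reads it back and reports the outcome.
     *
     * @param out the response stream the result is written to
     * @param label the line announcing the check, written verbatim
     * @param name the system property to write
     * @param permitted whether the write is expected to be allowed
     * @throws IOException if the response cannot be written
     */
    private static void checkPropertyWrite(ServletOutputStream out, String label, String name, boolean permitted) throws IOException
    {
        out.println(label);
        try
        {
            System.setProperty(name, permitted ? "SUCCESS - expected" : "SUCCESS - unexpected");
            String value = System.getProperty(name);
            out.println("status: <b>" + value + "</b><br/>");
        }
        catch (SecurityException e)
        {
            reportDenied(out, !permitted, e);
        }
    }

    /**
     * Probes read or write permission on a path and reports the outcome.
     * <p>
     * The boolean returned by {@link File#canRead()} / {@link File#canWrite()}
     * is ignored: only a {@link SecurityException} counts as a denial, so
     * SUCCESS is also reported for a path that does not exist.
     *
     * @param out the response stream the result is written to
     * @param label the text announcing the check, without the trailing line break tag
     * @param target the path to probe
     * @param write {@code true} to probe write access, {@code false} for read access
     * @param permitted whether the access is expected to be allowed
     * @throws IOException if the response cannot be written
     */
    private static void checkFileAccess(ServletOutputStream out, String label, File target, boolean write, boolean permitted) throws IOException
    {
        out.println(label + "<br/>");
        try
        {
            if (write)
            {
                target.canWrite();
            }
            else
            {
                target.canRead();
            }
            reportAllowed(out, permitted);
        }
        catch (SecurityException e)
        {
            reportDenied(out, !permitted, e);
        }
    }

    /**
     * Writes the status line for an operation that completed.
     *
     * @param out the response stream
     * @param expected whether completing was the expected outcome
     * @throws IOException if the response cannot be written
     */
    private static void reportAllowed(ServletOutputStream out, boolean expected) throws IOException
    {
        out.println("status: <b>SUCCESS - " + (expected ? "expected" : "unexpected") + "</b><br/>");
    }

    /**
     * Writes the status line for an operation rejected with a
     * {@link SecurityException}; an unexpected rejection is followed by its
     * stack trace.
     *
     * @param out the response stream
     * @param expected whether the rejection was the expected outcome
     * @param denial the exception that rejected the operation
     * @throws IOException if the response cannot be written
     */
    private static void reportDenied(ServletOutputStream out, boolean expected, SecurityException denial) throws IOException
    {
        if (expected)
        {
            out.println("status: <b>FAILURE - expected</b><br/>");
            return;
        }
        out.println("status: <b>FAILURE - unexpected</b><br/>");
        out.println("<table><tr><td>");
        printEscapedStackTrace(out, denial);
        out.println("</td></tr></table>");
    }

    /**
     * Writes a stack trace into the HTML report as escaped, preformatted text.
     * <p>
     * Frames such as {@code <init>} and {@code <clinit>} would otherwise be
     * parsed as markup by the browser and disappear from the report.
     *
     * @param out the response stream
     * @param failure the throwable to print
     * @throws IOException if the response cannot be written
     */
    private static void printEscapedStackTrace(ServletOutputStream out, Throwable failure) throws IOException
    {
        java.io.StringWriter trace = new java.io.StringWriter();
        java.io.PrintWriter writer = new java.io.PrintWriter(trace);
        failure.printStackTrace(writer);
        writer.flush();
        out.println("<pre>" + escapeHtml(trace.toString()) + "</pre>");
    }

    /**
     * Escapes text for inclusion in HTML element content. Code points above
     * 126 become numeric character references, so the result is plain ASCII
     * whatever characters the input contains.
     *
     * @param text the raw text
     * @return the escaped text
     */
    private static String escapeHtml(String text)
    {
        StringBuilder escaped = new StringBuilder(text.length() + 16);
        int index = 0;
        while (index < text.length())
        {
            int codePoint = text.codePointAt(index);
            index += Character.charCount(codePoint);
            switch (codePoint)
            {
                case '<':
                    escaped.append("&lt;");
                    break;
                case '>':
                    escaped.append("&gt;");
                    break;
                case '&':
                    escaped.append("&amp;");
                    break;
                case '"':
                    escaped.append("&quot;");
                    break;
                default:
                    if (codePoint > 126)
                    {
                        escaped.append("&#").append(codePoint).append(';');
                    }
                    else
                    {
                        escaped.append((char)codePoint);
                    }
                    break;
            }
        }
        return escaped.toString();
    }
}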