14 package com.acme;
15
16 import java.io.File;
17 import java.io.IOException;
18 import java.io.PrintStream;
19 import java.net.URL;
20 import java.net.URLClassLoader;
21 import java.util.Calendar;
22 import java.util.GregorianCalendar;
23
24 import javax.servlet.ServletConfig;
25 import javax.servlet.ServletException;
26 import javax.servlet.ServletOutputStream;
27 import javax.servlet.http.HttpServlet;
28 import javax.servlet.http.HttpServletRequest;
29 import javax.servlet.http.HttpServletResponse;
30
31 import org.eclipse.jetty.util.log.Log;
32 import org.eclipse.jetty.util.log.Logger;
33
34
35
36
37
38
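/**
 * Diagnostic servlet for a Jetty "secure mode" (SecurityManager) deployment.
 * <p>
 * Every request runs a fixed set of probes - system property access, file
 * system access below {@code user.dir}, logging, and class loader creation -
 * and renders, for each probe, whether it was allowed or denied with a
 * {@link SecurityException} and whether that outcome is the one the policy is
 * expected to produce. The rendered page is the test report itself, so an
 * unexpected denial carries the exception trace inline.
 */
public class SecureModeServlet extends HttpServlet
{
    private static final Logger LOG = Log.getLogger(SecureModeServlet.class);

    @Override
    public void init(ServletConfig config) throws ServletException
    {
        super.init(config);
    }

    /** POST is served exactly like GET; the report takes no input. */
    @Override
    public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException
    {
        doGet(request, response);
    }

    /**
     * Renders the probe report as HTML.
     *
     * @param request  the incoming request (unused)
     * @param response the response the report is written to
     * @throws IOException if the response stream cannot be written
     */
    @Override
    public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException
    {
        response.setContentType("text/html");
        ServletOutputStream out = response.getOutputStream();
        out.println("<html>");
        out.println(" <title>Secure Jetty Test Webapp</title>");

        try
        {
            runPropertyChecks(out);
            runFileSystemChecks(out);
            runLoggingChecks(out);
            runClassloaderChecks(out);
        }
        catch (Exception e)
        {
            // Each probe handles its own SecurityException, so anything arriving here is a
            // defect in a probe: record it server-side as well as in the report.
            getServletContext().log("secure mode check failed", e);
            e.printStackTrace(new PrintStream(out));
        }
        out.println("</html>");
        out.flush();

        // Brief delay kept from the original implementation; its purpose is undocumented.
        try
        {
            Thread.sleep(200);
        }
        catch (InterruptedException e)
        {
            getServletContext().log("exception", e);
            // Restore the interrupt flag so the container thread sees the interruption.
            Thread.currentThread().interrupt();
        }
    }

    /**
     * Probes whether the web application may create a class loader; the secure
     * mode policy is expected to deny this.
     *
     * @param out the report stream
     * @throws IOException if the report cannot be written
     */
    private void runClassloaderChecks(ServletOutputStream out) throws IOException
    {
        out.println(" <h1>Checking Classloader Setup</h1>");
        out.println(" <p>");

        out.println("check ability to create classloader<br/>");
        try
        {
            // The URL never needs to resolve: constructing the loader is what the
            // SecurityManager checks.
            URL url = new URL("http://not.going.to.work");
            new URLClassLoader(new URL[] { url });
            printSuccess(out, false);
        }
        catch (SecurityException e)
        {
            printFailure(out, e, false);
        }

        out.println(" </p><br/><br/>");
    }

    /**
     * Probes that logging through the Jetty logger is allowed while direct
     * access to the request log file is denied.
     *
     * @param out the report stream
     * @throws IOException if the report cannot be written
     */
    private void runLoggingChecks(ServletOutputStream out) throws IOException
    {
        // Heading fixed: the original reused "Checking File System" from the method below.
        out.println(" <h1>Checking Logging</h1>");
        out.println(" <p>");

        out.println("check ability to log<br/>");
        try
        {
            LOG.info("testing logging");
            printSuccess(out, true);
        }
        catch (SecurityException e)
        {
            printFailure(out, e, true);
        }

        // Calendar.MONTH is zero-based; the original name is kept so the probed path
        // does not change.
        Calendar today = new GregorianCalendar();
        String logFile = today.get(Calendar.YEAR) + "_" + today.get(Calendar.MONTH) + "_" + today.get(Calendar.DAY_OF_MONTH) + ".request.log";
        File requestLog = new File(jettyHome(), "logs" + File.separator + logFile);
        checkFileAccess(out, "check ability to access log file directly", requestLog, false, false);

        out.println(" </p><br/><br/>");
    }

    /**
     * Probes read and write access to the Jetty home tree. Only reading the
     * policy file is expected to be allowed; every other access should be denied.
     *
     * @param out the report stream
     * @throws IOException if the report cannot be written
     */
    private void runFileSystemChecks(ServletOutputStream out) throws IOException
    {
        out.println(" <h1>Checking File System</h1>");
        out.println(" <p>");

        File home = new File(jettyHome());
        File lib = new File(home, "lib");
        File policy = new File(lib, "policy" + File.separator + "jetty.policy");
        File logs = new File(home, "logs");

        checkFileAccess(out, "check read for $jetty.home/lib/policy/jetty.policy", policy, false, true);
        checkFileAccess(out, "check write permission for $jetty.home/lib/policy/jetty.policy", policy, true, false);
        checkFileAccess(out, "check read permission for $jetty.home/lib", lib, false, false);
        checkFileAccess(out, "check write permission for $jetty.home/lib", lib, true, false);
        checkFileAccess(out, "check read permission for $jetty.home", home, false, false);
        checkFileAccess(out, "check write permission for $jetty.home", home, true, false);
        checkFileAccess(out, "check read permission for $jetty.home/logs", logs, false, false);
        // Label fixed: the original announced a read check while calling canWrite().
        checkFileAccess(out, "check write permission for $jetty.home/logs", logs, true, false);

        out.println(" </p><br/><br/>");
    }

    /**
     * Probes system property access for a read-only property, a read/write
     * property and a property the policy does not declare at all.
     *
     * @param out the report stream
     * @throws IOException if the report cannot be written
     */
    private void runPropertyChecks(ServletOutputStream out) throws IOException
    {
        out.println(" <h1>Checking Properties</h1>");

        out.println(" <h3>Declared Property - read</h3>");
        out.println(" <p>");
        checkPropertyRead(out, "__ALLOWED_READ_PROPERTY", true);
        checkPropertyWrite(out, "__ALLOWED_READ_PROPERTY", false);
        out.println(" </p><br/><br/>");

        out.println(" <h3>Declared Property - read/write</h3>");
        out.println(" <p>");
        checkPropertyRead(out, "__ALLOWED_WRITE_PROPERTY", true);
        checkPropertyWrite(out, "__ALLOWED_WRITE_PROPERTY", true);
        out.println(" </p><br/><br/>");

        // Neither access to an undeclared property is granted. The original reported a
        // successful read here as "expected", contradicting its own "FAILURE - expected".
        out.println(" <h3>checking forbidden properties</h3>");
        out.println(" <p>");
        checkPropertyRead(out, "__UNDECLARED_PROPERTY", false);
        checkPropertyWrite(out, "__UNDECLARED_PROPERTY", false);
        out.println(" </p><br/><br/>");
    }

    /**
     * Returns the directory the report treats as {@code $jetty.home}, which is
     * the working directory ({@code user.dir}) of the server process.
     */
    private static String jettyHome()
    {
        return System.getProperty("user.dir");
    }

    /**
     * Runs one file access probe and reports its outcome.
     *
     * @param out             the report stream
     * @param description     label printed before the status line
     * @param target          the file or directory to probe
     * @param write           probe write access when {@code true}, read access otherwise
     * @param successExpected whether the policy is expected to allow the access
     * @throws IOException if the report cannot be written
     */
    private static void checkFileAccess(ServletOutputStream out, String description, File target, boolean write, boolean successExpected) throws IOException
    {
        out.println(description + "<br/>");
        try
        {
            // The boolean result is irrelevant: only the SecurityManager's decision matters.
            if (write)
                target.canWrite();
            else
                target.canRead();
            printSuccess(out, successExpected);
        }
        catch (SecurityException e)
        {
            printFailure(out, e, successExpected);
        }
    }

    /**
     * Runs one system property read probe and reports its outcome.
     *
     * @param out             the report stream
     * @param name            the property name
     * @param successExpected whether the policy is expected to allow the read
     * @throws IOException if the report cannot be written
     */
    private static void checkPropertyRead(ServletOutputStream out, String name, boolean successExpected) throws IOException
    {
        out.println("check read permission for " + name + "<br/>");
        try
        {
            System.getProperty(name);
            printSuccess(out, successExpected);
        }
        catch (SecurityException e)
        {
            printFailure(out, e, successExpected);
        }
    }

    /**
     * Runs one system property write probe and reports its outcome. The status
     * text is written as the property value and read back, so the printed status
     * demonstrates that the write took effect.
     *
     * @param out             the report stream
     * @param name            the property name
     * @param successExpected whether the policy is expected to allow the write
     * @throws IOException if the report cannot be written
     */
    private static void checkPropertyWrite(ServletOutputStream out, String name, boolean successExpected) throws IOException
    {
        out.println("check write permission for " + name + "<br/>");
        try
        {
            String status = "SUCCESS - " + (successExpected ? "expected" : "unexpected");
            System.setProperty(name, status);
            out.println("status: <b>" + System.getProperty(name) + "</b><br/>");
        }
        catch (SecurityException e)
        {
            printFailure(out, e, successExpected);
        }
    }

    /** Prints the status line for a probe that was allowed. */
    private static void printSuccess(ServletOutputStream out, boolean successExpected) throws IOException
    {
        out.println("status: <b>SUCCESS - " + (successExpected ? "expected" : "unexpected") + "</b><br/>");
    }

    /**
     * Prints the status line for a probe that was denied. Only an unexpected
     * denial gets the trace rendered in the report, so the reason is visible.
     */
    private static void printFailure(ServletOutputStream out, SecurityException e, boolean successExpected) throws IOException
    {
        out.println("status: <b>FAILURE - " + (successExpected ? "unexpected" : "expected") + "</b><br/>");
        if (successExpected)
        {
            out.println("<table><tr><td>");
            e.printStackTrace(new PrintStream(out));
            out.println("</td></tr></table>");
        }
    }
}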