
1   //
2   //  ========================================================================
3   //  Copyright (c) 1995-2013 Mort Bay Consulting Pty. Ltd.
4   //  ------------------------------------------------------------------------
5   //  All rights reserved. This program and the accompanying materials
6   //  are made available under the terms of the Eclipse Public License v1.0
7   //  and Apache License v2.0 which accompanies this distribution.
8   //
9   //      The Eclipse Public License is available at
10  //      http://www.eclipse.org/legal/epl-v10.html
11  //
12  //      The Apache License v2.0 is available at
13  //      http://www.opensource.org/licenses/apache2.0.php
14  //
15  //  You may elect to redistribute this code under either of these licenses.
16  //  ========================================================================
17  //
18  
19  package com.acme;
20  
21  import java.io.File;
22  import java.io.IOException;
23  import java.io.PrintStream;
24  import java.net.URL;
25  import java.net.URLClassLoader;
26  import java.util.Calendar;
27  import java.util.GregorianCalendar;
28  
29  import javax.servlet.ServletConfig;
30  import javax.servlet.ServletException;
31  import javax.servlet.ServletOutputStream;
32  import javax.servlet.http.HttpServlet;
33  import javax.servlet.http.HttpServletRequest;
34  import javax.servlet.http.HttpServletResponse;
35  
36  import org.eclipse.jetty.util.log.Log;
37  import org.eclipse.jetty.util.log.Logger;
38  
39  
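/* ------------------------------------------------------------ */
/**
 * Test servlet that probes what the active {@link SecurityManager} policy
 * lets webapp code do, and writes the outcome of each probe as HTML.
 * <p>
 * Every probe attempts one operation (system property read/write, file
 * read/write permission query, logging, classloader creation) and catches
 * {@link SecurityException}. The status line has two parts:
 * <ul>
 * <li>{@code SUCCESS} / {@code FAILURE} - whether the operation was permitted;</li>
 * <li>{@code expected} / {@code unexpected} - whether that outcome matches the
 * policy this servlet was written against.</li>
 * </ul>
 * An {@code unexpected} line therefore means the effective policy differs
 * from the intended one.
 * <p>
 * Notes for whoever deploys this:
 * <ul>
 * <li>The file probes are labelled {@code $jetty.home} but the paths are built
 * from the {@code user.dir} system property, so the report is only meaningful
 * when the JVM's working directory is the Jetty home directory.</li>
 * <li>The property write probes call {@link System#setProperty}; where the
 * policy permits the write, the JVM-wide property really is changed.</li>
 * <li>Stack traces are written into the HTTP response. This is a diagnostic
 * page for a test webapp, not something to expose on a production server.</li>
 * </ul>
 */
public class SecureModeServlet extends HttpServlet
{
    private static final Logger LOG = Log.getLogger(SecureModeServlet.class);

    /* ------------------------------------------------------------ */
    /**
     * Delegates to {@link HttpServlet#init(ServletConfig)}; no extra setup is done.
     *
     * @param config the servlet configuration supplied by the container
     * @throws ServletException if the superclass initialisation fails
     */
    @Override
    public void init(ServletConfig config) throws ServletException
    {
        super.init(config);
    }

    /* ------------------------------------------------------------ */
    /**
     * Handles POST exactly like GET.
     *
     * @param request the incoming request (not inspected)
     * @param response the response the report is written to
     * @throws ServletException declared by the servlet API
     * @throws IOException if writing the report fails
     */
    @Override
    public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException
    {
        doGet(request, response);
    }

    /* ------------------------------------------------------------ */
    /**
     * Runs all probe groups and writes the HTML report.
     * <p>
     * The request is never read, so the report depends only on the JVM's
     * security policy and environment.
     *
     * @param request the incoming request (not inspected)
     * @param response the response the report is written to
     * @throws ServletException declared by the servlet API
     * @throws IOException if writing the report fails
     */
    @Override
    public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException
    {
        response.setContentType("text/html");
        ServletOutputStream out = response.getOutputStream();
        out.println("<html>");
        out.println("  <title>Secure Jetty Test Webapp</title>");

        try
        {
            runPropertyChecks(out);
            runFileSystemChecks(out);
            runLoggingChecks(out);
            runClassloaderChecks(out);
        }
        catch (Exception e)
        {
            // Anything a probe did not handle itself (including a SecurityException
            // thrown outside a probe's try block) aborts the remaining groups and
            // is dumped into the page. Diagnostic output only: it discloses
            // internal class names and paths to whoever can reach this servlet.
            e.printStackTrace(new PrintStream(out));
        }
        out.println("</html>");
        out.flush();

        try
        {
            // NOTE(review): the reason for this pause is not evident from this file.
            Thread.sleep(200);
        }
        catch (InterruptedException e)
        {
            getServletContext().log("exception",e);
            // Restore the interrupt flag so the container's thread handling still sees it.
            Thread.currentThread().interrupt();
        }
    }

    /**
     * Probes whether webapp code may create a classloader.
     * <p>
     * Constructing a {@link URLClassLoader} performs the SecurityManager's
     * create-classloader check, so the URL is never contacted for this probe
     * to be meaningful. Being allowed is reported as unexpected.
     *
     * @param out stream the report fragment is written to
     * @throws Exception if writing fails or the URL literal is rejected
     */
    private void runClassloaderChecks(ServletOutputStream out) throws Exception
    {
        out.println("    <h1>Checking Classloader Setup</h1>");
        out.println("      <p>");

        // Result is unused. The call still performs a property-read permission
        // check outside the try block below, so a denial here propagates to doGet.
        System.getProperty("user.dir");
        try
        {
            out.println("check ability to create classloader<br/>");
            URL url = new URL("http://not.going.to.work");
            new URLClassLoader(new URL[] { url });
            out.println("status: <b>SUCCESS - unexpected</b><br/>");
        }
        catch (SecurityException e)
        {
            out.println("status: <b>FAILURE - expected</b><br/>");
        }

        out.println("      </p><br/><br/>");
    }

    /**
     * Probes logging: the webapp should be able to log through the Jetty
     * logger, but should not be able to touch the request log file itself.
     *
     * @param out stream the report fragment is written to
     * @throws Exception if writing the report fails
     */
    private void runLoggingChecks(ServletOutputStream out) throws Exception
    {
        // Heading previously duplicated the file system section's title.
        out.println("    <h1>Checking Logging</h1>");
        out.println("      <p>");

        String userDir = System.getProperty("user.dir");
        try
        {
            out.println("check ability to log<br/>");
            LOG.info("testing logging");
            out.println("status: <b>SUCCESS - expected</b><br/>");
        }
        catch (SecurityException e)
        {
            printUnexpectedFailure(out,e);
        }

        Calendar c = new GregorianCalendar();
        // NOTE(review): Calendar.MONTH is zero-based and nothing here is
        // zero-padded, so this name probably does not match the request log
        // that is actually on disk - confirm against the server's log naming.
        // File.canRead() consults the SecurityManager with the path before
        // touching the disk, so the probe still exercises the policy for
        // files under logs/.
        String logFile = c.get(Calendar.YEAR) + "_" + c.get(Calendar.MONTH) + "_" + c.get(Calendar.DAY_OF_MONTH) + ".request.log";
        probeFile(out,
            "check ability to access log file directly<br/>",
            new File(userDir + File.separator + "logs" + File.separator + logFile),
            false,
            false);

        out.println("      </p><br/><br/>");
    }

    /**
     * Probes read and write permission on the policy file, {@code lib},
     * the home directory and {@code logs}.
     * <p>
     * Only reading {@code lib/policy/jetty.policy} is expected to be allowed;
     * every other probe is expected to be denied.
     *
     * @param out stream the report fragment is written to
     * @throws Exception if writing the report fails
     */
    private void runFileSystemChecks(ServletOutputStream out) throws Exception
    {
        out.println("    <h1>Checking File System</h1>");

        out.println("      <p>");

        String userDir = System.getProperty("user.dir");
        String sep = File.separator;

        String policyPath = userDir + sep + "lib" + sep + "policy" + sep + "jetty.policy";
        probeFile(out,"check read for $jetty.home/lib/policy/jetty.policy<br/>",new File(policyPath),false,true);
        probeFile(out,"check write permission for $jetty.home/lib/policy/jetty.policy<br/>",new File(policyPath),true,false);

        String libPath = userDir + sep + "lib";
        probeFile(out,"check read permission for $jetty.home/lib<br/>",new File(libPath),false,false);
        probeFile(out,"check write permission for $jetty.home/lib<br/>",new File(libPath),true,false);

        String homePath = userDir + sep;
        probeFile(out,"check read permission for $jetty.home<br/>",new File(homePath),false,false);
        probeFile(out,"check write permission for $jetty.home<br/>",new File(homePath),true,false);

        probeFile(out,"check read permission for $jetty.home/logs<br/>",new File(userDir + sep + "logs" + sep),false,false);
        // This probe calls canWrite(); its label used to say "read", which made
        // the report show two identical lines for different checks.
        probeFile(out,"check write permission for $jetty.home/logs<br/>",new File(userDir + sep + "logs"),true,false);

        out.println("      </p><br/><br/>");
    }

    /**
     * Probes system property access for a read-only property, a read/write
     * property and a property the policy does not mention.
     *
     * @param out stream the report fragment is written to
     * @throws IOException if writing the report fails
     */
    private void runPropertyChecks(ServletOutputStream out) throws IOException
    {
        out.println("    <h1>Checking Properties</h1>");

        /*
         * Property that may be read but not written.
         */
        out.println("    <h3>Declared Property - read</h3>");
        out.println("      <p>");
        try
        {
            out.println("check read permission for __ALLOWED_READ_PROPERTY <br/>");
            System.getProperty("__ALLOWED_READ_PROPERTY");
            out.println("status: <b>SUCCESS - expected</b><br/>");
        }
        catch (SecurityException e)
        {
            printUnexpectedFailure(out,e);
        }
        try
        {
            out.println("check write permission for __ALLOWED_READ_PROPERTY<br/>");
            // The value written doubles as the status text printed when the
            // write was (wrongly) permitted.
            System.setProperty("__ALLOWED_READ_PROPERTY","SUCCESS - unexpected");
            String value = System.getProperty("__ALLOWED_READ_PROPERTY");
            out.println("status: <b>" + value + "</b><br/>");
        }
        catch (SecurityException e)
        {
            out.println("status: <b>FAILURE - expected</b><br/>");
        }

        out.println("      </p><br/><br/>");

        /*
         * Property that may be both read and written.
         */
        out.println("    <h3>Declared Property - read/write</h3>");
        out.println("      <p>");
        try
        {
            out.println("check read permission for __ALLOWED_WRITE_PROPERTY<br/>");
            System.getProperty("__ALLOWED_WRITE_PROPERTY");
            out.println("Status: <b>SUCCESS - expected</b><br/>");
        }
        catch (SecurityException e)
        {
            printUnexpectedFailure(out,e);
        }
        try
        {
            out.println("check write permission for __ALLOWED_WRITE_PROPERTY<br/>");
            System.setProperty("__ALLOWED_WRITE_PROPERTY","SUCCESS - expected");
            String value = System.getProperty("__ALLOWED_WRITE_PROPERTY");
            out.println("status: <b>" + value + "</b><br/>");
        }
        catch (SecurityException e)
        {
            printUnexpectedFailure(out,e);
        }

        out.println("      </p><br/><br/>");

        /*
         * Property the policy does not declare at all.
         */
        out.println("    <h3>checking forbidden properties</h3>");
        out.println("      <p>");
        try
        {
            out.println("check read permission for __UNDECLARED_PROPERTY: <br/>");
            System.getProperty("__UNDECLARED_PROPERTY");
            // NOTE(review): both branches of this probe report "expected", so it
            // can never flag a policy that is looser or tighter than intended.
            // Confirm which outcome the policy is meant to produce and mark the
            // other one "unexpected".
            out.println("status: <b>SUCCESS - expected</b><br/>");
        }
        catch (SecurityException e)
        {
            out.println("status: <b>FAILURE - expected</b><br/>");
        }
        try
        {
            out.println("check write permission for __UNDECLARED_PROPERTY: <br/>");
            System.setProperty("__UNDECLARED_PROPERTY","SUCCESS - unexpected");
            String value = System.getProperty("__UNDECLARED_PROPERTY");
            out.println("status: <b>" + value + "</b><br/>");
        }
        catch (SecurityException e)
        {
            out.println("status: <b>FAILURE - expected</b><br/>");
        }

        out.println("      </p><br/><br/>");
    }

    /**
     * Runs one file permission probe and prints its label and status line.
     * <p>
     * The boolean returned by {@code canRead()}/{@code canWrite()} is ignored:
     * the probe only records whether the SecurityManager threw.
     *
     * @param out stream the report fragment is written to
     * @param label HTML line describing the probe, printed as is
     * @param target path whose permission is queried
     * @param write {@code true} to query write access, {@code false} for read access
     * @param allowed {@code true} if the policy is expected to permit the query
     * @throws IOException if writing the report fails
     */
    private void probeFile(ServletOutputStream out, String label, File target, boolean write, boolean allowed) throws IOException
    {
        try
        {
            out.println(label);
            if (write)
            {
                target.canWrite();
            }
            else
            {
                target.canRead();
            }
            out.println(allowed ? "status: <b>SUCCESS - expected</b><br/>" : "status: <b>SUCCESS - unexpected</b><br/>");
        }
        catch (SecurityException e)
        {
            if (allowed)
            {
                printUnexpectedFailure(out,e);
            }
            else
            {
                out.println("status: <b>FAILURE - expected</b><br/>");
            }
        }
    }

    /**
     * Prints the status line for an operation that should have been permitted
     * but was denied, followed by the stack trace in a one-cell table.
     *
     * @param out stream the report fragment is written to
     * @param e the denial raised by the SecurityManager
     * @throws IOException if writing the report fails
     */
    private void printUnexpectedFailure(ServletOutputStream out, SecurityException e) throws IOException
    {
        out.println("status: <b>FAILURE - unexpected</b><br/>");
        out.println("<table><tr><td>");
        e.printStackTrace(new PrintStream(out));
        out.println("</td></tr></table>");
    }
}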