19 package com.acme;
20
21 import java.io.File;
22 import java.io.IOException;
23 import java.io.PrintStream;
24 import java.net.URL;
25 import java.net.URLClassLoader;
26 import java.util.Calendar;
27 import java.util.GregorianCalendar;
28
29 import javax.servlet.ServletConfig;
30 import javax.servlet.ServletException;
31 import javax.servlet.ServletOutputStream;
32 import javax.servlet.http.HttpServlet;
33 import javax.servlet.http.HttpServletRequest;
34 import javax.servlet.http.HttpServletResponse;
35
36 import org.eclipse.jetty.util.log.Log;
37 import org.eclipse.jetty.util.log.Logger;
38
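/**
 * Diagnostic page for a Jetty instance started under a SecurityManager with a
 * restrictive policy (the output labels refer to {@code $jetty.home/lib/policy/jetty.policy}).
 *
 * <p>Every request renders an HTML report: each section attempts a privileged
 * operation (system-property access, file-system access, logging, class-loader
 * creation) and records whether it completed or was rejected with a
 * {@link SecurityException}, and whether that outcome is the one the policy is
 * meant to produce ("expected" / "unexpected").
 *
 * <p>This is a diagnostic page, not a production endpoint: on an unexpected
 * denial, or on any other exception, the stack trace is written straight into
 * the response body so a mis-configured policy can be debugged from a browser.
 */
public class SecureModeServlet extends HttpServlet
{
    private static final Logger LOG = Log.getLogger(SecureModeServlet.class);

    // Outcome markers. "expected"/"unexpected" is relative to what the policy is
    // supposed to permit, so a SecurityException can be either.
    private static final String SUCCESS_EXPECTED = "status: <b>SUCCESS - expected</b><br/>";
    private static final String SUCCESS_UNEXPECTED = "status: <b>SUCCESS - unexpected</b><br/>";
    private static final String FAILURE_EXPECTED = "status: <b>FAILURE - expected</b><br/>";
    private static final String FAILURE_UNEXPECTED = "status: <b>FAILURE - unexpected</b><br/>";

    /** No servlet-specific initialisation; delegates to {@link HttpServlet#init(ServletConfig)}. */
    @Override
    public void init(ServletConfig config) throws ServletException
    {
        super.init(config);
    }

    /** POST renders the same report as GET; the request body is ignored. */
    @Override
    public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException
    {
        doGet(request, response);
    }

    /**
     * Renders the report.
     *
     * <p>Each section handles the {@link SecurityException}s it probes for and
     * writes its own outcome. Anything else escaping a section (for example a
     * denied read of the {@code user.dir} property, which the file-system and
     * logging sections read outside their own try blocks) aborts the remaining
     * sections and is printed into the page.
     *
     * @param request  the incoming request; not inspected
     * @param response the response; content type is set to {@code text/html}
     * @throws IOException if writing to the response fails
     */
    @Override
    public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException
    {
        response.setContentType("text/html");
        ServletOutputStream out = response.getOutputStream();
        out.println("<html>");
        out.println(" <title>Secure Jetty Test Webapp</title>");

        try
        {
            runPropertyChecks(out);
            runFileSystemChecks(out);
            runLoggingChecks(out);
            runClassloaderChecks(out);
        }
        catch (Exception e)
        {
            // Deliberate for a diagnostic page: the trace is the only way to see
            // which permission was missing. Not appropriate outside a test deployment.
            e.printStackTrace(new PrintStream(out));
        }
        out.println("</html>");
        out.flush();

        try
        {
            // NOTE(review): the purpose of this pause is not evident from this
            // file; presumably it gives the container time to flush before the
            // request completes — confirm before removing.
            Thread.sleep(200);
        }
        catch (InterruptedException e)
        {
            getServletContext().log("exception",e);
            // Restore the flag so the container's thread sees the interruption.
            Thread.currentThread().interrupt();
        }
    }

    /**
     * Attempts to create a {@link URLClassLoader}; the policy is expected to deny
     * this. The URL is never dereferenced — only the constructor's permission
     * check matters — so an unreachable host is fine, and the loader is discarded.
     *
     * @param out the report stream
     * @throws IOException if writing to the response fails
     */
    private void runClassloaderChecks(ServletOutputStream out) throws IOException
    {
        out.println(" <h1>Checking Classloader Setup</h1>");
        out.println(" <p>");

        try
        {
            out.println("check ability to create classloader<br/>");
            URL url = new URL("http://not.going.to.work");
            new URLClassLoader(new URL[] { url });
            out.println(SUCCESS_UNEXPECTED);
        }
        catch (SecurityException e)
        {
            out.println(FAILURE_EXPECTED);
        }

        out.println(" </p><br/><br/>");
    }

    /**
     * Checks that the webapp may log through Jetty's logger (expected to be
     * allowed) but may not read the request log file directly (expected to be
     * denied).
     *
     * @param out the report stream
     * @throws IOException if writing to the response fails
     */
    private void runLoggingChecks(ServletOutputStream out) throws IOException
    {
        out.println(" <h1>Checking Logging</h1>");
        out.println(" <p>");

        // Labels below say $jetty.home but the path is built from user.dir, i.e.
        // this assumes the JVM was started from jetty.home.
        String userDir = System.getProperty("user.dir");
        try
        {
            out.println("check ability to log<br/>");
            LOG.info("testing logging");
            out.println(SUCCESS_EXPECTED);
        }
        catch (SecurityException e)
        {
            reportUnexpectedFailure(out, e);
        }

        Calendar c = new GregorianCalendar();
        // Calendar.MONTH is zero-based and none of the fields are zero-padded, so
        // this name need not match an existing request log; the probe below is
        // about whether the read is permitted, not whether the file exists.
        String logFile = c.get(Calendar.YEAR) + "_" + c.get(Calendar.MONTH) + "_" + c.get(Calendar.DAY_OF_MONTH) + ".request.log";
        checkAccessDenied(out, "check ability to access log file directly<br/>", new File(new File(userDir, "logs"), logFile), false);

        out.println(" </p><br/><br/>");
    }

    /**
     * Probes read/write access to the policy file, {@code lib}, {@code logs} and
     * {@code $jetty.home} itself. Only the read of the policy file is expected to
     * be allowed; every other access is expected to be denied.
     *
     * @param out the report stream
     * @throws IOException if writing to the response fails
     */
    private void runFileSystemChecks(ServletOutputStream out) throws IOException
    {
        out.println(" <h1>Checking File System</h1>");
        out.println(" <p>");

        // Labels below say $jetty.home but the paths are built from user.dir, i.e.
        // this assumes the JVM was started from jetty.home. A denied read of
        // user.dir surfaces through doGet's catch-all.
        File jettyHome = new File(System.getProperty("user.dir"));
        File lib = new File(jettyHome, "lib");
        File policy = new File(new File(lib, "policy"), "jetty.policy");
        File logs = new File(jettyHome, "logs");

        try
        {
            out.println("check read for $jetty.home/lib/policy/jetty.policy<br/>");
            policy.canRead();
            out.println(SUCCESS_EXPECTED);
        }
        catch (SecurityException e)
        {
            reportUnexpectedFailure(out, e);
        }

        checkAccessDenied(out, "check write permission for $jetty.home/lib/policy/jetty.policy<br/>", policy, true);
        checkAccessDenied(out, "check read permission for $jetty.home/lib<br/>", lib, false);
        checkAccessDenied(out, "check write permission for $jetty.home/lib<br/>", lib, true);
        checkAccessDenied(out, "check read permission for $jetty.home<br/>", jettyHome, false);
        checkAccessDenied(out, "check write permission for $jetty.home<br/>", jettyHome, true);
        checkAccessDenied(out, "check read permission for $jetty.home/logs<br/>", logs, false);
        checkAccessDenied(out, "check write permission for $jetty.home/logs<br/>", logs, true);

        out.println(" </p><br/><br/>");
    }

    /**
     * Probes system-property access for a read-only declared property, a
     * read/write declared property and an undeclared one. Note that a permitted
     * {@code System.setProperty} really does change the JVM-wide property; the
     * marker text written into it is what the following read shows.
     *
     * @param out the report stream
     * @throws IOException if writing to the response fails
     */
    private void runPropertyChecks(ServletOutputStream out) throws IOException
    {
        out.println(" <h1>Checking Properties</h1>");

        out.println(" <h3>Declared Property - read</h3>");
        out.println(" <p>");
        try
        {
            out.println("check read permission for __ALLOWED_READ_PROPERTY <br/>");
            System.getProperty("__ALLOWED_READ_PROPERTY");
            out.println(SUCCESS_EXPECTED);
        }
        catch (SecurityException e)
        {
            reportUnexpectedFailure(out, e);
        }
        try
        {
            out.println("check write permission for __ALLOWED_READ_PROPERTY<br/>");
            System.setProperty("__ALLOWED_READ_PROPERTY","SUCCESS - unexpected");
            String value = System.getProperty("__ALLOWED_READ_PROPERTY");
            out.println("status: <b>" + value + "</b><br/>");
        }
        catch (SecurityException e)
        {
            out.println(FAILURE_EXPECTED);
        }

        out.println(" </p><br/><br/>");

        out.println(" <h3>Declared Property - read/write</h3>");
        out.println(" <p>");
        try
        {
            out.println("check read permission for __ALLOWED_WRITE_PROPERTY<br/>");
            System.getProperty("__ALLOWED_WRITE_PROPERTY");
            out.println(SUCCESS_EXPECTED);
        }
        catch (SecurityException e)
        {
            reportUnexpectedFailure(out, e);
        }
        try
        {
            out.println("check write permission for __ALLOWED_WRITE_PROPERTY<br/>");
            System.setProperty("__ALLOWED_WRITE_PROPERTY","SUCCESS - expected");
            String value = System.getProperty("__ALLOWED_WRITE_PROPERTY");
            out.println("status: <b>" + value + "</b><br/>");
        }
        catch (SecurityException e)
        {
            reportUnexpectedFailure(out, e);
        }

        out.println(" </p><br/><br/>");

        out.println(" <h3>checking forbidden properties</h3>");
        out.println(" <p>");
        try
        {
            out.println("check read permission for __UNDECLARED_PROPERTY: <br/>");
            System.getProperty("__UNDECLARED_PROPERTY");
            // NOTE(review): both outcomes of this probe are labelled "expected",
            // unlike every other section. If the policy is meant to deny reads of
            // undeclared properties this should be SUCCESS_UNEXPECTED — confirm
            // against jetty.policy.
            out.println(SUCCESS_EXPECTED);
        }
        catch (SecurityException e)
        {
            out.println(FAILURE_EXPECTED);
        }
        try
        {
            out.println("check write permission for __UNDECLARED_PROPERTY: <br/>");
            System.setProperty("__UNDECLARED_PROPERTY","SUCCESS - unexpected");
            String value = System.getProperty("__UNDECLARED_PROPERTY");
            out.println("status: <b>" + value + "</b><br/>");
        }
        catch (SecurityException e)
        {
            out.println(FAILURE_EXPECTED);
        }

        out.println(" </p><br/><br/>");
    }

    /**
     * Probes read or write access to {@code target} where the policy is expected
     * to deny it. {@link File#canRead()} and {@link File#canWrite()} consult the
     * SecurityManager before touching the file system, so the probe is meaningful
     * even when the file does not exist; the boolean result is irrelevant and
     * discarded.
     *
     * @param out         the report stream
     * @param description label written before the probe (HTML fragment)
     * @param target      file or directory to probe
     * @param write       {@code true} to probe write access, {@code false} for read
     * @throws IOException if writing to the response fails
     */
    private static void checkAccessDenied(ServletOutputStream out, String description, File target, boolean write) throws IOException
    {
        try
        {
            out.println(description);
            if (write)
            {
                target.canWrite();
            }
            else
            {
                target.canRead();
            }
            out.println(SUCCESS_UNEXPECTED);
        }
        catch (SecurityException e)
        {
            out.println(FAILURE_EXPECTED);
        }
    }

    /**
     * Writes the "denied, but should have been allowed" outcome together with the
     * exception's stack trace, so the missing permission can be read off the page.
     *
     * @param out the report stream
     * @param e   the unexpected denial
     * @throws IOException if writing to the response fails
     */
    private static void reportUnexpectedFailure(ServletOutputStream out, SecurityException e) throws IOException
    {
        out.println(FAILURE_UNEXPECTED);
        out.println("<table><tr><td>");
        e.printStackTrace(new PrintStream(out));
        out.println("</td></tr></table>");
    }
}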