19 package com.acme;
20
21 import java.io.File;
22 import java.io.IOException;
23 import java.io.PrintStream;
24 import java.net.URL;
25 import java.net.URLClassLoader;
26 import java.util.Calendar;
27 import java.util.GregorianCalendar;
28 import javax.servlet.ServletConfig;
29 import javax.servlet.ServletException;
30 import javax.servlet.ServletOutputStream;
31 import javax.servlet.http.HttpServlet;
32 import javax.servlet.http.HttpServletRequest;
33 import javax.servlet.http.HttpServletResponse;
34
35 import org.eclipse.jetty.util.log.Log;
36 import org.eclipse.jetty.util.log.Logger;
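/**
 * Diagnostic servlet that probes what the running JVM allows a webapp to do and
 * renders the results as an HTML page titled "Secure Jetty Test Webapp".
 *
 * <p>Each probe performs one sensitive operation (system property read/write,
 * {@link File#canRead()}/{@link File#canWrite()}, logging, class loader creation)
 * and reports only whether a {@link SecurityException} was thrown. The boolean
 * results of {@code canRead()}/{@code canWrite()} are deliberately ignored, so the
 * page reflects security-policy decisions and not operating-system file
 * permissions. When no exception is thrown (for example because no security
 * manager is installed) every probe reports {@code SUCCESS}.
 *
 * <p>Review notes for anyone deploying this class:
 * <ul>
 * <li>Unexpected failures write full stack traces into the HTTP response, which
 * discloses class names and internal paths to whoever can reach the URL.</li>
 * <li>The property probes call {@link System#setProperty(String, String)}; where the
 * policy allows the write, the value stays set JVM-wide after the request.</li>
 * <li>Both GET and POST run the probes and no authentication is visible in this
 * class, so access control has to come from the deployment.</li>
 * </ul>
 */
@SuppressWarnings("serial")
public class SecureModeServlet extends HttpServlet
{
    private static final Logger LOG = Log.getLogger(SecureModeServlet.class);

    /**
     * Delegates to the superclass; the servlet keeps no configuration of its own.
     *
     * @param config the servlet configuration supplied by the container
     * @throws ServletException if the superclass initialisation fails
     */
    @Override
    public void init(ServletConfig config) throws ServletException
    {
        super.init(config);
    }

    /**
     * Handles POST exactly like GET.
     *
     * @param request the incoming request (not inspected)
     * @param response the response the report is written to
     * @throws ServletException declared by the servlet contract
     * @throws IOException if writing the response fails
     */
    @Override
    public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException
    {
        doGet(request, response);
    }

    /**
     * Runs all probes in order (properties, file system, logging, class loader) and
     * writes the HTML report. The request itself is never read.
     *
     * @param request the incoming request (not inspected)
     * @param response the response the report is written to
     * @throws ServletException declared by the servlet contract
     * @throws IOException if writing the response fails
     */
    @Override
    public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException
    {
        response.setContentType("text/html");
        ServletOutputStream out = response.getOutputStream();
        out.println("<html>");
        out.println(" <title>Secure Jetty Test Webapp</title>");

        try
        {
            runPropertyChecks(out);

            runFileSystemChecks(out);

            runLoggingChecks(out);

            runClassloaderChecks(out);
        }
        catch (Exception e)
        {
            // Anything the probes did not handle themselves aborts the remaining probes.
            // The trace goes to the client: acceptable for a test page, an information
            // leak anywhere else.
            e.printStackTrace(new PrintStream(out));
        }
        out.println("</html>");
        out.flush();

        try
        {
            // NOTE(review): the reason for this pause is not visible in this file.
            Thread.sleep(200);
        }
        catch (InterruptedException e)
        {
            getServletContext().log("exception",e);
            // Restore the flag so the container thread still sees the interruption.
            Thread.currentThread().interrupt();
        }
    }

    /**
     * Writes the "unexpected failure" status followed by the stack trace of the
     * denial, wrapped in a one-cell table.
     *
     * @param out the response stream
     * @param e the denial raised by the probe
     * @throws IOException if writing the response fails
     */
    private void printUnexpectedFailure(ServletOutputStream out, SecurityException e) throws IOException
    {
        out.println("status: <b>FAILURE - unexpected</b><br/>");
        out.println("<table><tr><td>");
        // Stack trace is sent to the client on purpose so the tester can see which
        // permission check failed; see the class-level review notes.
        e.printStackTrace(new PrintStream(out));
        out.println("</td></tr></table>");
    }

    /**
     * Probes whether the webapp may create its own class loader; a denial is the
     * expected outcome.
     *
     * @param out the response stream
     * @throws Exception if the probe URL cannot be built or the response cannot be written
     */
    private void runClassloaderChecks(ServletOutputStream out) throws Exception
    {
        out.println(" <h1>Checking Classloader Setup</h1>");
        out.println(" <p>");

        try
        {
            out.println("check ability to create classloader<br/>");
            URL url = new URL("http://not.going.to.work");
            // Only the constructor's permission check matters; nothing is loaded from
            // the URL and the loader is discarded.
            new URLClassLoader(new URL[] { url });
            out.println("status: <b>SUCCESS - unexpected</b><br/>");
        }
        catch (SecurityException e)
        {
            out.println("status: <b>FAILURE - expected</b><br/>");
        }

        out.println(" </p><br/><br/>");
    }

    /**
     * Probes that logging through the Jetty logger works and that the request log
     * file cannot be accessed directly.
     *
     * @param out the response stream
     * @throws Exception if writing the response fails or {@code user.dir} cannot be read
     */
    private void runLoggingChecks(ServletOutputStream out) throws Exception
    {
        // Heading corrected: it previously repeated the file-system section's title.
        out.println(" <h1>Checking Logging</h1>");
        out.println(" <p>");

        String userDir = System.getProperty("user.dir");
        try
        {
            out.println("check ability to log<br/>");
            LOG.info("testing logging");
            out.println("status: <b>SUCCESS - expected</b><br/>");
        }
        catch (SecurityException e)
        {
            printUnexpectedFailure(out,e);
        }

        try
        {
            Calendar c = new GregorianCalendar();

            // NOTE(review): Calendar.MONTH is zero-based and the fields are not
            // zero-padded, so this name probably differs from the real request log
            // file; confirm against the server's request-log configuration.
            String logFile = c.get(Calendar.YEAR) + "_" + c.get(Calendar.MONTH) + "_" + c.get(Calendar.DAY_OF_MONTH) + ".request.log";

            out.println("check ability to access log file directly<br/>");
            File jettyHomeFile = new File(userDir + File.separator + "logs" + File.separator + logFile);
            jettyHomeFile.canRead();
            out.println("status: <b>SUCCESS - unexpected</b><br/>");
        }
        catch (SecurityException e)
        {
            out.println("status: <b>FAILURE - expected</b><br/>");
        }

        out.println(" </p><br/><br/>");
    }

    /**
     * Probes read and write access to the policy file, {@code lib}, the home
     * directory and {@code logs}, all resolved against {@code user.dir} (labelled
     * {@code $jetty.home} in the report). Only reading the policy file is expected
     * to be allowed.
     *
     * @param out the response stream
     * @throws Exception if writing the response fails or {@code user.dir} cannot be read
     */
    private void runFileSystemChecks(ServletOutputStream out) throws Exception
    {
        out.println(" <h1>Checking File System</h1>");

        out.println(" <p>");

        // Read outside any try block: a denial here propagates to doGet and skips
        // the remaining sections.
        String userDir = System.getProperty("user.dir");
        try
        {
            out.println("check read for $jetty.home/lib/policy/jetty.policy<br/>");

            File jettyHomeFile = new File(userDir + File.separator + "lib" + File.separator + "policy" + File.separator + "jetty.policy");
            jettyHomeFile.canRead();
            out.println("status: <b>SUCCESS - expected</b><br/>");
        }
        catch (SecurityException e)
        {
            printUnexpectedFailure(out,e);
        }

        try
        {
            out.println("check write permission for $jetty.home/lib/policy/jetty.policy<br/>");

            File jettyHomeFile = new File(userDir + File.separator + "lib" + File.separator + "policy" + File.separator + "jetty.policy");
            jettyHomeFile.canWrite();
            out.println("status: <b>SUCCESS - unexpected</b><br/>");
        }
        catch (SecurityException e)
        {
            out.println("status: <b>FAILURE - expected</b><br/>");
        }

        try
        {
            out.println("check read permission for $jetty.home/lib<br/>");

            File jettyHomeFile = new File(userDir + File.separator + "lib");
            jettyHomeFile.canRead();
            out.println("status: <b>SUCCESS - unexpected</b><br/>");
        }
        catch (SecurityException e)
        {
            out.println("status: <b>FAILURE - expected</b><br/>");
        }

        try
        {
            out.println("check write permission for $jetty.home/lib<br/>");

            File jettyHomeFile = new File(userDir + File.separator + "lib");
            jettyHomeFile.canWrite();
            out.println("status: <b>SUCCESS - unexpected</b><br/>");
        }
        catch (SecurityException e)
        {
            out.println("status: <b>FAILURE - expected</b><br/>");
        }

        try
        {
            out.println("check read permission for $jetty.home<br/>");

            File jettyHomeFile = new File(userDir + File.separator);
            jettyHomeFile.canRead();
            out.println("status: <b>SUCCESS - unexpected</b><br/>");
        }
        catch (SecurityException e)
        {
            out.println("status: <b>FAILURE - expected</b><br/>");
        }

        try
        {
            out.println("check write permission for $jetty.home<br/>");

            File jettyHomeFile = new File(userDir + File.separator);
            jettyHomeFile.canWrite();
            out.println("status: <b>SUCCESS - unexpected</b><br/>");
        }
        catch (SecurityException e)
        {
            out.println("status: <b>FAILURE - expected</b><br/>");
        }

        try
        {
            out.println("check read permission for $jetty.home/logs<br/>");

            File jettyHomeFile = new File(userDir + File.separator + "logs" + File.separator);
            jettyHomeFile.canRead();
            out.println("status: <b>SUCCESS - unexpected</b><br/>");
        }
        catch (SecurityException e)
        {
            out.println("status: <b>FAILURE - expected</b><br/>");
        }

        try
        {
            // Label corrected: this probe calls canWrite(), but was reported as a
            // second read check.
            out.println("check write permission for $jetty.home/logs<br/>");

            File jettyHomeFile = new File(userDir + File.separator + "logs");
            jettyHomeFile.canWrite();
            out.println("status: <b>SUCCESS - unexpected</b><br/>");
        }
        catch (SecurityException e)
        {
            out.println("status: <b>FAILURE - expected</b><br/>");
        }

        out.println(" </p><br/><br/>");
    }

    /**
     * Probes read and write access to three system properties: one reported as
     * read-only, one as read/write and one as forbidden.
     *
     * <p>The write probes store the status text in the property and print the value
     * read back, so a permitted write changes the property for the whole JVM.
     *
     * @param out the response stream
     * @throws IOException if writing the response fails
     */
    private void runPropertyChecks(ServletOutputStream out) throws IOException
    {
        out.println(" <h1>Checking Properties</h1>");

        out.println(" <h3>Declared Property - read</h3>");
        out.println(" <p>");
        try
        {
            out.println("check read permission for __ALLOWED_READ_PROPERTY <br/>");
            System.getProperty("__ALLOWED_READ_PROPERTY");
            out.println("status: <b>SUCCESS - expected</b><br/>");
        }
        catch (SecurityException e)
        {
            printUnexpectedFailure(out,e);
        }
        try
        {
            out.println("check write permission for __ALLOWED_READ_PROPERTY<br/>");
            System.setProperty("__ALLOWED_READ_PROPERTY","SUCCESS - unexpected");
            String value = System.getProperty("__ALLOWED_READ_PROPERTY");
            out.println("status: <b>" + value + "</b><br/>");
        }
        catch (SecurityException e)
        {
            out.println("status: <b>FAILURE - expected</b><br/>");
        }

        out.println(" </p><br/><br/>");

        out.println(" <h3>Declared Property - read/write</h3>");
        out.println(" <p>");
        try
        {
            out.println("check read permission for __ALLOWED_WRITE_PROPERTY<br/>");
            System.getProperty("__ALLOWED_WRITE_PROPERTY");
            out.println("Status: <b>SUCCESS - expected</b><br/>");
        }
        catch (SecurityException e)
        {
            printUnexpectedFailure(out,e);
        }
        try
        {
            out.println("check write permission for __ALLOWED_WRITE_PROPERTY<br/>");
            System.setProperty("__ALLOWED_WRITE_PROPERTY","SUCCESS - expected");
            String value = System.getProperty("__ALLOWED_WRITE_PROPERTY");
            out.println("status: <b>" + value + "</b><br/>");
        }
        catch (SecurityException e)
        {
            printUnexpectedFailure(out,e);
        }

        out.println(" </p><br/><br/>");

        out.println(" <h3>checking forbidden properties</h3>");
        out.println(" <p>");
        try
        {
            out.println("check read permission for __UNDECLARED_PROPERTY: <br/>");
            System.getProperty("__UNDECLARED_PROPERTY");
            // Status corrected: success and failure were both labelled "expected".
            // The section is headed "forbidden properties" and the denial branch is
            // the expected one, so a successful read is the anomaly.
            out.println("status: <b>SUCCESS - unexpected</b><br/>");
        }
        catch (SecurityException e)
        {
            out.println("status: <b>FAILURE - expected</b><br/>");
        }
        try
        {
            out.println("check write permission for __UNDECLARED_PROPERTY: <br/>");
            System.setProperty("__UNDECLARED_PROPERTY","SUCCESS - unexpected");
            String value = System.getProperty("__UNDECLARED_PROPERTY");
            out.println("status: <b>" + value + "</b><br/>");
        }
        catch (SecurityException e)
        {
            out.println("status: <b>FAILURE - expected</b><br/>");
        }

        out.println(" </p><br/><br/>");
    }
}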