
1   //
2   //  ========================================================================
3   //  Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd.
4   //  ------------------------------------------------------------------------
5   //  All rights reserved. This program and the accompanying materials
6   //  are made available under the terms of the Eclipse Public License v1.0
7   //  and Apache License v2.0 which accompanies this distribution.
8   //
9   //      The Eclipse Public License is available at
10  //      http://www.eclipse.org/legal/epl-v10.html
11  //
12  //      The Apache License v2.0 is available at
13  //      http://www.opensource.org/licenses/apache2.0.php
14  //
15  //  You may elect to redistribute this code under either of these licenses.
16  //  ========================================================================
17  //
18  
19  package com.acme;
20  
21  import java.io.File;
22  import java.io.IOException;
23  import java.io.PrintStream;
24  import java.net.URL;
25  import java.net.URLClassLoader;
26  import java.util.Calendar;
27  import java.util.GregorianCalendar;
28  import javax.servlet.ServletConfig;
29  import javax.servlet.ServletException;
30  import javax.servlet.ServletOutputStream;
31  import javax.servlet.http.HttpServlet;
32  import javax.servlet.http.HttpServletRequest;
33  import javax.servlet.http.HttpServletResponse;
34  
35  import org.eclipse.jetty.util.log.Log;
36  import org.eclipse.jetty.util.log.Logger;
37  
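/**
 * Diagnostic servlet that probes what the active Java security policy lets a web application do.
 * <p>
 * Every request runs a fixed series of checks (system properties, file system, logging, class
 * loader creation) and writes one status line per check into an HTML page. A check is reported as
 * {@code SUCCESS} when the probed call returned without a {@link SecurityException} and as
 * {@code FAILURE} when one was thrown; the {@code expected} / {@code unexpected} suffix states
 * whether that outcome matches what the policy under test is meant to enforce.
 * <p>
 * Points to keep in mind when reading the report:
 * <ul>
 * <li>When no {@link SecurityManager} is installed, none of the probed calls performs a permission
 * check, so every restrictive check comes back as {@code SUCCESS - unexpected}.</li>
 * <li>The file checks only observe whether {@code File.canRead()} / {@code File.canWrite()} threw;
 * their boolean result is ignored, so {@code SUCCESS} does not mean the file exists or is
 * accessible at the operating-system level.</li>
 * <li>The page embeds stack traces and shows which operations the sandbox permits. It is a test
 * aid and should not be reachable on a production deployment.</li>
 * </ul>
 */
@SuppressWarnings("serial")
public class SecureModeServlet extends HttpServlet
{
    private static final Logger LOG = Log.getLogger(SecureModeServlet.class);

    /* ------------------------------------------------------------ */
    /**
     * Delegates to the default servlet initialisation; no servlet-specific setup is done.
     *
     * @param config the servlet configuration supplied by the container
     * @throws ServletException if the superclass initialisation fails
     */
    @Override
    public void init(ServletConfig config) throws ServletException
    {
        super.init(config);
    }

    /* ------------------------------------------------------------ */
    /**
     * Handles POST exactly like GET.
     *
     * @param request the incoming request (not inspected)
     * @param response the response the report is written to
     * @throws ServletException declared by the servlet contract
     * @throws IOException if the report cannot be written
     */
    @Override
    public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException
    {
        doGet(request, response);
    }

    /* ------------------------------------------------------------ */
    /**
     * Runs all policy checks and writes the HTML report.
     * <p>
     * No request parameter is read; the output depends only on the JVM's security configuration.
     *
     * @param request the incoming request (not inspected)
     * @param response the response the report is written to
     * @throws ServletException declared by the servlet contract
     * @throws IOException if the page header or footer cannot be written
     */
    @Override
    public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException
    {
        response.setContentType("text/html");
        ServletOutputStream out = response.getOutputStream();
        out.println("<html>");
        out.println("  <title>Secure Jetty Test Webapp</title>");

        try
        {
            runPropertyChecks(out);
            runFileSystemChecks(out);
            runLoggingChecks(out);
            runClassloaderChecks(out);
        }
        catch (Exception e)
        {
            // Anything not handled by an individual check (including a SecurityException raised
            // outside a check's own try block, e.g. while reading user.dir) ends the run here.
            // The trace goes into the page so the tester sees why the remaining checks are missing.
            e.printStackTrace(new PrintStream(out));
        }
        out.println("</html>");
        out.flush();

        try
        {
            // NOTE(review): the reason for this pause is not evident from this class.
            Thread.sleep(200);
        }
        catch (InterruptedException e)
        {
            getServletContext().log("exception",e);
            // restore the interrupt flag so the container thread can still observe it
            Thread.currentThread().interrupt();
        }
    }

    /**
     * Checks that the policy refuses the creation of a new class loader.
     *
     * @param out the stream the report is written to
     * @throws Exception if the report cannot be written or the probe URL is rejected as malformed
     */
    private void runClassloaderChecks(ServletOutputStream out) throws Exception
    {
        out.println("    <h1>Checking Classloader Setup</h1>");
        out.println("      <p>");

        try
        {
            out.println("check ability to create classloader<br/>");
            URL url = new URL("http://not.going.to.work");
            // constructing the loader is the whole probe; it is never asked to load a class
            new URLClassLoader(new URL[] { url });
            out.println("status: <b>SUCCESS - unexpected</b><br/>");
        }
        catch (SecurityException e)
        {
            out.println("status: <b>FAILURE - expected</b><br/>");
        }

        out.println("      </p><br/><br/>");
    }

    /**
     * Checks that the webapp may log through the Jetty logger but may not touch the request log
     * file directly.
     *
     * @param out the stream the report is written to
     * @throws Exception if the report cannot be written
     */
    private void runLoggingChecks(ServletOutputStream out) throws Exception
    {
        // the heading used to repeat "Checking File System", which made this section
        // indistinguishable from the file system section in the report
        out.println("    <h1>Checking Logging</h1>");
        out.println("      <p>");

        String userDir = System.getProperty("user.dir");
        try
        {
            out.println("check ability to log<br/>");
            LOG.info("testing logging");
            out.println("status: <b>SUCCESS - expected</b><br/>");
        }
        catch (SecurityException e)
        {
            printUnexpectedFailure(out,e);
        }

        try
        {
            Calendar c = new GregorianCalendar();

            // NOTE(review): Calendar.MONTH is zero-based and none of the fields is zero-padded,
            // so this name presumably does not match a yyyy_MM_dd request log file - confirm
            // against the request log configuration. The permission check itself is made on the
            // path and does not need the file to exist.
            String logFile = c.get(Calendar.YEAR) + "_" + c.get(Calendar.MONTH) + "_" + c.get(Calendar.DAY_OF_MONTH) + ".request.log";

            out.println("check ability to access log file directly<br/>");
            File requestLog = new File(userDir + File.separator + "logs" + File.separator + logFile);
            requestLog.canRead();
            out.println("status: <b>SUCCESS - unexpected</b><br/>");
        }
        catch (SecurityException e)
        {
            out.println("status: <b>FAILURE - expected</b><br/>");
        }

        out.println("      </p><br/><br/>");
    }

    /**
     * Checks file permissions below the server's working directory: only reading the policy file
     * is meant to be allowed, every other read or write is meant to be refused.
     * <p>
     * The report labels the paths {@code $jetty.home}, while the code resolves them against the
     * {@code user.dir} system property; presumably the server is started from its home directory.
     *
     * @param out the stream the report is written to
     * @throws Exception if the report cannot be written
     */
    private void runFileSystemChecks(ServletOutputStream out) throws Exception
    {
        out.println("    <h1>Checking File System</h1>");
        out.println("      <p>");

        // read outside the per-check handling: if the policy denies user.dir the whole run stops
        String userDir = System.getProperty("user.dir");
        String libDir = userDir + File.separator + "lib";
        String policyFile = libDir + File.separator + "policy" + File.separator + "jetty.policy";
        String homeDir = userDir + File.separator;

        reportFileCheck(out,"check read for $jetty.home/lib/policy/jetty.policy",policyFile,false,true);
        reportFileCheck(out,"check write permission for $jetty.home/lib/policy/jetty.policy",policyFile,true,false);

        reportFileCheck(out,"check read permission for $jetty.home/lib",libDir,false,false);
        reportFileCheck(out,"check write permission for $jetty.home/lib",libDir,true,false);

        reportFileCheck(out,"check read permission for $jetty.home",homeDir,false,false);
        reportFileCheck(out,"check write permission for $jetty.home",homeDir,true,false);

        reportFileCheck(out,"check read permission for $jetty.home/logs",userDir + File.separator + "logs" + File.separator,false,false);
        // this probe calls canWrite(); its label used to say "read", so the report listed the
        // logs read check twice and never mentioned the write check
        reportFileCheck(out,"check write permission for $jetty.home/logs",userDir + File.separator + "logs",true,false);

        out.println("      </p><br/><br/>");
    }

    /**
     * Checks system property permissions: a property declared readable, a property declared
     * readable and writable, and a property the policy does not mention.
     *
     * @param out the stream the report is written to
     * @throws IOException if the report cannot be written
     */
    private void runPropertyChecks(ServletOutputStream out) throws IOException
    {
        out.println("    <h1>Checking Properties</h1>");

        /*
         * property with read permission only: reading must work, writing must be refused
         */
        out.println("    <h3>Declared Property - read</h3>");
        out.println("      <p>");
        try
        {
            out.println("check read permission for __ALLOWED_READ_PROPERTY <br/>");
            System.getProperty("__ALLOWED_READ_PROPERTY");
            out.println("status: <b>SUCCESS - expected</b><br/>");
        }
        catch (SecurityException e)
        {
            printUnexpectedFailure(out,e);
        }
        try
        {
            out.println("check write permission for __ALLOWED_READ_PROPERTY<br/>");
            // the value written doubles as the status text shown when the write gets through
            System.setProperty("__ALLOWED_READ_PROPERTY","SUCCESS - unexpected");
            String value = System.getProperty("__ALLOWED_READ_PROPERTY");
            out.println("status: <b>" + value + "</b><br/>");
        }
        catch (SecurityException e)
        {
            out.println("status: <b>FAILURE - expected</b><br/>");
        }

        out.println("      </p><br/><br/>");

        /*
         * property with read and write permission: both operations must work
         */
        out.println("    <h3>Declared Property - read/write</h3>");
        out.println("      <p>");
        try
        {
            out.println("check read permission for __ALLOWED_WRITE_PROPERTY<br/>");
            System.getProperty("__ALLOWED_WRITE_PROPERTY");
            out.println("Status: <b>SUCCESS - expected</b><br/>");
        }
        catch (SecurityException e)
        {
            printUnexpectedFailure(out,e);
        }
        try
        {
            out.println("check write permission for __ALLOWED_WRITE_PROPERTY<br/>");
            System.setProperty("__ALLOWED_WRITE_PROPERTY","SUCCESS - expected");
            String value = System.getProperty("__ALLOWED_WRITE_PROPERTY");
            out.println("status: <b>" + value + "</b><br/>");
        }
        catch (SecurityException e)
        {
            printUnexpectedFailure(out,e);
        }

        out.println("      </p><br/><br/>");

        /*
         * property the policy does not declare: both operations must be refused
         */
        out.println("    <h3>checking forbidden properties</h3>");
        out.println("      <p>");
        try
        {
            out.println("check read permission for __UNDECLARED_PROPERTY: <br/>");
            System.getProperty("__UNDECLARED_PROPERTY");
            // NOTE(review): both outcomes of this check used to be labelled "expected". The
            // section covers forbidden properties and the refusal below is the expected result,
            // so a read that gets through is reported as unexpected - confirm against the policy.
            out.println("status: <b>SUCCESS - unexpected</b><br/>");
        }
        catch (SecurityException e)
        {
            out.println("status: <b>FAILURE - expected</b><br/>");
        }
        try
        {
            out.println("check write permission for __UNDECLARED_PROPERTY: <br/>");
            System.setProperty("__UNDECLARED_PROPERTY","SUCCESS - unexpected");
            String value = System.getProperty("__UNDECLARED_PROPERTY");
            out.println("status: <b>" + value + "</b><br/>");
        }
        catch (SecurityException e)
        {
            out.println("status: <b>FAILURE - expected</b><br/>");
        }

        out.println("      </p><br/><br/>");
    }

    /**
     * Probes one file permission and writes the label and the status line for it.
     *
     * @param out the stream the report is written to
     * @param label the description of the check, without the trailing line break markup
     * @param path the path to probe
     * @param write {@code true} to probe with {@code canWrite()}, {@code false} for {@code canRead()}
     * @param shouldBeAllowed whether the policy under test is meant to permit the access
     * @throws IOException if the report cannot be written
     */
    private void reportFileCheck(ServletOutputStream out, String label, String path, boolean write, boolean shouldBeAllowed) throws IOException
    {
        try
        {
            out.println(label + "<br/>");

            File target = new File(path);
            // only the SecurityException matters here; the boolean result is deliberately ignored
            if (write)
            {
                target.canWrite();
            }
            else
            {
                target.canRead();
            }
            out.println("status: <b>SUCCESS - " + (shouldBeAllowed ? "expected" : "unexpected") + "</b><br/>");
        }
        catch (SecurityException e)
        {
            if (shouldBeAllowed)
            {
                printUnexpectedFailure(out,e);
            }
            else
            {
                out.println("status: <b>FAILURE - expected</b><br/>");
            }
        }
    }

    /**
     * Writes the status line for an access that the policy should have permitted, followed by the
     * stack trace of the refusal.
     * <p>
     * The trace is written as-is, without HTML escaping.
     *
     * @param out the stream the report is written to
     * @param e the refusal raised by the security manager
     * @throws IOException if the report cannot be written
     */
    private void printUnexpectedFailure(ServletOutputStream out, SecurityException e) throws IOException
    {
        out.println("status: <b>FAILURE - unexpected</b><br/>");
        out.println("<table><tr><td>");
        e.printStackTrace(new PrintStream(out));
        out.println("</td></tr></table>");
    }
}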
379 
380 }