stan/jdk-24
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
ff2c987669
jdk-24/test/jdk/java/net/URLPermission/URLTest.java
Weijun Wang 640a2afda3 8267184: Add -Djava.security.manager=allow to tests calling System.setSecurityManager 
Co-authored-by: Lance Andersen <lancea@openjdk.org>
Co-authored-by: Weijun Wang <weijun@openjdk.org>
Reviewed-by: dholmes, alanb, dfuchs, mchung, mullan, prr
2021-05-24 16:55:55 +00:00

310 lines
11 KiB
Java
Raw Blame History

/*
* Copyright (c) 2013, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
import java.net.URLPermission;
/*
* @test
* @bug 8010464
* @modules jdk.httpserver
* @library /test/lib
* @build jdk.test.lib.net.SimpleSSLContext
* @run main/othervm -Djava.security.manager=allow URLTest
* @run main/othervm -Djava.security.manager=allow -Djava.net.preferIPv6Addresses=true URLTest
* @summary check URLPermission with Http(s)URLConnection
*/
import java.net.*;
import java.io.*;
import java.security.*;
import java.util.concurrent.*;
import com.sun.net.httpserver.*;
import javax.net.ssl.*;
import jdk.test.lib.net.SimpleSSLContext;
public class URLTest {
static boolean failed;
public static void main (String[] args) throws Exception {
createServers();
try {
// Verify without a Security Manager
test1();
test2();
test3();
// Set the security manager. Each test will set its own policy.
Policy.setPolicy(new CustomPolicy());
System.setSecurityManager(new SecurityManager());
System.out.println("\n Security Manager has been set.");
test1();
test2();
test3();
if (failed)
throw new RuntimeException("Test failed");
} finally {
shutdown();
}
}
static void test1() throws IOException {
System.out.println("\n--- Test 1 ---");
boolean expectException = false;
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
expectException = true;
Policy.setPolicy(new CustomPolicy(
new URLPermission("http://" + httpAuth + "/foo.html", "GET:X-Foo,Z-Bar"),
new URLPermission("https://" + httpsAuth + "/foo.html", "POST:X-Fob,T-Bar")));
}
String url1 = "http://" + httpAuth + "/foo.html";
String url2 = "https://" + httpsAuth + "/foo.html";
String url3 = "http://" + httpAuth + "/bar.html";
String url4 = "https://" + httpsAuth + "/bar.html";
// simple positive test. Should succeed
test(url1, "GET", "X-Foo");
test(url1, "GET", "Z-Bar", "X-Foo");
test(url1, "GET", "X-Foo", "Z-Bar");
test(url1, "GET", "Z-Bar");
test(url2, "POST", "X-Fob");
// reverse the methods, should fail
test(url1, "POST", "X-Foo", expectException);
test(url2, "GET", "X-Fob", expectException);
// different URLs, should fail
test(url3, "GET", "X-Foo", expectException);
test(url4, "POST", "X-Fob", expectException);
}
static void test2() throws IOException {
System.out.println("\n--- Test 2 ---");
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
Policy.setPolicy(new CustomPolicy(
new URLPermission("http://" + httpAuth + "/*", "GET:X-Foo"),
new URLPermission("https://" + httpsAuth + "/*", "POST:X-Fob")));
}
String url1 = "http://" + httpAuth + "/foo.html";
String url2 = "https://" + httpsAuth + "/foo.html";
String url3 = "http://" + httpAuth + "/bar.html";
String url4 = "https://" + httpsAuth + "/bar.html";
// simple positive test. Should succeed
test(url1, "GET", "X-Foo");
test(url2, "POST", "X-Fob");
test(url3, "GET", "X-Foo");
test(url4, "POST", "X-Fob");
}
static void test3() throws IOException {
System.out.println("\n--- Test 3 ---");
boolean expectException = false;
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
expectException = true;
Policy.setPolicy(new CustomPolicy(
new URLPermission("http://" + httpAuth + "/a/b/-", "DELETE,GET:X-Foo,Y-Foo"),
new URLPermission("https://" + httpsAuth + "/a/c/-", "POST:*")));
}
String url1 = "http://" + httpAuth + "/foo.html";
String url2 = "https://" + httpsAuth + "/a/c/d/e/foo.html";
String url3 = "http://" + httpAuth + "/a/b/c";
String url4 = "https://" + httpsAuth + "/a/b/c";
test(url1, "GET", "X-Foo", expectException);
test(url2, "POST", "X-Zxc");
test(url3, "DELETE", "Y-Foo");
test(url4, "POST", "Y-Foo", expectException);
}
static String authority(InetSocketAddress address) {
String hostaddr = address.getAddress().getHostAddress();
int port = address.getPort();
if (hostaddr.indexOf(':') > -1) {
return "[" + hostaddr + "]:" + port;
} else {
return hostaddr + ":" + port;
}
}
// Convenience methods to simplify previous explicit test scenarios.
static void test(String u, String method, String header) throws IOException {
test(u, method, header, null, false);
}
static void test(String u, String method, String header, boolean expectException)
throws IOException
{
test(u, method, header, null, expectException);
}
static void test(String u, String method, String header1, String header2)
throws IOException
{
test(u, method, header1, header2, false);
}
static void test(String u,
String method,
String header1,
String header2,
boolean expectException)
throws IOException
{
URL url = new URL(u);
System.out.println("url=" + u + " method=" + method +
" header1=" + header1 + " header2=" + header2 +
" expectException=" + expectException);
HttpURLConnection urlc = (HttpURLConnection)url.openConnection(Proxy.NO_PROXY);
if (urlc instanceof HttpsURLConnection) {
HttpsURLConnection ssl = (HttpsURLConnection)urlc;
ssl.setHostnameVerifier((host, sess) -> true);
ssl.setSSLSocketFactory(ctx.getSocketFactory());
}
urlc.setRequestMethod(method);
if (header1 != null)
urlc.addRequestProperty(header1, "foo");
if (header2 != null)
urlc.addRequestProperty(header2, "bar");
try {
int code = urlc.getResponseCode();
if (expectException) {
failed = true;
System.out.println("FAIL");
return;
}
if (code != 200)
throw new RuntimeException("Unexpected response " + code);
InputStream is = urlc.getInputStream();
is.readAllBytes();
is.close();
} catch (RuntimeException e) {
if (!expectException || !(e.getCause() instanceof SecurityException)) {
System.out.println ("FAIL. Unexpected: " + e.getMessage());
e.printStackTrace();
failed = true;
return;
} else {
System.out.println("Got expected exception: " + e.getMessage());
}
}
System.out.println ("PASS");
}
static HttpServer httpServer;
static HttpsServer httpsServer;
static HttpContext c, cs;
static ExecutorService e, es;
static SSLContext ctx;
static int httpPort;
static int httpsPort;
static String httpAuth;
static String httpsAuth;
static void createServers() throws Exception {
InetAddress loopback = InetAddress.getLoopbackAddress();
InetSocketAddress address = new InetSocketAddress(loopback, 0);
httpServer = HttpServer.create(address, 0);
httpsServer = HttpsServer.create(address, 0);
OkHandler h = new OkHandler();
c = httpServer.createContext("/", h);
cs = httpsServer.createContext("/", h);
e = Executors.newCachedThreadPool();
es = Executors.newCachedThreadPool();
httpServer.setExecutor(e);
httpsServer.setExecutor(es);
ctx = new SimpleSSLContext().get();
httpsServer.setHttpsConfigurator(new HttpsConfigurator (ctx));
httpServer.start();
httpsServer.start();
httpPort = httpServer.getAddress().getPort();
httpsPort = httpsServer.getAddress().getPort();
httpAuth = authority(httpServer.getAddress());
httpsAuth = authority(httpsServer.getAddress());
}
static void shutdown() {
httpServer.stop(1);
httpsServer.stop(1);
e.shutdown();
es.shutdown();
}
static class OkHandler implements HttpHandler {
public void handle(HttpExchange x) throws IOException {
x.sendResponseHeaders(200, -1);
x.close();
}
}
static class CustomPolicy extends Policy {
static final Policy DEFAULT_POLICY = Policy.getPolicy();
final PermissionCollection perms = new Permissions();
CustomPolicy(Permission... permissions) {
java.util.Arrays.stream(permissions).forEach(perms::add);
// needed for the HTTP(S) server
InetAddress loopback = InetAddress.getLoopbackAddress();
InetSocketAddress serverBound = new InetSocketAddress(loopback,1024);
perms.add(new SocketPermission(authority(serverBound) + "-", "listen,resolve,accept"));
// needed by the test to reset the policy, per testX method
perms.add(new SecurityPermission("setPolicy"));
// needed to shutdown the ThreadPoolExecutor ( used by the servers )
perms.add(new RuntimePermission("modifyThread"));
// needed by the client code forHttpsURLConnection.setSSLSocketFactory
perms.add(new RuntimePermission("setFactory"));
}
public PermissionCollection getPermissions(ProtectionDomain domain) {
return perms;
}
public PermissionCollection getPermissions(CodeSource codesource) {
return perms;
}
public boolean implies(ProtectionDomain domain, Permission perm) {
return perms.implies(perm) || DEFAULT_POLICY.implies(domain, perm);
}
}
}
Reference in New Issue View Git Blame Copy Permalink