7 Replies Latest reply on Aug 1, 2007 9:56 AM by mwringe

    JSFUnit and Security

    mwringe

      I am trying to use JSFUnit with a secured web page. I followed the directions on the Cactus web page http://jakarta.apache.org/cactus/writing/howto_security.html but this does not work.

      The session object is specified using a ThreadLocal variable in org.jboss.jsfunit.framework.WebConversationFactory. This variable gets set when under the normal test redirector, but the secure redirector is in another thread and so the value is null and the tests cannot be run.

      Should the cactus way of running secure tests be followed, or is there some special JSFUnit way of doing it?

        • 1. Re: JSFUnit and Security
          ssilvert

          Can you send me a simple test app so I can take a look?

          Stan Silvert
          http://www.jsfunit.org

          • 2. Re: JSFUnit and Security
            mwringe

            I have added a SetRedirectorTest in a war here:
            https://mwringe.108.redhat.com/files/documents/175/441/jboss-jsfunit-examples-hellojsf-jsfunit.war
            Source:
            https://mwringe.108.redhat.com/files/documents/175/442/jboss-jsfunit-examples-hellojsf-secure.tar.gz

            This follows the example set on the Cactus website for testing secure pages, except that it doesn't actually require authentication; it just changes the ServletRedirector.

            Test Code:

            package org.jboss.jsfunit.example.hellojsf;

            import org.apache.cactus.ServletTestCase;
            import org.apache.cactus.WebRequest;
            import org.jboss.jsfunit.facade.ClientFacade;

            public class SetRedirectorTest extends ServletTestCase
            {
                // Runs on the client side before the request to the redirector:
                // selects the alternate redirector servlet by name.
                public void beginRedirection(WebRequest request)
                {
                    request.setRedirectorName("ServletRedirectorSecure");
                }

                // Runs inside the container: opens a JSF page through JSFUnit.
                public void testRedirection() throws Exception
                {
                    ClientFacade client = new ClientFacade("/index.faces");
                }
            }



            • 3. Re: JSFUnit and Security
              ssilvert

              I got your example to run. Is this the error you were getting?

              Can not find HttpSession. Perhaps JSFUnitFilter has not run?
              
              java.lang.IllegalStateException: Can not find HttpSession. Perhaps JSFUnitFilter has not run?
              at org.jboss.jsfunit.framework.WebConversationFactory.makeWebConversation(WebConversationFactory.java:103)
              at org.jboss.jsfunit.facade.ClientFacade.<init>(ClientFacade.java:65)
              at org.jboss.jsfunit.example.hellojsf.SetRedirectorTest.testRedirection(SetRedirectorTest.java:17)


              If so, the fix is just to add this declaration to your web.xml:
              <filter-mapping>
                <filter-name>JSFUnitFilter</filter-name>
                <servlet-name>ServletRedirectorSecure</servlet-name>
              </filter-mapping>


              Stan Silvert
              http://www.jsfunit.org


              • 4. Re: JSFUnit and Security
                mwringe

                I really should have known that I forgot something simple. Unfortunately there exist problems below that, in which httpunit is not being passed any security information when it tries to get the ClientFacade. I have an updated example here: http://mwringe.fedorapeople.org/jsfunit/jboss-jsfunit-examples-hellojsf-jsfunit.war
                Source code:
                http://mwringe.fedorapeople.org/jsfunit/jboss-jsfunit-examples-hellojsf-secure.tar.gz

                I have a quick solution to this in which a new ClientFacade constructor is created that takes username and password parameters:

                public ClientFacade(String initialPage, String username, String password)
                    throws MalformedURLException, IOException, SAXException
                {
                    this.webConversation = WebConversationFactory.makeWebConversation();
                    WebRequest req = new GetMethodWebRequest(WebConversationFactory.getWARURL() + initialPage);
                    // Set the credentials on the conversation before the first request is sent.
                    webConversation.setAuthorization(username, password);
                    this.webResponse = webConversation.getResponse(req);
                    this.clientIDs = new ClientIDs();
                }


                This gets around my problem, but I am not sure if this is the best solution; it seems strange to be setting the security information in the ServletRedirector and in the ClientFacade.

                • 5. Re: JSFUnit and Security
                  ssilvert

                  Actually, what you did is correct and I think it does make sense to set the credentials in both places. Bear with me a second.

                  Note that a JSFUnit test is made up of several requests to the server. When you pass in the credentials in the beginBasicAuthentication() method, that is providing credentials for the request to the cactus redirector servlet. When you provide it in the ClientFacade constructor, you are providing the credentials for a request to the JSF servlet. Since the credentials are then stored in the WebConversation, they should be propagated to every request thereafter.

                  Can you create a Jira task for this? We need to make this change to the ClientFacade, plus add tests for Basic Authentication and Form Authentication. If you don't have time to write the code just assign it to me.

                  Stan

                  • 6. Re: JSFUnit and Security
                    ssilvert

                    BTW, I'm not sure why the redirector would need to be secured in the first place. It should work just fine if the redirector is unsecured and then your JSFUnit tests access a secured JSF Servlet.

                    http://jira.jboss.com/jira/browse/JSFUNIT-13

                    Stan

                    • 7. Re: JSFUnit and Security
                      mwringe

                       

                      "stan.silvert@jboss.com" wrote:
                      BTW, I'm not sure why the redirector would need to be secured in the first place. It should work just fine if the redirector is unsecured and then your JSFUnit tests access a secured JSF Servlet.


                      Yeah, you don't need another redirector and it doesn't need to be secured. I figured that out last night and the example won't have it.
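
The two credential hand-offs discussed in replies 4 to 7, put together in one test class. This is an added example, not code from the thread or from the JSFUnit project. It assumes the three-argument ClientFacade constructor proposed in reply 4 is available, that JSFUnitFilter is mapped to ServletRedirectorSecure as in reply 3, and that the class name and the test account shown are constructed placeholders.

```java
package org.jboss.jsfunit.example.hellojsf;

import org.apache.cactus.ServletTestCase;
import org.apache.cactus.WebRequest;
import org.apache.cactus.client.authentication.BasicAuthentication;
import org.jboss.jsfunit.facade.ClientFacade;

// Hypothetical test class name, chosen for this example.
public class SecuredPageTest extends ServletTestCase
{
    // Constructed test-only account. It must exist in the container's
    // security realm and hold the role the protected pages require.
    private static final String TEST_USER = "testuser";
    private static final String TEST_PASSWORD = "testpassword";

    // Request 1: test runner -> Cactus redirector servlet.
    // Only needed when the redirector itself is behind a security
    // constraint. With an unsecured redirector (replies 6 and 7) this
    // whole method can be dropped.
    public void beginSecuredPage(WebRequest request)
    {
        request.setRedirectorName("ServletRedirectorSecure");
        request.setAuthentication(
            new BasicAuthentication(TEST_USER, TEST_PASSWORD));
    }

    // Runs inside the container, on the redirector's request.
    public void testSecuredPage() throws Exception
    {
        // Confirms the container authenticated the redirector request
        // with the credentials supplied in beginSecuredPage().
        assertEquals(TEST_USER, request.getRemoteUser());

        // Request 2: HttpUnit WebConversation -> JSF servlet.
        // This is a separate HTTP request, so it needs its own
        // credentials. The constructor from reply 4 stores them in the
        // WebConversation, which reuses them for later requests.
        ClientFacade client =
            new ClientFacade("/index.faces", TEST_USER, TEST_PASSWORD);
    }
}
```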