-
1. Re: JSFUnit and Security
ssilvert Jul 27, 2007 7:54 AM (in response to mwringe)
Can you send me a simple test app so I can take a look?
Stan Silvert
http://www.jsfunit.org -
2. Re: JSFUnit and Security
mwringe Jul 27, 2007 10:44 AM (in response to mwringe)
I have added a SetRedirectorTest in a war here:
https://mwringe.108.redhat.com/files/documents/175/441/jboss-jsfunit-examples-hellojsf-jsfunit.war
Source:
https://mwringe.108.redhat.com/files/documents/175/442/jboss-jsfunit-examples-hellojsf-secure.tar.gz
This follows the example set on the Cactus website for testing secure pages except that it doesn't actually require authentication, it just changes the ServletRedirector.
Test Code:

```java
package org.jboss.jsfunit.example.hellojsf;

import org.apache.cactus.ServletTestCase;
import org.apache.cactus.WebRequest;
import org.jboss.jsfunit.facade.ClientFacade;

public class SetRedirectorTest extends ServletTestCase
{
   // Runs on the client side before the request is sent to the redirector.
   public void beginRedirection (WebRequest request)
   {
      request.setRedirectorName("ServletRedirectorSecure");
   }

   // Runs inside the container, behind the redirector selected above.
   public void testRedirection () throws Exception
   {
      ClientFacade client = new ClientFacade ("/index.faces");
   }
}
```
-
3. Re: JSFUnit and Security
ssilvert Jul 27, 2007 3:45 PM (in response to mwringe)
I got your example to run. Is this the error you were getting?

```
Can not find HttpSession. Perhaps JSFUnitFilter has not run?
java.lang.IllegalStateException: Can not find HttpSession. Perhaps JSFUnitFilter has not run?
    at org.jboss.jsfunit.framework.WebConversationFactory.makeWebConversation(WebConversationFactory.java:103)
    at org.jboss.jsfunit.facade.ClientFacade.<init>(ClientFacade.java:65)
    at org.jboss.jsfunit.example.hellojsf.SetRedirectorTest.testRedirection(SetRedirectorTest.java:17)
```

If so, the fix is just to add this declaration to your web.xml:

```xml
<filter-mapping>
   <filter-name>JSFUnitFilter</filter-name>
   <servlet-name>ServletRedirectorSecure</servlet-name>
</filter-mapping>
```
Stan Silvert
http://www.jsfunit.org -
4. Re: JSFUnit and Security
mwringe Jul 31, 2007 4:32 PM (in response to mwringe)
I should have really known that I forgot something simple. Unfortunately there exist problems below that, in which httpunit is not being passed any security information when it tries to get the ClientFacade. I have an updated example here: http://mwringe.fedorapeople.org/jsfunit/jboss-jsfunit-examples-hellojsf-jsfunit.war
Source code:
http://mwringe.fedorapeople.org/jsfunit/jboss-jsfunit-examples-hellojsf-secure.tar.gz
I have a quick solution to this in which a new ClientFacade constructor is created that takes username and password parameters:

```java
public ClientFacade(String initialPage, String username, String password)
      throws MalformedURLException, IOException, SAXException
{
   this.webConversation = WebConversationFactory.makeWebConversation();
   WebRequest req = new GetMethodWebRequest(WebConversationFactory.getWARURL() + initialPage);
   // Store the credentials on the conversation before the first request is sent.
   webConversation.setAuthorization(username, password);
   this.webResponse = webConversation.getResponse(req);
   this.clientIDs = new ClientIDs();
}
```
This gets around my problem, but I am not sure if this is the best solution; it seems strange to be setting the security information in the ServletRedirector and in the ClientFacade. -
5. Re: JSFUnit and Security
ssilvert Jul 31, 2007 5:32 PM (in response to mwringe)
Actually, what you did is correct and I think it does make sense to set the credentials in both places. Bear with me a second.
Note that a JSFUnit test is made up of several requests to the server. When you pass in the credentials in the beginBasicAuthentication() method, that is providing credentials for the request to the cactus redirector servlet. When you provide it in the ClientFacade constructor, you are providing the credentials for a request to the JSF servlet. Since the credentials are then stored in the WebConversation, they should be propagated to every request thereafter.
Can you create a Jira task for this? We need to make this change to the ClientFacade, plus add tests for Basic Authentication and Form Authentication. If you don't have time to write the code just assign it to me.
Stan -
6. Re: JSFUnit and Security
ssilvert Aug 1, 2007 9:25 AM (in response to mwringe)
BTW, I'm not sure why the redirector would need to be secured in the first place. It should work just fine if the redirector is unsecured and then your JSFUnit tests access a secured JSF Servlet.
http://jira.jboss.com/jira/browse/JSFUNIT-13
Stan -
7. Re: JSFUnit and Security
mwringe Aug 1, 2007 9:56 AM (in response to mwringe)
"stan.silvert@jboss.com" wrote:
BTW, I'm not sure why the redirector would need to be secured in the first place. It should work just fine if the redirector is unsecured and then your JSFUnit tests access a secured JSF Servlet.
Yeah, you don't need another redirector and it doesn't need to be secured. I figured that out last night and the example won't have it.
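
Added example, not part of the thread and not JSFUnit project code: a Cactus test class that exercises the two separate requests discussed above, including a negative check that the secured page is refused without credentials. It assumes `/index.faces` is protected by a BASIC-auth security constraint, that a constructed account `testuser`/`testpass` exists in the container's realm, that `ServletRedirectorSecure` is mapped and protected as in the earlier posts, and that the three-argument `ClientFacade` constructor proposed in post 4 is available.

```java
package org.jboss.jsfunit.example.hellojsf;

import com.meterware.httpunit.AuthorizationRequiredException;
import org.apache.cactus.ServletTestCase;
import org.apache.cactus.WebRequest;
import org.apache.cactus.client.authentication.BasicAuthentication;
import org.jboss.jsfunit.facade.ClientFacade;

public class BasicAuthPageTest extends ServletTestCase
{
   // Constructed test account; assumed to exist in the container's realm.
   private static final String USER = "testuser";
   private static final String PASS = "testpass";

   // Request 1 (Cactus client -> redirector). Credentials are needed here
   // only when the redirector itself sits behind a security constraint.
   public void beginSecuredRedirector(WebRequest request)
   {
      request.setRedirectorName("ServletRedirectorSecure");
      request.setAuthentication(new BasicAuthentication(USER, PASS));
   }

   public void testSecuredRedirector() throws Exception
   {
      // The container authenticated request 1 ...
      assertEquals(USER, request.getRemoteUser());
      // ... but request 2 (HttpUnit WebConversation -> JSF servlet) comes
      // from a different client and must carry its own credentials.
      new ClientFacade("/index.faces", USER, PASS);
   }

   // Default, unsecured redirector: only request 2 is authenticated.
   public void testUnsecuredRedirector() throws Exception
   {
      assertNull(request.getRemoteUser());
      new ClientFacade("/index.faces", USER, PASS);
   }

   // Negative check: the constraint on the JSF page must actually be enforced.
   public void testMissingCredentialsRejected() throws Exception
   {
      try {
         new ClientFacade("/index.faces");
         fail("secured page was served without credentials");
      } catch (AuthorizationRequiredException expected) {
         // HttpUnit raises this when the container answers with a 401 challenge.
      }
   }
}
```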