2 Replies Latest reply on Aug 17, 2011 2:57 PM by toepi

    JEE Security for Tests

    toepi Newbie

      Hi,

       

      I need an security context for some tests, I found a few older discussions about it. So I'll try to extend arquillian to support it. But have some problems to understand the big picture.

       

      My current understanding:

      Every Testmethod called over ContainerMethodExecutor.invoke - use the underlining protocol to call the testmethod on server. For Servlet it means it do a get request against the TestServlet? Now I can annotate a method with a 'RunAs' annotation, which contains a userid and password? With this Information I can create a Request again the TestServlet with autentification (Base64) - right?

       

      Every Protocol has a Packager which put some needed classes and/or config files into the archive? But now I must pack some data for authentification e.g. a SecurityRole and the URL with should be secured, right? And than I must told the appserver which user(s) have this roles - but this is appserver specific? Mapping should not big problem - but how get appserver stuff into archive - must every container have a method to do it? Or exists a way to do mapping appserver unspecific - not found a spec. for it.

       

      Please give me some hints how can I create a first prototype for it (extends ServletProtocol). The manual way descripted in a sample from ALR need knowlage about the target container and I must implement it for all containers, how the ejbenrichter is does.

       

      I open for all

       

      Kind regards,

      Sebastian

        • 1. Re: JEE Security for Tests
          Aslak Knutsen Master

          your understanding of the Arquillian internals are spot on btw..

           

          hmm.. interesting

           

          The simples of course is to not test incontainer in this case, by using @Deployment.testable=fasle and use the @ArquillianResource URL injection point to get a hold of a Secure Servlet in your deployment, for so to make a Secure Request on the client against this. The receving end should then be whithin a security context.

           

          If you e.g. have a EJB that requires the security context, and you want to test that incontainer, you would need to write your Assertions in your 'SecuredServlet' for this to work..

          • 2. Re: JEE Security for Tests
            toepi Newbie

            Aslak Knutsen wrote:

             

            The simples of course is to not test incontainer in this case, by using @Deployment.testable=fasle and use the @ArquillianResource URL injection point to get a hold of a Secure Servlet in your deployment, for so to make a Secure Request on the client against this. The receving end should then be whithin a security context.

            I use this for tests some 'legacy' WebServices - which have a own war with basic authtification (yes very secure - very good webservice most of it use rpc-style ) It work like a charm, before arquillian we have do the test manual after a manuell deployment. But how can I use this for call a EJB method without creating a war for it?

             

            Aslak Knutsen wrote:

             

            If you e.g. have a EJB that requires the security context, and you want to test that incontainer, you would need to write your Assertions in your 'SecuredServlet' for this to work..

            Can you explain this in more detail?

            - What must I do? Write a own Protocol, Servlet ... both ... or you mean create manuall a security context on the server - it should be possible but for every conatiner? ... okay we only support one container (no jboss ) at this time but my target is to do write std jee apps run an nearly all containers.