Java ESAPI.authenticator方法代码示例

import org.owasp.esapi.ESAPI; //导入方法依赖的package包/类
public void setUp() throws Exception {
    // setup the user in session
	
	if ( user == null ) {
		String accountName = ESAPI.randomizer().getRandomString(8, EncoderConstants.CHAR_ALPHANUMERICS);
		Authenticator instance = ESAPI.authenticator();
		String password = instance.generateStrongPassword();
		instance.setCurrentUser(user);
		user = instance.createUser(accountName, password, password);
		user.enable();
	}
	
	request = new MockHttpServletRequest( new URL( "http://www.example.com/index" ) );
       response = new MockHttpServletResponse();
       waf = new ESAPIWebApplicationFirewallFilter();
       
       WAFTestUtility.setWAFPolicy(waf, "/waf-policy.xml");
}
 

import org.owasp.esapi.ESAPI; //导入方法依赖的package包/类
/**
* Test of update method, of class org.owasp.esapi.AccessReferenceMap.
* 
* @throws AuthenticationException
   *             the authentication exception
   * @throws EncryptionException
*/
  public void testUpdate() throws AuthenticationException, EncryptionException {
      System.out.println("update");
  	IntegerAccessReferenceMap arm = new IntegerAccessReferenceMap();
  	Authenticator auth = ESAPI.authenticator();
  	
  	String pass = auth.generateStrongPassword();
  	User u = auth.createUser( "armUpdate", pass, pass );
  	
  	// test to make sure update returns something
arm.update(auth.getUserNames());
String indirect = arm.getIndirectReference( u.getAccountName() );
if ( indirect == null ) fail();

// test to make sure update removes items that are no longer in the list
auth.removeUser( u.getAccountName() );
arm.update(auth.getUserNames());
indirect = arm.getIndirectReference( u.getAccountName() );
if ( indirect != null ) fail();

// test to make sure old indirect reference is maintained after an update
arm.update(auth.getUserNames());
String newIndirect = arm.getIndirectReference( u.getAccountName() );
assertEquals(indirect, newIndirect);
  }
 

import org.owasp.esapi.ESAPI; //导入方法依赖的package包/类
/**
 * Test of isSessionAbsoluteTimeout method, of class
 * org.owasp.esapi.IntrusionDetector.
 * 
 * @throws AuthenticationException
 *             the authentication exception
 */
public void testIsSessionAbsoluteTimeout() throws AuthenticationException {
	System.out.println("isSessionAbsoluteTimeout");
	Authenticator instance = ESAPI.authenticator();
	String oldPassword = instance.generateStrongPassword();
	DefaultUser user = createTestUser(oldPassword);
	long now = System.currentTimeMillis();
	// setup request and response
	MockHttpServletRequest request = new MockHttpServletRequest();
	MockHttpServletResponse response = new MockHttpServletResponse();
	ESAPI.httpUtilities().setCurrentHTTP(request, response);
	MockHttpSession session = (MockHttpSession)request.getSession();
			
	// set session creation -3 hours (default is 2 hour timeout)		
	session.setCreationTime( now - (1000 * 60 * 60 * 3) );
	assertTrue(user.isSessionAbsoluteTimeout());
	
	// set session creation -1 hour (default is 2 hour timeout)
	session.setCreationTime( now - (1000 * 60 * 60 * 1) );
	assertFalse(user.isSessionAbsoluteTimeout());
}
 

import org.owasp.esapi.ESAPI; //导入方法依赖的package包/类
/**
 * Test of isSessionTimeout method, of class
 * org.owasp.esapi.IntrusionDetector.
 * 
 * @throws AuthenticationException
 *             the authentication exception
 */
public void testIsSessionTimeout() throws AuthenticationException {
	System.out.println("isSessionTimeout");
	Authenticator instance = ESAPI.authenticator();
	String oldPassword = instance.generateStrongPassword();
	DefaultUser user = createTestUser(oldPassword);
	long now = System.currentTimeMillis();
	// setup request and response
	MockHttpServletRequest request = new MockHttpServletRequest();
	MockHttpServletResponse response = new MockHttpServletResponse();
	ESAPI.httpUtilities().setCurrentHTTP(request, response);
	MockHttpSession session = (MockHttpSession)request.getSession();
	
	// set creation -30 mins (default is 20 min timeout)
	session.setAccessedTime( now - 1000 * 60 * 30 );
	assertTrue(user.isSessionTimeout());
	
	// set creation -1 hour (default is 20 min timeout)
	session.setAccessedTime( now - 1000 * 60 * 10 );
	assertFalse(user.isSessionTimeout());
}
 

import org.owasp.esapi.ESAPI; //导入方法依赖的package包/类
/**
    *
    * @throws org.owasp.esapi.errors.AuthenticationException
    */
   public void testGetSessions() throws AuthenticationException {
       System.out.println("getSessions");
       Authenticator instance = ESAPI.authenticator();
       String accountName = ESAPI.randomizer().getRandomString(8, EncoderConstants.CHAR_ALPHANUMERICS);
       String password = ESAPI.authenticator().generateStrongPassword();
       User user = instance.createUser(accountName, password, password);
       HttpSession session1 = new MockHttpSession();
       user.addSession( session1 );
       HttpSession session2 = new MockHttpSession();
       user.addSession( session2 );
       HttpSession session3 = new MockHttpSession();
       user.addSession( session3 );
       Set sessions = user.getSessions();
       Iterator i = sessions.iterator();
       while ( i.hasNext() ) {
           HttpSession s = (HttpSession)i.next();
           System.out.println( ">>>" + s.getId() );
       }
       assertTrue(sessions.size() == 3);
}
 

import org.owasp.esapi.ESAPI; //导入方法依赖的package包/类
/**
 * Test of main method, of class org.owasp.esapi.Authenticator.
 * @throws Exception
 */
public void testMain() throws Exception {
    System.out.println("Authenticator Main");
    Authenticator instance = ESAPI.authenticator();
    String accountName = ESAPI.randomizer().getRandomString(8, EncoderConstants.CHAR_ALPHANUMERICS);
    String password = instance.generateStrongPassword();
    String role = "test";
    
    // test wrong parameters - missing role parameter
    String[] badargs = { accountName, password };
    FileBasedAuthenticator.main( badargs );
    // load users since the new user was added in another instance
    ((FileBasedAuthenticator)instance).loadUsersImmediately();
    User u1 = instance.getUser(accountName);
    assertNull( u1 );

    // test good parameters
    String[] args = { accountName, password, role };
    FileBasedAuthenticator.main(args);
    // load users since the new user was added in another instance
    ((FileBasedAuthenticator)instance).loadUsersImmediately();
    DefaultUser u2 = (DefaultUser) instance.getUser(accountName);
    assertNotNull( u2 );
    assertTrue( u2.isInRole(role));
    assertEquals( instance.hashPassword(password, accountName), ((FileBasedAuthenticator)instance).getHashedPassword(u2) );
}
 

import org.owasp.esapi.ESAPI; //导入方法依赖的package包/类
/**
 * Test of logout method, of class org.owasp.esapi.User.
 * 
 * @throws AuthenticationException
 *             the authentication exception
 */
public void testLogout() throws AuthenticationException {
	System.out.println("logout");
	MockHttpServletRequest request = new MockHttpServletRequest();
	MockHttpServletResponse response = new MockHttpServletResponse();
	MockHttpSession session = (MockHttpSession) request.getSession();
	assertFalse(session.getInvalidated());
	Authenticator instance = ESAPI.authenticator();
	ESAPI.httpUtilities().setCurrentHTTP(request, response);
	String oldPassword = instance.generateStrongPassword();
	DefaultUser user = createTestUser(oldPassword);
	user.enable();
	System.out.println(user.getLastLoginTime());
	user.loginWithPassword(oldPassword);
	assertTrue(user.isLoggedIn());
	// get new session after user logs in
	session = (MockHttpSession) request.getSession();
	assertFalse(session.getInvalidated());
	user.logout();
	assertFalse(user.isLoggedIn());
	assertTrue(session.getInvalidated());
}
 

import org.owasp.esapi.ESAPI; //导入方法依赖的package包/类
/**
* Test of update method, of class org.owasp.esapi.AccessReferenceMap.
* 
* @throws AuthenticationException
   *             the authentication exception
   * @throws EncryptionException
*/
  public void testUpdate() throws AuthenticationException, EncryptionException {
      System.out.println("update");
  	RandomAccessReferenceMap arm = new RandomAccessReferenceMap();
  	Authenticator auth = ESAPI.authenticator();
  	
  	String pass = auth.generateStrongPassword();
  	User u = auth.createUser( "armUpdate", pass, pass );
  	
  	// test to make sure update returns something
arm.update(auth.getUserNames());
String indirect = arm.getIndirectReference( u.getAccountName() );
if ( indirect == null ) fail();

// test to make sure update removes items that are no longer in the list
auth.removeUser( u.getAccountName() );
arm.update(auth.getUserNames());
indirect = arm.getIndirectReference( u.getAccountName() );
if ( indirect != null ) fail();

// test to make sure old indirect reference is maintained after an update
arm.update(auth.getUserNames());
String newIndirect = arm.getIndirectReference( u.getAccountName() );
assertEquals(indirect, newIndirect);
  }
 

import org.owasp.esapi.ESAPI; //导入方法依赖的package包/类
/**
 * Test of addRoles method, of class org.owasp.esapi.User.
 * 
 * @throws AuthenticationException
 *             the authentication exception
 */
public void testAddRoles() throws AuthenticationException {
	System.out.println("addRoles");
	Authenticator instance = ESAPI.authenticator();
	String oldPassword = instance.generateStrongPassword();
	DefaultUser user = createTestUser(oldPassword);
	Set set = new HashSet();
	set.add("rolea");
	set.add("roleb");
	user.addRoles(set);
	assertTrue(user.isInRole("rolea"));
	assertTrue(user.isInRole("roleb"));
	assertFalse(user.isInRole("ridiculous"));
}
 

import org.owasp.esapi.ESAPI; //导入方法依赖的package包/类
/**
 * Test get last login time.
 * 
 * @throws Exception
 *             the exception
 */
public void testGetLastLoginTime() throws Exception {
	System.out.println("getLastLoginTime");
	Authenticator instance = ESAPI.authenticator();
	String oldPassword = instance.generateStrongPassword();
	DefaultUser user = createTestUser(oldPassword);
	user.verifyPassword(oldPassword);
	Date llt1 = user.getLastLoginTime();
	Thread.sleep(10); // need a short delay to separate attempts
	user.verifyPassword(oldPassword);
	Date llt2 = user.getLastLoginTime();
	assertTrue(llt1.before(llt2));
}
 

import org.owasp.esapi.ESAPI; //导入方法依赖的package包/类
/**
 * Test of isAuthorizedForFile method, of class
 * org.owasp.esapi.AccessController.
 */
public void testIsAuthorizedForFile() {
	System.out.println("isAuthorizedForFile");
	AccessController instance = ESAPI.accessController();
	Authenticator auth = ESAPI.authenticator();
	
	auth.setCurrentUser( auth.getUser("testuser1") );
	assertTrue(instance.isAuthorizedForFile("/Dir/File1"));
	assertFalse(instance.isAuthorizedForFile("/Dir/File2"));
	assertTrue(instance.isAuthorizedForFile("/Dir/File3"));
	assertFalse(instance.isAuthorizedForFile("/Dir/ridiculous"));

	auth.setCurrentUser( auth.getUser("testuser2") );
	assertFalse(instance.isAuthorizedForFile("/Dir/File1"));
	assertTrue(instance.isAuthorizedForFile("/Dir/File2"));
	assertTrue(instance.isAuthorizedForFile("/Dir/File4"));
	assertFalse(instance.isAuthorizedForFile("/Dir/ridiculous"));

	auth.setCurrentUser( auth.getUser("testuser3") );
	assertTrue(instance.isAuthorizedForFile("/Dir/File1"));
	assertTrue(instance.isAuthorizedForFile("/Dir/File2"));
	assertFalse(instance.isAuthorizedForFile("/Dir/File5"));
	assertFalse(instance.isAuthorizedForFile("/Dir/ridiculous"));

	try {
		instance.assertAuthorizedForFile("/Dir/File1");
		instance.assertAuthorizedForFile( "/Dir/File6" );
		fail();
	} catch ( AccessControlException e ) {
		// expected
	}
}
 

import org.owasp.esapi.ESAPI; //导入方法依赖的package包/类
/**
 * Test of getRoles method, of class org.owasp.esapi.User.
    *
    * @throws Exception
    */
public void testGetRoles() throws Exception {
	System.out.println("getRoles");
	Authenticator instance = ESAPI.authenticator();
	String accountName = ESAPI.randomizer().getRandomString(8, EncoderConstants.CHAR_ALPHANUMERICS);
	String password = ESAPI.authenticator().generateStrongPassword();
	String role = ESAPI.randomizer().getRandomString(8, EncoderConstants.CHAR_LOWERS);
	User user = instance.createUser(accountName, password, password);
	user.addRole(role);
	Set roles = user.getRoles();
	assertTrue(roles.size() > 0);
}
 

import org.owasp.esapi.ESAPI; //导入方法依赖的package包/类
/**
 * Test of login method, of class org.owasp.esapi.Authenticator.
 * 
 * @throws AuthenticationException
 *             the authentication exception
 */
public void testLogin() throws AuthenticationException {
	System.out.println("login");
       Authenticator instance = ESAPI.authenticator();
       String username = ESAPI.randomizer().getRandomString(8, EncoderConstants.CHAR_ALPHANUMERICS);
	String password = instance.generateStrongPassword();
	User user = instance.createUser(username, password, password);
	user.enable();
	MockHttpServletRequest request = new MockHttpServletRequest();
	request.addParameter("username", username);
	request.addParameter("password", password);
	MockHttpServletResponse response = new MockHttpServletResponse();
	User test = instance.login( request, response);
	assertTrue( test.isLoggedIn() );
}
 

import org.owasp.esapi.ESAPI; //导入方法依赖的package包/类
/**
 * Test of removeAccount method, of class org.owasp.esapi.Authenticator.
 * 
 * @throws Exception
 *             the exception
 */
public void testRemoveUser() throws Exception {
	System.out.println("removeUser");
	String accountName = ESAPI.randomizer().getRandomString(8, EncoderConstants.CHAR_ALPHANUMERICS);
       Authenticator instance = ESAPI.authenticator();
	String password = instance.generateStrongPassword();
	instance.createUser(accountName, password, password);
	assertTrue( instance.exists(accountName));
	instance.removeUser(accountName);
	assertFalse( instance.exists(accountName));
}
 

import org.owasp.esapi.ESAPI; //导入方法依赖的package包/类
/**
 * Test of saveUsers method, of class org.owasp.esapi.Authenticator.
 * 
 * @throws Exception
 *             the exception
 */
public void testSaveUsers() throws Exception {
	System.out.println("saveUsers");
	String accountName = ESAPI.randomizer().getRandomString(8, EncoderConstants.CHAR_ALPHANUMERICS);
       FileBasedAuthenticator instance = (FileBasedAuthenticator)ESAPI.authenticator();
	String password = instance.generateStrongPassword();
	instance.createUser(accountName, password, password);
	instance.saveUsers();
	assertNotNull( instance.getUser(accountName) );
	instance.removeUser(accountName);
	assertNull( instance.getUser(accountName) );
}