diff -r 4ebc2e2fb97c -r 71c04702a3d5 test/jdk/java/net/URLPermission/URLTest.java --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/test/jdk/java/net/URLPermission/URLTest.java Tue Sep 12 19:03:39 2017 +0200 @@ -0,0 +1,289 @@ +/* + * Copyright (c) 2013, 2016, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +import java.net.URLPermission; +/* + * @test + * @bug 8010464 + * @modules jdk.httpserver + * @library /lib/testlibrary/ + * @build jdk.testlibrary.SimpleSSLContext + * @run main/othervm URLTest + * @summary check URLPermission with Http(s)URLConnection + */ + +import java.net.*; +import java.io.*; +import java.security.*; +import java.util.concurrent.*; +import com.sun.net.httpserver.*; +import javax.net.ssl.*; +import jdk.testlibrary.SimpleSSLContext; + +public class URLTest { + + static boolean failed; + + public static void main (String[] args) throws Exception { + createServers(); + + try { + // Verify without a Security Manager + test1(); + test2(); + test3(); + + // Set the security manager. Each test will set its own policy. + Policy.setPolicy(new CustomPolicy()); + System.setSecurityManager(new SecurityManager()); + System.out.println("\n Security Manager has been set."); + + test1(); + test2(); + test3(); + + if (failed) + throw new RuntimeException("Test failed"); + } finally { + shutdown(); + } + } + + static void test1() throws IOException { + System.out.println("\n--- Test 1 ---"); + + boolean expectException = false; + SecurityManager sm = System.getSecurityManager(); + if (sm != null) { + expectException = true; + Policy.setPolicy(new CustomPolicy( + new URLPermission("http://127.0.0.1:"+httpPort+"/foo.html", "GET:X-Foo,Z-Bar"), + new URLPermission("https://127.0.0.1:"+httpsPort+"/foo.html", "POST:X-Fob,T-Bar"))); + } + + String url1 = "http://127.0.0.1:"+httpPort+"/foo.html"; + String url2 = "https://127.0.0.1:"+httpsPort+"/foo.html"; + String url3 = "http://127.0.0.1:"+httpPort+"/bar.html"; + String url4 = "https://127.0.0.1:"+httpsPort+"/bar.html"; + + // simple positive test. Should succeed + test(url1, "GET", "X-Foo"); + test(url1, "GET", "Z-Bar", "X-Foo"); + test(url1, "GET", "X-Foo", "Z-Bar"); + test(url1, "GET", "Z-Bar"); + test(url2, "POST", "X-Fob"); + + // reverse the methods, should fail + test(url1, "POST", "X-Foo", expectException); + test(url2, "GET", "X-Fob", expectException); + + // different URLs, should fail + test(url3, "GET", "X-Foo", expectException); + test(url4, "POST", "X-Fob", expectException); + } + + static void test2() throws IOException { + System.out.println("\n--- Test 2 ---"); + + SecurityManager sm = System.getSecurityManager(); + if (sm != null) { + Policy.setPolicy(new CustomPolicy( + new URLPermission("http://127.0.0.1:"+httpPort+"/*", "GET:X-Foo"), + new URLPermission("https://127.0.0.1:"+httpsPort+"/*", "POST:X-Fob"))); + } + + String url1 = "http://127.0.0.1:"+httpPort+"/foo.html"; + String url2 = "https://127.0.0.1:"+httpsPort+"/foo.html"; + String url3 = "http://127.0.0.1:"+httpPort+"/bar.html"; + String url4 = "https://127.0.0.1:"+httpsPort+"/bar.html"; + + // simple positive test. Should succeed + test(url1, "GET", "X-Foo"); + test(url2, "POST", "X-Fob"); + test(url3, "GET", "X-Foo"); + test(url4, "POST", "X-Fob"); + } + + static void test3() throws IOException { + System.out.println("\n--- Test 3 ---"); + + boolean expectException = false; + SecurityManager sm = System.getSecurityManager(); + if (sm != null) { + expectException = true; + Policy.setPolicy(new CustomPolicy( + new URLPermission("http://127.0.0.1:"+httpPort+"/a/b/-", "DELETE,GET:X-Foo,Y-Foo"), + new URLPermission("https://127.0.0.1:"+httpsPort+"/a/c/-", "POST:*"))); + } + + String url1 = "http://127.0.0.1:"+httpPort+"/foo.html"; + String url2 = "https://127.0.0.1:"+httpsPort+"/a/c/d/e/foo.html"; + String url3 = "http://127.0.0.1:"+httpPort+"/a/b/c"; + String url4 = "https://127.0.0.1:"+httpsPort+"/a/b/c"; + + test(url1, "GET", "X-Foo", expectException); + test(url2, "POST", "X-Zxc"); + test(url3, "DELETE", "Y-Foo"); + test(url4, "POST", "Y-Foo", expectException); + } + + // Convenience methods to simplify previous explicit test scenarios. + static void test(String u, String method, String header) throws IOException { + test(u, method, header, null, false); + } + + static void test(String u, String method, String header, boolean expectException) + throws IOException + { + test(u, method, header, null, expectException); + } + + static void test(String u, String method, String header1, String header2) + throws IOException + { + test(u, method, header1, header2, false); + } + + static void test(String u, + String method, + String header1, + String header2, + boolean expectException) + throws IOException + { + URL url = new URL(u); + System.out.println("url=" + u + " method=" + method + + " header1=" + header1 + " header2=" + header2 + + " expectException=" + expectException); + HttpURLConnection urlc = (HttpURLConnection)url.openConnection(); + if (urlc instanceof HttpsURLConnection) { + HttpsURLConnection ssl = (HttpsURLConnection)urlc; + ssl.setHostnameVerifier((host, sess) -> true); + ssl.setSSLSocketFactory(ctx.getSocketFactory()); + } + urlc.setRequestMethod(method); + if (header1 != null) + urlc.addRequestProperty(header1, "foo"); + if (header2 != null) + urlc.addRequestProperty(header2, "bar"); + + try { + int code = urlc.getResponseCode(); + if (expectException) { + failed = true; + System.out.println("FAIL"); + return; + } + if (code != 200) + throw new RuntimeException("Unexpected response " + code); + + InputStream is = urlc.getInputStream(); + is.readAllBytes(); + is.close(); + } catch (RuntimeException e) { + if (!expectException || !(e.getCause() instanceof SecurityException)) { + System.out.println ("FAIL. Unexpected: " + e.getMessage()); + e.printStackTrace(); + failed = true; + return; + } else { + System.out.println("Got expected exception: " + e.getMessage()); + } + } + System.out.println ("PASS"); + } + + static HttpServer httpServer; + static HttpsServer httpsServer; + static HttpContext c, cs; + static ExecutorService e, es; + static SSLContext ctx; + static int httpPort; + static int httpsPort; + + static void createServers() throws Exception { + InetSocketAddress any = new InetSocketAddress(0); + httpServer = HttpServer.create(any, 0); + httpsServer = HttpsServer.create(any, 0); + + OkHandler h = new OkHandler(); + + c = httpServer.createContext("/", h); + cs = httpsServer.createContext("/", h); + e = Executors.newCachedThreadPool(); + es = Executors.newCachedThreadPool(); + httpServer.setExecutor(e); + httpsServer.setExecutor(es); + + ctx = new SimpleSSLContext().get(); + httpsServer.setHttpsConfigurator(new HttpsConfigurator (ctx)); + + httpServer.start(); + httpsServer.start(); + + httpPort = httpServer.getAddress().getPort(); + httpsPort = httpsServer.getAddress().getPort(); + } + + static void shutdown() { + httpServer.stop(1); + httpsServer.stop(1); + e.shutdown(); + es.shutdown(); + } + + static class OkHandler implements HttpHandler { + public void handle(HttpExchange x) throws IOException { + x.sendResponseHeaders(200, -1); + x.close(); + } + } + + static class CustomPolicy extends Policy { + final PermissionCollection perms = new Permissions(); + CustomPolicy(Permission... permissions) { + java.util.Arrays.stream(permissions).forEach(perms::add); + + // needed for the HTTP(S) server + perms.add(new SocketPermission("localhost:1024-", "listen,resolve,accept")); + // needed by the test to reset the policy, per testX method + perms.add(new SecurityPermission("setPolicy")); + // needed to shutdown the ThreadPoolExecutor ( used by the servers ) + perms.add(new RuntimePermission("modifyThread")); + // needed by the client code forHttpsURLConnection.setSSLSocketFactory + perms.add(new RuntimePermission("setFactory")); + } + + public PermissionCollection getPermissions(ProtectionDomain domain) { + return perms; + } + + public PermissionCollection getPermissions(CodeSource codesource) { + return perms; + } + + public boolean implies(ProtectionDomain domain, Permission perm) { + return perms.implies(perm); + } + } +}