
Fixes to samples and improved test workout script

Luke Taylor 16 年之前
父節點
當前提交
cf5e713812

+ 2 - 2
samples/cas/client/src/main/webapp/WEB-INF/applicationContext-security.xml

@@ -9,14 +9,14 @@
         <sec:intercept-url pattern="/secure/extreme/**" access="ROLE_SUPERVISOR" requires-channel="https"/>
         <sec:intercept-url pattern="/secure/**" access="ROLE_USER" />
         <sec:logout logout-success-url="/cas-logout.jsp"/>
-        <sec:custom-filter ref="casProcessingFilter" after="CAS_PROCESSING_FILTER"/>        
+        <sec:custom-filter ref="casAuthenticationFilter" after="CAS_FILTER"/>
     </sec:http>
 
     <sec:authentication-manager alias="authenticationManager">
         <sec:authentication-provider ref="casAuthenticationProvider"/>
     </sec:authentication-manager>
 
-    <bean id="casProcessingFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter">
+    <bean id="casAuthenticationFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter">
         <property name="authenticationManager" ref="authenticationManager"/>
         <property name="authenticationFailureHandler">
             <bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">

+ 6 - 4
samples/ldap/pom.xml

@@ -42,14 +42,16 @@
         <dependency>
             <groupId>org.apache.directory.server</groupId>
             <artifactId>apacheds-core</artifactId>
-            <version>1.0.2</version>
-            <scope>runtime</scope>
+            <version>1.5.5</version>
+            <scope>compile</scope>
+            <optional>true</optional>
         </dependency>
         <dependency>
             <groupId>org.apache.directory.server</groupId>
             <artifactId>apacheds-server-jndi</artifactId>
-            <version>1.0.2</version>
-            <scope>runtime</scope>
+            <version>1.5.5</version>
+            <scope>compile</scope>
+            <optional>true</optional>
         </dependency>
         <dependency>
             <groupId>org.slf4j</groupId>
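Review bot: Both ApacheDS entries move from `runtime` to `compile` scope with `<optional>true</optional>`, but nothing in the POM says why the embedded directory server is now needed on the compile classpath or what `optional` is meant to achieve. A short comment above the first entry would record the intent, for example `<!-- embedded ApacheDS backs <s:ldap-server> in this sample; demo directory only -->`. The version `1.5.5` is also repeated in both entries, so a shared property (for example `${apacheds.version}`) would stop the two artifacts drifting apart on the next upgrade.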

+ 12 - 9
samples/ldap/src/main/webapp/WEB-INF/applicationContext-security.xml

@@ -1,8 +1,8 @@
 <beans xmlns="http://www.springframework.org/schema/beans"
     xmlns:s="http://www.springframework.org/schema/security"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
-    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.1.xsd">
+    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
+    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
 
     <s:http>
         <s:intercept-url pattern="/secure/extreme/**" access="ROLE_SUPERVISOR"/>
@@ -19,12 +19,16 @@
 
     <s:ldap-server ldif="classpath:users.ldif" port="33389"/>
 
-    <s:ldap-authentication-provider
-        group-search-filter="member={0}"
-        group-search-base="ou=groups"
-        user-search-base="ou=people"
-        user-search-filter="uid={0}"
-    />
+    <s:authentication-manager>
+        <s:ldap-authentication-provider
+            group-search-filter="member={0}"
+            group-search-base="ou=groups"
+            user-search-base="ou=people"
+            user-search-filter="uid={0}"
+        />
+        <s:authentication-provider ref='secondLdapProvider' />
+    </s:authentication-manager>
+
 
     <!-- Traditional Bean version of the same configuration -->
 
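Review bot: The new `<s:authentication-manager>` registers two providers without explaining that they duplicate each other. The namespace `ldap-authentication-provider` and `secondLdapProvider` appear to target the same directory, since the context comment calls the latter the "Traditional Bean version of the same configuration". With both registered, a login rejected by the first provider is presumably retried by the second, so each bad password would cost two bind attempts. Copied into a deployment with directory-side lockout counters, that would double the count per failure. A comment inside the element would make this clear, for example `<!-- secondLdapProvider duplicates the namespace provider for demonstration; register only one in a real application -->`. As a style point, `ref='secondLdapProvider'` uses single quotes where the rest of the file uses double quotes.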
@@ -34,7 +38,6 @@
     </bean>
 
     <bean id="secondLdapProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
-        <s:custom-authentication-provider />
         <constructor-arg>
             <bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
                 <constructor-arg ref="contextSource" />

+ 1 - 3
samples/preauth/src/main/webapp/WEB-INF/applicationContext-security.xml

@@ -88,8 +88,6 @@
 
     <bean id="roleVoter" class="org.springframework.security.access.vote.RoleVoter"/>
 
-    <bean id="securityContextHolderAwareRequestFilter" class="org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter">
-        <property name="wrapperClass" value="org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestWrapper"/>
-    </bean>
+    <bean id="securityContextHolderAwareRequestFilter" class="org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter"/>
 
 </beans>

+ 166 - 12
samples/runall.sh

@@ -1,6 +1,19 @@
 #! /bin/sh
+# $Id$
+#
+# See http://curl.netmirror.org/docs/httpscripting.html
+#
+
+set -o nounset
+set -o errexit
+
+ROOT_URL="http://localhost:8080"
+CONTENT=response.txt
+servlet_path=""
 
 cleanup() {
+  find . -name cookies.txt | xargs rm
+  find . -name $CONTENT | xargs rm  
   find . -name runall.log | xargs rm
 }
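Review bot: The new `set -o errexit` makes the `find … | xargs rm` pipelines in `cleanup` fragile. When no matching file exists (a fresh checkout), an xargs implementation that still runs the command on empty input invokes `rm` with no operands, the pipeline fails, and the script stops before any sample is started. `find . -name cookies.txt -exec rm -f {} +` avoids both the empty-input case and the word-splitting of paths, and the same form works for the other two lines. `$CONTENT` on the second added line should be quoted as `"$CONTENT"`.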
 
@@ -9,7 +22,7 @@ start_jetty()
   mvn -o jetty:run > runall.log &
   until (grep "Started Jetty Server" runall.log)
   do
-    echo "Waiting for server to start..."
+    echo "- Waiting for server to start... -"
     sleep 3    
   done
 }
@@ -18,41 +31,177 @@ stop_jetty() {
   kill $!
   until (grep "Jetty server exiting" runall.log)
   do
-    echo "Waiting for server to stop..."
+    echo "- Waiting for server to stop... -"
     sleep 2    
   done  
 }
 
+
+get() {
+    if [ -z "$1" ]                           # Is parameter #1 zero length?
+    then
+      echo "- URL argument is required -"
+      exit -1
+    else
+      echo "- GET \"$servlet_path$1\" -"
+    fi
+    
+    curl -b cookies.txt -c cookies.txt -i -o $CONTENT "$servlet_path$1"
+# We don't expect any 50x errors
+    if grep -q "HTTP/1.1 50" $CONTENT
+    then
+      echo "$CONTENT"
+      exit -1
+    fi
+    
+    echo "- Done -"
+}
+
+post() {
+    if [ $# -ne 2 ]                           # Is parameter #1 zero length?
+    then
+      echo "- Parameters and URL argument required -"
+      exit -1
+    else
+      echo "- POST \"$servlet_path$2\" -"
+    fi
+    curl -b cookies.txt -c cookies.txt -i -o $CONTENT -d $1 "$servlet_path$2"
+    echo "- Done -"    
+}
+
+assert() {
+    if [ -z "$1" ]
+    then
+      echo "-'Expected text' argument is required.-"
+      exit -1      
+    fi
+    
+    if ! grep -q "$1" $CONTENT
+    then
+      echo "- '$1' was not found in response... -"
+      exit -1
+    fi
+}
+
 cleanup
 
+#
+# Run the tests
+# 
+
 cd tutorial
-echo "Running tutorial app..."
+servlet_path="$ROOT_URL/tutorial"
+echo "- Running tutorial app... -"
 start_jetty
-curl http://localhost:8080/tutorial/
+get /index.jsp
+assert "Home Page"
+assert "Your principal object is....: null"
+get /secure/index.jsp
+assert "HTTP/1.1 302 Found"
+assert "Location:.*/spring_security_login"
+get /spring_security_login
+assert "Login with Username and Password"
+get "/j_spring_security_check?j_username=rod&j_password=koala"
+assert "HTTP/1.1 302 Found"
+assert "Location:.*/spring_security_login?login_error"
+get /spring_security_login?login_error
+assert "Authentication method not supported: GET"
+echo "- Logging in as Rod -"
+post "j_username=rod&j_password=koala" "/j_spring_security_check"
+assert "HTTP/1.1 302 Found"
+assert "Location:.*/secure/index.jsp"
+get /secure/index.jsp
+assert "Secure Page"
+assert "You are a supervisor!"
+get "/listAccounts.html"
+assert "Accounts" 
+# Rod can break his overdraft limit
+get "/post.html?id=1&amount=-200.00"
+assert "Accounts"
+get "/j_spring_security_logout"
+echo "- Logging in as Peter -"
+post "j_username=peter&j_password=opal" "/j_spring_security_check"
+assert "HTTP/1.1 302 Found"
+assert "Location:.*/tutorial/"
+# Peter can't do anything
+get "/post.html?id=4&amount=-20.00"
+assert "HTTP/1.1 403 Access is denied"
+get "/j_spring_security_logout"
+echo "- Logging in as Dianne -"
+post "j_username=dianne&j_password=emu" "/j_spring_security_check"
+# Dianne can't exceed overdraft
+get "/post.html?id=4&amount=-100.00"
+assert "Accounts"
+get "/post.html?id=4&amount=-20.00"
+assert "HTTP/1.1 403 Access is denied"
+get "/j_spring_security_logout"
 stop_jetty
 
-echo "Running contacts app..."
+echo "- Running contacts app... -"
 cd ../contacts
+servlet_path="$ROOT_URL/contacts"
 start_jetty
-curl http://localhost:8080/contacts/
+servlet_path="$ROOT_URL/contacts"
+get /hello.htm
+assert "Contacts Security Demo"
+get /secure/index.htm
+assert "HTTP/1.1 302 Found"
+assert "Location:.*/login.jsp"
+echo "- Logging in as Rod -"
+post "j_username=rod&j_password=koala" "/j_spring_security_check"
+assert "HTTP/1.1 302 Found"
+get /secure/index.htm
+assert "rod's Contacts"
+assert "John Smith"
+get "/secure/del.htm?contactId=1"
+assert "Deleted"
+assert "john@somewhere.com"
+get /secure/index.htm
+get "/secure/adminPermission.htm?contactId=4"
+assert "Administer Permissions"
+get "/secure/addPermission.htm?contactId=4"
+assert "Add Permission"
+post "recipient=bill&permission=16" "/secure/addPermission.htm?contactId=4"
+get "/secure/adminPermission.htm?contactId=4"
+assert "PrincipalSid\[bill\].*A....=16\]"
+get /secure/index.htm
+get "/j_spring_security_logout"
 stop_jetty
 
-echo "Running ldap app..."
+echo "- Running ldap app... -"
 cd ../ldap
 start_jetty
-curl http://localhost:8080/ldap/
+servlet_path="$ROOT_URL/ldap"
+get "/"
+assert "Home Page"
+get "/secure/"
+assert "HTTP/1.1 302 Found"
+assert "Location:.*/spring_security_login"
+echo "- Logging in as Rod -"
+post "j_username=rod&j_password=koala" "/j_spring_security_check"
+assert "HTTP/1.1 302 Found"
+assert "Location:.*/secure"
+get "/secure/"
+assert "Secure Page"
+get "/j_spring_security_logout"
 stop_jetty
 
-echo "Running preauth app..."
+echo "- Running preauth app... -"
 cd ../preauth
+servlet_path="$ROOT_URL/preauth"
 start_jetty
-curl http://localhost:8080/preauth/
+get "/"
+assert "HTTP/1.1 401 Unauthorized"
+assert "WWW-Authenticate: Basic realm=\"Preauth Realm\""
+curl -b cookies.txt -c cookies.txt -u rod:koala -i -o $CONTENT "$servlet_path/"
+assert "Home Page"
+get "/j_spring_security_logout"
 stop_jetty
 
 
 cd ../cas
 
-if [[ -e ./server/cas-server-webapp-3.3.1.war ]]
+if [[ -e ./server/cas-server-webapp-3.3.3.war ]]
 then
    echo "Found cas server war. Running cas sample"
    cd server
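Review bot: The failure paths in `get`, `post` and `assert` call `exit -1` while Jetty is still running in the background, so a failed assertion appears to leave a server bound to port 8080 for the next run. An `EXIT` trap that stops the background process would cover this. `exit -1` is also not a valid status for a `#! /bin/sh` script, and the changed cas check uses `[[ … ]]`, which plain sh does not guarantee either; `exit 1` and `[ -e … ]` are the portable forms. Under the newly added `set -o nounset`, `[ -z "$1" ]` aborts on an omitted argument before the friendly message is printed, and the 50x branch in `get` echoes the file name instead of the response. In `post`, `-d $1` should be `-d "$1"` and the copied comment "Is parameter #1 zero length?" no longer describes the `$# -ne 2` test. The hunk ends inside the cas `if` block, which continues in the next hunk.

```shell
get() {
    if [ -z "${1:-}" ]                       # nounset-safe: an omitted argument reads as empty
    then
      echo "- URL argument is required -"
      exit 1
    fi
    echo "- GET \"$servlet_path$1\" -"

    curl -b cookies.txt -c cookies.txt -i -o "$CONTENT" "$servlet_path$1"
    # We don't expect any 50x errors
    if grep -q "HTTP/1.1 50" "$CONTENT"
    then
      cat "$CONTENT"                         # show the failing response, not the file name
      exit 1
    fi

    echo "- Done -"
}
# … unchanged: post(), assert() (same exit-status and quoting changes apply) …
```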
@@ -60,7 +209,12 @@ then
    SERVERPID=$!
    cd ../client
    start_jetty
-   curl http://localhost:8080/cas-sample/
+   get "/"
+   assert "Home Page"
+   get "/secure/index.jsp"
+   assert "HTTP/1.1 302 Found"
+   assert "Location: https://localhost:9443/cas/login?service=https%3A%2F%2Flocalhost%3A8443%2Fcas-sample%2Fj_spring_cas_security_check"
+   get "https://localhost:9443/cas/login?service=https%3A%2F%2Flocalhost%3A8443%2Fcas-sample%2Fj_spring_cas_security_check"
    kill $SERVERPID
    stop_jetty
 fi
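Review bot: The cas branch never assigns `servlet_path`, so `get "/"` and `get "/secure/index.jsp"` still use the value left by the preauth section and request `$ROOT_URL/preauth/…`. The removed line targeted `http://localhost:8080/cas-sample/`, so the intended fix is probably `servlet_path="$ROOT_URL/cas-sample"` before `start_jetty`. The final `get "https://localhost:9443/cas/login?…"` passes an absolute URL to a helper that always prepends `$servlet_path`, which yields a malformed URL. That request should call curl directly, as the preauth section does for its `-u` request, and curl will presumably need the sample's CA certificate (`--cacert`) to accept the https endpoint. The last request also has no `assert` after it, so the CAS login page is fetched but never checked.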