]> source.dussan.org Git - archiva.git/blob
projects / archiva.git / blob
? search:


4d29198a67c15c176d2c88ff3fb7308d4f01f4b8
[archiva.git] /
1 package org.apache.maven.archiva.webdav;
2
3 /*
4  * Licensed to the Apache Software Foundation (ASF) under one
5  * or more contributor license agreements.  See the NOTICE file
6  * distributed with this work for additional information
7  * regarding copyright ownership.  The ASF licenses this file
8  * to you under the Apache License, Version 2.0 (the
9  * "License"); you may not use this file except in compliance
10  * with the License.  You may obtain a copy of the License at
11  *
12  *  http://www.apache.org/licenses/LICENSE-2.0
13  *
14  * Unless required by applicable law or agreed to in writing,
15  * software distributed under the License is distributed on an
16  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
17  * KIND, either express or implied.  See the License for the
18  * specific language governing permissions and limitations
19  * under the License.
20  */
21
22 import java.io.File;
23 import java.io.IOException;
24 import java.io.InputStream;
25
26 import javax.servlet.http.HttpServletResponse;
27
28 import net.sf.ehcache.CacheManager;
29
30 import org.apache.commons.io.FileUtils;
31 import org.apache.jackrabbit.webdav.DavSessionProvider;
32 import org.apache.maven.archiva.configuration.ArchivaConfiguration;
33 import org.apache.maven.archiva.configuration.Configuration;
34 import org.apache.maven.archiva.configuration.ManagedRepositoryConfiguration;
35 import org.apache.maven.archiva.security.ArchivaXworkUser;
36 import org.apache.maven.archiva.security.ServletAuthenticator;
37 import org.codehaus.plexus.redback.authentication.AuthenticationException;
38 import org.codehaus.plexus.redback.authentication.AuthenticationResult;
39 import org.codehaus.plexus.redback.authorization.UnauthorizedException;
40 import org.codehaus.plexus.redback.system.DefaultSecuritySession;
41 import org.codehaus.plexus.redback.system.SecuritySession;
42 import org.codehaus.plexus.redback.users.memory.SimpleUser;
43 import org.codehaus.plexus.spring.PlexusInSpringTestCase;
44 import org.codehaus.redback.integration.filter.authentication.HttpAuthenticator;
45 import org.codehaus.redback.integration.filter.authentication.basic.HttpBasicAuthentication;
46 import org.easymock.MockControl;
47 import org.easymock.classextension.MockClassControl;
48
49 import com.meterware.httpunit.GetMethodWebRequest;
50 import com.meterware.httpunit.HttpUnitOptions;
51 import com.meterware.httpunit.PutMethodWebRequest;
52 import com.meterware.httpunit.WebRequest;
53 import com.meterware.httpunit.WebResponse;
54 import com.meterware.servletunit.InvocationContext;
55 import com.meterware.servletunit.ServletRunner;
56 import com.meterware.servletunit.ServletUnitClient;
57
58 /**
59  * RepositoryServletSecurityTest
60  * 
61  * Test the flow of the authentication and authorization checks. This does not necessarily
62  * perform redback security checking.
63  * 
64  * @version $Id$
65  */
66 public class RepositoryServletSecurityTest
67     extends PlexusInSpringTestCase
68 {
69     protected static final String REPOID_INTERNAL = "internal";
70
71     protected ServletUnitClient sc;
72
73     protected File repoRootInternal;
74
75     private ServletRunner sr;
76
77     protected ArchivaConfiguration archivaConfiguration;
78
79     private DavSessionProvider davSessionProvider;
80
81     private MockControl servletAuthControl;
82
83     private ServletAuthenticator servletAuth;
84
85     private MockClassControl httpAuthControl;
86
87     private HttpAuthenticator httpAuth;
88
89     private RepositoryServlet servlet;
90     
91     public void setUp()
92         throws Exception
93     {
94         super.setUp();
95
96         String appserverBase = getTestFile( "target/appserver-base" ).getAbsolutePath();
97         System.setProperty( "appserver.base", appserverBase );
98
99         File testConf = getTestFile( "src/test/resources/repository-archiva.xml" );
100         File testConfDest = new File( appserverBase, "conf/archiva.xml" );
101         FileUtils.copyFile( testConf, testConfDest );
102
103         archivaConfiguration = (ArchivaConfiguration) lookup( ArchivaConfiguration.class );
104         repoRootInternal = new File( appserverBase, "data/repositories/internal" );
105         Configuration config = archivaConfiguration.getConfiguration();
106
107         config.addManagedRepository( createManagedRepository( REPOID_INTERNAL, "Internal Test Repo", repoRootInternal ) );
108         saveConfiguration( archivaConfiguration );
109
110         CacheManager.getInstance().removeCache( "url-failures-cache" );
111
112         HttpUnitOptions.setExceptionsThrownOnErrorStatus( false );
113
114         sr = new ServletRunner( getTestFile( "src/test/resources/WEB-INF/repository-servlet-security-test/web.xml" ) );
115         sr.registerServlet( "/repository/*", RepositoryServlet.class.getName() );
116         sc = sr.newClient();
117
118         servletAuthControl = MockControl.createControl( ServletAuthenticator.class );
119         servletAuthControl.setDefaultMatcher( MockControl.ALWAYS_MATCHER );
120         servletAuth = (ServletAuthenticator) servletAuthControl.getMock();
121
122         httpAuthControl =
123             MockClassControl.createControl( HttpBasicAuthentication.class, HttpBasicAuthentication.class.getMethods() );
124         httpAuthControl.setDefaultMatcher( MockControl.ALWAYS_MATCHER );
125         httpAuth = (HttpAuthenticator) httpAuthControl.getMock();
126
127         ArchivaXworkUser archivaXworkUser = (ArchivaXworkUser) lookup( ArchivaXworkUser.class );
128
129         davSessionProvider = new ArchivaDavSessionProvider( servletAuth, httpAuth, archivaXworkUser );      
130     }
131
132     protected ManagedRepositoryConfiguration createManagedRepository( String id, String name, File location )
133     {
134         ManagedRepositoryConfiguration repo = new ManagedRepositoryConfiguration();
135         repo.setId( id );
136         repo.setName( name );
137         repo.setLocation( location.getAbsolutePath() );
138         return repo;
139     }
140
141     protected void saveConfiguration()
142         throws Exception
143     {
144         saveConfiguration( archivaConfiguration );
145     }
146
147     protected void saveConfiguration( ArchivaConfiguration archivaConfiguration )
148         throws Exception
149     {
150         archivaConfiguration.save( archivaConfiguration.getConfiguration() );
151     }
152
153     protected void setupCleanRepo( File repoRootDir )
154         throws IOException
155     {
156         FileUtils.deleteDirectory( repoRootDir );
157         if ( !repoRootDir.exists() )
158         {
159             repoRootDir.mkdirs();
160         }
161     }
162
163     @Override
164     protected String getPlexusConfigLocation()
165     {
166         return "org/apache/maven/archiva/webdav/RepositoryServletSecurityTest.xml";
167     }
168
169     @Override
170     protected void tearDown()
171         throws Exception
172     {
173         if ( sc != null )
174         {
175             sc.clearContents();
176         }
177
178         if ( sr != null )
179         {
180             sr.shutDown();
181         }
182
183         if ( repoRootInternal.exists() )
184         {
185             FileUtils.deleteDirectory(repoRootInternal);
186         }
187
188         servlet = null;
189         
190         super.tearDown();
191     }
192
193     // test deploy with invalid user, and guest has no write access to repo
194     // 401 must be returned
195     public void testPutWithInvalidUserAndGuestHasNoWriteAccess()
196         throws Exception
197     {
198         setupCleanRepo( repoRootInternal );
199
200         String putUrl = "http://machine.com/repository/internal/path/to/artifact.jar";
201         InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
202         assertNotNull( "artifact.jar inputstream", is );
203
204         WebRequest request = new PutMethodWebRequest( putUrl, is, "application/octet-stream" );
205         InvocationContext ic = sc.newInvocation( request );
206         servlet = (RepositoryServlet) ic.getServlet();
207         servlet.setDavSessionProvider( davSessionProvider );
208
209         AuthenticationResult result = new AuthenticationResult();
210         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
211         servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ),
212                            new AuthenticationException( "Authentication error" ) );
213         
214         servletAuth.isAuthorized( "guest", "internal", true );        
215         servletAuthControl.setMatcher( MockControl.EQUALS_MATCHER );
216         servletAuthControl.setThrowable( new UnauthorizedException( "'guest' has no write access to repository" ) );
217
218         httpAuthControl.replay();
219         servletAuthControl.replay();
220         
221         servlet.service( ic.getRequest(), ic.getResponse() );
222         
223         httpAuthControl.verify();
224         servletAuthControl.verify();
225
226         //assertEquals(HttpServletResponse.SC_UNAUTHORIZED, response.getResponseCode());
227     }
228
229     // test deploy with invalid user, but guest has write access to repo
230     public void testPutWithInvalidUserAndGuestHasWriteAccess()
231         throws Exception
232     {
233         setupCleanRepo( repoRootInternal );
234
235         String putUrl = "http://machine.com/repository/internal/path/to/artifact.jar";
236         InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
237         assertNotNull( "artifact.jar inputstream", is );
238
239         WebRequest request = new PutMethodWebRequest( putUrl, is, "application/octet-stream" );
240
241         InvocationContext ic = sc.newInvocation( request );
242         servlet = (RepositoryServlet) ic.getServlet();
243         servlet.setDavSessionProvider( davSessionProvider );
244
245         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
246         archivaDavResourceFactory.setHttpAuth( httpAuth );
247         archivaDavResourceFactory.setServletAuth( servletAuth );
248
249         servlet.setResourceFactory( archivaDavResourceFactory );
250         
251         AuthenticationResult result = new AuthenticationResult();
252         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
253         servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ),
254                                            new AuthenticationException( "Authentication error" ) );
255         
256         servletAuth.isAuthorized( "guest", "internal", true );
257         servletAuthControl.setMatcher( MockControl.EQUALS_MATCHER );
258         servletAuthControl.setReturnValue( true );
259                 
260      // ArchivaDavResourceFactory#isAuthorized()
261         SecuritySession session = new DefaultSecuritySession();
262         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
263         httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true) ), session );
264         servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, result ),
265                                            new AuthenticationException( "Authentication error" ) );
266         
267         httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), null );
268         
269         // check if guest has write access
270         servletAuth.isAuthorized( "guest", "internal", true );
271         servletAuthControl.setMatcher( MockControl.EQUALS_MATCHER );
272         servletAuthControl.setReturnValue( true );
273         
274         httpAuthControl.replay();
275         servletAuthControl.replay();
276
277         servlet.service( ic.getRequest(), ic.getResponse() );
278
279         httpAuthControl.verify();
280         servletAuthControl.verify();
281
282         // assertEquals( HttpServletResponse.SC_CREATED, response.getResponseCode() );
283     }
284
285     // test deploy with a valid user with no write access
286     public void testPutWithValidUserWithNoWriteAccess()
287         throws Exception
288     {
289         setupCleanRepo( repoRootInternal );
290
291         String putUrl = "http://machine.com/repository/internal/path/to/artifact.jar";
292         InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
293         assertNotNull( "artifact.jar inputstream", is );
294         
295         WebRequest request = new PutMethodWebRequest( putUrl, is, "application/octet-stream" );
296         
297         InvocationContext ic = sc.newInvocation( request ); 
298         servlet = (RepositoryServlet) ic.getServlet();
299         servlet.setDavSessionProvider( davSessionProvider );
300         
301         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
302         archivaDavResourceFactory.setHttpAuth( httpAuth );
303         archivaDavResourceFactory.setServletAuth( servletAuth );
304         servlet.setResourceFactory( archivaDavResourceFactory );
305
306         AuthenticationResult result = new AuthenticationResult();
307         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
308         servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, null ), true );
309         
310      // ArchivaDavResourceFactory#isAuthorized()
311         SecuritySession session = new DefaultSecuritySession();
312         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
313         httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );
314         servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );
315         servletAuthControl.expectAndThrow( servletAuth.isAuthorized( null, session, "internal", true ),
316                                            new UnauthorizedException( "User not authorized" ) );
317                 
318         httpAuthControl.replay();
319         servletAuthControl.replay();
320         
321         servlet.service( ic.getRequest(), ic.getResponse() );
322
323         httpAuthControl.verify();
324         servletAuthControl.verify();
325         
326         // assertEquals(HttpServletResponse.SC_UNAUTHORIZED, response.getResponseCode());
327     }
328
329     // test deploy with a valid user with write access
330     public void testPutWithValidUserWithWriteAccess()
331         throws Exception
332     {
333         setupCleanRepo( repoRootInternal );
334         assertTrue( repoRootInternal.exists() );
335
336         String putUrl = "http://machine.com/repository/internal/path/to/artifact.jar";
337         InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
338         assertNotNull( "artifact.jar inputstream", is );
339
340         WebRequest request = new PutMethodWebRequest( putUrl, is, "application/octet-stream" );
341
342         InvocationContext ic = sc.newInvocation( request );
343         servlet = (RepositoryServlet) ic.getServlet();
344         servlet.setDavSessionProvider( davSessionProvider );
345
346         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
347         archivaDavResourceFactory.setHttpAuth( httpAuth );
348         archivaDavResourceFactory.setServletAuth( servletAuth );
349
350         servlet.setResourceFactory( archivaDavResourceFactory );
351
352         AuthenticationResult result = new AuthenticationResult();
353         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
354         servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, null ), true );
355
356         // ArchivaDavResourceFactory#isAuthorized()
357         SecuritySession session = new DefaultSecuritySession();
358         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
359         httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );
360         httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), new SimpleUser() );
361         servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );
362         servletAuthControl.expectAndReturn( servletAuth.isAuthorized( null, session, "internal", true ), true );
363
364         httpAuthControl.replay();
365         servletAuthControl.replay();
366
367         servlet.service( ic.getRequest(), ic.getResponse() );
368
369         httpAuthControl.verify();
370         servletAuthControl.verify();
371
372         // assertEquals(HttpServletResponse.SC_CREATED, response.getResponseCode());
373     }
374
375     // test get with invalid user, and guest has read access to repo
376     public void testGetWithInvalidUserAndGuestHasReadAccess()
377         throws Exception
378     {
379         String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
380         String expectedArtifactContents = "dummy-commons-lang-artifact";
381
382         File artifactFile = new File( repoRootInternal, commonsLangJar );
383         artifactFile.getParentFile().mkdirs();
384
385         FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, null );
386
387         WebRequest request = new GetMethodWebRequest( "http://machine.com/repository/internal/" + commonsLangJar );
388         InvocationContext ic = sc.newInvocation( request );
389         servlet = (RepositoryServlet) ic.getServlet();
390         servlet.setDavSessionProvider( davSessionProvider );
391         
392         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
393         archivaDavResourceFactory.setHttpAuth( httpAuth );
394         archivaDavResourceFactory.setServletAuth( servletAuth );
395
396         servlet.setResourceFactory( archivaDavResourceFactory );
397
398         AuthenticationResult result = new AuthenticationResult();
399         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
400         servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ),
401                                            new AuthenticationException( "Authentication error" ) );
402         servletAuthControl.expectAndReturn( servletAuth.isAuthorized( "guest", "internal", false ), true );
403         
404      // ArchivaDavResourceFactory#isAuthorized()
405         SecuritySession session = new DefaultSecuritySession();
406         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
407         httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );
408         httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), null );
409         servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );
410         servletAuthControl.expectAndReturn( servletAuth.isAuthorized( null, session, "internal", true ), true );
411
412         httpAuthControl.replay();
413         servletAuthControl.replay();
414
415         WebResponse response = sc.getResponse( request );
416
417         httpAuthControl.verify();
418         servletAuthControl.verify();
419
420         assertEquals( HttpServletResponse.SC_OK, response.getResponseCode() );
421         assertEquals( "Expected file contents", expectedArtifactContents, response.getText() );
422     }
423
424     // test get with invalid user, and guest has no read access to repo
425     public void testGetWithInvalidUserAndGuestHasNoReadAccess()
426         throws Exception
427     {
428         String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
429         String expectedArtifactContents = "dummy-commons-lang-artifact";
430
431         File artifactFile = new File( repoRootInternal, commonsLangJar );
432         artifactFile.getParentFile().mkdirs();
433
434         FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, null );
435
436         WebRequest request = new GetMethodWebRequest( "http://machine.com/repository/internal/" + commonsLangJar );
437         InvocationContext ic = sc.newInvocation( request );
438         servlet = (RepositoryServlet) ic.getServlet();
439         servlet.setDavSessionProvider( davSessionProvider );
440
441         AuthenticationResult result = new AuthenticationResult();
442         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
443         servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ),
444                                            new AuthenticationException( "Authentication error" ) );
445         servletAuthControl.expectAndReturn( servletAuth.isAuthorized( "guest", "internal", false ), false );
446
447         httpAuthControl.replay();
448         servletAuthControl.replay();
449
450         WebResponse response = sc.getResponse( request );
451
452         httpAuthControl.verify();
453         servletAuthControl.verify();
454
455         assertEquals( HttpServletResponse.SC_UNAUTHORIZED, response.getResponseCode() );
456     }
457
458     // test get with valid user with read access to repo
459     public void testGetWithAValidUserWithReadAccess()
460         throws Exception
461     {
462         String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
463         String expectedArtifactContents = "dummy-commons-lang-artifact";
464
465         File artifactFile = new File( repoRootInternal, commonsLangJar );
466         artifactFile.getParentFile().mkdirs();
467
468         FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, null );
469
470         WebRequest request = new GetMethodWebRequest( "http://machine.com/repository/internal/" + commonsLangJar );
471         InvocationContext ic = sc.newInvocation( request );
472         servlet = (RepositoryServlet) ic.getServlet();
473         servlet.setDavSessionProvider( davSessionProvider );
474
475         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
476         archivaDavResourceFactory.setHttpAuth( httpAuth );
477         archivaDavResourceFactory.setServletAuth( servletAuth );
478
479         servlet.setResourceFactory( archivaDavResourceFactory );
480         
481         AuthenticationResult result = new AuthenticationResult();
482         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
483         servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, null ), true );
484         
485      // ArchivaDavResourceFactory#isAuthorized()
486         SecuritySession session = new DefaultSecuritySession();
487         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
488         httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );
489         httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), new SimpleUser() );
490         servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );
491         servletAuthControl.expectAndReturn( servletAuth.isAuthorized( null, session, "internal", true ), true );
492         
493         httpAuthControl.replay();
494         servletAuthControl.replay();
495
496         WebResponse response = sc.getResponse( request );
497         
498         httpAuthControl.verify();
499         servletAuthControl.verify();
500
501         assertEquals( HttpServletResponse.SC_OK, response.getResponseCode() );
502         assertEquals( "Expected file contents", expectedArtifactContents, response.getText() );
503     }
504
505     // test get with valid user with no read access to repo
506     public void testGetWithAValidUserWithNoReadAccess()
507         throws Exception
508     {
509         String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
510         String expectedArtifactContents = "dummy-commons-lang-artifact";
511
512         File artifactFile = new File( repoRootInternal, commonsLangJar );
513         artifactFile.getParentFile().mkdirs();
514
515         FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, null );
516
517         WebRequest request = new GetMethodWebRequest( "http://machine.com/repository/internal/" + commonsLangJar );
518         InvocationContext ic = sc.newInvocation( request );
519         servlet = (RepositoryServlet) ic.getServlet();
520         servlet.setDavSessionProvider( davSessionProvider );
521
522         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
523         archivaDavResourceFactory.setHttpAuth( httpAuth );
524         archivaDavResourceFactory.setServletAuth( servletAuth );
525
526         servlet.setResourceFactory( archivaDavResourceFactory );
527         
528         AuthenticationResult result = new AuthenticationResult();
529         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
530         servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, null ), true );
531
532      // ArchivaDavResourceFactory#isAuthorized()
533         SecuritySession session = new DefaultSecuritySession();
534         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
535         httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );
536         servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );
537         servletAuthControl.expectAndThrow( servletAuth.isAuthorized( null, session, "internal", true ),
538                                            new UnauthorizedException( "User not authorized to read repository." ) );
539         
540         httpAuthControl.replay();
541         servletAuthControl.replay();
542         
543         WebResponse response = sc.getResponse( request );
544
545         httpAuthControl.verify();
546         servletAuthControl.verify();
547         
548         assertEquals( HttpServletResponse.SC_UNAUTHORIZED, response.getResponseCode() );
549     }
550 }
Apache Archiva Repository: https://github.com/apache/archiva