]> source.dussan.org Git - archiva.git/blob
projects / archiva.git / blob
? search:


9066331de60ce78583b224b45c833060a40e0e96
[archiva.git] /
1 package org.apache.maven.archiva.webdav;
2
3 /*
4  * Licensed to the Apache Software Foundation (ASF) under one
5  * or more contributor license agreements.  See the NOTICE file
6  * distributed with this work for additional information
7  * regarding copyright ownership.  The ASF licenses this file
8  * to you under the Apache License, Version 2.0 (the
9  * "License"); you may not use this file except in compliance
10  * with the License.  You may obtain a copy of the License at
11  *
12  *  http://www.apache.org/licenses/LICENSE-2.0
13  *
14  * Unless required by applicable law or agreed to in writing,
15  * software distributed under the License is distributed on an
16  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
17  * KIND, either express or implied.  See the License for the
18  * specific language governing permissions and limitations
19  * under the License.
20  */
21
22 import java.io.File;
23 import java.io.IOException;
24 import java.io.InputStream;
25
26 import javax.servlet.http.HttpServletResponse;
27
28 import net.sf.ehcache.CacheManager;
29
30 import org.apache.commons.io.FileUtils;
31 import org.apache.jackrabbit.webdav.DavSessionProvider;
32 import org.apache.maven.archiva.configuration.ArchivaConfiguration;
33 import org.apache.maven.archiva.configuration.Configuration;
34 import org.apache.maven.archiva.configuration.ManagedRepositoryConfiguration;
35 import org.apache.maven.archiva.security.ArchivaRoleConstants;
36 import org.apache.maven.archiva.security.ServletAuthenticator;
37 import org.codehaus.plexus.redback.authentication.AuthenticationException;
38 import org.codehaus.plexus.redback.authentication.AuthenticationResult;
39 import org.codehaus.plexus.redback.authorization.UnauthorizedException;
40 import org.codehaus.plexus.redback.system.DefaultSecuritySession;
41 import org.codehaus.plexus.redback.system.SecuritySession;
42 import org.codehaus.plexus.redback.users.memory.SimpleUser;
43 import org.codehaus.plexus.spring.PlexusInSpringTestCase;
44 import org.codehaus.redback.integration.filter.authentication.HttpAuthenticator;
45 import org.codehaus.redback.integration.filter.authentication.basic.HttpBasicAuthentication;
46 import org.easymock.MockControl;
47 import org.easymock.classextension.MockClassControl;
48
49 import com.meterware.httpunit.GetMethodWebRequest;
50 import com.meterware.httpunit.HttpUnitOptions;
51 import com.meterware.httpunit.PutMethodWebRequest;
52 import com.meterware.httpunit.WebRequest;
53 import com.meterware.httpunit.WebResponse;
54 import com.meterware.servletunit.InvocationContext;
55 import com.meterware.servletunit.ServletRunner;
56 import com.meterware.servletunit.ServletUnitClient;
57
58 /**
59  * RepositoryServletSecurityTest Test the flow of the authentication and authorization checks. This does not necessarily
60  * perform redback security checking.
61  * 
62  * @version $Id$
63  */
64 public class RepositoryServletSecurityTest
65     extends PlexusInSpringTestCase
66 {
67     protected static final String REPOID_INTERNAL = "internal";
68
69     protected ServletUnitClient sc;
70
71     protected File repoRootInternal;
72
73     private ServletRunner sr;
74
75     protected ArchivaConfiguration archivaConfiguration;
76
77     private DavSessionProvider davSessionProvider;
78
79     private MockControl servletAuthControl;
80
81     private ServletAuthenticator servletAuth;
82
83     private MockClassControl httpAuthControl;
84
85     private HttpAuthenticator httpAuth;
86
87     private RepositoryServlet servlet;
88
89     public void setUp()
90         throws Exception
91     {
92         super.setUp();
93
94         String appserverBase = getTestFile( "target/appserver-base" ).getAbsolutePath();
95         System.setProperty( "appserver.base", appserverBase );
96
97         File testConf = getTestFile( "src/test/resources/repository-archiva.xml" );
98         File testConfDest = new File( appserverBase, "conf/archiva.xml" );
99         FileUtils.copyFile( testConf, testConfDest );
100
101         archivaConfiguration = (ArchivaConfiguration) lookup( ArchivaConfiguration.class );
102         repoRootInternal = new File( appserverBase, "data/repositories/internal" );
103         Configuration config = archivaConfiguration.getConfiguration();
104
105         config.addManagedRepository( createManagedRepository( REPOID_INTERNAL, "Internal Test Repo", repoRootInternal ) );
106         saveConfiguration( archivaConfiguration );
107
108         CacheManager.getInstance().removeCache( "url-failures-cache" );
109
110         HttpUnitOptions.setExceptionsThrownOnErrorStatus( false );
111
112         sr = new ServletRunner( getTestFile( "src/test/resources/WEB-INF/repository-servlet-security-test/web.xml" ) );
113         sr.registerServlet( "/repository/*", RepositoryServlet.class.getName() );
114         sc = sr.newClient();
115
116         servletAuthControl = MockControl.createControl( ServletAuthenticator.class );
117         servletAuthControl.setDefaultMatcher( MockControl.ALWAYS_MATCHER );
118         servletAuth = (ServletAuthenticator) servletAuthControl.getMock();
119
120         httpAuthControl =
121             MockClassControl.createControl( HttpBasicAuthentication.class, HttpBasicAuthentication.class.getMethods() );
122         httpAuthControl.setDefaultMatcher( MockControl.ALWAYS_MATCHER );
123         httpAuth = (HttpAuthenticator) httpAuthControl.getMock();
124
125         davSessionProvider = new ArchivaDavSessionProvider( servletAuth, httpAuth );
126     }
127
128     protected ManagedRepositoryConfiguration createManagedRepository( String id, String name, File location )
129     {
130         ManagedRepositoryConfiguration repo = new ManagedRepositoryConfiguration();
131         repo.setId( id );
132         repo.setName( name );
133         repo.setLocation( location.getAbsolutePath() );
134         return repo;
135     }
136
137     protected void saveConfiguration()
138         throws Exception
139     {
140         saveConfiguration( archivaConfiguration );
141     }
142
143     protected void saveConfiguration( ArchivaConfiguration archivaConfiguration )
144         throws Exception
145     {
146         archivaConfiguration.save( archivaConfiguration.getConfiguration() );
147     }
148
149     protected void setupCleanRepo( File repoRootDir )
150         throws IOException
151     {
152         FileUtils.deleteDirectory( repoRootDir );
153         if ( !repoRootDir.exists() )
154         {
155             repoRootDir.mkdirs();
156         }
157     }
158
159     @Override
160     protected String getPlexusConfigLocation()
161     {
162         return "org/apache/maven/archiva/webdav/RepositoryServletSecurityTest.xml";
163     }
164
165     @Override
166     protected void tearDown()
167         throws Exception
168     {
169         if ( sc != null )
170         {
171             sc.clearContents();
172         }
173
174         if ( sr != null )
175         {
176             sr.shutDown();
177         }
178
179         if ( repoRootInternal.exists() )
180         {
181             FileUtils.deleteDirectory( repoRootInternal );
182         }
183
184         servlet = null;
185
186         super.tearDown();
187     }
188
189     // test deploy with invalid user, and guest has no write access to repo
190     // 401 must be returned
191     public void testPutWithInvalidUserAndGuestHasNoWriteAccess()
192         throws Exception
193     {
194         setupCleanRepo( repoRootInternal );
195
196         String putUrl = "http://machine.com/repository/internal/path/to/artifact.jar";
197         InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
198         assertNotNull( "artifact.jar inputstream", is );
199
200         WebRequest request = new PutMethodWebRequest( putUrl, is, "application/octet-stream" );
201         InvocationContext ic = sc.newInvocation( request );
202         servlet = (RepositoryServlet) ic.getServlet();
203         servlet.setDavSessionProvider( davSessionProvider );
204
205         AuthenticationResult result = new AuthenticationResult();
206         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
207         servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ),
208                                            new AuthenticationException( "Authentication error" ) );
209
210         servletAuth.isAuthorized( "guest", "internal", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
211         servletAuthControl.setMatcher( MockControl.EQUALS_MATCHER );
212         servletAuthControl.setThrowable( new UnauthorizedException( "'guest' has no write access to repository" ) );
213
214         httpAuthControl.replay();
215         servletAuthControl.replay();
216
217         servlet.service( ic.getRequest(), ic.getResponse() );
218
219         httpAuthControl.verify();
220         servletAuthControl.verify();
221
222         // assertEquals(HttpServletResponse.SC_UNAUTHORIZED, response.getResponseCode());
223     }
224
225     // test deploy with invalid user, but guest has write access to repo
226     public void testPutWithInvalidUserAndGuestHasWriteAccess()
227         throws Exception
228     {
229         setupCleanRepo( repoRootInternal );
230
231         String putUrl = "http://machine.com/repository/internal/path/to/artifact.jar";
232         InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
233         assertNotNull( "artifact.jar inputstream", is );
234
235         WebRequest request = new PutMethodWebRequest( putUrl, is, "application/octet-stream" );
236
237         InvocationContext ic = sc.newInvocation( request );
238         servlet = (RepositoryServlet) ic.getServlet();
239         servlet.setDavSessionProvider( davSessionProvider );
240
241         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
242         archivaDavResourceFactory.setHttpAuth( httpAuth );
243         archivaDavResourceFactory.setServletAuth( servletAuth );
244
245         servlet.setResourceFactory( archivaDavResourceFactory );
246
247         AuthenticationResult result = new AuthenticationResult();
248         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
249         servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ),
250                                            new AuthenticationException( "Authentication error" ) );
251
252         servletAuth.isAuthorized( "guest", "internal", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
253         servletAuthControl.setMatcher( MockControl.EQUALS_MATCHER );
254         servletAuthControl.setReturnValue( true );
255
256         // ArchivaDavResourceFactory#isAuthorized()
257         SecuritySession session = new DefaultSecuritySession();
258         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
259         httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );
260         servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, result ),
261                                            new AuthenticationException( "Authentication error" ) );
262
263         httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), null );
264
265         // check if guest has write access
266         servletAuth.isAuthorized( "guest", "internal", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
267         servletAuthControl.setMatcher( MockControl.EQUALS_MATCHER );
268         servletAuthControl.setReturnValue( true );
269
270         httpAuthControl.replay();
271         servletAuthControl.replay();
272
273         servlet.service( ic.getRequest(), ic.getResponse() );
274
275         httpAuthControl.verify();
276         servletAuthControl.verify();
277
278         // assertEquals( HttpServletResponse.SC_CREATED, response.getResponseCode() );
279     }
280
281     // test deploy with a valid user with no write access
282     public void testPutWithValidUserWithNoWriteAccess()
283         throws Exception
284     {
285         setupCleanRepo( repoRootInternal );
286
287         String putUrl = "http://machine.com/repository/internal/path/to/artifact.jar";
288         InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
289         assertNotNull( "artifact.jar inputstream", is );
290
291         WebRequest request = new PutMethodWebRequest( putUrl, is, "application/octet-stream" );
292
293         InvocationContext ic = sc.newInvocation( request );
294         servlet = (RepositoryServlet) ic.getServlet();
295         servlet.setDavSessionProvider( davSessionProvider );
296
297         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
298         archivaDavResourceFactory.setHttpAuth( httpAuth );
299         archivaDavResourceFactory.setServletAuth( servletAuth );
300         servlet.setResourceFactory( archivaDavResourceFactory );
301
302         AuthenticationResult result = new AuthenticationResult();
303         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
304         servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, null ), true );
305
306         // ArchivaDavResourceFactory#isAuthorized()
307         SecuritySession session = new DefaultSecuritySession();
308         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
309         httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );
310         httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), new SimpleUser() );
311         servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );
312         servletAuthControl.expectAndThrow(
313                                            servletAuth.isAuthorized( null, session, "internal",
314                                                                      ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ),
315                                            new UnauthorizedException( "User not authorized" ) );
316
317         httpAuthControl.replay();
318         servletAuthControl.replay();
319
320         servlet.service( ic.getRequest(), ic.getResponse() );
321
322         httpAuthControl.verify();
323         servletAuthControl.verify();
324
325         // assertEquals(HttpServletResponse.SC_UNAUTHORIZED, response.getResponseCode());
326     }
327
328     // test deploy with a valid user with write access
329     public void testPutWithValidUserWithWriteAccess()
330         throws Exception
331     {
332         setupCleanRepo( repoRootInternal );
333         assertTrue( repoRootInternal.exists() );
334
335         String putUrl = "http://machine.com/repository/internal/path/to/artifact.jar";
336         InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
337         assertNotNull( "artifact.jar inputstream", is );
338
339         WebRequest request = new PutMethodWebRequest( putUrl, is, "application/octet-stream" );
340
341         InvocationContext ic = sc.newInvocation( request );
342         servlet = (RepositoryServlet) ic.getServlet();
343         servlet.setDavSessionProvider( davSessionProvider );
344
345         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
346         archivaDavResourceFactory.setHttpAuth( httpAuth );
347         archivaDavResourceFactory.setServletAuth( servletAuth );
348
349         servlet.setResourceFactory( archivaDavResourceFactory );
350
351         AuthenticationResult result = new AuthenticationResult();
352         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
353         servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, null ), true );
354
355         // ArchivaDavResourceFactory#isAuthorized()
356         SecuritySession session = new DefaultSecuritySession();
357         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
358         httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );
359         httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), new SimpleUser() );
360         servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );
361         servletAuthControl.expectAndReturn(
362                                             servletAuth.isAuthorized( null, session, "internal",
363                                                                       ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ),
364                                             true );
365
366         httpAuthControl.replay();
367         servletAuthControl.replay();
368
369         servlet.service( ic.getRequest(), ic.getResponse() );
370
371         httpAuthControl.verify();
372         servletAuthControl.verify();
373
374         // assertEquals(HttpServletResponse.SC_CREATED, response.getResponseCode());
375     }
376
377     // test get with invalid user, and guest has read access to repo
378     public void testGetWithInvalidUserAndGuestHasReadAccess()
379         throws Exception
380     {
381         String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
382         String expectedArtifactContents = "dummy-commons-lang-artifact";
383
384         File artifactFile = new File( repoRootInternal, commonsLangJar );
385         artifactFile.getParentFile().mkdirs();
386
387         FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, null );
388
389         WebRequest request = new GetMethodWebRequest( "http://machine.com/repository/internal/" + commonsLangJar );
390         InvocationContext ic = sc.newInvocation( request );
391         servlet = (RepositoryServlet) ic.getServlet();
392         servlet.setDavSessionProvider( davSessionProvider );
393
394         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
395         archivaDavResourceFactory.setHttpAuth( httpAuth );
396         archivaDavResourceFactory.setServletAuth( servletAuth );
397
398         servlet.setResourceFactory( archivaDavResourceFactory );
399
400         AuthenticationResult result = new AuthenticationResult();
401         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
402         servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ),
403                                            new AuthenticationException( "Authentication error" ) );
404         servletAuthControl.expectAndReturn(
405                                             servletAuth.isAuthorized( "guest", "internal",
406                                                                       ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ),
407                                             true );
408
409         // ArchivaDavResourceFactory#isAuthorized()
410         SecuritySession session = new DefaultSecuritySession();
411         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
412         httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );
413         httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), null );
414         servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );
415         servletAuthControl.expectAndReturn(
416                                             servletAuth.isAuthorized( null, session, "internal",
417                                                                       ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ),
418                                             true );
419
420         httpAuthControl.replay();
421         servletAuthControl.replay();
422
423         WebResponse response = sc.getResponse( request );
424
425         httpAuthControl.verify();
426         servletAuthControl.verify();
427
428         assertEquals( HttpServletResponse.SC_OK, response.getResponseCode() );
429         assertEquals( "Expected file contents", expectedArtifactContents, response.getText() );
430     }
431
432     // test get with invalid user, and guest has no read access to repo
433     public void testGetWithInvalidUserAndGuestHasNoReadAccess()
434         throws Exception
435     {
436         String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
437         String expectedArtifactContents = "dummy-commons-lang-artifact";
438
439         File artifactFile = new File( repoRootInternal, commonsLangJar );
440         artifactFile.getParentFile().mkdirs();
441
442         FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, null );
443
444         WebRequest request = new GetMethodWebRequest( "http://machine.com/repository/internal/" + commonsLangJar );
445         InvocationContext ic = sc.newInvocation( request );
446         servlet = (RepositoryServlet) ic.getServlet();
447         servlet.setDavSessionProvider( davSessionProvider );
448
449         AuthenticationResult result = new AuthenticationResult();
450         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
451         servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ),
452                                            new AuthenticationException( "Authentication error" ) );
453         servletAuthControl.expectAndReturn(
454                                             servletAuth.isAuthorized( "guest", "internal",
455                                                                       ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ),
456                                             false );
457
458         httpAuthControl.replay();
459         servletAuthControl.replay();
460
461         WebResponse response = sc.getResponse( request );
462
463         httpAuthControl.verify();
464         servletAuthControl.verify();
465
466         assertEquals( HttpServletResponse.SC_UNAUTHORIZED, response.getResponseCode() );
467     }
468
469     // test get with valid user with read access to repo
470     public void testGetWithAValidUserWithReadAccess()
471         throws Exception
472     {
473         String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
474         String expectedArtifactContents = "dummy-commons-lang-artifact";
475
476         File artifactFile = new File( repoRootInternal, commonsLangJar );
477         artifactFile.getParentFile().mkdirs();
478
479         FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, null );
480
481         WebRequest request = new GetMethodWebRequest( "http://machine.com/repository/internal/" + commonsLangJar );
482         InvocationContext ic = sc.newInvocation( request );
483         servlet = (RepositoryServlet) ic.getServlet();
484         servlet.setDavSessionProvider( davSessionProvider );
485
486         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
487         archivaDavResourceFactory.setHttpAuth( httpAuth );
488         archivaDavResourceFactory.setServletAuth( servletAuth );
489
490         servlet.setResourceFactory( archivaDavResourceFactory );
491
492         AuthenticationResult result = new AuthenticationResult();
493         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
494         servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, null ), true );
495
496         // ArchivaDavResourceFactory#isAuthorized()
497         SecuritySession session = new DefaultSecuritySession();
498         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
499         httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );
500         httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), new SimpleUser() );
501         servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );
502         servletAuthControl.expectAndReturn(
503                                             servletAuth.isAuthorized( null, session, "internal",
504                                                                       ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ),
505                                             true );
506
507         httpAuthControl.replay();
508         servletAuthControl.replay();
509
510         WebResponse response = sc.getResponse( request );
511
512         httpAuthControl.verify();
513         servletAuthControl.verify();
514
515         assertEquals( HttpServletResponse.SC_OK, response.getResponseCode() );
516         assertEquals( "Expected file contents", expectedArtifactContents, response.getText() );
517     }
518
519     // test get with valid user with no read access to repo
520     public void testGetWithAValidUserWithNoReadAccess()
521         throws Exception
522     {
523         String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
524         String expectedArtifactContents = "dummy-commons-lang-artifact";
525
526         File artifactFile = new File( repoRootInternal, commonsLangJar );
527         artifactFile.getParentFile().mkdirs();
528
529         FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, null );
530
531         WebRequest request = new GetMethodWebRequest( "http://machine.com/repository/internal/" + commonsLangJar );
532         InvocationContext ic = sc.newInvocation( request );
533         servlet = (RepositoryServlet) ic.getServlet();
534         servlet.setDavSessionProvider( davSessionProvider );
535
536         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
537         archivaDavResourceFactory.setHttpAuth( httpAuth );
538         archivaDavResourceFactory.setServletAuth( servletAuth );
539
540         servlet.setResourceFactory( archivaDavResourceFactory );
541
542         AuthenticationResult result = new AuthenticationResult();
543         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
544         servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, null ), true );
545
546         // ArchivaDavResourceFactory#isAuthorized()
547         SecuritySession session = new DefaultSecuritySession();
548         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
549         httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );
550         httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), new SimpleUser() );
551         servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );
552         servletAuthControl.expectAndThrow(
553                                            servletAuth.isAuthorized( null, session, "internal",
554                                                                      ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ),
555                                            new UnauthorizedException( "User not authorized to read repository." ) );
556
557         httpAuthControl.replay();
558         servletAuthControl.replay();
559
560         WebResponse response = sc.getResponse( request );
561
562         httpAuthControl.verify();
563         servletAuthControl.verify();
564
565         assertEquals( HttpServletResponse.SC_UNAUTHORIZED, response.getResponseCode() );
566     }
567 }
Apache Archiva Repository: https://github.com/apache/archiva