4

In the project I'm working on, we are using OpenEJB as a framework to test our EJB. We construct an InitialContext programatically, and use it to get the transaction manager and the various EJB.

However, the EJB I have to test now has the @RolesAllowed annotation, and so OpenEJB refuses to get that EJB, arguing I don't have the permissions required.

How can I specify to OpenEJB the user this test is supposed to simulate, and the role associated with him?

Mat
  • 202,337
  • 40
  • 393
  • 406
Valentin Rocher
  • 11,667
  • 45
  • 59

2 Answers2

6

The @RunAs suggestion bkail mentions is definitely a good way to go. The second approach that doesn't involve inner classes is to login in the testcase.

Login approach

When you bootstrap OpenEJB, specify the user/pass in the InitialContext properties as follows:

public void testAsManager() throws Exception {
    Properties p = new Properties();
    p.put(Context.INITIAL_CONTEXT_FACTORY, "org.apache.openejb.client.LocalInitialContextFactory");
    p.put(Context.SECURITY_PRINCIPAL, "jane");
    p.put(Context.SECURITY_CREDENTIALS, "waterfall");

    InitialContext context = new InitialContext(p);

    try {
        movies.addMovie(new Movie("Quentin Tarantino", "Reservoir Dogs", 1992));
        movies.addMovie(new Movie("Joel Coen", "Fargo", 1996));
        movies.addMovie(new Movie("Joel Coen", "The Big Lebowski", 1998));

        List<Movie> list = movies.getMovies();
        assertEquals("List.size()", 3, list.size());

        for (Movie movie : list) {
            movies.deleteMovie(movie);
        }

        assertEquals("Movies.getMovies()", 0, movies.getMovies().size());
    } finally {
        context.close();
    }
}

Then perhaps test again as a different user:

public void testAsEmployee() throws Exception {
    Properties p = new Properties();
    p.put(Context.INITIAL_CONTEXT_FACTORY, "org.apache.openejb.client.LocalInitialContextFactory");
    p.put(Context.SECURITY_PRINCIPAL, "joe");
    p.put(Context.SECURITY_CREDENTIALS, "cool");

    InitialContext context = new InitialContext(p);

    try {
        movies.addMovie(new Movie("Quentin Tarantino", "Reservoir Dogs", 1992));
        movies.addMovie(new Movie("Joel Coen", "Fargo", 1996));
        movies.addMovie(new Movie("Joel Coen", "The Big Lebowski", 1998));

        List<Movie> list = movies.getMovies();
        assertEquals("List.size()", 3, list.size());

        for (Movie movie : list) {
            try {
                movies.deleteMovie(movie);
                fail("Employees should not be allowed to delete");
            } catch (EJBAccessException e) {
                // Good, Employees cannot delete things
            }
        }

        // The list should still be three movies long
        assertEquals("Movies.getMovies()", 3, movies.getMovies().size());
    } finally {
        context.close();
    }
}

Test users and groups

You can configure test users and groups by putting a users.properties and groups.properties file in the classpath of the testcase. In maven that'd be at the following locations:

  • src/test/resources/users.properties
  • src/test/resources/groups.properties

The users.properties file might look like this

joe=cool
jane=waterfall

And groups.properties like so

Manager=jane
Employee=jane,joe
David Blevins
  • 19,178
  • 3
  • 53
  • 68
  • So, creating the LocalInitialContextFactory establishes a thread security context, and closing it will end it? Interesting. Well, I guess it belongs on the OpenEJB examples page ;-). – Brett Kail Oct 09 '11 at 14:28
  • Seems like a good idea. I'll try that at work, and give you the bounty if it solves my problem :) – Valentin Rocher Oct 09 '11 at 14:28
  • @bkail It definitely should go on the examples page. We have a bit of a problem with the sheer number of examples we have and are trying to hack a tool to make them easier to find. See that [here](http://ci.apache.org/projects/openejb/examples-generated/). It's somewhat stackoverflow inspired. Any and all help with it would be incredibly welcome. – David Blevins Oct 12 '11 at 04:51
1

See the OpenEJB Testing Security Example. Basically, you indirect through a test bean that has no @RolesAllowed, but uses @RunAs to switch roles before calling the second bean.

Brett Kail
  • 33,593
  • 2
  • 85
  • 90
  • I'll try these examples as well, but @David's answer seems quite interesting in order to test the auth mechanism in the same test. I'll upvote both of your answers :) – Valentin Rocher Oct 09 '11 at 14:31
  • Well, thanks. David's answer covers programmatic login, which was your question, so picking his makes sense. – Brett Kail Oct 09 '11 at 14:33