/* * Copyright (C) 2006, 2007 XStream Committers. * All rights reserved. * * The software in this package is published under the terms of the BSD * style license a copy of which has been included with this distribution in * the LICENSE.txt file. * * Created on 24. March 2006 by Joerg Schaible */ package com.thoughtworks.acceptance; import com.thoughtworks.acceptance.objects.Software; import com.thoughtworks.xstream.XStream; import com.thoughtworks.xstream.converters.reflection.PureJavaReflectionProvider; import com.thoughtworks.xstream.core.JVM; import com.thoughtworks.xstream.io.xml.DomDriver; import com.thoughtworks.xstream.testutil.DynamicSecurityManager; import junit.framework.TestCase; import java.io.File; import java.io.FilePermission; import java.lang.reflect.ReflectPermission; import java.security.CodeSource; import java.security.Permission; import java.security.Policy; import java.security.cert.Certificate; import java.util.Iterator; import java.util.PropertyPermission; /** * Test XStream with an active SecurityManager. Note, that it is intentional, that this test is * not derived from AbstractAcceptanceTest to avoid loaded classes before the SecurityManager is * in action. Also run each fixture in its own to avoid side-effects. * * @author Jörg Schaible */ public class SecurityManagerTest extends TestCase { private XStream xstream; private DynamicSecurityManager securityManager; private CodeSource defaultCodeSource; private File mainClasses; private File testClasses; private File libs; private File libsJDK13; protected void setUp() throws Exception { super.setUp(); System.setSecurityManager(null); defaultCodeSource = new CodeSource(null, (Certificate[])null); mainClasses = new File(new File( new File(System.getProperty("user.dir"), "target"), "classes"), "-"); testClasses = new File(new File( new File(System.getProperty("user.dir"), "target"), "test-classes"), "-"); libs = new File(new File(System.getProperty("user.dir"), "lib"), "*"); if (!JVM.is14()) { libsJDK13 = new File(new File( new File(System.getProperty("user.dir"), "lib"), "jdk1.3"), "*"); } securityManager = new DynamicSecurityManager(); Policy policy = Policy.getPolicy(); securityManager.setPermissions(defaultCodeSource, policy .getPermissions(defaultCodeSource)); securityManager.addPermission(defaultCodeSource, new RuntimePermission( "setSecurityManager")); } protected void tearDown() throws Exception { System.setSecurityManager(null); super.tearDown(); } protected void runTest() throws Throwable { try { super.runTest(); } catch(Throwable e) { for (final Iterator iter = securityManager.getFailedPermissions().iterator(); iter.hasNext();) { final Permission permission = (Permission)iter.next(); System.out.println("SecurityException: Permission " + permission.toString()); } throw e; } } public void testSerializeWithXpp3DriverAndSun14ReflectionProviderAndActiveSecurityManager() { if (JVM.is14()) { securityManager.addPermission(defaultCodeSource, new FilePermission(mainClasses .toString(), "read")); securityManager.addPermission(defaultCodeSource, new FilePermission(testClasses .toString(), "read")); securityManager.addPermission(defaultCodeSource, new FilePermission( libs.toString(), "read")); securityManager.addPermission(defaultCodeSource, new RuntimePermission( "accessDeclaredMembers")); securityManager.addPermission(defaultCodeSource, new RuntimePermission( "accessClassInPackage.sun.reflect")); securityManager.addPermission(defaultCodeSource, new RuntimePermission( "accessClassInPackage.sun.misc")); securityManager.addPermission(defaultCodeSource, new RuntimePermission( "createClassLoader")); securityManager.addPermission(defaultCodeSource, new RuntimePermission( "reflectionFactoryAccess")); securityManager.addPermission(defaultCodeSource, new ReflectPermission( "suppressAccessChecks")); // permissions necessary for CGLIBMapper securityManager.addPermission(defaultCodeSource, new PropertyPermission( "cglib.debugLocation", "read")); securityManager.addPermission(defaultCodeSource, new RuntimePermission( "getProtectionDomain")); securityManager.setReadOnly(); System.setSecurityManager(securityManager); // uses implicit Sun14ReflectionProvider in JDK >= 1.4, since it has the appropriate // rights xstream = new XStream(); assertBothWays(); } } public void testSerializeWithXpp3DriverAndPureJavaReflectionProviderAndActiveSecurityManager() { securityManager.addPermission(defaultCodeSource, new FilePermission(mainClasses .toString(), "read")); securityManager.addPermission(defaultCodeSource, new FilePermission(testClasses .toString(), "read")); securityManager.addPermission(defaultCodeSource, new FilePermission( libs.toString(), "read")); if (libsJDK13 != null) { securityManager.addPermission(defaultCodeSource, new FilePermission(libsJDK13 .toString(), "read")); } securityManager.addPermission(defaultCodeSource, new RuntimePermission( "accessDeclaredMembers")); securityManager.addPermission(defaultCodeSource, new RuntimePermission( "createClassLoader")); securityManager.addPermission(defaultCodeSource, new ReflectPermission( "suppressAccessChecks")); // permissions necessary for CGLIBMapper securityManager.addPermission(defaultCodeSource, new PropertyPermission( "cglib.debugLocation", "read")); securityManager.addPermission(defaultCodeSource, new RuntimePermission( "getProtectionDomain")); securityManager.setReadOnly(); System.setSecurityManager(securityManager); xstream = new XStream(new PureJavaReflectionProvider()); assertBothWays(); } public void testSerializeWithDomDriverAndPureJavaReflectionProviderAndActiveSecurityManager() { securityManager.addPermission(defaultCodeSource, new FilePermission(mainClasses .toString(), "read")); securityManager.addPermission(defaultCodeSource, new FilePermission(testClasses .toString(), "read")); securityManager.addPermission(defaultCodeSource, new FilePermission( libs.toString(), "read")); if (libsJDK13 != null) { securityManager.addPermission(defaultCodeSource, new FilePermission(libsJDK13 .toString(), "read")); } securityManager.addPermission(defaultCodeSource, new RuntimePermission( "accessDeclaredMembers")); securityManager.addPermission(defaultCodeSource, new RuntimePermission( "createClassLoader")); securityManager.addPermission(defaultCodeSource, new ReflectPermission( "suppressAccessChecks")); // permissions necessary for CGLIBMapper securityManager.addPermission(defaultCodeSource, new PropertyPermission( "cglib.debugLocation", "read")); securityManager.addPermission(defaultCodeSource, new RuntimePermission( "getProtectionDomain")); securityManager.setReadOnly(); System.setSecurityManager(securityManager); // uses implicit PureJavaReflectionProvider, since Sun14ReflectionProvider cannot be // loaded xstream = new XStream(new DomDriver()); assertBothWays(); } private void assertBothWays() { xstream.alias("software", Software.class); final Software sw = new Software("jw", "xstr"); final String xml = "\n" + " jw\n" + " xstr\n" + ""; String resultXml = xstream.toXML(sw); assertEquals(xml, resultXml); Object resultRoot = xstream.fromXML(resultXml); if (!sw.equals(resultRoot)) { assertEquals("Object deserialization failed", "DESERIALIZED OBJECT\n" + xstream.toXML(sw), "DESERIALIZED OBJECT\n" + xstream.toXML(resultRoot)); } } }