18 package org.apache.commons.logging.security;
19
20 import static org.junit.Assert.assertNotEquals;
21
22 import java.io.PrintWriter;
23 import java.io.StringWriter;
24 import java.lang.reflect.Field;
25 import java.lang.reflect.Method;
26 import java.util.Hashtable;
27
28 import org.apache.commons.logging.Log;
29 import org.apache.commons.logging.LogFactory;
30 import org.apache.commons.logging.PathableClassLoader;
31 import org.apache.commons.logging.PathableTestSuite;
32
33 import junit.framework.Test;
34 import junit.framework.TestCase;
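/**
 * Exercises commons-logging while a {@link MockSecurityManager} is installed
 * as the JVM-wide {@link SecurityManager}.
 *
 * <p>Each test installs the mock manager, drives the logging API, restores
 * the previous manager and then asserts that
 * {@code MockSecurityManager.getUntrustedCodeCount()} is zero.
 *
 * <p>NOTE(review): the policy enforced by {@code MockSecurityManager} is not
 * visible in this file. Going by the class name it is presumably a
 * deny-everything policy for library code; confirm against that class
 * before relying on these tests as evidence of sandbox behaviour.
 */
public class SecurityForbiddenTestCase extends TestCase {

    /**
     * Hashtable subclass whose only purpose is to be recognisable by class
     * name when it is configured through
     * {@link LogFactory#HASHTABLE_IMPLEMENTATION_PROPERTY}.
     */
    public static class CustomHashtable extends Hashtable {

        private static final long serialVersionUID = 7224652794746236024L;
    }

    /**
     * Builds the suite so that this test class is loaded through a dedicated
     * {@link PathableClassLoader} rather than the default class loader.
     *
     * @return a suite that runs this class inside the custom class loader
     * @throws Exception if the test class cannot be loaded
     */
    public static Test suite() throws Exception {
        final PathableClassLoader parent = new PathableClassLoader(null);
        // JUnit classes must come from the loader that already loaded Test,
        // otherwise the runner and the test would see different Test types.
        final ClassLoader junitLoader = Test.class.getClassLoader();
        parent.useExplicitLoader("junit.", junitLoader);
        parent.useExplicitLoader("org.junit.", junitLoader);
        parent.addLogicalLib("commons-logging");
        parent.addLogicalLib("testclasses");

        final Class<?> testClass = parent.loadClass(
                "org.apache.commons.logging.security.SecurityForbiddenTestCase");
        return new PathableTestSuite(testClass, parent);
    }

    /** Security manager that was active before the test; restored afterwards. */
    private SecurityManager oldSecMgr;

    /** Second, independent class loader used by {@link #testContextClassLoader()}. */
    private ClassLoader otherClassLoader;

    /**
     * Tells whether the running JVM reports feature release 21.
     *
     * <p>The leading digits of {@code java.version} are compared, so the GA
     * string {@code "21"} and pre-release strings such as {@code "21-ea"} are
     * recognised as well as {@code "21.0.x"}. A plain
     * {@code startsWith("21.")} would miss the first two.
     *
     * @return {@code true} when the feature version is 21
     */
    private static boolean isJava21() {
        final String version = System.getProperty("java.version");
        if (version == null) {
            return false;
        }
        int end = 0;
        while (end < version.length() && Character.isDigit(version.charAt(end))) {
            end++;
        }
        return "21".equals(version.substring(0, end));
    }

    /**
     * Renders the stack trace of a throwable as text for a failure message.
     *
     * @param t the throwable to render
     * @return the output of {@link Throwable#printStackTrace(PrintWriter)}
     */
    private static String stackTraceOf(final Throwable t) {
        final StringWriter sw = new StringWriter();
        final PrintWriter pw = new PrintWriter(sw);
        t.printStackTrace(pw);
        pw.flush();
        return sw.toString();
    }

    /**
     * Loads a class through the given loader and instantiates it with its
     * public no-argument constructor. Any exception fails the current test.
     *
     * @param name fully qualified class name
     * @param classLoader loader to resolve the class with
     * @return the new instance; {@code null} is unreachable in practice
     *         because {@code fail} throws
     */
    private Object loadClass(final String name, final ClassLoader classLoader) {
        try {
            final Class<?> clazz = classLoader.loadClass(name);
            return clazz.getConstructor().newInstance();
        } catch (final Exception e) {
            fail("Unexpected exception:" + e.getMessage() + ":" + stackTraceOf(e));
        }
        return null;
    }

    @Override
    public void setUp() {
        // Remember the current manager so tearDown() can put it back.
        oldSecMgr = System.getSecurityManager();

        final PathableClassLoader classLoader = new PathableClassLoader(null);
        classLoader.addLogicalLib("commons-logging");
        classLoader.addLogicalLib("testclasses");

        otherClassLoader = classLoader;
    }

    @Override
    public void tearDown() {
        // The security manager is JVM-wide state: always restore it, even if
        // a test left the mock installed, so later tests are not affected.
        System.setSecurityManager(oldSecMgr);
    }

    /**
     * Obtains a {@link Log} and logs a message with the mock security manager
     * installed, then checks that the configured {@link CustomHashtable} was
     * not used for {@code LogFactory}'s {@code factories} table and that the
     * mock manager counted no untrusted code.
     */
    public void testAllForbidden() {
        // NOTE(review): a bare return reports the test as passed although
        // nothing was checked. Only feature release 21 is skipped here;
        // System.setSecurityManager is also restricted on other recent JDKs,
        // so confirm how the build configures those.
        if (isJava21()) {
            return;
        }
        // NOTE(review): this property is never cleared in this class;
        // presumably PathableTestSuite restores system properties - verify.
        System.setProperty(
                LogFactory.HASHTABLE_IMPLEMENTATION_PROPERTY,
                CustomHashtable.class.getName());
        final MockSecurityManager mySecurityManager = new MockSecurityManager();

        System.setSecurityManager(mySecurityManager);

        try {
            // LogFactory is resolved by name through this class's own loader
            // and called reflectively while the mock manager is active.
            final Class<?> c = this.getClass().getClassLoader().loadClass(
                    "org.apache.commons.logging.LogFactory");
            final Method m = c.getMethod("getLog", Class.class);
            final Log log = (Log) m.invoke(null, this.getClass());
            log.info("testing");

            // Restore the previous manager before touching the private
            // field; presumably the reflective access below would be
            // refused while the mock manager is installed.
            System.setSecurityManager(oldSecMgr);
            final Field factoryField = c.getDeclaredField("factories");
            factoryField.setAccessible(true);
            final Object factoryTable = factoryField.get(null);
            assertNotNull(factoryTable);
            final String ftClassName = factoryTable.getClass().getName();
            assertNotEquals("Custom hashtable unexpectedly used",
                    CustomHashtable.class.getName(), ftClassName);

            assertEquals(0, mySecurityManager.getUntrustedCodeCount());
        } catch (final Throwable t) {
            // Restore first, so building and reporting the failure does not
            // run under the mock manager.
            System.setSecurityManager(oldSecMgr);
            fail("Unexpected exception:" + t.getMessage() + ":" + stackTraceOf(t));
        }
    }

    /**
     * Loads and instantiates {@code DummyClass} through a separate class
     * loader while the mock security manager is installed, then checks that
     * the mock manager counted no untrusted code.
     */
    public void testContextClassLoader() {
        // NOTE(review): a bare return reports the test as passed although
        // nothing was checked; see the same guard in testAllForbidden().
        if (isJava21()) {
            return;
        }
        System.setProperty(
                LogFactory.HASHTABLE_IMPLEMENTATION_PROPERTY,
                CustomHashtable.class.getName());
        final MockSecurityManager mySecurityManager = new MockSecurityManager();

        System.setSecurityManager(mySecurityManager);

        try {
            // What DummyClass does on construction is not visible here;
            // presumably it triggers logging initialisation - verify.
            loadClass("org.apache.commons.logging.security.DummyClass", otherClassLoader);

            System.setSecurityManager(oldSecMgr);
            assertEquals(0, mySecurityManager.getUntrustedCodeCount());
        } catch (final Throwable t) {
            // Restore first, so building and reporting the failure does not
            // run under the mock manager.
            System.setSecurityManager(oldSecMgr);
            fail("Unexpected exception:" + t.getMessage() + ":" + stackTraceOf(t));
        }
    }
}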