Merge pull request #20 from Altenfrost/master

Fix for #19
wttech · Jul 25, 2017 · e91e03a · e91e03a
2 parents 4c4829d + 59eef29
commit e91e03a
Showing 1 changed file with 32 additions and 12 deletions.
diff --git a/src/main/java/com/cognifide/secureaem/tests/DefaultPasswordsTest.java b/src/main/java/com/cognifide/secureaem/tests/DefaultPasswordsTest.java
@@ -4,13 +4,16 @@
 import java.net.HttpURLConnection;
 import java.net.URISyntaxException;
 
+import java.util.ArrayList;
+import java.util.List;
+
 import org.apache.http.HttpResponse;
+import org.apache.http.NameValuePair;
 import org.apache.http.auth.AuthenticationException;
-import org.apache.http.auth.UsernamePasswordCredentials;
-import org.apache.http.client.methods.HttpGet;
-import org.apache.http.client.methods.HttpUriRequest;
-import org.apache.http.impl.auth.BasicScheme;
+import org.apache.http.client.entity.UrlEncodedFormEntity;
+import org.apache.http.client.methods.HttpPost;
 import org.apache.http.impl.client.DefaultHttpClient;
+import org.apache.http.message.BasicNameValuePair;
 import org.apache.http.util.EntityUtils;
 
 import com.cognifide.secureaem.AbstractTest;
@@ -21,23 +24,28 @@
 
 /**
  * Check if user with given login and password exists on given instance.
- * 
- * @author trekawek
  *
+ * @author trekawek
  */
 public class DefaultPasswordsTest extends AbstractTest implements AuthorTest, PublishTest {
 
+	private static final String LOGIN_PATH = "/libs/granite/core/content/login.html/j_security_check";
+	private static final String USERNAME_FORM_PARAM_NAME = "j_username";
+	private static final String PASSWORD_FORM_PARAM_NAME = "j_password";
+	private static final String IS_VALIDATE_FORM_PARAM_NAME = "j_validate";
+
 	public DefaultPasswordsTest(Configuration config) {
 		super(config);
 	}
 
 	@Override
 	public boolean doTest(String url, String instanceName) throws Exception {
+		String loginUrl = url + LOGIN_PATH;
 		boolean ok = true;
 		String[] users = config.getStringList("users");
 		for (String user : users) {
 			String[] split = UserHelper.splitUser(user);
-			if (split[1] != null && remoteUserExists(split, url)) {
+			if (split[1] != null && remoteUserExists(split, loginUrl)) {
 				addErrorMessage("User %s exists on %s", user, instanceName);
 				ok = false;
 			} else {
@@ -49,14 +57,26 @@ public boolean doTest(String url, String instanceName) throws Exception {
 
 	private boolean remoteUserExists(String[] user, String url) throws URISyntaxException,
 			IOException, AuthenticationException {
-		UsernamePasswordCredentials creds = new UsernamePasswordCredentials(user[0], user[1]);
 		DefaultHttpClient authorizedClient = new DefaultHttpClient();
-		HttpUriRequest request = new HttpGet(url);
-		request.addHeader(new BasicScheme().authenticate(creds, request, null));
-		HttpResponse response = authorizedClient.execute(request);
+
+		HttpPost httpPost = new HttpPost(url);
+		List<NameValuePair> params = getPostParamsList(user);
+		httpPost.setEntity(new UrlEncodedFormEntity(params));
+
+		HttpResponse response = authorizedClient.execute(httpPost);
 		EntityUtils.consume(response.getEntity());
 		int code = response.getStatusLine().getStatusCode();
-		return code != HttpURLConnection.HTTP_UNAUTHORIZED;
+		return code != HttpURLConnection.HTTP_FORBIDDEN;
+	}
+
+	private List<NameValuePair> getPostParamsList(String[] user) {
+		List<NameValuePair> params = new ArrayList<>();
+
+		params.add(new BasicNameValuePair(USERNAME_FORM_PARAM_NAME, user[0]));
+		params.add(new BasicNameValuePair(PASSWORD_FORM_PARAM_NAME, user[1]));
+		params.add(new BasicNameValuePair(IS_VALIDATE_FORM_PARAM_NAME, "true"));
+
+		return params;
 	}
 
 }