summaryrefslogtreecommitdiff
path: root/tests/UnitTests/simpletest/docs/en/authentication_documentation.html
diff options
context:
space:
mode:
authorxue <>2006-07-07 14:54:15 +0000
committerxue <>2006-07-07 14:54:15 +0000
commit61bb16ee2e5f0a66234e1575242169a10fde47b5 (patch)
tree3ee24dcc36ceae2c213130df1ea3d5c9fc110a27 /tests/UnitTests/simpletest/docs/en/authentication_documentation.html
parent7b84938b1b5964f2274d66e28ba17435924ffe35 (diff)
Merge from 3.0 branch till 1253.
Diffstat (limited to 'tests/UnitTests/simpletest/docs/en/authentication_documentation.html')
-rw-r--r--tests/UnitTests/simpletest/docs/en/authentication_documentation.html320
1 files changed, 0 insertions, 320 deletions
diff --git a/tests/UnitTests/simpletest/docs/en/authentication_documentation.html b/tests/UnitTests/simpletest/docs/en/authentication_documentation.html
deleted file mode 100644
index a83f448b..00000000
--- a/tests/UnitTests/simpletest/docs/en/authentication_documentation.html
+++ /dev/null
@@ -1,320 +0,0 @@
-<html>
-<head>
-<META http-equiv="Content-Type" content="text/html; charset=UTF-8">
-<title>SimpleTest documentation for testing log-in and authentication</title>
-<link rel="stylesheet" type="text/css" href="docs.css" title="Styles">
-</head>
-<body>
-<div class="menu_back">
-<div class="menu">
-<h2>
-<a href="index.html">SimpleTest</a>
-</h2>
-<ul>
-<li>
-<a href="overview.html">Overview</a>
-</li>
-<li>
-<a href="unit_test_documentation.html">Unit tester</a>
-</li>
-<li>
-<a href="group_test_documentation.html">Group tests</a>
-</li>
-<li>
-<a href="server_stubs_documentation.html">Server stubs</a>
-</li>
-<li>
-<a href="mock_objects_documentation.html">Mock objects</a>
-</li>
-<li>
-<a href="partial_mocks_documentation.html">Partial mocks</a>
-</li>
-<li>
-<a href="reporter_documentation.html">Reporting</a>
-</li>
-<li>
-<a href="expectation_documentation.html">Expectations</a>
-</li>
-<li>
-<a href="web_tester_documentation.html">Web tester</a>
-</li>
-<li>
-<a href="form_testing_documentation.html">Testing forms</a>
-</li>
-<li>
-<span class="chosen">Authentication</span>
-</li>
-<li>
-<a href="browser_documentation.html">Scriptable browser</a>
-</li>
-</ul>
-</div>
-</div>
-<h1>Authentication documentation</h1>
-<div class="content">
-
- <p>
- One of the trickiest, and yet most important, areas
- of testing web sites is the security.
- Testing these schemes is one of the core goals of
- the SimpleTest web tester.
- </p>
-
- <p>
-<a class="target" name="basic">
-<h2>Basic HTTP authentication</h2>
-</a>
-</p>
- <p>
- If you fetch a page protected by basic authentication then
- rather than receiving content, you will instead get a 401
- header.
- We can illustrate this with this test...
-<pre>
-class AuthenticationTest extends WebTestCase {<strong>
- function test401Header() {
- $this-&gt;get('http://www.lastcraft.com/protected/');
- $this-&gt;showHeaders();
- }</strong>
-}
-</pre>
- This allows us to see the challenge header...
- <div class="demo">
- <h1>File test</h1>
-<pre style="background-color: lightgray; color: black">
-HTTP/1.1 401 Authorization Required
-Date: Sat, 18 Sep 2004 19:25:18 GMT
-Server: Apache/1.3.29 (Unix) PHP/4.3.4
-WWW-Authenticate: Basic realm="SimpleTest basic authentication"
-Connection: close
-Content-Type: text/html; charset=iso-8859-1
-</pre>
- <div style="padding: 8px; margin-top: 1em; background-color: green; color: white;">1/1 test cases complete.
- <strong>0</strong> passes, <strong>0</strong> fails and <strong>0</strong> exceptions.</div>
- </div>
- We are trying to get away from visual inspection though, and so SimpleTest
- allows to make automated assertions against the challenge.
- Here is a thorough test of our header...
-<pre>
-class AuthenticationTest extends WebTestCase {
- function test401Header() {
- $this-&gt;get('http://www.lastcraft.com/protected/');<strong>
- $this-&gt;assertAuthentication('Basic');
- $this-&gt;assertResponse(401);
- $this-&gt;assertRealm('SimpleTest basic authentication');</strong>
- }
-}
-</pre>
- Any one of these tests would normally do on it's own depending
- on the amount of detail you want to see.
- </p>
- <p>
- Most of the time we are not interested in testing the
- authentication itself, but want to get past it to test
- the pages underneath.
- As soon as the challenge has been issued we can reply with
- an authentication response...
-<pre>
-class AuthenticationTest extends WebTestCase {
- function testAuthentication() {
- $this-&gt;get('http://www.lastcraft.com/protected/');<strong>
- $this-&gt;authenticate('Me', 'Secret');</strong>
- $this-&gt;assertTitle(...);
- }
-}
-</pre>
- The username and password will now be sent with every
- subsequent request to that directory and subdirectories.
- You will have to authenticate again if you step outside
- the authenticated directory, but SimpleTest is smart enough
- to merge subdirectories into a common realm.
- </p>
- <p>
- You can shortcut this step further by encoding the log in
- details straight into the URL...
-<pre>
-class AuthenticationTest extends WebTestCase {
- function testCanReadAuthenticatedPages() {
- $this-&gt;get('http://<strong>Me:Secret@</strong>www.lastcraft.com/protected/');
- $this-&gt;assertTitle(...);
- }
-}
-</pre>
- If your username or password has special characters, then you
- will have to URL encode them or the request will not be parsed
- correctly.
- Also this header will not be sent on subsequent requests if
- you request a page with a fully qualified URL.
- If you navigate with relative URLs though, the authentication
- information will be preserved.
- </p>
- <p>
- Only basic authentication is currently supported and this is
- only really secure in tandem with HTTPS connections.
- This is usually enough to protect test server from prying eyes,
- however.
- Digest authentication and NTLM authentication may be added
- in the future.
- </p>
-
- <p>
-<a class="target" name="cookies">
-<h2>Cookies</h2>
-</a>
-</p>
- <p>
- Basic authentication doesn't give enough control over the
- user interface for web developers.
- More likely this functionality will be coded directly into
- the web architecture using cookies and complicated timeouts.
- </p>
- <p>
- Starting with a simple log-in form...
-<pre>
-&lt;form&gt;
- Username:
- &lt;input type="text" name="u" value="" /&gt;&lt;br /&gt;
- Password:
- &lt;input type="password" name="p" value="" /&gt;&lt;br /&gt;
- &lt;input type="submit" value="Log in" /&gt;
-&lt;/form&gt;
-</pre>
- Which looks like...
- </p>
- <p>
- <form class="demo">
- Username:
- <input type="text" name="u" value="">
-<br>
- Password:
- <input type="password" name="p" value="">
-<br>
- <input type="submit" value="Log in">
- </form>
- </p>
- <p>
- Let's suppose that in fetching this page a cookie has been
- set with a session ID.
- We are not going to fill the form in yet, just test that
- we are tracking the user.
- Here is the test...
-<pre>
-class LogInTest extends WebTestCase {
- function testSessionCookieSetBeforeForm() {
- $this-&gt;get('http://www.my-site.com/login.php');<strong>
- $this-&gt;assertCookie('SID');</strong>
- }
-}
-</pre>
- All we are doing is confirming that the cookie is set.
- As the value is likely to be rather cryptic it's not
- really worth testing this.
- </p>
- <p>
- The rest of the test would be the same as any other form,
- but we might want to confirm that we still have the same
- cookie after log-in as before we entered.
- We wouldn't want to lose track of this after all.
- Here is a possible test for this...
-<pre>
-class LogInTest extends WebTestCase {
- ...
- function testSessionCookieSameAfterLogIn() {
- $this-&gt;get('http://www.my-site.com/login.php');<strong>
- $session = $this-&gt;getCookie('SID');
- $this-&gt;setField('u', 'Me');
- $this-&gt;setField('p', 'Secret');
- $this-&gt;clickSubmit('Log in');
- $this-&gt;assertWantedPattern('/Welcome Me/');
- $this-&gt;assertCookie('SID', $session);</strong>
- }
-}
-</pre>
- This confirms that the session identifier is maintained
- afer log-in.
- </p>
- <p>
- We could even attempt to spoof our own system by setting
- arbitrary cookies to gain access...
-<pre>
-class LogInTest extends WebTestCase {
- ...
- function testSessionCookieSameAfterLogIn() {
- $this-&gt;get('http://www.my-site.com/login.php');<strong>
- $this-&gt;setCookie('SID', 'Some other session');
- $this-&gt;get('http://www.my-site.com/restricted.php');</strong>
- $this-&gt;assertWantedPattern('/Access denied/');
- }
-}
-</pre>
- Is your site protected from this attack?
- </p>
-
- <p>
-<a class="target" name="session">
-<h2>Browser sessions</h2>
-</a>
-</p>
- <p>
- If you are testing an authentication system a critical piece
- of behaviour is what happens when a user logs back in.
- We would like to simulate closing and reopening a browser...
-<pre>
-class LogInTest extends WebTestCase {
- ...
- function testLoseAuthenticationAfterBrowserClose() {
- $this-&gt;get('http://www.my-site.com/login.php');
- $this-&gt;setField('u', 'Me');
- $this-&gt;setField('p', 'Secret');
- $this-&gt;clickSubmit('Log in');
- $this-&gt;assertWantedPattern('/Welcome Me/');<strong>
-
- $this-&gt;restart();
- $this-&gt;get('http://www.my-site.com/restricted.php');
- $this-&gt;assertWantedPattern('/Access denied/');</strong>
- }
-}
-</pre>
- The <span class="new_code">WebTestCase::restart()</span> method will
- preserve cookies that have unexpired timeouts, but throw away
- those that are temporary or expired.
- You can optionally specify the time and date that the restart
- happened.
- </p>
- <p>
- Expiring cookies can be a problem.
- After all, if you have a cookie that expires after an hour,
- you don't want to stall the test for an hour while the
- cookie passes it's timeout.
- </p>
- <p>
- To push the cookies over the hour limit you can age them
- before you restart the session...
-<pre>
-class LogInTest extends WebTestCase {
- ...
- function testLoseAuthenticationAfterOneHour() {
- $this-&gt;get('http://www.my-site.com/login.php');
- $this-&gt;setField('u', 'Me');
- $this-&gt;setField('p', 'Secret');
- $this-&gt;clickSubmit('Log in');
- $this-&gt;assertWantedPattern('/Welcome Me/');
- <strong>
- $this-&gt;ageCookies(3600);</strong>
- $this-&gt;restart();
- $this-&gt;get('http://www.my-site.com/restricted.php');
- $this-&gt;assertWantedPattern('/Access denied/');
- }
-}
-</pre>
- After the restart it will appear that cookies are an
- hour older and any that pass their expiry will have
- disappeared.
- </p>
-
- </div>
-<div class="copyright">
- Copyright<br>Marcus Baker, Jason Sweat, Perrick Penet 2004
- </div>
-</body>
-</html>