Store the DistinguishedPrincipalCredential in the Subject principals

This is needed since for SSO the Subject is serialized and restored at
another node. But, the credential collection is transient, so it wont be
saved/restored.

The effect is that when using SSO the roles would be missing on the
other node.

Signed-off-by: Arjan Tijms <arjan.tijms@omnifish.ee>

appserver/security/webintegration/src/main/java/com/sun/web/security/RealmAdapter.java

@@ -1428,7 +1428,12 @@ private boolean validate(HttpRequest request, HttpResponse response, LoginConfig
                     Principal glassFishCallerPrincipal = getGlassFishCallerPrincipal(caller);
 
                     toSubject(subject, glassFishCallerPrincipal);
-                    toSubjectCredential(subject, new DistinguishedPrincipalCredential(glassFishCallerPrincipal));
+                    DistinguishedPrincipalCredential distinguishedPrincipal = new DistinguishedPrincipalCredential(glassFishCallerPrincipal);
+
+                    // Credentials don't serialize, so for now, also add to the subject principals
+                    // For next version, see if we can only use principals
+                    toSubject(subject, distinguishedPrincipal);
+                    toSubjectCredential(subject, distinguishedPrincipal);
 
                     for (String group : caller.getGroups()) {
                         toSubject(subject, new Group(group));
@@ -1617,6 +1622,18 @@ public Subject run() {
                     }
                 }
 
+                if (!hasObject) {
+                    Set<DistinguishedPrincipalCredential> distinguishedPrincipals = securityContextSubject.getPrincipals(DistinguishedPrincipalCredential.class);
+                    if (distinguishedPrincipals.size() == 1) {
+                        for (DistinguishedPrincipalCredential cred : distinguishedPrincipals) {
+                            if (cred.getPrincipal().equals(callerPrincipal)) {
+                                hasObject = true;
+                            }
+                        }
+                    }
+                }
+
+
                 /**
                  * 2. Subject within SecurityContext must contain a single DistinguishedPrincipalCredential that identifies the Caller Principal
                  */

nucleus/security/core/src/main/java/com/sun/enterprise/security/SecurityContext.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022, 2022 Contributors to the Eclipse Foundation
+ * Copyright (c) 2022, 2024 Contributors to the Eclipse Foundation
  * Copyright (c) 1997, 2021 Oracle and/or its affiliates. All rights reserved.
  *
  * This program and the accompanying materials are made available under the
@@ -131,6 +131,16 @@ public Principal run() {
                     }
                 }
 
+                if (principal == null) {
+                    for (Principal publicCredential : finalSubject.getPrincipals()) {
+                        if (publicCredential instanceof DistinguishedPrincipalCredential) {
+                            DistinguishedPrincipalCredential distinguishedPrincipalCredential = (DistinguishedPrincipalCredential) publicCredential;
+                            principal = distinguishedPrincipalCredential.getPrincipal();
+                            break;
+                        }
+                    }
+                }
+
                 // for old auth module
                 if (principal == null) {
                     Iterator<Principal> prinIter = finalSubject.getPrincipals().iterator();

nucleus/security/core/src/main/java/com/sun/enterprise/security/auth/login/DistinguishedPrincipalCredential.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022, 2023 Contributors to the Eclipse Foundation.
+ * Copyright (c) 2022, 2024 Contributors to the Eclipse Foundation.
  * Copyright (c) 1997, 2018 Oracle and/or its affiliates. All rights reserved.
  *
  * This program and the accompanying materials are made available under the
@@ -17,9 +17,12 @@
 
 package com.sun.enterprise.security.auth.login;
 
+import java.io.Serializable;
 import java.security.Principal;
 
-public class DistinguishedPrincipalCredential {
+public class DistinguishedPrincipalCredential implements Principal, Serializable {
+
+    private static final long serialVersionUID = 1L;
 
     private final Principal principal;
 
@@ -35,4 +38,13 @@ public Principal getPrincipal() {
     public String toString() {
         return "DistingushedPrincipal[" + principal + "]";
     }
+
+    @Override
+    public String getName() {
+        if (principal == null) {
+            return null;
+        }
+
+        return principal.getName();
+    }
 }

nucleus/security/core/src/main/java/com/sun/enterprise/security/auth/realm/certificate/CertificateRealm.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022, 2023 Contributors to the Eclipse Foundation
+ * Copyright (c) 2022, 2024 Contributors to the Eclipse Foundation
  * Copyright (c) 1997, 2021 Oracle and/or its affiliates. All rights reserved.
  *
  * This program and the accompanying materials are made available under the
@@ -139,7 +139,9 @@ public void authenticate(Subject subject, X500Principal principal) {
         }
 
         if (!subject.getPrincipals().isEmpty()) {
-            subject.getPublicCredentials().add(new DistinguishedPrincipalCredential(principal));
+            DistinguishedPrincipalCredential distinguishedPrincipal = new DistinguishedPrincipalCredential(principal);
+            subject.getPrincipals().add(distinguishedPrincipal);
+            subject.getPublicCredentials().add(distinguishedPrincipal);
         }
 
         SecurityContext.setCurrent(new SecurityContext(name, subject));