JMAC HTTPS test moved to application tests, disabled
- failed in Ant, which is probably why it was excluded; it fails here too, but I think it has detected a bug. Signed-off-by: David Matějček <david.matejcek@omnifish.ee>
Showing
11 changed files
with
379 additions
and
407 deletions.
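--- a/...on/src/main/java/org/glassfish/main/test/app/security/jmac/https/HttpsTestAuthModule.java
+++ b/...on/src/main/java/org/glassfish/main/test/app/security/jmac/https/HttpsTestAuthModule.java
@@ -0,0 +1,115 @@
+/*
+ * Copyright (c) 2023 Contributors to the Eclipse Foundation
+ * Copyright (c) 2006, 2018 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package org.glassfish.main.test.app.security.jmac.https;
+
+import jakarta.security.auth.message.AuthException;
+import jakarta.security.auth.message.AuthStatus;
+import jakarta.security.auth.message.MessageInfo;
+import jakarta.security.auth.message.MessagePolicy;
+import jakarta.security.auth.message.callback.CallerPrincipalCallback;
+import jakarta.security.auth.message.module.ServerAuthModule;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+
+import java.lang.System.Logger;
+import java.lang.System.Logger.Level;
+import java.security.cert.X509Certificate;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.Map;
+
+import javax.security.auth.Subject;
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.x500.X500Principal;
+
+import static java.lang.System.Logger.Level.ERROR;
+import static java.lang.System.Logger.Level.INFO;
+
+public class HttpsTestAuthModule implements ServerAuthModule {
+
+private static final Logger LOG = System.getLogger(HttpsTestAuthModule.class.getName());
+
+private CallbackHandler handler;
+
+@Override
+public void initialize(final MessagePolicy requestPolicy, final MessagePolicy responsePolicy,
+final CallbackHandler handler, final Map<String, Object> options) throws AuthException {
+this.handler = handler;
+}
+
+
+@Override
+public Class<?>[] getSupportedMessageTypes() {
+return new Class[] {HttpServletRequest.class, HttpServletResponse.class};
+}
+
+
+@Override
+public AuthStatus validateRequest(final MessageInfo messageInfo, final Subject clientSubject,
+final Subject serviceSubject) throws AuthException {
+LOG.log(Level.INFO, "validateRequest(messageInfo={0}, clientSubject={1}, serviceSubject={2})", messageInfo,
+clientSubject, serviceSubject);
+if (!isMandatory(messageInfo)) {
+return AuthStatus.SUCCESS;
+}
+
+try {
+final HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
+// Should be set by Catalina or Grizly
+final X509Certificate[] certs = (X509Certificate[]) request
+.getAttribute("jakarta.servlet.request.X509Certificate");
+LOG.log(INFO, "Request attributes: {0}", Collections.list(request.getAttributeNames()));
+LOG.log(INFO, "Certificates found in the request attribute: {0}", Arrays.toString(certs));
+
+if (certs == null || certs.length == 0) {
+return AuthStatus.SEND_FAILURE;
+}
+final X500Principal x500Principal = certs[0].getSubjectX500Principal();
+LOG.log(INFO, "User''s X500Principal={0}", x500Principal);
+final CallerPrincipalCallback cpCallback = new CallerPrincipalCallback(clientSubject, x500Principal);
+LOG.log(INFO, "Subject before invoking callbacks: {0}", clientSubject);
+handler.handle(new Callback[] {cpCallback});
+LOG.log(INFO, "Subject after invoking callbacks: {0}", clientSubject);
+
+request.setAttribute("MY_NAME", getClass().getName());
+LOG.log(INFO, "Login success: {0}", x500Principal);
+return AuthStatus.SUCCESS;
+} catch (final Exception e) {
+LOG.log(ERROR, "Login failed.", e);
+return AuthStatus.SEND_FAILURE;
+}
+}
+
+
+@Override
+public AuthStatus secureResponse(final MessageInfo messageInfo, final Subject serviceSubject) throws AuthException {
+return AuthStatus.SUCCESS;
+}
+
+
+@Override
+public void cleanSubject(final MessageInfo messageInfo, final Subject subject) throws AuthException {
+}
+
+
+private boolean isMandatory(final MessageInfo messageInfo) {
+return Boolean
+.parseBoolean((String) messageInfo.getMap().get("jakarta.security.auth.message.MessagePolicy.isMandatory"));
+}
+}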
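Review bot: validateRequest logs the whole clientSubject at INFO three times (the entry line and the "Subject before/after invoking callbacks" lines), and Subject.toString() also prints the subject's private credentials when the caller is permitted to read them, so whatever the container's callback handler stores in the subject can end up in server.log. Even in a test module it is safer to log only the principals, e.g. `LOG.log(DEBUG, "Subject after invoking callbacks: principals={0}", clientSubject.getPrincipals());` with DEBUG static-imported like INFO and ERROR. Separately, getSupportedMessageTypes returns a raw `new Class[]`, which compiles with an unchecked warning; `return new Class<?>[] {HttpServletRequest.class, HttpServletResponse.class};` matches the declared return type exactly. The broad `catch (final Exception e)` also folds a ClassCastException from the attribute cast into the same generic SEND_FAILURE, which makes the failure the commit message mentions harder to diagnose; catching the specific types the block can throw would keep the log line meaningful.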
51 changes: 51 additions & 0 deletions
51
...ts/application/src/main/resources/org/glassfish/main/test/app/security/jmac/https/web.xml
@@ -0,0 +1,51 @@ | ||
<?xml version="1.0" encoding="UTF-8"?> | ||
<!DOCTYPE web-app PUBLIC '-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN' 'http://java.sun.com/j2ee/dtds/web-app_2_2.dtd'> | ||
<!-- | ||
Copyright (c) 2023 Contributors to the Eclipse Foundation. | ||
Copyright (c) 2017, 2018 Oracle and/or its affiliates. All rights reserved. | ||
This program and the accompanying materials are made available under the | ||
terms of the Eclipse Public License v. 2.0, which is available at | ||
http://www.eclipse.org/legal/epl-2.0. | ||
This Source Code may also be made available under the following Secondary | ||
Licenses when the conditions for such availability set forth in the | ||
Eclipse Public License v. 2.0 are satisfied: GNU General Public License, | ||
version 2 with the GNU Classpath Exception, which is available at | ||
https://www.gnu.org/software/classpath/license.html. | ||
SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 | ||
--> | ||
<web-app> | ||
<display-name>HttpServlet Provider test</display-name> | ||
<servlet> | ||
<servlet-name>indexJsp</servlet-name> | ||
<jsp-file>/index.jsp</jsp-file> | ||
<load-on-startup>0</load-on-startup> | ||
</servlet> | ||
<security-constraint> | ||
<web-resource-collection> | ||
<web-resource-name>MySecureBit</web-resource-name> | ||
<url-pattern>/index.jsp</url-pattern> | ||
<http-method>GET</http-method> | ||
<http-method>POST</http-method> | ||
</web-resource-collection> | ||
<auth-constraint> | ||
<role-name>myrole</role-name> | ||
</auth-constraint> | ||
<user-data-constraint> | ||
<transport-guarantee>CONFIDENTIAL</transport-guarantee> | ||
</user-data-constraint> | ||
</security-constraint> | ||
|
||
<login-config> | ||
<auth-method>CLIENT-CERT</auth-method> | ||
</login-config> | ||
|
||
<security-role> | ||
<role-name>myrole</role-name> | ||
</security-role> | ||
</web-app> | ||
|
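Review bot: The auth-constraint on /index.jsp requires the role `myrole`, but the paired HttpsTestAuthModule only asserts the certificate's X500Principal as the caller and assigns no groups, so unless a principal-to-role mapping for that DN exists elsewhere in the application (a glassfish-web.xml is not part of this section) an authenticated caller would still be rejected with 403 — possibly the failure the commit message hints at. A comment next to the security-role element would make that dependency explicit, e.g. `<!-- myrole must be mapped to the client certificate's DN; the auth module assigns no groups -->`. The DOCTYPE also binds the descriptor to the Servlet 2.2 DTD, so any Servlet 3+ element added later will fail validation; if that is intentional, a one-line comment saying so would help the next reader.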