Start with integrate Authorization 3.0 API and Exousia 3.0

Signed-off-by: Arjan Tijms <arjan.tijms@omnifish.ee>

appserver/ejb/ejb-container/src/main/java/org/glassfish/ejb/security/application/EJBSecurityManager.java

@@ -161,8 +161,6 @@ public EJBSecurityManager(EjbDescriptor ejbDescriptor, InvocationManager invMgr,
             () -> SecurityContext.getCurrent().getSubject(),
             null);
 
-        authorizationService.setProtectionDomainCreator(principalSet -> getCachedProtectionDomain(principalSet, true));
-
         authorizationService.addPermissionsToPolicy(
             convertEJBMethodPermissions(ejbDescriptor, contextId));
 

appserver/ejb/ejb-container/src/main/java/org/glassfish/ejb/startup/EjbApplication.java

@@ -21,17 +21,15 @@
 import com.sun.ejb.ContainerFactory;
 import com.sun.ejb.containers.AbstractSingletonContainer;
 import com.sun.enterprise.deployment.Application;
-import com.sun.enterprise.security.PolicyLoader;
+import com.sun.enterprise.security.ee.authorize.PolicyLoader;
 import com.sun.enterprise.util.LocalStringManagerImpl;
 import com.sun.logging.LogDomains;
-
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.List;
 import java.util.Properties;
 import java.util.logging.Level;
 import java.util.logging.Logger;
-
 import org.glassfish.api.deployment.ApplicationContainer;
 import org.glassfish.api.deployment.ApplicationContext;
 import org.glassfish.api.deployment.DeployCommandParameters;

appserver/ejb/ejb-container/src/main/java/org/glassfish/ejb/startup/EjbDeployer.java

@@ -17,6 +17,9 @@
 
 package org.glassfish.ejb.startup;
 
+import static java.util.logging.Level.FINE;
+import static java.util.logging.Level.WARNING;
+
 import com.sun.ejb.codegen.StaticRmiStubGenerator;
 import com.sun.ejb.containers.EJBTimerService;
 import com.sun.ejb.containers.EjbContainerUtilImpl;
@@ -27,23 +30,20 @@
 import com.sun.enterprise.deployment.Application;
 import com.sun.enterprise.deployment.WebBundleDescriptor;
 import com.sun.enterprise.module.bootstrap.StartupContext;
-import com.sun.enterprise.security.PolicyLoader;
 import com.sun.enterprise.security.ee.SecurityUtil;
+import com.sun.enterprise.security.ee.authorize.PolicyLoader;
 import com.sun.enterprise.security.util.IASSecurityException;
 import com.sun.enterprise.util.LocalStringManagerImpl;
 import com.sun.logging.LogDomains;
-
 import jakarta.inject.Inject;
 import jakarta.inject.Provider;
-
 import java.security.SecureRandom;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Properties;
 import java.util.concurrent.atomic.AtomicLong;
 import java.util.logging.Level;
 import java.util.logging.Logger;
-
 import org.glassfish.api.admin.config.ReferenceContainer;
 import org.glassfish.api.deployment.DeployCommandParameters;
 import org.glassfish.api.deployment.DeploymentContext;
@@ -71,9 +71,6 @@
 import org.glassfish.javaee.core.deployment.JavaEEDeployer;
 import org.jvnet.hk2.annotations.Service;
 
-import static java.util.logging.Level.FINE;
-import static java.util.logging.Level.WARNING;
-
 /**
  * Ejb module deployer.
  *

appserver/pom.xml

@@ -97,7 +97,7 @@
 
         <!-- Jakarta Security + Authentication/Authorization -->
         <soteria.version>3.0.3</soteria.version>
-        <exousia.version>2.1.1</exousia.version>
+        <exousia.version>3.0.0-SNAPSHOT</exousia.version>
         <epicyro.version>3.0.0</epicyro.version>
         <nimbus.version>9.37</nimbus.version>
         <jcip.version>1.0.2</jcip.version>

appserver/security/core-ee/src/main/java/com/sun/enterprise/security/ee/JavaEESecurityLifecycle.java

@@ -35,11 +35,12 @@
 import org.glassfish.epicyro.config.module.configprovider.GFServerConfigProvider;
 
 import com.sun.enterprise.security.ContainerSecurityLifecycle;
+import com.sun.enterprise.security.ee.authorize.PolicyLoader;
 import com.sun.enterprise.security.ee.jmac.AuthMessagePolicy;
 import com.sun.enterprise.security.ee.jmac.ConfigDomainParser;
 import com.sun.enterprise.security.ee.jmac.WebServicesDelegate;
 import com.sun.logging.LogDomains;
-
+import jakarta.inject.Inject;
 import jakarta.inject.Singleton;
 import jakarta.security.auth.message.MessageInfo;
 import jakarta.security.auth.message.MessagePolicy;
@@ -53,6 +54,9 @@ public class JavaEESecurityLifecycle implements ContainerSecurityLifecycle, Post
 
     private static final Logger LOG = LogDomains.getLogger(JavaEESecurityLifecycle.class, LogDomains.SECURITY_LOGGER, false);
 
+    @Inject
+    PolicyLoader policyLoader;
+
     @Override
     public void postConstruct() {
         onInitialization();
@@ -74,6 +78,8 @@ public void onInitialization() {
         }
 
         initializeJakartaAuthentication();
+
+        policyLoader.loadPolicy();
     }
 
     private void initializeJakartaAuthentication() {

nucleus/security/core/src/main/java/com/sun/enterprise/security/PolicyLoader.java → appserver/security/core-ee/src/main/java/com/sun/enterprise/security/ee/authorize/PolicyLoader.java

@@ -15,7 +15,7 @@
  * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
  */
 
-package com.sun.enterprise.security;
+package com.sun.enterprise.security.ee.authorize;
 
 import static com.sun.enterprise.security.SecurityLoggerInfo.policyConfigFactoryNotDefined;
 import static com.sun.enterprise.security.SecurityLoggerInfo.policyFactoryOverride;
@@ -28,36 +28,23 @@
 import static java.util.logging.Level.INFO;
 import static java.util.logging.Level.SEVERE;
 import static java.util.logging.Level.WARNING;
-import static javassist.Modifier.PUBLIC;
 
-import java.lang.reflect.Method;
-import java.security.Permission;
-import java.security.Policy;
-import java.security.ProtectionDomain;
-import java.util.Arrays;
-import java.util.List;
-import java.util.logging.Logger;
-
-import org.glassfish.api.admin.ServerEnvironment;
-//V3:Commented import com.sun.enterprise.config.serverbeans.ElementProperty;
-//V3:Commented import com.sun.enterprise.config.ConfigContext;
-import org.glassfish.hk2.api.IterableProvider;
-import org.jvnet.hk2.annotations.Service;
-import org.jvnet.hk2.config.types.Property;
-
-//V3:Commented import com.sun.enterprise.server.ApplicationServer;
 import com.sun.enterprise.config.serverbeans.JaccProvider;
 import com.sun.enterprise.config.serverbeans.SecurityService;
+import com.sun.enterprise.security.SecurityLoggerInfo;
 import com.sun.enterprise.util.i18n.StringManager;
-
 import jakarta.inject.Inject;
 import jakarta.inject.Named;
 import jakarta.inject.Singleton;
-import javassist.ClassPool;
-import javassist.CtClass;
-import javassist.util.proxy.MethodHandler;
-import javassist.util.proxy.ProxyFactory;
-import javassist.util.proxy.ProxyObject;
+import java.util.List;
+import java.util.logging.Logger;
+import jakarta.security.jacc.Policy;
+import jakarta.security.jacc.PolicyFactory;
+import org.glassfish.api.admin.ServerEnvironment;
+import org.glassfish.exousia.modules.def.DefaultPolicyFactory;
+import org.glassfish.hk2.api.IterableProvider;
+import org.jvnet.hk2.annotations.Service;
+import org.jvnet.hk2.config.types.Property;
 
 /**
  * Loads the Default Policy File into the system.
@@ -83,7 +70,6 @@ public class PolicyLoader {
     private static final String POLICY_PROVIDER = "jakarta.security.jacc.policy.provider";
     private static final String POLICY_CONF_FACTORY = "jakarta.security.jacc.PolicyConfigurationFactory.provider";
     private static final String POLICY_PROP_PREFIX = "com.sun.enterprise.jaccprovider.property.";
-    private static final String POLICY_PROXY = "com.sun.enterprise.jaccprovider.proxy";
     private boolean isPolicyInstalled;
 
     /**
@@ -115,6 +101,8 @@ public void loadPolicy() {
             javaPolicyClassName = authorizationModule.getPolicyProvider();
         }
 
+        // Set the role mapper
+        // TODO: replace with standard version
         if (System.getProperty("simple.jacc.provider.JACCRoleMapper.class") == null) {
             System.setProperty("simple.jacc.provider.JACCRoleMapper.class",
                 "com.sun.enterprise.security.ee.web.integration.GlassfishRoleMapper");
@@ -126,25 +114,9 @@ public void loadPolicy() {
             try {
                 LOGGER.log(INFO, policyLoading, javaPolicyClassName);
 
-                boolean usePolicyProxy = Boolean.parseBoolean(System.getProperty(POLICY_PROXY, "true"));
-
-                Policy policy = null;
-                if (usePolicyProxy && System.getSecurityManager() != null) {
-                    policy = loadPolicyAsProxy(javaPolicyClassName);
-                } else {
-                    policy = loadPolicy(javaPolicyClassName);
-                }
-
-                Policy.setPolicy(policy);
-
-                // TODO: causing ClassCircularity error when SM ON and
-                // deployment use library feature and ApplibClassLoader
-                // it is likely a problem caused by the way classloading is done
-                // in this case.
-                if (System.getSecurityManager() == null) {
-                    policy.refresh();
-                }
-
+                Policy policy = loadPolicy(javaPolicyClassName);
+                PolicyFactory.setPolicyFactory(new DefaultPolicyFactory()); // TMP!!!
+                PolicyFactory.getPolicyFactory().setPolicy(policy);
             } catch (Exception e) {
                 LOGGER.log(SEVERE, policyInstallError, e.getLocalizedMessage());
                 throw new RuntimeException(e);
@@ -160,58 +132,6 @@ public void loadPolicy() {
         }
     }
 
-    @SuppressWarnings("unchecked")
-    public static <T> T createPolicyProxy(Class<T> targetClass) throws Exception {
-        ProxyFactory factory = new ProxyFactory();
-        factory.setSuperclass(targetClass);
-
-        ProxyObject instance = (ProxyObject) factory.createClass().getDeclaredConstructor().newInstance();
-        instance.setHandler(new JakartaAuthenticationGuardHandler(Policy.getPolicy()));
-
-        return (T) instance;
-    }
-
-    private static class JakartaAuthenticationGuardHandler implements MethodHandler {
-
-        public final static Method impliesMethod = getMethod(
-            Policy.class, "implies", ProtectionDomain.class, Permission.class);
-
-        private final Policy javaSePolicy;
-
-        public JakartaAuthenticationGuardHandler(Policy javaSePolicy) {
-            this.javaSePolicy = javaSePolicy;
-        }
-
-        @Override
-        public Object invoke(Object self, Method overridden, Method forwarder, Object[] args) throws Throwable {
-            if (isImplementationOf(overridden, impliesMethod)) {
-                Permission permission = (Permission) args[1];
-                if (!permission.getClass().getName().startsWith("jakarta.")) {
-                    return javaSePolicy.implies((ProtectionDomain)args[0], permission);
-                }
-            }
-
-            return forwarder.invoke(self, args);
-        }
-
-        public static boolean isImplementationOf(Method implementationMethod, Method interfaceMethod) {
-            return
-                interfaceMethod.getDeclaringClass().isAssignableFrom(implementationMethod.getDeclaringClass()) &&
-                interfaceMethod.getName().equals(implementationMethod.getName()) &&
-                Arrays.equals(interfaceMethod.getParameterTypes(), implementationMethod.getParameterTypes());
-        }
-
-       public static Method getMethod(Class<?> base, String name, Class<?>... parameterTypes) {
-            try {
-                // Method literals in Java would be nice
-                return base.getMethod(name, parameterTypes);
-            } catch (NoSuchMethodException | SecurityException e) {
-                throw new IllegalStateException(e);
-            }
-        }
-
-    }
-
     private Policy loadPolicy(String javaPolicyClassName) throws ReflectiveOperationException, SecurityException {
         Object javaPolicyInstance =
                 Thread.currentThread()
@@ -227,28 +147,6 @@ private Policy loadPolicy(String javaPolicyClassName) throws ReflectiveOperation
         return (Policy) javaPolicyInstance;
     }
 
-    private Policy loadPolicyAsProxy(String javaPolicyClassName) throws Exception {
-        ClassPool pool = ClassPool.getDefault();
-        CtClass clazz = pool.get(javaPolicyClassName);
-        clazz.defrost();
-        clazz.setModifiers(PUBLIC);
-
-        Object javaPolicyInstance =
-            createPolicyProxy(
-                clazz.toClass(
-                    Thread.currentThread()
-                          .getContextClassLoader()
-                          .loadClass(System.getProperty(POLICY_CONF_FACTORY))));
-
-        if (!(javaPolicyInstance instanceof Policy)) {
-            throw new RuntimeException(SM.getString("enterprise.security.plcyload.not14"));
-        }
-
-        javaPolicyInstance.toString();
-
-        return (Policy) javaPolicyInstance;
-    }
-
     /**
      * Returns an authorization module object representing the jacc element from domain.xml which is configured in security-service.
      *

nucleus/parent/pom.xml

@@ -115,7 +115,7 @@
         <jakarta.annotation-api.version>2.1.1</jakarta.annotation-api.version>
 
         <jakarta.security-api.version>3.0.0</jakarta.security-api.version>
-        <jakarta.authorization-api.version>2.1.0</jakarta.authorization-api.version>
+        <jakarta.authorization-api.version>3.0.0-SNAPSHOT</jakarta.authorization-api.version>
         <jakarta.authentication-api.version>3.0.0</jakarta.authentication-api.version>
 
 

nucleus/security/core/src/main/java/com/sun/enterprise/security/SecurityLifecycle.java

@@ -58,9 +58,6 @@ public class SecurityLifecycle implements PostConstruct, PreDestroy {
     @Inject
     private ServerContext serverContext;
 
-    @Inject
-    private PolicyLoader policyLoader;
-
     @Inject
     private SecurityServicesUtil securityServicesUtil;
 
@@ -123,9 +120,6 @@ public void onInitialization() {
             // And since LoginContextDriver has too many static methods that use BaseAuditManager
             // we have to make this workaround here.
 
-            // Init Jakarta Authorization
-            policyLoader.loadPolicy();
-
             realmsManager.createRealms();
 
             // Start the audit mechanism