
Integrate Eleos
This is the GlassFish code for Jakarta Authentication, extracted to a
separate project and refactored.

Eleos currently lives in an OmniFish repo, but should be transferred to
Eclipse soon.

See https://projects.eclipse.org/projects/ee4j.glassfish/reviews/eclipse-eleos-creation-review
arjantijms committed Aug 2, 2023
1 parent 352e0fd commit 978ccba
Showing 58 changed files with 525 additions and 8,125 deletions.
12 changes: 11 additions & 1 deletion appserver/featuresets/web/pom.xml
Expand Up @@ -672,8 +672,18 @@
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.omnifaces</groupId>
<artifactId>eleos</artifactId>
<exclusions>
<exclusion>
<groupId>*</groupId>
<artifactId>*</artifactId>
</exclusion>
</exclusions>
</dependency>

<!-- Jakarta Athorization -->
<!-- Jakarta Authorization -->
<dependency>
<groupId>jakarta.authorization</groupId>
<artifactId>jakarta.authorization-api</artifactId>
5 changes: 5 additions & 0 deletions appserver/pom.xml
Expand Up @@ -266,6 +266,11 @@
<artifactId>exousia</artifactId>
<version>${exousia.version}</version>
</dependency>
<dependency>
<groupId>org.omnifaces</groupId>
<artifactId>eleos</artifactId>
<version>3.0.1-SNAPSHOT</version>
</dependency>
<dependency>
<groupId>com.nimbusds</groupId>
<artifactId>nimbus-jose-jwt</artifactId>
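Review bot: The managed eleos version on the `<version>3.0.1-SNAPSHOT</version>` line is a mutable snapshot of an artifact that, per the commit message, is still published from an external (OmniFish) repository, so the build is neither reproducible nor pinned to an auditable release. The neighbouring exousia entry resolves its version through `${exousia.version}`; doing the same here, `<version>${eleos.version}</version>` with an `eleos.version` property pointing at a released artifact, keeps the two entries consistent and makes the dependency easy to bump and verify. Until a release exists, an XML comment next to the dependency stating that the snapshot is temporary and where it is published from would at least make the state visible to anyone auditing the build.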
Expand Up @@ -25,7 +25,6 @@
import com.sun.enterprise.security.common.ClientSecurityContext;
import com.sun.enterprise.security.common.SecurityConstants;
import com.sun.enterprise.security.common.Util;
import com.sun.enterprise.security.jmac.config.GFAuthConfigFactory;
import com.sun.enterprise.security.integration.AppClientSSL;
import com.sun.enterprise.security.ssl.SSLUtils;
import com.sun.logging.LogDomains;
Expand All @@ -41,6 +40,7 @@
import org.glassfish.appclient.client.acc.config.Ssl;
import org.glassfish.appclient.client.acc.config.TargetServer;
import org.jvnet.hk2.annotations.Service;
import org.omnifaces.eleos.config.factory.file.AuthConfigFileFactory;
import org.glassfish.enterprise.iiop.api.IIOPSSLUtil;

/**
Expand Down Expand Up @@ -120,7 +120,7 @@ public void initializeSecurity(
if (defaultFactory == null) {
java.security.Security.setProperty
(AuthConfigFactory.DEFAULT_FACTORY_SECURITY_PROPERTY,
GFAuthConfigFactory.class.getName());
AuthConfigFileFactory.class.getName());
}

} catch (Exception e) {
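Review bot: The `defaultFactory == null` branch in `initializeSecurity` now registers `AuthConfigFileFactory` without a comment saying why an already-configured factory is left untouched, and the same three lines appear again in `JavaEESecurityLifecycle.initializeJakartaAuthentication` in this commit; a shared helper, or at least a comment such as `// Only register the GlassFish default factory when java.security has none configured`, would keep the two call sites in step the next time the factory class changes. The property write sits inside a `catch (Exception e)` whose body is outside the hunk, so a failure to install the factory is presumably reported only through that generic handler — worth confirming it logs at a level that is noticed. initializeSecurity starts and ends outside the hunk.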
Expand Up @@ -40,11 +40,13 @@
import org.glassfish.appclient.client.acc.config.RequestPolicy;
import org.glassfish.appclient.client.acc.config.ResponsePolicy;
import org.glassfish.internal.api.Globals;
import org.omnifaces.eleos.config.factory.ConfigParser;
import org.omnifaces.eleos.config.helper.AuthMessagePolicy;
import org.omnifaces.eleos.config.module.configprovider.GFServerConfigProvider;
import org.omnifaces.eleos.data.AuthModuleConfig;
import org.omnifaces.eleos.data.AuthModulesLayerConfig;

import com.sun.enterprise.security.common.Util;
import com.sun.enterprise.security.jmac.AuthMessagePolicy;
import com.sun.enterprise.security.jmac.config.ConfigParser;
import com.sun.enterprise.security.jmac.config.GFServerConfigProvider;
import com.sun.logging.LogDomains;

import jakarta.security.auth.message.MessagePolicy;
Expand Down Expand Up @@ -93,7 +95,7 @@ private void processClientConfigContext(Map newConfig) throws IOException {
}

@Override
public Map getConfigMap() {
public Map getAuthModuleLayers() {
return configMap;
}

Expand All @@ -120,13 +122,13 @@ private String parseInterceptEntry(MessageSecurityConfig msgConfig, Map newConfi
layersWithDefault.add(intercept);
}

GFServerConfigProvider.InterceptEntry intEntry = (GFServerConfigProvider.InterceptEntry) newConfig.get(intercept);
AuthModulesLayerConfig intEntry = (AuthModulesLayerConfig) newConfig.get(intercept);
if (intEntry != null) {
throw new IOException("found multiple MessageSecurityConfig " + "entries with the same auth-layer");
}

// create new intercept entry
intEntry = new GFServerConfigProvider.InterceptEntry(defaultClientID, defaultServerID, null);
intEntry = new AuthModulesLayerConfig(defaultClientID, defaultServerID, null);
newConfig.put(intercept, intEntry);
return intercept;
}
Expand All @@ -141,7 +143,7 @@ private void parseIDEntry(ProviderConfig pConfig, Map newConfig, String intercep

// get the module options

Map<String, String> options = new HashMap();
Map<String, Object> options = new HashMap<>();
List<Property> props = pConfig.getProperty();
for (Property prop : props) {
try {
Expand All @@ -161,20 +163,20 @@ private void parseIDEntry(ProviderConfig pConfig, Map newConfig, String intercep

// create ID entry

GFServerConfigProvider.IDEntry idEntry = new GFServerConfigProvider.IDEntry(type, moduleClass, requestPolicy, responsePolicy,
AuthModuleConfig idEntry = new AuthModuleConfig(type, moduleClass, requestPolicy, responsePolicy,
options);

GFServerConfigProvider.InterceptEntry intEntry = (GFServerConfigProvider.InterceptEntry) newConfig.get(intercept);
AuthModulesLayerConfig intEntry = (AuthModulesLayerConfig) newConfig.get(intercept);
if (intEntry == null) {
throw new IOException("intercept entry for " + intercept + " must be specified before ID entries");
}

if (intEntry.getIdMap() == null) {
if (intEntry.getAuthModules() == null) {
intEntry.setIdMap(new HashMap());
}

// map id to Intercept
intEntry.getIdMap().put(id, idEntry);
intEntry.getAuthModules().put(id, idEntry);
}

private String expand(String rawProperty) {
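Review bot: On the `if (intEntry.getAuthModules() == null)` line the getter was renamed to the Eleos name, but the next, unchanged line still calls `intEntry.setIdMap(new HashMap());`, so the null check and the initialisation now go through differently named accessors; if `AuthModulesLayerConfig` renamed the setter as well this will not compile, and either way the pair should use the matching Eleos setter (whatever that class names it — verify against it). The same line keeps a raw `new HashMap()` while the rewritten `Map<String, Object> options = new HashMap<>();` line a few hunks up moved to the diamond form, so `new HashMap<>()` would be consistent. `getAuthModuleLayers()` is still declared with a raw `Map` return type, which is what forces the `(AuthModulesLayerConfig)` casts in parseInterceptEntry and parseIDEntry. parseIDEntry ends outside the hunk.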
5 changes: 2 additions & 3 deletions appserver/security/core-ee/pom.xml
Expand Up @@ -107,9 +107,8 @@
<artifactId>exousia</artifactId>
</dependency>
<dependency>
<groupId>org.glassfish.main.security</groupId>
<artifactId>jaspic.provider.framework</artifactId>
<version>${project.version}</version>
<groupId>org.omnifaces</groupId>
<artifactId>eleos</artifactId>
</dependency>
<dependency>
<groupId>org.glassfish.main.common</groupId>
Expand Up @@ -17,19 +17,20 @@

package com.sun.enterprise.security.ee;

import static jakarta.security.auth.message.config.AuthConfigFactory.DEFAULT_FACTORY_SECURITY_PROPERTY;
import static java.util.logging.Level.WARNING;

import java.security.Security;
import java.util.logging.Level;
import java.util.logging.Logger;

import org.glassfish.hk2.api.PostConstruct;
import org.jvnet.hk2.annotations.Service;
import org.omnifaces.eleos.config.factory.file.AuthConfigFileFactory;

import com.sun.enterprise.security.ContainerSecurityLifecycle;
import com.sun.enterprise.security.jmac.config.GFAuthConfigFactory;
import com.sun.logging.LogDomains;

import jakarta.inject.Singleton;
import jakarta.security.auth.message.config.AuthConfigFactory;

/**
* @author vbkumarjayanti
Expand All @@ -40,36 +41,39 @@ public class JavaEESecurityLifecycle implements ContainerSecurityLifecycle, Post

private static final Logger LOG = LogDomains.getLogger(JavaEESecurityLifecycle.class, LogDomains.SECURITY_LOGGER, false);

@Override
public void postConstruct() {
onInitialization();
}

@Override
public void onInitialization() {
java.lang.SecurityManager secMgr = System.getSecurityManager();
SecurityManager securityManager = System.getSecurityManager();

// TODO: need someway to not override the SecMgr if the EmbeddedServer was
// run with a different non-default SM.
// right now there seems no way to find out if the SM is the VM's default SM.
if (secMgr != null && !J2EESecurityManager.class.equals(secMgr.getClass())) {
J2EESecurityManager mgr = new J2EESecurityManager();
if (securityManager != null && !J2EESecurityManager.class.equals(securityManager.getClass())) {
try {
System.setSecurityManager(mgr);
System.setSecurityManager(new J2EESecurityManager());
} catch (SecurityException ex) {
LOG.log(Level.WARNING, "Could not override SecurityManager");
LOG.log(WARNING, "Could not override SecurityManager");
}
}
initializeJMAC();

initializeJakartaAuthentication();
}

private void initializeJMAC() {
private void initializeJakartaAuthentication() {

// define default factory if it is not already defined
// factory will be constructed on first getFactory call.
// Define default factory if it is not already defined.
// The factory will be constructed on first getFactory call.

String defaultFactory = Security.getProperty(AuthConfigFactory.DEFAULT_FACTORY_SECURITY_PROPERTY);
String defaultFactory = Security.getProperty(DEFAULT_FACTORY_SECURITY_PROPERTY);
if (defaultFactory == null) {
Security.setProperty(AuthConfigFactory.DEFAULT_FACTORY_SECURITY_PROPERTY, GFAuthConfigFactory.class.getName());
Security.setProperty(DEFAULT_FACTORY_SECURITY_PROPERTY, AuthConfigFileFactory.class.getName());
}
}

@Override
public void postConstruct() {
onInitialization();
}

}
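Review bot: The rewritten catch block logs `LOG.log(WARNING, "Could not override SecurityManager");` and drops `ex`, so the reason the security manager could not be installed is lost; pass it as the third argument, `LOG.log(WARNING, "Could not override SecurityManager", ex);`. On JDK 18 and later `System.setSecurityManager` throws `UnsupportedOperationException` rather than `SecurityException` unless `-Djava.security.manager=allow` is given, so the `catch (SecurityException ex)` guard alone would let `onInitialization` fail on such a runtime — whether that runtime is in scope for this module I cannot tell from the hunk. With `Level.WARNING` replaced by the static import, `import java.util.logging.Level;` looks unused unless `Level` is referenced elsewhere in the file. The visible part of the class Javadoc carries only an `@author` tag; a summary sentence stating that the lifecycle installs `J2EESecurityManager` when no other security manager is present and registers `AuthConfigFileFactory` as the default Jakarta Authentication factory would help readers.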
Expand Up @@ -29,8 +29,10 @@
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;

import com.sun.enterprise.security.jmac.config.ConfigParser;
import com.sun.enterprise.security.jmac.config.GFServerConfigProvider;
import org.omnifaces.eleos.config.factory.ConfigParser;
import org.omnifaces.eleos.data.AuthModuleConfig;
import org.omnifaces.eleos.data.AuthModulesLayerConfig;

import com.sun.logging.LogDomains;

/**
Expand All @@ -48,15 +50,15 @@ class ConfigFile extends AuthConfig {
private String parserClassName;

// parser
private ConfigParser parser;
private org.omnifaces.eleos.config.factory.ConfigParser parser;

// package private for ConfigFileParser
static final String CLIENT = "client";
static final String SERVER = "server";

private static final String DEFAULT_HANDLER_CLASS = "com.sun.enterprise.security.jmac.callback.ContainerCallbackHandler";
private static final String DEFAULT_HANDLER_CLASS = "com.sun.enterprise.security.jmac.ContainerCallbackHandler";

private static final String DEFAULT_PARSER_CLASS = "com.sun.enterprise.security.jmac.config.ConfigDomainParser";
private static final String DEFAULT_PARSER_CLASS = "com.sun.enterprise.security.jmac.ConfigDomainParser";

private static final Logger logger = LogDomains.getLogger(ConfigFile.class, LogDomains.SECURITY_LOGGER);

Expand Down Expand Up @@ -152,7 +154,7 @@ private ConfigFile.Entry[] getEntries(String intercept, String id, AuthPolicy re
Map configMap;

synchronized (parser) {
configMap = parser.getConfigMap();
configMap = parser.getAuthModuleLayers();
}

if (configMap == null) {
Expand All @@ -161,8 +163,8 @@ private ConfigFile.Entry[] getEntries(String intercept, String id, AuthPolicy re

// get the module config info for this intercept

GFServerConfigProvider.InterceptEntry intEntry = (GFServerConfigProvider.InterceptEntry) configMap.get(intercept);
if (intEntry == null || intEntry.getIdMap() == null) {
AuthModulesLayerConfig intEntry = (AuthModulesLayerConfig) configMap.get(intercept);
if (intEntry == null || intEntry.getAuthModules() == null) {
if (logger != null && logger.isLoggable(Level.FINE)) {
logger.fine("module config has no IDs configured for [" + intercept + "]");
}
Expand All @@ -171,8 +173,8 @@ private ConfigFile.Entry[] getEntries(String intercept, String id, AuthPolicy re

// look up the DD's provider ID in the module config

GFServerConfigProvider.IDEntry idEntry = null;
if (id == null || (idEntry = (GFServerConfigProvider.IDEntry) intEntry.getIdMap().get(id)) == null) {
AuthModuleConfig idEntry = null;
if (id == null || (idEntry = intEntry.getAuthModules().get(id)) == null) {

// either the DD did not specify a provider ID,
// or the DD-specified provider ID was not found
Expand All @@ -187,19 +189,20 @@ private ConfigFile.Entry[] getEntries(String intercept, String id, AuthPolicy re

String defaultID;
if (CLIENT.equals(type)) {
defaultID = intEntry.getDefaultClientID();
defaultID = intEntry.getDefaultClientModuleId();
} else {
defaultID = intEntry.getDefaultServerID();
defaultID = intEntry.getDefaultServerModuleId();
}

idEntry = (GFServerConfigProvider.IDEntry) intEntry.getIdMap().get(defaultID);
idEntry = intEntry.getAuthModules().get(defaultID);
if (idEntry == null) {

// did not find a default provider ID

if (logger != null && logger.isLoggable(Level.FINE)) {
logger.fine("no default config ID for [" + intercept + "]");
}

return null;
}
}
Expand Down Expand Up @@ -263,17 +266,16 @@ private ConfigFile.Entry[] getEntries(String intercept, String id, AuthPolicy re
*
* XXX custom file that can be used in place of [domain|sun-acc].xml
*/
private static ConfigParser loadParser(String className) throws IOException {
private static org.omnifaces.eleos.config.factory.ConfigParser loadParser(String className) throws IOException {
try {

final String finalClassName = className;
final ClassLoader finalLoader = AuthConfig.getClassLoader();

return (ConfigParser) java.security.AccessController.doPrivileged(new java.security.PrivilegedExceptionAction() {
return java.security.AccessController.doPrivileged(new java.security.PrivilegedExceptionAction<org.omnifaces.eleos.config.factory.ConfigParser>() {
@Override
public Object run() throws Exception {
Class c = Class.forName(finalClassName, true, finalLoader);
return c.newInstance();
public org.omnifaces.eleos.config.factory.ConfigParser run() throws Exception {
return (org.omnifaces.eleos.config.factory.ConfigParser) Class.forName(finalClassName, true, finalLoader).newInstance();
}
});
} catch (java.security.PrivilegedActionException pae) {
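Review bot: The new `loadParser` body uses `Class.forName(...).newInstance()`, which has been deprecated since Java 9 because it propagates any checked exception from the constructor unchecked; `Class.forName(finalClassName, true, finalLoader).getDeclaredConstructor().newInstance()` is the supported form, and the surrounding `PrivilegedExceptionAction.run` already declares `throws Exception`. The field, the method return type, the action's type argument, `run`'s return type and the cast all spell out `org.omnifaces.eleos.config.factory.ConfigParser` in full although the class is imported on the `import org.omnifaces.eleos.config.factory.ConfigParser;` line, so the simple name `ConfigParser` would do in all five places. `DEFAULT_HANDLER_CLASS` and `DEFAULT_PARSER_CLASS` are class names that are resolved reflectively (loadParser does so for the parser; the handler presumably elsewhere), so the package move in this hunk is only checked at runtime; a comment such as `// Resolved reflectively via Class.forName; keep in sync with the actual class location` next to them would flag that. loadParser's catch clause continues outside the hunk.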
