Fix programmatically declared roles not taken into account for authz.

Signed-off-by: Arjan Tijms <arjan.tijms@gmail.com>
eclipse-ee4j · Nov 8, 2022 · 996d539 · 996d539
1 parent 921e44c
commit 996d539
Show file tree

Hide file tree

Showing 2 changed files with 91 additions and 66 deletions.
diff --git a/appserver/web/web-core/src/main/java/org/apache/catalina/core/StandardContext.java b/appserver/web/web-core/src/main/java/org/apache/catalina/core/StandardContext.java
@@ -127,6 +127,7 @@
 import java.util.TreeMap;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.atomic.AtomicInteger;
+import java.util.logging.Level;
 
 import javax.management.MBeanRegistrationException;
 import javax.management.MalformedObjectNameException;
@@ -197,6 +198,7 @@
 import org.glassfish.grizzly.http.util.CharChunk;
 import org.glassfish.grizzly.http.util.MessageBytes;
 import org.glassfish.hk2.classmodel.reflect.Types;
+import org.glassfish.web.loader.ServletContainerInitializerUtil;
 import org.glassfish.web.loader.WebappClassLoader;
 import org.glassfish.web.valve.GlassFishValve;
 
@@ -225,8 +227,6 @@
 import jakarta.servlet.http.HttpSessionIdListener;
 import jakarta.servlet.http.HttpSessionListener;
 import jakarta.servlet.http.HttpUpgradeHandler;
-import java.util.logging.Level;
-import org.glassfish.web.loader.ServletContainerInitializerUtil;
 
 /**
  * Standard implementation of the <b>Context</b> interface. Each child container must be a Wrapper implementation to
@@ -6799,6 +6799,14 @@ private Set<String> getResourcePathsInternal(DirContext resources, String path)
         return Collections.unmodifiableSet(set);
     }
 
+    /**
+     * Return all the security roles
+     * @return all the security roles
+     */
+    public List<String> getSecurityRoles() {
+        return securityRoles;
+    }
+
     /**
      * Return a <code>RequestDispatcher</code> instance that acts as a wrapper for the resource at the given path. The path
      * must begin with a "/" and is interpreted as relative to the current context root.

diff --git a/appserver/web/web-glue/src/main/java/com/sun/enterprise/web/WebModule.java b/appserver/web/web-glue/src/main/java/com/sun/enterprise/web/WebModule.java
@@ -16,42 +16,35 @@
  */
 
 package com.sun.enterprise.web;
-import com.sun.enterprise.config.serverbeans.Application;
-import com.sun.enterprise.config.serverbeans.ConfigBeansUtilities;
-import com.sun.enterprise.container.common.spi.util.JavaEEIOUtils;
-import com.sun.enterprise.deployment.RunAsIdentityDescriptor;
-import com.sun.enterprise.deployment.WebBundleDescriptor;
-import com.sun.enterprise.deployment.WebComponentDescriptor;
-import com.sun.enterprise.deployment.WebServiceEndpoint;
-import com.sun.enterprise.deployment.WebServicesDescriptor;
-import com.sun.enterprise.deployment.runtime.web.SunWebApp;
-import com.sun.enterprise.deployment.web.LoginConfiguration;
-import com.sun.enterprise.deployment.web.SecurityConstraint;
-import com.sun.enterprise.deployment.web.ServletFilterMapping;
-import com.sun.enterprise.deployment.web.UserDataConstraint;
-import com.sun.enterprise.deployment.web.WebResourceCollection;
-import com.sun.enterprise.security.integration.RealmInitializer;
-import com.sun.enterprise.universal.GFBase64Decoder;
-import com.sun.enterprise.universal.GFBase64Encoder;
-import com.sun.enterprise.util.Utility;
-import com.sun.enterprise.web.deploy.LoginConfigDecorator;
-import com.sun.enterprise.web.pwc.PwcWebModule;
-import com.sun.enterprise.web.session.PersistenceType;
-import com.sun.enterprise.web.session.SessionCookieConfig;
-import com.sun.web.security.RealmAdapter;
-
-import jakarta.annotation.security.DeclareRoles;
-import jakarta.annotation.security.RunAs;
-import jakarta.servlet.Filter;
-import jakarta.servlet.HttpMethodConstraintElement;
-import jakarta.servlet.Servlet;
-import jakarta.servlet.ServletContext;
-import jakarta.servlet.ServletContextListener;
-import jakarta.servlet.ServletSecurityElement;
-import jakarta.servlet.annotation.MultipartConfig;
-import jakarta.servlet.annotation.ServletSecurity;
-import jakarta.servlet.http.HttpSession;
-import jakarta.servlet.http.HttpUpgradeHandler;
+import static com.sun.enterprise.config.serverbeans.ServerTags.DIRECTORY_DEPLOYED;
+import static com.sun.enterprise.deployment.web.UserDataConstraint.CONFIDENTIAL_TRANSPORT;
+import static com.sun.enterprise.deployment.web.UserDataConstraint.NONE_TRANSPORT;
+import static com.sun.enterprise.util.Utility.isAnyNull;
+import static com.sun.enterprise.util.Utility.isEmpty;
+import static com.sun.enterprise.web.Constants.DEPLOYMENT_CONTEXT_ATTRIBUTE;
+import static com.sun.enterprise.web.Constants.ENABLE_HA_ATTRIBUTE;
+import static com.sun.enterprise.web.Constants.IS_DISTRIBUTABLE_ATTRIBUTE;
+import static java.text.MessageFormat.format;
+import static java.util.Collections.emptyMap;
+import static java.util.logging.Level.FINE;
+import static java.util.logging.Level.FINEST;
+import static java.util.logging.Level.SEVERE;
+import static java.util.logging.Level.WARNING;
+import static java.util.stream.Collectors.toSet;
+import static org.glassfish.embeddable.web.config.TransportGuarantee.CONFIDENTIAL;
+import static org.glassfish.web.LogFacade.ALTERNATE_DOC_BASE_NULL_PROPERTY_NAME_VALVE;
+import static org.glassfish.web.LogFacade.ALT_DD_NAME;
+import static org.glassfish.web.LogFacade.CONFIGURE_SESSION_MANAGER;
+import static org.glassfish.web.LogFacade.CREATE_CUSTOM_BOJECT_OUTPUT_STREAM_ERROR;
+import static org.glassfish.web.LogFacade.NULL_WEB_MODULE_PROPERTY;
+import static org.glassfish.web.LogFacade.PERSISTENCE_STRATEGY_BUILDER;
+import static org.glassfish.web.LogFacade.UNABLE_TO_LOAD_EXTENSION;
+import static org.glassfish.web.LogFacade.VALVE_MISSING_PROPERTY_NAME;
+import static org.glassfish.web.LogFacade.VALVE_SETTER_CAUSED_EXCEPTION;
+import static org.glassfish.web.LogFacade.VALVE_SPECIFIED_METHOD_MISSING;
+import static org.glassfish.web.deployment.annotation.handlers.ServletSecurityHandler.createSecurityConstraint;
+import static org.glassfish.web.deployment.annotation.handlers.ServletSecurityHandler.getUrlPatternsWithoutSecurityConstraint;
+import static org.glassfish.web.loader.ServletContainerInitializerUtil.getServletContainerInitializers;
 
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
@@ -139,34 +132,42 @@
 import org.glassfish.web.valve.GlassFishValve;
 import org.jvnet.hk2.config.types.Property;
 
-import static com.sun.enterprise.config.serverbeans.ServerTags.DIRECTORY_DEPLOYED;
-import static com.sun.enterprise.deployment.web.UserDataConstraint.CONFIDENTIAL_TRANSPORT;
-import static com.sun.enterprise.deployment.web.UserDataConstraint.NONE_TRANSPORT;
-import static com.sun.enterprise.util.Utility.isAnyNull;
-import static com.sun.enterprise.util.Utility.isEmpty;
-import static com.sun.enterprise.web.Constants.DEPLOYMENT_CONTEXT_ATTRIBUTE;
-import static com.sun.enterprise.web.Constants.ENABLE_HA_ATTRIBUTE;
-import static com.sun.enterprise.web.Constants.IS_DISTRIBUTABLE_ATTRIBUTE;
-import static java.text.MessageFormat.format;
-import static java.util.Collections.emptyMap;
-import static java.util.logging.Level.FINE;
-import static java.util.logging.Level.FINEST;
-import static java.util.logging.Level.SEVERE;
-import static java.util.logging.Level.WARNING;
-import static org.glassfish.embeddable.web.config.TransportGuarantee.CONFIDENTIAL;
-import static org.glassfish.web.LogFacade.ALTERNATE_DOC_BASE_NULL_PROPERTY_NAME_VALVE;
-import static org.glassfish.web.LogFacade.ALT_DD_NAME;
-import static org.glassfish.web.LogFacade.CONFIGURE_SESSION_MANAGER;
-import static org.glassfish.web.LogFacade.CREATE_CUSTOM_BOJECT_OUTPUT_STREAM_ERROR;
-import static org.glassfish.web.LogFacade.NULL_WEB_MODULE_PROPERTY;
-import static org.glassfish.web.LogFacade.PERSISTENCE_STRATEGY_BUILDER;
-import static org.glassfish.web.LogFacade.UNABLE_TO_LOAD_EXTENSION;
-import static org.glassfish.web.LogFacade.VALVE_MISSING_PROPERTY_NAME;
-import static org.glassfish.web.LogFacade.VALVE_SETTER_CAUSED_EXCEPTION;
-import static org.glassfish.web.LogFacade.VALVE_SPECIFIED_METHOD_MISSING;
-import static org.glassfish.web.deployment.annotation.handlers.ServletSecurityHandler.createSecurityConstraint;
-import static org.glassfish.web.deployment.annotation.handlers.ServletSecurityHandler.getUrlPatternsWithoutSecurityConstraint;
-import static org.glassfish.web.loader.ServletContainerInitializerUtil.getServletContainerInitializers;
+import com.sun.enterprise.config.serverbeans.Application;
+import com.sun.enterprise.config.serverbeans.ConfigBeansUtilities;
+import com.sun.enterprise.container.common.spi.util.JavaEEIOUtils;
+import com.sun.enterprise.deployment.RunAsIdentityDescriptor;
+import com.sun.enterprise.deployment.WebBundleDescriptor;
+import com.sun.enterprise.deployment.WebComponentDescriptor;
+import com.sun.enterprise.deployment.WebServiceEndpoint;
+import com.sun.enterprise.deployment.WebServicesDescriptor;
+import com.sun.enterprise.deployment.runtime.web.SunWebApp;
+import com.sun.enterprise.deployment.web.LoginConfiguration;
+import com.sun.enterprise.deployment.web.SecurityConstraint;
+import com.sun.enterprise.deployment.web.ServletFilterMapping;
+import com.sun.enterprise.deployment.web.UserDataConstraint;
+import com.sun.enterprise.deployment.web.WebResourceCollection;
+import com.sun.enterprise.security.integration.RealmInitializer;
+import com.sun.enterprise.universal.GFBase64Decoder;
+import com.sun.enterprise.universal.GFBase64Encoder;
+import com.sun.enterprise.util.Utility;
+import com.sun.enterprise.web.deploy.LoginConfigDecorator;
+import com.sun.enterprise.web.pwc.PwcWebModule;
+import com.sun.enterprise.web.session.PersistenceType;
+import com.sun.enterprise.web.session.SessionCookieConfig;
+import com.sun.web.security.RealmAdapter;
+
+import jakarta.annotation.security.DeclareRoles;
+import jakarta.annotation.security.RunAs;
+import jakarta.servlet.Filter;
+import jakarta.servlet.HttpMethodConstraintElement;
+import jakarta.servlet.Servlet;
+import jakarta.servlet.ServletContext;
+import jakarta.servlet.ServletContextListener;
+import jakarta.servlet.ServletSecurityElement;
+import jakarta.servlet.annotation.MultipartConfig;
+import jakarta.servlet.annotation.ServletSecurity;
+import jakarta.servlet.http.HttpSession;
+import jakarta.servlet.http.HttpUpgradeHandler;
 
 /**
  * Class representing a web module for use by the Application Server.
@@ -612,6 +613,14 @@ protected void contextListenerStart() {
             }
         }
 
+        Set<String> bundleRoles = getBundleRoles(webBundleDescriptor);
+
+        for (String role : getSecurityRoles()) {
+            if (!bundleRoles.contains(role)) {
+                webBundleDescriptor.addRole(new Role(role));
+            }
+        }
+
         webContainer.afterServletContextInitializedEvent(webBundleDescriptor);
     }
 
@@ -855,6 +864,13 @@ void removeAdHocPath(String path) {
         }
     }
 
+    private Set<String> getBundleRoles(WebBundleDescriptor webBundleDescriptor) {
+        return
+            webBundleDescriptor.getRoles()
+                               .stream().map(e -> e.getName())
+                               .collect(toSet());
+    }
+
     /*
      * Removes the given ad-hoc path from this web module.
      *
@@ -1165,6 +1181,7 @@ boolean isStandalone() {
         return isStandalone;
     }
 
+    @Override
     protected boolean isStandaloneModule() {
         return isStandalone;
     }