Merge pull request #24899 from arjantijms/8.0

8.0

appserver/connectors/connectors-runtime/src/main/java/com/sun/enterprise/connectors/ConnectorRuntime.java

@@ -61,7 +61,7 @@
 import com.sun.enterprise.resource.pool.monitor.ConnectionPoolProbeProviderUtil;
 import com.sun.enterprise.resource.pool.monitor.PoolMonitoringLevelListener;
 import com.sun.enterprise.security.SecurityServicesUtil;
-import com.sun.enterprise.security.ee.jmac.callback.ContainerCallbackHandler;
+import com.sun.enterprise.security.ee.authentication.jakarta.callback.ContainerCallbackHandler;
 import com.sun.enterprise.transaction.api.JavaEETransactionManager;
 import com.sun.logging.LogDomains;
 

appserver/ejb/ejb-container/src/main/java/com/sun/ejb/InvocationInfo.java

@@ -19,7 +19,7 @@
 import java.lang.reflect.Method;
 
 import com.sun.ejb.containers.interceptors.InterceptorManager;
-import com.sun.enterprise.security.ee.authorize.cache.CachedPermission;
+import com.sun.enterprise.security.ee.authorization.cache.CachedPermission;
 import org.glassfish.ejb.deployment.descriptor.EjbRemovalInfo;
 
 /**

appserver/ejb/ejb-container/src/main/java/org/glassfish/ejb/security/application/EJBSecurityManager.java

@@ -16,23 +16,30 @@
 
 package org.glassfish.ejb.security.application;
 
+import static java.lang.System.getSecurityManager;
+import static java.util.Collections.synchronizedMap;
+import static java.util.logging.Level.FINE;
+import static java.util.logging.Level.SEVERE;
+import static java.util.logging.Level.WARNING;
+import static java.util.stream.Collectors.toSet;
+import static org.glassfish.ejb.security.application.GlassFishToExousiaConverter.convertEJBMethodPermissions;
+import static org.glassfish.ejb.security.application.GlassFishToExousiaConverter.getSecurityRoleRefsFromBundle;
+import static org.glassfish.exousia.permissions.RolesToPermissionsTransformer.createEnterpriseBeansRoleRefPermission;
+
 import com.sun.ejb.EjbInvocation;
 import com.sun.enterprise.deployment.EjbIORConfigurationDescriptor;
 import com.sun.enterprise.deployment.RunAsIdentityDescriptor;
 import com.sun.enterprise.security.SecurityContext;
 import com.sun.enterprise.security.SecurityManager;
 import com.sun.enterprise.security.auth.login.LoginContextDriver;
 import com.sun.enterprise.security.common.AppservAccessController;
-import com.sun.enterprise.security.ee.SecurityUtil;
 import com.sun.enterprise.security.ee.audit.AppServerAuditManager;
-import com.sun.enterprise.security.ee.authorize.PolicyContextHandlerImpl;
-import com.sun.enterprise.security.ee.authorize.cache.PermissionCache;
-import com.sun.enterprise.security.ee.authorize.cache.PermissionCacheFactory;
+import com.sun.enterprise.security.ee.authorization.AuthorizationUtil;
+import com.sun.enterprise.security.ee.authorization.cache.PermissionCache;
+import com.sun.enterprise.security.ee.authorization.cache.PermissionCacheFactory;
 import com.sun.logging.LogDomains;
-
 import jakarta.security.jacc.EJBMethodPermission;
 import jakarta.security.jacc.PolicyContext;
-
 import java.lang.reflect.Method;
 import java.net.MalformedURLException;
 import java.net.URI;
@@ -52,10 +59,8 @@
 import java.util.WeakHashMap;
 import java.util.logging.Level;
 import java.util.logging.Logger;
-
 import javax.security.auth.Subject;
 import javax.security.auth.SubjectDomainCombiner;
-
 import org.glassfish.api.invocation.ComponentInvocation;
 import org.glassfish.api.invocation.InvocationException;
 import org.glassfish.api.invocation.InvocationManager;
@@ -66,16 +71,6 @@
 import org.glassfish.external.probe.provider.PluginPoint;
 import org.glassfish.external.probe.provider.StatsProviderManager;
 
-import static java.lang.System.getSecurityManager;
-import static java.util.Collections.synchronizedMap;
-import static java.util.logging.Level.FINE;
-import static java.util.logging.Level.SEVERE;
-import static java.util.logging.Level.WARNING;
-import static java.util.stream.Collectors.toSet;
-import static org.glassfish.ejb.security.application.GlassFishToExousiaConverter.convertEJBMethodPermissions;
-import static org.glassfish.ejb.security.application.GlassFishToExousiaConverter.getSecurityRoleRefsFromBundle;
-import static org.glassfish.exousia.permissions.RolesToPermissionsTransformer.createEnterpriseBeansRoleRefPermission;
-
 /**
  * This class is used by the Enterprise Beans server to manage security. All the container object only call into this object for managing
  * security. This class cannot be subclassed.
@@ -89,8 +84,6 @@ public final class EJBSecurityManager implements SecurityManager {
 
     private static final Logger _logger = LogDomains.getLogger(EJBSecurityManager.class, LogDomains.EJB_LOGGER);
 
-    private static final PolicyContextHandlerImpl pcHandlerImpl = PolicyContextHandlerImpl.getInstance();
-
     // We use two protection domain caches until we decide how to
     // set the applicationCodeSource in the protection domain of system apps.
     //
@@ -134,7 +127,7 @@ public EJBSecurityManager(EjbDescriptor ejbDescriptor, InvocationManager invMgr,
         this.deploymentDescriptor = ejbDescriptor;
         this.invocationManager = invMgr;
         this.ejbSecurityManagerFactory = ejbSecurityManagerFactory;
-        roleMapperFactory = SecurityUtil.getRoleMapperFactory();
+        roleMapperFactory = AuthorizationUtil.getRoleMapperFactory();
 
         runAs = getRunAs(deploymentDescriptor);
 
@@ -176,7 +169,7 @@ public EJBSecurityManager(EjbDescriptor ejbDescriptor, InvocationManager invMgr,
     }
 
     public static String getContextID(EjbDescriptor ejbDescriptor) {
-        return SecurityUtil.getContextID(ejbDescriptor.getEjbBundleDescriptor());
+        return AuthorizationUtil.getContextID(ejbDescriptor.getEjbBundleDescriptor());
     }
 
     /**
@@ -196,8 +189,6 @@ public boolean authorize(ComponentInvocation componentInvocation) {
             return ejbInvocation.getAuth().booleanValue();
         }
 
-        pcHandlerImpl.getHandlerData().setInvocation(ejbInvocation);
-
         SecurityContext securityContext = SecurityContext.getCurrent();
 
         boolean authorized = false;
@@ -379,7 +370,7 @@ public void destroy() {
         probeProvider.securityManagerDestructionEvent(ejbName);
     }
 
-    /* This method is used by SecurityUtil runMethod to run the
+    /* This method is used by AuthorizationUtil runMethod to run the
      * action as the subject encapsulated in the current
      * SecurityContext.
      */
@@ -546,31 +537,7 @@ public Object run() {
 
     @Override
     public void resetPolicyContext() {
-        if (System.getSecurityManager() == null) {
-            PolicyContextHandlerImpl.getInstance().reset();
-            PolicyContext.setContextID(null);
-            return;
-        }
-
-        try {
-            AppservAccessController.doPrivileged(new PrivilegedExceptionAction<>() {
-                @Override
-                public Object run() throws Exception {
-                    PolicyContextHandlerImpl.getInstance().reset();
-                    PolicyContext.setContextID(null);
-                    return null;
-                }
-            });
-        } catch (PrivilegedActionException pae) {
-            Throwable cause = pae.getCause();
-            if (cause instanceof java.security.AccessControlException) {
-                _logger.log(SEVERE, "jacc_policy_context_security_exception", cause);
-            } else {
-                _logger.log(SEVERE, "jacc_policy_context_exception", cause);
-            }
-
-            throw new RuntimeException(cause);
-        }
+        PolicyContext.setContextID(null);
     }
 
     private SecurityContext getSecurityContext() {
@@ -582,7 +549,7 @@ private SecurityContext getSecurityContext() {
         ComponentInvocation componentInvocation = invocationManager.getCurrentInvocation();
 
         if (componentInvocation == null) {
-            throw new InvocationException(); // 4646060
+            throw new InvocationException();
         }
 
         return (SecurityContext) componentInvocation.getOldSecurityContext();

appserver/ejb/ejb-container/src/main/java/org/glassfish/ejb/startup/EjbApplication.java

@@ -21,7 +21,7 @@
 import com.sun.ejb.ContainerFactory;
 import com.sun.ejb.containers.AbstractSingletonContainer;
 import com.sun.enterprise.deployment.Application;
-import com.sun.enterprise.security.ee.authorize.PolicyLoader;
+import com.sun.enterprise.security.ee.authorization.PolicyLoader;
 import com.sun.enterprise.util.LocalStringManagerImpl;
 import com.sun.logging.LogDomains;
 import java.util.ArrayList;

appserver/ejb/ejb-container/src/main/java/org/glassfish/ejb/startup/EjbDeployer.java

@@ -30,8 +30,8 @@
 import com.sun.enterprise.deployment.Application;
 import com.sun.enterprise.deployment.WebBundleDescriptor;
 import com.sun.enterprise.module.bootstrap.StartupContext;
-import com.sun.enterprise.security.ee.SecurityUtil;
-import com.sun.enterprise.security.ee.authorize.PolicyLoader;
+import com.sun.enterprise.security.ee.authorization.AuthorizationUtil;
+import com.sun.enterprise.security.ee.authorization.PolicyLoader;
 import com.sun.enterprise.security.util.IASSecurityException;
 import com.sun.enterprise.util.LocalStringManagerImpl;
 import com.sun.logging.LogDomains;
@@ -355,7 +355,7 @@ public void clean(DeploymentContext dc) {
                         //TODO:appName is not correct, we need the module name
                         //from the descriptor.
                         probeProvider.policyDestructionStartedEvent(contextId);
-                        SecurityUtil.removePolicy(contextId);
+                        AuthorizationUtil.removePolicy(contextId);
                         probeProvider.policyDestructionEndedEvent(contextId);
                         probeProvider.policyDestructionEvent(contextId);
                     } catch (IASSecurityException ex) {
@@ -371,7 +371,7 @@ public void clean(DeploymentContext dc) {
                 }
             }
             //Removing the RoleMapper
-            SecurityUtil.removeRoleMapper(dc);
+            AuthorizationUtil.removeRoleMapper(dc);
         }
 
     }

appserver/security/core-ee/src/main/java/com/sun/enterprise/security/ee/JavaEESecurityLifecycle.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022 Contributors to the Eclipse Foundation
+ * Copyright (c) 2022, 2024 Contributors to the Eclipse Foundation
  * Copyright (c) 2011, 2020 Oracle and/or its affiliates. All rights reserved.
  *
  * This program and the accompanying materials are made available under the
@@ -21,10 +21,10 @@
 import static org.glassfish.epicyro.config.factory.file.AuthConfigFileFactory.DEFAULT_FACTORY_DEFAULT_PROVIDERS;
 
 import com.sun.enterprise.security.ContainerSecurityLifecycle;
-import com.sun.enterprise.security.ee.authorize.PolicyLoader;
-import com.sun.enterprise.security.ee.jmac.AuthMessagePolicy;
-import com.sun.enterprise.security.ee.jmac.ConfigDomainParser;
-import com.sun.enterprise.security.ee.jmac.WebServicesDelegate;
+import com.sun.enterprise.security.ee.authentication.jakarta.AuthMessagePolicy;
+import com.sun.enterprise.security.ee.authentication.jakarta.ConfigDomainParser;
+import com.sun.enterprise.security.ee.authentication.jakarta.WebServicesDelegate;
+import com.sun.enterprise.security.ee.authorization.PolicyLoader;
 import jakarta.inject.Inject;
 import jakarta.inject.Singleton;
 import jakarta.security.auth.message.MessageInfo;
@@ -58,8 +58,7 @@ public void postConstruct() {
     @Override
     public void onInitialization() {
         initializeJakartaAuthentication();
-
-        policyLoader.loadPolicy();
+        initializeJakartaAuthorization();
     }
 
     private void initializeJakartaAuthentication() {
@@ -103,4 +102,8 @@ private void initializeJakartaAuthentication() {
         System.setProperty("config.parser", ConfigDomainParser.class.getName());
     }
 
+    private void initializeJakartaAuthorization() {
+        policyLoader.loadPolicy();
+    }
+
 }

appserver/security/core-ee/src/main/java/com/sun/enterprise/security/ee/SecurityContainer.java

@@ -63,12 +63,12 @@ public String getName() {
     private static void initRoleMapperFactory() {
         // This should never ever fail.
         try {
-            Class<?> c = Class.forName("com.sun.enterprise.security.ee.acl.RoleMapperFactory");
-            if (c != null) {
-                Object o = c.getDeclaredConstructor().newInstance();
-                if (o != null && o instanceof SecurityRoleMapperFactory) {
-                    SecurityRoleMapperFactoryMgr.registerFactory((SecurityRoleMapperFactory) o);
-                }
+            Object o = Class.forName("com.sun.enterprise.security.ee.acl.RoleMapperFactory")
+                            .getDeclaredConstructor()
+                            .newInstance();
+
+            if (o instanceof SecurityRoleMapperFactory securityRoleMapperFactory) {
+                SecurityRoleMapperFactoryMgr.registerFactory(securityRoleMapperFactory);
             }
         } catch (Exception cnfe) {
             LOGGER.log(Level.SEVERE, "The impossible has happened.", cnfe);