Upgrade authentication-api.version from 2.0.0 to 3.0.0-RC2

wsit/boms/bom-ext/pom.xml

@@ -28,7 +28,7 @@
     <description>Metro Web Services Stack Dependency POM for Metro-CS</description>
 
     <properties>
-        <authentication-api.version>2.0.0</authentication-api.version>
+        <authentication-api.version>3.0.0-RC2</authentication-api.version>
         <connector-api.version>2.1.0-RC1</connector-api.version>
         <ejb-api.version>4.0.0</ejb-api.version>
         <transaction-api.version>2.0.1-RC1</transaction-api.version>

wsit/ws-sx/wssx-impl/src/main/java/com/sun/xml/wss/RealmAuthenticationAdapter.java

@@ -1,5 +1,6 @@
 /*
  * Copyright (c) 1997, 2021 Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2022 Contributors to the Eclipse Foundation
  *
  * This program and the accompanying materials are made available under the
  * terms of the Eclipse Distribution License v. 1.0, which is available at
@@ -24,13 +25,10 @@
  * The SPI implementation class needs to 
  * specified as a META-INF/services entry with name "com.sun.xml.xwss.RealmAuthenticator". 
  * A default implementation of this SPI is returned if no entry is configured.
- *
- * 
  */
 public abstract class RealmAuthenticationAdapter {
 
     public static final String UsernameAuthenticator = "com.sun.xml.xwss.RealmAuthenticator";
-    private static final String SERVLET_CONTEXT_CLASSNAME = "jakarta.servlet.ServletContext";
     // Prefixing with META-INF/ instead of /META-INF/. /META-INF/ is working fine
     // when loading from a JAR file but not when loading from a plain directory.
     private static final String JAR_PREFIX = "META-INF/";

wsit/ws-sx/wssx-impl/src/main/java/com/sun/xml/wss/impl/misc/SecurityUtil.java

@@ -1,5 +1,6 @@
 /*
  * Copyright (c) 1997, 2021 Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2022 Contributors to the Eclipse Foundation
  *
  * This program and the accompanying materials are made available under the
  * terms of the Eclipse Distribution License v. 1.0, which is available at
@@ -55,8 +56,8 @@
 import com.sun.xml.ws.api.security.secconv.client.SCTokenConfiguration;
 import com.sun.xml.ws.api.security.trust.WSTrustException;
 import com.sun.xml.ws.api.security.trust.client.IssuedTokenManager;
-
-
+import com.sun.xml.ws.api.server.Container;
+import com.sun.xml.ws.api.server.WSEndpoint;
 import com.sun.xml.ws.security.impl.IssuedTokenContextImpl;
 import com.sun.xml.ws.security.IssuedTokenContext;
 import com.sun.xml.wss.core.SecurityContextTokenImpl;
@@ -66,6 +67,9 @@
 import com.sun.xml.ws.security.SecurityTokenReference;
 
 import org.w3c.dom.Node;
+
+import static com.sun.xml.wss.provider.wsit.logging.LogStringsMessages.WSITPVD_0066_SERVLET_CONTEXT_NOTFOUND;
+
 import org.w3c.dom.Element;
 import org.w3c.dom.NamedNodeMap;
 import org.w3c.dom.Document;
@@ -628,6 +632,49 @@ public static String getDataEncryptionAlgo(JAXBFilterProcessingContext context){
     public static URL loadFromContext(final String configFileName, final Object context) {
         return ReflectionUtil.invoke(context, "getResource", URL.class, configFileName);
     }
+
+
+    /**
+     * @param endpoint
+     * @return null or the ServletContext instance bound to this endpoint
+     */
+    public static Object getServletContext(final WSEndpoint<?> endpoint) {
+        Container container = endpoint.getContainer();
+        if (container == null) {
+            return null;
+        }
+        final Class<?> contextClass = findServletContextClass();
+        if (contextClass == null) {
+            log.log(Level.WARNING, WSITPVD_0066_SERVLET_CONTEXT_NOTFOUND());
+            return null;
+        }
+        return container.getSPI(contextClass);
+    }
+
+
+    /**
+     * Tries to load the ServletContext class by the thread's context loader
+     * or by the loader which was used to load this class.
+     *
+     * @return ServletContext class or null
+     */
+    public static Class<?> findServletContextClass() {
+        String className = "jakarta.servlet.ServletContext";
+        ClassLoader loader = Thread.currentThread().getContextClassLoader();
+        if (loader != null) {
+            try {
+                return loader.loadClass(className);
+            } catch (ClassNotFoundException e) {
+                // ignore
+            }
+        }
+        loader = SecurityUtil.class.getClassLoader();
+        try {
+            return loader.loadClass(className);
+        } catch (ClassNotFoundException e) {
+            return null;
+        }
+    }
 
     /**
      * Returns a URL pointing to the given config file. The file is looked up as

wsit/ws-sx/wssx-impl/src/main/java/com/sun/xml/wss/jaxws/impl/SecurityServerTube.java

@@ -1,5 +1,6 @@
 /*
  * Copyright (c) 1997, 2021 Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2022 Contributors to the Eclipse Foundation
  *
  * This program and the accompanying materials are made available under the
  * terms of the Eclipse Distribution License v. 1.0, which is available at
@@ -54,6 +55,7 @@
 import com.sun.xml.ws.security.opt.impl.util.SOAPUtil;
 import com.sun.xml.ws.security.secconv.WSSecureConversationException;
 import com.sun.xml.wss.impl.misc.DefaultSecurityEnvironmentImpl;
+import com.sun.xml.wss.impl.misc.SecurityUtil;
 
 import java.lang.reflect.InvocationTargetException;
 import java.util.List;
@@ -863,39 +865,16 @@ private CallbackHandler configureServerHandler(Set<PolicyAssertion> configAssert
         }
     }
 
-    @SuppressWarnings("unchecked")
     private RealmAuthenticationAdapter getRealmAuthenticationAdapter(WSEndpoint wSEndpoint) {
-        String className = "jakarta.servlet.ServletContext";
-        Class ret = null;
-        ClassLoader loader = Thread.currentThread().getContextClassLoader();
-        if (loader != null) {
-            try {
-                ret = loader.loadClass(className);
-            } catch (ClassNotFoundException e) {
-                return null;
-            }
-        }
-        if (ret == null) {
-            // if context classloader didnt work, try this
-            loader = this.getClass().getClassLoader();
-            try {
-                ret = loader.loadClass(className);
-            } catch (ClassNotFoundException e) {
-                return null;
-            }
-        }
-        if (ret != null) {
-            Object obj = wSEndpoint.getContainer().getSPI(ret);
-            if (obj != null) {
-                return RealmAuthenticationAdapter.newInstance(obj);
-            }
+        Object obj = SecurityUtil.getServletContext(wSEndpoint);
+        if (obj != null) {
+            return RealmAuthenticationAdapter.newInstance(obj);
         }
         return null;
     }
 
     //doing this here becuase doing inside keyselector of optimized security would
     //mean doing it twice (if SCT was used for sign and encrypt) which can impact performance
-    @SuppressWarnings("unchecked")
     private void updateSCBootstrapCredentials(Packet packet, ProcessingContext ctx) {
         SecurityContextToken sct =
                 (SecurityContextToken) packet.invocationProperties.get(MessageConstants.INCOMING_SCT);

wsit/ws-sx/wssx-impl/src/main/java/com/sun/xml/wss/provider/wsit/ClientPipeCreator.java

@@ -1,5 +1,6 @@
 /*
  * Copyright (c) 1997, 2021 Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2022 Contributors to the Eclipse Foundation
  *
  * This program and the accompanying materials are made available under the
  * terms of the Eclipse Distribution License v. 1.0, which is available at
@@ -34,7 +35,7 @@ public ClientPipeCreator(){
     @Override
     public Pipe createSecurityPipe(PolicyMap map, 
             ClientPipeAssemblerContext ctxt, Pipe tail) {
-        HashMap<Object, Object> propBag = new HashMap<>();
+        HashMap<String, Object> propBag = new HashMap<>();
         propBag.put(PipeConstants.POLICY, map);
         propBag.put(PipeConstants.WSDL_MODEL, ctxt.getWsdlModel());
         propBag.put(PipeConstants.SERVICE, ctxt.getService());
@@ -50,7 +51,7 @@ public Pipe createSecurityPipe(PolicyMap map,
 
     @Override
     public @NotNull Tube createSecurityTube(ClientTubelineAssemblyContext context) {
-        HashMap<Object, Object> propBag = new HashMap<>();
+        HashMap<String, Object> propBag = new HashMap<>();
         propBag.put(PipeConstants.POLICY, context.getPolicyMap());
         propBag.put(PipeConstants.WSDL_MODEL, context.getWrappedContext().getWsdlModel());
         propBag.put(PipeConstants.SERVICE, context.getService());

wsit/ws-sx/wssx-impl/src/main/java/com/sun/xml/wss/provider/wsit/ClientSecurityPipe.java

@@ -1,5 +1,6 @@
 /*
  * Copyright (c) 1997, 2021 Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2022 Contributors to the Eclipse Foundation
  *
  * This program and the accompanying materials are made available under the
  * terms of the Eclipse Distribution License v. 1.0, which is available at
@@ -47,7 +48,7 @@ public class ClientSecurityPipe extends AbstractFilterPipeImpl
             LogDomainConstants.WSIT_PVD_DOMAIN,
             LogDomainConstants.WSIT_PVD_DOMAIN_BUNDLE);
 
-    public ClientSecurityPipe(Map<Object, Object> props, Pipe next) {
+    public ClientSecurityPipe(Map<String, Object> props, Pipe next) {
 
         super(next);
 	props.put(PipeConstants.SECURITY_PIPE,this);
@@ -218,7 +219,7 @@ public JAXBElement startSecureConversation(Packet packet)
 
 	    // put MessageInfo in properties map, since MessageInfo 
 	    // is not passed to getAuthContext, key idicates function
-	    HashMap<Object, Object> map = new HashMap<>();
+	    HashMap<String, Object> map = new HashMap<>();
 	    map.put(PipeConstants.SECURITY_TOKEN,info);
 
 	    helper.getSessionToken(map,info,clientSubject);

wsit/ws-sx/wssx-impl/src/main/java/com/sun/xml/wss/provider/wsit/ClientSecurityTube.java

@@ -1,5 +1,6 @@
 /*
  * Copyright (c) 1997, 2021 Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2022 Contributors to the Eclipse Foundation
  *
  * This program and the accompanying materials are made available under the
  * terms of the Eclipse Distribution License v. 1.0, which is available at
@@ -60,7 +61,7 @@ public ClientSecurityTube(TubeConfiguration config, Tube nextTube) {
         super(nextTube);  
     }
 
-    public ClientSecurityTube(Map<Object, Object> props, Tube next) {
+    public ClientSecurityTube(Map<String, Object> props, Tube next) {
 
         super(next);
         props.put(PipeConstants.SECURITY_PIPE, this);
@@ -249,7 +250,7 @@ public JAXBElement startSecureConversation(Packet packet) throws WSSecureConvers
 	    Subject clientSubject = getClientSubject(packet);
 	    // put MessageInfo in properties map, since MessageInfo 
 	    // is not passed to getAuthContext, key idicates function
-	    HashMap<Object, Object> map = new HashMap<>();
+	    HashMap<String, Object> map = new HashMap<>();
 	    map.put(PipeConstants.SECURITY_TOKEN,info);
 	    helper.getSessionToken(map,info,clientSubject);
 	    // helper returns token in map of msgInfo, using same key

wsit/ws-sx/wssx-impl/src/main/java/com/sun/xml/wss/provider/wsit/ConfigHelper.java

@@ -1,5 +1,6 @@
 /*
  * Copyright (c) 1997, 2021 Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2022 Contributors to the Eclipse Foundation
  *
  * This program and the accompanying materials are made available under the
  * terms of the Eclipse Distribution License v. 1.0, which is available at
@@ -61,12 +62,12 @@ public abstract class ConfigHelper /*implements RegistrationListener*/ {
 
     protected String layer;
     protected String appCtxt;
-    protected Map<Object, Object> map;
+    protected Map<String, Object> map;
     protected CallbackHandler cbh;
     protected AuthConfigRegistrationWrapper listenerWrapper = null;
 
     protected void init(String layer, String appContext,
-            Map<Object, Object> map, CallbackHandler cbh) {
+            Map<String, Object> map, CallbackHandler cbh) {
 
         factory = AuthConfigFactory.getFactory();
 	this.layer = layer;

wsit/ws-sx/wssx-impl/src/main/java/com/sun/xml/wss/provider/wsit/JMACAuthConfigFactory.java

@@ -1,5 +1,6 @@
 /*
  * Copyright (c) 1997, 2021 Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2022 Contributors to the Eclipse Foundation
  *
  * This program and the accompanying materials are made available under the
  * terms of the Eclipse Distribution License v. 1.0, which is available at
@@ -10,6 +11,7 @@
 
 package com.sun.xml.wss.provider.wsit;
 
+import com.sun.xml.wss.impl.misc.SecurityUtil;
 import com.sun.xml.wss.provider.wsit.logging.LogDomainConstants;
 import com.sun.xml.wss.provider.wsit.logging.LogStringsMessages;
 import java.io.ByteArrayOutputStream;
@@ -33,14 +35,17 @@
 import jakarta.security.auth.message.config.AuthConfigFactory;
 import jakarta.security.auth.message.config.AuthConfigProvider;
 import jakarta.security.auth.message.config.RegistrationListener;
+import jakarta.security.auth.message.module.ServerAuthModule;
 import jakarta.xml.ws.WebServiceException;
-    
+
 /**
  * This class implements methods in the abstract class AuthConfigFactory.
  * @author  Shing Wai Chan
  */
 public class JMACAuthConfigFactory extends AuthConfigFactory {
 
+    private static final String CONTEXT_REGISTRATION_ID = "com.sun.xml.wss.provider.wsit.contextRegistrationId";
+
     private static Logger logger =Logger.getLogger(
             LogDomainConstants.WSIT_PVD_DOMAIN,
             LogDomainConstants.WSIT_PVD_DOMAIN_BUNDLE);
@@ -235,24 +240,71 @@ public JMACAuthConfigFactory(ClassLoader loader) {
      *		permission to register a provider at the factory.
      */
     @Override
-    @SuppressWarnings("unchecked")
     public String registerConfigProvider(String className,
-					 Map properties, 
-					 String layer, String appContext, 
-					 String description) { 
+					 Map<String, String> properties,
+					 String layer, String appContext,
+					 String description) {
         //XXX do we need doPrivilege here
-        AuthConfigProvider provider =
-            _constructProvider(className, properties, null);
-        return _register(provider,properties,
-            layer,appContext,description,true);
+        AuthConfigProvider provider = _constructProvider(className, properties, null);
+        return _register(provider, properties, layer, appContext, description, true);
     }
 
     @Override
     public String registerConfigProvider(AuthConfigProvider provider,
-                                         String layer, String appContext, String description) {
-	return _register(provider,null,layer,appContext,description,false);
+        String layer, String appContext, String description) {
+        return _register(provider, null, layer, appContext, description, false);
+    }
+
+
+    @Override
+    public String registerServerAuthModule(ServerAuthModule serverAuthModule, Object context) {
+        if (context instanceof RegistrationContext) {
+            RegistrationContext ctx = (RegistrationContext) context;
+            SAMConfigProvider provider = new SAMConfigProvider(serverAuthModule);
+            return registerConfigProvider(provider, ctx.getMessageLayer(), ctx.getAppContext(), ctx.getDescription());
+        }
+        final Class<?> contextClass = SecurityUtil.findServletContextClass();
+        if (contextClass == null) {
+            return null;
+        }
+        if (contextClass.isInstance(context)) {
+            // don't put to imports as this class is supported but not required
+            jakarta.servlet.ServletContext servletContext = (jakarta.servlet.ServletContext) context;
+            String registrationId = registerConfigProvider(
+                    new SAMConfigProvider(serverAuthModule),
+                    "HttpServlet",
+                    servletContext.getVirtualServerName() + " " + servletContext.getContextPath(),
+                    "SAMConfigProvider for " + serverAuthModule.getClass()
+            );
+            servletContext.setAttribute(CONTEXT_REGISTRATION_ID, registrationId);
+            return registrationId;
+        }
+        return null;
     }
 
+
+    @Override
+    public void removeServerAuthModule(Object context) {
+        if (context instanceof RegistrationContext) {
+            RegistrationContext ctx = (RegistrationContext) context;
+            String registrationId = getRegistrationID(ctx.getMessageLayer(), ctx.getAppContext());
+            removeRegistration(registrationId);
+            return;
+        }
+        final Class<?> contextClass = SecurityUtil.findServletContextClass();
+        if (contextClass == null) {
+            return;
+        }
+        // don't put to imports as this class is supported but not required
+        jakarta.servlet.ServletContext servletContext = (jakarta.servlet.ServletContext) context;
+        String registrationId = (String) servletContext.getAttribute(CONTEXT_REGISTRATION_ID);
+        if (registrationId == null) {
+            return;
+        }
+        removeRegistration(registrationId);
+    }
+
+
     /**
      * Remove the identified provider registration from the factory
      * and invoke any listeners associated with the removed registration.
@@ -498,10 +550,9 @@ private static String[] decomposeRegisID(String regisID) {
         return new String[] { layer, appContext };
     }
 
-    @SuppressWarnings("unchecked")
-    private AuthConfigProvider _constructProvider
-    (String className, Map properties, AuthConfigFactory factory) {
-        //XXX do we need doPrivilege here
+
+    private AuthConfigProvider _constructProvider(String className, Map<String, String> properties, AuthConfigFactory factory) {
+        // XXX do we need doPrivilege here
         AuthConfigProvider provider = null;
 	if (className != null) {
 	    try {