jakartaee · arjantijms · Mar 11, 2024 · Mar 8, 2024
diff --git a/tck/.mvn/keepme b/tck/.mvn/keepme
diff --git a/tck/app-policy/pom.xml b/tck/app-policy/pom.xml
@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+    Copyright (c) 2024 Contributors to Eclipse Foundation.
+    Copyright (c) 2015, 2020 Oracle and/or its affiliates. All rights reserved.
+
+    This program and the accompanying materials are made available under the
+    terms of the Eclipse Public License v. 2.0, which is available at
+    http://www.eclipse.org/legal/epl-2.0.
+
+    This Source Code may also be made available under the following Secondary
+    Licenses when the conditions for such availability set forth in the
+    Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+    version 2 with the GNU Classpath Exception, which is available at
+    https://www.gnu.org/software/classpath/license.html.
+
+    SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+
+-->
+
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+
+	<parent>
+        <groupId>org.eclipse.ee4j.authorization.tck</groupId>
+        <artifactId>jakarta-authorization-tck</artifactId>
+        <version>4.0.0-SNAPSHOT</version>
+    </parent>
+
+	<artifactId>app-mem-policy</artifactId>
+	<packaging>war</packaging>
+
+	<description>
+        This tests executing a custom permission check before authentication takes place.
+    </description>
+
+	<properties>
+        <failOnMissingWebXml>false</failOnMissingWebXml>
+    </properties>
+
+	<dependencies>
+        <dependency>
+            <groupId>org.eclipse.ee4j.authorization.tck</groupId>
+            <artifactId>common</artifactId>
+            <version>${project.version}</version>
+        </dependency>
+    </dependencies>
+
+	<build>
+        <finalName>app-mem-policy</finalName>
+	</build>
+</project>
diff --git a/...pp-policy/src/main/java/ee/jakarta/tck/authorization/test/PolicyRegistrationListener.java b/...pp-policy/src/main/java/ee/jakarta/tck/authorization/test/PolicyRegistrationListener.java
@@ -0,0 +1,38 @@
+/*
+ * Copyright (c) 2024 Contributors to the Eclipse Foundation
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+package ee.jakarta.tck.authorization.test;
+
+import jakarta.security.jacc.PolicyFactory;
+import jakarta.servlet.ServletContextEvent;
+import jakarta.servlet.ServletContextListener;
+import jakarta.servlet.annotation.WebListener;
+
+/**
+ * ServletContextListener that is used to install a custom authorization policy.
+ *
+ * @author Arjan Tijms
+ *
+ */
+@WebListener
+public class PolicyRegistrationListener implements ServletContextListener {
+
+    @Override
+    public void contextInitialized(ServletContextEvent sce) {
+        PolicyFactory policyFactory = PolicyFactory.getPolicyFactory();
+        policyFactory.setPolicy(new TestPolicy(policyFactory.getPolicy()));
+    }
+
+}
diff --git a/tck/app-policy/src/main/java/ee/jakarta/tck/authorization/test/ProtectedServlet.java b/tck/app-policy/src/main/java/ee/jakarta/tck/authorization/test/ProtectedServlet.java
@@ -0,0 +1,63 @@
+/*
+ * Copyright (c) 2024 Contributors to Eclipse Foundation.
+ * Copyright (c) 2015, 2020 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package ee.jakarta.tck.authorization.test;
+
+import jakarta.annotation.security.DeclareRoles;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.annotation.HttpConstraint;
+import jakarta.servlet.annotation.ServletSecurity;
+import jakarta.servlet.annotation.WebServlet;
+import jakarta.servlet.http.HttpServlet;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+/**
+ * Protected Servlet that prints out the name of the authenticated caller and whether
+ * this caller is in any of the roles {foo, bar, kaz}
+ *
+ * <p>
+ * The role "foo" is required to access this Servlet. "bar" is a role assigned by the
+ * TestIdentityStore, "kaz" doesn't exist (but we should still be able to test for it).
+ *
+ */
+@WebServlet("/protectedServlet/*")
+@DeclareRoles("bar")
+@ServletSecurity(@HttpConstraint(rolesAllowed = "foo"))
+public class ProtectedServlet extends HttpServlet {
+
+    private static final long serialVersionUID = 1L;
+
+    @Override
+    public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+
+        response.getWriter().write("This is a servlet \n");
+
+        String webName = null;
+        if (request.getUserPrincipal() != null) {
+            webName = request.getUserPrincipal().getName();
+        }
+
+        response.getWriter().write("web username: " + webName + "\n");
+
+        response.getWriter().write("web user has role \"foo\": " + request.isUserInRole("foo") + "\n");
+        response.getWriter().write("web user has role \"bar\": " + request.isUserInRole("bar") + "\n");
+        response.getWriter().write("web user has role \"kaz\": " + request.isUserInRole("kaz") + "\n");
+    }
+
+}
diff --git a/tck/app-policy/src/main/java/ee/jakarta/tck/authorization/test/TestPolicy.java b/tck/app-policy/src/main/java/ee/jakarta/tck/authorization/test/TestPolicy.java
@@ -0,0 +1,65 @@
+/*
+ * Copyright (c) 2024 Contributors to the Eclipse Foundation
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+package ee.jakarta.tck.authorization.test;
+
+import jakarta.security.jacc.Policy;
+import jakarta.security.jacc.WebResourcePermission;
+import java.security.Permission;
+import java.security.PermissionCollection;
+import java.util.logging.Logger;
+import javax.security.auth.Subject;
+
+/**
+ * Policy implementation that uses a custom permission check
+ * to grant access to {@code /protectedServlet/[*]/test} to
+ * the unauthenticated caller.
+ */
+public class TestPolicy implements Policy {
+
+    private static final Logger LOGGER = Logger.getLogger(TestPolicy.class.getName());
+
+    private final Policy originalPolicy;
+
+    public TestPolicy(Policy policy) {
+        this.originalPolicy = policy;
+    }
+
+    public boolean implies(Permission permissionToBeChecked, Subject subject) {
+        LOGGER.info(permissionToBeChecked.toString());
+        LOGGER.info(subject.toString());
+
+        // First try our custom permission checking
+        if (impliesCustom(permissionToBeChecked)) {
+           return true;
+        }
+
+        // If custom doesn't grant access, try the original policy so we
+        // keep all normal checks in place.
+        return originalPolicy.implies(permissionToBeChecked, subject);
+    }
+
+    public PermissionCollection getPermissionCollection(Subject subject) {
+        return originalPolicy.getPermissionCollection(subject);
+    }
+
+    private boolean impliesCustom(Permission permissionToBeChecked) {
+        return
+            permissionToBeChecked instanceof WebResourcePermission &&
+            permissionToBeChecked.getName().startsWith("/protectedServlet/") &&
+            permissionToBeChecked.getName().endsWith("/test");
+    }
+
+}
diff --git a/tck/app-policy/src/main/webapp/WEB-INF/beans.xml b/tck/app-policy/src/main/webapp/WEB-INF/beans.xml
@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+    Copyright (c) 2024 Contributors to Eclipse Foundation.
+    Copyright (c) 2015, 2020 Oracle and/or its affiliates. All rights reserved.
+
+    This program and the accompanying materials are made available under the
+    terms of the Eclipse Public License v. 2.0, which is available at
+    http://www.eclipse.org/legal/epl-2.0.
+
+    This Source Code may also be made available under the following Secondary
+    Licenses when the conditions for such availability set forth in the
+    Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+    version 2 with the GNU Classpath Exception, which is available at
+    https://www.gnu.org/software/classpath/license.html.
+
+    SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+
+-->
+<beans xmlns="https://jakarta.ee/xml/ns/jakartaee"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="https://jakarta.ee/xml/ns/jakartaee https://jakarta.ee/xml/ns/jakartaee/beans_3_0.xsd"
+       bean-discovery-mode="all" version="3.0">
+</beans>
diff --git a/tck/app-policy/src/main/webapp/WEB-INF/web.xml b/tck/app-policy/src/main/webapp/WEB-INF/web.xml
@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+    Copyright (c) 2024 Contributors to Eclipse Foundation.
+
+    This program and the accompanying materials are made available under the
+    terms of the Eclipse Public License v. 2.0, which is available at
+    http://www.eclipse.org/legal/epl-2.0.
+
+    This Source Code may also be made available under the following Secondary
+    Licenses when the conditions for such availability set forth in the
+    Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+    version 2 with the GNU Classpath Exception, which is available at
+    https://www.gnu.org/software/classpath/license.html.
+
+    SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+
+-->
+<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="https://jakarta.ee/xml/ns/jakartaee https://jakarta.ee/xml/ns/jakartaee/web-app_6_0.xsd"
+         version="6.0">
+
+    <login-config>
+        <auth-method>BASIC</auth-method>
+        <realm-name>file</realm-name>
+    </login-config>
+</web-app>
diff --git a/tck/app-policy/src/test/java/ee/jakarta/tck/authorization/test/AppPolicyIT.java b/tck/app-policy/src/test/java/ee/jakarta/tck/authorization/test/AppPolicyIT.java
@@ -0,0 +1,97 @@
+/*
+ * Copyright (c) 2024 Contributors to Eclipse Foundation.
+ * Copyright (c) 2015, 2020 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package ee.jakarta.tck.authorization.test;
+
+import static ee.jakarta.tck.authorization.util.Assert.assertDefaultAccess;
+import static ee.jakarta.tck.authorization.util.Assert.assertDefaultAuthenticated;
+import static ee.jakarta.tck.authorization.util.Assert.assertDefaultNoAccess;
+import static ee.jakarta.tck.authorization.util.Assert.assertDefaultNotAuthenticated;
+import static ee.jakarta.tck.authorization.util.ShrinkWrap.mavenWar;
+
+import com.gargoylesoftware.htmlunit.DefaultCredentialsProvider;
+import ee.jakarta.tck.authorization.util.ArquillianBase;
+import org.jboss.arquillian.container.test.api.Deployment;
+import org.jboss.arquillian.junit.Arquillian;
+import org.jboss.shrinkwrap.api.Archive;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+
+@RunWith(Arquillian.class)
+public class AppPolicyIT extends ArquillianBase {
+
+    @Deployment(testable = false)
+    public static Archive<?> createDeployment() {
+        return mavenWar();
+    }
+
+    // Test several general conditions to make sure security
+    // works in the normal way
+
+    /**
+     * Normally authenticated for a request to the default path.
+     * Should have access via the role foo
+     */
+    @Test
+    public void testAuthenticated() {
+        DefaultCredentialsProvider credentialsProvider = new DefaultCredentialsProvider();
+        credentialsProvider.addCredentials("reza", "secret1");
+
+        getWebClient().setCredentialsProvider(credentialsProvider);
+
+        assertDefaultAuthenticated(
+            readFromServer("/protectedServlet"));
+    }
+
+    /**
+     * Not authenticated on the default path.
+     * Should not have access, since not in the required role foo
+     */
+    @Test
+    public void testNotAuthenticated() {
+        assertDefaultNoAccess(
+            readFromServer("/protectedServlet"));
+    }
+
+    /**
+     * Wrongly authenticated on the default path.
+     * Should not have access, since not in the required role foo
+     */
+    @Test
+    public void testNotAuthenticatedWrongName() {
+        assertDefaultNoAccess(
+            readFromServer("/protectedServlet?name=romo&password=secret1"));
+    }
+
+    // Test on the special test path which a custom policy is observing
+
+    /**
+     * Should have access, despite not being in the required role foo.
+     * The custom policy made an exception here.
+     *
+     * But, the caller should not be in any roles (specially, should not be in role foo)
+     */
+    @Test
+    public void testNotAuthenticatedSpecial() {
+        String response = readFromServer("/protectedServlet/foo/test");
+
+        assertDefaultAccess(response);
+        assertDefaultNotAuthenticated(response);
+    }
+
+}