PAYARA-3658 ejb-invoker endpoint BASIC_AUTH security support

appserver/ejb/ejb-http-remoting/admin/pom.xml

@@ -73,5 +73,15 @@
             <artifactId>javaee-api</artifactId>
             <version>${javaee.api.version}</version>
         </dependency>
+        <dependency>
+            <groupId>fish.payara.server.internal.deployment</groupId>
+            <artifactId>dol</artifactId>
+            <version>${project.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>fish.payara.server.internal.core</groupId>
+            <artifactId>kernel</artifactId>
+            <version>${project.version}</version>
+        </dependency>
     </dependencies>
 </project>

appserver/ejb/ejb-http-remoting/admin/src/main/java/fish/payara/ejb/http/admin/Constants.java

@@ -0,0 +1,53 @@
+/*
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
+ *
+ * Copyright (c) [2019] Payara Foundation and/or its affiliates. All rights reserved.
+ *
+ * The contents of this file are subject to the terms of either the GNU
+ * General Public License Version 2 only ("GPL") or the Common Development
+ * and Distribution License("CDDL") (collectively, the "License").  You
+ * may not use this file except in compliance with the License.  You can
+ * obtain a copy of the License at
+ * https://github.com/payara/Payara/blob/master/LICENSE.txt
+ * See the License for the specific
+ * language governing permissions and limitations under the License.
+ *
+ * When distributing the software, include this License Header Notice in each
+ * file and include the License file at glassfish/legal/LICENSE.txt.
+ *
+ * GPL Classpath Exception:
+ * The Payara Foundation designates this particular file as subject to the "Classpath"
+ * exception as provided by the Payara Foundation in the GPL Version 2 section of the License
+ * file that accompanied this code.
+ *
+ * Modifications:
+ * If applicable, add the following below the License Header, with the fields
+ * enclosed by brackets [] replaced by your own identifying information:
+ * "Portions Copyright [year] [name of copyright owner]"
+ *
+ * Contributor(s):
+ * If you wish your version of this file to be governed by only the CDDL or
+ * only the GPL Version 2, indicate your decision by adding "[Contributor]
+ * elects to include this software in this distribution under the [CDDL or GPL
+ * Version 2] license."  If you don't indicate a single choice of license, a
+ * recipient has the option to distribute your version of this file under
+ * either the CDDL, the GPL Version 2 or to extend the choice of license to
+ * its licensees as provided above.  However, if you add GPL Version 2 code
+ * and therefore, elected the GPL Version 2 license, then the option applies
+ * only if the new code is made subject to such option by the copyright
+ * holder.
+ */
+package fish.payara.ejb.http.admin;
+
+/**
+ *
+ * @author Gaurav Gupta
+ */
+public interface Constants {
+
+    String DEFAULT_USER_NAME = "invoker";
+
+    String DEFAULT_GROUP_NAME = "invoker";
+
+    String DEFAULT_ENDPOINT = "ejb-invoker";
+}

appserver/ejb/ejb-http-remoting/admin/src/main/java/fish/payara/ejb/http/admin/DisableEjbInvokerCommand.java

@@ -78,6 +78,7 @@
  * @author Arjan Tijms
  *
  */
+@Deprecated
 @Service(name = "disable-ejb-invoker")
 @PerLookup
 @ExecuteOn(RuntimeType.DAS)

appserver/ejb/ejb-http-remoting/admin/src/main/java/fish/payara/ejb/http/admin/EjbInvokerConfiguration.java

@@ -0,0 +1,121 @@
+/*
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
+ * 
+ *    Copyright (c) [2019] Payara Foundation and/or its affiliates. All rights reserved.
+ * 
+ *     The contents of this file are subject to the terms of either the GNU
+ *     General Public License Version 2 only ("GPL") or the Common Development
+ *     and Distribution License("CDDL") (collectively, the "License").  You
+ *     may not use this file except in compliance with the License.  You can
+ *     obtain a copy of the License at
+ *     https://github.com/payara/Payara/blob/master/LICENSE.txt
+ *     See the License for the specific
+ *     language governing permissions and limitations under the License.
+ * 
+ *     When distributing the software, include this License Header Notice in each
+ *     file and include the License file at glassfish/legal/LICENSE.txt.
+ * 
+ *     GPL Classpath Exception:
+ *     The Payara Foundation designates this particular file as subject to the "Classpath"
+ *     exception as provided by the Payara Foundation in the GPL Version 2 section of the License
+ *     file that accompanied this code.
+ * 
+ *     Modifications:
+ *     If applicable, add the following below the License Header, with the fields
+ *     enclosed by brackets [] replaced by your own identifying information:
+ *     "Portions Copyright [year] [name of copyright owner]"
+ * 
+ *     Contributor(s):
+ *     If you wish your version of this file to be governed by only the CDDL or
+ *     only the GPL Version 2, indicate your decision by adding "[Contributor]
+ *     elects to include this software in this distribution under the [CDDL or GPL
+ *     Version 2] license."  If you don't indicate a single choice of license, a
+ *     recipient has the option to distribute your version of this file under
+ *     either the CDDL, the GPL Version 2 or to extend the choice of license to
+ *     its licensees as provided above.  However, if you add GPL Version 2 code
+ *     and therefore, elected the GPL Version 2 license, then the option applies
+ *     only if the new code is made subject to such option by the copyright
+ *     holder.
+ */
+
+package fish.payara.ejb.http.admin;
+
+import static fish.payara.ejb.http.admin.Constants.DEFAULT_ENDPOINT;
+import static fish.payara.ejb.http.admin.Constants.DEFAULT_GROUP_NAME;
+import java.beans.PropertyVetoException;
+import static javax.servlet.http.HttpServletRequest.BASIC_AUTH;
+import org.glassfish.api.admin.config.ConfigExtension;
+import org.jvnet.hk2.config.Attribute;
+import org.jvnet.hk2.config.ConfigBeanProxy;
+import org.jvnet.hk2.config.Configured;
+
+/**
+ * Configuration for the EJB Invoker Service.
+ *
+ * @author Gaurav Gupta
+ */
+@Configured(name = "ejb-invoker-configuration")
+public interface EjbInvokerConfiguration extends ConfigBeanProxy, ConfigExtension {
+
+    /**
+     * @return a Boolean value determining if the ejb-invoker service is enabled
+     * or disabled.
+     */
+    @Attribute(defaultValue = "false", dataType = Boolean.class)
+    String getEnabled();
+
+    void setEnabled(String value) throws PropertyVetoException;
+
+    /**
+     * @return a String value defines the endpoint of ejb-invoker service.
+     */
+    @Attribute(defaultValue = DEFAULT_ENDPOINT)
+    String getEndpoint();
+
+    void setEndpoint(String value) throws PropertyVetoException;
+
+    /**
+     * @return a String value defines the attached virtual servers.
+     */
+    @Attribute(dataType = String.class)
+    String getVirtualServers();
+
+    void setVirtualServers(String value) throws PropertyVetoException;
+
+    /**
+     * @return a Boolean value determining if the security is enabled or not.
+     */
+    @Attribute(defaultValue = "false", dataType = Boolean.class)
+    String getSecurityEnabled();
+
+    void setSecurityEnabled(String value) throws PropertyVetoException;
+
+    /**
+     * @return a String value defines the realm name.
+     *
+     * By default, file realm is used as default value fetched from
+     * {@code com.sun.enterprise.config.serverbeans.SecurityService#getDefaultRealm}.
+     */
+    @Attribute(dataType = String.class)
+    String getRealmName();
+
+    void setRealmName(String value) throws PropertyVetoException;
+
+    /**
+     * @return a String value defines the name of the authentication mechanism
+     * used to protect the ejb-invoker endpoint.
+     */
+    @Attribute(defaultValue = BASIC_AUTH, dataType = String.class)
+    String getAuthType();
+
+    void setAuthType(String value) throws PropertyVetoException;
+
+    /**
+     * @return a String value defines the roles.
+     */
+    @Attribute(defaultValue = DEFAULT_GROUP_NAME, dataType = String.class)
+    String getRoles();
+
+    void setRoles(String value) throws PropertyVetoException;
+
+}

appserver/ejb/ejb-http-remoting/admin/src/main/java/fish/payara/ejb/http/admin/EjbInvokerContainerInitializer.java

@@ -0,0 +1,87 @@
+/*
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
+ *
+ * Copyright (c) [2019] Payara Foundation and/or its affiliates. All rights reserved.
+ *
+ * The contents of this file are subject to the terms of either the GNU
+ * General Public License Version 2 only ("GPL") or the Common Development
+ * and Distribution License("CDDL") (collectively, the "License").  You
+ * may not use this file except in compliance with the License.  You can
+ * obtain a copy of the License at
+ * https://github.com/payara/Payara/blob/master/LICENSE.txt
+ * See the License for the specific
+ * language governing permissions and limitations under the License.
+ *
+ * When distributing the software, include this License Header Notice in each
+ * file and include the License file at glassfish/legal/LICENSE.txt.
+ *
+ * GPL Classpath Exception:
+ * The Payara Foundation designates this particular file as subject to the "Classpath"
+ * exception as provided by the Payara Foundation in the GPL Version 2 section of the License
+ * file that accompanied this code.
+ *
+ * Modifications:
+ * If applicable, add the following below the License Header, with the fields
+ * enclosed by brackets [] replaced by your own identifying information:
+ * "Portions Copyright [year] [name of copyright owner]"
+ *
+ * Contributor(s):
+ * If you wish your version of this file to be governed by only the CDDL or
+ * only the GPL Version 2, indicate your decision by adding "[Contributor]
+ * elects to include this software in this distribution under the [CDDL or GPL
+ * Version 2] license."  If you don't indicate a single choice of license, a
+ * recipient has the option to distribute your version of this file under
+ * either the CDDL, the GPL Version 2 or to extend the choice of license to
+ * its licensees as provided above.  However, if you add GPL Version 2 code
+ * and therefore, elected the GPL Version 2 license, then the option applies
+ * only if the new code is made subject to such option by the copyright
+ * holder.
+ */
+package fish.payara.ejb.http.admin;
+
+import java.util.Set;
+import javax.servlet.HttpConstraintElement;
+import javax.servlet.ServletContainerInitializer;
+import javax.servlet.ServletContext;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRegistration;
+import javax.servlet.ServletSecurityElement;
+import static javax.servlet.annotation.ServletSecurity.TransportGuarantee.NONE;
+import org.glassfish.internal.api.Globals;
+import java.util.logging.Logger;
+
+/**
+ *
+ * @author Gaurav Gupta
+ */
+public class EjbInvokerContainerInitializer  implements ServletContainerInitializer {
+
+    private static final Logger LOGGER = Logger.getLogger(EjbInvokerContainerInitializer.class.getName());
+
+    @Override
+    public void onStartup(Set<Class<?>> set, ServletContext ctx) throws ServletException {
+
+        EjbInvokerConfiguration configuration = Globals.getDefaultBaseServiceLocator()
+                .getService(EjbInvokerConfiguration.class);
+        String endpoint = ctx.getContextPath();
+        if(endpoint.startsWith("/")){
+            endpoint = endpoint.substring(1);
+        }
+        if (!configuration.getEndpoint().equals(endpoint)) {
+            return;
+        }
+
+        if (Boolean.parseBoolean(configuration.getSecurityEnabled())) {
+            String[] roles = configuration.getRoles().split(",");
+            ServletRegistration.Dynamic reg = (ServletRegistration.Dynamic) ctx.getServletRegistration("fish.payara.ejb.http.endpoint.EjbOverHttpApplication");
+            if (reg != null) {
+                reg.setServletSecurity(new ServletSecurityElement(new HttpConstraintElement(NONE, roles)));
+            } else {
+                LOGGER.warning("ejb-invoker endpoint not initialized");
+            }
+            ctx.declareRoles(roles);
+        }
+
+    }
+
+}

appserver/ejb/ejb-http-remoting/admin/src/main/java/fish/payara/ejb/http/admin/EjbInvokerService.java

@@ -0,0 +1,94 @@
+/*
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
+ *
+ * Copyright (c) [2019] Payara Foundation and/or its affiliates. All rights reserved.
+ *
+ * The contents of this file are subject to the terms of either the GNU
+ * General Public License Version 2 only ("GPL") or the Common Development
+ * and Distribution License("CDDL") (collectively, the "License").  You
+ * may not use this file except in compliance with the License.  You can
+ * obtain a copy of the License at
+ * https://github.com/payara/Payara/blob/master/LICENSE.txt
+ * See the License for the specific
+ * language governing permissions and limitations under the License.
+ *
+ * When distributing the software, include this License Header Notice in each
+ * file and include the License file at glassfish/legal/LICENSE.txt.
+ *
+ * GPL Classpath Exception:
+ * The Payara Foundation designates this particular file as subject to the "Classpath"
+ * exception as provided by the Payara Foundation in the GPL Version 2 section of the License
+ * file that accompanied this code.
+ *
+ * Modifications:
+ * If applicable, add the following below the License Header, with the fields
+ * enclosed by brackets [] replaced by your own identifying information:
+ * "Portions Copyright [year] [name of copyright owner]"
+ *
+ * Contributor(s):
+ * If you wish your version of this file to be governed by only the CDDL or
+ * only the GPL Version 2, indicate your decision by adding "[Contributor]
+ * elects to include this software in this distribution under the [CDDL or GPL
+ * Version 2] license."  If you don't indicate a single choice of license, a
+ * recipient has the option to distribute your version of this file under
+ * either the CDDL, the GPL Version 2 or to extend the choice of license to
+ * its licensees as provided above.  However, if you add GPL Version 2 code
+ * and therefore, elected the GPL Version 2 license, then the option applies
+ * only if the new code is made subject to such option by the copyright
+ * holder.
+ */
+package fish.payara.ejb.http.admin;
+
+import com.sun.enterprise.config.serverbeans.SecurityService;
+import com.sun.enterprise.deployment.Application;
+import com.sun.enterprise.deployment.WebBundleDescriptor;
+import com.sun.enterprise.deployment.web.LoginConfiguration;
+import com.sun.enterprise.util.StringUtils;
+import javax.annotation.PostConstruct;
+import javax.inject.Inject;
+import org.glassfish.api.StartupRunLevel;
+import org.glassfish.api.deployment.DeploymentContext;
+import org.glassfish.api.event.EventListener;
+import org.glassfish.api.event.Events;
+import org.glassfish.hk2.runlevel.RunLevel;
+import org.glassfish.internal.api.Globals;
+import org.glassfish.internal.deployment.Deployment;
+import org.jvnet.hk2.annotations.Service;
+/**
+ *
+ * @author Gaurav Gupta
+ */
+@Service(name = "ejb-invoker-service")
+@RunLevel(StartupRunLevel.VAL)
+public class EjbInvokerService implements EventListener {
+
+    @Inject
+    private Events events;
+
+    @Inject
+    private SecurityService securityService;
+
+    @Inject
+    private EjbInvokerConfiguration config;
+
+    @PostConstruct
+    public void init() {
+        if (events == null) {
+            events = Globals.getDefaultBaseServiceLocator().getService(Events.class);
+        }
+        events.register(this);
+    }
+
+    @Override
+    public void event(EventListener.Event event) {//event.type().type()
+        if (event.is(Deployment.APPLICATION_PREPARED)) {
+            DeploymentContext context = (DeploymentContext) event.hook();
+            Application app = context.getModuleMetaData(Application.class);
+            for (WebBundleDescriptor descriptor : app.getBundleDescriptors(WebBundleDescriptor.class)) {
+                LoginConfiguration loginConf = descriptor.getLoginConfiguration();
+                loginConf.setAuthenticationMethod(config.getAuthType());
+                loginConf.setRealmName(StringUtils.ok(config.getRealmName()) ? securityService.getDefaultRealm() : config.getRealmName());
+            }
+        }
+    }
+}

appserver/ejb/ejb-http-remoting/admin/src/main/java/fish/payara/ejb/http/admin/EnableEjbInvokerCommand.java

@@ -75,6 +75,7 @@
  * @author Arjan Tijms
  *
  */
+@Deprecated
 @Service(name = "enable-ejb-invoker")
 @PerLookup
 @ExecuteOn(RuntimeType.DAS)