[WFLY-8603] [WFLY-8604] [WFLY-8605] [WFLY-8606] Upgrade components fo…

…r fixed Remoting/Elytron authentication methodology

ejb3/src/main/java/org/jboss/as/ejb3/remote/LocalEjbReceiver.java

@@ -53,7 +53,7 @@
 import org.jboss.marshalling.cloner.ObjectCloners;
 import org.jboss.security.SecurityContext;
 import org.jboss.security.SecurityContextAssociation;
-import org.wildfly.naming.client.NamingProvider;
+import org.wildfly.security.auth.client.AuthenticationConfiguration;
 import org.wildfly.security.manager.WildFlySecurityManager;
 
 import java.lang.reflect.Method;
@@ -65,6 +65,8 @@
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.Future;
 
+import javax.net.ssl.SSLContext;
+
 /**
  * {@link EJBReceiver} for local same-VM invocations. This handles all invocations on remote interfaces
  * within the server JVM.
@@ -330,7 +332,7 @@ private ObjectCloner createCloner(final ClonerConfiguration paramConfig) {
     }
 
     @Override
-    protected <T> StatefulEJBLocator<T> createSession(StatelessEJBLocator<T> statelessLocator, NamingProvider namingProvider) throws Exception {
+    protected <T> StatefulEJBLocator<T> createSession(final StatelessEJBLocator<T> statelessLocator, final AuthenticationConfiguration authenticationConfiguration, final SSLContext sslContext) throws Exception {
         final EjbDeploymentInformation ejbInfo = findBean(statelessLocator);
         final EJBComponent component = ejbInfo.getEjbComponent();
         if (!(component instanceof StatefulSessionComponent)) {

pom.xml

@@ -157,7 +157,7 @@
         <version.org.jboss.activemq.artemis.integration>1.0.2</version.org.jboss.activemq.artemis.integration>
         <version.org.jboss.common.jboss-common-beans>2.0.0.Final</version.org.jboss.common.jboss-common-beans>
         <version.org.jboss.hal.release-stream>2.9.6.Final</version.org.jboss.hal.release-stream>
-        <version.org.jboss.ejb-client>4.0.0.Beta24</version.org.jboss.ejb-client>
+        <version.org.jboss.ejb-client>4.0.0.Beta25</version.org.jboss.ejb-client>
         <version.org.jboss.ejb3.ext-api>2.2.0.Final</version.org.jboss.ejb3.ext-api>
         <version.org.jboss.genericjms>2.0.0.Alpha2</version.org.jboss.genericjms>
         <version.org.jboss.iiop-client>1.0.0.Final</version.org.jboss.iiop-client>
@@ -215,12 +215,12 @@
         <version.org.syslog4j>0.9.30</version.org.syslog4j>
         <version.org.wildfly.build-tools>1.1.8.Final</version.org.wildfly.build-tools>
         <version.org.wildfly.checkstyle-config>1.0.5.Final</version.org.wildfly.checkstyle-config>
-        <version.org.wildfly.core>3.0.0.Beta15</version.org.wildfly.core>
+        <version.org.wildfly.core>3.0.0.Beta16</version.org.wildfly.core>
         <version.org.wildfly.plugin>1.2.0.Alpha4</version.org.wildfly.plugin>
         <version.org.wildfly.arquillian>2.1.0.Alpha1</version.org.wildfly.arquillian>
-        <version.org.wildfly.http-client>1.0.0.Alpha4</version.org.wildfly.http-client>
-        <version.org.wildfly.naming-client>1.0.0.Beta13</version.org.wildfly.naming-client>
-        <version.org.wildfly.transaction.client>1.0.0.Beta19</version.org.wildfly.transaction.client>
+        <version.org.wildfly.http-client>1.0.0.CR2-SNAPSHOT</version.org.wildfly.http-client>
+        <version.org.wildfly.naming-client>1.0.0.Beta14</version.org.wildfly.naming-client>
+        <version.org.wildfly.transaction.client>1.0.0.Beta21</version.org.wildfly.transaction.client>
         <version.org.yaml.snakeyaml>1.17</version.org.yaml.snakeyaml>
         <version.sun.jaxb>2.2.11.jbossorg-1</version.sun.jaxb>
         <version.sun.saaj-impl>1.3.16-jbossorg-1</version.sun.saaj-impl>

security/subsystem/src/main/java/org/jboss/as/security/remoting/RemotingConnectionCredential.java

@@ -34,6 +34,7 @@
 import org.jboss.as.core.security.RealmRole;
 import org.jboss.as.core.security.RealmUser;
 import org.jboss.remoting3.Connection;
+import org.wildfly.common.Assert;
 import org.wildfly.security.auth.server.SecurityIdentity;
 
 /**
@@ -44,27 +45,32 @@
 public final class RemotingConnectionCredential {
 
     private final Connection connection;
+    private final SecurityIdentity securityIdentity;
     private final Subject subject;
 
-    public RemotingConnectionCredential(final Connection connection) {
+    public RemotingConnectionCredential(final Connection connection, final SecurityIdentity securityIdentity) {
+        Assert.checkNotNullParam("connection", connection);
+        Assert.checkNotNullParam("securityIdentity", securityIdentity);
         this.connection = connection;
+        this.securityIdentity = securityIdentity;
         Subject subject = new Subject();
-        SecurityIdentity localIdentity = connection.getLocalIdentity();
-        if (localIdentity != null) {
-            Set<Principal> principals = subject.getPrincipals();
-            principals.add(new RealmUser(localIdentity.getPrincipal().getName()));
-            StreamSupport.stream(localIdentity.getRoles().spliterator(), true).forEach((String role) -> {
-                principals.add(new RealmGroup(role));
-                principals.add(new RealmRole(role));
-            });
-        }
+        Set<Principal> principals = subject.getPrincipals();
+        principals.add(new RealmUser(securityIdentity.getPrincipal().getName()));
+        StreamSupport.stream(securityIdentity.getRoles().spliterator(), true).forEach((String role) -> {
+            principals.add(new RealmGroup(role));
+            principals.add(new RealmRole(role));
+        });
         this.subject = subject;
     }
 
     Connection getConnection() {
         return connection;
     }
 
+    SecurityIdentity getSecurityIdentity() {
+        return securityIdentity;
+    }
+
     public Subject getSubject() {
         return subject;
     }
@@ -76,10 +82,10 @@ public int hashCode() {
 
     @Override
     public boolean equals(Object obj) {
-        return obj instanceof RemotingConnectionCredential ? equals((RemotingConnectionCredential) obj) : false;
+        return obj instanceof RemotingConnectionCredential && equals((RemotingConnectionCredential) obj);
     }
 
     public boolean equals(RemotingConnectionCredential obj) {
-        return connection.equals(obj.connection);
+        return connection.equals(obj.connection) && securityIdentity.equals(obj.securityIdentity);
     }
 }

security/subsystem/src/main/java/org/jboss/as/security/remoting/RemotingLoginModule.java

@@ -98,49 +98,41 @@ public boolean login() throws LoginException {
 
         Object credential = getCredential();
         if (credential instanceof RemotingConnectionCredential) {
-            Connection con = ((RemotingConnectionCredential) credential).getConnection();
-            Principal up = null;
-
-            SecurityIdentity localIdentity = con.getLocalIdentity();
-            if (localIdentity != null) {
-                up = new RealmUser(localIdentity.getPrincipal().getName());
-            }
-
-            // If we found a principal from the connection then authentication succeeded.
-            if (up != null) {
-                identity = up;
-                if (getUseFirstPass()) {
-                    String userName = identity.getName();
-                    log.debugf("Storing username '%s'", userName);
-                    // Add the username to the shared state map
-                    sharedState.put("javax.security.auth.login.name", identity);
-
-                    if (useNewClientCert) {
-                        SSLSession session = con.getSslSession();
-                        if (session != null) {
-                            try {
-                                credential = session.getPeerCertificates()[0];
-                                log.debug("Using new certificate as credential.");
-                            } catch (SSLPeerUnverifiedException e) {
-                                log.debugf("No peer certificate available for '%s'", userName);
-                            }
+            final RemotingConnectionCredential remotingConnectionCredential = (RemotingConnectionCredential) credential;
+            Connection con = remotingConnectionCredential.getConnection();
+            SecurityIdentity localIdentity = remotingConnectionCredential.getSecurityIdentity();
+            identity = new RealmUser(localIdentity.getPrincipal().getName());
+            if (getUseFirstPass()) {
+                String userName = identity.getName();
+                log.debugf("Storing username '%s'", userName);
+                // Add the username to the shared state map
+                sharedState.put("javax.security.auth.login.name", identity);
+
+                if (useNewClientCert) {
+                    SSLSession session = con.getSslSession();
+                    if (session != null) {
+                        try {
+                            credential = session.getPeerCertificates()[0];
+                            log.debug("Using new certificate as credential.");
+                        } catch (SSLPeerUnverifiedException e) {
+                            log.debugf("No peer certificate available for '%s'", userName);
                         }
-                    } else if (useClientCert) {
-                        SSLSession session = con.getSslSession();
-                        if (session != null) {
-                            try {
-                                credential = session.getPeerCertificateChain()[0];
-                                log.debug("Using certificate as credential.");
-                            } catch (SSLPeerUnverifiedException e) {
-                                log.debugf("No peer certificate available for '%s'", userName);
-                            }
+                    }
+                } else if (useClientCert) {
+                    SSLSession session = con.getSslSession();
+                    if (session != null) {
+                        try {
+                            credential = session.getPeerCertificateChain()[0];
+                            log.debug("Using certificate as credential.");
+                        } catch (SSLPeerUnverifiedException e) {
+                            log.debugf("No peer certificate available for '%s'", userName);
                         }
                     }
-                    sharedState.put("javax.security.auth.login.password", credential);
                 }
-                loginOk = true;
-                return true;
+                sharedState.put("javax.security.auth.login.password", credential);
             }
+            loginOk = true;
+            return true;
         }
 
         // We return false to allow the next module to attempt authentication, maybe a

security/subsystem/src/main/java/org/jboss/as/security/service/SimpleSecurityManager.java

@@ -66,6 +66,7 @@
 import org.jboss.security.javaee.SecurityHelperFactory;
 import org.jboss.security.javaee.SecurityRoleRef;
 import org.wildfly.security.auth.server.IdentityCredentials;
+import org.wildfly.security.auth.server.SecurityDomain;
 import org.wildfly.security.auth.server.SecurityIdentity;
 import org.wildfly.security.credential.PasswordCredential;
 import org.wildfly.security.password.interfaces.ClearPassword;
@@ -301,15 +302,15 @@ public void push(final String securityDomain) {
                 Principal p = null;
                 Object credential = null;
 
-                SecurityIdentity localIdentity = connection.getLocalIdentity();
+                SecurityIdentity localIdentity = SecurityDomain.forIdentity(connection.getLocalIdentity()).getCurrentSecurityIdentity();
                 if (localIdentity != null) {
                     p = new SimplePrincipal(localIdentity.getPrincipal().getName());
                     IdentityCredentials privateCredentials = localIdentity.getPrivateCredentials();
                     PasswordCredential passwordCredential = privateCredentials.getCredential(PasswordCredential.class, ClearPassword.ALGORITHM_CLEAR);
                     if (passwordCredential != null) {
                         credential = new String(passwordCredential.getPassword(ClearPassword.class).getPassword());
                     } else {
-                        credential = new RemotingConnectionCredential(connection);
+                        credential = new RemotingConnectionCredential(connection, localIdentity);
                     }
                 } else {
                     throw SecurityLogger.ROOT_LOGGER.noUserPrincipalFound();

testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/ejb/container/interceptor/security/SwitchIdentityTestCase.java

@@ -81,6 +81,16 @@ public class SwitchIdentityTestCase {
     @ArquillianResource
     private ManagementClient mgmtClient;
 
+    private final Map<String, String> passwordsToUse;
+
+    public SwitchIdentityTestCase() {
+        passwordsToUse = new HashMap<>();
+        passwordsToUse.put("guest", "b5d048a237bfd2874b6928e1f37ee15e");
+        passwordsToUse.put("user1", "23624d2f74dfcb9688651a066d90b97e");
+        passwordsToUse.put("user2", "ab3f9e12039435236d89de9023a304b7");
+        passwordsToUse.put("remoteejbuser", "d37cd830cc282510807b82c4b861256d");
+    }
+
     // Public methods --------------------------------------------------------
 
     @BeforeClass
@@ -174,6 +184,7 @@ private AuthenticationContext setupAuthenticationContext(final String username)
                         AuthenticationConfiguration.EMPTY
                                 .useName(username == null ? "$local" : username)
                                 .useRealm(null)
+                                .usePassword(passwordsToUse.getOrDefault(username, ""))
                                 .allowSaslMechanisms("DIGEST-MD5")
                                 .useMechanismProperties(getSaslProperties(builder.getMap()))
                                 .useProvidersFromClassLoader(SwitchIdentityTestCase.class.getClassLoader()));

testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/ejb/container/interceptor/security/api/SwitchIdentityTestCase.java

@@ -83,6 +83,16 @@ public class SwitchIdentityTestCase {
     private static final String EJB_OUTBOUND_REALM = "ejb-outbound-realm";
     private static final String SECURITY_DOMAIN_NAME = "switch-identity-test";
 
+    private final Map<String, String> passwordsToUse;
+
+    public SwitchIdentityTestCase() {
+        passwordsToUse = new HashMap<>();
+        passwordsToUse.put("guest", "b5d048a237bfd2874b6928e1f37ee15e");
+        passwordsToUse.put("user1", "23624d2f74dfcb9688651a066d90b97e");
+        passwordsToUse.put("user2", "ab3f9e12039435236d89de9023a304b7");
+        passwordsToUse.put("remoteejbuser", "d37cd830cc282510807b82c4b861256d");
+    }
+
     @ArquillianResource
     private ManagementClient mgmtClient;
 
@@ -196,6 +206,7 @@ private AuthenticationContext setupAuthenticationContext(final String username)
                         AuthenticationConfiguration.EMPTY
                                 .useName(username == null ? "$local" : username)
                                 .useRealm(null)
+                                .usePassword(passwordsToUse.getOrDefault(username, ""))
                                 .allowSaslMechanisms("DIGEST-MD5")
                                 .useMechanismProperties(getSaslProperties(builder.getMap()))
                                 .useProvidersFromClassLoader(org.jboss.as.test.integration.ejb.container.interceptor.security.SwitchIdentityTestCase.class.getClassLoader()));

testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/ejb/mapbased/MapBasedInitialContextEjbClientTestCase.java

@@ -30,7 +30,6 @@
 import org.jboss.arquillian.container.test.api.Deployment;
 import org.jboss.arquillian.container.test.api.RunAsClient;
 import org.jboss.arquillian.junit.Arquillian;
-import org.jboss.as.test.shared.util.AssumeTestGroupUtil;
 import org.jboss.shrinkwrap.api.Archive;
 import org.jboss.shrinkwrap.api.ShrinkWrap;
 import org.jboss.shrinkwrap.api.spec.JavaArchive;
@@ -64,7 +63,6 @@ public static Archive<?> getDeployment() {
      */
     @Test
     public void testScopedEJBClientContexts() throws Exception {
-        AssumeTestGroupUtil.assumeElytronProfileTestsEnabled();
         InitialContext ctx = new InitialContext(getEjbClientProperties(System.getProperty("node0", "127.0.0.1"), 8080));
         try {
             String lookupName = "ejb:/" + ARCHIVE_NAME + "/" + StatelessBean.class.getSimpleName() + "!" + StatelessIface.class.getCanonicalName();

testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/ejb/security/AnnSBTest.java

@@ -47,6 +47,7 @@
 import org.wildfly.security.auth.client.AuthenticationConfiguration;
 import org.wildfly.security.auth.client.AuthenticationContext;
 import org.wildfly.security.auth.client.MatchRule;
+import org.wildfly.security.auth.principal.AnonymousPrincipal;
 import org.xnio.OptionMap;
 import org.xnio.Options;
 import org.xnio.Property;
@@ -106,7 +107,7 @@ private SimpleAuthorizationRemote getBean(final String MODULE, final Logger log,
      */
     public void testSingleMethodAnnotationsNoUserTemplate(final String MODULE, final Logger log, final Class SB_CLASS) throws Exception {
         final Context ctx = Util.createNamingContext();
-        final AuthenticationContext authenticationContext = setupAuthenticationContext("$local", null);
+        final AuthenticationContext authenticationContext = AuthenticationContext.empty().with(MatchRule.ALL, AuthenticationConfiguration.EMPTY.useAuthorizationPrincipal(AnonymousPrincipal.getInstance()));
         authenticationContext.runCallable(() -> {
             String echoValue = getBean(MODULE, log, SB_CLASS, ctx).defaultAccess("alohomora");
             Assert.assertEquals(echoValue, "alohomora");