Merge pull request #9364 from kabir/naming-failure-elytron

Upgrade Core to 3.0.0.Alpha12; bring in WFLY-4588 elytron work

appclient/pom.xml

@@ -142,11 +142,6 @@
             <artifactId>jboss-remoting</artifactId>
         </dependency>
 
-        <dependency>
-            <groupId>org.jboss.sasl</groupId>
-            <artifactId>jboss-sasl</artifactId>
-        </dependency>
-
         <dependency>
             <groupId>org.jboss.spec.javax.jms</groupId>
             <artifactId>jboss-jms-api_2.0_spec</artifactId>

appclient/src/main/java/org/jboss/as/appclient/service/LazyConnectionContextSelector.java

@@ -22,6 +22,8 @@
 
 package org.jboss.as.appclient.service;
 
+import static java.security.AccessController.doPrivileged;
+
 import java.io.IOException;
 import java.net.URI;
 import java.net.URISyntaxException;
@@ -36,9 +38,10 @@
 import org.jboss.ejb.client.remoting.IoFutureHelper;
 import org.jboss.remoting3.Connection;
 import org.jboss.remoting3.Endpoint;
-import org.jboss.remoting3.Remoting;
-import org.jboss.remoting3.remote.HttpUpgradeConnectionProviderFactory;
-import org.jboss.remoting3.remote.RemoteConnectionProviderFactory;
+import org.wildfly.security.auth.client.AuthenticationConfiguration;
+import org.wildfly.security.auth.client.AuthenticationContext;
+import org.wildfly.security.auth.client.AuthenticationContextConfigurationClient;
+import org.wildfly.security.auth.client.MatchRule;
 import org.wildfly.security.manager.WildFlySecurityManager;
 import org.xnio.IoFuture;
 import org.xnio.IoUtils;
@@ -54,6 +57,8 @@
  */
 public class LazyConnectionContextSelector implements ContextSelector<EJBClientContext> {
 
+    private static final AuthenticationContextConfigurationClient AUTH_CONFIGURATION_CLIENT = doPrivileged(AuthenticationContextConfigurationClient.ACTION);
+
     private final String hostUrl;
     private final CallbackHandler callbackHandler;
     private final ClassLoader classLoader;
@@ -73,13 +78,15 @@ public LazyConnectionContextSelector(final String hostUrl, final CallbackHandler
 
     private synchronized void createConnection() {
         try {
-            endpoint = Remoting.createEndpoint("endpoint", OptionMap.EMPTY);
-            endpoint.addConnectionProvider("remote", new RemoteConnectionProviderFactory(), OptionMap.create(Options.SSL_ENABLED, Boolean.FALSE));
-            endpoint.addConnectionProvider("http-remoting", new HttpUpgradeConnectionProviderFactory(), OptionMap.create(Options.SSL_ENABLED, Boolean.FALSE));
-            endpoint.addConnectionProvider("https-remoting", new HttpUpgradeConnectionProviderFactory(),  OptionMap.create(Options.SSL_ENABLED, Boolean.TRUE));
+            final URI uri = new URI(hostUrl);
+            AuthenticationContext captured = AuthenticationContext.captureCurrent();
+            AuthenticationConfiguration mergedConfiguration = AUTH_CONFIGURATION_CLIENT.getAuthenticationConfiguration(uri, captured);
+            if (callbackHandler != null) mergedConfiguration = mergedConfiguration.useCallbackHandler(callbackHandler);
+            final AuthenticationContext context = AuthenticationContext.empty().with(MatchRule.ALL, mergedConfiguration);
 
             // open a connection
-            final IoFuture<Connection> futureConnection = endpoint.connect(new URI(hostUrl), OptionMap.create(Options.SASL_POLICY_NOANONYMOUS, Boolean.FALSE, Options.SASL_POLICY_NOPLAINTEXT, Boolean.FALSE), callbackHandler);
+            endpoint = Endpoint.getCurrent();
+            final IoFuture<Connection> futureConnection = endpoint.connect(uri, OptionMap.create(Options.SASL_POLICY_NOANONYMOUS, Boolean.FALSE, Options.SASL_POLICY_NOPLAINTEXT, Boolean.FALSE), context);
             connection = IoFutureHelper.get(futureConnection, 30L, TimeUnit.SECONDS);
 
             final EJBClientContext ejbClientContext = EJBClientContext.create(classLoader);

client/ejb/pom.xml

@@ -76,11 +76,6 @@
             <artifactId>jboss-remoting</artifactId>
         </dependency>
 
-        <dependency>
-            <groupId>org.jboss.sasl</groupId>
-            <artifactId>jboss-sasl</artifactId>
-        </dependency>
-
         <dependency>
             <groupId>org.jboss.spec.javax.transaction</groupId>
             <artifactId>jboss-transaction-api_1.2_spec</artifactId>
@@ -101,6 +96,11 @@
             <artifactId>xnio-nio</artifactId>
         </dependency>
 
+        <dependency>
+            <groupId>org.wildfly.security</groupId>
+            <artifactId>wildfly-elytron</artifactId>
+        </dependency>
+
     </dependencies>
 
 </project>

client/jms/pom.xml

@@ -106,11 +106,6 @@
             <artifactId>jboss-remoting</artifactId>
         </dependency>
 
-        <dependency>
-            <groupId>org.jboss.sasl</groupId>
-            <artifactId>jboss-sasl</artifactId>
-        </dependency>
-
         <dependency>
             <groupId>org.jboss.spec.javax.jms</groupId>
             <artifactId>jboss-jms-api_2.0_spec</artifactId>
@@ -140,6 +135,11 @@
             <groupId>org.slf4j</groupId>
             <artifactId>slf4j-api</artifactId>
         </dependency>
+
+        <dependency>
+            <groupId>org.wildfly.security</groupId>
+            <artifactId>wildfly-elytron</artifactId>
+        </dependency>
     </dependencies>
 
 </project>

ejb3/src/main/java/org/jboss/as/ejb3/security/RunAsPrincipalInterceptor.java

@@ -36,6 +36,7 @@
  * @author <a href="mailto:david.lloyd@redhat.com">David M. Lloyd</a>
  */
 public class RunAsPrincipalInterceptor implements Interceptor {
+    private static final String ANONYMOUS_PRINCIPAL = "anonymous";
     private final String runAsPrincipal;
 
     public RunAsPrincipalInterceptor(final String runAsPrincipal) {
@@ -58,10 +59,18 @@ public Object processInvocation(final InterceptorContext context) throws Excepti
         try {
             // The run-as-principal operation should succeed if the current identity is authorized to
             // run as a user with the given name or if the caller has sufficient permission
-            try {
-                newIdentity = currentIdentity.createRunAsIdentity(runAsPrincipal);
-            } catch (AuthorizationFailureException ex) {
-                newIdentity = currentIdentity.createRunAsIdentity(runAsPrincipal, false);
+            if (runAsPrincipal.equals(ANONYMOUS_PRINCIPAL)) {
+                try {
+                    newIdentity = currentIdentity.createRunAsAnonymous();
+                } catch (AuthorizationFailureException ex) {
+                    newIdentity = currentIdentity.createRunAsAnonymous(false);
+                }
+            } else {
+                try {
+                    newIdentity = currentIdentity.createRunAsIdentity(runAsPrincipal);
+                } catch (AuthorizationFailureException ex) {
+                    newIdentity = currentIdentity.createRunAsIdentity(runAsPrincipal, false);
+                }
             }
             ejbComponent.setIncomingRunAsIdentity(currentIdentity);
             return newIdentity.runAs(context);

feature-pack/src/main/resources/configuration/domain/subsystems-elytron.xml

@@ -20,7 +20,7 @@
       <subsystem>mail.xml</subsystem>
       <subsystem>naming.xml</subsystem>
       <subsystem>pojo.xml</subsystem>
-      <subsystem>remoting.xml</subsystem>
+      <subsystem supplement="elytron">remoting.xml</subsystem>
       <subsystem>resource-adapters.xml</subsystem>
       <subsystem>request-controller.xml</subsystem>
       <subsystem>sar.xml</subsystem>
@@ -53,7 +53,7 @@
       <subsystem>mod_cluster.xml</subsystem>
       <subsystem>naming.xml</subsystem>
       <subsystem>pojo.xml</subsystem>
-      <subsystem>remoting.xml</subsystem>
+      <subsystem supplement="elytron">remoting.xml</subsystem>
       <subsystem>resource-adapters.xml</subsystem>
       <subsystem>request-controller.xml</subsystem>
       <subsystem>sar.xml</subsystem>
@@ -88,7 +88,7 @@
       <subsystem>messaging-activemq.xml</subsystem>
       <subsystem>naming.xml</subsystem>
       <subsystem>pojo.xml</subsystem>
-      <subsystem>remoting.xml</subsystem>
+      <subsystem supplement="elytron">remoting.xml</subsystem>
       <subsystem>resource-adapters.xml</subsystem>
       <subsystem>request-controller.xml</subsystem>
       <subsystem>sar.xml</subsystem>
@@ -124,7 +124,7 @@
       <subsystem>mod_cluster.xml</subsystem>
       <subsystem>naming.xml</subsystem>
       <subsystem>pojo.xml</subsystem>
-      <subsystem>remoting.xml</subsystem>
+      <subsystem supplement="elytron">remoting.xml</subsystem>
       <subsystem>resource-adapters.xml</subsystem>
       <subsystem>request-controller.xml</subsystem>
       <subsystem>sar.xml</subsystem>

feature-pack/src/main/resources/configuration/host/host-elytron.xml

@@ -6,29 +6,14 @@
     </extensions>
 
     <management>
+        <identity security-domain="ManagementDomain"/>
         <security-realms>
-            <security-realm name="ManagementRealm">
-                <authentication>
-                    <local default-user="$local" skip-group-loading="true"/>
-                    <properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"/>
-                </authentication>
-                <authorization map-groups-to-roles="false">
-                    <properties path="mgmt-groups.properties" relative-to="jboss.domain.config.dir"/>
-                </authorization>
-            </security-realm>
             <security-realm name="ApplicationRealm">
                 <server-identities>
                     <ssl>
                         <keystore path="application.keystore" relative-to="jboss.domain.config.dir" keystore-password="password" alias="server" key-password="password" generate-self-signed-certificate-host="localhost"/>
                     </ssl>
                 </server-identities>
-                <authentication>
-                    <local default-user="$local" allowed-users="*" skip-group-loading="true"/>
-                    <properties path="application-users.properties" relative-to="jboss.domain.config.dir"/>
-                </authentication>
-                <authorization>
-                    <properties path="application-roles.properties" relative-to="jboss.domain.config.dir"/>
-                </authorization>
             </security-realm>
         </security-realms>
         <audit-log>
@@ -51,11 +36,11 @@
             </server-logger>
         </audit-log>
         <management-interfaces>
-            <native-interface security-realm="ManagementRealm">
+            <native-interface sasl-authentication-factory="management-sasl-authentication">
                 <socket interface="management" port="${jboss.management.native.port:9999}"/>
             </native-interface>
-            <http-interface security-realm="ManagementRealm">
-                <http-upgrade enabled="true" />
+            <http-interface http-authentication-factory="management-http-authentication">
+                <http-upgrade enabled="true"  sasl-authentication-factory="management-sasl-authentication"/>
                 <socket interface="management" port="${jboss.management.http.port:9990}"/>
             </http-interface>
         </management-interfaces>

feature-pack/src/main/resources/configuration/standalone/subsystems-elytron.xml

@@ -20,7 +20,7 @@
       <subsystem>mail.xml</subsystem>
       <subsystem>naming.xml</subsystem>
       <subsystem>pojo.xml</subsystem>
-      <subsystem>remoting.xml</subsystem>
+      <subsystem supplement="elytron">remoting.xml</subsystem>
       <subsystem>resource-adapters.xml</subsystem>
       <subsystem>request-controller.xml</subsystem>
       <subsystem>sar.xml</subsystem>

feature-pack/src/main/resources/configuration/standalone/template-elytron.xml

@@ -7,29 +7,14 @@
     </extensions>
 
     <management>
+        <identity security-domain="ManagementDomain"/>
         <security-realms>
-            <security-realm name="ManagementRealm">
-                <authentication>
-                    <local default-user="$local" skip-group-loading="true"/>
-                    <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
-                </authentication>
-                <authorization map-groups-to-roles="false">
-                    <properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
-                </authorization>
-            </security-realm>
             <security-realm name="ApplicationRealm">
                 <server-identities>
                     <ssl>
                         <keystore path="application.keystore" relative-to="jboss.server.config.dir" keystore-password="password" alias="server" key-password="password" generate-self-signed-certificate-host="localhost"/>
                     </ssl>
                 </server-identities>
-                <authentication>
-                    <local default-user="$local" allowed-users="*" skip-group-loading="true"/>
-                    <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
-                </authentication>
-                <authorization>
-                    <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
-                </authorization>
             </security-realm>
         </security-realms>
         <audit-log>
@@ -46,8 +31,8 @@
             </logger>
         </audit-log>
         <management-interfaces>
-            <http-interface security-realm="ManagementRealm">
-                <http-upgrade enabled="true" />
+            <http-interface http-authentication-factory="management-http-authentication">
+                <http-upgrade enabled="true" sasl-authentication-factory="management-sasl-authentication"/>
                 <socket-binding http="management-http"/>
             </http-interface>
         </management-interfaces>

feature-pack/src/main/resources/modules/system/layers/base/org/jboss/as/security-api/main/module.xml

@@ -38,5 +38,6 @@
         <module name="org.jboss.as.core-security"/>
         <module name="org.jboss.as.security"/>
         <module name="org.jboss.remoting"/>        
+        <module name="org.wildfly.security.elytron"/>
     </dependencies>
 </module>

feature-pack/src/main/resources/modules/system/layers/base/org/jboss/ejb-client/main/module.xml

@@ -35,6 +35,7 @@
         <module name="org.jboss.logging"/>
         <module name="org.jboss.marshalling"/>
         <module name="org.jboss.marshalling.river"/>
+        <module name="org.wildfly.security.elytron"/>
         <module name="javax.transaction.api"/>
 
         <!-- TODO WFLY-5966 validate the need for these and remove if not needed.

legacy/web/src/test/java/org/jboss/as/web/test/WebMigrateTestCase.java

@@ -53,6 +53,7 @@
 import org.jboss.as.controller.SimpleOperationDefinitionBuilder;
 import org.jboss.as.controller.SimpleResourceDefinition;
 import org.jboss.as.controller.access.management.DelegatingConfigurableAuthorizer;
+import org.jboss.as.controller.access.management.ManagementSecurityIdentitySupplier;
 import org.jboss.as.controller.capability.registry.RuntimeCapabilityRegistry;
 import org.jboss.as.controller.descriptions.StandardResourceDescriptionResolver;
 import org.jboss.as.controller.descriptions.common.ControllerResolver;
@@ -66,6 +67,7 @@
 import org.jboss.as.network.SocketBinding;
 import org.jboss.as.subsystem.test.AbstractSubsystemTest;
 import org.jboss.as.subsystem.test.AdditionalInitialization;
+import org.jboss.as.subsystem.test.ControllerInitializer;
 import org.jboss.as.subsystem.test.KernelServices;
 import org.jboss.as.web.WebExtension;
 import org.jboss.dmr.ModelNode;
@@ -282,7 +284,8 @@ public void execute(OperationContext context, ModelNode operation) throws Operat
                     }
                 }
             }, null));
-            rootRegistration.registerSubModel(CoreManagementResourceDefinition.forStandaloneServer(new DelegatingConfigurableAuthorizer(), null, null, new EnvironmentNameReader() {
+            rootRegistration.registerSubModel(CoreManagementResourceDefinition.forStandaloneServer(new DelegatingConfigurableAuthorizer(), new ManagementSecurityIdentitySupplier(),
+                    null, null, new EnvironmentNameReader() {
                 public boolean isServer() {
                     return true;
                 }
@@ -321,5 +324,10 @@ protected ProcessType getProcessType() {
             return ProcessType.SELF_CONTAINED;
         }
 
+        @Override
+        protected void setupController(ControllerInitializer controllerInitializer) {
+            controllerInitializer.addPath("jboss.controller.temp.dir", System.getProperty("java.io.tmpdir"), null);
+        }
+
     }
 }

naming/src/main/java/org/jboss/as/naming/NamingContext.java

@@ -462,7 +462,11 @@ public NameParser getNameParser(String name) throws NamingException {
     /** {@inheritDoc} */
     public Name composeName(Name name, Name prefix) throws NamingException {
         final Name result = (Name) prefix.clone();
-        result.addAll(name);
+        if (name instanceof CompositeName) {
+            result.addAll(name);
+        } else {
+            result.addAll(new CompositeName(name.toString()));
+        }
         return result;
     }
 
@@ -585,7 +589,11 @@ private void check(Name name, int actions) throws NamingException {
                     absoluteName.addAll(name.getSuffix(1));
                 } else {
                     absoluteName.addAll(prefix);
-                    absoluteName.addAll(name);
+                    if(name instanceof CompositeName) {
+                        absoluteName.addAll(name);
+                    } else {
+                        absoluteName.addAll(new CompositeName(name.toString()));
+                    }
                 }
             }
             sm.checkPermission(new JndiPermission(absoluteName.toString(), actions));