[WFLY-17991] / [WFLY-17976] ee-security should depend on elytron and ensure the JACC policy is enabled by default.

docs/src/main/asciidoc/_elytron/Elytron_and_Jakarta_Authorization.adoc

@@ -11,33 +11,20 @@ endif::[]
 
 [abstract]
 
-This document will guide you on how to enable JACC using Elytron
-Subsystem.
+This document will guide you on how to enable JACC for your deployments
+using the default policy defined in the Elytron subsystem.
 
 [[defining-a-jacc-policy-provider]]
 == Defining a JACC Policy Provider
 
 Elytron subsystem provides a built-in policy provider based on JACC
-specification. To create the policy provider you can execute a CLI
-command as follows:
-
-[source,options="nowrap"]
-----
-[standalone@localhost:9990 /] /subsystem=elytron/policy=jacc:add(jacc-policy={})
-----
-
-After executing the command above, please reload the server
-configuration as follows:
-
-[source,options="nowrap"]
-----
-[standalone@localhost:9990 /] reload
-----
+specification. This policy provider is active by default in the 
+default configuration.
 
 [[enabling-jacc-to-a-web-deployment]]
 == Enabling JACC to a Web Deployment
 
-Once JACC Policy Provider is defined you can enable JACC to web
+You can enable JACC to web
 deployments by executing the following command:
 
 [source,options="nowrap"]
@@ -58,8 +45,7 @@ can execute a command as follows:
 [[enabling-jacc-to-a-ejb-deployment]]
 == Enabling JACC to a EJB Deployment
 
-Once JACC Policy Provider is defined you can enable JACC to EJB
-deployments by executing the following command:
+You can enable JACC to EJB deployments by executing the following command:
 
 [source,options="nowrap"]
 ----

docs/src/main/asciidoc/_galleon/Galleon_layers.adoc

@@ -191,6 +191,7 @@ link:#gal.naming[naming] +
 |Support for EE Security.
 |
 link:#gal.cdi[cdi] +
+link:#gal.elytron[elytron] +
 
 |[[gal.ejb-http-invoker]]ejb-http-invoker
 |Support for invoking Jakarta Enterprise Beans over HTTP.
@@ -386,7 +387,6 @@ link:#gal.microprofile-config[microprofile-config] +
 |Support for MicroProfile JWT.
 |
 link:#gal.ee-security[ee-security] +
-link:#gal.elytron[elytron] +
 link:#gal.microprofile-config[microprofile-config] +
 
 |[[gal.microprofile-openapi]]microprofile-openapi

ee-feature-pack/galleon-common/src/main/resources/feature_groups/jacc-policy.xml

@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<feature-group-spec name="jacc-policy" xmlns="urn:jboss:galleon:feature-group:1.0">
+
+    <feature spec="subsystem.elytron">
+        <feature spec="subsystem.elytron.policy">
+            <param name="policy" value="jacc" />
+            <param name="jacc-policy" value="{}" />
+        </feature>
+    </feature>
+
+</feature-group-spec>

ee-feature-pack/galleon-common/src/main/resources/feature_groups/unsecured-basic-profile.xml

@@ -29,6 +29,7 @@
     <feature-group name="transactions"/>
     <feature-group name="datasources"/>
     <feature spec="subsystem.ee-security"/>
+    <feature-group name="jacc-policy" />
     <feature-group name="ejb3"/>
     <feature spec="subsystem.resource-adapters"/>
     <feature-group name="jca"/>

ee-feature-pack/galleon-common/src/main/resources/layers/standalone/ee-security/layer-spec.xml

@@ -2,6 +2,8 @@
 <layer-spec xmlns="urn:jboss:galleon:layer-spec:1.0" name="ee-security">
      <dependencies>
         <layer name="cdi"/>
+        <layer name="elytron"/>
      </dependencies>
+    <feature-group name="jacc-policy"/>
     <feature spec="subsystem.ee-security"/>
 </layer-spec>

microprofile/galleon-common/src/main/resources/layers/standalone/microprofile-jwt/layer-spec.xml

@@ -2,7 +2,6 @@
 <layer-spec xmlns="urn:jboss:galleon:layer-spec:1.0" name="microprofile-jwt">
     <dependencies>
         <layer name="ee-security"/>
-        <layer name="elytron"/>
         <layer name="microprofile-config"/>
     </dependencies>
     <feature spec="subsystem.microprofile-jwt-smallrye"/>

testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/security/jacc/context/PolicyContextTestCase.java

@@ -33,13 +33,7 @@
 import org.jboss.arquillian.container.test.api.RunAsClient;
 import org.jboss.arquillian.junit.Arquillian;
 import org.jboss.arquillian.test.api.ArquillianResource;
-import org.jboss.as.arquillian.api.ServerSetup;
-import org.jboss.as.arquillian.container.ManagementClient;
-import org.jboss.as.controller.client.helpers.Operations;
 import org.jboss.as.test.integration.common.HttpRequest;
-import org.jboss.as.test.shared.ServerReload;
-import org.jboss.as.test.shared.SnapshotRestoreSetupTask;
-import org.jboss.dmr.ModelNode;
 import org.jboss.logging.Logger;
 import org.jboss.shrinkwrap.api.ShrinkWrap;
 import org.jboss.shrinkwrap.api.spec.EnterpriseArchive;
@@ -50,7 +44,6 @@
 
 @RunWith(Arquillian.class)
 @RunAsClient
-@ServerSetup(PolicyContextTestCase.EnableJakartaAuthorizationTask.class)
 public class PolicyContextTestCase {
 
     private static Logger LOGGER = Logger.getLogger(PolicyContextTestCase.class);
@@ -93,20 +86,4 @@ private static WebArchive createWar(final String warName) {
         return war;
     }
 
-    static class EnableJakartaAuthorizationTask extends SnapshotRestoreSetupTask {
-
-        @Override
-        protected void doSetup(ManagementClient client, String containerId) throws Exception {
-            ModelNode addOperation = Operations.createAddOperation(Operations.createAddress("subsystem", "elytron", "policy", "jacc"));
-            addOperation.get("jacc-policy").set(new ModelNode().setEmptyObject());
-
-            final ModelNode result = client.getControllerClient().execute(addOperation);
-            if (!Operations.isSuccessfulOutcome(result)) {
-                throw new RuntimeException("Failed to activate Jakarta Authorization: " + Operations.getFailureDescription(result).asString());
-            }
-            // Reload.
-            ServerReload.executeReloadAndWaitForCompletion(client);
-        }
-
-    }
 }

testsuite/integration/clustering/src/test/java/org/jboss/as/test/clustering/cluster/web/authentication/CustomAuthenticationWebFailoverTestCase.java

@@ -207,15 +207,9 @@ static class ServerSetup extends ManagementServerSetupTask {
             super(NODE_1_2, createContainerConfigurationBuilder()
                     .setupScript(createScriptBuilder()
                             .startBatch()
-                            .add("/subsystem=elytron/policy=jacc:add(jacc-policy={})")
                             .add("/subsystem=undertow/application-security-domain=%s:write-attribute(name=integrated-jaspi, value=false)", SECURITY_DOMAIN_NAME)
                             .endBatch()
                             .build())
-                    .tearDownScript(createScriptBuilder()
-                            .startBatch()
-                            .add("/subsystem=elytron/policy=jacc:remove")
-                            .endBatch()
-                            .build())
                     .build());
         }
     }

testsuite/integration/elytron/src/test/java/org/wildfly/test/integration/elytron/securityapi/EESecurityAuthMechanismMultiConstraintsTestCase.java

@@ -161,15 +161,10 @@ static class ServerSetup extends AbstractElytronSetupTask {
 
         @Override
         protected ConfigurableElement[] getConfigurableElements() {
-            ConfigurableElement[] elements = new ConfigurableElement[2];
-            // 1 - Add empty JACC Policy
-            elements[0] = Policy.builder()
-                    .withName("jacc")
-                    .withJaccPolicy()
-                    .build();
+            ConfigurableElement[] elements = new ConfigurableElement[1];
 
-            // 2 - Map the application-security-domain
-            elements[1] = UndertowApplicationSecurityDomain.builder()
+            // 1 - Map the application-security-domain
+            elements[0] = UndertowApplicationSecurityDomain.builder()
                     .withName("SecurityAPI")
                     .withSecurityDomain("ApplicationDomain")
                     .withIntegratedJaspi(false)

testsuite/integration/elytron/src/test/java/org/wildfly/test/integration/elytron/securityapi/EESecurityInjectionEnabledElytronTestCase.java

@@ -104,18 +104,12 @@ static class ServerSetup extends EESecurityInjectionEnabledAbstractTestCase.Serv
 
         @Override
         protected ConfigurableElement[] getConfigurableElements() {
-            ConfigurableElement[] elements =  new ConfigurableElement[7];
+            ConfigurableElement[] elements =  new ConfigurableElement[6];
             // Add module with custom principal and principal transformer
             elements[0] = module;
 
-            // Add empty JACC policy
-            elements[1] = Policy.builder()
-                    .withName("jacc")
-                    .withJaccPolicy()
-                    .build();
-
             // Create filesystem security realm with one identity
-            elements[2] = FileSystemRealm.builder()
+            elements[1] = FileSystemRealm.builder()
                     .withName(TEST_REALM)
                     .withUser(UserWithAttributeValues.builder()
                             .withName("user1")
@@ -125,14 +119,14 @@ protected ConfigurableElement[] getConfigurableElements() {
                     .build();
 
             // Add custom pre-realm principal transformer to create custom principal
-            elements[3] = CustomPrincipalTransformer.builder()
+            elements[2] = CustomPrincipalTransformer.builder()
                     .withName(TEST_CUSTOM_PRINCIPAL_TRANSFORMER)
                     .withModule(MODULE_NAME)
                     .withClassName(TestCustomPrincipalTransformer.class.getCanonicalName())
                     .build();
 
             // Create security domain using security realm and principal transformer
-            elements[4] = SimpleSecurityDomain.builder()
+            elements[3] = SimpleSecurityDomain.builder()
                     .withName(TEST_SECURITY_DOMAIN)
                     .withRealms(SimpleSecurityDomain.SecurityDomainRealm.builder()
                             .withRealm(TEST_REALM)
@@ -142,7 +136,7 @@ protected ConfigurableElement[] getConfigurableElements() {
                     .build();
 
             // Create HTTP authentication factory
-            elements[5] = SimpleHttpAuthenticationFactory.builder()
+            elements[4] = SimpleHttpAuthenticationFactory.builder()
                     .withName(TEST_HTTP_FACTORY)
                     .withHttpServerMechanismFactory("global")
                     .withSecurityDomain(TEST_SECURITY_DOMAIN)
@@ -156,7 +150,7 @@ protected ConfigurableElement[] getConfigurableElements() {
                     .build();
 
             // Add HTTP authentication factory to Undertow configuration
-            elements[6] = UndertowApplicationSecurityDomain.builder()
+            elements[5] = UndertowApplicationSecurityDomain.builder()
                     .withName(TEST_APP_DOMAIN)
                     .httpAuthenticationFactory(TEST_HTTP_FACTORY)
                     .withEnableJacc(true)

testsuite/integration/elytron/src/test/java/org/wildfly/test/integration/elytron/securityapi/EESecurityInjectionEnabledJakartaTestCase.java

@@ -120,24 +120,18 @@ static class ServerSetup extends EESecurityInjectionEnabledAbstractTestCase.Serv
 
         @Override
         protected ConfigurableElement[] getConfigurableElements() {
-            ConfigurableElement[] elements  = new ConfigurableElement[4];
+            ConfigurableElement[] elements  = new ConfigurableElement[3];
             // Add module with custom principal and principal transformer
             elements[0] = module;
 
-            // Add empty JACC policy
-            elements[1] = Policy.builder()
-                    .withName("jacc")
-                    .withJaccPolicy()
-                    .build();
-
             // Create security domain with default permission mapper
-            elements[2] = SimpleSecurityDomain.builder()
+            elements[1] = SimpleSecurityDomain.builder()
                     .withName(TEST_SECURITY_DOMAIN)
                     .withPermissionMapper(DEFAULT_PERMISSION_MAPPER)
                     .build();
 
             // Add security domain to Undertow configuration
-            elements[3] = UndertowApplicationSecurityDomain.builder()
+            elements[2] = UndertowApplicationSecurityDomain.builder()
                     .withName(TEST_APP_DOMAIN)
                     .withSecurityDomain(TEST_SECURITY_DOMAIN)
                     .withIntegratedJaspi(false)

testsuite/integration/elytron/src/test/java/org/wildfly/test/integration/elytron/securityapi/SecurityAPITestCase.java

@@ -179,15 +179,10 @@ static class ServerSetup extends AbstractElytronSetupTask {
 
         @Override
         protected ConfigurableElement[] getConfigurableElements() {
-            ConfigurableElement[] elements = new ConfigurableElement[2];
-            // 1 - Add empty JACC Policy
-            elements[0] = Policy.builder()
-                    .withName("jacc")
-                    .withJaccPolicy()
-                    .build();
+            ConfigurableElement[] elements = new ConfigurableElement[1];
 
-            // 2 - Map the application-security-domain
-            elements[1] = UndertowApplicationSecurityDomain.builder()
+            // 1 - Map the application-security-domain
+            elements[0] = UndertowApplicationSecurityDomain.builder()
                     .withName("SecurityAPI")
                     .withSecurityDomain("ApplicationDomain")
                     .withIntegratedJaspi(false)