Initial setup and Payara API example for JACC per web module

Author: arjantijms

.gitignore

@@ -0,0 +1,95 @@
+# Directories #
+build/
+bin/
+target/
+libs/
+tmp/
+node_modules/
+ 
+# OS Files #
+.DS_Store
+ 
+*.class
+ 
+# Package Files #
+*.jar
+*.war
+*.ear
+*.db
+rebel.xml
+
+######################
+# Windows
+######################
+ 
+# Windows image file caches
+Thumbs.db 
+ 
+# Folder config file
+Desktop.ini
+ 
+######################
+# OSX
+######################
+ 
+.DS_Store
+.svn
+ 
+# Thumbnails
+._*
+ 
+# Files that might appear on external disk
+.Spotlight-V100
+.Trashes
+
+######################
+# NetBeans
+######################
+nbproject/
+build/
+nbbuild/
+dist/
+nbdist/
+nbactions.xml
+nb-configuration.xml
+ 
+######################
+# IDEA
+######################
+*.iml
+*.ipr
+*.iws
+.idea/
+atlassian-ide-plugin.xml
+
+ 
+######################
+# Eclipse
+######################
+ 
+*.pydevproject
+.project
+.metadata
+*.tmp
+*.bak
+*.swp
+*~.nib
+local.properties
+.classpath
+.settings/
+.loadpath
+
+# External tool builders
+.externalToolBuilders/
+ 
+# Locally stored "Eclipse launch configurations"
+*.launch
+ 
+# CDT-specific
+.cproject
+ 
+# PDT-specific
+.buildpath
+
+# Testing environment specific
+derby.log

README.md

@@ -1,2 +1,3 @@
 # vendoree-samples
-Samples for EE related/additional functionality that's specific for a vendor (such as JBoss, Payara, etc)
+
+Samples for EE related/additional functionality that's specific to a vendor (such as JBoss, Payara, etc)

payara/jacc-per-app/pom.xml

@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+ <modelVersion>4.0.0</modelVersion>
+
+ <parent>
+ <groupId>org.vendoree</groupId>
+ <artifactId>payara</artifactId>
+ <version>1.0-SNAPSHOT</version>
+ </parent>
+
+ <artifactId>jacc-per-app</artifactId>
+ <packaging>war</packaging>
+ <name>Vendor EE: Payara - Jacc Providers per Application</name>
+
+ <dependencies>
+ <dependency>
+ <groupId>org.omnifaces</groupId>
+ <artifactId>jacc-provider</artifactId>
+ <version>0.1</version>
+ </dependency>
+
+ <dependency>
+ <groupId>fish.payara.api</groupId>
+ <artifactId>payara-api</artifactId>
+ <version>5.182-SNAPSHOT</version>
+ </dependency>
+ </dependencies>
+
+</project>

payara/jacc-per-app/src/main/java/org/vendoree/payara/jaccperapp/JaccInstaller.java

@@ -0,0 +1,37 @@
+/** Copyright Payara Services Limited **/
+
+package org.vendoree.payara.jaccperapp;
+
+import javax.servlet.ServletContext;
+import javax.servlet.ServletContextEvent;
+import javax.servlet.ServletContextListener;
+import javax.servlet.annotation.WebListener;
+
+import org.omnifaces.jaccprovider.TestPolicyConfigurationFactory;
+
+import fish.payara.jacc.JaccConfigurationFactory;
+
+/**
+ * The core of this sample; installing our own JACC Policy for the current web application.
+ *
+ * @author Arjan Tijms
+ *
+ */
+@WebListener
+public class JaccInstaller implements ServletContextListener {
+
+ @Override
+ public void contextInitialized(ServletContextEvent sce) {
+
+ JaccConfigurationFactory.getJaccConfigurationFactory().registerContextProvider(
+ getAppContextId(sce.getServletContext()),
+ new TestPolicyConfigurationFactory(),
+ new LoggingTestPolicy());
+
+ }
+
+ private String getAppContextId(ServletContext servletContext) {
+ return servletContext.getVirtualServerName() + " " + servletContext.getContextPath();
+ }
+
+}

payara/jacc-per-app/src/main/java/org/vendoree/payara/jaccperapp/LoggingTestPolicy.java

@@ -0,0 +1,42 @@
+/** Copyright Payara Services Limited **/
+
+package org.vendoree.payara.jaccperapp;
+
+import java.security.Permission;
+import java.security.ProtectionDomain;
+import java.util.concurrent.ConcurrentLinkedQueue;
+
+import javax.security.jacc.WebResourcePermission;
+import javax.security.jacc.WebRoleRefPermission;
+import javax.security.jacc.WebUserDataPermission;
+
+import org.omnifaces.jaccprovider.TestPolicy;
+
+/**
+ * Test policy used for easy testing that the policy is indeed used.
+ *
+ * <p>
+ * This inherits from {@link TestPolicy}, which comes from an external dependency, and is a standalone JACC policy
+ * used for testing as well. It implements the default Servlet authorization rules and is compatible with various
+ * application servers.
+ *
+ * @author Arjan Tijms
+ *
+ */
+public class LoggingTestPolicy extends TestPolicy {
+
+ public static final ConcurrentLinkedQueue<Permission> loggedPermissions = new ConcurrentLinkedQueue<>();
+
+ @Override
+ public boolean implies(ProtectionDomain domain, Permission permission) {
+
+ if (permission instanceof WebResourcePermission || permission instanceof WebRoleRefPermission || permission instanceof WebUserDataPermission) {
+ // Only for test! Don't log like this in an actual application!
+ loggedPermissions.add(permission);
+ System.out.println(permission);
+ }
+
+ return super.implies(domain, permission);
+ }
+
+}

payara/jacc-per-app/src/main/java/org/vendoree/payara/jaccperapp/ProtectedServlet.java

@@ -0,0 +1,59 @@
+/** Copyright Payara Services Limited **/
+
+package org.vendoree.payara.jaccperapp;
+
+import java.io.IOException;
+import java.security.Permission;
+
+import javax.annotation.security.DeclareRoles;
+import javax.servlet.ServletException;
+import javax.servlet.annotation.HttpConstraint;
+import javax.servlet.annotation.ServletSecurity;
+import javax.servlet.annotation.WebServlet;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+/**
+ * Protected test Servlet printinhg out authentication details and the permissions
+ * logged by our special test JACC Policy; {@link LoggingTestPolicy}.
+ *
+ * <p>
+ * If the Servlet is accessible and the permission are logged, it's proof that the JACC provider
+ * we set in {@link JaccInstaller} is used and works.
+ *
+ * @author Arjan Tijms
+ */
+@DeclareRoles({ "a", "b", "c" })
+@WebServlet("/protected/servlet")
+@ServletSecurity(@HttpConstraint(rolesAllowed = "a"))
+public class ProtectedServlet extends HttpServlet {
+
+ private static final long serialVersionUID = 1L;
+
+ @Override
+ public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+
+ response.getWriter().write("This is a protected servlet \n");
+
+ String webName = null;
+ if (request.getUserPrincipal() != null) {
+ webName = request.getUserPrincipal().getName();
+ }
+
+ response.getWriter().write("web username: " + webName + "\n");
+
+ response.getWriter().write("web user has role \"a\": " + request.isUserInRole("a") + "\n");
+ response.getWriter().write("web user has role \"b\": " + request.isUserInRole("b") + "\n");
+ response.getWriter().write("web user has role \"c\": " + request.isUserInRole("c") + "\n");
+
+ response.getWriter().write("\nLogged permissions: \n");
+
+ for (Permission permission : LoggingTestPolicy.loggedPermissions) {
+ response.getWriter().write(permission + "\n");
+ }
+
+ LoggingTestPolicy.loggedPermissions.clear();
+ }
+
+}

payara/jacc-per-app/src/main/java/org/vendoree/payara/jaccperapp/TestAuthenticationMechanism.java

@@ -0,0 +1,54 @@
+/** Copyright Payara Services Limited **/
+
+package org.vendoree.payara.jaccperapp;
+
+import static javax.security.enterprise.identitystore.CredentialValidationResult.Status.VALID;
+
+import javax.enterprise.context.ApplicationScoped;
+import javax.inject.Inject;
+import javax.security.enterprise.AuthenticationException;
+import javax.security.enterprise.AuthenticationStatus;
+import javax.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism;
+import javax.security.enterprise.authentication.mechanism.http.HttpMessageContext;
+import javax.security.enterprise.credential.UsernamePasswordCredential;
+import javax.security.enterprise.identitystore.CredentialValidationResult;
+import javax.security.enterprise.identitystore.IdentityStoreHandler;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+
+/**
+ * Test authentication mechanism for authenticating with <code>name</code> and <code>password</code>
+ * request parameters. This only makes sense for testing.
+ *
+ * @author Arjan Tijms
+ *
+ */
+@ApplicationScoped
+public class TestAuthenticationMechanism implements HttpAuthenticationMechanism {
+
+ @Inject
+ private IdentityStoreHandler identityStoreHandler;
+
+ @Override
+ public AuthenticationStatus validateRequest(HttpServletRequest request, HttpServletResponse response, HttpMessageContext httpMessageContext) throws AuthenticationException {
+
+ if (request.getParameter("name") != null && request.getParameter("password") != null) {
+
+ CredentialValidationResult result = identityStoreHandler.validate(
+ new UsernamePasswordCredential(
+ request.getParameter("name"),
+ request.getParameter("password")));
+
+ if (result.getStatus() == VALID) {
+ return httpMessageContext.notifyContainerAboutLogin(
+ result.getCallerPrincipal(), result.getCallerGroups());
+ }
+
+ return httpMessageContext.responseUnauthorized();
+ }
+
+ return httpMessageContext.doNothing();
+ }
+
+}

payara/jacc-per-app/src/main/java/org/vendoree/payara/jaccperapp/TestIdentityStore.java

@@ -0,0 +1,32 @@
+/** Copyright Payara Services Limited **/
+
+package org.vendoree.payara.jaccperapp;
+
+import static java.util.Arrays.asList;
+import static javax.security.enterprise.identitystore.CredentialValidationResult.INVALID_RESULT;
+
+import java.util.HashSet;
+
+import javax.enterprise.context.ApplicationScoped;
+import javax.security.enterprise.credential.UsernamePasswordCredential;
+import javax.security.enterprise.identitystore.CredentialValidationResult;
+import javax.security.enterprise.identitystore.IdentityStore;
+
+/**
+ * Test identity store that just provides a build-in user with name/password test/secret and roles a and b.
+ *
+ * @author Arjan Tijms
+ */
+@ApplicationScoped
+public class TestIdentityStore implements IdentityStore {
+
+ public CredentialValidationResult validate(UsernamePasswordCredential usernamePasswordCredential) {
+
+ if (usernamePasswordCredential.compareTo("test", "secret")) {
+ return new CredentialValidationResult("test", new HashSet<>(asList("a", "b")));
+ }
+
+ return INVALID_RESULT;
+ }
+
+}