From 9852f5e0577bc800d6d0864851420eed23aba4ec Mon Sep 17 00:00:00 2001 
From: Jared Anderson Date: Tue, 19 Nov 2024 09:51:52 -0600 Subject: [PATCH] Restructure and update Jakarta authorization code - Update to have interfaces in EJB and Web bundles so that can reference actual classes instead of using Object - Move JaccService function to the corresponding EJB and Web projects to keep the methods with their appropriate container function - Update to add PrincipalMapper to PolicyContextHandlerImpl in preparation of adding PrincipalMapper implementation - Update to use instance methods instead of static methods in PolicyConfigurationManager - Inline most of the Validator and Propagator function into the EJB and Web classes except for EJB propagator which is used by both EJB function and base Jacc function --- dev/com.ibm.ws.ejbcontainer.security/bnd.bnd | 11 +- .../internal/EJBSecurityCollaboratorImpl.java | 38 +- .../jacc/EJBJaccAuthorizationHelper.java | 10 +- .../security/jacc/EJBJaccService.java | 86 ++ .../security/jacc}/package-info.java | 12 +- .../jacc/EJBJaccAuthorizationHelperTest.java | 22 +- .../bnd.bnd | 7 +- .../jacc/ejb/impl/EJBJaccServiceImpl.java | 288 ++++++ .../ejb/impl/EJBSecurityPropagatorImpl.java | 23 +- .../ejb/impl/EJBSecurityValidatorImpl.java | 173 ---- .../jacc/ejb/impl/EJBServiceImpl.java | 59 -- .../jacc/ejb/impl}/JaccUtil.java | 14 +- .../jacc/ejb/impl/EJBJaccServiceImplTest.java | 480 +++++++++ ...a => EJBJaccServiceImplWithTraceTest.java} | 10 +- .../impl/EJBSecurityPropagatorImplTest.java | 31 +- .../impl/EJBSecurityValidatorImplTest.java | 223 ---- .../jacc/ejb/impl/EJBServiceImplTest.java | 93 -- .../jacc/ejb/impl}/JaccUtilTest.java | 6 +- .../jacc/ejb/impl}/JaccUtilWithTraceTest.java | 6 +- .../jacc/internal/DummyPolicy.java | 39 + .../DummyPolicyConfigurationFactory.java | 44 + .../jacc/internal/JaccServiceTestUtil.java | 48 + .../jacc/internal/proxy/ProxyTestUtil.java | 35 + .../bnd.bnd | 10 +- .../jacc/web/impl/ServletServiceImpl.java | 63 -- ...gatorImpl.java => WebJaccServiceImpl.java} | 282 
++++- .../web/impl/WebSecurityValidatorImpl.java | 153 --- .../jacc/internal/DummyPolicy.java | 39 + .../DummyPolicyConfigurationFactory.java | 44 + .../jacc/internal/JaccServiceTestUtil.java | 48 + .../jacc/web/impl/ServletServiceImplTest.java | 93 -- .../jacc/web/impl/WebJaccServiceImplTest.java | 395 +++++++ ...a => WebJaccServiceImplWithTraceTest.java} | 9 +- .../impl/WebSecurityPropagatorImplTest.java | 349 ------- ...ebSecurityPropagatorImplWithTraceTest.java | 35 - .../impl/WebSecurityValidatorImplTest.java | 141 --- .../jacc/internal/proxy/ProxyTestUtil.java | 35 + .../bnd.bnd | 7 +- .../original.bnd | 7 +- .../authorization/jacc/JaccService.java | 35 + .../authorization/jacc/MethodInfo.java | 0 .../jacc/PolicyConfigurationManager.java | 34 + .../security/authorization/jacc/RoleInfo.java | 0 ...va => PolicyConfigurationManagerImpl.java} | 64 +- .../jacc/common/PolicyContextHandlerImpl.java | 75 +- .../jacc/ejb/EJBSecurityPropagator.java | 10 +- .../jacc/ejb/EJBSecurityValidator.java | 29 - .../authorization/jacc/ejb/EJBService.java | 26 - .../jacc/internal/JaccServiceImpl.java | 301 +----- .../authorization/jacc/package-info.java | 0 .../jacc/web/ServletService.java | 26 - .../jacc/web/WebSecurityPropagator.java | 28 - .../jacc/web/WebSecurityValidator.java | 32 - .../authorization/jacc/MethodInfoTest.java | 0 .../authorization/jacc/RoleInfoTest.java | 0 .../PolicyConfigurationManagerTest.java | 44 +- .../jacc/internal/JaccServiceImplTest.java | 960 +----------------- .../transformed.bnd | 7 +- .../.classpath | 1 - dev/com.ibm.ws.security.authorization/bnd.bnd | 5 +- .../authorization/jacc/JaccService.java | 177 ---- .../bnd.bnd | 20 +- .../security/MetaDataListenerImpl.java | 27 +- .../security/ServletStartedListener.java | 60 +- .../WebAppSecurityCollaboratorImpl.java | 23 +- .../webcontainer/security/WebJaccService.java | 102 ++ .../jacc/WebAppJaccAuthorizationHelper.java | 10 +- .../security/MetaDataListenerImplTest.java | 45 +- 
.../security/ServletStartedListenerTest.java | 17 +- .../WebAppJaccAuthorizationHelperTest.java | 32 +- 70 files changed, 2368 insertions(+), 3290 deletions(-) create mode 100644 dev/com.ibm.ws.ejbcontainer.security/src/com/ibm/ws/ejbcontainer/security/jacc/EJBJaccService.java rename dev/{com.ibm.ws.security.authorization.jacc/src/com/ibm/ws/security/authorization/jacc/web => com.ibm.ws.ejbcontainer.security/src/com/ibm/ws/ejbcontainer/security/jacc}/package-info.java (61%) create mode 100644 dev/com.ibm.ws.security.authorization.jacc.ejb/src/com/ibm/ws/security/authorization/jacc/ejb/impl/EJBJaccServiceImpl.java delete mode 100644 dev/com.ibm.ws.security.authorization.jacc.ejb/src/com/ibm/ws/security/authorization/jacc/ejb/impl/EJBSecurityValidatorImpl.java delete mode 100644 dev/com.ibm.ws.security.authorization.jacc.ejb/src/com/ibm/ws/security/authorization/jacc/ejb/impl/EJBServiceImpl.java rename dev/{com.ibm.ws.ejbcontainer.security/src/com/ibm/ws/ejbcontainer/security/internal/jacc => com.ibm.ws.security.authorization.jacc.ejb/src/com/ibm/ws/security/authorization/jacc/ejb/impl}/JaccUtil.java (94%) create mode 100644 dev/com.ibm.ws.security.authorization.jacc.ejb/test/com/ibm/ws/security/authorization/jacc/ejb/impl/EJBJaccServiceImplTest.java rename dev/com.ibm.ws.security.authorization.jacc.ejb/test/com/ibm/ws/security/authorization/jacc/ejb/impl/{EJBSecurityValidatorImplWithTraceTest.java => EJBJaccServiceImplWithTraceTest.java} (80%) mode change 100755 => 100644 delete mode 100755 dev/com.ibm.ws.security.authorization.jacc.ejb/test/com/ibm/ws/security/authorization/jacc/ejb/impl/EJBSecurityValidatorImplTest.java delete mode 100755 dev/com.ibm.ws.security.authorization.jacc.ejb/test/com/ibm/ws/security/authorization/jacc/ejb/impl/EJBServiceImplTest.java rename dev/{com.ibm.ws.ejbcontainer.security/test/com/ibm/ws/ejbcontainer/security/internal/jacc => 
com.ibm.ws.security.authorization.jacc.ejb/test/com/ibm/ws/security/authorization/jacc/ejb/impl}/JaccUtilTest.java (99%) rename dev/{com.ibm.ws.ejbcontainer.security/test/com/ibm/ws/ejbcontainer/security/internal/jacc => com.ibm.ws.security.authorization.jacc.ejb/test/com/ibm/ws/security/authorization/jacc/ejb/impl}/JaccUtilWithTraceTest.java (89%) create mode 100644 dev/com.ibm.ws.security.authorization.jacc.ejb/test/com/ibm/ws/security/authorization/jacc/internal/DummyPolicy.java create mode 100644 dev/com.ibm.ws.security.authorization.jacc.ejb/test/com/ibm/ws/security/authorization/jacc/internal/DummyPolicyConfigurationFactory.java create mode 100644 dev/com.ibm.ws.security.authorization.jacc.ejb/test/com/ibm/ws/security/authorization/jacc/internal/JaccServiceTestUtil.java create mode 100644 dev/com.ibm.ws.security.authorization.jacc.ejb/test/io/openliberty/security/authorization/jacc/internal/proxy/ProxyTestUtil.java delete mode 100644 dev/com.ibm.ws.security.authorization.jacc.web/src/com/ibm/ws/security/authorization/jacc/web/impl/ServletServiceImpl.java rename dev/com.ibm.ws.security.authorization.jacc.web/src/com/ibm/ws/security/authorization/jacc/web/impl/{WebSecurityPropagatorImpl.java => WebJaccServiceImpl.java} (68%) delete mode 100644 dev/com.ibm.ws.security.authorization.jacc.web/src/com/ibm/ws/security/authorization/jacc/web/impl/WebSecurityValidatorImpl.java create mode 100644 dev/com.ibm.ws.security.authorization.jacc.web/test/com/ibm/ws/security/authorization/jacc/internal/DummyPolicy.java create mode 100644 dev/com.ibm.ws.security.authorization.jacc.web/test/com/ibm/ws/security/authorization/jacc/internal/DummyPolicyConfigurationFactory.java create mode 100644 dev/com.ibm.ws.security.authorization.jacc.web/test/com/ibm/ws/security/authorization/jacc/internal/JaccServiceTestUtil.java delete mode 100644 dev/com.ibm.ws.security.authorization.jacc.web/test/com/ibm/ws/security/authorization/jacc/web/impl/ServletServiceImplTest.java create mode 100644 
dev/com.ibm.ws.security.authorization.jacc.web/test/com/ibm/ws/security/authorization/jacc/web/impl/WebJaccServiceImplTest.java rename dev/com.ibm.ws.security.authorization.jacc.web/test/com/ibm/ws/security/authorization/jacc/web/impl/{WebSecurityValidatorImplWithTraceTest.java => WebJaccServiceImplWithTraceTest.java} (81%) delete mode 100644 dev/com.ibm.ws.security.authorization.jacc.web/test/com/ibm/ws/security/authorization/jacc/web/impl/WebSecurityPropagatorImplTest.java delete mode 100644 dev/com.ibm.ws.security.authorization.jacc.web/test/com/ibm/ws/security/authorization/jacc/web/impl/WebSecurityPropagatorImplWithTraceTest.java delete mode 100644 dev/com.ibm.ws.security.authorization.jacc.web/test/com/ibm/ws/security/authorization/jacc/web/impl/WebSecurityValidatorImplTest.java create mode 100644 dev/com.ibm.ws.security.authorization.jacc.web/test/io/openliberty/security/authorization/jacc/internal/proxy/ProxyTestUtil.java create mode 100644 dev/com.ibm.ws.security.authorization.jacc/src/com/ibm/ws/security/authorization/jacc/JaccService.java rename dev/{com.ibm.ws.security.authorization => com.ibm.ws.security.authorization.jacc}/src/com/ibm/ws/security/authorization/jacc/MethodInfo.java (100%) create mode 100644 dev/com.ibm.ws.security.authorization.jacc/src/com/ibm/ws/security/authorization/jacc/PolicyConfigurationManager.java rename dev/{com.ibm.ws.security.authorization => com.ibm.ws.security.authorization.jacc}/src/com/ibm/ws/security/authorization/jacc/RoleInfo.java (100%) rename dev/com.ibm.ws.security.authorization.jacc/src/com/ibm/ws/security/authorization/jacc/common/{PolicyConfigurationManager.java => PolicyConfigurationManagerImpl.java} (77%) delete mode 100644 dev/com.ibm.ws.security.authorization.jacc/src/com/ibm/ws/security/authorization/jacc/ejb/EJBSecurityValidator.java delete mode 100644 dev/com.ibm.ws.security.authorization.jacc/src/com/ibm/ws/security/authorization/jacc/ejb/EJBService.java rename dev/{com.ibm.ws.security.authorization => 
com.ibm.ws.security.authorization.jacc}/src/com/ibm/ws/security/authorization/jacc/package-info.java (100%) delete mode 100644 dev/com.ibm.ws.security.authorization.jacc/src/com/ibm/ws/security/authorization/jacc/web/ServletService.java delete mode 100644 dev/com.ibm.ws.security.authorization.jacc/src/com/ibm/ws/security/authorization/jacc/web/WebSecurityPropagator.java delete mode 100644 dev/com.ibm.ws.security.authorization.jacc/src/com/ibm/ws/security/authorization/jacc/web/WebSecurityValidator.java rename dev/{com.ibm.ws.security.authorization => com.ibm.ws.security.authorization.jacc}/test/com/ibm/ws/security/authorization/jacc/MethodInfoTest.java (100%) rename dev/{com.ibm.ws.security.authorization => com.ibm.ws.security.authorization.jacc}/test/com/ibm/ws/security/authorization/jacc/RoleInfoTest.java (100%) delete mode 100644 dev/com.ibm.ws.security.authorization/src/com/ibm/ws/security/authorization/jacc/JaccService.java create mode 100644 dev/com.ibm.ws.webcontainer.security/src/com/ibm/ws/webcontainer/security/WebJaccService.java diff --git a/dev/com.ibm.ws.ejbcontainer.security/bnd.bnd b/dev/com.ibm.ws.ejbcontainer.security/bnd.bnd index 090c186c5848..73e3db8fe8c4 100644 --- a/dev/com.ibm.ws.ejbcontainer.security/bnd.bnd +++ b/dev/com.ibm.ws.ejbcontainer.security/bnd.bnd @@ -1,5 +1,5 @@ #******************************************************************************* -# Copyright (c) 2017, 2023 IBM Corporation and others. +# Copyright (c) 2017, 2024 IBM Corporation and others. # All rights reserved. This program and the accompanying materials # are made available under the terms of the Eclipse Public License 2.0 # which accompanies this distribution, and is available at @@ -24,6 +24,9 @@ bVersion=1.0 WS-TraceGroup: \ SecurityCollaborator +Export-Package: \ + com.ibm.ws.ejbcontainer.security.jacc + Private-Package: \ com.ibm.ws.ejbcontainer.security.internal.* 
@@ -45,9 +48,9 @@ Service-Component: \ securityReadyService=com.ibm.ws.security.ready.SecurityReadyService; \ unauthenticatedSubjectService=com.ibm.ws.security.authentication.UnauthenticatedSubjectService; \ credentialsService=com.ibm.ws.security.credentials.CredentialsService; \ - jaccService=com.ibm.ws.security.authorization.jacc.JaccService;\ - dynamic:='jaccService'; \ - optional:='jaccService'; \ + eJBJaccService=com.ibm.ws.ejbcontainer.security.jacc.EJBJaccService;\ + dynamic:='eJBJaccService'; \ + optional:='eJBJaccService'; \ properties:="service.vendor=IBM" instrument.classesExcludes: com/ibm/ws/ejbcontainer/security/internal/resources/*.class diff --git a/dev/com.ibm.ws.ejbcontainer.security/src/com/ibm/ws/ejbcontainer/security/internal/EJBSecurityCollaboratorImpl.java b/dev/com.ibm.ws.ejbcontainer.security/src/com/ibm/ws/ejbcontainer/security/internal/EJBSecurityCollaboratorImpl.java index ed866356ae2c..543b0151bea0 100644 --- a/dev/com.ibm.ws.ejbcontainer.security/src/com/ibm/ws/ejbcontainer/security/internal/EJBSecurityCollaboratorImpl.java +++ b/dev/com.ibm.ws.ejbcontainer.security/src/com/ibm/ws/ejbcontainer/security/internal/EJBSecurityCollaboratorImpl.java @@ -1,10 +1,10 @@ /******************************************************************************* - * Copyright (c) 2011, 2023 IBM Corporation and others. + * Copyright (c) 2011, 2024 IBM Corporation and others. * All rights reserved. This program and the accompanying materials * are made available under the terms of the Eclipse Public License 2.0 * which accompanies this distribution, and is available at * http://www.eclipse.org/legal/epl-2.0/ - * + * * SPDX-License-Identifier: EPL-2.0 * * Contributors: 
@@ -51,7 +51,7 @@ import com.ibm.ws.ejbcontainer.EJBRequestData; import com.ibm.ws.ejbcontainer.EJBSecurityCollaborator; import com.ibm.ws.ejbcontainer.security.internal.jacc.EJBJaccAuthorizationHelper; -import com.ibm.ws.ejbcontainer.security.internal.jacc.JaccUtil; +import com.ibm.ws.ejbcontainer.security.jacc.EJBJaccService; import com.ibm.ws.ffdc.annotation.FFDCIgnore; import com.ibm.ws.runtime.metadata.ComponentMetaData; import com.ibm.ws.runtime.metadata.MetaData; @@ -62,7 +62,6 @@ import com.ibm.ws.security.authentication.principals.WSIdentity; import com.ibm.ws.security.authentication.principals.WSPrincipal; import com.ibm.ws.security.authorization.AuthorizationService; -import com.ibm.ws.security.authorization.jacc.JaccService; import com.ibm.ws.security.collaborator.CollaboratorUtils; import com.ibm.ws.security.context.SubjectManager; import com.ibm.ws.security.credentials.CredentialsService; @@ -79,13 +78,13 @@ public class EJBSecurityCollaboratorImpl implements EJBSecurityCollaborator securityServiceRef = new AtomicServiceReference(KEY_SECURITY_SERVICE); private final AtomicServiceReference credServiceRef = new AtomicServiceReference(KEY_CREDENTIAL_SERVICE); private final AtomicServiceReference unauthenticatedSubjectServiceRef = new AtomicServiceReference(KEY_UNAUTHENTICATED_SUBJECT_SERVICE); - private final AtomicServiceReference jaccService = new AtomicServiceReference(KEY_JACC_SERVICE); + private final AtomicServiceReference ejbJaccService = new AtomicServiceReference(KEY_EJB_JACC_SERVICE); protected SubjectManager subjectManager; protected CollaboratorUtils collabUtils; @@ -96,9 +95,9 @@ public class EJBSecurityCollaboratorImpl implements EJBSecurityCollaborator() { @Override 
@@ -156,13 +155,13 @@ protected void unsetUnauthenticatedSubjectService(ServiceReference reference) { - jaccService.setReference(reference); - eah = new EJBJaccAuthorizationHelper(jaccService); + protected void setEJBJaccService(ServiceReference reference) { + ejbJaccService.setReference(reference); + eah = new EJBJaccAuthorizationHelper(ejbJaccService); } - protected void unsetJaccService(ServiceReference reference) { - jaccService.unsetReference(reference); + protected void unsetEJBJaccService(ServiceReference reference) { + ejbJaccService.unsetReference(reference); eah = this; } @@ -170,7 +169,7 @@ protected void activate(ComponentContext cc, Map props) { securityServiceRef.activate(cc); credServiceRef.activate(cc); unauthenticatedSubjectServiceRef.activate(cc); - jaccService.activate(cc); + ejbJaccService.activate(cc); ejbSecConfig = new EJBSecurityConfigImpl(props); } @@ -186,7 +185,7 @@ protected void deactivate(ComponentContext cc) { securityServiceRef.deactivate(cc); credServiceRef.deactivate(cc); unauthenticatedSubjectServiceRef.deactivate(cc); - jaccService.deactivate(cc); + ejbJaccService.deactivate(cc); } /** @@ -237,7 +236,7 @@ public SecurityCookieImpl preInvoke(EJBRequestData request) throws EJBAccessDeni @Override public void postInvoke(EJBRequestData request, SecurityCookieImpl preInvokeResult) throws EJBAccessDeniedException { if (preInvokeResult != null) { - JaccService js = jaccService.getService(); + EJBJaccService js = ejbJaccService.getService(); if (js != null) { js.resetPolicyContextHandlerInfo(); } @@ -726,7 +725,7 @@ private boolean setUnauthenticatedSubjectIfNeeded(Subject invokedSubject, Subjec @Override public boolean areRequestMethodArgumentsRequired() { - JaccService js = jaccService.getService(); + EJBJaccService js = ejbJaccService.getService(); boolean result = false; if (js != null) { result = js.areRequestMethodArgumentsRequired(); 
@@ -741,13 +740,12 @@ public boolean areRequestMethodArgumentsRequired() { */ @Override public void componentMetaDataCreated(MetaDataEvent event) { - JaccService js = jaccService.getService(); + EJBJaccService js = ejbJaccService.getService(); if (js != null) { MetaData metaData = event.getMetaData(); if (metaData instanceof BeanMetaData) { BeanMetaData bmd = (BeanMetaData) metaData; - js.propagateEJBRoles(bmd.j2eeName.getApplication(), bmd.j2eeName.getModule(), bmd.enterpriseBeanName, bmd.ivRoleLinkMap, - JaccUtil.convertMethodInfoList(JaccUtil.mergeMethodInfos(bmd))); + js.propagateEJBRoles(bmd); } } } diff --git a/dev/com.ibm.ws.ejbcontainer.security/src/com/ibm/ws/ejbcontainer/security/internal/jacc/EJBJaccAuthorizationHelper.java b/dev/com.ibm.ws.ejbcontainer.security/src/com/ibm/ws/ejbcontainer/security/internal/jacc/EJBJaccAuthorizationHelper.java index 2808fff364fe..5ecbc7607a50 100644 --- a/dev/com.ibm.ws.ejbcontainer.security/src/com/ibm/ws/ejbcontainer/security/internal/jacc/EJBJaccAuthorizationHelper.java +++ b/dev/com.ibm.ws.ejbcontainer.security/src/com/ibm/ws/ejbcontainer/security/internal/jacc/EJBJaccAuthorizationHelper.java @@ -1,10 +1,10 @@ /******************************************************************************* - * Copyright (c) 2015,2022 IBM Corporation and others. + * Copyright (c) 2015,2024 IBM Corporation and others. * All rights reserved. This program and the accompanying materials * are made available under the terms of the Eclipse Public License 2.0 * which accompanies this distribution, and is available at * http://www.eclipse.org/legal/epl-2.0/ - * + * * SPDX-License-Identifier: EPL-2.0 * * Contributors: 
@@ -33,9 +33,9 @@ import com.ibm.ws.ejbcontainer.security.internal.EJBAccessDeniedException; import com.ibm.ws.ejbcontainer.security.internal.EJBAuthorizationHelper; import com.ibm.ws.ejbcontainer.security.internal.TraceConstants; +import com.ibm.ws.ejbcontainer.security.jacc.EJBJaccService; import com.ibm.ws.security.audit.Audit; import com.ibm.ws.security.authentication.principals.WSPrincipal; -import com.ibm.ws.security.authorization.jacc.JaccService; import com.ibm.wsspi.kernel.service.utils.AtomicServiceReference; /** @@ -44,9 +44,9 @@ public class EJBJaccAuthorizationHelper implements EJBAuthorizationHelper { private static final TraceComponent tc = Tr.register(EJBJaccAuthorizationHelper.class); - private AtomicServiceReference jaccServiceRef = null; + private AtomicServiceReference jaccServiceRef = null; - public EJBJaccAuthorizationHelper(AtomicServiceReference jaccServiceRef) { + public EJBJaccAuthorizationHelper(AtomicServiceReference jaccServiceRef) { this.jaccServiceRef = jaccServiceRef; } diff --git a/dev/com.ibm.ws.ejbcontainer.security/src/com/ibm/ws/ejbcontainer/security/jacc/EJBJaccService.java b/dev/com.ibm.ws.ejbcontainer.security/src/com/ibm/ws/ejbcontainer/security/jacc/EJBJaccService.java new file mode 100644 index 000000000000..1744504a0fc9 --- /dev/null +++ b/dev/com.ibm.ws.ejbcontainer.security/src/com/ibm/ws/ejbcontainer/security/jacc/EJBJaccService.java 
@@ -0,0 +1,86 @@
+/*******************************************************************************
+ * Copyright (c) 2024 IBM Corporation and others.
+ * All rights reserved. This program and the accompanying materials
+ * are made available under the terms of the Eclipse Public License 2.0
+ * which accompanies this distribution, and is available at
+ * http://www.eclipse.org/legal/epl-2.0/
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *******************************************************************************/
+package com.ibm.ws.ejbcontainer.security.jacc;
+
+import java.util.List;
+
+import javax.ejb.EnterpriseBean;
+import javax.security.auth.Subject;
+
+import com.ibm.ejs.container.BeanMetaData;
+
+public interface EJBJaccService {
+
+ /**
+ * Propagates EJB role mapping information to JACC.
+ *
+ * @param bmd Bean meta data
+ */
+ public void propagateEJBRoles(BeanMetaData bmd);
+
+ /**
+ * Validates whether given Subject is granted to access the specified resource.
+ *
+ * @param applicationName Application name
+ * @param moduleName Module name
+ * @param beanName Bean name
+ * @param methodName Method name
+ * @param methodInterface Method interface
+ * @param methodName Method signature
+ * @param methodParameters The list of method parameters. this is optional and null is accepted.
+ * @param bean EnterpriseBean object this is an optional and null is allowed.
+ * @param subject Subject object to be authorized.
+ * @return true if the specified subject is granted to access the specified resource.
+ */
+ public boolean isAuthorized(String applicationName,
+ String moduleName,
+ String beanName,
+ String methodName,
+ String methodInterface,
+ String methodSignature,
+ List methodParameters,
+ EnterpriseBean bean,
+ Subject subject);
+
+ /**
+ * Validates whether given Subject is a member of the specified role
+ *
+ * @param applicationName Application name
+ * @param moduleName Module name
+ * @param beanName Bean name
+ * @param methodName Method name
+ * @param methodInterface Method interface
+ * @param methodParameters The list of method parameters. this is optional and null is accepted.
+ * @param role Role name
+ * @param bean EnterpriseBean object this is an optional and null is allowed.
+ * @param subject Subject object to be authorized.
+ * @return true if the specified subject has a member of the specified role.
+ */
+ public boolean isSubjectInRole(String applicationName,
+ String moduleName,
+ String beanName,
+ String methodName,
+ List methodParameters,
+ String role,
+ EnterpriseBean bean,
+ Subject subject);
+
+ /**
+ * Returns whether RequestMethodArguments are required for authorization decision for EJB.
+ *
+ * @return true if RequestMethodArguments are required. false otherwise.
+ */
+ public boolean areRequestMethodArgumentsRequired();
+
+ /**
+ * Reset the policyContext Handler as per JACC specification
+ */
+ public void resetPolicyContextHandlerInfo();
+}
diff --git a/dev/com.ibm.ws.security.authorization.jacc/src/com/ibm/ws/security/authorization/jacc/web/package-info.java b/dev/com.ibm.ws.ejbcontainer.security/src/com/ibm/ws/ejbcontainer/security/jacc/package-info.java
similarity index 61%
rename from dev/com.ibm.ws.security.authorization.jacc/src/com/ibm/ws/security/authorization/jacc/web/package-info.java
rename to dev/com.ibm.ws.ejbcontainer.security/src/com/ibm/ws/ejbcontainer/security/jacc/package-info.java
index d5b45b2632f4..0a912c7c7367 100644
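Review bot: The isAuthorized Javadoc documents `@param methodName` twice and never documents the `methodSignature` parameter, while the isSubjectInRole Javadoc lists `@param methodInterface`, which that method does not take; the second `@param methodName Method signature` line should become `@param methodSignature Method signature` and the stray `@param methodInterface` entry under isSubjectInRole should be removed. The `@return` on isSubjectInRole reads "has a member of the specified role" where "is a member of" is meant. Both `List methodParameters` declarations are raw types in a newly exported interface; `List<?> methodParameters` would still accept the null and `Arrays.asList(...)` values the existing callers pass, assuming EJBJaccServiceImpl only reads the list, which is not visible in this hunk.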
--- a/dev/com.ibm.ws.security.authorization.jacc/src/com/ibm/ws/security/authorization/jacc/web/package-info.java +++ b/dev/com.ibm.ws.ejbcontainer.security/src/com/ibm/ws/ejbcontainer/security/jacc/package-info.java @@ -1,18 +1,18 @@ /******************************************************************************* - * Copyright (c) 2015 IBM Corporation and others. + * Copyright (c) 2024 IBM Corporation and others. * All rights reserved. This program and the accompanying materials * are made available under the terms of the Eclipse Public License 2.0 * which accompanies this distribution, and is available at * http://www.eclipse.org/legal/epl-2.0/ - * - * SPDX-License-Identifier: EPL-2.0 * - * Contributors: - * IBM Corporation - initial API and implementation + * SPDX-License-Identifier: EPL-2.0 *******************************************************************************/ /** * @version 1.0 */ @org.osgi.annotation.versioning.Version("1.0") -package com.ibm.ws.security.authorization.jacc.web; +@TraceOptions(traceGroup = TraceConstants.TRACE_GROUP, messageBundle = TraceConstants.MESSAGE_BUNDLE) +package com.ibm.ws.ejbcontainer.security.jacc; +import com.ibm.websphere.ras.annotation.TraceOptions; +import com.ibm.ws.ejbcontainer.security.internal.TraceConstants; diff --git a/dev/com.ibm.ws.ejbcontainer.security/test/com/ibm/ws/ejbcontainer/security/internal/jacc/EJBJaccAuthorizationHelperTest.java b/dev/com.ibm.ws.ejbcontainer.security/test/com/ibm/ws/ejbcontainer/security/internal/jacc/EJBJaccAuthorizationHelperTest.java index e4aaeefb57c4..4f7f572f7ae2 100644 --- a/dev/com.ibm.ws.ejbcontainer.security/test/com/ibm/ws/ejbcontainer/security/internal/jacc/EJBJaccAuthorizationHelperTest.java +++ b/dev/com.ibm.ws.ejbcontainer.security/test/com/ibm/ws/ejbcontainer/security/internal/jacc/EJBJaccAuthorizationHelperTest.java 
@@ -1,10 +1,10 @@ /******************************************************************************* - * Copyright (c) 2015, 2022 IBM Corporation and others. + * Copyright (c) 2015, 2024 IBM Corporation and others. * All rights reserved. This program and the accompanying materials * are made available under the terms of the Eclipse Public License 2.0 * which accompanies this distribution, and is available at * http://www.eclipse.org/legal/epl-2.0/ - * + * * SPDX-License-Identifier: EPL-2.0 * * Contributors: @@ -42,8 +42,8 @@ import com.ibm.ws.ejbcontainer.EJBRequestData; import com.ibm.ws.ejbcontainer.InternalConstants; import com.ibm.ws.ejbcontainer.security.internal.EJBAccessDeniedException; +import com.ibm.ws.ejbcontainer.security.jacc.EJBJaccService; import com.ibm.ws.security.authentication.principals.WSPrincipal; -import com.ibm.ws.security.authorization.jacc.JaccService; import com.ibm.wsspi.kernel.service.utils.AtomicServiceReference; import test.common.SharedOutputManager; @@ -58,7 +58,7 @@ public class EJBJaccAuthorizationHelperTest { @Rule public TestRule managerRule = outputMgr; - static final String KEY_JACC_SERVICE = "jaccService"; + static final String KEY_EJB_JACC_SERVICE = "eJBJaccService"; private final Mockery context = new JUnit4Mockery(); private final EJBRequestData erd = context.mock(EJBRequestData.class); 
@@ -66,12 +66,12 @@ public class EJBJaccAuthorizationHelperTest { private final EJBComponentMetaData ecmd = context.mock(EJBComponentMetaData.class); private final J2EEName jen = context.mock(J2EEName.class); @SuppressWarnings("unchecked") - private final ServiceReference jsr = context.mock(ServiceReference.class, "jaccServiceRef"); - private final JaccService js = context.mock(JaccService.class); + private final ServiceReference jsr = context.mock(ServiceReference.class, "jaccServiceRef"); + private final EJBJaccService js = context.mock(EJBJaccService.class); private final ComponentContext cc = context.mock(ComponentContext.class); private final EnterpriseBean eb = context.mock(EnterpriseBean.class); private final WSPrincipal wp = new WSPrincipal("securityName", "accessId", "BASIC"); - private final AtomicServiceReference ajsr = new AtomicServiceReference(KEY_JACC_SERVICE); + private final AtomicServiceReference ajsr = new AtomicServiceReference(KEY_EJB_JACC_SERVICE); /** * Tests authorizeEJB method normal role. @@ -118,7 +118,7 @@ public void authorizeEJBNormalNoMethodArgDenied() { will(returnValue(0L)); allowing(jsr).getProperty(Constants.SERVICE_RANKING); will(returnValue(0)); - one(cc).locateService("jaccService", jsr); + one(cc).locateService("eJBJaccService", jsr); will(returnValue(js)); one(js).isAuthorized(APP_NAME, MODULE_NAME, BEAN_NAME, METHOD_NAME, METHOD_INTERFACE_NAME, METHOD_SIGNATURE, null, null, SUBJECT); will(returnValue(false)); @@ -185,7 +185,7 @@ public void authorizeEJBNormalMethodArgEenterpriseBeanGranted() { will(returnValue(0L)); allowing(jsr).getProperty(Constants.SERVICE_RANKING); will(returnValue(0)); - one(cc).locateService("jaccService", jsr); + one(cc).locateService("eJBJaccService", jsr); will(returnValue(js)); one(js).isAuthorized(APP_NAME, MODULE_NAME, BEAN_NAME, METHOD_NAME, METHOD_INTERFACE_NAME, METHOD_SIGNATURE, Arrays.asList(ARG_LIST), eb, SUBJECT); will(returnValue(true)); 
@@ -243,7 +243,7 @@ public void isCallerInRoleFalse() { will(returnValue(0L)); allowing(jsr).getProperty(Constants.SERVICE_RANKING); will(returnValue(0)); - one(cc).locateService("jaccService", jsr); + one(cc).locateService("eJBJaccService", jsr); will(returnValue(js)); one(js).isSubjectInRole(APP_NAME, MODULE_NAME, BEAN_NAME, METHOD_NAME, Arrays.asList(ARG_LIST), ROLE, eb, SUBJECT); will(returnValue(false)); @@ -294,7 +294,7 @@ public void isCallerInRoleTrue() { will(returnValue(0L)); allowing(jsr).getProperty(Constants.SERVICE_RANKING); will(returnValue(0)); - one(cc).locateService("jaccService", jsr); + one(cc).locateService("eJBJaccService", jsr); will(returnValue(js)); one(js).isSubjectInRole(APP_NAME, MODULE_NAME, BEAN_NAME, METHOD_NAME, null, ROLE, null, SUBJECT); will(returnValue(true)); diff --git a/dev/com.ibm.ws.security.authorization.jacc.ejb/bnd.bnd b/dev/com.ibm.ws.security.authorization.jacc.ejb/bnd.bnd index 8fd98476c4e7..7049b754e908 100644 --- a/dev/com.ibm.ws.security.authorization.jacc.ejb/bnd.bnd +++ b/dev/com.ibm.ws.security.authorization.jacc.ejb/bnd.bnd @@ -33,7 +33,7 @@ Import-Package: \ ${defaultPackageImport} -dsannotations: \ - com.ibm.ws.security.authorization.jacc.ejb.impl.EJBServiceImpl + com.ibm.ws.security.authorization.jacc.ejb.impl.EJBJaccServiceImpl -buildpath: \ com.ibm.ws.security.authorization.jacc.common;version=latest,\ @@ -45,7 +45,10 @@ Import-Package: \ com.ibm.websphere.org.osgi.service.component,\ com.ibm.wsspi.org.osgi.service.component.annotations,\ com.ibm.ws.container.service;version=latest,\ - com.ibm.ws.org.osgi.annotation.versioning;version=latest + com.ibm.ws.org.osgi.annotation.versioning;version=latest,\ + com.ibm.ws.ejbcontainer;version=latest,\ + com.ibm.ws.ejbcontainer.security;version=latest,\ + com.ibm.ws.kernel.service;version=latest -testpath: \ ../build.sharedResources/lib/junit/old/junit.jar;version=file,\ 
diff --git a/dev/com.ibm.ws.security.authorization.jacc.ejb/src/com/ibm/ws/security/authorization/jacc/ejb/impl/EJBJaccServiceImpl.java b/dev/com.ibm.ws.security.authorization.jacc.ejb/src/com/ibm/ws/security/authorization/jacc/ejb/impl/EJBJaccServiceImpl.java new file mode 100644 index 000000000000..9aac9e87ad48 --- /dev/null +++ b/dev/com.ibm.ws.security.authorization.jacc.ejb/src/com/ibm/ws/security/authorization/jacc/ejb/impl/EJBJaccServiceImpl.java 
@@ -0,0 +1,288 @@
+/*******************************************************************************
+ * Copyright (c) 2024 IBM Corporation and others.
+ * All rights reserved. This program and the accompanying materials
+ * are made available under the terms of the Eclipse Public License 2.0
+ * which accompanies this distribution, and is available at
+ * http://www.eclipse.org/legal/epl-2.0/
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *******************************************************************************/
+package com.ibm.ws.security.authorization.jacc.ejb.impl;
+
+import java.security.AccessController;
+import java.security.Permission;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.StringTokenizer;
+
+import javax.ejb.EnterpriseBean;
+import javax.ejb.SessionContext;
+import javax.naming.Context;
+import javax.naming.InitialContext;
+import javax.naming.NamingException;
+import javax.security.auth.Subject;
+import javax.security.jacc.EJBMethodPermission;
+import javax.security.jacc.EJBRoleRefPermission;
+import javax.security.jacc.PolicyContext;
+import javax.security.jacc.PolicyContextException;
+
+import org.osgi.framework.ServiceReference;
+import org.osgi.service.component.ComponentContext;
+import org.osgi.service.component.annotations.Activate;
+import org.osgi.service.component.annotations.Component;
+import org.osgi.service.component.annotations.ConfigurationPolicy;
+import org.osgi.service.component.annotations.Deactivate;
+import org.osgi.service.component.annotations.Reference;
+import org.osgi.service.component.annotations.ReferencePolicy;
+
+import com.ibm.ejs.container.BeanMetaData;
+import com.ibm.websphere.ras.Tr;
+import com.ibm.websphere.ras.TraceComponent;
+import com.ibm.ws.ejbcontainer.security.jacc.EJBJaccService;
+import com.ibm.ws.ffdc.annotation.FFDCIgnore;
+import com.ibm.ws.security.authorization.jacc.JaccService;
+import com.ibm.ws.security.authorization.jacc.MethodInfo;
+import com.ibm.ws.security.authorization.jacc.RoleInfo;
+import com.ibm.ws.security.authorization.jacc.common.PolicyContextHandlerImpl;
+import com.ibm.ws.security.authorization.jacc.common.PolicyProxy;
+import com.ibm.ws.security.authorization.jacc.ejb.EJBSecurityPropagator;
+import com.ibm.wsspi.kernel.service.utils.AtomicServiceReference;
+
+@Component(service = EJBJaccService.class, immediate = true, name = "com.ibm.ws.security.authorization.jacc.ejb.service", configurationPolicy = ConfigurationPolicy.IGNORE, property = { "service.vendor=IBM" })
+public class EJBJaccServiceImpl implements EJBJaccService {
+
+ private static final String JACC_EJB_METHOD_ARGUMENT = "RequestMethodArgumentsRequired";
+
+ private static final TraceComponent tc = Tr.register(EJBJaccServiceImpl.class);
+ private static PolicyContextHandlerImpl pch = PolicyContextHandlerImpl.getInstance();
+ protected static final String KEY_JACC_SERVICE = "jaccService";
+
+ private static final String[] jaccHandlerKeyArray;
+
+ static {
+ boolean principalMapperSupported = false;
+ try {
+ principalMapperSupported = pch.supports("jakarta.security.jacc.PrincipalMapper");
+ } catch (PolicyContextException pce) {
+ // our implementation doesn't throw an exception, but it is on the interface so need to catch it.
+ }
+ if (principalMapperSupported) {
+ /** Keys for Jakarta EE 11 and higher. */
+ jaccHandlerKeyArray = new String[] { "javax.security.auth.Subject.container", "jakarta.ejb.EnterpriseBean", "jakarta.ejb.arguments",
+ "jakarta.xml.soap.SOAPMessage", "jakarta.security.jacc.PrincipalMapper" };
+ } else {
+ // javax.ejb and javax.xml.soap prefixed strings will be jakarta-ized during transformation
+ jaccHandlerKeyArray = new String[] { "javax.security.auth.Subject.container", "javax.ejb.EnterpriseBean", "javax.ejb.arguments",
+ "javax.xml.soap.SOAPMessage" };
+ }
+ }
+
+ /**
+ * Are we running with jakarta.ejb.* packages? This will indicate we are running with (at least) Jakarta EE 9.
+ *
+ * This check may seem silly on the surface, but the packages are transformed at build time to swap the javax.ejb.* packages with
+ * jakarta.ejb.*.
+ */
+ private static boolean isEENineOrHigher = SessionContext.class.getCanonicalName().startsWith("jakarta.ejb");
+
+ private final EJBSecurityPropagator esp = new EJBSecurityPropagatorImpl();
+
+ private final AtomicServiceReference jaccServiceRef = new AtomicServiceReference(KEY_JACC_SERVICE);
+
+ @Reference(service = JaccService.class, policy = ReferencePolicy.DYNAMIC, name = KEY_JACC_SERVICE)
+ protected void setJaccService(ServiceReference reference) {
+ jaccServiceRef.setReference(reference);
+ }
+
+ protected void unsetJaccService(ServiceReference reference) {
+ jaccServiceRef.unsetReference(reference);
+ }
+
+ @Activate
+ protected void activate(ComponentContext cc) {
+ jaccServiceRef.activate(cc);
+ JaccService jaccService = jaccServiceRef.getService();
+ if (jaccService != null) {
+ jaccService.getPolicyConfigurationManager().setEJBSecurityPropagator(esp);
+ }
+ }
+
+ @Deactivate
+ protected void deactivate(ComponentContext cc) {
+ jaccServiceRef.deactivate(cc);
+ }
+
+ @Override
+ public void propagateEJBRoles(BeanMetaData bmd) {
+ propagateEJBRoles(esp, bmd.j2eeName.getApplication(), bmd.j2eeName.getModule(), bmd.enterpriseBeanName, bmd.ivRoleLinkMap,
+ JaccUtil.convertMethodInfoList(JaccUtil.mergeMethodInfos(bmd)));
+ }
+
+ protected void propagateEJBRoles(EJBSecurityPropagator esp,
+ String applicationName,
+ String moduleName,
+ String beanName,
+ Map roleLinkMap,
+ Map> methodMap) {
+ JaccService jaccService = jaccServiceRef.getService();
+ if (jaccService != null) {
+ esp.propagateEJBRoles(jaccService.getContextId(applicationName, moduleName), applicationName, beanName, roleLinkMap, methodMap,
+ jaccService.getPolicyConfigurationManager());
+ }
+ }
+
+ @Override
+ public boolean isAuthorized(String applicationName, String moduleName, String beanName, String methodName, String methodInterface,
+ String methodSignature, List methodParameters, EnterpriseBean bean, Subject subject) {
+ JaccService jaccService = jaccServiceRef.getService();
+ if (jaccService != null) {
+ String[] methodSignatureArray = convertMethodSignature(methodSignature);
+ final EJBMethodPermission ejbPerm = new EJBMethodPermission(beanName, methodName, methodInterface, methodSignatureArray);
+ return checkResourceConstraints(jaccService.getContextId(applicationName, moduleName), methodParameters, bean, ejbPerm, subject, jaccService.getPolicyProxy());
+ }
+ return false;
+ }
+
+ @Override
+ public boolean isSubjectInRole(String applicationName, String moduleName, String beanName, String methodName,
+ List methodParameters, String role, EnterpriseBean bean, Subject subject) {
+
+ JaccService jaccService = jaccServiceRef.getService();
+ if (jaccService != null) {
+ final EJBRoleRefPermission ejbPerm = new EJBRoleRefPermission(beanName, role);
+ return checkResourceConstraints(jaccService.getContextId(applicationName, moduleName), methodParameters, bean, ejbPerm, subject, jaccService.getPolicyProxy());
+ }
+ return false;
+ }
+
+ private boolean checkResourceConstraints(String contextId, List methodParameters, EnterpriseBean bean, Permission ejbPerm, Subject subject, PolicyProxy policyProxy) {
+ boolean result = false;
+ final HashMap ho = new HashMap();
+ final Object[] ma = null;
+
+ /*
+ * TODO Doesn't seem to handle EJB-3.0 annotated beans.
+ */
+ if (methodParameters != null && methodParameters.size() > 0) {
+ methodParameters.toArray(new Object[methodParameters.size()]);
+ }
+ try {
+ result = checkMethodConstraints(contextId, ma, bean, ejbPerm, subject, ho, policyProxy);
+ } catch (PrivilegedActionException pae) {
+ Tr.error(tc, "JACC_EJB_IMPLIES_FAILURE", new Object[] { contextId, pae.getException() });
+ } // Moved resetHandlerInfo to postInvoke.
+ return result;
+ }
+
+ private boolean checkMethodConstraints(final String contextId,
+ final Object[] methodParameters,
+ final EnterpriseBean bean,
+ final Permission permission,
+ final Subject subject,
+ final HashMap handlerObjects,
+ final PolicyProxy policyProxy) throws PrivilegedActionException {
+ Boolean result = Boolean.FALSE;
+ result = AccessController.doPrivileged(
+ new PrivilegedExceptionAction() {
+ @Override
+ public Boolean run() throws javax.security.jacc.PolicyContextException {
+ PolicyContext.setContextID(contextId);
+
+ if (tc.isDebugEnabled())
+ Tr.debug(tc, "Registering JACC context handlers");
+
+ for (String key : jaccHandlerKeyArray) {
+ PolicyContext.registerHandler(key, pch, true);
+ }
+
+ handlerObjects.put(jaccHandlerKeyArray[0], subject);
+ handlerObjects.put(jaccHandlerKeyArray[1], bean);
+ handlerObjects.put(jaccHandlerKeyArray[2], methodParameters);
+
+ /*
+ * EE 8 and below support JAX-RPC MessageContext. EE 9 removed this support.
+ */
+ if (!isEENineOrHigher) {
+ Object mc = null;
+ try {
+ InitialContext ic = new InitialContext();
+ mc = getMessageContext(ic);
+ } catch (NamingException e) {
+ if (tc.isDebugEnabled())
+ Tr.debug(tc, "NamingException is caught. Ignoring.", e);
+ }
+ if (mc != null) {
+ if (tc.isDebugEnabled())
+ Tr.debug(tc, "javax.xml.soap.SOAPMessage is set: ", mc);
+ handlerObjects.put(jaccHandlerKeyArray[3], mc);
+ }
+ }
+
+ if (tc.isDebugEnabled())
+ Tr.debug(tc, "Setting JACC handler data");
+ PolicyContext.setHandlerData(handlerObjects);
+ if (tc.isDebugEnabled())
+ Tr.debug(tc, "Calling JACC implies. subject : " + subject);
+ return policyProxy.implies(contextId, subject, permission);
+ }
+ });
+ return result.booleanValue();
+ }
+
+ @FFDCIgnore({ NamingException.class, IllegalStateException.class })
+ Object getMessageContext(Context c) {
+ Object mc = null;
+ try {
+ SessionContext sc = (SessionContext) c.lookup("java:comp/EJBContext");
+ if (sc != null) {
+ mc = sc.getMessageContext();
+ }
+ } catch (NamingException ne) {
+ if (tc.isDebugEnabled())
+ Tr.debug(tc, "NamingException is caught. Safe to ignore.", ne);
+ } catch (IllegalStateException ise) {
+ if (tc.isDebugEnabled())
+ Tr.debug(tc, "IllegalStateException is caught. Safe to ignore.", ise);
+ }
+ return mc;
+ }
+
+ @Override
+ public boolean areRequestMethodArgumentsRequired() {
+ JaccService jaccService = jaccServiceRef.getService();
+ if (jaccService != null) {
+ String value = jaccService.getProviderServiceProperty(JACC_EJB_METHOD_ARGUMENT);
+ return "true".equalsIgnoreCase(value);
+ }
+ return false;
+ }
+
+ @Override
+ public void resetPolicyContextHandlerInfo() {
+ JaccService jaccService = jaccServiceRef.getService();
+ if (jaccService != null) {
+ jaccService.resetPolicyContextHandlerInfo();
+ }
+ }
+
+ private String[] convertMethodSignature(String methodSignature) {
+ ArrayList methodSignatureList = new ArrayList();
+ if (methodSignature != null && methodSignature.length() > 0) {
+ int index = methodSignature.indexOf(":");
+ if (index != -1) {
+ String s = methodSignature.substring(index + 1);
+ if (s != null && s.length() > 0) {
+ StringTokenizer st = new StringTokenizer(s, ",");
+ while (st.hasMoreTokens()) {
+ methodSignatureList.add(st.nextToken());
+ }
+ }
+ }
+ }
+ return methodSignatureList.toArray(new String[methodSignatureList.size()]);
+ }
+}
diff --git a/dev/com.ibm.ws.security.authorization.jacc.ejb/src/com/ibm/ws/security/authorization/jacc/ejb/impl/EJBSecurityPropagatorImpl.java b/dev/com.ibm.ws.security.authorization.jacc.ejb/src/com/ibm/ws/security/authorization/jacc/ejb/impl/EJBSecurityPropagatorImpl.java
index 18f568d919a7..607742b0c19b 100644
--- a/dev/com.ibm.ws.security.authorization.jacc.ejb/src/com/ibm/ws/security/authorization/jacc/ejb/impl/EJBSecurityPropagatorImpl.java
+++ b/dev/com.ibm.ws.security.authorization.jacc.ejb/src/com/ibm/ws/security/authorization/jacc/ejb/impl/EJBSecurityPropagatorImpl.java
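Review bot: In checkResourceConstraints the converted argument array is thrown away — `methodParameters.toArray(new Object[methodParameters.size()])` is evaluated but never assigned, so `ma` is always null and the handler data stored under `jaccHandlerKeyArray[2]` (the EJB arguments key) never carries the invocation arguments, even for a provider that reports areRequestMethodArgumentsRequired() as true. The defect is inherited from the deleted EJBSecurityValidatorImpl rather than introduced here, but this new class is the place to settle it: `final Object[] ma = (methodParameters != null && !methodParameters.isEmpty()) ? methodParameters.toArray(new Object[methodParameters.size()]) : null;` and the now-empty if block goes away. Separately, `Tr.debug(tc, "Calling JACC implies. subject : " + subject)` stringifies the whole Subject, and Subject.toString may include private credentials, so logging only the principals would be safer even at debug level. The propagator is handed to the PolicyConfigurationManager only in activate(); with ReferencePolicy.DYNAMIC a JaccService bound later would not receive it, so if such a rebinding can happen in practice the call belongs in setJaccService as well.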
@@ -1,10 +1,10 @@
 /*******************************************************************************
- * Copyright (c) 2015 IBM Corporation and others.
+ * Copyright (c) 2015, 2024 IBM Corporation and others.
 * All rights reserved. This program and the accompanying materials
 * are made available under the terms of the Eclipse Public License 2.0
 * which accompanies this distribution, and is available at
 * http://www.eclipse.org/legal/epl-2.0/
- *
+ *
 * SPDX-License-Identifier: EPL-2.0
 *
 * Contributors:
@@ -29,8 +29,8 @@
 import com.ibm.websphere.ras.Tr;
 import com.ibm.websphere.ras.TraceComponent;
-import com.ibm.ws.security.authorization.jacc.common.PolicyConfigurationManager;
 import com.ibm.ws.security.authorization.jacc.MethodInfo;
+import com.ibm.ws.security.authorization.jacc.PolicyConfigurationManager;
 import com.ibm.ws.security.authorization.jacc.RoleInfo;
 import com.ibm.ws.security.authorization.jacc.ejb.EJBSecurityPropagator;
@@ -39,25 +39,27 @@ public class EJBSecurityPropagatorImpl implements EJBSecurityPropagator {
 private static final TraceComponent tc = Tr.register(EJBSecurityPropagatorImpl.class);
 private static Map> moduleRoleInfoMap = new ConcurrentHashMap>();
- public EJBSecurityPropagatorImpl() {}
+ public EJBSecurityPropagatorImpl() {
+ }
 @Override
 public void propagateEJBRoles(String contextId, String appName, String beanName, Map roleLinkMap,
- Map> methodMap) {
+ Map> methodMap,
+ PolicyConfigurationManager policyConfigManager) {
 Set mris = moduleRoleInfoMap.get(contextId);
 if (mris == null) {
 mris = Collections.newSetFromMap(new ConcurrentHashMap());
 moduleRoleInfoMap.put(contextId, mris);
 }
 mris.add(new ModuleRoleInfo(appName, beanName, roleLinkMap, methodMap));
- PolicyConfigurationManager.addEJB(appName, contextId);
+ policyConfigManager.addEJB(appName, contextId);
 }
 @Override
- public void processEJBRoles(PolicyConfigurationFactory pcf, String contextId) {
+ public void processEJBRoles(PolicyConfigurationFactory pcf, String contextId, PolicyConfigurationManager policyConfigManager) {
 Set mris = moduleRoleInfoMap.get(contextId);
 if (mris == null) {
 //nothing to do.
@@ -68,7 +70,7 @@ public void processEJBRoles(PolicyConfigurationFactory pcf, String contextId) {
 PolicyConfiguration ejbPC = null;
 String appName = mris.iterator().next().appName;
- boolean exist = PolicyConfigurationManager.containModule(appName, contextId);
+ boolean exist = policyConfigManager.containModule(appName, contextId);
 try {
 ejbPC = pcf.getPolicyConfiguration(contextId, !exist);
 } catch (PolicyContextException pce) {
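Review bot: moduleRoleInfoMap stays a static field while the PolicyConfigurationManager is now an instance passed into every call, and the get/null-check/put on that map in propagateEJBRoles is not atomic on a ConcurrentHashMap, so two threads propagating the same contextId can each create a set and the role info added to the losing one is silently dropped. If the bundle compiles at Java 8 or later, `Set<ModuleRoleInfo> mris = moduleRoleInfoMap.computeIfAbsent(contextId, k -> Collections.newSetFromMap(new ConcurrentHashMap<>()));` replaces the three-line sequence and closes the window. A comment on the field stating why the pending role info is deliberately shared across manager instances (or a change to per-instance state) would make the new ownership model explicit. processEJBRoles continues past the end of this hunk.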
@@ -82,7 +84,7 @@ public void processEJBRoles(PolicyConfigurationFactory pcf, String contextId) {
 processMethodPermissions(ejbPC, mri.beanName, mri.methodMap, allRoles);
 // commit will be invoked in PolicyCOnfigurationManager class.
 }
- PolicyConfigurationManager.linkConfiguration(appName, ejbPC);
+ policyConfigManager.linkConfiguration(appName, ejbPC);
 moduleRoleInfoMap.remove(contextId);
 } catch (PolicyContextException e) {
 Tr.error(tc, "JACC_EJB_PERMISSION_PROPAGATION_FAILURE", new Object[] { contextId, e });
@@ -107,7 +109,8 @@ private Set getAllRoles(Set mris) {
 return allRoles;
 }
- private void processMethodPermissions(PolicyConfiguration ejbPC, String beanName, Map> methodMap, Set allRoles) throws PolicyContextException {
+ private void processMethodPermissions(PolicyConfiguration ejbPC, String beanName, Map> methodMap,
+ Set allRoles) throws PolicyContextException {
 if (methodMap != null && methodMap.size() > 0) {
 Permissions ejbRolePerms = null;
 Permissions ejbUncheckedPerms = null;
diff --git a/dev/com.ibm.ws.security.authorization.jacc.ejb/src/com/ibm/ws/security/authorization/jacc/ejb/impl/EJBSecurityValidatorImpl.java b/dev/com.ibm.ws.security.authorization.jacc.ejb/src/com/ibm/ws/security/authorization/jacc/ejb/impl/EJBSecurityValidatorImpl.java
deleted file mode 100644
index 92e2cbc28aaf..000000000000
--- a/dev/com.ibm.ws.security.authorization.jacc.ejb/src/com/ibm/ws/security/authorization/jacc/ejb/impl/EJBSecurityValidatorImpl.java
+++ /dev/null
@@ -1,173 +0,0 @@
-/*******************************************************************************
- * Copyright (c) 2015, 2024 IBM Corporation and others.
- * All rights reserved. This program and the accompanying materials
- * are made available under the terms of the Eclipse Public License 2.0
- * which accompanies this distribution, and is available at
- * http://www.eclipse.org/legal/epl-2.0/
- *
- * SPDX-License-Identifier: EPL-2.0
- *
- * Contributors:
- * IBM Corporation - initial API and implementation
- *******************************************************************************/
-package com.ibm.ws.security.authorization.jacc.ejb.impl;
-
-import java.security.AccessController;
-import java.security.Permission;
-import java.security.PrivilegedActionException;
-import java.security.PrivilegedExceptionAction;
-import java.util.HashMap;
-import java.util.List;
-
-import javax.ejb.EnterpriseBean;
-import javax.ejb.SessionContext;
-import javax.naming.Context;
-import javax.naming.InitialContext;
-import javax.naming.NamingException;
-import javax.security.auth.Subject;
-import javax.security.jacc.PolicyContext;
-
-import com.ibm.websphere.ras.Tr;
-import com.ibm.websphere.ras.TraceComponent;
-import com.ibm.ws.ffdc.annotation.FFDCIgnore;
-import com.ibm.ws.security.authorization.jacc.common.PolicyContextHandlerImpl;
-import com.ibm.ws.security.authorization.jacc.common.PolicyProxy;
-import com.ibm.ws.security.authorization.jacc.ejb.EJBSecurityValidator;
-
-public class EJBSecurityValidatorImpl implements EJBSecurityValidator {
- private static final TraceComponent tc = Tr.register(EJBSecurityValidatorImpl.class);
-
- /** Keys for Java / Jakarta EE 8 and lower. */
- private static String[] jaccHandlerKeyArrayEe8 = new String[] { "javax.security.auth.Subject.container", "javax.ejb.EnterpriseBean", "javax.ejb.arguments",
- "javax.xml.soap.SOAPMessage" };
-
- /** Keys for Jakarta EE 9 and higher. */
- private static String[] jaccHandlerKeyArrayEe9 = new String[] { "javax.security.auth.Subject.container", "jakarta.ejb.EnterpriseBean", "jakarta.ejb.arguments",
- "jakarta.xml.soap.SOAPMessage" };
-
- private static PolicyContextHandlerImpl pch = PolicyContextHandlerImpl.getInstance();
-
- /**
- * Are we running with jakarta.ejb.* packages? This will indicate we are running with (at least) Jakarta EE 9.
- *
- * This check may seem silly on the surface, but the packages are transformed at build time to swap the javax.ejb.* packages with
- * jakarta.ejb.*.
- */
- private static boolean isEENineOrHigher = SessionContext.class.getCanonicalName().startsWith("jakarta.ejb");
-
- public EJBSecurityValidatorImpl() {
- }
-
- @Override
- public boolean checkResourceConstraints(String contextId, List methodParameters, Object bean, Permission ejbPerm, Subject subject, PolicyProxy policyProxy) {
- boolean result = false;
- final String fci = contextId;
- final HashMap ho = new HashMap();
- final Subject s = subject;
- final Object[] ma = null;
-
- /*
- * TODO Doesn't seem to handle EJB-3.0 annotated beans.
- */
- EnterpriseBean eb = null;
- if (bean != null) {
- try {
- eb = (EnterpriseBean) bean;
- } catch (ClassCastException cce) {
- Tr.error(tc, "JACC_EJB_SPI_PARAMETER_ERROR", new Object[] { bean.getClass().getName(), "checkResourceConstraints", "EnterpriseBean" });
- return false;
- }
- }
- final EnterpriseBean b = eb;
- if (methodParameters != null && methodParameters.size() > 0) {
- methodParameters.toArray(new Object[methodParameters.size()]);
- }
- final Permission p = ejbPerm;
- try {
- result = checkMethodConstraints(fci, ma, b, p, s, ho, policyProxy);
- } catch (PrivilegedActionException pae) {
- Tr.error(tc, "JACC_EJB_IMPLIES_FAILURE", new Object[] { contextId, pae.getException() });
- } // Moved resetHandlerInfo to postInvoke.
- return result;
- }
-
- private boolean checkMethodConstraints(final String contextId,
- final Object[] methodParameters,
- final EnterpriseBean bean,
- final Permission permission,
- final Subject subject,
- final HashMap handlerObjects,
- final PolicyProxy policyProxy) throws PrivilegedActionException {
- Boolean result = Boolean.FALSE;
- result = AccessController.doPrivileged(
- new PrivilegedExceptionAction() {
- @Override
- public Boolean run() throws javax.security.jacc.PolicyContextException {
- PolicyContext.setContextID(contextId);
-
- if (tc.isDebugEnabled())
- Tr.debug(tc, "Registering JACC context handlers");
-
- for (String key : jaccHandlerKeyArrayEe8) {
- PolicyContext.registerHandler(key, pch, true);
- }
- for (String key : jaccHandlerKeyArrayEe9) {
- PolicyContext.registerHandler(key, pch, true);
- }
-
- handlerObjects.put(jaccHandlerKeyArrayEe8[0], subject);
- handlerObjects.put(jaccHandlerKeyArrayEe8[1], bean);
- handlerObjects.put(jaccHandlerKeyArrayEe8[2], methodParameters);
-
- handlerObjects.put(jaccHandlerKeyArrayEe9[0], subject);
- handlerObjects.put(jaccHandlerKeyArrayEe9[1], bean);
- handlerObjects.put(jaccHandlerKeyArrayEe9[2], methodParameters);
-
- /*
- * EE 8 and below support JAX-RPC MessageContext. EE 9 removed this support.
- */
- if (!isEENineOrHigher) {
- Object mc = null;
- try {
- InitialContext ic = new InitialContext();
- mc = getMessageContext(ic);
- } catch (NamingException e) {
- if (tc.isDebugEnabled())
- Tr.debug(tc, "NamingException is caught. Ignoring.", e);
- }
- if (mc != null) {
- if (tc.isDebugEnabled())
- Tr.debug(tc, "javax.xml.soap.SOAPMessage is set: ", mc);
- handlerObjects.put(jaccHandlerKeyArrayEe8[3], mc);
- }
- }
-
- if (tc.isDebugEnabled())
- Tr.debug(tc, "Setting JACC handler data");
- PolicyContext.setHandlerData(handlerObjects);
- if (tc.isDebugEnabled())
- Tr.debug(tc, "Calling JACC implies. subject : " + subject);
- return policyProxy.implies(contextId, subject, permission);
- }
- });
- return result.booleanValue();
- }
-
- @FFDCIgnore({ NamingException.class, IllegalStateException.class })
- public Object getMessageContext(Context c) {
- Object mc = null;
- try {
- SessionContext sc = (SessionContext) c.lookup("java:comp/EJBContext");
- if (sc != null) {
- mc = sc.getMessageContext();
- }
- } catch (NamingException ne) {
- if (tc.isDebugEnabled())
- Tr.debug(tc, "NamingException is caught. Safe to ignore.", ne);
- } catch (IllegalStateException ise) {
- if (tc.isDebugEnabled())
- Tr.debug(tc, "IllegalStateException is caught. Safe to ignore.", ise);
- }
- return mc;
- }
-}
diff --git a/dev/com.ibm.ws.security.authorization.jacc.ejb/src/com/ibm/ws/security/authorization/jacc/ejb/impl/EJBServiceImpl.java b/dev/com.ibm.ws.security.authorization.jacc.ejb/src/com/ibm/ws/security/authorization/jacc/ejb/impl/EJBServiceImpl.java
deleted file mode 100644
index 530e2848c1d9..000000000000
--- a/dev/com.ibm.ws.security.authorization.jacc.ejb/src/com/ibm/ws/security/authorization/jacc/ejb/impl/EJBServiceImpl.java
+++ /dev/null
@@ -1,59 +0,0 @@
-/*******************************************************************************
- * Copyright (c) 2015 IBM Corporation and others.
- * All rights reserved. This program and the accompanying materials
- * are made available under the terms of the Eclipse Public License 2.0
- * which accompanies this distribution, and is available at
- * http://www.eclipse.org/legal/epl-2.0/
- *
- * SPDX-License-Identifier: EPL-2.0
- *
- * Contributors:
- * IBM Corporation - initial API and implementation
- *******************************************************************************/
-package com.ibm.ws.security.authorization.jacc.ejb.impl;
-
-import org.osgi.service.component.ComponentContext;
-import org.osgi.service.component.annotations.Activate;
-import org.osgi.service.component.annotations.Component;
-import org.osgi.service.component.annotations.ConfigurationPolicy;
-import org.osgi.service.component.annotations.Deactivate;
-
-import com.ibm.websphere.ras.Tr;
-import com.ibm.websphere.ras.TraceComponent;
-import com.ibm.ws.security.authorization.jacc.ejb.EJBSecurityPropagator;
-import com.ibm.ws.security.authorization.jacc.ejb.EJBSecurityValidator;
-import com.ibm.ws.security.authorization.jacc.ejb.EJBService;
-
-@Component(service = EJBService.class, immediate = true, name = "com.ibm.ws.security.authorization.jacc.ejb.ejbservice", configurationPolicy = ConfigurationPolicy.IGNORE, property = { "service.vendor=IBM" })
-public class EJBServiceImpl implements EJBService {
- private static final TraceComponent tc = Tr.register(EJBServiceImpl.class);
-
- private static EJBSecurityPropagatorImpl esp = null;
- private static EJBSecurityValidatorImpl esv = null;
-
- public EJBServiceImpl() {}
-
- @Activate
- protected synchronized void activate(ComponentContext cc) {}
-
- @Deactivate
- protected synchronized void deactivate(ComponentContext cc) {}
-
- /** {@inheritDoc} */
- @Override
- public synchronized EJBSecurityPropagator getPropagator() {
- if (esp == null) {
- esp = new EJBSecurityPropagatorImpl();
- }
- return esp;
- }
-
- /** {@inheritDoc} */
- @Override
- public synchronized EJBSecurityValidator getValidator() {
- if (esv == null) {
- esv = new EJBSecurityValidatorImpl();
- }
- return esv;
- }
-}
diff --git a/dev/com.ibm.ws.ejbcontainer.security/src/com/ibm/ws/ejbcontainer/security/internal/jacc/JaccUtil.java b/dev/com.ibm.ws.security.authorization.jacc.ejb/src/com/ibm/ws/security/authorization/jacc/ejb/impl/JaccUtil.java
similarity index 94%
rename from dev/com.ibm.ws.ejbcontainer.security/src/com/ibm/ws/ejbcontainer/security/internal/jacc/JaccUtil.java
rename to dev/com.ibm.ws.security.authorization.jacc.ejb/src/com/ibm/ws/security/authorization/jacc/ejb/impl/JaccUtil.java
index 941615b88074..97eac342c1ad 100644
--- a/dev/com.ibm.ws.ejbcontainer.security/src/com/ibm/ws/ejbcontainer/security/internal/jacc/JaccUtil.java
+++ b/dev/com.ibm.ws.security.authorization.jacc.ejb/src/com/ibm/ws/security/authorization/jacc/ejb/impl/JaccUtil.java
@@ -1,16 +1,16 @@
 /*******************************************************************************
- * Copyright (c) 2015 IBM Corporation and others.
+ * Copyright (c) 2015, 2024 IBM Corporation and others.
 * All rights reserved. This program and the accompanying materials
 * are made available under the terms of the Eclipse Public License 2.0
 * which accompanies this distribution, and is available at
 * http://www.eclipse.org/legal/epl-2.0/
- *
+ *
 * SPDX-License-Identifier: EPL-2.0
 *
 * Contributors:
 * IBM Corporation - initial API and implementation
 *******************************************************************************/
-package com.ibm.ws.ejbcontainer.security.internal.jacc;
+package com.ibm.ws.security.authorization.jacc.ejb.impl;
 import java.lang.reflect.Method;
 import java.util.ArrayList;
@@ -32,11 +32,11 @@
 ** This class is for restructure the contents of MetaData to the
 ** contents for JACC provider.
 */
-public class JaccUtil
-{
+public class JaccUtil {
 private static TraceComponent tc = Tr.register(JaccUtil.class);
- public JaccUtil() {}
+ public JaccUtil() {
+ }
 public static Map> convertMethodInfoList(List methodInfos) {
 Map> methodMap = null;
@@ -89,7 +89,7 @@ public static Map> convertMethodInfoList(List mergeMethodInfos(BeanMetaData bmd) {
 List miList = new ArrayList();
 EJBMethodInfoImpl list[][] = { bmd.homeMethodInfos, bmd.localHomeMethodInfos, bmd.methodInfos, bmd.localMethodInfos, bmd.timedMethodInfos, bmd.wsEndpointMethodInfos,
- bmd.lifecycleInterceptorMethodInfos };
+ bmd.lifecycleInterceptorMethodInfos };
 for (EJBMethodMetaData[] miArray : list) {
 if (miArray != null && miArray.length > 0) {
diff --git a/dev/com.ibm.ws.security.authorization.jacc.ejb/test/com/ibm/ws/security/authorization/jacc/ejb/impl/EJBJaccServiceImplTest.java b/dev/com.ibm.ws.security.authorization.jacc.ejb/test/com/ibm/ws/security/authorization/jacc/ejb/impl/EJBJaccServiceImplTest.java
new file mode 100644
index 000000000000..adc77a8571ca
--- /dev/null
+++ b/dev/com.ibm.ws.security.authorization.jacc.ejb/test/com/ibm/ws/security/authorization/jacc/ejb/impl/EJBJaccServiceImplTest.java
@@ -0,0 +1,480 @@ +/******************************************************************************* + * Copyright (c) 2015, 2024 IBM Corporation and others. + * All rights reserved. This program and the accompanying materials + * are made available under the terms of the Eclipse Public License 2.0 + * which accompanies this distribution, and is available at + * http://www.eclipse.org/legal/epl-2.0/ + * + * SPDX-License-Identifier: EPL-2.0 + *******************************************************************************/ + +package com.ibm.ws.security.authorization.jacc.ejb.impl; + +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertTrue; +import static org.junit.Assert.fail; + +import java.security.Policy; +import java.util.ArrayList; +import java.util.HashMap; +import java.util.List; +import java.util.Map; + +import javax.ejb.EnterpriseBean; +import javax.security.auth.Subject; +import javax.security.jacc.EJBMethodPermission; +import javax.security.jacc.EJBRoleRefPermission; +import javax.security.jacc.PolicyConfiguration; +import javax.security.jacc.PolicyConfigurationFactory; + +import org.jmock.Expectations; +import org.jmock.Mockery; +import org.jmock.integration.junit4.JUnit4Mockery; +import org.junit.After; +import org.junit.Rule; +import org.junit.Test; +import org.junit.rules.TestRule; +import org.osgi.framework.ServiceReference; +import org.osgi.service.component.ComponentContext; + +import com.ibm.ws.security.authorization.jacc.JaccService; +import com.ibm.ws.security.authorization.jacc.MethodInfo; +import com.ibm.ws.security.authorization.jacc.PolicyConfigurationManager; +import com.ibm.ws.security.authorization.jacc.RoleInfo; +import com.ibm.ws.security.authorization.jacc.common.PolicyConfigurationManagerImpl; +import com.ibm.ws.security.authorization.jacc.common.PolicyProxy; +import com.ibm.ws.security.authorization.jacc.common.ProviderServiceProxy; +import 
com.ibm.ws.security.authorization.jacc.ejb.EJBSecurityPropagator; +import com.ibm.ws.security.authorization.jacc.internal.JaccServiceImpl; +import com.ibm.ws.security.authorization.jacc.internal.JaccServiceTestUtil; +import com.ibm.wsspi.kernel.service.location.WsLocationAdmin; +import com.ibm.wsspi.security.authorization.jacc.ProviderService; + +import test.common.SharedOutputManager; + +public class EJBJaccServiceImplTest { + static final SharedOutputManager outputMgr = SharedOutputManager.getInstance(); + /** + * Using the test rule will drive capture/restore and will dump on error.. + * Notice this is not a static variable, though it is being assigned a value we + * allocated statically. -- the normal-variable-ness is for before/after processing + */ + @Rule + public TestRule managerRule = outputMgr; + + private final Mockery context = new JUnit4Mockery(); + private final ComponentContext cc = context.mock(ComponentContext.class); + @SuppressWarnings("unchecked") + private final ServiceReference jaccProviderServiceProxyRef = context.mock(ServiceReference.class, "providerServiceProxyRef"); + private final ProviderServiceProxy jaccProviderServiceProxy = context.mock(ProviderServiceProxy.class); + @SuppressWarnings("unchecked") + private final ServiceReference jaccProviderServiceRef = context.mock(ServiceReference.class, "providerServiceRef"); + private final ProviderService jaccProviderService = context.mock(ProviderService.class); + @SuppressWarnings("unchecked") + private final ServiceReference wsLocationAdminRef = context.mock(ServiceReference.class, "wsLocationAdminRef"); + private final WsLocationAdmin wsLocationAdmin = context.mock(WsLocationAdmin.class); + private final PolicyConfiguration pc = context.mock(PolicyConfiguration.class); + private final EnterpriseBean eBean = context.mock(EnterpriseBean.class); + private final EJBSecurityPropagator esp = context.mock(EJBSecurityPropagator.class); + private final ServiceReference jaccServiceRef = 
context.mock(ServiceReference.class, "jaccServiceRef"); + private final EJBJaccServiceImpl ejbJaccService = new EJBJaccServiceImpl(); + + private final Policy policy = Policy.getPolicy(); + private final PolicyProxy policyProxy = context.mock(PolicyProxy.class); + private final PolicyConfigurationFactory pcf = new DummyPolicyConfigurationFactory(pc); + private final PolicyConfigurationManager pcm = new PolicyConfigurationManagerImpl(); + + private static final String JACC_FACTORY = "javax.security.jacc.PolicyConfigurationFactory.provider"; + private static final String JACC_FACTORY_EE9 = "jakarta.security.jacc.PolicyConfigurationFactory.provider"; + private static final String JACC_POLICY_PROVIDER = "javax.security.jacc.policy.provider"; + private static final String JACC_POLICY_PROVIDER_EE9 = "jakarta.security.jacc.policy.provider"; + private static final String JACC_FACTORY_IMPL = "com.ibm.ws.security.authorization.jacc.internal.DummyPolicyConfigurationFactory"; + private static final String JACC_POLICY_PROVIDER_IMPL = "com.ibm.ws.security.authorization.jacc.internal.DummyPolicy"; + private static final String JACC_EJB_METHOD_ARGUMENT = "RequestMethodArgumentsRequired"; + + private final String origPp = System.getProperty(JACC_POLICY_PROVIDER); + private final String origPpEe9 = System.getProperty(JACC_POLICY_PROVIDER_EE9); + private final String origFn = System.getProperty(JACC_FACTORY); + private final String origFnEe9 = System.getProperty(JACC_FACTORY_EE9); + + @After + public void tearDown() throws Exception { + // clean up. 
+ if (origPp != null) { + System.setProperty(JACC_POLICY_PROVIDER, origPp); + } else { + System.clearProperty(JACC_POLICY_PROVIDER); + } + if (origPpEe9 != null) { + System.setProperty(JACC_POLICY_PROVIDER_EE9, origPpEe9); + } else { + System.clearProperty(JACC_POLICY_PROVIDER_EE9); + } + if (origFn != null) { + System.getProperty(JACC_FACTORY, origFn); + } else { + System.clearProperty(JACC_FACTORY); + } + if (origFnEe9 != null) { + System.getProperty(JACC_FACTORY_EE9, origFnEe9); + } else { + System.clearProperty(JACC_FACTORY_EE9); + } + Policy.setPolicy(policy); + } + + /** + * Tests propagateEJBRoles method + * Expected result: no exception. + */ + @Test + public void propagateEJBRoles() { + final String appName = "applicationName"; + final String moduleName = "moduleName"; + final String beanName = "testBean"; + + try { + ejbJaccService.propagateEJBRoles(esp, appName, moduleName, beanName, null, null); + } catch (Exception e) { + e.printStackTrace(); + fail("Exception is caught : " + e); + } + } + + /** + * Tests propagateEJBRoles method + * Expected result: no exception. 
+ */ + @SuppressWarnings("unchecked") + @Test + public void propagateEJBRolesValid() { + final String directory = "/wlp/test"; + final String name = "jaccServer"; + final String appName = "applicationName"; + final String moduleName = "moduleName"; + final String beanName = "testBean"; + final Map rl = new HashMap(); + final Map> mm = new HashMap>(); + final JaccServiceImpl jaccService = JaccServiceTestUtil.createJaccService(pcm); + + context.checking(new Expectations() { + { + allowing(jaccProviderServiceRef).getProperty(JACC_POLICY_PROVIDER); + allowing(jaccProviderServiceRef).getProperty(JACC_POLICY_PROVIDER_EE9); + will(returnValue(JACC_POLICY_PROVIDER_IMPL)); + allowing(jaccProviderServiceRef).getProperty(JACC_FACTORY); + allowing(jaccProviderServiceRef).getProperty(JACC_FACTORY_EE9); + will(returnValue(JACC_FACTORY_IMPL)); + allowing(cc).locateService("jaccProviderServiceProxy", jaccProviderServiceProxyRef); + will(returnValue(jaccProviderServiceProxy)); + allowing(cc).locateService("jaccProviderService", jaccProviderServiceRef); + will(returnValue(jaccProviderService)); + allowing(cc).locateService("locationAdmin", wsLocationAdminRef); + will(returnValue(wsLocationAdmin)); + allowing(jaccProviderServiceProxy).getPolicyProxy(); + will(returnValue(policyProxy)); + allowing(jaccProviderServiceProxy).getPolicyConfigFactory(); + will(returnValue(pcf)); + allowing(jaccProviderService).getPolicy(); + will(returnValue(policy)); + allowing(policyProxy).setPolicy(); + allowing(policyProxy).refresh(); + allowing(jaccProviderService).getPolicyConfigFactory(); + will(returnValue(pcf)); + allowing(jaccProviderServiceProxy).getPolicyName(); + will(returnValue(JACC_POLICY_PROVIDER_IMPL)); + allowing(jaccProviderServiceProxy).getFactoryName(); + will(returnValue(JACC_FACTORY_IMPL)); + allowing(wsLocationAdmin).resolveString("${wlp.user.dir}"); + will(returnValue(directory)); + allowing(wsLocationAdmin).getServerName(); + will(returnValue(name)); + 
allowing(cc).locateService("jaccService", jaccServiceRef); + will(returnValue(jaccService)); + allowing(esp).propagateEJBRoles(with(any(String.class)), with(any(String.class)), with(any(String.class)), with(any(HashMap.class)), with(any(HashMap.class)), + with(any(PolicyConfigurationManager.class))); + } + }); + try { + JaccServiceTestUtil.initJaccService(jaccService, jaccProviderServiceProxyRef, jaccProviderServiceRef, wsLocationAdminRef, cc); + ejbJaccService.setJaccService(jaccServiceRef); + ejbJaccService.activate(cc); + ejbJaccService.propagateEJBRoles(esp, appName, moduleName, beanName, rl, mm); + } catch (Exception e) { + e.printStackTrace(); + fail("Exception is caught : " + e); + } + } + + /** + * Tests isAuthorized method + * Expected result: false if there is no permission defined. + */ + @Test + public void isAuthorized() { + final String appName = "applicationName"; + final String moduleName = "moduleName"; + final String beanName = "testBean"; + final String methodName = "testMethod"; + final String methodInterface = "String"; + final String ms1 = null; + final List methodParameters = null; + final Subject subject = new Subject(); + + try { + assertFalse(ejbJaccService.isAuthorized(appName, moduleName, beanName, methodName, methodInterface, ms1, methodParameters, eBean, subject)); + } catch (Exception e) { + e.printStackTrace(); + fail("Exception is caught : " + e); + } + } + + /** + * Tests isAuthorized method + * Expected result: false if there is no permission defined. 
+ */ + @Test + public void isAuthorizedEjbValid() { + final String appName = "applicationName"; + final String moduleName = "moduleName"; + final String beanName = "testBean"; + final String methodName = "testMethod"; + final String methodInterface = "String"; + final String ms2 = "aaa:bbb,ccc,ddd"; + final String ms3 = "aaa"; + final String ms4 = "aaa:"; + final List mp = new ArrayList(); + final String directory = "/wlp/test"; + final String name = "jaccServer"; + final Subject subject = new Subject(); + final JaccServiceImpl jaccService = JaccServiceTestUtil.createJaccService(pcm); + + context.checking(new Expectations() { + { + allowing(jaccProviderServiceRef).getProperty(JACC_POLICY_PROVIDER); + allowing(jaccProviderServiceRef).getProperty(JACC_POLICY_PROVIDER_EE9); + will(returnValue(JACC_POLICY_PROVIDER_IMPL)); + allowing(jaccProviderServiceRef).getProperty(JACC_FACTORY); + allowing(jaccProviderServiceRef).getProperty(JACC_FACTORY_EE9); + will(returnValue(JACC_FACTORY_IMPL)); + allowing(cc).locateService("jaccProviderServiceProxy", jaccProviderServiceProxyRef); + will(returnValue(jaccProviderServiceProxy)); + allowing(cc).locateService("jaccProviderService", jaccProviderServiceRef); + will(returnValue(jaccProviderService)); + allowing(cc).locateService("locationAdmin", wsLocationAdminRef); + will(returnValue(wsLocationAdmin)); + allowing(jaccProviderServiceProxy).getPolicyProxy(); + will(returnValue(policyProxy)); + allowing(jaccProviderServiceProxy).getPolicyConfigFactory(); + will(returnValue(pcf)); + allowing(jaccProviderService).getPolicy(); + will(returnValue(policy)); + allowing(policyProxy).setPolicy(); + allowing(policyProxy).refresh(); + allowing(jaccProviderService).getPolicyConfigFactory(); + will(returnValue(pcf)); + allowing(jaccProviderServiceProxy).getPolicyName(); + will(returnValue(JACC_POLICY_PROVIDER_IMPL)); + allowing(jaccProviderServiceProxy).getFactoryName(); + will(returnValue(JACC_FACTORY_IMPL)); + 
allowing(wsLocationAdmin).resolveString("${wlp.user.dir}"); + will(returnValue(directory)); + allowing(wsLocationAdmin).getServerName(); + will(returnValue(name)); + allowing(cc).locateService("jaccService", jaccServiceRef); + will(returnValue(jaccService)); + allowing(policyProxy).implies(with(any(String.class)), with(any(Subject.class)), with(any(EJBMethodPermission.class))); + will(returnValue(true)); + } + }); + + try { + JaccServiceTestUtil.initJaccService(jaccService, jaccProviderServiceProxyRef, jaccProviderServiceRef, wsLocationAdminRef, cc); + ejbJaccService.setJaccService(jaccServiceRef); + ejbJaccService.activate(cc); + assertTrue(ejbJaccService.isAuthorized(appName, moduleName, beanName, methodName, methodInterface, ms2, mp, eBean, subject)); + // different method signature + assertTrue(ejbJaccService.isAuthorized(appName, moduleName, beanName, methodName, methodInterface, ms3, mp, eBean, subject)); + assertTrue(ejbJaccService.isAuthorized(appName, moduleName, beanName, methodName, methodInterface, ms4, mp, eBean, subject)); + } catch (Exception e) { + e.printStackTrace(); + fail("Exception is caught : " + e); + } + } + + /** + * Tests isSubjectInRole method + * Expected result: false if there is no permission defined. + */ + @Test + public void isEjbSubjectInRole() { + final String appName = "applicationName"; + final String moduleName = "moduleName"; + final String beanName = "testBean"; + final String methodName = "testMethod"; + final List mp = null; + final String role = "allRole"; + final Subject subject = new Subject(); + try { + // this is for null check + assertFalse(ejbJaccService.isSubjectInRole(appName, moduleName, beanName, methodName, mp, role, eBean, subject)); + } catch (Exception e) { + e.printStackTrace(); + fail("Exception is caught : " + e); + } + } + + /** + * Tests isSubjectInRole method + * Expected result: false if there is no permission defined. 
+ */ + @Test + public void isEjbSubjectInRoleValid() { + final String appName = "applicationName"; + final String moduleName = "moduleName"; + final String beanName = "testBean"; + final String methodName = "testMethod"; + final List mp = new ArrayList(); + final String role = "allRole"; + final String directory = "/wlp/test"; + final String name = "jaccServer"; + final Subject subject = new Subject(); + final JaccServiceImpl jaccService = JaccServiceTestUtil.createJaccService(pcm); + + context.checking(new Expectations() { + { + allowing(jaccProviderServiceRef).getProperty(JACC_POLICY_PROVIDER); + allowing(jaccProviderServiceRef).getProperty(JACC_POLICY_PROVIDER_EE9); + will(returnValue(JACC_POLICY_PROVIDER_IMPL)); + allowing(jaccProviderServiceRef).getProperty(JACC_FACTORY); + allowing(jaccProviderServiceRef).getProperty(JACC_FACTORY_EE9); + will(returnValue(JACC_FACTORY_IMPL)); + allowing(cc).locateService("jaccProviderServiceProxy", jaccProviderServiceProxyRef); + will(returnValue(jaccProviderServiceProxy)); + allowing(cc).locateService("jaccProviderService", jaccProviderServiceRef); + will(returnValue(jaccProviderService)); + allowing(cc).locateService("locationAdmin", wsLocationAdminRef); + will(returnValue(wsLocationAdmin)); + allowing(jaccProviderServiceProxy).getPolicyProxy(); + will(returnValue(policyProxy)); + allowing(jaccProviderServiceProxy).getPolicyConfigFactory(); + will(returnValue(pcf)); + allowing(jaccProviderService).getPolicy(); + will(returnValue(policy)); + allowing(policyProxy).setPolicy(); + allowing(policyProxy).refresh(); + allowing(jaccProviderService).getPolicyConfigFactory(); + will(returnValue(pcf)); + allowing(jaccProviderServiceProxy).getPolicyName(); + will(returnValue(JACC_POLICY_PROVIDER_IMPL)); + allowing(jaccProviderServiceProxy).getFactoryName(); + will(returnValue(JACC_FACTORY_IMPL)); + allowing(wsLocationAdmin).resolveString("${wlp.user.dir}"); + will(returnValue(directory)); + allowing(wsLocationAdmin).getServerName(); + 
will(returnValue(name)); + allowing(cc).locateService("jaccService", jaccServiceRef); + will(returnValue(jaccService)); + allowing(policyProxy).implies(with(any(String.class)), with(any(Subject.class)), with(any(EJBRoleRefPermission.class))); + will(returnValue(true)); + } + }); + + try { + JaccServiceTestUtil.initJaccService(jaccService, jaccProviderServiceProxyRef, jaccProviderServiceRef, wsLocationAdminRef, cc); + ejbJaccService.setJaccService(jaccServiceRef); + ejbJaccService.activate(cc); + assertTrue(ejbJaccService.isSubjectInRole(appName, moduleName, beanName, methodName, mp, role, eBean, subject)); + } catch (Exception e) { + e.printStackTrace(); + fail("Exception is caught : " + e); + } + } + + private void areRequestMethodArgumentsRequired(Object value, boolean expectedValue) { + final JaccServiceImpl jaccService = JaccServiceTestUtil.createJaccService(pcm); + context.checking(new Expectations() { + { + allowing(jaccProviderServiceRef).getProperty(JACC_POLICY_PROVIDER); + allowing(jaccProviderServiceRef).getProperty(JACC_POLICY_PROVIDER_EE9); + will(returnValue(JACC_POLICY_PROVIDER_IMPL)); + allowing(jaccProviderServiceRef).getProperty(JACC_FACTORY); + allowing(jaccProviderServiceRef).getProperty(JACC_FACTORY_EE9); + will(returnValue(JACC_FACTORY_IMPL)); + allowing(cc).locateService("jaccProviderServiceProxy", jaccProviderServiceProxyRef); + will(returnValue(jaccProviderServiceProxy)); + allowing(cc).locateService("jaccProviderService", jaccProviderServiceRef); + will(returnValue(jaccProviderService)); + allowing(cc).locateService("locationAdmin", wsLocationAdminRef); + will(returnValue(wsLocationAdmin)); + allowing(jaccProviderServiceProxy).getPolicyProxy(); + will(returnValue(policyProxy)); + allowing(jaccProviderServiceProxy).getPolicyConfigFactory(); + will(returnValue(pcf)); + allowing(jaccProviderService).getPolicy(); + will(returnValue(policy)); + allowing(policyProxy).setPolicy(); + allowing(policyProxy).refresh(); + 
allowing(jaccProviderService).getPolicyConfigFactory(); + will(returnValue(pcf)); + allowing(jaccProviderServiceProxy).getPolicyName(); + will(returnValue(JACC_POLICY_PROVIDER_IMPL)); + allowing(jaccProviderServiceProxy).getFactoryName(); + will(returnValue(JACC_FACTORY_IMPL)); + allowing(jaccProviderServiceProxy).getProperty(JACC_EJB_METHOD_ARGUMENT); + will(returnValue(value)); + allowing(jaccProviderServiceRef).getProperty(JACC_EJB_METHOD_ARGUMENT); + will(returnValue(value)); + allowing(cc).locateService("jaccService", jaccServiceRef); + will(returnValue(jaccService)); + } + }); + + try { + JaccServiceTestUtil.initJaccService(jaccService, jaccProviderServiceProxyRef, jaccProviderServiceRef, wsLocationAdminRef, cc); + ejbJaccService.setJaccService(jaccServiceRef); + ejbJaccService.activate(cc); + assertEquals(expectedValue, ejbJaccService.areRequestMethodArgumentsRequired()); + } catch (Exception e) { + e.printStackTrace(); + fail("Exception is caught : " + e); + } + } + + /** + * Tests areRequestMethodArgumentsRequired method + * Expected result: true + */ + @Test + public void areRequestMethodArgumentsRequiredTrue() { + areRequestMethodArgumentsRequired("true", true); + } + + /** + * Tests areRequestMethodArgumentsRequired method + * Expected result: false + */ + @Test + public void areRequestMethodArgumentsRequiredFalseNull() { + areRequestMethodArgumentsRequired(null, false); + } + + /** + * Tests areRequestMethodArgumentsRequired method + * Expected result: false + */ + @Test + public void areRequestMethodArgumentsRequiredFalseInvalidObject() { + areRequestMethodArgumentsRequired(new Object(), false); + } + + /** + * Tests areRequestMethodArgumentsRequired method + * Expected result: false + */ + @Test + public void areRequestMethodArgumentsRequiredFalse() { + areRequestMethodArgumentsRequired("false", false); + } +} 
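Review bot: tearDown in the new EJBJaccServiceImplTest never restores the two factory-provider properties: the `origFn`/`origFnEe9` branches call `System.getProperty(JACC_FACTORY, origFn)` and `System.getProperty(JACC_FACTORY_EE9, origFnEe9)`, which only read the value, so whichever PolicyConfigurationFactory class name a test left in the JVM stays set for every test that runs afterwards; those two lines should be `System.setProperty(JACC_FACTORY, origFn);` and `System.setProperty(JACC_FACTORY_EE9, origFnEe9);`. Every positive path in this file also stubs `policyProxy.implies(...)` to return true, so nothing here shows that isAuthorized or isSubjectInRole returns false when the policy denies; a second expectation set with `will(returnValue(false))` would pin the fail-closed path, which is the one that matters for an authorization service. The deleted EJBSecurityValidatorImplTest covered a null bean, a non-EnterpriseBean bean argument, and the java:comp/EJBContext MessageContext lookup including its IllegalStateException path; if that validator logic was inlined into EJBJaccServiceImpl as the description says, those cases appear to have no replacement in this file.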
diff --git a/dev/com.ibm.ws.security.authorization.jacc.ejb/test/com/ibm/ws/security/authorization/jacc/ejb/impl/EJBSecurityValidatorImplWithTraceTest.java b/dev/com.ibm.ws.security.authorization.jacc.ejb/test/com/ibm/ws/security/authorization/jacc/ejb/impl/EJBJaccServiceImplWithTraceTest.java old mode 100755 new mode 100644 similarity index 80% rename from dev/com.ibm.ws.security.authorization.jacc.ejb/test/com/ibm/ws/security/authorization/jacc/ejb/impl/EJBSecurityValidatorImplWithTraceTest.java rename to dev/com.ibm.ws.security.authorization.jacc.ejb/test/com/ibm/ws/security/authorization/jacc/ejb/impl/EJBJaccServiceImplWithTraceTest.java index 8ca61fab0bcb..8b489ae0bed3 --- a/dev/com.ibm.ws.security.authorization.jacc.ejb/test/com/ibm/ws/security/authorization/jacc/ejb/impl/EJBSecurityValidatorImplWithTraceTest.java +++ b/dev/com.ibm.ws.security.authorization.jacc.ejb/test/com/ibm/ws/security/authorization/jacc/ejb/impl/EJBJaccServiceImplWithTraceTest.java @@ -1,16 +1,12 @@ /******************************************************************************* - * Copyright (c) 2015, 2020 IBM Corporation and others. + * Copyright (c) 2015, 2024 IBM Corporation and others. * All rights reserved. This program and the accompanying materials * are made available under the terms of the Eclipse Public License 2.0 * which accompanies this distribution, and is available at * http://www.eclipse.org/legal/epl-2.0/ - * - * SPDX-License-Identifier: EPL-2.0 * - * Contributors: - * IBM Corporation - initial API and implementation + * SPDX-License-Identifier: EPL-2.0 *******************************************************************************/ - package com.ibm.ws.security.authorization.jacc.ejb.impl; import org.junit.AfterClass; 
@@ -21,7 +17,7 @@ * Used to drive out any lingering bugs which may only be discovered * when tracing is enabled. */ -public class EJBSecurityValidatorImplWithTraceTest extends EJBSecurityValidatorImplTest { +public class EJBJaccServiceImplWithTraceTest extends EJBJaccServiceImplTest { @BeforeClass public static void traceSetUp() { diff --git a/dev/com.ibm.ws.security.authorization.jacc.ejb/test/com/ibm/ws/security/authorization/jacc/ejb/impl/EJBSecurityPropagatorImplTest.java b/dev/com.ibm.ws.security.authorization.jacc.ejb/test/com/ibm/ws/security/authorization/jacc/ejb/impl/EJBSecurityPropagatorImplTest.java index 2f163d5b2189..47903e49037f 100755 --- a/dev/com.ibm.ws.security.authorization.jacc.ejb/test/com/ibm/ws/security/authorization/jacc/ejb/impl/EJBSecurityPropagatorImplTest.java +++ b/dev/com.ibm.ws.security.authorization.jacc.ejb/test/com/ibm/ws/security/authorization/jacc/ejb/impl/EJBSecurityPropagatorImplTest.java @@ -1,10 +1,10 @@ /******************************************************************************* - * Copyright (c) 2015, 2020 IBM Corporation and others. + * Copyright (c) 2015, 2024 IBM Corporation and others. * All rights reserved. This program and the accompanying materials * are made available under the terms of the Eclipse Public License 2.0 * which accompanies this distribution, and is available at * http://www.eclipse.org/legal/epl-2.0/ - * + * * SPDX-License-Identifier: EPL-2.0 * * Contributors: @@ -36,8 +36,9 @@ import org.junit.rules.TestRule; import com.ibm.ws.security.authorization.jacc.MethodInfo; +import com.ibm.ws.security.authorization.jacc.PolicyConfigurationManager; import com.ibm.ws.security.authorization.jacc.RoleInfo; -import com.ibm.ws.security.authorization.jacc.common.PolicyConfigurationManager; +import com.ibm.ws.security.authorization.jacc.common.PolicyConfigurationManagerImpl; import test.common.SharedOutputManager; 
@@ -56,11 +57,13 @@ public class EJBSecurityPropagatorImplTest {
     private final String STARSTAR = "**";
     private PolicyConfigurationFactory pcf = null;
+    private PolicyConfigurationManager pcm = null;
     @Before
     public void setUp() {
         pcf = new DummyPolicyConfigurationFactory(pc);
-        PolicyConfigurationManager.initialize(null, pcf);
+        pcm = new PolicyConfigurationManagerImpl();
+        pcm.initialize(null, pcf);
     }
     @After
@@ -91,8 +94,8 @@ public void propagateEJBRoleRefPermissionsNormal() {
         }
         EJBSecurityPropagatorImpl esp = new EJBSecurityPropagatorImpl();
-        esp.propagateEJBRoles(contextId, appName, beanName, roleLinkMap, methodMap);
-        esp.processEJBRoles(pcf, contextId);
+        esp.propagateEJBRoles(contextId, appName, beanName, roleLinkMap, methodMap, pcm);
+        esp.processEJBRoles(pcf, contextId, pcm);
     }
     /**
@@ -126,8 +129,8 @@ public void propagateRoleRefs() {
         }
         EJBSecurityPropagatorImpl esp = new EJBSecurityPropagatorImpl();
-        esp.propagateEJBRoles(contextId, appName, beanName, roleLinkMap, methodMap);
-        esp.processEJBRoles(pcf, contextId);
+        esp.propagateEJBRoles(contextId, appName, beanName, roleLinkMap, methodMap, pcm);
+        esp.processEJBRoles(pcf, contextId, pcm);
     }
     /**
@@ -171,8 +174,8 @@ public void propagateMethodPermissionsValidRole() {
         }
         EJBSecurityPropagatorImpl esp = new EJBSecurityPropagatorImpl();
-        esp.propagateEJBRoles(contextId, appName, beanName, roleLinkMap, methodMap);
-        esp.processEJBRoles(pcf, contextId);
+        esp.propagateEJBRoles(contextId, appName, beanName, roleLinkMap, methodMap, pcm);
+        esp.processEJBRoles(pcf, contextId, pcm);
     }
     /**
@@ -209,8 +212,8 @@ public void propagateMethodPermissionsValidDenyAll() {
         }
         EJBSecurityPropagatorImpl esp = new EJBSecurityPropagatorImpl();
-        esp.propagateEJBRoles(contextId, appName, beanName, roleLinkMap, methodMap);
-        esp.processEJBRoles(pcf, contextId);
+        esp.propagateEJBRoles(contextId, appName, beanName, roleLinkMap, methodMap, pcm);
+        esp.processEJBRoles(pcf, contextId, pcm);
     }
     /**
@@ -247,8 +250,8 @@ public void propagateMethodPermissionsValidPermitAll() {
         }
         EJBSecurityPropagatorImpl esp = new EJBSecurityPropagatorImpl();
-        esp.propagateEJBRoles(contextId, appName, beanName, roleLinkMap, methodMap);
-        esp.processEJBRoles(pcf, contextId);
+        esp.propagateEJBRoles(contextId, appName, beanName, roleLinkMap, methodMap, pcm);
+        esp.processEJBRoles(pcf, contextId, pcm);
     }
 }
diff --git a/dev/com.ibm.ws.security.authorization.jacc.ejb/test/com/ibm/ws/security/authorization/jacc/ejb/impl/EJBSecurityValidatorImplTest.java b/dev/com.ibm.ws.security.authorization.jacc.ejb/test/com/ibm/ws/security/authorization/jacc/ejb/impl/EJBSecurityValidatorImplTest.java
deleted file mode 100755
index 6c7a8e8a75ea..000000000000
--- a/dev/com.ibm.ws.security.authorization.jacc.ejb/test/com/ibm/ws/security/authorization/jacc/ejb/impl/EJBSecurityValidatorImplTest.java
+++ /dev/null
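Review bot: Each of the five propagate tests in EJBSecurityPropagatorImplTest now threads the per-test `pcm` through `propagateEJBRoles` and `processEJBRoles`, but the visible hunks end right after `esp.processEJBRoles(pcf, contextId, pcm);` with no assertion on what reached the PolicyConfiguration, so a provider that silently drops the EJBMethodPermission or EJBRoleRefPermission entries would still pass. Unless expectations on the `pc` mock earlier in each method (outside the hunk) already pin the added permissions, a `context.assertIsSatisfied();` after the process call, or an explicit `oneOf(pc).addToRole(...)` expectation per role, would make these tests check the propagation rather than just that it does not throw. The setUp change also passes `null` as the first argument of `pcm.initialize(null, pcf)`; a short comment saying what that parameter is and why null is acceptable in a unit test would help the next reader.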
@@ -1,223 +0,0 @@ -/******************************************************************************* - * Copyright (c) 2015, 2024 IBM Corporation and others. - * All rights reserved. This program and the accompanying materials - * are made available under the terms of the Eclipse Public License 2.0 - * which accompanies this distribution, and is available at - * http://www.eclipse.org/legal/epl-2.0/ - * - * SPDX-License-Identifier: EPL-2.0 - * - * Contributors: - * IBM Corporation - initial API and implementation - *******************************************************************************/ - -package com.ibm.ws.security.authorization.jacc.ejb.impl; - -import static org.junit.Assert.assertEquals; -import static org.junit.Assert.assertFalse; -import static org.junit.Assert.assertNull; -import static org.junit.Assert.fail; - -import java.security.Principal; -import java.util.ArrayList; -import java.util.HashSet; -import java.util.List; -import java.util.Set; - -import javax.ejb.EnterpriseBean; -import javax.ejb.SessionContext; -import javax.naming.Context; -import javax.naming.NamingException; -import javax.security.auth.Subject; -import javax.security.auth.x500.X500Principal; -import javax.security.jacc.EJBRoleRefPermission; -import javax.xml.rpc.handler.MessageContext; - -import org.jmock.Expectations; -import org.jmock.Mockery; -import org.jmock.integration.junit4.JUnit4Mockery; -import org.junit.After; -import org.junit.Rule; -import org.junit.Test; -import org.junit.rules.TestRule; - -import io.openliberty.security.authorization.jacc.internal.proxy.JavaSePolicyProxyImpl; -import test.common.SharedOutputManager; - -public class EJBSecurityValidatorImplTest { - static final SharedOutputManager outputMgr = SharedOutputManager.getInstance(); - /** - * Using the test rule will drive capture/restore and will dump on error.. - * Notice this is not a static variable, though it is being assigned a value we - * allocated statically. 
-- the normal-variable-ness is for before/after processing - */ - @Rule - public TestRule managerRule = outputMgr; - - private final Mockery context = new JUnit4Mockery(); - private final EnterpriseBean eBean = context.mock(EnterpriseBean.class); - private final Context ic = context.mock(Context.class); - private final SessionContext sc = context.mock(SessionContext.class); - private final MessageContext mc = context.mock(MessageContext.class); - - @After - public void tearDown() throws Exception { - context.assertIsSatisfied(); - } - - /** - * Tests checkResourceConstraints method - * Expected result: false - */ - @Test - public void checkResourceConstraintsNormal() { - final String contextId = "test#context#Id"; - final List methodParameters = new ArrayList(); - final String parm1 = "parm1"; - methodParameters.add(parm1); - final String beanName = "beanName"; - final String role = "ejbRole"; - final Subject subject = new Subject(); - final EJBRoleRefPermission ejbPerm = new EJBRoleRefPermission(beanName, role); - EJBSecurityValidatorImpl esv = new EJBSecurityValidatorImpl(); - assertFalse(esv.checkResourceConstraints(contextId, methodParameters, eBean, ejbPerm, subject, new JavaSePolicyProxyImpl())); - } - - /** - * Tests checkResourceConstraints method with null method params. 
- * Expected result: false - */ - @Test - public void checkResourceConstraintsNullEmptyMethodParams() { - final String contextId = "test#context#Id"; - final List methodParameters = new ArrayList(); - final String beanName = "beanName"; - final String role = "ejbRole"; - final Subject subject = new Subject(); - final EJBRoleRefPermission ejbPerm = new EJBRoleRefPermission(beanName, role); - EJBSecurityValidatorImpl esv = new EJBSecurityValidatorImpl(); - assertFalse(esv.checkResourceConstraints(contextId, null, eBean, ejbPerm, subject, new JavaSePolicyProxyImpl())); - assertFalse(esv.checkResourceConstraints(contextId, methodParameters, eBean, ejbPerm, subject, new JavaSePolicyProxyImpl())); - } - - /** - * Tests checkResourceConstraints method with null bean - * Expected result: false - */ - @Test - public void checkResourceConstraintsNullBean() { - final String contextId = "test#context#Id"; - final List methodParameters = new ArrayList(); - final String parm1 = "parm1"; - methodParameters.add(parm1); - final String beanName = "beanName"; - final String role = "ejbRole"; - final Subject subject = new Subject(); - final EJBRoleRefPermission ejbPerm = new EJBRoleRefPermission(beanName, role); - EJBSecurityValidatorImpl esv = new EJBSecurityValidatorImpl(); - assertFalse(esv.checkResourceConstraints(contextId, methodParameters, null, ejbPerm, subject, new JavaSePolicyProxyImpl())); - } - - /** - * Tests checkResourceConstraints method with invalid object - * Expected result: false - */ - @Test - public void checkResourceConstraintsInvalidBean() { - final String contextId = "test#context#Id"; - final List methodParameters = new ArrayList(); - final String parm1 = "parm1"; - methodParameters.add(parm1); - final String beanName = "beanName"; - final String role = "ejbRole"; - final Subject subject = new Subject(); - final EJBRoleRefPermission ejbPerm = new EJBRoleRefPermission(beanName, role); - EJBSecurityValidatorImpl esv = new EJBSecurityValidatorImpl(); - 
assertFalse(esv.checkResourceConstraints(contextId, methodParameters, new String("invalid"), ejbPerm, subject, new JavaSePolicyProxyImpl())); - } - - /** - * Tests checkResourceConstraints method - * Expected result: true - */ - @Test - public void checkResourceConstraintsNullSubject() { - final String contextId = "test#context#Id"; - final List methodParameters = new ArrayList(); - final String beanName = "beanName"; - final String role = "ejbRole"; - final Principal principal = new X500Principal("cn=data"); - final Set principals = new HashSet(); - final Set credentials = new HashSet(); - principals.add(principal); - final Subject subject = new Subject(false, principals, credentials, credentials); - final EJBRoleRefPermission ejbPerm = new EJBRoleRefPermission(beanName, role); - EJBSecurityValidatorImpl esv = new EJBSecurityValidatorImpl(); - assertFalse(esv.checkResourceConstraints(contextId, methodParameters, eBean, ejbPerm, subject, new JavaSePolicyProxyImpl())); - } - - /** - * Tests getMessageContext method - * Expected result: null if MessageContext doesn't exist - */ - @Test - public void getMessageContextNullMC() { - try { - context.checking(new Expectations() { - { - allowing(ic).lookup("java:comp/EJBContext"); - will(returnValue(null)); - } - }); - } catch (NamingException e) { - fail("NamingException is caught." + e); - } - EJBSecurityValidatorImpl esv = new EJBSecurityValidatorImpl(); - assertNull(esv.getMessageContext(ic)); - } - - /** - * Tests getMessageContext method - * Expected result: valid if MessageContext exists - */ - @Test - public void getMessageContextValidMC() { - try { - context.checking(new Expectations() { - { - allowing(ic).lookup("java:comp/EJBContext"); - will(returnValue(sc)); - allowing(sc).getMessageContext(); - will(returnValue(mc)); - } - }); - } catch (NamingException e) { - fail("NamingException is caught." 
+ e); - } - EJBSecurityValidatorImpl esv = new EJBSecurityValidatorImpl(); - assertEquals(mc, esv.getMessageContext(ic)); - } - - /** - * Tests getMessageContext method - * Expected result: null when IllegalStateException - */ - @Test - public void getMessageContextISE() { - try { - context.checking(new Expectations() { - { - allowing(ic).lookup("java:comp/EJBContext"); - will(returnValue(sc)); - allowing(sc).getMessageContext(); - will(throwException(new IllegalStateException())); - } - }); - } catch (NamingException e) { - fail("NamingException is caught." + e); - } - EJBSecurityValidatorImpl esv = new EJBSecurityValidatorImpl(); - assertNull(esv.getMessageContext(ic)); - } - -} diff --git a/dev/com.ibm.ws.security.authorization.jacc.ejb/test/com/ibm/ws/security/authorization/jacc/ejb/impl/EJBServiceImplTest.java b/dev/com.ibm.ws.security.authorization.jacc.ejb/test/com/ibm/ws/security/authorization/jacc/ejb/impl/EJBServiceImplTest.java deleted file mode 100755 index 962c97570907..000000000000 --- a/dev/com.ibm.ws.security.authorization.jacc.ejb/test/com/ibm/ws/security/authorization/jacc/ejb/impl/EJBServiceImplTest.java +++ /dev/null 
@@ -1,93 +0,0 @@ -/******************************************************************************* - * Copyright (c) 2015, 2020 IBM Corporation and others. - * All rights reserved. This program and the accompanying materials - * are made available under the terms of the Eclipse Public License 2.0 - * which accompanies this distribution, and is available at - * http://www.eclipse.org/legal/epl-2.0/ - * - * SPDX-License-Identifier: EPL-2.0 - * - * Contributors: - * IBM Corporation - initial API and implementation - *******************************************************************************/ - -package com.ibm.ws.security.authorization.jacc.ejb.impl; - -import static org.junit.Assert.assertEquals; -import static org.junit.Assert.fail; - -import org.jmock.Mockery; -import org.jmock.integration.junit4.JUnit4Mockery; -import org.junit.Rule; -import org.junit.Test; -import org.junit.rules.TestRule; -import org.osgi.service.component.ComponentContext; - -import com.ibm.ws.security.authorization.jacc.ejb.EJBSecurityPropagator; -import com.ibm.ws.security.authorization.jacc.ejb.EJBSecurityValidator; - -import test.common.SharedOutputManager; - -public class EJBServiceImplTest { - static final SharedOutputManager outputMgr = SharedOutputManager.getInstance(); - /** - * Using the test rule will drive capture/restore and will dump on error.. - * Notice this is not a static variable, though it is being assigned a value we - * allocated statically. 
-- the normal-variable-ness is for before/after processing - */ - @Rule - public TestRule managerRule = outputMgr; - - private final Mockery context = new JUnit4Mockery(); - private final ComponentContext cc = context.mock(ComponentContext.class); - - /** - * Tests activate/deactivate method - * Expected result: true - */ - @Test - public void activateDeactivateNormal() { - try { - EJBServiceImpl es = new EJBServiceImpl(); - es.activate(cc); - es.deactivate(cc); - } catch (Exception e) { - e.printStackTrace(); - fail("An exception is caught : " + e); - } - } - - /** - * Tests getPropagator method - * Expected result: true - */ - @Test - public void getPropagatorNormal() { - try { - EJBServiceImpl es = new EJBServiceImpl(); - EJBSecurityPropagator esp = es.getPropagator(); - // make sure that it returns the singleton. - assertEquals(esp, es.getPropagator()); - } catch (Exception e) { - e.printStackTrace(); - fail("An exception is caught : " + e); - } - } - - /** - * Tests getValidator method - * Expected result: true - */ - @Test - public void getValidatorNormal() { - try { - EJBServiceImpl es = new EJBServiceImpl(); - EJBSecurityValidator esv = es.getValidator(); - // make sure that it returns the singleton. - assertEquals(esv, es.getValidator()); - } catch (Exception e) { - e.printStackTrace(); - fail("An exception is caught : " + e); - } - } -} diff --git a/dev/com.ibm.ws.ejbcontainer.security/test/com/ibm/ws/ejbcontainer/security/internal/jacc/JaccUtilTest.java b/dev/com.ibm.ws.security.authorization.jacc.ejb/test/com/ibm/ws/security/authorization/jacc/ejb/impl/JaccUtilTest.java similarity index 99% rename from dev/com.ibm.ws.ejbcontainer.security/test/com/ibm/ws/ejbcontainer/security/internal/jacc/JaccUtilTest.java rename to dev/com.ibm.ws.security.authorization.jacc.ejb/test/com/ibm/ws/security/authorization/jacc/ejb/impl/JaccUtilTest.java index 04a9033a96dd..e075d8be7faf 100644 
--- a/dev/com.ibm.ws.ejbcontainer.security/test/com/ibm/ws/ejbcontainer/security/internal/jacc/JaccUtilTest.java +++ b/dev/com.ibm.ws.security.authorization.jacc.ejb/test/com/ibm/ws/security/authorization/jacc/ejb/impl/JaccUtilTest.java @@ -1,16 +1,16 @@ /******************************************************************************* - * Copyright (c) 2015, 2022 IBM Corporation and others. + * Copyright (c) 2015, 2024 IBM Corporation and others. * All rights reserved. This program and the accompanying materials * are made available under the terms of the Eclipse Public License 2.0 * which accompanies this distribution, and is available at * http://www.eclipse.org/legal/epl-2.0/ - * + * * SPDX-License-Identifier: EPL-2.0 * * Contributors: * IBM Corporation - initial API and implementation *******************************************************************************/ -package com.ibm.ws.ejbcontainer.security.internal.jacc; +package com.ibm.ws.security.authorization.jacc.ejb.impl; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertNotNull; diff --git a/dev/com.ibm.ws.ejbcontainer.security/test/com/ibm/ws/ejbcontainer/security/internal/jacc/JaccUtilWithTraceTest.java b/dev/com.ibm.ws.security.authorization.jacc.ejb/test/com/ibm/ws/security/authorization/jacc/ejb/impl/JaccUtilWithTraceTest.java similarity index 89% rename from dev/com.ibm.ws.ejbcontainer.security/test/com/ibm/ws/ejbcontainer/security/internal/jacc/JaccUtilWithTraceTest.java rename to dev/com.ibm.ws.security.authorization.jacc.ejb/test/com/ibm/ws/security/authorization/jacc/ejb/impl/JaccUtilWithTraceTest.java index 7a55dde6b4de..583fde98cec2 100644 --- a/dev/com.ibm.ws.ejbcontainer.security/test/com/ibm/ws/ejbcontainer/security/internal/jacc/JaccUtilWithTraceTest.java +++ b/dev/com.ibm.ws.security.authorization.jacc.ejb/test/com/ibm/ws/security/authorization/jacc/ejb/impl/JaccUtilWithTraceTest.java 
@@ -1,16 +1,16 @@ /******************************************************************************* - * Copyright (c) 2015, 2022 IBM Corporation and others. + * Copyright (c) 2015, 2024 IBM Corporation and others. * All rights reserved. This program and the accompanying materials * are made available under the terms of the Eclipse Public License 2.0 * which accompanies this distribution, and is available at * http://www.eclipse.org/legal/epl-2.0/ - * + * * SPDX-License-Identifier: EPL-2.0 * * Contributors: * IBM Corporation - initial API and implementation *******************************************************************************/ -package com.ibm.ws.ejbcontainer.security.internal.jacc; +package com.ibm.ws.security.authorization.jacc.ejb.impl; import org.junit.AfterClass; import org.junit.BeforeClass; diff --git a/dev/com.ibm.ws.security.authorization.jacc.ejb/test/com/ibm/ws/security/authorization/jacc/internal/DummyPolicy.java b/dev/com.ibm.ws.security.authorization.jacc.ejb/test/com/ibm/ws/security/authorization/jacc/internal/DummyPolicy.java new file mode 100644 index 000000000000..776ca819084d --- /dev/null +++ b/dev/com.ibm.ws.security.authorization.jacc.ejb/test/com/ibm/ws/security/authorization/jacc/internal/DummyPolicy.java 
@@ -0,0 +1,39 @@
+/*******************************************************************************
+ * Copyright (c) 2015, 2024 IBM Corporation and others.
+ * All rights reserved. This program and the accompanying materials
+ * are made available under the terms of the Eclipse Public License 2.0
+ * which accompanies this distribution, and is available at
+ * http://www.eclipse.org/legal/epl-2.0/
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *******************************************************************************/
+package com.ibm.ws.security.authorization.jacc.internal;
+
+import java.security.CodeSource;
+import java.security.Permission;
+import java.security.PermissionCollection;
+import java.security.Policy;
+import java.security.ProtectionDomain;
+
+public class DummyPolicy extends Policy {
+ public DummyPolicy() {}
+
+ @Override
+ public PermissionCollection getPermissions(CodeSource codeSource) {
+ return null;
+ }
+
+ @Override
+ public void refresh() {}
+
+ @Override
+ public PermissionCollection getPermissions(ProtectionDomain domain) {
+ return null;
+ }
+
+ @Override
+ public boolean implies(ProtectionDomain pd, Permission p) {
+ return true;
+ }
+
+}
diff --git a/dev/com.ibm.ws.security.authorization.jacc.ejb/test/com/ibm/ws/security/authorization/jacc/internal/DummyPolicyConfigurationFactory.java b/dev/com.ibm.ws.security.authorization.jacc.ejb/test/com/ibm/ws/security/authorization/jacc/internal/DummyPolicyConfigurationFactory.java
new file mode 100644
index 000000000000..ff77e1f2ade3
--- /dev/null
+++ b/dev/com.ibm.ws.security.authorization.jacc.ejb/test/com/ibm/ws/security/authorization/jacc/internal/DummyPolicyConfigurationFactory.java
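Review bot: DummyPolicy is a permit-all stub — `implies` returns true for every ProtectionDomain and Permission and both `getPermissions` overloads return null — but nothing in the class says so, and a reader of the tests that install it cannot tell from the name alone that the permission decision is being bypassed rather than exercised. A class-level Javadoc would make that explicit: `/** Permit-all Policy for unit tests: implies() always returns true and getPermissions() returns null, so tests that install it do not exercise the permission check itself. */`. Returning null from `getPermissions` also differs from the java.security.Policy default, which returns an empty collection; if that is deliberate, a one-line comment on those two methods would help.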
@@ -0,0 +1,44 @@
+/*******************************************************************************
+ * Copyright (c) 2015, 2024 IBM Corporation and others.
+ * All rights reserved. This program and the accompanying materials
+ * are made available under the terms of the Eclipse Public License 2.0
+ * which accompanies this distribution, and is available at
+ * http://www.eclipse.org/legal/epl-2.0/
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *******************************************************************************/
+
+package com.ibm.ws.security.authorization.jacc.internal;
+
+import javax.security.jacc.PolicyConfiguration;
+import javax.security.jacc.PolicyConfigurationFactory;
+import javax.security.jacc.PolicyContextException;
+
+public class DummyPolicyConfigurationFactory extends PolicyConfigurationFactory {
+ private PolicyConfiguration pc = null;
+
+ public DummyPolicyConfigurationFactory(PolicyConfiguration pc) {
+ this.pc = pc;
+ }
+
+ public DummyPolicyConfigurationFactory() {
+ }
+
+ public PolicyConfiguration getPolicyConfiguration() {
+ return pc;
+ }
+
+ public PolicyConfiguration getPolicyConfiguration(String contextID) {
+ return pc;
+ }
+
+ @Override
+ public PolicyConfiguration getPolicyConfiguration(String contextId, boolean flag) throws PolicyContextException {
+ return pc;
+ }
+
+ @Override
+ public boolean inService(String contextID) throws PolicyContextException {
+ return true;
+ }
+}
diff --git a/dev/com.ibm.ws.security.authorization.jacc.ejb/test/com/ibm/ws/security/authorization/jacc/internal/JaccServiceTestUtil.java b/dev/com.ibm.ws.security.authorization.jacc.ejb/test/com/ibm/ws/security/authorization/jacc/internal/JaccServiceTestUtil.java
new file mode 100644
index 000000000000..83f0c735e3b0
--- /dev/null
+++ b/dev/com.ibm.ws.security.authorization.jacc.ejb/test/com/ibm/ws/security/authorization/jacc/internal/JaccServiceTestUtil.java
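Review bot: The no-argument and single-String `getPolicyConfiguration` methods carry no `@Override` while the two-argument overload and `inService` do, which leaves it unclear whether they are meant to override anything; with the javax.security.jacc imports at the top of this hunk they are plain extra methods on the test factory. If they exist so the same test class compiles against a newer Jakarta Authorization API after transformation, a comment on them such as `// not on the javax 1.5 base class; matches the newer Jakarta overloads so the stub works for both` would save the next reader from checking. The class itself could also use a one-line Javadoc stating that every lookup returns the single configuration handed to the constructor.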
@@ -0,0 +1,48 @@
+/*******************************************************************************
+ * Copyright (c) 2024 IBM Corporation and others.
+ * All rights reserved. This program and the accompanying materials
+ * are made available under the terms of the Eclipse Public License 2.0
+ * which accompanies this distribution, and is available at
+ * http://www.eclipse.org/legal/epl-2.0/
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *******************************************************************************/
+package com.ibm.ws.security.authorization.jacc.internal;
+
+import org.osgi.framework.ServiceReference;
+import org.osgi.service.component.ComponentContext;
+
+import com.ibm.ws.security.authorization.jacc.PolicyConfigurationManager;
+import com.ibm.ws.security.authorization.jacc.common.ProviderServiceProxy;
+import com.ibm.wsspi.kernel.service.location.WsLocationAdmin;
+import com.ibm.wsspi.security.authorization.jacc.ProviderService;
+
+import io.openliberty.security.authorization.jacc.internal.proxy.ProviderServiceProxyImpl;
+import io.openliberty.security.authorization.jacc.internal.proxy.ProxyTestUtil;
+
+public class JaccServiceTestUtil {
+
+ /**
+ * @param pcm
+ */
+ public static JaccServiceImpl createJaccService(PolicyConfigurationManager pcm) {
+ return new JaccServiceImpl(pcm);
+ }
+
+ /**
+ * @param jaccService
+ * @param jaccProviderServiceProxyRef
+ * @param jaccProviderServiceRef
+ * @param wsLocationAdminRef
+ * @param cc
+ */
+ public static void initJaccService(JaccServiceImpl jaccService, ServiceReference jaccProviderServiceProxyRef,
+ ServiceReference jaccProviderServiceRef, ServiceReference wsLocationAdminRef,
+ ComponentContext cc) {
+ jaccService.setJaccProviderServiceProxy(jaccProviderServiceProxyRef);
+ ProviderServiceProxyImpl providerServiceProxy = new ProviderServiceProxyImpl();
+ ProxyTestUtil.setProviderService(providerServiceProxy, jaccProviderServiceRef);
+ jaccService.setLocationAdmin(wsLocationAdminRef);
+ jaccService.activate(cc);
+ }
+}
diff --git a/dev/com.ibm.ws.security.authorization.jacc.ejb/test/io/openliberty/security/authorization/jacc/internal/proxy/ProxyTestUtil.java b/dev/com.ibm.ws.security.authorization.jacc.ejb/test/io/openliberty/security/authorization/jacc/internal/proxy/ProxyTestUtil.java
new file mode 100644
index 000000000000..b6ef29141679
--- /dev/null
+++ b/dev/com.ibm.ws.security.authorization.jacc.ejb/test/io/openliberty/security/authorization/jacc/internal/proxy/ProxyTestUtil.java
@@ -0,0 +1,35 @@
+/*******************************************************************************
+ * Copyright (c) 2024 IBM Corporation and others.
+ * All rights reserved. This program and the accompanying materials
+ * are made available under the terms of the Eclipse Public License 2.0
+ * which accompanies this distribution, and is available at
+ * http://www.eclipse.org/legal/epl-2.0/
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *******************************************************************************/
+package io.openliberty.security.authorization.jacc.internal.proxy;
+
+import java.security.Policy;
+
+import org.osgi.framework.ServiceReference;
+
+import com.ibm.ws.security.authorization.jacc.common.PolicyProxy;
+import com.ibm.wsspi.security.authorization.jacc.ProviderService;
+
+/**
+ * Utility to set the ProviderService ServiceReference and create a PolicyProxy
+ */
+public class ProxyTestUtil {
+ public static void setProviderService(ProviderServiceProxyImpl providerServiceProxy, ServiceReference jaccProviderServiceRef) {
+ providerServiceProxy.setJaccProviderService(jaccProviderServiceRef);
+ }
+
+ public static void unsetProviderService(ProviderServiceProxyImpl providerServiceProxy, ServiceReference jaccProviderServiceRef) {
+ providerServiceProxy.unsetJaccProviderService(jaccProviderServiceRef);
+ }
+
+ public static PolicyProxy createPolicyProxy(Policy policy) {
+ return new JavaSePolicyProxyImpl(policy);
+ }
+
+}
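Review bot: In `initJaccService` the `ProviderServiceProxyImpl providerServiceProxy` that `ProxyTestUtil.setProviderService` configures is a local that is never handed to `jaccService` or returned, so the `jaccProviderServiceRef` it receives has no visible effect on the service under test — the service only ever sees `jaccProviderServiceProxyRef`. If a separately constructed proxy is what the callers pass in as that reference, the helper should say so; otherwise either return the configured proxy (`return providerServiceProxy;` with a matching return type) or drop the two lines. The `@param` tags on both methods are empty, and `ProviderServiceProxy`, `WsLocationAdmin` and `ProviderService` are imported but not used in this hunk, so a short description per parameter plus an import cleanup would finish the class.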
diff --git a/dev/com.ibm.ws.security.authorization.jacc.web/bnd.bnd b/dev/com.ibm.ws.security.authorization.jacc.web/bnd.bnd index f06a07e25454..3107c303ad52 100644 --- a/dev/com.ibm.ws.security.authorization.jacc.web/bnd.bnd +++ b/dev/com.ibm.ws.security.authorization.jacc.web/bnd.bnd @@ -32,7 +32,7 @@ Import-Package: \ ${defaultPackageImport} -dsannotations: \ - com.ibm.ws.security.authorization.jacc.web.impl.ServletServiceImpl + com.ibm.ws.security.authorization.jacc.web.impl.WebJaccServiceImpl -buildpath: \ com.ibm.websphere.appserver.spi.logging,\ @@ -44,7 +44,9 @@ Import-Package: \ com.ibm.ws.webcontainer.security;version=latest,\ com.ibm.websphere.javaee.servlet.3.0;version=latest,\ com.ibm.ws.container.service;version=latest,\ - com.ibm.ws.org.osgi.annotation.versioning;version=latest + com.ibm.ws.org.osgi.annotation.versioning;version=latest,\ + com.ibm.ws.kernel.service;version=latest,\ + com.ibm.websphere.org.osgi.core;version=latest -testpath: \ ../build.sharedResources/lib/junit/old/junit.jar;version=file,\ @@ -58,6 +60,4 @@ Import-Package: \ com.ibm.ws.org.objectweb.asm;version=latest,\ com.ibm.ws.kernel.boot;version=latest,\ com.ibm.ws.logging;version=latest,\ - io.openliberty.security.authorization.internal.jacc.1.5;project=com.ibm.ws.security.authorization.jacc;source=none,\ - com.ibm.websphere.org.osgi.core - + io.openliberty.security.authorization.internal.jacc.1.5;project=com.ibm.ws.security.authorization.jacc;source=none diff --git a/dev/com.ibm.ws.security.authorization.jacc.web/src/com/ibm/ws/security/authorization/jacc/web/impl/ServletServiceImpl.java b/dev/com.ibm.ws.security.authorization.jacc.web/src/com/ibm/ws/security/authorization/jacc/web/impl/ServletServiceImpl.java deleted file mode 100644 index 6f16657333c2..000000000000 --- a/dev/com.ibm.ws.security.authorization.jacc.web/src/com/ibm/ws/security/authorization/jacc/web/impl/ServletServiceImpl.java +++ /dev/null 
@@ -1,63 +0,0 @@ -/******************************************************************************* - * Copyright (c) 2015 IBM Corporation and others. - * All rights reserved. This program and the accompanying materials - * are made available under the terms of the Eclipse Public License 2.0 - * which accompanies this distribution, and is available at - * http://www.eclipse.org/legal/epl-2.0/ - * - * SPDX-License-Identifier: EPL-2.0 - * - * Contributors: - * IBM Corporation - initial API and implementation - *******************************************************************************/ -package com.ibm.ws.security.authorization.jacc.web.impl; - -import org.osgi.service.component.ComponentContext; -import org.osgi.service.component.annotations.Activate; -import org.osgi.service.component.annotations.Component; -import org.osgi.service.component.annotations.ConfigurationPolicy; -import org.osgi.service.component.annotations.Deactivate; - -import com.ibm.websphere.ras.Tr; -import com.ibm.websphere.ras.TraceComponent; -import com.ibm.ws.security.authorization.jacc.web.ServletService; -import com.ibm.ws.security.authorization.jacc.web.WebSecurityPropagator; -import com.ibm.ws.security.authorization.jacc.web.WebSecurityValidator; - -@Component(service = ServletService.class, - immediate = true, - name = "com.ibm.ws.security.authorization.jacc.web.servletservice", - configurationPolicy = ConfigurationPolicy.IGNORE, - property = { "service.vendor=IBM" }) -public class ServletServiceImpl implements ServletService { - private static final TraceComponent tc = Tr.register(ServletServiceImpl.class); - - private static WebSecurityPropagatorImpl wsp = null; - private static WebSecurityValidatorImpl wsv = null; - - public ServletServiceImpl() {} - - @Activate - protected synchronized void activate(ComponentContext cc) {} - - @Deactivate - protected synchronized void deactivate(ComponentContext cc) {} - - /** {@inheritDoc} */ - @Override - public synchronized WebSecurityPropagator 
getPropagator() { - if (wsp == null) { - wsp = new WebSecurityPropagatorImpl(); - } - return wsp; - } - - /** {@inheritDoc} */ - @Override - public synchronized WebSecurityValidator getValidator() { - if (wsv == null) { - wsv = new WebSecurityValidatorImpl(); - } - return wsv; - } -} diff --git a/dev/com.ibm.ws.security.authorization.jacc.web/src/com/ibm/ws/security/authorization/jacc/web/impl/WebSecurityPropagatorImpl.java b/dev/com.ibm.ws.security.authorization.jacc.web/src/com/ibm/ws/security/authorization/jacc/web/impl/WebJaccServiceImpl.java similarity index 68% rename from dev/com.ibm.ws.security.authorization.jacc.web/src/com/ibm/ws/security/authorization/jacc/web/impl/WebSecurityPropagatorImpl.java rename to dev/com.ibm.ws.security.authorization.jacc.web/src/com/ibm/ws/security/authorization/jacc/web/impl/WebJaccServiceImpl.java index 458e7f74ab91..56a2f0403d0e 100644 --- a/dev/com.ibm.ws.security.authorization.jacc.web/src/com/ibm/ws/security/authorization/jacc/web/impl/WebSecurityPropagatorImpl.java +++ b/dev/com.ibm.ws.security.authorization.jacc.web/src/com/ibm/ws/security/authorization/jacc/web/impl/WebJaccServiceImpl.java 
@@ -1,19 +1,19 @@ /******************************************************************************* - * Copyright (c) 2015 IBM Corporation and others. + * Copyright (c) 2024 IBM Corporation and others. * All rights reserved. This program and the accompanying materials * are made available under the terms of the Eclipse Public License 2.0 * which accompanies this distribution, and is available at * http://www.eclipse.org/legal/epl-2.0/ - * - * SPDX-License-Identifier: EPL-2.0 * - * Contributors: - * IBM Corporation - initial API and implementation + * SPDX-License-Identifier: EPL-2.0 *******************************************************************************/ - package com.ibm.ws.security.authorization.jacc.web.impl; +import java.security.AccessController; +import java.security.Permission; import java.security.Permissions; +import java.security.PrivilegedActionException; +import java.security.PrivilegedExceptionAction; import java.util.HashMap; import java.util.Iterator; import java.util.List; 
@@ -21,27 +21,44 @@ import java.util.Map.Entry; import java.util.StringTokenizer; +import javax.security.auth.Subject; import javax.security.jacc.PolicyConfiguration; import javax.security.jacc.PolicyConfigurationFactory; +import javax.security.jacc.PolicyContext; import javax.security.jacc.PolicyContextException; import javax.security.jacc.WebResourcePermission; import javax.security.jacc.WebRoleRefPermission; import javax.security.jacc.WebUserDataPermission; +import javax.servlet.http.HttpServletRequest; + +import org.osgi.framework.ServiceReference; +import org.osgi.service.component.ComponentContext; +import org.osgi.service.component.annotations.Activate; +import org.osgi.service.component.annotations.Component; +import org.osgi.service.component.annotations.ConfigurationPolicy; +import org.osgi.service.component.annotations.Reference; +import org.osgi.service.component.annotations.ReferencePolicy; import com.ibm.websphere.ras.Tr; import com.ibm.websphere.ras.TraceComponent; -import com.ibm.ws.security.authorization.jacc.common.PolicyConfigurationManager; -import com.ibm.ws.security.authorization.jacc.web.WebSecurityPropagator; +import com.ibm.ws.security.authorization.jacc.JaccService; +import com.ibm.ws.security.authorization.jacc.PolicyConfigurationManager; +import com.ibm.ws.security.authorization.jacc.common.PolicyContextHandlerImpl; +import com.ibm.ws.security.authorization.jacc.common.PolicyProxy; +import com.ibm.ws.webcontainer.security.WebJaccService; import com.ibm.ws.webcontainer.security.metadata.SecurityConstraint; import com.ibm.ws.webcontainer.security.metadata.SecurityConstraintCollection; import com.ibm.ws.webcontainer.security.metadata.SecurityMetadata; import com.ibm.ws.webcontainer.security.metadata.WebResourceCollection; import com.ibm.ws.webcontainer.webapp.WebAppConfigExtended; +import com.ibm.wsspi.kernel.service.utils.AtomicServiceReference; import com.ibm.wsspi.webcontainer.metadata.WebModuleMetaData; import 
com.ibm.wsspi.webcontainer.webapp.WebAppConfig; -public class WebSecurityPropagatorImpl implements WebSecurityPropagator { - private static final TraceComponent tc = Tr.register(WebSecurityPropagatorImpl.class); +@Component(service = WebJaccService.class, immediate = true, name = "com.ibm.ws.security.authorization.jacc.web.service", configurationPolicy = ConfigurationPolicy.IGNORE, property = { "service.vendor=IBM" }) +public class WebJaccServiceImpl implements WebJaccService { + + private static final TraceComponent tc = Tr.register(WebJaccServiceImpl.class); private static final int EXTENSION_PATTERN = 0; private static final int PATHPREFIX_PATTERN = 1; 
@@ -50,22 +67,49 @@ public class WebSecurityPropagatorImpl implements WebSecurityPropagator { private static final String STARSTAR = "**"; private static final ActionString ALLMETHOD = new ActionString(":NONE"); - public WebSecurityPropagatorImpl() {} + protected static final String KEY_JACC_SERVICE = "jaccService"; + private static PolicyContextHandlerImpl pch = PolicyContextHandlerImpl.getInstance(); - /** {@inheritDoc} */ - @Override - public void propagateWebConstraints(PolicyConfigurationFactory pcf, - String contextId, - Object webAppConfigObject) { - WebAppConfig webAppConfig = null; - if (webAppConfigObject != null) { - try { - webAppConfig = (WebAppConfig) webAppConfigObject; - } catch (ClassCastException cce) { - Tr.error(tc, "JACC_WEB_SPI_PARAMETER_ERROR", new Object[] { webAppConfigObject.getClass().getName(), "propagateWebConstraints", "WebAppConfig" }); - return; - } + private static final String[] jaccHandlerKeyArray; + + static { + boolean principalMapperSupported = false; + try { + principalMapperSupported = pch.supports("jakarta.security.jacc.PrincipalMapper"); + } catch (PolicyContextException pce) { + // our implementation doesn't throw an exception, but it is on the interface so need to catch it. 
+ } + if (principalMapperSupported) { + jaccHandlerKeyArray = new String[] { "javax.security.auth.Subject.container", "jakarta.servlet.http.HttpServletRequest", "jakarta.security.jacc.PrincipalMapper" }; } else { + // javax.servlet.http prefixed string will be jakarta-ized during transformation + jaccHandlerKeyArray = new String[] { "javax.security.auth.Subject.container", "javax.servlet.http.HttpServletRequest" }; + } + } + + private final AtomicServiceReference jaccServiceRef = new AtomicServiceReference(KEY_JACC_SERVICE); + + @Reference(service = JaccService.class, policy = ReferencePolicy.DYNAMIC, name = KEY_JACC_SERVICE) + protected void setJaccService(ServiceReference reference) { + jaccServiceRef.setReference(reference); + } + + protected void unsetJaccService(ServiceReference reference) { + jaccServiceRef.unsetReference(reference); + } + + @Activate + protected void activate(ComponentContext cc) { + jaccServiceRef.activate(cc); + } + + protected void deactivate(ComponentContext cc) { + jaccServiceRef.deactivate(cc); + } + + @Override + public void propagateWebConstraints(String applicationName, String moduleName, WebAppConfig webAppConfig) { + if (webAppConfig == null) { // if null, do nothing. if (tc.isDebugEnabled()) Tr.debug(tc, "Nothing to propagate due to null webAppConfig object."); 
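Review bot: `deactivate(ComponentContext cc)` is declared without a `@Deactivate` annotation, and the import block of this file (the hunk starting at the top of the file) brings in Activate, Component, ConfigurationPolicy, Reference and ReferencePolicy but not Deactivate, so under annotation-driven DS the method appears never to be invoked and `jaccServiceRef.deactivate(cc)` would not run; the deleted ServletServiceImpl did carry `@Deactivate`. The fix is two lines: `import org.osgi.service.component.annotations.Deactivate;` and `@Deactivate` immediately above `protected void deactivate(ComponentContext cc) {`. Separately, the static block builds `jaccHandlerKeyArray` with the request key in position 1 in both branches, and the later `handlerObjects.put(jaccHandlerKeyArray[1], req)` depends on that position; a comment on the array such as `// index 1 must remain the HttpServletRequest key; checkDataConstraints relies on it` would protect that coupling. The enclosing class continues beyond this hunk.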
@@ -78,14 +122,23 @@ public void propagateWebConstraints(PolicyConfigurationFactory pcf, Tr.debug(tc, "Nothing to propagate due to no security constraints."); return; } + JaccService jaccService = jaccServiceRef.getService(); + if (jaccService == null) { + if (tc.isDebugEnabled()) + Tr.debug(tc, "Nothing to propagate due to JaccService not being set."); + return; + } // if there is the same contextId in the map, delete it. This is for preventing to link PolicyConfiguration incorrectly. String appName = webAppConfig.getApplicationName(); - PolicyConfigurationManager.removeModule(appName, contextId); + String contextId = jaccService.getContextId(applicationName, moduleName); + PolicyConfigurationManager policyConfigManager = jaccService.getPolicyConfigurationManager(); + policyConfigManager.removeModule(appName, contextId); PolicyConfiguration webPC = null; try { // for web, there is no scenario to update (add) the Permissions, // therefore, the existing permissions are deleted upon invoking getPolicyConfiguration. + PolicyConfigurationFactory pcf = jaccService.getPolicyConfigurationFactory(); webPC = pcf.getPolicyConfiguration(contextId, true); } catch (PolicyContextException pce) { Tr.error(tc, "JACC_WEB_GET_POLICYCONFIGURATION_FAILURE", new Object[] { contextId, pce }); 
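Review bot: `propagateWebConstraints` now derives `contextId` from the `applicationName` parameter via `jaccService.getContextId(applicationName, moduleName)`, but the `removeModule`, `linkConfiguration` and `addModule` calls still key on `appName = webAppConfig.getApplicationName()`; if those two names can ever differ, the module would be tracked under one application name while its PolicyConfiguration is looked up under a context id built from the other. If they are guaranteed equal, using the parameter for both (`policyConfigManager.removeModule(applicationName, contextId);`) removes the second source of truth; if they can differ, a comment stating why the map is keyed on the deployed name would make the intent explicit. Whether `getPolicyConfigurationManager()` can return null is not visible here, so a guard comparable to the new `jaccService == null` check may or may not be needed. The method body continues in the next hunk.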
@@ -97,21 +150,18 @@ public void propagateWebConstraints(PolicyConfigurationFactory pcf, List scList = scc.getSecurityConstraints(); Map allURLMap = convertURLMap(scList); processUrlMap(webPC, allURLMap, isDenyUncoveredHttpMethods(scList)); - PolicyConfigurationManager.linkConfiguration(appName, webPC); - PolicyConfigurationManager.addModule(appName, contextId); + policyConfigManager.linkConfiguration(appName, webPC); + policyConfigManager.addModule(appName, contextId); // commit will be invoked in PolicyCOnfigurationManager class. } catch (PolicyContextException e) { Tr.error(tc, "JACC_WEB_PERMISSION_PROPAGATION_FAILURE", new Object[] { contextId, e }); } - - return; - } private void processRole(PolicyConfiguration webPC, WebAppConfig webAppConfig) throws PolicyContextException { SecurityMetadata smd = getSecurityMetadata(webAppConfig); List roles = smd.getRoles(); - // loop all servlets + // loop all servlets Iterator servletNames = webAppConfig.getServletNames(); while (servletNames.hasNext()) { String servletName = (String) servletNames.next(); @@ -302,8 +352,7 @@ private void processUrlMap(PolicyConfiguration webPC, Map allURL URLMap newMap = e.getValue(); String urlPatternName = newMap.getURLPattern(); - if (isUnqualified(url, urlPatternName)) - { + if (isUnqualified(url, urlPatternName)) { if (tc.isDebugEnabled()) Tr.debug(tc, "url: " + url + " is unqualified"); continue; @@ -380,8 +429,7 @@ private void processUrlMap(PolicyConfiguration webPC, Map allURL userDataRest = ALLMETHOD; // all methods } else { userDataRest = newMap.getUserDataString("REST"); - if (userDataRest == null && userDataConfidential == null) - { + if (userDataRest == null && userDataConfidential == null) { // no output, either all methods or none. if there is confidential, then it would be none. userDataRest = ALLMETHOD; // all methods } 
@@ -432,9 +480,7 @@ private void processUrlMap(PolicyConfiguration webPC, Map allURL Tr.debug(tc, "addToRole(specific methods) role : " + role + " permission : " + wrp); } } - } - else - { + } else { if (tc.isDebugEnabled()) Tr.debug(tc, "No role map. URL: " + urlPatternName); } @@ -476,16 +522,12 @@ private boolean isUnqualified(String url, String urlPattern) { return unqualified; } - private void addUserData(Permissions permissions, String url, String userdata) - { - if (userdata != null && userdata.startsWith(":")) - { + private void addUserData(Permissions permissions, String url, String userdata) { + if (userdata != null && userdata.startsWith(":")) { String transport = userdata.substring(1); // all methods permissions.add(new WebUserDataPermission(url, null, transport)); - } - else - { + } else { permissions.add(new WebUserDataPermission(url, userdata)); } } @@ -524,7 +566,7 @@ private int urlType(String urlPattern) { * 5) this pattern is the special default pattern, "/", which matches all * other patterns. **************************************************************************/ - protected boolean urlPatternMatch(String pattern1, String pattern2) { + private boolean urlPatternMatch(String pattern1, String pattern2) { if (pattern1.equals(pattern2)) { return true; } @@ -555,7 +597,7 @@ protected boolean urlPatternMatch(String pattern1, String pattern2) { /** * Gets the security metadata from the web app config - * + * * @param webAppConfig the webAppConfig representing the deployed module * @return the security metadata */ 
@@ -568,7 +610,7 @@ private SecurityMetadata getSecurityMetadata(WebAppConfig webAppConfig) { * Returns whether deny-uncovered-http-methods attribute is set. * In order to check this value, entire WebResourceCollection objects need to be examined, * since it only set properly when web.xml is processed. - * + * * @param scList the List of SecurityConstraint objects. * @return true if deny-uncovered-http-methods attribute is set, false otherwise. */ 
@@ -584,4 +626,148 @@ private boolean isDenyUncoveredHttpMethods(List scList) { return false; } + @Override + public boolean isSSLRequired(String applicationName, String moduleName, String uriName, String methodName, HttpServletRequest req) { + return !checkDataConstraints(applicationName, moduleName, uriName, methodName, req, null); + } + + @Override + public boolean isAccessExcluded(String applicationName, String moduleName, String uriName, String methodName, HttpServletRequest req) { + return !checkDataConstraints(applicationName, moduleName, uriName, methodName, req, "CONFIDENTIAL"); + } + + /* + * check DataConstraints + * true if permission is is implied. + * false otherwise. + */ + private boolean checkDataConstraints(String applicationName, String moduleName, String uriName, String methodName, HttpServletRequest req, String transportType) { + JaccService jaccService = jaccServiceRef.getService(); + if (jaccService == null) { + return false; + } + String[] methodNameArray = new String[] { methodName }; + /** + ** if uriName ends with "*", Web*Permission.implies won't work property since * is treated as a wildcard. + ** In order to avoid this issue, substitute * as | which cannot be used as a part of real URL, but URLPatternSpec object doesn't care. + */ + uriName = substituteAsterisk(uriName); + WebUserDataPermission webUDPerm = new WebUserDataPermission(uriName, methodNameArray, transportType); + // In this method, we check for the following constraints + // 1. Data Constraints (is SSL required?) 
+ Boolean result = Boolean.FALSE; + String contextId = jaccService.getContextId(applicationName, moduleName); + PolicyProxy policyProxy = jaccService.getPolicyProxy(); + try { + final HashMap handlerObjects = new HashMap(); + result = AccessController.doPrivileged(new PrivilegedExceptionAction() { + @Override + public Boolean run() throws javax.security.jacc.PolicyContextException { + PolicyContext.setContextID(contextId); + for (String jaccHandlerKey : jaccHandlerKeyArray) { + PolicyContext.registerHandler(jaccHandlerKey, pch, true); + } + handlerObjects.put(jaccHandlerKeyArray[1], req); + PolicyContext.setHandlerData(handlerObjects); + if (tc.isDebugEnabled()) + Tr.debug(tc, "Calling JACC implies"); + return Boolean.valueOf(policyProxy.implies(contextId, null, webUDPerm)); + } + }); + + } catch (PrivilegedActionException e) { + Tr.error(tc, "JACC_WEB_IMPLIES_FAILURE", new Object[] { contextId, e.getException() }); + result = Boolean.FALSE; + } + + return result.booleanValue(); + } + + @Override + public boolean isAuthorized(String applicationName, String moduleName, String uriName, String methodName, HttpServletRequest req, Subject subject) { + JaccService jaccService = jaccServiceRef.getService(); + if (jaccService == null) { + return false; + } + String[] methodNameArray = new String[] { methodName }; + uriName = substituteAsterisk(uriName); + WebResourcePermission webPerm = new WebResourcePermission(uriName, methodNameArray); + String contextId = jaccService.getContextId(applicationName, moduleName); + PolicyProxy policyProxy = jaccService.getPolicyProxy(); + return checkResourceConstraints(contextId, req, webPerm, subject, policyProxy); + } + + @Override + public boolean isSubjectInRole(String applicationName, String moduleName, String servletName, String role, HttpServletRequest req, Subject subject) { + JaccService jaccService = jaccServiceRef.getService(); + if (jaccService == null) { + return false; + } + WebRoleRefPermission webRolePerm = new 
WebRoleRefPermission(servletName, role); + String contextId = jaccService.getContextId(applicationName, moduleName); + PolicyProxy policyProxy = jaccService.getPolicyProxy(); + return checkResourceConstraints(contextId, req, webRolePerm, subject, policyProxy); + } + + private boolean checkResourceConstraints(String contextId, HttpServletRequest req, Permission webPerm, Subject subject, PolicyProxy policyProxy) { + boolean result = false; + try { + final HashMap ho = new HashMap(); + result = checkResourceConstraints(contextId, req, webPerm, subject, ho, policyProxy); + } catch (PrivilegedActionException e) { + Tr.error(tc, "JACC_WEB_IMPLIES_FAILURE", new Object[] { contextId, e.getException() }); + } + return result; + } + + private boolean checkResourceConstraints(final String contextId, + final HttpServletRequest req, + final Permission permission, + final Subject subject, + final HashMap handlerObjects, + PolicyProxy policyProxy) throws PrivilegedActionException { + Boolean result = Boolean.FALSE; + result = AccessController.doPrivileged( + new PrivilegedExceptionAction() { + @Override + public Boolean run() throws javax.security.jacc.PolicyContextException { + PolicyContext.setContextID(contextId); + + if (tc.isDebugEnabled()) + Tr.debug(tc, "Registering JACC context handlers"); + for (String key : jaccHandlerKeyArray) { + PolicyContext.registerHandler(key, pch, true); + } + + handlerObjects.put(jaccHandlerKeyArray[0], subject); + handlerObjects.put(jaccHandlerKeyArray[1], req); + + if (tc.isDebugEnabled()) + Tr.debug(tc, "Setting JACC handler data"); + PolicyContext.setHandlerData(handlerObjects); + if (tc.isDebugEnabled()) + Tr.debug(tc, "Calling JACC implies. 
Subject : " + subject); + return policyProxy.implies(contextId, subject, permission); + } + }); + return result.booleanValue(); + } + + @Override + public void resetPolicyContextHandlerInfo() { + JaccService jaccService = jaccServiceRef.getService(); + if (jaccService != null) { + jaccService.resetPolicyContextHandlerInfo(); + } + } + + private String substituteAsterisk(String uriName) { + if (uriName != null && uriName.endsWith("/*")) { + if (tc.isDebugEnabled()) + Tr.debug(tc, "The URI ends with \"/*\" which is substituted by \"/|\""); + uriName = uriName.substring(0, uriName.lastIndexOf("*")) + "|"; + } + return uriName; + } + } diff --git a/dev/com.ibm.ws.security.authorization.jacc.web/src/com/ibm/ws/security/authorization/jacc/web/impl/WebSecurityValidatorImpl.java b/dev/com.ibm.ws.security.authorization.jacc.web/src/com/ibm/ws/security/authorization/jacc/web/impl/WebSecurityValidatorImpl.java deleted file mode 100644 index 93d70adee36c..000000000000 --- a/dev/com.ibm.ws.security.authorization.jacc.web/src/com/ibm/ws/security/authorization/jacc/web/impl/WebSecurityValidatorImpl.java +++ /dev/null 
@@ -1,153 +0,0 @@ -/******************************************************************************* - * Copyright (c) 2015, 2024 IBM Corporation and others. - * All rights reserved. This program and the accompanying materials - * are made available under the terms of the Eclipse Public License 2.0 - * which accompanies this distribution, and is available at - * http://www.eclipse.org/legal/epl-2.0/ - * - * SPDX-License-Identifier: EPL-2.0 - * - * Contributors: - * IBM Corporation - initial API and implementation - *******************************************************************************/ -package com.ibm.ws.security.authorization.jacc.web.impl; - -import java.security.AccessController; -import java.security.Permission; -import java.security.PrivilegedActionException; -import java.security.PrivilegedExceptionAction; -import java.util.HashMap; - -import javax.security.auth.Subject; -import javax.security.jacc.PolicyContext; -import javax.security.jacc.WebUserDataPermission; -import javax.servlet.http.HttpServletRequest; - -import com.ibm.websphere.ras.Tr; -import com.ibm.websphere.ras.TraceComponent; -import com.ibm.ws.security.authorization.jacc.common.PolicyContextHandlerImpl; -import com.ibm.ws.security.authorization.jacc.common.PolicyProxy; -import com.ibm.ws.security.authorization.jacc.web.WebSecurityValidator; - -public class WebSecurityValidatorImpl implements WebSecurityValidator { - private static final TraceComponent tc = Tr.register(WebSecurityValidatorImpl.class); - private static String[] jaccHandlerKeyArrayEe8 = new String[] { "javax.security.auth.Subject.container", "javax.servlet.http.HttpServletRequest" }; - private static String[] jaccHandlerKeyArrayEe9 = new String[] { "javax.security.auth.Subject.container", "jakarta.servlet.http.HttpServletRequest" }; - private static PolicyContextHandlerImpl pch = PolicyContextHandlerImpl.getInstance(); - - public WebSecurityValidatorImpl() { - } - - /** {@inheritDoc} */ - @Override - public boolean 
checkDataConstraints(String contextId, Object httpServletRequest, WebUserDataPermission webUDPermission, PolicyProxy policyProxy) { - HttpServletRequest req = null; - if (httpServletRequest != null) { - try { - req = (HttpServletRequest) httpServletRequest; - } catch (ClassCastException cce) { - Tr.error(tc, "JACC_WEB_SPI_PARAMETER_ERROR", new Object[] { httpServletRequest.getClass().getName(), "checkDataConstraints", "HttpServletRequest" }); - return false; - } - } - - // In this method, we check for the following constraints - // 1. Data Constraints (is SSL required?) - Boolean result = Boolean.FALSE; - try { - final WebUserDataPermission wudp = webUDPermission; - final String fci = contextId; - final HashMap handlerObjects = new HashMap(); - final HttpServletRequest hsr = req; - result = AccessController.doPrivileged(new PrivilegedExceptionAction() { - @Override - public Boolean run() throws javax.security.jacc.PolicyContextException { - PolicyContext.setContextID(fci); - for (String jaccHandlerKey : jaccHandlerKeyArrayEe8) { - PolicyContext.registerHandler(jaccHandlerKey, pch, true); - } - for (String jaccHandlerKey : jaccHandlerKeyArrayEe9) { - PolicyContext.registerHandler(jaccHandlerKey, pch, true); - } - handlerObjects.put(jaccHandlerKeyArrayEe8[1], hsr); - handlerObjects.put(jaccHandlerKeyArrayEe9[1], hsr); - PolicyContext.setHandlerData(handlerObjects); - if (tc.isDebugEnabled()) - Tr.debug(tc, "Calling JACC implies"); - return Boolean.valueOf(policyProxy.implies(contextId, null, wudp)); - } - }); - - } catch (PrivilegedActionException e) { - Tr.error(tc, "JACC_WEB_IMPLIES_FAILURE", new Object[] { contextId, e.getException() }); - result = Boolean.FALSE; - } - - return result.booleanValue(); - } - - /** {@inheritDoc} */ - @Override - public boolean checkResourceConstraints(String contextId, Object httpServletRequest, Permission webPerm, Subject subject, PolicyProxy policyProxy) { - HttpServletRequest req = null; - if (httpServletRequest != null) { - try { 
- req = (HttpServletRequest) httpServletRequest; - } catch (ClassCastException cce) { - Tr.error(tc, "JACC_WEB_SPI_PARAMETER_ERROR", new Object[] { httpServletRequest.getClass().getName(), "checkDataConstraints", "HttpServletRequest" }); - return false; - } - } - boolean result = false; - try { - final HashMap ho = new HashMap(); - final Subject s = subject; - final String cid = contextId; - final Permission p = webPerm; - final HttpServletRequest r = req; - result = checkResourceConstraints(cid, r, p, s, ho, policyProxy); - } catch (PrivilegedActionException e) { - Tr.error(tc, "JACC_WEB_IMPLIES_FAILURE", new Object[] { contextId, e.getException() }); - } - return result; - } - - private boolean checkResourceConstraints(final String contextId, - final HttpServletRequest req, - final Permission permission, - final Subject subject, - final HashMap handlerObjects, - PolicyProxy policyProxy) throws PrivilegedActionException { - Boolean result = Boolean.FALSE; - result = AccessController.doPrivileged( - new PrivilegedExceptionAction() { - @Override - public Boolean run() throws javax.security.jacc.PolicyContextException { - PolicyContext.setContextID(contextId); - - if (tc.isDebugEnabled()) - Tr.debug(tc, "Registering JACC context handlers"); - for (String key : jaccHandlerKeyArrayEe8) { - PolicyContext.registerHandler(key, pch, true); - } - for (String key : jaccHandlerKeyArrayEe9) { - PolicyContext.registerHandler(key, pch, true); - } - - handlerObjects.put(jaccHandlerKeyArrayEe8[0], subject); - handlerObjects.put(jaccHandlerKeyArrayEe8[1], req); - - handlerObjects.put(jaccHandlerKeyArrayEe9[0], subject); - handlerObjects.put(jaccHandlerKeyArrayEe9[1], req); - - if (tc.isDebugEnabled()) - Tr.debug(tc, "Setting JACC handler data"); - PolicyContext.setHandlerData(handlerObjects); - if (tc.isDebugEnabled()) - Tr.debug(tc, "Calling JACC implies. 
Subject : " + subject); - return policyProxy.implies(contextId, subject, permission); - } - }); - return result.booleanValue(); - } -} diff --git a/dev/com.ibm.ws.security.authorization.jacc.web/test/com/ibm/ws/security/authorization/jacc/internal/DummyPolicy.java b/dev/com.ibm.ws.security.authorization.jacc.web/test/com/ibm/ws/security/authorization/jacc/internal/DummyPolicy.java new file mode 100644 index 000000000000..776ca819084d --- /dev/null +++ b/dev/com.ibm.ws.security.authorization.jacc.web/test/com/ibm/ws/security/authorization/jacc/internal/DummyPolicy.java @@ -0,0 +1,39 @@ +/******************************************************************************* + * Copyright (c) 2015, 2024 IBM Corporation and others. + * All rights reserved. This program and the accompanying materials + * are made available under the terms of the Eclipse Public License 2.0 + * which accompanies this distribution, and is available at + * http://www.eclipse.org/legal/epl-2.0/ + * + * SPDX-License-Identifier: EPL-2.0 + *******************************************************************************/ +package com.ibm.ws.security.authorization.jacc.internal; + +import java.security.CodeSource; +import java.security.Permission; +import java.security.PermissionCollection; +import java.security.Policy; +import java.security.ProtectionDomain; + +public class DummyPolicy extends Policy { + public DummyPolicy() {} + + @Override + public PermissionCollection getPermissions(CodeSource codeSource) { + return null; + } + + @Override + public void refresh() {} + + @Override + public PermissionCollection getPermissions(ProtectionDomain domain) { + return null; + } + + @Override + public boolean implies(ProtectionDomain pd, Permission p) { + return true; + } + +} 
diff --git a/dev/com.ibm.ws.security.authorization.jacc.web/test/com/ibm/ws/security/authorization/jacc/internal/DummyPolicyConfigurationFactory.java b/dev/com.ibm.ws.security.authorization.jacc.web/test/com/ibm/ws/security/authorization/jacc/internal/DummyPolicyConfigurationFactory.java
new file mode 100644
index 000000000000..ff77e1f2ade3
--- /dev/null
+++ b/dev/com.ibm.ws.security.authorization.jacc.web/test/com/ibm/ws/security/authorization/jacc/internal/DummyPolicyConfigurationFactory.java
@@ -0,0 +1,44 @@
+/*******************************************************************************
+ * Copyright (c) 2015, 2024 IBM Corporation and others.
+ * All rights reserved. This program and the accompanying materials
+ * are made available under the terms of the Eclipse Public License 2.0
+ * which accompanies this distribution, and is available at
+ * http://www.eclipse.org/legal/epl-2.0/
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *******************************************************************************/
+
+package com.ibm.ws.security.authorization.jacc.internal;
+
+import javax.security.jacc.PolicyConfiguration;
+import javax.security.jacc.PolicyConfigurationFactory;
+import javax.security.jacc.PolicyContextException;
+
+public class DummyPolicyConfigurationFactory extends PolicyConfigurationFactory {
+ private PolicyConfiguration pc = null;
+
+ public DummyPolicyConfigurationFactory(PolicyConfiguration pc) {
+ this.pc = pc;
+ }
+
+ public DummyPolicyConfigurationFactory() {
+ }
+
+ public PolicyConfiguration getPolicyConfiguration() {
+ return pc;
+ }
+
+ public PolicyConfiguration getPolicyConfiguration(String contextID) {
+ return pc;
+ }
+
+ @Override
+ public PolicyConfiguration getPolicyConfiguration(String contextId, boolean flag) throws PolicyContextException {
+ return pc;
+ }
+
+ @Override
+ public boolean inService(String contextID) throws PolicyContextException {
+ return true;
+ }
+}
diff --git a/dev/com.ibm.ws.security.authorization.jacc.web/test/com/ibm/ws/security/authorization/jacc/internal/JaccServiceTestUtil.java b/dev/com.ibm.ws.security.authorization.jacc.web/test/com/ibm/ws/security/authorization/jacc/internal/JaccServiceTestUtil.java
new file mode 100644
index 000000000000..83f0c735e3b0
--- /dev/null
+++ b/dev/com.ibm.ws.security.authorization.jacc.web/test/com/ibm/ws/security/authorization/jacc/internal/JaccServiceTestUtil.java
@@ -0,0 +1,48 @@
+/*******************************************************************************
+ * Copyright (c) 2024 IBM Corporation and others.
+ * All rights reserved. This program and the accompanying materials
+ * are made available under the terms of the Eclipse Public License 2.0
+ * which accompanies this distribution, and is available at
+ * http://www.eclipse.org/legal/epl-2.0/
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *******************************************************************************/
+package com.ibm.ws.security.authorization.jacc.internal;
+
+import org.osgi.framework.ServiceReference;
+import org.osgi.service.component.ComponentContext;
+
+import com.ibm.ws.security.authorization.jacc.PolicyConfigurationManager;
+import com.ibm.ws.security.authorization.jacc.common.ProviderServiceProxy;
+import com.ibm.wsspi.kernel.service.location.WsLocationAdmin;
+import com.ibm.wsspi.security.authorization.jacc.ProviderService;
+
+import io.openliberty.security.authorization.jacc.internal.proxy.ProviderServiceProxyImpl;
+import io.openliberty.security.authorization.jacc.internal.proxy.ProxyTestUtil;
+
+public class JaccServiceTestUtil {
+
+ /**
+ * @param pcm
+ */
+ public static JaccServiceImpl createJaccService(PolicyConfigurationManager pcm) {
+ return new JaccServiceImpl(pcm);
+ }
+
+ /**
+ * @param jaccService
+ * @param jaccProviderServiceProxyRef
+ * @param jaccProviderServiceRef
+ * @param wsLocationAdminRef
+ * @param cc
+ */
+ public static void initJaccService(JaccServiceImpl jaccService, ServiceReference jaccProviderServiceProxyRef,
+ ServiceReference jaccProviderServiceRef, ServiceReference wsLocationAdminRef,
+ ComponentContext cc) {
+ jaccService.setJaccProviderServiceProxy(jaccProviderServiceProxyRef);
+ ProviderServiceProxyImpl providerServiceProxy = new ProviderServiceProxyImpl();
+ ProxyTestUtil.setProviderService(providerServiceProxy, jaccProviderServiceRef);
+ jaccService.setLocationAdmin(wsLocationAdminRef);
+ 
jaccService.activate(cc);
+ }
+}
diff --git a/dev/com.ibm.ws.security.authorization.jacc.web/test/com/ibm/ws/security/authorization/jacc/web/impl/ServletServiceImplTest.java b/dev/com.ibm.ws.security.authorization.jacc.web/test/com/ibm/ws/security/authorization/jacc/web/impl/ServletServiceImplTest.java
deleted file mode 100644
index bfd25224173d..000000000000
--- a/dev/com.ibm.ws.security.authorization.jacc.web/test/com/ibm/ws/security/authorization/jacc/web/impl/ServletServiceImplTest.java
+++ /dev/null
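Review bot: In initJaccService the `ProviderServiceProxyImpl` created right after `setJaccProviderServiceProxy(...)` is handed to `ProxyTestUtil.setProviderService(...)` and then dropped — nothing passes it to jaccService, which instead receives the raw `jaccProviderServiceProxyRef`. Unless setProviderService has a static side effect (ProxyTestUtil is not in this hunk), those two lines are dead and the tests exercise whatever the ServiceReference mock resolves to rather than this proxy; either wire the proxy into the service or delete the two lines, and add a one-line comment saying which. The Javadoc `@param` tags also carry no descriptions; e.g. `@param cc component context whose locateService(...) resolves the references above`.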
@@ -1,93 +0,0 @@ -/******************************************************************************* - * Copyright (c) 2015 IBM Corporation and others. - * All rights reserved. This program and the accompanying materials - * are made available under the terms of the Eclipse Public License 2.0 - * which accompanies this distribution, and is available at - * http://www.eclipse.org/legal/epl-2.0/ - * - * SPDX-License-Identifier: EPL-2.0 - * - * Contributors: - * IBM Corporation - initial API and implementation - *******************************************************************************/ - -package com.ibm.ws.security.authorization.jacc.web.impl; - -import static org.junit.Assert.assertEquals; -import static org.junit.Assert.fail; - -import org.jmock.Mockery; -import org.jmock.integration.junit4.JUnit4Mockery; -import org.junit.Rule; -import org.junit.Test; -import org.junit.rules.TestRule; -import org.osgi.service.component.ComponentContext; - -import test.common.SharedOutputManager; - -import com.ibm.ws.security.authorization.jacc.web.WebSecurityPropagator; -import com.ibm.ws.security.authorization.jacc.web.WebSecurityValidator; - -public class ServletServiceImplTest { - static final SharedOutputManager outputMgr = SharedOutputManager.getInstance(); - /** - * Using the test rule will drive capture/restore and will dump on error.. - * Notice this is not a static variable, though it is being assigned a value we - * allocated statically. 
-- the normal-variable-ness is for before/after processing - */ - @Rule - public TestRule managerRule = outputMgr; - - private final Mockery context = new JUnit4Mockery(); - private final ComponentContext cc = context.mock(ComponentContext.class); - - /** - * Tests activate/deactivate method - * Expected result: true - */ - @Test - public void activateDeactivateNormal() { - try { - ServletServiceImpl ws = new ServletServiceImpl(); - ws.activate(cc); - ws.deactivate(cc); - } catch (Exception e) { - e.printStackTrace(); - fail("An exception is caught : " + e); - } - } - - /** - * Tests getPropagator method - * Expected result: true - */ - @Test - public void getPropagatorNormal() { - try { - ServletServiceImpl ws = new ServletServiceImpl(); - WebSecurityPropagator wsp = ws.getPropagator(); - // make sure that it returns the singleton. - assertEquals(wsp, ws.getPropagator()); - } catch (Exception e) { - e.printStackTrace(); - fail("An exception is caught : " + e); - } - } - - /** - * Tests getValidator method - * Expected result: true - */ - @Test - public void getValidatorNormal() { - try { - ServletServiceImpl ws = new ServletServiceImpl(); - WebSecurityValidator wsv = ws.getValidator(); - // make sure that it returns the singleton. - assertEquals(wsv, ws.getValidator()); - } catch (Exception e) { - e.printStackTrace(); - fail("An exception is caught : " + e); - } - } -} diff --git a/dev/com.ibm.ws.security.authorization.jacc.web/test/com/ibm/ws/security/authorization/jacc/web/impl/WebJaccServiceImplTest.java b/dev/com.ibm.ws.security.authorization.jacc.web/test/com/ibm/ws/security/authorization/jacc/web/impl/WebJaccServiceImplTest.java new file mode 100644 index 000000000000..ad018561c351 --- /dev/null +++ b/dev/com.ibm.ws.security.authorization.jacc.web/test/com/ibm/ws/security/authorization/jacc/web/impl/WebJaccServiceImplTest.java 
@@ -0,0 +1,395 @@ +/******************************************************************************* + * Copyright (c) 2015, 2024 IBM Corporation and others. + * All rights reserved. This program and the accompanying materials + * are made available under the terms of the Eclipse Public License 2.0 + * which accompanies this distribution, and is available at + * http://www.eclipse.org/legal/epl-2.0/ + * + * SPDX-License-Identifier: EPL-2.0 + *******************************************************************************/ + +package com.ibm.ws.security.authorization.jacc.web.impl; + +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertTrue; +import static org.junit.Assert.fail; + +import java.security.Policy; + +import javax.security.auth.Subject; +import javax.security.jacc.PolicyConfiguration; +import javax.security.jacc.PolicyConfigurationFactory; +import javax.security.jacc.WebResourcePermission; +import javax.security.jacc.WebRoleRefPermission; +import javax.security.jacc.WebUserDataPermission; +import javax.servlet.http.HttpServletRequest; + +import org.jmock.Expectations; +import org.jmock.Mockery; +import org.jmock.integration.junit4.JUnit4Mockery; +import org.junit.After; +import org.junit.Rule; +import org.junit.Test; +import org.junit.rules.TestRule; +import org.osgi.framework.ServiceReference; +import org.osgi.service.component.ComponentContext; + +import com.ibm.ws.security.authorization.jacc.JaccService; +import com.ibm.ws.security.authorization.jacc.PolicyConfigurationManager; +import com.ibm.ws.security.authorization.jacc.common.PolicyConfigurationManagerImpl; +import com.ibm.ws.security.authorization.jacc.common.PolicyProxy; +import com.ibm.ws.security.authorization.jacc.common.ProviderServiceProxy; +import com.ibm.ws.security.authorization.jacc.internal.JaccServiceImpl; +import com.ibm.ws.security.authorization.jacc.internal.JaccServiceTestUtil; +import com.ibm.wsspi.kernel.service.location.WsLocationAdmin; +import 
com.ibm.wsspi.security.authorization.jacc.ProviderService; + +import test.common.SharedOutputManager; + +public class WebJaccServiceImplTest { + static final SharedOutputManager outputMgr = SharedOutputManager.getInstance(); + /** + * Using the test rule will drive capture/restore and will dump on error.. + * Notice this is not a static variable, though it is being assigned a value we + * allocated statically. -- the normal-variable-ness is for before/after processing + */ + @Rule + public TestRule managerRule = outputMgr; + + private final Mockery context = new JUnit4Mockery(); + private final ComponentContext cc = context.mock(ComponentContext.class); + @SuppressWarnings("unchecked") + private final ServiceReference jaccProviderServiceProxyRef = context.mock(ServiceReference.class, "providerServiceProxyRef"); + private final ProviderServiceProxy jaccProviderServiceProxy = context.mock(ProviderServiceProxy.class); + @SuppressWarnings("unchecked") + private final ServiceReference jaccProviderServiceRef = context.mock(ServiceReference.class, "providerServiceRef"); + private final ProviderService jaccProviderService = context.mock(ProviderService.class); + @SuppressWarnings("unchecked") + private final ServiceReference wsLocationAdminRef = context.mock(ServiceReference.class, "wsLocationAdminRef"); + private final WsLocationAdmin wsLocationAdmin = context.mock(WsLocationAdmin.class); + private final PolicyConfiguration pc = context.mock(PolicyConfiguration.class); + private final HttpServletRequest req = context.mock(HttpServletRequest.class); + private final ServiceReference jaccServiceRef = context.mock(ServiceReference.class, "jaccServiceRef"); + private final WebJaccServiceImpl webJaccService = new WebJaccServiceImpl(); + + private final Policy policy = Policy.getPolicy(); + private final PolicyProxy policyProxy = context.mock(PolicyProxy.class); + private final PolicyConfigurationFactory pcf = new DummyPolicyConfigurationFactory(pc); + private final 
PolicyConfigurationManager pcm = new PolicyConfigurationManagerImpl(); + + private static final String JACC_FACTORY = "javax.security.jacc.PolicyConfigurationFactory.provider"; + private static final String JACC_FACTORY_EE9 = "jakarta.security.jacc.PolicyConfigurationFactory.provider"; + private static final String JACC_POLICY_PROVIDER = "javax.security.jacc.policy.provider"; + private static final String JACC_POLICY_PROVIDER_EE9 = "jakarta.security.jacc.policy.provider"; + private static final String JACC_FACTORY_IMPL = "com.ibm.ws.security.authorization.jacc.internal.DummyPolicyConfigurationFactory"; + private static final String JACC_POLICY_PROVIDER_IMPL = "com.ibm.ws.security.authorization.jacc.internal.DummyPolicy"; + + private final String origPp = System.getProperty(JACC_POLICY_PROVIDER); + private final String origPpEe9 = System.getProperty(JACC_POLICY_PROVIDER_EE9); + private final String origFn = System.getProperty(JACC_FACTORY); + private final String origFnEe9 = System.getProperty(JACC_FACTORY_EE9); + + @After + public void tearDown() throws Exception { + // clean up. 
+ if (origPp != null) { + System.setProperty(JACC_POLICY_PROVIDER, origPp); + } else { + System.clearProperty(JACC_POLICY_PROVIDER); + } + if (origPpEe9 != null) { + System.setProperty(JACC_POLICY_PROVIDER_EE9, origPpEe9); + } else { + System.clearProperty(JACC_POLICY_PROVIDER_EE9); + } + if (origFn != null) { + System.getProperty(JACC_FACTORY, origFn); + } else { + System.clearProperty(JACC_FACTORY); + } + if (origFnEe9 != null) { + System.getProperty(JACC_FACTORY_EE9, origFnEe9); + } else { + System.clearProperty(JACC_FACTORY_EE9); + } + Policy.setPolicy(policy); + } + + /** + * Tests propagateWebSecurity method + * Expected result: no exception + */ + @Test + public void propagateWebConstraintsNull() { + try { + webJaccService.propagateWebConstraints(null, null, null); + } catch (Exception e) { + fail("Exception is caught : " + e); + } + } + + /** + * Tests isSSLRequire method + * Expected result: true if there is some error in the parameter. + */ + @Test + public void isSSLRequired() { + final String appName = "applicationName"; + final String moduleName = "moduleName"; + final String uriName = "/test/index.html"; + final String method = "GET"; + + try { + assertTrue(webJaccService.isSSLRequired(appName, moduleName, uriName, method, req)); + } catch (Exception e) { + fail("Exception is caught : " + e); + } + } + + /** + * Tests isAccessExcluded method + * Expected result: true if there is some error in the parameter. + */ + @Test + public void isAccessExcluded() { + final String appName = "applicationName"; + final String moduleName = "moduleName"; + final String uriName = "/test/index.html"; + final String method = "GET"; + + try { + assertTrue(webJaccService.isAccessExcluded(appName, moduleName, uriName, method, req)); + } catch (Exception e) { + fail("Exception is caught : " + e); + } + } + + /** + * Tests isSSLRequire method + * Expected result: true if there is no permission defined. 
+ */ + @Test + public void isSSlRequiredValid() { + final String appName = "applicationName"; + final String moduleName = "moduleName"; + final String directory = "/wlp/test"; + final String name = "jaccServer"; + final String uriName = "/test/index.html"; + final String method = "GET"; + final JaccServiceImpl jaccService = JaccServiceTestUtil.createJaccService(pcm); + context.checking(new Expectations() { + { + allowing(jaccProviderServiceRef).getProperty(JACC_POLICY_PROVIDER); + allowing(jaccProviderServiceRef).getProperty(JACC_POLICY_PROVIDER_EE9); + will(returnValue(JACC_POLICY_PROVIDER_IMPL)); + allowing(jaccProviderServiceRef).getProperty(JACC_FACTORY); + allowing(jaccProviderServiceRef).getProperty(JACC_FACTORY_EE9); + will(returnValue(JACC_FACTORY_IMPL)); + allowing(cc).locateService("jaccProviderServiceProxy", jaccProviderServiceProxyRef); + will(returnValue(jaccProviderServiceProxy)); + allowing(cc).locateService("jaccProviderService", jaccProviderServiceRef); + will(returnValue(jaccProviderService)); + allowing(cc).locateService("locationAdmin", wsLocationAdminRef); + will(returnValue(wsLocationAdmin)); + allowing(jaccProviderServiceProxy).getPolicyProxy(); + will(returnValue(policyProxy)); + allowing(jaccProviderServiceProxy).getPolicyConfigFactory(); + will(returnValue(pcf)); + allowing(jaccProviderService).getPolicy(); + will(returnValue(policy)); + allowing(policyProxy).setPolicy(); + allowing(policyProxy).refresh(); + allowing(jaccProviderService).getPolicyConfigFactory(); + will(returnValue(pcf)); + allowing(jaccProviderServiceProxy).getPolicyName(); + will(returnValue(JACC_POLICY_PROVIDER_IMPL)); + allowing(jaccProviderServiceProxy).getFactoryName(); + will(returnValue(JACC_FACTORY_IMPL)); + allowing(wsLocationAdmin).resolveString("${wlp.user.dir}"); + will(returnValue(directory)); + allowing(wsLocationAdmin).getServerName(); + will(returnValue(name)); + allowing(cc).locateService("jaccService", jaccServiceRef); + will(returnValue(jaccService)); + 
allowing(policyProxy).implies(with(any(String.class)), with(aNull(Subject.class)), with(any(WebUserDataPermission.class))); + will(returnValue(false)); + } + }); + + try { + JaccServiceTestUtil.initJaccService(jaccService, jaccProviderServiceProxyRef, jaccProviderServiceRef, wsLocationAdminRef, cc); + webJaccService.setJaccService(jaccServiceRef); + webJaccService.activate(cc); + assertTrue(webJaccService.isSSLRequired(appName, moduleName, uriName, method, req)); + // this is for null check + assertTrue(webJaccService.isSSLRequired(appName, moduleName, uriName, method, req)); + } catch (Exception e) { + fail("Exception is caught : " + e); + } + } + + /** + * Tests isAuthorized method + * Expected result: false if there is no permission defined. + */ + @Test + public void isAuthorizedWeb() { + final String appName = "applicationName"; + final String moduleName = "moduleName"; + final String uriName = "/test/*"; + final String method = "GET"; + final Subject subject = new Subject(); + + try { + assertFalse(webJaccService.isAuthorized(appName, moduleName, uriName, method, req, subject)); + } catch (Exception e) { + fail("Exception is caught : " + e); + } + } + + /** + * Tests isAuthorized method + * Expected result: false if there is no permission defined. 
+ */ + @Test + public void isAuthorizedWebDataValid() { + final String appName = "applicationName"; + final String moduleName = "moduleName"; + final String directory = "/wlp/test"; + final String name = "jaccServer"; + final String uriName = "/test/*"; + final String method = "GET"; + final Subject subject = new Subject(); + final JaccServiceImpl jaccService = JaccServiceTestUtil.createJaccService(pcm); + + context.checking(new Expectations() { + { + allowing(jaccProviderServiceRef).getProperty(JACC_POLICY_PROVIDER); + allowing(jaccProviderServiceRef).getProperty(JACC_POLICY_PROVIDER_EE9); + will(returnValue(JACC_POLICY_PROVIDER_IMPL)); + allowing(jaccProviderServiceRef).getProperty(JACC_FACTORY); + allowing(jaccProviderServiceRef).getProperty(JACC_FACTORY_EE9); + will(returnValue(JACC_FACTORY_IMPL)); + allowing(cc).locateService("jaccProviderServiceProxy", jaccProviderServiceProxyRef); + will(returnValue(jaccProviderServiceProxy)); + allowing(cc).locateService("jaccProviderService", jaccProviderServiceRef); + will(returnValue(jaccProviderService)); + allowing(cc).locateService("locationAdmin", wsLocationAdminRef); + will(returnValue(wsLocationAdmin)); + allowing(jaccProviderServiceProxy).getPolicyProxy(); + will(returnValue(policyProxy)); + allowing(jaccProviderServiceProxy).getPolicyConfigFactory(); + will(returnValue(pcf)); + allowing(jaccProviderService).getPolicy(); + will(returnValue(policy)); + allowing(policyProxy).setPolicy(); + allowing(policyProxy).refresh(); + allowing(jaccProviderService).getPolicyConfigFactory(); + will(returnValue(pcf)); + allowing(jaccProviderServiceProxy).getPolicyName(); + will(returnValue(JACC_POLICY_PROVIDER_IMPL)); + allowing(jaccProviderServiceProxy).getFactoryName(); + will(returnValue(JACC_FACTORY_IMPL)); + allowing(wsLocationAdmin).resolveString("${wlp.user.dir}"); + will(returnValue(directory)); + allowing(wsLocationAdmin).getServerName(); + will(returnValue(name)); + allowing(cc).locateService("jaccService", 
jaccServiceRef); + will(returnValue(jaccService)); + allowing(policyProxy).implies(with(any(String.class)), with(any(Subject.class)), with(any(WebResourcePermission.class))); + will(returnValue(false)); + } + }); + + try { + JaccServiceTestUtil.initJaccService(jaccService, jaccProviderServiceProxyRef, jaccProviderServiceRef, wsLocationAdminRef, cc); + webJaccService.setJaccService(jaccServiceRef); + webJaccService.activate(cc); + assertFalse(webJaccService.isAuthorized(appName, moduleName, uriName, method, req, subject)); + } catch (Exception e) { + fail("Exception is caught : " + e); + } + } + + /** + * Tests isSubjectInRole method + * Expected result: false if there is no permission defined. + */ + @Test + public void isWebSubjectInRole() { + final String appName = "applicationName"; + final String moduleName = "moduleName"; + final String servletName = "servlet.class"; + final String role = "UserRole"; + final Subject subject = new Subject(); + try { + assertFalse(webJaccService.isSubjectInRole(appName, moduleName, servletName, role, req, subject)); + } catch (Exception e) { + fail("Exception is caught : " + e); + } + } + + /** + * Tests isSubjectInRole method + * Expected result: false if there is no permission defined. 
+ */ + @Test + public void isWebSubjectInRoleValid() { + final String appName = "applicationName"; + final String moduleName = "moduleName"; + final String directory = "/wlp/test"; + final String name = "jaccServer"; + final String servletName = "servlet.class"; + final String role = "UserRole"; + final Subject subject = new Subject(); + final JaccServiceImpl jaccService = JaccServiceTestUtil.createJaccService(pcm); + + context.checking(new Expectations() { + { + allowing(jaccProviderServiceRef).getProperty(JACC_POLICY_PROVIDER); + allowing(jaccProviderServiceRef).getProperty(JACC_POLICY_PROVIDER_EE9); + will(returnValue(JACC_POLICY_PROVIDER_IMPL)); + allowing(jaccProviderServiceRef).getProperty(JACC_FACTORY); + allowing(jaccProviderServiceRef).getProperty(JACC_FACTORY_EE9); + will(returnValue(JACC_FACTORY_IMPL)); + allowing(cc).locateService("jaccProviderServiceProxy", jaccProviderServiceProxyRef); + will(returnValue(jaccProviderServiceProxy)); + allowing(cc).locateService("jaccProviderService", jaccProviderServiceRef); + will(returnValue(jaccProviderService)); + allowing(cc).locateService("locationAdmin", wsLocationAdminRef); + will(returnValue(wsLocationAdmin)); + allowing(jaccProviderServiceProxy).getPolicyProxy(); + will(returnValue(policyProxy)); + allowing(jaccProviderServiceProxy).getPolicyConfigFactory(); + will(returnValue(pcf)); + allowing(jaccProviderService).getPolicy(); + will(returnValue(policy)); + allowing(policyProxy).setPolicy(); + allowing(policyProxy).refresh(); + allowing(jaccProviderService).getPolicyConfigFactory(); + will(returnValue(pcf)); + allowing(jaccProviderServiceProxy).getPolicyName(); + will(returnValue(JACC_POLICY_PROVIDER_IMPL)); + allowing(jaccProviderServiceProxy).getFactoryName(); + will(returnValue(JACC_FACTORY_IMPL)); + allowing(wsLocationAdmin).resolveString("${wlp.user.dir}"); + will(returnValue(directory)); + allowing(wsLocationAdmin).getServerName(); + will(returnValue(name)); + allowing(cc).locateService("jaccService", 
jaccServiceRef); + will(returnValue(jaccService)); + allowing(policyProxy).implies(with(any(String.class)), with(any(Subject.class)), with(any(WebRoleRefPermission.class))); + will(returnValue(true)); + } + }); + + try { + JaccServiceTestUtil.initJaccService(jaccService, jaccProviderServiceProxyRef, jaccProviderServiceRef, wsLocationAdminRef, cc); + webJaccService.setJaccService(jaccServiceRef); + webJaccService.activate(cc); + assertTrue(webJaccService.isSubjectInRole(appName, moduleName, servletName, role, req, subject)); + } catch (Exception e) { + fail("Exception is caught : " + e); + } + } +} diff --git a/dev/com.ibm.ws.security.authorization.jacc.web/test/com/ibm/ws/security/authorization/jacc/web/impl/WebSecurityValidatorImplWithTraceTest.java b/dev/com.ibm.ws.security.authorization.jacc.web/test/com/ibm/ws/security/authorization/jacc/web/impl/WebJaccServiceImplWithTraceTest.java similarity index 81% rename from dev/com.ibm.ws.security.authorization.jacc.web/test/com/ibm/ws/security/authorization/jacc/web/impl/WebSecurityValidatorImplWithTraceTest.java rename to dev/com.ibm.ws.security.authorization.jacc.web/test/com/ibm/ws/security/authorization/jacc/web/impl/WebJaccServiceImplWithTraceTest.java index 98d594e42c3c..74216f082956 100644 --- a/dev/com.ibm.ws.security.authorization.jacc.web/test/com/ibm/ws/security/authorization/jacc/web/impl/WebSecurityValidatorImplWithTraceTest.java +++ b/dev/com.ibm.ws.security.authorization.jacc.web/test/com/ibm/ws/security/authorization/jacc/web/impl/WebJaccServiceImplWithTraceTest.java 
@@ -1,14 +1,11 @@
 /*******************************************************************************
- * Copyright (c) 2015 IBM Corporation and others.
+ * Copyright (c) 2015, 2024 IBM Corporation and others.
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License 2.0
  * which accompanies this distribution, and is available at
  * http://www.eclipse.org/legal/epl-2.0/
- *
- * SPDX-License-Identifier: EPL-2.0
  *
- * Contributors:
- * IBM Corporation - initial API and implementation
+ * SPDX-License-Identifier: EPL-2.0
  *******************************************************************************/
 
 package com.ibm.ws.security.authorization.jacc.web.impl;
@@ -20,7 +17,7 @@
  * Used to drive out any lingering bugs which may only be discovered
  * when tracing is enabled.
  */
-public class WebSecurityValidatorImplWithTraceTest extends WebSecurityValidatorImplTest {
+public class WebJaccServiceImplWithTraceTest extends WebJaccServiceImplTest {
 
     @BeforeClass
     public static void traceSetUp() {
diff --git a/dev/com.ibm.ws.security.authorization.jacc.web/test/com/ibm/ws/security/authorization/jacc/web/impl/WebSecurityPropagatorImplTest.java b/dev/com.ibm.ws.security.authorization.jacc.web/test/com/ibm/ws/security/authorization/jacc/web/impl/WebSecurityPropagatorImplTest.java
deleted file mode 100644
index 37870f1fb826..000000000000
--- a/dev/com.ibm.ws.security.authorization.jacc.web/test/com/ibm/ws/security/authorization/jacc/web/impl/WebSecurityPropagatorImplTest.java
+++ /dev/null
@@ -1,349 +0,0 @@ -/******************************************************************************* - * Copyright (c) 2015 IBM Corporation and others. - * All rights reserved. This program and the accompanying materials - * are made available under the terms of the Eclipse Public License 2.0 - * which accompanies this distribution, and is available at - * http://www.eclipse.org/legal/epl-2.0/ - * - * SPDX-License-Identifier: EPL-2.0 - * - * Contributors: - * IBM Corporation - initial API and implementation - *******************************************************************************/ - -package com.ibm.ws.security.authorization.jacc.web.impl; - -import static org.junit.Assert.fail; - -import java.security.Permissions; -import java.util.ArrayList; -import java.util.HashMap; -import java.util.Iterator; -import java.util.List; -import java.util.Map; - -import javax.security.jacc.PolicyConfiguration; -import javax.security.jacc.PolicyConfigurationFactory; -import javax.security.jacc.PolicyContextException; -import javax.security.jacc.WebResourcePermission; -import javax.security.jacc.WebRoleRefPermission; - -import org.jmock.Expectations; -import org.jmock.Mockery; -import org.jmock.integration.junit4.JUnit4Mockery; -import org.junit.After; -import org.junit.Before; -import org.junit.Rule; -import org.junit.Test; -import org.junit.rules.TestRule; - -import com.ibm.ws.webcontainer.security.metadata.SecurityConstraint; -import com.ibm.ws.webcontainer.security.metadata.SecurityConstraintCollection; -import com.ibm.ws.webcontainer.security.metadata.SecurityMetadata; -import com.ibm.ws.webcontainer.security.metadata.WebResourceCollection; -import com.ibm.ws.webcontainer.webapp.WebAppConfigExtended; -import com.ibm.wsspi.webcontainer.metadata.WebModuleMetaData; - -import test.common.SharedOutputManager; - -public class WebSecurityPropagatorImplTest { - static final SharedOutputManager outputMgr = SharedOutputManager.getInstance(); - /** - * Using the test rule will drive 
capture/restore and will dump on error.. - * Notice this is not a static variable, though it is being assigned a value we - * allocated statically. -- the normal-variable-ness is for before/after processing - */ - @Rule - public TestRule managerRule = outputMgr; - - private final Mockery context = new JUnit4Mockery(); - private final PolicyConfiguration pc = context.mock(PolicyConfiguration.class); - private final WebAppConfigExtended wac = context.mock(WebAppConfigExtended.class); - private final WebModuleMetaData wmmd = context.mock(WebModuleMetaData.class); - private final SecurityMetadata smd = context.mock(SecurityMetadata.class); - private final SecurityConstraintCollection scc = context.mock(SecurityConstraintCollection.class); - private PolicyConfigurationFactory pcf = null; - - @Before - public void setUp() { - pcf = new DummyPolicyConfigurationFactory(pc); - } - - @After - public void tearDown() throws Exception { - context.assertIsSatisfied(); - } - - /** - * Tests propagateWebConstraints method - * Expected result: no exception. 
- */ - @Test - public void propagateWebConstraintsNormal() { - final String appName = "applicationName"; - final String contextId = "test#context#Id"; - final String role = "webRole"; - final List roles = new ArrayList(); - roles.add(role); - final List servletList = new ArrayList(); - final String servletName = "testServlet"; - servletList.add(servletName); - final Iterator servletNames = servletList.iterator(); - final String refName = "refName"; - final String name = "roleName"; - final Map roleRefs = new HashMap(); - roleRefs.put(refName, name); - final WebRoleRefPermission webRoleRefPerm = new WebRoleRefPermission(servletName, refName); - final WebRoleRefPermission webRolePerm = new WebRoleRefPermission(servletName, role); - final WebRoleRefPermission webRoleDefaultPerm = new WebRoleRefPermission("", role); - final WebRoleRefPermission webRoleRefPermStarStar = new WebRoleRefPermission(servletName, "**"); - final String urlPattern1 = "/*"; - final String urlPattern2 = "/omission/*"; - final String urlPattern3 = "/allmethods/*"; - final List urlPatterns1 = new ArrayList(); - final List urlPatterns2 = new ArrayList(); - final List urlPatterns3 = new ArrayList(); - urlPatterns1.add(urlPattern1); - urlPatterns2.add(urlPattern2); - urlPatterns3.add(urlPattern3); - final String method1 = "GET"; - final String method2 = "POST"; - final List methods1 = new ArrayList(); - final List methods2 = new ArrayList(); - methods1.add(method1); - methods2.add(method2); - final WebResourceCollection wrc1 = new WebResourceCollection(urlPatterns1, methods1); - final WebResourceCollection wrc2 = new WebResourceCollection(urlPatterns2, new ArrayList(), methods2); - final WebResourceCollection wrc3 = new WebResourceCollection(urlPatterns3, new ArrayList()); - final List wrcs = new ArrayList(); - wrcs.add(wrc1); - wrcs.add(wrc2); - wrcs.add(wrc3); - final SecurityConstraint sc = new SecurityConstraint(wrcs, roles, false, false, false, false); - final List scs = new ArrayList(); - 
scs.add(sc); - final WebResourcePermission webResPerm1 = new WebResourcePermission(urlPattern1 + ":" + urlPattern2 + ":" + urlPattern3, method1); - final WebResourcePermission webResPerm2 = new WebResourcePermission(urlPattern2, "!" + method2); - final WebResourcePermission webResPerm3 = new WebResourcePermission(urlPattern3, (String) null); - - try { - context.checking(new Expectations() { - { - allowing(wac).getMetaData(); - will(returnValue(wmmd)); - allowing(wmmd).getSecurityMetaData(); - will(returnValue(smd)); - one(smd).getRoles(); - will(returnValue(roles)); - one(wac).getServletNames(); - will(returnValue(servletNames)); - one(smd).getRoleRefs(servletName); - will(returnValue(roleRefs)); - one(pc).addToRole("**", webRoleRefPermStarStar); - one(pc).addToRole(name, webRoleRefPerm); - one(pc).addToRole(role, webRolePerm); - one(pc).addToRole(role, webRoleDefaultPerm); - one(smd).getSecurityConstraintCollection(); - will(returnValue(scc)); - one(scc).getSecurityConstraints(); - will(returnValue(scs)); - one(pc).addToRole(role, webResPerm1); - one(pc).addToRole(role, webResPerm2); - one(pc).addToRole(role, webResPerm3); - one(pc).addToUncheckedPolicy(with(any(Permissions.class))); - atMost(2).of(wac).getApplicationName(); - will(returnValue(appName)); - allowing(pc).linkConfiguration(with(any(PolicyConfiguration.class))); - } - }); - } catch (PolicyContextException e) { - fail("PolicyContextException is caught : " + e); - } - WebSecurityPropagatorImpl wsp = new WebSecurityPropagatorImpl(); - wsp.propagateWebConstraints(pcf, contextId, wac); - } - - /** - * Tests propagateWebConstraints method - * webconfig object is null. 
- * Expected result: do nothing - */ - @Test - public void propagateWebConstraintsNullWebConfigObject() { - final String contextId = "test#context#Id"; - - WebSecurityPropagatorImpl wsp = new WebSecurityPropagatorImpl(); - wsp.propagateWebConstraints(pcf, contextId, null); - } - - /** - * Tests propagateWebConstraints method - * Expected result: no exception. - */ - @Test - public void propagateWebConstraintsNormalAlternative1() { - final String appName = "applicationName"; - final String contextId = "test#context#Id"; - final String role = "webRole"; - final List roles = new ArrayList(); - roles.add(role); - final List servletList = new ArrayList(); - final String servletName = "testServlet"; - servletList.add(servletName); - final Iterator servletNames = servletList.iterator(); - final String refName = "refName"; - final String name = "roleName"; - final Map roleRefs = new HashMap(); - roleRefs.put(refName, name); - final WebRoleRefPermission webRoleRefPermStarStar = new WebRoleRefPermission(servletName, "**"); - final WebRoleRefPermission webRoleRefPerm = new WebRoleRefPermission(servletName, refName); - final WebRoleRefPermission webRolePerm = new WebRoleRefPermission(servletName, role); - final WebRoleRefPermission webRoleDefaultPerm = new WebRoleRefPermission("", role); - final String urlPattern1 = "/*"; - final String urlPattern2 = "/omission/*"; - final String urlPattern3 = "/allmethods/*"; - final List urlPatterns1 = new ArrayList(); - final List urlPatterns2 = new ArrayList(); - final List urlPatterns3 = new ArrayList(); - urlPatterns1.add(urlPattern1); - urlPatterns2.add(urlPattern2); - urlPatterns3.add(urlPattern3); - final String method1 = "GET"; - final String method2 = "POST"; - final List methods1 = new ArrayList(); - final List methods2 = new ArrayList(); - methods1.add(method1); - methods2.add(method2); - final WebResourceCollection wrc1 = new WebResourceCollection(urlPatterns1, methods1); - final WebResourceCollection wrc2 = new 
WebResourceCollection(urlPatterns2, new ArrayList(), methods2, true); - final WebResourceCollection wrc3 = new WebResourceCollection(urlPatterns3, new ArrayList()); - final List wrcs = new ArrayList(); - wrcs.add(wrc1); - wrcs.add(wrc2); - wrcs.add(wrc3); - final SecurityConstraint sc = new SecurityConstraint(wrcs, null, true, true, false, false); - final List scs = new ArrayList(); - scs.add(sc); - - try { - context.checking(new Expectations() { - { - allowing(wac).getMetaData(); - will(returnValue(wmmd)); - allowing(wmmd).getSecurityMetaData(); - will(returnValue(smd)); - one(smd).getRoles(); - will(returnValue(roles)); - one(wac).getServletNames(); - will(returnValue(servletNames)); - one(smd).getRoleRefs(servletName); - will(returnValue(roleRefs)); - one(pc).addToRole("**", webRoleRefPermStarStar); - one(pc).addToRole(name, webRoleRefPerm); - one(pc).addToRole(role, webRolePerm); - one(pc).addToRole(role, webRoleDefaultPerm); - one(smd).getSecurityConstraintCollection(); - will(returnValue(scc)); - one(scc).getSecurityConstraints(); - will(returnValue(scs)); - one(pc).addToExcludedPolicy(with(any(Permissions.class))); - atMost(2).of(wac).getApplicationName(); - will(returnValue(appName)); - allowing(pc).linkConfiguration(with(any(PolicyConfiguration.class))); - } - }); - } catch (PolicyContextException e) { - fail("PolicyContextException is caught : " + e); - } - WebSecurityPropagatorImpl wsp = new WebSecurityPropagatorImpl(); - wsp.propagateWebConstraints(pcf, contextId, wac); - } - - /** - * Tests propagateWebConstraints method - * Expected result: no exception. 
- */ - @Test - public void propagateWebConstraintsNormalAlternative2() { - final String appName = "applicationName"; - final String contextId = "test#context#Id"; - final String role = "webRole"; - final List roles = new ArrayList(); - roles.add(role); - final List servletList = new ArrayList(); - final String servletName = "testServlet"; - servletList.add(servletName); - final Iterator servletNames = servletList.iterator(); - final String refName = "refName"; - final String name = "roleName"; - final Map roleRefs = new HashMap(); - roleRefs.put(refName, name); - final WebRoleRefPermission webRoleRefPermStarStar = new WebRoleRefPermission(servletName, "**"); - final WebRoleRefPermission webRoleRefPerm = new WebRoleRefPermission(servletName, refName); - final WebRoleRefPermission webRolePerm = new WebRoleRefPermission(servletName, role); - final WebRoleRefPermission webRoleDefaultPerm = new WebRoleRefPermission("", role); - final String urlPattern1 = "/exact"; - final String urlPattern2 = "*.html"; - final String urlPattern3 = "/"; - final String urlPattern4 = "/"; - final List urlPatterns1 = new ArrayList(); - final List urlPatterns2 = new ArrayList(); - final List urlPatterns3 = new ArrayList(); - final List urlPatterns4 = new ArrayList(); - urlPatterns1.add(urlPattern1); - urlPatterns2.add(urlPattern2); - urlPatterns3.add(urlPattern3); - urlPatterns4.add(urlPattern4); - final String method1 = "GET"; - final String method2 = "POST"; - final List methods1 = new ArrayList(); - final List methods2 = new ArrayList(); - methods1.add(method1); - methods2.add(method2); - final WebResourceCollection wrc1 = new WebResourceCollection(urlPatterns1, methods1); - final WebResourceCollection wrc2 = new WebResourceCollection(urlPatterns2, new ArrayList(), methods2); - final WebResourceCollection wrc3 = new WebResourceCollection(urlPatterns3, new ArrayList()); - final WebResourceCollection wrc4 = new WebResourceCollection(urlPatterns4, methods2); - final List wrcs = new 
ArrayList(); - wrcs.add(wrc1); - wrcs.add(wrc2); - wrcs.add(wrc3); - wrcs.add(wrc4); - final SecurityConstraint sc = new SecurityConstraint(wrcs, null, true, false, false, false); - final List scs = new ArrayList(); - scs.add(sc); - - try { - context.checking(new Expectations() { - { - allowing(wac).getMetaData(); - will(returnValue(wmmd)); - allowing(wmmd).getSecurityMetaData(); - will(returnValue(smd)); - one(smd).getRoles(); - will(returnValue(roles)); - one(wac).getServletNames(); - will(returnValue(servletNames)); - one(smd).getRoleRefs(servletName); - will(returnValue(roleRefs)); - one(pc).addToRole("**", webRoleRefPermStarStar); - one(pc).addToRole(name, webRoleRefPerm); - one(pc).addToRole(role, webRolePerm); - one(pc).addToRole(role, webRoleDefaultPerm); - one(smd).getSecurityConstraintCollection(); - will(returnValue(scc)); - one(scc).getSecurityConstraints(); - will(returnValue(scs)); - one(pc).addToUncheckedPolicy(with(any(Permissions.class))); - atMost(2).of(wac).getApplicationName(); - will(returnValue(appName)); - allowing(pc).linkConfiguration(with(any(PolicyConfiguration.class))); - } - }); - } catch (PolicyContextException e) { - fail("PolicyContextException is caught : " + e); - } - WebSecurityPropagatorImpl wsp = new WebSecurityPropagatorImpl(); - wsp.propagateWebConstraints(pcf, contextId, wac); - } -} diff --git a/dev/com.ibm.ws.security.authorization.jacc.web/test/com/ibm/ws/security/authorization/jacc/web/impl/WebSecurityPropagatorImplWithTraceTest.java b/dev/com.ibm.ws.security.authorization.jacc.web/test/com/ibm/ws/security/authorization/jacc/web/impl/WebSecurityPropagatorImplWithTraceTest.java deleted file mode 100644 index 21f9f5016bd8..000000000000 --- a/dev/com.ibm.ws.security.authorization.jacc.web/test/com/ibm/ws/security/authorization/jacc/web/impl/WebSecurityPropagatorImplWithTraceTest.java +++ /dev/null 
@@ -1,35 +0,0 @@
-/*******************************************************************************
- * Copyright (c) 2015 IBM Corporation and others.
- * All rights reserved. This program and the accompanying materials
- * are made available under the terms of the Eclipse Public License 2.0
- * which accompanies this distribution, and is available at
- * http://www.eclipse.org/legal/epl-2.0/
- *
- * SPDX-License-Identifier: EPL-2.0
- *
- * Contributors:
- * IBM Corporation - initial API and implementation
- *******************************************************************************/
-package com.ibm.ws.security.authorization.jacc.web.impl;
-
-import org.junit.AfterClass;
-import org.junit.BeforeClass;
-
-/**
- * Drives the extended JUnit tests but with all trace enabled.
- * Used to drive out any lingering bugs which may only be discovered
- * when tracing is enabled.
- */
-public class WebSecurityPropagatorImplWithTraceTest extends WebSecurityPropagatorImplTest {
-
-    @BeforeClass
-    public static void traceSetUp() {
-        outputMgr.trace("*=all");
-    }
-
-    @AfterClass
-    public static void traceTearDown() {
-        outputMgr.trace("*=all=disabled");
-    }
-
-}
diff --git a/dev/com.ibm.ws.security.authorization.jacc.web/test/com/ibm/ws/security/authorization/jacc/web/impl/WebSecurityValidatorImplTest.java b/dev/com.ibm.ws.security.authorization.jacc.web/test/com/ibm/ws/security/authorization/jacc/web/impl/WebSecurityValidatorImplTest.java
deleted file mode 100644
index 5bb91ee459df..000000000000
--- a/dev/com.ibm.ws.security.authorization.jacc.web/test/com/ibm/ws/security/authorization/jacc/web/impl/WebSecurityValidatorImplTest.java
+++ /dev/null
@@ -1,141 +0,0 @@ -/******************************************************************************* - * Copyright (c) 2015, 2024 IBM Corporation and others. - * All rights reserved. This program and the accompanying materials - * are made available under the terms of the Eclipse Public License 2.0 - * which accompanies this distribution, and is available at - * http://www.eclipse.org/legal/epl-2.0/ - * - * SPDX-License-Identifier: EPL-2.0 - * - * Contributors: - * IBM Corporation - initial API and implementation - *******************************************************************************/ - -package com.ibm.ws.security.authorization.jacc.web.impl; - -import static org.junit.Assert.assertFalse; - -import java.security.Principal; -import java.util.HashSet; -import java.util.Set; - -import javax.security.auth.Subject; -import javax.security.auth.x500.X500Principal; -import javax.security.jacc.PolicyConfiguration; -import javax.security.jacc.PolicyConfigurationFactory; -import javax.security.jacc.WebResourcePermission; -import javax.security.jacc.WebUserDataPermission; -import javax.servlet.http.HttpServletRequest; - -import org.jmock.Mockery; -import org.jmock.integration.junit4.JUnit4Mockery; -import org.junit.After; -import org.junit.Before; -import org.junit.Rule; -import org.junit.Test; -import org.junit.rules.TestRule; - -import io.openliberty.security.authorization.jacc.internal.proxy.JavaSePolicyProxyImpl; -import test.common.SharedOutputManager; - -public class WebSecurityValidatorImplTest { - static final SharedOutputManager outputMgr = SharedOutputManager.getInstance(); - /** - * Using the test rule will drive capture/restore and will dump on error.. - * Notice this is not a static variable, though it is being assigned a value we - * allocated statically. 
-- the normal-variable-ness is for before/after processing - */ - @Rule - public TestRule managerRule = outputMgr; - - private final Mockery context = new JUnit4Mockery(); - private final HttpServletRequest req = context.mock(HttpServletRequest.class); - private final PolicyConfiguration pc = context.mock(PolicyConfiguration.class); - - private PolicyConfigurationFactory pcf = null; - - @Before - public void setUp() { - pcf = new DummyPolicyConfigurationFactory(pc); - } - - @After - public void tearDown() throws Exception { - context.assertIsSatisfied(); - } - - /** - * Tests checkDataConstraints method - * Expected result: true - */ - @Test - public void checkDataConstraintsNormal() { - final String contextId = "test#context#Id"; - final String uriName = "/context/index.html"; - final String methodName = "POST"; - final String[] mna = new String[] { methodName }; - final WebUserDataPermission wudPerm = new WebUserDataPermission(uriName, mna, null); - WebSecurityValidatorImpl wsv = new WebSecurityValidatorImpl(); - assertFalse(wsv.checkDataConstraints(contextId, req, wudPerm, new JavaSePolicyProxyImpl())); - } - - /** - * Tests checkDataConstraints method - * with invalid httpservletrequest object. 
- * Expected result: false - */ - @Test - public void checkDataConstraintsInvalidObject() { - final String contextId = "test#context#Id"; - final String uriName = "/context/index.html"; - final String methodName = "POST"; - final String[] mna = new String[] { methodName }; - final WebUserDataPermission wudPerm = new WebUserDataPermission(uriName, mna, null); - WebSecurityValidatorImpl wsv = new WebSecurityValidatorImpl(); - assertFalse(wsv.checkDataConstraints(contextId, new String(), wudPerm, new JavaSePolicyProxyImpl())); - assertFalse(wsv.checkDataConstraints(contextId, null, wudPerm, new JavaSePolicyProxyImpl())); - } - - /** - * Tests checkResourceConstraints method - * Expected result: true - */ - @Test - public void checkResourceConstraintsNormal() { - final String contextId = "test#context#Id"; - final String uriName = "/context/index.html"; - final String methodName = "POST"; - final String[] mna = new String[] { methodName }; - final Principal principal = new X500Principal("cn=data"); - final Set principals = new HashSet(); - final Set credentials = new HashSet(); - principals.add(principal); - final Subject subject = new Subject(false, principals, credentials, credentials); - final WebResourcePermission webPerm = new WebResourcePermission(uriName, mna); - WebSecurityValidatorImpl wsv = new WebSecurityValidatorImpl(); - assertFalse(wsv.checkResourceConstraints(contextId, req, webPerm, subject, new JavaSePolicyProxyImpl())); - } - - /** - * Tests checkResourceConstraints method - * with invalid objects - * Expected result: false - */ - @Test - public void checkResourceConstraintsInvalidObject() { - final String contextId = "test#context#Id"; - final String uriName = "/context/index.html"; - final String methodName = "POST"; - final String[] mna = new String[] { methodName }; - final Principal principal = new X500Principal("cn=data"); - final Set principals = new HashSet(); - final Set credentials = new HashSet(); - principals.add(principal); - final 
Subject subject = new Subject(false, principals, credentials, credentials); - final WebResourcePermission webPerm = new WebResourcePermission(uriName, mna); - WebSecurityValidatorImpl wsv = new WebSecurityValidatorImpl(); - assertFalse(wsv.checkResourceConstraints(contextId, new String(), webPerm, subject, new JavaSePolicyProxyImpl())); - assertFalse(wsv.checkResourceConstraints(contextId, null, webPerm, subject, new JavaSePolicyProxyImpl())); - } - -} diff --git a/dev/com.ibm.ws.security.authorization.jacc.web/test/io/openliberty/security/authorization/jacc/internal/proxy/ProxyTestUtil.java b/dev/com.ibm.ws.security.authorization.jacc.web/test/io/openliberty/security/authorization/jacc/internal/proxy/ProxyTestUtil.java new file mode 100644 index 000000000000..b6ef29141679 --- /dev/null +++ b/dev/com.ibm.ws.security.authorization.jacc.web/test/io/openliberty/security/authorization/jacc/internal/proxy/ProxyTestUtil.java 
@@ -0,0 +1,35 @@
+/*******************************************************************************
+ * Copyright (c) 2024 IBM Corporation and others.
+ * All rights reserved. This program and the accompanying materials
+ * are made available under the terms of the Eclipse Public License 2.0
+ * which accompanies this distribution, and is available at
+ * http://www.eclipse.org/legal/epl-2.0/
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *******************************************************************************/
+package io.openliberty.security.authorization.jacc.internal.proxy;
+
+import java.security.Policy;
+
+import org.osgi.framework.ServiceReference;
+
+import com.ibm.ws.security.authorization.jacc.common.PolicyProxy;
+import com.ibm.wsspi.security.authorization.jacc.ProviderService;
+
+/**
+ * Utility to set the ProviderService ServiceReference and create a PolicyProxy
+ */
+public class ProxyTestUtil {
+    public static void setProviderService(ProviderServiceProxyImpl providerServiceProxy, ServiceReference jaccProviderServiceRef) {
+        providerServiceProxy.setJaccProviderService(jaccProviderServiceRef);
+    }
+
+    public static void unsetProviderService(ProviderServiceProxyImpl providerServiceProxy, ServiceReference jaccProviderServiceRef) {
+        providerServiceProxy.unsetJaccProviderService(jaccProviderServiceRef);
+    }
+
+    public static PolicyProxy createPolicyProxy(Policy policy) {
+        return new JavaSePolicyProxyImpl(policy);
+    }
+
+}
diff --git a/dev/com.ibm.ws.security.authorization.jacc/bnd.bnd b/dev/com.ibm.ws.security.authorization.jacc/bnd.bnd
index 1b2b46e9cab7..aa2d0c47d55f 100644
--- a/dev/com.ibm.ws.security.authorization.jacc/bnd.bnd
+++ b/dev/com.ibm.ws.security.authorization.jacc/bnd.bnd
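Review bot: Both `setProviderService` and `unsetProviderService` take a raw `ServiceReference`, while `ProviderService` is imported and never used, which reads as if the intended parameter type was `ServiceReference<ProviderService>`. Declaring the parameter as `ServiceReference<ProviderService> jaccProviderServiceRef` in both signatures would make the import meaningful and avoid raw-type warnings, provided `ProviderServiceProxyImpl.setJaccProviderService` and `unsetJaccProviderService` accept that parameterization (their declarations are not in this diff); otherwise the unused import should be dropped. Since `ProxyTestUtil` holds only static methods, a `private ProxyTestUtil() {}` constructor would also prevent accidental instantiation.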
@@ -33,7 +33,6 @@ instrument.classesExcludes: com/ibm/ws/security/authorization/jacc/internal/reso
 com.ibm.websphere.javaee.jacc.1.5;version=latest,\
 com.ibm.ws.container.service;version=latest,\
 com.ibm.ws.logging;version=latest,\
- com.ibm.ws.security.authorization;version=latest,\
 com.ibm.websphere.appserver.spi.kernel.service;version=latest, \
 com.ibm.websphere.security;version=latest, \
 com.ibm.ws.security;version=latest, \
@@ -47,9 +46,5 @@ instrument.classesExcludes: com/ibm/ws/security/authorization/jacc/internal/reso
 org.jmock:jmock;strategy=exact;version=2.5.1, \
 com.ibm.ws.org.objenesis:objenesis;version=1.0, \
 com.ibm.ws.kernel.boot;version=latest,\
- com.ibm.websphere.appserver.spi.servlet;version=latest,\
- com.ibm.websphere.javaee.ejb.3.2;version=latest,\
- com.ibm.websphere.javaee.servlet.3.0;version=latest,\
 com.ibm.ws.adaptable.module;version=latest,\
- com.ibm.ws.classloading;version=latest,\
- com.ibm.ws.webcontainer.security;version=latest
+ com.ibm.ws.classloading;version=latest
diff --git a/dev/com.ibm.ws.security.authorization.jacc/original.bnd b/dev/com.ibm.ws.security.authorization.jacc/original.bnd
index 8ea75abf2048..586ac1cd0291 100644
--- a/dev/com.ibm.ws.security.authorization.jacc/original.bnd
+++ b/dev/com.ibm.ws.security.authorization.jacc/original.bnd
@@ -16,14 +16,13 @@ Bundle-SymbolicName: com.ibm.ws.security.authorization.jacc.common Bundle-Description: WAS Security JACC Service, version=${bVersion} Export-Package: \ + com.ibm.ws.security.authorization.jacc;provide:=true, \ com.ibm.ws.security.authorization.jacc.ejb, \ - com.ibm.ws.security.authorization.jacc.web, \ - com.ibm.ws.security.authorization.jacc.common, \ - com.ibm.ws.security.authorization.jacc;provide:=true + com.ibm.ws.security.authorization.jacc.common Private-Package: com.ibm.ws.security.authorization.jacc.internal, \ com.ibm.ws.security.authorization.jacc.internal.resources -dsannotations: \ com.ibm.ws.security.authorization.jacc.internal.JaccServiceImpl, \ - com.ibm.ws.security.authorization.jacc.common.PolicyConfigurationManager + com.ibm.ws.security.authorization.jacc.common.PolicyConfigurationManagerImpl diff --git a/dev/com.ibm.ws.security.authorization.jacc/src/com/ibm/ws/security/authorization/jacc/JaccService.java b/dev/com.ibm.ws.security.authorization.jacc/src/com/ibm/ws/security/authorization/jacc/JaccService.java new file mode 100644 index 000000000000..d20d6db34ad3 --- /dev/null +++ b/dev/com.ibm.ws.security.authorization.jacc/src/com/ibm/ws/security/authorization/jacc/JaccService.java 
@@ -0,0 +1,35 @@
+/*******************************************************************************
+ * Copyright (c) 2017, 2024 IBM Corporation and others.
+ * All rights reserved. This program and the accompanying materials
+ * are made available under the terms of the Eclipse Public License 2.0
+ * which accompanies this distribution, and is available at
+ * http://www.eclipse.org/legal/epl-2.0/
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Contributors:
+ * IBM Corporation - initial API and implementation
+ *******************************************************************************/
+package com.ibm.ws.security.authorization.jacc;
+
+import javax.security.jacc.PolicyConfigurationFactory;
+
+import com.ibm.ws.security.authorization.jacc.common.PolicyProxy;
+
+public interface JaccService {
+
+ /**
+ * Reset the policyContext Handler as per JACC specification
+ */
+ public void resetPolicyContextHandlerInfo();
+
+ public String getContextId(String applicationName, String moduleName);
+
+ public PolicyConfigurationFactory getPolicyConfigurationFactory();
+
+ public PolicyConfigurationManager getPolicyConfigurationManager();
+
+ public PolicyProxy getPolicyProxy();
+
+ public String getProviderServiceProperty(String propertyName);
+}
diff --git a/dev/com.ibm.ws.security.authorization/src/com/ibm/ws/security/authorization/jacc/MethodInfo.java b/dev/com.ibm.ws.security.authorization.jacc/src/com/ibm/ws/security/authorization/jacc/MethodInfo.java
similarity index 100%
rename from dev/com.ibm.ws.security.authorization/src/com/ibm/ws/security/authorization/jacc/MethodInfo.java
rename to dev/com.ibm.ws.security.authorization.jacc/src/com/ibm/ws/security/authorization/jacc/MethodInfo.java
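Review bot: Only resetPolicyContextHandlerInfo carries Javadoc in the new JaccService interface; the other five methods, which are now the contract the EJB and web bundles code against, are undocumented. getContextId should state how applicationName and moduleName combine into the JACC context id, and getProviderServiceProperty should say what is returned when the property is absent, since callers cannot tell null from empty from the signature alone; for example `/** Returns the JACC policy context id derived from the application and module names. */` above getContextId. The `public` modifier on interface methods is redundant and can be dropped, which would also match the style of the new PolicyConfigurationManager interface in this same commit.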
diff --git a/dev/com.ibm.ws.security.authorization.jacc/src/com/ibm/ws/security/authorization/jacc/PolicyConfigurationManager.java b/dev/com.ibm.ws.security.authorization.jacc/src/com/ibm/ws/security/authorization/jacc/PolicyConfigurationManager.java
new file mode 100644
index 000000000000..ab70b07dc45e
--- /dev/null
+++ b/dev/com.ibm.ws.security.authorization.jacc/src/com/ibm/ws/security/authorization/jacc/PolicyConfigurationManager.java
@@ -0,0 +1,34 @@
+/*******************************************************************************
+ * Copyright (c) 2024 IBM Corporation and others.
+ * All rights reserved. This program and the accompanying materials
+ * are made available under the terms of the Eclipse Public License 2.0
+ * which accompanies this distribution, and is available at
+ * http://www.eclipse.org/legal/epl-2.0/
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *******************************************************************************/
+package com.ibm.ws.security.authorization.jacc;
+
+import javax.security.jacc.PolicyConfiguration;
+import javax.security.jacc.PolicyConfigurationFactory;
+import javax.security.jacc.PolicyContextException;
+
+import com.ibm.ws.security.authorization.jacc.common.PolicyProxy;
+import com.ibm.ws.security.authorization.jacc.ejb.EJBSecurityPropagator;
+
+public interface PolicyConfigurationManager {
+
+ void setEJBSecurityPropagator(EJBSecurityPropagator esp);
+
+ void initialize(PolicyProxy policyProxy, PolicyConfigurationFactory pcf);
+
+ void linkConfiguration(String appName, PolicyConfiguration pc) throws PolicyContextException;
+
+ void addModule(String appName, String contextId);
+
+ boolean containModule(String appName, String contextId);
+
+ void removeModule(String appName, String contextId);
+
+ void addEJB(String appName, String contextId);
+}
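Review bot: None of the seven methods on the new PolicyConfigurationManager interface is documented, and the ordering contract between them is not obvious from the signatures: initialize resets state that the other methods populate, and linkConfiguration declares PolicyContextException without saying when it is thrown. Add a short interface Javadoc and a `@throws PolicyContextException` on linkConfiguration, for example `/** Links pc to the PolicyConfiguration already registered for appName and records it for a later commit. @throws PolicyContextException if the provider rejects the link */`. Since this interface is new and presumably has no callers outside the bundle yet, this is also the moment to rename `containModule` to `containsModule`, the verb form the Java collection APIs use.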
diff --git a/dev/com.ibm.ws.security.authorization/src/com/ibm/ws/security/authorization/jacc/RoleInfo.java b/dev/com.ibm.ws.security.authorization.jacc/src/com/ibm/ws/security/authorization/jacc/RoleInfo.java similarity index 100% rename from dev/com.ibm.ws.security.authorization/src/com/ibm/ws/security/authorization/jacc/RoleInfo.java rename to dev/com.ibm.ws.security.authorization.jacc/src/com/ibm/ws/security/authorization/jacc/RoleInfo.java diff --git a/dev/com.ibm.ws.security.authorization.jacc/src/com/ibm/ws/security/authorization/jacc/common/PolicyConfigurationManager.java b/dev/com.ibm.ws.security.authorization.jacc/src/com/ibm/ws/security/authorization/jacc/common/PolicyConfigurationManagerImpl.java similarity index 77% rename from dev/com.ibm.ws.security.authorization.jacc/src/com/ibm/ws/security/authorization/jacc/common/PolicyConfigurationManager.java rename to dev/com.ibm.ws.security.authorization.jacc/src/com/ibm/ws/security/authorization/jacc/common/PolicyConfigurationManagerImpl.java index e7d22e018965..641903efff81 100644 --- a/dev/com.ibm.ws.security.authorization.jacc/src/com/ibm/ws/security/authorization/jacc/common/PolicyConfigurationManager.java +++ b/dev/com.ibm.ws.security.authorization.jacc/src/com/ibm/ws/security/authorization/jacc/common/PolicyConfigurationManagerImpl.java 
@@ -27,37 +27,41 @@ import com.ibm.websphere.ras.TraceComponent; import com.ibm.ws.container.service.app.deploy.ApplicationInfo; import com.ibm.ws.container.service.state.ApplicationStateListener; +import com.ibm.ws.security.authorization.jacc.PolicyConfigurationManager; import com.ibm.ws.security.authorization.jacc.ejb.EJBSecurityPropagator; -@Component(service = { ApplicationStateListener.class }) -public class PolicyConfigurationManager implements ApplicationStateListener { - private static final TraceComponent tc = Tr.register(PolicyConfigurationManager.class); - private static final Map> pcConfigsMap = new ConcurrentHashMap>(); - private static final Map> pcModulesMap = new ConcurrentHashMap>(); - private static final Map> pcEjbMap = new ConcurrentHashMap>(); - private static final List pcRunningList = new ArrayList(); +@Component(service = { ApplicationStateListener.class, PolicyConfigurationManager.class }) +public class PolicyConfigurationManagerImpl implements ApplicationStateListener, PolicyConfigurationManager { + private static final TraceComponent tc = Tr.register(PolicyConfigurationManagerImpl.class); + private final Map> pcConfigsMap = new ConcurrentHashMap>(); + private final Map> pcModulesMap = new ConcurrentHashMap>(); + private final Map> pcEjbMap = new ConcurrentHashMap>(); + private final List pcRunningList = new ArrayList(); - private static PolicyConfigurationFactory pcf = null; - private static PolicyProxy policyProxy = null; - private static EJBSecurityPropagator esp = null; + private PolicyConfigurationFactory pcf = null; + private PolicyProxy policyProxy = null; + private EJBSecurityPropagator esp = null; // for listener.. 
- public PolicyConfigurationManager() { + public PolicyConfigurationManagerImpl() { } - public static void initialize(PolicyProxy policyProxy, PolicyConfigurationFactory pcf) { - PolicyConfigurationManager.policyProxy = policyProxy; - PolicyConfigurationManager.pcf = pcf; + @Override + public void setEJBSecurityPropagator(EJBSecurityPropagator esp) { + this.esp = esp; + } + + @Override + public void initialize(PolicyProxy policyProxy, PolicyConfigurationFactory pcf) { + this.policyProxy = policyProxy; + this.pcf = pcf; pcConfigsMap.clear(); pcModulesMap.clear(); pcRunningList.clear(); } - public static void setEJBSecurityPropagator(EJBSecurityPropagator esp) { - PolicyConfigurationManager.esp = esp; - } - - public static void linkConfiguration(String appName, PolicyConfiguration pc) throws PolicyContextException { + @Override + public void linkConfiguration(String appName, PolicyConfiguration pc) throws PolicyContextException { List pcs = pcConfigsMap.get(appName); if (pcs != null) { pc.linkConfiguration(pcs.get(0)); @@ -68,7 +72,8 @@ public static void linkConfiguration(String appName, PolicyConfiguration pc) thr pcs.add(pc); } - public static void addModule(String appName, String contextId) { + @Override + public void addModule(String appName, String contextId) { List ctxIds = pcModulesMap.get(appName); if (ctxIds == null) { ctxIds = new ArrayList(); @@ -85,7 +90,8 @@ public static void addModule(String appName, String contextId) { } } - public static boolean containModule(String appName, String contextId) { + @Override + public boolean containModule(String appName, String contextId) { List ctxIds = pcModulesMap.get(appName); if (ctxIds != null && ctxIds.contains(contextId)) { return true; 
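Review bot: initialize() clears pcConfigsMap, pcModulesMap and pcRunningList but leaves pcEjbMap intact, so EJB context ids recorded by addEJB before a re-initialization survive into the next policyProxy/pcf pair and processEJBs (in the @@ -122,16 hunk of this file) will replay them against the new factory; if that is not intentional, add `pcEjbMap.clear();` alongside the other three, and if it is, a one-line comment explaining the asymmetry would stop the next reader from "fixing" it. Separately, pcRunningList is a plain ArrayList while the three maps are ConcurrentHashMaps; isApplicationRunning reads it and presumably the ApplicationStateListener callbacks (outside this hunk) add and remove entries, so `new CopyOnWriteArrayList()` would match the maps' thread-safety without changing behaviour. The class body continues outside this hunk.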
@@ -93,7 +99,8 @@ public static boolean containModule(String appName, String contextId) { return false; } - public static void removeModule(String appName, String contextId) { + @Override + public void removeModule(String appName, String contextId) { List ctxIds = pcModulesMap.get(appName); if (ctxIds != null) { int index = ctxIds.indexOf(contextId); @@ -109,7 +116,8 @@ public static void removeModule(String appName, String contextId) { } } - public static void addEJB(String appName, String contextId) { + @Override + public void addEJB(String appName, String contextId) { // ejb modules are not processed yet, so store the propagater for propagating the data upon starting application. List ctxIds = pcEjbMap.get(appName); if (ctxIds == null) { @@ -122,16 +130,16 @@ public static void addEJB(String appName, String contextId) { addModule(appName, contextId); } - public static boolean isApplicationRunning(String appName) { + public boolean isApplicationRunning(String appName) { return pcRunningList.contains(appName); } - protected static void processEJBs(String appName) { + protected void processEJBs(String appName) { List ctxIds = pcEjbMap.get(appName); if (ctxIds != null) { for (String contextId : ctxIds) { if (esp != null) { - esp.processEJBRoles(pcf, contextId); + esp.processEJBRoles(pcf, contextId, this); } else { Tr.error(tc, "JACC_NO_EJB_PLUGIN"); } @@ -140,7 +148,7 @@ protected static void processEJBs(String appName) { } } - private static void commitModules(String appName) { + private void commitModules(String appName) { List pcs = pcConfigsMap.get(appName); if (pcs != null) { for (PolicyConfiguration pc : pcs) { @@ -162,7 +170,7 @@ private static void commitModules(String appName) { } } - private static void removeModules(String appName) { + private void removeModules(String appName) { List ctxIds = pcModulesMap.get(appName); if (ctxIds != null) { for (String ctxId : ctxIds) { 
diff --git a/dev/com.ibm.ws.security.authorization.jacc/src/com/ibm/ws/security/authorization/jacc/common/PolicyContextHandlerImpl.java b/dev/com.ibm.ws.security.authorization.jacc/src/com/ibm/ws/security/authorization/jacc/common/PolicyContextHandlerImpl.java index c821a4eb744b..a050f3cda456 100644 --- a/dev/com.ibm.ws.security.authorization.jacc/src/com/ibm/ws/security/authorization/jacc/common/PolicyContextHandlerImpl.java +++ b/dev/com.ibm.ws.security.authorization.jacc/src/com/ibm/ws/security/authorization/jacc/common/PolicyContextHandlerImpl.java @@ -1,10 +1,10 @@ /******************************************************************************* - * Copyright (c) 2015, 2020 IBM Corporation and others. + * Copyright (c) 2015, 2024 IBM Corporation and others. * All rights reserved. This program and the accompanying materials * are made available under the terms of the Eclipse Public License 2.0 * which accompanies this distribution, and is available at * http://www.eclipse.org/legal/epl-2.0/ - * + * * SPDX-License-Identifier: EPL-2.0 * * Contributors: 
@@ -17,34 +17,64 @@ import javax.security.jacc.PolicyContextException; import javax.security.jacc.PolicyContextHandler; +import com.ibm.ws.ffdc.annotation.FFDCIgnore; + public class PolicyContextHandlerImpl implements PolicyContextHandler { - private static boolean initialized = false; + private static final String[] keysArray = getKeysArray(); - private static final String[] keysArray = new String[] { - // Maintain order from EE8-. Probably doesn't matter. - "javax.security.auth.Subject.container", - "javax.xml.soap.SOAPMessage", - "javax.servlet.http.HttpServletRequest", - "javax.ejb.EnterpriseBean", - "javax.ejb.arguments", + @FFDCIgnore(Throwable.class) + private static String[] getKeysArray() { + String[] keysArrayToUse; + boolean principalMapperSupported = false; + // If it is before EE 9, we can skip checking if is EE 11 or later version + if (PolicyContextHandler.class.getName().startsWith("jakarta")) { + Class principalMapperClass = null; + try { + principalMapperClass = Class.forName("jakarta.security.jacc.PrincipalMapper", false, PolicyContextHandlerImpl.class.getClassLoader()); + } catch (Throwable t) { - // EE9+ unique keys below here. - "jakarta.xml.soap.SOAPMessage", - "jakarta.servlet.http.HttpServletRequest", - "jakarta.ejb.EnterpriseBean", - "jakarta.ejb.arguments" - }; + } + principalMapperSupported = principalMapperClass != null; + } + if (principalMapperSupported) { + /** Keys for Jakarta EE 11 and higher. */ + keysArrayToUse = new String[] { + // Maintain order from EE8-. Probably doesn't matter. + // javax prefixed strings will be converted during transformation + // except javax.security.auth since that is Java SE + "javax.security.auth.Subject.container", + "jakarta.xml.soap.SOAPMessage", + "jakarta.servlet.http.HttpServletRequest", + "jakarta.ejb.EnterpriseBean", + "jakarta.ejb.arguments", - private static PolicyContextHandlerImpl pchi; + // EE11+ unique keys below here. 
+ "jakarta.security.jacc.PrincipalMapper" + }; - private PolicyContextHandlerImpl() {} + } else { + // javax.ejb, javax.servlet and javax.xml.soap prefixed strings will be jakarta-ized during transformation + keysArrayToUse = new String[] { + // Maintain order from EE8-. Probably doesn't matter. + // javax prefixed strings will be converted during transformation + // except javax.security.auth since that is Java SE + "javax.security.auth.Subject.container", + "javax.xml.soap.SOAPMessage", + "javax.servlet.http.HttpServletRequest", + "javax.ejb.EnterpriseBean", + "javax.ejb.arguments" + }; + } + return keysArrayToUse; + } + + private static final PolicyContextHandlerImpl pchi = new PolicyContextHandlerImpl(); + + private PolicyContextHandlerImpl() { + } public static PolicyContextHandlerImpl getInstance() { - if (!initialized) { - pchi = new PolicyContextHandlerImpl(); - initialized = true; - } return pchi; } @@ -71,5 +101,4 @@ public Object getContext(String key, Object object) throws PolicyContextExceptio } return ((HashMap) object).get(key); } - } diff --git a/dev/com.ibm.ws.security.authorization.jacc/src/com/ibm/ws/security/authorization/jacc/ejb/EJBSecurityPropagator.java b/dev/com.ibm.ws.security.authorization.jacc/src/com/ibm/ws/security/authorization/jacc/ejb/EJBSecurityPropagator.java index 0795f147ec1e..e995ecce1e93 100644 --- a/dev/com.ibm.ws.security.authorization.jacc/src/com/ibm/ws/security/authorization/jacc/ejb/EJBSecurityPropagator.java +++ b/dev/com.ibm.ws.security.authorization.jacc/src/com/ibm/ws/security/authorization/jacc/ejb/EJBSecurityPropagator.java 
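Review bot: The `catch (Throwable t)` in getKeysArray is empty, so any failure loading jakarta.security.jacc.PrincipalMapper — not only ClassNotFoundException but also a LinkageError or an unexpected runtime exception — silently selects the pre-EE 11 key set, and the handler will then not advertise the PrincipalMapper key (the code that consults keysArray is outside this hunk), which is hard to trace back here since FFDC is suppressed as well. At minimum name the variable to mark the intent and explain it, e.g. `} catch (Throwable ignored) { // PrincipalMapper is absent before Jakarta EE 11; fall back to the EE 9/10 keys }`; narrowing the catch to `ClassNotFoundException | LinkageError` would keep genuine bugs visible while still covering the expected absence. The "Keys for Jakarta EE 11 and higher" comment is written as a Javadoc block inside a method body; a plain `//` comment avoids tooling treating it as documentation.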
@@ -1,10 +1,10 @@ /******************************************************************************* - * Copyright (c) 2015 IBM Corporation and others. + * Copyright (c) 2015, 2024 IBM Corporation and others. * All rights reserved. This program and the accompanying materials * are made available under the terms of the Eclipse Public License 2.0 * which accompanies this distribution, and is available at * http://www.eclipse.org/legal/epl-2.0/ - * + * * SPDX-License-Identifier: EPL-2.0 * * Contributors: @@ -18,6 +18,7 @@ import javax.security.jacc.PolicyConfigurationFactory; import com.ibm.ws.security.authorization.jacc.MethodInfo; +import com.ibm.ws.security.authorization.jacc.PolicyConfigurationManager; import com.ibm.ws.security.authorization.jacc.RoleInfo; /** @@ -32,7 +33,8 @@ void propagateEJBRoles(String contextId, String appName, String beanName, Map roleLinkMap, - Map> methodMap); + Map> methodMap, + PolicyConfigurationManager policyConfigManager); - void processEJBRoles(PolicyConfigurationFactory pcf, String contextId); + void processEJBRoles(PolicyConfigurationFactory pcf, String contextId, PolicyConfigurationManager policyConfigManager); } diff --git a/dev/com.ibm.ws.security.authorization.jacc/src/com/ibm/ws/security/authorization/jacc/ejb/EJBSecurityValidator.java b/dev/com.ibm.ws.security.authorization.jacc/src/com/ibm/ws/security/authorization/jacc/ejb/EJBSecurityValidator.java deleted file mode 100644 index 5dc73bc33cc1..000000000000 --- a/dev/com.ibm.ws.security.authorization.jacc/src/com/ibm/ws/security/authorization/jacc/ejb/EJBSecurityValidator.java +++ /dev/null 
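Review bot: Both propagateEJBRoles and processEJBRoles gain a PolicyConfigurationManager parameter, but the interface Javadoc, which begins above the @@ -32,7 hunk, is not updated to describe it, and nothing states whether implementations may receive null. Add a `@param policyConfigManager` line to each method's documentation, e.g. `@param policyConfigManager the manager that tracks the PolicyConfiguration objects for the application; must not be null` (or say what happens when it is).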
@@ -1,29 +0,0 @@
-/*******************************************************************************
- * Copyright (c) 2015, 2024 IBM Corporation and others.
- * All rights reserved. This program and the accompanying materials
- * are made available under the terms of the Eclipse Public License 2.0
- * which accompanies this distribution, and is available at
- * http://www.eclipse.org/legal/epl-2.0/
- *
- * SPDX-License-Identifier: EPL-2.0
- *
- * Contributors:
- * IBM Corporation - initial API and implementation
- *******************************************************************************/
-package com.ibm.ws.security.authorization.jacc.ejb;
-
-import java.security.Permission;
-import java.util.List;
-
-import javax.security.auth.Subject;
-
-import com.ibm.ws.security.authorization.jacc.common.PolicyProxy;
-
-/**
- ** this class is for enforcing the security constraints for EJB.
- ** since EJB feature might not exist, all of EJB related code is located
- ** to the separate feature which only activated when ejb feature exists.
- **/
-public interface EJBSecurityValidator {
- boolean checkResourceConstraints(String contextId, List methodParameters, Object bean, Permission ejbPerm, Subject subject, PolicyProxy policyProxy);
-}
diff --git a/dev/com.ibm.ws.security.authorization.jacc/src/com/ibm/ws/security/authorization/jacc/ejb/EJBService.java b/dev/com.ibm.ws.security.authorization.jacc/src/com/ibm/ws/security/authorization/jacc/ejb/EJBService.java
deleted file mode 100644
index 71edd52e665c..000000000000
--- a/dev/com.ibm.ws.security.authorization.jacc/src/com/ibm/ws/security/authorization/jacc/ejb/EJBService.java
+++ /dev/null
@@ -1,26 +0,0 @@
-/*******************************************************************************
- * Copyright (c) 2015, 2024 IBM Corporation and others.
- * All rights reserved. This program and the accompanying materials
- * are made available under the terms of the Eclipse Public License 2.0
- * which accompanies this distribution, and is available at
- * http://www.eclipse.org/legal/epl-2.0/
- *
- * SPDX-License-Identifier: EPL-2.0
- *
- * Contributors:
- * IBM Corporation - initial API and implementation
- *******************************************************************************/
-
-package com.ibm.ws.security.authorization.jacc.ejb;
-
-public interface EJBService {
- /**
- * Returns the EJBSecurityPropagator class
- */
- public EJBSecurityPropagator getPropagator();
-
- /**
- * Returns the EJBSecurityValidator class
- */
- public EJBSecurityValidator getValidator();
-}
diff --git a/dev/com.ibm.ws.security.authorization.jacc/src/com/ibm/ws/security/authorization/jacc/internal/JaccServiceImpl.java b/dev/com.ibm.ws.security.authorization.jacc/src/com/ibm/ws/security/authorization/jacc/internal/JaccServiceImpl.java
index 43555b5e06be..a6ea0bc27fe3 100644
--- a/dev/com.ibm.ws.security.authorization.jacc/src/com/ibm/ws/security/authorization/jacc/internal/JaccServiceImpl.java
+++ b/dev/com.ibm.ws.security.authorization.jacc/src/com/ibm/ws/security/authorization/jacc/internal/JaccServiceImpl.java
@@ -15,19 +15,10 @@ import java.security.AccessController; import java.security.PrivilegedAction; import java.security.PrivilegedActionException; -import java.util.ArrayList; -import java.util.List; import java.util.Map; -import java.util.StringTokenizer; -import javax.security.auth.Subject; -import javax.security.jacc.EJBMethodPermission; -import javax.security.jacc.EJBRoleRefPermission; import javax.security.jacc.PolicyConfigurationFactory; import javax.security.jacc.PolicyContext; -import javax.security.jacc.WebResourcePermission; -import javax.security.jacc.WebRoleRefPermission; -import javax.security.jacc.WebUserDataPermission; import org.osgi.framework.ServiceReference; import org.osgi.service.component.ComponentContext; 
@@ -37,25 +28,14 @@ import org.osgi.service.component.annotations.Deactivate; import org.osgi.service.component.annotations.Modified; import org.osgi.service.component.annotations.Reference; -import org.osgi.service.component.annotations.ReferenceCardinality; import org.osgi.service.component.annotations.ReferencePolicy; -import org.osgi.service.component.annotations.ReferencePolicyOption; import com.ibm.websphere.ras.Tr; import com.ibm.websphere.ras.TraceComponent; -import com.ibm.websphere.security.audit.AuditAuthenticationResult; import com.ibm.ws.security.authorization.jacc.JaccService; -import com.ibm.ws.security.authorization.jacc.MethodInfo; -import com.ibm.ws.security.authorization.jacc.RoleInfo; -import com.ibm.ws.security.authorization.jacc.common.PolicyConfigurationManager; +import com.ibm.ws.security.authorization.jacc.PolicyConfigurationManager; import com.ibm.ws.security.authorization.jacc.common.PolicyProxy; import com.ibm.ws.security.authorization.jacc.common.ProviderServiceProxy; -import com.ibm.ws.security.authorization.jacc.ejb.EJBSecurityPropagator; -import com.ibm.ws.security.authorization.jacc.ejb.EJBSecurityValidator; -import com.ibm.ws.security.authorization.jacc.ejb.EJBService; -import com.ibm.ws.security.authorization.jacc.web.ServletService; -import com.ibm.ws.security.authorization.jacc.web.WebSecurityPropagator; -import com.ibm.ws.security.authorization.jacc.web.WebSecurityValidator; import com.ibm.wsspi.kernel.service.location.WsLocationAdmin; import com.ibm.wsspi.kernel.service.utils.AtomicServiceReference; 
@@ -63,16 +43,11 @@ public class JaccServiceImpl implements JaccService { private static final TraceComponent tc = Tr.register(JaccServiceImpl.class); - private static final String JACC_EJB_METHOD_ARGUMENT = "RequestMethodArgumentsRequired"; - static final String KEY_JACC_PROVIDER_SERVICE_PROXY = "jaccProviderServiceProxy"; - private final String KEY_LOCATION_ADMIN = "locationAdmin"; + private static final String KEY_JACC_PROVIDER_SERVICE_PROXY = "jaccProviderServiceProxy"; + private static final String KEY_LOCATION_ADMIN = "locationAdmin"; private final AtomicServiceReference jaccProviderServiceProxy = new AtomicServiceReference(KEY_JACC_PROVIDER_SERVICE_PROXY); private final AtomicServiceReference locationAdminRef = new AtomicServiceReference(KEY_LOCATION_ADMIN); - - private static final String KEY_SERVLET_SERVICE = "servletService"; - private final AtomicServiceReference servletServiceRef = new AtomicServiceReference(KEY_SERVLET_SERVICE); - private static final String KEY_EJB_SERVICE = "ejbService"; - private final AtomicServiceReference ejbServiceRef = new AtomicServiceReference(KEY_EJB_SERVICE); + private final PolicyConfigurationManager pcm; private String policyName = null; private String factoryName = null; @@ -80,6 +55,11 @@ public class JaccServiceImpl implements JaccService { private PolicyProxy policyProxy = null; private PolicyConfigurationFactory pcf = null; + @Activate + public JaccServiceImpl(@Reference PolicyConfigurationManager pcm) { + this.pcm = pcm; + } + @Reference(service = ProviderServiceProxy.class, policy = ReferencePolicy.DYNAMIC, name = KEY_JACC_PROVIDER_SERVICE_PROXY) protected void setJaccProviderServiceProxy(ServiceReference reference) { jaccProviderServiceProxy.setReference(reference); 
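Review bot: The new `@Activate` constructor in the @@ -80,6 hunk sits next to the retained `@Activate protected void activate(ComponentContext cc)` shown in the following hunk, and a reader may wonder whether both run; a one-line comment on the constructor such as `// DS constructor injection: pcm is bound before activate(ComponentContext) is called` records the intent. The constructor stores the reference without a check; DS should never pass null for a mandatory reference, so the comment alone may be enough, but if a guard is wanted `this.pcm = Objects.requireNonNull(pcm, "pcm");` would need java.util.Objects, which the import hunk above suggests is not currently imported.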
@@ -98,24 +78,6 @@ protected void unsetLocationAdmin(ServiceReference reference) { locationAdminRef.unsetReference(reference); } - @Reference(service = ServletService.class, name = KEY_SERVLET_SERVICE, cardinality = ReferenceCardinality.OPTIONAL, policy = ReferencePolicy.DYNAMIC, policyOption = ReferencePolicyOption.GREEDY) - protected void setServletService(ServiceReference reference) { - servletServiceRef.setReference(reference); - } - - protected void unsetServletService(ServiceReference reference) { - servletServiceRef.unsetReference(reference); - } - - @Reference(service = EJBService.class, name = KEY_EJB_SERVICE, cardinality = ReferenceCardinality.OPTIONAL, policy = ReferencePolicy.DYNAMIC, policyOption = ReferencePolicyOption.GREEDY) - protected void setEJBService(ServiceReference reference) { - ejbServiceRef.setReference(reference); - } - - protected void unsetEJBService(ServiceReference reference) { - ejbServiceRef.unsetReference(reference); - } - @Activate protected void activate(ComponentContext cc) { jaccProviderServiceProxy.activate(cc); @@ -126,8 +88,6 @@ protected void activate(ComponentContext cc) { } Tr.info(tc, "JACC_SERVICE_STARTING", new Object[] { policyName, factoryName }); locationAdminRef.activate(cc); - servletServiceRef.activate(cc); - ejbServiceRef.activate(cc); if (loadClasses()) { Tr.info(tc, "JACC_SERVICE_STARTED", new Object[] { policyName, factoryName }); } else { @@ -143,8 +103,6 @@ protected void modify(Map props) { protected void deactivate(ComponentContext cc) { locationAdminRef.deactivate(cc); jaccProviderServiceProxy.deactivate(cc); - servletServiceRef.deactivate(cc); - ejbServiceRef.deactivate(cc); Tr.info(tc, "JACC_SERVICE_STOPPED", new Object[] { policyName }); } 
@@ -180,7 +138,7 @@ public Boolean run() { if (pcf != null) { if (tc.isDebugEnabled()) Tr.debug(tc, "factory object : " + pcf); - PolicyConfigurationManager.initialize(policyProxy, pcf); + pcm.initialize(policyProxy, pcf); } else { Tr.error(tc, "JACC_FACTORY_INSTANTIATION_FAILURE", new Object[] { factoryName }); return Boolean.FALSE; 
@@ -192,212 +150,41 @@ public Boolean run() { } @Override - public void propagateWebConstraints(String applicationName, String moduleName, Object webAppConfig) { - WebSecurityPropagator wsp = getWsp(servletServiceRef.getService()); - if (wsp != null) { - propagateWebConstraints(wsp, applicationName, moduleName, webAppConfig); - } else { - Tr.error(tc, "JACC_NO_WEB_PLUGIN"); - } - return; - } - - protected void propagateWebConstraints(WebSecurityPropagator wsp, String applicationName, String moduleName, Object webAppConfig) { - wsp.propagateWebConstraints(pcf, getContextId(applicationName, moduleName), webAppConfig); - return; - } - - @Override - public boolean isSSLRequired(String applicationName, String moduleName, String uriName, String methodName, Object req) { - return !checkDataConstraints(applicationName, moduleName, uriName, methodName, req, null); - } - - @Override - public boolean isAccessExcluded(String applicationName, String moduleName, String uriName, String methodName, Object req) { - return !checkDataConstraints(applicationName, moduleName, uriName, methodName, req, "CONFIDENTIAL"); - } - - /* - * check DataConstraints - * true if permission is is implied. - * false otherwise. 
- */ - protected boolean checkDataConstraints(String applicationName, String moduleName, String uriName, String methodName, Object req, String transportType) { - boolean result = false; - WebSecurityValidator wsv = getWsv(servletServiceRef.getService()); - if (wsv != null) { - result = checkDataConstraints(wsv, applicationName, moduleName, uriName, methodName, req, transportType); - } else { - Tr.error(tc, "JACC_NO_WEB_PLUGIN"); - } - return result; - } - - protected boolean checkDataConstraints(WebSecurityValidator wsv, String applicationName, String moduleName, String uriName, String methodName, Object req, - String transportType) { - boolean result = false; - String[] methodNameArray = new String[] { methodName }; - /** - ** if uriName ends with "*", Web*Permission.implies won't work property since * is treated as a wildcard. - ** In order to avoid this issue, substitute * as | which cannot be used as a part of real URL, but URLPatternSpec object doesn't care. - */ - uriName = substituteAsterisk(uriName); - WebUserDataPermission webUDPerm = new WebUserDataPermission(uriName, methodNameArray, transportType); - result = wsv.checkDataConstraints(getContextId(applicationName, moduleName), req, webUDPerm, policyProxy); - return result; - } - - @Override - public boolean isAuthorized(String applicationName, String moduleName, String uriName, String methodName, Object req, Subject subject) { - boolean result = false; - WebSecurityValidator wsv = getWsv(servletServiceRef.getService()); - if (wsv != null) { - result = isAuthorized(wsv, applicationName, moduleName, uriName, methodName, req, subject); - } else { - Tr.error(tc, "JACC_NO_WEB_PLUGIN"); - } - return result; - } - - protected boolean isAuthorized(WebSecurityValidator wsv, String applicationName, String moduleName, String uriName, String methodName, Object req, Subject subject) { - AuditAuthenticationResult authResult = null; - String subjectName = null; - String[] methodNameArray = new String[] { methodName }; 
- uriName = substituteAsterisk(uriName); - WebResourcePermission webPerm = new WebResourcePermission(uriName, methodNameArray); - boolean isAuthorized = wsv.checkResourceConstraints(getContextId(applicationName, moduleName), req, webPerm, subject, policyProxy); - return isAuthorized; - } - - @Override - public boolean isSubjectInRole(String applicationName, String moduleName, String servletName, String role, Object req, Subject subject) { - boolean result = false; - WebSecurityValidator wsv = getWsv(servletServiceRef.getService()); - if (wsv != null) { - result = isSubjectInRole(wsv, applicationName, moduleName, servletName, role, req, subject); - } else { - Tr.error(tc, "JACC_NO_WEB_PLUGIN"); - } - return result; - } - - protected boolean isSubjectInRole(WebSecurityValidator wsv, String applicationName, String moduleName, String servletName, String role, Object req, Subject subject) { - WebRoleRefPermission webRolePerm = new WebRoleRefPermission(servletName, role); - return wsv.checkResourceConstraints(getContextId(applicationName, moduleName), req, webRolePerm, subject, policyProxy); + public String getContextId(String applicationName, String moduleName) { + StringBuffer output = new StringBuffer(); + WsLocationAdmin locationAdmin = locationAdminRef.getService(); + output.append(getHostName()).append("#").append(locationAdmin.resolveString("${wlp.user.dir}").replace('\\', + '/')).append("#").append(locationAdmin.getServerName()).append("#"); + output.append(applicationName).append("#").append(moduleName); + return output.toString(); } @Override - public void propagateEJBRoles(String applicationName, - String moduleName, - String beanName, - Map roleLinkMap, - Map> methodMap) { - EJBSecurityPropagator esp = getEsp(ejbServiceRef.getService()); - if (esp != null) { - propagateEJBRoles(esp, applicationName, moduleName, beanName, roleLinkMap, methodMap); - } else { - Tr.error(tc, "JACC_NO_EJB_PLUGIN"); - } - return; - } - - protected void 
propagateEJBRoles(EJBSecurityPropagator esp, - String applicationName, - String moduleName, - String beanName, - Map roleLinkMap, - Map> methodMap) { - PolicyConfigurationManager.setEJBSecurityPropagator(esp); - esp.propagateEJBRoles(getContextId(applicationName, moduleName), applicationName, beanName, roleLinkMap, methodMap); - return; + public PolicyConfigurationFactory getPolicyConfigurationFactory() { + return pcf; } @Override - public boolean isAuthorized(String applicationName, String moduleName, String beanName, String methodName, String methodInterface, - String methodSignature, List methodParameters, Object bean, Subject subject) { - EJBSecurityValidator esv = getEsv(ejbServiceRef.getService()); - if (esv != null) { - return isAuthorized(esv, applicationName, moduleName, beanName, methodName, methodInterface, methodSignature, methodParameters, bean, subject); - } else { - Tr.error(tc, "JACC_NO_EJB_PLUGIN"); - return false; - } - } - - protected boolean isAuthorized(EJBSecurityValidator esv, String applicationName, String moduleName, String beanName, String methodName, - String methodInterface, String methodSignature, List methodParameters, Object bean, Subject subject) { - String[] methodSignatureArray = convertMethodSignature(methodSignature); - final EJBMethodPermission ejbPerm = new EJBMethodPermission(beanName, methodName, methodInterface, methodSignatureArray); - return esv.checkResourceConstraints(getContextId(applicationName, moduleName), methodParameters, bean, ejbPerm, subject, policyProxy); + public PolicyConfigurationManager getPolicyConfigurationManager() { + return pcm; } @Override - public boolean isSubjectInRole(String applicationName, String moduleName, String beanName, String methodName, - List methodParameters, String role, Object bean, Subject subject) { - EJBSecurityValidator esv = getEsv(ejbServiceRef.getService()); - if (esv != null) { - return isSubjectInRole(esv, applicationName, moduleName, beanName, methodName, methodParameters, 
role, bean, subject); - } else { - Tr.error(tc, "JACC_NO_EJB_PLUGIN"); - return false; - } - } - - protected boolean isSubjectInRole(EJBSecurityValidator esv, String applicationName, String moduleName, String beanName, String methodName, - List methodParameters, String role, Object bean, Subject subject) { - final EJBRoleRefPermission ejbPerm = new EJBRoleRefPermission(beanName, role); - return esv.checkResourceConstraints(getContextId(applicationName, moduleName), methodParameters, bean, ejbPerm, subject, policyProxy); + public PolicyProxy getPolicyProxy() { + return policyProxy; } @Override - public boolean areRequestMethodArgumentsRequired() { - boolean result = false; + public String getProviderServiceProperty(String propertyName) { ProviderServiceProxy reference = jaccProviderServiceProxy.getService(); + String value = null; if (reference != null) { - Object obj = reference.getProperty(JACC_EJB_METHOD_ARGUMENT); + Object obj = reference.getProperty(propertyName); if (obj instanceof String) { - String value = (String) obj; - if ("true".equalsIgnoreCase(value)) { - result = true; - } + value = (String) obj; } } - return result; - } - - private String getContextId(String applicationName, String moduleName) { - StringBuffer output = new StringBuffer(); - WsLocationAdmin locationAdmin = locationAdminRef.getService(); - output.append(getHostName()).append("#").append(locationAdmin.resolveString("${wlp.user.dir}").replace('\\', - '/')).append("#").append(locationAdmin.getServerName()).append("#"); - output.append(applicationName).append("#").append(moduleName); - return output.toString(); - } - - private String[] convertMethodSignature(String methodSignature) { - ArrayList methodSignatureList = new ArrayList(); - if (methodSignature != null && methodSignature.length() > 0) { - int index = methodSignature.indexOf(":"); - if (index != -1) { - String s = methodSignature.substring(index + 1); - if (s != null && s.length() > 0) { - StringTokenizer st = new 
StringTokenizer(s, ","); - while (st.hasMoreTokens()) { - methodSignatureList.add(st.nextToken()); - } - } - } - } - return methodSignatureList.toArray(new String[methodSignatureList.size()]); - } - - private String substituteAsterisk(String uriName) { - if (uriName != null && uriName.endsWith("/*")) { - if (tc.isDebugEnabled()) - Tr.debug(tc, "The URI ends with \"/*\" which is substituted by \"/|\""); - uriName = uriName.substring(0, uriName.lastIndexOf("*")) + "|"; - } - return uriName; + return value; } /** @@ -419,38 +206,6 @@ public String run() { return hostName; } - protected EJBSecurityPropagator getEsp(EJBService es) { - if (es != null) { - return es.getPropagator(); - } else { - return null; - } - } - - protected EJBSecurityValidator getEsv(EJBService es) { - if (es != null) { - return es.getValidator(); - } else { - return null; - } - } - - protected WebSecurityPropagator getWsp(ServletService ws) { - if (ws != null) { - return ws.getPropagator(); - } else { - return null; - } - } - - protected WebSecurityValidator getWsv(ServletService ws) { - if (ws != null) { - return ws.getValidator(); - } else { - return null; - } - } - @Override public void resetPolicyContextHandlerInfo() { try { diff --git a/dev/com.ibm.ws.security.authorization/src/com/ibm/ws/security/authorization/jacc/package-info.java b/dev/com.ibm.ws.security.authorization.jacc/src/com/ibm/ws/security/authorization/jacc/package-info.java similarity index 100% rename from dev/com.ibm.ws.security.authorization/src/com/ibm/ws/security/authorization/jacc/package-info.java rename to dev/com.ibm.ws.security.authorization.jacc/src/com/ibm/ws/security/authorization/jacc/package-info.java diff --git a/dev/com.ibm.ws.security.authorization.jacc/src/com/ibm/ws/security/authorization/jacc/web/ServletService.java b/dev/com.ibm.ws.security.authorization.jacc/src/com/ibm/ws/security/authorization/jacc/web/ServletService.java deleted file mode 100644 index 5719836692f2..000000000000 
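Review bot: `getContextId` is promoted from private to a public `@Override` with no Javadoc, and it still dereferences `locationAdminRef.getService()` without a null guard; now that the EJB and Web bundles call it directly (per the commit description), an unbound WsLocationAdmin surfaces as a NullPointerException inside the caller's permission check instead of a clear error. Suggest `WsLocationAdmin locationAdmin = locationAdminRef.getService(); if (locationAdmin == null) { throw new IllegalStateException("WsLocationAdmin is not available; cannot build JACC context id"); }` and, since the value is assembled on a single thread, `StringBuilder` in place of `StringBuffer`. The context id is the key under which the removed propagate/check code stored and later looked up the module's policy configuration, so the Javadoc should state the contract, e.g. `/** Builds the JACC context id (host#userDir#server#app#module) that keys this module's policy configuration; propagation and authorization checks must pass identical application and module names. */`. The new accessors `getPolicyConfigurationFactory`, `getPolicyConfigurationManager`, `getPolicyProxy` and `getProviderServiceProperty` also lack Javadoc; for the last one, note that unlike the removed `areRequestMethodArgumentsRequired` it returns the raw property string, so the `"true".equalsIgnoreCase` comparison now presumably lives with each caller. The enclosing class continues outside the hunk.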
--- a/dev/com.ibm.ws.security.authorization.jacc/src/com/ibm/ws/security/authorization/jacc/web/ServletService.java
+++ /dev/null
@@ -1,26 +0,0 @@
-/*******************************************************************************
- * Copyright (c) 2015 IBM Corporation and others.
- * All rights reserved. This program and the accompanying materials
- * are made available under the terms of the Eclipse Public License 2.0
- * which accompanies this distribution, and is available at
- * http://www.eclipse.org/legal/epl-2.0/
- *
- * SPDX-License-Identifier: EPL-2.0
- *
- * Contributors:
- * IBM Corporation - initial API and implementation
- *******************************************************************************/
-
-package com.ibm.ws.security.authorization.jacc.web;
-
-public interface ServletService {
- /**
- * Returns the WebSecurityPropagator class
- */
- public WebSecurityPropagator getPropagator();
-
- /**
- * Returns the WebSecurityValidator class
- */
- public WebSecurityValidator getValidator();
-}
diff --git a/dev/com.ibm.ws.security.authorization.jacc/src/com/ibm/ws/security/authorization/jacc/web/WebSecurityPropagator.java b/dev/com.ibm.ws.security.authorization.jacc/src/com/ibm/ws/security/authorization/jacc/web/WebSecurityPropagator.java
deleted file mode 100644
index 4a2349ec9eaf..000000000000
--- a/dev/com.ibm.ws.security.authorization.jacc/src/com/ibm/ws/security/authorization/jacc/web/WebSecurityPropagator.java
+++ /dev/null
@@ -1,28 +0,0 @@
-/*******************************************************************************
- * Copyright (c) 2015 IBM Corporation and others.
- * All rights reserved. This program and the accompanying materials
- * are made available under the terms of the Eclipse Public License 2.0
- * which accompanies this distribution, and is available at
- * http://www.eclipse.org/legal/epl-2.0/
- *
- * SPDX-License-Identifier: EPL-2.0
- *
- * Contributors:
- * IBM Corporation - initial API and implementation
- *******************************************************************************/
-package com.ibm.ws.security.authorization.jacc.web;
-
-import javax.security.jacc.PolicyConfigurationFactory;
-
-/**
- ** this class is for propagating the security constraints for Web servlet.
- ** since Servlet-3.x feature might not exist, all of servlet related code is located
- ** to the separate feature which only activated when servlet feature exists.
- **/
-
-public interface WebSecurityPropagator {
-
- public void propagateWebConstraints(PolicyConfigurationFactory pcf,
- String contextId,
- Object webAppConfig);
-}
diff --git a/dev/com.ibm.ws.security.authorization.jacc/src/com/ibm/ws/security/authorization/jacc/web/WebSecurityValidator.java b/dev/com.ibm.ws.security.authorization.jacc/src/com/ibm/ws/security/authorization/jacc/web/WebSecurityValidator.java
deleted file mode 100644
index 296e861641d2..000000000000
--- a/dev/com.ibm.ws.security.authorization.jacc/src/com/ibm/ws/security/authorization/jacc/web/WebSecurityValidator.java
+++ /dev/null
@@ -1,32 +0,0 @@
-/*******************************************************************************
- * Copyright (c) 2015, 2024 IBM Corporation and others.
- * All rights reserved. This program and the accompanying materials
- * are made available under the terms of the Eclipse Public License 2.0
- * which accompanies this distribution, and is available at
- * http://www.eclipse.org/legal/epl-2.0/
- *
- * SPDX-License-Identifier: EPL-2.0
- *
- * Contributors:
- * IBM Corporation - initial API and implementation
- *******************************************************************************/
-package com.ibm.ws.security.authorization.jacc.web;
-
-import java.security.Permission;
-
-import javax.security.auth.Subject;
-import javax.security.jacc.WebUserDataPermission;
-
-import com.ibm.ws.security.authorization.jacc.common.PolicyProxy;
-
-/**
- ** this class is for enforcing the security constraints for Web servlet.
- ** since Servlet-3.x feature might not exist, all of servlet related code is located
- ** to the separate feature which only activated when servlet feature exists.
- **/
-public interface WebSecurityValidator {
- boolean checkDataConstraints(String contextId, Object req, WebUserDataPermission webUDPermission, PolicyProxy policyProxy);
-
- boolean checkResourceConstraints(String contextId, Object req, Permission webPerm, Subject subject, PolicyProxy policyProxy);
-
-}
diff --git a/dev/com.ibm.ws.security.authorization/test/com/ibm/ws/security/authorization/jacc/MethodInfoTest.java b/dev/com.ibm.ws.security.authorization.jacc/test/com/ibm/ws/security/authorization/jacc/MethodInfoTest.java
similarity index 100%
rename from dev/com.ibm.ws.security.authorization/test/com/ibm/ws/security/authorization/jacc/MethodInfoTest.java
rename to dev/com.ibm.ws.security.authorization.jacc/test/com/ibm/ws/security/authorization/jacc/MethodInfoTest.java
diff --git a/dev/com.ibm.ws.security.authorization/test/com/ibm/ws/security/authorization/jacc/RoleInfoTest.java b/dev/com.ibm.ws.security.authorization.jacc/test/com/ibm/ws/security/authorization/jacc/RoleInfoTest.java
similarity index 100%
rename from dev/com.ibm.ws.security.authorization/test/com/ibm/ws/security/authorization/jacc/RoleInfoTest.java
rename to dev/com.ibm.ws.security.authorization.jacc/test/com/ibm/ws/security/authorization/jacc/RoleInfoTest.java
diff --git a/dev/com.ibm.ws.security.authorization.jacc/test/com/ibm/ws/security/authorization/jacc/common/PolicyConfigurationManagerTest.java b/dev/com.ibm.ws.security.authorization.jacc/test/com/ibm/ws/security/authorization/jacc/common/PolicyConfigurationManagerTest.java
index f014a8456407..f66d3151cda8 100644
--- a/dev/com.ibm.ws.security.authorization.jacc/test/com/ibm/ws/security/authorization/jacc/common/PolicyConfigurationManagerTest.java
+++ b/dev/com.ibm.ws.security.authorization.jacc/test/com/ibm/ws/security/authorization/jacc/common/PolicyConfigurationManagerTest.java
@@ -58,7 +58,7 @@ public class PolicyConfigurationManagerTest {
 private final ApplicationMetaData amd = context.mock(ApplicationMetaData.class);
 private final J2EEName jen = context.mock(J2EEName.class);
 private final EJBSecurityPropagator esp = context.mock(EJBSecurityPropagator.class);
- private PolicyConfigurationManager pcm = null;
+ private PolicyConfigurationManagerImpl pcm = null;
 private PolicyConfigurationFactory pcf = null;
 private Policy policy = null;
 
@@ -66,8 +66,8 @@ public class PolicyConfigurationManagerTest {
 public void setUp() {
 pcf = new DummyPolicyConfigurationFactory(pc1);
 policy = new DummyPolicy();
- pcm = new PolicyConfigurationManager();
- PolicyConfigurationManager.initialize(ProxyTestUtil.createPolicyProxy(policy), pcf);
+ pcm = new PolicyConfigurationManagerImpl();
+ pcm.initialize(ProxyTestUtil.createPolicyProxy(policy), pcf);
 }
 
 @After
@@ -83,9 +83,9 @@ public void tearDown() throws Exception {
 public void containModule() {
 final String appName = "app";
 final String contextId = "contextId";
- assertFalse(PolicyConfigurationManager.containModule(appName, contextId));
- PolicyConfigurationManager.addModule(appName, contextId);
- assertTrue(PolicyConfigurationManager.containModule(appName, contextId));
+ assertFalse(pcm.containModule(appName, contextId));
+ pcm.addModule(appName, contextId);
+ assertTrue(pcm.containModule(appName, contextId));
 }
 
 /**
@@ -97,14 +97,14 @@ public void removeModule() {
 final String appName = "app";
 final String contextId = "contextId";
 final String contextId2 = "contextId2";
- PolicyConfigurationManager.removeModule(appName, contextId);
- PolicyConfigurationManager.addModule(appName, contextId);
- PolicyConfigurationManager.addModule(appName, contextId2);
- PolicyConfigurationManager.removeModule(appName, contextId);
- assertFalse(PolicyConfigurationManager.containModule(appName, contextId));
- assertTrue(PolicyConfigurationManager.containModule(appName, contextId2));
- PolicyConfigurationManager.removeModule(appName, contextId2);
- assertFalse(PolicyConfigurationManager.containModule(appName, contextId2));
+ pcm.removeModule(appName, contextId);
+ pcm.addModule(appName, contextId);
+ pcm.addModule(appName, contextId2);
+ pcm.removeModule(appName, contextId);
+ assertFalse(pcm.containModule(appName, contextId));
+ assertTrue(pcm.containModule(appName, contextId2));
+ pcm.removeModule(appName, contextId2);
+ assertFalse(pcm.containModule(appName, contextId2));
 }
 
 /**
@@ -118,14 +118,14 @@ public void addEJB() { context.checking(new Expectations() { { - one(esp).processEJBRoles(pcf, contextId); + one(esp).processEJBRoles(pcf, contextId, pcm); } }); - PolicyConfigurationManager.addEJB(appName, contextId); - assertTrue(PolicyConfigurationManager.containModule(appName, contextId)); + pcm.addEJB(appName, contextId); + assertTrue(pcm.containModule(appName, contextId)); - PolicyConfigurationManager.setEJBSecurityPropagator(esp); - PolicyConfigurationManager.processEJBs(appName); + pcm.setEJBSecurityPropagator(esp); + pcm.processEJBs(appName); } /** @@ -165,7 +165,7 @@ public void commitModulesApps() { fail("An exception is caught: " + e); } try { - PolicyConfigurationManager.linkConfiguration(APP_NAME, pc1); + pcm.linkConfiguration(APP_NAME, pc1); } catch (PolicyContextException e) { e.printStackTrace(); fail("An exception is caught."); @@ -198,7 +198,7 @@ public void commitModulesAppsException() { fail("An exception is caught."); } try { - PolicyConfigurationManager.linkConfiguration(APP_NAME, pc1); + pcm.linkConfiguration(APP_NAME, pc1); } catch (PolicyContextException e) { e.printStackTrace(); fail("An exception is caught."); @@ -226,7 +226,7 @@ public void removeModulesApps() { } catch (PolicyContextException e) { fail("An exception is caught: " + e); } - PolicyConfigurationManager.addModule(APP_NAME, CONTEXT_ID); + pcm.addModule(APP_NAME, CONTEXT_ID); pcm.applicationStopped(ai); } diff --git a/dev/com.ibm.ws.security.authorization.jacc/test/com/ibm/ws/security/authorization/jacc/internal/JaccServiceImplTest.java b/dev/com.ibm.ws.security.authorization.jacc/test/com/ibm/ws/security/authorization/jacc/internal/JaccServiceImplTest.java index c82ff76454c1..9d5c2c8befd0 100644 --- a/dev/com.ibm.ws.security.authorization.jacc/test/com/ibm/ws/security/authorization/jacc/internal/JaccServiceImplTest.java +++ b/dev/com.ibm.ws.security.authorization.jacc/test/com/ibm/ws/security/authorization/jacc/internal/JaccServiceImplTest.java 
@@ -16,26 +16,11 @@
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertNull;
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.fail;
 
 import java.security.Policy;
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.Iterator;
-import java.util.List;
-import java.util.Map;
 
-import javax.ejb.EnterpriseBean;
-import javax.security.auth.Subject;
-import javax.security.jacc.EJBMethodPermission;
-import javax.security.jacc.EJBRoleRefPermission;
 import javax.security.jacc.PolicyConfiguration;
 import javax.security.jacc.PolicyConfigurationFactory;
-import javax.security.jacc.WebResourcePermission;
-import javax.security.jacc.WebRoleRefPermission;
-import javax.security.jacc.WebUserDataPermission;
-import javax.servlet.http.HttpServletRequest;
 
 import org.jmock.Expectations;
 import org.jmock.Mockery;
@@ -48,23 +33,13 @@
 import org.osgi.framework.ServiceReference;
 import org.osgi.service.component.ComponentContext;
 
-import com.ibm.ws.security.authorization.jacc.MethodInfo;
-import com.ibm.ws.security.authorization.jacc.RoleInfo;
+import com.ibm.ws.security.authorization.jacc.PolicyConfigurationManager;
+import com.ibm.ws.security.authorization.jacc.common.PolicyConfigurationManagerImpl;
 import com.ibm.ws.security.authorization.jacc.common.PolicyProxy;
 import com.ibm.ws.security.authorization.jacc.common.ProviderServiceProxy;
-import com.ibm.ws.security.authorization.jacc.ejb.EJBSecurityPropagator;
-import com.ibm.ws.security.authorization.jacc.ejb.EJBSecurityValidator;
-import com.ibm.ws.security.authorization.jacc.ejb.EJBService;
-import com.ibm.ws.security.authorization.jacc.web.ServletService;
-import com.ibm.ws.security.authorization.jacc.web.WebSecurityPropagator;
-import com.ibm.ws.security.authorization.jacc.web.WebSecurityValidator;
-import com.ibm.ws.webcontainer.security.metadata.SecurityConstraintCollection;
-import com.ibm.ws.webcontainer.security.metadata.SecurityMetadata;
 import com.ibm.wsspi.kernel.service.location.WsLocationAdmin;
 import com.ibm.wsspi.library.Library;
 import com.ibm.wsspi.security.authorization.jacc.ProviderService;
-import com.ibm.wsspi.webcontainer.metadata.WebModuleMetaData;
-import com.ibm.wsspi.webcontainer.webapp.WebAppConfig;
 
 import io.openliberty.security.authorization.jacc.internal.proxy.ProviderServiceProxyImpl;
 import io.openliberty.security.authorization.jacc.internal.proxy.ProxyTestUtil;
@@ -92,27 +67,12 @@ public class JaccServiceImplTest { private final ServiceReference wsLocationAdminRef = context.mock(ServiceReference.class, "wsLocationAdminRef"); private final WsLocationAdmin wsLocationAdmin = context.mock(WsLocationAdmin.class); private final PolicyConfiguration pc = context.mock(PolicyConfiguration.class); - private final WebAppConfig wac = context.mock(WebAppConfig.class); - private final HttpServletRequest req = context.mock(HttpServletRequest.class); - private final EnterpriseBean eBean = context.mock(EnterpriseBean.class); private final Library sl = context.mock(Library.class); - private final WebModuleMetaData wmmd = context.mock(WebModuleMetaData.class); - private final SecurityMetadata smd = context.mock(SecurityMetadata.class); - private final SecurityConstraintCollection scc = context.mock(SecurityConstraintCollection.class); - private final WebSecurityPropagator wsp = context.mock(WebSecurityPropagator.class); - private final WebSecurityValidator wsv = context.mock(WebSecurityValidator.class); - private final EJBSecurityPropagator esp = context.mock(EJBSecurityPropagator.class); - private final EJBSecurityValidator esv = context.mock(EJBSecurityValidator.class); - private final EJBService es = context.mock(EJBService.class); - private final ServletService ss = context.mock(ServletService.class); - private final List servletList = new ArrayList(); - private final Iterator servletNames = servletList.iterator(); - private final List roles = new ArrayList(); private final Policy policy = Policy.getPolicy(); private final PolicyProxy policyProxy = context.mock(PolicyProxy.class); private final PolicyConfigurationFactory pcf = new DummyPolicyConfigurationFactory(pc); - private final JaccServiceImpl jaccService = new JaccServiceImpl(); + private final PolicyConfigurationManager pcm = new PolicyConfigurationManagerImpl(); private final ClassLoader scl = ClassLoader.getSystemClassLoader(); private static final String JACC_FACTORY = 
"javax.security.jacc.PolicyConfigurationFactory.provider"; @@ -121,7 +81,6 @@ public class JaccServiceImplTest { private static final String JACC_POLICY_PROVIDER_EE9 = "jakarta.security.jacc.policy.provider"; private static final String JACC_FACTORY_IMPL = "com.ibm.ws.security.authorization.jacc.internal.DummyPolicyConfigurationFactory"; private static final String JACC_POLICY_PROVIDER_IMPL = "com.ibm.ws.security.authorization.jacc.internal.DummyPolicy"; - private static final String JACC_EJB_METHOD_ARGUMENT = "RequestMethodArgumentsRequired"; private final String origPp = System.getProperty(JACC_POLICY_PROVIDER); private final String origPpEe9 = System.getProperty(JACC_POLICY_PROVIDER_EE9); @@ -206,7 +165,7 @@ public void initializationNormal() { will(returnValue(scl)); } }); - JaccServiceImpl jaccService = new JaccServiceImpl(); + JaccServiceImpl jaccService = new JaccServiceImpl(pcm); jaccService.setJaccProviderServiceProxy(jaccProviderServiceProxyRef); ProviderServiceProxyImpl providerServiceProxy = new ProviderServiceProxyImpl(); ProxyTestUtil.setProviderService(providerServiceProxy, jaccProviderServiceRef); @@ -281,7 +240,7 @@ public void initializationRestoreSystemProps() { System.setProperty(JACC_FACTORY, tmpFn); System.setProperty(JACC_FACTORY_EE9, tmpFn); - JaccServiceImpl jaccService = new JaccServiceImpl(); + JaccServiceImpl jaccService = new JaccServiceImpl(pcm); jaccService.setJaccProviderServiceProxy(jaccProviderServiceProxyRef); ProviderServiceProxyImpl providerServiceProxy = new ProviderServiceProxyImpl(); ProxyTestUtil.setProviderService(providerServiceProxy, jaccProviderServiceRef); 
@@ -325,7 +284,7 @@ public void initializeSystemPropertiesSameSystemPolicy() {
 System.setProperty(JACC_FACTORY, tmpFn);
 System.setProperty(JACC_FACTORY_EE9, tmpFn);
 
- JaccServiceImpl jaccService = new JaccServiceImpl();
+ JaccServiceImpl jaccService = new JaccServiceImpl(pcm);
 jaccService.setJaccProviderServiceProxy(jaccProviderServiceProxyRef);
 
 assertEquals(tmpPp, System.getProperty(JACC_POLICY_PROVIDER));
@@ -355,7 +314,7 @@ public void initializeSystemPropertiesNoProperties() {
 System.clearProperty(JACC_FACTORY);
 System.clearProperty(JACC_FACTORY_EE9);
 
- JaccServiceImpl jaccService = new JaccServiceImpl();
+ JaccServiceImpl jaccService = new JaccServiceImpl(pcm);
 jaccService.setJaccProviderServiceProxy(jaccProviderServiceProxyRef);
 
 assertNull(System.getProperty(JACC_POLICY_PROVIDER));
@@ -415,7 +374,7 @@ public void loadClassesNullPolicy() {
 // will(returnValue(scl));
 }
 });
- JaccServiceImpl jaccService = new JaccServiceImpl();
+ JaccServiceImpl jaccService = new JaccServiceImpl(pcm);
 jaccService.setJaccProviderServiceProxy(jaccProviderServiceProxyRef);
 ProviderServiceProxyImpl providerServiceProxy = new ProviderServiceProxyImpl();
 ProxyTestUtil.setProviderService(providerServiceProxy, jaccProviderServiceRef);
@@ -477,7 +436,7 @@ public void loadClassesNullFactory() {
 will(returnValue(scl));
 }
 });
- JaccServiceImpl jaccService = new JaccServiceImpl();
+ JaccServiceImpl jaccService = new JaccServiceImpl(pcm);
 jaccService.setJaccProviderServiceProxy(jaccProviderServiceProxyRef);
 ProviderServiceProxyImpl providerServiceProxy = new ProviderServiceProxyImpl();
 ProxyTestUtil.setProviderService(providerServiceProxy, jaccProviderServiceRef);
@@ -487,905 +446,4 @@ public void loadClassesNullFactory() { assertFalse(jaccService.loadClasses()); } - /** - * Tests propagateWebSecurity method - * Expected result: no exception - */ - @Test - public void propagateWebConstraintsNull() { - try { - JaccServiceImpl jaccService = new JaccServiceImpl(); - jaccService.propagateWebConstraints(null, null, null); - } catch (Exception e) { - fail("Exception is caught : " + e); - } - } - - /** - * Tests propagateWebConstraints method - * Expected result: no exception even invalid object was supplied - */ - @Test - public void propagateWebConstraintsInvalidObject() { - try { - JaccServiceImpl jaccService = new JaccServiceImpl(); - jaccService.propagateWebConstraints("application", "module", "abc"); - } catch (Exception e) { - fail("Exception is caught : " + e); - } - } - - /** - * Tests propagateWebConstraints method - * Expected result: no exception. - */ - @Test - public void propagateWebConstraintsNormal() { - final String directory = "/wlp/test"; - final String name = "jaccServer"; - context.checking(new Expectations() { - { - allowing(jaccProviderServiceRef).getProperty(JACC_POLICY_PROVIDER); - allowing(jaccProviderServiceRef).getProperty(JACC_POLICY_PROVIDER_EE9); - will(returnValue(JACC_POLICY_PROVIDER_IMPL)); - allowing(jaccProviderServiceRef).getProperty(JACC_FACTORY); - allowing(jaccProviderServiceRef).getProperty(JACC_FACTORY_EE9); - will(returnValue(JACC_FACTORY_IMPL)); - allowing(cc).locateService("jaccProviderServiceProxy", jaccProviderServiceProxyRef); - will(returnValue(jaccProviderServiceProxy)); - allowing(cc).locateService("jaccProviderService", jaccProviderServiceRef); - will(returnValue(jaccProviderService)); - allowing(cc).locateService("locationAdmin", wsLocationAdminRef); - will(returnValue(wsLocationAdmin)); - allowing(jaccProviderServiceProxy).getPolicyProxy(); - will(returnValue(policyProxy)); - allowing(jaccProviderServiceProxy).getPolicyConfigFactory(); - will(returnValue(pcf)); - 
allowing(jaccProviderService).getPolicy(); - will(returnValue(policy)); - allowing(policyProxy).setPolicy(); - allowing(policyProxy).refresh(); - allowing(jaccProviderService).getPolicyConfigFactory(); - will(returnValue(pcf)); - allowing(jaccProviderServiceProxy).getPolicyName(); - will(returnValue(JACC_POLICY_PROVIDER_IMPL)); - allowing(jaccProviderServiceProxy).getFactoryName(); - will(returnValue(JACC_FACTORY_IMPL)); - allowing(wsLocationAdmin).resolveString("${wlp.user.dir}"); - will(returnValue(directory)); - allowing(wsLocationAdmin).getServerName(); - will(returnValue(name)); - allowing(wsp).propagateWebConstraints(with(any(PolicyConfigurationFactory.class)), with(any(String.class)), with(any(String.class))); - } - }); - try { - JaccServiceImpl jaccService = new JaccServiceImpl(); - jaccService.setJaccProviderServiceProxy(jaccProviderServiceProxyRef); - ProviderServiceProxyImpl providerServiceProxy = new ProviderServiceProxyImpl(); - ProxyTestUtil.setProviderService(providerServiceProxy, jaccProviderServiceRef); - jaccService.setLocationAdmin(wsLocationAdminRef); - jaccService.activate(cc); - jaccService.propagateWebConstraints(wsp, "application", "module", "abc"); - } catch (Exception e) { - e.printStackTrace(); - fail("Exception is caught : " + e); - } - } - - /** - * Tests isSSLRequire method - * Expected result: true if there is some error in the parameter. - */ - @Test - public void isSSLRequired() { - final String appName = "applicationName"; - final String moduleName = "moduleName"; - final String uriName = "/test/index.html"; - final String method = "GET"; - - try { - JaccServiceImpl jaccService = new JaccServiceImpl(); - assertTrue(jaccService.isSSLRequired(appName, moduleName, uriName, method, new Object())); - } catch (Exception e) { - fail("Exception is caught : " + e); - } - } - - /** - * Tests isAccessExcluded method - * Expected result: true if there is some error in the parameter. 
- */ - @Test - public void isAccessExcluded() { - final String appName = "applicationName"; - final String moduleName = "moduleName"; - final String uriName = "/test/index.html"; - final String method = "GET"; - - try { - JaccServiceImpl jaccService = new JaccServiceImpl(); - assertTrue(jaccService.isAccessExcluded(appName, moduleName, uriName, method, new Object())); - } catch (Exception e) { - fail("Exception is caught : " + e); - } - } - - /** - * Tests checkDataConstraints method - * Expected result: true if there is some error in the parameter. - */ - @Test - public void checkDataConstraintsInvalid() { - final String appName = "applicationName"; - final String moduleName = "moduleName"; - final String directory = "/wlp/test"; - final String name = "jaccServer"; - final String uriName = "/test/index.html"; - final String method = "GET"; - - context.checking(new Expectations() { - { - allowing(jaccProviderServiceRef).getProperty(JACC_POLICY_PROVIDER); - allowing(jaccProviderServiceRef).getProperty(JACC_POLICY_PROVIDER_EE9); - will(returnValue(JACC_POLICY_PROVIDER_IMPL)); - allowing(jaccProviderServiceRef).getProperty(JACC_FACTORY); - allowing(jaccProviderServiceRef).getProperty(JACC_FACTORY_EE9); - will(returnValue(JACC_FACTORY_IMPL)); - allowing(cc).locateService("jaccProviderServiceProxy", jaccProviderServiceProxyRef); - will(returnValue(jaccProviderServiceProxy)); - allowing(cc).locateService("jaccProviderService", jaccProviderServiceRef); - will(returnValue(jaccProviderService)); - allowing(cc).locateService("locationAdmin", wsLocationAdminRef); - will(returnValue(wsLocationAdmin)); - allowing(jaccProviderServiceProxy).getPolicyProxy(); - will(returnValue(policyProxy)); - allowing(jaccProviderServiceProxy).getPolicyConfigFactory(); - will(returnValue(pcf)); - allowing(jaccProviderService).getPolicy(); - will(returnValue(policy)); - allowing(policyProxy).setPolicy(); - allowing(policyProxy).refresh(); - allowing(jaccProviderService).getPolicyConfigFactory(); 
- will(returnValue(pcf)); - allowing(jaccProviderServiceProxy).getPolicyName(); - will(returnValue(JACC_POLICY_PROVIDER_IMPL)); - allowing(jaccProviderServiceProxy).getFactoryName(); - will(returnValue(JACC_FACTORY_IMPL)); - allowing(wsLocationAdmin).resolveString("${wlp.user.dir}"); - will(returnValue(directory)); - allowing(wsLocationAdmin).getServerName(); - will(returnValue(name)); - allowing(wsv).checkDataConstraints(with(any(String.class)), with(any(Object.class)), with(any(WebUserDataPermission.class)), with(any(PolicyProxy.class))); - will(returnValue(false)); - } - }); - - try { - JaccServiceImpl jaccService = new JaccServiceImpl(); - jaccService.setJaccProviderServiceProxy(jaccProviderServiceProxyRef); - ProviderServiceProxyImpl providerServiceProxy = new ProviderServiceProxyImpl(); - ProxyTestUtil.setProviderService(providerServiceProxy, jaccProviderServiceRef); - jaccService.setLocationAdmin(wsLocationAdminRef); - jaccService.activate(cc); - assertFalse(jaccService.checkDataConstraints(wsv, appName, moduleName, uriName, method, new Object(), null)); - } catch (Exception e) { - fail("Exception is caught : " + e); - } - } - - /** - * Tests isSSLRequire method - * Expected result: true if there is no permission defined. 
- */ - @Test - public void isSSlRequiredValid() { - final String appName = "applicationName"; - final String moduleName = "moduleName"; - final String directory = "/wlp/test"; - final String name = "jaccServer"; - final String uriName = "/test/index.html"; - final String method = "GET"; - context.checking(new Expectations() { - { - allowing(jaccProviderServiceRef).getProperty(JACC_POLICY_PROVIDER); - allowing(jaccProviderServiceRef).getProperty(JACC_POLICY_PROVIDER_EE9); - will(returnValue(JACC_POLICY_PROVIDER_IMPL)); - allowing(jaccProviderServiceRef).getProperty(JACC_FACTORY); - allowing(jaccProviderServiceRef).getProperty(JACC_FACTORY_EE9); - will(returnValue(JACC_FACTORY_IMPL)); - allowing(cc).locateService("jaccProviderServiceProxy", jaccProviderServiceProxyRef); - will(returnValue(jaccProviderServiceProxy)); - allowing(cc).locateService("jaccProviderService", jaccProviderServiceRef); - will(returnValue(jaccProviderService)); - allowing(cc).locateService("locationAdmin", wsLocationAdminRef); - will(returnValue(wsLocationAdmin)); - allowing(jaccProviderServiceProxy).getPolicyProxy(); - will(returnValue(policyProxy)); - allowing(jaccProviderServiceProxy).getPolicyConfigFactory(); - will(returnValue(pcf)); - allowing(jaccProviderService).getPolicy(); - will(returnValue(policy)); - allowing(policyProxy).setPolicy(); - allowing(policyProxy).refresh(); - allowing(jaccProviderService).getPolicyConfigFactory(); - will(returnValue(pcf)); - allowing(jaccProviderServiceProxy).getPolicyName(); - will(returnValue(JACC_POLICY_PROVIDER_IMPL)); - allowing(jaccProviderServiceProxy).getFactoryName(); - will(returnValue(JACC_FACTORY_IMPL)); - allowing(wsLocationAdmin).resolveString("${wlp.user.dir}"); - will(returnValue(directory)); - allowing(wsLocationAdmin).getServerName(); - will(returnValue(name)); - } - }); - - try { - JaccServiceImpl jaccService = new JaccServiceImpl(); - jaccService.setJaccProviderServiceProxy(jaccProviderServiceProxyRef); - ProviderServiceProxyImpl 
providerServiceProxy = new ProviderServiceProxyImpl(); - ProxyTestUtil.setProviderService(providerServiceProxy, jaccProviderServiceRef); - jaccService.setLocationAdmin(wsLocationAdminRef); - jaccService.activate(cc); - assertTrue(jaccService.isSSLRequired(appName, moduleName, uriName, method, req)); - // this is for null check - assertTrue(jaccService.isSSLRequired(appName, moduleName, uriName, method, req)); - } catch (Exception e) { - fail("Exception is caught : " + e); - } - } - - /** - * Tests isAuthorized method - * Expected result: false if there is no permission defined. - */ - @Test - public void isAuthorizedWeb() { - final String appName = "applicationName"; - final String moduleName = "moduleName"; - final String uriName = "/test/*"; - final String method = "GET"; - final Subject subject = new Subject(); - - try { - JaccServiceImpl jaccService = new JaccServiceImpl(); - assertFalse(jaccService.isAuthorized(appName, moduleName, uriName, method, req, subject)); - } catch (Exception e) { - fail("Exception is caught : " + e); - } - } - - /** - * Tests isAuthorized method - * Expected result: false if there is no permission defined. 
- */ - @Test - public void isAuthorizedWebDataValid() { - final String appName = "applicationName"; - final String moduleName = "moduleName"; - final String directory = "/wlp/test"; - final String name = "jaccServer"; - final String uriName = "/test/*"; - final String method = "GET"; - final Subject subject = new Subject(); - context.checking(new Expectations() { - { - allowing(jaccProviderServiceRef).getProperty(JACC_POLICY_PROVIDER); - allowing(jaccProviderServiceRef).getProperty(JACC_POLICY_PROVIDER_EE9); - will(returnValue(JACC_POLICY_PROVIDER_IMPL)); - allowing(jaccProviderServiceRef).getProperty(JACC_FACTORY); - allowing(jaccProviderServiceRef).getProperty(JACC_FACTORY_EE9); - will(returnValue(JACC_FACTORY_IMPL)); - allowing(cc).locateService("jaccProviderServiceProxy", jaccProviderServiceProxyRef); - will(returnValue(jaccProviderServiceProxy)); - allowing(cc).locateService("jaccProviderService", jaccProviderServiceRef); - will(returnValue(jaccProviderService)); - allowing(cc).locateService("locationAdmin", wsLocationAdminRef); - will(returnValue(wsLocationAdmin)); - allowing(jaccProviderServiceProxy).getPolicyProxy(); - will(returnValue(policyProxy)); - allowing(jaccProviderServiceProxy).getPolicyConfigFactory(); - will(returnValue(pcf)); - allowing(jaccProviderService).getPolicy(); - will(returnValue(policy)); - allowing(policyProxy).setPolicy(); - allowing(policyProxy).refresh(); - allowing(jaccProviderService).getPolicyConfigFactory(); - will(returnValue(pcf)); - allowing(jaccProviderServiceProxy).getPolicyName(); - will(returnValue(JACC_POLICY_PROVIDER_IMPL)); - allowing(jaccProviderServiceProxy).getFactoryName(); - will(returnValue(JACC_FACTORY_IMPL)); - allowing(wsLocationAdmin).resolveString("${wlp.user.dir}"); - will(returnValue(directory)); - allowing(wsLocationAdmin).getServerName(); - will(returnValue(name)); - allowing(wsv).checkResourceConstraints(with(any(String.class)), with(any(Object.class)), with(any(WebResourcePermission.class)), 
with(any(Subject.class)), - with(any(PolicyProxy.class))); - will(returnValue(false)); - } - }); - - try { - JaccServiceImpl jaccService = new JaccServiceImpl(); - jaccService.setJaccProviderServiceProxy(jaccProviderServiceProxyRef); - ProviderServiceProxyImpl providerServiceProxy = new ProviderServiceProxyImpl(); - ProxyTestUtil.setProviderService(providerServiceProxy, jaccProviderServiceRef); - jaccService.setLocationAdmin(wsLocationAdminRef); - jaccService.activate(cc); - assertFalse(jaccService.isAuthorized(wsv, appName, moduleName, uriName, method, req, subject)); - } catch (Exception e) { - fail("Exception is caught : " + e); - } - } - - /** - * Tests isSubjectInRole method - * Expected result: false if there is no permission defined. - */ - @Test - public void isWebSubjectInRole() { - final String appName = "applicationName"; - final String moduleName = "moduleName"; - final String servletName = "servlet.class"; - final String role = "UserRole"; - final Subject subject = new Subject(); - try { - JaccServiceImpl jaccService = new JaccServiceImpl(); - assertFalse(jaccService.isSubjectInRole(appName, moduleName, servletName, role, req, subject)); - } catch (Exception e) { - fail("Exception is caught : " + e); - } - } - - /** - * Tests isSubjectInRole method - * Expected result: false if there is no permission defined. 
- */ - @Test - public void isWebSubjectInRoleValid() { - final String appName = "applicationName"; - final String moduleName = "moduleName"; - final String directory = "/wlp/test"; - final String name = "jaccServer"; - final String servletName = "servlet.class"; - final String role = "UserRole"; - final Subject subject = new Subject(); - context.checking(new Expectations() { - { - allowing(jaccProviderServiceRef).getProperty(JACC_POLICY_PROVIDER); - allowing(jaccProviderServiceRef).getProperty(JACC_POLICY_PROVIDER_EE9); - will(returnValue(JACC_POLICY_PROVIDER_IMPL)); - allowing(jaccProviderServiceRef).getProperty(JACC_FACTORY); - allowing(jaccProviderServiceRef).getProperty(JACC_FACTORY_EE9); - will(returnValue(JACC_FACTORY_IMPL)); - allowing(cc).locateService("jaccProviderServiceProxy", jaccProviderServiceProxyRef); - will(returnValue(jaccProviderServiceProxy)); - allowing(cc).locateService("jaccProviderService", jaccProviderServiceRef); - will(returnValue(jaccProviderService)); - allowing(cc).locateService("locationAdmin", wsLocationAdminRef); - will(returnValue(wsLocationAdmin)); - allowing(jaccProviderServiceProxy).getPolicyProxy(); - will(returnValue(policyProxy)); - allowing(jaccProviderServiceProxy).getPolicyConfigFactory(); - will(returnValue(pcf)); - allowing(jaccProviderService).getPolicy(); - will(returnValue(policy)); - allowing(policyProxy).setPolicy(); - allowing(policyProxy).refresh(); - allowing(jaccProviderService).getPolicyConfigFactory(); - will(returnValue(pcf)); - allowing(jaccProviderServiceProxy).getPolicyName(); - will(returnValue(JACC_POLICY_PROVIDER_IMPL)); - allowing(jaccProviderServiceProxy).getFactoryName(); - will(returnValue(JACC_FACTORY_IMPL)); - allowing(wsLocationAdmin).resolveString("${wlp.user.dir}"); - will(returnValue(directory)); - allowing(wsLocationAdmin).getServerName(); - will(returnValue(name)); - allowing(wsv).checkResourceConstraints(with(any(String.class)), with(any(Object.class)), 
with(any(WebRoleRefPermission.class)), with(any(Subject.class)), - with(any(PolicyProxy.class))); - will(returnValue(true)); - } - }); - - try { - JaccServiceImpl jaccService = new JaccServiceImpl(); - jaccService.setJaccProviderServiceProxy(jaccProviderServiceProxyRef); - ProviderServiceProxyImpl providerServiceProxy = new ProviderServiceProxyImpl(); - ProxyTestUtil.setProviderService(providerServiceProxy, jaccProviderServiceRef); - jaccService.setLocationAdmin(wsLocationAdminRef); - jaccService.activate(cc); - assertTrue(jaccService.isSubjectInRole(wsv, appName, moduleName, servletName, role, req, subject)); - } catch (Exception e) { - fail("Exception is caught : " + e); - } - } - - /** - * Tests propagateEJBRoles method - * Expected result: no exception. - */ - @Test - public void propagateEJBRoles() { - final String appName = "applicationName"; - final String moduleName = "moduleName"; - final String beanName = "testBean"; - - try { - JaccServiceImpl jaccService = new JaccServiceImpl(); - jaccService.propagateEJBRoles(appName, moduleName, beanName, null, null); - } catch (Exception e) { - e.printStackTrace(); - fail("Exception is caught : " + e); - } - } - - /** - * Tests propagateEJBRoles method - * Expected result: no exception. 
- */ - @SuppressWarnings("unchecked") - @Test - public void propagateEJBRolesValid() { - final String directory = "/wlp/test"; - final String name = "jaccServer"; - final String appName = "applicationName"; - final String moduleName = "moduleName"; - final String beanName = "testBean"; - final Map rl = new HashMap(); - final Map> mm = new HashMap>(); - - context.checking(new Expectations() { - { - allowing(jaccProviderServiceRef).getProperty(JACC_POLICY_PROVIDER); - allowing(jaccProviderServiceRef).getProperty(JACC_POLICY_PROVIDER_EE9); - will(returnValue(JACC_POLICY_PROVIDER_IMPL)); - allowing(jaccProviderServiceRef).getProperty(JACC_FACTORY); - allowing(jaccProviderServiceRef).getProperty(JACC_FACTORY_EE9); - will(returnValue(JACC_FACTORY_IMPL)); - allowing(cc).locateService("jaccProviderServiceProxy", jaccProviderServiceProxyRef); - will(returnValue(jaccProviderServiceProxy)); - allowing(cc).locateService("jaccProviderService", jaccProviderServiceRef); - will(returnValue(jaccProviderService)); - allowing(cc).locateService("locationAdmin", wsLocationAdminRef); - will(returnValue(wsLocationAdmin)); - allowing(jaccProviderServiceProxy).getPolicyProxy(); - will(returnValue(policyProxy)); - allowing(jaccProviderServiceProxy).getPolicyConfigFactory(); - will(returnValue(pcf)); - allowing(jaccProviderService).getPolicy(); - will(returnValue(policy)); - allowing(policyProxy).setPolicy(); - allowing(policyProxy).refresh(); - allowing(jaccProviderService).getPolicyConfigFactory(); - will(returnValue(pcf)); - allowing(jaccProviderServiceProxy).getPolicyName(); - will(returnValue(JACC_POLICY_PROVIDER_IMPL)); - allowing(jaccProviderServiceProxy).getFactoryName(); - will(returnValue(JACC_FACTORY_IMPL)); - allowing(wsLocationAdmin).resolveString("${wlp.user.dir}"); - will(returnValue(directory)); - allowing(wsLocationAdmin).getServerName(); - will(returnValue(name)); - allowing(esp).propagateEJBRoles(with(any(String.class)), with(any(String.class)), with(any(String.class)), 
with(any(HashMap.class)), with(any(HashMap.class))); - } - }); - try { - JaccServiceImpl jaccService = new JaccServiceImpl(); - jaccService.setJaccProviderServiceProxy(jaccProviderServiceProxyRef); - ProviderServiceProxyImpl providerServiceProxy = new ProviderServiceProxyImpl(); - ProxyTestUtil.setProviderService(providerServiceProxy, jaccProviderServiceRef); - jaccService.setLocationAdmin(wsLocationAdminRef); - jaccService.activate(cc); - jaccService.propagateEJBRoles(esp, appName, moduleName, beanName, rl, mm); - } catch (Exception e) { - e.printStackTrace(); - fail("Exception is caught : " + e); - } - } - - /** - * Tests isAuthorized method - * Expected result: false if there is no permission defined. - */ - @Test - public void isAuthorized() { - final String appName = "applicationName"; - final String moduleName = "moduleName"; - final String beanName = "testBean"; - final String methodName = "testMethod"; - final String methodInterface = "String"; - final String ms1 = null; - final List methodParameters = null; - final Subject subject = new Subject(); - - try { - JaccServiceImpl jaccService = new JaccServiceImpl(); - assertFalse(jaccService.isAuthorized(appName, moduleName, beanName, methodName, methodInterface, ms1, methodParameters, eBean, subject)); - } catch (Exception e) { - e.printStackTrace(); - fail("Exception is caught : " + e); - } - } - - /** - * Tests isAuthorized method - * Expected result: false if there is no permission defined. 
- */ - @SuppressWarnings("unchecked") - @Test - public void isAuthorizedEjbValid() { - final String appName = "applicationName"; - final String moduleName = "moduleName"; - final String beanName = "testBean"; - final String methodName = "testMethod"; - final String methodInterface = "String"; - final String ms2 = "aaa:bbb,ccc,ddd"; - final String ms3 = "aaa"; - final String ms4 = "aaa:"; - final List mp = new ArrayList(); - final String directory = "/wlp/test"; - final String name = "jaccServer"; - final String method = "GET"; - final Subject subject = new Subject(); - context.checking(new Expectations() { - { - allowing(jaccProviderServiceRef).getProperty(JACC_POLICY_PROVIDER); - allowing(jaccProviderServiceRef).getProperty(JACC_POLICY_PROVIDER_EE9); - will(returnValue(JACC_POLICY_PROVIDER_IMPL)); - allowing(jaccProviderServiceRef).getProperty(JACC_FACTORY); - allowing(jaccProviderServiceRef).getProperty(JACC_FACTORY_EE9); - will(returnValue(JACC_FACTORY_IMPL)); - allowing(cc).locateService("jaccProviderServiceProxy", jaccProviderServiceProxyRef); - will(returnValue(jaccProviderServiceProxy)); - allowing(cc).locateService("jaccProviderService", jaccProviderServiceRef); - will(returnValue(jaccProviderService)); - allowing(cc).locateService("locationAdmin", wsLocationAdminRef); - will(returnValue(wsLocationAdmin)); - allowing(jaccProviderServiceProxy).getPolicyProxy(); - will(returnValue(policyProxy)); - allowing(jaccProviderServiceProxy).getPolicyConfigFactory(); - will(returnValue(pcf)); - allowing(jaccProviderService).getPolicy(); - will(returnValue(policy)); - allowing(policyProxy).setPolicy(); - allowing(policyProxy).refresh(); - allowing(jaccProviderService).getPolicyConfigFactory(); - will(returnValue(pcf)); - allowing(jaccProviderServiceProxy).getPolicyName(); - will(returnValue(JACC_POLICY_PROVIDER_IMPL)); - allowing(jaccProviderServiceProxy).getFactoryName(); - will(returnValue(JACC_FACTORY_IMPL)); - 
allowing(wsLocationAdmin).resolveString("${wlp.user.dir}"); - will(returnValue(directory)); - allowing(wsLocationAdmin).getServerName(); - will(returnValue(name)); - allowing(req).getMethod(); - will(returnValue(method)); - allowing(esv).checkResourceConstraints(with(any(String.class)), with(any(ArrayList.class)), with(any(EnterpriseBean.class)), with(any(EJBMethodPermission.class)), - with(any(Subject.class)), with(any(PolicyProxy.class))); - will(returnValue(true)); - } - }); - - try { - JaccServiceImpl jaccService = new JaccServiceImpl(); - jaccService.setJaccProviderServiceProxy(jaccProviderServiceProxyRef); - ProviderServiceProxyImpl providerServiceProxy = new ProviderServiceProxyImpl(); - ProxyTestUtil.setProviderService(providerServiceProxy, jaccProviderServiceRef); - jaccService.setLocationAdmin(wsLocationAdminRef); - jaccService.activate(cc); - assertTrue(jaccService.isAuthorized(esv, appName, moduleName, beanName, methodName, methodInterface, ms2, mp, eBean, subject)); - // different method signature - assertTrue(jaccService.isAuthorized(esv, appName, moduleName, beanName, methodName, methodInterface, ms3, mp, eBean, subject)); - assertTrue(jaccService.isAuthorized(esv, appName, moduleName, beanName, methodName, methodInterface, ms4, mp, eBean, subject)); - } catch (Exception e) { - e.printStackTrace(); - fail("Exception is caught : " + e); - } - } - - /** - * Tests isSubjectInRole method - * Expected result: false if there is no permission defined. 
- */ - @Test - public void isEjbSubjectInRole() { - final String appName = "applicationName"; - final String moduleName = "moduleName"; - final String beanName = "testBean"; - final String methodName = "testMethod"; - final List mp = null; - final String role = "allRole"; - final Subject subject = new Subject(); - try { - // this is for null check - JaccServiceImpl jaccService = new JaccServiceImpl(); - assertFalse(jaccService.isSubjectInRole(appName, moduleName, beanName, methodName, mp, role, eBean, subject)); - } catch (Exception e) { - e.printStackTrace(); - fail("Exception is caught : " + e); - } - } - - /** - * Tests isSubjectInRole method - * Expected result: false if there is no permission defined. - */ - @SuppressWarnings("unchecked") - @Test - public void isEjbSubjectInRoleValid() { - final String appName = "applicationName"; - final String moduleName = "moduleName"; - final String beanName = "testBean"; - final String methodName = "testMethod"; - final List mp = new ArrayList(); - final String role = "allRole"; - final String directory = "/wlp/test"; - final String name = "jaccServer"; - final Subject subject = new Subject(); - context.checking(new Expectations() { - { - allowing(jaccProviderServiceRef).getProperty(JACC_POLICY_PROVIDER); - allowing(jaccProviderServiceRef).getProperty(JACC_POLICY_PROVIDER_EE9); - will(returnValue(JACC_POLICY_PROVIDER_IMPL)); - allowing(jaccProviderServiceRef).getProperty(JACC_FACTORY); - allowing(jaccProviderServiceRef).getProperty(JACC_FACTORY_EE9); - will(returnValue(JACC_FACTORY_IMPL)); - allowing(cc).locateService("jaccProviderServiceProxy", jaccProviderServiceProxyRef); - will(returnValue(jaccProviderServiceProxy)); - allowing(cc).locateService("jaccProviderService", jaccProviderServiceRef); - will(returnValue(jaccProviderService)); - allowing(cc).locateService("locationAdmin", wsLocationAdminRef); - will(returnValue(wsLocationAdmin)); - allowing(jaccProviderServiceProxy).getPolicyProxy(); - 
will(returnValue(policyProxy)); - allowing(jaccProviderServiceProxy).getPolicyConfigFactory(); - will(returnValue(pcf)); - allowing(jaccProviderService).getPolicy(); - will(returnValue(policy)); - allowing(policyProxy).setPolicy(); - allowing(policyProxy).refresh(); - allowing(jaccProviderService).getPolicyConfigFactory(); - will(returnValue(pcf)); - allowing(jaccProviderServiceProxy).getPolicyName(); - will(returnValue(JACC_POLICY_PROVIDER_IMPL)); - allowing(jaccProviderServiceProxy).getFactoryName(); - will(returnValue(JACC_FACTORY_IMPL)); - allowing(wsLocationAdmin).resolveString("${wlp.user.dir}"); - will(returnValue(directory)); - allowing(wsLocationAdmin).getServerName(); - will(returnValue(name)); - allowing(esv).checkResourceConstraints(with(any(String.class)), with(any(ArrayList.class)), with(any(EnterpriseBean.class)), with(any(EJBRoleRefPermission.class)), - with(any(Subject.class)), with(any(PolicyProxy.class))); - will(returnValue(true)); - } - }); - - try { - JaccServiceImpl jaccService = new JaccServiceImpl(); - jaccService.setJaccProviderServiceProxy(jaccProviderServiceProxyRef); - ProviderServiceProxyImpl providerServiceProxy = new ProviderServiceProxyImpl(); - ProxyTestUtil.setProviderService(providerServiceProxy, jaccProviderServiceRef); - jaccService.setLocationAdmin(wsLocationAdminRef); - jaccService.activate(cc); - assertTrue(jaccService.isSubjectInRole(esv, appName, moduleName, beanName, methodName, mp, role, eBean, subject)); - } catch (Exception e) { - e.printStackTrace(); - fail("Exception is caught : " + e); - } - } - - /** - * Tests areRequestMethodArgumentsRequired method - * Expected result: true - */ - @Test - public void areRequestMethodArgumentsRequiredTrue() { - final String value = "true"; - context.checking(new Expectations() { - { - allowing(jaccProviderServiceRef).getProperty(JACC_POLICY_PROVIDER); - allowing(jaccProviderServiceRef).getProperty(JACC_POLICY_PROVIDER_EE9); - will(returnValue(JACC_POLICY_PROVIDER_IMPL)); - 
allowing(jaccProviderServiceRef).getProperty(JACC_FACTORY); - allowing(jaccProviderServiceRef).getProperty(JACC_FACTORY_EE9); - will(returnValue(JACC_FACTORY_IMPL)); - allowing(cc).locateService("jaccProviderServiceProxy", jaccProviderServiceProxyRef); - will(returnValue(jaccProviderServiceProxy)); - allowing(cc).locateService("jaccProviderService", jaccProviderServiceRef); - will(returnValue(jaccProviderService)); - allowing(cc).locateService("locationAdmin", wsLocationAdminRef); - will(returnValue(wsLocationAdmin)); - allowing(jaccProviderServiceProxy).getPolicyProxy(); - will(returnValue(policyProxy)); - allowing(jaccProviderServiceProxy).getPolicyConfigFactory(); - will(returnValue(pcf)); - allowing(jaccProviderService).getPolicy(); - will(returnValue(policy)); - allowing(policyProxy).setPolicy(); - allowing(policyProxy).refresh(); - allowing(jaccProviderService).getPolicyConfigFactory(); - will(returnValue(pcf)); - allowing(jaccProviderServiceProxy).getPolicyName(); - will(returnValue(JACC_POLICY_PROVIDER_IMPL)); - allowing(jaccProviderServiceProxy).getFactoryName(); - will(returnValue(JACC_FACTORY_IMPL)); - allowing(jaccProviderServiceProxy).getProperty(JACC_EJB_METHOD_ARGUMENT); - will(returnValue(value)); - allowing(jaccProviderServiceRef).getProperty(JACC_EJB_METHOD_ARGUMENT); - will(returnValue(value)); - } - }); - - try { - JaccServiceImpl jaccService = new JaccServiceImpl(); - jaccService.setJaccProviderServiceProxy(jaccProviderServiceProxyRef); - ProviderServiceProxyImpl providerServiceProxy = new ProviderServiceProxyImpl(); - ProxyTestUtil.setProviderService(providerServiceProxy, jaccProviderServiceRef); - jaccService.setLocationAdmin(wsLocationAdminRef); - jaccService.activate(cc); - assertTrue(jaccService.areRequestMethodArgumentsRequired()); - } catch (Exception e) { - e.printStackTrace(); - fail("Exception is caught : " + e); - } - } - - /** - * Tests areRequestMethodArgumentsRequired method - * Expected result: false - */ - @Test - public void 
areRequestMethodArgumentsRequiredFalseNull() { - context.checking(new Expectations() { - { - allowing(jaccProviderServiceRef).getProperty(JACC_EJB_METHOD_ARGUMENT); - will(returnValue(null)); - } - }); - - try { - JaccServiceImpl jaccService = new JaccServiceImpl(); - assertFalse(jaccService.areRequestMethodArgumentsRequired()); - } catch (Exception e) { - e.printStackTrace(); - fail("Exception is caught : " + e); - } - } - - /** - * Tests areRequestMethodArgumentsRequired method - * Expected result: false - */ - @Test - public void areRequestMethodArgumentsRequiredFalseInvalidObject() { - context.checking(new Expectations() { - { - allowing(jaccProviderServiceRef).getProperty(JACC_EJB_METHOD_ARGUMENT); - will(returnValue(new Object())); - } - }); - - try { - JaccServiceImpl jaccService = new JaccServiceImpl(); - assertFalse(jaccService.areRequestMethodArgumentsRequired()); - } catch (Exception e) { - e.printStackTrace(); - fail("Exception is caught : " + e); - } - } - - /** - * Tests areRequestMethodArgumentsRequired method - * Expected result: false - */ - @Test - public void areRequestMethodArgumentsRequiredFalse() { - final String value = "false"; - context.checking(new Expectations() { - { - allowing(jaccProviderServiceRef).getProperty(JACC_EJB_METHOD_ARGUMENT); - will(returnValue(value)); - } - }); - - try { - JaccServiceImpl jaccService = new JaccServiceImpl(); - assertFalse(jaccService.areRequestMethodArgumentsRequired()); - } catch (Exception e) { - e.printStackTrace(); - fail("Exception is caught : " + e); - } - } - - /** - * Tests getEsp method - * Expected result: return an object when service is not null. 
- */ - @Test - public void getEsp() { - context.checking(new Expectations() { - { - allowing(es).getPropagator(); - will(returnValue(esp)); - } - }); - - try { - JaccServiceImpl jaccService = new JaccServiceImpl(); - assertEquals(jaccService.getEsp(es), esp); - } catch (Exception e) { - e.printStackTrace(); - fail("Exception is caught : " + e); - } - } - - /** - * Tests getEsv method - * Expected result: return an object when service is not null. - */ - @Test - public void getEsv() { - context.checking(new Expectations() { - { - allowing(es).getValidator(); - will(returnValue(esv)); - } - }); - - try { - JaccServiceImpl jaccService = new JaccServiceImpl(); - assertEquals(jaccService.getEsv(es), esv); - } catch (Exception e) { - e.printStackTrace(); - fail("Exception is caught : " + e); - } - } - - /** - * Tests getWsp method - * Expected result: return an object when service is not null. - */ - @Test - public void getWsp() { - context.checking(new Expectations() { - { - allowing(ss).getPropagator(); - will(returnValue(wsp)); - } - }); - - try { - JaccServiceImpl jaccService = new JaccServiceImpl(); - assertEquals(jaccService.getWsp(ss), wsp); - } catch (Exception e) { - e.printStackTrace(); - fail("Exception is caught : " + e); - } - } - - /** - * Tests getWsv method - * Expected result: return an object when service is not null. - */ - @Test - public void getWsv() { - context.checking(new Expectations() { - { - allowing(ss).getValidator(); - will(returnValue(wsv)); - } - }); - - try { - JaccServiceImpl jaccService = new JaccServiceImpl(); - assertEquals(jaccService.getWsv(ss), wsv); - } catch (Exception e) { - e.printStackTrace(); - fail("Exception is caught : " + e); - } - } - } diff --git a/dev/com.ibm.ws.security.authorization.jacc/transformed.bnd b/dev/com.ibm.ws.security.authorization.jacc/transformed.bnd index 0afde2fc8c5f..15fa6343cf22 100644 --- a/dev/com.ibm.ws.security.authorization.jacc/transformed.bnd 
+++ b/dev/com.ibm.ws.security.authorization.jacc/transformed.bnd
@@ -17,14 +17,13 @@ Bundle-SymbolicName: io.openliberty.security.authorization.internal.jacc.common
 Bundle-Description: Security JACC Service, Jakarta enabled
 Export-Package: \
+ com.ibm.ws.security.authorization.jacc;provide:=true, \
 com.ibm.ws.security.authorization.jacc.ejb, \
- com.ibm.ws.security.authorization.jacc.web, \
- com.ibm.ws.security.authorization.jacc.common, \
- com.ibm.ws.security.authorization.jacc;provide:=true
+ com.ibm.ws.security.authorization.jacc.common
 Private-Package: com.ibm.ws.security.authorization.jacc.internal, \
 com.ibm.ws.security.authorization.jacc.internal.resources
 -dsannotations: \
 com.ibm.ws.security.authorization.jacc.internal.JaccServiceImpl, \
- com.ibm.ws.security.authorization.jacc.common.PolicyConfigurationManager
+ com.ibm.ws.security.authorization.jacc.common.PolicyConfigurationManagerImpl
diff --git a/dev/com.ibm.ws.security.authorization/.classpath b/dev/com.ibm.ws.security.authorization/.classpath
index 8c73872f8b24..eecb56c2fdc3 100644
--- a/dev/com.ibm.ws.security.authorization/.classpath
+++ b/dev/com.ibm.ws.security.authorization/.classpath
@@ -1,7 +1,6 @@
-
diff --git a/dev/com.ibm.ws.security.authorization/bnd.bnd b/dev/com.ibm.ws.security.authorization/bnd.bnd
index cf099704807f..02ea021a7a07 100644
--- a/dev/com.ibm.ws.security.authorization/bnd.bnd
+++ b/dev/com.ibm.ws.security.authorization/bnd.bnd
@@ -1,5 +1,5 @@
 #*******************************************************************************
-# Copyright (c) 2017 IBM Corporation and others.
+# Copyright (c) 2017, 2024 IBM Corporation and others.
 # All rights reserved. This program and the accompanying materials
 # are made available under the terms of the Eclipse Public License 2.0
 # which accompanies this distribution, and is available at
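Review bot: `com.ibm.ws.security.authorization.jacc.web` disappears from Export-Package here while the hunk at -22,8 in com.ibm.ws.security.authorization/bnd.bnd drops `com.ibm.ws.security.authorization.jacc` from the base bundle, so the `jacc` API package is now published only by this bundle (`provide:=true`) and `jacc.web` by nobody; any bundle that still carries an Import-Package for `jacc.web` would fail to resolve, so that is worth checking against the web-security bundle's bnd before merge. Only transformed.bnd is visible in this chunk; the non-transformed bnd.bnd of this bundle presumably received the matching Export-Package and `-dsannotations` edits, including the `PolicyConfigurationManagerImpl` rename, and should be checked for the same. A short comment above Export-Package, `# jacc.web is no longer exported; its function moved into the web bundle`, would record why the list changed.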
@@ -22,8 +22,7 @@ WS-TraceGroup: \ Authorization Export-Package: \ - com.ibm.ws.security.authorization, \ - com.ibm.ws.security.authorization.jacc + com.ibm.ws.security.authorization -buildpath: \ com.ibm.websphere.org.osgi.service.cm;version=latest, \ diff --git a/dev/com.ibm.ws.security.authorization/src/com/ibm/ws/security/authorization/jacc/JaccService.java b/dev/com.ibm.ws.security.authorization/src/com/ibm/ws/security/authorization/jacc/JaccService.java deleted file mode 100644 index d0aaa2b5e676..000000000000 --- a/dev/com.ibm.ws.security.authorization/src/com/ibm/ws/security/authorization/jacc/JaccService.java +++ /dev/null 
@@ -1,177 +0,0 @@
-/*******************************************************************************
- * Copyright (c) 2017 IBM Corporation and others.
- * All rights reserved. This program and the accompanying materials
- * are made available under the terms of the Eclipse Public License 2.0
- * which accompanies this distribution, and is available at
- * http://www.eclipse.org/legal/epl-2.0/
- *
- * SPDX-License-Identifier: EPL-2.0
- *
- * Contributors:
- * IBM Corporation - initial API and implementation
- *******************************************************************************/
-package com.ibm.ws.security.authorization.jacc;
-
-import java.util.List;
-import java.util.Map;
-
-import javax.security.auth.Subject;
-
-public interface JaccService {
-
- /**
- * Propagates web constraints information to JACC.
- *
- * @param applicationName Application name
- * @param moduleName Module name
- * @param webAppConfig WebAppConfig object. In this interface, it is intentionally declare as Object to avoid adding any dependency to webcontainer project.
- */
- public void propagateWebConstraints(String applicationName,
- String moduleName,
- Object webAppConfig);
-
- /**
- * Validates whether SSL is required for web inbound transport.
- *
- * @param applicationName Application name
- * @param moduleName Module name
- * @param uriName Uri
- * @param methodName method Name
- * @param req HttpServletObject of this request. In this interface, it is intentionally declare as Object to avoid adding any dependency to webcontainer project.
- * @return true if SSL is required.
- */
- public boolean isSSLRequired(String applicationName,
- String moduleName,
- String uriName,
- String methodName,
- Object req);
-
- /**
- * Validates whether the http request is excluded.
- *
- * @param applicationName Application name
- * @param moduleName Module name
- * @param uriName Uri
- * @param methodName method Name
- * @param req HttpServletObject of this request. In this interface, it is intentionally declare as Object to avoid adding any dependency to webcontainer project.
- * @return true if SSL is required.
- */
- public boolean isAccessExcluded(String applicationName,
- String moduleName,
- String uriName,
- String methodName,
- Object req);
-
- /**
- * Validates whether given Subject is granted to access the specified resource.
- *
- * @param applicationName Application name
- * @param moduleName Module name
- * @param uriName Uri
- * @param methodName method Name
- * @param req HttpServletObject of this request. In this interface, it is intentionally declare as Object to avoid adding any dependency to webcontainer project.
- * @param subject Subject object to be authorized.
- * @return true if access is granted.
- */
- public boolean isAuthorized(String applicationName,
- String moduleName,
- String uriName,
- String methodName,
- Object req,
- Subject subject);
-
- /**
- * Validates whether given Subject is granted to access the specified resource.
- *
- * @param applicationName Application name
- * @param moduleName Module name
- * @param uriName Uri
- * @param req HttpServletObject of this request. In this interface, it is intentionally declare as Object to avoid adding any dependency to webcontainer project.
- * @param role role name to be examined.
- * @param subject Subject object to be authorized.
- * @return true if the specified subject has the specified role.
- */
- public boolean isSubjectInRole(String applicationName,
- String moduleName,
- String servletName,
- String role,
- Object req,
- Subject subject);
-
- /**
- * Propagates EJB role mapping information to JACC.
- *
- * @param applicationName Application name
- * @param moduleName Module name
- * @param beanName Bean name
- * @param roleLinkMap list of role-ref link
- * @param methodMap method to role mapping.
- */
- public void propagateEJBRoles(String applicationName,
- String moduleName,
- String beanName,
- Map roleLinkMap,
- Map> methodMap);
-
- /**
- * Validates whether given Subject is granted to access the specified resource.
- *
- * @param applicationName Application name
- * @param moduleName Module name
- * @param beanName Bean name
- * @param methodName Method name
- * @param methodInterface Method interface
- * @param methodName Method signature
- * @param methodParameters The list of method parameters. this is optional and null is accepted.
- * @param bean EnterpriseBean object this is an optional and null is allowed. In this interface, it is intentionally declare as Object to avoid adding any dependency to
- * ejbcontainer project.
- * @param subject Subject object to be authorized.
- * @return true if the specified subject is granted to access the specified resource.
- */
- public boolean isAuthorized(String applicationName,
- String moduleName,
- String beanName,
- String methodName,
- String methodInterface,
- String methodSignature,
- List methodParameters,
- Object bean,
- Subject subject);
-
- /**
- * Validates whether given Subject is a member of the specified role
- *
- * @param applicationName Application name
- * @param moduleName Module name
- * @param beanName Bean name
- * @param methodName Method name
- * @param methodInterface Method interface
- * @param methodParameters The list of method parameters. this is optional and null is accepted.
- * @param role Role name
- * @param bean EnterpriseBean object this is an optional and null is allowed. In this interface, it is intentionally declare as Object to avoid adding any dependency to
- * ejbcontainer project.
- * @param subject Subject object to be authorized.
- * @return true if the specified subject has a member of the specified role.
- */
- public boolean isSubjectInRole(String applicationName,
- String moduleName,
- String beanName,
- String methodName,
- List methodParameters,
- String role,
- Object bean,
- Subject subject);
-
- /**
- * Returns whether RequestMethodArguments are required for authorization decision for EJB.
- *
- * @return true if RequestMethodArguments are required. false otherwise.
- */
-
- public boolean areRequestMethodArgumentsRequired();
-
- /**
- * Reset the policyContext Handler as per JACC specification
- */
- public void resetPolicyContextHandlerInfo();
-}
diff --git a/dev/com.ibm.ws.webcontainer.security.app/bnd.bnd b/dev/com.ibm.ws.webcontainer.security.app/bnd.bnd
index b4dc9cd02316..1685dcd9d117 100644
--- a/dev/com.ibm.ws.webcontainer.security.app/bnd.bnd
+++ b/dev/com.ibm.ws.webcontainer.security.app/bnd.bnd
@@ -1,5 +1,5 @@
 #*******************************************************************************
-# Copyright (c) 2017, 2022 IBM Corporation and others.
+# Copyright (c) 2017, 2024 IBM Corporation and others.
 # All rights reserved. This program and the accompanying materials
 # are made available under the terms of the Eclipse Public License 2.0
 # which accompanies this distribution, and is available at
@@ -45,23 +45,23 @@ Service-Component: \ authenticatorFactory=com.ibm.ws.webcontainer.security.WebAuthenticatorFactory; \ unauthenticatedSubjectService=com.ibm.ws.security.authentication.UnauthenticatedSubjectService; \ unprotectedResourceService=com.ibm.ws.webcontainer.security.UnprotectedResourceService; \ - jaccService=com.ibm.ws.security.authorization.jacc.JaccService;\ + webJaccService=com.ibm.ws.webcontainer.security.WebJaccService;\ kernelProvisioner=com.ibm.ws.kernel.feature.FeatureProvisioner;\ webAppSecurityConfigChangeListener=com.ibm.ws.webcontainer.security.WebAppSecurityConfigChangeListener;\ loggedOutCookieCacheService=io.openliberty.jcache.CacheService;\ multiple:='interceptorService, webAuthenticator, unprotectedResourceService, webAppSecurityConfigChangeListener'; \ greedy:='ssoAuthFilter,interceptorService, webAuthenticator, unprotectedResourceService,authenticatorFactory'; \ - optional:='taiService,interceptorService,webAuthenticator,jaccService,unprotectedResourceService,webAppSecurityConfigChangeListener,loggedOutCookieCacheService'; \ - dynamic:='ssoAuthFilter,taiService,interceptorService,webAuthenticator,jaccService,unprotectedResourceService,authenticatorFactory,webAppSecurityConfigChangeListener'; \ + optional:='taiService,interceptorService,webAuthenticator,webJaccService,unprotectedResourceService,webAppSecurityConfigChangeListener,loggedOutCookieCacheService'; \ + dynamic:='ssoAuthFilter,taiService,interceptorService,webAuthenticator,webJaccService,unprotectedResourceService,authenticatorFactory,webAppSecurityConfigChangeListener'; \ properties:="service.vendor=IBM,loggedOutCookieCacheService.target=(id=unbound)", \ com.ibm.ws.webcontainer.security.ServletStartedListener; \ implementation:=com.ibm.ws.webcontainer.security.ServletStartedListener; \ provide:='com.ibm.wsspi.webcontainer.collaborator.WebAppInitializationCollaborator'; \ activate:=activate;\ deactivate:=deactivate;\ - 
jaccService=com.ibm.ws.security.authorization.jacc.JaccService;\ - dynamic:='jaccService';\ - optional:='jaccService';\ + webJaccService=com.ibm.ws.webcontainer.security.WebJaccService;\ + dynamic:='webJaccService';\ + optional:='webJaccService';\ configuration-policy:=ignore;\ properties:="service.vendor=IBM", \ SecurityTransferContextService; \ @@ -76,9 +76,9 @@ Service-Component: \ configuration-policy:=ignore; \ activate:=activate; \ deactivate:=deactivate; \ - jaccService=com.ibm.ws.security.authorization.jacc.JaccService; \ - dynamic:='jaccService'; \ - optional:='jaccService'; \ + webJaccService=com.ibm.ws.webcontainer.security.WebJaccService; \ + dynamic:='webJaccService'; \ + optional:='webJaccService'; \ properties:="service.vendor=IBM" -buildpath: com.ibm.ws.webcontainer.security;version=latest diff --git a/dev/com.ibm.ws.webcontainer.security/src/com/ibm/ws/webcontainer/security/MetaDataListenerImpl.java b/dev/com.ibm.ws.webcontainer.security/src/com/ibm/ws/webcontainer/security/MetaDataListenerImpl.java index 5492afa639d6..f7c5fab2eaec 100644 --- a/dev/com.ibm.ws.webcontainer.security/src/com/ibm/ws/webcontainer/security/MetaDataListenerImpl.java +++ b/dev/com.ibm.ws.webcontainer.security/src/com/ibm/ws/webcontainer/security/MetaDataListenerImpl.java @@ -1,10 +1,10 @@ /******************************************************************************* - * Copyright (c) 2015 IBM Corporation and others. + * Copyright (c) 2015, 2024 IBM Corporation and others. * All rights reserved. This program and the accompanying materials * are made available under the terms of the Eclipse Public License 2.0 * which accompanies this distribution, and is available at * http://www.eclipse.org/legal/epl-2.0/ - * + * * SPDX-License-Identifier: EPL-2.0 * * Contributors: 
@@ -22,7 +22,6 @@ import com.ibm.ws.container.service.metadata.ModuleMetaDataListener; import com.ibm.ws.runtime.metadata.MetaData; import com.ibm.ws.runtime.metadata.ModuleMetaData; -import com.ibm.ws.security.authorization.jacc.JaccService; import com.ibm.ws.webcontainer.security.metadata.SecurityMetadata; import com.ibm.wsspi.kernel.service.utils.AtomicServiceReference; import com.ibm.wsspi.webcontainer.metadata.WebModuleMetaData; 
@@ -31,33 +30,33 @@ public class MetaDataListenerImpl implements ModuleMetaDataListener { private static final TraceComponent tc = Tr.register(MetaDataListenerImpl.class); - protected static final String KEY_JACC_SERVICE = "jaccService"; - protected final AtomicServiceReference jaccService = new AtomicServiceReference(KEY_JACC_SERVICE); + protected static final String KEY_WEB_JACC_SERVICE = "webJaccService"; + protected final AtomicServiceReference webJaccService = new AtomicServiceReference(KEY_WEB_JACC_SERVICE); - protected void setJaccService(ServiceReference reference) { - jaccService.setReference(reference); + protected void setWebJaccService(ServiceReference reference) { + webJaccService.setReference(reference); } - protected void unsetJaccService(ServiceReference reference) { - jaccService.unsetReference(reference); + protected void unsetWebJaccService(ServiceReference reference) { + webJaccService.unsetReference(reference); } protected void activate(ComponentContext cc) { - jaccService.activate(cc); + webJaccService.activate(cc); } protected void deactivate(ComponentContext cc) { - jaccService.deactivate(cc); + webJaccService.deactivate(cc); } /* * (non-Javadoc) - * + * * @see com.ibm.ws.container.service.metadata.ModuleMetaDataListener#moduleMetaDataCreated(com.ibm.ws.container.service.metadata.MetaDataEvent) */ @Override public void moduleMetaDataCreated(MetaDataEvent event) throws MetaDataException { - JaccService js = jaccService.getService(); + WebJaccService js = webJaccService.getService(); if (js != null) { MetaData metaData = event.getMetaData(); if (metaData instanceof WebModuleMetaData) { @@ -73,7 +72,7 @@ public void moduleMetaDataCreated(MetaDataEvent event) throws Me /* * (non-Javadoc) - * + * * @see com.ibm.ws.container.service.metadata.ModuleMetaDataListener#moduleMetaDataDestroyed(com.ibm.ws.container.service.metadata.MetaDataEvent) */ @Override 
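Review bot: `KEY_WEB_JACC_SERVICE = "webJaccService"` is now declared independently in MetaDataListenerImpl, ServletStartedListener and WebAppSecurityCollaboratorImpl (hunks further down), with three different visibilities (`protected static final` here, `protected static final` with a `private` field in ServletStartedListener, package-private in WebAppSecurityCollaboratorImpl). All three strings have to stay equal to the `webJaccService=` reference name in the Service-Component entries of bnd.bnd, and a mismatch would presumably leave `getService()` returning null, which because the reference is `optional` would quietly skip JACC propagation and fall back to built-in authorization rather than fail loudly. One shared constant, for example `String KEY_WEB_JACC_SERVICE = "webJaccService";` on the `WebJaccService` interface or a single public constant in WebAppSecurityCollaboratorImpl, removes that drift point. The type argument on `AtomicServiceReference` is not visible in this rendering, so the generic parameter itself was not checked.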
diff --git a/dev/com.ibm.ws.webcontainer.security/src/com/ibm/ws/webcontainer/security/ServletStartedListener.java b/dev/com.ibm.ws.webcontainer.security/src/com/ibm/ws/webcontainer/security/ServletStartedListener.java index a224c885edd7..0e1395be506f 100644 --- a/dev/com.ibm.ws.webcontainer.security/src/com/ibm/ws/webcontainer/security/ServletStartedListener.java +++ b/dev/com.ibm.ws.webcontainer.security/src/com/ibm/ws/webcontainer/security/ServletStartedListener.java @@ -1,10 +1,10 @@ /******************************************************************************* - * Copyright (c) 2012 IBM Corporation and others. + * Copyright (c) 2012, 2024 IBM Corporation and others. * All rights reserved. This program and the accompanying materials * are made available under the terms of the Eclipse Public License 2.0 * which accompanies this distribution, and is available at * http://www.eclipse.org/legal/epl-2.0/ - * + * * SPDX-License-Identifier: EPL-2.0 * * Contributors: @@ -31,7 +31,6 @@ import com.ibm.websphere.ras.Tr; import com.ibm.websphere.ras.TraceComponent; -import com.ibm.ws.security.authorization.jacc.JaccService; import com.ibm.ws.webcontainer.security.metadata.MatchResponse; import com.ibm.ws.webcontainer.security.metadata.SecurityConstraint; import com.ibm.ws.webcontainer.security.metadata.SecurityConstraintCollection; 
@@ -59,23 +58,23 @@ public class ServletStartedListener implements WebAppInitializationCollaborator private static final TraceComponent tc = Tr.register(ServletStartedListener.class); private static final String[] STANDARD_METHODS = { "GET", "POST", "PUT", "DELETE", "HEAD", "OPTIONS", "TRACE" }; - protected static final String KEY_JACC_SERVICE = "jaccService"; - private final AtomicServiceReference jaccService = new AtomicServiceReference(KEY_JACC_SERVICE); + protected static final String KEY_WEB_JACC_SERVICE = "webJaccService"; + private final AtomicServiceReference webJaccService = new AtomicServiceReference(KEY_WEB_JACC_SERVICE); - protected void setJaccService(ServiceReference reference) { - jaccService.setReference(reference); + protected void setWebJaccService(ServiceReference reference) { + webJaccService.setReference(reference); } - protected void unsetJaccService(ServiceReference reference) { - jaccService.unsetReference(reference); + protected void unsetWebJaccService(ServiceReference reference) { + webJaccService.unsetReference(reference); } protected void activate(ComponentContext cc) { - jaccService.activate(cc); + webJaccService.activate(cc); } protected void deactivate(ComponentContext cc) { - jaccService.deactivate(cc); + webJaccService.deactivate(cc); } /** {@inheritDoc} */ @@ -97,7 +96,7 @@ public void started(Container moduleContainer) { notifyDeployOfUncoveredMethods(webAppConfig); } if (checkDynamicAnnotation(webAppConfig)) { - JaccService js = jaccService.getService(); + WebJaccService js = webJaccService.getService(); if (js != null) { js.propagateWebConstraints(webAppConfig.getApplicationName(), webAppConfig.getModuleName(), webAppConfig); } 
@@ -206,7 +205,7 @@ public void notifyDeployOfUncoveredMethods(WebAppConfig webAppConfig) { /** * Updates the security metadata object (which at this time only has the deployment descriptor info) * with the webAppConfig information comprising all sources. - * + * * @param securityMetadataFromDD the security metadata processed from the deployment descriptor * @param webAppConfig the web app configuration provided by the web container */ @@ -225,7 +224,7 @@ private void updateSecurityMetadata(SecurityMetadata securityMetadataFromDD, Web * Updates the security metadata object (which at this time only has the deployment descriptor info) * with the runAs roles defined in the servlet. The sources are the web.xml, static annotations, * and dynamic annotations. - * + * * @param securityMetadataFromDD the security metadata processed from the deployment descriptor * @param servletConfig the configuration of the servlet */ @@ -252,7 +251,7 @@ public void updateSecurityMetadataWithRunAs(SecurityMetadata securityMetadataFro * Updates the security constraints in the security metadata object (which at this time only has the deployment descriptor info) * with the servletSecurity element defined in the servlet. * A servletSecurity element only exists for servlets that have static or dynamic annotations. - * + * * @param securityMetadataFromDD the security metadata processed from the deployment descriptor * @param servletConfig the configuration of the servlet */ 
@@ -278,8 +277,7 @@ public void updateSecurityMetadataWithSecurityConstraints(SecurityMetadata secur // per spec, constraints from annotations that would match patterns for constraints defined in DD // should have no effect for those patterns, so remove the patterns. urlPatternsForAnnotations.removeAll(urlPatternsInDD); - List securityConstraints = - createSecurityConstraints(securityMetadataFromDD, servletSecurity, urlPatternsForAnnotations); + List securityConstraints = createSecurityConstraints(securityMetadataFromDD, servletSecurity, urlPatternsForAnnotations); if (securityConstraintsInDD == null) { securityConstraintsInDD = new ArrayList(); } @@ -296,7 +294,7 @@ public void updateSecurityMetadataWithSecurityConstraints(SecurityMetadata secur /** * Constructs a list of SecurityConstraint objects from the given ServletSecurityElement and list of URL patterns. - * + * * @param securityMetadataFromDD the security metadata processed from the deployment descriptor, for updating the roles * @param servletSecurity the ServletSecurityElement that represents the information parsed from the @ServletSecurity annotation * @param urlPatterns the list of URL patterns defined in the @WebServlet annotation @@ -312,10 +310,10 @@ private List createSecurityConstraints(SecurityMetadata secu /** * Gets the security constraint from the HttpConstraint element defined in the given ServletSecurityElement * with the given list of url patterns. - * + * * This constraint applies to all methods that are not explicitly overridden by the HttpMethodConstraint element. The method * constraints are defined as omission methods in this security constraint. - * + * * @param securityMetadataFromDD the security metadata processed from the deployment descriptor, for updating the roles * @param urlPatterns the list of URL patterns defined in the @WebServlet annotation * @param servletSecurity the ServletSecurityElement that represents the information parsed from the @ServletSecurity annotation 
@@ -336,7 +334,7 @@ private SecurityConstraint getConstraintFromHttpElement(SecurityMetadata securit /** * Gets the security constraints from the HttpMethodConstraint elements defined in the given ServletSecurityElement * with the given list of url patterns. - * + * * @param securityMetadataFromDD the security metadata processed from the deployment descriptor, for updating the roles * @param urlPatterns the list of URL patterns defined in the @WebServlet annotation * @param servletSecurity the ServletSecurityElement that represents the information parsed from the @ServletSecurity annotation @@ -361,7 +359,7 @@ private List getConstraintsFromHttpMethodElement(SecurityMet /** * Creates a security constraint from the given web resource collections, url patterns and HttpConstraint element. - * + * * @param securityMetadataFromDD the security metadata processed from the deployment descriptor, for updating the roles * @param webResourceCollections a list of web resource collections * @param httpConstraint the element representing the information in the @HttpConstraint annotation @@ -384,7 +382,7 @@ private SecurityConstraint createSecurityConstraint(SecurityMetadata securityMet /** * Gets a list of roles from the rolesAllowed element in the @HttpConstraint annotation - * + * * @param httpConstraint the element representing the information in the @HttpConstraint annotation * @return a list of allowed roles defined in the annotation's security constraint */ @@ -399,9 +397,9 @@ private List createRoles(HttpConstraintElement httpConstraint) { /** * Determines if SSL is required for the given HTTP constraint. - * + * * SSL is required if the transport guarantee is any value other than NONE. - * + * * @param httpConstraint the element representing the information in the @HttpConstraint annotation * @return true if SSL is required, otherwise false */ 
@@ -416,10 +414,10 @@ private boolean isSSLRequired(HttpConstraintElement httpConstraint) { /** * Determines if access is precluded for the given HTTP constraint. - * + * * Access is precluded when there are no roles, and the emptyRoleSemantic * defined in the annotation is DENY. - * + * * @param httpConstraint the element representing the information in the @HttpConstraint annotation * @return true if access is precluded, otherwise false */ @@ -435,10 +433,10 @@ private boolean isAccessPrecluded(HttpConstraintElement httpConstraint) { /** * Determines if access is uncovered for the given HTTP constraint. - * + * * Access is uncovered when there are no roles, and the emptyRoleSemantic * defined in the annotation is PERMIT. - * + * * @param httpConstraint the element representing the information in the @HttpConstraint annotation * @return true if access is precluded, otherwise false */ @@ -455,7 +453,7 @@ private boolean isAccessUncovered(HttpConstraintElement httpConstraint) { /** * Sets the given security metadata on the deployed module's web module metadata for retrieval later. - * + * * @param deployedModule the deployed module to get the web module metadata * @param securityMetadataFromDD the security metadata processed from the deployment descriptor */ @@ -472,7 +470,7 @@ private void setModuleSecurityMetaData(Container moduleContainer, SecurityMetada /** * Gets the security metadata from the web app config - * + * * @param webAppConfig the webAppConfig representing the deployed module * @return the security metadata */ diff --git a/dev/com.ibm.ws.webcontainer.security/src/com/ibm/ws/webcontainer/security/WebAppSecurityCollaboratorImpl.java b/dev/com.ibm.ws.webcontainer.security/src/com/ibm/ws/webcontainer/security/WebAppSecurityCollaboratorImpl.java index 4d1eb365998c..91d5107e24f5 100644 --- a/dev/com.ibm.ws.webcontainer.security/src/com/ibm/ws/webcontainer/security/WebAppSecurityCollaboratorImpl.java 
+++ b/dev/com.ibm.ws.webcontainer.security/src/com/ibm/ws/webcontainer/security/WebAppSecurityCollaboratorImpl.java @@ -55,7 +55,6 @@ import com.ibm.ws.security.authentication.tai.TAIService; import com.ibm.ws.security.authentication.utility.SubjectHelper; import com.ibm.ws.security.authorization.AuthorizationService; -import com.ibm.ws.security.authorization.jacc.JaccService; import com.ibm.ws.security.collaborator.CollaboratorUtils; import com.ibm.ws.security.context.SubjectManager; import com.ibm.ws.security.registry.RegistryException; @@ -115,7 +114,7 @@ public class WebAppSecurityCollaboratorImpl implements IWebAppSecurityCollaborat public static final String KEY_SSO_SERVICE = "ssoAuthFilter"; public static final String KEY_TAI_SERVICE = "taiService"; public static final String KEY_INTERCEPTOR_SERVICE = "interceptorService"; - static final String KEY_JACC_SERVICE = "jaccService"; + static final String KEY_WEB_JACC_SERVICE = "webJaccService"; static final String JASPI_SERVICE_COMPONENT_NAME = "com.ibm.ws.security.jaspi"; public static final String KEY_WEB_AUTHENTICATOR = "webAuthenticator"; public static final String KEY_UNPROTECTED_RESOURCE_SERVICE = "unprotectedResourceService"; 
@@ -129,7 +128,7 @@ public class WebAppSecurityCollaboratorImpl implements IWebAppSecurityCollaborat protected final AtomicServiceReference taiServiceRef = new AtomicServiceReference(KEY_TAI_SERVICE); protected final ConcurrentServiceReferenceMap interceptorServiceRef = new ConcurrentServiceReferenceMap(KEY_INTERCEPTOR_SERVICE); protected final AtomicServiceReference securityServiceRef = new AtomicServiceReference(KEY_SECURITY_SERVICE); - protected final AtomicServiceReference jaccServiceRef = new AtomicServiceReference(KEY_JACC_SERVICE); + protected final AtomicServiceReference webJaccServiceRef = new AtomicServiceReference(KEY_WEB_JACC_SERVICE); protected final ConcurrentServiceReferenceSet webAppSecurityConfigchangeListenerRef = new ConcurrentServiceReferenceSet(KEY_CONFIG_CHANGE_LISTENER); private static final String KEY_LOCATION_ADMIN = "locationAdmin"; @@ -304,19 +303,19 @@ public void unsetAuthenticatorFactory(WebAuthenticatorFactory authenticatorFacto } } - protected void setJaccService(ServiceReference ref) { + protected void setWebJaccService(ServiceReference ref) { if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) { Tr.debug(tc, "enabling JACC service"); } - jaccServiceRef.setReference(ref); - wasch = new WebAppJaccAuthorizationHelper(jaccServiceRef); + webJaccServiceRef.setReference(ref); + wasch = new WebAppJaccAuthorizationHelper(webJaccServiceRef); } - protected void unsetJaccService(ServiceReference ref) { + protected void unsetWebJaccService(ServiceReference ref) { if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) { Tr.debug(tc, "disabling JACC service"); } - jaccServiceRef.unsetReference(ref); + webJaccServiceRef.unsetReference(ref); wasch = this; } 
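Review bot: `unsetWebJaccService` sets `wasch = this` unconditionally, dropping back to the built-in authorization helper, although the reference is declared `dynamic` and `optional` in bnd.bnd, where a replacement service may be bound before the old one is unbound; `webJaccServiceRef.unsetReference(ref)` presumably ignores a stale reference in that case, but the helper is still swapped out. Guarding the fallback on the reference actually being empty keeps the policy decision point consistent with the bound service: `webJaccServiceRef.unsetReference(ref); if (webJaccServiceRef.getService() == null) { wasch = this; }`. This behaviour predates the rename and is only carried over here; the enclosing class continues outside the hunk.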
@@ -361,7 +360,7 @@ protected void activate(ComponentContext cc, Map props) { interceptorServiceRef.activate(cc); ssoAuthFilterRef.activate(cc); taiServiceRef.activate(cc); - jaccServiceRef.activate(cc); + webJaccServiceRef.activate(cc); webAuthenticatorRef.activate(cc); unprotectedResourceServiceRef.activate(cc); webAppSecurityConfigchangeListenerRef.activate(cc); @@ -413,7 +412,7 @@ protected void deactivate(ComponentContext cc) { ssoAuthFilterRef.deactivate(cc); taiServiceRef.deactivate(cc); interceptorServiceRef.deactivate(cc); - jaccServiceRef.deactivate(cc); + webJaccServiceRef.deactivate(cc); webAuthenticatorRef.deactivate(cc); unprotectedResourceServiceRef.deactivate(cc); webAppSecurityConfigchangeListenerRef.deactivate(cc); @@ -546,8 +545,8 @@ public boolean isUserInRole(String role, IExtendedRequest req) { @Override public void postInvokeForSecureResponse(Object secObject) throws ServletException { try { - if (jaccServiceRef.getService() != null) { - jaccServiceRef.getService().resetPolicyContextHandlerInfo(); + if (webJaccServiceRef.getService() != null) { + webJaccServiceRef.getService().resetPolicyContextHandlerInfo(); } if (secObject != null) { diff --git a/dev/com.ibm.ws.webcontainer.security/src/com/ibm/ws/webcontainer/security/WebJaccService.java b/dev/com.ibm.ws.webcontainer.security/src/com/ibm/ws/webcontainer/security/WebJaccService.java new file mode 100644 index 000000000000..60f42708072d --- /dev/null +++ b/dev/com.ibm.ws.webcontainer.security/src/com/ibm/ws/webcontainer/security/WebJaccService.java 
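Review bot: `postInvokeForSecureResponse` calls `webJaccServiceRef.getService()` twice in the last hunk; with the reference declared `dynamic`, the second lookup can return null after the first returned a service, so the null check does not actually protect the call. MetaDataListenerImpl and ServletStartedListener already use a single lookup, and the same shape fits here: `WebJaccService js = webJaccServiceRef.getService(); if (js != null) { js.resetPolicyContextHandlerInfo(); }`. The method continues outside the hunk, so what the surrounding `try` catches cannot be seen.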
@@ -0,0 +1,102 @@
+/*******************************************************************************
+ * Copyright (c) 2024 IBM Corporation and others.
+ * All rights reserved. This program and the accompanying materials
+ * are made available under the terms of the Eclipse Public License 2.0
+ * which accompanies this distribution, and is available at
+ * http://www.eclipse.org/legal/epl-2.0/
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *******************************************************************************/
+package com.ibm.ws.webcontainer.security;
+
+import javax.security.auth.Subject;
+import javax.servlet.http.HttpServletRequest;
+
+import com.ibm.wsspi.webcontainer.webapp.WebAppConfig;
+
+public interface WebJaccService {
+
+ /**
+ * Propagates web constraints information to JACC.
+ *
+ * @param applicationName Application name
+ * @param moduleName Module name
+ * @param webAppConfig WebAppConfig object.
+ */
+ public void propagateWebConstraints(String applicationName,
+ String moduleName,
+ WebAppConfig webAppConfig);
+
+ /**
+ * Validates whether SSL is required for web inbound transport.
+ *
+ * @param applicationName Application name
+ * @param moduleName Module name
+ * @param uriName Uri
+ * @param methodName method Name
+ * @param req HttpServletObject of this request.
+ * @return true if SSL is required.
+ */
+ public boolean isSSLRequired(String applicationName,
+ String moduleName,
+ String uriName,
+ String methodName,
+ HttpServletRequest req);
+
+ /**
+ * Validates whether the http request is excluded.
+ *
+ * @param applicationName Application name
+ * @param moduleName Module name
+ * @param uriName Uri
+ * @param methodName method Name
+ * @param req HttpServletObject of this request.
+ * @return true if SSL is required.
+ */
+ public boolean isAccessExcluded(String applicationName,
+ String moduleName,
+ String uriName,
+ String methodName,
+ HttpServletRequest req);
+
+ /**
+ * Validates whether given Subject is granted to access the specified resource.
+ *
+ * @param applicationName Application name
+ * @param moduleName Module name
+ * @param uriName Uri
+ * @param methodName method Name
+ * @param req HttpServletObject of this request.
+ * @param subject Subject object to be authorized.
+ * @return true if access is granted.
+ */
+ public boolean isAuthorized(String applicationName,
+ String moduleName,
+ String uriName,
+ String methodName,
+ HttpServletRequest req,
+ Subject subject);
+
+ /**
+ * Validates whether given Subject is granted to access the specified resource.
+ *
+ * @param applicationName Application name
+ * @param moduleName Module name
+ * @param uriName Uri
+ * @param req HttpServletObject of this request.
+ * @param role role name to be examined.
+ * @param subject Subject object to be authorized.
+ * @return true if the specified subject has the specified role.
+ */
+ public boolean isSubjectInRole(String applicationName,
+ String moduleName,
+ String servletName,
+ String role,
+ HttpServletRequest req,
+ Subject subject);
+
+ /**
+ * Reset the policyContext Handler as per JACC specification
+ */
+ public void resetPolicyContextHandlerInfo();
+}
diff --git a/dev/com.ibm.ws.webcontainer.security/src/com/ibm/ws/webcontainer/security/jacc/WebAppJaccAuthorizationHelper.java b/dev/com.ibm.ws.webcontainer.security/src/com/ibm/ws/webcontainer/security/jacc/WebAppJaccAuthorizationHelper.java
index 9da008917980..e588510264bb 100644
--- a/dev/com.ibm.ws.webcontainer.security/src/com/ibm/ws/webcontainer/security/jacc/WebAppJaccAuthorizationHelper.java
+++ b/dev/com.ibm.ws.webcontainer.security/src/com/ibm/ws/webcontainer/security/jacc/WebAppJaccAuthorizationHelper.java
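Review bot: The Javadoc in the new WebJaccService interface carries over the errors of the deleted JaccService: `isAccessExcluded` documents `@return true if SSL is required.` although the method answers whether the request is excluded, `isSubjectInRole` documents `@param uriName` while its parameter is `servletName` and reuses the `isAuthorized` summary, and every `@param req` still says `HttpServletObject` although the type is now `HttpServletRequest`. Suggested wording: `@return true if access to the resource is excluded.` on isAccessExcluded; on isSubjectInRole the summary `Validates whether the given Subject is a member of the specified role.` and `@param servletName Servlet name`; and `@param req HttpServletRequest of this request.` throughout. Because WebAppJaccAuthorizationHelper turns these booleans into permit/deny replies, the interface should also state what implementations return when no policy decision can be made, which the old interface did not document either.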
@@ -1,10 +1,10 @@ /******************************************************************************* - * Copyright (c) 2015 IBM Corporation and others. + * Copyright (c) 2015, 2024 IBM Corporation and others. * All rights reserved. This program and the accompanying materials * are made available under the terms of the Eclipse Public License 2.0 * which accompanies this distribution, and is available at * http://www.eclipse.org/legal/epl-2.0/ - * + * * SPDX-License-Identifier: EPL-2.0 * * Contributors: @@ -24,10 +24,10 @@ import com.ibm.ws.security.audit.Audit; import com.ibm.ws.security.audit.utils.AuditConstants; import com.ibm.ws.security.authentication.principals.WSPrincipal; -import com.ibm.ws.security.authorization.jacc.JaccService; import com.ibm.ws.threadContext.ComponentMetaDataAccessorImpl; import com.ibm.ws.webcontainer.security.AuthenticationResult; import com.ibm.ws.webcontainer.security.WebAppAuthorizationHelper; +import com.ibm.ws.webcontainer.security.WebJaccService; import com.ibm.ws.webcontainer.security.WebRequest; import com.ibm.ws.webcontainer.security.internal.DenyReply; import com.ibm.ws.webcontainer.security.internal.PermitReply; @@ -41,10 +41,10 @@ public class WebAppJaccAuthorizationHelper implements WebAppAuthorizationHelper { private static final TraceComponent tc = Tr.register(WebAppJaccAuthorizationHelper.class); - private AtomicServiceReference jaccServiceRef = null; + private AtomicServiceReference jaccServiceRef = null; private static final WebReply DENY_AUTHZ_FAILED = new DenyReply("AuthorizationFailed"); - public WebAppJaccAuthorizationHelper(AtomicServiceReference ref) { + public WebAppJaccAuthorizationHelper(AtomicServiceReference ref) { this.jaccServiceRef = ref; } diff --git a/dev/com.ibm.ws.webcontainer.security/test/com/ibm/ws/webcontainer/security/MetaDataListenerImplTest.java b/dev/com.ibm.ws.webcontainer.security/test/com/ibm/ws/webcontainer/security/MetaDataListenerImplTest.java index ea59dd3c2543..54f5cabae23f 100644 
--- a/dev/com.ibm.ws.webcontainer.security/test/com/ibm/ws/webcontainer/security/MetaDataListenerImplTest.java +++ b/dev/com.ibm.ws.webcontainer.security/test/com/ibm/ws/webcontainer/security/MetaDataListenerImplTest.java @@ -1,10 +1,10 @@ /******************************************************************************* - * Copyright (c) 2015 IBM Corporation and others. + * Copyright (c) 2015, 2024 IBM Corporation and others. * All rights reserved. This program and the accompanying materials * are made available under the terms of the Eclipse Public License 2.0 * which accompanies this distribution, and is available at * http://www.eclipse.org/legal/epl-2.0/ - * + * * SPDX-License-Identifier: EPL-2.0 * * Contributors: @@ -24,17 +24,16 @@ import org.osgi.framework.ServiceReference; import org.osgi.service.component.ComponentContext; -import test.common.SharedOutputManager; - import com.ibm.ws.container.service.metadata.MetaDataEvent; import com.ibm.ws.container.service.metadata.MetaDataException; import com.ibm.ws.runtime.metadata.ModuleMetaData; -import com.ibm.ws.security.authorization.jacc.JaccService; import com.ibm.ws.webcontainer.security.metadata.SecurityConstraintCollection; import com.ibm.ws.webcontainer.security.metadata.SecurityMetadata; import com.ibm.wsspi.webcontainer.metadata.WebModuleMetaData; import com.ibm.wsspi.webcontainer.webapp.WebAppConfig; +import test.common.SharedOutputManager; + public class MetaDataListenerImplTest { static final SharedOutputManager outputMgr = SharedOutputManager.getInstance(); /** 
@@ -45,15 +44,15 @@ public class MetaDataListenerImplTest { @Rule public TestRule managerRule = outputMgr; - static final String KEY_JACC_SERVICE = "jaccService"; + static final String KEY_WEB_JACC_SERVICE = "webJaccService"; private final Mockery context = new JUnit4Mockery(); private final WebModuleMetaData wmmd = context.mock(WebModuleMetaData.class); private final ModuleMetaData mmd = context.mock(ModuleMetaData.class); private final WebAppConfig wac = context.mock(WebAppConfig.class); @SuppressWarnings("unchecked") - private final ServiceReference jsr = context.mock(ServiceReference.class, "jaccServiceRef"); - private final JaccService js = context.mock(JaccService.class); + private final ServiceReference jsr = context.mock(ServiceReference.class, "jaccServiceRef"); + private final WebJaccService js = context.mock(WebJaccService.class); private final ComponentContext cc = context.mock(ComponentContext.class); @SuppressWarnings("rawtypes") private final MetaDataEvent mde = context.mock(MetaDataEvent.class); @@ -83,13 +82,13 @@ public void moduleMetaDataCreatedWithJaccEnabled() { will(returnValue(APP_NAME)); one(wac).getModuleName(); will(returnValue(MODULE_NAME)); - one(cc).locateService("jaccService", jsr); + one(cc).locateService("webJaccService", jsr); will(returnValue(js)); one(js).propagateWebConstraints(APP_NAME, MODULE_NAME, wac); } }); MetaDataListenerImpl mdli = new MetaDataListenerImpl(); - mdli.setJaccService(jsr); + mdli.setWebJaccService(jsr); mdli.activate(cc); try { @@ -101,7 +100,7 @@ public void moduleMetaDataCreatedWithJaccEnabled() { } mdli.deactivate(cc); - mdli.unsetJaccService(jsr); + mdli.unsetWebJaccService(jsr); context.assertIsSatisfied(); } 
@@ -115,13 +114,13 @@ public void moduleMetaDataCreatedNoJaccEnabled() { context.checking(new Expectations() { { - one(cc).locateService("jaccService", jsr); + one(cc).locateService("webJaccService", jsr); will(returnValue(null)); never(js).propagateWebConstraints(APP_NAME, MODULE_NAME, wac); } }); MetaDataListenerImpl mdli = new MetaDataListenerImpl(); - mdli.setJaccService(jsr); + mdli.setWebJaccService(jsr); mdli.activate(cc); try { @@ -132,7 +131,7 @@ public void moduleMetaDataCreatedNoJaccEnabled() { } mdli.deactivate(cc); - mdli.unsetJaccService(jsr); + mdli.unsetWebJaccService(jsr); context.assertIsSatisfied(); } @@ -148,13 +147,13 @@ public void moduleMetaDataCreatedNoWebModuleMetaData() { { one(mde).getMetaData(); will(returnValue(mmd)); - one(cc).locateService("jaccService", jsr); + one(cc).locateService("webJaccService", jsr); will(returnValue(js)); never(js).propagateWebConstraints(APP_NAME, MODULE_NAME, wac); } }); MetaDataListenerImpl mdli = new MetaDataListenerImpl(); - mdli.setJaccService(jsr); + mdli.setWebJaccService(jsr); mdli.activate(cc); try { @@ -165,7 +164,7 @@ public void moduleMetaDataCreatedNoWebModuleMetaData() { } mdli.deactivate(cc); - mdli.unsetJaccService(jsr); + mdli.unsetWebJaccService(jsr); context.assertIsSatisfied(); } @@ -183,13 +182,13 @@ public void moduleMetaDataCreatedNoSecurityMetaData() { will(returnValue(wmmd)); allowing(wmmd).getSecurityMetaData(); will(returnValue(null)); - one(cc).locateService("jaccService", jsr); + one(cc).locateService("webJaccService", jsr); will(returnValue(js)); never(js).propagateWebConstraints(APP_NAME, MODULE_NAME, wac); } }); MetaDataListenerImpl mdli = new MetaDataListenerImpl(); - mdli.setJaccService(jsr); + mdli.setWebJaccService(jsr); mdli.activate(cc); try { @@ -200,7 +199,7 @@ public void moduleMetaDataCreatedNoSecurityMetaData() { } mdli.deactivate(cc); - mdli.unsetJaccService(jsr); + mdli.unsetWebJaccService(jsr); context.assertIsSatisfied(); } 
@@ -220,13 +219,13 @@ public void moduleMetaDataCreatedNoSecurityConstraint() { will(returnValue(smd)); one(smd).getSecurityConstraintCollection(); will(returnValue(null)); - one(cc).locateService("jaccService", jsr); + one(cc).locateService("webJaccService", jsr); will(returnValue(js)); never(js).propagateWebConstraints(APP_NAME, MODULE_NAME, wac); } }); MetaDataListenerImpl mdli = new MetaDataListenerImpl(); - mdli.setJaccService(jsr); + mdli.setWebJaccService(jsr); mdli.activate(cc); try { @@ -237,7 +236,7 @@ public void moduleMetaDataCreatedNoSecurityConstraint() { } mdli.deactivate(cc); - mdli.unsetJaccService(jsr); + mdli.unsetWebJaccService(jsr); context.assertIsSatisfied(); } diff --git a/dev/com.ibm.ws.webcontainer.security/test/com/ibm/ws/webcontainer/security/ServletStartedListenerTest.java b/dev/com.ibm.ws.webcontainer.security/test/com/ibm/ws/webcontainer/security/ServletStartedListenerTest.java index 4b859c991e6d..2e64f4b6ad3c 100644 --- a/dev/com.ibm.ws.webcontainer.security/test/com/ibm/ws/webcontainer/security/ServletStartedListenerTest.java +++ b/dev/com.ibm.ws.webcontainer.security/test/com/ibm/ws/webcontainer/security/ServletStartedListenerTest.java @@ -1,10 +1,10 @@ /******************************************************************************* - * Copyright (c) 2015 IBM Corporation and others. + * Copyright (c) 2015, 2024 IBM Corporation and others. * All rights reserved. This program and the accompanying materials * are made available under the terms of the Eclipse Public License 2.0 * which accompanies this distribution, and is available at * http://www.eclipse.org/legal/epl-2.0/ - * + * * SPDX-License-Identifier: EPL-2.0 * * Contributors: 
@@ -32,7 +32,6 @@ import com.ibm.ws.container.service.metadata.MetaDataEvent; import com.ibm.ws.runtime.metadata.ModuleMetaData; -import com.ibm.ws.security.authorization.jacc.JaccService; import com.ibm.ws.webcontainer.security.metadata.SecurityConstraintCollection; import com.ibm.ws.webcontainer.security.metadata.SecurityMetadata; import com.ibm.ws.webcontainer.webapp.WebAppConfigExtended; @@ -54,7 +53,7 @@ public class ServletStartedListenerTest { @Rule public TestRule managerRule = outputMgr; - static final String KEY_JACC_SERVICE = "jaccService"; + static final String KEY_WEB_JACC_SERVICE = "webJaccService"; private final Mockery context = new JUnit4Mockery(); private final Container mc = context.mock(Container.class); @@ -62,8 +61,8 @@ public class ServletStartedListenerTest { private final ModuleMetaData mmd = context.mock(ModuleMetaData.class); private final WebAppConfigExtended wac = context.mock(WebAppConfigExtended.class); @SuppressWarnings("unchecked") - private final ServiceReference jsr = context.mock(ServiceReference.class, "jaccServiceRef"); - private final JaccService js = context.mock(JaccService.class); + private final ServiceReference jsr = context.mock(ServiceReference.class, "jaccServiceRef"); + private final WebJaccService js = context.mock(WebJaccService.class); private final ComponentContext cc = context.mock(ComponentContext.class); private final Iterator it = context.mock(Iterator.class); @SuppressWarnings("rawtypes") @@ -124,7 +123,7 @@ public void startedWithJaccEnabled() { will(returnValue(APP_NAME)); one(wac).getModuleName(); will(returnValue(MODULE_NAME)); - one(cc).locateService("jaccService", jsr); + one(cc).locateService("webJaccService", jsr); will(returnValue(js)); one(js).propagateWebConstraints(APP_NAME, MODULE_NAME, wac); } 
@@ -136,14 +135,14 @@ public void startedWithJaccEnabled() { fail("An exception is caught." + e); } ServletStartedListener ssl = new ServletStartedListener(); - ssl.setJaccService(jsr); + ssl.setWebJaccService(jsr); ssl.activate(cc); ssl.starting(mc); ssl.started(mc); ssl.deactivate(cc); - ssl.unsetJaccService(jsr); + ssl.unsetWebJaccService(jsr); context.assertIsSatisfied(); } diff --git a/dev/com.ibm.ws.webcontainer.security/test/com/ibm/ws/webcontainer/security/jacc/WebAppJaccAuthorizationHelperTest.java b/dev/com.ibm.ws.webcontainer.security/test/com/ibm/ws/webcontainer/security/jacc/WebAppJaccAuthorizationHelperTest.java index 8fb87d95d1a0..37dbd6dab7a3 100644 --- a/dev/com.ibm.ws.webcontainer.security/test/com/ibm/ws/webcontainer/security/jacc/WebAppJaccAuthorizationHelperTest.java +++ b/dev/com.ibm.ws.webcontainer.security/test/com/ibm/ws/webcontainer/security/jacc/WebAppJaccAuthorizationHelperTest.java @@ -1,10 +1,10 @@ /******************************************************************************* - * Copyright (c) 2015 IBM Corporation and others. + * Copyright (c) 2015, 2024 IBM Corporation and others. * All rights reserved. This program and the accompanying materials * are made available under the terms of the Eclipse Public License 2.0 * which accompanies this distribution, and is available at * http://www.eclipse.org/legal/epl-2.0/ - * + * * SPDX-License-Identifier: EPL-2.0 * * Contributors: 
@@ -33,13 +33,11 @@ import org.osgi.framework.ServiceReference; import org.osgi.service.component.ComponentContext; -import test.common.SharedOutputManager; - import com.ibm.ws.security.authentication.principals.WSPrincipal; -import com.ibm.ws.security.authorization.jacc.JaccService; import com.ibm.ws.threadContext.ComponentMetaDataAccessorImpl; import com.ibm.ws.webcontainer.security.AuthResult; import com.ibm.ws.webcontainer.security.AuthenticationResult; +import com.ibm.ws.webcontainer.security.WebJaccService; import com.ibm.ws.webcontainer.security.WebRequest; import com.ibm.ws.webcontainer.security.internal.DenyReply; import com.ibm.ws.webcontainer.security.internal.WebReply; @@ -51,6 +49,8 @@ import com.ibm.wsspi.webcontainer.webapp.IWebAppDispatcherContext; import com.ibm.wsspi.webcontainer.webapp.WebAppConfig; +import test.common.SharedOutputManager; + public class WebAppJaccAuthorizationHelperTest { static final SharedOutputManager outputMgr = SharedOutputManager.getInstance(); /** @@ -61,7 +61,7 @@ public class WebAppJaccAuthorizationHelperTest { @Rule public TestRule managerRule = outputMgr; - static final String KEY_JACC_SERVICE = "jaccService"; + static final String KEY_WEB_JACC_SERVICE = "webJaccService"; private final Mockery context = new JUnit4Mockery(); private final IExtendedRequest ier = context.mock(IExtendedRequest.class); 
@@ -72,11 +72,11 @@ public class WebAppJaccAuthorizationHelperTest { private final WebAppConfig wac = context.mock(WebAppConfig.class); private final WebRequest wr = context.mock(WebRequest.class); @SuppressWarnings("unchecked") - private final ServiceReference jsr = context.mock(ServiceReference.class, "jaccServiceRef"); - private final JaccService js = context.mock(JaccService.class); + private final ServiceReference jsr = context.mock(ServiceReference.class, "jaccServiceRef"); + private final WebJaccService js = context.mock(WebJaccService.class); private final ComponentContext cc = context.mock(ComponentContext.class); private final WSPrincipal wp = new WSPrincipal("securityName", "accessId", "BASIC"); - private final AtomicServiceReference ajsr = new AtomicServiceReference(KEY_JACC_SERVICE); + private final AtomicServiceReference ajsr = new AtomicServiceReference(KEY_WEB_JACC_SERVICE); /** * Tests isUserInRole method @@ -114,7 +114,7 @@ public void isUserInRoleTrue() { will(returnValue(0L)); allowing(jsr).getProperty(Constants.SERVICE_RANKING); will(returnValue(0)); - one(cc).locateService("jaccService", jsr); + one(cc).locateService("webJaccService", jsr); will(returnValue(js)); one(js).isSubjectInRole(APP_NAME, MODULE_NAME, SERVLET_NAME, ROLE, ier, SUBJECT); will(returnValue(true)); @@ -162,7 +162,7 @@ public void isUserInRoleNoReqProc() { will(returnValue(0L)); allowing(jsr).getProperty(Constants.SERVICE_RANKING); will(returnValue(0)); - one(cc).locateService("jaccService", jsr); + one(cc).locateService("webJaccService", jsr); will(returnValue(js)); one(js).isSubjectInRole(APP_NAME, MODULE_NAME, null, ROLE, ier, SUBJECT); will(returnValue(false)); 
@@ -212,7 +212,7 @@ public void authorizeTrue() { will(returnValue(0L)); allowing(jsr).getProperty(Constants.SERVICE_RANKING); will(returnValue(0)); - one(cc).locateService("jaccService", jsr); + one(cc).locateService("webJaccService", jsr); will(returnValue(js)); one(js).isAuthorized(APP_NAME, MODULE_NAME, URI_NAME, METHOD_NAME, ier, SUBJECT); will(returnValue(true)); @@ -258,7 +258,7 @@ public void isSSLRequiredTrue() { will(returnValue(0L)); allowing(jsr).getProperty(Constants.SERVICE_RANKING); will(returnValue(0)); - one(cc).locateService("jaccService", jsr); + one(cc).locateService("webJaccService", jsr); will(returnValue(js)); one(js).isSSLRequired(APP_NAME, MODULE_NAME, URI_NAME, METHOD_NAME, ier); will(returnValue(true)); @@ -296,7 +296,7 @@ public void isSSLRequiredAlreadySSL() { will(returnValue(0L)); allowing(jsr).getProperty(Constants.SERVICE_RANKING); will(returnValue(0)); - one(cc).locateService("jaccService", jsr); + one(cc).locateService("webJaccService", jsr); will(returnValue(js)); one(js).isSSLRequired(APP_NAME, MODULE_NAME, URI_NAME, METHOD_NAME, ier); will(returnValue(false)); @@ -337,7 +337,7 @@ public void checkPrecludedAccessFalse() { will(returnValue(0L)); allowing(jsr).getProperty(Constants.SERVICE_RANKING); will(returnValue(0)); - one(cc).locateService("jaccService", jsr); + one(cc).locateService("webJaccService", jsr); will(returnValue(js)); one(js).isAccessExcluded(APP_NAME, MODULE_NAME, URI_NAME, METHOD_NAME, ier); will(returnValue(false)); @@ -381,7 +381,7 @@ public void checkPrecludedAccessTrue() { will(returnValue(0L)); allowing(jsr).getProperty(Constants.SERVICE_RANKING); will(returnValue(0)); - one(cc).locateService("jaccService", jsr); + one(cc).locateService("webJaccService", jsr); will(returnValue(js)); one(js).isAccessExcluded(APP_NAME, MODULE_NAME, URI_NAME, METHOD_NAME, ier); will(returnValue(true));