Added sample of client-cert using JCE

Author: arjantijms

servlet/pom.xml

@@ -33,6 +33,7 @@
         <module>security-digest</module>
         <module>security-form-based</module>
         <module>security-clientcert</module>
+        <module>security-clientcert-jce</module>
 
 
         <module>security-programmatic</module>

servlet/security-clientcert-jce/pom.xml

@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <parent>
+        <groupId>org.javaee7</groupId>
+        <artifactId>servlet</artifactId>
+        <version>1.0-SNAPSHOT</version>
+    </parent>
+
+    <artifactId>servlet-security-clientcert-jce</artifactId>
+    <packaging>war</packaging>
+
+    <name>Java EE 7 Sample: servlet - security-clientcert-jce</name>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.bouncycastle</groupId>
+            <artifactId>bcprov-jdk15on</artifactId>
+            <version>1.59</version>
+        </dependency>
+
+        <dependency>
+            <groupId>org.bouncycastle</groupId>
+            <artifactId>bcpkix-jdk15on</artifactId>
+            <version>1.59</version>
+        </dependency>
+    </dependencies>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-surefire-plugin</artifactId>
+                <configuration>
+                    <skipTests>${skipServletClientCertificate}</skipTests>
+                    <systemPropertyVariables>
+                        <buildDirectory>${project.build.directory}</buildDirectory>
+                    </systemPropertyVariables>
+                </configuration>
+            </plugin>
+        </plugins>
+    </build>
+    
+</project>

servlet/security-clientcert-jce/src/main/java/org/javaee7/servlet/security/clientcert/jce/BouncyServlet.java

@@ -0,0 +1,38 @@
+/** Copyright Payara Services Limited **/
+package org.javaee7.servlet.security.clientcert.jce;
+
+import java.io.IOException;
+import java.security.Security;
+
+import javax.servlet.ServletException;
+import javax.servlet.annotation.WebServlet;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+
+/**
+ * This Servlet is used to set our custom JCE provider.
+ * 
+ * @author Arjan Tijms
+ */
+@WebServlet(urlPatterns = { "/BouncyServlet" })
+public class BouncyServlet extends HttpServlet {
+
+    private static final long serialVersionUID = 1L;
+
+    @Override
+    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+        
+        BouncyCastleProvider provider = new BouncyCastleProvider();
+        provider.put("CertificateFactory.X.509", MyJCECertificateFactory.class.getName());
+        
+        // Installs the JCE provider
+        int pos = Security.insertProviderAt(provider, 1);
+        
+        // Returns the position of the JCE provider, this should be 1.
+        response.getWriter().print("pos:" + pos);
+    }
+
+}

servlet/security-clientcert-jce/src/main/java/org/javaee7/servlet/security/clientcert/jce/MyJCECertificateFactory.java

@@ -0,0 +1,33 @@
+/** Copyright Payara Services Limited **/
+package org.javaee7.servlet.security.clientcert.jce;
+
+import java.io.InputStream;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+
+import org.bouncycastle.jcajce.provider.asymmetric.x509.CertificateFactory;
+
+/**
+ * Our own custom CertificateFactory based on the bouncy castle one.
+ * 
+ * <p>
+ * We use this to provide a customized certificate, based on the certificate
+ * instance created by bouncy castle.
+ * 
+ * @author Arjan Tijms
+ */
+public class MyJCECertificateFactory extends CertificateFactory {
+
+    @Override
+    public Certificate engineGenerateCertificate(InputStream in) throws CertificateException {
+        Certificate certificate = super.engineGenerateCertificate(in);
+
+        if (certificate instanceof X509Certificate == false) {
+            return certificate;
+        }
+
+        return new MyJCEX509Certificate((X509Certificate) certificate);
+    }
+
+}

servlet/security-clientcert-jce/src/main/java/org/javaee7/servlet/security/clientcert/jce/MyJCEX509Certificate.java

@@ -0,0 +1,185 @@
+/** Copyright Payara Services Limited **/
+package org.javaee7.servlet.security.clientcert.jce;
+
+import java.math.BigInteger;
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.Principal;
+import java.security.PublicKey;
+import java.security.SignatureException;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateExpiredException;
+import java.security.cert.CertificateNotYetValidException;
+import java.security.cert.X509Certificate;
+import java.util.Date;
+import java.util.Set;
+
+import javax.security.auth.x500.X500Principal;
+
+/**
+ * @author Arjan Tijms
+ */
+public class MyJCEX509Certificate extends X509Certificate {
+
+    private final X509Certificate certificate;
+
+    public MyJCEX509Certificate(X509Certificate certificate) {
+        this.certificate = certificate;
+    }
+    
+    @Override
+    public X500Principal getSubjectX500Principal() {
+        
+        X500Principal principal = certificate.getSubjectX500Principal();
+
+        if ("C=UK,ST=lak,L=zak,O=kaz,OU=bar,CN=lfoo".equals(principal.getName())) {
+            return new X500Principal("CN=u1");
+        }
+        
+        return principal;
+    }
+    
+    @Override
+    public Principal getSubjectDN() {
+        
+        Principal principal = certificate.getSubjectDN();
+
+        if ("CN=lfoo,OU=bar,O=kaz,L=zak,ST=lak,C=UK".equals(principal.getName())) {
+            // Doesn't have to be X500 but keep it for simplicity
+            return new X500Principal("CN=u1");
+        }
+        
+        return principal;
+    }
+
+    @Override
+    public boolean hasUnsupportedCriticalExtension() {
+        return certificate.hasUnsupportedCriticalExtension();
+    }
+
+    @Override
+    public Set<String> getCriticalExtensionOIDs() {
+        return certificate.getCriticalExtensionOIDs();
+    }
+
+    @Override
+    public Set<String> getNonCriticalExtensionOIDs() {
+        return certificate.getCriticalExtensionOIDs();
+    }
+
+    @Override
+    public byte[] getExtensionValue(String oid) {
+        return certificate.getExtensionValue(oid);
+    }
+
+    @Override
+    public void checkValidity() throws CertificateExpiredException, CertificateNotYetValidException {
+        certificate.checkValidity();
+
+    }
+
+    @Override
+    public void checkValidity(Date date) throws CertificateExpiredException, CertificateNotYetValidException {
+        certificate.checkValidity(date);
+    }
+
+    @Override
+    public int getVersion() {
+        return certificate.getVersion();
+    }
+
+    @Override
+    public BigInteger getSerialNumber() {
+        return certificate.getSerialNumber();
+    }
+
+    @Override
+    public Principal getIssuerDN() {
+        return certificate.getIssuerDN();
+    }
+
+    @Override
+    public Date getNotBefore() {
+        return certificate.getNotBefore();
+    }
+
+    @Override
+    public Date getNotAfter() {
+        return certificate.getNotAfter();
+    }
+
+    @Override
+    public byte[] getTBSCertificate() throws CertificateEncodingException {
+        return certificate.getTBSCertificate();
+    }
+
+    @Override
+    public byte[] getSignature() {
+        return certificate.getSignature();
+    }
+
+    @Override
+    public String getSigAlgName() {
+        return certificate.getSigAlgName();
+    }
+
+    @Override
+    public String getSigAlgOID() {
+        return certificate.getSigAlgOID();
+    }
+
+    @Override
+    public byte[] getSigAlgParams() {
+        return certificate.getSigAlgParams();
+    }
+
+    @Override
+    public boolean[] getIssuerUniqueID() {
+        return certificate.getIssuerUniqueID();
+    }
+
+    @Override
+    public boolean[] getSubjectUniqueID() {
+        return certificate.getSubjectUniqueID();
+    }
+
+    @Override
+    public boolean[] getKeyUsage() {
+        return certificate.getKeyUsage();
+    }
+
+    @Override
+    public int getBasicConstraints() {
+        return certificate.getBasicConstraints();
+    }
+
+    @Override
+    public byte[] getEncoded() throws CertificateEncodingException {
+        return certificate.getEncoded();
+    }
+
+    @Override
+    public void verify(PublicKey key) throws CertificateException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException {
+        certificate.verify(key);
+
+    }
+
+    @Override
+    public void verify(PublicKey key, String sigProvider) throws CertificateException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException {
+        certificate.verify(key, sigProvider);
+
+    }
+
+    @Override
+    public String toString() {
+        return certificate.toString();
+    }
+
+    @Override
+    public PublicKey getPublicKey() {
+        return certificate.getPublicKey();
+    }
+
+}

servlet/security-clientcert-jce/src/main/java/org/javaee7/servlet/security/clientcert/jce/SecureServlet.java

@@ -0,0 +1,29 @@
+/** Copyright Payara Services Limited **/
+package org.javaee7.servlet.security.clientcert.jce;
+
+import java.io.IOException;
+import java.security.Security;
+
+import javax.servlet.ServletException;
+import javax.servlet.annotation.WebServlet;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+
+/**
+ * @author Arjan Tijms
+ */
+@WebServlet(urlPatterns = { "/SecureServlet" })
+public class SecureServlet extends HttpServlet {
+
+    private static final long serialVersionUID = 1L;
+
+    @Override
+    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+        
+        response.getWriter().print("principal " + request.getUserPrincipal() + " in role g1:" + request.isUserInRole("g1"));
+    }
+
+}

servlet/security-clientcert-jce/src/main/webapp/WEB-INF/glassfish-web.xml

@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+/** Copyright Payara Services Limited **/
+-->
+<!DOCTYPE glassfish-web-app PUBLIC "-//GlassFish.org//DTD GlassFish Application Server 3.1 Servlet 3.0//EN" "http://glassfish.org/dtds/glassfish-web-app_3_0-1.dtd">
+<glassfish-web-app>
+
+    <security-role-mapping>
+        <role-name>g1</role-name>
+        <group-name>g1</group-name>
+        <principal-name>CN=u1</principal-name>
+    </security-role-mapping>
+
+</glassfish-web-app>

servlet/security-clientcert-jce/src/main/webapp/WEB-INF/web.xml

@@ -0,0 +1,29 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+/** Copyright Payara Services Limited **/
+-->
+<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
+         version="3.1">
+         
+    <security-constraint>
+        <web-resource-collection>
+            <web-resource-name>SecureServlet</web-resource-name>
+            <url-pattern>/SecureServlet</url-pattern>
+            <http-method>GET</http-method>
+            <http-method>POST</http-method>
+        </web-resource-collection>
+        <auth-constraint>
+            <role-name>g1</role-name>
+        </auth-constraint>
+    </security-constraint>
+    
+    <login-config>
+        <auth-method>CLIENT-CERT</auth-method>
+    </login-config>
+    
+    <security-role>
+        <role-name>g1</role-name>
+    </security-role>
+</web-app>