Merge pull request #171 from arjantijms/master

Added tests for the javax.servlet.http.registerSession feature

Author: arun-gupta

jaspic/pom.xml

@@ -28,6 +28,12 @@
 
         <!-- Tests that the main methods of JASPIC artifacts like the SAM are called by the container at the right moment -->
         <module>lifecycle</module>
+        
+         <!-- JASPIC is normally stateless but with a new option introduced in JASPIC 1.1 it can semi-transparently 
+             remember an authenticated identity (semi, because the SAM will still be called and has to explicitly
+             indidate it wants to continue this remembered session). This tests that remembering a session indeed works.
+         -->
+        <module>register-session</module>
 
         <!-- Like Servlet filters, a JASPIC SAM for the Servlet Profile can wrap the request and response. This tests that 
             this indeed happens. -->

jaspic/register-session/pom.xml

@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <parent>
+        <groupId>org.javaee7.jaspic</groupId>
+        <artifactId>jaspic-samples</artifactId>
+        <version>1.0-SNAPSHOT</version>
+        <relativePath>../pom.xml</relativePath>
+    </parent>
+
+    <groupId>org.javaee7.jaspic</groupId>
+    <artifactId>register-session</artifactId>
+    <version>1.0-SNAPSHOT</version>
+    <packaging>war</packaging>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.javaee7.jaspic</groupId>
+            <artifactId>common</artifactId>
+            <version>1.0-SNAPSHOT</version>
+        </dependency>
+        
+    </dependencies>
+
+</project>

jaspic/register-session/src/main/java/org/javaee7/jaspic/registersession/sam/SamAutoRegistrationListener.java

@@ -0,0 +1,22 @@
+package org.javaee7.jaspic.registersession.sam;
+
+import javax.servlet.ServletContextEvent;
+import javax.servlet.annotation.WebListener;
+
+import org.javaee7.jaspic.common.BaseServletContextListener;
+import org.javaee7.jaspic.common.JaspicUtils;
+
+/**
+ * 
+ * @author Arjan Tijms
+ *
+ */
+@WebListener
+public class SamAutoRegistrationListener extends BaseServletContextListener {
+
+    @Override
+    public void contextInitialized(ServletContextEvent sce) {
+        JaspicUtils.registerSAM(sce.getServletContext(), new TestServerAuthModule());
+    }
+
+}

jaspic/register-session/src/main/java/org/javaee7/jaspic/registersession/sam/TestServerAuthModule.java

@@ -0,0 +1,110 @@
+package org.javaee7.jaspic.registersession.sam;
+
+import static java.lang.Boolean.TRUE;
+import static javax.security.auth.message.AuthStatus.SUCCESS;
+
+import java.io.IOException;
+import java.security.Principal;
+import java.util.Map;
+import java.util.logging.Logger;
+
+import javax.security.auth.Subject;
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.UnsupportedCallbackException;
+import javax.security.auth.message.AuthException;
+import javax.security.auth.message.AuthStatus;
+import javax.security.auth.message.MessageInfo;
+import javax.security.auth.message.MessagePolicy;
+import javax.security.auth.message.callback.CallerPrincipalCallback;
+import javax.security.auth.message.callback.GroupPrincipalCallback;
+import javax.security.auth.message.module.ServerAuthModule;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+/**
+ * 
+ * @author Arjan Tijms
+ * 
+ */
+public class TestServerAuthModule implements ServerAuthModule {
+
+    Logger logger = Logger.getLogger("blalllalala");
+    
+    private CallbackHandler handler;
+    private Class<?>[] supportedMessageTypes = new Class[] { HttpServletRequest.class, HttpServletResponse.class };
+
+    @Override
+    public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy, CallbackHandler handler,
+            @SuppressWarnings("rawtypes") Map options) throws AuthException {
+        this.handler = handler;
+    }
+
+    @SuppressWarnings("unchecked")
+    @Override
+    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject, Subject serviceSubject)
+            throws AuthException {
+
+        HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
+        Callback[] callbacks;
+        
+        Principal userPrincipal = request.getUserPrincipal();
+        if (userPrincipal != null && request.getParameter("continueSession") != null) {
+            
+            // ### If already authenticated before, continue this session
+            
+            // Execute protocol to signal container registered authentication session be used.
+            callbacks = new Callback[] { new CallerPrincipalCallback(clientSubject, userPrincipal) };
+            
+        } else if (request.getParameter("doLogin") != null) {
+            
+            // ### If not authenticated before, do a new login if so requested
+
+            // For the test perform a login by directly "returning" the details of the authenticated user.
+            // Normally credentials would be checked and the details fetched from some repository
+
+            callbacks = new Callback[] {
+                    // The name of the authenticated user
+                    new CallerPrincipalCallback(clientSubject, "test"),
+                    // the roles of the authenticated user
+                    new GroupPrincipalCallback(clientSubject, new String[] { "architect" }) };
+
+            // Tell container to register an authentication session.
+            messageInfo.getMap().put("javax.servlet.http.registerSession", TRUE.toString());
+        } else {
+            
+            // ### If no registered session and no login request "do nothing"
+            
+            // The JASPIC protocol for "do nothing"
+            callbacks = new Callback[] { new CallerPrincipalCallback(clientSubject, (Principal) null) };
+        }
+
+        try {
+
+            // Communicate the details of the authenticated user to the container. In many
+            // cases the handler will just store the details and the container will actually handle
+            // the login after we return from this method.
+            handler.handle(callbacks);
+
+        } catch (IOException | UnsupportedCallbackException e) {
+            throw (AuthException) new AuthException().initCause(e);
+        }
+
+        return SUCCESS;
+    }
+
+    @Override
+    public Class<?>[] getSupportedMessageTypes() {
+        return supportedMessageTypes;
+    }
+
+    @Override
+    public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject) throws AuthException {
+        return AuthStatus.SEND_SUCCESS;
+    }
+
+    @Override
+    public void cleanSubject(MessageInfo messageInfo, Subject subject) throws AuthException {
+
+    }
+}

jaspic/register-session/src/main/java/org/javaee7/jaspic/registersession/servlet/ProtectedServlet.java

@@ -0,0 +1,39 @@
+package org.javaee7.jaspic.registersession.servlet;
+
+import java.io.IOException;
+
+import javax.servlet.ServletException;
+import javax.servlet.annotation.WebServlet;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+/**
+ * 
+ * @author Arjan Tijms
+ * 
+ */
+@WebServlet(urlPatterns = "/protected/servlet")
+public class ProtectedServlet extends HttpServlet {
+
+    private static final long serialVersionUID = 1L;
+
+    @Override
+    public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+
+        response.getWriter().write("This is a protected servlet \n");
+
+        String webName = null;
+        if (request.getUserPrincipal() != null) {
+            webName = request.getUserPrincipal().getName();
+        }
+
+        response.getWriter().write("web username: " + webName + "\n");
+
+        boolean webHasRole = request.isUserInRole("architect");
+
+        response.getWriter().write("web user has role \"architect\": " + webHasRole + "\n");
+
+    }
+
+}

jaspic/register-session/src/main/java/org/javaee7/jaspic/registersession/servlet/PublicServlet.java

@@ -0,0 +1,39 @@
+package org.javaee7.jaspic.registersession.servlet;
+
+import java.io.IOException;
+
+import javax.servlet.ServletException;
+import javax.servlet.annotation.WebServlet;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+/**
+ * 
+ * @author Arjan Tijms
+ * 
+ */
+@WebServlet(urlPatterns = "/public/servlet")
+public class PublicServlet extends HttpServlet {
+
+    private static final long serialVersionUID = 1L;
+
+    @Override
+    public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+
+        response.getWriter().write("This is a public servlet \n");
+
+        String webName = null;
+        if (request.getUserPrincipal() != null) {
+            webName = request.getUserPrincipal().getName();
+        }
+
+        response.getWriter().write("web username: " + webName + "\n");
+
+        boolean webHasRole = request.isUserInRole("architect");
+
+        response.getWriter().write("web user has role \"architect\": " + webHasRole + "\n");
+
+    }
+
+}

jaspic/register-session/src/main/webapp/WEB-INF/glassfish-web.xml

@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glassfish-web-app PUBLIC "-//GlassFish.org//DTD GlassFish Application Server 3.1 Servlet 3.0//EN" "http://glassfish.org/dtds/glassfish-web-app_3_0-1.dtd">
+<glassfish-web-app>
+
+	<security-role-mapping>
+		<role-name>architect</role-name>
+		<group-name>architect</group-name>
+	</security-role-mapping>
+
+	<parameter-encoding default-charset="UTF-8" />
+
+</glassfish-web-app>

jaspic/register-session/src/main/webapp/WEB-INF/web.xml

@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
+	xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
+	version="3.0">
+
+	<security-constraint>
+		<web-resource-collection>
+			<web-resource-name>Test</web-resource-name>
+			<url-pattern>/protected/*</url-pattern>
+		</web-resource-collection>
+		<auth-constraint>
+			<role-name>architect</role-name>
+		</auth-constraint>
+	</security-constraint>
+
+	<security-role>
+		<role-name>architect</role-name>
+	</security-role>
+
+</web-app>