Merge pull request wildfly#11914 from darranl/WFLY-7186

[WFLY-7186] EE Security API Integration with WildFly Elytron
sfcoy · Jan 19, 2019 · 8c4e18b · 8c4e18b
2 parents 3974872 + 5a917ff
commit 8c4e18b
Show file tree

Hide file tree

Showing 21 changed files with 720 additions and 49 deletions.
diff --git a/docs/src/main/asciidoc/WildFly_Elytron_Security.adoc b/docs/src/main/asciidoc/WildFly_Elytron_Security.adoc
@@ -91,6 +91,7 @@ include::_elytron/Using_WildFly_Elytron_with_WildFly.adoc[]
 include::_elytron/Client_Authentication_with_Elytron_Client.adoc[]
 include::_elytron/Elytron_and_Java_Authorization_Contract_for_Containers-JACC.adoc[]
 include::_elytron/Elytron_and_Java_Authentication_SPI_for_Containers-JASPI.adoc[]
+include::_elytron/Elytron_and_Java_EE_Security.adoc[]
 include::_elytron/KeyCloak_Integration.adoc[]
 include::_elytron/Bearer_Token_Authorization.adoc[]
 include::_elytron/OpenSSL.adoc[]

diff --git a/...asciidoc/_elytron/Elytron_and_Java_Authentication_SPI_for_Containers-JASPI.adoc b/...asciidoc/_elytron/Elytron_and_Java_Authentication_SPI_for_Containers-JASPI.adoc
@@ -17,9 +17,10 @@ Once the WildFly Elytron security framework is activate for a deployment at the
 Any updates made to the `AuthConfigFactory` are immediately available, this means that if an `AuthConfigProvider` is registered which is a match for an existing application it will start to be used immediately without requiring redeployment of the application.
 
 All web applications deployed to WildFly have a security domain which will be resolved in the following order: -
- . From the deployment descriptors / annotations of the deployment being deployed.
- . The value defined on the `default-security-domain` attribute on the Undertow subsystem.
- . Default to 'other'.
+
+. From the deployment descriptors / annotations of the deployment being deployed.
+. The value defined on the `default-security-domain` attribute on the Undertow subsystem.
+. Default to 'other'.
 
 We assume that this security domain is a reference to a PicketBox security domain so the final step in activation is ensuring this is mapped to WildFly Elytron using an `application-security-domain` resource in the Undertow subsystem.  This mapping can either reference a WildFly Elytron security domain directly or it can reference a `http-authentication-factory` resource to obtain instances of authentication mechanisms.
 

diff --git a/docs/src/main/asciidoc/_elytron/Elytron_and_Java_EE_Security.adoc b/docs/src/main/asciidoc/_elytron/Elytron_and_Java_EE_Security.adoc
@@ -0,0 +1,46 @@
+[[Elytron_and_Java_EE_Security]]
+= Elytron and Java EE Security
+
+[abstract]
+== Introduction
+
+Starting from WildFly 15 an implementation of the Servlet Profile from Java Authentication SPI for Containers (JSR-196 / JASPI) specification has been included in the application server, in addition to making JASPI available for deployments using WildFly Elytron it also makes it possible to make use of EE Security with WildFly Elytron.
+
+== Activation
+
+EE Security with WildFly Elytron is available out of the box with just a couple of small steps required.
+
+=== Define JACC Policy
+
+The `SecurityContext` API makes use of JACC to access the current authenticated identity, if deployments are going to make use of this API then a JACC policy needs to be activated in the WildFly Elytron subsystem.  If this API is not being used then the activation can be skipped.
+
+[source, ruby]
+----
+/subsystem=security:write-attribute(name=initialize-jacc, value=false)
+/subsystem=elytron/policy=jacc:add(jacc-policy={})
+:reload
+----
+
+As is shown in the example no specific configuration is required other than the presence of a default JACC policy, additionally after making these changes the server needs to be reloaded to ensure the new policy activates correctly.
+
+=== Add `application-security-domain` mapping
+
+As with all deployments a mapping is required from the security domain defined for the deployment to either a WildFly Elytron security domain or http authentication factory to activate security backed by WildFly Elytron. 
+
+All web applications deployed to WildFly have a security domain which will be resolved in the following order: -
+
+. From the deployment descriptors / annotations of the deployment being deployed.
+. The value defined on the `default-security-domain` attribute on the Undertow subsystem.
+. Default to 'other'.
+
+An `application-security-domain` resource then needs to be added to map from the deployment's security domain.
+
+The simplest approach is to add a mapping for `other`, then no further configuration will be required and provided the deployment does not define it's own security domain and provided no alternative default is specified all deployments will match this mapping.
+
+[source, ruby]
+----
+/subsystem=undertow/application-security-domain=other:add(security-domain=ApplicationDomain, integrated-jaspi=false)
+----
+
+The EE Security API is built on JASPI.  Within JASPI we support two different modes of operation 'integrated', and 'non-integrated'.  In integrated mode any identity being established during authentication is expected to exist in the associated security domain.  With the EE Security APIs however it is quite likely an alternative store will be in use so configuration the mapping to use 'non-integrated' JASPI allows for identities to be dynamically created as required.
+
diff --git a/testsuite/integration/elytron/pom.xml b/testsuite/integration/elytron/pom.xml
@@ -54,6 +54,11 @@
     </properties>
 
     <dependencies>
+        <dependency>
+            <groupId>javax.security.enterprise</groupId>
+            <artifactId>javax.security.enterprise-api</artifactId>
+            <scope>test</scope>
+        </dependency>
         <dependency>
             <groupId>joda-time</groupId>
             <artifactId>joda-time</artifactId>
@@ -120,7 +125,7 @@
             <groupId>${project.groupId}</groupId>
             <artifactId>wildfly-batch-jberet</artifactId>
             <scope>test</scope>
-        </dependency>
+        </dependency>        
     </dependencies>
 
     <build>

diff --git a/...ron/src/test/java/org/wildfly/test/integration/elytron/jaspi/ConfiguredJaspiTestBase.java b/...ron/src/test/java/org/wildfly/test/integration/elytron/jaspi/ConfiguredJaspiTestBase.java
@@ -56,6 +56,7 @@
 import org.wildfly.security.auth.jaspi.Flag;
 import org.wildfly.test.security.common.AbstractElytronSetupTask;
 import org.wildfly.test.security.common.elytron.ConfigurableElement;
+import org.wildfly.test.undertow.common.UndertowApplicationSecurityDomain;
 
 /**
  * A base for the configured JASPI testing allowing us to repeat the same set of tests across a different set of server

diff --git a/...lytron/src/test/java/org/wildfly/test/integration/elytron/jaspi/DynamicJaspiTestCase.java b/...lytron/src/test/java/org/wildfly/test/integration/elytron/jaspi/DynamicJaspiTestCase.java
@@ -46,6 +46,7 @@
 import org.junit.runner.RunWith;
 import org.wildfly.test.security.common.AbstractElytronSetupTask;
 import org.wildfly.test.security.common.elytron.ConfigurableElement;
+import org.wildfly.test.undertow.common.UndertowApplicationSecurityDomain;
 
 /**
  * Test case testing a deployment secured using JASPI dynamically registered by the deployment.

diff --git a/.../elytron/src/test/java/org/wildfly/test/integration/elytron/jaspi/JaspiConfiguration.java b/.../elytron/src/test/java/org/wildfly/test/integration/elytron/jaspi/JaspiConfiguration.java
@@ -88,8 +88,6 @@ public void create(ModelControllerClient client, CLIWrapper cli) throws Exceptio
            modules.add(module);
        }
 
-       System.out.println(add);
-
        Utils.applyUpdate(add, client);
    }
 

diff --git a/...tron/src/test/java/org/wildfly/test/integration/elytron/jaspi/SimpleServerAuthModule.java b/...tron/src/test/java/org/wildfly/test/integration/elytron/jaspi/SimpleServerAuthModule.java
@@ -94,8 +94,6 @@ public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject
         final String roles = request.getHeader(ROLES_HEADER);
         final String session = request.getHeader(SESSION_HEADER);
 
-        System.out.println(String.format("authType=%s, username=%s, password=%s, roles=%s, session=%s", authType, username, password, roles, session));
-
         if (username == null || username.length() == 0 || ((password == null || password.length() == 0) && !ANONYMOUS.equals(username))) {
             sendChallenge(response);
             return AuthStatus.SEND_CONTINUE;

diff --git a/...ration/elytron/src/test/java/org/wildfly/test/integration/elytron/securityapi/Policy.java b/...ration/elytron/src/test/java/org/wildfly/test/integration/elytron/securityapi/Policy.java
@@ -0,0 +1,107 @@
+/*
+ * Copyright 2018 Red Hat, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.wildfly.test.integration.elytron.securityapi;
+
+import org.jboss.as.controller.PathAddress;
+import org.jboss.as.controller.client.ModelControllerClient;
+import org.jboss.as.controller.operations.common.Util;
+import org.jboss.as.test.integration.management.util.CLIWrapper;
+import org.jboss.as.test.integration.security.common.Utils;
+import org.jboss.dmr.ModelNode;
+import org.jboss.logging.Logger;
+import org.wildfly.test.security.common.elytron.AbstractConfigurableElement;
+
+import net.sf.ehcache.config.generator.model.elements.ConfigurationElement;
+
+/**
+ * A {@link ConfigurationElement} to add a policy definition to the Elytron subsystem.
+ *
+ * @author <a href="mailto:darran.lofthouse@jboss.com">Darran Lofthouse</a>
+ */
+class Policy extends AbstractConfigurableElement {
+
+    private static final Logger LOGGER = Logger.getLogger(Utils.class);
+
+    private final PathAddress address;
+    private final boolean jaccPolicy;
+
+    Policy(Builder builder) {
+        super(builder);
+        this.address = PathAddress.pathAddress().append("subsystem", "elytron").append("policy", name);
+        this.jaccPolicy = builder.jaccPolicy;
+    }
+
+    @Override
+    public void create(ModelControllerClient client, CLIWrapper cli) throws Exception {
+        ModelNode add = Util.createAddOperation(address);
+        if (jaccPolicy) {
+            add.get("jacc-policy").setEmptyObject();
+        }
+        LOGGER.tracef("Adding policy (%s)", add.toString());
+
+        Utils.applyUpdate(add, client);
+    }
+
+    @Override
+    public void remove(ModelControllerClient client, CLIWrapper cli) throws Exception {
+        Utils.applyUpdate(Util.createRemoveOperation(address), client);
+    }
+
+    /**
+     * Create a new {@link Builder} to build a policy definition.
+     *
+     * @return a new {@link Builder} to build a policy definition.
+     */
+    static Builder builder() {
+        return new Builder();
+    }
+
+    /**
+     * Builder to build a policy resource in the elytron subsystem.
+     */
+    public static final class Builder extends AbstractConfigurableElement.Builder<Builder> {
+
+        private boolean jaccPolicy;
+
+        /**
+         * With an empty JACC policy.
+         *
+         * @return this {@link Builder} to allow method chaining.
+         */
+        public Builder withJaccPolicy() {
+            jaccPolicy = true;
+
+            return this;
+        }
+
+        /**
+         * Build a new Policy {@link ConfigurationElement}
+         *
+         * @return a new Policy {@link ConfigurationElement}
+         */
+        public Policy build() {
+            return new Policy(this);
+        }
+
+        @Override
+        protected Builder self() {
+            return this;
+        }
+
+    }
+
+}