diff --git a/appserver/payara-appserver-modules/microprofile/jwt-auth/src/main/java/fish/payara/microprofile/jwtauth/cdi/CdiInitEventHandler.java b/appserver/payara-appserver-modules/microprofile/jwt-auth/src/main/java/fish/payara/microprofile/jwtauth/cdi/CdiInitEventHandler.java index c5e0eba4d67..b3ecd78a8a9 100644 --- a/appserver/payara-appserver-modules/microprofile/jwt-auth/src/main/java/fish/payara/microprofile/jwtauth/cdi/CdiInitEventHandler.java +++ b/appserver/payara-appserver-modules/microprofile/jwt-auth/src/main/java/fish/payara/microprofile/jwtauth/cdi/CdiInitEventHandler.java @@ -106,6 +106,8 @@ */ public class CdiInitEventHandler { + private final static JsonWebTokenImpl emptyJsonWebToken = new JsonWebTokenImpl(null, Collections.emptyMap()); + public static void installAuthenticationMechanism(AfterBeanDiscovery afterBeanDiscovery) { afterBeanDiscovery.addBean(new PayaraCdiProducer() @@ -122,6 +124,14 @@ public static void installAuthenticationMechanism(AfterBeanDiscovery afterBeanDi .addToId("mechanism " + LoginConfig.class) .create(e -> new JWTAuthenticationMechanism())); + // MP-JWT 1.0 7.1.1. Injection of JsonWebToken + afterBeanDiscovery.addBean(new PayaraCdiProducer() + .scope(RequestScoped.class) + .beanClass(JsonWebToken.class) + .types(Object.class, JsonWebToken.class) + .addToId("token " + LoginConfig.class) + .create(e -> getJsonWebToken())); + // MP-JWT 1.0 7.1.2 for (JWTInjectableType injectableType : computeTypes()) { 
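Review bot: The bean registered for `JsonWebToken` in the second hunk is typed only as `Object` and `JsonWebToken`, which keeps it from satisfying an `@Inject Principal`, but nothing says so; the deleted producer carried that rationale on its `@Typed` annotation and it should not be lost: `// types deliberately exclude Principal and JsonWebTokenImpl so this bean never competes with the caller principal`. The shared `emptyJsonWebToken` is handed to every request that carries no token, so it must be immutable; `JsonWebTokenImpl` is not visible here, so confirm it has no mutators, and name it `EMPTY_JSON_WEB_TOKEN` (`private static final`) to signal that it is a constant. `installAuthenticationMechanism` continues past the end of the hunk.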
@@ -243,8 +253,17 @@ public static A getQualifier(InjectionPoint injectionPoin
 }
 public static JsonWebTokenImpl getJsonWebToken() {
- JsonWebTokenImpl jsonWebToken = CdiUtils.getBeanReference(JsonWebTokenImpl.class);
- return jsonWebToken;
+ SecurityContext context = CdiUtils.getBeanReference(SecurityContext.class);
+ Principal principal = context.getCallerPrincipal();
+ if (principal instanceof JsonWebTokenImpl) {
+ return (JsonWebTokenImpl) principal;
+ } else {
+ Set principals = context.getPrincipalsByType(JsonWebTokenImpl.class);
+ if (!principals.isEmpty()) {
+ return principals.iterator().next();
+ }
+ }
+ return emptyJsonWebToken;
 }
 public static String getClaimName(Claim claim) {
diff --git a/appserver/payara-appserver-modules/microprofile/jwt-auth/src/main/java/fish/payara/microprofile/jwtauth/cdi/JsonWebTokenProducer.java b/appserver/payara-appserver-modules/microprofile/jwt-auth/src/main/java/fish/payara/microprofile/jwtauth/cdi/JsonWebTokenProducer.java
deleted file mode 100644
index 74e9d18ea2a..00000000000
--- a/appserver/payara-appserver-modules/microprofile/jwt-auth/src/main/java/fish/payara/microprofile/jwtauth/cdi/JsonWebTokenProducer.java
+++ /dev/null
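Review bot: The fallback in `getJsonWebToken` returns `principals.iterator().next()` from `getPrincipalsByType(JsonWebTokenImpl.class)` without checking how many principals it found, so if more than one JWT principal is attached to the caller the injected token is whichever one the set happens to yield first and may not be the caller's identity; guard it with `if (principals.size() > 1) { /* ambiguous caller identity: log or fail rather than pick one */ }` or document why at most one can exist. `Set principals` is a raw type as shown (the type argument may have been stripped by the page); it should read `Set<JsonWebTokenImpl>`. Callers also cannot tell the anonymous `emptyJsonWebToken` from a real token except by its null name and empty claims, which deserves a line of Javadoc on the method.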
@@ -1,178 +0,0 @@ -/* - * - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER. - * - * Copyright (c) 2022 Payara Foundation and/or its affiliates. All rights reserved. - * - * The contents of this file are subject to the terms of either the GNU - * General Public License Version 2 only ("GPL") or the Common Development - * and Distribution License("CDDL") (collectively, the "License"). You - * may not use this file except in compliance with the License. You can - * obtain a copy of the License at - * https://github.com/payara/Payara/blob/master/LICENSE.txt - * See the License for the specific - * language governing permissions and limitations under the License. - * - * When distributing the software, include this License Header Notice in each - * file and include the License file at glassfish/legal/LICENSE.txt. - * - * GPL Classpath Exception: - * The Payara Foundation designates this particular file as subject to the "Classpath" - * exception as provided by the Payara Foundation in the GPL Version 2 section of the License - * file that accompanied this code. - * - * Modifications: - * If applicable, add the following below the License Header, with the fields - * enclosed by brackets [] replaced by your own identifying information: - * "Portions Copyright [year] [name of copyright owner]" - * - * Contributor(s): - * If you wish your version of this file to be governed by only the CDDL or - * only the GPL Version 2, indicate your decision by adding "[Contributor] - * elects to include this software in this distribution under the [CDDL or GPL - * Version 2] license." If you don't indicate a single choice of license, a - * recipient has the option to distribute your version of this file under - * either the CDDL, the GPL Version 2 or to extend the choice of license to - * its licensees as provided above. 
However, if you add GPL Version 2 code - * and therefore, elected the GPL Version 2 license, then the option applies - * only if the new code is made subject to such option by the copyright - * holder. - * - */ - -package fish.payara.microprofile.jwtauth.cdi; - -import java.security.Principal; -import java.util.Collections; -import java.util.HashMap; -import java.util.Map; -import java.util.Optional; -import java.util.Set; - -import jakarta.enterprise.context.RequestScoped; -import jakarta.enterprise.inject.Produces; -import jakarta.enterprise.inject.Typed; -import jakarta.json.JsonValue; -import jakarta.security.enterprise.SecurityContext; -import jakarta.servlet.http.HttpServletRequest; -import jakarta.ws.rs.NotAuthorizedException; - -import fish.payara.microprofile.jwtauth.eesecurity.JWTAuthenticationMechanism; -import fish.payara.microprofile.jwtauth.jwt.JsonWebTokenImpl; -import org.eclipse.microprofile.jwt.Claims; -import org.eclipse.microprofile.jwt.JsonWebToken; - -@RequestScoped -class JsonWebTokenProducer { - @Produces - @RequestScoped - @Typed({JsonWebTokenImpl.class, JsonWebToken.class}) // so it's not eligible for injection as Principal - JsonWebTokenImpl currentJwt(SecurityContext securityContext, HttpServletRequest request) { - Principal principal = securityContext.getCallerPrincipal(); - if (principal != null && principal instanceof JsonWebTokenImpl) { - return (JsonWebTokenImpl) principal; - } - if (request.getAttribute(JWTAuthenticationMechanism.INVALID_JWT_TOKEN) != null) { - return INVALID_JWT_TOKEN; - } - return EMPTY_JWT_TOKEN; - } - - private final static JsonWebTokenImpl EMPTY_JWT_TOKEN = new JsonWebTokenImpl(null, Collections.emptyMap()); - - static final JsonWebTokenImpl INVALID_JWT_TOKEN = new JsonWebTokenImpl(null, Collections.emptyMap()) { - void throwOnInvalidToken() { - throw new NotAuthorizedException("Presented JWT token is invalid"); - } - - @Override - public Map getClaims() { - throwOnInvalidToken(); - return super.getClaims(); - 
} - - @Override - public T getClaim(String claimName) { - throwOnInvalidToken(); - return super.getClaim(claimName); - } - - @Override - public Set getClaimNames() { - throwOnInvalidToken(); - return super.getClaimNames(); - } - - @Override - public String getRawToken() { - throwOnInvalidToken(); - return super.getRawToken(); - } - - @Override - public String getIssuer() { - throwOnInvalidToken(); - return super.getIssuer(); - } - - @Override - public Set getAudience() { - throwOnInvalidToken(); - return super.getAudience(); - } - - @Override - public String getSubject() { - throwOnInvalidToken(); - return super.getSubject(); - } - - @Override - public String getTokenID() { - throwOnInvalidToken(); - return super.getTokenID(); - } - - @Override - public long getExpirationTime() { - throwOnInvalidToken(); - return super.getExpirationTime(); - } - - @Override - public long getIssuedAtTime() { - throwOnInvalidToken(); - return super.getIssuedAtTime(); - } - - @Override - public Set getGroups() { - throwOnInvalidToken(); - return super.getGroups(); - } - - @Override - public boolean containsClaim(String claimName) { - throwOnInvalidToken(); - return super.containsClaim(claimName); - } - - @Override - public T getClaim(Claims claim) { - throwOnInvalidToken(); - return super.getClaim(claim); - } - - @Override - public Optional claim(String claimName) { - throwOnInvalidToken(); - return super.claim(claimName); - } - - @Override - public Optional claim(Claims claim) { - throwOnInvalidToken(); - return super.claim(claim); - } - }; -} diff --git a/appserver/payara-appserver-modules/microprofile/jwt-auth/src/main/java/fish/payara/microprofile/jwtauth/cdi/JwtAuthCdiExtension.java b/appserver/payara-appserver-modules/microprofile/jwt-auth/src/main/java/fish/payara/microprofile/jwtauth/cdi/JwtAuthCdiExtension.java index 688ac2ffddf..dc6ba69045e 100644 
--- a/appserver/payara-appserver-modules/microprofile/jwt-auth/src/main/java/fish/payara/microprofile/jwtauth/cdi/JwtAuthCdiExtension.java
+++ b/appserver/payara-appserver-modules/microprofile/jwt-auth/src/main/java/fish/payara/microprofile/jwtauth/cdi/JwtAuthCdiExtension.java
@@ -1,7 +1,7 @@
 /*
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
 *
- * Copyright (c) 2017-2022 Payara Foundation and/or its affiliates. All rights reserved.
+ * Copyright (c) 2017-2021 Payara Foundation and/or its affiliates. All rights reserved.
 *
 * The contents of this file are subject to the terms of either the GNU
 * General Public License Version 2 only ("GPL") or the Common Development
@@ -91,14 +91,13 @@ public class JwtAuthCdiExtension implements Extension {
 public void register(@Observes BeforeBeanDiscovery beforeBean, BeanManager beanManager) {
 beforeBean.addAnnotatedType(beanManager.createAnnotatedType(InjectionPointGenerator.class), "JWT InjectionPointGenerator ");
- beforeBean.addAnnotatedType(beanManager.createAnnotatedType(JsonWebTokenProducer.class), JsonWebTokenProducer.class.getName());
 }
 /**
 * This method tries to find the LoginConfig annotation and if does flags that fact.
 *
 */
- public void findLoginConfigAnnotation(@Observes ProcessBean eventIn) {
+ public void findLoginConfigAnnotation(@Observes ProcessBean eventIn, BeanManager beanManager) {
 ProcessBean event = eventIn; // JDK8 u60 workaround
@@ -113,7 +112,7 @@ public void findLoginConfigAnnotation(@Observes ProcessBean eventIn) {
 * declared later on.
 *
 */
- public void findRoles(@Observes ProcessManagedBean eventIn) {
+ public void findRoles(@Observes ProcessManagedBean eventIn, BeanManager beanManager) {
 ProcessManagedBean event = eventIn; // JDK8 u60 workaround
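Review bot: The `BeanManager beanManager` parameter added to `findLoginConfigAnnotation` and `findRoles` is not used on any line visible in these hunks; the method bodies continue outside the hunks, and if they do not use it either the parameter is dead and should be dropped, since CDI resolves every observer parameter by injection on each event for no benefit. The same applies to `checkInjectIntoRightScope` and `installMechanismIfNeeded` in the following hunks.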
@@ -134,7 +133,7 @@ public void findRoles(@Observes ProcessManagedBean eventIn) {
 }
- public void checkInjectIntoRightScope(@Observes ProcessInjectionTarget eventIn) {
+ public void checkInjectIntoRightScope(@Observes ProcessInjectionTarget eventIn, BeanManager beanManager) {
 ProcessInjectionTarget event = eventIn; // JDK8 u60 workaround
@@ -164,7 +163,7 @@ public void checkInjectIntoRightScope(@Observes ProcessInjectionTarget ev
 }
 }
- public void installMechanismIfNeeded(@Observes AfterBeanDiscovery eventIn) {
+ public void installMechanismIfNeeded(@Observes AfterBeanDiscovery eventIn, BeanManager beanManager) {
 AfterBeanDiscovery afterBeanDiscovery = eventIn; // JDK8 u60 workaround
diff --git a/appserver/payara-appserver-modules/microprofile/jwt-auth/src/main/java/fish/payara/microprofile/jwtauth/eesecurity/JWTAuthenticationMechanism.java b/appserver/payara-appserver-modules/microprofile/jwt-auth/src/main/java/fish/payara/microprofile/jwtauth/eesecurity/JWTAuthenticationMechanism.java
index e2b3313e322..cc98d90b94b 100644
--- a/appserver/payara-appserver-modules/microprofile/jwt-auth/src/main/java/fish/payara/microprofile/jwtauth/eesecurity/JWTAuthenticationMechanism.java
+++ b/appserver/payara-appserver-modules/microprofile/jwt-auth/src/main/java/fish/payara/microprofile/jwtauth/eesecurity/JWTAuthenticationMechanism.java
@@ -1,7 +1,7 @@
 /*
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
 *
- * Copyright (c) [2017-2022] Payara Foundation and/or its affiliates. All rights reserved.
+ * Copyright (c) [2017-2021] Payara Foundation and/or its affiliates. All rights reserved.
 *
 * The contents of this file are subject to the terms of either the GNU
 * General Public License Version 2 only ("GPL") or the Common Development
@@ -66,7 +66,6 @@
 * @author Arjan Tijms
 */
 public class JWTAuthenticationMechanism implements HttpAuthenticationMechanism {
- public static String INVALID_JWT_TOKEN = JWTAuthenticationMechanism.class.getName()+".invalidJwt";
 public static final String CONFIG_TOKEN_HEADER_AUTHORIZATION = "Authorization";
 public static final String CONFIG_TOKEN_HEADER_COOKIE = "Cookie";
@@ -92,6 +91,8 @@ public JWTAuthenticationMechanism() {
 @Override
 public AuthenticationStatus validateRequest(HttpServletRequest request, HttpServletResponse response, HttpMessageContext httpMessageContext) throws AuthenticationException {
+ // Don't limit processing of JWT to protected pages (httpMessageContext.isProtected())
+ // as MP TCK requires JWT being parsed (if provided) even if not in protected pages.
 IdentityStoreHandler identityStoreHandler = CDI.current().select(IdentityStoreHandler.class).get();
 SignedJWTCredential credential = getCredential(request);
@@ -106,13 +107,7 @@ public AuthenticationStatus validateRequest(HttpServletRequest request, HttpServ
 return httpMessageContext.notifyContainerAboutLogin(result);
 }
-
- if (httpMessageContext.isProtected()) {
- return httpMessageContext.responseUnauthorized();
- }
-
- // put validation result in an attribute in case unauthenticated endpoint want to touch the token
- request.setAttribute(INVALID_JWT_TOKEN, true);
+ return httpMessageContext.responseUnauthorized();
 }
 return httpMessageContext.doNothing();
diff --git a/appserver/payara-appserver-modules/microprofile/jwt-auth/src/main/java/fish/payara/microprofile/jwtauth/jwt/JsonWebTokenImpl.java b/appserver/payara-appserver-modules/microprofile/jwt-auth/src/main/java/fish/payara/microprofile/jwtauth/jwt/JsonWebTokenImpl.java
index 338c1808aba..ed105ac00d9 100644
--- a/appserver/payara-appserver-modules/microprofile/jwt-auth/src/main/java/fish/payara/microprofile/jwtauth/jwt/JsonWebTokenImpl.java
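Review bot: After the third hunk, a credential that was presented but not accepted (the validation lines themselves sit outside the hunk) ends in `responseUnauthorized()` on every request, including pages that are not protected, whereas the comment added in the second hunk only says the token must be *parsed* on unprotected pages; the comment should state the fail-closed policy so nobody reintroduces the old attribute path: `// An invalid token is rejected with 401 even on unprotected pages: a bad Authorization header is never silently ignored.` That is the safer behaviour, but it also means an expired Bearer token sent to a public endpoint now fails the request, which deserves a release note. It is worth confirming that the 401 produced by `responseUnauthorized()` carries a `WWW-Authenticate: Bearer error="invalid_token"` challenge as RFC 6750 §3 expects, since that method is not visible here. `validateRequest` continues past the end of the hunk.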
+++ b/appserver/payara-appserver-modules/microprofile/jwt-auth/src/main/java/fish/payara/microprofile/jwtauth/jwt/JsonWebTokenImpl.java
@@ -1,7 +1,7 @@
 /*
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
 *
- * Copyright (c) 2017-2022 Payara Foundation and/or its affiliates. All rights reserved.
+ * Copyright (c) 2017-2021 Payara Foundation and/or its affiliates. All rights reserved.
 *
 * The contents of this file are subject to the terms of either the GNU
 * General Public License Version 2 only ("GPL") or the Common Development
@@ -40,8 +40,6 @@
 package fish.payara.microprofile.jwtauth.jwt;
 import static java.util.Collections.singleton;
-
- import java.util.Collections;
 import java.util.HashSet;
 import java.util.Map;
 import java.util.Set;
@@ -65,12 +63,6 @@ public class JsonWebTokenImpl extends CallerPrincipal implements JsonWebToken {
 private final Map claims;
- protected JsonWebTokenImpl() {
- // for proxying request-scoped bean
- super(null);
- claims = Collections.EMPTY_MAP;
- }
 public JsonWebTokenImpl(String callerName, Map claims) {
 super(callerName);
 this.claims = claims;
diff --git a/appserver/tests/payara-samples/samples/microprofile-endpoints/secure/src/test/resources/post-boot-commands.txt b/appserver/tests/payara-samples/samples/microprofile-endpoints/secure/src/test/resources/post-boot-commands.txt
index 992726fe10e..da12b48bf34 100644
--- a/appserver/tests/payara-samples/samples/microprofile-endpoints/secure/src/test/resources/post-boot-commands.txt
+++ b/appserver/tests/payara-samples/samples/microprofile-endpoints/secure/src/test/resources/post-boot-commands.txt
@@ -1,3 +1,3 @@
-set-metrics-configuration --securityenabled=true --endpoint=mpmetrics
-set-microprofile-healthcheck-configuration --securityenabled=true --endpoint=mphealth
-set-openapi-configuration --securityenabled=true --endpoint=openapi
\ No newline at end of file
+set-metrics-configuration --securityenabled=true
+set-microprofile-healthcheck-configuration --securityenabled=true
+set-openapi-configuration --securityenabled=true
\ No newline at end of file
diff --git a/appserver/tests/payara-samples/samples/reproducers/src/main/java/fish/payara/samples/mpjwt/fish6022/JaxrsApplication.java b/appserver/tests/payara-samples/samples/reproducers/src/main/java/fish/payara/samples/mpjwt/fish6022/JaxrsApplication.java
deleted file mode 100644
index a797bc1b3d3..00000000000
--- a/appserver/tests/payara-samples/samples/reproducers/src/main/java/fish/payara/samples/mpjwt/fish6022/JaxrsApplication.java
+++ /dev/null
@@ -1,63 +0,0 @@ -/* - * - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER. - * - * Copyright (c) 2022 Payara Foundation and/or its affiliates. All rights reserved. - * - * The contents of this file are subject to the terms of either the GNU - * General Public License Version 2 only ("GPL") or the Common Development - * and Distribution License("CDDL") (collectively, the "License"). You - * may not use this file except in compliance with the License. You can - * obtain a copy of the License at - * https://github.com/payara/Payara/blob/master/LICENSE.txt - * See the License for the specific - * language governing permissions and limitations under the License. - * - * When distributing the software, include this License Header Notice in each - * file and include the License file at glassfish/legal/LICENSE.txt. - * - * GPL Classpath Exception: - * The Payara Foundation designates this particular file as subject to the "Classpath" - * exception as provided by the Payara Foundation in the GPL Version 2 section of the License - * file that accompanied this code. - * - * Modifications: - * If applicable, add the following below the License Header, with the fields - * enclosed by brackets [] replaced by your own identifying information: - * "Portions Copyright [year] [name of copyright owner]" - * - * Contributor(s): - * If you wish your version of this file to be governed by only the CDDL or - * only the GPL Version 2, indicate your decision by adding "[Contributor] - * elects to include this software in this distribution under the [CDDL or GPL - * Version 2] license." If you don't indicate a single choice of license, a - * recipient has the option to distribute your version of this file under - * either the CDDL, the GPL Version 2 or to extend the choice of license to - * its licensees as provided above. 
However, if you add GPL Version 2 code - * and therefore, elected the GPL Version 2 license, then the option applies - * only if the new code is made subject to such option by the copyright - * holder. - * - */ - -package fish.payara.samples.mpjwt.fish6022; - -import java.util.Collections; -import java.util.Set; - -import jakarta.enterprise.context.ApplicationScoped; -import jakarta.ws.rs.ApplicationPath; -import jakarta.ws.rs.core.Application; - -import org.eclipse.microprofile.auth.LoginConfig; - - -@ApplicationPath("resources") -@LoginConfig(authMethod = "MP-JWT") -@ApplicationScoped -public class JaxrsApplication extends Application { - @Override - public Set> getClasses() { - return Collections.singleton(RootResource.class); - } -} diff --git a/appserver/tests/payara-samples/samples/reproducers/src/main/java/fish/payara/samples/mpjwt/fish6022/PublicServlet.java b/appserver/tests/payara-samples/samples/reproducers/src/main/java/fish/payara/samples/mpjwt/fish6022/PublicServlet.java deleted file mode 100644 index c032036446e..00000000000 --- a/appserver/tests/payara-samples/samples/reproducers/src/main/java/fish/payara/samples/mpjwt/fish6022/PublicServlet.java +++ /dev/null 
@@ -1,69 +0,0 @@ -/* - * - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER. - * - * Copyright (c) 2022 Payara Foundation and/or its affiliates. All rights reserved. - * - * The contents of this file are subject to the terms of either the GNU - * General Public License Version 2 only ("GPL") or the Common Development - * and Distribution License("CDDL") (collectively, the "License"). You - * may not use this file except in compliance with the License. You can - * obtain a copy of the License at - * https://github.com/payara/Payara/blob/master/LICENSE.txt - * See the License for the specific - * language governing permissions and limitations under the License. - * - * When distributing the software, include this License Header Notice in each - * file and include the License file at glassfish/legal/LICENSE.txt. - * - * GPL Classpath Exception: - * The Payara Foundation designates this particular file as subject to the "Classpath" - * exception as provided by the Payara Foundation in the GPL Version 2 section of the License - * file that accompanied this code. - * - * Modifications: - * If applicable, add the following below the License Header, with the fields - * enclosed by brackets [] replaced by your own identifying information: - * "Portions Copyright [year] [name of copyright owner]" - * - * Contributor(s): - * If you wish your version of this file to be governed by only the CDDL or - * only the GPL Version 2, indicate your decision by adding "[Contributor] - * elects to include this software in this distribution under the [CDDL or GPL - * Version 2] license." If you don't indicate a single choice of license, a - * recipient has the option to distribute your version of this file under - * either the CDDL, the GPL Version 2 or to extend the choice of license to - * its licensees as provided above. 
However, if you add GPL Version 2 code - * and therefore, elected the GPL Version 2 license, then the option applies - * only if the new code is made subject to such option by the copyright - * holder. - * - */ - -package fish.payara.samples.mpjwt.fish6022; - -import java.io.IOException; - -import jakarta.inject.Inject; -import jakarta.servlet.ServletException; -import jakarta.servlet.annotation.WebServlet; -import jakarta.servlet.http.HttpServlet; -import jakarta.servlet.http.HttpServletRequest; -import jakarta.servlet.http.HttpServletResponse; - -import org.eclipse.microprofile.jwt.JsonWebToken; - -@WebServlet("/servlet") -public class PublicServlet extends HttpServlet { - @Inject - JsonWebToken jwt; - - @Override - protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { - if (req.getParameter("token") != null) { - resp.getWriter().println(jwt.getRawToken()); - } else { - resp.getWriter().println("ok"); - } - } -} diff --git a/appserver/tests/payara-samples/samples/reproducers/src/main/java/fish/payara/samples/mpjwt/fish6022/RootResource.java b/appserver/tests/payara-samples/samples/reproducers/src/main/java/fish/payara/samples/mpjwt/fish6022/RootResource.java deleted file mode 100644 index 8c60c0550b5..00000000000 --- a/appserver/tests/payara-samples/samples/reproducers/src/main/java/fish/payara/samples/mpjwt/fish6022/RootResource.java +++ /dev/null 
@@ -1,68 +0,0 @@ -/* - * - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER. - * - * Copyright (c) 2022 Payara Foundation and/or its affiliates. All rights reserved. - * - * The contents of this file are subject to the terms of either the GNU - * General Public License Version 2 only ("GPL") or the Common Development - * and Distribution License("CDDL") (collectively, the "License"). You - * may not use this file except in compliance with the License. You can - * obtain a copy of the License at - * https://github.com/payara/Payara/blob/master/LICENSE.txt - * See the License for the specific - * language governing permissions and limitations under the License. - * - * When distributing the software, include this License Header Notice in each - * file and include the License file at glassfish/legal/LICENSE.txt. - * - * GPL Classpath Exception: - * The Payara Foundation designates this particular file as subject to the "Classpath" - * exception as provided by the Payara Foundation in the GPL Version 2 section of the License - * file that accompanied this code. - * - * Modifications: - * If applicable, add the following below the License Header, with the fields - * enclosed by brackets [] replaced by your own identifying information: - * "Portions Copyright [year] [name of copyright owner]" - * - * Contributor(s): - * If you wish your version of this file to be governed by only the CDDL or - * only the GPL Version 2, indicate your decision by adding "[Contributor] - * elects to include this software in this distribution under the [CDDL or GPL - * Version 2] license." If you don't indicate a single choice of license, a - * recipient has the option to distribute your version of this file under - * either the CDDL, the GPL Version 2 or to extend the choice of license to - * its licensees as provided above. 
However, if you add GPL Version 2 code - * and therefore, elected the GPL Version 2 license, then the option applies - * only if the new code is made subject to such option by the copyright - * holder. - * - */ - -package fish.payara.samples.mpjwt.fish6022; - -import jakarta.enterprise.context.RequestScoped; -import jakarta.inject.Inject; -import jakarta.ws.rs.GET; -import jakarta.ws.rs.Path; - -import org.eclipse.microprofile.jwt.JsonWebToken; - -@Path("/") -@RequestScoped -public class RootResource { - @Inject - JsonWebToken jwt; - - @GET - public String get() { - return "everything's allright"; - } - - @Path("token") - @GET - public String tryReadingToken() { - return jwt.getRawToken(); - } -} diff --git a/appserver/tests/payara-samples/samples/reproducers/src/test/java/fish/payara/samples/mpjwt/fish6022/InvalidTokenOnPublicEndpointTest.java b/appserver/tests/payara-samples/samples/reproducers/src/test/java/fish/payara/samples/mpjwt/fish6022/InvalidTokenOnPublicEndpointTest.java deleted file mode 100644 index 10ed537d3ba..00000000000 --- a/appserver/tests/payara-samples/samples/reproducers/src/test/java/fish/payara/samples/mpjwt/fish6022/InvalidTokenOnPublicEndpointTest.java +++ /dev/null 
@@ -1,118 +0,0 @@ -/* - * - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER. - * - * Copyright (c) 2022 Payara Foundation and/or its affiliates. All rights reserved. - * - * The contents of this file are subject to the terms of either the GNU - * General Public License Version 2 only ("GPL") or the Common Development - * and Distribution License("CDDL") (collectively, the "License"). You - * may not use this file except in compliance with the License. You can - * obtain a copy of the License at - * https://github.com/payara/Payara/blob/master/LICENSE.txt - * See the License for the specific - * language governing permissions and limitations under the License. - * - * When distributing the software, include this License Header Notice in each - * file and include the License file at glassfish/legal/LICENSE.txt. - * - * GPL Classpath Exception: - * The Payara Foundation designates this particular file as subject to the "Classpath" - * exception as provided by the Payara Foundation in the GPL Version 2 section of the License - * file that accompanied this code. - * - * Modifications: - * If applicable, add the following below the License Header, with the fields - * enclosed by brackets [] replaced by your own identifying information: - * "Portions Copyright [year] [name of copyright owner]" - * - * Contributor(s): - * If you wish your version of this file to be governed by only the CDDL or - * only the GPL Version 2, indicate your decision by adding "[Contributor] - * elects to include this software in this distribution under the [CDDL or GPL - * Version 2] license." If you don't indicate a single choice of license, a - * recipient has the option to distribute your version of this file under - * either the CDDL, the GPL Version 2 or to extend the choice of license to - * its licensees as provided above. 
However, if you add GPL Version 2 code - * and therefore, elected the GPL Version 2 license, then the option applies - * only if the new code is made subject to such option by the copyright - * holder. - * - */ - -package fish.payara.samples.mpjwt.fish6022; - - -import java.net.URI; - -import jakarta.persistence.criteria.Root; -import jakarta.ws.rs.client.Client; -import jakarta.ws.rs.client.ClientBuilder; -import jakarta.ws.rs.client.WebTarget; -import jakarta.ws.rs.core.Response; - -import org.jboss.arquillian.container.test.api.Deployment; -import org.jboss.arquillian.junit.Arquillian; -import org.jboss.arquillian.test.api.ArquillianResource; -import org.jboss.shrinkwrap.api.ShrinkWrap; -import org.jboss.shrinkwrap.api.asset.StringAsset; -import org.jboss.shrinkwrap.api.spec.WebArchive; -import org.junit.Test; -import org.junit.runner.RunWith; - -import static org.junit.Assert.assertEquals; - -@RunWith(Arquillian.class) -public class InvalidTokenOnPublicEndpointTest { - static final String MPCONFIG = "mp.jwt.verify.issuer=airhacks\n" - + "mp.jwt.verify" - + ".publickey=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAin3fGoTp6LNzNd5NtITVrQUl2vxnKGr249mRbHw02cZhLStaUMMFt8DR2Z5HfM8upR" - + "+0Y6bnlrn3dQdm4kE5ri1vr05mWhjF1wGflKaux54VtXTR8Xuu1zeZzasxgxYeYp680r9pkYJw7kK4QYx4tEMo5FHKsitIOnTxxAT3+mpMVQEOPjTkt2r929p82XYO9WRR" - + "/OwLcHH28s9epY+eNfQIjZ2FHawF2NJeyN3fUyJqUdRsrKoodorOoog" - + "/mMFimYB1XbctBeZRBE8utLtbyP8hhR2NkvAzGcmy7d7bS9aRbdH236DCcREg5iDpNCt5rDcHLO7ScDKEMMz/jFJ9zwIDAQAB"; - - static final String AUTH = "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"; - - @Deployment - public static WebArchive deployment() { - return ShrinkWrap.create(WebArchive.class) - .addClasses(JaxrsApplication.class, RootResource.class, PublicServlet.class) - .addAsManifestResource(new StringAsset(MPCONFIG), "microprofile-config.properties"); - } - - @ArquillianResource 
- URI base;
-
- @Test
- public void passesWithoutTokenAccess() {
- WebTarget target = ClientBuilder.newClient().target(base).path("resources");
-
- Response response = target.request().header("Authorization", AUTH).get();
- assertEquals(200, response.getStatus());
- }
-
- @Test
- public void unauthorizedOnTokenAccess() {
- WebTarget target = ClientBuilder.newClient().target(base).path("resources").path("token");
-
- Response response = target.request().header("Authorization", AUTH).get();
- assertEquals(401, response.getStatus());
- }
-
- @Test
- public void servletPassesWithoutTokenAccess() {
- WebTarget target = ClientBuilder.newClient().target(base).path("servlet");
-
- Response response = target.request().header("Authorization", AUTH).get();
- assertEquals(200, response.getStatus());
- }
-
- @Test
- public void servletUnauthorizedOnTokenAccess() {
- WebTarget target = ClientBuilder.newClient().target(base).path("servlet");
-
- Response response = target.queryParam("token", "true").request().header("Authorization", AUTH).get();
- assertEquals(500, response.getStatus());
- }
-
-}
diff --git a/appserver/web/web-core/src/main/java/org/apache/catalina/authenticator/AuthenticatorBase.java b/appserver/web/web-core/src/main/java/org/apache/catalina/authenticator/AuthenticatorBase.java
index 420f30fa520..2d5d91f9d77 100644
--- a/appserver/web/web-core/src/main/java/org/apache/catalina/authenticator/AuthenticatorBase.java
+++ b/appserver/web/web-core/src/main/java/org/apache/catalina/authenticator/AuthenticatorBase.java
@@ -768,9 +768,6 @@ protected void register(HttpRequest request, HttpResponse response, Principal pr
 assert (realm != null);
 sso.register(value, principal, authType, username, password, realm);
 // END S1AS8 PE 4856080,4918627
- if (session != null) {
- sso.associate(value, 0, session);
- }
 request.setNote(Constants.REQ_SSOID_NOTE, value);
 if (sso.isVersioningSupported()) {
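Review bot: Dropping `sso.associate(value, 0, session)` right after `sso.register(...)` means the new SSO entry is no longer linked to the HTTP session that exists at login time, so whatever that link enabled — presumably reaching the session when the SSO entry is logged out or expires — is lost for that session; if this revert is intentional, the reason belongs next to `sso.register`, e.g. `// the login session is deliberately not associated with the SSO entry here (reference the issue that motivated the revert)`. `register` starts and ends outside the hunk, so any later association is not visible here.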
@@ -810,9 +807,6 @@ public void logout(HttpRequest request) throws ServletException {
 if (session != null) {
 session.setPrincipal(null);
 session.setAuthType(null);
- if (session.getSsoId() != null) {
- session.expire();
- }
 }
 // principal and authType set to null in the following
diff --git a/appserver/web/web-glue/src/main/java/com/sun/enterprise/security/web/GlassFishSingleSignOn.java b/appserver/web/web-glue/src/main/java/com/sun/enterprise/security/web/GlassFishSingleSignOn.java
index 680c4a5242d..55614bb0610 100644
--- a/appserver/web/web-glue/src/main/java/com/sun/enterprise/security/web/GlassFishSingleSignOn.java
+++ b/appserver/web/web-glue/src/main/java/com/sun/enterprise/security/web/GlassFishSingleSignOn.java
@@ -337,7 +337,7 @@ public int invoke(final Request request, final Response response) {
 }
 String realmName = realm.getRealmName();
- if (realmName == null || realmName.isEmpty()) {
+ if (realmName == null) {
 // S1AS8 6155481 START
 if (logger.isLoggable(Level.FINE)) {
 logger.log(Level.FINE, LogFacade.NO_REALM_CONFIGURED);
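Review bot: With the `session.expire()` branch removed, `logout` now only nulls the principal and auth type on the session and leaves the session itself — and every attribute stored in it — alive, so a client that logs out keeps a valid session id that the next login on that browser reuses; if expiring SSO-backed sessions here caused a regression, applications should at least be told to call `HttpSession.invalidate()` themselves, and that caveat belongs in the Javadoc of `logout`. `logout` continues outside the hunk, so any handling further down is not visible here.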
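Review bot: Removing `|| realmName.isEmpty()` means an empty-string realm name no longer takes the "no realm configured" path and instead flows into the SSO handling below, which is outside the hunk; if that code keys or compares SSO entries by realm name, an empty name could be matched against entries it should not. Either keep the `isEmpty()` guard or add a comment stating why an empty realm name is valid at this point, e.g. `// an empty realm name is accepted here because ...` with the actual reason.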