Merge pull request #24890 from arjantijms/8.0

Integrate Jakarta Authorization M4 API and other updated EE 11 APIs

appserver/deployment/dol/src/main/java/com/sun/enterprise/deployment/WebBundleDescriptor.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022, 2023 Contributors to the Eclipse Foundation
+ * Copyright (c) 2022, 2024 Contributors to the Eclipse Foundation
  * Copyright (c) 1997, 2018 Oracle and/or its affiliates. All rights reserved.
  *
  * This program and the accompanying materials are made available under the
@@ -82,6 +82,8 @@ public abstract class WebBundleDescriptor extends CommonResourceBundleDescriptor
     private boolean showArchivedRealPathEnabled = true;
     private JspConfigDefinitionDescriptor jspConfigDescriptor;
 
+    private ClassLoader applicationClassLoader;
+
     /**
      * An entry here, may be set to indicate additional processing.
      * This entry may be set, for example, by a Deployer.
@@ -384,6 +386,19 @@ public void setJspConfigDescriptor(JspConfigDefinitionDescriptor descriptor) {
         jspConfigDescriptor = descriptor;
     }
 
+    /**
+     * @return the applicationClassLoader
+     */
+    public ClassLoader getApplicationClassLoader() {
+        return applicationClassLoader;
+    }
+
+    /**
+     * @param applicationClassLoader the applicationClassLoader to set
+     */
+    public void setApplicationClassLoader(ClassLoader applicationClassLoader) {
+        this.applicationClassLoader = applicationClassLoader;
+    }
 
     /**
      * This property can be used to indicate a special processing to an extension.

appserver/deployment/dol/src/main/java/com/sun/enterprise/deployment/util/ComponentValidator.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022, 2023 Contributors to the Eclipse Foundation
+ * Copyright (c) 2022, 2024 Contributors to the Eclipse Foundation
  * Copyright (c) 1997, 2020 Oracle and/or its affiliates. All rights reserved.
  *
  * This program and the accompanying materials are made available under the
@@ -17,6 +17,11 @@
 
 package com.sun.enterprise.deployment.util;
 
+import static com.sun.enterprise.deployment.MethodDescriptor.EJB_LOCAL;
+import static com.sun.enterprise.deployment.MethodDescriptor.EJB_REMOTE;
+import static com.sun.enterprise.util.Utility.isEmpty;
+import static org.glassfish.api.naming.SimpleJndiName.JNDI_CTX_JAVA_COMPONENT;
+
 import com.sun.enterprise.deployment.Application;
 import com.sun.enterprise.deployment.BundleDescriptor;
 import com.sun.enterprise.deployment.EjbBundleDescriptor;
@@ -35,12 +40,9 @@
 import com.sun.enterprise.deployment.types.EjbReference;
 import com.sun.enterprise.deployment.types.MessageDestinationReferencer;
 import com.sun.enterprise.util.LocalStringManagerImpl;
-
 import java.lang.reflect.Field;
 import java.lang.reflect.Method;
-import java.security.AccessController;
 import java.security.Principal;
-import java.security.PrivilegedAction;
 import java.util.Collection;
 import java.util.HashMap;
 import java.util.HashSet;
@@ -51,17 +53,11 @@
 import java.util.logging.Level;
 import java.util.logging.LogRecord;
 import java.util.logging.Logger;
-
 import javax.security.auth.Subject;
-
 import org.glassfish.api.deployment.archive.ArchiveType;
 import org.glassfish.api.naming.SimpleJndiName;
 import org.glassfish.logging.annotation.LogMessageInfo;
 
-import static com.sun.enterprise.deployment.MethodDescriptor.EJB_LOCAL;
-import static com.sun.enterprise.deployment.MethodDescriptor.EJB_REMOTE;
-import static org.glassfish.api.naming.SimpleJndiName.JNDI_CTX_JAVA_COMPONENT;
-
 /**
  * @author  dochez
  */
@@ -138,12 +134,7 @@ private enum EjbIntfType {
     }
 
     private static class EjbIntfInfo {
-
         Set<EjbDescriptor> ejbs;
-
-        // Only set when there is one ejb in the set.
-        // Otherwise, value = NONE
-        EjbIntfType intfType;
     }
 
 
@@ -620,12 +611,9 @@ private void addIntfInfo(Map<String, EjbIntfInfo> intfInfoMap,
             EjbIntfInfo newInfo = new EjbIntfInfo();
             newInfo.ejbs = new HashSet<>();
             newInfo.ejbs.add(ejbDesc);
-            newInfo.intfType = intfType;
             intfInfoMap.put(intf, newInfo);
         } else {
             intfInfo.ejbs.add(ejbDesc);
-            // Since there's more than one match, reset intf type.
-            intfInfo.intfType = EjbIntfType.NONE;
         }
 
     }
@@ -785,38 +773,33 @@ protected void acceptWithoutCL(InjectionCapable injectable) {
      * @exception RuntimeException
      */
     protected void computeRunAsPrincipalDefault(RunAsIdentityDescriptor runAs, Application application) {
-        // for backward compatibile
-        if (runAs != null && (runAs.getRoleName() == null || runAs.getRoleName().isEmpty())) {
+        // For backward compatibility
+        if (runAs != null && isEmpty(runAs.getRoleName())) {
             LOG.log(Level.WARNING, "enterprise.deployment.backend.emptyRoleName");
             return;
         }
 
-        if (runAs != null && (runAs.getPrincipal() == null || runAs.getPrincipal().isEmpty()) && application != null
-            && application.getRoleMapper() != null) {
+        if (runAs != null && isEmpty(runAs.getPrincipal()) && application != null  && application.getRoleMapper() != null) {
 
             String principalName = null;
             String roleName = runAs.getRoleName();
-            final Subject fs = application.getRoleMapper().getRoleToSubjectMapping().get(roleName);
-            if (fs != null) {
-                PrivilegedAction<String> action = () -> {
-                    Set<Principal> pset = fs.getPrincipals();
-                    if (pset.isEmpty()) {
-                        return null;
-                    }
-                    String name = pset.iterator().next().getName();
+            Subject subject = application.getRoleMapper().getRoleToSubjectMapping().get(roleName);
+            if (subject != null) {
+                Set<Principal> principals = subject.getPrincipals();
+                if (!principals.isEmpty()) {
+                    principalName = principals.iterator().next().getName();
                     LOG.log(Level.WARNING,
                         "The run-as principal {0} was assigned by the deployment system based"
                             + " on the specified role. Please consider defining an explicit run-as principal"
                             + " in the sun-specific deployment descriptor.",
-                        name);
-                    return name;
-                };
-                principalName = AccessController.doPrivileged(action);
+                            principalName);
+                }
             }
 
-            if (principalName == null || principalName.isEmpty()) {
+            if (isEmpty(principalName)) {
                 throw new RuntimeException("The RunAs role \"" + roleName + "\" is not mapped to a principal.");
             }
+
             runAs.setPrincipal(principalName);
         }
     }

appserver/pom.xml

@@ -85,7 +85,7 @@
         <mojarra.version>4.1.0-M2</mojarra.version>
 
         <!-- Jakarta WebSocket -->
-        <jakarta.websocket-api.version>2.2.0-M1</jakarta.websocket-api.version>
+        <jakarta.websocket-api.version>2.2.0</jakarta.websocket-api.version>
         <tyrus.version>2.2.0-M1</tyrus.version>
 
         <!-- Jakarta Concurrency -->
@@ -98,11 +98,11 @@
         <!-- Jakarta Security + Authentication/Authorization -->
         <!-- APIs -->
         <jakarta.security-api.version>4.0.0-M2</jakarta.security-api.version>
-        <jakarta.authorization-api.version>3.0.0-M2</jakarta.authorization-api.version>
+        <jakarta.authorization-api.version>3.0.0-M4</jakarta.authorization-api.version>
         <jakarta.authentication-api.version>3.1.0-M1</jakarta.authentication-api.version>
         <!-- Implementations -->
         <soteria.version>4.0.0-M2</soteria.version>
-        <exousia.version>3.0.0-M2</exousia.version>
+        <exousia.version>3.0.0-M3</exousia.version>
         <epicyro.version>3.1.0-M1</epicyro.version>
         <!-- Dependencies -->
         <nimbus.version>9.38-rc3</nimbus.version>
@@ -138,7 +138,7 @@
         <yasson.version>3.0.3</yasson.version>
 
         <!-- Jakarta Pages and Jakarta Standard Tag Library -->
-        <jakarta.pages-api.version>4.0.0-M2</jakarta.pages-api.version>
+        <jakarta.pages-api.version>4.0.0</jakarta.pages-api.version>
         <jstl-api.version>3.0.0</jstl-api.version>
         <wasp.version>4.0.0-M1</wasp.version>
 

appserver/security/core-ee/src/main/java/com/sun/enterprise/security/ee/SecurityDeployer.java

@@ -175,6 +175,7 @@ protected void generateArtifacts(DeploymentContext deploymentContext) throws Dep
             }
 
             for (WebBundleDescriptor webBundleDescriptor : webBundleDescriptors) {
+                webBundleDescriptor.setApplicationClassLoader(deploymentContext.getFinalClassLoader());
                 loadWebPolicy(webBundleDescriptor, false);
             }
 

appserver/security/core-ee/src/main/java/com/sun/enterprise/security/ee/web/integration/WebSecurityManager.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022, 2023 Contributors to the Eclipse Foundation
+ * Copyright (c) 2022, 2024 Contributors to the Eclipse Foundation
  * Copyright (c) 1997, 2021 Oracle and/or its affiliates. All rights reserved.
  *
  * This program and the accompanying materials are made available under the
@@ -45,8 +45,10 @@
 import com.sun.enterprise.security.ee.authorize.cache.CachedPermissionImpl;
 import com.sun.enterprise.security.ee.authorize.cache.PermissionCache;
 import com.sun.enterprise.security.ee.authorize.cache.PermissionCacheFactory;
+import jakarta.security.jacc.PolicyConfigurationFactory;
 import jakarta.security.jacc.PolicyContext;
 import jakarta.security.jacc.PolicyContextException;
+import jakarta.security.jacc.PolicyFactory;
 import jakarta.security.jacc.WebResourcePermission;
 import jakarta.security.jacc.WebUserDataPermission;
 import jakarta.servlet.http.HttpServletRequest;
@@ -125,6 +127,20 @@ public class WebSecurityManager {
 
         initialise(appName);
 
+        webBundleDescriptor.getContextParameters()
+                           .stream()
+                           .filter(param -> param.getName().equals(PolicyConfigurationFactory.FACTORY_NAME))
+                           .findAny()
+                           .map(param -> loadFactory(webBundleDescriptor, param.getValue()))
+                           .ifPresent(clazz -> installPolicyConfigurationFactory(webBundleDescriptor, clazz));
+
+        webBundleDescriptor.getContextParameters()
+                           .stream()
+                           .filter(param -> param.getName().equals(PolicyFactory.FACTORY_NAME))
+                           .findAny()
+                           .map(param -> loadFactory(webBundleDescriptor, param.getValue()))
+                           .ifPresent(clazz -> installPolicyFactory(webBundleDescriptor, clazz));
+
         authorizationService = new AuthorizationService(
             getContextID(webBundleDescriptor),
             () -> SecurityContext.getCurrent().getSubject(),
@@ -144,8 +160,7 @@ public class WebSecurityManager {
             getSecurityRoleRefsFromBundle(webBundleDescriptor));
     }
 
-    // fix for CR 6155144
-    // used to get the policy context id. Also used by the RealmAdapter
+    // Used to get the policy context id. Also used by the RealmAdapter
     public static String getContextID(WebBundleDescriptor webBundleDescriptor) {
         return SecurityUtil.getContextID(webBundleDescriptor);
     }
@@ -362,6 +377,37 @@ private void initialise(String appName) throws PolicyContextException {
         initPermissionCache();
     }
 
+    private Class<?> loadFactory(WebBundleDescriptor webBundleDescriptor, String factoryClassName) {
+        try {
+            return
+                webBundleDescriptor.getApplicationClassLoader()
+                                   .loadClass(factoryClassName);
+
+        } catch (Exception e) {
+            throw new IllegalStateException(e);
+        }
+    }
+
+    private void installPolicyConfigurationFactory(WebBundleDescriptor webBundleDescriptor, Class<?> factoryClass) {
+        ClassLoader existing = Thread.currentThread().getContextClassLoader();
+        try {
+            Thread.currentThread().setContextClassLoader(webBundleDescriptor.getApplicationClassLoader());
+            AuthorizationService.installPolicyConfigurationFactory(factoryClass);
+        } finally {
+            Thread.currentThread().setContextClassLoader(existing);
+        }
+    }
+
+    private void installPolicyFactory(WebBundleDescriptor webBundleDescriptor, Class<?> factoryClass) {
+        ClassLoader existing = Thread.currentThread().getContextClassLoader();
+        try {
+            Thread.currentThread().setContextClassLoader(webBundleDescriptor.getApplicationClassLoader());
+            AuthorizationService.installPolicyFactory(factoryClass);
+        } finally {
+            Thread.currentThread().setContextClassLoader(existing);
+        }
+    }
+
     private void initPermissionCache() {
         if (uncheckedPermissionCache == null) {
             if (register) {

nucleus/parent/pom.xml

@@ -74,10 +74,10 @@
         <expressly.version>6.0.0-M1</expressly.version>
 
         <!-- Jakarta Servlet -->
-        <jakarta.servlet-api.version>6.1.0-M2</jakarta.servlet-api.version>
+        <jakarta.servlet-api.version>6.1.0</jakarta.servlet-api.version>
 
         <!-- Jakarta Validation -->
-        <jakarta.validation-api.version>3.1.0-M1</jakarta.validation-api.version>
+        <jakarta.validation-api.version>3.1.0</jakarta.validation-api.version>
         <hibernate-validator.version>8.0.1.Final</hibernate-validator.version>
 
         <!-- Jakarta Web Services -->