Another sync with master

Jenkinsfile

@@ -216,7 +216,7 @@ spec:
       }
       post {
         always {
-          archiveArtifacts artifacts: "**/server.log", onlyIfSuccessful: false
+          archiveArtifacts artifacts: "**/server.log*", onlyIfSuccessful: false
           junit testResults: '**/*-reports/*.xml', allowEmptyResults: false
         }
       }

appserver/deployment/dol/src/main/java/com/sun/enterprise/deployment/node/runtime/common/DescriptorPrincipalName.java

@@ -0,0 +1,75 @@
+/*
+ * Copyright (c) 2024 Contributors to the Eclipse Foundation.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package com.sun.enterprise.deployment.node.runtime.common;
+
+import java.io.Serializable;
+import java.security.Principal;
+import java.util.Objects;
+
+import org.glassfish.security.common.UserPrincipal;
+
+/**
+ * {@link Principal} loaded from XML descriptor.
+ * When the equals method is used, it compares just principal names and that the other object
+ * is an {@link Principal} instance too.
+ */
+// Must be UserPrincipal, because RoleMapper.internalAssignRole knows just that and Group.
+public class DescriptorPrincipalName implements UserPrincipal, Serializable {
+
+    private static final long serialVersionUID = -640182254691955451L;
+
+    private final String name;
+
+    /**
+     * @param name must not be null.
+     */
+    public DescriptorPrincipalName(String name) {
+        this.name = Objects.requireNonNull(name, "XML principal-name element must not be null.");
+    }
+
+
+    @Override
+    public String getName() {
+        return name;
+    }
+
+
+    @Override
+    public int hashCode() {
+        return name.hashCode();
+    }
+
+
+    /**
+     * We match user principals just by name.
+     * This is used in Jakarta Security to resolve authorisation.
+     */
+    @Override
+    public boolean equals(Object o) {
+        if (o instanceof Principal) {
+            Principal other = (Principal) o;
+            return getName().equals(other.getName());
+        }
+        return false;
+    }
+
+
+    @Override
+    public String toString() {
+        return getClass().getSimpleName() + "[" + getName() + "]";
+    }
+}

appserver/deployment/dol/src/main/java/com/sun/enterprise/deployment/runtime/common/PrincipalNameDescriptor.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022 Contributors to the Eclipse Foundation
+ * Copyright (c) 2022, 2024 Contributors to the Eclipse Foundation
  * Copyright (c) 1997, 2018 Oracle and/or its affiliates. All rights reserved.
  *
  * This program and the accompanying materials are made available under the
@@ -17,11 +17,12 @@
 
 package com.sun.enterprise.deployment.runtime.common;
 
+import com.sun.enterprise.deployment.node.runtime.common.DescriptorPrincipalName;
+
 import java.lang.reflect.Constructor;
 import java.security.Principal;
 
 import org.glassfish.deployment.common.Descriptor;
-import org.glassfish.security.common.UserNameAndPassword;
 
 /**
  * This is an in memory representation of the principal-name with its name of
@@ -53,7 +54,7 @@ public String getName() {
      */
     public String getClassName() {
         if (className == null) {
-            return UserNameAndPassword.class.getName();
+            return DescriptorPrincipalName.class.getName();
         }
         return className;
     }

appserver/itest-tools/src/main/java/org/glassfish/main/itest/tools/TestUtilities.java

@@ -0,0 +1,68 @@
+/*
+ * Copyright (c) 2024 Contributors to the Eclipse Foundation.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package org.glassfish.main.itest.tools;
+
+import java.io.File;
+import java.io.IOException;
+import java.nio.file.Files;
+import java.util.HashSet;
+import java.util.Set;
+
+/**
+ * Tools useful just for tests, so they don't belong to any application code.
+ */
+public final class TestUtilities {
+
+    private TestUtilities() {
+        // hidden
+    }
+
+
+    /**
+     * Deletes files if they exist.
+     * If it existed but was not possible to delete the file, uses NIO to delete it again - NIO
+     * throws an exception in such case.
+     * <p>
+     * Attempts to delete all files and throws the {@link IOException} if any of them was not
+     * possible to delete. Therefore this method should be the last call in your cleanup method (ie.
+     * AfterEach or AfterAll)
+     *
+     * @param files files to delete
+     * @throws IOException some files were not deleted.
+     */
+    public static void delete(final File... files) throws IOException {
+        final Set<File> failed = new HashSet<>(files.length);
+        for (File file : files) {
+            if (file == null || !file.exists() || file.delete()) {
+                continue;
+            }
+            failed.add(file);
+        }
+        if (failed.isEmpty()) {
+            return;
+        }
+        final IOException failures = new IOException("Could not delete files: " + failed);
+        for (File file : failed) {
+            try {
+                Files.delete(file.toPath());
+            } catch (IOException e) {
+                failures.addSuppressed(e);
+            }
+        }
+        throw failures;
+    }
+}

appserver/security/core-ee/src/main/java/com/sun/enterprise/security/ee/acl/RoleMapper.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022 Contributors to the Eclipse Foundation
+ * Copyright (c) 2022, 2024 Contributors to the Eclipse Foundation
  * Copyright (c) 1997, 2018 Oracle and/or its affiliates. All rights reserved.
  *
  * This program and the accompanying materials are made available under the
@@ -17,17 +17,10 @@
 
 package com.sun.enterprise.security.ee.acl;
 
-import static com.sun.enterprise.util.Utility.isEmpty;
-import static java.util.Collections.emptySet;
-import static java.util.Collections.enumeration;
-import static java.util.logging.Level.FINE;
-import static java.util.logging.Level.SEVERE;
-import static java.util.logging.Level.WARNING;
-import static java.util.stream.Collectors.toSet;
-
 import com.sun.enterprise.config.serverbeans.SecurityService;
 import com.sun.enterprise.security.auth.login.DistinguishedPrincipalCredential;
 import com.sun.logging.LogDomains;
+
 import java.io.Serializable;
 import java.security.Principal;
 import java.util.Enumeration;
@@ -36,9 +29,10 @@
 import java.util.Iterator;
 import java.util.Map;
 import java.util.Set;
-import java.util.logging.Level;
 import java.util.logging.Logger;
+
 import javax.security.auth.Subject;
+
 import org.glassfish.api.admin.ServerEnvironment;
 import org.glassfish.deployment.common.RootDeploymentDescriptor;
 import org.glassfish.deployment.common.SecurityRoleMapper;
@@ -48,6 +42,14 @@
 import org.glassfish.security.common.UserNameAndPassword;
 import org.glassfish.security.common.UserPrincipal;
 
+import static com.sun.enterprise.util.Utility.isEmpty;
+import static java.util.Collections.emptySet;
+import static java.util.Collections.enumeration;
+import static java.util.logging.Level.FINE;
+import static java.util.logging.Level.SEVERE;
+import static java.util.logging.Level.WARNING;
+import static java.util.stream.Collectors.toSet;
+
 /**
  * This Object maintains a mapping of users and groups to application specific Roles. Using this object this mapping
  * information could be maintained and queried at a later time. This is a complete rewrite of the previous RoleMapper
@@ -259,7 +261,6 @@ public void unassignPrincipalFromRole(Role role, Principal principal) {
         }
     }
 
-
     @Override
     public Iterator<String> getRoles() {
         return roleToSubject.keySet().iterator(); // All the roles
@@ -314,9 +315,6 @@ public String toString() {
             }
             s.append(")");
         }
-
-        LOG.log(Level.FINER, () -> s.toString());
-
         return s.toString();
     }
 
@@ -355,7 +353,7 @@ private String getDefaultPrincipalToRoleMappingClassName() {
 
             return className;
         } catch (Exception e) {
-            LOG.log(SEVERE, "pc.getDefaultP2RMappingClass: " + e);
+            LOG.log(SEVERE, "pc.getDefaultP2RMappingClass: " + className, e);
             return null;
         }
     }
@@ -383,8 +381,7 @@ public Principal getCallerPrincipal(Subject subject) {
             subject.getPublicCredentials()
                    .stream()
                    .filter(DistinguishedPrincipalCredential.class::isInstance)
-                   .map(DistinguishedPrincipalCredential.class::cast)
-                   .map(e -> e.getPrincipal())
+                   .map(Principal.class::cast)
                    .findAny()
                    .orElse(subject.getPrincipals()
                        .stream()
@@ -397,17 +394,15 @@ private Set<String> getCallerPrincipalNames(Subject subject) {
         return
             subject.getPrincipals()
                    .stream()
-                   .filter(e -> e instanceof UserNameAndPassword)
-                   .map(e -> e.getName())
+                   .filter(UserPrincipal.class::isInstance)
+                   .map(Principal::getName)
                    .collect(toSet());
     }
 
     // The method that does the work for assignRole().
     private void internalAssignRole(Principal principal, Role role) {
         String roleName = role.getName();
-        if (LOG.isLoggable(FINE)) {
-            LOG.log(FINE, "SECURITY:RoleMapper Assigning Role {0} to {1}", new Object[] {roleName, principal});
-        }
+        LOG.log(FINE, "SECURITY:RoleMapper Assigning Role {0} to {1}", new Object[] {roleName, principal});
 
         addRoleToSubject(principal, roleName);
 
@@ -464,19 +459,17 @@ private void checkAndAddMappings() {
 
             if (topLevelRoles != null && topLevelRoles.contains(role)) {
                 logConflictWarning();
-                LOG.log(FINE, () ->
-                        "Role " + role + " from module " + currentMapping.owner + " is being overridden by top-level mapping.");
-
+                LOG.log(FINE, "Role {0} from module {1} is being overridden by top-level mapping.",
+                    new Object[] {role, currentMapping.owner});
                 continue;
             }
 
             if (currentMapping.owner.equals(TOP_LEVEL)) {
                 topLevelRoles.add(role);
                 if (roleToSubject.keySet().contains(role.getName())) {
                     logConflictWarning();
-                    LOG.log(FINE, () ->
-                            "Role " + role + " from top-level mapping descriptor is " + "overriding existing role in sub module.");
-
+                    LOG.log(FINE,
+                        "Role {0} from top-level mapping descriptor is overriding existing role in sub module.", role);
                     unassignRole(role);
                 }
 
@@ -501,9 +494,8 @@ private void checkAndAddMappings() {
     private boolean roleConflicts(Role r, Set<Principal> ps) {
         // check to see if there has been a previous conflict
         if (conflictedRoles != null && conflictedRoles.contains(r)) {
-            LOG.log(FINE,
-                    () -> "Role " + r + " from module " + currentMapping.owner + " has already had a conflict with other modules.");
-
+            LOG.log(FINE, "Role {0} from module {1} has already had a conflict with other modules.",
+                new Object[] {r, currentMapping.owner});
             return true;
         }
 
@@ -520,10 +512,8 @@ private boolean roleConflicts(Role r, Set<Principal> ps) {
         actualNum += pSet == null ? 0 : pSet.size();
         actualNum += gSet == null ? 0 : gSet.size();
         if (targetNumPrin != actualNum) {
-            if (LOG.isLoggable(FINE)) {
-                LOG.log(FINE, "Module " + currentMapping.owner + " has different number of mappings for role " + r.getName()
-                        + " than other mapping files");
-            }
+            LOG.log(FINE, "Module {0} has different number of mappings for role {1} than other mapping files",
+                new Object[] {currentMapping.owner, r.getName()});
 
             if (conflictedRoles == null) {
                 conflictedRoles = new HashSet<>();
@@ -546,9 +536,8 @@ private boolean roleConflicts(Role r, Set<Principal> ps) {
             }
 
             if (fail) {
-                if (LOG.isLoggable(FINE)) {
-                    LOG.log(FINE, "Role " + r + " in module " + currentMapping.owner + " is not included in other modules.");
-                }
+                LOG.log(FINE, "Role {0} in module {1} is not included in other modules.",
+                    new Object[] {r, currentMapping.owner});
 
                 if (conflictedRoles == null) {
                     conflictedRoles = new HashSet<>();