Added interface based authentication mechanism proposal

and example RI implementation

Author: arjantijms

authentication/authentication-mechanism/jaspic-cdi-interface/README.adoc

@@ -0,0 +1,18 @@
+# jaspic-cdi-interface
+
+Proposed early draft of API and example implementation for the authentication mechanism. 
+
+The API lives in javax.security.authentication.mechanism.http
+Implementation lives in org.glassfish.jsr375
+
+Main API class is javax.security.authentication.mechanism.http.HttpAuthenticationMechanism.
+
+The concept of this proposal is that a CDI extension detects the presence of an enabled bean that implements HttpAuthenticationMechanism,
+and if found installs a JASPIC bridge SAM. This bridge SAM uses CDI to obtain the HttpAuthenticationMechanism instance and delegate its methods
+to.
+
+This in effect causes CDI to be fully available in the HttpAuthenticationMechanism, but doesn't require the JASPIC SAM itself to
+be a CDI bean.
+
+HttpAuthenticationMechanism is based on the similarly named type from the jaspic-http-sam proposal, but here it's an interface and a type to which
+a SAM delegates, but is itself not a SAM.

authentication/authentication-mechanism/jaspic-cdi-interface/pom.xml

@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed with
+   this work for additional information regarding copyright ownership.
+   The ASF licenses this file to You under the Apache License, Version 2.0
+   (the "License"); you may not use this file except in compliance with
+   the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+
+  <parent>
+    <groupId>net.java.jsr375</groupId>
+    <artifactId>authentication-mechanism</artifactId>
+    <version>1.0-SNAPSHOT</version>
+  </parent>
+
+  <artifactId>jaspic-cdi-interface</artifactId>
+
+</project>

authentication/authentication-mechanism/jaspic-cdi-interface/src/main/java/javax/security/authentication/mechanism/http/AuthenticationParameters.java

@@ -0,0 +1,41 @@
+package javax.security.authentication.mechanism.http;
+
+public interface AuthenticationParameters {
+
+    AuthenticationParameters username(String username);
+
+    AuthenticationParameters password(String passWord);
+
+    AuthenticationParameters rememberMe(boolean rememberMe);
+
+    AuthenticationParameters noPassword(boolean noPassword);
+
+    AuthenticationParameters authMethod(String authMethod);
+
+    AuthenticationParameters redirectUrl(String redirectUrl);
+
+    String getUsername();
+
+    void setUsername(String username);
+
+    String getPassword();
+
+    void setPassword(String password);
+
+    Boolean getRememberMe();
+
+    void setRememberMe(Boolean rememberMe);
+
+    String getAuthMethod();
+
+    void setAuthMethod(String authMethod);
+
+    String getRedirectUrl();
+
+    void setRedirectUrl(String redirectUrl);
+
+    Boolean getNoPassword();
+
+    void setNoPassword(Boolean noPassword);
+
+}

authentication/authentication-mechanism/jaspic-cdi-interface/src/main/java/javax/security/authentication/mechanism/http/HttpAuthenticationMechanism.java

@@ -0,0 +1,22 @@
+package javax.security.authentication.mechanism.http;
+
+import static javax.security.auth.message.AuthStatus.SEND_SUCCESS;
+
+import javax.security.auth.message.AuthException;
+import javax.security.auth.message.AuthStatus;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+public interface HttpAuthenticationMechanism {
+
+    AuthStatus validateRequest(HttpServletRequest request, HttpServletResponse response, HttpMessageContext httpMessageContext) throws AuthException;
+   
+    default AuthStatus secureResponse(HttpServletRequest request, HttpServletResponse response, HttpMessageContext httpMessageContext) throws AuthException {
+        return SEND_SUCCESS;
+    }
+    
+    default void cleanSubject(HttpServletRequest request, HttpServletResponse response, HttpMessageContext httpMessageContext) {
+        httpMessageContext.cleanClientSubject();
+    }
+
+}

authentication/authentication-mechanism/jaspic-cdi-interface/src/main/java/javax/security/authentication/mechanism/http/HttpMessageContext.java

@@ -0,0 +1,200 @@
+package javax.security.authentication.mechanism.http;
+
+import java.util.List;
+import java.util.Map;
+
+import javax.security.auth.Subject;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.message.AuthStatus;
+import javax.security.auth.message.MessageInfo;
+import javax.security.auth.message.config.ServerAuthContext;
+import javax.security.auth.message.module.ServerAuthModule;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+public interface HttpMessageContext {
+
+    /**
+     * Checks if the current request is to a protected resource or not. A protected resource
+     * is a resource (e.g. a Servlet, JSF page, JSP page etc) for which a constraint has been defined
+     * in e.g. <code>web.xml<code>.
+     * 
+     * @return true if a protected resource was requested, false if a public resource was requested.
+     */
+    boolean isProtected();
+
+    boolean isAuthenticationRequest();
+
+    /**
+     * Asks the container to register the given username and roles in order to make
+     * them available to the application for use with {@link HttpServletRequest#isUserInRole(String)} etc.
+     * <p>
+     * This will also ask the runtime to register an authentication session that will live as long as the
+     * HTTP session is valid. 
+     * <p>
+     * Note that after this call returned, the authenticated identity will not be immediately active. This
+     * will only take place (should not errors occur) after the {@link ServerAuthContext} or {@link ServerAuthModule}
+     * in which this call takes place return control back to the runtime.
+     * 
+     * @param username the user name that will become the caller principal
+     * @param roles the roles associated with the caller principal
+     */
+    void registerWithContainer(String username, List<String> roles);
+
+    /**
+     * Asks the container to register the given username and roles in order to make
+     * them available to the application for use with {@link HttpServletRequest#isUserInRole(String)} etc.
+     * <p>
+     * This will optionally (on the basis of the registerSession parameter) ask the runtime to register an 
+     * authentication session that will live as long as the HTTP session is valid. 
+     * <p>
+     * Note that after this call returned, the authenticated identity will not be immediately active. This
+     * will only take place (should not errors occur) after the {@link ServerAuthContext} or {@link ServerAuthModule}
+     * in which this call takes place return control back to the runtime.
+     * 
+     * @param username the user name that will become the caller principal
+     * @param roles the roles associated with the caller principal
+     * @param registerSession if true asks the container to register an authentication setting, if false does not ask this.
+     */
+    void registerWithContainer(String username, List<String> roles, boolean registerSession);
+
+    /**
+     * Checks if during the current request code has asked the runtime to register an authentication session.
+     * 
+     * @return true if code has asked to register an authentication session, false otherwise.
+     */
+    boolean isRegisterSession();
+
+    /**
+     * Asks the runtime to register an authentication session. This will automatically remember the logged-in status
+     * as long as the current HTTP session remains valid. Without this being asked, a SAM has to manually re-authenticate
+     * with the runtime at the start of each request.
+     * <p>
+     * Note that the user name and roles being asked is an implementation detail; there is no portable way to have
+     * an auth context read back the user name and roles that were processed by the {@link CallbackHandler}.
+     * 
+     * @param username the user name for which authentication should be be remembered
+     * @param roles the roles for which authentication should be remembered.
+     */
+    void setRegisterSession(String username, List<String> roles);
+
+    void cleanClientSubject();
+
+    /**
+     * Returns the parameters that were provided with the SecurityContect#authenticate(AuthParameters) call.
+     *  
+     * @return the parameters that were provided with the SecurityContect#authenticate(AuthParameters) call, or a default instance. Never null.
+     */
+    AuthenticationParameters getAuthParameters();
+
+    /**
+     * Returns the handler that the runtime provided to auth context.
+     * 
+     * @return the handler that the runtime provided to auth context.
+     */
+    CallbackHandler getHandler();
+
+    /**
+     * Returns the module options that were set on the auth module to which this context belongs.
+     * 
+     * @return the module options that were set on the auth module to which this context belongs.
+     */
+    Map<String, String> getModuleOptions();
+
+    /**
+     * Returns the named module option that was set on the auth module to which this context belongs.
+     * 
+     * @return the named module option that was set on the auth module to which this context belongs, or null if no option with that name was set.
+     */
+    String getModuleOption(String key);
+
+    /**
+     * Returns the message info instance for the current request.
+     * 
+     * @return the message info instance for the current request.
+     */
+    MessageInfo getMessageInfo();
+
+    /**
+     * Returns the subject for which authentication is to take place.
+     * 
+     * @return the subject for which authentication is to take place.
+     */
+    Subject getClientSubject();
+
+    /**
+     * Returns the request object associated with the current request.
+     * 
+     * @return the request object associated with the current request.
+     */
+    HttpServletRequest getRequest();
+
+    /**
+     * Returns the response object associated with the current request.
+     * 
+     * @return the response object associated with the current request.
+     */
+    HttpServletResponse getResponse();
+
+    /**
+     * Sets the response status to 401 (not found).
+     * <p>
+     * As a convenience this method returns SEND_FAILURE, so this method can be used in
+     * one fluent return statement from an auth module.
+     * 
+     * @return {@link AuthStatus#SEND_FAILURE}
+     */
+    AuthStatus responseUnAuthorized();
+
+    /**
+     * Sets the response status to 404 (not found).
+     * <p>
+     * As a convenience this method returns SEND_FAILURE, so this method can be used in
+     * one fluent return statement from an auth module.
+     * 
+     * @return {@link AuthStatus#SEND_FAILURE}
+     */
+    AuthStatus responseNotFound();
+
+    /**
+     * Asks the container to register the given username and roles in order to make
+     * them available to the application for use with {@link HttpServletRequest#isUserInRole(String)} etc.
+     *
+     * <p>
+     * Note that after this call returned, the authenticated identity will not be immediately active. This
+     * will only take place (should not errors occur) after the {@link ServerAuthContext} or {@link ServerAuthModule}
+     * in which this call takes place return control back to the runtime.
+     * 
+     * <p>
+     * As a convenience this method returns SUCCESS, so this method can be used in
+     * one fluent return statement from an auth module.
+     * 
+     * @param username the user name that will become the caller principal
+     * @param roles the roles associated with the caller principal
+     * @return {@link AuthStatus#SUCCESS}
+     *
+     */
+    AuthStatus notifyContainerAboutLogin(String username, List<String> roles);
+
+    /**
+     * Instructs the container to "do nothing".
+     * 
+     * <p>
+     * This is a somewhat peculiar requirement of JASPIC, which incidentally almost no containers actually require
+     * or enforce. 
+     * 
+     * <p>
+     * When intending to do nothing, most JASPIC auth modules simply return "SUCCESS", but according to
+     * the JASPIC spec the handler MUST have been used when returning that status. Because of this JASPIC
+     * implicitly defines a "protocol" that must be followed in this case; 
+     * invoking the CallerPrincipalCallback handler with a null as the username.
+     * 
+     * <p>
+     * As a convenience this method returns SUCCESS, so this method can be used in
+     * one fluent return statement from an auth module.
+     * 
+     * @return {@link AuthStatus#SUCCESS}
+     */
+    AuthStatus doNothing();
+
+}

authentication/authentication-mechanism/jaspic-cdi-interface/src/main/java/javax/security/authentication/mechanism/http/annotation/BasicAuthenticationMechanismDefinition.java

@@ -0,0 +1,13 @@
+package javax.security.authentication.mechanism.http.annotation;
+
+import static java.lang.annotation.ElementType.TYPE;
+import static java.lang.annotation.RetentionPolicy.RUNTIME;
+
+import java.lang.annotation.Retention;
+import java.lang.annotation.Target;
+
+@Retention(RUNTIME)
+@Target(TYPE)
+public @interface BasicAuthenticationMechanismDefinition {
+    String realmName() default "";
+}