EDR1 work in progress proposal and demo apps for EDR1 code.

Author: arjantijms

apps/app-custom-rememberme/pom.xml

@@ -0,0 +1,38 @@
+
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+	
+    <parent>
+        <groupId>net.java.jsr375</groupId>
+        <artifactId>apps</artifactId>
+        <version>1.0-SNAPSHOT</version>
+    </parent>
+	
+	<artifactId>app-custom-rememberme</artifactId>
+	
+	<packaging>war</packaging>
+	
+	<build>
+        <finalName>app-custom-rememberme</finalName>
+    
+		<plugins>
+			<plugin>
+				<artifactId>maven-compiler-plugin</artifactId>
+				<version>3.3</version>
+				<configuration>
+					<source>1.8</source>
+					<target>1.8</target>
+				</configuration>
+			</plugin>
+			<plugin>
+				<artifactId>maven-war-plugin</artifactId>
+				<version>2.6</version>
+				<configuration>
+                    <warName>app-custom-rememberme</warName>
+					<failOnMissingWebXml>false</failOnMissingWebXml>
+				</configuration>
+			</plugin>
+		</plugins>
+	</build>
+</project>

apps/app-custom-rememberme/src/main/java/test/Servlet.java

@@ -0,0 +1,50 @@
+package test;
+
+import java.io.IOException;
+
+import javax.annotation.security.DeclareRoles;
+import javax.servlet.ServletException;
+import javax.servlet.annotation.WebServlet;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+/**
+ * Test Servlet that prints out the name of the authenticated caller and whether
+ * this caller is in any of the roles {foo, bar, kaz}
+ * 
+ *
+ */
+@DeclareRoles({ "foo", "bar", "kaz" })
+@WebServlet("/servlet")
+public class Servlet extends HttpServlet {
+
+    private static final long serialVersionUID = 1L;
+
+    @Override
+    public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+
+        if (request.getParameter("logout") != null) {
+            request.logout(); // slightly ill-defined, but only for current request
+            request.getSession().invalidate();
+        }
+        
+        response.getWriter().write("This is a servlet \n");
+
+        String webName = null;
+        if (request.getUserPrincipal() != null) {
+            webName = request.getUserPrincipal().getName();
+        }
+
+        response.getWriter().write("web username: " + webName + "\n");
+
+        response.getWriter().write("web user has role \"foo\": " + request.isUserInRole("foo") + "\n");
+        response.getWriter().write("web user has role \"bar\": " + request.isUserInRole("bar") + "\n");
+        response.getWriter().write("web user has role \"kaz\": " + request.isUserInRole("kaz") + "\n");
+        
+        String mechanismCalled = (String) request.getAttribute("authentication-mechanism-called");
+        
+        response.getWriter().write("\nauthentication mechanism called: " + (mechanismCalled != null? mechanismCalled : false) + "\n");
+    }
+
+}

apps/app-custom-rememberme/src/main/java/test/TestAuthenticationMechanism.java

@@ -0,0 +1,73 @@
+package test;
+
+import static javax.security.identitystore.CredentialValidationResult.Status.VALID;
+
+import javax.enterprise.context.RequestScoped;
+import javax.inject.Inject;
+import javax.security.auth.message.AuthException;
+import javax.security.auth.message.AuthStatus;
+import javax.security.authentication.mechanism.http.HttpAuthenticationMechanism;
+import javax.security.authentication.mechanism.http.HttpMessageContext;
+import javax.security.authentication.mechanism.http.annotation.RememberMe;
+import javax.security.identitystore.CredentialValidationResult;
+import javax.security.identitystore.IdentityStore;
+import javax.security.identitystore.credential.Password;
+import javax.security.identitystore.credential.UsernamePasswordCredential;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+@RememberMe(
+    cookieMaxAgeSeconds = 3600,
+    isRememberMeExpression ="this.isRememberMe(httpMessageContext)"
+)
+@RequestScoped
+public class TestAuthenticationMechanism implements HttpAuthenticationMechanism {
+    
+    @Inject
+    private IdentityStore identityStore;
+
+    @Override
+    public AuthStatus validateRequest(HttpServletRequest request, HttpServletResponse response, HttpMessageContext httpMessageContext) throws AuthException {
+
+        request.setAttribute("authentication-mechanism-called", "true");
+        
+        if (request.getParameter("name") != null && request.getParameter("password") != null) {
+
+            // Get the (caller) name and password from the request
+            // NOTE: This is for the smallest possible example only. In practice
+            // putting the password in a request query parameter is highly
+            // insecure
+            String name = request.getParameter("name");
+            Password password = new Password(request.getParameter("password"));
+
+            // Delegate the {credentials in -> identity data out} function to
+            // the Identity Store
+            CredentialValidationResult result = identityStore.validate(
+                new UsernamePasswordCredential(name, password));
+
+            if (result.getStatus() == VALID) {
+                // Communicate the details of the authenticated user to the
+                // container. In many cases the underlying handler will just store the details 
+                // and the container will actually handle the login after we return from 
+                // this method.
+                return httpMessageContext.notifyContainerAboutLogin(
+                    result.getCallerPrincipal(), result.getCallerGroups());
+            } else {
+                throw new AuthException("Login failed");
+            }
+        } 
+
+        return httpMessageContext.doNothing();
+    }
+    
+    public Boolean isRememberMe(HttpMessageContext httpMessageContext) {
+        return httpMessageContext.getRequest().getParameter("rememberme") != null;
+    }
+    
+    // Workaround for possible CDI bug; at least in Weld 2.3.2 default methods don't seem to be intercepted
+    @Override
+    public void cleanSubject(HttpServletRequest request, HttpServletResponse response, HttpMessageContext httpMessageContext) {
+    	HttpAuthenticationMechanism.super.cleanSubject(request, response, httpMessageContext);
+    }
+    
+}

apps/app-custom-rememberme/src/main/java/test/TestIdentityStore.java

@@ -0,0 +1,43 @@
+package test;
+
+import static java.util.Arrays.asList;
+import static javax.security.identitystore.CredentialValidationResult.INVALID_RESULT;
+import static javax.security.identitystore.CredentialValidationResult.NOT_VALIDATED_RESULT;
+import static javax.security.identitystore.CredentialValidationResult.Status.VALID;
+
+import javax.enterprise.context.RequestScoped;
+import javax.security.CallerPrincipal;
+import javax.security.identitystore.CredentialValidationResult;
+import javax.security.identitystore.IdentityStore;
+import javax.security.identitystore.credential.Credential;
+import javax.security.identitystore.credential.UsernamePasswordCredential;
+
+@RequestScoped
+public class TestIdentityStore implements IdentityStore {
+    
+    public CredentialValidationResult validate(Credential credential) {
+        if (credential instanceof UsernamePasswordCredential) {
+            return validate((UsernamePasswordCredential) credential);
+        }
+
+        return NOT_VALIDATED_RESULT;
+    }
+    
+    public CredentialValidationResult validate(UsernamePasswordCredential usernamePasswordCredential) {
+        
+        if (usernamePasswordCredential.getCaller().equals("reza") && 
+            usernamePasswordCredential.getPassword().compareTo("secret1")) {
+            
+            return new CredentialValidationResult(
+                VALID, 
+                new CallerPrincipal("reza"), 
+                asList("foo", "bar")
+            );
+        }
+        
+        return INVALID_RESULT;
+    }
+    
+    
+    
+}

apps/app-custom-rememberme/src/main/java/test/TestRememberMeIdentityStore.java

@@ -0,0 +1,47 @@
+package test;
+
+import static javax.security.identitystore.CredentialValidationResult.INVALID_RESULT;
+import static javax.security.identitystore.CredentialValidationResult.Status.VALID;
+
+import java.util.List;
+import java.util.Map;
+import java.util.UUID;
+import java.util.concurrent.ConcurrentHashMap;
+
+import javax.enterprise.context.ApplicationScoped;
+import javax.security.CallerPrincipal;
+import javax.security.identitystore.CredentialValidationResult;
+import javax.security.identitystore.RememberMeIdentityStore;
+import javax.security.identitystore.credential.RememberMeCredential;
+
+@ApplicationScoped
+public class TestRememberMeIdentityStore implements RememberMeIdentityStore {
+
+	private final Map<String, CredentialValidationResult> identities = new ConcurrentHashMap<>();
+	
+	@Override
+	public CredentialValidationResult validate(RememberMeCredential credential) {
+		if (identities.containsKey(credential.getToken())) {
+			return identities.get(credential.getToken());
+		}
+		
+		 return INVALID_RESULT;
+	}
+	
+	@Override
+	public String generateLoginToken(CallerPrincipal callerPrincipal, List<String> groups) {
+		String token = UUID.randomUUID().toString();
+		
+		// NOTE: FOR EXAMPLE ONLY. AS TOKENKEY WOULD EFFECTIVELY BECOME THE REPLACEMENT PASSWORD
+		// IT SHOULD NORMALLY NOT BE STORED DIRECTLY BUT EG USING STRONG HASHING
+		identities.put(token, new CredentialValidationResult(VALID, callerPrincipal, groups));
+		
+		return token;
+	}
+	
+	@Override
+	public void removeLoginToken(String token) {
+		identities.remove(token);
+	}
+	
+}

apps/app-custom-rememberme/src/main/resources/empty.txt

@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glassfish-web-app PUBLIC "-//GlassFish.org//DTD GlassFish Application Server 3.1 Servlet 3.0//EN" "http://glassfish.org/dtds/glassfish-web-app_3_0-1.dtd">
+<glassfish-web-app>
+
+    <security-role-mapping>
+        <role-name>foo</role-name>
+        <group-name>foo</group-name>
+    </security-role-mapping>
+    
+    <security-role-mapping>
+        <role-name>bar</role-name>
+        <group-name>bar</group-name>
+    </security-role-mapping>
+    
+    <security-role-mapping>
+        <role-name>kaz</role-name>
+        <group-name>kaz</group-name>
+    </security-role-mapping>
+
+    <parameter-encoding default-charset="UTF-8" />
+
+</glassfish-web-app>

apps/app-custom-rememberme/src/main/webapp/WEB-INF/beans.xml

@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<application-bnd xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://websphere.ibm.com/xml/ns/javaee http://websphere.ibm.com/xml/ns/javaee/ibm-application-bnd_1_2.xsd"
+    xmlns="http://websphere.ibm.com/xml/ns/javaee"
+    version="1.2">
+
+    <security-role name="foo"> 
+        <group name="foo" />
+    </security-role>
+    
+    <security-role name="bar"> 
+        <group name="bar" />
+    </security-role>
+    
+    <security-role name="kaz"> 
+        <group name="kaz" />
+    </security-role>
+    
+
+</application-bnd>

apps/app-custom-rememberme/src/main/webapp/WEB-INF/glassfish-web.xml

@@ -0,0 +1,5 @@
+<?xml version="1.0"?>
+
+<jboss-web>
+    <security-domain>jaspitest</security-domain>
+</jboss-web>