NoBug: Security devtests for EL support in JSR 375 (#22255)

Author: SAMEER PANDIT

appserver/tests/appserv-tests/devtests/security/soteria/app-custom-identity-store-handler/src/main/java/org/glassfish/soteria/test/ConfigBean.java

@@ -0,0 +1,91 @@
+/*
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
+ *
+ * Copyright (c) 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * The contents of this file are subject to the terms of either the GNU
+ * General Public License Version 2 only ("GPL") or the Common Development
+ * and Distribution License("CDDL") (collectively, the "License").  You
+ * may not use this file except in compliance with the License.  You can
+ * obtain a copy of the License at
+ * https://oss.oracle.com/licenses/CDDL+GPL-1.1
+ * or LICENSE.txt.  See the License for the specific
+ * language governing permissions and limitations under the License.
+ *
+ * When distributing the software, include this License Header Notice in each
+ * file and include the License file at LICENSE.txt.
+ *
+ * GPL Classpath Exception:
+ * Oracle designates this particular file as subject to the "Classpath"
+ * exception as provided by Oracle in the GPL Version 2 section of the License
+ * file that accompanied this code.
+ *
+ * Modifications:
+ * If applicable, add the following below the License Header, with the fields
+ * enclosed by brackets [] replaced by your own identifying information:
+ * "Portions Copyright [year] [name of copyright owner]"
+ *
+ * Contributor(s):
+ * If you wish your version of this file to be governed by only the CDDL or
+ * only the GPL Version 2, indicate your decision by adding "[Contributor]
+ * elects to include this software in this distribution under the [CDDL or GPL
+ * Version 2] license."  If you don't indicate a single choice of license, a
+ * recipient has the option to distribute your version of this file under
+ * either the CDDL, the GPL Version 2 or to extend the choice of license to
+ * its licensees as provided above.  However, if you add GPL Version 2 code
+ * and therefore, elected the GPL Version 2 license, then the option applies
+ * only if the new code is made subject to such option by the copyright
+ * holder.
+ */
+package org.glassfish.soteria.test;
+
+import javax.security.enterprise.identitystore.IdentityStore.ValidationType;
+import static javax.security.enterprise.identitystore.IdentityStore.ValidationType.PROVIDE_GROUPS;
+import static javax.security.enterprise.identitystore.IdentityStore.ValidationType.VALIDATE;
+
+import javax.security.enterprise.identitystore.LdapIdentityStoreDefinition.LdapSearchScope;
+import static javax.security.enterprise.identitystore.LdapIdentityStoreDefinition.LdapSearchScope.ONE_LEVEL;
+import static javax.security.enterprise.identitystore.LdapIdentityStoreDefinition.LdapSearchScope.SUBTREE;
+
+import javax.enterprise.context.RequestScoped;
+import javax.inject.Named;
+
+@RequestScoped
+@Named
+public class ConfigBean {
+  private int priority300=300;
+  private int priority100=100;
+  private ValidationType[] useforBoth = {ValidationType.VALIDATE, ValidationType.PROVIDE_GROUPS};
+  private ValidationType[] useforValidate = {ValidationType.VALIDATE};
+  private ValidationType[] useforProvideGroup = {ValidationType.PROVIDE_GROUPS};
+  private LdapSearchScope searchScopeOneLevel = ONE_LEVEL;
+  private LdapSearchScope searchScopeSubTree = SUBTREE;
+
+  public int getPriority300(){
+    return priority300;
+  }
+
+  public int getPriority100(){
+    return priority100;
+  }
+
+  public ValidationType[] getUseforBoth(){
+    return useforBoth;
+  }
+
+  public ValidationType[] getUseforValidate(){
+    return useforValidate;
+  }
+
+  public ValidationType[] getUseforProvideGroup(){
+    return useforProvideGroup;
+  }
+
+  public LdapSearchScope getSearchScopeOneLevel(){
+    return ONE_LEVEL;
+  }
+
+  public LdapSearchScope getSearchScopeSubTree(){
+    return SUBTREE;
+  }
+}

appserver/tests/appserv-tests/devtests/security/soteria/app-custom-identity-store-handler/src/main/java/org/glassfish/soteria/test/GroupProviderIdentityStore.java

@@ -54,15 +54,21 @@
 import javax.security.enterprise.identitystore.CredentialValidationResult;
 import javax.security.enterprise.identitystore.IdentityStore;
 import javax.security.enterprise.identitystore.LdapIdentityStoreDefinition;
+import javax.security.enterprise.identitystore.LdapIdentityStoreDefinition.LdapSearchScope;
+import javax.security.enterprise.identitystore.IdentityStore.ValidationType;
+import static javax.security.enterprise.identitystore.LdapIdentityStoreDefinition.LdapSearchScope.SUBTREE;
+import static javax.security.enterprise.identitystore.IdentityStore.ValidationType.VALIDATE;
 
 /**
  *
  */
 @LdapIdentityStoreDefinition(
         url = "ldap://localhost:33389/",
         callerBaseDn = "ou=caller,dc=jsr375,dc=net",
+        callerSearchScope = LdapSearchScope.SUBTREE,
         groupSearchBase = "ou=group,dc=jsr375,dc=net",
-        useForExpression = "#{'VALIDATE'}" // usage of expression just for test
+        useForExpression = "#{'VALIDATE'}",
+        groupSearchScopeExpression = "${configBean.searchScopeOneLevel}"
 )
 @ApplicationScoped
 public class GroupProviderIdentityStore implements IdentityStore {

appserver/tests/appserv-tests/devtests/security/soteria/app-custom-rememberme/src/main/java/org/glassfish/soteria/test/RememberMeConfigBean.java

@@ -0,0 +1,72 @@
+/*
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
+ *
+ * Copyright (c) 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * The contents of this file are subject to the terms of either the GNU
+ * General Public License Version 2 only ("GPL") or the Common Development
+ * and Distribution License("CDDL") (collectively, the "License").  You
+ * may not use this file except in compliance with the License.  You can
+ * obtain a copy of the License at
+ * https://oss.oracle.com/licenses/CDDL+GPL-1.1
+ * or LICENSE.txt.  See the License for the specific
+ * language governing permissions and limitations under the License.
+ *
+ * When distributing the software, include this License Header Notice in each
+ * file and include the License file at LICENSE.txt.
+ *
+ * GPL Classpath Exception:
+ * Oracle designates this particular file as subject to the "Classpath"
+ * exception as provided by Oracle in the GPL Version 2 section of the License
+ * file that accompanied this code.
+ *
+ * Modifications:
+ * If applicable, add the following below the License Header, with the fields
+ * enclosed by brackets [] replaced by your own identifying information:
+ * "Portions Copyright [year] [name of copyright owner]"
+ *
+ * Contributor(s):
+ * If you wish your version of this file to be governed by only the CDDL or
+ * only the GPL Version 2, indicate your decision by adding "[Contributor]
+ * elects to include this software in this distribution under the [CDDL or GPL
+ * Version 2] license."  If you don't indicate a single choice of license, a
+ * recipient has the option to distribute your version of this file under
+ * either the CDDL, the GPL Version 2 or to extend the choice of license to
+ * its licensees as provided above.  However, if you add GPL Version 2 code
+ * and therefore, elected the GPL Version 2 license, then the option applies
+ * only if the new code is made subject to such option by the copyright
+ * holder.
+ */
+
+package org.glassfish.soteria.test;
+
+
+import javax.enterprise.context.RequestScoped;
+import javax.inject.Named;
+
+@RequestScoped
+@Named
+public class RememberMeConfigBean {
+
+    private int maxAgeSeconds = 500;
+    private String cookieName = "GLASSFISHCOOKIE";
+    private boolean secureOnly = false;
+    private boolean httpOnly = true;
+
+    public int getMaxAgeSeconds() {
+        return maxAgeSeconds;
+    }
+
+    public String getCookieName() {
+        return cookieName;
+    }
+
+    public boolean isSecureOnly() {
+        return secureOnly;
+    }
+
+    public boolean isHttpOnly() {
+        return httpOnly;
+    }
+}
+

appserver/tests/appserv-tests/devtests/security/soteria/app-custom-rememberme/src/main/java/org/glassfish/soteria/test/TestAuthenticationMechanism.java

@@ -58,12 +58,21 @@
 import static javax.security.enterprise.identitystore.CredentialValidationResult.Status.VALID;
 
 @RememberMe(
-    cookieMaxAgeSeconds = 3600,
-    cookieSecureOnly = false,
+    cookieName = "#{self.rememberMeConfigBean.getCookieName()}",
+    cookieMaxAgeSecondsExpression = "#{self.rememberMeConfigBean.maxAgeSeconds}",
+    cookieSecureOnlyExpression = "#{self.rememberMeConfigBean.isSecureOnly()}",
+    cookieHttpOnlyExpression = "#{self.rememberMeConfigBean.httpOnly}",
     isRememberMeExpression ="#{self.isRememberMe(httpMessageContext)}"
 )
 @RequestScoped
 public class TestAuthenticationMechanism implements HttpAuthenticationMechanism {
+
+    public RememberMeConfigBean getRememberMeConfigBean() {
+        return rememberMeConfigBean;
+    }
+
+    @Inject
+    private RememberMeConfigBean rememberMeConfigBean;
 
     @Inject
     private IdentityStoreHandler identityStoreHandler;

appserver/tests/appserv-tests/devtests/security/soteria/app-custom-rememberme/src/test/java/org/glassfish/soteria/test/AppCustomRememberMeIT.java

@@ -77,17 +77,17 @@ public static Archive<?> createDeployment() {
 
 
     @Test
-    public void testHttpOnlyIsFalse() {
+    public void testHttpOnlyIsTrue() {
         readFromServer("/servlet?name=reza&password=secret1&rememberme=true");
 
-        assertTrue(getWebClient().getCookieManager().getCookie("JREMEMBERMEID").isHttpOnly());
+        assertTrue(getWebClient().getCookieManager().getCookie("GLASSFISHCOOKIE").isHttpOnly());
     }
 
     @Test
     public void testSecureOnlyIsFalse() {
         readFromServer("/servlet?name=reza&password=secret1&rememberme=true");
 
-        assertFalse(getWebClient().getCookieManager().getCookie("JREMEMBERMEID").isSecure());
+        assertFalse(getWebClient().getCookieManager().getCookie("GLASSFISHCOOKIE").isSecure());
     }
 
     @Test
@@ -180,7 +180,7 @@ public void testAuthenticatedRememberMe() {
         //    remember me cookie
 
         for (Cookie cookie : getWebClient().getCookieManager().getCookies()) {
-            if (!"JREMEMBERMEID".equals(cookie.getName())) {
+            if (!"GLASSFISHCOOKIE".equals(cookie.getName())) {
                 getWebClient().getCookieManager().removeCookie(cookie);
             }
         }

appserver/tests/appserv-tests/devtests/security/soteria/app-mem-form/pom.xml

@@ -0,0 +1,72 @@
+<!--
+
+    DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
+
+    Copyright (c) 2017 Oracle and/or its affiliates. All rights reserved.
+
+    The contents of this file are subject to the terms of either the GNU
+    General Public License Version 2 only ("GPL") or the Common Development
+    and Distribution License("CDDL") (collectively, the "License").  You
+    may not use this file except in compliance with the License.  You can
+    obtain a copy of the License at
+    https://oss.oracle.com/licenses/CDDL+GPL-1.1
+    or LICENSE.txt.  See the License for the specific
+    language governing permissions and limitations under the License.
+
+    When distributing the software, include this License Header Notice in each
+    file and include the License file at LICENSE.txt.
+
+    GPL Classpath Exception:
+    Oracle designates this particular file as subject to the "Classpath"
+    exception as provided by Oracle in the GPL Version 2 section of the License
+    file that accompanied this code.
+
+    Modifications:
+    If applicable, add the following below the License Header, with the fields
+    enclosed by brackets [] replaced by your own identifying information:
+    "Portions Copyright [year] [name of copyright owner]"
+
+    Contributor(s):
+    If you wish your version of this file to be governed by only the CDDL or
+    only the GPL Version 2, indicate your decision by adding "[Contributor]
+    elects to include this software in this distribution under the [CDDL or GPL
+    Version 2] license."  If you don't indicate a single choice of license, a
+    recipient has the option to distribute your version of this file under
+    either the CDDL, the GPL Version 2 or to extend the choice of license to
+    its licensees as provided above.  However, if you add GPL Version 2 code
+    and therefore, elected the GPL Version 2 license, then the option applies
+    only if the new code is made subject to such option by the copyright
+    holder.
+
+-->
+
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+  <parent>
+    <groupId>org.glassfish.soteria.test</groupId>
+    <artifactId>soteria</artifactId>
+    <version>5.0-SNAPSHOT</version>
+  </parent>
+
+	<artifactId>app-mem-form</artifactId>
+	<packaging>war</packaging>
+	
+	<build>
+        <finalName>app-mem-form</finalName>
+	</build>
+
+    <properties>
+        <failOnMissingWebXml>false</failOnMissingWebXml>
+    </properties>
+    
+    <dependencies>
+        <dependency>
+            <groupId>org.glassfish.soteria.test</groupId>
+            <artifactId>common</artifactId>
+            <version>5.0-SNAPSHOT</version>
+            <scope>test</scope>
+        </dependency>
+    </dependencies>
+
+</project>

appserver/tests/appserv-tests/devtests/security/soteria/app-mem-form/src/main/java/org/glassfish/soteria/test/ApplicationConfig.java

@@ -0,0 +1,59 @@
+/*
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
+ *
+ * Copyright (c) 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * The contents of this file are subject to the terms of either the GNU
+ * General Public License Version 2 only ("GPL") or the Common Development
+ * and Distribution License("CDDL") (collectively, the "License").  You
+ * may not use this file except in compliance with the License.  You can
+ * obtain a copy of the License at
+ * https://oss.oracle.com/licenses/CDDL+GPL-1.1
+ * or LICENSE.txt.  See the License for the specific
+ * language governing permissions and limitations under the License.
+ *
+ * When distributing the software, include this License Header Notice in each
+ * file and include the License file at LICENSE.txt.
+ *
+ * GPL Classpath Exception:
+ * Oracle designates this particular file as subject to the "Classpath"
+ * exception as provided by Oracle in the GPL Version 2 section of the License
+ * file that accompanied this code.
+ *
+ * Modifications:
+ * If applicable, add the following below the License Header, with the fields
+ * enclosed by brackets [] replaced by your own identifying information:
+ * "Portions Copyright [year] [name of copyright owner]"
+ *
+ * Contributor(s):
+ * If you wish your version of this file to be governed by only the CDDL or
+ * only the GPL Version 2, indicate your decision by adding "[Contributor]
+ * elects to include this software in this distribution under the [CDDL or GPL
+ * Version 2] license."  If you don't indicate a single choice of license, a
+ * recipient has the option to distribute your version of this file under
+ * either the CDDL, the GPL Version 2 or to extend the choice of license to
+ * its licensees as provided above.  However, if you add GPL Version 2 code
+ * and therefore, elected the GPL Version 2 license, then the option applies
+ * only if the new code is made subject to such option by the copyright
+ * holder.
+ */
+
+package org.glassfish.soteria.test;
+
+import javax.enterprise.context.ApplicationScoped;
+import javax.inject.Named;
+
+
+@ApplicationScoped
+@Named("appConfig")
+public class ApplicationConfig {
+    public String getLoginPage(){
+        return login_page;
+    }
+    private String login_page = "/login-servlet";
+    private String error_page = "/login-error-servlet";
+
+    public String getErrorPage() {
+        return error_page;
+    }
+}