PAYARA-2081 Add in requested changes

api/payara-api/pom.xml

@@ -1,7 +1,7 @@
 <!--
   DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
  
-  Copyright (c) [2016-2017] Payara Foundation and/or its affiliates. All rights reserved.
+  Copyright (c) [2016-2018] Payara Foundation and/or its affiliates. All rights reserved.
  
   The contents of this file are subject to the terms of either the GNU
   General Public License Version 2 only ("GPL") or the Common Development
@@ -132,14 +132,14 @@
                                     javax.enterprise.util
                                 </Import-Package>
                                 <Export-Package>
+                                    fish.payara.cdi.auth.roles,
                                     fish.payara.cdi.jsr107.impl,
                                     fish.payara.cluster,
                                     fish.payara.micro.cdi,
                                     fish.payara.nucleus.requesttracing.api,
                                     fish.payara.notification.eventbus,
                                     fish.payara.nucleus.notification.domain,
-                                    fish.payara.nucleus.notification.service,
-                                    fish.payara.roles.api
+                                    fish.payara.nucleus.notification.service
                                 </Export-Package>
                             </instructions>
                         </configuration>

api/payara-api/src/main/java/fish/payara/cdi/auth/roles/LogicalOperator.java

@@ -0,0 +1,50 @@
+/*
+ *   DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
+ *  
+ *   Copyright (c) [2018] Payara Foundation and/or its affiliates. 
+ *   All rights reserved.
+ *  
+ *   The contents of this file are subject to the terms of either the GNU
+ *   General Public License Version 2 only ("GPL") or the Common Development
+ *   and Distribution License("CDDL") (collectively, the "License").  You
+ *   may not use this file except in compliance with the License.  You can
+ *   obtain a copy of the License at
+ *   https://github.com/payara/Payara/blob/master/LICENSE.txt
+ *   See the License for the specific
+ *   language governing permissions and limitations under the License.
+ *  
+ *   When distributing the software, include this License Header Notice in each
+ *   file and include the License file at glassfish/legal/LICENSE.txt.
+ *  
+ *   GPL Classpath Exception:
+ *   The Payara Foundation designates this particular file as subject to the 
+ *   "Classpath" exception as provided by the Payara Foundation in the GPL 
+ *   Version 2 section of the License file that accompanied this code.
+ *  
+ *   Modifications:
+ *   If applicable, add the following below the License Header, with the fields
+ *   enclosed by brackets [] replaced by your own identifying information:
+ *   "Portions Copyright [year] [name of copyright owner]"
+ *  
+ *   Contributor(s):
+ *   If you wish your version of this file to be governed by only the CDDL or
+ *   only the GPL Version 2, indicate your decision by adding "[Contributor]
+ *   elects to include this software in this distribution under the [CDDL or GPL
+ *   Version 2] license."  If you don't indicate a single choice of license, a
+ *   recipient has the option to distribute your version of this file under
+ *   either the CDDL, the GPL Version 2 or to extend the choice of license to
+ *   its licensees as provided above.  However, if you add GPL Version 2 code
+ *   and therefore, elected the GPL Version 2 license, then the option applies
+ *   only if the new code is made subject to such option by the copyright
+ *   holder.
+ */
+package fish.payara.cdi.auth.roles;
+
+/**
+ *
+ * @author Michael Ranaldo <michael@ranaldo.co.uk>
+ */
+public enum LogicalOperator {
+    OR,
+    AND
+}

api/payara-api/src/main/java/fish/payara/roles/api/Roles.java → api/payara-api/src/main/java/fish/payara/cdi/auth/roles/Roles.java

@@ -1,7 +1,7 @@
 /*
  *   DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
  *  
- *   Copyright (c) [2017] Payara Foundation and/or its affiliates. 
+ *   Copyright (c) [2017-2018] Payara Foundation and/or its affiliates. 
  *   All rights reserved.
  *  
  *   The contents of this file are subject to the terms of either the GNU
@@ -38,8 +38,9 @@
  *   only if the new code is made subject to such option by the copyright
  *   holder.
  */
-package fish.payara.roles.api;
+package fish.payara.cdi.auth.roles;
 
+import static fish.payara.cdi.auth.roles.LogicalOperator.OR;
 import static java.lang.annotation.ElementType.METHOD;
 import static java.lang.annotation.ElementType.TYPE;
 import static java.lang.annotation.RetentionPolicy.RUNTIME;
@@ -48,29 +49,35 @@
 import java.lang.annotation.Target;
 import javax.enterprise.util.Nonbinding;
 import javax.interceptor.InterceptorBinding;
+import javax.validation.constraints.NotNull;
 
 /**
+ * Defines a list of roles which a caller must be in to access either methods within an annotated class, or a singular
+ * annotated method. Roles defined on a method level will always add to or overrule those defined on a class level.
  *
  * @author Michael Ranaldo <michael@ranaldo.co.uk>
  */
 @InterceptorBinding
-@Target({ TYPE, METHOD })
+@Target({TYPE, METHOD})
 @Retention(RUNTIME)
 public @interface Roles {
-    
+
     /**
-     * The roles which are allowed to access this method.
-     * Defaults to none.
+     * The roles which are allowed to access this method. Defaults to an empty string.
+     *
      * @return A String array of permitted roles.
      */
     @Nonbinding
+    @NotNull
     String[] allowed() default "";
-    
+
     /**
-     * Whether accessing users must be in all given roles (AND) or one of the given roles (OR)
-     * @return 
+     * Whether accessing users must be in any one of the given roles (OR) or all given roles (AND). Uses the
+     * LogicalOperator enum defined in the same package (fish.payara.cdi.auth.roles.LogicalOperator).
+     *
+     * @return
      * @default OR
      */
     @Nonbinding
-    String semantics() default "OR";
+    LogicalOperator semantics() default OR;
 }

appserver/featuresets/payara-web/pom.xml

@@ -40,7 +40,7 @@
     holder.
 -->
 
-<!-- Portions Copyright [2016-2017] [Payara Foundation and/or its affiliates] -->
+<!-- Portions Copyright [2016-2018] [Payara Foundation and/or its affiliates] -->
 
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
     <modelVersion>4.0.0</modelVersion>
@@ -257,7 +257,7 @@
         <!-- roles api -->
         <dependency>
             <groupId>org.glassfish.main.packager</groupId>
-            <artifactId>roles-package</artifactId>
+            <artifactId>cdi-auth-roles</artifactId>
             <version>${project.version}</version>
             <type>zip</type>
         </dependency>

appserver/packager/roles-package/pom.xml → appserver/packager/cdi-auth-roles/pom.xml

@@ -38,17 +38,20 @@
    only if the new code is made subject to such option by the copyright
    holder.
 -->
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+<project 
+    xmlns="http://maven.apache.org/POM/4.0.0"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
     <modelVersion>4.0.0</modelVersion>
     <parent>
         <groupId>org.glassfish.main.packager</groupId>
         <artifactId>packages</artifactId>
         <version>4.1.2.181-SNAPSHOT</version>
     </parent>
-    <artifactId>roles-package</artifactId>
-    <name>Payara Roles Package</name>
+    <artifactId>cdi-auth-roles</artifactId>
+    <name>Payara CDI Auth Roles Package</name>
     <packaging>distribution-fragment</packaging>
-    <description>This pom describes how to assemble the Payara Roles package</description>
+    <description>This pom describes how to assemble the Payara CDI Auth Roles package</description>
 
     <properties>
         <temp.dir>${project.build.directory}/dependency</temp.dir>       
@@ -124,7 +127,7 @@
     <dependencies>
         <dependency>
             <groupId>fish.payara.appserver</groupId>
-            <artifactId>roles-api</artifactId>
+            <artifactId>cdi-auth-roles</artifactId>
             <version>${project.version}</version>
         </dependency>
     </dependencies>

appserver/packager/roles-package/src/main/resources/pkg_proto.py → appserver/packager/cdi-auth-roles/src/main/resources/pkg_proto.py

@@ -3,7 +3,7 @@
 #
 #  DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
 #
-#  Copyright (c) [2016-2017] Payara Foundation and/or its affiliates. 
+#  Copyright (c) [2017-2018] Payara Foundation and/or its affiliates. 
 #  All rights reserved.
 #
 #  The contents of this file are subject to the terms of either the GNU
@@ -45,11 +45,11 @@
 conf = imp.load_source("pkg_conf", "../pkg_conf.py")
 
 pkg = {
-    "name"          : "roles-package",
+    "name"          : "cdi-auth-roles",
     "version"       : conf.glassfish_version,
     "attributes"    : {
-                        "pkg.summary" : "Roles API Integration",
-                        "pkg.description" : "Roles API modules",
+                        "pkg.summary" : "CDI Auth: Roles Integration",
+                        "pkg.description" : "CDI Auth: Roles modules",
                         "info.classification" : "OSGi Service Platform Release 4",
                       },
     "dirtrees"      : { "glassfish/modules" : {},

appserver/packager/pom.xml

@@ -40,7 +40,7 @@
     holder.
 
 -->
-<!-- Portions Copyright [2016-2017] [Payara Foundation and/or its affiliates] -->
+<!-- Portions Copyright [2016-2018] [Payara Foundation and/or its affiliates] -->
 
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
     <modelVersion>4.0.0</modelVersion>
@@ -180,7 +180,7 @@
         <module>environment-warning</module>
         <module>payara-rest-endpoints</module>
         <module>rest-monitoring</module>
-        <module>roles-package</module>
+        <module>cdi-auth-roles</module>
     </modules>
 
     <profiles>

appserver/payara-appserver-modules/roles-api/pom.xml → appserver/payara-appserver-modules/cdi-auth-roles/pom.xml

@@ -3,7 +3,7 @@
 
     DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
 
-    Copyright (c) 2017 Payara Foundation and/or its affiliates. All rights reserved.
+    Copyright (c) [2017-2018] Payara Foundation and/or its affiliates. All rights reserved.
 
     The contents of this file are subject to the terms of either the GNU
     General Public License Version 2 only ("GPL") or the Common Development
@@ -48,10 +48,10 @@
         <version>4.1.2.181-SNAPSHOT</version>
     </parent>
     <groupId>fish.payara.appserver</groupId>
-    <artifactId>roles-api</artifactId>
+    <artifactId>cdi-auth-roles</artifactId>
     <packaging>glassfish-jar</packaging>
-    <name>Roles CDI API</name>
-    <description>Roles CDI API</description>
+    <name>CDI Auth: Roles</name>
+    <description>CDI Auth: Roles</description>
     <build>
         <plugins>
             <plugin>
@@ -67,8 +67,8 @@
                         <configuration>
                             <instructions>
                                 <Export-Package>
-                                    fish.payara.appserver.roles.api,
-                                    fish.payara.appserver.roles.api.extension
+                                    fish.payara.appserver.cdi.auth.roles,
+                                    fish.payara.appserver.cdi.auth.roles.extension
                                 </Export-Package>
                             </instructions>
                         </configuration>

appserver/payara-appserver-modules/roles-api/src/main/java/fish/payara/appserver/roles/api/RolesCDIInterceptor.java → appserver/payara-appserver-modules/cdi-auth-roles/src/main/java/fish/payara/appserver/cdi/auth/roles/RolesCDIInterceptor.java

@@ -1,7 +1,7 @@
 /*
  *   DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
  *  
- *   Copyright (c) [2017] Payara Foundation and/or its affiliates. 
+ *   Copyright (c) [2017-2018] Payara Foundation and/or its affiliates. 
  *   All rights reserved.
  *  
  *   The contents of this file are subject to the terms of either the GNU
@@ -38,9 +38,11 @@
  *   only if the new code is made subject to such option by the copyright
  *   holder.
  */
-package fish.payara.appserver.roles.api;
+package fish.payara.appserver.cdi.auth.roles;
 
-import fish.payara.roles.api.Roles;
+import com.sun.enterprise.universal.i18n.LocalStringsImpl;
+import fish.payara.cdi.auth.roles.Roles;
+import fish.payara.cdi.auth.roles.LogicalOperator;
 import java.io.Serializable;
 import java.util.Arrays;
 import java.util.List;
@@ -52,57 +54,72 @@
 import javax.interceptor.Interceptor;
 import javax.interceptor.InvocationContext;
 import javax.security.enterprise.SecurityContext;
-import org.glassfish.security.common.Role;
+import javax.ws.rs.NotAuthorizedException;
 
 /**
+ * The Roles CDI Interceptor authenticates requests to methods and classes annotated with the @Roles annotation. If the
+ * security context cannot find a role within the requestor which matches either all (if using the AND semantic within
+ * the Roles annotation) or one of (if using the OR semantic within the Roles annotation), then a NotAuthorizedException
+ * is thrown.
  *
  * @author Michael Ranaldo <michael@ranaldo.co.uk>
  */
 @Interceptor
 @Roles
 @Priority(Interceptor.Priority.PLATFORM_AFTER)
 public class RolesCDIInterceptor implements Serializable {
-
+
+    private final static LocalStringsImpl STRINGS = new LocalStringsImpl(RolesCDIInterceptor.class);
+
     private final SecurityContext securityContext;
 
     public RolesCDIInterceptor() {
         this.securityContext = CDI.current().select(SecurityContext.class).get();
     }
-
-
 
+    /**
+     * Method invoked whenever a method annotated with @Roles, or a method within a class annotated with @Roles is
+     * called.
+     *
+     * @param invocationContext Context provided by Weld.
+     * @return Proceed to next interceptor in chain.
+     */
     @AroundInvoke
-    public Object method(InvocationContext ctx) {
-        Object result = null;
-        if (checkRoles(ctx.getMethod().getAnnotation(Roles.class))
-                || (ctx.getMethod().getAnnotation(Roles.class) == null
-                && checkRoles(ctx.getClass().getAnnotation(Roles.class)))) {
+    public Object method(InvocationContext invocationContext) {
+        if (checkRoles(invocationContext.getMethod().getAnnotation(Roles.class))
+                || (invocationContext.getMethod().getAnnotation(Roles.class) == null
+                && checkRoles(invocationContext.getClass().getAnnotation(Roles.class)))) {
             try {
-                result = ctx.proceed();
+                Object result = invocationContext.proceed();
+                return result;
             } catch (Exception ex) {
                 Logger.getLogger(RolesCDIInterceptor.class.getName()).log(Level.SEVERE, null, ex);
             }
         }
-        return result;
+        throw new NotAuthorizedException(STRINGS.get("access.restricted.resource.failed"));
     }
 
+    /**
+     * Check that the roles allowed by the class or method match the roles currently granted to the caller.
+     *
+     * @param roles The roles declared within the @Roles annotation.
+     * @return True or False
+     */
     public boolean checkRoles(Roles roles) {
-        if (roles != null) {
-            List<String> permittedRoles = Arrays.asList(roles.allowed());
-            if (roles.semantics().toUpperCase().equals("OR")) {
-                for (String role : permittedRoles) {
-                    if (securityContext.isCallerInRole(role)) {
-                        return true;
-                    }
+        List<String> permittedRoles = Arrays.asList(roles.allowed());
+        if (roles.semantics().equals(LogicalOperator.OR)) {
+            for (String role : permittedRoles) {
+                if (securityContext.isCallerInRole(role)) {
+                    return true;
                 }
-            } else if (roles.semantics().toUpperCase().equals("AND")) {
-                for (String role : permittedRoles) {
-                    if (!securityContext.isCallerInRole(role)) {
-                        return false;
-                    }
+            }
+        } else if (roles.semantics().equals(LogicalOperator.AND)) {
+            for (String role : permittedRoles) {
+                if (!securityContext.isCallerInRole(role)) {
+                    return false;
                 }
-                return true;
             }
+            return true;
         }
         return false;
     }