<?xml version="1.0" encoding="UTF-8"?>

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">

<modelVersion>4.0.0</modelVersion>

<parent>

<groupId>org.javaee7</groupId>

<artifactId>jaspic</artifactId>

<version>1.0-SNAPSHOT</version>

<relativePath>../pom.xml</relativePath>

</parent>

<artifactId>jaspic-invoke-ejb-cdi</artifactId>

<packaging>war</packaging>

<name>Java EE 7 Sample: jaspic - invoke EJB and CDI</name>

<dependencies>

<dependency>

<groupId>org.javaee7</groupId>

<artifactId>jaspic-common</artifactId>

<version>1.0-SNAPSHOT</version>

</dependency>

</dependencies>

</project>

package org.javaee7.jaspic.invoke.bean;

import javax.enterprise.context.RequestScoped;

import javax.inject.Named;

public class CDIBean {

public String getText() {

return "Called from CDI";

}

}

package org.javaee7.jaspic.invoke.bean;

import javax.ejb.Stateless;

public class EJBBean {

public String getText() {

return "Called from EJB";

}

}

package org.javaee7.jaspic.invoke.sam;

import javax.servlet.ServletContextEvent;

import javax.servlet.annotation.WebListener;

import org.javaee7.jaspic.common.BaseServletContextListener;

import org.javaee7.jaspic.common.JaspicUtils;

public class SamAutoRegistrationListener extends BaseServletContextListener {

@Override

public void contextInitialized(ServletContextEvent sce) {

JaspicUtils.registerSAM(sce.getServletContext(), new TestServerAuthModule());

}

}

package org.javaee7.jaspic.invoke.sam;

import static java.util.logging.Level.SEVERE;

import static javax.security.auth.message.AuthStatus.SEND_SUCCESS;

import static javax.security.auth.message.AuthStatus.SUCCESS;

import java.io.IOException;

import java.util.Map;

import java.util.logging.Logger;

import javax.enterprise.inject.spi.CDI;

import javax.naming.InitialContext;

import javax.security.auth.Subject;

import javax.security.auth.callback.Callback;

import javax.security.auth.callback.CallbackHandler;

import javax.security.auth.callback.UnsupportedCallbackException;

import javax.security.auth.message.AuthException;

import javax.security.auth.message.AuthStatus;

import javax.security.auth.message.MessageInfo;

import javax.security.auth.message.MessagePolicy;

import javax.security.auth.message.callback.CallerPrincipalCallback;

import javax.security.auth.message.callback.GroupPrincipalCallback;

import javax.security.auth.message.module.ServerAuthModule;

import javax.servlet.http.HttpServletRequest;

import javax.servlet.http.HttpServletResponse;

import org.javaee7.jaspic.invoke.bean.CDIBean;

import org.javaee7.jaspic.invoke.bean.EJBBean;

public class TestServerAuthModule implements ServerAuthModule {

private final static Logger logger = Logger.getLogger(TestServerAuthModule.class.getName());

private CallbackHandler handler;

private Class<?>[] supportedMessageTypes = new Class[] { HttpServletRequest.class, HttpServletResponse.class };

@Override

public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy, CallbackHandler handler,

@SuppressWarnings("rawtypes") Map options) throws AuthException {

this.handler = handler;

}

@Override

public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject, Subject serviceSubject) throws AuthException {

HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();

HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();

if ("cdi".equals(request.getParameter("tech"))) {

callCDIBean(response, "validateRequest");

} else if ("ejb".equals(request.getParameter("tech"))) {

callEJBBean(response, "validateRequest");

}

try {

handler.handle(new Callback[] {

new CallerPrincipalCallback(clientSubject, "test"),

new GroupPrincipalCallback(clientSubject, new String[] { "architect" })

});

return SUCCESS;

} catch (IOException | UnsupportedCallbackException e) {

throw (AuthException) new AuthException().initCause(e);

}

}

@Override

public Class<?>[] getSupportedMessageTypes() {

return supportedMessageTypes;

}

@Override

public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject) throws AuthException {

HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();

HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();

if ("cdi".equals(request.getParameter("tech"))) {

callCDIBean(response, "secureResponse");

} else if ("ejb".equals(request.getParameter("tech"))) {

callEJBBean(response, "secureResponse");

}

return SEND_SUCCESS;

}

@Override

public void cleanSubject(MessageInfo messageInfo, Subject subject) throws AuthException {

HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();

HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();

if ("cdi".equals(request.getParameter("tech"))) {

callCDIBean(response, "cleanSubject");

} else if ("ejb".equals(request.getParameter("tech"))) {

callEJBBean(response, "cleanSubject");

}

}

private void callCDIBean(HttpServletResponse response, String phase) {

try {

CDIBean cdiBean = CDI.current().select(CDIBean.class).get();

response.getWriter().write(phase + ": " + cdiBean.getText());

} catch (Exception e) {

logger.log(SEVERE, "", e);

}

}

private void callEJBBean(HttpServletResponse response, String phase) {

try {

EJBBean ejbBean = (EJBBean) new InitialContext().lookup("java:module/EJBBean");

response.getWriter().write(phase + ": " + ejbBean.getText());

} catch (Exception e) {

logger.log(SEVERE, "", e);

}

}

}

package org.javaee7.jaspic.invoke.servlet;

import java.io.IOException;

import javax.servlet.ServletException;

import javax.servlet.annotation.WebServlet;

import javax.servlet.http.HttpServlet;

import javax.servlet.http.HttpServletRequest;

import javax.servlet.http.HttpServletResponse;

@WebServlet(urlPatterns = "/protected/servlet")

public class ProtectedServlet extends HttpServlet {

private static final long serialVersionUID = 1L;

@Override

public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {

response.getWriter().write("Resource invoked\n");

request.logout();

}

}

package org.javaee7.jaspic.invoke.servlet;

import java.io.IOException;

import javax.servlet.ServletException;

import javax.servlet.annotation.WebServlet;

import javax.servlet.http.HttpServlet;

import javax.servlet.http.HttpServletRequest;

import javax.servlet.http.HttpServletResponse;

@WebServlet(urlPatterns = "/public/servlet")

public class PublicServlet extends HttpServlet {

private static final long serialVersionUID = 1L;

@Override

public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {

response.getWriter().write("Resource invoked\n");

request.logout();

}

}

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE glassfish-web-app PUBLIC "-//GlassFish.org//DTD GlassFish Application Server 3.1 Servlet 3.0//EN" "http://glassfish.org/dtds/glassfish-web-app_3_0-1.dtd">

<glassfish-web-app>

<security-role-mapping>

<role-name>architect</role-name>

<group-name>architect</group-name>

</security-role-mapping>

<parameter-encoding default-charset="UTF-8" />

</glassfish-web-app>

<?xml version="1.0" encoding="UTF-8"?>

<application-bnd xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

xsi:schemaLocation="http://websphere.ibm.com/xml/ns/javaee http://websphere.ibm.com/xml/ns/javaee/ibm-application-bnd_1_2.xsd"

xmlns="http://websphere.ibm.com/xml/ns/javaee"

version="1.2">

<security-role name="architect">

<group name="architect" />

</security-role>

</application-bnd>

<?xml version="1.0"?>

<jboss-web>

<security-domain>jaspitest</security-domain>

</jboss-web>

<?xml version="1.0" encoding="UTF-8"?>

<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee"

xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"

version="3.0">

<security-constraint>

<web-resource-collection>

<web-resource-name>Test</web-resource-name>

<url-pattern>/protected/*</url-pattern>

</web-resource-collection>

<auth-constraint>

<role-name>architect</role-name>

</auth-constraint>

</security-constraint>

<security-role>

<role-name>architect</role-name>

</security-role>

</web-app>

package org.javaee7.jaspictest.invoke;

import static org.junit.Assert.assertTrue;

import org.javaee7.jaspic.common.ArquillianBase;

import org.jboss.arquillian.container.test.api.Deployment;

import org.jboss.arquillian.junit.Arquillian;

import org.jboss.shrinkwrap.api.Archive;

import org.junit.Test;

import org.junit.runner.RunWith;

@RunWith(Arquillian.class)

public class InvokeCDIBeanProtectedTest extends ArquillianBase {

@Deployment(testable = false)

public static Archive<?> createDeployment() {

return tryWrapEAR(

defaultWebArchive()

.addAsWebInfResource(resource("beans.xml"))

);

}

@Test

public void protectedInvokeCDIFromValidateRequest() {

String response = getFromServerPath("protected/servlet?tech=cdi");

assertTrue(

"Response did not contain output from CDI bean for validateRequest for protected resource. (note: this is not required by the spec)",

response.contains("validateRequest: Called from CDI")

);

}

@Test

public void protectedInvokeCDIFromCleanSubject() {

String response = getFromServerPath("protected/servlet?tech=cdi");

assertTrue(

"Response did not contain output from CDI bean for cleanSubject for protected resource. (note: this is not required by the spec)",

response.contains("cleanSubject: Called from CDI")

);

}

@Test

public void protectedInvokeCDIFromSecureResponse() {

String response = getFromServerPath("protected/servlet?tech=cdi");

assertTrue(

"Response did not contain output from CDI bean for secureResponse for protected resource. (note: this is not required by the spec)",

response.contains("secureResponse: Called from CDI")

);

}

}