Add servlet only tests from old TCK

tck/app-servlet-constraints/pom.xml

@@ -0,0 +1,60 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+    Copyright (c) 2024 Contributors to Eclipse Foundation.
+    Copyright (c) 2015, 2020 Oracle and/or its affiliates. All rights reserved.
+
+    This program and the accompanying materials are made available under the
+    terms of the Eclipse Public License v. 2.0, which is available at
+    http://www.eclipse.org/legal/epl-2.0.
+
+    This Source Code may also be made available under the following Secondary
+    Licenses when the conditions for such availability set forth in the
+    Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+    version 2 with the GNU Classpath Exception, which is available at
+    https://www.gnu.org/software/classpath/license.html.
+
+    SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+
+-->
+
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+
+	<parent>
+        <groupId>org.eclipse.ee4j.authorization.tck</groupId>
+        <artifactId>jakarta-authorization-tck</artifactId>
+        <version>4.0.0-SNAPSHOT</version>
+    </parent>
+
+	<artifactId>app-servlet-constraints</artifactId>
+	<packaging>war</packaging>
+
+	<description>
+        This module contain tests that do HTTP requests to several resources which are protected in different ways via constraints
+        in a Servlet web.xml.
+
+        The tests do no check anything specific to Jakarta Authorization, and as such the tests should also pass on
+        a Servlet container that does not use Jakarta Authorization at all, as the same behaviour is also specified 
+        by Servlet.
+
+        It is the responsibility of the compatible implementation that is being tested here to make sure that
+        Jakarta Authorization is indeed used, so that these tests indeed test the Jakarta Authorization implementation.
+    </description>
+
+	<properties>
+        <failOnMissingWebXml>false</failOnMissingWebXml>
+    </properties>
+
+	<dependencies>
+        <dependency>
+            <groupId>org.eclipse.ee4j.authorization.tck</groupId>
+            <artifactId>common</artifactId>
+            <version>${project.version}</version>
+        </dependency>
+    </dependencies>
+
+	<build>
+        <finalName>app-servlet-constraints</finalName>
+	</build>
+</project>

tck/app-servlet-constraints/src/main/webapp/WEB-INF/beans.xml

@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+    Copyright (c) 2024 Contributors to Eclipse Foundation.
+    Copyright (c) 2015, 2020 Oracle and/or its affiliates. All rights reserved.
+
+    This program and the accompanying materials are made available under the
+    terms of the Eclipse Public License v. 2.0, which is available at
+    http://www.eclipse.org/legal/epl-2.0.
+
+    This Source Code may also be made available under the following Secondary
+    Licenses when the conditions for such availability set forth in the
+    Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+    version 2 with the GNU Classpath Exception, which is available at
+    https://www.gnu.org/software/classpath/license.html.
+
+    SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+
+-->
+<beans xmlns="https://jakarta.ee/xml/ns/jakartaee"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="https://jakarta.ee/xml/ns/jakartaee https://jakarta.ee/xml/ns/jakartaee/beans_3_0.xsd"
+       bean-discovery-mode="all" version="3.0">
+</beans>

tck/app-servlet-constraints/src/main/webapp/WEB-INF/web.xml

@@ -0,0 +1,226 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+    Copyright (c) 2018 Oracle and/or its affiliates. All rights reserved.
+
+    This program and the accompanying materials are made available under the
+    terms of the Eclipse Public License v. 2.0, which is available at
+    http://www.eclipse.org/legal/epl-2.0.
+
+    This Source Code may also be made available under the following Secondary
+    Licenses when the conditions for such availability set forth in the
+    Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+    version 2 with the GNU Classpath Exception, which is available at
+    https://www.gnu.org/software/classpath/license.html.
+
+    SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+
+-->
+
+<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="https://jakarta.ee/xml/ns/jakartaee https://jakarta.ee/xml/ns/jakartaee/web-app_6_0.xsd"
+         version="6.0">
+
+    <!-- Data protection - can only be accessed using HTTPS -->
+    <servlet>
+        <display-name>sslprotected</display-name>
+        <servlet-name>sslprotected</servlet-name>
+        <jsp-file>/sslprotected.jsp</jsp-file>
+        <load-on-startup>0</load-on-startup>
+        <security-role-ref>
+            <role-name>ADM</role-name>
+            <role-link>Administrator</role-link>
+        </security-role-ref>
+        <security-role-ref>
+            <role-name>MGR</role-name>
+            <role-link>Manager</role-link>
+        </security-role-ref>
+    </servlet>
+    <servlet-mapping>
+        <servlet-name>sslprotected</servlet-name>
+        <url-pattern>/sslprotected.jsp</url-pattern>
+    </servlet-mapping>
+    <security-constraint>
+        <web-resource-collection>
+            <web-resource-name>MySecureBit6</web-resource-name>
+            <url-pattern>/sslprotected.jsp</url-pattern>
+            <http-method>POST</http-method>
+            <http-method>GET</http-method>
+        </web-resource-collection>
+        <auth-constraint>
+            <role-name>Administrator</role-name>
+        </auth-constraint>
+        <user-data-constraint>
+            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
+        </user-data-constraint>
+    </security-constraint>
+
+
+
+    <!-- Excluded: nobody can access this  -->
+    <servlet>
+        <display-name>excluded</display-name>
+        <servlet-name>excluded</servlet-name>
+        <jsp-file>/excluded.jsp</jsp-file>
+        <load-on-startup>0</load-on-startup>
+    </servlet>
+    <servlet-mapping>
+        <servlet-name>excluded</servlet-name>
+        <url-pattern>/excluded.jsp</url-pattern>
+    </servlet-mapping>
+    <security-constraint>
+        <web-resource-collection>
+            <web-resource-name>MySecureBit5</web-resource-name>
+            <url-pattern>/excluded.jsp</url-pattern>
+            <http-method>POST</http-method>
+            <http-method>GET</http-method>
+        </web-resource-collection>
+        <auth-constraint/>
+        <user-data-constraint>
+            <transport-guarantee>NONE</transport-guarantee>
+        </user-data-constraint>
+    </security-constraint>
+
+
+
+    <!-- Unchecked: everyone can access this  -->
+    <servlet>
+        <display-name>unchecked</display-name>
+        <servlet-name>unchecked</servlet-name>
+        <jsp-file>/unchecked.jsp</jsp-file>
+        <load-on-startup>0</load-on-startup>
+    </servlet>
+    <servlet-mapping>
+        <servlet-name>unchecked</servlet-name>
+        <url-pattern>/unchecked.jsp</url-pattern>
+    </servlet-mapping>
+    <security-constraint>
+        <web-resource-collection>
+            <web-resource-name>MySecureBit4</web-resource-name>
+            <url-pattern>/unchecked.jsp</url-pattern>
+            <http-method>POST</http-method>
+            <http-method>GET</http-method>
+        </web-resource-collection>
+        <user-data-constraint>
+            <transport-guarantee>NONE</transport-guarantee>
+        </user-data-constraint>
+    </security-constraint>
+
+
+
+
+    <!-- Authenticated *: any authenticated caller with any role can access this  -->
+    <servlet>
+        <display-name>accesstoall</display-name>
+        <servlet-name>accesstoall</servlet-name>
+        <jsp-file>/accesstoall.jsp</jsp-file>
+        <load-on-startup>0</load-on-startup>
+        <security-role-ref>
+            <role-name>ADM</role-name>
+            <role-link>Administrator</role-link>
+        </security-role-ref>
+        <security-role-ref>
+            <role-name>EMP</role-name>
+            <role-link>Employee</role-link>
+        </security-role-ref>
+        <security-role-ref>
+            <role-name>MGR</role-name>
+            <role-link>Manager</role-link>
+        </security-role-ref>
+    </servlet>
+    <servlet-mapping>
+        <servlet-name>accesstoall</servlet-name>
+        <url-pattern>/accesstoall.jsp</url-pattern>
+    </servlet-mapping>
+    <security-constraint>
+        <web-resource-collection>
+            <web-resource-name>MySecureBit4a</web-resource-name>
+            <url-pattern>/accesstoall.jsp</url-pattern>
+            <http-method>POST</http-method>
+            <http-method>GET</http-method>
+        </web-resource-collection>
+        <auth-constraint>
+            <role-name>*</role-name>
+        </auth-constraint>
+        <user-data-constraint>
+            <transport-guarantee>NONE</transport-guarantee>
+        </user-data-constraint>
+    </security-constraint>
+
+
+
+    <!-- Authenticated **: any authenticated caller can access this  -->
+    <servlet>
+        <display-name>anyauthuser</display-name>
+        <servlet-name>anyauthuser</servlet-name>
+        <jsp-file>/anyauthuser.jsp</jsp-file>
+        <load-on-startup>0</load-on-startup>
+    </servlet>
+    <servlet-mapping>
+        <servlet-name>anyauthuser</servlet-name>
+        <url-pattern>/anyauthuser.jsp</url-pattern>
+    </servlet-mapping>
+    <security-constraint>
+        <web-resource-collection>
+            <web-resource-name>MySecureBit5a</web-resource-name>
+            <url-pattern>/anyauthuser.jsp</url-pattern>
+            <http-method>GET</http-method>
+            <http-method>POST</http-method>
+        </web-resource-collection>
+        <auth-constraint>
+            <role-name>**</role-name>
+        </auth-constraint>
+        <user-data-constraint>
+            <transport-guarantee>NONE</transport-guarantee>
+        </user-data-constraint>
+    </security-constraint>
+
+
+
+    <!-- By role: authenticated caller in specified role can access  -->
+    <servlet>
+        <display-name>secured</display-name>
+        <servlet-name>secured</servlet-name>
+        <jsp-file>/secured.jsp</jsp-file>
+        <load-on-startup>0</load-on-startup>
+        <security-role-ref>
+            <role-name>ADM</role-name>
+            <role-link>Administrator</role-link>
+        </security-role-ref>
+    </servlet>
+    <servlet-mapping>
+        <servlet-name>secured</servlet-name>
+        <url-pattern>/secured.jsp</url-pattern>
+    </servlet-mapping>
+    <security-constraint>
+        <web-resource-collection>
+            <web-resource-name>MySecureBit3</web-resource-name>
+            <url-pattern>/secured.jsp</url-pattern>
+            <http-method>POST</http-method>
+            <http-method>GET</http-method>
+        </web-resource-collection>
+        <auth-constraint>
+            <role-name>Administrator</role-name>
+        </auth-constraint>
+        <user-data-constraint>
+            <transport-guarantee>NONE</transport-guarantee>
+        </user-data-constraint>
+    </security-constraint>
+
+
+    <login-config>
+        <auth-method>BASIC</auth-method>
+        <realm-name>default</realm-name>
+    </login-config>
+
+    <security-role>
+        <role-name>Administrator</role-name>
+    </security-role>
+    <security-role>
+        <role-name>Manager</role-name>
+    </security-role>
+    <security-role>
+        <role-name>Employee</role-name>
+    </security-role>
+</web-app>

tck/app-servlet-constraints/src/main/webapp/accesstoall.jsp

@@ -0,0 +1,58 @@
+<%--
+
+    Copyright (c) 2006, 2018 Oracle and/or its affiliates. All rights reserved.
+
+    This program and the accompanying materials are made available under the
+    terms of the Eclipse Public License v. 2.0, which is available at
+    http://www.eclipse.org/legal/epl-2.0.
+
+    This Source Code may also be made available under the following Secondary
+    Licenses when the conditions for such availability set forth in the
+    Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+    version 2 with the GNU Classpath Exception, which is available at
+    https://www.gnu.org/software/classpath/license.html.
+
+    SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+
+--%>
+
+<!--
+  @(#)AccessToAll.jsp	1.2  06/02/19
+-->
+
+<%@ page language="java" %>
+
+<html>
+    <head><title>JSP with WildCard Auth Constraint</title></head>
+    <body>
+        <h2>JSP with WildCard Auth Constraint</h2>
+
+        <% 
+
+        out.println("The user principal is: " + request.getUserPrincipal().getName() + "<BR>");
+        out.println("getRemoteUser(): " + request.getRemoteUser() + "<BR>" );
+
+        if (request.isUserInRole("ADM")) {
+            out.println("USR_IN_ROLE_ADM");
+        } else
+            out.println("USR_NOT_IN_ROLE_ADM");
+
+        if (request.isUserInRole("MGR")) {
+            out.println("USR_IN_ROLE_MGR");
+        } else
+            out.println("USR_NOT_IN_ROLE_MGR");
+
+        if (request.isUserInRole("EMP")) {
+            out.println("USR_IN_ROLE_EMP");
+        } else
+            out.println("USR_NOT_IN_ROLE_EMP");
+
+        if (request.isUserInRole("VP")) {
+            out.println("USR_IN_ROLE_VP");
+        } else
+            out.println("USR_NOT_IN_ROLE_VP");
+
+        %>
+
+    </body>
+</html>