+ * If at the time of the call, the identified policy context does not exist in the provider, then the policy context + * will be created in the provider and the Object that implements the context's PolicyConfiguration Interface will be + * returned. If the state of the identified context is "deleted" or "inService" it will be transitioned to the "open" + * state as a result of the call. The states in the lifecycle of a policy context are defined by the PolicyConfiguration + * interface. + *
+ * For a given value of policy context identifier, this method must always return the same instance of + * PolicyConfiguration and there must be at most one actual instance of a PolicyConfiguration with a given policy + * context identifier (during a process context). + *
+ * To preserve the invariant that there be at most one PolicyConfiguration object for a given policy context, it may be + * necessary for this method to be thread safe. + *
+ * + * @param contextId A String identifying the policy context whose PolicyConfiguration interface is to be returned. The + * value passed to this parameter must not be null. + *
+ * @param remove A boolean value that establishes whether or not the policy statements of an existing policy context are + * to be removed before its PolicyConfiguration object is returned. If the value passed to this parameter is true, the + * policy statements of an existing policy context will be removed. If the value is false, they will not be removed. + * + * @return an Object that implements the PolicyConfiguration Interface matched to the Policy provider and corresponding + * to the identified policy context. + * + * @throws java.lang.SecurityException when called by an AccessControlContext that has not been granted the "setPolicy" + * SecurityPermission. + * + * @throws jakarta.security.jacc.PolicyContextException if the implementation throws a checked exception that has not + * been accounted for by the getPolicyConfiguration method signature. The exception thrown by the implementation class + * will be encapsulated (during construction) in the thrown PolicyContextException. + */ + + public PolicyConfiguration getPolicyConfiguration(String contextId, boolean remove) throws PolicyContextException { + if (logger.isLoggable(FINER)) { + logger.entering("PolicyConfigurationFactoryImpl", "getPolicyConfiguration"); + } + + PolicyConfiguration policyConfiguration = new TSPolicyConfigurationImpl(contextId, remove, logger); + + logger.log(INFO, "PolicyConfigurationFactory.getPolicyConfiguration() invoked"); + logger.log(FINER, "Getting PolicyConfiguration object with id = " + contextId); + + return policyConfiguration; + } + + /** + * This static method uses a system property to find and instantiate (via a public constructor) a provider specific + * factory implementation class. The name of the provider specific factory implementation class is obtained from the + * value of the system property, + *
+ *
+ * vendor.jakarta.security.jacc.PolicyConfigurationFactory.provider
+ *
+ * + * @return the singleton instance of the provider specific PolicyConfigurationFactory implementation class. + * + * @throws SecurityException when called by an AccessControlContext that has not been granted the "getPolicy" + * SecurityPermission. + * + * @throws PolicyContextException when the class named by the system property could not be found including because the + * value of the system property has not been set. + */ + + public static PolicyConfigurationFactory getPolicyConfigurationFactory() throws PolicyContextException { + if (policyConfigurationFactory != null) { + return policyConfigurationFactory; + } + + String classname = System.getProperty(FACTORY_NAME); + if (classname == null) { + logger.severe("factory.name.notset"); + throw new PolicyContextException("PolicyConfigurationFactory name not set!"); + } + + try { + policyConfigurationFactory = (PolicyConfigurationFactory) + TSPolicyConfigurationFactoryImpl.class + .getClassLoader() + .loadClass(classname) + .getDeclaredConstructor() + .newInstance(); + + if (policyConfigurationFactory != null) { + logger.log(INFO, "PolicyConfigurationFactory instantiated"); + } + } catch (Exception e) { + logger.log(SEVERE, "factory.instantiation.error", e); + throw new PolicyContextException(e); + } + + return policyConfigurationFactory; + } + + /** + * This method determines if the identified policy context exists with state "inService" in the Policy provider + * associated with the factory. + *
+ *
+ * @param contextId A string identifying a policy context
+ *
+ * @return true if the identified policy context exists within the provider and its state is "inService", false
+ * otherwise.
+ *
+ * @throws java.lang.SecurityException when called by an AccessControlContext that has not been granted the "setPolicy"
+ * SecurityPermission.
+ *
+ * @throws jakarta.security.jacc.PolicyContextException if the implementation throws a checked exception that has not
+ * been accounted for by the inService method signature. The exception thrown by the implementation class will be
+ * encapsulated (during construction) in the thrown PolicyContextException.
+ */
+ public boolean inService(String contextId) throws PolicyContextException {
+ if (logger.isLoggable(FINER)) {
+ logger.entering("PolicyConfigurationFactoryImpl", "inService");
+ }
+ logger.log(INFO, "PolicyConfigurationFactory.inService() invoked");
+ logger.log(FINER, "PolicyConfiguration.inService() invoked for context id = " + contextId);
+
+ return policyConfigurationFactory.inService(contextId);
+ }
+
+ public PolicyConfiguration getPolicyConfiguration(String contextID) {
+ if (logger.isLoggable(FINER)) {
+ logger.entering("PolicyConfigurationFactoryImpl", "getPolicyConfiguration(String)");
+ }
+
+ PolicyConfiguration policyConfiguration = policyConfigurationFactory.getPolicyConfiguration(contextID);
+ logger.log(INFO, "PolicyConfigurationFactory.getPolicyConfiguration(String) invoked");
+
+ return policyConfiguration;
+ }
+
+ public PolicyConfiguration getPolicyConfiguration() {
+ if (logger.isLoggable(FINER)) {
+ logger.entering("PolicyConfigurationFactoryImpl", "getPolicyConfiguration()");
+ }
+
+ String contextId = PolicyContext.getContextID();
+ PolicyConfiguration policyConfiguration = policyConfigurationFactory.getPolicyConfiguration(contextId);
+ logger.log(INFO, "PolicyConfigurationFactory.getPolicyConfiguration(String) invoked");
+ logger.log(FINER, "Getting PolicyConfiguration object with id = " + contextId);
+
+ return policyConfiguration;
+ }
+
+}
diff --git a/tck/app-custom-trace-policyconfiguration/src/main/java/ee/jakarta/tck/authorization/test/TSPolicyConfigurationImpl.java b/tck/app-custom-trace-policyconfiguration/src/main/java/ee/jakarta/tck/authorization/test/TSPolicyConfigurationImpl.java
new file mode 100644
index 0000000..a6b7428
--- /dev/null
+++ b/tck/app-custom-trace-policyconfiguration/src/main/java/ee/jakarta/tck/authorization/test/TSPolicyConfigurationImpl.java
@@ -0,0 +1,872 @@
+/*
+ * Copyright (c) 2024 Contributors to the Eclipse Foundation.
+ * Copyright (c) 2007, 2022 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+/*
+ * $Id$
+ *
+ * @author Raja Perumal
+ */
+
+package ee.jakarta.tck.authorization.test;
+
+import static java.util.logging.Level.FINER;
+import static java.util.logging.Level.INFO;
+
+import ee.jakarta.tck.authorization.util.logging.server.TSLogger;
+import jakarta.security.jacc.EJBMethodPermission;
+import jakarta.security.jacc.EJBRoleRefPermission;
+import jakarta.security.jacc.PolicyConfiguration;
+import jakarta.security.jacc.PolicyConfigurationFactory;
+import jakarta.security.jacc.PolicyContextException;
+import jakarta.security.jacc.WebResourcePermission;
+import jakarta.security.jacc.WebRoleRefPermission;
+import jakarta.security.jacc.WebUserDataPermission;
+import java.security.Permission;
+import java.security.PermissionCollection;
+import java.util.Date;
+import java.util.Enumeration;
+import java.util.Map;
+import java.util.Vector;
+import java.util.logging.Level;
+
+/**
+ * Jakarta Authorization PolicyConfiguration delegates the policy configuration tasks
+ * to vendor's PolicyConfiguration implementation class.
+ */
+public class TSPolicyConfigurationImpl implements PolicyConfiguration {
+ private static TSLogger logger;
+
+ private PolicyConfigurationFactory policyConfigurationFactory;
+ private PolicyConfiguration policyConfiguration;
+
+ private String applicationContext;
+ private String appTime;
+
+ private Vector
+ * It is the job of the Policy provider to ensure that all the permissions added to a role are granted to principals
+ * "mapped to the role".
+ *
+ * @param roleName the name of the Role to which the permissions are to be added.
+ * @param permissions the collection of permissions to be added to the role. The collection may be either a homogenous
+ * or heterogenous collection.
+ *
+ * @throws java.lang.SecurityException if called by an AccessControlContext that has not been granted the "setPolicy"
+ * SecurityPermission.
+ *
+ * @throws java.lang.UnsupportedOperationException if the state of the policy context whose interface is this
+ * PolicyConfiguration Object is "deleted" or "inService" when this method is called.
+ *
+ * @throws jakarta.security.jacc.PolicyContextException if the implementation throws a checked exception that has not
+ * been accounted for by the addToRole method signature. The exception thrown by the implementation class will be
+ * encapsulated (during construction) in the thrown PolicyContextException.
+ */
+ public void addToRole(String roleName, PermissionCollection permissions) throws PolicyContextException {
+ if (logger.isLoggable(FINER)) {
+ logger.entering("TSPolicyConfigurationImpl", "addToRole");
+ }
+ if (roleName == null || permissions == null) {
+ return;
+ }
+
+ policyConfiguration = policyConfigurationFactory.getPolicyConfiguration(applicationContext, false);
+ policyConfiguration.addToRole(roleName, permissions);
+ assertStateNotInservice("addToRole");
+
+ if (logger.isLoggable(INFO)) {
+ StringBuffer sbuf = new StringBuffer("");
+ int bufLength = 0;
+ for (Enumeration
+ * It is the job of the Policy provider to ensure that all the permissions added to a role are granted to principals
+ * "mapped to the role".
+ *
+ *
+ * @param roleName the name of the Role to which the permission is to be added.
+ *
+ * @param permission the permission to be added to the role.
+ *
+ * @throws java.lang.SecurityException if called by an AccessControlContext that has not been granted the "setPolicy"
+ * SecurityPermission.
+ *
+ * @throws java.lang.UnsupportedOperationException if the state of the policy context whose interface is this
+ * PolicyConfiguration Object is "deleted" or "inService" when this method is called.
+ *
+ * @throws jakarta.security.jacc.PolicyContextException if the implementation throws a checked exception that has not
+ * been accounted for by the addToRole method signature. The exception thrown by the implementation class will be
+ * encapsulated (during construction) in the thrown PolicyContextException.
+ */
+ public void addToRole(String roleName, Permission permission) throws PolicyContextException {
+ String permissionType = null;
+ if (logger.isLoggable(FINER)) {
+ logger.entering("TSPolicyConfigurationImpl", "addToRole");
+ }
+ if (roleName == null || permission == null)
+ return;
+
+ policyConfiguration = policyConfigurationFactory.getPolicyConfiguration(applicationContext, false);
+
+ policyConfiguration.addToRole(roleName, permission);
+ assertStateNotInservice("addToRole");
+
+ // Get the permission type,
+ // valid permission types are
+ // 1) WebResourcePermission
+ // 2) WebUserDataPermission
+ // 3) WebRoleRefPermission
+ // 4) EJBMethodPermission
+ // 5) EJBRoleRefPermission
+ permissionType = getPermissionType(permission);
+ if (logger.isLoggable(INFO)) {
+ String sbuf = new String("addToRole :: " + applicationContext + " , " + appTime + " , " + permissionType + " , "
+ + permission.getName() + " , " + permission.getActions());
+ logger.log(INFO, sbuf);
+ }
+
+ if (permissionType.equals("WebResourcePermission") || permissionType.equals("WebRoleRefPermission")
+ || permissionType.equals("EJBMethodPermission") || permissionType.equals("EJBRoleRefPermission")) {
+ // logged so we can check roleNames and resourcePerms
+ logger.log(INFO,
+ "MSG_TAG :: " + permissionType + " :: " + roleName + " :: " + applicationContext + " :: " + permission.getName());
+ }
+
+ if (logger.isLoggable(FINER)) {
+ logger.exiting("TSPolicyConfigurationImpl", "addToRole");
+ }
+ }
+
+ /**
+ * Used to add unchecked policy statements to this PolicyConfiguration.
+ *
+ *
+ * @param permissions the collection of permissions to be added as unchecked policy statements. The collection may be
+ * either a homogenous or heterogenous collection.
+ *
+ * @throws java.lang.SecurityException if called by an AccessControlContext that has not been granted the "setPolicy"
+ * SecurityPermission.
+ *
+ * @throws java.lang.UnsupportedOperationException if the state of the policy context whose interface is this
+ * PolicyConfiguration Object is "deleted" or "inService" when this method is called.
+ *
+ * @throws jakarta.security.jacc.PolicyContextException if the implementation throws a checked exception that has not
+ * been accounted for by the addToUncheckedPolicy method signature. The exception thrown by the implementation class
+ * will be encapsulated (during construction) in the thrown PolicyContextException.
+ */
+ public void addToUncheckedPolicy(PermissionCollection permissions) throws PolicyContextException {
+ if (logger.isLoggable(FINER)) {
+ logger.entering("TSPolicyConfigurationImpl", "addToUncheckedPolicy");
+ }
+ if (permissions == null) {
+ return;
+ }
+
+ policyConfiguration = policyConfigurationFactory.getPolicyConfiguration(applicationContext, false);
+ policyConfiguration.addToUncheckedPolicy(permissions);
+ assertStateNotInservice("addToUncheckedPolicy");
+
+ if (logger.isLoggable(INFO)) {
+ StringBuffer sbuf = new StringBuffer("");
+ int bufLength = 0;
+
+ for (Enumeration
+ *
+ * @param permission the permission to be added to the unchecked policy statements.
+ *
+ * @throws java.lang.SecurityException if called by an AccessControlContext that has not been granted the "setPolicy"
+ * SecurityPermission.
+ *
+ * @throws java.lang.UnsupportedOperationException if the state of the policy context whose interface is this
+ * PolicyConfiguration Object is "deleted" or "inService" when this method is called.
+ *
+ * @throws jakarta.security.jacc.PolicyContextException if the implementation throws a checked exception that has not
+ * been accounted for by the addToUncheckedPolicy method signature. The exception thrown by the implementation class
+ * will be encapsulated (during construction) in the thrown PolicyContextException.
+ */
+ public void addToUncheckedPolicy(Permission permission) throws PolicyContextException {
+ if (logger.isLoggable(FINER)) {
+ logger.entering("TSPolicyConfigurationImpl", "addToUncheckedPolicy");
+ }
+
+ if (permission == null) {
+ return;
+ }
+
+ policyConfiguration = policyConfigurationFactory.getPolicyConfiguration(applicationContext, false);
+ policyConfiguration.addToUncheckedPolicy(permission);
+ assertStateNotInservice("addToUncheckedPolicy");
+
+ // Get the permission type,
+ // valid permission types are
+ // 1) WebResourcePermission
+ // 2) WebUserDataPermission
+ // 3) WebRoleRefPermission
+ // 4) EJBMethodPermission
+ // 5) EJBRoleRefPermission
+ String permissionType = getPermissionType(permission);
+ if (logger.isLoggable(INFO)) {
+ logger.log(INFO, "unchecked :: " + applicationContext + " , " + appTime + " , " + permissionType + " , "
+ + permission.getName() + " , " + permission.getActions());
+ }
+ if (logger.isLoggable(FINER)) {
+ logger.exiting("TSPolicyConfigurationImpl", "addToUncheckedPolicy");
+ }
+ }
+
+ /**
+ * Used to add excluded policy statements to this PolicyConfiguration.
+ *
+ *
+ * @param permissions the collection of permissions to be added to the excluded policy statements. The collection may be
+ * either a homogenous or heterogenous collection.
+ *
+ * @throws java.lang.SecurityException if called by an AccessControlContext that has not been granted the "setPolicy"
+ * SecurityPermission.
+ *
+ * @throws java.lang.UnsupportedOperationException if the state of the policy context whose interface is this
+ * PolicyConfiguration Object is "deleted" or "inService" when this method is called.
+ *
+ * @throws jakarta.security.jacc.PolicyContextException if the implementation throws a checked exception that has not
+ * been accounted for by the addToExcludedPolicy method signature. The exception thrown by the implementation class will
+ * be encapsulated (during construction) in the thrown PolicyContextException.
+ */
+ public void addToExcludedPolicy(PermissionCollection permissions) throws PolicyContextException {
+ if (logger.isLoggable(FINER)) {
+ logger.entering("TSPolicyConfigurationImpl", "addToExcludedPolicy");
+ }
+ if (permissions == null)
+ return;
+
+ policyConfiguration = policyConfigurationFactory.getPolicyConfiguration(applicationContext, false);
+ policyConfiguration.addToExcludedPolicy(permissions);
+ assertStateNotInservice("addToExcludedPolicy");
+
+ if (logger.isLoggable(INFO)) {
+ StringBuffer sbuf = new StringBuffer("");
+ int bufLength = 0;
+ for (Enumeration
+ *
+ * @param permission the permission to be added to the excluded policy statements.
+ *
+ * @throws java.lang.SecurityException if called by an AccessControlContext that has not been granted the "setPolicy"
+ * SecurityPermission.
+ *
+ * @throws java.lang.UnsupportedOperationException if the state of the policy context whose interface is this
+ * PolicyConfiguration Object is "deleted" or "inService" when this method is called.
+ *
+ * @throws jakarta.security.jacc.PolicyContextException if the implementation throws a checked exception that has not
+ * been accounted for by the addToExcludedPolicy method signature. The exception thrown by the implementation class will
+ * be encapsulated (during construction) in the thrown PolicyContextException.
+ */
+ public void addToExcludedPolicy(Permission permission) throws PolicyContextException {
+ if (logger.isLoggable(FINER)) {
+ logger.entering("TSPolicyConfigurationImpl", "addToExcludedPolicy");
+ }
+ if (permission == null) {
+ return;
+ }
+
+ policyConfiguration = policyConfigurationFactory.getPolicyConfiguration(applicationContext, false);
+ policyConfiguration.addToExcludedPolicy(permission);
+ assertStateNotInservice("addToExcludedPolicy");
+
+ // Get the permission type,
+ // valid permission types are
+ // 1) WebResourcePermission
+ // 2) WebUserDataPermission
+ // 3) WebRoleRefPermission
+ // 4) EJBMethodPermission
+ // 5) EJBRoleRefPermission
+ String permissionType = getPermissionType(permission);
+ if (logger.isLoggable(INFO)) {
+ logger.log(INFO, "excluded :: " + applicationContext + " , " + appTime + " , " + permissionType + " , "
+ + permission.getName() + " , " + permission.getActions());
+ }
+ if (logger.isLoggable(FINER)) {
+ logger.exiting("TSPolicyConfigurationImpl", "addToExcludedPolicy");
+ }
+ }
+
+ /**
+ * Used to remove a role and all its permissions from this PolicyConfiguration.
+ *
+ *
+ * @param roleName the name of the Role to remove from this PolicyConfiguration.
+ *
+ * @throws java.lang.SecurityException if called by an AccessControlContext that has not been granted the "setPolicy"
+ * SecurityPermission.
+ *
+ * @throws java.lang.UnsupportedOperationException if the state of the policy context whose interface is this
+ * PolicyConfiguration Object is "deleted" or "inService" when this method is called.
+ *
+ * @throws jakarta.security.jacc.PolicyContextException if the implementation throws a checked exception that has not
+ * been accounted for by the removeRole method signature. The exception thrown by the implementation class will be
+ * encapsulated (during construction) in the thrown PolicyContextException.
+ */
+ public void removeRole(String roleName) throws PolicyContextException {
+ if (logger.isLoggable(FINER)) {
+ logger.entering("TSPolicyConfigurationImpl", "removeRole");
+ }
+ if (roleName == null) {
+ return;
+ }
+
+ policyConfiguration = policyConfigurationFactory.getPolicyConfiguration(applicationContext, false);
+ policyConfiguration.removeRole(roleName);
+ assertStateNotInservice("removeRole");
+
+ if (logger.isLoggable(INFO)) {
+ logger.log(INFO, "Removed Role :: " + roleName);
+ }
+ if (logger.isLoggable(FINER)) {
+ logger.exiting("TSPolicyConfigurationImpl", "removeRole");
+ }
+ }
+
+ /**
+ * Used to remove any unchecked policy statements from this PolicyConfiguration.
+ *
+ * @throws java.lang.SecurityException if called by an AccessControlContext that has not been granted the "setPolicy"
+ * SecurityPermission.
+ *
+ * @throws java.lang.UnsupportedOperationException if the state of the policy context whose interface is this
+ * PolicyConfiguration Object is "deleted" or "inService" when this method is called.
+ *
+ * @throws jakarta.security.jacc.PolicyContextException if the implementation throws a checked exception that has not
+ * been accounted for by the removeUncheckedPolicy method signature. The exception thrown by the implementation class
+ * will be encapsulated (during construction) in the thrown PolicyContextException.
+ */
+ public void removeUncheckedPolicy() throws PolicyContextException {
+ if (logger.isLoggable(FINER)) {
+ logger.entering("TSPolicyConfigurationImpl", "removeUncheckedPolicy");
+ }
+
+ policyConfiguration = policyConfigurationFactory.getPolicyConfiguration(applicationContext, false);
+ policyConfiguration.removeUncheckedPolicy();
+ assertStateNotInservice("removeUncheckedPolicy");
+
+ if (logger.isLoggable(INFO)) {
+ logger.log(INFO, "Removed all unchecked policy statements");
+ }
+ if (logger.isLoggable(FINER)) {
+ logger.exiting("TSPolicyConfigurationImpl", "removeUncheckedPolicy");
+ }
+ }
+
+ /**
+ * Used to remove any excluded policy statements from this PolicyConfiguration.
+ *
+ * @throws java.lang.SecurityException if called by an AccessControlContext that has not been granted the "setPolicy"
+ * SecurityPermission.
+ *
+ * @throws java.lang.UnsupportedOperationException if the state of the policy context whose interface is this
+ * PolicyConfiguration Object is "deleted" or "inService" when this method is called.
+ *
+ * @throws jakarta.security.jacc.PolicyContextException if the implementation throws a checked exception that has not
+ * been accounted for by the removeExcludedPolicy method signature. The exception thrown by the implementation class
+ * will be encapsulated (during construction) in the thrown PolicyContextException.
+ */
+ public void removeExcludedPolicy() throws PolicyContextException {
+ if (logger.isLoggable(FINER)) {
+ logger.entering("TSPolicyConfigurationImpl", "removeExcludedPolicy");
+ }
+
+ policyConfiguration = policyConfigurationFactory.getPolicyConfiguration(applicationContext, false);
+ policyConfiguration.removeExcludedPolicy();
+ assertStateNotInservice("removeExcludedPolicy");
+
+ if (logger.isLoggable(INFO)) {
+ logger.log(INFO, "Removed all excluded policy statements");
+ }
+ if (logger.isLoggable(FINER)) {
+ logger.exiting("TSPolicyConfigurationImpl", "removeExcludedPolicy");
+ }
+ }
+
+ /**
+ * This method is used to set to "inService" the state of the policy context whose interface is this PolicyConfiguration
+ * Object. Only those policy contexts whose state is "inService" will be included in the policy contexts processed by
+ * the Policy.refresh method. A policy context whose state is "inService" may be returned to the "open" state by calling
+ * the getPolicyConfiguration method of the PolicyConfiguration factory with the policy context identifier of the policy
+ * context.
+ *
+ * When the state of a policy context is "inService", calling any method other than commit, delete, getContextID, or
+ * inService on its PolicyConfiguration Object will cause an UnsupportedOperationException to be thrown.
+ *
+ * @throws java.lang.SecurityException if called by an AccessControlContext that has not been granted the "setPolicy"
+ * SecurityPermission.
+ *
+ * @throws java.lang.UnsupportedOperationException if the state of the policy context whose interface is this
+ * PolicyConfiguration Object is "deleted" when this method is called.
+ *
+ * @throws jakarta.security.jacc.PolicyContextException if the implementation throws a checked exception that has not
+ * been accounted for by the commit method signature. The exception thrown by the implementation class will be
+ * encapsulated (during construction) in the thrown PolicyContextException.
+ */
+ public void commit() throws PolicyContextException {
+ if (logger.isLoggable(FINER)) {
+ logger.entering("TSPolicyConfigurationImpl", "commit");
+ }
+
+ policyConfiguration.inService();
+ policyConfiguration.commit();
+
+ assertIsInserviceState("commit");
+
+ if (logger.isLoggable(INFO)) {
+ logger.log(INFO, "PolicyConfiguration.commit() called");
+ }
+ if (logger.isLoggable(FINER)) {
+ logger.exiting("TSPolicyConfigurationImpl", "commit");
+ }
+ }
+
+ /**
+ * Creates a relationship between this configuration and another such that they share the same principal-to-role
+ * mappings. PolicyConfigurations are linked to apply a common principal-to-role mapping to multiple seperately
+ * manageable PolicyConfigurations, as is required when an application is composed of multiple modules.
+ *
+ * Note that the policy statements which comprise a role, or comprise the excluded or unchecked policy collections in a
+ * PolicyConfiguration are unaffected by the configuration being linked to another.
+ *
+ *
+ * @param link a reference to a different PolicyConfiguration than this PolicyConfiguration.
+ *
+ * The relationship formed by this method is symetric, transitive and idempotent. If the argument PolicyConfiguration
+ * does not have a different Policy context identifier than this PolicyConfiguration no relationship is formed, and an
+ * exception, as described below, is thrown.
+ *
+ * @throws java.lang.SecurityException if called by an AccessControlContext that has not been granted the "setPolicy"
+ * SecurityPermission.
+ *
+ * @throws java.lang.UnsupportedOperationException if the state of the policy context whose interface is this
+ * PolicyConfiguration Object is "deleted" or "inService" when this method is called.
+ *
+ * @throws java.lang.IllegalArgumentException if called with an argument PolicyConfiguration whose Policy context is
+ * equivalent to that of this PolicyConfiguration.
+ *
+ * @throws jakarta.security.jacc.PolicyContextException if the implementation throws a checked exception that has not
+ * been accounted for by the linkConfiguration method signature. The exception thrown by the implementation class will
+ * be encapsulated (during construction) in the thrown PolicyContextException.
+ */
+ public void linkConfiguration(PolicyConfiguration link) throws PolicyContextException {
+ if (logger.isLoggable(FINER)) {
+ logger.entering("TSPolicyConfigurationImpl", "linkConfiguration");
+ }
+
+ if (link != null) {
+ String contextId = link.getContextID();
+
+ // Check if the application name already exists
+ if (applicationLinkTable != null) {
+
+ // Now add the contextId that is being linked to applicationLinkTable
+ if (!applicationLinkTable.contains(contextId)) {
+ applicationLinkTable.add(contextId);
+ }
+
+ // Now add this.applicationContextId to applicationLinkTable
+ if (!applicationLinkTable.contains(applicationContext)) {
+ applicationLinkTable.add(applicationContext);
+ }
+ }
+
+ if (logger.isLoggable(INFO)) {
+ StringBuffer sbuf = new StringBuffer("");
+ sbuf.append("link :: ");
+ for (Enumeration
+ * This operation has no affect on any linked PolicyConfigurations other than removing any links involving the deleted
+ * PolicyConfiguration.
+ *
+ * @throws java.lang.SecurityException if called by an AccessControlContext that has not been granted the "setPolicy"
+ * SecurityPermission.
+ *
+ * @throws jakarta.security.jacc.PolicyContextException if the implementation throws a checked exception that has not
+ * been accounted for by the delete method signature. The exception thrown by the implementation class will be
+ * encapsulated (during construction) in the thrown PolicyContextException.
+ */
+ public void delete() throws PolicyContextException {
+ if (logger.isLoggable(FINER)) {
+ logger.entering("TSPolicyConfigurationImpl", "delete");
+ }
+
+ policyConfiguration.delete();
+ assertStateNotInservice("delete");
+
+ if (logger.isLoggable(INFO)) {
+ logger.log(INFO, "Deleted all policy statements");
+ }
+ if (logger.isLoggable(FINER)) {
+ logger.exiting("TSPolicyConfigurationImpl", "delete");
+ }
+ }
+
+ /**
+ * This method is used to determine if the policy context whose interface is this PolicyConfiguration Object is in the
+ * "inService" state.
+ *
+ * @return true if the state of the associated policy context is "inService"; false otherwise.
+ *
+ * @throws java.lang.SecurityException if called by an AccessControlContext that has not been granted the "setPolicy"
+ * SecurityPermission.
+ *
+ * @throws jakarta.security.jacc.PolicyContextException if the implementation throws a checked exception that has not
+ * been accounted for by the inService method signature. The exception thrown by the implementation class will be
+ * encapsulated (during construction) in the thrown PolicyContextException.
+ */
+ public boolean inService() throws PolicyContextException {
+ if (logger.isLoggable(FINER)) {
+ logger.entering("TSPolicyConfigurationImpl", "inService");
+ }
+
+ boolean wasInservice = policyConfiguration.inService();
+
+ boolean ret = policyConfiguration.inService();
+
+ // If the state was inService befor our policyConfiguration.inService()
+ // call, then it must remain in that state as its next transitional
+ // state (per javadoc table)
+ if (wasInservice) {
+ assertIsInserviceState("inService");
+ } else {
+ // state was not inService so must've been OPEN or DELETED but
+ // either way, the next state must remain the same so we know
+ // we should NOT trasition to different state
+ assertStateNotInservice("inService");
+ }
+
+ if (logger.isLoggable(Level.FINE)) {
+ logger.log(Level.FINE, "PolicyConfiguration.inService() called");
+ }
+ if (logger.isLoggable(FINER)) {
+ logger.exiting("TSPolicyConfigurationImpl", "inService");
+ }
+
+ return ret;
+ }
+
+ public String getPermissionType(Permission permission) {
+ if (permission instanceof WebResourcePermission)
+ return "WebResourcePermission";
+ else if (permission instanceof WebUserDataPermission)
+ return "WebUserDataPermission";
+ else if (permission instanceof WebRoleRefPermission)
+ return "WebRoleRefPermission";
+ else if (permission instanceof EJBMethodPermission)
+ return "EJBMethodPermission";
+ else if (permission instanceof EJBRoleRefPermission)
+ return "EJBRoleRefPermission";
+ else
+ return null;
+ }
+
+ // This method process the input string and stuffs the character twice if
+ // the processed character is not an alphabet
+ public static String stuffData(String inputStr) {
+ char[] outStr = new char[2048];
+ char[] str = inputStr.toCharArray();
+ for (int i = 0, j = 0; i < str.length; i++) {
+ int a = Character.getNumericValue(str[i]);
+
+ // Don't stuff extra character if the character is an alphabet
+ //
+ // Numeric values for alphabets falls in 10 to 35, this includes
+ // both upper and lower cases
+ if (a > 9 && a < 36) {
+ outStr[j++] = str[i];
+
+ } else { // stuff the character
+ outStr[j++] = str[i];
+ outStr[j++] = str[i];
+ }
+ }
+ return new String(outStr).trim();
+ }
+
+ public PermissionCollection getExcludedPermissions() {
+ return policyConfiguration.getExcludedPermissions();
+ }
+
+ public PermissionCollection getUncheckedPermissions() {
+ return policyConfiguration.getUncheckedPermissions();
+ }
+
+ public Map
+ * This is a delegating PolicyConfigurationFactory which delegates the policy
+ * configurations to vendor implementation of PolicyConfigurationFactory class.
+ *
+ *
+ * It traces a few operations into a dedicated log, which the tests inspect.
+ *
+ */
+public class TSPolicyConfigurationFactoryImpl extends PolicyConfigurationFactory {
+
+ private static TSLogger logger = TSLogger.getTSLogger();
+
+ private static String FACTORY_NAME = "vendor.jakarta.security.jacc.PolicyConfigurationFactory.provider";
+
+ private static PolicyConfigurationFactory policyConfigurationFactory;
+
+ public TSPolicyConfigurationFactoryImpl() throws PolicyContextException {
+ try {
+ policyConfigurationFactory = TSPolicyConfigurationFactoryImpl.getPolicyConfigurationFactory();
+ } catch (PolicyContextException pce) {
+ if (logger != null) {
+ logger.severe("Failed to get PolicyConfigurationFactory");
+ }
+
+ throw new PolicyContextException(pce);
+ }
+ }
+
+ /**
+ * This method is used to obtain an instance of the provider specific class that implements the PolicyConfiguration
+ * interface that corresponds to the identified policy context within the provider. The methods of the
+ * PolicyConfiguration interface are used to define the policy statements of the identified policy context.
+ *
+ * If at the time of the call, the identified policy context does not exist in the provider, then the policy context
+ * will be created in the provider and the Object that implements the context's PolicyConfiguration Interface will be
+ * returned. If the state of the identified context is "deleted" or "inService" it will be transitioned to the "open"
+ * state as a result of the call. The states in the lifecycle of a policy context are defined by the PolicyConfiguration
+ * interface.
+ *
+ * For a given value of policy context identifier, this method must always return the same instance of
+ * PolicyConfiguration and there must be at most one actual instance of a PolicyConfiguration with a given policy
+ * context identifier (during a process context).
+ *
+ * To preserve the invariant that there be at most one PolicyConfiguration object for a given policy context, it may be
+ * necessary for this method to be thread safe.
+ *
+ *
+ * @param contextId A String identifying the policy context whose PolicyConfiguration interface is to be returned. The
+ * value passed to this parameter must not be null.
+ *
+ * @param remove A boolean value that establishes whether or not the policy statements of an existing policy context are
+ * to be removed before its PolicyConfiguration object is returned. If the value passed to this parameter is true, the
+ * policy statements of an existing policy context will be removed. If the value is false, they will not be removed.
+ *
+ * @return an Object that implements the PolicyConfiguration Interface matched to the Policy provider and corresponding
+ * to the identified policy context.
+ *
+ * @throws java.lang.SecurityException when called by an AccessControlContext that has not been granted the "setPolicy"
+ * SecurityPermission.
+ *
+ * @throws jakarta.security.jacc.PolicyContextException if the implementation throws a checked exception that has not
+ * been accounted for by the getPolicyConfiguration method signature. The exception thrown by the implementation class
+ * will be encapsulated (during construction) in the thrown PolicyContextException.
+ */
+
+ public PolicyConfiguration getPolicyConfiguration(String contextId, boolean remove) throws PolicyContextException {
+ if (logger.isLoggable(FINER)) {
+ logger.entering("PolicyConfigurationFactoryImpl", "getPolicyConfiguration");
+ }
+
+ PolicyConfiguration policyConfiguration = policyConfigurationFactory.getPolicyConfiguration(contextId, remove);
+
+ logger.log(INFO, "PolicyConfigurationFactory.getPolicyConfiguration() invoked");
+ logger.log(FINER, "Getting PolicyConfiguration object with id = " + contextId);
+
+ return policyConfiguration;
+ }
+
+ /**
+ * This static method uses a system property to find and instantiate (via a public constructor) a provider specific
+ * factory implementation class. The name of the provider specific factory implementation class is obtained from the
+ * value of the system property,
+ *
+ *
+ *
+ * @return the singleton instance of the provider specific PolicyConfigurationFactory implementation class.
+ *
+ * @throws SecurityException when called by an AccessControlContext that has not been granted the "getPolicy"
+ * SecurityPermission.
+ *
+ * @throws PolicyContextException when the class named by the system property could not be found including because the
+ * value of the system property has not been set.
+ */
+
+ public static PolicyConfigurationFactory getPolicyConfigurationFactory() throws PolicyContextException {
+ if (policyConfigurationFactory != null) {
+ return policyConfigurationFactory;
+ }
+
+ String classname = System.getProperty(FACTORY_NAME);
+ if (classname == null) {
+ logger.severe("factory.name.notset");
+ throw new PolicyContextException("PolicyConfigurationFactory name not set!");
+ }
+
+ try {
+ policyConfigurationFactory = (PolicyConfigurationFactory)
+ TSPolicyConfigurationFactoryImpl.class
+ .getClassLoader()
+ .loadClass(classname)
+ .getDeclaredConstructor()
+ .newInstance();
+
+ if (policyConfigurationFactory != null) {
+ logger.log(INFO, "PolicyConfigurationFactory instantiated");
+ }
+ } catch (Exception e) {
+ logger.log(SEVERE, "factory.instantiation.error", e);
+ throw new PolicyContextException(e);
+ }
+
+ return policyConfigurationFactory;
+ }
+
+ /**
+ * This method determines if the identified policy context exists with state "inService" in the Policy provider
+ * associated with the factory.
+ *
+ *
+ * @param contextId A string identifying a policy context
+ *
+ * @return true if the identified policy context exists within the provider and its state is "inService", false
+ * otherwise.
+ *
+ * @throws java.lang.SecurityException when called by an AccessControlContext that has not been granted the "setPolicy"
+ * SecurityPermission.
+ *
+ * @throws jakarta.security.jacc.PolicyContextException if the implementation throws a checked exception that has not
+ * been accounted for by the inService method signature. The exception thrown by the implementation class will be
+ * encapsulated (during construction) in the thrown PolicyContextException.
+ */
+ public boolean inService(String contextId) throws PolicyContextException {
+ if (logger.isLoggable(FINER)) {
+ logger.entering("PolicyConfigurationFactoryImpl", "inService");
+ }
+ logger.log(INFO, "PolicyConfigurationFactory.inService() invoked");
+ logger.log(FINER, "PolicyConfiguration.inService() invoked for context id = " + contextId);
+
+ return policyConfigurationFactory.inService(contextId);
+ }
+
+ public PolicyConfiguration getPolicyConfiguration(String contextID) {
+ if (logger.isLoggable(FINER)) {
+ logger.entering("PolicyConfigurationFactoryImpl", "getPolicyConfiguration(String)");
+ }
+
+ PolicyConfiguration policyConfiguration = policyConfigurationFactory.getPolicyConfiguration(contextID);
+ logger.log(INFO, "PolicyConfigurationFactory.getPolicyConfiguration(String) invoked");
+
+ return policyConfiguration;
+ }
+
+ public PolicyConfiguration getPolicyConfiguration() {
+ if (logger.isLoggable(FINER)) {
+ logger.entering("PolicyConfigurationFactoryImpl", "getPolicyConfiguration()");
+ }
+
+ String contextId = PolicyContext.getContextID();
+ PolicyConfiguration policyConfiguration = policyConfigurationFactory.getPolicyConfiguration(contextId);
+ logger.log(INFO, "PolicyConfigurationFactory.getPolicyConfiguration(String) invoked");
+ logger.log(FINER, "Getting PolicyConfiguration object with id = " + contextId);
+
+ return policyConfiguration;
+ }
+
+}
diff --git a/tck/app-custom-trace-policyconfigurationfactory/src/main/webapp/WEB-INF/beans.xml b/tck/app-custom-trace-policyconfigurationfactory/src/main/webapp/WEB-INF/beans.xml
new file mode 100644
index 0000000..7b7b7ad
--- /dev/null
+++ b/tck/app-custom-trace-policyconfigurationfactory/src/main/webapp/WEB-INF/beans.xml
@@ -0,0 +1,24 @@
+
+
+
+ * If a new logger is created its log level will be configured based on the LogManager configuration and it will
+ * configured to also send logging output to its parent's handlers. It will be registered in the LogManager global
+ * namespace.
+ *
+ * @param name A name for the logger. This should be a dot-separated name and should normally be based on the package
+ * name or class name of the subsystem, such as java.net or javax.swing
+ * @return a suitable Logger
+ */
+ public static synchronized TSLogger getTSLogger(String name) {
+ TSLogger result = null;
+
+ LogManager manager = LogManager.getLogManager();
+
+ if (tsLogger != null) {
+ if (tsLogger.getName().equals(name)) {
+ result = tsLogger;
+ }
+ } else {
+ result = new TSLogger(name);
+ manager.addLogger(result);
+ }
+
+ return result;
+ }
+
+ /**
+ * Log a message, with no arguments.
+ *
+ * If the logger is currently enabled for the given message level then the given message is forwarded to all the
+ * registered output Handler objects.
+ *
+ *
+ * @param level One of the message level identifiers, e.g. SEVERE
+ * @param msg The string message (or a key in the message catalog)
+ */
+ @Override
+ public void log(Level level, String msg) {
+ // assign default context (jacc_ctx) to all messages ???
+ log(level, msg, "jacc_ctx");
+ }
+
+ /**
+ * Log a message, with no arguments.
+ *
+ * If the logger is currently enabled for the given message level then the given message is forwarded to all the
+ * registered output Handler objects.
+ *
+ *
+ * @param level One of the message level identifiers, e.g. SEVERE
+ * @param msg The string message (or a key in the message catalog)
+ * @param contextId the logging context Id
+ */
+ public void log(Level level, String msg, String contextId) {
+ if (level.intValue() < levelValue || levelValue == offValue) {
+ return;
+ }
+
+ TSLogRecord lr = new TSLogRecord(level, msg, contextId);
+ String rbn = null;
+
+ Logger target = this;
+ while (target != null) {
+ rbn = target.getResourceBundleName();
+ if (rbn != null) {
+ break;
+ }
+ target = target.getParent();
+ }
+
+ if (rbn != null) {
+ lr.setResourceBundleName(rbn);
+ }
+
+ log(lr);
+ }
+
+ /**
+ * Log a TSLogRecord.
+ *
+ * @param record the TSLogRecord to be published
+ */
+ public void log(TSLogRecord record) {
+ if (record.getLevel().intValue() < levelValue || levelValue == offValue) {
+ return;
+ }
+
+ synchronized (this) {
+ if (filter != null && !filter.isLoggable(record)) {
+ return;
+ }
+ }
+
+ // Post the LogRecord to all our Handlers, and then to
+ // our parents' handlers, all the way up the tree.
+
+ TSLogger logger = this;
+ while (logger != null) {
+ Handler targets[] = logger.getHandlers();
+
+ if (targets != null) {
+ for (int i = 0; i < targets.length; i++) {
+ // targets[i].publish(record);
+
+ // Publish record only if the
+ // handler is of type FileHandler
+ // Do not publish to all parent handler
+ // Parent handler may not be able to
+ // Format the TSLogRecord, because
+ // TSLogRecord is the custom record.
+ if (targets[i] instanceof FileHandler) {
+ targets[i].publish(record);
+ }
+ }
+ }
+
+ if (!logger.getUseParentHandlers()) {
+ break;
+ }
+
+ logger = null;
+ }
+ }
+
+}
diff --git a/tck/common/src/main/java/ee/jakarta/tck/authorization/util/logging/server/TSXMLFormatter.java b/tck/common/src/main/java/ee/jakarta/tck/authorization/util/logging/server/TSXMLFormatter.java
new file mode 100644
index 0000000..67056b2
--- /dev/null
+++ b/tck/common/src/main/java/ee/jakarta/tck/authorization/util/logging/server/TSXMLFormatter.java
@@ -0,0 +1,212 @@
+/*
+ * Copyright (c) 2007, 2020 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+/**
+ * $Id$
+ *
+ * @author Raja Perumal
+ * 07/13/02
+ */
+
+package ee.jakarta.tck.authorization.util.logging.server;
+
+import java.util.ResourceBundle;
+import java.util.logging.Handler;
+import java.util.logging.Level;
+import java.util.logging.LogRecord;
+import java.util.logging.XMLFormatter;
+
+/**
+ * TSXMLFormatter formats TSLogRecord in XML format.
+ *
+ */
+public class TSXMLFormatter extends XMLFormatter {
+
+ private String contextId;
+
+ /**
+ * Override parent class format method
+ *
+ * @param lrecord the LogRecord to be formatted.
+ * @return a formatted log record
+ */
+ @Override
+ public String format(LogRecord lrecord) {
+
+ String message = lrecord.getMessage();
+ Level level = lrecord.getLevel();
+ TSLogRecord record = new TSLogRecord(level, message);
+
+ return format(record);
+ }
+
+ /**
+ * Format the given message to XML.
+ *
+ * @param record the log record to be formatted.
+ * @return a formatted log record
+ */
+ public String format(TSLogRecord record) {
+
+ // TSLogRecord record = (TSLogRecord)lrecord;
+ StringBuffer sb = new StringBuffer(500);
+ sb.append("JSP with WildCard Auth Constraint
+
+ <%
+
+ out.println("The user principal is: " + request.getUserPrincipal().getName() + "
");
+ out.println("getRemoteUser(): " + request.getRemoteUser() + "
" );
+
+ if (request.isUserInRole("ADM")){
+ out.println("USR_IN_ROLE_ADM");
+ }else
+ out.println("USR_NOT_IN_ROLE_ADM");
+
+ if (request.isUserInRole("MGR")){
+ out.println("USR_IN_ROLE_MGR");
+ }else
+ out.println("USR_NOT_IN_ROLE_MGR");
+
+ if (request.isUserInRole("EMP")){
+ out.println("USR_IN_ROLE_EMP");
+ }else
+ out.println("USR_NOT_IN_ROLE_EMP");
+
+ if (request.isUserInRole("VP")){
+ out.println("USR_IN_ROLE_VP");
+ }else
+ out.println("USR_NOT_IN_ROLE_VP");
+
+ %>
+
+
+
diff --git a/tck/app-custom-trace-policyconfiguration/src/main/webapp/anyauthuser.jsp b/tck/app-custom-trace-policyconfiguration/src/main/webapp/anyauthuser.jsp
new file mode 100644
index 0000000..ab0c426
--- /dev/null
+++ b/tck/app-custom-trace-policyconfiguration/src/main/webapp/anyauthuser.jsp
@@ -0,0 +1,41 @@
+<%--
+
+ Copyright (c) 2013, 2018 Oracle and/or its affiliates. All rights reserved.
+
+ This program and the accompanying materials are made available under the
+ terms of the Eclipse Public License v. 2.0, which is available at
+ http://www.eclipse.org/legal/epl-2.0.
+
+ This Source Code may also be made available under the following Secondary
+ Licenses when the conditions for such availability set forth in the
+ Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ version 2 with the GNU Classpath Exception, which is available at
+ https://www.gnu.org/software/classpath/license.html.
+
+ SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+
+--%>
+
+
+<%@ page language="java" %>
+
+
+ JSP with Double-WildCard Auth Constraint
+
+ <%
+
+ out.println("The user principal is: " + request.getUserPrincipal().getName() + "
");
+ out.println("getRemoteUser(): " + request.getRemoteUser() + "
" );
+
+ if (request.isUserInRole("**")){
+ out.println("USR_IN_ROLE_STARSTAR");
+ } else {
+ out.println("USR_NOT_IN_ROLE_STARSTAR");
+ }
+
+ %>
+
+
+
diff --git a/tck/app-custom-trace-policyconfiguration/src/main/webapp/excluded.jsp b/tck/app-custom-trace-policyconfiguration/src/main/webapp/excluded.jsp
new file mode 100644
index 0000000..06aba36
--- /dev/null
+++ b/tck/app-custom-trace-policyconfiguration/src/main/webapp/excluded.jsp
@@ -0,0 +1,40 @@
+<%--
+
+ Copyright (c) 2006, 2018 Oracle and/or its affiliates. All rights reserved.
+
+ This program and the accompanying materials are made available under the
+ terms of the Eclipse Public License v. 2.0, which is available at
+ http://www.eclipse.org/legal/epl-2.0.
+
+ This Source Code may also be made available under the following Secondary
+ Licenses when the conditions for such availability set forth in the
+ Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ version 2 with the GNU Classpath Exception, which is available at
+ https://www.gnu.org/software/classpath/license.html.
+
+ SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+
+--%>
+
+
+
+<%@ page language="java" %>
+
+
+JSP used for excluded policy statement
+
+<%
+
+out.println("The user principal is: " + request.getUserPrincipal().getName() + "
");
+out.println("getRemoteUser(): " + request.getRemoteUser() + "
" );
+
+%>
+
+
+
+
+
diff --git a/tck/app-custom-trace-policyconfiguration/src/main/webapp/secured.jsp b/tck/app-custom-trace-policyconfiguration/src/main/webapp/secured.jsp
new file mode 100644
index 0000000..cd4e79b
--- /dev/null
+++ b/tck/app-custom-trace-policyconfiguration/src/main/webapp/secured.jsp
@@ -0,0 +1,48 @@
+<%--
+
+ Copyright (c) 2006, 2018 Oracle and/or its affiliates. All rights reserved.
+
+ This program and the accompanying materials are made available under the
+ terms of the Eclipse Public License v. 2.0, which is available at
+ http://www.eclipse.org/legal/epl-2.0.
+
+ This Source Code may also be made available under the following Secondary
+ Licenses when the conditions for such availability set forth in the
+ Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ version 2 with the GNU Classpath Exception, which is available at
+ https://www.gnu.org/software/classpath/license.html.
+
+ SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+
+--%>
+
+
+
+<%@ page language="java" %>
+
+
+JSP with Security Constraint
+
+<%
+
+out.println("The user principal is: " + request.getUserPrincipal().getName() + "
");
+out.println("getRemoteUser(): " + request.getRemoteUser() + "
" );
+
+// Surround these with !'s so they are easier to search for.
+// (i.e. we can search for !true! or !false!)
+out.println("isUserInRole(\"ADM\"): !" + request.isUserInRole("ADM") + "!
");
+out.println("isUserInRole(\"MGR\"): !" + request.isUserInRole("MGR") + "!
");
+out.println("isUserInRole(\"VP\"): !" + request.isUserInRole("VP") + "!
");
+out.println("isUserInRole(\"EMP\"): !" + request.isUserInRole("EMP") + "!
");
+out.println("isUserInRole(\"Administrator\"): !" + request.isUserInRole("Administrator") + "!
");
+
+%>
+
+
+
+
+
diff --git a/tck/app-custom-trace-policyconfiguration/src/main/webapp/sslprotected.jsp b/tck/app-custom-trace-policyconfiguration/src/main/webapp/sslprotected.jsp
new file mode 100644
index 0000000..74efe76
--- /dev/null
+++ b/tck/app-custom-trace-policyconfiguration/src/main/webapp/sslprotected.jsp
@@ -0,0 +1,40 @@
+<%--
+
+ Copyright (c) 2006, 2018 Oracle and/or its affiliates. All rights reserved.
+
+ This program and the accompanying materials are made available under the
+ terms of the Eclipse Public License v. 2.0, which is available at
+ http://www.eclipse.org/legal/epl-2.0.
+
+ This Source Code may also be made available under the following Secondary
+ Licenses when the conditions for such availability set forth in the
+ Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ version 2 with the GNU Classpath Exception, which is available at
+ https://www.gnu.org/software/classpath/license.html.
+
+ SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+
+--%>
+
+
+
+<%@ page language="java" %>
+
+
+SSL protected JSP
+
+<%
+
+out.println("The user principal is: " + request.getUserPrincipal().getName() + "
");
+out.println("getRemoteUser(): " + request.getRemoteUser() + "
" );
+
+%>
+
+
+
+
+
diff --git a/tck/app-custom-trace-policyconfiguration/src/main/webapp/unchecked.jsp b/tck/app-custom-trace-policyconfiguration/src/main/webapp/unchecked.jsp
new file mode 100644
index 0000000..46537b6
--- /dev/null
+++ b/tck/app-custom-trace-policyconfiguration/src/main/webapp/unchecked.jsp
@@ -0,0 +1,40 @@
+<%--
+
+ Copyright (c) 2006, 2018 Oracle and/or its affiliates. All rights reserved.
+
+ This program and the accompanying materials are made available under the
+ terms of the Eclipse Public License v. 2.0, which is available at
+ http://www.eclipse.org/legal/epl-2.0.
+
+ This Source Code may also be made available under the following Secondary
+ Licenses when the conditions for such availability set forth in the
+ Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ version 2 with the GNU Classpath Exception, which is available at
+ https://www.gnu.org/software/classpath/license.html.
+
+ SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+
+--%>
+
+
+
+<%@ page language="java" %>
+
+
+JSP used for unchecked permission
+
+<%
+
+out.println("The user principal is: " + request.getUserPrincipal().getName() + "
");
+out.println("getRemoteUser(): " + request.getRemoteUser() + "
" );
+
+%>
+
+
+
+
+
diff --git a/tck/app-custom-trace-policyconfiguration/src/test/java/ee/jakarta/tck/authorization/test/AppCustomTracePolicyConfigurationIT.java b/tck/app-custom-trace-policyconfiguration/src/test/java/ee/jakarta/tck/authorization/test/AppCustomTracePolicyConfigurationIT.java
new file mode 100644
index 0000000..a4d76f1
--- /dev/null
+++ b/tck/app-custom-trace-policyconfiguration/src/test/java/ee/jakarta/tck/authorization/test/AppCustomTracePolicyConfigurationIT.java
@@ -0,0 +1,522 @@
+/*
+ * Copyright (c) 2024 Contributors to Eclipse Foundation.
+ * Copyright (c) 2015, 2020 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package ee.jakarta.tck.authorization.test;
+
+import static ee.jakarta.tck.authorization.util.ShrinkWrap.mavenWar;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
+import ee.jakarta.tck.authorization.util.ArquillianBase;
+import ee.jakarta.tck.authorization.util.logging.client.LogFileProcessor;
+import jakarta.security.jacc.WebResourcePermission;
+import jakarta.security.jacc.WebRoleRefPermission;
+import jakarta.security.jacc.WebUserDataPermission;
+import java.security.Permissions;
+import java.util.logging.Logger;
+import org.jboss.arquillian.container.test.api.Deployment;
+import org.jboss.arquillian.junit.Arquillian;
+import org.jboss.shrinkwrap.api.Archive;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(Arquillian.class)
+public class AppCustomTracePolicyConfigurationIT extends ArquillianBase {
+
+ Logger logger = Logger.getLogger(AppCustomTracePolicyConfigurationIT.class.getName());
+
+ @Deployment(testable = false)
+ public static Archive createDeployment() {
+ return mavenWar();
+ }
+
+ /**
+ * @testName: WebUserDataPermission
+ *
+ * @assertion_ids: JACC:SPEC:41; JACC:SPEC:42; JACC:JAVADOC:54;
+ * JACC:JAVADOC:56; JACC:JAVADOC:58; JACC:SPEC:27;
+ * JACC:SPEC:28; JACC:SPEC:34; JACC:SPEC:52
+ *
+ * @test_Strategy: 1. Register TS provider with the AppServer. (See User guide
+ * for Registering TS Provider with your AppServer ).
+ *
+ * 2. Deploy the application.
+ *
+ * 3. During deployment, appserver generates permissions for
+ * the J2EE components based on the given deployment
+ * descriptor
+ *
+ * 4. Retrieve server side logs and verify the generated
+ * unchecked permissions matches the expected permission
+ * collection
+ *
+ *
+ */
+ @Test
+ public void WebUserDataPermission() {
+ LogFileProcessor logProcessor = new LogFileProcessor("getAppSpecificRecordCollection|appId", "toolsContracts");
+
+
+ // ----------UNCHECKED----------//
+ // 1) retrieve server generated unchecked policy statements
+ // 2) construct expected unchecked policy statements
+ // 3) verify expected policy statements with generated policy statements
+
+ // Get actual "unchecked" WebUserDataPermissions
+ Permissions uncheckedWebUserDataPermissions =
+ logProcessor.getSpecificPermissions(
+ logProcessor.getAppSpecificUnCheckedPermissions(), "WebUserDataPermission");
+
+ logger.info("Server generated unchecked WebUserDataPermissions");
+ logProcessor.printPermissionCollection(uncheckedWebUserDataPermissions);
+
+ // Construct the expected unchecked WebUserDataPermission
+ Permissions expectedUnCheckedPermissions = new Permissions();
+ expectedUnCheckedPermissions.add(new WebUserDataPermission("/sslprotected.jsp", "GET,POST:CONFIDENTIAL"));
+ expectedUnCheckedPermissions.add(new WebUserDataPermission("/excluded.jsp", "!GET,POST"));
+ expectedUnCheckedPermissions.add(new WebUserDataPermission("/sslprotected.jsp", "!GET,POST"));
+ expectedUnCheckedPermissions.add(new WebUserDataPermission("/secured.jsp", (String) null));
+ expectedUnCheckedPermissions.add(new WebUserDataPermission("/anyauthuser.jsp", "!GET,POST"));
+ expectedUnCheckedPermissions.add(new WebUserDataPermission("/:/unchecked.jsp:/secured.jsp:/sslprotected.jsp:/excluded.jsp:/anyauthuser.jsp", (String) null));
+ expectedUnCheckedPermissions.add(new WebUserDataPermission("/unchecked.jsp", (String) null));
+
+ logger.info("verifying unchecked policy statments:");
+
+ assertTrue(
+ "WebUserDataPermission failed: " + "unchecked policy statements verification failed",
+ logProcessor.verifyLogImplies(expectedUnCheckedPermissions, uncheckedWebUserDataPermissions));
+
+
+
+ // ---------EXCLUDED----------//
+ // 1) retrieve server generated excluded policy statements
+ // 2) construct expected excluded policy statements
+ // 3) verify expected policy statements with generated policy statements
+
+ // Get actual "excluded" WebUserDataPermission
+ Permissions excludedWebUserDataPermissions =
+ logProcessor.getSpecificPermissions(
+ logProcessor.getAppSpecificExcludedPermissions(), "WebUserDataPermission");
+
+ logger.info("Server generated excluded WebUserDataPermission");
+ logProcessor.printPermissionCollection(excludedWebUserDataPermissions);
+
+ // Construct the expected excluded WebUserDataPermission
+ Permissions expectedExcludedPermissions = new Permissions();
+ expectedExcludedPermissions.add(new WebUserDataPermission("/excluded.jsp", "GET,POST"));
+
+ logger.info("verifying excluded policy statments:");
+
+ assertTrue(
+ "WebUserDataPermission failed: " + "excluded policy statements verification failed",
+ logProcessor.verifyLogImplies(expectedExcludedPermissions, excludedWebUserDataPermissions));
+ }
+
+
+
+ /**
+ * @testName: WebResourcePermission
+ *
+ * @assertion_ids: JACC:SPEC:36; JACC:SPEC:72; JACC:SPEC:27; JACC:SPEC:28; JACC:SPEC:52; JACC:SPEC:128;
+ *
+ * @test_Strategy: 1. Register TS provider with the AppServer. (See User guide for Registering TS Provider with your
+ * AppServer ).
+ *
+ * 2. Deploy the application.
+ *
+ * 3. During deployment, appserver generates permissions for the EE components based on the given deployment
+ * descriptor
+ *
+ * 4. Retrieve server side logs and verify the generated permissions matches the expected permission collection
+ *
+ */
+ @Test
+ public void WebResourcePermission() {
+ LogFileProcessor logProcessor = new LogFileProcessor("getAppSpecificRecordCollection|appId", "toolsContracts");
+
+ // ----------UNCHECKED----------//
+ // 1) retrieve server generated unchecked policy statements
+ // 2) construct expected unchecked policy statements
+ // 3) verify expected policy statements with generated policy statements
+
+ Permissions expectedUnCheckedPermissions = new Permissions();
+
+ // Get "unchecked" WebResourcePermissions
+ Permissions uncheckedWebResourcePermissions =
+ logProcessor.getSpecificPermissions(
+ logProcessor.getAppSpecificUnCheckedPermissions(), "WebResourcePermission");
+
+ System.out.println("\n\nServer generated unchecked WebResourcePermissions");
+ logProcessor.printPermissionCollection(uncheckedWebResourcePermissions);
+
+ // Construct the expected unchecked WebResourcePermission
+ expectedUnCheckedPermissions.add(new WebResourcePermission("/unchecked.jsp", (String) null));
+ expectedUnCheckedPermissions.add(new WebResourcePermission("/sslprotected.jsp", "!GET,POST"));
+ expectedUnCheckedPermissions.add(new WebResourcePermission("/:/secured.jsp:/unchecked.jsp:/excluded.jsp:/sslprotected.jsp:/anyauthuser.jsp", (String) null));
+ expectedUnCheckedPermissions.add(new WebResourcePermission("/excluded.jsp", "!GET,POST"));
+ expectedUnCheckedPermissions.add(new WebResourcePermission("/secured.jsp", "!GET,POST"));
+ expectedUnCheckedPermissions.add(new WebResourcePermission("/anyauthuser.jsp", "!GET,POST"));
+
+ System.out.println("verifying unchecked policy statments:");
+
+ assertTrue(
+ "WebResourcePermission failed: " + "unchecked policy statements verification failed",
+ logProcessor.verifyLogImplies(expectedUnCheckedPermissions, uncheckedWebResourcePermissions));
+
+
+
+
+
+ // ---------EXCLUDED----------//
+ // 1) Retrieve server generated excluded policy statements
+ // 2) Construct expected excluded policy statements
+ // 3) Verify expected policy statements with generated policy statements
+
+
+
+ // Get actual "excluded" WebResourcePermissions
+ Permissions excludedWebResourcePermissions =
+ logProcessor.getSpecificPermissions(
+ logProcessor.getAppSpecificExcludedPermissions(), "WebResourcePermission");
+
+ System.out.println("\n\nServer generated excluded WebResourcePermissions");
+ logProcessor.printPermissionCollection(excludedWebResourcePermissions);
+
+ // Construct the expected excluded WebResourcePermission
+ Permissions expectedExcludedPermissions = new Permissions();
+ expectedExcludedPermissions.add(new WebResourcePermission("/excluded.jsp", "GET,POST"));
+
+ System.out.println("verifying excluded policy statments:");
+
+ assertTrue(
+ "WebResourcePermission failed: " + "excluded policy statements verification failed",
+ logProcessor.verifyLogImplies(expectedExcludedPermissions, excludedWebResourcePermissions));
+
+
+
+
+
+ // ---------ADDTOROLE----------//
+ // 1) retrieve server generated addToRole policy statements
+ // 2) construct expected addToRole policy statements
+ // 3) verify expected policy statements with generated policy statements
+
+
+ // Get actual "addToRole" WebResourcePermissions
+ Permissions addToRoleWebResourcePermissions =
+ logProcessor.getSpecificPermissions(
+ logProcessor.getAppSpecificAddToRolePermissions(), "WebResourcePermission");
+
+ System.out.println("\n\nServer generated addToRole WebResourcePermissions");
+ logProcessor.printPermissionCollection(addToRoleWebResourcePermissions);
+
+ // Construct the expected excluded WebResourcePermission
+ Permissions expectedAddToRolePermissions = new Permissions();
+ expectedAddToRolePermissions.add(new WebResourcePermission("/secured.jsp", "GET,POST"));
+ expectedAddToRolePermissions.add(new WebResourcePermission("/sslprotected.jsp", "GET,POST"));
+ expectedAddToRolePermissions.add(new WebResourcePermission("/anyauthuser.jsp", "GET,POST"));
+
+ System.out.println("verifying addToRole policy statments:");
+
+ assertTrue(
+ "WebResourcePermission failed: " + "addToRole policy statements verification failed",
+ logProcessor.verifyLogImplies(expectedAddToRolePermissions, addToRoleWebResourcePermissions));
+ }
+
+ /**
+ * @testName: WebResourcePermissionExcludedPolicy
+ *
+ * @assertion_ids: JACC:SPEC:37; JACC:SPEC:114; JACC:SPEC:111; JACC:SPEC:27;
+ * JACC:SPEC:28; JACC:SPEC:34; JACC:SPEC:52
+ *
+ * @test_Strategy: 1. Register TS provider with the AppServer. (See User guide
+ * for Registering TS Provider with your AppServer ).
+ *
+ * 2. Deploy the application.
+ *
+ * 3. During deployment, appserver generates permissions for
+ * the J2EE components based on the given deployment
+ * descriptor
+ *
+ * 4. Retrieve server side logs and verify the generated
+ * permissions matches the expected permission collection
+ *
+ */
+ @Test
+ public void WebResourcePermissionExcludedPolicy() {
+
+ // ---------EXCLUDED----------//
+ // 1) retrieve server generated excluded policy statements
+ // 2) construct expected excluded policy statements
+ // 3) verify expected policy statements with generated policy statements
+
+ LogFileProcessor logProcessor = new LogFileProcessor("getAppSpecificRecordCollection|appId", "toolsContracts");
+
+ // Get "excluded" WebResourcePermissions
+ Permissions excludedWebResourcePermissions =
+ logProcessor.getSpecificPermissions(
+ logProcessor.getAppSpecificExcludedPermissions(), "WebResourcePermission");
+
+ logger.info("Server generated excluded WebResourcePermissions");
+
+ logProcessor.printPermissionCollection(excludedWebResourcePermissions);
+
+ // Construct the expected excluded WebResourcePermission
+ Permissions expectedExcludedPermissions = new Permissions();
+ expectedExcludedPermissions
+ .add(new WebResourcePermission("/excluded.jsp", "GET,POST"));
+
+ logger.info("verifying excluded policy statments:");
+
+ assertTrue(
+ "WebResourcePermissionExcludedPolicy failed: " + "excluded policy statements verification failed",
+ logProcessor.verifyLogImplies(expectedExcludedPermissions, excludedWebResourcePermissions));
+ }
+
+ /**
+ * @testName: WebResourcePermissionUnCheckedPolicy
+ *
+ * @assertion_ids: JACC:SPEC:36; JACC:SPEC:39; JACC:SPEC:27; JACC:SPEC:28;
+ * JACC:SPEC:52; JACC:JAVADOC:17
+ *
+ * @test_Strategy: 1. Register TS provider with the AppServer. (See User guide
+ * for Registering TS Provider with your AppServer ).
+ *
+ * 2. Deploy the application.
+ *
+ * 3. During deployment, appserver generates permissions for
+ * the J2EE components based on the given deployment
+ * descriptor
+ *
+ * 4. Retrieve server side logs and verify the generated
+ * unchecked permissions matches the expected permission
+ * collection
+ */
+ @Test
+ public void WebResourcePermissionUnCheckedPolicy() {
+ LogFileProcessor logProcessor = new LogFileProcessor("getAppSpecificRecordCollection|appId", "toolsContracts");
+
+
+ // Get "unchecked" WebResourcePermissions
+ Permissions uncheckedWebResourcePermissions =
+ logProcessor.getSpecificPermissions(
+ logProcessor.getAppSpecificUnCheckedPermissions(), "WebResourcePermission");
+
+ logger.info("Server generated unchecked WebResourcePermissions");
+ logProcessor.printPermissionCollection(uncheckedWebResourcePermissions);
+
+ // Construct the expected unchecked WebResourcePermission
+ Permissions expectedPermissions = new Permissions();
+ expectedPermissions.add(new WebResourcePermission("/unchecked.jsp", (String) null));
+ expectedPermissions.add(new WebResourcePermission("/sslprotected.jsp", "!GET,POST"));
+ expectedPermissions.add(new WebResourcePermission("/:/secured.jsp:/unchecked.jsp:/excluded.jsp:/sslprotected.jsp:/anyauthuser.jsp", (String) null));
+ expectedPermissions.add(new WebResourcePermission("/excluded.jsp", "!GET,POST"));
+ expectedPermissions.add(new WebResourcePermission("/secured.jsp", "!GET,POST"));
+ expectedPermissions.add(new WebResourcePermission("/anyauthuser.jsp", "!GET,POST"));
+
+ assertTrue(
+ "WebResourcePermissionUnCheckedPolicy failed",
+ logProcessor.verifyLogImplies(expectedPermissions, uncheckedWebResourcePermissions));
+ }
+
+
+ /**
+ * @testName: WebRoleRefPermission
+ *
+ * @assertion_ids: JACC:SPEC:36; JACC:SPEC:112; JACC:SPEC:38; JACC:SPEC:43;
+ * JACC:SPEC:44; JACC:JAVADOC:50; JACC:SPEC:27; JACC:SPEC:28;
+ * JACC:SPEC:45; JACC:SPEC:52; JACC:SPEC:75; JACC:SPEC:128;
+ * JACC:SPEC:131
+ *
+ * @test_Strategy: 1. Register TS provider with the AppServer. (See User guide
+ * for Registering TS Provider with your AppServer ). 2.
+ * Deploy the application.
+ *
+ * 3. During deployment, appserver generates permissions for
+ * the EE components based on the given deployment
+ * descriptor
+ *
+ * 4. Retrieve server side logs and verify the generated
+ * permissions matches the expected permission collection
+ */
+ @Test
+ public void WebRoleRefPermission() {
+
+ // ---------ADDTOROLE----------//
+ // 1) retrieve server generated addToRole policy statements
+ // 2) construct expected addToRole policy statements
+ // 3) verify expected policy statements with generated policy statements
+
+ LogFileProcessor logProcessor = new LogFileProcessor("getAppSpecificRecordCollection|appId", "toolsContracts");
+
+ // Get actual "addToRole" WebRoleRefPermissions
+ Permissions addToRoleWebRoleRefPermissions =
+ logProcessor.getSpecificPermissions(
+ logProcessor.getAppSpecificAddToRolePermissions(), "WebRoleRefPermission");
+
+ logger.info("Server generated addToRole WebRoleRefPermissions");
+ logProcessor.printPermissionCollection(addToRoleWebRoleRefPermissions);
+
+ // Construct the expected excluded WebRoleRefPermission
+ Permissions expectedAddToRolePermissions = new Permissions();
+ expectedAddToRolePermissions.add(new jakarta.security.jacc.WebRoleRefPermission("secured", "ADM"));
+ expectedAddToRolePermissions.add(new WebRoleRefPermission("secured", "Administrator"));
+ expectedAddToRolePermissions.add(new WebRoleRefPermission("secured", "Manager"));
+ expectedAddToRolePermissions.add(new WebRoleRefPermission("secured", "Employee"));
+ expectedAddToRolePermissions.add(new WebRoleRefPermission("sslprotected", "MGR"));
+ expectedAddToRolePermissions.add(new WebRoleRefPermission("sslprotected", "ADM"));
+ expectedAddToRolePermissions.add(new WebRoleRefPermission("sslprotected", "Administrator"));
+ expectedAddToRolePermissions.add(new WebRoleRefPermission("sslprotected", "Manager"));
+ expectedAddToRolePermissions.add(new WebRoleRefPermission("sslprotected", "Employee"));
+ expectedAddToRolePermissions.add(new WebRoleRefPermission("unchecked", "Manager"));
+ expectedAddToRolePermissions.add(new WebRoleRefPermission("unchecked", "Administrator"));
+ expectedAddToRolePermissions.add(new WebRoleRefPermission("unchecked", "Employee"));
+ expectedAddToRolePermissions.add(new WebRoleRefPermission("excluded", "Manager"));
+ expectedAddToRolePermissions.add(new WebRoleRefPermission("excluded", "Administrator"));
+ expectedAddToRolePermissions.add(new WebRoleRefPermission("excluded", "Employee"));
+ expectedAddToRolePermissions.add(new WebRoleRefPermission("anyauthuser", "Employee"));
+ expectedAddToRolePermissions.add(new WebRoleRefPermission("anyauthuser", "Manager"));
+ expectedAddToRolePermissions.add(new WebRoleRefPermission("anyauthuser", "Administrator"));
+
+ // JSR115 Maintenance Review changes
+ expectedAddToRolePermissions.add(new WebRoleRefPermission("", "Administrator"));
+ expectedAddToRolePermissions.add(new WebRoleRefPermission("", "Manager"));
+ expectedAddToRolePermissions.add(new WebRoleRefPermission("", "Employee"));
+
+ logger.info("verifying addToRole policy statments:");
+
+ assertTrue(
+ "WebRoleRefPermission failed: " + "addToRole policy statements verification failed",
+ logProcessor.verifyLogImplies(expectedAddToRolePermissions, addToRoleWebRoleRefPermissions));
+ }
+
+
+ /**
+ * @testName: AnyAuthUserWebRoleRef
+ *
+ * @assertion_ids: JACC:SPEC:130; JACC:SPEC:131;
+ *
+ * @test_Strategy: This is testing that: If the any authenticated user
+ * role-name, **, does not appear in a security-role-ref
+ * within the servlet, a WebRoleRefPermission must also be
+ * added for it. The name of each such WebRoleRefPermission
+ * must be the servlet-name of the corresponding servlet
+ * element. steps: 1. We have any-authenticated-user
+ * referenced in a security-constraint in our DD (for
+ * anyauthuser.jsp) We have a total of 5 servlets defined in
+ * our DD also.
+ *
+ * 2. Deploy the application.
+ *
+ * 3. During deployment, appserver generates permissions for
+ * the EE components based on the given deployment
+ * descriptor
+ *
+ * 4. Retrieve server side logs and verify the generated
+ * permissions matches the expected permission collection
+ */
+ @Test
+ public void AnyAuthUserWebRoleRef() {
+ LogFileProcessor logProcessor = new LogFileProcessor("getAppSpecificRecordCollection|appId", "toolsContracts");
+
+ // Retrieve server generated addToRole policy statements
+ Permissions addToRoleWebRoleRefPermissions =
+ logProcessor.getSpecificPermissions(
+ logProcessor.getAppSpecificAddToRolePermissions(), "WebRoleRefPermission");
+
+ // For debug aid, print out server generated addToRole policy statements
+ logger.info("Server generated addToRole WebRoleRefPermissions");
+ logProcessor.printPermissionCollection(addToRoleWebRoleRefPermissions);
+
+ // According to the Jakarta Authorization 1.5 spec (chapter 3, section 3.1.3.3),
+ // it states that:
+ //
+ // "a WebRoleRefPermission must also be added for it" (meaning **)
+ // and that
+ // "The name of each such WebRoleRefPermission must be the servlet-name
+ // of the corresponding servlet element."
+ //
+ // This means for each servlet definition in our web.xml, there will need to
+ // exist a WebRoleRefPermission with that servlet name for the ** role.
+ //
+ Permissions expectedAddToRolePerms = new Permissions();
+ expectedAddToRolePerms.add(new WebRoleRefPermission("excluded", "**"));
+ expectedAddToRolePerms.add(new WebRoleRefPermission("unchecked", "**"));
+ expectedAddToRolePerms.add(new WebRoleRefPermission("sslprotected", "**"));
+ expectedAddToRolePerms.add(new WebRoleRefPermission("secured", "**"));
+ expectedAddToRolePerms.add(new WebRoleRefPermission("anyauthuser", "**"));
+
+ logger.info("verifying addToRole policy statments:");
+
+ assertTrue(
+ "AnyAuthUserWebRoleRef failed: " + "addToRole policy statements for any-authenticated-user (**) failed",
+ logProcessor.verifyLogImplies(expectedAddToRolePerms, addToRoleWebRoleRefPermissions));
+ }
+
+ /**
+ * @testName: validateNoInvalidStates
+ *
+ * @assertion_ids: JACC:SPEC:60;
+ *
+ * @test_Strategy: 1. Register TS provider with the AppServer. (See User guide
+ * for Registering TS Provider with your AppServer ).
+ *
+ * 2. Read the server side log to verify PolicyConfigurationFactory
+ * is called and instantiated in the server.
+ *
+ * Description:
+ *
+ * This method looks for occurrences of error
+ * message within JACCLog.txt where those error messages would
+ * only appear in JACCLog.txt if there was a
+ * policyConfiguration lifecycle state that was in the wrong
+ * state at the wrong time.
+ *
+ * This can ONLY test the state for being in the 'inService'
+ * state or not. So testing is done
+ * to make sure the PolicyConfigration state is correct wrt
+ * policyConfiguration.inService() for each of the methods
+ * defined in the PolicyConfiguration javadoc table.
+ *
+ * Again,
+ * this is not a complete validation of all states, but is
+ * only able to validate if the state is inService or not at
+ * each of the method calls based on the javadoc table.
+ * Occurrence of an ERROR message below would be a flag for a
+ * method being in an incorrect state.
+ */
+ @Test
+ public void validateNoInvalidStates() {
+ LogFileProcessor logProcessor = new LogFileProcessor("getAppSpecificRecordCollection|appId", "toolsContracts");
+
+ String errorMessage1 = "ERROR - our policy config should not be in the INSERVICE state.";
+
+ // Verify that the log contains no errors related to the inService state
+ assertFalse(
+ "validateNoInvalidStates failed : detected error message of: " + errorMessage1,
+ logProcessor.verifyLogContains(errorMessage1));
+
+
+ String errorMessage2 = "ERROR - our policy config should be in the INSERVICE state.";
+
+ assertFalse(
+ "validateNoInvalidStates failed : detected error message of: " + errorMessage2,
+ logProcessor.verifyLogContains(errorMessage2));
+ }
+
+
+}
diff --git a/tck/app-custom-trace-policyconfigurationfactory/pom.xml b/tck/app-custom-trace-policyconfigurationfactory/pom.xml
new file mode 100644
index 0000000..a07ba28
--- /dev/null
+++ b/tck/app-custom-trace-policyconfigurationfactory/pom.xml
@@ -0,0 +1,56 @@
+
+
+
+
+ * vendor.jakarta.security.jacc.PolicyConfigurationFactory.provider
+ *