Fix WebPrincipal not serializable - tests

Add tests for Jakarta Security authentication
- test for a custom principal
- test for serialization of the internal securityContext, which is transferred across SSO instances

Some refactoring
- remove redundant empty lines from SimpleMultiRoleMappingTest
- add an alternative to test HTTP resources with Java Http Client to GlassFishTestEnvironment

Author: OndroMih

appserver/itest-tools/src/main/java/org/glassfish/main/itest/tools/GlassFishTestEnvironment.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022, 2024 Eclipse Foundation and/or its affiliates.
+ * Copyright (c) 2022, 2025 Eclipse Foundation and/or its affiliates.
  *
  * This program and the accompanying materials are made available under the
  * terms of the Eclipse Public License v. 2.0, which is available at
@@ -27,22 +27,35 @@
 import java.net.URI;
 import java.net.URISyntaxException;
 import java.net.URL;
+import java.net.http.HttpClient;
+import java.net.http.HttpRequest;
+import java.net.http.HttpResponse;
+import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.Paths;
 import java.nio.file.StandardOpenOption;
+import java.security.KeyManagementException;
 import java.security.KeyStore;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
+import java.time.Duration;
 import java.util.Enumeration;
 import java.util.HashMap;
 import java.util.Locale;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509TrustManager;
+
 import org.glassfish.admin.rest.client.ClientWrapper;
 import org.glassfish.main.itest.tools.asadmin.Asadmin;
 import org.glassfish.main.itest.tools.asadmin.AsadminResult;
 import org.glassfish.main.itest.tools.asadmin.StartServ;
 
+import static java.net.http.HttpResponse.BodyHandlers.ofString;
 import static org.glassfish.main.itest.tools.asadmin.AsadminResultMatcher.asadminOK;
 import static org.hamcrest.MatcherAssert.assertThat;
 
@@ -73,6 +86,7 @@ public class GlassFishTestEnvironment {
 
     private static final int ASADMIN_START_DOMAIN_TIMEOUT = 30_000;
     private static final int ASADMIN_START_DOMAIN_TIMEOUT_FOR_DEBUG = 300_000;
+    private static HttpClient client = null;
 
     static {
         LOG.log(Level.INFO, "Using basedir: {0}", BASEDIR);
@@ -228,6 +242,26 @@ public static <T extends HttpURLConnection> T openConnection(final boolean secur
         return connection;
     }
 
+    /**
+     * Creates a {@link HttpURLConnection} for the given port and context.
+     *
+     * @param secured true for https, false for http
+     * @param port
+     * @param context - part of the url behind the <code>http://localhost:[port]</code>
+     * @return a new disconnected {@link HttpURLConnection}.
+     * @throws IOException
+     */
+    public static HttpResponse<String> getHttpResource(final boolean secured, final int port, final String context)
+        throws Exception {
+        final String protocol = secured ? "https" : "http";
+        URI uri = URI.create(protocol + "://localhost:" + port + context);
+        final HttpRequest request = HttpRequest.newBuilder(uri)
+                .timeout(Duration.ofSeconds(15))
+                .header("X-Requested-By", "JUnit5Test")
+                .build();
+        return newInsecureHttpClient().send(request, ofString(StandardCharsets.UTF_8));
+    }
+
     public static URI webSocketUri(final int port, final String context) throws URISyntaxException {
         return webSocketUri(false, port, context);
     }
@@ -415,4 +449,37 @@ private interface IOAction {
 
         void execute() throws IOException;
     }
+
+    private static HttpClient newInsecureHttpClient() throws KeyManagementException, NoSuchAlgorithmException {
+        if (client == null) {
+            // Java 17 doesn't allow to close http client, so we reuse a global one.
+            // Once we start using Java 21, client should be created for every call and returned instance should be closed
+            SSLContext sslContext = SSLContext.getInstance("TLS");
+            sslContext.init(null, trustAllCerts, new SecureRandom());
+            client = HttpClient.newBuilder()
+                    .sslContext(sslContext)
+                    .connectTimeout(Duration.ofMillis(100))
+                    .build();
+        }
+        return client;
+    }
+
+    private static final TrustManager[] trustAllCerts = new TrustManager[]{
+        new X509TrustManager() {
+            @Override
+            public java.security.cert.X509Certificate[] getAcceptedIssuers() {
+                return null;
+            }
+
+            @Override
+            public void checkClientTrusted(
+                    java.security.cert.X509Certificate[] certs, String authType) {
+            }
+
+            @Override
+            public void checkServerTrusted(
+                    java.security.cert.X509Certificate[] certs, String authType) {
+            }
+        }
+    };
 }

appserver/security/webintegration/src/main/java/com/sun/web/security/RealmAdapter.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2021, 2024 Contributors to the Eclipse Foundation.
+ * Copyright 2021, 2025 Contributors to the Eclipse Foundation.
  * Copyright (c) 1997, 2020 Oracle and/or its affiliates. All rights reserved.
  *
  * This program and the accompanying materials are made available under the

appserver/tests/application/pom.xml

@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-    Copyright (c) 2023, 2024 Contributors to the Eclipse Foundation. All rights reserved.
+    Copyright (c) 2023, 2025 Contributors to the Eclipse Foundation. All rights reserved.
 
     This program and the accompanying materials are made available under the
     terms of the Eclipse Public License v. 2.0, which is available at
@@ -108,6 +108,11 @@
             <artifactId>jakarta.authentication-api</artifactId>
             <scope>provided</scope>
         </dependency>
+        <dependency>
+            <groupId>jakarta.security.enterprise</groupId>
+            <artifactId>jakarta.security.enterprise-api</artifactId>
+            <scope>provided</scope>
+        </dependency>
         <dependency>
             <groupId>jakarta.xml.ws</groupId>
             <artifactId>jakarta.xml.ws-api</artifactId>
@@ -159,6 +164,12 @@
             <version>${project.version}</version>
             <scope>provided</scope>
         </dependency>
+        <dependency>
+            <groupId>org.glassfish.main.security</groupId>
+            <artifactId>security</artifactId>
+            <version>${project.version}</version>
+            <scope>provided</scope>
+        </dependency>
 
         <dependency>
             <groupId>org.glassfish.tyrus</groupId>

appserver/tests/application/src/main/java/org/glassfish/main/test/app/security/jakartasecurity/CustomPrincipal.java

@@ -0,0 +1,36 @@
+/*
+ * Copyright (c) 2025 Contributors to the Eclipse Foundation
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package org.glassfish.main.test.app.security.jakartasecurity;
+
+import java.io.Serializable;
+import java.security.Principal;
+
+public class CustomPrincipal implements Principal, Serializable {
+
+    private static final long serialVersionUID = 1L;
+    private final String name;
+
+    public CustomPrincipal(String name) {
+        this.name = name;
+    }
+
+    @Override
+    public String getName() {
+        return name;
+    }
+
+}

appserver/tests/application/src/main/java/org/glassfish/main/test/app/security/jakartasecurity/CustomPrincipalServlet.java

@@ -0,0 +1,61 @@
+/*
+ * Copyright (c) 2025 Contributors to the Eclipse Foundation
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package org.glassfish.main.test.app.security.jakartasecurity;
+
+import jakarta.annotation.security.DeclareRoles;
+import jakarta.inject.Inject;
+import jakarta.security.enterprise.SecurityContext;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.annotation.WebServlet;
+import jakarta.servlet.http.HttpServlet;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+
+import java.io.IOException;
+import java.security.Principal;
+
+import static jakarta.security.enterprise.authentication.mechanism.http.AuthenticationParameters.withParams;
+
+/**
+ * Test Servlet that authenticates the request and returns
+ * the class name of the caller principal
+ */
+@DeclareRoles("admin")
+@WebServlet("/customPrincipal")
+public class CustomPrincipalServlet extends HttpServlet {
+
+    private static final long serialVersionUID = 1L;
+
+    @Inject
+    private SecurityContext securityContext;
+
+    @Override
+    public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+        securityContext.authenticate(request, response, withParams());
+
+        response.setContentType("text/plain");
+
+        final Principal callerPrincipal = securityContext.getCallerPrincipal();
+
+        response.getWriter().write(callerPrincipal.getClass().getName() + ",");
+        Principal applicationPrincipal = securityContext.getPrincipalsByType(CustomPrincipal.class)
+                .toArray(new CustomPrincipal[0])[0];
+
+        response.getWriter().write(applicationPrincipal.getClass().getName() + ": " + applicationPrincipal.getName());
+    }
+
+}

appserver/tests/application/src/main/java/org/glassfish/main/test/app/security/jakartasecurity/SerializableCoreSecurityContextServlet.java

@@ -0,0 +1,66 @@
+/*
+ * Copyright (c) 2025 Contributors to the Eclipse Foundation
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package org.glassfish.main.test.app.security.jakartasecurity;
+
+import jakarta.annotation.security.DeclareRoles;
+import jakarta.inject.Inject;
+import jakarta.security.enterprise.SecurityContext;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.annotation.WebServlet;
+import jakarta.servlet.http.HttpServlet;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.ObjectOutputStream;
+
+import static jakarta.security.enterprise.authentication.mechanism.http.AuthenticationParameters.withParams;
+
+/**
+ * Test Servlet that authenticates that authenticates the request and verifies that GlassFish SecurityContext can be serialized
+ */
+@DeclareRoles("admin")
+@WebServlet("/serializableCoreSecurityContext")
+public class SerializableCoreSecurityContextServlet extends HttpServlet {
+
+    private static final long serialVersionUID = 1L;
+
+    @Inject
+    private SecurityContext securityContext;
+
+    @Override
+    public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+        securityContext.authenticate(request, response, withParams());
+
+        response.setContentType("text/plain");
+
+        final ObjectOutputStream oos = new ObjectOutputStream(new ByteArrayOutputStream());
+
+        try {
+        // verify internal core security context is serializable so that it can be used in SSO
+        oos.writeObject(com.sun.enterprise.security.SecurityContext.getCurrent());
+        } catch (Exception e) {
+            response.setStatus(500);
+            response.getWriter().write("Exception " + e);
+            return;
+        }
+
+        response.getWriter().write("OK");
+    }
+
+}

appserver/tests/application/src/main/java/org/glassfish/main/test/app/security/jakartasecurity/TestAuthenticationMechanism.java

@@ -0,0 +1,44 @@
+/*
+ * Copyright (c) 2025 Contributors to the Eclipse Foundation
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package org.glassfish.main.test.app.security.jakartasecurity;
+
+import jakarta.enterprise.context.ApplicationScoped;
+import jakarta.security.enterprise.AuthenticationException;
+import jakarta.security.enterprise.AuthenticationStatus;
+import jakarta.security.enterprise.authentication.mechanism.http.AutoApplySession;
+import jakarta.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism;
+import jakarta.security.enterprise.authentication.mechanism.http.HttpMessageContext;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+
+import static java.util.Collections.singleton;
+
+@ApplicationScoped
+@AutoApplySession
+public class TestAuthenticationMechanism implements HttpAuthenticationMechanism {
+
+    @Override
+    public AuthenticationStatus validateRequest(HttpServletRequest request, HttpServletResponse response, HttpMessageContext httpMessageContext) throws AuthenticationException {
+
+        httpMessageContext.notifyContainerAboutLogin(
+            new CustomPrincipal("admin" + System.currentTimeMillis()),
+            singleton("admin"));
+
+        return AuthenticationStatus.SUCCESS;
+    }
+
+}