Merge branch 'master' of github.com:apache/tomee-tck
diff --git a/src/test/script/openejb/tck/commands/JavaTestCommand.groovy b/src/test/script/openejb/tck/commands/JavaTestCommand.groovy
index 1b698dc..17e5fff 100644
--- a/src/test/script/openejb/tck/commands/JavaTestCommand.groovy
+++ b/src/test/script/openejb/tck/commands/JavaTestCommand.groovy
@@ -239,8 +239,8 @@
log.info("Enabling server security manager")
// -Djava.security.properties=conf/security.properties
- containerJavaOpts += "-Djava.security.manager " +
- "-Djava.security.policy==${project.basedir}/${openejbHome}/conf/catalina.policy " +
+ containerJavaOpts += " -Djava.security.manager -Dcts.home=${javaeeCtsHome} -Djava.security.debug=none " +
+ "-Djava.security.policy=${project.basedir}/${openejbHome}/conf/catalina.policy " +
"-Djava.security.properties=${project.basedir}/${openejbHome}/conf/security.properties"
}
if (options.contains('websocket')) {
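Review bot: The policy option on the second added line went from `==` to `=`, so catalina.policy is now added to the policy files the JVM security properties already list rather than replacing them. Unless conf/security.properties clears the `policy.url` entries, the effective permissions can then differ with the JRE's default policy and the user's home policy file. If the TCK is meant to run against exactly this policy, keep `"-Djava.security.policy==${project.basedir}/${openejbHome}/conf/catalina.policy " +`. The interpolated paths are also unquoted, so a `javaeeCtsHome` or `project.basedir` containing a space would presumably split the option, depending on how containerJavaOpts is tokenised later. The enclosing block starts outside the hunk.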
diff --git a/src/test/tomee-plume/conf/ProviderConfiguration.xml b/src/test/tomee-plume/conf/ProviderConfiguration.xml
index ff72155..e21cbff 100644
--- a/src/test/tomee-plume/conf/ProviderConfiguration.xml
+++ b/src/test/tomee-plume/conf/ProviderConfiguration.xml
@@ -18,47 +18,47 @@
-->
<provider-config
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xmlns="http://java.oracle.com/xml/ns/jaspic"
- xsi:schemaLocation="http://java.oracle.com/xml/ns/jaspic provider-configuration.xsd">
- <provider-config-entry>
- <provider-class>com.sun.ts.tests.jaspic.tssv.config.TSAuthConfigProvider</provider-class>
- <properties version="1.0">
- <entry key="AuthStatus_SEND_SUCCESS">false</entry>
- <entry key="requestPolicy">USER_NAME_PASSWORD</entry>
- </properties>
- <message-layer>SOAP</message-layer>
- <app-context-id>null</app-context-id>
- <reg-description>TestSuite JSR 196 Config Provider</reg-description>
- </provider-config-entry>
- <provider-config-entry>
- <provider-class>com.sun.ts.tests.jaspic.tssv.config.TSAuthConfigProvider</provider-class>
- <properties version="1.0">
- <entry key="AuthStatus_SEND_SUCCESS">false</entry>
- <entry key="requestPolicy">USER_NAME_PASSWORD</entry>
- </properties>
- <message-layer>SOAP</message-layer>
- <app-context-id>Catalina/localhost /Hello_web/Hello</app-context-id>
- <reg-description>TestSuite JSR 196 Config Provider</reg-description>
- </provider-config-entry>
- <provider-config-entry>
- <provider-class>com.sun.ts.tests.jaspic.tssv.config.TSAuthConfigProviderServlet</provider-class>
- <properties version="1.0">
- <entry key="AuthStatus_SEND_SUCCESS">true</entry>
- <entry key="requestPolicy">USER_NAME_PASSWORD</entry>
- </properties>
- <message-layer>HttpServlet</message-layer>
- <app-context-id>Catalina/localhost /spitests_servlet_web</app-context-id>
- <reg-description>Registration for TSAuthConfigProviderServlet using spitests_servlet_web</reg-description>
- </provider-config-entry>
- <provider-config-entry>
- <provider-class>com.sun.ts.tests.jaspic.tssv.config.TSAuthConfigProviderServlet</provider-class>
- <properties version="1.0">
- <entry key="AuthStatus_SEND_SUCCESS">true</entry>
- <entry key="requestPolicy">USER_NAME_PASSWORD</entry>
- </properties>
- <message-layer>HttpServlet</message-layer>
- <app-context-id>Catalina/localhost /spitests_servlet_web/WrapperServlet</app-context-id>
- <reg-description>Registration for TSAuthConfigProviderServlet using spitests_servlet_web</reg-description>
- </provider-config-entry>
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns="http://java.oracle.com/xml/ns/jaspic"
+ xsi:schemaLocation="http://java.oracle.com/xml/ns/jaspic provider-configuration.xsd">
+ <provider-config-entry>
+ <provider-class>com.sun.ts.tests.jaspic.tssv.config.TSAuthConfigProvider</provider-class>
+ <properties version="1.0">
+ <entry key="AuthStatus_SEND_SUCCESS">false</entry>
+ <entry key="requestPolicy">USER_NAME_PASSWORD</entry>
+ </properties>
+ <message-layer>SOAP</message-layer>
+ <app-context-id>null</app-context-id>
+ <reg-description>TestSuite JSR 196 Config Provider</reg-description>
+ </provider-config-entry>
+ <provider-config-entry>
+ <provider-class>com.sun.ts.tests.jaspic.tssv.config.TSAuthConfigProvider</provider-class>
+ <properties version="1.0">
+ <entry key="AuthStatus_SEND_SUCCESS">false</entry>
+ <entry key="requestPolicy">USER_NAME_PASSWORD</entry>
+ </properties>
+ <message-layer>SOAP</message-layer>
+ <app-context-id>Catalina/localhost /Hello_web/Hello</app-context-id>
+ <reg-description>TestSuite JSR 196 Config Provider</reg-description>
+ </provider-config-entry>
+ <provider-config-entry>
+ <provider-class>com.sun.ts.tests.jaspic.tssv.config.TSAuthConfigProviderServlet</provider-class>
+ <properties version="1.0">
+ <entry key="AuthStatus_SEND_SUCCESS">true</entry>
+ <entry key="requestPolicy">USER_NAME_PASSWORD</entry>
+ </properties>
+ <message-layer>HttpServlet</message-layer>
+ <app-context-id>Catalina/localhost /spitests_servlet_web</app-context-id>
+ <reg-description>Registration for TSAuthConfigProviderServlet using spitests_servlet_web</reg-description>
+ </provider-config-entry>
+ <provider-config-entry>
+ <provider-class>com.sun.ts.tests.jaspic.tssv.config.TSAuthConfigProviderServlet</provider-class>
+ <properties version="1.0">
+ <entry key="AuthStatus_SEND_SUCCESS">true</entry>
+ <entry key="requestPolicy">USER_NAME_PASSWORD</entry>
+ </properties>
+ <message-layer>HttpServlet</message-layer>
+ <app-context-id>Catalina/localhost /spitests_servlet_web/WrapperServlet</app-context-id>
+ <reg-description>Registration for TSAuthConfigProviderServlet using spitests_servlet_web</reg-description>
+ </provider-config-entry>
</provider-config>
diff --git a/src/test/tomee-plume/conf/catalina.policy b/src/test/tomee-plume/conf/catalina.policy
index c18010f..4fb8777 100644
--- a/src/test/tomee-plume/conf/catalina.policy
+++ b/src/test/tomee-plume/conf/catalina.policy
@@ -62,8 +62,8 @@
// These permissions apply to the logging API
// Note: If tomcat-juli.jar is in ${catalina.base} and not in ${catalina.home},
// update this section accordingly.
-// grant codeBase "file:${catalina.base}/bin/tomcat-juli.jar" {..}
-grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
+grant codeBase "file:${catalina.base}/bin/tomcat-juli.jar" {
+// grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
permission java.io.FilePermission
"${java.home}${file.separator}lib${file.separator}logging.properties", "read";
@@ -90,6 +90,10 @@
permission java.util.PropertyPermission "org.apache.juli.ClassLoaderLogManager.debug", "read";
permission java.util.PropertyPermission "catalina.base", "read";
+ // TomEE specific
+ permission java.util.PropertyPermission "tomee.*", "read";
+
+
// Note: To enable per context logging configuration, permit read access to
// the appropriate file. Be sure that the logging configuration is
// secure before enabling such access.
@@ -115,9 +119,14 @@
// If using a per instance lib directory, i.e. ${catalina.base}/lib,
// then the following permission will need to be uncommented
-// grant codeBase "file:${catalina.base}/lib/-" {
-// permission java.security.AllPermission;
-// };
+grant codeBase "file:${catalina.base}/lib/-" {
+ permission java.security.AllPermission;
+};
+
+// TomEE webapp for deployment
+grant codeBase "file:${catalina.base}/webapps/tomee/-" {
+ permission java.security.AllPermission;
+};
// ========== WEB APPLICATION PERMISSIONS =====================================
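Review bot: The context comment above the now-active `${catalina.base}/lib/-` grant still says the permission "will need to be uncommented", and the new `webapps/tomee/-` grant gives AllPermission with only `// TomEE webapp for deployment` as explanation. Everything under that directory runs outside the sandbox, so the trust assumption belongs next to the grant, for example `// TomEE deployer webapp: trusted container code, runs with AllPermission; test applications must not be deployed under this path`. The lib comment could become `// Per-instance lib directory is in use, so its jars are granted AllPermission`.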
@@ -157,6 +166,27 @@
permission java.util.PropertyPermission "java.vm.vendor", "read";
permission java.util.PropertyPermission "java.vm.name", "read";
+ // TomEE
+ permission java.util.PropertyPermission "tomee.*", "read";
+ permission java.util.PropertyPermission "openejb.*", "read";
+ permission java.util.PropertyPermission "user.name", "read";
+ permission java.util.PropertyPermission "java.io.tmpdir", "read";
+ permission java.io.FilePermission "${catalina.base}/lib/-", "read"; // java ee api class, slf4j, owb, etc
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.loader"; // tomee
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.core"; // tomee
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.realm"; // tomee
+ permission java.lang.RuntimePermission "setContextClassLoader"; // tomee
+ permission java.lang.RuntimePermission "accessDeclaredMembers"; // owb
+ permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; // owb
+ permission java.net.SocketPermission "localhost", "connect,resolve"; // jndi
+ permission java.net.SocketPermission "127.0.0.1", "connect,resolve"; // jndi
+ permission javax.security.auth.AuthPermission "doAsPrivileged"; // tomee security
+ permission javax.security.auth.AuthPermission "modifyPrincipals"; // tomee security
+ permission javax.security.auth.AuthPermission "modifyPrivateCredentials"; // tomee security
+
+ // TomEE for CTS classes in webapps
+ permission java.io.FilePermission "${cts.home}/dist/-", "read";
+
// Required for OpenJMX
permission java.lang.RuntimePermission "getAttribute";
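Review bot: `accessDeclaredMembers` and `suppressAccessChecks`, together with `setContextClassLoader` and the `modifyPrincipals`/`modifyPrivateCredentials` AuthPermissions, are added to what appears to be the default web application grant (its `grant {` line is outside the hunk), so every deployed application receives them. Reflection with suppressed access checks lets application code read and alter private state of container classes, which leaves little of the sandbox for the security-manager tests to exercise. The `// owb` and `// tomee` comments suggest the container libraries are the real consumers, and those already have AllPermission through `${catalina.base}/lib/-`, so if they make these calls inside `doPrivileged` the entries are not needed here. Otherwise I would move them to a codeBase-scoped grant and note beside each entry which test requires it.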
@@ -169,12 +199,14 @@
// Precompiled JSPs need access to these packages.
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.el";
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime";
- permission java.lang.RuntimePermission
- "accessClassInPackage.org.apache.jasper.runtime.*";
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime.*";
// Applications using WebSocket need to be able to access these packages
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.websocket";
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.websocket.server";
+
+ // TomEE for CTS classes
+ permission java.lang.RuntimePermission "accessClassInPackage.com.sun.ts.*";
};
@@ -259,17 +291,36 @@
// grant codeBase "war:file:${catalina.base}/webapps/examples.war*/WEB-INF/lib/foo.jar" {
// };
-// ================ Apache TomEE ============== (To be refined)
-grant codeBase "jar:file:${catalina.home}/lib/*!/-" {
- permission java.security.AllPermission;
+// TomEE for CTS configuration
+grant codeBase "file:${cts.home}/dist/com/sun/ts/tests/jaspic/-" {
+ permission java.io.FilePermission "${catalina.base}/conf/-", "read";
+ permission java.io.FilePermission "${catalina.base}/conf/jaspic-providers.xml", "read,write,delete"; // Tomcat ACF
+ permission java.io.FilePermission "${catalina.base}/conf/jaspic-providers.xml.new", "read,write,delete"; // Tomcat ACF
+ permission java.io.FilePermission "${catalina.base}/conf/jaspic-providers.xml.old", "read,write,delete"; // Tomcat ACF
+ permission java.io.FilePermission "${catalina.base}/temp/-", "read,write";
+ permission java.io.FilePermission "${catalina.base}/logs/-", "read,write";
+ permission java.io.FilePermission "${catalina.base}/work/-", "read,write";
+ permission java.util.PropertyPermission "*", "read,write"; // the log file
+ permission java.security.SecurityPermission "getProperty.authconfigprovider.factory";
+ permission java.security.SecurityPermission "setProperty.authconfigprovider.factory";
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.authenticator.jaspic";
+ permission java.util.logging.LoggingPermission "control";
};
-grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
- permission java.security.AllPermission;
+grant codeBase "file:${cts.home}/dist/com/sun/ts/tests/servlet/ee/spec/security/permissiondd/servlet_ee_spec_security_permissiondd_web/-" {
+ permission java.util.PropertyPermission "cts.*", "read";
+
+ permission java.security.SecurityPermission "CTSPermission1_name";
+ permission java.security.SecurityPermission "CTSPermission1_name2";
+ permission java.security.SecurityPermission "CTSPermission2_name";
+ permission java.security.SecurityPermission "CTSPermission_second_name";
+
+ permission java.lang.RuntimePermission "loadLibrary.*";
+ permission java.lang.RuntimePermission "queuePrintJob";
+
+ permission java.net.SocketPermission "*", "connect";
+
+ permission java.io.FilePermission "*", "read";
+
+ permission java.util.PropertyPermission "*", "read";
};
-grant codeBase "file:${catalina.base}/lib/-" {
- permission java.security.AllPermission;
-};
-grant {
- // "standard" properties that can be read by anyone
- permission java.security.AllPermission ;
-};
\ No newline at end of file
+
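Review bot: In the jaspic grant, `permission java.util.PropertyPermission "*", "read,write"; // the log file` carries a comment that does not match the permission, which lets the jaspic test classes set any system property rather than only a log-file location. Narrow it to the property names the tests actually write, or correct the comment to say why the wildcard is needed. In the permissiondd grant, `FilePermission "*", "read"` covers only files in the current directory (all files would be `<<ALL FILES>>`), while `loadLibrary.*` and `SocketPermission "*", "connect"` are broad. If these entries mirror what the CTS test application declares, a comment saying so would help, e.g. `// mirrors the permissions declared by the permissiondd test application`.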
diff --git a/src/test/tomee-plume/conf/context.xml b/src/test/tomee-plume/conf/context.xml
index 5d42cfe..3c422ef 100644
--- a/src/test/tomee-plume/conf/context.xml
+++ b/src/test/tomee-plume/conf/context.xml
@@ -30,14 +30,6 @@
-->
<Valve className="org.apache.openejb.cts.TransactionalWorkaroundLeakGuardValve"/>
- <!-- Rollback this because it causes some other tests to fail because they test the Form authentication and Tomcat
- Does not allow multiple authenticator valve
- We need to hear back or to find a way to only add this for jaspic webapp or tests
-
- <Valve className="org.apache.catalina.authenticator.BasicAuthenticator"
- jaspicCallbackHandlerClass="org.apache.openejb.cts.CallbackHandlerImpl"
- />
- -->
<Environment name="myUrl" value="http://google.com"
type="java.net.URL" override="false"/>
diff --git a/src/test/tomee-plume/conf/tomcat-users.xml b/src/test/tomee-plume/conf/tomcat-users.xml
index 7de2b4f..9ce0456 100644
--- a/src/test/tomee-plume/conf/tomcat-users.xml
+++ b/src/test/tomee-plume/conf/tomcat-users.xml
@@ -21,9 +21,9 @@
<user name="admin" password="admin" roles="manager"/>
<user name="jave_vi" password="javaee_vi" roles="staff"/>
<user name="javee_vi" password="javaee_vi" roles="staff"/>
- <user name="javajoe" password="javajoe" roles="Manager,Employee,guest"/>
+ <user name="javajoe" password="javajoe" roles="Manager,Employee,guest,OTHERROLE"/>
<user name="javaee" password="javaee" roles="Administrator,Employee,mgr,asadmin"/>
- <user name="j2ee" password="j2ee" roles="Administrator,Employee,mgr,asadmin,staff"/>
+ <user name="j2ee" password="j2ee" roles="Administrator,Employee,mgr,asadmin,staff,DIRECTOR"/>
<user name="CN=CTS, OU=Java Software, O=Sun Microsystems Inc., L=Burlington, ST=MA, C=US" roles="Administrator"/>
</tomcat-users>