users@javaee-security-spec.java.net

[javaee-security-spec users] [jsr375-experts] Support for Liberty added to Soteria

From: arjan tijms <arjan.tijms_at_gmail.com>
Date: Sat, 1 Oct 2016 16:36:13 +0200

Hi,

I just added support for Liberty to Soteria and added it to the test
targets.

See: https://travis-ci.org/javaee-security-spec/soteria/builds/164267239

For this I used a proprietary feature of Weld where it's possible to do the
per-request setup somewhat earlier. Weld will make sure that when the
container (Liberty here) also asks for this initialisation later on, it's
properly ignored, but does record the request. When the container then
later on asks to destroy the per-request setup, it's again ignored so that
we also have the opportunity to destroy it later.

I introduced a small SPI for this that vendors can optionally implement.
For now I used reflection to call the Weld API if the server is detected to
be Liberty. It looks as follows:

    @Override
    public void init(HttpServletRequest request) {
        // Weld's listener is looked up by attribute name, so no compile-time dependency on Weld is needed
        Object weldInitialListener = request.getServletContext().getAttribute("org.jboss.weld.servlet.WeldInitialListener");
        ServletRequestEvent event = new ServletRequestEvent(request.getServletContext(), request);

        // Invoke weldInitialListener.requestInitialized(event) through EL instead of a typed call
        ELProcessor elProcessor = new ELProcessor();
        elProcessor.defineBean("weldInitialListener", weldInitialListener);
        elProcessor.defineBean("event", event);
        elProcessor.eval("weldInitialListener.requestInitialized(event)");
    }

I also had to disable the DB identity store test for Liberty, since it
depends on an embedded datasource which Liberty does not support.

Furthermore, I had to disable the custom form tests for Liberty. It
depends on the HttpServletRequest#authenticate call, which the current
version of Liberty (16.0.03 and 2016.9) does not support (but Paul from the
Liberty team has internally implemented this so it should be available in a
next version).

Finally, a hack was needed for the form authentication. This makes use of
request wrapping, which unfortunately is also not well supported in Liberty
(but here too, Paul is already looking at it).

Most importantly, all other tests do run flawlessly, so the majority of the
implementation of JSR 375 now runs on Payara, JBoss (WildFly) and Liberty.
It should also be possible to run it on TomEE (although it too currently
doesn't support request.authenticate), and even on Tomcat with a CDI
implementation separately added.

Do note that from a spec viewpoint the RI implementation itself doesn't
necessarily have to be portable, but I think it's a nice property that it
largely is.

Kind regards,
Arjan Tijms