initial commit

.gitignore

@@ -0,0 +1,4 @@
+build/classes
+.settings/
+.classpath
+.project

README.md

@@ -0,0 +1,16 @@
+# PruebaJAAS
+
+Implementación de prueba del sistema nativo de seguridad de Java [JAAS](https://www.oracle.com/java/technologies/javase/javase-tech-security.html) (Java Authentication and Authorization Service)
+
+Prueba realizada con `Java 11` y despliegue con `Tomcat 10`
+
+### Credenciales de acceso
+
+```
+Usuario: user
+Password: pass
+```
+
+### Licencia
+
+MIT

src/main/java/jaas.conf

@@ -0,0 +1,3 @@
+PruebaJAAS {
+    jaas.JAASLoginModule required;
+};

src/main/java/jaas/InitialServlet.java

@@ -0,0 +1,27 @@
+package jaas;
+
+import javax.security.auth.login.Configuration;
+
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServlet;
+
+/**
+ * Servlet implementation class InitialServlet
+ */
+public class InitialServlet extends HttpServlet {
+	private static final long serialVersionUID = 1L;
+
+	/**
+	 * @see HttpServlet#HttpServlet()
+	 */
+	public InitialServlet() {
+		super();
+	}
+
+	@Override
+	public void init() throws ServletException {
+		super.init();
+		System.setProperty("java.security.auth.login.config", "classpath:jaas.conf");
+		Configuration.getConfiguration().refresh();
+	}
+}

src/main/java/jaas/JAASLoginModule.java

@@ -0,0 +1,100 @@
+package jaas;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+
+import javax.security.auth.Subject;
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.NameCallback;
+import javax.security.auth.callback.PasswordCallback;
+import javax.security.auth.callback.UnsupportedCallbackException;
+import javax.security.auth.login.LoginException;
+import javax.security.auth.spi.LoginModule;
+
+public class JAASLoginModule implements LoginModule {
+
+	private CallbackHandler handler;
+	private Subject subject;
+	private UserPrincipal userPrincipal;
+	private RolePrincipal rolePrincipal;
+	private String login;
+	private List<String> userGroups;
+
+	@Override
+	public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState,
+			Map<String, ?> options) {
+
+		handler = callbackHandler;
+		this.subject = subject;
+	}
+
+	@Override
+	public boolean login() throws LoginException {
+
+		Callback[] callbacks = new Callback[2];
+		callbacks[0] = new NameCallback("login");
+		callbacks[1] = new PasswordCallback("password", true);
+
+		try {
+			handler.handle(callbacks);
+			String name = ((NameCallback) callbacks[0]).getName();
+			String password = String.valueOf(((PasswordCallback) callbacks[1]).getPassword());
+
+			// Here we validate the credentials against some
+			// authentication/authorization provider.
+			// It can be a Database, an external LDAP,
+			// a Web Service, etc.
+			if (name != null && name.equals("user") && password != null && password.equals("pass")) {
+
+				// We store the username and roles
+				// fetched from the credentials provider
+				// to be used later in commit() method.
+				login = name;
+				userGroups = new ArrayList<String>();
+				userGroups.add("admin");
+				return true;
+			}
+
+			// If credentials are NOT OK we throw a LoginException
+			throw new LoginException("Authentication failed");
+
+		} catch (IOException e) {
+			throw new LoginException(e.getMessage());
+		} catch (UnsupportedCallbackException e) {
+			throw new LoginException(e.getMessage());
+		}
+
+	}
+
+	@Override
+	public boolean commit() throws LoginException {
+
+		userPrincipal = new UserPrincipal(login);
+		subject.getPrincipals().add(userPrincipal);
+
+		if (userGroups != null && userGroups.size() > 0) {
+			for (String groupName : userGroups) {
+				rolePrincipal = new RolePrincipal(groupName);
+				subject.getPrincipals().add(rolePrincipal);
+			}
+		}
+
+		return true;
+	}
+
+	@Override
+	public boolean abort() throws LoginException {
+		return false;
+	}
+
+	@Override
+	public boolean logout() throws LoginException {
+		subject.getPrincipals().remove(userPrincipal);
+		subject.getPrincipals().remove(rolePrincipal);
+		return true;
+	}
+
+}

src/main/java/jaas/RolePrincipal.java

@@ -0,0 +1,22 @@
+package jaas;
+
+import java.security.Principal;
+
+public class RolePrincipal implements Principal {
+
+	private String name;
+
+	public RolePrincipal(String name) {
+		super();
+		this.name = name;
+	}
+
+	public void setName(String name) {
+		this.name = name;
+	}
+
+	@Override
+	public String getName() {
+		return name;
+	}
+}

src/main/java/jaas/UserPrincipal.java

@@ -0,0 +1,22 @@
+package jaas;
+
+import java.security.Principal;
+
+public class UserPrincipal implements Principal {
+
+	private String name;
+
+	public UserPrincipal(String name) {
+		super();
+		this.name = name;
+	}
+
+	public void setName(String name) {
+		this.name = name;
+	}
+
+	@Override
+	public String getName() {
+		return name;
+	}
+}

src/main/webapp/META-INF/MANIFEST.MF

@@ -0,0 +1,3 @@
+Manifest-Version: 1.0
+Class-Path: 
+

src/main/webapp/META-INF/context.xml

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Context>
+	<Realm className="org.apache.catalina.realm.JAASRealm"
+		appName="PruebaJAAS" userClassNames="jaas.UserPrincipal"
+		roleClassNames="jaas.RolePrincipal" />
+</Context>

src/main/webapp/WEB-INF/web.xml

@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xmlns="https://jakarta.ee/xml/ns/jakartaee"
+	xmlns:web="http://xmlns.jcp.org/xml/ns/javaee"
+	xsi:schemaLocation="https://jakarta.ee/xml/ns/jakartaee https://jakarta.ee/xml/ns/jakartaee/web-app_5_0.xsd http://xmlns.jcp.org/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
+	id="WebApp_ID" version="5.0">
+	<display-name>PruebaJAAS</display-name>
+	<servlet>
+		<display-name>InitialServlet</display-name>
+		<servlet-name>InitialServlet</servlet-name>
+		<servlet-class>jaas.InitialServlet</servlet-class>
+		<load-on-startup>1</load-on-startup>
+	</servlet>
+	<welcome-file-list>
+		<welcome-file>index.jsp</welcome-file>
+	</welcome-file-list>
+	<security-constraint>
+		<web-resource-collection>
+			<web-resource-name>Auth</web-resource-name>
+			<url-pattern>/*</url-pattern>
+		</web-resource-collection>
+		<auth-constraint>
+			<role-name>admin</role-name>
+		</auth-constraint>
+	</security-constraint>
+	<security-role>
+		<role-name>admin</role-name>
+	</security-role>
+	<login-config>
+		<auth-method>FORM</auth-method>
+		<form-login-config>
+			<form-login-page>/login.jsp</form-login-page>
+			<form-error-page>/error.jsp</form-error-page>
+		</form-login-config>
+	</login-config>
+</web-app>

src/main/webapp/error.jsp

@@ -0,0 +1,15 @@
+<%@ page language="java" contentType="text/html; charset=UTF-8"
+	pageEncoding="UTF-8"%>
+<!DOCTYPE html>
+<html>
+<head>
+<meta charset="UTF-8">
+<title>Error</title>
+</head>
+<body>
+	<h2>Error</h2>
+	<p>
+		Try <a href="login.jsp">again</a>.
+	</p>
+</body>
+</html>

src/main/webapp/index.jsp

@@ -0,0 +1,15 @@
+<%@ page language="java" contentType="text/html; charset=UTF-8"
+	pageEncoding="UTF-8"%>
+<!DOCTYPE html>
+<html>
+<head>
+<meta charset="UTF-8">
+<title>Index</title>
+</head>
+<body>
+	<h2>Index</h2>
+	<p>
+		Logged in as <b><%=request.getRemoteUser()%></b>. <a href="logout.jsp">Logout</a>
+	</p>
+</body>
+</html>

src/main/webapp/login.jsp

@@ -0,0 +1,24 @@
+<%@ page language="java" contentType="text/html; charset=UTF-8"
+	pageEncoding="UTF-8"%>
+<!DOCTYPE html>
+<html>
+<head>
+<meta charset="UTF-8">
+<title>JAAS Login</title>
+</head>
+<body>
+	<h2>Login</h2>
+	<form method=post action="j_security_check">
+		<p>
+			<span>Username:</span> <br /> <input type="text" name="j_username">
+		</p>
+		<p>
+			<span>Password:</span> <br /> <input type="password"
+				name="j_password">
+		</p>
+		<p>
+			<input type="submit" value="Login">
+		</p>
+	</form>
+</body>
+</html>

src/main/webapp/logout.jsp

@@ -0,0 +1,15 @@
+<%@ page language="java" contentType="text/html; charset=UTF-8"
+	pageEncoding="UTF-8"%>
+<!DOCTYPE html>
+<html>
+<head>
+<meta charset="UTF-8">
+<title>Logout</title>
+</head>
+<body>
+	<%
+	request.getSession().invalidate();
+	%>
+	<p>Logged out.</p>
+</body>
+</html>