Hi all!

So, I couldn't take a look at the TomEE for a while.
From what I recall I couldn't get any further because the annotation scanning
wasn't looking for security annotations in Servlets, only EJBs.

If someone could continue the work, that would be great. I've spent some time on it,
but as I couldn't progress, I guess I can learn from the solution.


On Mon, Jan 4, 2021 at 09:55, Jean-Louis Monteiro <[email protected]> wrote:

> Hey Thiago,
>
> Happy new year.
> Wanted to check if you got any chance to move something forward, or if you
> need something from us?
>
> Thanks
> --
> Jean-Louis Monteiro
> http://twitter.com/jlouismonteiro
> http://www.tomitribe.com
>
>
> On Wed, Dec 16, 2020 at 6:51 PM Jean-Louis Monteiro <
> [email protected]> wrote:
>
> > In a meeting and about to get the kids for dinner. I'll answer later.
> >
> > In regards to the debug, the deployment class does not run on the server.
> > Check out the runtest script. At the beginning, there are a couple of
> > flags you can use to debug the server, the javatest, the harness (ds, dj, dh ...).
> > It gives the ports you can connect to.
> > --
> > Jean-Louis Monteiro
> > http://twitter.com/jlouismonteiro
> > http://www.tomitribe.com
> >
> >
> > On Wed, Dec 16, 2020 at 6:04 PM Thiago Henrique Hupner <[email protected]>
> > wrote:
> >
> >> Well, the AnnotationDeployer does in fact run on servlet classes, however
> >> it doesn't process the security annotations in the deploy method:
> >>
> >> https://github.com/apache/tomee/blob/master/container/openejb-core/src/main/java/org/apache/openejb/config/AnnotationDeployer.java#L1084
> >>
> >> I'll keep looking around.
> >>
> >> Thanks
> >>
> >> On Wed, Dec 16, 2020 at 13:48, Thiago Henrique Hupner <[email protected]> wrote:
> >>
> >> > Hi.
> >> >
> >> > I tried to debug the DeploymentImpl, however I wasn't able to. Do you know if
> >> > this class is only used by the full TCK run or if it is used by a single run?
> >> >
> >> > I'm running the TCK with:
> >> > ./runtests -sql skip -ds --web tomee-plume com.sun.ts.tests.servlet.ee.spec.security.runAs
> >> > And attaching the debugger to port 5005.
> >> >
> >> > I also find something weird: looks like the AnnotationDeployer class is
> >> > not run on Servlet classes.
> >> > From what I can tell, only the EJBs are being scanned. The
> >> > com.sun.ts.tests.servlet.ee.spec.security.runAs.ServletTwo doesn't reach
> >> > there and the application doesn't know about the RunAs("Manager").
> >> >
> >> > About the DeploymentImpl probably I'll need to get more information to
> >> > understand how it works.
> >> > For now, I've applied a patch to the DeployerEjb:
> >> >
> >> > if (slash > 0) {
> >> >    String moduleId = name.substring(0, slash);
> >> >    // To remove ".war" from the module name
> >> >    moduleId = moduleId.substring(0, moduleId.length() - 4);
> >> >    name = name.substring(slash + 1);
> >> >    module = modules.get(moduleId);
> >> > }
> >> >
> >> > Probably I'll revisit it before sending some official patch.
> >> >
> >> > Thanks!
> >> >
> >> > On Wed, Dec 16, 2020 at 10:39, Jean-Louis Monteiro <[email protected]> wrote:
> >> >
> >> >> Hi Thiago,
> >> >>
> >> >> That is astonishing how deep you got in such a little amount of time.
> >> >> You have nothing to worry about or to be sorry about.
> >> >>
> >> >> We all truly appreciate the help.
> >> >>
> >> >> You are right on.
> >> >> Here are some pointers for debugging.
> >> >>
> >> >> Here is where we get notified by TCK stack about deployments and
> >> >> descriptors.
> >> >>
> >> >> https://github.com/apache/tomee-tck/blob/master/src/main/java/org/apache/openejb/cts/DeploymentImpl.java#L170
> >> >>
> >> >> L182, I added a hack the other day to support overriding the context from
> >> >> the sun descriptor.
> >> >> I acknowledge it was a hack but changing the DeployerEjb is a bit tricky
> >> >> and can break too many things.
> >> >> A solution would be to fork it in TomEE TCK and clean it up so we can
> >> >> support all deployment descriptors for EAR, WAR packagings.
> >> >>
> >> >> We would use the TCK specific version to deploy and configure (finer).
> >> >>
> >> >> What do you think?
> >> >>
> >> >>
> >> >>
> >> >> --
> >> >> Jean-Louis Monteiro
> >> >> http://twitter.com/jlouismonteiro
> >> >> http://www.tomitribe.com
> >> >>
> >> >>
> >> >> On Wed, Dec 16, 2020 at 12:14 PM Thiago Henrique Hupner <[email protected]>
> >> >> wrote:
> >> >>
> >> >> > Hi all!
> >> >> >
> >> >> > I started taking a look to get a feeling of the whole process.
> >> >> > I guess I was able to configure the TCK because I'm able to use the
> >> >> > "runtests" script and debug in my IDE.
> >> >> >
> >> >> > So, as far as I could tell, there isn't any processing of security for any
> >> >> > sun-*.xml.
> >> >> >
> >> >> > Another thing that I noticed is that the
> >> >> > `webModule.getAltDDs().get("sun-web.xml");` is returning null. The process of
> >> >> > including the in the "altDDs" (org.apache.openejb.assembler.DeployerEjb) is
> >> >> > trying to find the module
> >> >> > "servlet_ee_spec_security_runAs_second_module_web.war"
> >> >> > while the correct (I guess) is
> >> >> > "servlet_ee_spec_security_runAs_second_module_web" (because there's an
> >> >> > entry with this key).
> >> >> >
> >> >> > Sorry if I'm taking a lot of time to process all this information and thank
> >> >> > you for helping me.
> >> >> >
> >> >> > On Tue, Dec 15, 2020 at 12:41, Jonathan Gallimore <[email protected]> wrote:
> >> >> >
> >> >> > > There's a similar issue for some of the JAX-RS tests as well which I had
> >> >> > > been meaning to tackle in the same way - if you have some joy with the
> >> >> > > Servlet tests, you'll likely fix the JAX-RS tests too.
> >> >> > >
> >> >> > > Thanks for looking at this Thiago - let us know how you're getting on!
> >> >> > >
> >> >> > > Jon
> >> >> > >
> >> >> > > On Tue, Dec 15, 2020 at 1:02 PM Jean-Louis Monteiro <
> >> >> > > [email protected]> wrote:
> >> >> > >
> >> >> > > > Hi Thiago,
> >> >> > > >
> >> >> > > > No the TCK setup is unfortunately a bit more complex.
> >> >> > > > You can have a look at the readme from this repo
> >> >> > > > https://github.com/apache/tomee-tck
> >> >> > > >
> >> >> > > > What I would recommend is either create a unit test in openejb-core to
> >> >> > > > reproduce the issue.
> >> >> > > > Or at least create an example (starting from examples/alternate-descriptors
> >> >> > > > is probably good).
> >> >> > > >
> >> >> > > > The TCK is very simple.
> >> >> > > > This is where you can find it
> >> >> > > >
> >> >> > > > https://github.com/eclipse-ee4j/jakartaee-tck/tree/master/src/com/sun/ts/tests/servlet/ee/spec/security/runAs
> >> >> > > >
> >> >> > > > Basically ServletTwo is secured and called with a user j2ee
> with
> >> >> > > > Administrator role.
> >> >> > > > It has @RunAs("Manager"), so it can call the EJB with Manager
> >> >> > > > @RolesAllowed.
> >> >> > > >
> >> >> > > > The goal is to map j2ee with javajoe which has Manager role.
> >> >> > > > Check out the comments for the following method
> >> >> > > >
> >> >> > > > https://github.com/eclipse-ee4j/jakartaee-tck/blob/master/src/com/sun/ts/tests/servlet/ee/spec/security/runAs/Client.java#L211
> >> >> > > >
> >> >> > > > If you want to go the junit simple test, have a look at
> >> >> > > >
> >> >> > > > https://github.com/apache/tomee/tree/master/container/openejb-core/src/test/java/org/apache/openejb/config
> >> >> > > > You can find a couple of Sun...Test files.
> >> >> > > >
> >> >> > > > The goal is pretty simple in essence.
> >> >> > > > In here
> >> >> > > >
> >> >> > > > https://github.com/apache/tomee/tree/master/container/openejb-jee/src/main/java/org/apache/openejb/jee
> >> >> > > > You have all descriptors supported.
> >> >> > > >
> >> >> > > > Under sun package, you will find deployment descriptors JAXB tree, for
> >> >> > > > instance to parse
> >> >> > > >
> >> >> > > > https://github.com/eclipse-ee4j/jakartaee-tck/blob/master/src/com/sun/ts/tests/servlet/ee/spec/security/runAs/servlet_ee_spec_security_runAs_second_module_web.war.sun-web.xml
> >> >> > > > The role mapping is here
> >> >> > > >
> >> >> > > > https://github.com/apache/tomee/blob/master/container/openejb-jee/src/main/java/org/apache/openejb/jee/sun/Servlet.java
> >> >> > > >
> >> >> > > > You need to convert to the JAXB tree under oejb3.
> >> >> > > > The role mapping is here
> >> >> > > >
> >> >> > > > https://github.com/apache/tomee/blob/master/container/openejb-jee/src/main/java/org/apache/openejb/jee/oejb3/RoleMapping.java
> >> >> > > >
> >> >> > > > Small trick to solve, for glassfish the mapping is done from servlet name
> >> >> > > > to principal.
> >> >> > > > For OpenEJB/TomEE the mapping is done from role to principal.
> >> >> > > >
> >> >> > > > Hope it helps
> >> >> > > >
> >> >> > > > --
> >> >> > > > Jean-Louis Monteiro
> >> >> > > > http://twitter.com/jlouismonteiro
> >> >> > > > http://www.tomitribe.com
> >> >> > > >
> >> >> > > >
> >> >> > > > On Tue, Dec 15, 2020 at 1:46 PM Thiago Henrique Hupner <[email protected]>
> >> >> > > > wrote:
> >> >> > > >
> >> >> > > > > I can have a look at the RunAs tests.
> >> >> > > > >
> >> >> > > > > I just want to know, if I make a change in the TomEE, using `mvn clean
> >> >> > > > > install` would be enough to the tomee-tck use the new jars or
> >> >> > > > > do I need to setup anything else?
> >> >> > > > >
> >> >> > > > > Thanks
> >> >> > > > >
> >> >> > > > > On Tue, Dec 15, 2020 at 08:16, Jean-Louis Monteiro <[email protected]> wrote:
> >> >> > > > >
> >> >> > > > > > Hi community,
> >> >> > > > > >
> >> >> > > > > > I was working on the Servlet, I have been able to bring it down to
> >> >> > > > > >
> >> >> > > > > > https://tck.work/tomee/tests?build=1607984842299&path=com.sun.ts.tests.servlet
> >> >> > > > > >
> >> >> > > > > > 22 remaining failures.
> >> >> > > > > >
> >> >> > > > > > Based on Tomcat's following page
> >> >> > > > > > https://cwiki.apache.org/confluence/display/TOMCAT/Servlet+TCK+4.0
> >> >> > > > > >
> >> >> > > > > > I added some excludes for tests which were fix because of known bugs
> >> >> > > > > > See
> >> >> > > > > >
> >> >> > > > > > https://github.com/apache/tomee-tck/blob/master/src/test/resources/ts.jtx#L24
> >> >> > > > > >
> >> >> > > > > > On the 22, we still have some pending tests as explained in the Tomcat
> >> >> > > > > > wiki.
> >> >> > > > > > I haven't excluded them because they aren't flagged as bugs on the TCK, so
> >> >> > > > > > until the challenge is accepted and fixed, we should leave them in my
> >> >> > > > > > opinion.
> >> >> > > > > >
> >> >> > > > > > I'm trying to get some of the permission fixed as well by adding the
> >> >> > > > > > security manager.
> >> >> > > > > >
> >> >> > > > > >
> >> >> > > > > >    - com.sun.ts.tests.servlet.spec.security.clientcert.Client (1
> >> >> > > > > >    failure) --> JDK issue fixed with 1.8u221 - I already updated the
> >> >> > > > > >    certificates because they were expired
> >> >> > > > > >    - com.sun.ts.tests.servlet.ee.spec.security.permissiondd.Client (14
> >> >> > > > > >    failures) --> We need the security manager with Tomcat
> >> >> > > > > >    - com.sun.ts.tests.servlet.ee.spec.security.runAs.Client (2 failures)
> >> >> > > > > >    --> we need a role mapping so user can switch from j2ee to javajoe. We do
> >> >> > > > > >    support role mapping but with openejb-jar.xml (not standard way - each
> >> >> > > > > >    container has its own). As the TCK provides Glassfish role mapping already,
> >> >> > > > > >    we should be able to easily pass this by just improving the SunConversion
> >> >> > > > > >    class to read and map the roles to our internal model.
> >> >> > > > > >    - com.sun.ts.tests.servlet.api.javax_servlet.srevent.URLClient (1
> >> >> > > > > >    failure)
> >> >> > > > > >    - com.sun.ts.tests.servlet.api.javax_servlet.asynccontext.URLClient (2
> >> >> > > > > >    failures)
> >> >> > > > > >    - com.sun.ts.tests.servlet.spec.security.secbasic.Client (2 failures)
> >> >> > > > > >    --> known. Under discussion
> >> >> > > > > >
> >> >> > > > > > If someone wants to take the RunAs, it's an easy one to do. I can provide
> >> >> > > > > > some guidance.
> >> >> > > > > >
> >> >> > > > > > --
> >> >> > > > > > Jean-Louis Monteiro
> >> >> > > > > > http://twitter.com/jlouismonteiro
> >> >> > > > > > http://www.tomitribe.com
> >> >> > > > > >
> >> >> > > > >
> >> >> > > >
> >> >> > >
> >> >> >
> >> >>
> >> >
> >>
> >
>
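
The conversion described in the thread above (GlassFish maps servlet name to principal, OpenEJB/TomEE maps role to principal), as an added example that is not part of the thread and not TomEE's SunConversion code. The descriptor is a constructed sample, and the servlet-to-role map is an assumed stand-in for what scanning `@RunAs` on servlet classes would provide; class and method names are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class RunAsRoleMapping {
    // Constructed sample in the GlassFish sun-web.xml shape (servlet name -> principal).
    static final String SUN_WEB_XML =
        "<sun-web-app>"
      + "<servlet><servlet-name>ServletTwo</servlet-name><principal-name>javajoe</principal-name></servlet>"
      + "<servlet><servlet-name>Orphan</servlet-name><principal-name>nobody</principal-name></servlet>"
      + "</sun-web-app>";

    /** Joins servlet -> principal (descriptor) with servlet -> run-as role into role -> principals. */
    static Map<String, Set<String>> toRoleMapping(String xml, Map<String, String> runAsByServlet)
            throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // Descriptors arrive inside deployed archives: reject DOCTYPEs so no entity is resolved.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = factory.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        Map<String, Set<String>> principalsByRole = new TreeMap<>();
        NodeList servlets = doc.getElementsByTagName("servlet");
        for (int i = 0; i < servlets.getLength(); i++) {
            Element servlet = (Element) servlets.item(i);
            String name = childText(servlet, "servlet-name");
            String principal = childText(servlet, "principal-name");
            if (name == null || principal == null) continue;   // incomplete entry, nothing to map
            String role = runAsByServlet.get(name);
            if (role == null) {
                // No run-as role is known for this servlet: do not invent a grant for its principal.
                System.err.println("skipped " + name + ": no run-as role");
                continue;
            }
            principalsByRole.computeIfAbsent(role, r -> new TreeSet<>()).add(principal);
        }
        return principalsByRole;
    }

    static String childText(Element parent, String tag) {
        NodeList nodes = parent.getElementsByTagName(tag);
        return nodes.getLength() == 0 ? null : nodes.item(0).getTextContent().trim();
    }

    public static void main(String[] args) throws Exception {
        // Assumed scanner output: ServletTwo carries @RunAs("Manager"), as in the TCK test.
        Map<String, String> runAsByServlet = Map.of("ServletTwo", "Manager");
        System.out.println(toRoleMapping(SUN_WEB_XML, runAsByServlet));
    }
}
```

If the security annotations on servlet classes are never scanned, the servlet-to-role map is empty and every descriptor entry is skipped, which is the symptom reported at the top of this message.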
