wildfly-security · darranl · Feb 13, 2025 · Feb 14, 2025
@@ -51,11 +51,15 @@ public URI createUri() throws URISyntaxException {
     }
 
     public URI createUri(String alternatePath) throws URISyntaxException {
+        return createUri(this.contextRoot, alternatePath);
+    }
+
+    public URI createUri(String contextRoot, String alternatePath) throws URISyntaxException {
         final String path;
         if (alternatePath != null) {
-            path = this.contextRoot + alternatePath;
+            path = contextRoot + alternatePath;
         } else {
-            path = this.contextRoot + this.path;
+            path = contextRoot + this.path;
         }
 
         System.out.println("My PATH " + path);

@@ -0,0 +1,221 @@
+/*
+ * Copyright 2025 Red Hat, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.wildfly.elytron.web.undertow.server.servlet;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+import static org.wildfly.security.password.interfaces.ClearPassword.ALGORITHM_CLEAR;
+
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.NoSuchAlgorithmException;
+import java.security.Principal;
+import java.security.spec.AlgorithmParameterSpec;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.concurrent.atomic.AtomicInteger;
+import java.util.function.Supplier;
+
+import org.apache.http.HttpResponse;
+import org.apache.http.NameValuePair;
+import org.apache.http.client.HttpClient;
+import org.apache.http.client.entity.UrlEncodedFormEntity;
+import org.apache.http.client.methods.HttpGet;
+import org.apache.http.client.methods.HttpPost;
+import org.apache.http.impl.client.BasicCookieStore;
+import org.apache.http.impl.client.HttpClientBuilder;
+import org.apache.http.impl.client.LaxRedirectStrategy;
+import org.apache.http.message.BasicNameValuePair;
+import org.junit.Test;
+import org.wildfly.common.function.ExceptionFunction;
+import org.wildfly.elytron.web.undertow.common.AbstractHttpServerMechanismTest;
+import org.wildfly.elytron.web.undertow.common.UndertowServer;
+import org.wildfly.elytron.web.undertow.server.servlet.util.UndertowServletServer;
+import org.wildfly.elytron.web.undertow.server.servlet.util.UndertowServletServer.Builder;
+import org.wildfly.security.auth.SupportLevel;
+import org.wildfly.security.auth.permission.LoginPermission;
+import org.wildfly.security.auth.realm.SimpleMapBackedSecurityRealm;
+import org.wildfly.security.auth.realm.SimpleRealmEntry;
+import org.wildfly.security.auth.server.RealmIdentity;
+import org.wildfly.security.auth.server.RealmUnavailableException;
+import org.wildfly.security.auth.server.SecurityDomain;
+import org.wildfly.security.auth.server.SecurityRealm;
+import org.wildfly.security.credential.Credential;
+import org.wildfly.security.credential.PasswordCredential;
+import org.wildfly.security.evidence.Evidence;
+import org.wildfly.security.password.PasswordFactory;
+import org.wildfly.security.password.spec.ClearPasswordSpec;
+import org.wildfly.security.permission.PermissionVerifier;
+
+/**
+ * Base class for the SSO testing.
+ *
+ * @author <a href="mailto:[email protected]">Farah Juma</a>
+ * @author <a href="mailto:[email protected]">Darran Lofthouse</a>
+ */
+public abstract class FormAuthenticationSSOBase extends AbstractHttpServerMechanismTest {
+
+    protected Supplier<KeyPair> keyPairSupplier;
+    protected AtomicInteger realmIdentityInvocationCount = new AtomicInteger(0);
+
+    @Override
+    protected String getMechanismName() {
+        return "FORM";
+    }
+
+        @Override
+    protected SecurityDomain doCreateSecurityDomain() throws Exception {
+        PasswordFactory passwordFactory = PasswordFactory.getInstance(ALGORITHM_CLEAR);
+        Map<String, SimpleRealmEntry> passwordMap = new HashMap<>();
+
+        passwordMap.put("ladybird",
+                new SimpleRealmEntry(Collections.singletonList(new PasswordCredential(passwordFactory.generatePassword(new ClearPasswordSpec("Coleoptera".toCharArray()))))));
+
+        SimpleMapBackedSecurityRealm delegate = new SimpleMapBackedSecurityRealm();
+
+        delegate.setPasswordMap(passwordMap);
+
+        SecurityRealm securityRealm = new SecurityRealm() {
+
+            @Override
+            public RealmIdentity getRealmIdentity(Principal principal) throws RealmUnavailableException {
+                realmIdentityInvocationCount.incrementAndGet();
+                return delegate.getRealmIdentity(principal);
+            }
+
+            @Override
+            public SupportLevel getCredentialAcquireSupport(Class<? extends Credential> credentialType, String algorithmName,
+                                                            AlgorithmParameterSpec algorithmParameterSpec) throws RealmUnavailableException {
+                return delegate.getCredentialAcquireSupport(credentialType, algorithmName, algorithmParameterSpec);
+            }
+
+            @Override
+            public SupportLevel getEvidenceVerifySupport(Class<? extends Evidence> evidenceType,
+                                                         String algorithmName) throws RealmUnavailableException {
+                return delegate.getEvidenceVerifySupport(evidenceType, algorithmName);
+            }
+        };
+
+        SecurityDomain.Builder builder = SecurityDomain.builder()
+                .setDefaultRealmName("TestRealm");
+
+        builder.addRealm("TestRealm", securityRealm).build();
+        builder.setPermissionMapper((principal, roles) -> PermissionVerifier.from(new LoginPermission()));
+
+        return builder.build();
+    }
+
+    protected Builder createUndertowServerBuilder(int port) throws Exception {
+        return UndertowServletServer.builder()
+            .setAuthenticationMechanism(getMechanismName())
+            .setSecurityDomain(getSecurityDomain())
+            .setPort(port)
+            .setContextRoot("/" + port)
+            .setDeploymentName(String.valueOf(port))
+            .setHttpServerAuthenticationMechanismFactory(getHttpServerAuthenticationMechanismFactory(Collections.emptyMap()));
+    }
+
+    protected UndertowServer createUndertowServer(int port) throws Exception {
+        return createUndertowServerBuilder(port).build();
+    }
+
+    protected abstract URI createUriAppA(final String alternativePath) throws URISyntaxException;
+    protected abstract String getContextRootAppA();
+    protected abstract URI createUriAppB(final String alternativePath) throws URISyntaxException;
+    protected abstract String getContextRootAppB();
+
+    @Test
+    public void testSingleSignOnAcrossTwoAppsWithLogout() throws Exception {
+        BasicCookieStore cookieStore = new BasicCookieStore();
+        HttpClient httpClient = HttpClientBuilder.create()
+                .setDefaultCookieStore(cookieStore)
+                .setRedirectStrategy(new LaxRedirectStrategy())
+                .build();
+
+        assertLoginPage(httpClient.execute(new HttpGet(createUriAppA(null))));
+
+        assertFalse(cookieStore.getCookies().stream().filter(cookie -> cookie.getName().equals("JSESSIONSSOID")).findAny().isPresent());
+
+        // log into APP_A
+        HttpResponse execute = loginToApp(httpClient, this::createUriAppA, "ladybird", "Coleoptera");
+        assertTrue(cookieStore.getCookies().stream().filter(cookie -> cookie.getName().equals("JSESSIONSSOID")).findAny().isPresent());
+        assertSuccessfulResponse(execute, "ladybird");
+        String appOneSessionId = getSessionIdForApp(cookieStore, this::getContextRootAppA);
+
+        // can now access APP_B without logging in again
+        assertSuccessfulResponse(httpClient.execute(new HttpGet(createUriAppB(null))), "ladybird");
+        String appTwoSessionId = getSessionIdForApp(cookieStore, this::getContextRootAppB);
+
+        // log out of APP_A
+        httpClient.execute(new HttpGet(createUriAppA("/logout")));
+
+        // log into APP_A again
+        execute = loginToApp(httpClient, this::createUriAppA, "ladybird", "Coleoptera");
+        assertTrue(cookieStore.getCookies().stream().filter(cookie -> cookie.getName().equals("JSESSIONSSOID")).findAny().isPresent());
+        assertSuccessfulResponse(execute, "ladybird");
+        String appOneNewSessionId = getSessionIdForApp(cookieStore, this::getContextRootAppA);
+
+        // the session ID for APP_A should now be different from the initial session ID
+        assertTrue(appOneSessionId != null && appOneNewSessionId != null && ! appOneSessionId.equals(appOneNewSessionId));
+
+        // access APP_B without logging in again
+        assertSuccessfulResponse(httpClient.execute(new HttpGet(createUriAppB(null))), "ladybird");
+        String appTwoNewSessionId = getSessionIdForApp(cookieStore, this::getContextRootAppB);
+
+        // the session ID for APP_B should now be different from the initial session ID
+        assertTrue(appTwoSessionId != null && appTwoNewSessionId != null && ! appTwoSessionId.equals(appTwoNewSessionId));
+    }
+
+    private static HttpResponse loginToApp(HttpClient httpClient, ExceptionFunction<String, URI, Exception> uri, String username, String password) throws Exception {
+        assertLoginPage(httpClient.execute(new HttpGet(uri.apply(null))));
+        HttpPost httpAuthenticate = new HttpPost(uri.apply("/j_security_check"));
+        List<NameValuePair> parameters = new ArrayList<>(2);
+        parameters.add(new BasicNameValuePair("j_username", "ladybird"));
+        parameters.add(new BasicNameValuePair("j_password", "Coleoptera"));
+        httpAuthenticate.setEntity(new UrlEncodedFormEntity(parameters));
+        return httpClient.execute(httpAuthenticate);
+    }
+
+    private static String getSessionIdForApp(BasicCookieStore cookieStore, Supplier<String> contextRoot) {
+        return cookieStore.getCookies().stream().filter(cookie -> cookie.getName().equals("JSESSIONID")
+                && cookie.getPath().equals(contextRoot.get())).findAny().get().getValue();
+    }
+
+    class KeyPairSupplier implements Supplier<KeyPair> {
+
+        private final KeyPair keyPair;
+
+        KeyPairSupplier() {
+            try {
+                this.keyPair = KeyPairGenerator.getInstance("RSA").generateKeyPair();
+            } catch (NoSuchAlgorithmException e) {
+                throw new IllegalStateException();
+            }
+        }
+
+        @Override
+        public KeyPair get() {
+            return this.keyPair;
+        }
+    }
+
+}
@@ -0,0 +1,99 @@
+/*
+ * Copyright 2024 Red Hat, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.wildfly.elytron.web.undertow.server.servlet;
+
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.ConcurrentMap;
+
+import org.infinispan.commons.configuration.ClassAllowList;
+import org.junit.Rule;
+import org.wildfly.elytron.web.undertow.common.UndertowServer;
+import org.wildfly.elytron.web.undertow.server.servlet.util.UndertowServletServer.Builder;
+import org.wildfly.security.http.HttpServerAuthenticationMechanismFactory;
+import org.wildfly.security.http.util.sso.DefaultSingleSignOnManager;
+import org.wildfly.security.http.util.sso.DefaultSingleSignOnSessionFactory;
+import org.wildfly.security.http.util.sso.DefaultSingleSignOnSessionIdentifierFactory;
+import org.wildfly.security.http.util.sso.SingleSignOnEntry;
+import org.wildfly.security.http.util.sso.SingleSignOnManager;
+import org.wildfly.security.http.util.sso.SingleSignOnServerMechanismFactory;
+import org.wildfly.security.http.util.sso.SingleSignOnSessionFactory;
+
+/**
+ * Test case to test HTTP FORM authentication where authentication is backed by Elytron and session replication is enabled.
+ *
+ * @author <a href="mailto:[email protected]">Farah Juma</a>
+ */
+public class FormServletAuthenticationStandaloneSSOTest extends FormAuthenticationSSOBase {
+
+    @Rule
+    public final UndertowServer serverA = createUndertowServer(7776);
+
+
+    public FormServletAuthenticationStandaloneSSOTest() throws Exception {
+    }
+
+    @Override
+    protected Builder createUndertowServerBuilder(int port) throws Exception {
+        return super.createUndertowServerBuilder(port)
+            .addAdditionalDeployment("second.war", getContextRootAppB());
+    }
+
+    @Override
+    protected URI createUriAppA(String alternativePath) throws URISyntaxException {
+        return serverA.createUri(alternativePath);
+    }
+
+    @Override
+    protected URI createUriAppB(String alternativePath) throws URISyntaxException {
+        return serverA.createUri(getContextRootAppB(), alternativePath);
+    }
+
+    @Override
+    protected String getContextRootAppA() {
+        return serverA.getContextRoot();
+    }
+
+    @Override
+    protected String getContextRootAppB() {
+        return "/second";
+    }
+
+    @Override
+    protected HttpServerAuthenticationMechanismFactory getHttpServerAuthenticationMechanismFactory(Map<String, ?> properties) {
+        HttpServerAuthenticationMechanismFactory delegate = super.getHttpServerAuthenticationMechanismFactory(properties);
+
+        ClassAllowList allowList = new ClassAllowList();
+        allowList.addRegexps(".*");
+
+        final ConcurrentMap<String, SingleSignOnEntry> cache = new ConcurrentHashMap<>();
+        SingleSignOnManager manager = new DefaultSingleSignOnManager(cache, new DefaultSingleSignOnSessionIdentifierFactory(), (id, entry) -> cache.put(id, entry));
+        SingleSignOnServerMechanismFactory.SingleSignOnConfiguration signOnConfiguration =
+                new SingleSignOnServerMechanismFactory.SingleSignOnConfiguration("JSESSIONSSOID", null,
+                        "/", false, false);
+
+        if (keyPairSupplier == null) {
+            keyPairSupplier = new KeyPairSupplier();
+        }
+        SingleSignOnSessionFactory singleSignOnSessionFactory = new DefaultSingleSignOnSessionFactory(manager, keyPairSupplier.get());
+
+        return new SingleSignOnServerMechanismFactory(delegate, singleSignOnSessionFactory, signOnConfiguration);
+    }
+
+}