Add tests to validate PolicyContextHandlers are set correctly.

dev/com.ibm.ws.ejbcontainer.security.jacc_fat/fat/src/com/ibm/ws/ejbcontainer/security/jacc_fat/EJBAnnTestBase.java

@@ -24,8 +24,10 @@
 import java.io.InputStream;
 import java.io.OutputStream;
 import java.util.HashMap;
+import java.util.HashSet;
 import java.util.Map;
 import java.util.Properties;
+import java.util.Set;
 
 import org.junit.After;
 import org.junit.AfterClass;
@@ -177,6 +179,7 @@ protected void verifyResponseWithoutDeprecated(String response, String getCaller
         mustContain(response, getCallerPrincipal);
         mustContain(response, isCallerInRoleManager);
         mustContain(response, isCallerInRoleEmployee);
+        verifyPolicyContextHandlers(response);
     }
 
     protected void verifyResponse(String response, String getCallerPrincipal, String getCallerIdentity, String isCallerInRoleManager, String isCallerInRoleEmployee) {
@@ -192,13 +195,93 @@ protected void verifyResponse(String response, String getCallerPrincipal, String
             mustContain(response, getCallerIdentity);
             mustContain(response, isCallerInRoleManager);
             mustContain(response, isCallerInRoleEmployee);
+            verifyPolicyContextHandlers(response);
+        }
+    }
+
+    private static final Map<String, Set<String>> expectedHandlers = new HashMap<>();
+    private static final Map<String, Set<String>> notExpectedHandlers = new HashMap<>();
+    private static final String EE7_8 = "EE7_8";
+    private static final String EE9_10 = "EE9_10";
+    private static final String EE11 = "EE11";
+    static {
+        Set<String> ee7_8expectedHandlers = new HashSet<>();
+        Set<String> ee7_8notExpectedHandlers = new HashSet<>();
+        Set<String> ee9_10expectedHandlers = new HashSet<>();
+        Set<String> ee9_10notExpectedHandlers = new HashSet<>();
+        Set<String> ee11expectedHandlers = new HashSet<>();
+        Set<String> ee11notExpectedHandlers = new HashSet<>();
+
+        String commonPolicyContextHandler = "javax.security.auth.Subject.container";
+        String principalMapperContextHandler = "jakarta.security.jacc.PrincipalMapper";
+        String[] soapMessagePolicyContextHandlers = new String[] { "javax.xml.soap.SOAPMessage", "jakarta.xml.soap.SOAPMessage" };
+        String[] httpServletRequestPolicyContextHandlers = new String[] { "javax.servlet.http.HttpServletRequest", "jakarta.servlet.http.HttpServletRequest" };
+        String[] ejbPolicyContextHandlers = new String[] { "javax.ejb.EnterpriseBean", "jakarta.ejb.EnterpriseBean" };
+        String[] ejbArgumentsPolicyContextHandlers = new String[] { "javax.ejb.arguments", "jakarta.ejb.arguments" };
+        int JAVAX_INDEX = 0;
+        int JAKARTA_INDEX = 1;
+
+        // javax.security.auth.Subject.container is expected in all of versions
+        ee7_8expectedHandlers.add(commonPolicyContextHandler);
+        ee9_10expectedHandlers.add(commonPolicyContextHandler);
+        ee11expectedHandlers.add(commonPolicyContextHandler);
+
+        // jakarta.security.jacc.PrincipalMapper is only expected with EE 11
+        ee7_8notExpectedHandlers.add(principalMapperContextHandler);
+        ee9_10notExpectedHandlers.add(principalMapperContextHandler);
+        ee11expectedHandlers.add(principalMapperContextHandler);
+
+        // For ejb.arguments handlers, the jakarta is expected for all versions, but the javax is expected for everything except EE 11
+        ee7_8expectedHandlers.add(ejbArgumentsPolicyContextHandlers[JAVAX_INDEX]);
+        ee9_10expectedHandlers.add(ejbArgumentsPolicyContextHandlers[JAVAX_INDEX]);
+        ee11notExpectedHandlers.add(ejbArgumentsPolicyContextHandlers[JAVAX_INDEX]);
+
+        ee7_8expectedHandlers.add(ejbArgumentsPolicyContextHandlers[JAKARTA_INDEX]);
+        ee9_10expectedHandlers.add(ejbArgumentsPolicyContextHandlers[JAKARTA_INDEX]);
+        ee11expectedHandlers.add(ejbArgumentsPolicyContextHandlers[JAKARTA_INDEX]);
+
+        // For all other handlers, the jakarta is expected for all versions and the javax one is only expected for EE 7_8
+        String[][] remainingContextHandlers = { soapMessagePolicyContextHandlers, httpServletRequestPolicyContextHandlers, ejbPolicyContextHandlers };
+        for (String[] handlers : remainingContextHandlers) {
+            ee7_8expectedHandlers.add(handlers[JAVAX_INDEX]);
+            ee9_10notExpectedHandlers.add(handlers[JAVAX_INDEX]);
+            ee11notExpectedHandlers.add(handlers[JAVAX_INDEX]);
+
+            ee7_8expectedHandlers.add(handlers[JAKARTA_INDEX]);
+            ee9_10expectedHandlers.add(handlers[JAKARTA_INDEX]);
+            ee11expectedHandlers.add(handlers[JAKARTA_INDEX]);
+        }
+
+        expectedHandlers.put(EE7_8, ee7_8expectedHandlers);
+        expectedHandlers.put(EE9_10, ee9_10expectedHandlers);
+        expectedHandlers.put(EE11, ee11expectedHandlers);
+
+        notExpectedHandlers.put(EE7_8, ee7_8notExpectedHandlers);
+        notExpectedHandlers.put(EE9_10, ee9_10notExpectedHandlers);
+        notExpectedHandlers.put(EE11, ee11notExpectedHandlers);
+    }
+
+    private void verifyPolicyContextHandlers(String response) {
+        String key = JakartaEEAction.isEE11OrLaterActive() ? EE11 : JakartaEEAction.isEE9OrLaterActive() ? EE9_10 : EE7_8;
+        Set<String> expected = expectedHandlers.get(key);
+        Set<String> notExpected = notExpectedHandlers.get(key);
+
+        for (String exp : expected) {
+            mustContain(response, "handlerKey(" + exp + ")=true");
+        }
+        for (String notExp : notExpected) {
+            mustNotContain(response, "handlerKey(" + notExp + ")=true");
         }
     }
 
     private void mustContain(String response, String target) {
         assertTrue(target + " not found in response", response.contains(target));
     }
 
+    private void mustNotContain(String response, String target) {
+        assertTrue(target + " found in response", !response.contains(target));
+    }
+
     protected void verifyResponse(String response, String getCallerPrincipal, String getCallerIdentity, String isCallerInRoleManager, String isCallerInRoleEmployee,
                                   String isDeclaredRole) {
         verifyResponse(response, getCallerPrincipal, getCallerIdentity, isCallerInRoleManager, isCallerInRoleEmployee);
@@ -223,4 +306,4 @@ protected void verifyExceptionWithUserAndRole(String response, String exMsg, Str
         assertTrue("Failed to find user name " + user + " in authorization failed message", response.contains(user));
         assertTrue("Failed to find method " + method + " in authorization failed message for user not granted access ", response.contains(method));
     }
-}
+}

dev/com.ibm.ws.ejbcontainer.security_test.servlets/bnd.bnd

@@ -1,5 +1,5 @@
 #*******************************************************************************
-# Copyright (c) 2020, 2022 IBM Corporation and others.
+# Copyright (c) 2020, 2024 IBM Corporation and others.
 # All rights reserved. This program and the accompanying materials
 # are made available under the terms of the Eclipse Public License 2.0
 # which accompanies this distribution, and is available at
@@ -24,6 +24,7 @@ test.project: true
 	com.ibm.websphere.javaee.ejb.3.1;version=latest,\
 	com.ibm.websphere.javaee.annotation.1.1;version=latest,\
 	com.ibm.websphere.javaee.servlet.3.1;version=latest,\
+	com.ibm.websphere.javaee.jacc.1.5;version=latest,\
 	com.ibm.websphere.security;version=latest,\
 	com.ibm.ws.security.jaas.common;version=latest
 

dev/com.ibm.ws.ejbcontainer.security_test.servlets/src/com/ibm/ws/ejbcontainer/security/test/SecurityEJBBeanBase.java

@@ -1,10 +1,10 @@
 /*******************************************************************************
- * Copyright (c) 2012, 2020 IBM Corporation and others.
+ * Copyright (c) 2012, 2024 IBM Corporation and others.
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License 2.0
  * which accompanies this distribution, and is available at
  * http://www.eclipse.org/legal/epl-2.0/
- * 
+ *
  * SPDX-License-Identifier: EPL-2.0
  *
  * Contributors:
@@ -14,9 +14,11 @@
 package com.ibm.ws.ejbcontainer.security.test;
 
 import java.security.Principal;
+import java.util.Set;
 import java.util.logging.Logger;
 
 import javax.ejb.SessionContext;
+import javax.security.jacc.PolicyContext;
 
 /**
  *
@@ -65,6 +67,12 @@ protected String authenticate(String method, SessionContext context, Logger logg
             result.append("   isCallerInRole(**)=");
             result.append(context.isCallerInRole("**"));
             result.append("\n");
+            Set<String> handlerKeys = PolicyContext.getHandlerKeys();
+            for (String key : handlerKeys) {
+                result.append("handlerKey(");
+                result.append(key);
+                result.append(")=true\n");
+            }
             logger.info("result: " + result);
             return result.toString();
         }

dev/com.ibm.ws.ejbcontainer.security_test.servlets/src/com/ibm/ws/ejbcontainer/security/test/SecurityEJBX02Bean.java

@@ -1,10 +1,10 @@
 /*******************************************************************************
- * Copyright (c) 2020 IBM Corporation and others.
+ * Copyright (c) 2020, 2024 IBM Corporation and others.
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License 2.0
  * which accompanies this distribution, and is available at
  * http://www.eclipse.org/legal/epl-2.0/
- * 
+ *
  * SPDX-License-Identifier: EPL-2.0
  *
  * Contributors:
@@ -14,6 +14,7 @@
 package com.ibm.ws.ejbcontainer.security.test;
 
 import java.security.Principal;
+import java.util.Set;
 import java.util.logging.Logger;
 
 import javax.annotation.Resource;
@@ -23,6 +24,7 @@
 import javax.ejb.SessionContext;
 import javax.ejb.Stateful;
 import javax.ejb.StatefulTimeout;
+import javax.security.jacc.PolicyContext;
 
 /**
  * Bean implementation class for Stateful Enterprise Bean to be used in
@@ -193,6 +195,12 @@ protected String authenticate(String method) {
         result.append("   isCallerInRole(Emp)=");
         result.append(isEmp);
         result.append("\n");
+        Set<String> handlerKeys = PolicyContext.getHandlerKeys();
+        for (String key : handlerKeys) {
+            result.append("handlerKey(");
+            result.append(key);
+            result.append(")=true\n");
+        }
         logger.info("result: " + result);
         return result.toString();
     }

dev/com.ibm.ws.webcontainer.security.jacc.1.5_fat/fat/src/com/ibm/ws/webcontainer/security/jacc15/fat/BasicAuthDenyTest.java

@@ -1,10 +1,10 @@
 /*******************************************************************************
- * Copyright (c) 2011, 2020 IBM Corporation and others.
+ * Copyright (c) 2011, 2024 IBM Corporation and others.
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License 2.0
  * which accompanies this distribution, and is available at
  * http://www.eclipse.org/legal/epl-2.0/
- * 
+ *
  * SPDX-License-Identifier: EPL-2.0
  *
  * Contributors:
@@ -90,6 +90,8 @@ public static void setUp() throws Exception {
 
         client = new BasicAuthClient(server);
         mySSLClient = new SSLBasicAuthClient(server);
+        client.setJaccValidation(true);
+        mySSLClient.setJaccValidation(true);
 
         assertNotNull("The application did not report is was started",
                       server.waitForStringInLog("CWWKZ0001I"));

dev/com.ibm.ws.webcontainer.security.jacc.1.5_fat/fat/src/com/ibm/ws/webcontainer/security/jacc15/fat/BasicAuthJSPTest.java

@@ -1,10 +1,10 @@
 /*******************************************************************************
- * Copyright (c) 2011, 2020 IBM Corporation and others.
+ * Copyright (c) 2011, 2024 IBM Corporation and others.
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License 2.0
  * which accompanies this distribution, and is available at
  * http://www.eclipse.org/legal/epl-2.0/
- * 
+ *
  * SPDX-License-Identifier: EPL-2.0
  *
  * Contributors:
@@ -59,6 +59,8 @@ public static void setUp() throws Exception {
 
         myClient = new BasicAuthClient(myServer, BasicAuthClient.DEFAULT_REALM, BasicAuthClient.DEFAULT_JSP_NAME, BasicAuthClient.DEFAULT_JSP_CONTEXT_ROOT);
         mySSLClient = new SSLBasicAuthClient(myServer, BasicAuthClient.DEFAULT_REALM, BasicAuthClient.DEFAULT_JSP_NAME, BasicAuthClient.DEFAULT_JSP_CONTEXT_ROOT);
+        myClient.setJaccValidation(true);
+        mySSLClient.setJaccValidation(true);
 
     }
 

dev/com.ibm.ws.webcontainer.security.jacc.1.5_fat/fat/src/com/ibm/ws/webcontainer/security/jacc15/fat/BasicAuthTest.java

@@ -1,5 +1,5 @@
 /*******************************************************************************
- * Copyright (c) 2011, 2020 IBM Corporation and others.
+ * Copyright (c) 2011, 2024 IBM Corporation and others.
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License 2.0
  * which accompanies this distribution, and is available at
@@ -68,6 +68,8 @@ public static LibertyServer serverSetUp(ServerMode mode) throws Exception {
         JACCFatUtils.transformApps(myServer, "basicauth.war", "basicauthXMI.ear", "basicauthXMInoAuthz.ear", "basicauthXML.ear", "basicauthXMLnoAuthz.ear");
         myClient = new BasicAuthClient(myServer);
         mySSLClient = new SSLBasicAuthClient(myServer);
+        myClient.setJaccValidation(true);
+        mySSLClient.setJaccValidation(true);
         return myServer;
     }
 

dev/com.ibm.ws.webcontainer.security.jacc.1.5_fat/fat/src/com/ibm/ws/webcontainer/security/jacc15/fat/BasicAuthWithCustomRegistryTest.java

@@ -1,10 +1,10 @@
 /*******************************************************************************
- * Copyright (c) 2011, 2020 IBM Corporation and others.
+ * Copyright (c) 2011, 2024 IBM Corporation and others.
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License 2.0
  * which accompanies this distribution, and is available at
  * http://www.eclipse.org/legal/epl-2.0/
- * 
+ *
  * SPDX-License-Identifier: EPL-2.0
  *
  * Contributors:
@@ -60,6 +60,8 @@ public static void setUp() throws Exception {
 
         myClient = new BasicAuthClient(myServer);
         mySSLClient = new SSLBasicAuthClient(myServer);
+        myClient.setJaccValidation(true);
+        mySSLClient.setJaccValidation(true);
     }
 
     public BasicAuthWithCustomRegistryTest() {

dev/com.ibm.ws.webcontainer.security.jacc.1.5_fat/fat/src/com/ibm/ws/webcontainer/security/jacc15/fat/ClientCertTest.java

@@ -1,10 +1,10 @@
 /*******************************************************************************
- * Copyright (c) 2011, 2020 IBM Corporation and others.
+ * Copyright (c) 2011, 2024 IBM Corporation and others.
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License 2.0
  * which accompanies this distribution, and is available at
  * http://www.eclipse.org/legal/epl-2.0/
- * 
+ *
  * SPDX-License-Identifier: EPL-2.0
  *
  * Contributors:
@@ -838,6 +838,7 @@ private static ClientCertAuthClient setupClient(String certFile, boolean secure)
         } else {
             client = new ClientCertAuthClient(myServer.getHostname(), myServer.getHttpDefaultSecurePort(), false, myServer, CLIENT_CERT_SERVLET, "/clientcert", null, null);
         }
+        client.setJaccValidation(true);
         return client;
     }
 

dev/com.ibm.ws.webcontainer.security.jacc.1.5_fat/fat/src/com/ibm/ws/webcontainer/security/jacc15/fat/ConfigurableOptionsTest.java

@@ -1,10 +1,10 @@
 /*******************************************************************************
- * Copyright (c) 2011, 2020 IBM Corporation and others.
+ * Copyright (c) 2011, 2024 IBM Corporation and others.
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License 2.0
  * which accompanies this distribution, and is available at
  * http://www.eclipse.org/legal/epl-2.0/
- * 
+ *
  * SPDX-License-Identifier: EPL-2.0
  *
  * Contributors:
@@ -187,6 +187,8 @@ public static void setUp() throws Exception {
 
         client = new FormLoginClient(server);
         sslClient = new SSLFormLoginClient(server);
+        client.setJaccValidation(true);
+        sslClient.setJaccValidation(true);
 
         String methodName = "setUp";
         try {

dev/com.ibm.ws.webcontainer.security.jacc.1.5_fat/fat/src/com/ibm/ws/webcontainer/security/jacc15/fat/DynamicAnnotationsTest.java

@@ -1,10 +1,10 @@
 /*******************************************************************************
- * Copyright (c) 2011, 2022 IBM Corporation and others.
+ * Copyright (c) 2011, 2024 IBM Corporation and others.
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License 2.0
  * which accompanies this distribution, and is available at
  * http://www.eclipse.org/legal/epl-2.0/
- * 
+ *
  * SPDX-License-Identifier: EPL-2.0
  *
  * Contributors:
@@ -121,6 +121,9 @@ public static void setUp() throws Exception {
         basicAuthClient = new BasicAuthClient(server, BasicAuthClient.DEFAULT_REALM, DYNAMIC_ANNOTATIONS_PURE_SERVLET, DYNAMIC_ANNOTATIONS_PURE_CONTEXT_ROOT);
         secureBasicAuthClient = new SSLBasicAuthClient(server, BasicAuthClient.DEFAULT_REALM, DYNAMIC_ANNOTATIONS_PURE_SERVLET, DYNAMIC_ANNOTATIONS_PURE_CONTEXT_ROOT);
         conflictBasicAuthClient = new BasicAuthClient(server, BasicAuthClient.DEFAULT_REALM, DYNAMIC_ANNOTATIONS_CONFLICT_SERVLET, DYNAMIC_ANNOTATIONS_CONFLICT_CONTEXT_ROOT);
+        basicAuthClient.setJaccValidation(true);
+        secureBasicAuthClient.setJaccValidation(true);
+        conflictBasicAuthClient.setJaccValidation(true);
     }
 
     protected static void verifyServerStartedWithJaccFeature(LibertyServer server) {

dev/com.ibm.ws.webcontainer.security.jacc.1.5_fat/fat/src/com/ibm/ws/webcontainer/security/jacc15/fat/FormLoginJSPTest.java

@@ -1,10 +1,10 @@
 /*******************************************************************************
- * Copyright (c) 2014, 2020 IBM Corporation and others.
+ * Copyright (c) 2014, 2024 IBM Corporation and others.
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License 2.0
  * which accompanies this distribution, and is available at
  * http://www.eclipse.org/legal/epl-2.0/
- * 
+ *
  * SPDX-License-Identifier: EPL-2.0
  *
  * Contributors:
@@ -74,6 +74,8 @@ public static void setUp() throws Exception {
 
         myClient = new FormLoginJSPClient(myServer, FormLoginClient.DEFAULT_JSP_NAME, FormLoginClient.DEFAULT_JSP_CONTEXT_ROOT);
         mySSLClient = new SSLFormLoginClient(myServer, SSLFormLoginClient.DEFAULT_JSP_NAME, SSLFormLoginClient.DEFAULT_JSP_CONTEXT_ROOT);
+        myClient.setJaccValidation(true);
+        mySSLClient.setJaccValidation(true);
     }
 
     public FormLoginJSPTest() {