Initial implementation changes for Jakarta Authorization 3.0 #29402
Bundle-Name: WAS Security JACC 1.5 Service | ||
Bundle-SymbolicName: com.ibm.ws.security.authorization.jacc | ||
Bundle-Name: WAS Security JACC Service | ||
Bundle-SymbolicName: com.ibm.ws.security.authorization.jacc.common |
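Review bot: the two Bundle-SymbolicName lines differ (com.ibm.ws.security.authorization.jacc and com.ibm.ws.security.authorization.jacc.common), so every place that resolves this bundle by symbolic name, such as feature manifests and -buildpath or -testpath entries, needs to carry the new name in the same change or it will stop resolving. The Bundle-Name also loses its "1.5", so a short comment in the bnd file saying which specification levels the bundle now serves would help the next reader.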
Noting that the BSN will no longer match the project name.
That is correct. The package name still starts the bundle name, so it can still be found, whereas the transformed.bnd, 1.5.bnd and 2.0.bnd bundle names do not start with the project name, which is why they are included in the cnf/build.bnd and in the testpath for the ejb and web bundle to point to the project that those bundles are from.
/** | ||
* @version 20.0 | ||
*/ | ||
@org.osgi.annotation.versioning.Version("20.0") |
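Review bot: the package version is stated twice, once in the Javadoc @version tag and once in @Version("20.0"), and nothing in the file says why the value is 20.0. A one-line comment explaining the numbering would answer the question a reader is likely to ask, and keeping the value only in the annotation would stop the two copies from drifting apart.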
I'm blanking - is there a specific reason for the version being 20.0?
The original version was 1.0 and then we made it 10.0 for Jakarta EE 9+. This allows for APIs to have additional version updates between 1.0 and 10.0. Similarly for EE 9+, you could still have new versions of the API package of 11.0, 12.0, etc. until you reach 20. It isn't perfect, but it allows for these types of changes without running into conflict issues with the API package versions.
#11497 (comment) in that issue gives some details about what we decided in that design issue.
The other option is to start with a completely new API for Authorization 3.0. If we did such a thing, I would create one with io.openliberty package prefix.
- Abstract java.security.Policy references by adding and using a PolicyProxy interface
- Abstract com.ibm.wsspi.security.authorization.jacc.ProviderService by adding and using a ProviderServiceProxy interface
- Add new bundles for ProviderService and PolicyProxy and ProviderServiceProxy implementations
- Update feature files to reference new bundles

- Add new extension API bundle for updated ProviderService interface to return Authorization Policy instead of java.security.Policy
- Add bundle with PolicyProxy and ProviderServiceProxy implementations for 3.0
- Update feature file to reference new extension API and implementation bundle
- Update transformation rules for new version of extension API

- Update 2.1 test jacc provider feature file to not tolerate 3.0
- Add new 3.0 test jacc provider

- Add EE 11 repeats and update FAT logic to use the new 3.0 test provider
Jakarta Authorization 3.0 is updated to no longer use java.security.Policy. They have now introduced a jakarta.security.jacc.Policy object, since java.security.Policy has been deprecated with the deprecation of the Java SecurityManager. From an IBM API perspective, ProviderService will no longer return a java.security.Policy and is updated with a new version of the API for Jakarta Authorization 3.0.
The changes in this PR handle this change by adding interfaces to proxy the Policy and ProviderService objects, since they are different between JACC / Authorization 1.0, 2.0 and 2.1 and Authorization 3.0. Additionally, a new project is created for the API because we cannot easily transform for the ProviderService API changes. The changes were done this way to allow most code to remain common.
Add abstraction to 1.5, 2.0 and 2.1 JACC implementation
Add Jakarta Authorization 3.0 implementation
Update test and sample jacc providers
Update Jakarta Authorization FATs to have EE 11 repeats
For #25420
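The proxy idea in the description above, as an added sketch that is not code from this PR or from Open Liberty: one interface lets common authorization code ask the same question of a java.security.Policy (which decides on a ProtectionDomain) and of a Subject-based policy. The `PolicyProxy` method shape, the `SubjectPolicy` stand-in, the `Role` principal and the sample permission are all assumptions made for illustration; it needs Java 16 or later for the record.

```java
import java.security.*;
import java.security.cert.Certificate;
import java.util.Arrays;
import javax.security.auth.Subject;

public class PolicyProxyExample {
    // Hypothetical shape: the PR's real PolicyProxy methods are not shown on this page.
    interface PolicyProxy { boolean implies(Subject subject, Permission permission); }

    // Stand-in for a Subject-based policy such as jakarta.security.jacc.Policy (assumption).
    interface SubjectPolicy { boolean implies(Permission permission, Subject subject); }
    // Constructed principal type used only by this example.
    record Role(String name) implements Principal {
        public String getName() { return name; }
    }

    // Pre-3.0 path: java.security.Policy decides on a ProtectionDomain, so the
    // caller's principals are wrapped in one that carries no code source.
    static PolicyProxy forLegacy(Policy policy) {
        return (subject, permission) -> {
            Principal[] principals = subject == null ? new Principal[0]
                    : subject.getPrincipals().toArray(new Principal[0]);
            CodeSource noCode = new CodeSource(null, (Certificate[]) null);
            return policy.implies(new ProtectionDomain(noCode, null, null, principals), permission);
        };
    }

    // 3.0 path: the policy takes the Subject directly, no java.security.Policy involved.
    static PolicyProxy forSubjectPolicy(SubjectPolicy policy) {
        return (subject, permission) -> policy.implies(permission, subject);
    }

    public static void main(String[] args) {
        Permission page = new RuntimePermission("constructed.admin.page"); // sample permission
        Role adminRole = new Role("admin");
        Policy legacy = new Policy() { // constructed policy: only "admin" gets the permission
            @Override public boolean implies(ProtectionDomain pd, Permission p) {
                return p.equals(page) && Arrays.asList(pd.getPrincipals()).contains(adminRole);
            }
        };
        SubjectPolicy modern = (p, s) ->
                p.equals(page) && s != null && s.getPrincipals().contains(adminRole);
        Subject admin = new Subject(); admin.getPrincipals().add(adminRole);
        Subject guest = new Subject(); guest.getPrincipals().add(new Role("guest"));
        for (PolicyProxy proxy : new PolicyProxy[] { forLegacy(legacy), forSubjectPolicy(modern) }) {
            System.out.println("admin=" + proxy.implies(admin, page) + " guest=" + proxy.implies(guest, page));
        }
    }
}
```

Both proxies deny a null Subject in this sketch, which is the behaviour to check first when porting a provider: an unauthenticated caller must not fall through to an allow on either path.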