javaee-samples · arjantijms · Sep 8, 2017 · Sep 7, 2017 · Sep 7, 2017
diff --git a/pom.xml b/pom.xml
@@ -180,6 +180,13 @@
             <scope>provided</scope>
         </dependency>
 
+        <dependency>
+            <groupId>javax.json</groupId>
+            <artifactId>javax.json-api</artifactId>
+            <version>1.1</version>
+            <scope>provided</scope>
+        </dependency>
+
         <dependency>
             <groupId>javax.annotation</groupId>
             <artifactId>javax.annotation-api</artifactId>

diff --git a/security/jwt/README.md b/security/jwt/README.md
@@ -0,0 +1,33 @@
+# Java EE Security 1.0 JWT Example
+Sample to demonstrate JWT integration with Java EE Security 1.0 (Soteria RI)
+
+### Sample Users
+Username | Password | Roles
+--- | --- | ---
+payara | fish | ADMIN_ROLE, USER_ROLE
+duke | secret | USER_ROLE
+
+### Login EndPoint
+http://localhost:8080/security-jwt-example/api/auth/login?name=duke&password=secret&rememberme=false
+
+### Protected REST EndPoint
+
+EndPoint | HTTP Method | Roles Allowed
+--- | --- | ---
+http://localhost:8080/security-jwt-example/api/sample/read | GET | ANONYMOUS, USER_ROLE, ADMIN_ROLE
+http://localhost:8080/security-jwt-example/api/sample/write | POST | USER_ROLE, ADMIN_ROLE
+http://localhost:8080/security-jwt-example/api/sample/delete | DELETE | ADMIN_ROLE
+
+
+#### rememberme=false
+
+Whenever the user wants to access a protected resource, the user agent send the JWT in the Authorization header using the Bearer schema. The content of the header should look like the following:
+
+`Authorization: Bearer <token>`
+
+This is a stateless authentication mechanism as the user state is never saved in server memory. 
+The server's protected routes will check for a valid JWT in the Authorization header, and if it's present, the user will be allowed to access protected resources.
+
+#### rememberme=true
+Whenever the user wants to access a protected resource, the user agent would automatically include the JWT in the cookie with `JREMEMBERMEID` key. 
+It does not require state to be stored on the server because the JWT encapsulates everything the server needs to serve the request.
diff --git a/security/jwt/pom.xml b/security/jwt/pom.xml
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> 
+    <modelVersion>4.0.0</modelVersion>
+
+    <parent>
+        <groupId>org.javaee8</groupId>
+        <artifactId>security</artifactId>
+        <version>1.0-SNAPSHOT</version>
+    </parent>
+
+    <artifactId>jwt</artifactId>
+    <packaging>war</packaging>
+    <name>Java EE 8 Samples: Security - JWT</name>
+
+    <properties>
+        <version.jsonwebtoken>0.6.0</version.jsonwebtoken>
+    </properties>
+
+    <dependencies>
+        <dependency>
+            <groupId>io.jsonwebtoken</groupId>
+            <artifactId>jjwt</artifactId>
+            <version>${version.jsonwebtoken}</version>
+        </dependency>
+    </dependencies>
+
+</project>
diff --git a/security/jwt/src/main/java/org/javaee8/security/jwt/AuthenticationIdentityStore.java b/security/jwt/src/main/java/org/javaee8/security/jwt/AuthenticationIdentityStore.java
@@ -0,0 +1,89 @@
+/*
+ * Copyright (c) 2017 Payara Foundation and/or its affiliates. All rights reserved.
+ *
+ * The contents of this file are subject to the terms of either the GNU
+ * General Public License Version 2 only ("GPL") or the Common Development
+ * and Distribution License("CDDL") (collectively, the "License").  You
+ * may not use this file except in compliance with the License.  You can
+ * obtain a copy of the License at
+ * https://github.com/payara/Payara/blob/master/LICENSE.txt
+ * See the License for the specific
+ * language governing permissions and limitations under the License.
+ *
+ * When distributing the software, include this License Header Notice in each
+ * file and include the License file at glassfish/legal/LICENSE.txt.
+ *
+ * GPL Classpath Exception:
+ * The Payara Foundation designates this particular file as subject to the "Classpath"
+ * exception as provided by the Payara Foundation in the GPL Version 2 section of the License
+ * file that accompanied this code.
+ *
+ * Modifications:
+ * If applicable, add the following below the License Header, with the fields
+ * enclosed by brackets [] replaced by your own identifying information:
+ * "Portions Copyright [year] [name of copyright owner]"
+ *
+ * Contributor(s):
+ * If you wish your version of this file to be governed by only the CDDL or
+ * only the GPL Version 2, indicate your decision by adding "[Contributor]
+ * elects to include this software in this distribution under the [CDDL or GPL
+ * Version 2] license."  If you don't indicate a single choice of license, a
+ * recipient has the option to distribute your version of this file under
+ * either the CDDL, the GPL Version 2 or to extend the choice of license to
+ * its licensees as provided above.  However, if you add GPL Version 2 code
+ * and therefore, elected the GPL Version 2 license, then the option applies
+ * only if the new code is made subject to such option by the copyright
+ * holder.
+ */
+package org.javaee8.security.jwt;
+
+import static java.util.Collections.singleton;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Set;
+import javax.annotation.PostConstruct;
+import javax.enterprise.context.RequestScoped;
+import javax.security.enterprise.credential.Credential;
+import javax.security.enterprise.credential.UsernamePasswordCredential;
+import javax.security.enterprise.identitystore.CredentialValidationResult;
+import static javax.security.enterprise.identitystore.CredentialValidationResult.INVALID_RESULT;
+import static javax.security.enterprise.identitystore.CredentialValidationResult.NOT_VALIDATED_RESULT;
+import javax.security.enterprise.identitystore.IdentityStore;
+import javax.security.enterprise.identitystore.IdentityStore.ValidationType;
+import static javax.security.enterprise.identitystore.IdentityStore.ValidationType.VALIDATE;
+
+@RequestScoped
+public class AuthenticationIdentityStore implements IdentityStore {
+
+    private Map<String, String> callerToPassword;
+
+    @PostConstruct
+    public void init() {
+        callerToPassword = new HashMap<>();
+        callerToPassword.put("payara", "fish");
+        callerToPassword.put("duke", "secret");
+    }
+
+    @Override
+    public CredentialValidationResult validate(Credential credential) {
+        CredentialValidationResult result;
+
+        if (credential instanceof UsernamePasswordCredential) {
+            UsernamePasswordCredential usernamePassword = (UsernamePasswordCredential) credential;
+            String expectedPW = callerToPassword.get(usernamePassword.getCaller());
+            if (expectedPW != null && expectedPW.equals(usernamePassword.getPasswordAsString())) {
+                result = new CredentialValidationResult(usernamePassword.getCaller());
+            } else {
+                result = INVALID_RESULT;
+            }
+        } else {
+            result = NOT_VALIDATED_RESULT;
+        }
+        return result;
+    }
+
+    @Override
+    public Set<ValidationType> validationTypes() {
+        return singleton(VALIDATE);
+    }
+}
diff --git a/security/jwt/src/main/java/org/javaee8/security/jwt/AuthorizationIdentityStore.java b/security/jwt/src/main/java/org/javaee8/security/jwt/AuthorizationIdentityStore.java
@@ -0,0 +1,82 @@
+/*
+ * Copyright (c) 2017 Payara Foundation and/or its affiliates. All rights reserved.
+ *
+ * The contents of this file are subject to the terms of either the GNU
+ * General Public License Version 2 only ("GPL") or the Common Development
+ * and Distribution License("CDDL") (collectively, the "License").  You
+ * may not use this file except in compliance with the License.  You can
+ * obtain a copy of the License at
+ * https://github.com/payara/Payara/blob/master/LICENSE.txt
+ * See the License for the specific
+ * language governing permissions and limitations under the License.
+ *
+ * When distributing the software, include this License Header Notice in each
+ * file and include the License file at glassfish/legal/LICENSE.txt.
+ *
+ * GPL Classpath Exception:
+ * The Payara Foundation designates this particular file as subject to the "Classpath"
+ * exception as provided by the Payara Foundation in the GPL Version 2 section of the License
+ * file that accompanied this code.
+ *
+ * Modifications:
+ * If applicable, add the following below the License Header, with the fields
+ * enclosed by brackets [] replaced by your own identifying information:
+ * "Portions Copyright [year] [name of copyright owner]"
+ *
+ * Contributor(s):
+ * If you wish your version of this file to be governed by only the CDDL or
+ * only the GPL Version 2, indicate your decision by adding "[Contributor]
+ * elects to include this software in this distribution under the [CDDL or GPL
+ * Version 2] license."  If you don't indicate a single choice of license, a
+ * recipient has the option to distribute your version of this file under
+ * either the CDDL, the GPL Version 2 or to extend the choice of license to
+ * its licensees as provided above.  However, if you add GPL Version 2 code
+ * and therefore, elected the GPL Version 2 license, then the option applies
+ * only if the new code is made subject to such option by the copyright
+ * holder.
+ */
+package org.javaee8.security.jwt;
+
+import static org.javaee8.security.jwt.Constants.ADMIN;
+import static org.javaee8.security.jwt.Constants.USER;
+import static java.util.Arrays.asList;
+import static java.util.Collections.emptySet;
+import static java.util.Collections.singleton;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Set;
+import javax.annotation.PostConstruct;
+import javax.enterprise.context.RequestScoped;
+import javax.security.enterprise.identitystore.CredentialValidationResult;
+import javax.security.enterprise.identitystore.IdentityStore;
+import javax.security.enterprise.identitystore.IdentityStore.ValidationType;
+import static javax.security.enterprise.identitystore.IdentityStore.ValidationType.PROVIDE_GROUPS;
+
+@RequestScoped
+public class AuthorizationIdentityStore implements IdentityStore {
+
+    private Map<String, Set<String>> groupsPerCaller;
+
+    @PostConstruct
+    public void init() {
+        groupsPerCaller = new HashMap<>();
+        groupsPerCaller.put("payara", new HashSet<>(asList(USER, ADMIN)));
+        groupsPerCaller.put("duke", singleton(USER));
+    }
+
+    @Override
+    public Set<String> getCallerGroups(CredentialValidationResult validationResult) {
+        Set<String> result = groupsPerCaller.get(validationResult.getCallerPrincipal().getName());
+        if (result == null) {
+            result = emptySet();
+        }
+        return result;
+    }
+
+    @Override
+    public Set<ValidationType> validationTypes() {
+        return singleton(PROVIDE_GROUPS);
+    }
+
+}
diff --git a/security/jwt/src/main/java/org/javaee8/security/jwt/Constants.java b/security/jwt/src/main/java/org/javaee8/security/jwt/Constants.java
@@ -0,0 +1,53 @@
+/*
+ * Copyright (c) 2017 Payara Foundation and/or its affiliates. All rights reserved.
+ *
+ * The contents of this file are subject to the terms of either the GNU
+ * General Public License Version 2 only ("GPL") or the Common Development
+ * and Distribution License("CDDL") (collectively, the "License").  You
+ * may not use this file except in compliance with the License.  You can
+ * obtain a copy of the License at
+ * https://github.com/payara/Payara/blob/master/LICENSE.txt
+ * See the License for the specific
+ * language governing permissions and limitations under the License.
+ *
+ * When distributing the software, include this License Header Notice in each
+ * file and include the License file at glassfish/legal/LICENSE.txt.
+ *
+ * GPL Classpath Exception:
+ * The Payara Foundation designates this particular file as subject to the "Classpath"
+ * exception as provided by the Payara Foundation in the GPL Version 2 section of the License
+ * file that accompanied this code.
+ *
+ * Modifications:
+ * If applicable, add the following below the License Header, with the fields
+ * enclosed by brackets [] replaced by your own identifying information:
+ * "Portions Copyright [year] [name of copyright owner]"
+ *
+ * Contributor(s):
+ * If you wish your version of this file to be governed by only the CDDL or
+ * only the GPL Version 2, indicate your decision by adding "[Contributor]
+ * elects to include this software in this distribution under the [CDDL or GPL
+ * Version 2] license."  If you don't indicate a single choice of license, a
+ * recipient has the option to distribute your version of this file under
+ * either the CDDL, the GPL Version 2 or to extend the choice of license to
+ * its licensees as provided above.  However, if you add GPL Version 2 code
+ * and therefore, elected the GPL Version 2 license, then the option applies
+ * only if the new code is made subject to such option by the copyright
+ * holder.
+ */
+package org.javaee8.security.jwt;
+
+public final class Constants {
+
+    public static final String AUTHORIZATION_HEADER = "Authorization";
+
+    public static final String BEARER = "Bearer ";
+
+    public static final String ADMIN = "ROLE_ADMIN";
+
+    public static final String USER = "ROLE_USER";
+
+    public static final int REMEMBERME_VALIDITY_SECONDS = 24 * 60 * 60; //24 hours
+
+    // Load the TokenProvider configuration[secretKey,tokenValidity] and REMEMBERME_VALIDITY_SECONDS from config
+}