Jetty 12.0.x core security

[gregw]

This is a core security mechanism, which will ultimately be the base of each of the EEn security handlers.

[gregw]

@janbartel @sbordet @lorban I've taken over @lachlan-roberts's core jetty-security work.

This is still draft, but I would really appreciate some early feedback, specially on names and APIs.

The plan is in this PR to get a cleaned up mechanism working with all the common login & identity services, plus the authenticators and authentications. This will be able to be used stand alone.
Only once we are happy with this mechanism as a stand along module, will I then update the eeN modules to actually use it.

Currently it is tested to BASIC auth and data constraints. Best place to start looking is in SecurityHandlerTest

@janbartel yeah I know there is no javadoc. I will write it once the basic API is agreed apon.

[gregw]

Note I have a parallel branch jetty-12.0.x-core-security-ee9, where I am applying this to ee9, very much more a WIP... but it preserves the git history of the moved files.

[sbordet]

@gregw perhaps we need to discuss my comments, I'm sure I'm missing important details.

[gregw]

@sbordet your comments are mostly clear.

I agree on most of the renamings, however I might delay some until this is merged with eeX implementations, so the refactor will catch them..... or perhaps I won't and we can keep old names in the ee facades over the new names... except for ee10 which will expose the new names. I'll ponder the timing.

Some of your comments are correctly pointing out complications inherited from the original implementation. I'll work to simplify to just what is needed; move to a common ee; or just remove if they really are legacy.

I think I'll change the Constraint to a true Builder pattern as the fluent-like API almost works, but is surprising with regards to naming.

So thanks for the review, it's pointed out more areas that need to be de-legacied and simplified. Lots to do on the plane trip :)

[sbordet]

A few more nits/renaming, almost there.

[sbordet]

Bump.

[sbordet]

Cannot be removed?

[gregw]

It should be able to be, but broke CI big time.
Jenkins is a mystery to me, so simplest to just leave it in:)

[gregw]

@sbordet thanks for all the reviews. I have fixed the last round and gone through and resolved the conversations that I think are fixed. There are still a few left (boms, TODOs, etc.) but I think most of those are problems already in HEAD, so I would like to go for a merge and create new issues to fix the TODOs, boms etc. So have a look at the remaining unresolved conversations and see which ones you'd like fixed before merge.

[sbordet]

@gregw I need one last rename, and then I'm good: Authorization.Configuration.getAuthMethod() -> getAuthenticationName() or similar, as long as it does not contain abbreviated "auth".

Also, there are now CI failures?

[sbordet]

I don't think this is right.
Elsewhere the authenticatorName is OPENID, while here is client_secret_post.
This should really be the client-side mechanism to use, so it should have a different name.
Perhaps authenticationMethod or clientAuthentication[Method|Mode]?

[gregw]

@lachlan-roberts HELP!!! what is "client_secret_post" about? Why can the openid authenticator change it's method name?

@sbordet I agree it looks strange.... but it started strange so maybe I open and issue, assign to Lachlan and we move on?

[sbordet]

Ditto.

[gregw]

@lachlan-roberts ditto

[sbordet]

Ditto.
This file has numerous occurrences of this to fix.

[gregw]

@lachlan-roberts ditto ditto ditto ditto

[sbordet]

Please rename this file to OpenIdRealmNameTest (not the missing l in Ream).

[gregw]

glad you pointed out the missing l. I read it 10 times and thought it was the same :)

[sbordet]

This method is never used.
_map.getAuthenticatorName() is only ever used here.
I think we can totally remove the field (and the logic) from MIMap, and that should also allow to remove the delegation by removing MIMap entirely, which in turn fixes the TODO present in the MIMap class (and hopefully also fixes the use of generics for the Map?).

[gregw]

I've removed the unused method, but for any other jaspi cleanup, I'd prefer to punt that to a new issue/PR. I think there is a lot that needs careful thought about JASPI, so I'd prefer not to delay this PR whilst I page in what the hell JASPI is again and do a clean up.

[sbordet]

@gregw just a reminder:

• Authenticator.getName() -> getAuthenticationType()
• OpenIdConfiguration.getAuthenticatorName() -> getAuthenticationMethod()

Almost there!