security validation (#23)

Signed-off-by: Maxim Nesen <maxim.nesen@oracle.com>

examples/config/changes/conf/secrets/password

@@ -1 +1 @@
-^ery$ecretP&ssword
+changeit

examples/config/sources/conf/secrets/password

@@ -1 +1 @@
-^ery$ecretP&ssword
+changeit

examples/config/sources/src/main/java/io/helidon/config/examples/sources/DirectorySourceExample.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2017, 2023 Oracle and/or its affiliates.
+ * Copyright (c) 2017, 2024 Oracle and/or its affiliates.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -50,7 +50,7 @@ public static void main(String... args) {
 
         String password = secrets.get("password").asString().get();
         System.out.println("Password: " + password);
-        assert password.equals("^ery$ecretP&ssword");
+        assert password.equals("changeit");
     }
 
 }

examples/employee-app/src/main/java/io/helidon/service/employee/EmployeeRepositoryImplDB.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2019, 2023 Oracle and/or its affiliates.
+ * Copyright (c) 2019, 2024 Oracle and/or its affiliates.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -44,7 +44,7 @@ final class EmployeeRepositoryImplDB implements EmployeeRepository {
         String driver = "oracle.jdbc.driver.OracleDriver";
 
         String dbUserName = config.get("app.user").asString().orElse("sys as SYSDBA");
-        String dbUserPassword = config.get("app.password").asString().orElse("password");
+        String dbUserPassword = config.get("app.password").asString().orElse("changeit");
         String dbHostURL = config.get("app.hosturl").asString().orElse("localhost:1521/xe");
 
         try {

examples/grpc/security-outbound/src/main/java/io/helidon/grpc/examples/security/outbound/SecureGreetClient.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2019, 2023 Oracle and/or its affiliates.
+ * Copyright (c) 2019, 2024 Oracle and/or its affiliates.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -57,7 +57,7 @@ public static void main(String[] args) {
         // setting the properties used by the basic auth provider for user name and password
         GrpcClientSecurity clientSecurity = GrpcClientSecurity.builder(security.createContext("test.client"))
                 .property(EndpointConfig.PROPERTY_OUTBOUND_ID, "Bob")
-                .property(EndpointConfig.PROPERTY_OUTBOUND_SECRET, "password")
+                .property(EndpointConfig.PROPERTY_OUTBOUND_SECRET, "changeit")
                 .build();
 
         // create the GreetService client stub and use the GrpcClientSecurity call credentials

examples/grpc/security-outbound/src/main/resources/application.yaml

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2019, 2023 Oracle and/or its affiliates.
+# Copyright (c) 2019, 2024 Oracle and/or its affiliates.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -30,7 +30,7 @@ http-basic-auth:
       password: "secret"
       roles: ["user", "admin"]
     - login: "Bob"
-      password: "password"
+      password: "changeit"
       roles: ["user"]
   outbound:
     - name: propagate_all

examples/grpc/security/src/main/java/io/helidon/grpc/examples/security/SecureGreetClient.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2019, 2023 Oracle and/or its affiliates.
+ * Copyright (c) 2019, 2024 Oracle and/or its affiliates.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -52,7 +52,7 @@ public static void main(String[] args) {
 
         // Obtain the user name and password from the program arguments
         String user = args.length >= 2 ? args[0] : "Ted";
-        String password = args.length >= 2 ? args[1] : "secret";
+        String password = args.length >= 2 ? args[1] : "changeit";
 
         Config config = Config.create();
 

examples/grpc/security/src/main/java/io/helidon/grpc/examples/security/SecureStringClient.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2019, 2023 Oracle and/or its affiliates.
+ * Copyright (c) 2019, 2024 Oracle and/or its affiliates.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -53,7 +53,7 @@ public static void main(String[] args) {
 
         // Obtain the user name and password from the program arguments
         String user = args.length >= 2 ? args[0] : "Ted";
-        String password = args.length >= 2 ? args[1] : "secret";
+        String password = args.length >= 2 ? args[1] : "changeit";
 
         Config config = Config.create();
 

examples/grpc/security/src/main/resources/application.yaml

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2019, 2023 Oracle and/or its affiliates.
+# Copyright (c) 2019, 2024 Oracle and/or its affiliates.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -27,8 +27,8 @@ webserver:
 http-basic-auth:
   users:
     - login: "Ted"
-      password: "secret"
+      password: "changeit"
       roles: ["user", "admin"]
     - login: "Bob"
-      password: "password"
+      password: "changeit"
       roles: ["user"]

examples/microprofile/idcs/src/main/resources/application.yaml

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2018, 2022 Oracle and/or its affiliates.
+# Copyright (c) 2018, 2024 Oracle and/or its affiliates.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -29,7 +29,7 @@ security:
     # This is a nice way to be able to override this with local properties or env-vars
     idcs-uri: "https://tenant-id.identity.oracle.com"
     idcs-client-id: "client-id"
-    idcs-client-secret: "client-secret"
+    idcs-client-secret: "changeit"
     # Used as a base for redirects back to us
     frontend-uri: "http://localhost:7987"
     proxy-host: "if you need proxy"

examples/microprofile/security/src/main/resources/application.yaml

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2018, 2020 Oracle and/or its affiliates.
+# Copyright (c) 2018, 2024 Oracle and/or its affiliates.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -27,13 +27,13 @@ security:
       realm: "helidon"
       users:
       - login: "jack"
-        password: "password"
+        password: "changeit"
         roles: ["user", "admin"]
       - login: "jill"
-        password: "password"
+        password: "changeit"
         roles: ["user"]
       - login: "john"
-        password: "password"
+        password: "changeit"
   web-server:
     paths:
     - path: "/static-cp[/{*}]"

examples/microprofile/tls/README.md

@@ -4,6 +4,16 @@ This examples shows how to configure server TLS using Helidon MP.
 
 Note: This example uses self-signed server certificate!
 
+### How to generate self-signed certificate (optional) 
+In this example the certificate is bundled so no special certificate is required.
+Required tools: keytool
+```bash
+keytool -genkeypair -keyalg RSA -keysize 2048 -alias server -dname "CN=localhost" -validity 21650 -keystore server.jks -storepass changeit -keypass changeit -deststoretype pkcs12
+keytool -exportcert -keystore server.jks -storepass changeit -alias server -rfc -file server.cer
+keytool -certreq -keystore server.jks -alias server -keypass changeit -storepass changeit -keyalg rsa -file server.csr
+keytool -importkeystore -srckeystore server.jks -destkeystore server.p12 -srcstoretype jks -deststoretype pkcs12 -srcstorepass changeit -deststorepass changeit
+```
+
 ## Build and run
 
 ```bash

examples/microprofile/tls/src/main/resources/META-INF/microprofile-config.properties

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2020 Oracle and/or its affiliates.
+# Copyright (c) 2020, 2024 Oracle and/or its affiliates.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -20,9 +20,9 @@ server.host=0.0.0.0
 
 #Truststore setup
 server.tls.trust.keystore.resource.resource-path=server.p12
-server.tls.trust.keystore.passphrase=password
+server.tls.trust.keystore.passphrase=changeit
 server.tls.trust.keystore.trust-store=true
 
 #Keystore with private key and server certificate
 server.tls.private-key.keystore.resource.resource-path=server.p12
-server.tls.private-key.keystore.passphrase=password
+server.tls.private-key.keystore.passphrase=changeit

examples/security/basic-auth-with-static-content/README.md

@@ -23,9 +23,9 @@ Try the application:
 The application starts on a random port, the following assumes it is `56551`
 ```bash
 curl http://localhost:[PORT]/public
-curl -u "jill:password" http://localhost:[PORT]/noRoles
-curl -u "john:password" http://localhost:[PORT]/user
-curl -u "jack:password" http://localhost:[PORT]/admin
-curl -v -u "john:password" http://localhost:[PORT]/deny
-curl -u "jack:password" http://localhost:[PORT]/noAuthn
+curl -u "jill:changeit" http://localhost:[PORT]/noRoles
+curl -u "john:changeit" http://localhost:[PORT]/user
+curl -u "jack:changeit" http://localhost:[PORT]/admin
+curl -v -u "john:changeit" http://localhost:[PORT]/deny
+curl -u "jack:changeit" http://localhost:[PORT]/noAuthn
 ```

examples/security/basic-auth-with-static-content/src/main/java/io/helidon/security/examples/webserver/basic/BasicExampleBuilderMain.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020, 2023 Oracle and/or its affiliates.
+ * Copyright (c) 2020, 2024 Oracle and/or its affiliates.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -42,9 +42,9 @@ public final class BasicExampleBuilderMain {
     private static final Map<String, MyUser> USERS = new HashMap<>();
 
     static {
-        USERS.put("jack", new MyUser("jack", "password".toCharArray(), Set.of("user", "admin")));
-        USERS.put("jill", new MyUser("jill", "password".toCharArray(), Set.of("user")));
-        USERS.put("john", new MyUser("john", "password".toCharArray(), Set.of()));
+        USERS.put("jack", new MyUser("jack", "changeit".toCharArray(), Set.of("user", "admin")));
+        USERS.put("jill", new MyUser("jill", "changeit".toCharArray(), Set.of("user")));
+        USERS.put("john", new MyUser("john", "changeit".toCharArray(), Set.of()));
     }
 
     private BasicExampleBuilderMain() {

examples/security/basic-auth-with-static-content/src/main/java/io/helidon/security/examples/webserver/basic/BasicExampleUtil.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020, 2023 Oracle and/or its affiliates.
+ * Copyright (c) 2020, 2024 Oracle and/or its affiliates.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -35,9 +35,9 @@ static void startAndPrintEndpoints(Supplier<WebServer> startMethod) {
         System.out.printf("Started server on localhost:%d%n", webServer.port());
         System.out.println();
         System.out.println("Users:");
-        System.out.println("Jack/password in roles: user, admin");
-        System.out.println("Jill/password in roles: user");
-        System.out.println("John/password in no roles");
+        System.out.println("jack/changeit in roles: user, admin");
+        System.out.println("jill/changeit in roles: user");
+        System.out.println("john/changeit in no roles");
         System.out.println();
         System.out.println("***********************");
         System.out.println("** Endpoints:        **");

examples/security/basic-auth-with-static-content/src/main/resources/application.yaml

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2020, 2023 Oracle and/or its affiliates.
+# Copyright (c) 2020, 2024 Oracle and/or its affiliates.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -27,13 +27,13 @@ security:
         realm: "helidon"
         users:
           - login: "jack"
-            password: "${CLEAR=password}"
+            password: "${CLEAR=changeit}"
             roles: [ "user", "admin" ]
           - login: "jill"
-            password: "${CLEAR=password}"
+            password: "${CLEAR=changeit}"
             roles: [ "user" ]
           - login: "john"
-            password: "${CLEAR=password}"
+            password: "${CLEAR=changeit}"
             roles: [ ]
   web-server:
     # Configuration of integration with web server

examples/security/basic-auth-with-static-content/src/test/java/io/helidon/security/examples/webserver/basic/BasicExampleTest.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020, 2023 Oracle and/or its affiliates.
+ * Copyright (c) 2020, 2024 Oracle and/or its affiliates.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -87,9 +87,9 @@ public void testNoRoles() {
         testNotAuthorized(url);
 
         //Must be accessible with authentication - to everybody
-        testProtected(url, "jack", "password", Set.of("admin", "user"), Set.of());
-        testProtected(url, "jill", "password", Set.of("user"), Set.of("admin"));
-        testProtected(url, "john", "password", Set.of(), Set.of("admin", "user"));
+        testProtected(url, "jack", "changeit", Set.of("admin", "user"), Set.of());
+        testProtected(url, "jill", "changeit", Set.of("user"), Set.of("admin"));
+        testProtected(url, "john", "changeit", Set.of(), Set.of("admin", "user"));
     }
 
     @Test
@@ -99,9 +99,9 @@ public void testUserRole() {
         testNotAuthorized(url);
 
         //Jack and Jill allowed (user role)
-        testProtected(url, "jack", "password", Set.of("admin", "user"), Set.of());
-        testProtected(url, "jill", "password", Set.of("user"), Set.of("admin"));
-        testProtectedDenied(url, "john", "password");
+        testProtected(url, "jack", "changeit", Set.of("admin", "user"), Set.of());
+        testProtected(url, "jill", "changeit", Set.of("user"), Set.of("admin"));
+        testProtectedDenied(url, "john", "changeit");
     }
 
     @Test
@@ -111,9 +111,9 @@ public void testAdminRole() {
         testNotAuthorized(url);
 
         //Only jack is allowed - admin role...
-        testProtected(url, "jack", "password", Set.of("admin", "user"), Set.of());
-        testProtectedDenied(url, "jill", "password");
-        testProtectedDenied(url, "john", "password");
+        testProtected(url, "jack", "changeit", Set.of("admin", "user"), Set.of());
+        testProtectedDenied(url, "jill", "changeit");
+        testProtectedDenied(url, "john", "changeit");
     }
 
     @Test
@@ -123,9 +123,9 @@ public void testDenyRole() {
         testNotAuthorized(url);
 
         // nobody has the correct role
-        testProtectedDenied(url, "jack", "password");
-        testProtectedDenied(url, "jill", "password");
-        testProtectedDenied(url, "john", "password");
+        testProtectedDenied(url, "jack", "changeit");
+        testProtectedDenied(url, "jill", "changeit");
+        testProtectedDenied(url, "john", "changeit");
     }
 
     @Test

examples/security/jersey/README.md

@@ -21,7 +21,7 @@ Try the endpoints:
 ```bash
 curl http://localhost:8080/rest
 curl -v http://localhost:8080/rest/protected
-curl -u "jack:password" http://localhost:8080/rest/protected
-curl -u "jack:password" http://localhost:8080/rest/protected
-curl -v -u "john:password" http://localhost:8080/rest/protected
+curl -u "jack:changeit" http://localhost:8080/rest/protected
+curl -u "jack:changeit" http://localhost:8080/rest/protected
+curl -v -u "john:changeit" http://localhost:8080/rest/protected
 ```

examples/security/jersey/src/main/java/io/helidon/security/examples/jersey/JerseyBuilderMain.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018, 2023 Oracle and/or its affiliates.
+ * Copyright (c) 2018, 2024 Oracle and/or its affiliates.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -44,9 +44,9 @@ public final class JerseyBuilderMain {
     private static volatile WebServer server;
 
     static {
-        addUser("jack", "password", List.of("user", "admin"));
-        addUser("jill", "password", List.of("user"));
-        addUser("john", "password", List.of());
+        addUser("jack", "changeit", List.of("user", "admin"));
+        addUser("jill", "changeit", List.of("user"));
+        addUser("john", "changeit", List.of());
     }
 
     private JerseyBuilderMain() {

examples/security/jersey/src/main/java/io/helidon/security/examples/jersey/JerseyUtil.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018, 2023 Oracle and/or its affiliates.
+ * Copyright (c) 2018, 2024 Oracle and/or its affiliates.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -55,9 +55,9 @@ static WebServer startIt(Supplier<? extends Routing> routing, int port) {
                 System.out.printf("Started server on localhost:%d%n", webServer.port());
                 System.out.println();
                 System.out.println("Users:");
-                System.out.println("jack/password in roles: user, admin");
-                System.out.println("jill/password in roles: user");
-                System.out.println("john/password in no roles");
+                System.out.println("jack/changeit in roles: user, admin");
+                System.out.println("jill/changeit in roles: user");
+                System.out.println("john/changeit in no roles");
                 System.out.println();
                 System.out.println("***********************");
                 System.out.println("** Endpoints:        **");