
Roles are ignored if not declared #25383

Open
OndroMih opened this issue Feb 22, 2025 · 1 comment

Comments


OndroMih commented Feb 22, 2025

If a user is authenticated via an IdentityStore with a group that doesn't have a matching role declared in the application, either in web.xml or with the @DeclaredRoles annotation, the group/role is ignored. The caller will not have the role assigned.

I didn't find any requirement in any specification that roles would work only if they are explicitly defined. There's no technical requirement to have roles declared. Roles are just strings - if IdentityStore adds a group with some name to CredentialValidationResult, the roles are checked by name, and the caller should simply have the role even without the role being defined upfront. Declaring roles should be an optional step, not required for the application to work correctly.

Reproducer

This can be reproduced with this sample application: https://github.com/OmniFish-EE/jakartaee-examples/tree/ondromih-reproducer-roles-not-declared/focused/security/formAuth

  1. Build and deploy on GlassFish

  2. Access the protected resource, log in with admin/admin. Then it should write "Is user: true"

  3. Remove the definition of the user role in web.xml:

    user
  4. Build and deploy on GlassFish and repeat step 2. Now it would write "Is user: false", because the role "user" is not defined.

OndroMih (Contributor, Author) commented

When debugging, I found out the reason:

The class SimplePolicyConfiguration in Exousia, the doImplies method, only considers roles in roleTable, which is built from defined roles.

A possible fix would be to search the principal list and find an instance of org.glassfish.security.common.Group, and call new WebRoleRefPermission("", groupName).implies(permission), where groupName is the name of the Group principal.

However, Exousia doesn't have access to the Group class, which is in GlassFish. Maybe we need to extend the SimplePolicyConfiguration class in GlassFish.
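The following is an added illustration of the scenario described in this issue, not the reproducer application linked above and not GlassFish or Exousia code: an IdentityStore that maps the admin/admin login to a group named "user", and a servlet that checks that role. The form authentication mechanism and the security constraint protecting `/protected` are assumed to be configured as in the reproducer and are omitted here; the class names are hypothetical.

```java
// Added example (hypothetical names): IdentityStore plus servlet showing the
// group-to-role lookup that this issue says only works for declared roles.
import java.io.IOException;
import java.util.Set;

import jakarta.annotation.security.DeclareRoles;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.security.enterprise.credential.Credential;
import jakarta.security.enterprise.credential.UsernamePasswordCredential;
import jakarta.security.enterprise.identitystore.CredentialValidationResult;
import jakarta.security.enterprise.identitystore.IdentityStore;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

@ApplicationScoped
public class InMemoryIdentityStore implements IdentityStore {

    @Override
    public CredentialValidationResult validate(Credential credential) {
        // Hard-coded admin/admin caller, mirroring the login used in the reproducer steps.
        if (credential instanceof UsernamePasswordCredential upc
                && upc.compareTo("admin", "admin")) {
            // The group is a plain string in the result; nothing here references
            // a declared role, which is exactly the point the issue makes.
            return new CredentialValidationResult("admin", Set.of("user"));
        }
        return CredentialValidationResult.INVALID_RESULT;
    }
}

// With the role declared, the group "user" from the IdentityStore is honoured and
// the servlet prints "Is user: true". Per the issue, dropping @DeclareRoles (and the
// web.xml <security-role>) makes the same request print "Is user: false" on GlassFish.
@DeclareRoles("user")
@WebServlet("/protected")
class RoleCheckServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // isUserInRole() ends up in the Exousia policy's doImplies, which this issue
        // traces to the roleTable built only from declared roles.
        resp.getWriter().println("Is user: " + req.isUserInRole("user"));
    }
}
```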
