Apache Tomcat 7.0.28

org.apache.catalina.authenticator
Class SingleSignOn

java.lang.Object
  extended by org.apache.catalina.util.LifecycleBase
      extended by org.apache.catalina.util.LifecycleMBeanBase
          extended by org.apache.catalina.valves.ValveBase
              extended by org.apache.catalina.authenticator.SingleSignOn
All Implemented Interfaces:
EventListener, MBeanRegistration, Contained, Lifecycle, SessionListener, Valve
Direct Known Subclasses:
ClusterSingleSignOn

public class SingleSignOn
extends ValveBase
implements SessionListener

A Valve that supports a "single sign on" user experience, where the security identity of a user who successfully authenticates to one web application is propagated to other web applications in the same security domain. For successful use, the following requirements must be met:

Version:
$Id: SingleSignOn.java 1188401 2011-10-24 21:50:26Z markt $
Author:
Craig R. McClanahan

Field Summary
protected  Map<String,SingleSignOnEntry> cache
          The cache of SingleSignOnEntry instances for authenticated Principals, keyed by the cookie value that is used to select them.
protected static String info
          Descriptive information about this Valve implementation.
protected  Map<Session,String> reverse
          The cache of single sign on identifiers, keyed by the Session that is associated with them.
protected static StringManager sm
          Deprecated. 
 
Fields inherited from class org.apache.catalina.valves.ValveBase
asyncSupported, container, containerLog, next
 
Fields inherited from class org.apache.catalina.util.LifecycleMBeanBase
mserver
 
Fields inherited from interface org.apache.catalina.Lifecycle
AFTER_DESTROY_EVENT, AFTER_INIT_EVENT, AFTER_START_EVENT, AFTER_STOP_EVENT, BEFORE_DESTROY_EVENT, BEFORE_INIT_EVENT, BEFORE_START_EVENT, BEFORE_STOP_EVENT, CONFIGURE_START_EVENT, CONFIGURE_STOP_EVENT, PERIODIC_EVENT, START_EVENT, STOP_EVENT
 
Constructor Summary
SingleSignOn()
           
 
Method Summary
protected  void associate(String ssoId, Session session)
          Associate the specified single sign on identifier with the specified Session.
protected  void deregister(String ssoId)
          Deregister the specified single sign on identifier, and invalidate any associated sessions.
protected  void deregister(String ssoId, Session session)
          Deregister the specified session.
 String getCookieDomain()
          Returns the optional cookie domain.
 String getInfo()
          Return descriptive information about this Valve implementation.
 boolean getRequireReauthentication()
          Gets whether each request needs to be reauthenticated (by an Authenticator downstream in the pipeline) to the security Realm, or if this Valve can itself bind security info to the request based on the presence of a valid SSO entry without rechecking with the Realm
 void invoke(Request request, Response response)
          Perform single-sign-on support processing for this request.
protected  SingleSignOnEntry lookup(String ssoId)
          Look up and return the cached SingleSignOn entry associated with this sso id value, if there is one; otherwise return null.
protected  boolean reauthenticate(String ssoId, Realm realm, Request request)
          Attempts reauthentication to the given Realm using the credentials associated with the single sign-on session identified by argument ssoId.
protected  void register(String ssoId, Principal principal, String authType, String username, String password)
          Register the specified Principal as being associated with the specified value for the single sign on identifier.
protected  void removeSession(String ssoId, Session session)
          Remove a single Session from a SingleSignOn.
 void sessionEvent(SessionEvent event)
          Acknowledge the occurrence of the specified event.
 void setCookieDomain(String cookieDomain)
          Sets the domain to be used for sso cookies.
 void setRequireReauthentication(boolean required)
          Sets whether each request needs to be reauthenticated (by an Authenticator downstream in the pipeline) to the security Realm, or if this Valve can itself bind security info to the request, based on the presence of a valid SSO entry, without rechecking with the Realm
protected  void update(String ssoId, Principal principal, String authType, String username, String password)
          Updates any SingleSignOnEntry found under key ssoId with the given authentication data.
 
Methods inherited from class org.apache.catalina.valves.ValveBase
backgroundProcess, event, getContainer, getDomainInternal, getNext, getObjectNameKeyProperties, initInternal, isAsyncSupported, setAsyncSupported, setContainer, setNext, startInternal, stopInternal, toString
 
Methods inherited from class org.apache.catalina.util.LifecycleMBeanBase
destroyInternal, getDomain, getObjectName, postDeregister, postRegister, preDeregister, preRegister, register, setDomain, unregister
 
Methods inherited from class org.apache.catalina.util.LifecycleBase
addLifecycleListener, destroy, findLifecycleListeners, fireLifecycleEvent, getState, getStateName, init, removeLifecycleListener, setState, setState, start, stop
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait
 

Field Detail

cache

protected Map<String,SingleSignOnEntry> cache
The cache of SingleSignOnEntry instances for authenticated Principals, keyed by the cookie value that is used to select them.


info

protected static final String info
Descriptive information about this Valve implementation.

See Also:
Constant Field Values

reverse

protected Map<Session,String> reverse
The cache of single sign on identifiers, keyed by the Session that is associated with them.


sm

@Deprecated
protected static final StringManager sm
Deprecated. 
The string manager for this package.

Constructor Detail

SingleSignOn

public SingleSignOn()
Method Detail

getCookieDomain

public String getCookieDomain()
Returns the optional cookie domain. May return null.

Returns:
The cookie domain

setCookieDomain

public void setCookieDomain(String cookieDomain)
Sets the domain to be used for sso cookies.

Parameters:
cookieDomain - cookie domain name

getRequireReauthentication

public boolean getRequireReauthentication()
Gets whether each request needs to be reauthenticated (by an Authenticator downstream in the pipeline) to the security Realm, or if this Valve can itself bind security info to the request based on the presence of a valid SSO entry without rechecking with the Realm
Returns:
true if it is required that a downstream Authenticator reauthenticate each request before calls to HttpServletRequest.setUserPrincipal() and HttpServletRequest.setAuthType() are made; false if the Valve can itself make those calls relying on the presence of a valid SingleSignOn entry associated with the request.
See Also:
setRequireReauthentication(boolean)

setRequireReauthentication

public void setRequireReauthentication(boolean required)
Sets whether each request needs to be reauthenticated (by an Authenticator downstream in the pipeline) to the security Realm, or if this Valve can itself bind security info to the request, based on the presence of a valid SSO entry, without rechecking with the Realm If this property is false (the default), this Valve will bind a UserPrincipal and AuthType to the request if a valid SSO entry is associated with the request. It will not notify the security Realm of the incoming request.

This property should be set to true if the overall server configuration requires that the Realm reauthenticate each request thread. An example of such a configuration would be one where the Realm implementation provides security for both a web tier and an associated EJB tier, and needs to set security credentials on each request thread in order to support EJB access.

If this property is set to true, this Valve will set flags on the request notifying the downstream Authenticator that the request is associated with an SSO session. The Authenticator will then call its reauthenticateFromSSO method to attempt to reauthenticate the request to the Realm, using any credentials that were cached with this Valve.

The default value of this property is false, in order to maintain backward compatibility with previous versions of Tomcat.

Parameters:
required - true if it is required that a downstream Authenticator reauthenticate each request before calls to HttpServletRequest.setUserPrincipal() and HttpServletRequest.setAuthType() are made; false if the Valve can itself make those calls relying on the presence of a valid SingleSignOn entry associated with the request.
See Also:
AuthenticatorBase.reauthenticateFromSSO(java.lang.String, org.apache.catalina.connector.Request)

sessionEvent

public void sessionEvent(SessionEvent event)
Acknowledge the occurrence of the specified event.

Specified by:
sessionEvent in interface SessionListener
Parameters:
event - SessionEvent that has occurred

getInfo

public String getInfo()
Return descriptive information about this Valve implementation.

Specified by:
getInfo in interface Valve
Overrides:
getInfo in class ValveBase

invoke

public void invoke(Request request,
                   Response response)
            throws IOException,
                   ServletException
Perform single-sign-on support processing for this request.

Specified by:
invoke in interface Valve
Specified by:
invoke in class ValveBase
Parameters:
request - The servlet request we are processing
response - The servlet response we are creating
Throws:
IOException - if an input/output error occurs
ServletException - if a servlet error occurs

associate

protected void associate(String ssoId,
                         Session session)
Associate the specified single sign on identifier with the specified Session.

Parameters:
ssoId - Single sign on identifier
session - Session to be associated

deregister

protected void deregister(String ssoId,
                          Session session)
Deregister the specified session. If it is the last session, then also get rid of the single sign on identifier

Parameters:
ssoId - Single sign on identifier
session - Session to be deregistered

deregister

protected void deregister(String ssoId)
Deregister the specified single sign on identifier, and invalidate any associated sessions.

Parameters:
ssoId - Single sign on identifier to deregister

reauthenticate

protected boolean reauthenticate(String ssoId,
                                 Realm realm,
                                 Request request)
Attempts reauthentication to the given Realm using the credentials associated with the single sign-on session identified by argument ssoId.

If reauthentication is successful, the Principal and authorization type associated with the SSO session will be bound to the given Request object via calls to Request.setAuthType() and Request.setUserPrincipal()

Parameters:
ssoId - identifier of SingleSignOn session with which the caller is associated
realm - Realm implementation against which the caller is to be authenticated
request - the request that needs to be authenticated
Returns:
true if reauthentication was successful, false otherwise.

register

protected void register(String ssoId,
                        Principal principal,
                        String authType,
                        String username,
                        String password)
Register the specified Principal as being associated with the specified value for the single sign on identifier.

Parameters:
ssoId - Single sign on identifier to register
principal - Associated user principal that is identified
authType - Authentication type used to authenticate this user principal
username - Username used to authenticate this user
password - Password used to authenticate this user

update

protected void update(String ssoId,
                      Principal principal,
                      String authType,
                      String username,
                      String password)
Updates any SingleSignOnEntry found under key ssoId with the given authentication data.

The purpose of this method is to allow an SSO entry that was established without a username/password combination (i.e. established following DIGEST or CLIENT_CERT authentication) to be updated with a username and password if one becomes available through a subsequent BASIC or FORM authentication. The SSO entry will then be usable for reauthentication.

NOTE: Only updates the SSO entry if a call to SingleSignOnEntry.getCanReauthenticate() returns false; otherwise, it is assumed that the SSO entry already has sufficient information to allow reauthentication and that no update is needed.

Parameters:
ssoId - identifier of Single sign to be updated
principal - the Principal returned by the latest call to Realm.authenticate.
authType - the type of authenticator used (BASIC, CLIENT_CERT, DIGEST or FORM)
username - the username (if any) used for the authentication
password - the password (if any) used for the authentication

lookup

protected SingleSignOnEntry lookup(String ssoId)
Look up and return the cached SingleSignOn entry associated with this sso id value, if there is one; otherwise return null.

Parameters:
ssoId - Single sign on identifier to look up

removeSession

protected void removeSession(String ssoId,
                             Session session)
Remove a single Session from a SingleSignOn. Called when a session is timed out and no longer active.

Parameters:
ssoId - Single sign on identifier from which to remove the session.
session - the session to be removed.

Apache Tomcat 7.0.28

Copyright © 2000-2012 Apache Software Foundation. All Rights Reserved.