|
Apache Tomcat 7.0.28 | ||||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | ||||||||
SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |
java.lang.Object org.apache.catalina.util.LifecycleBase org.apache.catalina.util.LifecycleMBeanBase org.apache.catalina.realm.RealmBase org.apache.catalina.realm.JAASRealm
public class JAASRealm
Implementation of Realm that authenticates users via the Java
Authentication and Authorization Service (JAAS). JAAS support requires
either JDK 1.4 (which includes it as part of the standard platform) or
JDK 1.3 (with the plug-in jaas.jar
file).
The value configured for the appName
property is passed to
the javax.security.auth.login.LoginContext
constructor, to
specify the application name used to select the set of relevant
LoginModules
required.
The JAAS Specification describes the result of a successful login as a
javax.security.auth.Subject
instance, which can contain zero
or more java.security.Principal
objects in the return value
of the Subject.getPrincipals()
method. However, it provides
no guidance on how to distinguish Principals that describe the individual
user (and are thus appropriate to return as the value of
request.getUserPrincipal() in a web application) from the Principal(s)
that describe the authorized roles for this user. To maintain as much
independence as possible from the underlying LoginMethod
implementation executed by JAAS, the following policy is implemented by
this Realm:
LoginModule
is assumed to return a
Subject
with at least one Principal
instance
representing the user himself or herself, and zero or more separate
Principals
representing the security roles authorized
for this user.Principal
representing the user, the Principal
name is an appropriate value to return via the Servlet API method
HttpServletRequest.getRemoteUser()
.Principals
representing the security roles, the
name is the name of the authorized security role.java.security.Principal
- one that identifies class(es)
representing a user, and one that identifies class(es) representing
a security role.Principals
returned by
Subject.getPrincipals()
, it will identify the first
Principal
that matches the "user classes" list as the
Principal
for this user.Principals
returned by
Subject.getPrincipals()
, it will accumulate the set of
all Principals
matching the "role classes" list as
identifying the security roles for this user.Subject
without a Principal
that
matches the "user classes" list.Catalina { org.foobar.auth.DatabaseLoginModule REQUIRED JNDI_RESOURCE=jdbc/AuthDB USER_TABLE=users USER_ID_COLUMN=id USER_NAME_COLUMN=name USER_CREDENTIAL_COLUMN=password ROLE_TABLE=roles ROLE_NAME_COLUMN=name PRINCIPAL_FACTORY=org.foobar.auth.impl.SimplePrincipalFactory; };
CATALINA_OPTS
environment variable
similar to the following:
CATALINA_OPTS="-Djava.security.auth.login.config=$CATALINA_HOME/conf/jaas.config"
CallbackHandler
,
called (unsurprisingly) JAASCallbackHandler
. This handler supplies the
HTTP requests's username and credentials to the user-supplied LoginModule
Realm
implementations, digested passwords are supported if
the <Realm>
element in server.xml
contains a
digest
attribute; JAASCallbackHandler
will digest the password
prior to passing it back to the LoginModule
Nested Class Summary |
---|
Nested classes/interfaces inherited from class org.apache.catalina.realm.RealmBase |
---|
RealmBase.AllRolesMode |
Field Summary | |
---|---|
protected String |
appName
The application name passed to the JAAS LoginContext ,
which uses it to select the set of relevant LoginModule s. |
protected static String |
info
Descriptive information about this Realm implementation. |
protected static String |
name
Descriptive information about this Realm implementation. |
protected List<String> |
roleClasses
The list of role class names, split out for easy processing. |
protected String |
roleClassNames
Comma-delimited list of java.security.Principal classes
that represent security roles. |
protected boolean |
useContextClassLoader
Whether to use context ClassLoader or default ClassLoader. |
protected List<String> |
userClasses
The set of user class names, split out for easy processing. |
protected String |
userClassNames
Comma-delimited list of java.security.Principal classes
that represent individual users. |
Fields inherited from class org.apache.catalina.realm.RealmBase |
---|
allRolesMode, container, containerLog, digest, digestEncoding, md, md5Encoder, md5Helper, realmPath, sm, stripRealmForGss, support, validate, x509UsernameRetriever, x509UsernameRetrieverClassName |
Fields inherited from class org.apache.catalina.util.LifecycleMBeanBase |
---|
mserver |
Fields inherited from interface org.apache.catalina.Lifecycle |
---|
AFTER_DESTROY_EVENT, AFTER_INIT_EVENT, AFTER_START_EVENT, AFTER_STOP_EVENT, BEFORE_DESTROY_EVENT, BEFORE_INIT_EVENT, BEFORE_START_EVENT, BEFORE_STOP_EVENT, CONFIGURE_START_EVENT, CONFIGURE_STOP_EVENT, PERIODIC_EVENT, START_EVENT, STOP_EVENT |
Constructor Summary | |
---|---|
JAASRealm()
|
Method Summary | |
---|---|
protected Principal |
authenticate(String username,
CallbackHandler callbackHandler)
Perform the actual JAAS authentication |
Principal |
authenticate(String username,
String credentials)
Return the Principal associated with the specified username
and credentials, if there is one; otherwise return null . |
Principal |
authenticate(String username,
String clientDigest,
String nonce,
String nc,
String cnonce,
String qop,
String realmName,
String md5a2)
Return the Principal associated with the specified username
and digest, if there is one; otherwise return null . |
protected Principal |
createPrincipal(String username,
Subject subject,
LoginContext loginContext)
Identify and return a java.security.Principal instance
representing the authenticated user for the specified Subject . |
String |
getAppName()
getter for the appName member variable |
String |
getInfo()
Return descriptive information about this Realm implementation and the corresponding version number, in the format <description>/<version> . |
protected String |
getName()
Return a short name for this Realm implementation. |
protected String |
getPassword(String username)
Return the password associated with the given principal's user name. |
protected Principal |
getPrincipal(String username)
Return the Principal associated with the given user name. |
String |
getRoleClassNames()
|
String |
getUserClassNames()
|
boolean |
isUseContextClassLoader()
Returns whether to use the context or default ClassLoader. |
protected String |
makeLegalForJAAS(String src)
Ensure the given name is legal for JAAS configuration. |
protected void |
parseClassNames(String classNamesString,
List<String> classNamesList)
Parses a comma-delimited list of class names, and store the class names in the provided List. |
void |
setAppName(String name)
Deprecated. JAAS should use the Engine (domain) name and webpp/host overrides |
void |
setContainer(Container container)
Set the Container with which this Realm has been associated. |
void |
setRoleClassNames(String roleClassNames)
Sets the list of comma-delimited classes that represent roles. |
void |
setUseContextClassLoader(boolean useContext)
Sets whether to use the context or default ClassLoader. |
void |
setUserClassNames(String userClassNames)
Sets the list of comma-delimited classes that represent individual users. |
protected void |
startInternal()
Prepare for the beginning of active use of the public methods of this component and implement the requirements of LifecycleBase.startInternal() . |
Methods inherited from class org.apache.catalina.util.LifecycleMBeanBase |
---|
destroyInternal, getDomain, getObjectName, postDeregister, postRegister, preDeregister, preRegister, register, setDomain, unregister |
Methods inherited from class org.apache.catalina.util.LifecycleBase |
---|
addLifecycleListener, destroy, findLifecycleListeners, fireLifecycleEvent, getState, getStateName, init, removeLifecycleListener, setState, setState, start, stop |
Methods inherited from class java.lang.Object |
---|
clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait |
Field Detail |
---|
protected String appName
LoginContext
,
which uses it to select the set of relevant LoginModule
s.
protected static final String info
Realm
implementation.
protected static final String name
Realm
implementation.
protected List<String> roleClasses
protected List<String> userClasses
protected boolean useContextClassLoader
protected String roleClassNames
java.security.Principal
classes
that represent security roles.
protected String userClassNames
java.security.Principal
classes
that represent individual users.
Constructor Detail |
---|
public JAASRealm()
Method Detail |
---|
@Deprecated public void setAppName(String name)
Engine
(domain) name and webpp/host overrides
appName
member variable
public String getAppName()
appName
member variable
public void setUseContextClassLoader(boolean useContext)
useContext
- True means use context ClassLoaderpublic boolean isUseContextClassLoader()
public void setContainer(Container container)
RealmBase
setContainer
in interface Realm
setContainer
in class RealmBase
container
- The associated Containerpublic String getRoleClassNames()
public void setRoleClassNames(String roleClassNames)
java.security.Principal
.
The supplied list of classes will be parsed when LifecycleBase.start()
is
called.
protected void parseClassNames(String classNamesString, List<String> classNamesList)
java.security.Principal
.
classNamesString
- a comma-delimited list of fully qualified class names.classNamesList
- the list in which the class names will be stored.
The list is cleared before being populated.public String getUserClassNames()
public void setUserClassNames(String userClassNames)
java.security.Principal
. The supplied list of classes will
be parsed when LifecycleBase.start()
is called.
public String getInfo()
<description>/<version>
.
getInfo
in interface Realm
getInfo
in class RealmBase
public Principal authenticate(String username, String credentials)
Principal
associated with the specified username
and credentials, if there is one; otherwise return null
.
authenticate
in interface Realm
authenticate
in class RealmBase
username
- Username of the Principal
to look upcredentials
- Password or other credentials to use in
authenticating this usernamepublic Principal authenticate(String username, String clientDigest, String nonce, String nc, String cnonce, String qop, String realmName, String md5a2)
Principal
associated with the specified username
and digest, if there is one; otherwise return null
.
authenticate
in interface Realm
authenticate
in class RealmBase
username
- Username of the Principal
to look upclientDigest
- Digest to use in authenticating this usernamenonce
- Server generated noncenc
- Nonce countcnonce
- Client generated nonceqop
- Quality of protection applied to the messagerealmName
- Realm namemd5a2
- Second MD5 digest used to calculate the digest
MD5(Method + ":" + uri)protected Principal authenticate(String username, CallbackHandler callbackHandler)
protected String getName()
Realm
implementation.
getName
in class RealmBase
protected String getPassword(String username)
getPassword
in class RealmBase
protected Principal getPrincipal(String username)
Principal
associated with the given user name.
getPrincipal
in class RealmBase
protected Principal createPrincipal(String username, Subject subject, LoginContext loginContext)
java.security.Principal
instance
representing the authenticated user for the specified Subject
.
The Principal is constructed by scanning the list of Principals returned
by the JAASLoginModule. The first Principal
object that matches
one of the class names supplied as a "user class" is the user Principal.
This object is returned to the caller.
Any remaining principal objects returned by the LoginModules are mapped to
roles, but only if their respective classes match one of the "role class" classes.
If a user Principal cannot be constructed, return null
.
subject
- The Subject
representing the logged-in userloginContext
- Associated with the Principal so
LoginContext.logout()
can be called laterprotected String makeLegalForJAAS(String src)
src
- The name to validate
protected void startInternal() throws LifecycleException
LifecycleBase.startInternal()
.
startInternal
in class RealmBase
LifecycleException
- if this component detects a fatal error
that prevents this component from being used
|
Apache Tomcat 7.0.28 | ||||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | ||||||||
SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |