Apache Tomcat 6.0.43

org.apache.catalina.realm
Class JAASRealm

java.lang.Object
  extended by org.apache.catalina.realm.RealmBase
      extended by org.apache.catalina.realm.JAASRealm
All Implemented Interfaces:
javax.management.MBeanRegistration, Lifecycle, Realm

public class JAASRealm
extends RealmBase

Implmentation of Realm that authenticates users via the Java Authentication and Authorization Service (JAAS). JAAS support requires either JDK 1.4 (which includes it as part of the standard platform) or JDK 1.3 (with the plug-in jaas.jar file).

The value configured for the appName property is passed to the javax.security.auth.login.LoginContext constructor, to specify the application name used to select the set of relevant LoginModules required.

The JAAS Specification describes the result of a successful login as a javax.security.auth.Subject instance, which can contain zero or more java.security.Principal objects in the return value of the Subject.getPrincipals() method. However, it provides no guidance on how to distinguish Principals that describe the individual user (and are thus appropriate to return as the value of request.getUserPrincipal() in a web application) from the Principal(s) that describe the authorized roles for this user. To maintain as much independence as possible from the underlying LoginMethod implementation executed by JAAS, the following policy is implemented by this Realm:

Author:
Craig R. McClanahan, Yoav Shapira

Nested Class Summary
 
Nested classes/interfaces inherited from class org.apache.catalina.realm.RealmBase
RealmBase.AllRolesMode
 
Field Summary
protected  java.lang.String appName
          The application name passed to the JAAS LoginContext, which uses it to select the set of relevant LoginModules.
protected static java.lang.String info
          Descriptive information about this Realm implementation.
protected static java.lang.String name
          Descriptive information about this Realm implementation.
protected  java.util.List<java.lang.String> roleClasses
          The list of role class names, split out for easy processing.
protected  java.lang.String roleClassNames
          Comma-delimited list of java.security.Principal classes that represent security roles.
protected static StringManager sm
          The string manager for this package.
protected  boolean useContextClassLoader
          Whether to use context ClassLoader or default ClassLoader.
protected  java.util.List<java.lang.String> userClasses
          The set of user class names, split out for easy processing.
protected  java.lang.String userClassNames
          Comma-delimited list of java.security.Principal classes that represent individual users.
 
Fields inherited from class org.apache.catalina.realm.RealmBase
allRolesMode, container, containerLog, controller, digest, digestEncoding, domain, host, initialized, lifecycle, md, md5Encoder, md5Helper, mserver, oname, path, realmPath, started, support, type, validate, x509UsernameRetriever, x509UsernameRetrieverClassName
 
Fields inherited from interface org.apache.catalina.Lifecycle
AFTER_START_EVENT, AFTER_STOP_EVENT, BEFORE_START_EVENT, BEFORE_STOP_EVENT, DESTROY_EVENT, INIT_EVENT, PERIODIC_EVENT, START_EVENT, STOP_EVENT
 
Constructor Summary
JAASRealm()
           
 
Method Summary
protected  java.security.Principal authenticate(java.lang.String username, javax.security.auth.callback.CallbackHandler callbackHandler)
          Perform the actual JAAS authentication
 java.security.Principal authenticate(java.lang.String username, java.lang.String credentials)
          Return the Principal associated with the specified username and credentials, if there is one; otherwise return null.
 java.security.Principal authenticate(java.lang.String username, java.lang.String clientDigest, java.lang.String nonce, java.lang.String nc, java.lang.String cnonce, java.lang.String qop, java.lang.String realmName, java.lang.String md5a2)
          Return the Principal associated with the specified username and digest, if there is one; otherwise return null.
protected  java.security.Principal createPrincipal(java.lang.String username, javax.security.auth.Subject subject)
          Deprecated. Use createPrincipal(String, Subject, LoginContext)
protected  java.security.Principal createPrincipal(java.lang.String username, javax.security.auth.Subject subject, javax.security.auth.login.LoginContext loginContext)
          Identify and return a java.security.Principal instance representing the authenticated user for the specified Subject.
 java.lang.String getAppName()
          getter for the appName member variable
 java.lang.String getInfo()
          Return descriptive information about this Realm implementation and the corresponding version number, in the format <description>/<version>.
protected  java.lang.String getName()
          Return a short name for this Realm implementation.
protected  java.lang.String getPassword(java.lang.String username)
          Return the password associated with the given principal's user name.
protected  java.security.Principal getPrincipal(java.lang.String username)
          Return the Principal associated with the given user name.
 java.lang.String getRoleClassNames()
           
 java.lang.String getUserClassNames()
           
 boolean isUseContextClassLoader()
          Returns whether to use the context or default ClassLoader.
protected  java.lang.String makeLegalForJAAS(java.lang.String src)
          Ensure the given name is legal for JAAS configuration.
protected  void parseClassNames(java.lang.String classNamesString, java.util.List<java.lang.String> classNamesList)
          Parses a comma-delimited list of class names, and store the class names in the provided List.
 void setAppName(java.lang.String name)
          Deprecated. JAAS should use the Engine (domain) name and webpp/host overrides
 void setContainer(Container container)
          Set the Container with which this Realm has been associated.
 void setRoleClassNames(java.lang.String roleClassNames)
          Sets the list of comma-delimited classes that represent roles.
 void setUseContextClassLoader(boolean useContext)
          Sets whether to use the context or default ClassLoader.
 void setUserClassNames(java.lang.String userClassNames)
          Sets the list of comma-delimited classes that represent individual users.
 void start()
          Prepare for active use of the public methods of this Component.
 void stop()
          Gracefully shut down active use of the public methods of this Component.
 
Methods inherited from class org.apache.catalina.realm.RealmBase
addLifecycleListener, addPropertyChangeListener, authenticate, authenticate, backgroundProcess, destroy, digest, Digest, findLifecycleListeners, findSecurityConstraints, getAllRolesMode, getContainer, getController, getDigest, getDigest, getDigestEncoding, getDomain, getObjectName, getPrincipal, getRealmPath, getRealmSuffix, getType, getValidate, getX509UsernameRetrieverClassName, hasMessageDigest, hasResourcePermission, hasRole, hasUserDataPermission, init, main, postDeregister, postRegister, preDeregister, preRegister, removeLifecycleListener, removePropertyChangeListener, setAllRolesMode, setController, setDigest, setDigestEncoding, setRealmPath, setValidate, setX509UsernameRetrieverClassName
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

appName

protected java.lang.String appName
The application name passed to the JAAS LoginContext, which uses it to select the set of relevant LoginModules.


info

protected static final java.lang.String info
Descriptive information about this Realm implementation.

See Also:
Constant Field Values

name

protected static final java.lang.String name
Descriptive information about this Realm implementation.

See Also:
Constant Field Values

roleClasses

protected java.util.List<java.lang.String> roleClasses
The list of role class names, split out for easy processing.


sm

protected static final StringManager sm
The string manager for this package.


userClasses

protected java.util.List<java.lang.String> userClasses
The set of user class names, split out for easy processing.


useContextClassLoader

protected boolean useContextClassLoader
Whether to use context ClassLoader or default ClassLoader. True means use context ClassLoader, and True is the default value.


roleClassNames

protected java.lang.String roleClassNames
Comma-delimited list of java.security.Principal classes that represent security roles.


userClassNames

protected java.lang.String userClassNames
Comma-delimited list of java.security.Principal classes that represent individual users.

Constructor Detail

JAASRealm

public JAASRealm()
Method Detail

setAppName

public void setAppName(java.lang.String name)
Deprecated. JAAS should use the Engine (domain) name and webpp/host overrides

setter for the appName member variable


getAppName

public java.lang.String getAppName()
getter for the appName member variable


setUseContextClassLoader

public void setUseContextClassLoader(boolean useContext)
Sets whether to use the context or default ClassLoader. True means use context ClassLoader.

Parameters:
useContext - True means use context ClassLoader

isUseContextClassLoader

public boolean isUseContextClassLoader()
Returns whether to use the context or default ClassLoader. True means to use the context ClassLoader.

Returns:
The value of useContextClassLoader

setContainer

public void setContainer(Container container)
Description copied from class: RealmBase
Set the Container with which this Realm has been associated.

Specified by:
setContainer in interface Realm
Overrides:
setContainer in class RealmBase
Parameters:
container - The associated Container

getRoleClassNames

public java.lang.String getRoleClassNames()

setRoleClassNames

public void setRoleClassNames(java.lang.String roleClassNames)
Sets the list of comma-delimited classes that represent roles. The classes in the list must implement java.security.Principal. The supplied list of classes will be parsed when start() is called.


parseClassNames

protected void parseClassNames(java.lang.String classNamesString,
                               java.util.List<java.lang.String> classNamesList)
Parses a comma-delimited list of class names, and store the class names in the provided List. Each class must implement java.security.Principal.

Parameters:
classNamesString - a comma-delimited list of fully qualified class names.
classNamesList - the list in which the class names will be stored. The list is cleared before being populated.

getUserClassNames

public java.lang.String getUserClassNames()

setUserClassNames

public void setUserClassNames(java.lang.String userClassNames)
Sets the list of comma-delimited classes that represent individual users. The classes in the list must implement java.security.Principal. The supplied list of classes will be parsed when start() is called.


getInfo

public java.lang.String getInfo()
Return descriptive information about this Realm implementation and the corresponding version number, in the format <description>/<version>.

Specified by:
getInfo in interface Realm
Overrides:
getInfo in class RealmBase

authenticate

public java.security.Principal authenticate(java.lang.String username,
                                            java.lang.String credentials)
Return the Principal associated with the specified username and credentials, if there is one; otherwise return null.

Specified by:
authenticate in interface Realm
Overrides:
authenticate in class RealmBase
Parameters:
username - Username of the Principal to look up
credentials - Password or other credentials to use in authenticating this username

authenticate

public java.security.Principal authenticate(java.lang.String username,
                                            java.lang.String clientDigest,
                                            java.lang.String nonce,
                                            java.lang.String nc,
                                            java.lang.String cnonce,
                                            java.lang.String qop,
                                            java.lang.String realmName,
                                            java.lang.String md5a2)
Return the Principal associated with the specified username and digest, if there is one; otherwise return null.

Specified by:
authenticate in interface Realm
Overrides:
authenticate in class RealmBase
Parameters:
username - Username of the Principal to look up
clientDigest - Digest to use in authenticating this username
nonce - Server generated nonce
nc - Nonce count
cnonce - Client generated nonce
qop - Quality of protection aplied to the message
realmName - Realm name
md5a2 - Second MD5 digest used to calculate the digest MD5(Method + ":" + uri)

authenticate

protected java.security.Principal authenticate(java.lang.String username,
                                               javax.security.auth.callback.CallbackHandler callbackHandler)
Perform the actual JAAS authentication


getName

protected java.lang.String getName()
Return a short name for this Realm implementation.

Specified by:
getName in class RealmBase

getPassword

protected java.lang.String getPassword(java.lang.String username)
Return the password associated with the given principal's user name. This always returns null as the JAASRealm has no way of obtaining this information.

Specified by:
getPassword in class RealmBase

getPrincipal

protected java.security.Principal getPrincipal(java.lang.String username)
Return the Principal associated with the given user name.

Specified by:
getPrincipal in class RealmBase

createPrincipal

protected java.security.Principal createPrincipal(java.lang.String username,
                                                  javax.security.auth.Subject subject)
Deprecated. Use createPrincipal(String, Subject, LoginContext)


createPrincipal

protected java.security.Principal createPrincipal(java.lang.String username,
                                                  javax.security.auth.Subject subject,
                                                  javax.security.auth.login.LoginContext loginContext)
Identify and return a java.security.Principal instance representing the authenticated user for the specified Subject. The Principal is constructed by scanning the list of Principals returned by the JAASLoginModule. The first Principal object that matches one of the class names supplied as a "user class" is the user Principal. This object is returned to the caller. Any remaining principal objects returned by the LoginModules are mapped to roles, but only if their respective classes match one of the "role class" classes. If a user Principal cannot be constructed, return null.

Parameters:
subject - The Subject representing the logged-in user
loginContext - Associated with the Principal so LoginContext.logout() can be called later

makeLegalForJAAS

protected java.lang.String makeLegalForJAAS(java.lang.String src)
Ensure the given name is legal for JAAS configuration. Added for Bugzilla 30869, made protected for easy customization in case my implementation is insufficient, which I think is very likely.

Parameters:
src - The name to validate
Returns:
A string that's a valid JAAS realm name

start

public void start()
           throws LifecycleException
Prepare for active use of the public methods of this Component.

Specified by:
start in interface Lifecycle
Overrides:
start in class RealmBase
Throws:
LifecycleException - if this component detects a fatal error that prevents it from being started

stop

public void stop()
          throws LifecycleException
Gracefully shut down active use of the public methods of this Component.

Specified by:
stop in interface Lifecycle
Overrides:
stop in class RealmBase
Throws:
LifecycleException - if this component detects a fatal error that needs to be reported

Apache Tomcat 6.0.43

Copyright © 2000-2014 Apache Software Foundation. All Rights Reserved.