Package org.apache.catalina.ha.authenticator

Class ClusterSingleSignOn

  • All Implemented Interfaces:
    javax.management.MBeanRegistration, Contained, ClusterValve, JmxEnabled, Lifecycle, AbstractReplicatedMap.MapOwner, Valve
    public class ClusterSingleSignOn
extends SingleSignOn
implements ClusterValve, AbstractReplicatedMap.MapOwner
    A Valve that supports a "single sign on" user experience on each nodes of a cluster, where the security identity of a user who successfully authenticates to one web application is propagated to other web applications and to other nodes cluster in the same security domain. For successful use, the following requirements must be met:
    • This Valve must be configured on the Container that represents a virtual host (typically an implementation of Host).
    • The Realm that contains the shared user and role information must be configured on the same Container (or a higher one), and not overridden at the web application level.
    • The web applications themselves must use one of the standard Authenticators found in the org.apache.catalina.authenticator package.
    Author:
    Fabien Carrion

    • Constructor Detail

      • ClusterSingleSignOn

        public ClusterSingleSignOn()

    • Method Detail

      • setCluster

        public void setCluster​(CatalinaCluster cluster)
        Description copied from interface: ClusterValve
        Associates the cluster deployer with a cluster
        Specified by:
        setCluster in interface ClusterValve
        Parameters:
        cluster - CatalinaCluster

      • getRpcTimeout

        public long getRpcTimeout()

      • setRpcTimeout

        public void setRpcTimeout​(long rpcTimeout)

      • getMapSendOptions

        public int getMapSendOptions()

      • setMapSendOptions

        public void setMapSendOptions​(int mapSendOptions)

      • getTerminateOnStartFailure

        public boolean getTerminateOnStartFailure()

      • setTerminateOnStartFailure

        public void setTerminateOnStartFailure​(boolean terminateOnStartFailure)

      • getAccessTimeout

        public long getAccessTimeout()

      • setAccessTimeout

        public void setAccessTimeout​(long accessTimeout)

      • associate

        protected boolean associate​(java.lang.String ssoId,
                            Session session)
        Description copied from class: SingleSignOn
        Associate the specified single sign on identifier with the specified Session.
        Overrides:
        associate in class SingleSignOn
        Parameters:
        ssoId - Single sign on identifier
        session - Session to be associated
        Returns:
        true if the session was associated to the given SSO session, otherwise false

      • update

        protected boolean update​(java.lang.String ssoId,
                         java.security.Principal principal,
                         java.lang.String authType,
                         java.lang.String username,
                         java.lang.String password)
        Description copied from class: SingleSignOn
        Updates any SingleSignOnEntry found under key ssoId with the given authentication data.

        The purpose of this method is to allow an SSO entry that was established without a username/password combination (i.e. established following DIGEST or CLIENT_CERT authentication) to be updated with a username and password if one becomes available through a subsequent BASIC or FORM authentication. The SSO entry will then be usable for reauthentication.

        NOTE: Only updates the SSO entry if a call to SingleSignOnEntry.getCanReauthenticate() returns false; otherwise, it is assumed that the SSO entry already has sufficient information to allow reauthentication and that no update is needed.

        Overrides:
        update in class SingleSignOn
        Parameters:
        ssoId - identifier of Single sign to be updated
        principal - the Principal returned by the latest call to Realm.authenticate.
        authType - the type of authenticator used (BASIC, CLIENT_CERT, DIGEST or FORM)
        username - the username (if any) used for the authentication
        password - the password (if any) used for the authentication
        Returns:
        true if the credentials were updated, otherwise false