Class AuthenticatorBase

    • Field Detail

      • sm

        protected static final StringManager sm
        The string manager for this package.
      • alwaysUseSession

        protected boolean alwaysUseSession
        Should a session always be used once a user is authenticated? This may offer some performance benefits since the session can then be used to cache the authenticated Principal, hence removing the need to authenticate the user via the Realm on every request. This may be of help for combinations such as BASIC authentication used with the JNDIRealm or DataSourceRealms. However there will also be the performance cost of creating and GC'ing the session. By default, a session will not be created.
      • cache

        protected boolean cache
        Should we cache authenticated Principals if the request is part of an HTTP session?
      • changeSessionIdOnAuthentication

        protected boolean changeSessionIdOnAuthentication
        Should the session ID, if any, be changed upon a successful authentication to prevent a session fixation attack?
      • context

        protected Context context
        The Context to which this Valve is attached.
      • disableProxyCaching

        protected boolean disableProxyCaching
        Flag to determine if we disable proxy caching, or leave the issue up to the webapp developer.
      • securePagesWithPragma

        protected boolean securePagesWithPragma
        Flag to determine if we disable proxy caching with headers incompatible with IE.
      • secureRandomClass

        protected String secureRandomClass
        The Java class name of the secure random number generator class to be used when generating SSO session identifiers. The random number generator class must be self-seeding and have a zero-argument constructor. If not specified, an instance of SecureRandom will be generated.
      • secureRandomAlgorithm

        protected String secureRandomAlgorithm
        The name of the algorithm to use to create instances of SecureRandom which are used to generate SSO session IDs. If no algorithm is specified, SHA1PRNG is used. If SHA1PRNG is not available, the platform default will be used. To use the platform default (which may be SHA1PRNG), specify the empty string. If an invalid algorithm and/or provider is specified the SecureRandom instances will be created using the defaults. If that fails, the SecureRandom instances will be created using platform defaults.
      • secureRandomProvider

        protected String secureRandomProvider
        The name of the provider to use to create instances of SecureRandom which are used to generate session SSO IDs. If no provider is specified the platform default is used. If an invalid algorithm and/or provider is specified the SecureRandom instances will be created using the defaults. If that fails, the SecureRandom instances will be created using platform defaults.
      • jaspicCallbackHandlerClass

        protected String jaspicCallbackHandlerClass
        The name of the JASPIC callback handler class. If none is specified the default CallbackHandlerImpl will be used.
      • sso

        protected SingleSignOn sso
        The SingleSignOn implementation in our request processing chain, if there is one.
    • Constructor Detail

      • AuthenticatorBase

        public AuthenticatorBase()
    • Method Detail

      • getRealmName

        protected static String getRealmName​(Context context)
      • getAllowCorsPreflight

        public String getAllowCorsPreflight()
      • setAllowCorsPreflight

        public void setAllowCorsPreflight​(String allowCorsPreflight)
      • getAlwaysUseSession

        public boolean getAlwaysUseSession()
      • setAlwaysUseSession

        public void setAlwaysUseSession​(boolean alwaysUseSession)
      • getCache

        public boolean getCache()
        Return the cache authenticated Principals flag.
        Returns:
        true if authenticated Principals will be cached, otherwise false
      • setCache

        public void setCache​(boolean cache)
        Set the cache authenticated Principals flag.
        Parameters:
        cache - The new cache flag
      • getContainer

        public Container getContainer()
        Description copied from interface: Contained
        Get the Container with which this instance is associated.
        Specified by:
        getContainer in interface Contained
        Overrides:
        getContainer in class ValveBase
        Returns:
        The Container with which this instance is associated or null if not associated with a Container
      • setContainer

        public void setContainer​(Container container)
        Description copied from interface: Contained
        Set the Container with which this instance is associated.
        Specified by:
        setContainer in interface Contained
        Overrides:
        setContainer in class ValveBase
        Parameters:
        container - The Container instance with which this instance is to be associated, or null to disassociate this instance from any Container
      • getDisableProxyCaching

        public boolean getDisableProxyCaching()
        Return the flag that states if we add headers to disable caching by proxies.
        Returns:
        true if the headers will be added, otherwise false
      • setDisableProxyCaching

        public void setDisableProxyCaching​(boolean nocache)
        Set the value of the flag that states if we add headers to disable caching by proxies.
        Parameters:
        nocache - true if we add headers to disable proxy caching, false if we leave the headers alone.
      • getSecurePagesWithPragma

        public boolean getSecurePagesWithPragma()
        Return the flag that states, if proxy caching is disabled, what headers we add to disable the caching.
        Returns:
        true if a Pragma header should be used, otherwise false
      • setSecurePagesWithPragma

        public void setSecurePagesWithPragma​(boolean securePagesWithPragma)
        Set the value of the flag that states what headers we add to disable proxy caching.
        Parameters:
        securePagesWithPragma - true if we add headers which are incompatible with downloading office documents in IE under SSL but which fix a caching problem in Mozilla.
      • getChangeSessionIdOnAuthentication

        public boolean getChangeSessionIdOnAuthentication()
        Return the flag that states if we should change the session ID of an existing session upon successful authentication.
        Returns:
        true to change session ID upon successful authentication, false to do not perform the change.
      • setChangeSessionIdOnAuthentication

        public void setChangeSessionIdOnAuthentication​(boolean changeSessionIdOnAuthentication)
        Set the value of the flag that states if we should change the session ID of an existing session upon successful authentication.
        Parameters:
        changeSessionIdOnAuthentication - true to change session ID upon successful authentication, false to do not perform the change.
      • getSecureRandomClass

        public String getSecureRandomClass()
        Return the secure random number generator class name.
        Returns:
        The fully qualified name of the SecureRandom implementation to use
      • setSecureRandomClass

        public void setSecureRandomClass​(String secureRandomClass)
        Set the secure random number generator class name.
        Parameters:
        secureRandomClass - The new secure random number generator class name
      • getSecureRandomAlgorithm

        public String getSecureRandomAlgorithm()
        Return the secure random number generator algorithm name.
        Returns:
        The name of the SecureRandom algorithm used
      • setSecureRandomAlgorithm

        public void setSecureRandomAlgorithm​(String secureRandomAlgorithm)
        Set the secure random number generator algorithm name.
        Parameters:
        secureRandomAlgorithm - The new secure random number generator algorithm name
      • getSecureRandomProvider

        public String getSecureRandomProvider()
        Return the secure random number generator provider name.
        Returns:
        The name of the SecureRandom provider
      • setSecureRandomProvider

        public void setSecureRandomProvider​(String secureRandomProvider)
        Set the secure random number generator provider name.
        Parameters:
        secureRandomProvider - The new secure random number generator provider name
      • getJaspicCallbackHandlerClass

        public String getJaspicCallbackHandlerClass()
        Return the JASPIC callback handler class name
        Returns:
        The name of the JASPIC callback handler
      • setJaspicCallbackHandlerClass

        public void setJaspicCallbackHandlerClass​(String jaspicCallbackHandlerClass)
        Set the JASPIC callback handler class name
        Parameters:
        jaspicCallbackHandlerClass - The new JASPIC callback handler class name
      • isSendAuthInfoResponseHeaders

        public boolean isSendAuthInfoResponseHeaders()
        Returns the flag whether authentication information will be sent to a reverse proxy on a forwarded request.
        Returns:
        true if response headers shall be sent, false otherwise
      • setSendAuthInfoResponseHeaders

        public void setSendAuthInfoResponseHeaders​(boolean sendAuthInfoResponseHeaders)
        Sets the flag whether authentication information will be send to a reverse proxy on a forwarded request.
        Parameters:
        sendAuthInfoResponseHeaders - true if response headers shall be sent, false otherwise
      • invoke

        public void invoke​(Request request,
                           Response response)
                    throws IOException,
                           ServletException
        Enforce the security restrictions in the web application deployment descriptor of our associated Context.
        Specified by:
        invoke in interface Valve
        Parameters:
        request - Request to be processed
        response - Response to be processed
        Throws:
        IOException - if an input/output error occurs
        ServletException - if thrown by a processing element
      • allowCorsPreflightBypass

        protected boolean allowCorsPreflightBypass​(Request request)
      • authenticate

        public boolean authenticate​(Request request,
                                    HttpServletResponse httpResponse)
                             throws IOException
        Description copied from interface: Authenticator
        Authenticate the user making this request, based on the login configuration of the Context with which this Authenticator is associated.
        Specified by:
        authenticate in interface Authenticator
        Parameters:
        request - Request we are processing
        httpResponse - Response we are populating
        Returns:
        true if any specified constraints have been satisfied, or false if one more constraints were not satisfied (in which case an authentication challenge will have been written to the response).
        Throws:
        IOException - if an input/output error occurs
      • doAuthenticate

        protected abstract boolean doAuthenticate​(Request request,
                                                  HttpServletResponse response)
                                           throws IOException
        Provided for sub-classes to implement their specific authentication mechanism.
        Parameters:
        request - The request that triggered the authentication
        response - The response associated with the request
        Returns:
        true if the the user was authenticated, otherwise false, in which case an authentication challenge will have been written to the response
        Throws:
        IOException - If an I/O problem occurred during the authentication process
      • isContinuationRequired

        protected boolean isContinuationRequired​(Request request)
        Does this authenticator require that authenticate(Request, HttpServletResponse) is called to continue an authentication process that started in a previous request?
        Parameters:
        request - The request currently being processed
        Returns:
        true if authenticate() must be called, otherwise false
      • associate

        protected void associate​(String ssoId,
                                 Session session)
        Associate the specified single sign on identifier with the specified Session.
        Parameters:
        ssoId - Single sign on identifier
        session - Session to be associated
      • checkForCachedAuthentication

        protected boolean checkForCachedAuthentication​(Request request,
                                                       HttpServletResponse response,
                                                       boolean useSSO)
        Check to see if the user has already been authenticated earlier in the processing chain or if there is enough information available to authenticate the user without requiring further user interaction.
        Parameters:
        request - The current request
        response - The current response
        useSSO - Should information available from SSO be used to attempt to authenticate the current user?
        Returns:
        true if the user was authenticated via the cache, otherwise false
      • reauthenticateFromSSO

        protected boolean reauthenticateFromSSO​(String ssoId,
                                                Request request)
        Attempts reauthentication to the Realm using the credentials included in argument entry.
        Parameters:
        ssoId - identifier of SingleSignOn session with which the caller is associated
        request - the request that needs to be authenticated
        Returns:
        true if the reauthentication from SSL occurred
      • register

        public void register​(Request request,
                             HttpServletResponse response,
                             Principal principal,
                             String authType,
                             String username,
                             String password)
        Register an authenticated Principal and authentication type in our request, in the current session (if there is one), and with our SingleSignOn valve, if there is one. Set the appropriate cookie to be returned.
        Parameters:
        request - The servlet request we are processing
        response - The servlet response we are generating
        principal - The authenticated Principal to be registered
        authType - The authentication type to be registered
        username - Username used to authenticate (if any)
        password - Password used to authenticate (if any)
      • register

        protected void register​(Request request,
                                HttpServletResponse response,
                                Principal principal,
                                String authType,
                                String username,
                                String password,
                                boolean alwaysUseSession,
                                boolean cache)
        Register an authenticated Principal and authentication type in our request, in the current session (if there is one), and with our SingleSignOn valve, if there is one. Set the appropriate cookie to be returned.
        Parameters:
        request - The servlet request we are processing
        response - The servlet response we are generating
        principal - The authenticated Principal to be registered
        authType - The authentication type to be registered
        username - Username used to authenticate (if any)
        password - Password used to authenticate (if any)
        alwaysUseSession - Should a session always be used once a user is authenticated?
        cache - Should we cache authenticated Principals if the request is part of an HTTP session?
      • getAuthMethod

        protected abstract String getAuthMethod()
        Return the authentication method, which is vendor-specific and not defined by HttpServletRequest.
        Returns:
        the authentication method, which is vendor-specific and not defined by HttpServletRequest.
      • doLogin

        protected Principal doLogin​(Request request,
                                    String username,
                                    String password)
                             throws ServletException
        Process the login request.
        Parameters:
        request - Associated request
        username - The user
        password - The password
        Returns:
        The authenticated Principal
        Throws:
        ServletException - No principal was authenticated with the specified credentials
      • isPreemptiveAuthPossible

        protected boolean isPreemptiveAuthPossible​(Request request)
        Can the authenticator perform preemptive authentication for the given request?
        Parameters:
        request - The request to check for credentials
        Returns:
        true if preemptive authentication is possible, otherwise false