Field Detail

• sm

  protected static final StringManager sm

  The string manager for this package.

• AUTH_HEADER_NAME

  protected static final String AUTH_HEADER_NAME

  Authentication header

  See Also:

  Constant Field Values

• REALM_NAME

  protected static final String REALM_NAME

  Default authentication realm name.

  See Also:

  Constant Field Values

• alwaysUseSession

  protected boolean alwaysUseSession

  Should a session always be used once a user is authenticated? This may offer some performance benefits since the session can then be used to cache the authenticated Principal, hence removing the need to authenticate the user via the Realm on every request. This may be of help for combinations such as BASIC authentication used with the JNDIRealm or DataSourceRealms. However there will also be the performance cost of creating and GC'ing the session. By default, a session will not be created.

• cache

  protected boolean cache

  Should we cache authenticated Principals if the request is part of an HTTP session?

• changeSessionIdOnAuthentication

  protected boolean changeSessionIdOnAuthentication

  Should the session ID, if any, be changed upon a successful authentication to prevent a session fixation attack?

• context

  protected Context context

  The Context to which this Valve is attached.

• info

  protected static final String info

  Descriptive information about this implementation.

  See Also:

  Constant Field Values

• disableProxyCaching

  protected boolean disableProxyCaching

  Flag to determine if we disable proxy caching, or leave the issue up to the webapp developer.

• securePagesWithPragma

  protected boolean securePagesWithPragma

  Flag to determine if we disable proxy caching with headers incompatible with IE.

• secureRandomClass

  protected String secureRandomClass

  The Java class name of the secure random number generator class to be used when generating SSO session identifiers. The random number generator class must be self-seeding and have a zero-argument constructor. If not specified, an instance of SecureRandom will be generated.

• secureRandomAlgorithm

  protected String secureRandomAlgorithm

  The name of the algorithm to use to create instances of SecureRandom which are used to generate SSO session IDs. If no algorithm is specified, SHA1PRNG is used. To use the platform default (which may be SHA1PRNG), specify the empty string. If an invalid algorithm and/or provider is specified the SecureRandom instances will be created using the defaults. If that fails, the SecureRandom instances will be created using platform defaults.

• secureRandomProvider

  protected String secureRandomProvider

  The name of the provider to use to create instances of SecureRandom which are used to generate session SSO IDs. If no algorithm is specified the of SHA1PRNG default is used. If an invalid algorithm and/or provider is specified the SecureRandom instances will be created using the defaults. If that fails, the SecureRandom instances will be created using platform defaults.

• sendAuthInfoResponseHeaders

  protected boolean sendAuthInfoResponseHeaders

  Should the auth information (remote user and auth type) be returned as response headers for a forwarded/proxied request? When the RemoteIpValve or RemoteIpFilter mark a forwarded request with the Globals.REQUEST_FORWARDED_ATTRIBUTE this authenticator can return the values of HttpServletRequest.getRemoteUser() and HttpServletRequest.getAuthType() as response headers remote-user and auth-type to a reverse proxy. This is useful, e.g., for access log consistency or other decisions to make.

• sessionIdGenerator

  protected SessionIdGeneratorBase sessionIdGenerator

• sso

  protected SingleSignOn sso

  The SingleSignOn implementation in our request processing chain, if there is one.

Constructor Detail

• AuthenticatorBase

  public AuthenticatorBase()

Method Detail

• getAllowCorsPreflight

  public String getAllowCorsPreflight()

• setAllowCorsPreflight

  public void setAllowCorsPreflight(String allowCorsPreflight)

• getAlwaysUseSession

  public boolean getAlwaysUseSession()

• setAlwaysUseSession

  public void setAlwaysUseSession(boolean alwaysUseSession)

• getCache

  public boolean getCache()

  Return the cache authenticated Principals flag.

  Returns:

  true if authenticated Principals will be cached, otherwise false

• setCache

  public void setCache(boolean cache)

  Set the cache authenticated Principals flag.

  Parameters:

  cache - The new cache flag

• getContainer

  public Container getContainer()

  Return the Container to which this Valve is attached.

  Specified by:

  getContainer in interface Contained

  Overrides:

  getContainer in class ValveBase

  Returns:

  The Container with which this instance is associated or null if not associated with a Container

• setContainer

  public void setContainer(Container container)

  Set the Container to which this Valve is attached.

  Specified by:

  setContainer in interface Contained

  Overrides:

  setContainer in class ValveBase

  Parameters:

  container - The container to which we are attached

• getInfo

  public String getInfo()

  Return descriptive information about this Valve implementation.

  Specified by:

  getInfo in interface Valve

  Overrides:

  getInfo in class ValveBase

  Returns:

  descriptive information about this Valve implementation.

• getDisableProxyCaching

  public boolean getDisableProxyCaching()

  Return the flag that states if we add headers to disable caching by proxies.

  Returns:

  true if the headers will be added, otherwise false

• setDisableProxyCaching

  public void setDisableProxyCaching(boolean nocache)

  Set the value of the flag that states if we add headers to disable caching by proxies.

  Parameters:

  nocache - true if we add headers to disable proxy caching, false if we leave the headers alone.

• getSecurePagesWithPragma

  public boolean getSecurePagesWithPragma()

  Return the flag that states, if proxy caching is disabled, what headers we add to disable the caching.

  Returns:

  true if a Pragma header should be used, otherwise false

• setSecurePagesWithPragma

  public void setSecurePagesWithPragma(boolean securePagesWithPragma)

  Set the value of the flag that states what headers we add to disable proxy caching.

  Parameters:

  securePagesWithPragma - true if we add headers which are incompatible with downloading office documents in IE under SSL but which fix a caching problem in Mozilla.

• getChangeSessionIdOnAuthentication

  public boolean getChangeSessionIdOnAuthentication()

  Return the flag that states if we should change the session ID of an existing session upon successful authentication.

  Returns:

  true to change session ID upon successful authentication, false to do not perform the change.

• setChangeSessionIdOnAuthentication

  public void setChangeSessionIdOnAuthentication(boolean changeSessionIdOnAuthentication)

  Set the value of the flag that states if we should change the session ID of an existing session upon successful authentication.

  Parameters:

  changeSessionIdOnAuthentication - true to change session ID upon successful authentication, false to do not perform the change.

• getSecureRandomClass

  public String getSecureRandomClass()

  Return the secure random number generator class name.

  Returns:

  The fully qualified name of the SecureRandom implementation to use

• setSecureRandomClass

  public void setSecureRandomClass(String secureRandomClass)

  Set the secure random number generator class name.

  Parameters:

  secureRandomClass - The new secure random number generator class name

• getSecureRandomAlgorithm

  public String getSecureRandomAlgorithm()

  Return the secure random number generator algorithm name.

  Returns:

  The name of the SecureRandom algorithm used

• setSecureRandomAlgorithm

  public void setSecureRandomAlgorithm(String secureRandomAlgorithm)

  Set the secure random number generator algorithm name.

  Parameters:

  secureRandomAlgorithm - The new secure random number generator algorithm name

• getSecureRandomProvider

  public String getSecureRandomProvider()

  Return the secure random number generator provider name.

  Returns:

  The name of the SecureRandom provider

• setSecureRandomProvider

  public void setSecureRandomProvider(String secureRandomProvider)

  Set the secure random number generator provider name.

  Parameters:

  secureRandomProvider - The new secure random number generator provider name

• isSendAuthInfoResponseHeaders

  public boolean isSendAuthInfoResponseHeaders()

  Returns the flag whether authentication information will be sent to a reverse proxy on a forwarded request.

  Returns:

  true if response headers shall be sent, false otherwise

• setSendAuthInfoResponseHeaders

  public void setSendAuthInfoResponseHeaders(boolean sendAuthInfoResponseHeaders)

  Sets the flag whether authentication information will be send to a reverse proxy on a forwarded request.

  Parameters:

  sendAuthInfoResponseHeaders - true if response headers shall be sent, false otherwise

• invoke

  public void invoke(Request request,
            Response response)
              throws IOException,
                     ServletException

  Enforce the security restrictions in the web application deployment descriptor of our associated Context.

  Specified by:

  invoke in interface Valve

  Specified by:

  invoke in class ValveBase

  Parameters:

  request - Request to be processed

  response - Response to be processed

  Throws:

  IOException - if an input/output error occurs

  ServletException - if thrown by a processing element

• allowCorsPreflightBypass

  protected boolean allowCorsPreflightBypass(Request request)

• authenticate

  public boolean authenticate(Request request,
                     HttpServletResponse httpResponse)
                       throws IOException

  Description copied from interface: Authenticator
  Authenticate the user making this request, based on the login configuration of the Context with which this Authenticator is associated.

  Specified by:

  authenticate in interface Authenticator

  Parameters:

  request - Request we are processing

  httpResponse - Response we are populating

  Returns:

  true if any specified constraints have been satisfied, or false if one more constraints were not satisfied (in which case an authentication challenge will have been written to the response).

  Throws:

  IOException - if an input/output error occurs

• authenticate

  public abstract boolean authenticate(Request request,
                     HttpServletResponse response,
                     LoginConfig config)
                                throws IOException

  Description copied from interface: Authenticator
  Authenticate the user making this request, based on the specified login configuration.

  Specified by:

  authenticate in interface Authenticator

  Parameters:

  request - Request we are processing

  response - Response we are populating

  config - Login configuration describing how authentication should be performed

  Returns:

  true if any specified constraints have been satisfied, or false if one more constraints were not satisfied (in which case an authentication challenge will have been written to the response).

  Throws:

  IOException - if an input/output error occurs

• isContinuationRequired

  protected boolean isContinuationRequired(Request request)

  Does this authenticator require that authenticate(Request, HttpServletResponse) is called to continue an authentication process that started in a previous request?

  Parameters:

  request - The request currently being processed

  Returns:

  true if authenticate() must be called, otherwise false

• getRequestCertificates

  protected X509Certificate[] getRequestCertificates(Request request)
                                              throws IllegalStateException

  Look for the X509 certificate chain in the Request under the key javax.servlet.request.X509Certificate. If not found, trigger extracting the certificate chain from the Coyote request.

  Parameters:

  request - Request to be processed

  Returns:

  The X509 certificate chain if found, null otherwise.

  Throws:

  IllegalStateException

• associate

  protected void associate(String ssoId,
               Session session)

  Associate the specified single sign on identifier with the specified Session.

  Parameters:

  ssoId - Single sign on identifier

  session - Session to be associated

• checkForCachedAuthentication

  protected boolean checkForCachedAuthentication(Request request,
                                     HttpServletResponse response,
                                     boolean useSSO)

  Check to see if the user has already been authenticated earlier in the processing chain or if there is enough information available to authenticate the user without requiring further user interaction.

  Parameters:

  request - The current request

  response - The current response

  useSSO - Should information available from SSO be used to attempt to authenticate the current user?

  Returns:

  true if the user was authenticated via the cache, otherwise false

• reauthenticateFromSSO

  protected boolean reauthenticateFromSSO(String ssoId,
                              Request request)

  Attempts reauthentication to the Realm using the credentials included in argument entry.

  Parameters:

  ssoId - identifier of SingleSignOn session with which the caller is associated

  request - the request that needs to be authenticated

  Returns:

  true if the reauthentication from SSL occurred

• register

  public void register(Request request,
              HttpServletResponse response,
              Principal principal,
              String authType,
              String username,
              String password)

  Register an authenticated Principal and authentication type in our request, in the current session (if there is one), and with our SingleSignOn valve, if there is one. Set the appropriate cookie to be returned.

  Parameters:

  request - The servlet request we are processing

  response - The servlet response we are generating

  principal - The authenticated Principal to be registered

  authType - The authentication type to be registered

  username - Username used to authenticate (if any)

  password - Password used to authenticate (if any)

• changeSessionID

  protected String changeSessionID(Request request,
                       Session session)

• login

  public void login(String username,
           String password,
           Request request)
             throws ServletException

  Specified by:

  login in interface Authenticator

  Throws:

  ServletException

• getAuthMethod

  protected abstract String getAuthMethod()

• doLogin

  protected Principal doLogin(Request request,
                  String username,
                  String password)
                       throws ServletException

  Process the login request.

  Parameters:

  request - Associated request

  username - The user

  password - The password

  Returns:

  The authenticated Principal

  Throws:

  ServletException - No principal was authenticated with the specified credentials

• logout

  public void logout(Request request)
              throws ServletException

  Specified by:

  logout in interface Authenticator

  Throws:

  ServletException

• startInternal

  protected void startInternal()
                        throws LifecycleException

  Start this component and implement the requirements of LifecycleBase.startInternal().

  Overrides:

  startInternal in class ValveBase

  Throws:

  LifecycleException - if this component detects a fatal error that prevents this component from being used

• stopInternal

  protected void stopInternal()
                       throws LifecycleException

  Stop this component and implement the requirements of LifecycleBase.stopInternal().

  Overrides:

  stopInternal in class ValveBase

  Throws:

  LifecycleException - if this component detects a fatal error that prevents this component from being used