SingleSignOn (Apache Tomcat 7.0.109 API Documentation)

java.lang.Object
- org.apache.catalina.util.LifecycleBase
- - org.apache.catalina.util.LifecycleMBeanBase
  - - org.apache.catalina.valves.ValveBase
    - - org.apache.catalina.authenticator.SingleSignOn

All Implemented Interfaces:

MBeanRegistration, Contained, JmxEnabled, Lifecycle, Valve

Direct Known Subclasses:

ClusterSingleSignOn
```
public class SingleSignOn
extends ValveBase
```
A Valve that supports a "single sign on" user experience, where the security identity of a user who successfully authenticates to one web application is propagated to other web applications in the same security domain. For successful use, the following requirements must be met:
- This Valve must be configured on the Container that represents a virtual host (typically an implementation of Host).
- The Realm that contains the shared user and role information must be configured on the same Container (or a higher one), and not overridden at the web application level.
- The web applications themselves must use one of the standard Authenticators found in the org.apache.catalina.authenticator package.
Author:

Craig R. McClanahan

Nested Class Summary
- Nested classes/interfaces inherited from interface org.apache.catalina.Lifecycle
  Lifecycle.SingleUse

Field Summary

Fields
Modifier and Type	Field and Description
`protected Map<String,SingleSignOnEntry>`	`cache` The cache of SingleSignOnEntry instances for authenticated Principals, keyed by the cookie value that is used to select them.
`protected static String`	`info` Descriptive information about this Valve implementation.
`protected static boolean`	`LAST_ACCESS_AT_START`

Fields inherited from class org.apache.catalina.valves.ValveBase
asyncSupported, container, containerLog, next

Fields inherited from class org.apache.catalina.util.LifecycleMBeanBase
mserver

Fields inherited from interface org.apache.catalina.Lifecycle
AFTER_DESTROY_EVENT, AFTER_INIT_EVENT, AFTER_START_EVENT, AFTER_STOP_EVENT, BEFORE_DESTROY_EVENT, BEFORE_INIT_EVENT, BEFORE_START_EVENT, BEFORE_STOP_EVENT, CONFIGURE_START_EVENT, CONFIGURE_STOP_EVENT, PERIODIC_EVENT, START_EVENT, STOP_EVENT

Constructor Summary

Constructors
Constructor and Description

SingleSignOn()

Constructors
Constructor and Description
`SingleSignOn()`

Method Summary

Methods
Modifier and Type	Method and Description
`protected boolean`	`associate(String ssoId, Session session)` Associate the specified single sign on identifier with the specified Session.
`protected void`	`deregister(String ssoId)` Deregister the specified single sign on identifier, and invalidate any associated sessions.
`String`	`getCookieDomain()` Returns the optional cookie domain.
`String`	`getInfo()` Return descriptive information about this Valve implementation.
`boolean`	`getRequireReauthentication()` Gets whether each request needs to be reauthenticated (by an Authenticator downstream in the pipeline) to the security `Realm`, or if this Valve can itself bind security info to the request based on the presence of a valid SSO entry without rechecking with the `Realm`.
`protected SessionListener`	`getSessionListener(String ssoId)`
`void`	`invoke(Request request, Response response)` Perform single-sign-on support processing for this request.
`protected boolean`	`reauthenticate(String ssoId, Realm realm, Request request)` Attempts reauthentication to the given `Realm` using the credentials associated with the single sign-on session identified by argument `ssoId`.
`protected void`	`register(String ssoId, Principal principal, String authType, String username, String password)` Register the specified Principal as being associated with the specified value for the single sign on identifier.
`protected void`	`removeSession(String ssoId, Session session)` Remove a single Session from a SingleSignOn.
`void`	`sessionDestroyed(String ssoId, Session session)` Process a session destroyed event by removing references to that session from the caches and - if the session destruction is the result of a logout - destroy the associated SSO session.
`void`	`setCookieDomain(String cookieDomain)` Sets the domain to be used for sso cookies.
`void`	`setRequireReauthentication(boolean required)` Sets whether each request needs to be reauthenticated (by an Authenticator downstream in the pipeline) to the security `Realm`, or if this Valve can itself bind security info to the request, based on the presence of a valid SSO entry, without rechecking with the `Realm`.
`protected void`	`startInternal()` Start this component and implement the requirements of `LifecycleBase.startInternal()`.
`protected void`	`stopInternal()` Stop this component and implement the requirements of `LifecycleBase.stopInternal()`.
`protected boolean`	`update(String ssoId, Principal principal, String authType, String username, String password)` Updates any `SingleSignOnEntry` found under key `ssoId` with the given authentication data.

Methods inherited from class org.apache.catalina.valves.ValveBase
backgroundProcess, event, getContainer, getDomainInternal, getNext, getObjectNameKeyProperties, initInternal, isAsyncSupported, setAsyncSupported, setContainer, setNext, toString

Methods inherited from class org.apache.catalina.util.LifecycleMBeanBase
destroyInternal, getDomain, getObjectName, postDeregister, postRegister, preDeregister, preRegister, register, setDomain, unregister

Methods inherited from class org.apache.catalina.util.LifecycleBase
addLifecycleListener, destroy, findLifecycleListeners, fireLifecycleEvent, getState, getStateName, getThrowOnFailure, init, removeLifecycleListener, setState, setState, setThrowOnFailure, start, stop

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

- Field Detail
  - LAST_ACCESS_AT_START
```
protected static final boolean LAST_ACCESS_AT_START
```
  - cache
```
protected Map<String,SingleSignOnEntry> cache
```
    The cache of SingleSignOnEntry instances for authenticated Principals, keyed by the cookie value that is used to select them.
  - info
```
protected static final String info
```
    Descriptive information about this Valve implementation.
    
    See Also:
    Constant Field Values
- Constructor Detail
  - SingleSignOn
```
public SingleSignOn()
```
- Method Detail
  - getCookieDomain
```
public String getCookieDomain()
```
    Returns the optional cookie domain. May return null.
    
    Returns:
    The cookie domain
  - setCookieDomain
```
public void setCookieDomain(String cookieDomain)
```
    Sets the domain to be used for sso cookies.
    
    Parameters:
    cookieDomain - cookie domain name
  - getRequireReauthentication
```
public boolean getRequireReauthentication()
```
    Gets whether each request needs to be reauthenticated (by an Authenticator downstream in the pipeline) to the security Realm, or if this Valve can itself bind security info to the request based on the presence of a valid SSO entry without rechecking with the Realm.
    
    Returns:
    true if it is required that a downstream Authenticator reauthenticate each request before calls to HttpServletRequest.setUserPrincipal() and HttpServletRequest.setAuthType() are made; false if the Valve can itself make those calls relying on the presence of a valid SingleSignOn entry associated with the request.
    See Also:
    setRequireReauthentication(boolean)
  - setRequireReauthentication
```
public void setRequireReauthentication(boolean required)
```
    Sets whether each request needs to be reauthenticated (by an Authenticator downstream in the pipeline) to the security Realm, or if this Valve can itself bind security info to the request, based on the presence of a valid SSO entry, without rechecking with the Realm.
    If this property is false (the default), this Valve will bind a UserPrincipal and AuthType to the request if a valid SSO entry is associated with the request. It will not notify the security Realm of the incoming request.
    This property should be set to true if the overall server configuration requires that the Realm reauthenticate each request thread. An example of such a configuration would be one where the Realm implementation provides security for both a web tier and an associated EJB tier, and needs to set security credentials on each request thread in order to support EJB access.
    If this property is set to true, this Valve will set flags on the request notifying the downstream Authenticator that the request is associated with an SSO session. The Authenticator will then call its reauthenticateFromSSO method to attempt to reauthenticate the request to the Realm, using any credentials that were cached with this Valve.
    The default value of this property is false, in order to maintain backward compatibility with previous versions of Tomcat.
    
    Parameters:
    required - true if it is required that a downstream Authenticator reauthenticate each request before calls to HttpServletRequest.setUserPrincipal() and HttpServletRequest.setAuthType() are made; false if the Valve can itself make those calls relying on the presence of a valid SingleSignOn entry associated with the request.
    See Also:
    AuthenticatorBase.reauthenticateFromSSO(java.lang.String, org.apache.catalina.connector.Request)
  - getInfo
```
public String getInfo()
```
    Return descriptive information about this Valve implementation.
    
    Specified by:
    
    getInfo in interface Valve
    
    Overrides:
    
    getInfo in class ValveBase
    
    Returns:
    descriptive information about this Valve implementation.
  - invoke
```
public void invoke(Request request,
          Response response)
            throws IOException,
                   ServletException
```
    Perform single-sign-on support processing for this request.
    
    Specified by:
    
    invoke in interface Valve
    
    Specified by:
    
    invoke in class ValveBase
    
    Parameters:
    request - The servlet request we are processing
    response - The servlet response we are creating
    
    Throws:
    
    IOException - if an input/output error occurs
    
    ServletException - if a servlet error occurs
  - sessionDestroyed
```
public void sessionDestroyed(String ssoId,
                    Session session)
```
    Process a session destroyed event by removing references to that session from the caches and - if the session destruction is the result of a logout - destroy the associated SSO session.
    
    Parameters:
    ssoId - The ID of the SSO session which which the destroyed session was associated
    session - The session that has been destroyed
  - associate
```
protected boolean associate(String ssoId,
                Session session)
```
    Associate the specified single sign on identifier with the specified Session.
    
    Parameters:
    ssoId - Single sign on identifier
    session - Session to be associated
    
    Returns:
    true if the session was associated to the given SSO session, otherwise false
  - deregister
```
protected void deregister(String ssoId)
```
    Deregister the specified single sign on identifier, and invalidate any associated sessions.
    
    Parameters:
    ssoId - Single sign on identifier to deregister
  - reauthenticate
```
protected boolean reauthenticate(String ssoId,
                     Realm realm,
                     Request request)
```
    Attempts reauthentication to the given Realm using the credentials associated with the single sign-on session identified by argument ssoId.
    If reauthentication is successful, the Principal and authorization type associated with the SSO session will be bound to the given Request object via calls to Request.setAuthType() and Request.setUserPrincipal()
    
    Parameters:
    ssoId - identifier of SingleSignOn session with which the caller is associated
    realm - Realm implementation against which the caller is to be authenticated
    request - the request that needs to be authenticated
    
    Returns:
    true if reauthentication was successful, false otherwise.
  - register
```
protected void register(String ssoId,
            Principal principal,
            String authType,
            String username,
            String password)
```
    Register the specified Principal as being associated with the specified value for the single sign on identifier.
    
    Parameters:
    ssoId - Single sign on identifier to register
    principal - Associated user principal that is identified
    authType - Authentication type used to authenticate this user principal
    username - Username used to authenticate this user
    password - Password used to authenticate this user
  - update
```
protected boolean update(String ssoId,
             Principal principal,
             String authType,
             String username,
             String password)
```
    Updates any SingleSignOnEntry found under key ssoId with the given authentication data.
    The purpose of this method is to allow an SSO entry that was established without a username/password combination (i.e. established following DIGEST or CLIENT_CERT authentication) to be updated with a username and password if one becomes available through a subsequent BASIC or FORM authentication. The SSO entry will then be usable for reauthentication.
    NOTE: Only updates the SSO entry if a call to SingleSignOnEntry.getCanReauthenticate() returns false; otherwise, it is assumed that the SSO entry already has sufficient information to allow reauthentication and that no update is needed.
    
    Parameters:
    ssoId - identifier of Single sign to be updated
    principal - the Principal returned by the latest call to Realm.authenticate.
    authType - the type of authenticator used (BASIC, CLIENT_CERT, DIGEST or FORM)
    username - the username (if any) used for the authentication
    password - the password (if any) used for the authentication
    
    Returns:
    true if the credentials were updated, otherwise false
  - removeSession
```
protected void removeSession(String ssoId,
                 Session session)
```
    Remove a single Session from a SingleSignOn. Called when a session is timed out and no longer active.
    
    Parameters:
    ssoId - Single sign on identifier from which to remove the session.
    session - the session to be removed.
  - getSessionListener
```
protected SessionListener getSessionListener(String ssoId)
```
  - startInternal
```
protected void startInternal()
                      throws LifecycleException
```
    Description copied from class: ValveBase
    
    Start this component and implement the requirements of LifecycleBase.startInternal().
    
    Overrides:
    
    startInternal in class ValveBase
    
    Throws:
    
    LifecycleException - if this component detects a fatal error that prevents this component from being used
  - stopInternal
```
protected void stopInternal()
                     throws LifecycleException
```
    Description copied from class: ValveBase
    
    Stop this component and implement the requirements of LifecycleBase.stopInternal().
    
    Overrides:
    
    stopInternal in class ValveBase
    
    Throws:
    
    LifecycleException - if this component detects a fatal error that prevents this component from being used

Class SingleSignOn

Nested Class Summary

Nested classes/interfaces inherited from interface org.apache.catalina.Lifecycle

Field Summary

Fields inherited from class org.apache.catalina.valves.ValveBase

Fields inherited from class org.apache.catalina.util.LifecycleMBeanBase

Fields inherited from interface org.apache.catalina.Lifecycle

Constructor Summary

Method Summary

Methods inherited from class org.apache.catalina.valves.ValveBase

Methods inherited from class org.apache.catalina.util.LifecycleMBeanBase

Methods inherited from class org.apache.catalina.util.LifecycleBase

Methods inherited from class java.lang.Object

Field Detail

LAST_ACCESS_AT_START

cache

info

Constructor Detail

SingleSignOn

Method Detail

getCookieDomain

setCookieDomain

getRequireReauthentication

setRequireReauthentication

getInfo

invoke

sessionDestroyed

associate

deregister

reauthenticate

register

update

removeSession

getSessionListener

startInternal

stopInternal