Field Detail

• container

  protected Container container

  The Container with which this Realm is associated.

• containerLog

  protected Log containerLog

  Container log

• digest

  @Deprecated
  protected java.lang.String digest

  Deprecated. Unused. Will be removed in Tomcat 8.5.x onwards.
  Digest algorithm used in storing passwords in a non-plaintext format. Valid values are those accepted for the algorithm name by the MessageDigest class, or null if no digesting should be performed.

• digestEncoding

  @Deprecated
  protected java.lang.String digestEncoding

  Deprecated. Unused. Will be removed in Tomcat 8.5.x onwards.
  The encoding charset for the digest.

• md

  @Deprecated
  protected volatile java.security.MessageDigest md

  Deprecated. Unused. Will be removed in Tomcat 8.5.x onwards.
  The MessageDigest object for digesting user credentials (passwords).

• md5Helper

  @Deprecated
  protected static volatile java.security.MessageDigest md5Helper

  Deprecated. Unused. Will be removed in Tomcat 8.5.x onwards.
  MD5 message digest provider.

• sm

  protected static final StringManager sm

  The string manager for this package.

• support

  protected final java.beans.PropertyChangeSupport support

  The property change support for this component.

• validate

  protected boolean validate

  Should we validate client certificate chains when they are presented?

• x509UsernameRetrieverClassName

  protected java.lang.String x509UsernameRetrieverClassName

  The name of the class to use for retrieving user names from X509 certificates.

• x509UsernameRetriever

  protected X509UsernameRetriever x509UsernameRetriever

  The object that will extract user names from X509 client certificates.

• allRolesMode

  protected RealmBase.AllRolesMode allRolesMode

  The all role mode.

• stripRealmForGss

  protected boolean stripRealmForGss

  When processing users authenticated via the GSS-API, should any "@..." be stripped from the end of the user name?

• realmPath

  protected java.lang.String realmPath

Constructor Detail

• RealmBase

  public RealmBase()

Method Detail

• getTransportGuaranteeRedirectStatus

  public int getTransportGuaranteeRedirectStatus()

  Returns:

  The HTTP status code used when the container needs to issue an HTTP redirect to meet the requirements of a configured transport guarantee.

• setTransportGuaranteeRedirectStatus

  public void setTransportGuaranteeRedirectStatus(int transportGuaranteeRedirectStatus)

  Set the HTTP status code used when the container needs to issue an HTTP redirect to meet the requirements of a configured transport guarantee.

  Parameters:

  transportGuaranteeRedirectStatus - The status to use. This value is not validated

• getCredentialHandler

  public CredentialHandler getCredentialHandler()

  Specified by:

  getCredentialHandler in interface Realm

  Returns:

  the CredentialHandler configured for this Realm.

• setCredentialHandler

  public void setCredentialHandler(CredentialHandler credentialHandler)

  Description copied from interface: Realm
  Set the CredentialHandler to be used by this Realm.

  Specified by:

  setCredentialHandler in interface Realm

  Parameters:

  credentialHandler - the CredentialHandler to use

• getContainer

  public Container getContainer()

  Return the Container with which this Realm has been associated.

  Specified by:

  getContainer in interface Realm

  Returns:

  the Container with which this Realm has been associated.

• setContainer

  public void setContainer(Container container)

  Set the Container with which this Realm has been associated.

  Specified by:

  setContainer in interface Realm

  Parameters:

  container - The associated Container

• getAllRolesMode

  public java.lang.String getAllRolesMode()

  Return the all roles mode.

  Returns:

  A string representation of the current all roles mode

• setAllRolesMode

  public void setAllRolesMode(java.lang.String allRolesMode)

  Set the all roles mode.

  Parameters:

  allRolesMode - A string representation of the new all roles mode

• getDigest

  @Deprecated
  public java.lang.String getDigest()

  Deprecated. This will be removed in Tomcat 8.5.x as it has been replaced by the CredentialHandler
  Return the digest algorithm used for storing credentials.

  Returns:

  The currently configured algorithm used to digest stored credentials

• setDigest

  @Deprecated
  public void setDigest(java.lang.String digest)

  Deprecated. This will be removed in Tomcat 8.5.x as it has been replaced by the CredentialHandler
  Set the digest algorithm used for storing credentials.

  Parameters:

  digest - The new digest algorithm

• getDigestEncoding

  @Deprecated
  public java.lang.String getDigestEncoding()

  Deprecated. This will be removed in Tomcat 8.5.x as it has been replaced by the CredentialHandler
  Returns the digest encoding charset.

  Returns:

  The charset (may be null) for platform default

• setDigestEncoding

  @Deprecated
  public void setDigestEncoding(java.lang.String charset)

  Deprecated. This will be removed in Tomcat 8.5.x as it has been replaced by the CredentialHandler
  Sets the digest encoding charset.

  Parameters:

  charset - The charset (null for platform default)

• getDigestCharset

  @Deprecated
  protected java.nio.charset.Charset getDigestCharset()
                                               throws java.io.UnsupportedEncodingException

  Deprecated. This will be removed in Tomcat 8.5.x as it has been replaced by the CredentialHandler

  Throws:

  java.io.UnsupportedEncodingException

• getValidate

  public boolean getValidate()

  Return the "validate certificate chains" flag.

  Returns:

  The value of the validate certificate chains flag

• setValidate

  public void setValidate(boolean validate)

  Set the "validate certificate chains" flag.

  Parameters:

  validate - The new validate certificate chains flag

• getX509UsernameRetrieverClassName

  public java.lang.String getX509UsernameRetrieverClassName()

  Gets the name of the class that will be used to extract user names from X509 client certificates.

  Returns:

  The name of the class that will be used to extract user names from X509 client certificates.

• setX509UsernameRetrieverClassName

  public void setX509UsernameRetrieverClassName(java.lang.String className)

  Sets the name of the class that will be used to extract user names from X509 client certificates. The class must implement X509UsernameRetriever.

  Parameters:

  className - The name of the class that will be used to extract user names from X509 client certificates.

  See Also:

  X509UsernameRetriever

• isStripRealmForGss

  public boolean isStripRealmForGss()

• setStripRealmForGss

  public void setStripRealmForGss(boolean stripRealmForGss)

• addPropertyChangeListener

  public void addPropertyChangeListener(java.beans.PropertyChangeListener listener)

  Add a property change listener to this component.

  Specified by:

  addPropertyChangeListener in interface Realm

  Parameters:

  listener - The listener to add

• authenticate

  public java.security.Principal authenticate(java.lang.String username)

  Return the Principal associated with the specified username, if there is one; otherwise return null.

  Specified by:

  authenticate in interface Realm

  Parameters:

  username - Username of the Principal to look up

  Returns:

  the associated principal, or null if none is associated.

• authenticate

  public java.security.Principal authenticate(java.lang.String username,
                                     java.lang.String credentials)

  Return the Principal associated with the specified username and credentials, if there is one; otherwise return null.

  Specified by:

  authenticate in interface Realm

  Parameters:

  username - Username of the Principal to look up

  credentials - Password or other credentials to use in authenticating this username

  Returns:

  the associated principal, or null if there is none.

• authenticate

  public java.security.Principal authenticate(java.lang.String username,
                                     java.lang.String clientDigest,
                                     java.lang.String nonce,
                                     java.lang.String nc,
                                     java.lang.String cnonce,
                                     java.lang.String qop,
                                     java.lang.String realm,
                                     java.lang.String md5a2)

  Try to authenticate with the specified username, which matches the digest calculated using the given parameters using the method described in RFC 2617 (which is a superset of RFC 2069).

  Specified by:

  authenticate in interface Realm

  Parameters:

  username - Username of the Principal to look up

  clientDigest - Digest which has been submitted by the client

  nonce - Unique (or supposedly unique) token which has been used for this request

  nc - the nonce counter

  cnonce - the client chosen nonce

  qop - the "quality of protection" (nc and cnonce will only be used, if qop is not null).

  realm - Realm name

  md5a2 - Second MD5 digest used to calculate the digest : MD5(Method + ":" + uri)

  Returns:

  the associated principal, or null if there is none.

• authenticate

  public java.security.Principal authenticate(java.security.cert.X509Certificate[] certs)

  Return the Principal associated with the specified chain of X509 client certificates. If there is none, return null.

  Specified by:

  authenticate in interface Realm

  Parameters:

  certs - Array of client certificates, with the first one in the array being the certificate of the client itself.

  Returns:

  the associated principal, or null if there is none

• authenticate

  public java.security.Principal authenticate(org.ietf.jgss.GSSContext gssContext,
                                     boolean storeCreds)

  Try to authenticate using a GSSContext

  Specified by:

  authenticate in interface Realm

  Parameters:

  gssContext - The gssContext processed by the Authenticator.

  storeCreds - Should the realm attempt to store the delegated credentials in the returned Principal?

  Returns:

  the associated principal, or null if there is none

• compareCredentials

  @Deprecated
  protected boolean compareCredentials(java.lang.String userCredentials,
                                      java.lang.String serverCredentials)

  Deprecated. Unused. Will be removed in Tomcat 8.5.x onwards.

• backgroundProcess

  public void backgroundProcess()

  Execute a periodic task, such as reloading, etc. This method will be invoked inside the classloading context of this container. Unexpected throwables will be caught and logged.

  Specified by:

  backgroundProcess in interface Realm

• findSecurityConstraints

  public SecurityConstraint[] findSecurityConstraints(Request request,
                                             Context context)

  Return the SecurityConstraints configured to guard the request URI for this request, or null if there is no such constraint.

  Specified by:

  findSecurityConstraints in interface Realm

  Parameters:

  request - Request we are processing

  context - Context the Request is mapped to

  Returns:

  the configured SecurityConstraint, of null if there is none

• hasResourcePermission

  public boolean hasResourcePermission(Request request,
                              Response response,
                              SecurityConstraint[] constraints,
                              Context context)
                                throws java.io.IOException

  Perform access control based on the specified authorization constraint. Return true if this constraint is satisfied and processing should continue, or false otherwise.

  Specified by:

  hasResourcePermission in interface Realm

  Parameters:

  request - Request we are processing

  response - Response we are creating

  constraints - Security constraint we are enforcing

  context - The Context to which client of this class is attached.

  Returns:

  true if this constraint is satisfied and processing should continue, or false otherwise

  Throws:

  java.io.IOException - if an input/output error occurs

• hasRole

  public boolean hasRole(Wrapper wrapper,
                java.security.Principal principal,
                java.lang.String role)

  Return true if the specified Principal has the specified security role, within the context of this Realm; otherwise return false. This method can be overridden by Realm implementations, but the default is adequate when an instance of GenericPrincipal is used to represent authenticated Principals from this Realm.

  Specified by:

  hasRole in interface Realm

  Parameters:

  principal - Principal for whom the role is to be checked

  role - Security role to be checked

  wrapper - wrapper context for evaluating role

  Returns:

  true if the specified Principal has the specified security role, within the context of this Realm; otherwise return false.

• hasUserDataPermission

  public boolean hasUserDataPermission(Request request,
                              Response response,
                              SecurityConstraint[] constraints)
                                throws java.io.IOException

  Enforce any user data constraint required by the security constraint guarding this request URI. Return true if this constraint was not violated and processing should continue, or false if we have created a response already.

  Specified by:

  hasUserDataPermission in interface Realm

  Parameters:

  request - Request we are processing

  response - Response we are creating

  constraints - Security constraint being checked

  Returns:

  true if this constraint was not violated and processing should continue, or false if we have created a response already.

  Throws:

  java.io.IOException - if an input/output error occurs

• removePropertyChangeListener

  public void removePropertyChangeListener(java.beans.PropertyChangeListener listener)

  Remove a property change listener from this component.

  Specified by:

  removePropertyChangeListener in interface Realm

  Parameters:

  listener - The listener to remove

• initInternal

  protected void initInternal()
                       throws LifecycleException

  Description copied from class: LifecycleMBeanBase
  Sub-classes wishing to perform additional initialization should override this method, ensuring that super.initInternal() is the first call in the overriding method.

  Overrides:

  initInternal in class LifecycleMBeanBase

  Throws:

  LifecycleException

• startInternal

  protected void startInternal()
                        throws LifecycleException

  Prepare for the beginning of active use of the public methods of this component and implement the requirements of LifecycleBase.startInternal().

  Specified by:

  startInternal in class LifecycleBase

  Throws:

  LifecycleException - if this component detects a fatal error that prevents this component from being used

• stopInternal

  protected void stopInternal()
                       throws LifecycleException

  Gracefully terminate the active use of the public methods of this component and implement the requirements of LifecycleBase.stopInternal().

  Specified by:

  stopInternal in class LifecycleBase

  Throws:

  LifecycleException - if this component detects a fatal error that needs to be reported

• toString

  public java.lang.String toString()

  Return a String representation of this component.

  Overrides:

  toString in class java.lang.Object

• digest

  @Deprecated
  protected java.lang.String digest(java.lang.String credentials)

  Deprecated. Used. Will be removed in Tomcat 9.
  Digest the password using the specified algorithm and convert the result to a corresponding hexadecimal string. If exception, the plain credentials string is returned.

  Parameters:

  credentials - Password or other credentials to use in authenticating this username

• hasMessageDigest

  protected boolean hasMessageDigest()

• getDigest

  protected java.lang.String getDigest(java.lang.String username,
                           java.lang.String realmName)

  Return the digest associated with given principal's user name.

  Parameters:

  username - the user name

  realmName - the realm name

  Returns:

  the digest for the specified user

• getName

  protected abstract java.lang.String getName()

  Returns:

  a short name for this Realm implementation, for use in log messages.

• getPassword

  protected abstract java.lang.String getPassword(java.lang.String username)

  Get the password for the specified user.

  Parameters:

  username - The user name

  Returns:

  the password associated with the given principal's user name.

• getPrincipal

  protected java.security.Principal getPrincipal(java.security.cert.X509Certificate usercert)

  Get the principal associated with the specified certificate.

  Parameters:

  usercert - The user certificate

  Returns:

  the Principal associated with the given certificate.

• getPrincipal

  protected abstract java.security.Principal getPrincipal(java.lang.String username)

  Get the principal associated with the specified user.

  Parameters:

  username - The user name

  Returns:

  the Principal associated with the given user name.

• getPrincipal

  protected java.security.Principal getPrincipal(java.lang.String username,
                                     org.ietf.jgss.GSSCredential gssCredential)

• getServer

  protected Server getServer()

  Return the Server object that is the ultimate parent for the container with which this Realm is associated. If the server cannot be found (eg because the container hierarchy is not complete), null is returned.

  Returns:

  the Server associated with the realm

• Digest

  @Deprecated
  public static final java.lang.String Digest(java.lang.String credentials,
                                   java.lang.String algorithm,
                                   java.lang.String encoding)

  Deprecated. Unused. This will be removed in Tomcat 9.
  Digest password using the algorithm specified and convert the result to a corresponding hex string.

  Parameters:

  credentials - Password or other credentials to use in authenticating this username

  algorithm - Algorithm used to do the digest

  encoding - Character encoding of the string to digest

  Returns:

  The digested credentials as a hex string or the original plain text credentials if an error occurs.

• main

  public static void main(java.lang.String[] args)

  Generate a stored credential string for the given password and associated parameters.

  The following parameters are supported:

  • -a - The algorithm to use to generate the stored credential. If not specified a default of SHA-512 will be used.
  • -e - The encoding to use for any byte to/from character conversion that may be necessary. If not specified, the system encoding (Charset.defaultCharset()) will be used.
  • -i - The number of iterations to use when generating the stored credential. If not specified, the default for the CredentialHandler will be used.
  • -s - The length (in bytes) of salt to generate and store as part of the credential. If not specified, the default for the CredentialHandler will be used.
  • -k - The length (in bits) of the key(s), if any, created while generating the credential. If not specified, the default for the CredentialHandler will be used.
  • -h - The fully qualified class name of the CredentialHandler to use. If not specified, the built-in handlers will be tested in turn and the first one to accept the specified algorithm will be used.

  This generation process currently supports the following CredentialHandlers, the correct one being selected based on the algorithm specified:

  • MessageDigestCredentialHandler
  • SecretKeyCredentialHandler

  Parameters:

  args - The parameters passed on the command line

• getObjectNameKeyProperties

  public java.lang.String getObjectNameKeyProperties()

  Description copied from class: LifecycleMBeanBase
  Allow sub-classes to specify the key properties component of the ObjectName that will be used to register this component.

  Specified by:

  getObjectNameKeyProperties in class LifecycleMBeanBase

  Returns:

  The string representation of the key properties component of the desired ObjectName

• getDomainInternal

  public java.lang.String getDomainInternal()

  Description copied from class: LifecycleMBeanBase
  Method implemented by sub-classes to identify the domain in which MBeans should be registered.

  Specified by:

  getDomainInternal in class LifecycleMBeanBase

  Returns:

  The name of the domain to use to register MBeans.

• getRealmPath

  public java.lang.String getRealmPath()

• setRealmPath

  public void setRealmPath(java.lang.String theRealmPath)

• getRealmSuffix

  protected java.lang.String getRealmSuffix()