Package org.apache.catalina
Interface Realm
- All Superinterfaces:
  Contained
- All Known Implementing Classes:
  AuthenticatedUserRealm, CombinedRealm, DataSourceRealm, JAASMemoryLoginModule, JAASRealm, JDBCRealm, JNDIRealm, LockOutRealm, MemoryRealm, NullRealm, RealmBase, UserDatabaseRealm
A Realm is a read-only facade for an underlying security realm used to authenticate individual users, and
identify the security roles associated with those users. Realms can be attached at any Container level, but will
typically only be attached to a Context, or higher level, Container.
- Author:
  Craig R. McClanahan
-
Method Summary
Modifier and Type, Method, Description:
- void addPropertyChangeListener
  Add a property change listener to this component.
- authenticate(String username)
  Try to authenticate with the specified username.
- authenticate(String username, String credentials)
  Try to authenticate using the specified username and credentials.
- authenticate(String username, String digest, String nonce, String nc, String cnonce, String qop, String realm, String digestA2)
  Deprecated. Unused.
- default Principal authenticate(String username, String digest, String nonce, String nc, String cnonce, String qop, String realm, String digestA2, String algorithm)
  Try to authenticate with the specified username, which matches the digest calculated using the given parameters using the method described in RFC 7616.
- authenticate(X509Certificate[] certs)
  Try to authenticate using a chain of X509Certificates.
- authenticate(GSSContext gssContext, boolean storeCreds)
  Try to authenticate using a GSSContext.
- default Principal authenticate(GSSName gssName, GSSCredential gssCredential)
  Try to authenticate using a GSSName.
- void backgroundProcess()
  Execute a periodic task, such as reloading, etc.
- findSecurityConstraints(Request request, Context context)
  Find the SecurityConstraints configured to guard the request URI for this request.
- String[] getRoles
  Deprecated. This will be removed in Tomcat 10.
- boolean hasResourcePermission(Request request, Response response, SecurityConstraint[] constraint, Context context)
  Perform access control based on the specified authorization constraint.
- boolean hasRole
  Check if the specified Principal has the specified security role, within the context of this Realm.
- boolean hasUserDataPermission(Request request, Response response, SecurityConstraint[] constraint)
  Enforce any user data constraint required by the security constraint guarding this request URI.
- default boolean isAvailable()
  Return the availability of the realm for authentication.
- void removePropertyChangeListener
  Remove a property change listener from this component.
- void setCredentialHandler(CredentialHandler credentialHandler)
  Set the CredentialHandler to be used by this Realm.

Methods inherited from interface org.apache.catalina.Contained:
getContainer, setContainer
-
Method Details
-
getCredentialHandler
CredentialHandler getCredentialHandler()
- Returns:
  the CredentialHandler configured for this Realm.
-
setCredentialHandler
Set the CredentialHandler to be used by this Realm.
- Parameters:
  credentialHandler - the CredentialHandler to use
-
addPropertyChangeListener
Add a property change listener to this component.
- Parameters:
  listener - The listener to add
-
authenticate
Try to authenticate with the specified username.
- Parameters:
  username - Username of the Principal to look up
- Returns:
  the associated principal, or null if none is associated.
-
authenticate
Try to authenticate using the specified username and credentials.
- Parameters:
  username - Username of the Principal to look up
  credentials - Password or other credentials to use in authenticating this username
- Returns:
  the associated principal, or null if there is none
-
authenticate
@Deprecated Principal authenticate(String username, String digest, String nonce, String nc, String cnonce, String qop, String realm, String digestA2)
Deprecated. Unused. Use authenticate(String, String, String, String, String, String, String, String, String). Will be removed in Tomcat 11.
Try to authenticate with the specified username, which matches the digest calculated using the given parameters using the method described in RFC 2617 (which is a superset of RFC 2069).
- Parameters:
  username - Username of the Principal to look up
  digest - Digest which has been submitted by the client
  nonce - Unique (or supposedly unique) token which has been used for this request
  nc - the nonce counter
  cnonce - the client chosen nonce
  qop - the "quality of protection" (nc and cnonce will only be used, if qop is not null).
  realm - Realm name
  digestA2 - Second digest calculated as digest(Method + ":" + uri)
- Returns:
  the associated principal, or null if there is none.
-
authenticate
default Principal authenticate(String username, String digest, String nonce, String nc, String cnonce, String qop, String realm, String digestA2, String algorithm)
Try to authenticate with the specified username, which matches the digest calculated using the given parameters using the method described in RFC 7616.
The default implementation calls authenticate(String, String, String, String, String, String, String, String) for backwards compatibility which effectively forces the use of MD5 regardless of the algorithm specified in the call to this method.
Implementations are expected to override the default implementation and take account of the algorithm parameter.
- Parameters:
  username - Username of the Principal to look up
  digest - Digest which has been submitted by the client
  nonce - Unique (or supposedly unique) token which has been used for this request
  nc - the nonce counter
  cnonce - the client chosen nonce
  qop - the "quality of protection" (nc and cnonce will only be used, if qop is not null).
  realm - Realm name
  digestA2 - Second digest calculated as digest(Method + ":" + uri)
  algorithm - The message digest algorithm to use
- Returns:
  the associated principal, or null if there is none.
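
The effect of the default implementation described above, as an added example (not Tomcat code): it recomputes the expected digest from the same parameters this method receives and compares a realm that honours the algorithm argument with one that always uses MD5. The class and helper names, the sample values, the plain-text password and the use of java.security.MessageDigest names for the algorithm argument are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Added illustration; not Tomcat code. Class and method names are hypothetical. */
public class DigestCheckExample {

    /** Lower-case hex of digest(text); algorithm is a MessageDigest name (assumption). */
    static String h(String algorithm, String text) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance(algorithm);
        StringBuilder sb = new StringBuilder();
        for (byte b : md.digest(text.getBytes(StandardCharsets.UTF_8))) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    /** Server-side expected response, built from the parameters the Realm method receives. */
    static String expected(String username, String password, String nonce, String nc, String cnonce,
            String qop, String realm, String digestA2, String algorithm) throws NoSuchAlgorithmException {
        String a1 = h(algorithm, username + ":" + realm + ":" + password);
        // nc, cnonce and qop only take part when qop is not null.
        String mid = (qop == null) ? nonce : nonce + ":" + nc + ":" + cnonce + ":" + qop;
        return h(algorithm, a1 + ":" + mid + ":" + digestA2);
    }

    /** Constant-time comparison of the client digest with the expected value. */
    static boolean matches(String clientDigest, String expectedDigest) {
        return MessageDigest.isEqual(clientDigest.getBytes(StandardCharsets.US_ASCII),
                expectedDigest.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values, not taken from a real exchange.
        String user = "alice", pw = "example-password", realm = "example-realm";
        String nonce = "constructed-nonce", nc = "00000001", cnonce = "constructed-cnonce", qop = "auth";
        String a2 = h("SHA-256", "GET:/protected/index.html");

        // Digest a client would submit after calculating its response with SHA-256.
        String client = expected(user, pw, nonce, nc, cnonce, qop, realm, a2, "SHA-256");

        // Case 1: the realm overrides the method and recomputes with the algorithm it was given.
        System.out.println(matches(client, expected(user, pw, nonce, nc, cnonce, qop, realm, a2, "SHA-256")));
        // Case 2: the realm falls back to the eight-argument method and recomputes with MD5.
        System.out.println(matches(client, expected(user, pw, nonce, nc, cnonce, qop, realm, a2, "MD5")));
    }
}
```

A realm in the second case can only authenticate clients whose response was calculated with MD5, which is why implementations are expected to override the nine-argument method.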
-
authenticate
Try to authenticate using a GSSContext.
- Parameters:
  gssContext - The gssContext processed by the Authenticator.
  storeCreds - Should the realm attempt to store the delegated credentials in the returned Principal?
- Returns:
  the associated principal, or null if there is none
-
authenticate
Try to authenticate using a GSSName. Note that this default method will be turned into an abstract one in Tomcat 10.
- Parameters:
  gssName - The GSSName of the principal to look up
  gssCredential - The GSSCredential of the principal, may be null
- Returns:
  the associated principal, or null if there is none
-
authenticate
Try to authenticate using a chain of X509Certificates.
- Parameters:
  certs - Array of client certificates, with the first one in the array being the certificate of the client itself.
- Returns:
  the associated principal, or null if there is none
-
backgroundProcess
void backgroundProcess()
Execute a periodic task, such as reloading, etc. This method will be invoked inside the classloading context of this container. Unexpected throwables will be caught and logged.
-
findSecurityConstraints
Find the SecurityConstraints configured to guard the request URI for this request.
- Parameters:
  request - Request we are processing
  context - Context the Request is mapped to
- Returns:
  the configured SecurityConstraint, or null if there is none
-
hasResourcePermission
boolean hasResourcePermission(Request request, Response response, SecurityConstraint[] constraint, Context context) throws IOException
Perform access control based on the specified authorization constraint.
- Parameters:
  request - Request we are processing
  response - Response we are creating
  constraint - Security constraint we are enforcing
  context - The Context to which client of this class is attached.
- Returns:
  true if this constraint is satisfied and processing should continue, or false otherwise
- Throws:
  IOException - if an input/output error occurs
-
hasRole
Check if the specified Principal has the specified security role, within the context of this Realm.
- Parameters:
  wrapper - wrapper context for evaluating role
  principal - Principal for whom the role is to be checked
  role - Security role to be checked
- Returns:
  true if the specified Principal has the specified security role, within the context of this Realm; otherwise return false.
-
hasUserDataPermission
boolean hasUserDataPermission(Request request, Response response, SecurityConstraint[] constraint) throws IOException
Enforce any user data constraint required by the security constraint guarding this request URI.
- Parameters:
  request - Request we are processing
  response - Response we are creating
  constraint - Security constraint being checked
- Returns:
  true if this constraint was not violated and processing should continue, or false if we have created a response already.
- Throws:
  IOException - if an input/output error occurs
-
removePropertyChangeListener
Remove a property change listener from this component.
- Parameters:
  listener - The listener to remove
-
getRoles
Deprecated. This will be removed in Tomcat 10.
Return roles associated with given principal
- Parameters:
  principal - the Principal to get the roles for.
- Returns:
  principal roles
-
isAvailable
default boolean isAvailable()
Return the availability of the realm for authentication.
- Returns:
  true if the realm is able to perform authentication
-