Class AuthenticatorBase
java.lang.Object
org.apache.catalina.util.LifecycleBase
org.apache.catalina.util.LifecycleMBeanBase
org.apache.catalina.valves.ValveBase
org.apache.catalina.authenticator.AuthenticatorBase
- All Implemented Interfaces:
MBeanRegistration
,RegistrationListener
,Authenticator
,Contained
,JmxEnabled
,Lifecycle
,Valve
- Direct Known Subclasses:
BasicAuthenticator
,DigestAuthenticator
,FormAuthenticator
,NonLoginAuthenticator
,SpnegoAuthenticator
,SSLAuthenticator
public abstract class AuthenticatorBase
extends ValveBase
implements Authenticator, RegistrationListener
Basic implementation of the Valve interface that enforces the
<security-constraint>
elements in the web application deployment descriptor. This functionality is implemented as a Valve so that it can be
omitted in environments that do not require these features. Individual implementations of each supported
authentication method can subclass this base class as required.
USAGE CONSTRAINT: When this class is utilized, the Context to which it is attached (or a parent Container in a hierarchy) must have an associated Realm that can be used for authenticating users and enumerating the roles to which they have been assigned.
USAGE CONSTRAINT: This Valve is only useful when processing HTTP requests. Requests of any other type will simply be passed through.
- Author:
- Craig R. McClanahan
-
Nested Class Summary
Nested classes/interfaces inherited from interface org.apache.catalina.Lifecycle
Lifecycle.SingleUse
-
Field Summary
Modifier and TypeFieldDescriptionprotected boolean
Should a session always be used once a user is authenticated?protected static final String
Authentication headerprotected boolean
Should we cache authenticated Principals if the request is part of an HTTP session?protected boolean
Should the session ID, if any, be changed upon a successful authentication to prevent a session fixation attack?protected Context
The Context to which this Valve is attached.protected boolean
Flag to determine if we disable proxy caching, or leave the issue up to the webapp developer.protected String
The name of the JASPIC callback handler class.protected static final String
Default authentication realm name.protected boolean
Flag to determine if we disable proxy caching with headers incompatible with IE.protected String
The name of the algorithm to use to create instances ofSecureRandom
which are used to generate SSO session IDs.protected String
The Java class name of the secure random number generator class to be used when generating SSO session identifiers.protected String
The name of the provider to use to create instances ofSecureRandom
which are used to generate session SSO IDs.protected boolean
Should the auth information (remote user and auth type) be returned as response headers for a forwarded/proxied request?protected SessionIdGeneratorBase
protected static final StringManager
The string manager for this package.protected SingleSignOn
The SingleSignOn implementation in our request processing chain, if there is one.Fields inherited from class org.apache.catalina.valves.ValveBase
asyncSupported, container, containerLog, next
Fields inherited from class org.apache.catalina.util.LifecycleMBeanBase
mserver
Fields inherited from interface org.apache.catalina.Lifecycle
AFTER_DESTROY_EVENT, AFTER_INIT_EVENT, AFTER_START_EVENT, AFTER_STOP_EVENT, BEFORE_DESTROY_EVENT, BEFORE_INIT_EVENT, BEFORE_START_EVENT, BEFORE_STOP_EVENT, CONFIGURE_START_EVENT, CONFIGURE_STOP_EVENT, PERIODIC_EVENT, START_EVENT, STOP_EVENT
-
Constructor Summary
-
Method Summary
Modifier and TypeMethodDescriptionprotected boolean
allowCorsPreflightBypass
(Request request) protected void
Associate the specified single sign on identifier with the specified Session.boolean
authenticate
(Request request, HttpServletResponse httpResponse) Authenticate the user making this request, based on the login configuration of theContext
with which this Authenticator is associated.protected String
changeSessionID
(Request request, Session session) protected boolean
checkForCachedAuthentication
(Request request, HttpServletResponse response, boolean useSSO) Check to see if the user has already been authenticated earlier in the processing chain or if there is enough information available to authenticate the user without requiring further user interaction.protected abstract boolean
doAuthenticate
(Request request, HttpServletResponse response) Provided for sub-classes to implement their specific authentication mechanism.protected Principal
Process the login request.boolean
protected abstract String
Return the authentication method, which is vendor-specific and not defined by HttpServletRequest.boolean
getCache()
Return the cache authenticated Principals flag.boolean
Return the flag that states if we should change the session ID of an existing session upon successful authentication.Get theContainer
with which this instance is associated.boolean
Return the flag that states if we add headers to disable caching by proxies.Return the JASPIC callback handler class nameprotected static String
getRealmName
(Context context) boolean
Return the flag that states, if proxy caching is disabled, what headers we add to disable the caching.Return the secure random number generator algorithm name.Return the secure random number generator class name.Return the secure random number generator provider name.void
Enforce the security restrictions in the web application deployment descriptor of our associated Context.protected boolean
isContinuationRequired
(Request request) Does this authenticator require thatauthenticate(Request, HttpServletResponse)
is called to continue an authentication process that started in a previous request?protected boolean
isPreemptiveAuthPossible
(Request request) Can the authenticator perform preemptive authentication for the given request?boolean
Returns the flag whether authentication information will be sent to a reverse proxy on a forwarded request.void
void
void
protected boolean
reauthenticateFromSSO
(String ssoId, Request request) Attempts reauthentication to theRealm
using the credentials included in argumententry
.void
register
(Request request, HttpServletResponse response, Principal principal, String authType, String username, String password) Register an authenticated Principal and authentication type in our request, in the current session (if there is one), and with our SingleSignOn valve, if there is one.protected void
register
(Request request, HttpServletResponse response, Principal principal, String authType, String username, String password, boolean alwaysUseSession, boolean cache) Register an authenticated Principal and authentication type in our request, in the current session (if there is one), and with our SingleSignOn valve, if there is one.void
setAllowCorsPreflight
(String allowCorsPreflight) void
setAlwaysUseSession
(boolean alwaysUseSession) void
setCache
(boolean cache) Set the cache authenticated Principals flag.void
setChangeSessionIdOnAuthentication
(boolean changeSessionIdOnAuthentication) Set the value of the flag that states if we should change the session ID of an existing session upon successful authentication.void
setContainer
(Container container) Set theContainer
with which this instance is associated.void
setDisableProxyCaching
(boolean nocache) Set the value of the flag that states if we add headers to disable caching by proxies.void
setJaspicCallbackHandlerClass
(String jaspicCallbackHandlerClass) Set the JASPIC callback handler class namevoid
setSecurePagesWithPragma
(boolean securePagesWithPragma) Set the value of the flag that states what headers we add to disable proxy caching.void
setSecureRandomAlgorithm
(String secureRandomAlgorithm) Set the secure random number generator algorithm name.void
setSecureRandomClass
(String secureRandomClass) Set the secure random number generator class name.void
setSecureRandomProvider
(String secureRandomProvider) Set the secure random number generator provider name.void
setSendAuthInfoResponseHeaders
(boolean sendAuthInfoResponseHeaders) Sets the flag whether authentication information will be send to a reverse proxy on a forwarded request.protected void
Start this component and implement the requirements ofLifecycleBase.startInternal()
.protected void
Stop this component and implement the requirements ofLifecycleBase.stopInternal()
.Methods inherited from class org.apache.catalina.valves.ValveBase
backgroundProcess, getDomainInternal, getNext, getObjectNameKeyProperties, initInternal, isAsyncSupported, setAsyncSupported, setNext, toString
Methods inherited from class org.apache.catalina.util.LifecycleMBeanBase
destroyInternal, getDomain, getObjectName, postDeregister, postRegister, preDeregister, preRegister, register, setDomain, unregister, unregister
Methods inherited from class org.apache.catalina.util.LifecycleBase
addLifecycleListener, destroy, findLifecycleListeners, fireLifecycleEvent, getState, getStateName, getThrowOnFailure, init, removeLifecycleListener, setState, setState, setThrowOnFailure, start, stop
-
Field Details
-
sm
The string manager for this package. -
AUTH_HEADER_NAME
Authentication header- See Also:
-
REALM_NAME
Default authentication realm name.- See Also:
-
alwaysUseSession
protected boolean alwaysUseSessionShould a session always be used once a user is authenticated? This may offer some performance benefits since the session can then be used to cache the authenticated Principal, hence removing the need to authenticate the user via the Realm on every request. This may be of help for combinations such as BASIC authentication used with the JNDIRealm or DataSourceRealms. However there will also be the performance cost of creating and GC'ing the session. By default, a session will not be created. -
cache
protected boolean cacheShould we cache authenticated Principals if the request is part of an HTTP session? -
changeSessionIdOnAuthentication
protected boolean changeSessionIdOnAuthenticationShould the session ID, if any, be changed upon a successful authentication to prevent a session fixation attack? -
context
The Context to which this Valve is attached. -
disableProxyCaching
protected boolean disableProxyCachingFlag to determine if we disable proxy caching, or leave the issue up to the webapp developer. -
securePagesWithPragma
protected boolean securePagesWithPragmaFlag to determine if we disable proxy caching with headers incompatible with IE. -
secureRandomClass
The Java class name of the secure random number generator class to be used when generating SSO session identifiers. The random number generator class must be self-seeding and have a zero-argument constructor. If not specified, an instance ofSecureRandom
will be generated. -
secureRandomAlgorithm
The name of the algorithm to use to create instances ofSecureRandom
which are used to generate SSO session IDs. If no algorithm is specified, SHA1PRNG is used. If SHA1PRNG is not available, the platform default will be used. To use the platform default (which may be SHA1PRNG), specify the empty string. If an invalid algorithm and/or provider is specified the SecureRandom instances will be created using the defaults. If that fails, the SecureRandom instances will be created using platform defaults. -
secureRandomProvider
The name of the provider to use to create instances ofSecureRandom
which are used to generate session SSO IDs. If no provider is specified the platform default is used. If an invalid algorithm and/or provider is specified the SecureRandom instances will be created using the defaults. If that fails, the SecureRandom instances will be created using platform defaults. -
jaspicCallbackHandlerClass
The name of the JASPIC callback handler class. If none is specified the defaultCallbackHandlerImpl
will be used. -
sendAuthInfoResponseHeaders
protected boolean sendAuthInfoResponseHeadersShould the auth information (remote user and auth type) be returned as response headers for a forwarded/proxied request? When theRemoteIpValve
orRemoteIpFilter
mark a forwarded request with theGlobals.REQUEST_FORWARDED_ATTRIBUTE
this authenticator can return the values ofHttpServletRequest.getRemoteUser()
andHttpServletRequest.getAuthType()
as response headersremote-user
andauth-type
to a reverse proxy. This is useful, e.g., for access log consistency or other decisions to make. -
sessionIdGenerator
-
sso
The SingleSignOn implementation in our request processing chain, if there is one.
-
-
Constructor Details
-
AuthenticatorBase
public AuthenticatorBase()
-
-
Method Details
-
getRealmName
-
getAllowCorsPreflight
-
setAllowCorsPreflight
-
getAlwaysUseSession
public boolean getAlwaysUseSession() -
setAlwaysUseSession
public void setAlwaysUseSession(boolean alwaysUseSession) -
getCache
public boolean getCache()Return the cache authenticated Principals flag.- Returns:
true
if authenticated Principals will be cached, otherwisefalse
-
setCache
public void setCache(boolean cache) Set the cache authenticated Principals flag.- Parameters:
cache
- The new cache flag
-
getContainer
Description copied from interface:Contained
Get theContainer
with which this instance is associated.- Specified by:
getContainer
in interfaceContained
- Overrides:
getContainer
in classValveBase
- Returns:
- The Container with which this instance is associated or
null
if not associated with a Container
-
setContainer
Description copied from interface:Contained
Set theContainer
with which this instance is associated.- Specified by:
setContainer
in interfaceContained
- Overrides:
setContainer
in classValveBase
- Parameters:
container
- The Container instance with which this instance is to be associated, ornull
to disassociate this instance from any Container
-
getDisableProxyCaching
public boolean getDisableProxyCaching()Return the flag that states if we add headers to disable caching by proxies.- Returns:
true
if the headers will be added, otherwisefalse
-
setDisableProxyCaching
public void setDisableProxyCaching(boolean nocache) Set the value of the flag that states if we add headers to disable caching by proxies.- Parameters:
nocache
-true
if we add headers to disable proxy caching,false
if we leave the headers alone.
-
getSecurePagesWithPragma
public boolean getSecurePagesWithPragma()Return the flag that states, if proxy caching is disabled, what headers we add to disable the caching.- Returns:
true
if a Pragma header should be used, otherwisefalse
-
setSecurePagesWithPragma
public void setSecurePagesWithPragma(boolean securePagesWithPragma) Set the value of the flag that states what headers we add to disable proxy caching.- Parameters:
securePagesWithPragma
-true
if we add headers which are incompatible with downloading office documents in IE under SSL but which fix a caching problem in Mozilla.
-
getChangeSessionIdOnAuthentication
public boolean getChangeSessionIdOnAuthentication()Return the flag that states if we should change the session ID of an existing session upon successful authentication.- Returns:
true
to change session ID upon successful authentication,false
to do not perform the change.
-
setChangeSessionIdOnAuthentication
public void setChangeSessionIdOnAuthentication(boolean changeSessionIdOnAuthentication) Set the value of the flag that states if we should change the session ID of an existing session upon successful authentication.- Parameters:
changeSessionIdOnAuthentication
-true
to change session ID upon successful authentication,false
to do not perform the change.
-
getSecureRandomClass
Return the secure random number generator class name.- Returns:
- The fully qualified name of the SecureRandom implementation to use
-
setSecureRandomClass
Set the secure random number generator class name.- Parameters:
secureRandomClass
- The new secure random number generator class name
-
getSecureRandomAlgorithm
Return the secure random number generator algorithm name.- Returns:
- The name of the SecureRandom algorithm used
-
setSecureRandomAlgorithm
Set the secure random number generator algorithm name.- Parameters:
secureRandomAlgorithm
- The new secure random number generator algorithm name
-
getSecureRandomProvider
Return the secure random number generator provider name.- Returns:
- The name of the SecureRandom provider
-
setSecureRandomProvider
Set the secure random number generator provider name.- Parameters:
secureRandomProvider
- The new secure random number generator provider name
-
getJaspicCallbackHandlerClass
Return the JASPIC callback handler class name- Returns:
- The name of the JASPIC callback handler
-
setJaspicCallbackHandlerClass
Set the JASPIC callback handler class name- Parameters:
jaspicCallbackHandlerClass
- The new JASPIC callback handler class name
-
isSendAuthInfoResponseHeaders
public boolean isSendAuthInfoResponseHeaders()Returns the flag whether authentication information will be sent to a reverse proxy on a forwarded request.- Returns:
true
if response headers shall be sent,false
otherwise
-
setSendAuthInfoResponseHeaders
public void setSendAuthInfoResponseHeaders(boolean sendAuthInfoResponseHeaders) Sets the flag whether authentication information will be send to a reverse proxy on a forwarded request.- Parameters:
sendAuthInfoResponseHeaders
-true
if response headers shall be sent,false
otherwise
-
invoke
Enforce the security restrictions in the web application deployment descriptor of our associated Context.- Specified by:
invoke
in interfaceValve
- Parameters:
request
- Request to be processedresponse
- Response to be processed- Throws:
IOException
- if an input/output error occursServletException
- if thrown by a processing element
-
allowCorsPreflightBypass
-
authenticate
Description copied from interface:Authenticator
Authenticate the user making this request, based on the login configuration of theContext
with which this Authenticator is associated.- Specified by:
authenticate
in interfaceAuthenticator
- Parameters:
request
- Request we are processinghttpResponse
- Response we are populating- Returns:
true
if any specified constraints have been satisfied, orfalse
if one more constraints were not satisfied (in which case an authentication challenge will have been written to the response).- Throws:
IOException
- if an input/output error occurs
-
doAuthenticate
protected abstract boolean doAuthenticate(Request request, HttpServletResponse response) throws IOException Provided for sub-classes to implement their specific authentication mechanism.- Parameters:
request
- The request that triggered the authenticationresponse
- The response associated with the request- Returns:
true
if the the user was authenticated, otherwisefalse
, in which case an authentication challenge will have been written to the response- Throws:
IOException
- If an I/O problem occurred during the authentication process
-
isContinuationRequired
Does this authenticator require thatauthenticate(Request, HttpServletResponse)
is called to continue an authentication process that started in a previous request?- Parameters:
request
- The request currently being processed- Returns:
true
if authenticate() must be called, otherwisefalse
-
associate
Associate the specified single sign on identifier with the specified Session.- Parameters:
ssoId
- Single sign on identifiersession
- Session to be associated
-
checkForCachedAuthentication
protected boolean checkForCachedAuthentication(Request request, HttpServletResponse response, boolean useSSO) Check to see if the user has already been authenticated earlier in the processing chain or if there is enough information available to authenticate the user without requiring further user interaction.- Parameters:
request
- The current requestresponse
- The current responseuseSSO
- Should information available from SSO be used to attempt to authenticate the current user?- Returns:
true
if the user was authenticated via the cache, otherwisefalse
-
reauthenticateFromSSO
Attempts reauthentication to theRealm
using the credentials included in argumententry
.- Parameters:
ssoId
- identifier of SingleSignOn session with which the caller is associatedrequest
- the request that needs to be authenticated- Returns:
true
if the reauthentication from SSL occurred
-
register
public void register(Request request, HttpServletResponse response, Principal principal, String authType, String username, String password) Register an authenticated Principal and authentication type in our request, in the current session (if there is one), and with our SingleSignOn valve, if there is one. Set the appropriate cookie to be returned.- Parameters:
request
- The servlet request we are processingresponse
- The servlet response we are generatingprincipal
- The authenticated Principal to be registeredauthType
- The authentication type to be registeredusername
- Username used to authenticate (if any)password
- Password used to authenticate (if any)
-
register
protected void register(Request request, HttpServletResponse response, Principal principal, String authType, String username, String password, boolean alwaysUseSession, boolean cache) Register an authenticated Principal and authentication type in our request, in the current session (if there is one), and with our SingleSignOn valve, if there is one. Set the appropriate cookie to be returned.- Parameters:
request
- The servlet request we are processingresponse
- The servlet response we are generatingprincipal
- The authenticated Principal to be registeredauthType
- The authentication type to be registeredusername
- Username used to authenticate (if any)password
- Password used to authenticate (if any)alwaysUseSession
- Should a session always be used once a user is authenticated?cache
- Should we cache authenticated Principals if the request is part of an HTTP session?
-
changeSessionID
-
login
- Specified by:
login
in interfaceAuthenticator
- Throws:
ServletException
-
getAuthMethod
Return the authentication method, which is vendor-specific and not defined by HttpServletRequest.- Returns:
- the authentication method, which is vendor-specific and not defined by HttpServletRequest.
-
doLogin
protected Principal doLogin(Request request, String username, String password) throws ServletException Process the login request.- Parameters:
request
- Associated requestusername
- The userpassword
- The password- Returns:
- The authenticated Principal
- Throws:
ServletException
- No principal was authenticated with the specified credentials
-
logout
- Specified by:
logout
in interfaceAuthenticator
-
startInternal
Description copied from class:ValveBase
Start this component and implement the requirements ofLifecycleBase.startInternal()
.- Overrides:
startInternal
in classValveBase
- Throws:
LifecycleException
- if this component detects a fatal error that prevents this component from being used
-
stopInternal
Description copied from class:ValveBase
Stop this component and implement the requirements ofLifecycleBase.stopInternal()
.- Overrides:
stopInternal
in classValveBase
- Throws:
LifecycleException
- if this component detects a fatal error that prevents this component from being used
-
isPreemptiveAuthPossible
Can the authenticator perform preemptive authentication for the given request?- Parameters:
request
- The request to check for credentials- Returns:
true
if preemptive authentication is possible, otherwisefalse
-
notify
- Specified by:
notify
in interfaceRegistrationListener
-