Class SingleSignOn
- All Implemented Interfaces:
MBeanRegistration
,Contained
,JmxEnabled
,Lifecycle
,Valve
- Direct Known Subclasses:
ClusterSingleSignOn
- This Valve must be configured on the Container that represents a virtual host (typically an implementation of
Host
). - The
Realm
that contains the shared user and role information must be configured on the same Container (or a higher one), and not overridden at the web application level. - The web applications themselves must use one of the standard Authenticators found in the
org.apache.catalina.authenticator
package.
- Author:
- Craig R. McClanahan
-
Nested Class Summary
Nested classes/interfaces inherited from interface org.apache.catalina.Lifecycle
Lifecycle.SingleUse
-
Field Summary
Modifier and TypeFieldDescriptionprotected Map<String,
SingleSignOnEntry> The cache of SingleSignOnEntry instances for authenticated Principals, keyed by the cookie value that is used to select them.Fields inherited from class org.apache.catalina.valves.ValveBase
asyncSupported, container, containerLog, next
Fields inherited from class org.apache.catalina.util.LifecycleMBeanBase
mserver
Fields inherited from interface org.apache.catalina.Lifecycle
AFTER_DESTROY_EVENT, AFTER_INIT_EVENT, AFTER_START_EVENT, AFTER_STOP_EVENT, BEFORE_DESTROY_EVENT, BEFORE_INIT_EVENT, BEFORE_START_EVENT, BEFORE_STOP_EVENT, CONFIGURE_START_EVENT, CONFIGURE_STOP_EVENT, PERIODIC_EVENT, START_EVENT, STOP_EVENT
-
Constructor Summary
-
Method Summary
Modifier and TypeMethodDescriptionprotected boolean
Associate the specified single sign on identifier with the specified Session.protected void
deregister
(String ssoId) Deregister the specified single sign on identifier, and invalidate any associated sessions.Returns the optional cookie domain.boolean
Gets whether each request needs to be reauthenticated (by an Authenticator downstream in the pipeline) to the securityRealm
, or if this Valve can itself bind security info to the request based on the presence of a valid SSO entry without rechecking with theRealm
.protected SessionListener
getSessionListener
(String ssoId) void
Perform single-sign-on support processing for this request.protected boolean
reauthenticate
(String ssoId, Realm realm, Request request) Attempts reauthentication to the givenRealm
using the credentials associated with the single sign-on session identified by argumentssoId
.protected void
Register the specified Principal as being associated with the specified value for the single sign on identifier.protected void
removeSession
(String ssoId, Session session) Remove a single Session from a SingleSignOn.void
sessionDestroyed
(String ssoId, Session session) Process a session destroyed event by removing references to that session from the caches and - if the session destruction is the result of a logout - destroy the associated SSO session.void
setCookieDomain
(String cookieDomain) Sets the domain to be used for sso cookies.void
setCookieName
(String cookieName) Set the cookie name that will be used for the SSO cookie.void
setRequireReauthentication
(boolean required) Sets whether each request needs to be reauthenticated (by an Authenticator downstream in the pipeline) to the securityRealm
, or if this Valve can itself bind security info to the request, based on the presence of a valid SSO entry, without rechecking with theRealm
.protected void
Start this component and implement the requirements ofLifecycleBase.startInternal()
.protected void
Stop this component and implement the requirements ofLifecycleBase.stopInternal()
.protected boolean
Updates anySingleSignOnEntry
found under keyssoId
with the given authentication data.Methods inherited from class org.apache.catalina.valves.ValveBase
backgroundProcess, getContainer, getDomainInternal, getNext, getObjectNameKeyProperties, initInternal, isAsyncSupported, setAsyncSupported, setContainer, setNext, toString
Methods inherited from class org.apache.catalina.util.LifecycleMBeanBase
destroyInternal, getDomain, getObjectName, postDeregister, postRegister, preDeregister, preRegister, register, setDomain, unregister, unregister
Methods inherited from class org.apache.catalina.util.LifecycleBase
addLifecycleListener, destroy, findLifecycleListeners, fireLifecycleEvent, getState, getStateName, getThrowOnFailure, init, removeLifecycleListener, setState, setState, setThrowOnFailure, start, stop
-
Field Details
-
cache
The cache of SingleSignOnEntry instances for authenticated Principals, keyed by the cookie value that is used to select them.
-
-
Constructor Details
-
SingleSignOn
public SingleSignOn()
-
-
Method Details
-
getCookieDomain
Returns the optional cookie domain. May return null.- Returns:
- The cookie domain
-
setCookieDomain
Sets the domain to be used for sso cookies.- Parameters:
cookieDomain
- cookie domain name
-
getCookieName
- Returns:
- the cookie name
-
setCookieName
Set the cookie name that will be used for the SSO cookie.- Parameters:
cookieName
- the cookieName to set
-
getRequireReauthentication
public boolean getRequireReauthentication()Gets whether each request needs to be reauthenticated (by an Authenticator downstream in the pipeline) to the securityRealm
, or if this Valve can itself bind security info to the request based on the presence of a valid SSO entry without rechecking with theRealm
.- Returns:
true
if it is required that a downstream Authenticator reauthenticate each request before calls toHttpServletRequest.setUserPrincipal()
andHttpServletRequest.setAuthType()
are made;false
if theValve
can itself make those calls relying on the presence of a valid SingleSignOn entry associated with the request.- See Also:
-
setRequireReauthentication
public void setRequireReauthentication(boolean required) Sets whether each request needs to be reauthenticated (by an Authenticator downstream in the pipeline) to the securityRealm
, or if this Valve can itself bind security info to the request, based on the presence of a valid SSO entry, without rechecking with theRealm
.If this property is
false
(the default), thisValve
will bind a UserPrincipal and AuthType to the request if a valid SSO entry is associated with the request. It will not notify the securityRealm
of the incoming request.This property should be set to
true
if the overall server configuration requires that theRealm
reauthenticate each request thread. An example of such a configuration would be one where theRealm
implementation provides security for both a web tier and an associated EJB tier, and needs to set security credentials on each request thread in order to support EJB access.If this property is set to
true
, this Valve will set flags on the request notifying the downstream Authenticator that the request is associated with an SSO session. The Authenticator will then call itsreauthenticateFromSSO
method to attempt to reauthenticate the request to theRealm
, using any credentials that were cached with this Valve.The default value of this property is
false
, in order to maintain backward compatibility with previous versions of Tomcat.- Parameters:
required
-true
if it is required that a downstream Authenticator reauthenticate each request before calls toHttpServletRequest.setUserPrincipal()
andHttpServletRequest.setAuthType()
are made;false
if theValve
can itself make those calls relying on the presence of a valid SingleSignOn entry associated with the request.- See Also:
-
invoke
Perform single-sign-on support processing for this request.- Parameters:
request
- The servlet request we are processingresponse
- The servlet response we are creating- Throws:
IOException
- if an input/output error occursServletException
- if a servlet error occurs
-
sessionDestroyed
Process a session destroyed event by removing references to that session from the caches and - if the session destruction is the result of a logout - destroy the associated SSO session.- Parameters:
ssoId
- The ID of the SSO session which which the destroyed session was associatedsession
- The session that has been destroyed
-
associate
Associate the specified single sign on identifier with the specified Session.- Parameters:
ssoId
- Single sign on identifiersession
- Session to be associated- Returns:
true
if the session was associated to the given SSO session, otherwisefalse
-
deregister
Deregister the specified single sign on identifier, and invalidate any associated sessions.- Parameters:
ssoId
- Single sign on identifier to deregister
-
reauthenticate
Attempts reauthentication to the givenRealm
using the credentials associated with the single sign-on session identified by argumentssoId
.If reauthentication is successful, the
Principal
and authorization type associated with the SSO session will be bound to the givenRequest
object via calls toRequest.setAuthType()
andRequest.setUserPrincipal()
- Parameters:
ssoId
- identifier of SingleSignOn session with which the caller is associatedrealm
- Realm implementation against which the caller is to be authenticatedrequest
- the request that needs to be authenticated- Returns:
true
if reauthentication was successful,false
otherwise.
-
register
protected void register(String ssoId, Principal principal, String authType, String username, String password) Register the specified Principal as being associated with the specified value for the single sign on identifier.- Parameters:
ssoId
- Single sign on identifier to registerprincipal
- Associated user principal that is identifiedauthType
- Authentication type used to authenticate this user principalusername
- Username used to authenticate this userpassword
- Password used to authenticate this user
-
update
protected boolean update(String ssoId, Principal principal, String authType, String username, String password) Updates anySingleSignOnEntry
found under keyssoId
with the given authentication data.The purpose of this method is to allow an SSO entry that was established without a username/password combination (i.e. established following DIGEST or CLIENT_CERT authentication) to be updated with a username and password if one becomes available through a subsequent BASIC or FORM authentication. The SSO entry will then be usable for reauthentication.
NOTE: Only updates the SSO entry if a call to
SingleSignOnEntry.getCanReauthenticate()
returnsfalse
; otherwise, it is assumed that the SSO entry already has sufficient information to allow reauthentication and that no update is needed.- Parameters:
ssoId
- identifier of Single sign to be updatedprincipal
- thePrincipal
returned by the latest call toRealm.authenticate
.authType
- the type of authenticator used (BASIC, CLIENT_CERT, DIGEST or FORM)username
- the username (if any) used for the authenticationpassword
- the password (if any) used for the authentication- Returns:
true
if the credentials were updated, otherwisefalse
-
removeSession
Remove a single Session from a SingleSignOn. Called when a session is timed out and no longer active.- Parameters:
ssoId
- Single sign on identifier from which to remove the session.session
- the session to be removed.
-
getSessionListener
-
startInternal
Description copied from class:ValveBase
Start this component and implement the requirements ofLifecycleBase.startInternal()
.- Overrides:
startInternal
in classValveBase
- Throws:
LifecycleException
- if this component detects a fatal error that prevents this component from being used
-
stopInternal
Description copied from class:ValveBase
Stop this component and implement the requirements ofLifecycleBase.stopInternal()
.- Overrides:
stopInternal
in classValveBase
- Throws:
LifecycleException
- if this component detects a fatal error that prevents this component from being used
-