Package org.apache.catalina.realm
Class CombinedRealm
java.lang.Object
org.apache.catalina.util.LifecycleBase
org.apache.catalina.util.LifecycleMBeanBase
org.apache.catalina.realm.RealmBase
org.apache.catalina.realm.CombinedRealm
- All Implemented Interfaces:
MBeanRegistration, Contained, JmxEnabled, Lifecycle, Realm
- Direct Known Subclasses:
LockOutRealm
Realm implementation that contains one or more realms. Authentication is attempted for each realm in the order they
were configured. If any realm authenticates the user, then the authentication succeeds. When combining realms,
usernames should be unique across all combined realms.
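The ordering rule above, and the reason usernames should be unique, shown as an added example that is not Tomcat's code. SimpleRealm, the realm names and the users are constructed stand-ins for real sub-realms, and principals are modelled as plain strings.

```java
import java.util.*;

// Simplified model of the documented CombinedRealm behaviour. SimpleRealm and
// every user below are constructed for illustration; none of this is Tomcat code.
public class CombinedRealmModel {

    /** Hypothetical stand-in for a sub-realm: username -> {password, role}. */
    record SimpleRealm(String name, Map<String, String[]> users) {
        String authenticate(String user, String password) {
            String[] entry = users.get(user);
            // Plain comparison keeps the model short; a real realm delegates
            // credential matching to its CredentialHandler.
            if (entry == null || !entry[0].equals(password)) {
                return null;               // same contract as Realm: null means no principal
            }
            return user + "@" + name + " role=" + entry[1];
        }
    }

    /** Try each realm in configured order; the first non-null result wins. */
    static String authenticate(List<SimpleRealm> realms, String user, String password) {
        for (SimpleRealm realm : realms) {
            String principal = realm.authenticate(user, password);
            if (principal != null) {
                return principal;
            }
        }
        return null;
    }

    /** Audit helper: usernames that are defined in more than one sub-realm. */
    static Set<String> duplicateUsernames(List<SimpleRealm> realms) {
        Set<String> seen = new HashSet<>();
        Set<String> duplicates = new TreeSet<>();
        for (SimpleRealm realm : realms) {
            for (String user : realm.users().keySet()) {
                if (!seen.add(user)) duplicates.add(user);
            }
        }
        return duplicates;
    }

    public static void main(String[] args) {
        List<SimpleRealm> realms = List.of(
            new SimpleRealm("file", Map.of("alice", new String[] {"pw-file", "admin"})),
            new SimpleRealm("db", Map.of("alice", new String[] {"pw-db", "user"},
                                         "bob", new String[] {"pw-bob", "user"})));
        // "alice" exists in both realms: either password is accepted, and the
        // roles of the resulting principal depend on which realm accepted it.
        System.out.println(authenticate(realms, "alice", "pw-file"));
        System.out.println(authenticate(realms, "alice", "pw-db"));
        System.out.println(duplicateUsernames(realms));
    }
}
```

Running the same duplicate check against the user stores behind each configured sub-realm shows which accounts need renaming or consolidating before the realms are combined.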
-
Nested Class Summary
Nested classes/interfaces inherited from class org.apache.catalina.realm.RealmBase
RealmBase.AllRolesMode
Nested classes/interfaces inherited from interface org.apache.catalina.Lifecycle
Lifecycle.SingleUse
-
Field Summary
Field - Description
realms - The list of Realms contained by this Realm.
Fields inherited from class org.apache.catalina.realm.RealmBase
allRolesMode, container, containerLog, realmPath, sm, stripRealmForGss, support, USER_ATTRIBUTES_DELIMITER, USER_ATTRIBUTES_WILDCARD, userAttributes, userAttributesList, validate, x509UsernameRetriever, x509UsernameRetrieverClassName
Fields inherited from class org.apache.catalina.util.LifecycleMBeanBase
mserver
Fields inherited from interface org.apache.catalina.Lifecycle
AFTER_DESTROY_EVENT, AFTER_INIT_EVENT, AFTER_START_EVENT, AFTER_STOP_EVENT, BEFORE_DESTROY_EVENT, BEFORE_INIT_EVENT, BEFORE_START_EVENT, BEFORE_STOP_EVENT, CONFIGURE_START_EVENT, CONFIGURE_STOP_EVENT, PERIODIC_EVENT, START_EVENT, STOP_EVENT
-
Constructor Summary
-
Method Summary
Modifier and Type, Method - Description
void addRealm - Add a realm to the list of realms that will be used to authenticate users.
Principal authenticate(String username) - Try to authenticate with the specified username.
Principal authenticate(String username, String credentials) - Try to authenticate using the specified username and credentials.
Principal authenticate(String username, String clientDigest, String nonce, String nc, String cnonce, String qop, String realmName, String digestA2, String algorithm) - Try to authenticate with the specified username, which matches the digest calculated using the given parameters using the method described in RFC 7616.
Principal authenticate(X509Certificate[] certs) - Try to authenticate using a chain of X509Certificates.
Principal authenticate(GSSContext gssContext, boolean storeCred) - Try to authenticate using a GSSContext.
Principal authenticate(GSSName gssName, GSSCredential gssCredential) - Try to authenticate using a GSSName.
void backgroundProcess() - Delegate the backgroundProcess call to all sub-realms.
protected void destroyInternal - Ensure child Realms are destroyed when this Realm is destroyed.
Realm[] getNestedRealms
protected String getPassword(String username) - Get the password for the specified user.
protected Principal getPrincipal(String username) - Get the principal associated with the specified user.
boolean hasRole - Check if the specified Principal has the specified security role, within the context of this Realm.
boolean isAvailable() - Return the availability of the realm for authentication.
void setContainer(Container container) - Set the Container with which this instance is associated.
void setCredentialHandler(CredentialHandler credentialHandler) - Set the CredentialHandler to be used by this Realm.
protected void startInternal - Prepare for the beginning of active use of the public methods of this component and implement the requirements of LifecycleBase.startInternal().
protected void stopInternal - Gracefully terminate the active use of the public methods of this component and implement the requirements of LifecycleBase.stopInternal().
Methods inherited from class org.apache.catalina.realm.RealmBase
addPropertyChangeListener, authenticate, findSecurityConstraints, getAllRolesMode, getContainer, getCredentialHandler, getDigest, getDigest, getDomainInternal, getObjectNameKeyProperties, getPrincipal, getPrincipal, getPrincipal, getPrincipal, getRealmPath, getRealmSuffix, getRoles, getServer, getTransportGuaranteeRedirectStatus, getUserAttributes, getValidate, getX509UsernameRetrieverClassName, hasMessageDigest, hasResourcePermission, hasRoleInternal, hasUserDataPermission, initInternal, isStripRealmForGss, main, parseUserAttributes, removePropertyChangeListener, setAllRolesMode, setRealmPath, setStripRealmForGss, setTransportGuaranteeRedirectStatus, setUserAttributes, setValidate, setX509UsernameRetrieverClassName, toString
Methods inherited from class org.apache.catalina.util.LifecycleMBeanBase
getDomain, getObjectName, postDeregister, postRegister, preDeregister, preRegister, register, setDomain, unregister, unregister
Methods inherited from class org.apache.catalina.util.LifecycleBase
addLifecycleListener, destroy, findLifecycleListeners, fireLifecycleEvent, getState, getStateName, getThrowOnFailure, init, removeLifecycleListener, setState, setState, setThrowOnFailure, start, stop
-
Field Details
-
realms
The list of Realms contained by this Realm.
-
-
Constructor Details
-
CombinedRealm
public CombinedRealm()
-
-
Method Details
-
addRealm
Add a realm to the list of realms that will be used to authenticate users.
- Parameters:
theRealm - realm which should be wrapped by the combined realm
-
getRealms
- Returns:
- the set of Realms that this Realm is wrapping
-
getNestedRealms
- Returns:
- the list of Realms contained by this Realm.
-
authenticate
public Principal authenticate(String username, String clientDigest, String nonce, String nc, String cnonce, String qop, String realmName, String digestA2, String algorithm)
Description copied from interface: Realm
Try to authenticate with the specified username, which matches the digest calculated using the given parameters using the method described in RFC 7616.
The default implementation calls Realm.authenticate(String, String, String, String, String, String, String, String) for backwards compatibility, which effectively forces the use of MD5 regardless of the algorithm specified in the call to this method.
Implementations are expected to override the default implementation and take account of the algorithm parameter.
- Specified by:
authenticate in interface Realm
- Overrides:
authenticate in class RealmBase
- Parameters:
username - Username of the Principal to look up
clientDigest - Digest which has been submitted by the client
nonce - Unique (or supposedly unique) token which has been used for this request
nc - the nonce counter
cnonce - the client chosen nonce
qop - the "quality of protection" (nc and cnonce will only be used if qop is not null).
realmName - Realm name
digestA2 - Second digest calculated as digest(Method + ":" + uri)
algorithm - The message digest algorithm to use
- Returns:
the associated principal, or null if there is none.
-
authenticate
Description copied from interface: Realm
Try to authenticate with the specified username.
- Specified by:
authenticate in interface Realm
- Overrides:
authenticate in class RealmBase
- Parameters:
username - Username of the Principal to look up
- Returns:
the associated principal, or null if none is associated.
-
authenticate
Description copied from interface: Realm
Try to authenticate using the specified username and credentials.
- Specified by:
authenticate in interface Realm
- Overrides:
authenticate in class RealmBase
- Parameters:
username - Username of the Principal to look up
credentials - Password or other credentials to use in authenticating this username
- Returns:
the associated principal, or null if there is none
-
setContainer
Description copied from interface: Contained
Set the Container with which this instance is associated.
- Specified by:
setContainer in interface Contained
- Overrides:
setContainer in class RealmBase
- Parameters:
container - The Container instance with which this instance is to be associated, or null to disassociate this instance from any Container
-
startInternal
Description copied from class: RealmBase
Prepare for the beginning of active use of the public methods of this component and implement the requirements of LifecycleBase.startInternal().
- Overrides:
startInternal in class RealmBase
- Throws:
LifecycleException - if this component detects a fatal error that prevents this component from being used
-
stopInternal
Description copied from class: RealmBase
Gracefully terminate the active use of the public methods of this component and implement the requirements of LifecycleBase.stopInternal().
- Overrides:
stopInternal in class RealmBase
- Throws:
LifecycleException - if this component detects a fatal error that needs to be reported
-
destroyInternal
Ensure child Realms are destroyed when this Realm is destroyed.
- Overrides:
destroyInternal in class LifecycleMBeanBase
- Throws:
LifecycleException - If the destruction fails
-
backgroundProcess
public void backgroundProcess()
Delegate the backgroundProcess call to all sub-realms.
- Specified by:
backgroundProcess in interface Realm
- Overrides:
backgroundProcess in class RealmBase
-
authenticate
Description copied from interface: Realm
Try to authenticate using a chain of X509Certificates.
- Specified by:
authenticate in interface Realm
- Overrides:
authenticate in class RealmBase
- Parameters:
certs - Array of client certificates, with the first one in the array being the certificate of the client itself.
- Returns:
the associated principal, or null if there is none
-
authenticate
Description copied from interface: Realm
Try to authenticate using a GSSContext.
- Specified by:
authenticate in interface Realm
- Overrides:
authenticate in class RealmBase
- Parameters:
gssContext - The gssContext processed by the Authenticator.
storeCred - Should the realm attempt to store the delegated credentials in the returned Principal?
- Returns:
the associated principal, or null if there is none
-
authenticate
Description copied from interface: Realm
Try to authenticate using a GSSName. Note that this default method will be turned into an abstract one in Tomcat 10.
- Specified by:
authenticate in interface Realm
- Overrides:
authenticate in class RealmBase
- Parameters:
gssName - The GSSName of the principal to look up
gssCredential - The GSSCredential of the principal, may be null
- Returns:
the associated principal, or null if there is none
-
hasRole
Description copied from class: RealmBase
Check if the specified Principal has the specified security role, within the context of this Realm.
This method or RealmBase.hasRoleInternal(Principal, String) can be overridden by Realm implementations, but the default is adequate when an instance of GenericPrincipal is used to represent authenticated Principals from this Realm.
- Specified by:
hasRole in interface Realm
- Overrides:
hasRole in class RealmBase
- Parameters:
wrapper - wrapper context for evaluating role
principal - Principal for whom the role is to be checked
role - Security role to be checked
- Returns:
true if the specified Principal has the specified security role, within the context of this Realm; otherwise return false.
-
getPassword
Description copied from class: RealmBase
Get the password for the specified user.
- Specified by:
getPassword in class RealmBase
- Parameters:
username - The user name
- Returns:
the password associated with the given principal's user name.
-
getPrincipal
Description copied from class: RealmBase
Get the principal associated with the specified user.
- Specified by:
getPrincipal in class RealmBase
- Parameters:
username - The user name
- Returns:
the Principal associated with the given user name.
-
isAvailable
public boolean isAvailable()
Description copied from interface: Realm
Return the availability of the realm for authentication.
- Returns:
true if the realm is able to perform authentication
-
setCredentialHandler
Description copied from interface: Realm
Set the CredentialHandler to be used by this Realm.
- Specified by:
setCredentialHandler in interface Realm
- Overrides:
setCredentialHandler in class RealmBase
- Parameters:
credentialHandler - the CredentialHandler to use
-