Class RealmBase
- All Implemented Interfaces:
MBeanRegistration
,Contained
,JmxEnabled
,Lifecycle
,Realm
- Direct Known Subclasses:
AuthenticatedUserRealm
,CombinedRealm
,DataSourceRealm
,JAASRealm
,JDBCRealm
,JNDIRealm
,MemoryRealm
,NullRealm
,UserDatabaseRealm
- Author:
- Craig R. McClanahan
-
Nested Class Summary
Nested classes/interfaces inherited from interface org.apache.catalina.Lifecycle
Lifecycle.SingleUse
-
Field Summary
Modifier and TypeFieldDescriptionprotected RealmBase.AllRolesMode
The all role mode.protected Container
The Container with which this Realm is associated.protected Log
Container logprotected String
protected static final StringManager
The string manager for this package.protected boolean
When processing users authenticated via the GSS-API, should any "@..." be stripped from the end of the user name?protected final PropertyChangeSupport
The property change support for this component.protected static final String
The character used for delimiting user attribute names.protected static final String
The character used as wildcard in user attribute lists.protected String
The comma separated names of user attributes to additionally query from the realm.The list of user attributes to additionally query from the realm.protected boolean
Should we validate client certificate chains when they are presented?protected X509UsernameRetriever
The object that will extract user names from X509 client certificates.protected String
The name of the class to use for retrieving user names from X509 certificates.Fields inherited from class org.apache.catalina.util.LifecycleMBeanBase
mserver
Fields inherited from interface org.apache.catalina.Lifecycle
AFTER_DESTROY_EVENT, AFTER_INIT_EVENT, AFTER_START_EVENT, AFTER_STOP_EVENT, BEFORE_DESTROY_EVENT, BEFORE_INIT_EVENT, BEFORE_START_EVENT, BEFORE_STOP_EVENT, CONFIGURE_START_EVENT, CONFIGURE_STOP_EVENT, PERIODIC_EVENT, START_EVENT, STOP_EVENT
-
Constructor Summary
-
Method Summary
Modifier and TypeMethodDescriptionvoid
Add a property change listener to this component.authenticate
(String username) Try to authenticate with the specified username.authenticate
(String username, String credentials) Try to authenticate using the specified username and credentials.authenticate
(String username, String clientDigest, String nonce, String nc, String cnonce, String qop, String realm, String digestA2) Deprecated.authenticate
(String username, String clientDigest, String nonce, String nc, String cnonce, String qop, String realm, String digestA2, String algorithm) Try to authenticate with the specified username, which matches the digest calculated using the given parameters using the method described in RFC 7616.authenticate
(X509Certificate[] certs) Try to authenticate using a chain ofX509Certificate
s.authenticate
(GSSContext gssContext, boolean storeCred) Try to authenticate using aGSSContext
.authenticate
(GSSName gssName, GSSCredential gssCredential) Try to authenticate using aGSSName
.void
Execute a periodic task, such as reloading, etc.findSecurityConstraints
(Request request, Context context) Find the SecurityConstraints configured to guard the request URI for this request.Return the all roles mode.Get theContainer
with which this instance is associated.protected String
Deprecated.Unused.protected String
Return the digest associated with given principal's user name.Method implemented by sub-classes to identify the domain in which MBeans should be registered.Allow sub-classes to specify the key properties component of theObjectName
that will be used to register this component.protected abstract String
getPassword
(String username) Get the password for the specified user.protected abstract Principal
getPrincipal
(String username) Get the principal associated with the specified user.protected Principal
getPrincipal
(String username, GSSCredential gssCredential) Deprecated.This will be removed in Tomcat 10 onwards.protected Principal
getPrincipal
(X509Certificate usercert) Get the principal associated with the specified certificate.protected Principal
getPrincipal
(GSSName gssName, GSSCredential gssCredential) Get the principal associated with the specifiedGSSName
.protected Principal
getPrincipal
(GSSName gssName, GSSCredential gssCredential, GSSContext gssContext) Get the principal associated with the specifiedGSSName
.protected String
String[]
Return roles associated with given principalprotected Server
Return the Server object that is the ultimate parent for the container with which this Realm is associated.int
boolean
Return the "validate certificate chains" flag.Gets the name of the class that will be used to extract user names from X509 client certificates.protected boolean
hasMessageDigest
(String algorithm) boolean
hasResourcePermission
(Request request, Response response, SecurityConstraint[] constraints, Context context) Perform access control based on the specified authorization constraint.boolean
Check if the specified Principal has the specified security role, within the context of this Realm.protected boolean
hasRoleInternal
(Principal principal, String role) Check if the specified Principal has the specified security role, within the context of this Realm.boolean
hasUserDataPermission
(Request request, Response response, SecurityConstraint[] constraints) Enforce any user data constraint required by the security constraint guarding this request URI.protected void
Sub-classes implement this method to perform any instance initialisation required.boolean
static void
Generate a stored credential string for the given password and associated parameters.parseUserAttributes
(String userAttributes) Parse the specified delimiter separated attribute names and return a list of that names ornull
, if no attributes have been specified.void
Remove a property change listener from this component.void
setAllRolesMode
(String allRolesMode) Set the all roles mode.void
setContainer
(Container container) Set theContainer
with which this instance is associated.void
setCredentialHandler
(CredentialHandler credentialHandler) Set the CredentialHandler to be used by this Realm.void
setRealmPath
(String theRealmPath) void
setStripRealmForGss
(boolean stripRealmForGss) void
setTransportGuaranteeRedirectStatus
(int transportGuaranteeRedirectStatus) Set the HTTP status code used when the container needs to issue an HTTP redirect to meet the requirements of a configured transport guarantee.void
setUserAttributes
(String userAttributes) Set the comma separated names of user attributes to additionally query from the realm.void
setValidate
(boolean validate) Set the "validate certificate chains" flag.void
setX509UsernameRetrieverClassName
(String className) Sets the name of the class that will be used to extract user names from X509 client certificates.protected void
Prepare for the beginning of active use of the public methods of this component and implement the requirements ofLifecycleBase.startInternal()
.protected void
Gracefully terminate the active use of the public methods of this component and implement the requirements ofLifecycleBase.stopInternal()
.toString()
Methods inherited from class org.apache.catalina.util.LifecycleMBeanBase
destroyInternal, getDomain, getObjectName, postDeregister, postRegister, preDeregister, preRegister, register, setDomain, unregister, unregister
Methods inherited from class org.apache.catalina.util.LifecycleBase
addLifecycleListener, destroy, findLifecycleListeners, fireLifecycleEvent, getState, getStateName, getThrowOnFailure, init, removeLifecycleListener, setState, setState, setThrowOnFailure, start, stop
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait
Methods inherited from interface org.apache.catalina.Realm
isAvailable
-
Field Details
-
USER_ATTRIBUTES_DELIMITER
The character used for delimiting user attribute names.Applies to some of the Realm implementations only.
- See Also:
-
USER_ATTRIBUTES_WILDCARD
The character used as wildcard in user attribute lists. Using it means query all available user attributes.Applies to some of the Realm implementations only.
- See Also:
-
container
The Container with which this Realm is associated. -
containerLog
Container log -
sm
The string manager for this package. -
support
The property change support for this component. -
validate
protected boolean validateShould we validate client certificate chains when they are presented? -
x509UsernameRetrieverClassName
The name of the class to use for retrieving user names from X509 certificates. -
x509UsernameRetriever
The object that will extract user names from X509 client certificates. -
allRolesMode
The all role mode. -
stripRealmForGss
protected boolean stripRealmForGssWhen processing users authenticated via the GSS-API, should any "@..." be stripped from the end of the user name? -
userAttributes
The comma separated names of user attributes to additionally query from the realm. These will be provided to the user through the created Principal's attributes map. Support for this feature is optional. -
userAttributesList
The list of user attributes to additionally query from the realm. These will be provided to the user through the created Principal's attributes map. Support for this feature is optional. -
realmPath
-
-
Constructor Details
-
RealmBase
public RealmBase()
-
-
Method Details
-
getTransportGuaranteeRedirectStatus
public int getTransportGuaranteeRedirectStatus()- Returns:
- The HTTP status code used when the container needs to issue an HTTP redirect to meet the requirements of a configured transport guarantee.
-
setTransportGuaranteeRedirectStatus
public void setTransportGuaranteeRedirectStatus(int transportGuaranteeRedirectStatus) Set the HTTP status code used when the container needs to issue an HTTP redirect to meet the requirements of a configured transport guarantee.- Parameters:
transportGuaranteeRedirectStatus
- The status to use. This value is not validated
-
getCredentialHandler
- Specified by:
getCredentialHandler
in interfaceRealm
- Returns:
- the CredentialHandler configured for this Realm.
-
setCredentialHandler
Description copied from interface:Realm
Set the CredentialHandler to be used by this Realm.- Specified by:
setCredentialHandler
in interfaceRealm
- Parameters:
credentialHandler
- theCredentialHandler
to use
-
getContainer
Description copied from interface:Contained
Get theContainer
with which this instance is associated.- Specified by:
getContainer
in interfaceContained
- Returns:
- The Container with which this instance is associated or
null
if not associated with a Container
-
setContainer
Description copied from interface:Contained
Set theContainer
with which this instance is associated.- Specified by:
setContainer
in interfaceContained
- Parameters:
container
- The Container instance with which this instance is to be associated, ornull
to disassociate this instance from any Container
-
getAllRolesMode
Return the all roles mode.- Returns:
- A string representation of the current all roles mode
-
setAllRolesMode
Set the all roles mode.- Parameters:
allRolesMode
- A string representation of the new all roles mode
-
getValidate
public boolean getValidate()Return the "validate certificate chains" flag.- Returns:
- The value of the validate certificate chains flag
-
setValidate
public void setValidate(boolean validate) Set the "validate certificate chains" flag.- Parameters:
validate
- The new validate certificate chains flag
-
getX509UsernameRetrieverClassName
Gets the name of the class that will be used to extract user names from X509 client certificates.- Returns:
- The name of the class that will be used to extract user names from X509 client certificates.
-
setX509UsernameRetrieverClassName
Sets the name of the class that will be used to extract user names from X509 client certificates. The class must implement X509UsernameRetriever.- Parameters:
className
- The name of the class that will be used to extract user names from X509 client certificates.- See Also:
-
isStripRealmForGss
public boolean isStripRealmForGss() -
setStripRealmForGss
public void setStripRealmForGss(boolean stripRealmForGss) -
getUserAttributes
- Returns:
- the comma separated names of user attributes to additionally query from realm
-
setUserAttributes
Set the comma separated names of user attributes to additionally query from the realm. These will be provided to the user through the created Principal's attributes map. In this map, each field value is bound to the field's name, that is, the name of the field serves as the key of the mapping.If set to the wildcard character, or, if the wildcard character is part of the comma separated list, all available attributes - except the password attribute (as specified by
userCredCol
) - are queried. The wildcard character is defined by constantUSER_ATTRIBUTES_WILDCARD
. It defaults to the asterisk (*) character.- Parameters:
userAttributes
- the comma separated names of user attributes
-
addPropertyChangeListener
Description copied from interface:Realm
Add a property change listener to this component.- Specified by:
addPropertyChangeListener
in interfaceRealm
- Parameters:
listener
- The listener to add
-
authenticate
Description copied from interface:Realm
Try to authenticate with the specified username.- Specified by:
authenticate
in interfaceRealm
- Parameters:
username
- Username of the Principal to look up- Returns:
- the associated principal, or
null
if none is associated.
-
authenticate
Description copied from interface:Realm
Try to authenticate using the specified username and credentials.- Specified by:
authenticate
in interfaceRealm
- Parameters:
username
- Username of the Principal to look upcredentials
- Password or other credentials to use in authenticating this username- Returns:
- the associated principal, or
null
if there is none
-
authenticate
@Deprecated public Principal authenticate(String username, String clientDigest, String nonce, String nc, String cnonce, String qop, String realm, String digestA2) Deprecated.Description copied from interface:Realm
Try to authenticate with the specified username, which matches the digest calculated using the given parameters using the method described in RFC 2617 (which is a superset of RFC 2069).- Specified by:
authenticate
in interfaceRealm
- Parameters:
username
- Username of the Principal to look upclientDigest
- Digest which has been submitted by the clientnonce
- Unique (or supposedly unique) token which has been used for this requestnc
- the nonce countercnonce
- the client chosen nonceqop
- the "quality of protection" (nc
andcnonce
will only be used, ifqop
is notnull
).realm
- Realm namedigestA2
- Second digest calculated as digest(Method + ":" + uri)- Returns:
- the associated principal, or
null
if there is none.
-
authenticate
public Principal authenticate(String username, String clientDigest, String nonce, String nc, String cnonce, String qop, String realm, String digestA2, String algorithm) Description copied from interface:Realm
Try to authenticate with the specified username, which matches the digest calculated using the given parameters using the method described in RFC 7616.The default implementation calls
Realm.authenticate(String, String, String, String, String, String, String, String)
for backwards compatibility which effectively forces the use of MD5 regardless of the algorithm specified in the call to this method.Implementations are expected to override the default implementation and take account of the algorithm parameter.
- Specified by:
authenticate
in interfaceRealm
- Parameters:
username
- Username of the Principal to look upclientDigest
- Digest which has been submitted by the clientnonce
- Unique (or supposedly unique) token which has been used for this requestnc
- the nonce countercnonce
- the client chosen nonceqop
- the "quality of protection" (nc
andcnonce
will only be used, ifqop
is notnull
).realm
- Realm namedigestA2
- Second digest calculated as digest(Method + ":" + uri)algorithm
- The message digest algorithm to use- Returns:
- the associated principal, or
null
if there is none.
-
authenticate
Description copied from interface:Realm
Try to authenticate using a chain ofX509Certificate
s.- Specified by:
authenticate
in interfaceRealm
- Parameters:
certs
- Array of client certificates, with the first one in the array being the certificate of the client itself.- Returns:
- the associated principal, or
null
if there is none
-
authenticate
Description copied from interface:Realm
Try to authenticate using aGSSContext
.- Specified by:
authenticate
in interfaceRealm
- Parameters:
gssContext
- The gssContext processed by theAuthenticator
.storeCred
- Should the realm attempt to store the delegated credentials in the returned Principal?- Returns:
- the associated principal, or
null
if there is none
-
authenticate
Description copied from interface:Realm
Try to authenticate using aGSSName
. Note that this default method will be turned into an abstract one in Tomcat 10.- Specified by:
authenticate
in interfaceRealm
- Parameters:
gssName
- TheGSSName
of the principal to look upgssCredential
- TheGSSCredential
of the principal, may benull
- Returns:
- the associated principal, or
null
if there is none
-
backgroundProcess
public void backgroundProcess()Execute a periodic task, such as reloading, etc. This method will be invoked inside the classloading context of this container. Unexpected throwables will be caught and logged.The default implementation is NO-OP.
- Specified by:
backgroundProcess
in interfaceRealm
-
findSecurityConstraints
Description copied from interface:Realm
Find the SecurityConstraints configured to guard the request URI for this request.- Specified by:
findSecurityConstraints
in interfaceRealm
- Parameters:
request
- Request we are processingcontext
- Context the Request is mapped to- Returns:
- the configured
SecurityConstraint
, ornull
if there is none
-
hasResourcePermission
public boolean hasResourcePermission(Request request, Response response, SecurityConstraint[] constraints, Context context) throws IOException Description copied from interface:Realm
Perform access control based on the specified authorization constraint.- Specified by:
hasResourcePermission
in interfaceRealm
- Parameters:
request
- Request we are processingresponse
- Response we are creatingconstraints
- Security constraint we are enforcingcontext
- The Context to which client of this class is attached.- Returns:
true
if this constraint is satisfied and processing should continue, orfalse
otherwise- Throws:
IOException
- if an input/output error occurs
-
hasRole
Check if the specified Principal has the specified security role, within the context of this Realm.This method or
hasRoleInternal(Principal, String)
can be overridden by Realm implementations, but the default is adequate when an instance ofGenericPrincipal
is used to represent authenticated Principals from this Realm.- Specified by:
hasRole
in interfaceRealm
- Parameters:
wrapper
- wrapper context for evaluating roleprincipal
- Principal for whom the role is to be checkedrole
- Security role to be checked- Returns:
true
if the specified Principal has the specified security role, within the context of this Realm; otherwise returnfalse
.
-
parseUserAttributes
Parse the specified delimiter separated attribute names and return a list of that names ornull
, if no attributes have been specified.If a wildcard character is found, return a list consisting of a single wildcard character only.
- Parameters:
userAttributes
- comma separated names of attributes to parse- Returns:
- a list containing the parsed attribute names or
null
, if no attributes have been specified
-
hasRoleInternal
Check if the specified Principal has the specified security role, within the context of this Realm. This method orhasRoleInternal(Principal, String)
can be overridden by Realm implementations, but the default is adequate when an instance ofGenericPrincipal
is used to represent authenticated Principals from this Realm.- Parameters:
principal
- Principal for whom the role is to be checkedrole
- Security role to be checked- Returns:
true
if the specified Principal has the specified security role, within the context of this Realm; otherwise returnfalse
.
-
hasUserDataPermission
public boolean hasUserDataPermission(Request request, Response response, SecurityConstraint[] constraints) throws IOException Description copied from interface:Realm
Enforce any user data constraint required by the security constraint guarding this request URI.- Specified by:
hasUserDataPermission
in interfaceRealm
- Parameters:
request
- Request we are processingresponse
- Response we are creatingconstraints
- Security constraint being checked- Returns:
true
if this constraint was not violated and processing should continue, orfalse
if we have created a response already.- Throws:
IOException
- if an input/output error occurs
-
removePropertyChangeListener
Description copied from interface:Realm
Remove a property change listener from this component.- Specified by:
removePropertyChangeListener
in interfaceRealm
- Parameters:
listener
- The listener to remove
-
initInternal
Description copied from class:LifecycleBase
Sub-classes implement this method to perform any instance initialisation required.- Overrides:
initInternal
in classLifecycleMBeanBase
- Throws:
LifecycleException
- If the initialisation fails
-
startInternal
Prepare for the beginning of active use of the public methods of this component and implement the requirements ofLifecycleBase.startInternal()
.- Specified by:
startInternal
in classLifecycleBase
- Throws:
LifecycleException
- if this component detects a fatal error that prevents this component from being used
-
stopInternal
Gracefully terminate the active use of the public methods of this component and implement the requirements ofLifecycleBase.stopInternal()
.- Specified by:
stopInternal
in classLifecycleBase
- Throws:
LifecycleException
- if this component detects a fatal error that needs to be reported
-
toString
-
hasMessageDigest
-
getDigest
Deprecated.Unused. UsegetDigest(String, String, String)
. Will be removed in Tomcat 11.Return the digest associated with given principal's user name.- Parameters:
username
- The user namerealmName
- The realm name- Returns:
- the digest for the specified user
-
getDigest
Return the digest associated with given principal's user name.- Parameters:
username
- The user namerealmName
- The realm namealgorithm
- The name of the message digest algorithm to use- Returns:
- the digest for the specified user
-
getPassword
Get the password for the specified user.- Parameters:
username
- The user name- Returns:
- the password associated with the given principal's user name.
-
getPrincipal
Get the principal associated with the specified certificate.- Parameters:
usercert
- The user certificate- Returns:
- the Principal associated with the given certificate.
-
getPrincipal
Get the principal associated with the specified user.- Parameters:
username
- The user name- Returns:
- the Principal associated with the given user name.
-
getPrincipal
Deprecated.This will be removed in Tomcat 10 onwards. UsegetPrincipal(GSSName, GSSCredential)
instead.Get the principal associated with the specified user name.- Parameters:
username
- The user namegssCredential
- the GSS credential of the principal- Returns:
- the principal associated with the given user name.
-
getPrincipal
protected Principal getPrincipal(GSSName gssName, GSSCredential gssCredential, GSSContext gssContext) Get the principal associated with the specifiedGSSName
.- Parameters:
gssName
- The GSS namegssCredential
- the GSS credential of the principalgssContext
- the established GSS context- Returns:
- the principal associated with the given user name.
-
getPrincipal
Get the principal associated with the specifiedGSSName
.- Parameters:
gssName
- The GSS namegssCredential
- the GSS credential of the principal- Returns:
- the principal associated with the given user name.
-
getServer
Return the Server object that is the ultimate parent for the container with which this Realm is associated. If the server cannot be found (eg because the container hierarchy is not complete),null
is returned.- Returns:
- the Server associated with the realm
-
main
Generate a stored credential string for the given password and associated parameters.The following parameters are supported:
- -a - The algorithm to use to generate the stored credential. If not specified a default of SHA-512 will be used.
- -e - The encoding to use for any byte to/from character conversion that may be necessary. If not
specified, the system encoding (
Charset.defaultCharset()
) will be used. - -i - The number of iterations to use when generating the stored credential. If not specified, the default for the CredentialHandler will be used.
- -s - The length (in bytes) of salt to generate and store as part of the credential. If not specified, the default for the CredentialHandler will be used.
- -k - The length (in bits) of the key(s), if any, created while generating the credential. If not specified, the default for the CredentialHandler will be used.
- -h - The fully qualified class name of the CredentialHandler to use. If not specified, the built-in handlers will be tested in turn and the first one to accept the specified algorithm will be used.
- -f - The name of the file that contains passwords to encode. Each line in the file should contain only one password. Using this option ignores other password input.
This generation process currently supports the following CredentialHandlers, the correct one being selected based on the algorithm specified:
- Parameters:
args
- The parameters passed on the command line- Throws:
IOException
- If an error occurs reading the password file
-
getObjectNameKeyProperties
Description copied from class:LifecycleMBeanBase
Allow sub-classes to specify the key properties component of theObjectName
that will be used to register this component.- Specified by:
getObjectNameKeyProperties
in classLifecycleMBeanBase
- Returns:
- The string representation of the key properties component of the desired
ObjectName
-
getDomainInternal
Description copied from class:LifecycleMBeanBase
Method implemented by sub-classes to identify the domain in which MBeans should be registered.- Specified by:
getDomainInternal
in classLifecycleMBeanBase
- Returns:
- The name of the domain to use to register MBeans.
-
getRealmPath
-
setRealmPath
-
getRealmSuffix
-
getRoles
Description copied from interface:Realm
Return roles associated with given principal
-