|
Apache Tomcat 6.0.45 | ||||||||
| PREV CLASS NEXT CLASS | FRAMES NO FRAMES | ||||||||
| SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD | ||||||||
java.lang.Objectorg.apache.catalina.realm.RealmBase
org.apache.catalina.realm.JAASRealm
public class JAASRealm
Implmentation of Realm that authenticates users via the Java
Authentication and Authorization Service (JAAS). JAAS support requires
either JDK 1.4 (which includes it as part of the standard platform) or
JDK 1.3 (with the plug-in jaas.jar file).
The value configured for the appName property is passed to
the javax.security.auth.login.LoginContext constructor, to
specify the application name used to select the set of relevant
LoginModules required.
The JAAS Specification describes the result of a successful login as a
javax.security.auth.Subject instance, which can contain zero
or more java.security.Principal objects in the return value
of the Subject.getPrincipals() method. However, it provides
no guidance on how to distinguish Principals that describe the individual
user (and are thus appropriate to return as the value of
request.getUserPrincipal() in a web application) from the Principal(s)
that describe the authorized roles for this user. To maintain as much
independence as possible from the underlying LoginMethod
implementation executed by JAAS, the following policy is implemented by
this Realm:
LoginModule is assumed to return a
Subject with at least one Principal instance
representing the user himself or herself, and zero or more separate
Principals representing the security roles authorized
for this user.Principal representing the user, the Principal
name is an appropriate value to return via the Servlet API method
HttpServletRequest.getRemoteUser().Principals representing the security roles, the
name is the name of the authorized security role.java.security.Principal - one that identifies class(es)
representing a user, and one that identifies class(es) representing
a security role.Principals returned by
Subject.getPrincipals(), it will identify the first
Principal that matches the "user classes" list as the
Principal for this user.Princpals returned by
Subject.getPrincipals(), it will accumulate the set of
all Principals matching the "role classes" list as
identifying the security roles for this user.Subject without a Principal that
matches the "user classes" list.Catalina {
org.foobar.auth.DatabaseLoginModule REQUIRED
JNDI_RESOURCE=jdbc/AuthDB
USER_TABLE=users
USER_ID_COLUMN=id
USER_NAME_COLUMN=name
USER_CREDENTIAL_COLUMN=password
ROLE_TABLE=roles
ROLE_NAME_COLUMN=name
PRINCIPAL_FACTORY=org.foobar.auth.impl.SimplePrincipalFactory;
};CATALINA_OPTS environment variable
similar to the following:
CATALINA_OPTS="-Djava.security.auth.login.config=$CATALINA_HOME/conf/jaas.config"
CallbackHandler,
called (unsurprisingly) JAASCallbackHandler. This handler supplies the
HTTP requests's username and credentials to the user-supplied LoginModuleRealm implementations, digested passwords are supported if
the <Realm> element in server.xml contains a
digest attribute; JAASCallbackHandler will digest the password
prior to passing it back to the LoginModule
| Nested Class Summary |
|---|
| Nested classes/interfaces inherited from class org.apache.catalina.realm.RealmBase |
|---|
RealmBase.AllRolesMode |
| Field Summary | |
|---|---|
protected java.lang.String |
appName
The application name passed to the JAAS LoginContext,
which uses it to select the set of relevant LoginModules. |
protected static java.lang.String |
info
Descriptive information about this Realm implementation. |
protected static java.lang.String |
name
Descriptive information about this Realm implementation. |
protected java.util.List<java.lang.String> |
roleClasses
The list of role class names, split out for easy processing. |
protected java.lang.String |
roleClassNames
Comma-delimited list of java.security.Principal classes
that represent security roles. |
protected static StringManager |
sm
The string manager for this package. |
protected boolean |
useContextClassLoader
Whether to use context ClassLoader or default ClassLoader. |
protected java.util.List<java.lang.String> |
userClasses
The set of user class names, split out for easy processing. |
protected java.lang.String |
userClassNames
Comma-delimited list of java.security.Principal classes
that represent individual users. |
| Fields inherited from class org.apache.catalina.realm.RealmBase |
|---|
allRolesMode, container, containerLog, controller, digest, digestEncoding, domain, host, initialized, lifecycle, md, md5Encoder, md5Helper, mserver, oname, path, realmPath, started, support, type, validate, x509UsernameRetriever, x509UsernameRetrieverClassName |
| Fields inherited from interface org.apache.catalina.Lifecycle |
|---|
AFTER_START_EVENT, AFTER_STOP_EVENT, BEFORE_START_EVENT, BEFORE_STOP_EVENT, DESTROY_EVENT, INIT_EVENT, PERIODIC_EVENT, START_EVENT, STOP_EVENT |
| Constructor Summary | |
|---|---|
JAASRealm()
|
|
| Method Summary | |
|---|---|
protected java.security.Principal |
authenticate(java.lang.String username,
javax.security.auth.callback.CallbackHandler callbackHandler)
Perform the actual JAAS authentication |
java.security.Principal |
authenticate(java.lang.String username,
java.lang.String credentials)
Return the Principal associated with the specified username
and credentials, if there is one; otherwise return null. |
java.security.Principal |
authenticate(java.lang.String username,
java.lang.String clientDigest,
java.lang.String nonce,
java.lang.String nc,
java.lang.String cnonce,
java.lang.String qop,
java.lang.String realmName,
java.lang.String md5a2)
Return the Principal associated with the specified username
and digest, if there is one; otherwise return null. |
protected java.security.Principal |
createPrincipal(java.lang.String username,
javax.security.auth.Subject subject)
Deprecated. Use createPrincipal(String, Subject, LoginContext) |
protected java.security.Principal |
createPrincipal(java.lang.String username,
javax.security.auth.Subject subject,
javax.security.auth.login.LoginContext loginContext)
Identify and return a java.security.Principal instance
representing the authenticated user for the specified Subject. |
java.lang.String |
getAppName()
getter for the appName member variable |
java.lang.String |
getInfo()
Return descriptive information about this Realm implementation and the corresponding version number, in the format <description>/<version>. |
protected java.lang.String |
getName()
Return a short name for this Realm implementation. |
protected java.lang.String |
getPassword(java.lang.String username)
Return the password associated with the given principal's user name. |
protected java.security.Principal |
getPrincipal(java.lang.String username)
Return the Principal associated with the given user name. |
java.lang.String |
getRoleClassNames()
|
java.lang.String |
getUserClassNames()
|
boolean |
isUseContextClassLoader()
Returns whether to use the context or default ClassLoader. |
protected java.lang.String |
makeLegalForJAAS(java.lang.String src)
Ensure the given name is legal for JAAS configuration. |
protected void |
parseClassNames(java.lang.String classNamesString,
java.util.List<java.lang.String> classNamesList)
Parses a comma-delimited list of class names, and store the class names in the provided List. |
void |
setAppName(java.lang.String name)
Deprecated. JAAS should use the Engine (domain) name and webpp/host overrides |
void |
setContainer(Container container)
Set the Container with which this Realm has been associated. |
void |
setRoleClassNames(java.lang.String roleClassNames)
Sets the list of comma-delimited classes that represent roles. |
void |
setUseContextClassLoader(boolean useContext)
Sets whether to use the context or default ClassLoader. |
void |
setUserClassNames(java.lang.String userClassNames)
Sets the list of comma-delimited classes that represent individual users. |
void |
start()
Prepare for active use of the public methods of this Component. |
void |
stop()
Gracefully shut down active use of the public methods of this Component. |
| Methods inherited from class java.lang.Object |
|---|
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait |
| Field Detail |
|---|
protected java.lang.String appName
LoginContext,
which uses it to select the set of relevant LoginModules.
protected static final java.lang.String info
Realm implementation.
protected static final java.lang.String name
Realm implementation.
protected java.util.List<java.lang.String> roleClasses
protected static final StringManager sm
protected java.util.List<java.lang.String> userClasses
protected boolean useContextClassLoader
protected java.lang.String roleClassNames
java.security.Principal classes
that represent security roles.
protected java.lang.String userClassNames
java.security.Principal classes
that represent individual users.
| Constructor Detail |
|---|
public JAASRealm()
| Method Detail |
|---|
public void setAppName(java.lang.String name)
Engine (domain) name and webpp/host overrides
appName member variable
public java.lang.String getAppName()
appName member variable
public void setUseContextClassLoader(boolean useContext)
useContext - True means use context ClassLoaderpublic boolean isUseContextClassLoader()
public void setContainer(Container container)
RealmBase
setContainer in interface RealmsetContainer in class RealmBasecontainer - The associated Containerpublic java.lang.String getRoleClassNames()
public void setRoleClassNames(java.lang.String roleClassNames)
java.security.Principal.
The supplied list of classes will be parsed when start() is
called.
protected void parseClassNames(java.lang.String classNamesString,
java.util.List<java.lang.String> classNamesList)
java.security.Principal.
classNamesString - a comma-delimited list of fully qualified class names.classNamesList - the list in which the class names will be stored.
The list is cleared before being populated.public java.lang.String getUserClassNames()
public void setUserClassNames(java.lang.String userClassNames)
java.security.Principal. The supplied list of classes will
be parsed when start() is called.
public java.lang.String getInfo()
<description>/<version>.
getInfo in interface RealmgetInfo in class RealmBase
public java.security.Principal authenticate(java.lang.String username,
java.lang.String credentials)
Principal associated with the specified username
and credentials, if there is one; otherwise return null.
authenticate in interface Realmauthenticate in class RealmBaseusername - Username of the Principal to look upcredentials - Password or other credentials to use in
authenticating this username
public java.security.Principal authenticate(java.lang.String username,
java.lang.String clientDigest,
java.lang.String nonce,
java.lang.String nc,
java.lang.String cnonce,
java.lang.String qop,
java.lang.String realmName,
java.lang.String md5a2)
Principal associated with the specified username
and digest, if there is one; otherwise return null.
authenticate in interface Realmauthenticate in class RealmBaseusername - Username of the Principal to look upclientDigest - Digest to use in authenticating this usernamenonce - Server generated noncenc - Nonce countcnonce - Client generated nonceqop - Quality of protection aplied to the messagerealmName - Realm namemd5a2 - Second MD5 digest used to calculate the digest
MD5(Method + ":" + uri)
protected java.security.Principal authenticate(java.lang.String username,
javax.security.auth.callback.CallbackHandler callbackHandler)
protected java.lang.String getName()
Realm implementation.
getName in class RealmBaseprotected java.lang.String getPassword(java.lang.String username)
getPassword in class RealmBaseprotected java.security.Principal getPrincipal(java.lang.String username)
Principal associated with the given user name.
getPrincipal in class RealmBase
protected java.security.Principal createPrincipal(java.lang.String username,
javax.security.auth.Subject subject)
createPrincipal(String, Subject, LoginContext)
protected java.security.Principal createPrincipal(java.lang.String username,
javax.security.auth.Subject subject,
javax.security.auth.login.LoginContext loginContext)
java.security.Principal instance
representing the authenticated user for the specified Subject.
The Principal is constructed by scanning the list of Principals returned
by the JAASLoginModule. The first Principal object that matches
one of the class names supplied as a "user class" is the user Principal.
This object is returned to the caller.
Any remaining principal objects returned by the LoginModules are mapped to
roles, but only if their respective classes match one of the "role class" classes.
If a user Principal cannot be constructed, return null.
subject - The Subject representing the logged-in userloginContext - Associated with the Principal so
LoginContext.logout() can be called laterprotected java.lang.String makeLegalForJAAS(java.lang.String src)
src - The name to validate
public void start()
throws LifecycleException
Component.
start in interface Lifecyclestart in class RealmBaseLifecycleException - if this component detects a fatal error
that prevents it from being started
public void stop()
throws LifecycleException
Component.
stop in interface Lifecyclestop in class RealmBaseLifecycleException - if this component detects a fatal error
that needs to be reported
|
Apache Tomcat 6.0.45 | ||||||||
| PREV CLASS NEXT CLASS | FRAMES NO FRAMES | ||||||||
| SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD | ||||||||