org.apache.catalina.realm
public class JAASRealm extends RealmBase
Implmentation of Realm that authenticates users via the Java
Authentication and Authorization Service (JAAS). JAAS support requires
either JDK 1.4 (which includes it as part of the standard platform) or
JDK 1.3 (with the plug-in jaas.jar
file).
The value configured for the appName
property is passed to
the javax.security.auth.login.LoginContext
constructor, to
specify the application name used to select the set of relevant
LoginModules
required.
The JAAS Specification describes the result of a successful login as a
javax.security.auth.Subject
instance, which can contain zero
or more java.security.Principal
objects in the return value
of the Subject.getPrincipals()
method. However, it provides
no guidance on how to distinguish Principals that describe the individual
user (and are thus appropriate to return as the value of
request.getUserPrincipal() in a web application) from the Principal(s)
that describe the authorized roles for this user. To maintain as much
independence as possible from the underlying LoginMethod
implementation executed by JAAS, the following policy is implemented by
this Realm:
LoginModule
is assumed to return a
Subject
with at least one Principal
instance
representing the user himself or herself, and zero or more separate
Principals
representing the security roles authorized
for this user.Principal
representing the user, the Principal
name is an appropriate value to return via the Servlet API method
HttpServletRequest.getRemoteUser()
.Principals
representing the security roles, the
name is the name of the authorized security role.java.security.Principal
- one that identifies class(es)
representing a user, and one that identifies class(es) representing
a security role.Principals
returned by
Subject.getPrincipals()
, it will identify the first
Principal
that matches the "user classes" list as the
Principal
for this user.Princpals
returned by
Subject.getPrincipals()
, it will accumulate the set of
all Principals
matching the "role classes" list as
identifying the security roles for this user.Subject
without a Principal
that
matches the "user classes" list.Catalina { org.foobar.auth.DatabaseLoginModule REQUIRED JNDI_RESOURCE=jdbc/AuthDB USER_TABLE=users USER_ID_COLUMN=id USER_NAME_COLUMN=name USER_CREDENTIAL_COLUMN=password ROLE_TABLE=roles ROLE_NAME_COLUMN=name PRINCIPAL_FACTORY=org.foobar.auth.impl.SimplePrincipalFactory; };
CATALINA_OPTS
environment variable
similar to the following:
CATALINA_OPTS="-Djava.security.auth.login.config=$CATALINA_HOME/conf/jaas.config"
CallbackHandler
,
called (unsurprisingly) JAASCallbackHandler
. This handler supplies the
HTTP requests's username and credentials to the user-supplied LoginModule
Realm
implementations, digested passwords are supported if
the <Realm>
element in server.xml
contains a
digest
attribute; JAASCallbackHandler
will digest the password
prior to passing it back to the LoginModule
Version: $Revision: 892553 $ $Date: 2009-12-20 03:32:53 +0100 (Sun, 20 Dec 2009) $
Field Summary | |
---|---|
protected String | appName
The application name passed to the JAAS LoginContext ,
which uses it to select the set of relevant LoginModule s. |
protected static String | info
Descriptive information about this Realm implementation. |
protected static String | name
Descriptive information about this Realm implementation. |
protected List<String> | roleClasses
The list of role class names, split out for easy processing. |
protected String | roleClassNames
Comma-delimited list of java.security.Principal classes
that represent security roles. |
protected static StringManager | sm
The string manager for this package. |
protected boolean | useContextClassLoader
Whether to use context ClassLoader or default ClassLoader.
|
protected List<String> | userClasses
The set of user class names, split out for easy processing. |
protected String | userClassNames
Comma-delimited list of java.security.Principal classes
that represent individual users. |
Method Summary | |
---|---|
Principal | authenticate(String username, String credentials)
Return the Principal associated with the specified username
and credentials, if there is one; otherwise return null .
|
Principal | authenticate(String username, String clientDigest, String nonce, String nc, String cnonce, String qop, String realmName, String md5a2)
Return the Principal associated with the specified username
and digest, if there is one; otherwise return null .
|
protected Principal | authenticate(String username, CallbackHandler callbackHandler)
Perform the actual JAAS authentication |
protected Principal | createPrincipal(String username, Subject subject) |
protected Principal | createPrincipal(String username, Subject subject, LoginContext loginContext)
Identify and return a java.security.Principal instance
representing the authenticated user for the specified Subject .
|
String | getAppName()
getter for the appName member variable |
protected String | getName()
Return a short name for this Realm implementation. |
protected String | getPassword(String username)
Return the password associated with the given principal's user name. |
protected Principal | getPrincipal(String username)
Return the Principal associated with the given user name. |
String | getRoleClassNames() |
String | getUserClassNames() |
boolean | isUseContextClassLoader()
Returns whether to use the context or default ClassLoader.
|
protected String | makeLegalForJAAS(String src)
Ensure the given name is legal for JAAS configuration.
|
protected void | parseClassNames(String classNamesString, List<String> classNamesList)
Parses a comma-delimited list of class names, and store the class names
in the provided List. |
void | setAppName(String name)
setter for the appName member variable |
void | setContainer(Container container) |
void | setRoleClassNames(String roleClassNames)
Sets the list of comma-delimited classes that represent roles. |
void | setUseContextClassLoader(boolean useContext)
Sets whether to use the context or default ClassLoader.
|
void | setUserClassNames(String userClassNames)
Sets the list of comma-delimited classes that represent individual
users. |
void | start()
Prepare for active use of the public methods of this Component .
|
void | stop()
Gracefully shut down active use of the public methods of this Component .
|
LoginContext
,
which uses it to select the set of relevant LoginModule
s.Realm
implementation.Realm
implementation.java.security.Principal
classes
that represent security roles.java.security.Principal
classes
that represent individual users.Principal
associated with the specified username
and credentials, if there is one; otherwise return null
.
Parameters: username Username of the Principal
to look up credentials Password or other credentials to use in
authenticating this username
Principal
associated with the specified username
and digest, if there is one; otherwise return null
.
Parameters: username Username of the Principal
to look up clientDigest Digest to use in authenticating this username nonce Server generated nonce nc Nonce count cnonce Client generated nonce qop Quality of protection aplied to the message realmName Realm name md5a2 Second MD5 digest used to calculate the digest
MD5(Method + ":" + uri)
Deprecated: Use JAASRealm
java.security.Principal
instance
representing the authenticated user for the specified Subject
.
The Principal is constructed by scanning the list of Principals returned
by the JAASLoginModule. The first Principal
object that matches
one of the class names supplied as a "user class" is the user Principal.
This object is returned to the caller.
Any remaining principal objects returned by the LoginModules are mapped to
roles, but only if their respective classes match one of the "role class" classes.
If a user Principal cannot be constructed, return null
.Parameters: subject The Subject
representing the logged-in user loginContext Associated with the Principal so
LoginContext#logout() can be called later
appName
member variableRealm
implementation.Principal
associated with the given user name.Returns: The value of useContextClassLoader
Parameters: src The name to validate
Returns: A string that's a valid JAAS realm name
java.security.Principal
.
Parameters: classNamesString a comma-delimited list of fully qualified class names. classNamesList the list in which the class names will be stored. The list is cleared before being populated.
Deprecated: JAAS should use the Engine
(domain) name and webpp/host overrides
appName
member variablejava.security.Principal
.
The supplied list of classes will be parsed when start is
called.Parameters: useContext True means use context ClassLoader
java.security.Principal
. The supplied list of classes will
be parsed when start is called.Component
.
Throws: LifecycleException if this component detects a fatal error that prevents it from being started
Component
.
Throws: LifecycleException if this component detects a fatal error that needs to be reported