Class CertificateRealm

  • All Implemented Interfaces:
    Comparable<Realm>

    @Service
    public final class CertificateRealm
    extends BaseRealm
    Realm wrapper for supporting certificate authentication.

    The certificate realm provides the security-service functionality needed to process client-certificate authentication.

    Since SSL/TLS processing and client certificate verification are done by NSS before the request reaches the realm, no authentication is actually done by this realm. It only serves the purpose of being registered as the certificate handler realm and of servicing group membership requests during web container role checks.

    There is no JAAS LoginModule corresponding to the certificate realm, so this realm does not require the jaas-context configuration parameter to be set. The purpose of a JAAS LoginModule is to implement the actual authentication processing, which for this realm has already been done by the time execution reaches Java.

    The certificate realm requires no properties in its configuration.

    The following optional properties can also be specified:

    • assign-groups - a comma-separated list of group names which will be assigned to every user who presents a cryptographically valid client certificate (one accepted by the TLS layer).
    • common-name-as-principal-name - if true, the CN from the client certificate will be used as the name of the principal instead of the full distinguished name.
    • dn-parts-used-for-groups - a comma-separated list of attribute (OID) names; the values of those attributes in the certificate's distinguished name will be used as group names.
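    As an added illustration (not the realm's own code, and not part of this page), the following Java program models how the three optional properties above determine the principal name and group set that result from a verified client certificate, and why a lookup by username alone can only ever return the assign-groups list. The class name, constructor and method names are hypothetical; it assumes property values are plain comma-separated lists and compares DN attribute types case-insensitively.

```java
import java.util.ArrayList;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

/**
 * Hypothetical model of the certificate realm's optional properties.
 * No certificate validation happens here: by design the TLS layer has
 * already verified the chain, so only naming and group mapping remain.
 */
public final class CertRealmPropertiesDemo {

    private final List<String> assignGroups;       // assign-groups
    private final boolean cnAsPrincipalName;       // common-name-as-principal-name
    private final List<String> dnPartsForGroups;   // dn-parts-used-for-groups

    public CertRealmPropertiesDemo(String assignGroups, boolean cnAsPrincipalName,
                                   String dnPartsForGroups) {
        this.assignGroups = parseList(assignGroups);
        this.cnAsPrincipalName = cnAsPrincipalName;
        this.dnPartsForGroups = parseList(dnPartsForGroups);
    }

    /** Splits a comma-separated property value, trimming and dropping empties. */
    static List<String> parseList(String csv) {
        List<String> out = new ArrayList<>();
        if (csv == null) {
            return out;
        }
        for (String item : csv.split(",")) {
            String trimmed = item.trim();
            if (!trimmed.isEmpty()) {
                out.add(trimmed);
            }
        }
        return out;
    }

    /** Principal name: the RFC 2253 DN, or just the CN when the property is set. */
    public String principalName(X500Principal principal) throws InvalidNameException {
        String dn = principal.getName(X500Principal.RFC2253);
        if (!cnAsPrincipalName) {
            return dn;
        }
        for (Rdn rdn : new LdapName(dn).getRdns()) {
            // getType() is the first attribute of a multi-valued RDN; sufficient here
            if (rdn.getType().equalsIgnoreCase("CN")) {
                return rdn.getValue().toString();
            }
        }
        // Caveat: a certificate without a CN must not yield an empty principal;
        // fall back to the full DN rather than silently producing "".
        return dn;
    }

    /** Groups available when the certificate is in hand: assign-groups plus DN parts. */
    public Set<String> groups(X500Principal principal) throws InvalidNameException {
        Set<String> groups = new LinkedHashSet<>(assignGroups);
        LdapName dn = new LdapName(principal.getName(X500Principal.RFC2253));
        for (Rdn rdn : dn.getRdns()) {
            for (String part : dnPartsForGroups) {
                if (rdn.getType().equalsIgnoreCase(part)) {
                    groups.add(rdn.getValue().toString());
                }
            }
        }
        return groups;
    }

    /** What a getGroupNames(username)-style lookup can see: no certificate, so only assign-groups. */
    public Set<String> groupsWithoutCertificate() {
        return new LinkedHashSet<>(assignGroups);
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed sample subject DN, as a client certificate's TLS layer would hand it over.
        X500Principal client = new X500Principal("CN=alice,OU=ops,O=Example Corp,C=US");
        CertRealmPropertiesDemo realm =
                new CertRealmPropertiesDemo("cert-users, employees", true, "OU,O");

        System.out.println("principal: " + realm.principalName(client));
        System.out.println("groups with certificate: " + realm.groups(client));
        System.out.println("groups by username only: " + realm.groupsWithoutCertificate());
    }
}
```

    Two practical caveats follow from this model. Group membership derived via dn-parts-used-for-groups is only as trustworthy as the issuing CA's policy for those DN attributes, so that property is appropriate only when you control what the CA will put in an OU or O, and using common-name-as-principal-name makes identity depend on the CA enforcing CN uniqueness across everything it issues. The properties themselves are set on the realm's auth-realm configuration; on GlassFish-derived servers that is typically done with asadmin create-auth-realm and its --property option, using a colon between name=value pairs (shown here as an assumption about the tooling, not something this page states).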

    Field Detail

      • AUTH_TYPE

        public static final String AUTH_TYPE
        Descriptive string of the authentication type of this realm.
        See Also:
        Constant Field Values

    Constructor Detail

      • CertificateRealm

        public CertificateRealm()

    Method Detail

      • getAuthType

        public String getAuthType()
        Returns a short (preferably less than fifteen characters) description of the kind of authentication which is supported by this realm.
        Specified by:
        getAuthType in class AbstractRealm
        Returns:
        Description of the kind of authentication that is directly supported by this realm.
      • getGroupNames

        public Enumeration<String> getGroupNames(String username)
        WARNING: this method receives only the username and has no access to the user's certificate, so it cannot return groups derived from the certificate's distinguished name (dn-parts-used-for-groups). It returns only the groups configured via assign-groups, which apply to every user authenticated by this realm.
        Specified by:
        getGroupNames in class AbstractRealm
        Parameters:
        username - name of the user in this realm whose group listing is needed.
        Returns:
        enumeration of group names assigned to all users authenticated by this realm.
      • authenticate

        public String authenticate(Subject subject,
                                   X500Principal principal)
        Completes certificate authentication for a client whose certificate has already been verified by the TLS layer. No further certificate validation is performed here; the realm applies its configured properties (principal naming and group assignment, as described above) for the supplied Subject and reports the resulting principal name.
        Parameters:
        subject - The Subject object for the authentication request.
        principal - The X500Principal taken from the user's client certificate.
        Returns:
        the principal's name: the certificate's distinguished name, or its CN when common-name-as-principal-name is true