Package com.sun.web.security

Class RealmAdapter

  • All Implemented Interfaces:
    RealmInitializer, Lifecycle, Realm, org.glassfish.hk2.api.PostConstruct
    @Service
@PerLookup
public class RealmAdapter
extends RealmBase
implements RealmInitializer, org.glassfish.hk2.api.PostConstruct
    This is the realm adapter used to authenticate users and authorize access to web resources. The authenticate method is called by Tomcat to authenticate users. The hasRole method is called by Tomcat during the authorization process.
    Author:
    Harpreet Singh, JeanFrancois Arcand

    • Constructor Detail

      • RealmAdapter

        public RealmAdapter()

      • RealmAdapter

        public RealmAdapter​(String realmName,
                    String moduleID)
        Create for WS EJB endpoint authentication. Roles related data is not available here.

    • Method Detail

      • initializeRealm

        public void initializeRealm​(Object bundleDescriptor,
                            boolean isSystemApp,
                            String defaultRealmName)
        Initializes the internal state of this instance with provided parameters.
        Specified by:
        initializeRealm in interface RealmInitializer
        Parameters:
        bundleDescriptor - must be an instance of WebBundleDescriptor
        isSystemApp - - realm may have different behavior for system applications
        defaultRealmName - - this realm name will be used as a default if there is not any other configured in the descriptor.

      • isSecurityExtensionEnabled

        public boolean isSecurityExtensionEnabled​(jakarta.servlet.ServletContext context)
        Return true if JASPIC is available.
        Specified by:
        isSecurityExtensionEnabled in interface Realm
        Overrides:
        isSecurityExtensionEnabled in class RealmBase
        Parameters:
        context - the ServletContext
        Returns:
        true if JASPIC is available. 1171

      • findSecurityConstraints

        public SecurityConstraint[] findSecurityConstraints​(HttpRequest request,
                                                    Context context)
        One of the initial operations being done to apply security to a request, is to find out if there are security constraints for a request. Returns null 1. if there are no security constraints defined on any of the web resources within the context, or 2. if the target is a form login related page or target.

        See SJSAS 6232464 6202703 otherwise return an empty array of SecurityConstraint.

        Specified by:
        findSecurityConstraints in interface Realm
        Overrides:
        findSecurityConstraints in class RealmBase
        Parameters:
        request - Request we are processing
        context - Context the Request is mapped to

      • findSecurityConstraints

        public SecurityConstraint[] findSecurityConstraints​(String requestPathMB,
                                                    String httpMethod,
                                                    Context context)
        Returns null if there are no security constraints defined on any of the web resources within the context

        See SJSAS 6232464 6202703 otherwise return an empty array of SecurityConstraint.

        Specified by:
        findSecurityConstraints in interface Realm
        Overrides:
        findSecurityConstraints in class RealmBase
        Parameters:
        requestPathMB - the request URI (minus the context Path)
        httpMethod - the request method
        context - the context
        Returns:
        the security constraints configured by the given context for the given request URI and method, or null

      • hasUserDataPermission

        public boolean hasUserDataPermission​(HttpRequest request,
                                     HttpResponse response,
                                     SecurityConstraint[] constraints)
                              throws IOException
        Enforce any user data constraint required by the security constraint guarding this request URI.
        Specified by:
        hasUserDataPermission in interface Realm
        Overrides:
        hasUserDataPermission in class RealmBase
        Parameters:
        request - Request we are processing
        response - Response we are creating
        constraints - Security constraint being checked
        Returns:
        true if this constraint was not violated and processing should continue, or false if we have created a response already
        Throws:
        IOException - if an input/output error occurs

      • hasUserDataPermission

        public boolean hasUserDataPermission​(HttpRequest request,
                                     HttpResponse response,
                                     SecurityConstraint[] constraints,
                                     String uri,
                                     String method)
                              throws IOException
        Checks if the given request URI and method are the target of any user-data-constraint with a transport-guarantee of CONFIDENTIAL, and whether any such constraint is already satisfied.

        If uri and method are null, then the URI and method of the given request are checked.

        If a user-data-constraint exists that is not satisfied, then the given request will be redirected to HTTPS.

        Specified by:
        hasUserDataPermission in interface Realm
        Overrides:
        hasUserDataPermission in class RealmBase
        Parameters:
        request - the request that may be redirected
        response - the response that may be redirected
        constraints - the security constraints to check against
        uri - the request URI (minus the context path) to check
        method - the request method to check
        Returns:
        true if the request URI and method are not the target of any unsatisfied user-data-constraint with a transport-guarantee of CONFIDENTIAL, and false if they are (in which case the given request will have been redirected to HTTPS)
        Throws:
        IOException

      • preAuthenticateCheck

        public int preAuthenticateCheck​(HttpRequest request,
                                HttpResponse response,
                                SecurityConstraint[] constraints,
                                boolean disableProxyCaching,
                                boolean securePagesWithPragma,
                                boolean ssoEnabled)
                         throws IOException
        Checks whether or not authentication is needed. If JASPIC / JSR 196 is active, authentication is always done.

        Returns an int, one of:

        • AUTHENTICATE_NOT_NEEDED,
        • AUTHENTICATE_NEEDED
        • AUTHENTICATED_NOT_AUTHORIZED

        See SJSAS 6202703

        Specified by:
        preAuthenticateCheck in interface Realm
        Overrides:
        preAuthenticateCheck in class RealmBase
        Parameters:
        request - Request we are processing
        response - Response we are creating
        constraints - Security constraint we are enforcing
        disableProxyCaching - whether or not to disable proxy caching for protected resources.
        securePagesWithPragma - true if we add headers which are incompatible with downloading office documents in IE under SSL but which fix a caching problem in Mozilla.
        ssoEnabled - true if sso is enabled
        Throws:
        IOException - if an input/output error occurs

      • invokeAuthenticateDelegate

        public boolean invokeAuthenticateDelegate​(HttpRequest request,
                                          HttpResponse response,
                                          Context context,
                                          Authenticator authenticator,
                                          boolean calledFromAuthenticate)
                                   throws IOException
        Authenticates the user making this request, based on the specified authentication mechanism. Return true if any specified requirements have been satisfied, or false if we have created a response challenge already.
        Specified by:
        invokeAuthenticateDelegate in interface Realm
        Overrides:
        invokeAuthenticateDelegate in class RealmBase
        Parameters:
        request - Request we are processing
        response - Response we are creating
        context - The Context to which client of this class is attached.
        authenticator - the current authenticator.
        calledFromAuthenticate - if the calls to this method comes from a call to HttpServletRequest.authenticate
        Returns:
        Throws:
        IOException - if an input/output error occurs

      • getName

        protected String getName()
        Description copied from class: RealmBase
        Return a short name for this Realm implementation, for use in log messages.
        Specified by:
        getName in class RealmBase

      • setVirtualServer

        public void setVirtualServer​(Object container)
        Sets the realm's virtual server container.
        Specified by:
        setVirtualServer in interface RealmInitializer
        Parameters:
        container - - must be an instance of Container

      • authenticate

        public Principal authenticate​(String username,
                              char[] password)
        Authenticates and sets the SecurityContext in the TLS.

        This username/password authenticate variant is primarily used by the Basic- and FormAuthenticator.

        Specified by:
        authenticate in interface Realm
        Overrides:
        authenticate in class RealmBase
        Parameters:
        username - the user name.
        password - the password.
        Returns:
        the authenticated principal.

      • authenticate

        public Principal authenticate​(jakarta.servlet.http.HttpServletRequest httpServletRequest)
        Authenticates and sets the SecurityContext in the TLS. This HttpServletRequest authenticate variant is primarily used by the DigestAuthenticator
        Specified by:
        authenticate in interface Realm
        Overrides:
        authenticate in class RealmBase
        Parameters:
        httpServletRequest - HTTP servlet request.

      • authenticate

        public Principal authenticate​(X509Certificate[] certificates)
        Authenticates and sets the SecurityContext in the TLS. This HttpServletRequest authenticate variant is primarily used by the SSLAuthenticator
        Specified by:
        authenticate in interface Realm
        Overrides:
        authenticate in class RealmBase
        Parameters:
        certificates - Array of client certificates, with the first one in the array being the certificate of the client itself.

      • hasResourcePermission

        public boolean hasResourcePermission​(HttpRequest request,
                                     HttpResponse response,
                                     SecurityConstraint[] constraints,
                                     Context context)
                              throws IOException
        Perform access control based on the specified authorization constraint. Return true if this constraint is satisfied and processing should continue, or false otherwise.
        Specified by:
        hasResourcePermission in interface Realm
        Overrides:
        hasResourcePermission in class RealmBase
        Parameters:
        request - Request we are processing
        response - Response we are creating
        constraints - Security constraint we are enforcing
        context - The Context to which client of this class is attached.
        Throws:
        IOException - if an input/output error occurs

      • hasRole

        public boolean hasRole​(HttpRequest request,
                       HttpResponse response,
                       Principal principal,
                       String role)
        Check if the given principal has the provided role. Returns true if the principal has the specified role, false otherwise.
        Specified by:
        hasRole in interface Realm
        Overrides:
        hasRole in class RealmBase
        Parameters:
        principal - the principal
        role - the role
        request - Request we are processing
        response - Response we are creating
        Returns:
        true if the principal has the specified role.

      • logout

        public void logout​(HttpRequest httpRequest)
        Description copied from interface: Realm
        Logs out.
        Specified by:
        logout in interface Realm
        Overrides:
        logout in class RealmBase
        Parameters:
        httpRequest - the HttpRequest

      • authenticate

        public boolean authenticate​(WebPrincipal principal)
        Used by SecurityServiceImpl

      • getJaccWebAuthorizationManager

        public JaccWebAuthorizationManager getJaccWebAuthorizationManager​(boolean logNull)
        Utility method to get the web security manager.

        This will log a warning if the manager is not found in the factory, and logNull is true.

      • createFailOveredPrincipal

        public Principal createFailOveredPrincipal​(String username)
        This method is added to create a Principal based on the username only. Hercules stores the username as part of authentication failover and needs to create a Principal based on username only See IASRI 4809144
        Parameters:
        username -
        Returns:
        Principal for the user username HERCULES:add

      • preSetRunAsIdentity

        public void preSetRunAsIdentity​(ComponentInvocation inv)
        Set the run-as principal into the SecurityContext when needed.

        This method will attempt to obtain the name of the servlet from the ComponentInvocation. Note that there may not be one since this gets called also during internal processing (not clear..) not just part of servlet requests. However, if it is not a servlet request there is no need (or possibility) to have a run-as setting so no further action is taken.

        If the servlet name is present the runAsPrincipals cache is checked to find the run-as principal to use (if any). If one is set, the SecurityContext is switched to this principal.

        See IASRI 4747594

        Parameters:
        inv - The invocation object to process.

      • postSetRunAsIdentity

        public void postSetRunAsIdentity​(ComponentInvocation invocation)
        Attempts to restore old SecurityContext (but fails).

        In theory this method seems to attempt to check if a run-as principal was set by preSetRunAsIdentity() (based on the indirect assumption that if the servlet in the given invocation has a run-as this must've been the case). If so, it retrieves the oldSecurityContext from the invocation object and set it in the SecurityContext.

        The problem is that the invocation object is not the same object as was passed in to preSetRunAsIdentity() so it will never contain the right info - see bug 4757733.

        In practice it means this method only ever sets the SecurityContext to null (if run-as matched) or does nothing. In particular note the implication that it will be set to null after a run-as invocation completes. This behavior will be retained for the time being for consistency with RI. It must be fixed later.

        Parameters:
        invocation - The invocation object to process.

      • getPassword

        protected char[] getPassword​(String username)
        Description copied from class: RealmBase
        Return the password associated with the given principal's user name.
        Specified by:
        getPassword in class RealmBase

      • setCurrentSecurityContextWithWebPrincipal

        public void setCurrentSecurityContextWithWebPrincipal​(Principal principal)

      • setCurrentSecurityContext

        public void setCurrentSecurityContext​(Principal principal)

      • postConstruct

        public void postConstruct()
        Specified by:
        postConstruct in interface org.glassfish.hk2.api.PostConstruct