Class RealmAdapter
- java.lang.Object
-
- org.apache.catalina.realm.RealmBase
-
- com.sun.web.security.RealmAdapter
-
- All Implemented Interfaces:
RealmInitializer
,Lifecycle
,Realm
,org.glassfish.hk2.api.PostConstruct
@Service @PerLookup public class RealmAdapter extends RealmBase implements RealmInitializer, org.glassfish.hk2.api.PostConstruct
This is the realm adapter used to authenticate users and authorize access to web resources. The authenticate method is called by Tomcat to authenticate users. The hasRole method is called by Tomcat during the authorization process.- Author:
- Harpreet Singh, JeanFrancois Arcand
-
-
Nested Class Summary
Nested Classes Modifier and Type Class Description static interface
RealmAdapter.IOSupplier<T>
-
Field Summary
Fields Modifier and Type Field Description static String
BASIC
static String
FORM
protected boolean
isCurrentURIincluded
protected JaccWebAuthorizationManager
jaccWebAuthorizationManager
AJaccWebAuthorizationManager
object associated with a jaccContextIdprotected static String
name
Descriptive information about this Realm implementation.protected ReadWriteLock
rwLock
static String
SECURITY_CONTEXT
protected WebSecurityManagerFactory
webSecurityManagerFactory
The factory used for creatingJaccWebAuthorizationManager
object.-
Fields inherited from class org.apache.catalina.realm.RealmBase
checkIfRequestIsSecure, container, controller, debug, digest, digestEncoding, info, lifecycle, log, md, md5Encoder, md5Helper, rb, started, support, validate
-
Fields inherited from interface org.apache.catalina.Lifecycle
AFTER_START_EVENT, AFTER_STOP_EVENT, BEFORE_START_EVENT, BEFORE_STOP_EVENT, INIT_EVENT, START_EVENT, STOP_EVENT
-
Fields inherited from interface org.apache.catalina.Realm
AUTHENTICATE_NEEDED, AUTHENTICATE_NOT_NEEDED, AUTHENTICATED_NOT_AUTHORIZED
-
-
Constructor Summary
Constructors Constructor Description RealmAdapter()
RealmAdapter(String realmName, String moduleID)
Create for WS EJB endpoint authentication.
-
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description boolean
authenticate(WebPrincipal principal)
Used by SecurityServiceImplPrincipal
authenticate(jakarta.servlet.http.HttpServletRequest httpServletRequest)
Authenticates and sets the SecurityContext in the TLS.Principal
authenticate(String username, char[] password)
Authenticates and sets the SecurityContext in the TLS.Principal
authenticate(X509Certificate[] certificates)
Authenticates and sets the SecurityContext in the TLS.Principal
createFailOveredPrincipal(String username)
This method is added to create a Principal based on the username only.void
destroy()
SecurityConstraint[]
findSecurityConstraints(String requestPathMB, String httpMethod, Context context)
Returns null if there are no security constraints defined on any of the web resources within the contextSecurityConstraint[]
findSecurityConstraints(HttpRequest request, Context context)
One of the initial operations being done to apply security to a request, is to find out if there are security constraints for a request.JaccWebAuthorizationManager
getJaccWebAuthorizationManager(boolean logNull)
Utility method to get the web security manager.protected String
getName()
Return a short name for this Realm implementation, for use in log messages.protected char[]
getPassword(String username)
Return the password associated with the given principal's user name.protected Principal
getPrincipal(String username)
Return the Principal associated with the given user name.String
getRealmName()
Returns the name of the associated realm.boolean
hasResourcePermission(HttpRequest request, HttpResponse response, SecurityConstraint[] constraints, Context context)
Perform access control based on the specified authorization constraint.boolean
hasRole(String servletName, Principal principal, String role)
boolean
hasRole(HttpRequest request, HttpResponse response, Principal principal, String role)
Check if the given principal has the provided role.boolean
hasUserDataPermission(HttpRequest request, HttpResponse response, SecurityConstraint[] constraints)
Enforce any user data constraint required by the security constraint guarding this request URI.boolean
hasUserDataPermission(HttpRequest request, HttpResponse response, SecurityConstraint[] constraints, String uri, String method)
Checks if the given request URI and method are the target of any user-data-constraint with a transport-guarantee of CONFIDENTIAL, and whether any such constraint is already satisfied.void
initializeRealm(Object bundleDescriptor, boolean isSystemApp, String defaultRealmName)
Initializes the internal state of this instance with provided parameters.boolean
invokeAuthenticateDelegate(HttpRequest request, HttpResponse response, Context context, Authenticator authenticator, boolean calledFromAuthenticate)
Authenticates the user making this request, based on the specified authentication mechanism.boolean
invokePostAuthenticateDelegate(HttpRequest request, HttpResponse response, Context context)
Post authentication for given request and response.boolean
isSecurityExtensionEnabled(jakarta.servlet.ServletContext context)
Return true if JASPIC is available.void
logout()
Clean up security and policy context.void
logout(HttpRequest httpRequest)
Logs out.void
postConstruct()
void
postSetRunAsIdentity(ComponentInvocation invocation)
Attempts to restore old SecurityContext (but fails).int
preAuthenticateCheck(HttpRequest request, HttpResponse response, SecurityConstraint[] constraints, boolean disableProxyCaching, boolean securePagesWithPragma, boolean ssoEnabled)
Checks whether or not authentication is needed.void
preSetRunAsIdentity(ComponentInvocation inv)
Set the run-as principal into the SecurityContext when needed.void
setCurrentSecurityContext(Principal principal)
void
setCurrentSecurityContextWithWebPrincipal(Principal principal)
void
setVirtualServer(Object container)
Sets the realm's virtual server container.void
updateWebSecurityManager()
Reinitializes the web security manager.-
Methods inherited from class org.apache.catalina.realm.RealmBase
addLifecycleListener, addPropertyChangeListener, authenticate, backgroundProcess, digest, disableProxyCaching, findLifecycleListeners, getAlternateAuthType, getAlternatePrincipal, getContainer, getController, getDebug, getDigest, getDigest, getDigestEncoding, getInfo, getValidate, hasMessageDigest, hasRole, log, log, removeLifecycleListener, removePropertyChangeListener, setContainer, setController, setDebug, setDigest, setDigestEncoding, setRealmName, setValidate, start, stop
-
-
-
-
Field Detail
-
SECURITY_CONTEXT
public static final String SECURITY_CONTEXT
- See Also:
- Constant Field Values
-
BASIC
public static final String BASIC
- See Also:
- Constant Field Values
-
FORM
public static final String FORM
- See Also:
- Constant Field Values
-
name
protected static final String name
Descriptive information about this Realm implementation.- See Also:
- Constant Field Values
-
jaccWebAuthorizationManager
protected volatile JaccWebAuthorizationManager jaccWebAuthorizationManager
AJaccWebAuthorizationManager
object associated with a jaccContextId
-
isCurrentURIincluded
protected boolean isCurrentURIincluded
-
rwLock
protected final ReadWriteLock rwLock
-
webSecurityManagerFactory
@Inject protected WebSecurityManagerFactory webSecurityManagerFactory
The factory used for creatingJaccWebAuthorizationManager
object.
-
-
Method Detail
-
initializeRealm
public void initializeRealm(Object bundleDescriptor, boolean isSystemApp, String defaultRealmName)
Initializes the internal state of this instance with provided parameters.- Specified by:
initializeRealm
in interfaceRealmInitializer
- Parameters:
bundleDescriptor
- must be an instance ofWebBundleDescriptor
isSystemApp
- - realm may have different behavior for system applicationsdefaultRealmName
- - this realm name will be used as a default if there is not any other configured in the descriptor.
-
isSecurityExtensionEnabled
public boolean isSecurityExtensionEnabled(jakarta.servlet.ServletContext context)
Return true if JASPIC is available.- Specified by:
isSecurityExtensionEnabled
in interfaceRealm
- Overrides:
isSecurityExtensionEnabled
in classRealmBase
- Parameters:
context
- the ServletContext- Returns:
- true if JASPIC is available. 1171
-
findSecurityConstraints
public SecurityConstraint[] findSecurityConstraints(HttpRequest request, Context context)
One of the initial operations being done to apply security to a request, is to find out if there are security constraints for a request. Returns null 1. if there are no security constraints defined on any of the web resources within the context, or 2. if the target is a form login related page or target.See SJSAS 6232464 6202703 otherwise return an empty array of SecurityConstraint.
- Specified by:
findSecurityConstraints
in interfaceRealm
- Overrides:
findSecurityConstraints
in classRealmBase
- Parameters:
request
- Request we are processingcontext
- Context the Request is mapped to
-
findSecurityConstraints
public SecurityConstraint[] findSecurityConstraints(String requestPathMB, String httpMethod, Context context)
Returns null if there are no security constraints defined on any of the web resources within the contextSee SJSAS 6232464 6202703 otherwise return an empty array of SecurityConstraint.
- Specified by:
findSecurityConstraints
in interfaceRealm
- Overrides:
findSecurityConstraints
in classRealmBase
- Parameters:
requestPathMB
- the request URI (minus the context Path)httpMethod
- the request methodcontext
- the context- Returns:
- the security constraints configured by the given context for the given request URI and method, or null
-
hasUserDataPermission
public boolean hasUserDataPermission(HttpRequest request, HttpResponse response, SecurityConstraint[] constraints) throws IOException
Enforce any user data constraint required by the security constraint guarding this request URI.- Specified by:
hasUserDataPermission
in interfaceRealm
- Overrides:
hasUserDataPermission
in classRealmBase
- Parameters:
request
- Request we are processingresponse
- Response we are creatingconstraints
- Security constraint being checked- Returns:
true
if this constraint was not violated and processing should continue, orfalse
if we have created a response already- Throws:
IOException
- if an input/output error occurs
-
hasUserDataPermission
public boolean hasUserDataPermission(HttpRequest request, HttpResponse response, SecurityConstraint[] constraints, String uri, String method) throws IOException
Checks if the given request URI and method are the target of any user-data-constraint with a transport-guarantee of CONFIDENTIAL, and whether any such constraint is already satisfied.If uri and method are null, then the URI and method of the given request are checked.
If a user-data-constraint exists that is not satisfied, then the given request will be redirected to HTTPS.
- Specified by:
hasUserDataPermission
in interfaceRealm
- Overrides:
hasUserDataPermission
in classRealmBase
- Parameters:
request
- the request that may be redirectedresponse
- the response that may be redirectedconstraints
- the security constraints to check againsturi
- the request URI (minus the context path) to checkmethod
- the request method to check- Returns:
- true if the request URI and method are not the target of any unsatisfied user-data-constraint with a transport-guarantee of CONFIDENTIAL, and false if they are (in which case the given request will have been redirected to HTTPS)
- Throws:
IOException
-
preAuthenticateCheck
public int preAuthenticateCheck(HttpRequest request, HttpResponse response, SecurityConstraint[] constraints, boolean disableProxyCaching, boolean securePagesWithPragma, boolean ssoEnabled) throws IOException
Checks whether or not authentication is needed. If JASPIC / JSR 196 is active, authentication is always done.Returns an int, one of:
- AUTHENTICATE_NOT_NEEDED,
- AUTHENTICATE_NEEDED
- AUTHENTICATED_NOT_AUTHORIZED
See SJSAS 6202703
- Specified by:
preAuthenticateCheck
in interfaceRealm
- Overrides:
preAuthenticateCheck
in classRealmBase
- Parameters:
request
- Request we are processingresponse
- Response we are creatingconstraints
- Security constraint we are enforcingdisableProxyCaching
- whether or not to disable proxy caching for protected resources.securePagesWithPragma
- true if we add headers which are incompatible with downloading office documents in IE under SSL but which fix a caching problem in Mozilla.ssoEnabled
- true if sso is enabled- Throws:
IOException
- if an input/output error occurs
-
invokeAuthenticateDelegate
public boolean invokeAuthenticateDelegate(HttpRequest request, HttpResponse response, Context context, Authenticator authenticator, boolean calledFromAuthenticate) throws IOException
Authenticates the user making this request, based on the specified authentication mechanism. Returntrue
if any specified requirements have been satisfied, orfalse
if we have created a response challenge already.- Specified by:
invokeAuthenticateDelegate
in interfaceRealm
- Overrides:
invokeAuthenticateDelegate
in classRealmBase
- Parameters:
request
- Request we are processingresponse
- Response we are creatingcontext
- The Context to which client of this class is attached.authenticator
- the current authenticator.calledFromAuthenticate
- if the calls to this method comes from a call to HttpServletRequest.authenticate- Returns:
- Throws:
IOException
- if an input/output error occurs
-
getName
protected String getName()
Description copied from class:RealmBase
Return a short name for this Realm implementation, for use in log messages.
-
getRealmName
public String getRealmName()
Description copied from class:RealmBase
Returns the name of the associated realm.- Specified by:
getRealmName
in interfaceRealm
- Overrides:
getRealmName
in classRealmBase
- Returns:
- realm name or null if not set.
-
setVirtualServer
public void setVirtualServer(Object container)
Sets the realm's virtual server container.- Specified by:
setVirtualServer
in interfaceRealmInitializer
- Parameters:
container
- - must be an instance ofContainer
-
updateWebSecurityManager
public void updateWebSecurityManager()
Description copied from interface:RealmInitializer
Reinitializes the web security manager.- Specified by:
updateWebSecurityManager
in interfaceRealmInitializer
-
authenticate
public Principal authenticate(String username, char[] password)
Authenticates and sets the SecurityContext in the TLS.This username/password authenticate variant is primarily used by the Basic- and FormAuthenticator.
- Specified by:
authenticate
in interfaceRealm
- Overrides:
authenticate
in classRealmBase
- Parameters:
username
- the user name.password
- the password.- Returns:
- the authenticated principal.
-
authenticate
public Principal authenticate(jakarta.servlet.http.HttpServletRequest httpServletRequest)
Authenticates and sets the SecurityContext in the TLS. This HttpServletRequest authenticate variant is primarily used by the DigestAuthenticator- Specified by:
authenticate
in interfaceRealm
- Overrides:
authenticate
in classRealmBase
- Parameters:
httpServletRequest
- HTTP servlet request.
-
authenticate
public Principal authenticate(X509Certificate[] certificates)
Authenticates and sets the SecurityContext in the TLS. This HttpServletRequest authenticate variant is primarily used by the SSLAuthenticator- Specified by:
authenticate
in interfaceRealm
- Overrides:
authenticate
in classRealmBase
- Parameters:
certificates
- Array of client certificates, with the first one in the array being the certificate of the client itself.
-
hasResourcePermission
public boolean hasResourcePermission(HttpRequest request, HttpResponse response, SecurityConstraint[] constraints, Context context) throws IOException
Perform access control based on the specified authorization constraint. Returntrue
if this constraint is satisfied and processing should continue, orfalse
otherwise.- Specified by:
hasResourcePermission
in interfaceRealm
- Overrides:
hasResourcePermission
in classRealmBase
- Parameters:
request
- Request we are processingresponse
- Response we are creatingconstraints
- Security constraint we are enforcingcontext
- The Context to which client of this class is attached.- Throws:
IOException
- if an input/output error occurs
-
invokePostAuthenticateDelegate
public boolean invokePostAuthenticateDelegate(HttpRequest request, HttpResponse response, Context context) throws IOException
Post authentication for given request and response.- Specified by:
invokePostAuthenticateDelegate
in interfaceRealm
- Overrides:
invokePostAuthenticateDelegate
in classRealmBase
- Parameters:
request
- Request we are processingresponse
- Response we are creatingcontext
- The Context to which client of this class is attached.- Throws:
IOException
- if an input/output error occurs
-
hasRole
public boolean hasRole(HttpRequest request, HttpResponse response, Principal principal, String role)
Check if the given principal has the provided role. Returns true if the principal has the specified role, false otherwise.
-
logout
public void logout(HttpRequest httpRequest)
Description copied from interface:Realm
Logs out.
-
logout
public void logout()
Description copied from interface:RealmInitializer
Clean up security and policy context.- Specified by:
logout
in interfaceRealmInitializer
-
authenticate
public boolean authenticate(WebPrincipal principal)
Used by SecurityServiceImpl
-
getJaccWebAuthorizationManager
public JaccWebAuthorizationManager getJaccWebAuthorizationManager(boolean logNull)
Utility method to get the web security manager.This will log a warning if the manager is not found in the factory, and logNull is true.
-
createFailOveredPrincipal
public Principal createFailOveredPrincipal(String username)
This method is added to create a Principal based on the username only. Hercules stores the username as part of authentication failover and needs to create a Principal based on username onlySee IASRI 4809144 - Parameters:
username
-- Returns:
- Principal for the user username HERCULES:add
-
preSetRunAsIdentity
public void preSetRunAsIdentity(ComponentInvocation inv)
Set the run-as principal into the SecurityContext when needed.This method will attempt to obtain the name of the servlet from the ComponentInvocation. Note that there may not be one since this gets called also during internal processing (not clear..) not just part of servlet requests. However, if it is not a servlet request there is no need (or possibility) to have a run-as setting so no further action is taken.
If the servlet name is present the runAsPrincipals cache is checked to find the run-as principal to use (if any). If one is set, the SecurityContext is switched to this principal.
See IASRI 4747594
- Parameters:
inv
- The invocation object to process.
-
postSetRunAsIdentity
public void postSetRunAsIdentity(ComponentInvocation invocation)
Attempts to restore old SecurityContext (but fails).In theory this method seems to attempt to check if a run-as principal was set by preSetRunAsIdentity() (based on the indirect assumption that if the servlet in the given invocation has a run-as this must've been the case). If so, it retrieves the oldSecurityContext from the invocation object and set it in the SecurityContext.
The problem is that the invocation object is not the same object as was passed in to preSetRunAsIdentity() so it will never contain the right info - see bug 4757733.
In practice it means this method only ever sets the SecurityContext to null (if run-as matched) or does nothing. In particular note the implication that it will be set to null after a run-as invocation completes. This behavior will be retained for the time being for consistency with RI. It must be fixed later.
- Parameters:
invocation
- The invocation object to process.
-
getPassword
protected char[] getPassword(String username)
Description copied from class:RealmBase
Return the password associated with the given principal's user name.- Specified by:
getPassword
in classRealmBase
-
getPrincipal
protected Principal getPrincipal(String username)
Description copied from class:RealmBase
Return the Principal associated with the given user name.- Specified by:
getPrincipal
in classRealmBase
-
setCurrentSecurityContextWithWebPrincipal
public void setCurrentSecurityContextWithWebPrincipal(Principal principal)
-
setCurrentSecurityContext
public void setCurrentSecurityContext(Principal principal)
-
postConstruct
public void postConstruct()
- Specified by:
postConstruct
in interfaceorg.glassfish.hk2.api.PostConstruct
-
-