Class JAASRealm
- java.lang.Object
  - org.apache.catalina.realm.RealmBase
    - org.apache.catalina.realm.JAASRealm

public class JAASRealm extends RealmBase
Implementation of Realm that authenticates users via the Java Authentication and Authorization Service (JAAS). JAAS support requires either JDK 1.4 (which includes it as part of the standard platform) or JDK 1.3 (with the plug-in jaas.jar file).

The value configured for the appName property is passed to the javax.security.auth.login.LoginContext constructor, to specify the application name used to select the set of relevant LoginModules required.

The JAAS Specification describes the result of a successful login as a javax.security.auth.Subject instance, which can contain zero or more java.security.Principal objects in the return value of the Subject.getPrincipals() method. However, it provides no guidance on how to distinguish Principals that describe the individual user (and are thus appropriate to return as the value of request.getUserPrincipal() in a web application) from the Principal(s) that describe the authorized roles for this user. To maintain as much independence as possible from the underlying LoginMethod implementation executed by JAAS, the following policy is implemented by this Realm:
- The JAAS LoginModule is assumed to return a Subject with at least one Principal instance representing the user himself or herself, and zero or more separate Principals representing the security roles authorized for this user.
- On the Principal representing the user, the Principal name is an appropriate value to return via the Servlet API method HttpServletRequest.getRemoteUser().
- On the Principals representing the security roles, the name is the name of the authorized security role.
- This Realm will be configured with two lists of fully qualified Java class names of classes that implement java.security.Principal: one that identifies class(es) representing a user, and one that identifies class(es) representing a security role.
- As this Realm iterates over the Principals returned by Subject.getPrincipals(), it will identify the first Principal that matches the "user classes" list as the Principal for this user.
- As this Realm iterates over the Principals returned by Subject.getPrincipals(), it will accumulate the set of all Principals matching the "role classes" list as identifying the security roles for this user.
- It is a configuration error for the JAAS login method to return a validated Subject without a Principal that matches the "user classes" list.
- Version:
- $Revision: 1.3 $ $Date: 2006/03/12 01:27:04 $
- Author:
- Craig R. McClanahan
Field Summary
- protected String appName
  The application name passed to the JAAS LoginContext, which uses it to select the set of relevant LoginModules.
- protected static String info
  Descriptive information about this Realm implementation.
- protected static String name
  Descriptive information about this Realm implementation.
- protected ArrayList<String> roleClasses
  The list of role class names, split out for easy processing.
- protected String roleClassNames
  Comma-delimited list of javax.security.Principal classes that represent security roles.
- protected ArrayList<String> userClasses
  The set of user class names, split out for easy processing.
- protected String userClassNames
  Comma-delimited list of javax.security.Principal classes that represent individual users.
Fields inherited from class org.apache.catalina.realm.RealmBase
checkIfRequestIsSecure, container, controller, debug, digest, digestEncoding, lifecycle, log, md, md5Encoder, md5Helper, rb, started, support, validate

Fields inherited from interface org.apache.catalina.Lifecycle
AFTER_START_EVENT, AFTER_STOP_EVENT, BEFORE_START_EVENT, BEFORE_STOP_EVENT, INIT_EVENT, START_EVENT, STOP_EVENT

Fields inherited from interface org.apache.catalina.Realm
AUTHENTICATE_NEEDED, AUTHENTICATE_NOT_NEEDED, AUTHENTICATED_NOT_AUTHORIZED
Constructor Summary
- JAASRealm()
Method Summary
- Principal authenticate(String username, char[] credentials)
  Return the Principal associated with the specified username and credentials, if there is one; otherwise return null.
- protected Principal createPrincipal(String username, Subject subject)
  Construct and return a java.security.Principal instance representing the authenticated user for the specified Subject.
- String getAppName()
  Getter for the appName member variable.
- protected String getName()
  Return a short name for this Realm implementation.
- protected char[] getPassword(String username)
  Return the password associated with the given principal's user name.
- protected Principal getPrincipal(String username)
  Return the Principal associated with the given user name.
- String getRoleClassNames()
- String getUserClassNames()
- void setAppName(String name)
  Deprecated. JAAS should use the Engine (domain) name and webapp/host overrides.
- void setContainer(Container container)
  Set the Container with which this Realm has been associated.
- void setRoleClassNames(String roleClassNames)
- void setUserClassNames(String userClassNames)
- void start()
  Prepare for active use of the public methods of this Component.
- void stop()
  Gracefully shut down active use of the public methods of this Component.
Methods inherited from class org.apache.catalina.realm.RealmBase
addLifecycleListener, addPropertyChangeListener, authenticate, authenticate, authenticate, backgroundProcess, destroy, digest, disableProxyCaching, findLifecycleListeners, findSecurityConstraints, findSecurityConstraints, getAlternateAuthType, getAlternatePrincipal, getContainer, getController, getDebug, getDigest, getDigest, getDigestEncoding, getInfo, getRealmName, getValidate, hasMessageDigest, hasResourcePermission, hasRole, hasRole, hasUserDataPermission, hasUserDataPermission, invokeAuthenticateDelegate, invokePostAuthenticateDelegate, isSecurityExtensionEnabled, log, log, logout, preAuthenticateCheck, removeLifecycleListener, removePropertyChangeListener, setController, setDebug, setDigest, setDigestEncoding, setRealmName, setValidate
Field Detail

appName
protected String appName
The application name passed to the JAAS LoginContext, which uses it to select the set of relevant LoginModules.

info
protected static final String info
Descriptive information about this Realm implementation.
- See Also: Constant Field Values

name
protected static final String name
Descriptive information about this Realm implementation.
- See Also: Constant Field Values

roleClasses
protected ArrayList<String> roleClasses
The list of role class names, split out for easy processing.

userClasses
protected ArrayList<String> userClasses
The set of user class names, split out for easy processing.

roleClassNames
protected String roleClassNames
Comma-delimited list of javax.security.Principal classes that represent security roles.

userClassNames
protected String userClassNames
Comma-delimited list of javax.security.Principal classes that represent individual users.
Method Detail

setAppName
public void setAppName(String name)
Deprecated. JAAS should use the Engine (domain) name and webapp/host overrides.
Setter for the appName member variable.

getAppName
public String getAppName()
Getter for the appName member variable.

setContainer
public void setContainer(Container container)
Description copied from class: RealmBase
Set the Container with which this Realm has been associated.
- Specified by: setContainer in interface Realm
- Overrides: setContainer in class RealmBase
- Parameters: container - The associated Container

getRoleClassNames
public String getRoleClassNames()

setRoleClassNames
public void setRoleClassNames(String roleClassNames)

getUserClassNames
public String getUserClassNames()

setUserClassNames
public void setUserClassNames(String userClassNames)
authenticate
public Principal authenticate(String username, char[] credentials)
Return the Principal associated with the specified username and credentials, if there is one; otherwise return null. If there are any errors with the JDBC connection, executing the query, or anything else, we return null (don't authenticate). This event is also logged, and the connection will be closed so that a subsequent request will automatically re-open it.
- Specified by: authenticate in interface Realm
- Overrides: authenticate in class RealmBase
- Parameters: username - Username of the Principal to look up; credentials - Password or other credentials to use in authenticating this username
getName
protected String getName()
Return a short name for this Realm implementation.

getPassword
protected char[] getPassword(String username)
Return the password associated with the given principal's user name.
- Specified by: getPassword in class RealmBase

getPrincipal
protected Principal getPrincipal(String username)
Return the Principal associated with the given user name.
- Specified by: getPrincipal in class RealmBase
createPrincipal
protected Principal createPrincipal(String username, Subject subject)
Construct and return a java.security.Principal instance representing the authenticated user for the specified Subject. If no such Principal can be constructed, return null.
- Parameters: subject - The Subject representing the logged in user
start
public void start() throws LifecycleException
Prepare for active use of the public methods of this Component.
- Specified by: start in interface Lifecycle
- Overrides: start in class RealmBase
- Throws: LifecycleException - if this component detects a fatal error that prevents it from being started

stop
public void stop() throws LifecycleException
Gracefully shut down active use of the public methods of this Component.
- Specified by: stop in interface Lifecycle
- Overrides: stop in class RealmBase
- Throws: LifecycleException - if this component detects a fatal error that needs to be reported