Class JAASRealm

  • All Implemented Interfaces:
    Lifecycle, Realm

    public class JAASRealm
    extends RealmBase

    Implementation of Realm that authenticates users via the Java Authentication and Authorization Service (JAAS). JAAS support requires either JDK 1.4 (which includes it as part of the standard platform) or JDK 1.3 (with the plug-in jaas.jar file).

    The value configured for the appName property is passed to the javax.security.auth.login.LoginContext constructor, to specify the application name used to select the set of relevant LoginModules required.

    The JAAS Specification describes the result of a successful login as a javax.security.auth.Subject instance, which can contain zero or more java.security.Principal objects in the return value of the Subject.getPrincipals() method. However, it provides no guidance on how to distinguish Principals that describe the individual user (and are thus appropriate to return as the value of request.getUserPrincipal() in a web application) from the Principal(s) that describe the authorized roles for this user. To maintain as much independence as possible from the underlying LoginModule implementation executed by JAAS, the following policy is implemented by this Realm:

    • The JAAS LoginModule is assumed to return a Subject with at least one Principal instance representing the user himself or herself, and zero or more separate Principals representing the security roles authorized for this user.
    • On the Principal representing the user, the Principal name is an appropriate value to return via the Servlet API method HttpServletRequest.getRemoteUser().
    • On the Principals representing the security roles, the name is the name of the authorized security role.
    • This Realm will be configured with two lists of fully qualified Java class names of classes that implement java.security.Principal - one that identifies class(es) representing a user, and one that identifies class(es) representing a security role.
    • As this Realm iterates over the Principals returned by Subject.getPrincipals(), it will identify the first Principal that matches the "user classes" list as the Principal for this user.
    • As this Realm iterates over the Principals returned by Subject.getPrincipals(), it will accumulate the set of all Principals matching the "role classes" list as identifying the security roles for this user.
    • It is a configuration error for the JAAS login method to return a validated Subject without a Principal that matches the "user classes" list.
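    The following is an added example, not code from this class or its project, that shows the policy above end to end: a hypothetical LoginModule (DemoLoginModule, with a constructed in-memory user table) that populates the Subject with one UserPrincipal and one RolePrincipal per role, and a selectUserAndRoles method that applies the realm's rule of taking the first Principal whose class is in the "user classes" list as the user and accumulating every Principal whose class is in the "role classes" list as a role. The class names UserPrincipal, RolePrincipal, DemoLoginModule and the application name DemoApp are assumptions for the demo; the JAAS configuration is supplied programmatically so nothing needs to be read from a jaas.config file (Java 9 or later, for Map.of and List.of).

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class JaasRealmPolicyDemo {

    // Hypothetical Principal types; their class names are what the realm's
    // userClassNames / roleClassNames properties would list.
    public static final class UserPrincipal implements Principal {
        private final String name;
        public UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }
    public static final class RolePrincipal implements Principal {
        private final String name;
        public RolePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    // Hypothetical LoginModule backed by a constructed in-memory user table (demo data only).
    public static class DemoLoginModule implements LoginModule {
        private static final Map<String, String> PASSWORDS = Map.of("alice", "s3cret");
        private static final Map<String, List<String>> ROLES = Map.of("alice", List.of("admin", "auditor"));
        private Subject subject;
        private CallbackHandler handler;
        private String user;

        @Override public void initialize(Subject subject, CallbackHandler handler,
                                         Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
        }

        @Override public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] { nc, pc });
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("callback handling failed: " + e);
            }
            String expected = PASSWORDS.get(nc.getName());
            char[] given = pc.getPassword();
            pc.clearPassword();
            // MessageDigest.isEqual compares in constant time; never use String.equals on credentials.
            if (expected == null || given == null || !MessageDigest.isEqual(
                    expected.getBytes(StandardCharsets.UTF_8), new String(given).getBytes(StandardCharsets.UTF_8))) {
                throw new FailedLoginException("bad username or password");
            }
            user = nc.getName();
            return true;
        }

        // commit() is where the Subject gets its single user Principal plus one Principal per role.
        @Override public boolean commit() {
            if (user == null) return false;
            subject.getPrincipals().add(new UserPrincipal(user));
            for (String r : ROLES.getOrDefault(user, List.of())) subject.getPrincipals().add(new RolePrincipal(r));
            return true;
        }
        @Override public boolean abort() { user = null; return true; }
        @Override public boolean logout() { subject.getPrincipals().clear(); user = null; return true; }
    }

    // The realm's policy: the first Principal whose class is in userClassNames is the user, and every
    // Principal whose class is in roleClassNames contributes a role name. Returns null when no user
    // Principal is present, which the realm treats as a configuration error (no authentication).
    public static Map.Entry<Principal, Set<String>> selectUserAndRoles(
            Subject subject, List<String> userClassNames, List<String> roleClassNames) {
        Principal user = null;
        Set<String> roles = new LinkedHashSet<>();
        for (Principal p : subject.getPrincipals()) {
            String cls = p.getClass().getName();
            if (user == null && userClassNames.contains(cls)) user = p;
            if (roleClassNames.contains(cls)) roles.add(p.getName());
        }
        if (user == null) return null;
        return new AbstractMap.SimpleEntry<>(user, roles);
    }

    public static void main(String[] args) throws Exception {
        String appName = "DemoApp"; // the value the realm's appName property would carry
        // Programmatic stand-in for the jaas.config entry:  DemoApp { ...DemoLoginModule required; };
        Configuration config = new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                if (!appName.equals(name)) return null;
                return new AppConfigurationEntry[] { new AppConfigurationEntry(DemoLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of()) };
            }
        };
        // Stands in for the realm's own handler, which answers the callbacks from the request credentials.
        CallbackHandler handler = callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName("alice");
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword("s3cret".toCharArray());
                else throw new UnsupportedCallbackException(c);
            }
        };
        LoginContext lc = new LoginContext(appName, new Subject(), handler, config);
        lc.login(); // a LoginException here is what makes the realm log the failure and return null
        Map.Entry<Principal, Set<String>> result = selectUserAndRoles(lc.getSubject(),
                List.of(UserPrincipal.class.getName()), List.of(RolePrincipal.class.getName()));
        System.out.println("getRemoteUser() -> " + result.getKey().getName() + ", roles -> " + result.getValue());
    }
}
```

    Wiring the equivalent into a container would mean a Realm element with className="org.apache.catalina.realm.JAASRealm", appName="DemoApp", userClassNames="...JaasRealmPolicyDemo$UserPrincipal" and roleClassNames="...JaasRealmPolicyDemo$RolePrincipal", with DemoApp defined in the JAAS login configuration file. Two points worth checking in any real LoginModule: it must add Principals only in commit(), never in login(), so that a REQUIRED module failing later in the stack cannot leave a half-populated Subject, and it must use a distinct class for user and role Principals, since the realm tells them apart by class name alone.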
    Version:
    $Revision: 1.3 $ $Date: 2006/03/12 01:27:04 $
    Author:
    Craig R. McClanahan
    • Field Detail

      • appName

        protected String appName
        The application name passed to the JAAS LoginContext, which uses it to select the set of relevant LoginModules.
      • roleClasses

        protected ArrayList<String> roleClasses
        The list of role class names, split out for easy processing.
      • userClasses

        protected ArrayList<String> userClasses
        The set of user class names, split out for easy processing.
      • roleClassNames

        protected String roleClassNames
        Comma-delimited list of fully qualified java.security.Principal class names that represent security roles.
      • userClassNames

        protected String userClassNames
        Comma-delimited list of fully qualified java.security.Principal class names that represent individual users.
    • Constructor Detail

      • JAASRealm

        public JAASRealm()
    • Method Detail

      • setAppName

        public void setAppName(String name)
        Deprecated.
        JAAS should use the Engine (domain) name and webapp/host overrides.
        Setter for the appName member variable.
      • getAppName

        public String getAppName()
        Getter for the appName member variable.
      • setContainer

        public void setContainer(Container container)
        Description copied from class: RealmBase
        Set the Container with which this Realm has been associated.
        Specified by:
        setContainer in interface Realm
        Overrides:
        setContainer in class RealmBase
        Parameters:
        container - The associated Container
      • getRoleClassNames

        public String getRoleClassNames()
      • setRoleClassNames

        public void setRoleClassNames(String roleClassNames)
      • getUserClassNames

        public String getUserClassNames()
      • setUserClassNames

        public void setUserClassNames(String userClassNames)
      • authenticate

        public Principal authenticate(String username,
                                      char[] credentials)
        Return the Principal associated with the specified username and credentials, if there is one; otherwise return null. The realm creates a javax.security.auth.login.LoginContext for the configured appName, with a CallbackHandler that answers the LoginModule's name and password callbacks from the supplied username and credentials, and invokes login(). If the login fails for any reason (a LoginException, including FailedLoginException, AccountExpiredException or CredentialExpiredException), or if the resulting Subject contains no Principal matching the "user classes" list, the failure is logged and null is returned, so the user is not authenticated. On success the returned value is the Principal built by createPrincipal(String, Subject) from the authenticated Subject.
        Specified by:
        authenticate in interface Realm
        Overrides:
        authenticate in class RealmBase
        Parameters:
        username - Username of the Principal to look up
        credentials - Password or other credentials to use in authenticating this username
      • getName

        protected String getName()
        Return a short name for this Realm implementation.
        Specified by:
        getName in class RealmBase
      • getPassword

        protected char[] getPassword(String username)
        Return the password associated with the given principal's user name. JAAS does not expose stored credentials to the caller, so this realm has no way to look a password up and always returns null; authentication is delegated entirely to the configured LoginModules via authenticate(String, char[]).
        Specified by:
        getPassword in class RealmBase
      • createPrincipal

        protected Principal createPrincipal(String username,
                                            Subject subject)
        Construct and return a java.security.Principal instance representing the authenticated user for the specified Subject, applying the policy described above: the first Principal whose class is in the "user classes" list identifies the user, and every Principal whose class is in the "role classes" list contributes a security role. If no such user Principal can be found, return null.
        Parameters:
        username - The username that was authenticated
        subject - The Subject representing the logged in user