Package org.apache.catalina.realm
Class RealmBase
- java.lang.Object
- org.apache.catalina.realm.RealmBase
- Direct Known Subclasses:
JAASRealm, RealmAdapter
public abstract class RealmBase extends Object implements Lifecycle, Realm
Simple implementation of Realm that reads an XML file to configure the valid users, passwords, and roles. The file format (and default file location) are identical to those currently supported by Tomcat 3.X.
- Version:
$Revision: 1.14 $ $Date: 2007/04/18 17:27:23 $
- Author:
Craig R. McClanahan
-
Field Summary
Fields (modifier and type, field, description):
- protected boolean checkIfRequestIsSecure
Flag indicating whether a check to see if the request is secure is required before adding Pragma and Cache-Control headers when proxy caching has been disabled
- protected Container container
The Container with which this Realm is associated.
- protected ObjectName controller
- protected int debug
The debugging detail level for this component.
- protected String digest
Digest algorithm used in storing passwords in a non-plaintext format.
- protected String digestEncoding
The encoding charset for the digest.
- protected static String info
Descriptive information about this Realm implementation.
- protected LifecycleSupport lifecycle
The lifecycle event support for this component.
- protected static Logger log
- protected MessageDigest md
The MessageDigest object for digesting user credentials (passwords).
- protected static MD5Encoder md5Encoder
The MD5 helper object for this class.
- protected static MessageDigest md5Helper
MD5 message digest provider.
- protected static ResourceBundle rb
- protected boolean started
Has this component been started?
- protected PropertyChangeSupport support
The property change support for this component.
- protected boolean validate
Should we validate client certificate chains when they are presented?
-
Fields inherited from interface org.apache.catalina.Lifecycle
AFTER_START_EVENT, AFTER_STOP_EVENT, BEFORE_START_EVENT, BEFORE_STOP_EVENT, INIT_EVENT, START_EVENT, STOP_EVENT
-
Fields inherited from interface org.apache.catalina.Realm
AUTHENTICATE_NEEDED, AUTHENTICATE_NOT_NEEDED, AUTHENTICATED_NOT_AUTHORIZED
-
-
Constructor Summary
Constructors:
- RealmBase()
-
Method Summary
Methods (modifier and type, method, description):
- void addLifecycleListener(LifecycleListener listener)
Add a lifecycle event listener to this component.
- void addPropertyChangeListener(PropertyChangeListener listener)
Add a property change listener to this component.
- Principal authenticate(jakarta.servlet.http.HttpServletRequest hreq)
Does digest authentication and returns the Principal associated with the username in the HTTP header.
- Principal authenticate(String username, char[] credentials)
Return the Principal associated with the specified username and credentials, if there is one; otherwise return null.
- Principal authenticate(String username, char[] clientDigest, String nOnce, String nc, String cnonce, String qop, String realm, char[] md5a2)
Return the Principal associated with the specified username, which matches the digest calculated using the given parameters using the method described in RFC 2069; otherwise return null.
- Principal authenticate(X509Certificate[] certificates)
Return the Principal associated with the specified chain of X509 client certificates.
- void backgroundProcess()
Execute a periodic task, such as reloading, etc.
- void destroy()
- protected char[] digest(char[] credentials)
Digest the password using the specified algorithm and convert the result to a corresponding hexadecimal string.
- protected void disableProxyCaching(HttpRequest request, HttpResponse response, boolean disableProxyCaching, boolean securePagesWithPragma)
- List<LifecycleListener> findLifecycleListeners()
Gets the (possibly empty) list of lifecycle listeners associated with this Realm.
- SecurityConstraint[] findSecurityConstraints(String uri, String method, Context context)
Gets the security constraints configured by the given context for the given request URI and method.
- SecurityConstraint[] findSecurityConstraints(HttpRequest request, Context context)
Return the SecurityConstraints configured to guard the request URI for this request, or null if there is no such constraint.
- String getAlternateAuthType(HttpRequest req)
Return an alternate auth type from the request if available.
- Principal getAlternatePrincipal(HttpRequest req)
Return an alternate principal from the request if available.
- Container getContainer()
Return the Container with which this Realm has been associated.
- ObjectName getController()
- int getDebug()
Return the debugging detail level for this component.
- String getDigest()
Return the digest algorithm used for storing credentials.
- protected char[] getDigest(String username, String realmName)
Return the digest associated with given principal's user name.
- String getDigestEncoding()
Returns the digest encoding charset.
- String getInfo()
Return descriptive information about this Realm implementation and the corresponding version number, in the format <description>/<version>.
- protected abstract String getName()
Return a short name for this Realm implementation, for use in log messages.
- protected abstract char[] getPassword(String username)
Return the password associated with the given principal's user name.
- protected abstract Principal getPrincipal(String username)
Return the Principal associated with the given user name.
- String getRealmName()
Returns the name of the associated realm.
- boolean getValidate()
Return the "validate certificate chains" flag.
- protected boolean hasMessageDigest()
- boolean hasResourcePermission(HttpRequest request, HttpResponse response, SecurityConstraint[] constraints, Context context)
Perform access control based on the specified authorization constraint.
- boolean hasRole(Principal principal, String role)
Return true if the specified Principal has the specified security role, within the context of this Realm; otherwise return false.
- boolean hasRole(HttpRequest request, HttpResponse response, Principal principal, String role)
Return true if the specified Principal has the specified security role, within the context of this Realm; otherwise return false.
- boolean hasUserDataPermission(HttpRequest request, HttpResponse response, SecurityConstraint[] constraints)
Enforce any user data constraint required by the security constraint guarding this request URI.
- boolean hasUserDataPermission(HttpRequest request, HttpResponse response, SecurityConstraint[] constraints, String uri, String method)
Checks if the given request URI and method are the target of any user-data-constraint with a transport-guarantee of CONFIDENTIAL, and whether any such constraint is already satisfied.
- boolean invokeAuthenticateDelegate(HttpRequest request, HttpResponse response, Context context, Authenticator authenticator, boolean calledFromAuthenticate)
Authenticates the user making this request, based on the specified login configuration.
- boolean invokePostAuthenticateDelegate(HttpRequest request, HttpResponse response, Context context)
Post authentication for given request and response.
- boolean isSecurityExtensionEnabled(jakarta.servlet.ServletContext servletContext)
Returns whether the specified ServletContext indicates that security extension is enabled.
- protected void log(String message)
Log a message on the Logger associated with our Container (if any)
- protected void log(String message, Throwable t)
Log a message on the Logger associated with our Container (if any)
- void logout(HttpRequest hreq)
Logs out.
- int preAuthenticateCheck(HttpRequest request, HttpResponse response, SecurityConstraint[] constraints, boolean disableProxyCaching, boolean securePagesWithPragma, boolean ssoEnabled)
Checks whether or not authentication is needed.
- void removeLifecycleListener(LifecycleListener listener)
Remove a lifecycle event listener from this component.
- void removePropertyChangeListener(PropertyChangeListener listener)
Remove a property change listener from this component.
- void setContainer(Container container)
Set the Container with which this Realm has been associated.
- void setController(ObjectName controller)
- void setDebug(int debug)
Set the debugging detail level for this component.
- void setDigest(String digest)
Set the digest algorithm used for storing credentials.
- void setDigestEncoding(String charset)
Sets the digest encoding charset.
- void setRealmName(String name, String authMethod)
Set the name of the associated realm.
- void setValidate(boolean validate)
Set the "validate certificate chains" flag.
- void start()
Prepare for the beginning of active use of the public methods of this component.
- void stop()
Gracefully terminate the active use of the public methods of this component.
-
-
-
Field Detail
-
log
protected static final Logger log
-
rb
protected static final ResourceBundle rb
-
debug
protected int debug
The debugging detail level for this component.
-
container
protected Container container
The Container with which this Realm is associated.
-
checkIfRequestIsSecure
protected boolean checkIfRequestIsSecure
Flag indicating whether a check to see if the request is secure is required before adding Pragma and Cache-Control headers when proxy caching has been disabled
-
digest
protected String digest
Digest algorithm used in storing passwords in a non-plaintext format. Valid values are those accepted for the algorithm name by the MessageDigest class, or null if no digesting should be performed.
-
digestEncoding
protected String digestEncoding
The encoding charset for the digest.
-
info
protected static final String info
Descriptive information about this Realm implementation.
- See Also:
Constant Field Values
-
lifecycle
protected LifecycleSupport lifecycle
The lifecycle event support for this component.
-
md
protected volatile MessageDigest md
The MessageDigest object for digesting user credentials (passwords).
-
md5Encoder
protected static final MD5Encoder md5Encoder
The MD5 helper object for this class.
-
md5Helper
protected static volatile MessageDigest md5Helper
MD5 message digest provider.
-
started
protected boolean started
Has this component been started?
-
support
protected PropertyChangeSupport support
The property change support for this component.
-
validate
protected boolean validate
Should we validate client certificate chains when they are presented?
-
controller
protected ObjectName controller
-
-
Method Detail
-
getContainer
public Container getContainer()
Return the Container with which this Realm has been associated.
- Specified by:
getContainer in interface Realm
-
getDebug
public int getDebug()
Return the debugging detail level for this component.
-
setDebug
public void setDebug(int debug)
Set the debugging detail level for this component.
- Parameters:
debug - The new debugging detail level
-
setContainer
public void setContainer(Container container)
Set the Container with which this Realm has been associated.
- Specified by:
setContainer in interface Realm
- Parameters:
container - The associated Container
-
getDigest
public String getDigest()
Return the digest algorithm used for storing credentials.
-
setDigest
public void setDigest(String digest)
Set the digest algorithm used for storing credentials.
- Parameters:
digest - The new digest algorithm
-
getDigestEncoding
public String getDigestEncoding()
Returns the digest encoding charset.
- Returns:
The charset (may be null) for platform default
-
setDigestEncoding
public void setDigestEncoding(String charset)
Sets the digest encoding charset.
- Parameters:
charset - The charset (null for platform default)
-
getInfo
public String getInfo()
Return descriptive information about this Realm implementation and the corresponding version number, in the format <description>/<version>.
-
getValidate
public boolean getValidate()
Return the "validate certificate chains" flag.
-
setValidate
public void setValidate(boolean validate)
Set the "validate certificate chains" flag.
- Parameters:
validate - The new validate certificate chains flag
-
addPropertyChangeListener
public void addPropertyChangeListener(PropertyChangeListener listener)
Add a property change listener to this component.
- Specified by:
addPropertyChangeListener in interface Realm
- Parameters:
listener - The listener to add
-
authenticate
public Principal authenticate(String username, char[] credentials)
Return the Principal associated with the specified username and credentials, if there is one; otherwise return null.
- Specified by:
authenticate in interface Realm
- Parameters:
username - Username of the Principal to look up
credentials - Password or other credentials to use in authenticating this username
-
authenticate
public Principal authenticate(String username, char[] clientDigest, String nOnce, String nc, String cnonce, String qop, String realm, char[] md5a2)
Return the Principal associated with the specified username, which matches the digest calculated using the given parameters using the method described in RFC 2069; otherwise return null.
- Specified by:
authenticate in interface Realm
- Parameters:
username - Username of the Principal to look up
clientDigest - Digest which has been submitted by the client
nOnce - Unique (or supposedly unique) token which has been used for this request
realm - Realm name
md5a2 - Second MD5 digest used to calculate the digest: MD5(Method + ":" + uri)
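The digest comparison this method describes can be illustrated with the following added example, which is not RealmBase source code. The class and helper names (DigestResponseCheck, md5Hex, expectedDigest, digestMatches) and all sample values are hypothetical; the example also covers the RFC 2617 form with qop, which goes beyond the RFC 2069 case named above.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Locale;

// Added illustration; not RealmBase source. All names here are hypothetical.
public class DigestResponseCheck {

    // Lower-case hex MD5 of the text, taken over its ISO-8859-1 bytes.
    static String md5Hex(String text) throws NoSuchAlgorithmException {
        byte[] hash = MessageDigest.getInstance("MD5")
                .digest(text.getBytes(StandardCharsets.ISO_8859_1));
        StringBuilder hex = new StringBuilder(hash.length * 2);
        for (byte b : hash) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    // ha1 is MD5(username ":" realm ":" password); md5a2 is MD5(method ":" uri).
    // Without qop the RFC 2069 form is used, with qop the RFC 2617 form.
    static String expectedDigest(String ha1, String nOnce, String nc, String cnonce,
                                 String qop, String md5a2) throws NoSuchAlgorithmException {
        String input;
        if (qop == null || qop.isEmpty()) {
            input = ha1 + ":" + nOnce + ":" + md5a2;
        } else {
            input = ha1 + ":" + nOnce + ":" + nc + ":" + cnonce + ":" + qop + ":" + md5a2;
        }
        return md5Hex(input);
    }

    // Constant-time comparison so response time does not reveal how many
    // leading characters of the submitted digest were correct.
    static boolean digestMatches(String clientDigest, String expected) {
        if (clientDigest == null || expected == null) {
            return false;
        }
        byte[] a = clientDigest.toLowerCase(Locale.ROOT).getBytes(StandardCharsets.US_ASCII);
        byte[] b = expected.getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(a, b);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed sample values, not taken from any real deployment.
        String ha1 = md5Hex("alice" + ":" + "example-realm" + ":" + "constructed-password");
        String nOnce = "constructed-nonce-0001";
        String md5a2 = md5Hex("GET" + ":" + "/protected/index.html");

        // What a well-behaved RFC 2069 client would submit for this request.
        String clientDigest = md5Hex(ha1 + ":" + nOnce + ":" + md5a2);
        String expected = expectedDigest(ha1, nOnce, null, null, null, md5a2);
        System.out.println("same request accepted: " + digestMatches(clientDigest, expected));

        // The same digest replayed against a different URI must not verify,
        // because the server recomputes md5a2 from the request it actually received.
        String otherA2 = md5Hex("GET" + ":" + "/protected/admin.html");
        String expectedOther = expectedDigest(ha1, nOnce, null, null, null, otherA2);
        System.out.println("other URI accepted: " + digestMatches(clientDigest, expectedOther));

        // RFC 2617 form: nc, cnonce and qop are bound into the digest as well.
        String qopDigest = md5Hex(ha1 + ":" + nOnce + ":00000001:constructed-cnonce:auth:" + md5a2);
        String expectedQop = expectedDigest(ha1, nOnce, "00000001", "constructed-cnonce", "auth", md5a2);
        System.out.println("qop=auth accepted: " + digestMatches(qopDigest, expectedQop));
    }
}
```

The example checks only the digest arithmetic; nonce freshness and nonce-count tracking, which limit replay, are outside what it shows.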
-
authenticate
public Principal authenticate(X509Certificate[] certificates)
Return the Principal associated with the specified chain of X509 client certificates. If there is none, return null.
- Specified by:
authenticate in interface Realm
- Parameters:
certificates - Array of client certificates, with the first one in the array being the certificate of the client itself.
-
backgroundProcess
public void backgroundProcess()
Execute a periodic task, such as reloading, etc. This method will be invoked inside the classloading context of this container. Unexpected throwables will be caught and logged.
-
findSecurityConstraints
public SecurityConstraint[] findSecurityConstraints(HttpRequest request, Context context)
Return the SecurityConstraints configured to guard the request URI for this request, or null if there is no such constraint.
- Specified by:
findSecurityConstraints in interface Realm
- Parameters:
request - Request we are processing
context - Context the Request is mapped to
-
findSecurityConstraints
public SecurityConstraint[] findSecurityConstraints(String uri, String method, Context context)
Gets the security constraints configured by the given context for the given request URI and method.
- Specified by:
findSecurityConstraints in interface Realm
- Parameters:
uri - the request URI (minus the context Path)
method - the request method
context - the context
- Returns:
the security constraints configured by the given context for the given request URI and method, or null
-
hasResourcePermission
public boolean hasResourcePermission(HttpRequest request, HttpResponse response, SecurityConstraint[] constraints, Context context) throws IOException
Perform access control based on the specified authorization constraint. Return true if this constraint is satisfied and processing should continue, or false otherwise.
- Specified by:
hasResourcePermission in interface Realm
- Parameters:
request - Request we are processing
response - Response we are creating
constraints - Security constraint we are enforcing
context - The Context to which client of this class is attached.
- Throws:
IOException - if an input/output error occurs
-
hasRole
public boolean hasRole(HttpRequest request, HttpResponse response, Principal principal, String role)
Return true if the specified Principal has the specified security role, within the context of this Realm; otherwise return false. This method can be overridden by Realm implementations. The default implementation is to forward to hasRole(Principal principal, String role).
-
preAuthenticateCheck
public int preAuthenticateCheck(HttpRequest request, HttpResponse response, SecurityConstraint[] constraints, boolean disableProxyCaching, boolean securePagesWithPragma, boolean ssoEnabled) throws IOException
Checks whether or not authentication is needed. Returns an int, one of AUTHENTICATE_NOT_NEEDED, AUTHENTICATE_NEEDED, or AUTHENTICATED_NOT_AUTHORIZED.
- Specified by:
preAuthenticateCheck in interface Realm
- Parameters:
request - Request we are processing
response - Response we are creating
constraints - Security constraint we are enforcing
disableProxyCaching - whether or not to disable proxy caching for protected resources.
securePagesWithPragma - true if we add headers which are incompatible with downloading office documents in IE under SSL but which fix a caching problem in Mozilla.
ssoEnabled - true if sso is enabled
- Throws:
IOException - if an input/output error occurs
-
invokeAuthenticateDelegate
public boolean invokeAuthenticateDelegate(HttpRequest request, HttpResponse response, Context context, Authenticator authenticator, boolean calledFromAuthenticate) throws IOException
Authenticates the user making this request, based on the specified login configuration. Return true if any specified requirements have been satisfied, or false if we have created a response challenge already.
- Specified by:
invokeAuthenticateDelegate in interface Realm
- Parameters:
request - Request we are processing
response - Response we are creating
context - The Context to which client of this class is attached.
authenticator - the current authenticator.
calledFromAuthenticate - true if the call originates from HttpServletRequest.authenticate
- Throws:
IOException - if an input/output error occurs
-
invokePostAuthenticateDelegate
public boolean invokePostAuthenticateDelegate(HttpRequest request, HttpResponse response, Context context) throws IOException
Post authentication for given request and response.
- Specified by:
invokePostAuthenticateDelegate in interface Realm
- Parameters:
request - Request we are processing
response - Response we are creating
context - The Context to which client of this class is attached.
- Throws:
IOException - if an input/output error occurs
-
hasRole
public boolean hasRole(Principal principal, String role)
Return true if the specified Principal has the specified security role, within the context of this Realm; otherwise return false. This method can be overridden by Realm implementations, but the default is adequate when an instance of GenericPrincipal is used to represent authenticated Principals from this Realm.
-
hasUserDataPermission
public boolean hasUserDataPermission(HttpRequest request, HttpResponse response, SecurityConstraint[] constraints) throws IOException
Enforce any user data constraint required by the security constraint guarding this request URI.
- Specified by:
hasUserDataPermission in interface Realm
- Parameters:
request - Request we are processing
response - Response we are creating
constraints - Security constraint being checked
- Returns:
true if this constraint was not violated and processing should continue, or false if we have created a response already
- Throws:
IOException - if an input/output error occurs
-
hasUserDataPermission
public boolean hasUserDataPermission(HttpRequest request, HttpResponse response, SecurityConstraint[] constraints, String uri, String method) throws IOException
Checks if the given request URI and method are the target of any user-data-constraint with a transport-guarantee of CONFIDENTIAL, and whether any such constraint is already satisfied. If uri and method are null, then the URI and method of the given request are checked. If a user-data-constraint exists that is not satisfied, then the given request will be redirected to HTTPS.
- Specified by:
hasUserDataPermission in interface Realm
- Parameters:
request - the request that may be redirected
response - the response that may be redirected
constraints - the security constraints to check against
uri - the request URI (minus the context path) to check
method - the request method to check
- Returns:
true if the request URI and method are not the target of any unsatisfied user-data-constraint with a transport-guarantee of CONFIDENTIAL, and false if they are (in which case the given request will have been redirected to HTTPS)
- Throws:
IOException
-
removePropertyChangeListener
public void removePropertyChangeListener(PropertyChangeListener listener)
Remove a property change listener from this component.
- Specified by:
removePropertyChangeListener in interface Realm
- Parameters:
listener - The listener to remove
-
addLifecycleListener
public void addLifecycleListener(LifecycleListener listener)
Add a lifecycle event listener to this component.
- Specified by:
addLifecycleListener in interface Lifecycle
- Parameters:
listener - The listener to add
-
findLifecycleListeners
public List<LifecycleListener> findLifecycleListeners()
Gets the (possibly empty) list of lifecycle listeners associated with this Realm.
- Specified by:
findLifecycleListeners in interface Lifecycle
-
removeLifecycleListener
public void removeLifecycleListener(LifecycleListener listener)
Remove a lifecycle event listener from this component.
- Specified by:
removeLifecycleListener in interface Lifecycle
- Parameters:
listener - The listener to remove
-
start
public void start() throws LifecycleException
Prepare for the beginning of active use of the public methods of this component. This method should be called before any of the public methods of this component are utilized. It should also send a LifecycleEvent of type START_EVENT to any registered listeners.
- Specified by:
start in interface Lifecycle
- Throws:
LifecycleException - if this component detects a fatal error that prevents this component from being used
-
stop
public void stop() throws LifecycleException
Gracefully terminate the active use of the public methods of this component. This method should be the last one called on a given instance of this component. It should also send a LifecycleEvent of type STOP_EVENT to any registered listeners.
- Specified by:
stop in interface Lifecycle
- Throws:
LifecycleException - if this component detects a fatal error that needs to be reported
-
destroy
public void destroy()
-
logout
public void logout(HttpRequest hreq)
Description copied from interface: Realm
Logs out.
-
isSecurityExtensionEnabled
public boolean isSecurityExtensionEnabled(jakarta.servlet.ServletContext servletContext)
Description copied from interface: Realm
Returns whether the specified ServletContext indicates that security extension is enabled.
- Specified by:
isSecurityExtensionEnabled in interface Realm
- Parameters:
servletContext - the ServletContext
- Returns:
true if security extension is enabled; false otherwise
-
digest
protected char[] digest(char[] credentials)
Digest the password using the specified algorithm and convert the result to a corresponding hexadecimal string. If an exception occurs, the plain credentials string is returned.
- Parameters:
credentials - Password or other credentials to use in authenticating this username
-
hasMessageDigest
protected boolean hasMessageDigest()
-
getDigest
protected char[] getDigest(String username, String realmName)
Return the digest associated with given principal's user name.
-
getName
protected abstract String getName()
Return a short name for this Realm implementation, for use in log messages.
-
getPassword
protected abstract char[] getPassword(String username)
Return the password associated with the given principal's user name.
-
getPrincipal
protected abstract Principal getPrincipal(String username)
Return the Principal associated with the given user name.
-
log
protected void log(String message)
Log a message on the Logger associated with our Container (if any)
- Parameters:
message - Message to be logged
-
log
protected void log(String message, Throwable t)
Log a message on the Logger associated with our Container (if any)
- Parameters:
message - Message to be logged
t - Associated exception
-
disableProxyCaching
protected void disableProxyCaching(HttpRequest request, HttpResponse response, boolean disableProxyCaching, boolean securePagesWithPragma)
-
getController
public ObjectName getController()
-
setController
public void setController(ObjectName controller)
-
getAlternatePrincipal
public Principal getAlternatePrincipal(HttpRequest req)
Return an alternate principal from the request if available. Tomcat realms do not implement this so always return null as default.
- Specified by:
getAlternatePrincipal in interface Realm
- Parameters:
req - The request object.
- Returns:
Alternate principal or null.
-
getAlternateAuthType
public String getAlternateAuthType(HttpRequest req)
Return an alternate auth type from the request if available. Tomcat realms do not implement this so always return null as default.
- Specified by:
getAlternateAuthType in interface Realm
- Parameters:
req - The request object.
- Returns:
Alternate auth type or null.
-
setRealmName
public void setRealmName(String name, String authMethod)
Set the name of the associated realm.
- Specified by:
setRealmName in interface Realm
- Parameters:
name - the name of the realm.
-
getRealmName
public String getRealmName()
Returns the name of the associated realm.
- Specified by:
getRealmName in interface Realm
- Returns:
realm name or null if not set.
-
authenticate
public Principal authenticate(jakarta.servlet.http.HttpServletRequest hreq)
Description copied from interface: Realm
Does digest authentication and returns the Principal associated with the username in the HTTP header.
- Specified by:
authenticate in interface Realm
- Parameters:
hreq - HTTP servlet request.
-
-