com.sun.web.security

Class RealmAdapter

java.lang.Object

org.apache.catalina.realm.RealmBase

com.sun.web.security.RealmAdapter

All Implemented Interfaces:

RealmInitializer, Lifecycle, Realm, org.glassfish.hk2.api.PostConstruct

@Service
 @PerLookup
public class RealmAdapter
extends RealmBase
implements RealmInitializer, org.glassfish.hk2.api.PostConstruct

This is the realm adapter used to authenticate users and authorize access to web resources. The authenticate method is called by Tomcat to authenticate users. The hasRole method is called by Tomcat during the authorization process.

Author:

Harpreet Singh, JeanFrancois Arcand

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static interface	RealmAdapter.IOSupplier<T>

Field Summary

Fields

Modifier and Type	Field and Description
static String	BASIC
static String	FORM
protected boolean	isCurrentURIincluded
protected static String	name Descriptive information about this Realm implementation.
protected ReadWriteLock	rwLock
static String	SECURITY_CONTEXT
protected WebSecurityManager	webSecurityManager A WebSecurityManager object associated with a CONTEXT_ID
protected WebSecurityManagerFactory	webSecurityManagerFactory The factory used for creating WebSecurityManager object.

Fields inherited from class org.apache.catalina.realm.RealmBase

checkIfRequestIsSecure, container, controller, debug, digest, digestEncoding, info, lifecycle, log, md, md5Encoder, md5Helper, rb, started, support, validate

Fields inherited from interface org.apache.catalina.Lifecycle

AFTER_START_EVENT, AFTER_STOP_EVENT, BEFORE_START_EVENT, BEFORE_STOP_EVENT, INIT_EVENT, START_EVENT, STOP_EVENT

Fields inherited from interface org.apache.catalina.Realm

AUTHENTICATE_NEEDED, AUTHENTICATE_NOT_NEEDED, AUTHENTICATED_NOT_AUTHORIZED

Constructor Summary

Constructors

Constructor and Description
RealmAdapter()
RealmAdapter(String realmName, String moduleID) Create for WS EJB endpoint authentication.

Method Summary

Modifier and Type	Method and Description
Principal	authenticate(javax.servlet.http.HttpServletRequest httpServletRequest) This HttpServletRequest authenticate variant is primarily used by the DigestAuthenticator
Principal	authenticate(String username, char[] password) Authenticates and sets the SecurityContext in the TLS.
boolean	authenticate(WebPrincipal principal) Used by SecurityServiceImpl
Principal	authenticate(X509Certificate[] certs) This HttpServletRequest authenticate variant is primarily used by the SSLAuthenticator
protected void	configureSecurity(WebBundleDescriptor wbd, boolean isSystem) Generate the JSR 115 policy file for a web application, bundled within a ear or deployed as a standalone war file.
Principal	createFailOveredPrincipal(String username) This method is added to create a Principal based on the username only.
void	destroy()
SecurityConstraint[]	findSecurityConstraints(HttpRequest request, Context context) Returns null 1.
SecurityConstraint[]	findSecurityConstraints(String requestPathMB, String httpMethod, Context context) Returns null 1.
protected String	getName() Return a short name for this Realm Adapter implementation.
protected char[]	getPassword(String username) Return the password associated with the given principal's user name.
protected Principal	getPrincipal(String username) Return the Principal associated with the given user name.
String	getRealmName() Return the name of the realm this RealmAdapter uses.
WebBundleDescriptor	getWebDescriptor()
WebSecurityManager	getWebSecurityManager(boolean logNull) Utility method to get the web security manager.
boolean	hasResourcePermission(HttpRequest request, HttpResponse response, SecurityConstraint[] constraints, Context context) Perform access control based on the specified authorization constraint.
boolean	hasRole(HttpRequest request, HttpResponse response, Principal principal, String role) Check if the given principal has the provided role.
boolean	hasRole(String servletName, Principal principal, String role)
boolean	hasUserDataPermission(HttpRequest request, HttpResponse response, SecurityConstraint[] constraints) Enforce any user data constraint required by the security constraint guarding this request URI.
boolean	hasUserDataPermission(HttpRequest request, HttpResponse response, SecurityConstraint[] constraints, String uri, String method) Checks if the given request URI and method are the target of any user-data-constraint with a transport-guarantee of CONFIDENTIAL, and whether any such constraint is already satisfied.
void	initConfigHelper(javax.servlet.ServletContext servletContext)
void	initializeRealm(Object descriptor, boolean isSystemApp, String realmName)
boolean	invokeAuthenticateDelegate(HttpRequest request, HttpResponse response, Context context, Authenticator authenticator, boolean calledFromAuthenticate) Authenticates the user making this request, based on the specified login configuration.
boolean	invokePostAuthenticateDelegate(HttpRequest request, HttpResponse response, Context context) Post authentication for given request and response.
boolean	isSecurityExtensionEnabled(javax.servlet.ServletContext context) Return true if a Security Extension is available.
void	logout() Clean up security and policy context.
void	logout(HttpRequest httpRequest) Logs out.
void	postConstruct()
void	postSetRunAsIdentity(ComponentInvocation invocation) Attempts to restore old SecurityContext (but fails).
int	preAuthenticateCheck(HttpRequest request, HttpResponse response, SecurityConstraint[] constraints, boolean disableProxyCaching, boolean securePagesWithPragma, boolean ssoEnabled) Checks whether or not authentication is needed.
void	preSetRunAsIdentity(ComponentInvocation inv) Set the run-as principal into the SecurityContext when needed.
void	setCurrentSecurityContext(Principal principal)
void	setCurrentSecurityContextWithWebPrincipal(Principal principal)
void	setRealmName(String realmName)
void	setVirtualServer(Object container) Sets the virtual server on which the web module (with which this RealmAdapter is associated with) has been deployed.
void	updateWebSecurityManager()

Methods inherited from class org.apache.catalina.realm.RealmBase

addLifecycleListener, addPropertyChangeListener, authenticate, backgroundProcess, digest, disableProxyCaching, findLifecycleListeners, getAlternateAuthType, getAlternatePrincipal, getContainer, getController, getDebug, getDigest, getDigest, getDigestEncoding, getInfo, getValidate, hasMessageDigest, hasRole, log, log, removeLifecycleListener, removePropertyChangeListener, setContainer, setController, setDebug, setDigest, setDigestEncoding, setRealmName, setValidate, start, stop

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

SECURITY_CONTEXT

public static final String SECURITY_CONTEXT

See Also:

Constant Field Values

BASIC

public static final String BASIC

See Also:

Constant Field Values

FORM

public static final String FORM

See Also:

Constant Field Values

name

protected static final String name

Descriptive information about this Realm implementation.

See Also:

Constant Field Values

webSecurityManager

protected volatile WebSecurityManager webSecurityManager

A WebSecurityManager object associated with a CONTEXT_ID

isCurrentURIincluded

protected boolean isCurrentURIincluded

rwLock

protected final ReadWriteLock rwLock

webSecurityManagerFactory

@Inject
protected WebSecurityManagerFactory webSecurityManagerFactory

The factory used for creating WebSecurityManager object.

Constructor Detail

RealmAdapter

public RealmAdapter()

RealmAdapter

public RealmAdapter(String realmName,
                    String moduleID)

Create for WS EJB endpoint authentication. Roles related data is not available here.

Method Detail

initializeRealm

public void initializeRealm(Object descriptor,
                            boolean isSystemApp,
                            String realmName)

Specified by:

initializeRealm in interface RealmInitializer

getName

protected String getName()

Return a short name for this Realm Adapter implementation.

Specified by:

getName in class RealmBase

getRealmName

public String getRealmName()

Return the name of the realm this RealmAdapter uses.

Specified by:

getRealmName in interface Realm

Overrides:

getRealmName in class RealmBase

Returns:

realm name

setRealmName

public void setRealmName(String realmName)

setVirtualServer

public void setVirtualServer(Object container)

Sets the virtual server on which the web module (with which this RealmAdapter is associated with) has been deployed.

Specified by:

setVirtualServer in interface RealmInitializer

Parameters:

container - The virtual server

getWebDescriptor

public WebBundleDescriptor getWebDescriptor()

getWebSecurityManager

public WebSecurityManager getWebSecurityManager(boolean logNull)

Utility method to get the web security manager.

This will log a warning if the manager is not found in the factory, and logNull is true.

updateWebSecurityManager

public void updateWebSecurityManager()

Specified by:

updateWebSecurityManager in interface RealmInitializer

findSecurityConstraints

public SecurityConstraint[] findSecurityConstraints(HttpRequest request,
                                                    Context context)

Returns null 1. if there are no security constraints defined on any of the web resources within the context, or 2. if the target is a form login related page or target.

See SJSAS 6232464 6202703 otherwise return an empty array of SecurityConstraint.

Specified by:

findSecurityConstraints in interface Realm

Overrides:

findSecurityConstraints in class RealmBase

Parameters:

request - Request we are processing

context - Context the Request is mapped to

findSecurityConstraints

public SecurityConstraint[] findSecurityConstraints(String requestPathMB,
                                                    String httpMethod,
                                                    Context context)

Returns null 1. if there are no security constraints defined on any of the web resources within the context, or 2. if the target is a form login related page or target.

See SJSAS 6232464 6202703 otherwise return an empty array of SecurityConstraint.

Specified by:

findSecurityConstraints in interface Realm

Overrides:

findSecurityConstraints in class RealmBase

Parameters:

requestPathMB - the request URI (minus the context Path)

httpMethod - the request method

context - the context

Returns:

the security constraints configured by the given context for the given request URI and method, or null

hasUserDataPermission

public boolean hasUserDataPermission(HttpRequest request,
                                     HttpResponse response,
                                     SecurityConstraint[] constraints)
                              throws IOException

Enforce any user data constraint required by the security constraint guarding this request URI.

Specified by:

hasUserDataPermission in interface Realm

Overrides:

hasUserDataPermission in class RealmBase

Parameters:

request - Request we are processing

response - Response we are creating

constraints - Security constraint being checked

Returns:

true if this constraint was not violated and processing should continue, or false if we have created a response already

Throws:

IOException - if an input/output error occurs

hasUserDataPermission

public boolean hasUserDataPermission(HttpRequest request,
                                     HttpResponse response,
                                     SecurityConstraint[] constraints,
                                     String uri,
                                     String method)
                              throws IOException

Checks if the given request URI and method are the target of any user-data-constraint with a transport-guarantee of CONFIDENTIAL, and whether any such constraint is already satisfied. If uri and method are null, then the URI and method of the given request are checked. If a user-data-constraint exists that is not satisfied, then the given request will be redirected to HTTPS.

Specified by:

hasUserDataPermission in interface Realm

Overrides:

hasUserDataPermission in class RealmBase

Parameters:

request - the request that may be redirected

response - the response that may be redirected

constraints - the security constraints to check against

uri - the request URI (minus the context path) to check

method - the request method to check

Returns:

true if the request URI and method are not the target of any unsatisfied user-data-constraint with a transport-guarantee of CONFIDENTIAL, and false if they are (in which case the given request will have been redirected to HTTPS)

Throws:

IOException

preAuthenticateCheck

public int preAuthenticateCheck(HttpRequest request,
                                HttpResponse response,
                                SecurityConstraint[] constraints,
                                boolean disableProxyCaching,
                                boolean securePagesWithPragma,
                                boolean ssoEnabled)
                         throws IOException

Checks whether or not authentication is needed. Returns an int, one of AUTHENTICATE_NOT_NEEDED, AUTHENTICATE_NEEDED, or AUTHENTICATED_NOT_AUTHORIZED

See SJSAS 6202703

Specified by:

preAuthenticateCheck in interface Realm

Overrides:

preAuthenticateCheck in class RealmBase

Parameters:

request - Request we are processing

response - Response we are creating

constraints - Security constraint we are enforcing

disableProxyCaching - whether or not to disable proxy caching for protected resources.

securePagesWithPragma - true if we add headers which are incompatible with downloading office documents in IE under SSL but which fix a caching problem in Mozilla.

ssoEnabled - true if sso is enabled

Throws:

IOException - if an input/output error occurs

invokeAuthenticateDelegate

public boolean invokeAuthenticateDelegate(HttpRequest request,
                                          HttpResponse response,
                                          Context context,
                                          Authenticator authenticator,
                                          boolean calledFromAuthenticate)
                                   throws IOException

Authenticates the user making this request, based on the specified login configuration. Return true if any specified requirements have been satisfied, or false if we have created a response challenge already.

Specified by:

invokeAuthenticateDelegate in interface Realm

Overrides:

invokeAuthenticateDelegate in class RealmBase

Parameters:

request - Request we are processing

response - Response we are creating

context - The Context to which client of this class is attached.

authenticator - the current authenticator.

calledFromAuthenticate -

Returns:

Throws:

IOException - if an input/output error occurs

authenticate

public Principal authenticate(String username,
                              char[] password)

Authenticates and sets the SecurityContext in the TLS.

This username/password authenticate variant is primarily used by the Basic- and FormAuthenticator.

Specified by:

authenticate in interface Realm

Overrides:

authenticate in class RealmBase

Parameters:

username - the user name.

password - the password.

Returns:

the authenticated principal.

authenticate

public Principal authenticate(javax.servlet.http.HttpServletRequest httpServletRequest)

This HttpServletRequest authenticate variant is primarily used by the DigestAuthenticator

Specified by:

authenticate in interface Realm

Overrides:

authenticate in class RealmBase

Parameters:

httpServletRequest - HTTP servlet request.

authenticate

public Principal authenticate(X509Certificate[] certs)

This HttpServletRequest authenticate variant is primarily used by the SSLAuthenticator

Specified by:

authenticate in interface Realm

Overrides:

authenticate in class RealmBase

Parameters:

certs - Array of client certificates, with the first one in the array being the certificate of the client itself.

authenticate

public boolean authenticate(WebPrincipal principal)

Used by SecurityServiceImpl

createFailOveredPrincipal

public Principal createFailOveredPrincipal(String username)

This method is added to create a Principal based on the username only. Hercules stores the username as part of authentication failover and needs to create a Principal based on username only See IASRI 4809144

Parameters:

username -

Returns:

Principal for the user username HERCULES:add

hasResourcePermission

public boolean hasResourcePermission(HttpRequest request,
                                     HttpResponse response,
                                     SecurityConstraint[] constraints,
                                     Context context)
                              throws IOException

Perform access control based on the specified authorization constraint. Return true if this constraint is satisfied and processing should continue, or false otherwise.

Specified by:

hasResourcePermission in interface Realm

Overrides:

hasResourcePermission in class RealmBase

Parameters:

request - Request we are processing

response - Response we are creating

constraint - Security constraint we are enforcing

The - Context to which client of this class is attached.

Throws:

IOException - if an input/output error occurs

invokePostAuthenticateDelegate

public boolean invokePostAuthenticateDelegate(HttpRequest request,
                                              HttpResponse response,
                                              Context context)
                                       throws IOException

Post authentication for given request and response.

Specified by:

invokePostAuthenticateDelegate in interface Realm

Overrides:

invokePostAuthenticateDelegate in class RealmBase

Parameters:

request - Request we are processing

response - Response we are creating

context - The Context to which client of this class is attached.

Throws:

IOException - if an input/output error occurs

hasRole

public boolean hasRole(HttpRequest request,
                       HttpResponse response,
                       Principal principal,
                       String role)

Check if the given principal has the provided role. Returns true if the principal has the specified role, false otherwise.

Specified by:

hasRole in interface Realm

Overrides:

hasRole in class RealmBase

Parameters:

principal - the principal

role - the role

request - Request we are processing

response - Response we are creating

Returns:

true if the principal has the specified role.

hasRole

public boolean hasRole(String servletName,
                       Principal principal,
                       String role)

preSetRunAsIdentity

public void preSetRunAsIdentity(ComponentInvocation inv)

Set the run-as principal into the SecurityContext when needed.

This method will attempt to obtain the name of the servlet from the ComponentInvocation. Note that there may not be one since this gets called also during internal processing (not clear..) not just part of servlet requests. However, if it is not a servlet request there is no need (or possibility) to have a run-as setting so no further action is taken.

If the servlet name is present the runAsPrincipals cache is checked to find the run-as principal to use (if any). If one is set, the SecurityContext is switched to this principal.

See IASRI 4747594

Parameters:

inv - The invocation object to process.

postSetRunAsIdentity

public void postSetRunAsIdentity(ComponentInvocation invocation)

Attempts to restore old SecurityContext (but fails).

In theory this method seems to attempt to check if a run-as principal was set by preSetRunAsIdentity() (based on the indirect assumption that if the servlet in the given invocation has a run-as this must've been the case). If so, it retrieves the oldSecurityContext from the invocation object and set it in the SecurityContext.

The problem is that the invocation object is not the same object as was passed in to preSetRunAsIdentity() so it will never contain the right info - see bug 4757733.

In practice it means this method only ever sets the SecurityContext to null (if run-as matched) or does nothing. In particular note the implication that it will be set to null after a run-as invocation completes. This behavior will be retained for the time being for consistency with RI. It must be fixed later.

Parameters:

invocation - The invocation object to process.

logout

public void logout(HttpRequest httpRequest)

Description copied from interface: Realm

Logs out.

Specified by:

logout in interface Realm

Overrides:

logout in class RealmBase

Parameters:

httpRequest - the HttpRequest

logout

public void logout()

Description copied from interface: RealmInitializer

Clean up security and policy context.

Specified by:

logout in interface RealmInitializer

destroy

public void destroy()

Overrides:

destroy in class RealmBase

getPassword

protected char[] getPassword(String username)

Description copied from class: RealmBase

Return the password associated with the given principal's user name.

Specified by:

getPassword in class RealmBase

getPrincipal

protected Principal getPrincipal(String username)

Description copied from class: RealmBase

Return the Principal associated with the given user name.

Specified by:

getPrincipal in class RealmBase

isSecurityExtensionEnabled

public boolean isSecurityExtensionEnabled(javax.servlet.ServletContext context)

Return true if a Security Extension is available.

Specified by:

isSecurityExtensionEnabled in interface Realm

Overrides:

isSecurityExtensionEnabled in class RealmBase

Parameters:

context - the ServletContext

Returns:

true if a Security Extension is available. 1171

configureSecurity

protected void configureSecurity(WebBundleDescriptor wbd,
                                 boolean isSystem)

Generate the JSR 115 policy file for a web application, bundled within a ear or deployed as a standalone war file. Implementation note: If the generated file doesn't contains all the permission, the role mapper is probably broken.

setCurrentSecurityContextWithWebPrincipal

public void setCurrentSecurityContextWithWebPrincipal(Principal principal)

setCurrentSecurityContext

public void setCurrentSecurityContext(Principal principal)

initConfigHelper

public void initConfigHelper(javax.servlet.ServletContext servletContext)

postConstruct

public void postConstruct()

Specified by:

postConstruct in interface org.glassfish.hk2.api.PostConstruct