Class CertificateRealm

Class hierarchy:
- java.lang.Object
- com.sun.enterprise.security.auth.realm.Realm
- com.sun.enterprise.security.BaseRealm
- com.sun.enterprise.security.auth.realm.IASRealm
- com.sun.enterprise.security.auth.realm.certificate.CertificateRealm

All Implemented Interfaces: Comparable

@Service public final class CertificateRealm extends IASRealm
Realm wrapper for supporting certificate authentication. The certificate realm provides the security-service functionality needed to process a client-cert authentication. Since the SSL processing and client certificate verification are done by NSS, no authentication is actually done by this realm. It only serves the purpose of being registered as the certificate handler realm and of servicing group membership requests during web container role checks.

There is no JAAS LoginModule corresponding to the certificate realm, therefore this realm does not require the jaas-context configuration parameter to be set. The purpose of a JAAS LoginModule is to implement the actual authentication processing, which for this certificate realm is already done by the time execution reaches Java.

The certificate realm needs the following properties in its configuration: None.

The following optional attributes can also be specified:
- assign-groups - A comma-separated list of group names which will be assigned to all users who present a cryptographically valid certificate. Since groups are otherwise not supported by the cert realm, this allows grouping cert users for convenience.
Nested Class Summary

Nested Classes (Modifier and Type / Class / Description):
- static class CertificateRealm.AppContextCallback - A LoginModule for CertificateRealm can instantiate an AppContextCallback and pass it to the handle method of the supplied CallbackHandler to retrieve the application name information.
Field Summary

Fields (Modifier and Type / Field / Description):
- static String AUTH_TYPE

Fields inherited from class com.sun.enterprise.security.BaseRealm:
- JAAS_CONTEXT_PARAM, sm

Fields inherited from class com.sun.enterprise.security.auth.realm.Realm:
- _logger, groupMapper, PARAM_GROUP_MAPPING
Constructor Summary

Constructors (Constructor / Description):
- CertificateRealm()
Method Summary

All Methods, Instance Methods, Concrete Methods (Modifier and Type / Method / Description):
- void authenticate(Subject subject, X500Principal principal) - Complete authentication of certificate user.
- String getAuthType() - Returns a short (preferably less than fifteen characters) description of the kind of authentication which is supported by this realm.
- Enumeration getGroupNames(String username) - Returns the names of all the groups that this user belongs to.
- protected void init(Properties props) - Initialize a realm with some properties.

Methods inherited from class com.sun.enterprise.security.BaseRealm:
- addUser, addUser, getAuthenticationHandler, getGroupNames, getUser, getUserNames, persist, refresh, removeUser, supportsUserManagement, updateUser, updateUser

Methods inherited from class com.sun.enterprise.security.auth.realm.Realm:
- addAssignGroups, compareTo, getDefaultDigestAlgorithm, getDefaultInstance, getDefaultRealm, getInstance, getInstance, getJAASContext, getMappedGroupNames, getName, getProperties, getProperty, getRealmNames, getRealmStatsProvier, instantiate, instantiate, instantiate, isValidRealm, isValidRealm, refresh, setDefaultRealm, setName, setProperty, toString, unloadInstance, unloadInstance, updateInstance, updateInstance
Field Detail

AUTH_TYPE
public static final String AUTH_TYPE
- See Also: Constant Field Values
Method Detail

init
protected void init(Properties props) throws BadRealmException, NoSuchRealmException
Initialize a realm with some properties. This can be used when instantiating realms from their descriptions. This method is invoked from Realm during initialization.
- Overrides: init in class Realm
- Parameters:
  - props - Initialization parameters used by this realm.
- Throws:
  - BadRealmException - If the configuration parameters identify a corrupt realm.
  - NoSuchRealmException - If the configuration parameters specify a realm which doesn't exist.
getAuthType
public String getAuthType()
Returns a short (preferably less than fifteen characters) description of the kind of authentication which is supported by this realm.
- Specified by: getAuthType in class Realm
- Returns: Description of the kind of authentication that is directly supported by this realm.
getGroupNames
public Enumeration getGroupNames(String username) throws NoSuchUserException, InvalidOperationException
Returns the names of all the groups that this user belongs to.
- Specified by: getGroupNames in class Realm
- Parameters:
  - username - Name of the user in this realm whose group listing is needed.
- Returns: Enumeration of group names (strings).
- Throws:
  - InvalidOperationException - thrown if the realm does not support this operation, e.g. the Certificate realm does not support this operation.
  - NoSuchUserException
authenticate
public void authenticate(Subject subject, X500Principal principal)
Complete authentication of certificate user. As noted, the certificate realm does not do the actual authentication (signature and cert chain validation) for the user certificate; this is done earlier, in NSS. This method simply sets up the security context for the user in order to properly complete the authentication processing.

If any groups have been assigned to cert-authenticated users through the assign-groups property, these groups are added to the security context for the current user.
- Parameters:
  - subject - The Subject object for the authentication request.
  - principal - The X500Principal object from the user certificate.
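As an added illustration of the behaviour described above (this is not GlassFish's own code): the realm performs no certificate validation itself and only populates the Subject with the caller's X500Principal plus the groups listed in assign-groups, so every holder of a TLS-validated certificate receives the same group set. The GroupPrincipal class and the parsing rules (trimming whitespace, dropping empty entries) are assumptions; GlassFish's real group principal class and its parsing are not reproduced.

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;

/** Assumed group principal type; stands in for the server's own group class. */
final class GroupPrincipal implements Principal {
    private final String name;
    GroupPrincipal(String name) { this.name = name; }
    @Override public String getName() { return name; }
    @Override public String toString() { return "Group(" + name + ")"; }
}

public class AssignGroupsDemo {
    /** Parse assign-groups: comma-separated, whitespace trimmed, empty entries dropped (assumed rules). */
    static List<String> parseAssignGroups(Properties props) {
        List<String> groups = new ArrayList<>();
        String raw = props.getProperty("assign-groups");
        if (raw == null) return groups;
        for (String g : raw.split(",")) {
            String t = g.trim();
            if (!t.isEmpty()) groups.add(t);
        }
        return groups;
    }

    /** Mirrors the page's description of authenticate(): no cert checks, only context setup. */
    static Subject completeAuthentication(Subject subject, X500Principal principal, Properties props) {
        subject.getPrincipals().add(principal);           // identity taken from the already-validated cert
        for (String g : parseAssignGroups(props)) {
            subject.getPrincipals().add(new GroupPrincipal(g)); // same groups for every cert user
        }
        return subject;
    }

    public static void main(String[] args) {
        Properties props = new Properties();                                   // constructed realm config
        props.setProperty("assign-groups", " cert-users, , cert-admins ");
        X500Principal p = new X500Principal("CN=alice, OU=Dev, O=Example, C=US"); // constructed subject DN
        Subject s = completeAuthentication(new Subject(), p, props);
        System.out.println(s.getPrincipals());
    }
}
```

Running it prints the X500Principal followed by Group(cert-users) and Group(cert-admins); the blank entry between the commas is discarded.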