public class JAASRealm extends RealmBase
Implementation of Realm that authenticates users via the Java
Authentication and Authorization Service (JAAS). JAAS support requires
either JDK 1.4 (which includes it as part of the standard platform) or
JDK 1.3 (with the plug-in jaas.jar
file).
The value configured for the appName
property is passed to
the javax.security.auth.login.LoginContext
constructor, to
specify the application name used to select the set of relevant
LoginModules
required.
The JAAS Specification describes the result of a successful login as a
javax.security.auth.Subject
instance, which can contain zero
or more java.security.Principal
objects in the return value
of the Subject.getPrincipals()
method. However, it provides
no guidance on how to distinguish Principals that describe the individual
user (and are thus appropriate to return as the value of
request.getUserPrincipal() in a web application) from the Principal(s)
that describe the authorized roles for this user. To maintain as much
independence as possible from the underlying LoginMethod
implementation executed by JAAS, the following policy is implemented by
this Realm:
LoginModule
is assumed to return a
Subject
with at least one Principal
instance
representing the user himself or herself, and zero or more separate
Principals
representing the security roles authorized
for this user.Principal
representing the user, the Principal
name is an appropriate value to return via the Servlet API method
HttpServletRequest.getRemoteUser()
.Principals
representing the security roles, the
name is the name of the authorized security role.java.security.Principal
- one that identifies class(es)
representing a user, and one that identifies class(es) representing
a security role.Principals
returned by
Subject.getPrincipals()
, it will identify the first
Principal
that matches the "user classes" list as the
Principal
for this user.Principals
returned by
Subject.getPrincipals()
, it will accumulate the set of
all Principals
matching the "role classes" list as
identifying the security roles for this user.Subject
without a Principal
that
matches the "user classes" list.Catalina { org.foobar.auth.DatabaseLoginModule REQUIRED JNDI_RESOURCE=jdbc/AuthDB USER_TABLE=users USER_ID_COLUMN=id USER_NAME_COLUMN=name USER_CREDENTIAL_COLUMN=password ROLE_TABLE=roles ROLE_NAME_COLUMN=name PRINCIPAL_FACTORY=org.foobar.auth.impl.SimplePrincipalFactory; };
CATALINA_OPTS
environment variable
similar to the following:
CATALINA_OPTS="-Djava.security.auth.login.config=$CATALINA_HOME/conf/jaas.config"
CallbackHandler
,
called (unsurprisingly) JAASCallbackHandler
. This handler supplies the
HTTP requests's username and credentials to the user-supplied LoginModule
Realm
implementations, digested passwords are supported if
the <Realm>
element in server.xml
contains a
digest
attribute; JAASCallbackHandler
will digest the password
prior to passing it back to the LoginModule
RealmBase.AllRolesMode
Modifier and Type | Field and Description |
---|---|
protected java.lang.String |
appName
The application name passed to the JAAS
LoginContext ,
which uses it to select the set of relevant LoginModule s. |
protected java.lang.String |
configFile
Path to find a JAAS configuration file, if not set global JVM JAAS
configuration will be used.
|
protected static java.lang.String |
info
Descriptive information about this
Realm implementation. |
protected javax.security.auth.login.Configuration |
jaasConfiguration |
protected boolean |
jaasConfigurationLoaded |
protected static java.lang.String |
name
Descriptive information about this
Realm implementation. |
protected java.util.List<java.lang.String> |
roleClasses
The list of role class names, split out for easy processing.
|
protected java.lang.String |
roleClassNames
Comma-delimited list of
java.security.Principal classes
that represent security roles. |
protected boolean |
useContextClassLoader
Whether to use context ClassLoader or default ClassLoader.
|
protected java.util.List<java.lang.String> |
userClasses
The set of user class names, split out for easy processing.
|
protected java.lang.String |
userClassNames
Comma-delimited list of
java.security.Principal classes
that represent individual users. |
allRolesMode, container, containerLog, digest, digestEncoding, md, md5Encoder, md5Helper, realmPath, sm, stripRealmForGss, support, validate, x509UsernameRetriever, x509UsernameRetrieverClassName
mserver
AFTER_DESTROY_EVENT, AFTER_INIT_EVENT, AFTER_START_EVENT, AFTER_STOP_EVENT, BEFORE_DESTROY_EVENT, BEFORE_INIT_EVENT, BEFORE_START_EVENT, BEFORE_STOP_EVENT, CONFIGURE_START_EVENT, CONFIGURE_STOP_EVENT, PERIODIC_EVENT, START_EVENT, STOP_EVENT
Constructor and Description |
---|
JAASRealm() |
Modifier and Type | Method and Description |
---|---|
protected java.security.Principal |
authenticate(java.lang.String username,
javax.security.auth.callback.CallbackHandler callbackHandler)
Perform the actual JAAS authentication
|
java.security.Principal |
authenticate(java.lang.String username,
java.lang.String credentials)
Return the
Principal associated with the specified username
and credentials, if there is one; otherwise return null . |
java.security.Principal |
authenticate(java.lang.String username,
java.lang.String clientDigest,
java.lang.String nonce,
java.lang.String nc,
java.lang.String cnonce,
java.lang.String qop,
java.lang.String realmName,
java.lang.String md5a2)
Return the
Principal associated with the specified username
and digest, if there is one; otherwise return null . |
protected java.security.Principal |
createPrincipal(java.lang.String username,
javax.security.auth.Subject subject,
javax.security.auth.login.LoginContext loginContext)
Identify and return a
java.security.Principal instance
representing the authenticated user for the specified Subject . |
java.lang.String |
getAppName()
getter for the
appName member variable |
protected javax.security.auth.login.Configuration |
getConfig()
Load custom JAAS Configuration
|
java.lang.String |
getConfigFile()
Getter for the
configfile member variable. |
java.lang.String |
getInfo()
Return descriptive information about this Realm implementation and
the corresponding version number, in the format
<description>/<version> . |
protected java.lang.String |
getName()
Return a short name for this
Realm implementation. |
protected java.lang.String |
getPassword(java.lang.String username)
Return the password associated with the given principal's user name.
|
protected java.security.Principal |
getPrincipal(java.lang.String username)
Return the
Principal associated with the given user name. |
java.lang.String |
getRoleClassNames() |
java.lang.String |
getUserClassNames() |
boolean |
isUseContextClassLoader()
Returns whether to use the context or default ClassLoader.
|
protected java.lang.String |
makeLegalForJAAS(java.lang.String src)
Ensure the given name is legal for JAAS configuration.
|
protected void |
parseClassNames(java.lang.String classNamesString,
java.util.List<java.lang.String> classNamesList)
Parses a comma-delimited list of class names, and store the class names
in the provided List.
|
void |
setAppName(java.lang.String name)
setter for the
appName member variable |
void |
setConfigFile(java.lang.String configFile)
Setter for the
configfile member variable. |
void |
setContainer(Container container)
Set the Container with which this Realm has been associated.
|
void |
setRoleClassNames(java.lang.String roleClassNames)
Sets the list of comma-delimited classes that represent roles.
|
void |
setUseContextClassLoader(boolean useContext)
Sets whether to use the context or default ClassLoader.
|
void |
setUserClassNames(java.lang.String userClassNames)
Sets the list of comma-delimited classes that represent individual
users.
|
protected void |
startInternal()
Prepare for the beginning of active use of the public methods of this
component and implement the requirements of
LifecycleBase.startInternal() . |
addPropertyChangeListener, authenticate, authenticate, authenticate, backgroundProcess, compareCredentials, digest, Digest, findSecurityConstraints, getAllRolesMode, getContainer, getDigest, getDigest, getDigestCharset, getDigestEncoding, getDomainInternal, getObjectNameKeyProperties, getPrincipal, getPrincipal, getRealmPath, getRealmSuffix, getServer, getValidate, getX509UsernameRetrieverClassName, hasMessageDigest, hasResourcePermission, hasRole, hasUserDataPermission, initInternal, isStripRealmForGss, main, removePropertyChangeListener, setAllRolesMode, setDigest, setDigestEncoding, setRealmPath, setStripRealmForGss, setValidate, setX509UsernameRetrieverClassName, stopInternal, toString
destroyInternal, getDomain, getObjectName, postDeregister, postRegister, preDeregister, preRegister, register, setDomain, unregister
addLifecycleListener, destroy, findLifecycleListeners, fireLifecycleEvent, getState, getStateName, init, removeLifecycleListener, setState, setState, start, stop
protected java.lang.String appName
LoginContext
,
which uses it to select the set of relevant LoginModule
s.protected static final java.lang.String info
Realm
implementation.protected static final java.lang.String name
Realm
implementation.protected java.util.List<java.lang.String> roleClasses
protected java.util.List<java.lang.String> userClasses
protected boolean useContextClassLoader
protected java.lang.String configFile
protected javax.security.auth.login.Configuration jaasConfiguration
protected volatile boolean jaasConfigurationLoaded
protected java.lang.String roleClassNames
java.security.Principal
classes
that represent security roles.protected java.lang.String userClassNames
java.security.Principal
classes
that represent individual users.public java.lang.String getConfigFile()
configfile
member variable.public void setConfigFile(java.lang.String configFile)
configfile
member variable.public void setAppName(java.lang.String name)
appName
member variablepublic java.lang.String getAppName()
appName
member variablepublic void setUseContextClassLoader(boolean useContext)
useContext
- True means use context ClassLoaderpublic boolean isUseContextClassLoader()
public void setContainer(Container container)
RealmBase
setContainer
in interface Realm
setContainer
in class RealmBase
container
- The associated Containerpublic java.lang.String getRoleClassNames()
public void setRoleClassNames(java.lang.String roleClassNames)
java.security.Principal
.
The supplied list of classes will be parsed when LifecycleBase.start()
is
called.protected void parseClassNames(java.lang.String classNamesString, java.util.List<java.lang.String> classNamesList)
java.security.Principal
.classNamesString
- a comma-delimited list of fully qualified class names.classNamesList
- the list in which the class names will be stored.
The list is cleared before being populated.public java.lang.String getUserClassNames()
public void setUserClassNames(java.lang.String userClassNames)
java.security.Principal
. The supplied list of classes will
be parsed when LifecycleBase.start()
is called.public java.lang.String getInfo()
<description>/<version>
.public java.security.Principal authenticate(java.lang.String username, java.lang.String credentials)
Principal
associated with the specified username
and credentials, if there is one; otherwise return null
.authenticate
in interface Realm
authenticate
in class RealmBase
username
- Username of the Principal
to look upcredentials
- Password or other credentials to use in
authenticating this usernamepublic java.security.Principal authenticate(java.lang.String username, java.lang.String clientDigest, java.lang.String nonce, java.lang.String nc, java.lang.String cnonce, java.lang.String qop, java.lang.String realmName, java.lang.String md5a2)
Principal
associated with the specified username
and digest, if there is one; otherwise return null
.authenticate
in interface Realm
authenticate
in class RealmBase
username
- Username of the Principal
to look upclientDigest
- Digest to use in authenticating this usernamenonce
- Server generated noncenc
- Nonce countcnonce
- Client generated nonceqop
- Quality of protection applied to the messagerealmName
- Realm namemd5a2
- Second MD5 digest used to calculate the digest
MD5(Method + ":" + uri)protected java.security.Principal authenticate(java.lang.String username, javax.security.auth.callback.CallbackHandler callbackHandler)
protected java.lang.String getName()
Realm
implementation.protected java.lang.String getPassword(java.lang.String username)
getPassword
in class RealmBase
protected java.security.Principal getPrincipal(java.lang.String username)
Principal
associated with the given user name.getPrincipal
in class RealmBase
protected java.security.Principal createPrincipal(java.lang.String username, javax.security.auth.Subject subject, javax.security.auth.login.LoginContext loginContext)
java.security.Principal
instance
representing the authenticated user for the specified Subject
.
The Principal is constructed by scanning the list of Principals returned
by the JAASLoginModule. The first Principal
object that matches
one of the class names supplied as a "user class" is the user Principal.
This object is returned to the caller.
Any remaining principal objects returned by the LoginModules are mapped to
roles, but only if their respective classes match one of the "role class" classes.
If a user Principal cannot be constructed, return null
.subject
- The Subject
representing the logged-in userloginContext
- Associated with the Principal so
LoginContext.logout()
can be called laterprotected java.lang.String makeLegalForJAAS(java.lang.String src)
src
- The name to validateprotected void startInternal() throws LifecycleException
LifecycleBase.startInternal()
.startInternal
in class RealmBase
LifecycleException
- if this component detects a fatal error
that prevents this component from being usedprotected javax.security.auth.login.Configuration getConfig()
Copyright © 2000-2015 Apache Software Foundation. All Rights Reserved.