public class SingleSignOn extends ValveBase
Host).
The Realm that contains the shared user and role information must be configured on the same Container (or a higher one), and not overridden at the web application level.
org.apache.catalina.authenticator package.
Lifecycle.SingleUse
Modifier and Type | Field and Description |
---|---|
protected Map<String,SingleSignOnEntry> | cache: The cache of SingleSignOnEntry instances for authenticated Principals, keyed by the cookie value that is used to select them. |
Constructor and Description |
---|
SingleSignOn() |
Modifier and Type | Method and Description |
---|---|
protected boolean | associate(String ssoId, Session session): Associate the specified single sign on identifier with the specified Session. |
protected void | deregister(String ssoId): Deregister the specified single sign on identifier, and invalidate any associated sessions. |
String | getCookieDomain(): Returns the optional cookie domain. |
boolean | getRequireReauthentication(): Gets whether each request needs to be reauthenticated (by an Authenticator downstream in the pipeline) to the security Realm, or if this Valve can itself bind security info to the request based on the presence of a valid SSO entry without rechecking with the Realm. |
protected SessionListener | getSessionListener(String ssoId) |
void | invoke(Request request, Response response): Perform single-sign-on support processing for this request. |
protected boolean | reauthenticate(String ssoId, Realm realm, Request request): Attempts reauthentication to the given Realm using the credentials associated with the single sign-on session identified by argument ssoId. |
protected void | register(String ssoId, Principal principal, String authType, String username, String password): Register the specified Principal as being associated with the specified value for the single sign on identifier. |
protected void | removeSession(String ssoId, Session session): Remove a single Session from a SingleSignOn. |
void | sessionDestroyed(String ssoId, Session session): Process a session destroyed event by removing references to that session from the caches and - if the session destruction is the result of a logout - destroy the associated SSO session. |
void | setCookieDomain(String cookieDomain): Sets the domain to be used for sso cookies. |
void | setRequireReauthentication(boolean required): Sets whether each request needs to be reauthenticated (by an Authenticator downstream in the pipeline) to the security Realm, or if this Valve can itself bind security info to the request, based on the presence of a valid SSO entry, without rechecking with the Realm. |
protected void | startInternal(): Start this component and implement the requirements of LifecycleBase.startInternal(). |
protected void | stopInternal(): Stop this component and implement the requirements of LifecycleBase.stopInternal(). |
protected boolean | update(String ssoId, Principal principal, String authType, String username, String password): Updates any SingleSignOnEntry found under key ssoId with the given authentication data. |
protected Map<String,SingleSignOnEntry> cache

public String getCookieDomain()

public void setCookieDomain(String cookieDomain)
Parameters:
cookieDomain - cookie domain name

public boolean getRequireReauthentication()
Gets whether each request needs to be reauthenticated (by an Authenticator downstream in the pipeline) to the security Realm, or if this Valve can itself bind security info to the request based on the presence of a valid SSO entry without rechecking with the Realm.
Returns:
true if it is required that a downstream Authenticator reauthenticate each request before calls to HttpServletRequest.setUserPrincipal() and HttpServletRequest.setAuthType() are made; false if the Valve can itself make those calls relying on the presence of a valid SingleSignOn entry associated with the request.
See Also:
setRequireReauthentication(boolean)

public void setRequireReauthentication(boolean required)
Sets whether each request needs to be reauthenticated (by an Authenticator downstream in the pipeline) to the security Realm, or if this Valve can itself bind security info to the request, based on the presence of a valid SSO entry, without rechecking with the Realm.

If this property is false (the default), this Valve will bind a UserPrincipal and AuthType to the request if a valid SSO entry is associated with the request. It will not notify the security Realm of the incoming request.

This property should be set to true if the overall server configuration requires that the Realm reauthenticate each request thread. An example of such a configuration would be one where the Realm implementation provides security for both a web tier and an associated EJB tier, and needs to set security credentials on each request thread in order to support EJB access.

If this property is set to true, this Valve will set flags on the request notifying the downstream Authenticator that the request is associated with an SSO session. The Authenticator will then call its reauthenticateFromSSO method to attempt to reauthenticate the request to the Realm, using any credentials that were cached with this Valve.

The default value of this property is false, in order to maintain backward compatibility with previous versions of Tomcat.

Parameters:
required - true if it is required that a downstream Authenticator reauthenticate each request before calls to HttpServletRequest.setUserPrincipal() and HttpServletRequest.setAuthType() are made; false if the Valve can itself make those calls relying on the presence of a valid SingleSignOn entry associated with the request.
See Also:
AuthenticatorBase.reauthenticateFromSSO(java.lang.String, org.apache.catalina.connector.Request)

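The Realm placement requirement and the requireReauthentication and cookieDomain properties described above can be checked in a deployment's server.xml. The following is an added example, not Tomcat code or code from this page: the sample XML is constructed, the class and method names are hypothetical, and the Valve attributes are assumed to use the same names as the bean properties.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class SsoValveAudit {
    static final String SSO = "org.apache.catalina.authenticator.SingleSignOn";
    // Constructed server.xml fragment for the demo, not taken from a real deployment.
    static final String SAMPLE = "<Engine name='Catalina'>"
        + "<Realm className='org.apache.catalina.realm.UserDatabaseRealm'/>"
        + "<Host name='localhost'>"
        + "<Valve className='" + SSO + "' cookieDomain='.example.test'/>"
        + "<Context path='/app'><Realm className='org.apache.catalina.realm.JNDIRealm'/></Context>"
        + "</Host></Engine>";

    static boolean hasChild(Node n, String tag) {   // direct child element named tag?
        for (Node c = n.getFirstChild(); c != null; c = c.getNextSibling())
            if (tag.equals(c.getNodeName())) return true;
        return false;
    }

    static List<String> audit(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // refuse DTDs
        Element root = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8))).getDocumentElement();
        List<String> out = new ArrayList<>();
        NodeList valves = root.getElementsByTagName("Valve");
        for (int i = 0; i < valves.getLength(); i++) {
            Element v = (Element) valves.item(i);
            if (!SSO.equals(v.getAttribute("className"))) continue;
            Node host = v.getParentNode();
            if (!"Host".equals(host.getNodeName())) { out.add("valve is not a child of <Host>"); continue; }
            boolean shared = false;                 // Realm on the Host or a higher container
            for (Node n = host; n instanceof Element; n = n.getParentNode()) shared |= hasChild(n, "Realm");
            if (!shared) out.add("no Realm on the Host or a higher container");
            NodeList ctxs = ((Element) host).getElementsByTagName("Context");
            for (int j = 0; j < ctxs.getLength(); j++)
                if (hasChild(ctxs.item(j), "Realm"))
                    out.add("Context " + ((Element) ctxs.item(j)).getAttribute("path") + " overrides the Realm");
            if (!"true".equalsIgnoreCase(v.getAttribute("requireReauthentication")))
                out.add("requireReauthentication not enabled: a valid SSO entry alone binds the principal");
            if (!v.getAttribute("cookieDomain").isEmpty())
                out.add("cookieDomain=" + v.getAttribute("cookieDomain") + " widens the SSO cookie scope");
        }
        return out;
    }
    public static void main(String[] a) throws Exception { audit(SAMPLE).forEach(System.out::println); }
}
```

Context definitions kept outside server.xml, such as a web application's own context.xml, are not covered by this check.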
public void invoke(Request request, Response response) throws IOException, ServletException
Parameters:
request - The servlet request we are processing
response - The servlet response we are creating
Throws:
IOException - if an input/output error occurs
ServletException - if a servlet error occurs

public void sessionDestroyed(String ssoId, Session session)
Parameters:
ssoId - The ID of the SSO session with which the destroyed session was associated
session - The session that has been destroyed

protected boolean associate(String ssoId, Session session)
Parameters:
ssoId - Single sign on identifier
session - Session to be associated
Returns:
true if the session was associated to the given SSO session, otherwise false

protected void deregister(String ssoId)
Parameters:
ssoId - Single sign on identifier to deregister

protected boolean reauthenticate(String ssoId, Realm realm, Request request)
Attempts reauthentication to the given Realm using the credentials associated with the single sign-on session identified by argument ssoId.

If reauthentication is successful, the Principal and authorization type associated with the SSO session will be bound to the given Request object via calls to Request.setAuthType() and Request.setUserPrincipal()
Parameters:
ssoId - identifier of SingleSignOn session with which the caller is associated
realm - Realm implementation against which the caller is to be authenticated
request - the request that needs to be authenticated
Returns:
true if reauthentication was successful, false otherwise.

protected void register(String ssoId, Principal principal, String authType, String username, String password)
Parameters:
ssoId - Single sign on identifier to register
principal - Associated user principal that is identified
authType - Authentication type used to authenticate this user principal
username - Username used to authenticate this user
password - Password used to authenticate this user

protected boolean update(String ssoId, Principal principal, String authType, String username, String password)
Updates any SingleSignOnEntry found under key ssoId with the given authentication data.

The purpose of this method is to allow an SSO entry that was established without a username/password combination (i.e. established following DIGEST or CLIENT_CERT authentication) to be updated with a username and password if one becomes available through a subsequent BASIC or FORM authentication. The SSO entry will then be usable for reauthentication.

NOTE: Only updates the SSO entry if a call to SingleSignOnEntry.getCanReauthenticate() returns false; otherwise, it is assumed that the SSO entry already has sufficient information to allow reauthentication and that no update is needed.
Parameters:
ssoId - identifier of Single sign to be updated
principal - the Principal returned by the latest call to Realm.authenticate.
authType - the type of authenticator used (BASIC, CLIENT_CERT, DIGEST or FORM)
username - the username (if any) used for the authentication
password - the password (if any) used for the authentication
Returns:
true if the credentials were updated, otherwise false

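A simplified model of the behaviour documented for register, update, reauthenticate and setRequireReauthentication, added here as an example and not Tomcat source: Entry, the realm map, fill and bind are hypothetical names, and the credentials are constructed sample data. It shows that a CLIENT_CERT entry cannot be reauthenticated until update supplies a username and password, and that a password changed in the Realm is only noticed when requireReauthentication is true.

```java
import java.util.HashMap;
import java.util.Map;

/** Simplified model of the documented SSO cache behaviour; not Tomcat source code. */
public class SsoModel {
    static final class Entry {                     // hypothetical stand-in for SingleSignOnEntry
        String principal, authType, username, password;
        boolean canReauthenticate() {              // assumption: only BASIC/FORM leave usable credentials
            return "BASIC".equals(authType) || "FORM".equals(authType);
        }
    }
    final Map<String, Entry> cache = new HashMap<>();   // keyed by the SSO cookie value
    final Map<String, String> realm = new HashMap<>();  // hypothetical Realm: username -> password
    boolean requireReauthentication = false;            // documented default

    void register(String ssoId, String principal, String authType, String user, String pw) {
        cache.put(ssoId, fill(new Entry(), principal, authType, user, pw));
    }
    boolean update(String ssoId, String principal, String authType, String user, String pw) {
        Entry e = cache.get(ssoId);
        if (e == null || e.canReauthenticate()) return false;  // entry is already sufficient
        fill(e, principal, authType, user, pw);
        return true;
    }
    static Entry fill(Entry e, String principal, String authType, String user, String pw) {
        e.principal = principal; e.authType = authType; e.username = user; e.password = pw;
        return e;
    }
    /** Principal bound to a request carrying ssoId, or null when a fresh login is needed. */
    String bind(String ssoId) {
        Entry e = cache.get(ssoId);
        if (e == null) return null;
        if (!requireReauthentication) return e.principal;      // Realm is not consulted
        if (!e.canReauthenticate() || e.username == null) return null;
        return e.password != null && e.password.equals(realm.get(e.username)) ? e.principal : null;
    }
    public static void main(String[] args) {
        SsoModel sso = new SsoModel();
        sso.realm.put("alice", "constructed-pw-1");             // constructed sample data
        sso.requireReauthentication = true;
        sso.register("sso-1", "alice", "CLIENT_CERT", null, null);
        System.out.println("cert-only entry: " + sso.bind("sso-1"));
        System.out.println("update after FORM login: " + sso.update("sso-1", "alice", "FORM", "alice", "constructed-pw-1"));
        System.out.println("after update: " + sso.bind("sso-1"));
        sso.realm.put("alice", "constructed-pw-2");             // password changed in the Realm
        System.out.println("after password change: " + sso.bind("sso-1"));
        sso.requireReauthentication = false;
        System.out.println("same request, default setting: " + sso.bind("sso-1"));
    }
}
```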
protected void removeSession(String ssoId, Session session)
Parameters:
ssoId - Single sign on identifier from which to remove the session.
session - the session to be removed.

protected SessionListener getSessionListener(String ssoId)

protected void startInternal() throws LifecycleException
Description copied from class: ValveBase
Start this component and implement the requirements of LifecycleBase.startInternal().
Overrides:
startInternal in class ValveBase
Throws:
LifecycleException - if this component detects a fatal error that prevents this component from being used

protected void stopInternal() throws LifecycleException
Description copied from class: ValveBase
Stop this component and implement the requirements of LifecycleBase.stopInternal().
Overrides:
stopInternal in class ValveBase
Throws:
LifecycleException - if this component detects a fatal error that prevents this component from being used

Copyright © 2000-2016 Apache Software Foundation. All Rights Reserved.