public class JAASRealm extends RealmBase
Implementation of Realm that authenticates users via the Java
Authentication and Authorization Service (JAAS). JAAS support requires
either JDK 1.4 (which includes it as part of the standard platform) or
JDK 1.3 (with the plug-in jaas.jar
file).
The value configured for the appName
property is passed to
the javax.security.auth.login.LoginContext
constructor, to
specify the application name used to select the set of relevant
LoginModules
required.
The JAAS Specification describes the result of a successful login as a
javax.security.auth.Subject
instance, which can contain zero
or more java.security.Principal
objects in the return value
of the Subject.getPrincipals()
method. However, it provides
no guidance on how to distinguish Principals that describe the individual
user (and are thus appropriate to return as the value of
request.getUserPrincipal() in a web application) from the Principal(s)
that describe the authorized roles for this user. To maintain as much
independence as possible from the underlying LoginMethod
implementation executed by JAAS, the following policy is implemented by
this Realm:
LoginModule
is assumed to return a
Subject
with at least one Principal
instance
representing the user himself or herself, and zero or more separate
Principals
representing the security roles authorized
for this user.Principal
representing the user, the Principal
name is an appropriate value to return via the Servlet API method
HttpServletRequest.getRemoteUser()
.Principals
representing the security roles, the
name is the name of the authorized security role.java.security.Principal
- one that identifies class(es)
representing a user, and one that identifies class(es) representing
a security role.Principals
returned by
Subject.getPrincipals()
, it will identify the first
Principal
that matches the "user classes" list as the
Principal
for this user.Principals
returned by
Subject.getPrincipals()
, it will accumulate the set of
all Principals
matching the "role classes" list as
identifying the security roles for this user.Subject
without a Principal
that
matches the "user classes" list.Catalina { org.foobar.auth.DatabaseLoginModule REQUIRED JNDI_RESOURCE=jdbc/AuthDB USER_TABLE=users USER_ID_COLUMN=id USER_NAME_COLUMN=name USER_CREDENTIAL_COLUMN=password ROLE_TABLE=roles ROLE_NAME_COLUMN=name PRINCIPAL_FACTORY=org.foobar.auth.impl.SimplePrincipalFactory; };
CATALINA_OPTS
environment variable
similar to the following:
CATALINA_OPTS="-Djava.security.auth.login.config=$CATALINA_HOME/conf/jaas.config"
CallbackHandler
,
called (unsurprisingly) JAASCallbackHandler
. This handler supplies the
HTTP requests's username and credentials to the user-supplied LoginModule
Realm
implementations, digested passwords are supported if
the <Realm>
element in server.xml
contains a
digest
attribute; JAASCallbackHandler
will digest the password
prior to passing it back to the LoginModule
RealmBase.AllRolesMode
Lifecycle.SingleUse
Modifier and Type | Field and Description |
---|---|
protected String |
appName
The application name passed to the JAAS
LoginContext ,
which uses it to select the set of relevant LoginModule s. |
protected String |
configFile
Path to find a JAAS configuration file, if not set global JVM JAAS
configuration will be used.
|
protected Configuration |
jaasConfiguration |
protected boolean |
jaasConfigurationLoaded |
protected static String |
name
Descriptive information about this
Realm implementation. |
protected List<String> |
roleClasses
The list of role class names, split out for easy processing.
|
protected String |
roleClassNames
Comma-delimited list of
java.security.Principal classes
that represent security roles. |
protected boolean |
useContextClassLoader
Whether to use context ClassLoader or default ClassLoader.
|
protected List<String> |
userClasses
The set of user class names, split out for easy processing.
|
protected String |
userClassNames
Comma-delimited list of
java.security.Principal classes
that represent individual users. |
allRolesMode, container, containerLog, realmPath, sm, stripRealmForGss, support, validate, x509UsernameRetriever, x509UsernameRetrieverClassName
mserver
AFTER_DESTROY_EVENT, AFTER_INIT_EVENT, AFTER_START_EVENT, AFTER_STOP_EVENT, BEFORE_DESTROY_EVENT, BEFORE_INIT_EVENT, BEFORE_START_EVENT, BEFORE_STOP_EVENT, CONFIGURE_START_EVENT, CONFIGURE_STOP_EVENT, PERIODIC_EVENT, START_EVENT, STOP_EVENT
Constructor and Description |
---|
JAASRealm() |
Modifier and Type | Method and Description |
---|---|
protected Principal |
authenticate(String username,
CallbackHandler callbackHandler)
Perform the actual JAAS authentication.
|
Principal |
authenticate(String username,
String credentials)
Return the
Principal associated with the specified username
and credentials, if there is one; otherwise return null . |
Principal |
authenticate(String username,
String clientDigest,
String nonce,
String nc,
String cnonce,
String qop,
String realmName,
String md5a2)
Return the
Principal associated with the specified username
and digest, if there is one; otherwise return null . |
protected Principal |
createPrincipal(String username,
Subject subject,
LoginContext loginContext)
Identify and return a
java.security.Principal instance
representing the authenticated user for the specified Subject . |
String |
getAppName() |
protected Configuration |
getConfig()
Load custom JAAS Configuration.
|
String |
getConfigFile() |
protected String |
getName() |
protected String |
getPassword(String username)
Get the password for the specified user.
|
protected Principal |
getPrincipal(String username)
Get the principal associated with the specified user.
|
String |
getRoleClassNames() |
String |
getUserClassNames() |
boolean |
isUseContextClassLoader()
Returns whether to use the context or default ClassLoader.
|
protected String |
makeLegalForJAAS(String src)
Ensure the given name is legal for JAAS configuration.
|
protected void |
parseClassNames(String classNamesString,
List<String> classNamesList)
Parses a comma-delimited list of class names, and store the class names
in the provided List.
|
void |
setAppName(String name)
Set the JAAS
LoginContext app name. |
void |
setConfigFile(String configFile)
Set the JAAS configuration file.
|
void |
setContainer(Container container)
Set the Container with which this Realm has been associated.
|
void |
setRoleClassNames(String roleClassNames)
Sets the list of comma-delimited classes that represent roles.
|
void |
setUseContextClassLoader(boolean useContext)
Sets whether to use the context or default ClassLoader.
|
void |
setUserClassNames(String userClassNames)
Sets the list of comma-delimited classes that represent individual
users.
|
protected void |
startInternal()
Prepare for the beginning of active use of the public methods of this
component and implement the requirements of
LifecycleBase.startInternal() . |
addPropertyChangeListener, authenticate, authenticate, authenticate, backgroundProcess, Digest, findSecurityConstraints, getAllRolesMode, getContainer, getCredentialHandler, getDigest, getDomainInternal, getObjectNameKeyProperties, getPrincipal, getPrincipal, getRealmPath, getRealmSuffix, getRoles, getServer, getTransportGuaranteeRedirectStatus, getValidate, getX509UsernameRetrieverClassName, hasMessageDigest, hasResourcePermission, hasRole, hasUserDataPermission, initInternal, isStripRealmForGss, main, removePropertyChangeListener, setAllRolesMode, setCredentialHandler, setRealmPath, setStripRealmForGss, setTransportGuaranteeRedirectStatus, setValidate, setX509UsernameRetrieverClassName, stopInternal, toString
destroyInternal, getDomain, getObjectName, postDeregister, postRegister, preDeregister, preRegister, register, setDomain, unregister
addLifecycleListener, destroy, findLifecycleListeners, fireLifecycleEvent, getState, getStateName, init, removeLifecycleListener, setState, setState, start, stop
protected String appName
LoginContext
,
which uses it to select the set of relevant LoginModule
s.protected static final String name
Realm
implementation.protected final List<String> roleClasses
protected final List<String> userClasses
protected boolean useContextClassLoader
protected String configFile
protected Configuration jaasConfiguration
protected volatile boolean jaasConfigurationLoaded
protected String roleClassNames
java.security.Principal
classes
that represent security roles.protected String userClassNames
java.security.Principal
classes
that represent individual users.public String getConfigFile()
public void setConfigFile(String configFile)
configFile
- The JAAS configuration filepublic void setAppName(String name)
LoginContext
app name.name
- The application name that will be used to retrieve
the set of relevant LoginModule
spublic String getAppName()
public void setUseContextClassLoader(boolean useContext)
useContext
- True means use context ClassLoaderpublic boolean isUseContextClassLoader()
public void setContainer(Container container)
RealmBase
setContainer
in interface Realm
setContainer
in class RealmBase
container
- The associated Containerpublic String getRoleClassNames()
public void setRoleClassNames(String roleClassNames)
java.security.Principal
.
The supplied list of classes will be parsed when LifecycleBase.start()
is
called.roleClassNames
- The class names listprotected void parseClassNames(String classNamesString, List<String> classNamesList)
java.security.Principal
.classNamesString
- a comma-delimited list of fully qualified class names.classNamesList
- the list in which the class names will be stored.
The list is cleared before being populated.public String getUserClassNames()
public void setUserClassNames(String userClassNames)
java.security.Principal
. The supplied list of classes will
be parsed when LifecycleBase.start()
is called.userClassNames
- The class names listpublic Principal authenticate(String username, String credentials)
Principal
associated with the specified username
and credentials, if there is one; otherwise return null
.authenticate
in interface Realm
authenticate
in class RealmBase
username
- Username of the Principal
to look upcredentials
- Password or other credentials to use in
authenticating this usernamenull
if there is none.public Principal authenticate(String username, String clientDigest, String nonce, String nc, String cnonce, String qop, String realmName, String md5a2)
Principal
associated with the specified username
and digest, if there is one; otherwise return null
.authenticate
in interface Realm
authenticate
in class RealmBase
username
- Username of the Principal
to look upclientDigest
- Digest to use in authenticating this usernamenonce
- Server generated noncenc
- Nonce countcnonce
- Client generated nonceqop
- Quality of protection applied to the messagerealmName
- Realm namemd5a2
- Second MD5 digest used to calculate the digest
MD5(Method + ":" + uri)null
if there is none.protected Principal authenticate(String username, CallbackHandler callbackHandler)
username
- The user namecallbackHandler
- The callback handlernull
if there is none.protected String getName()
protected String getPassword(String username)
RealmBase
getPassword
in class RealmBase
username
- The user nameprotected Principal getPrincipal(String username)
RealmBase
getPrincipal
in class RealmBase
username
- The user namePrincipal
associated with the given user name.protected Principal createPrincipal(String username, Subject subject, LoginContext loginContext)
java.security.Principal
instance
representing the authenticated user for the specified Subject
.
The Principal is constructed by scanning the list of Principals returned
by the JAASLoginModule. The first Principal
object that matches
one of the class names supplied as a "user class" is the user Principal.
This object is returned to the caller.
Any remaining principal objects returned by the LoginModules are mapped to
roles, but only if their respective classes match one of the "role class" classes.
If a user Principal cannot be constructed, return null
.username
- The associated user namesubject
- The Subject
representing the logged-in userloginContext
- Associated with the Principal so
LoginContext.logout()
can be called laterprotected String makeLegalForJAAS(String src)
src
- The name to validateprotected void startInternal() throws LifecycleException
LifecycleBase.startInternal()
.startInternal
in class RealmBase
LifecycleException
- if this component detects a fatal error
that prevents this component from being usedprotected Configuration getConfig()
Copyright © 2000-2016 Apache Software Foundation. All Rights Reserved.