org.apache.catalina.realm

Class JAASRealm

java.lang.Object

org.apache.catalina.realm.RealmBase

org.apache.catalina.realm.JAASRealm

All Implemented Interfaces:

Lifecycle, Realm

public class JAASRealm
extends RealmBase

Implementation of Realm that authenticates users via the Java Authentication and Authorization Service (JAAS). JAAS support requires either JDK 1.4 (which includes it as part of the standard platform) or JDK 1.3 (with the plug-in jaas.jar file).

The value configured for the appName property is passed to the javax.security.auth.login.LoginContext constructor, to specify the application name used to select the set of relevant LoginModules required.

The JAAS Specification describes the result of a successful login as a javax.security.auth.Subject instance, which can contain zero or more java.security.Principal objects in the return value of the Subject.getPrincipals() method. However, it provides no guidance on how to distinguish Principals that describe the individual user (and are thus appropriate to return as the value of request.getUserPrincipal() in a web application) from the Principal(s) that describe the authorized roles for this user. To maintain as much independence as possible from the underlying LoginMethod implementation executed by JAAS, the following policy is implemented by this Realm:

• The JAAS LoginModule is assumed to return a Subject with at least one Principal instance representing the user himself or herself, and zero or more separate Principals representing the security roles authorized for this user.
• On the Principal representing the user, the Principal name is an appropriate value to return via the Servlet API method HttpServletRequest.getRemoteUser().
• On the Principals representing the security roles, the name is the name of the authorized security role.
• This Realm will be configured with two lists of fully qualified Java class names of classes that implement java.security.Principal - one that identifies class(es) representing a user, and one that identifies class(es) representing a security role.
• As this Realm iterates over the Principals returned by Subject.getPrincipals(), it will identify the first Principal that matches the "user classes" list as the Principal for this user.
• As this Realm iterates over the Principals returned by Subject.getPrincipals(), it will accumulate the set of all Principals matching the "role classes" list as identifying the security roles for this user.
• It is a configuration error for the JAAS login method to return a validated Subject without a Principal that matches the "user classes" list.

Version:

$Revision: 1.3 $ $Date: 2006/03/12 01:27:04 $

Author:

Craig R. McClanahan

Field Summary

Fields

Modifier and Type	Field and Description
protected String	appName The application name passed to the JAAS LoginContext, which uses it to select the set of relevant LoginModules.
protected static String	info Descriptive information about this Realm implementation.
protected static String	name Descriptive information about this Realm implementation.
protected ArrayList<String>	roleClasses The list of role class names, split out for easy processing.
protected String	roleClassNames Comma-delimited list of javax.security.Principal classes that represent security roles.
protected ArrayList<String>	userClasses The set of user class names, split out for easy processing.
protected String	userClassNames Comma-delimited list of javax.security.Principal classes that represent individual users.

Fields inherited from class org.apache.catalina.realm.RealmBase

checkIfRequestIsSecure, container, controller, debug, digest, digestEncoding, lifecycle, log, md, md5Encoder, md5Helper, rb, started, support, validate

Fields inherited from interface org.apache.catalina.Lifecycle

AFTER_START_EVENT, AFTER_STOP_EVENT, BEFORE_START_EVENT, BEFORE_STOP_EVENT, INIT_EVENT, START_EVENT, STOP_EVENT

Fields inherited from interface org.apache.catalina.Realm

AUTHENTICATE_NEEDED, AUTHENTICATE_NOT_NEEDED, AUTHENTICATED_NOT_AUTHORIZED

Constructor Summary

Constructors

Constructor and Description
JAASRealm()

Method Summary

Modifier and Type	Method and Description
Principal	authenticate(String username, char[] credentials) Return the Principal associated with the specified username and credentials, if there is one; otherwise return null.
protected Principal	createPrincipal(String username, Subject subject) Construct and return a java.security.Principal instance representing the authenticated user for the specified Subject.
String	getAppName() getter for the appName member variable
protected String	getName() Return a short name for this Realm implementation.
protected char[]	getPassword(String username) Return the password associated with the given principal's user name.
protected Principal	getPrincipal(String username) Return the Principal associated with the given user name.
String	getRoleClassNames()
String	getUserClassNames()
void	setAppName(String name) Deprecated. JAAS should use the Engine ( domain ) name and webpp/host overrides
void	setContainer(Container container) Set the Container with which this Realm has been associated.
void	setRoleClassNames(String roleClassNames)
void	setUserClassNames(String userClassNames)
void	start() Prepare for active use of the public methods of this Component.
void	stop() Gracefully shut down active use of the public methods of this Component.

Methods inherited from class org.apache.catalina.realm.RealmBase

addLifecycleListener, addPropertyChangeListener, authenticate, authenticate, authenticate, backgroundProcess, destroy, digest, disableProxyCaching, findLifecycleListeners, findSecurityConstraints, findSecurityConstraints, getAlternateAuthType, getAlternatePrincipal, getContainer, getController, getDebug, getDigest, getDigest, getDigestEncoding, getInfo, getRealmName, getValidate, hasMessageDigest, hasResourcePermission, hasRole, hasRole, hasUserDataPermission, hasUserDataPermission, invokeAuthenticateDelegate, invokePostAuthenticateDelegate, isSecurityExtensionEnabled, log, log, logout, preAuthenticateCheck, removeLifecycleListener, removePropertyChangeListener, setController, setDebug, setDigest, setDigestEncoding, setRealmName, setValidate

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

appName

protected String appName

The application name passed to the JAAS LoginContext, which uses it to select the set of relevant LoginModules.

info

protected static final String info

Descriptive information about this Realm implementation.

See Also:

Constant Field Values

name

protected static final String name

Descriptive information about this Realm implementation.

See Also:

Constant Field Values

roleClasses

protected ArrayList<String> roleClasses

The list of role class names, split out for easy processing.

userClasses

protected ArrayList<String> userClasses

The set of user class names, split out for easy processing.

roleClassNames

protected String roleClassNames

Comma-delimited list of javax.security.Principal classes that represent security roles.

userClassNames

protected String userClassNames

Comma-delimited list of javax.security.Principal classes that represent individual users.

Constructor Detail

JAASRealm

public JAASRealm()

Method Detail

setAppName

public void setAppName(String name)

Deprecated. JAAS should use the Engine ( domain ) name and webpp/host overrides

setter for the appName member variable

getAppName

public String getAppName()

getter for the appName member variable

setContainer

public void setContainer(Container container)

Description copied from class: RealmBase

Set the Container with which this Realm has been associated.

Specified by:

setContainer in interface Realm

Overrides:

setContainer in class RealmBase

Parameters:

container - The associated Container

getRoleClassNames

public String getRoleClassNames()

setRoleClassNames

public void setRoleClassNames(String roleClassNames)

getUserClassNames

public String getUserClassNames()

setUserClassNames

public void setUserClassNames(String userClassNames)

authenticate

public Principal authenticate(String username,
                              char[] credentials)

Return the Principal associated with the specified username and credentials, if there is one; otherwise return null. If there are any errors with the JDBC connection, executing the query or anything we return null (don't authenticate). This event is also logged, and the connection will be closed so that a subsequent request will automatically re-open it.

Specified by:

authenticate in interface Realm

Overrides:

authenticate in class RealmBase

Parameters:

username - Username of the Principal to look up

credentials - Password or other credentials to use in authenticating this username

getName

protected String getName()

Return a short name for this Realm implementation.

Specified by:

getName in class RealmBase

getPassword

protected char[] getPassword(String username)

Return the password associated with the given principal's user name.

Specified by:

getPassword in class RealmBase

getPrincipal

protected Principal getPrincipal(String username)

Return the Principal associated with the given user name.

Specified by:

getPrincipal in class RealmBase

createPrincipal

protected Principal createPrincipal(String username,
                                    Subject subject)

Construct and return a java.security.Principal instance representing the authenticated user for the specified Subject. If no such Principal can be constructed, return null.

Parameters:

subject - The Subject representing the logged in user

start

public void start()
           throws LifecycleException

Prepare for active use of the public methods of this Component.

Specified by:

start in interface Lifecycle

Overrides:

start in class RealmBase

Throws:

LifecycleException - if this component detects a fatal error that prevents it from being started

stop

public void stop()
          throws LifecycleException

Gracefully shut down active use of the public methods of this Component.

Specified by:

stop in interface Lifecycle

Overrides:

stop in class RealmBase

Throws:

LifecycleException - if this component detects a fatal error that needs to be reported